Reverse denial of permission to everyone on public folders

SBS2003.  I was trying to prevent access to public folders to only a few users.  I thought that granting permissions to some but denying permissions to "Everyone" would do it.  

So, on the server itself, in Exchange System Manager, I denied all permissions to Everyone.  The result was that the "Public Folders" subfolder under "Folders" would no longer expand to show the folders AND the label "Public Folders" disappeared.  I was still able to right click on the folder but got a message that there was no such name.  Unfortunately, I did not write the message.
I searched EE and found that with access to the AD manager, I could reset permissions.  Under the domain name, I don't see anything specifically referring to Public Folders.  I do see Microsoft Exchange System Objects with a system mailbox, but doubt that that's related.

From my workstation (with administrator rights on the server) I still see the public folder and the subfolders but cannot see the contents (except for an Addresses contacts subfolder.  I need to reset things back to normal so I can try to accomplish what I'm trying to do correctly!

Who is Participating?
FrittersAuthor Commented:
Further information from MS summarizing the fix:
Problem : -
Unable to see Public Folders in Exchange System Manager after the permissions changes. Public Information Store is dismounted  on  Exchange Server name : DELL1420   (E2K3 Std SP2  on  Small Business 2003)

Resolution :-
ð      We found that when we click Folder hierarchies in adsiedit.msc it says Invalid path . We did the below steps

1. Right click on First  Administrative Group
2. Select New Object
3. Select msExchContainer for the class and click Next
4. Enter the following for the value: Folder Hierarchies, click Next
5. Click Finish

Ø      Created Public Folder Tree Object using adsiedit:

1. Right click CN=Folder Hierarchies -> New Object
2. Selected msExchPFTree for the class
3. For the value we entered, "Public Folders" and clicked next
4. Clicked on the "More Attributes" button, selected msExchPFTreeType and set the value to 1.
5. Click Ok and then finish

Ø      Populated msExchOwningPFTree attribute object of the PF Stores in the organization using adsiedit:

1. Get properties of the newly created "Public Folders" Tree object in Adsiedit.
2. Copy the distinguishedname value to the clipboard and then click cancel.
3. Navigate to the Storage group that contains the Public Folder Store for this server and get properties of the server.
4. Locate the msExchOwningPFTree attribute and paste in the value that was copied to the clipboard.

Ø      Now tried to mount the public folder store and it got mounted.

Ø      We then used the PFDAVAdmin tool to set the client permissions for Public Folders.

Additional Information and Recommendations:-

TechNet Virtual Labs: Exchange Server
Deny is used very sparingly...
I would create a Security Group of users who can view public folders.
Remove the "everyone" and "authenticated users" from the permissions.
Add your new group... as long as the people you don't want to access it are not a part of any groups listed in the secutity tab they will not gain access...
I could write more on why deny is used sparingly but it is verbose.
Simply not being granted permissions is as effective as being denied them...
I have never used deny yet in my IT experience in Exchange!
FrittersAuthor Commented:
How do I reverse what I've done so that the public folders show up again?  That was my original problem.
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Open Excahnge System Manager

Look through your permissions and find the deny
Uncheck it...
Keep commenting I am sure I can walk you through it...
FrittersAuthor Commented:
If I understood your message, it was to right click on the "public folders", select properties and change any "deny" to "permit".  The problem is that there is no "public folders" folder listed under Folders to set properties or permission on!
Deny to Everyone is something that happens quite a lot. Removing the Everyone is also quite common.
The mistake you have made is mix up permissions on the object with permissions on the content. There is no way to deny access to all users in public folders, and it isn't something you should do anyway. Public Folders also contain system information, so all users need to access the public folder store at all times.

The simply rule with Exchange permissions is do not touch unless you are 100% confident of the consequences. In most cases Everyone should never be touched.

Anyway, you will have to fix this through adsiedit.msc
If you haven't used adsiedit.msc before you need to be very careful. Think of the warnings about the registry, multiply by 10 and then consider that one false move could mean the entire domain has to be rebuilt.

Alas I don't have access to an Exchange 2003 environment in my current location, only Exchange 2010, so I cannot guide you to the exact place. You are looking for the Public Folder store under that specific server.
Once you have found it, you can choose Properties by right clicking and that should show you the permissions. The Everyone can then be changed back to how it was before.

FrittersAuthor Commented:
I need the instructions to use adsiedit.msc so I pick the right item, etc.  I have downloaded it and (about to) install it but don't want to poke around until I have instructions.
I can't give you those instructions as I don't have a system to look at.
If you don't want to do it yourself, call Microsoft and pay their fee or find an experienced Exchange consultant to do it for you.

FrittersAuthor Commented:
Is the Public Folder store an item listed under either Domain or Configuration?  Which?
FrittersAuthor Commented:
OK.  I stopped Exchange services.  I ran ASDIEDIT.  Drilled down in Configuration and found the public folders item.  Right clicked on Properties.  Selected security tab.  Selected "Everyone".  Expected to find "Deny" for each permission (since that is what I had done manually in Exchange System Manager.  But that was not the case.  Some "Permits" were still selected.  Not sure what to try now.  Anyone?
FrittersAuthor Commented:
Receiving no further response, I paid for a support call to MS.  After 3.5 hours, it was fixed.
Inheritances and Permissions were quite screwed up (and may have been for years without noticing the effects) and then, even after deleting some, fixing others,  the "public folders" store would still not mount.  Eventually, we backed up the system state for safety, deleted the "public folder" using ADSIEDIT, recreated a new one, mounted that and things returned to normal.  Since the PUB database files were never affected, all the original public subfolder "reappeared".

Afterward, he directed me to use PFDAVAdmin.EXE to set permissions rather than Exchange Manager.  It's a more friendly interface.

He also advised to never set permissions on the "Public Folders" folder ("the store" if I recall as he referred to it) but instead on subfolders and sub-sub folders only.  

Please consider this question withdrawn as "$elf" solved.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.