Fritters


Reverse denial of permission to everyone on public folders

SBS2003.  I was trying to prevent access to public folders to only a few users.  I thought that granting permissions to some but denying permissions to "Everyone" would do it.  

So, on the server itself, in Exchange System Manager, I denied all permissions to Everyone.  The result was that the "Public Folders" subfolder under "Folders" would no longer expand to show the folders AND the label "Public Folders" disappeared.  I was still able to right click on the folder but got a message that there was no such name.  Unfortunately, I did not write the message.
I searched EE and found that with access to the AD manager, I could reset permissions.  Under the domain name, I don't see anything specifically referring to Public Folders.  I do see Microsoft Exchange System Objects with a system mailbox, but doubt that that's related.

From my workstation (with administrator rights on the server) I still see the public folder and the subfolders but cannot see the contents (except for an Addresses contacts subfolder).  I need to reset things back to normal so I can try to accomplish what I'm trying to do correctly!

beanrod

Deny is used very sparingly...
I would create a Security Group of users who can view public folders.
Remove the "everyone" and "authenticated users" from the permissions.
Add your new group... as long as the people you don't want to access it are not a part of any groups listed in the security tab they will not gain access...
I could write more on why deny is used sparingly but it is verbose.
Simply not being granted permissions is as effective as being denied them...
I have never used deny yet in my IT experience in Exchange!
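
The difference between the two approaches in this thread, shown as an added example (not part of the original posts, and not Exchange's own code). It is a simplified model of standard Windows DACL evaluation; the user names, the `PF-Readers` group and the rights bits are constructed for illustration.

```python
# Simplified model of a Windows DACL access check (added example; names are constructed).
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group name standing in for a SID
    mask: int      # rights covered by this ACE

def canonical(dacl):
    """Explicit deny ACEs sort ahead of allow ACEs, as permission editors store them."""
    return sorted(dacl, key=lambda a: a.kind != "deny")

def access_check(token_groups, dacl, desired):
    """Walk ACEs in order: a matching deny on a still-needed right fails at once,
    allows accumulate, and rights never granted are refused by default."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.trustee not in token_groups:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False  # implicit deny: nothing granted the remaining rights

# Constructed tokens: every user's token carries Everyone.
ALICE = {"alice", "PF-Readers", "Everyone"}    # meant to have access
BOB = {"bob", "Everyone"}                      # meant to be kept out
ADMIN = {"admin", "Administrators", "Everyone"}

# What the asker tried: allow a few, then deny Everyone.
DENY_EVERYONE = [Ace("allow", "PF-Readers", READ),
                 Ace("allow", "Administrators", READ | WRITE),
                 Ace("deny", "Everyone", READ | WRITE)]

# What the reply suggests: grant to the group only, with no deny entry.
GROUP_ONLY = [Ace("allow", "PF-Readers", READ),
              Ace("allow", "Administrators", READ | WRITE)]

def who_can_read(dacl):
    users = {"alice": ALICE, "bob": BOB, "admin": ADMIN}
    return sorted(n for n, tok in users.items() if access_check(tok, dacl, READ))
```

With the deny entry nobody can read, administrators included; with the group-only ACL the excluded user is still refused because nothing grants the right.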
Fritters

ASKER

How do I reverse what I've done so that the public folders show up again?  That was my original problem.
Open Exchange System Manager

Look through your permissions and find the deny
Uncheck it...
Keep commenting I am sure I can walk you through it...
If I understood your message, it was to right click on the "public folders", select properties and change any "deny" to "permit".  The problem is that there is no "public folders" folder listed under Folders to set properties or permission on!
Deny to Everyone is something that happens quite a lot. Removing the Everyone is also quite common.
The mistake you have made is to mix up permissions on the object with permissions on the content. There is no way to deny access to all users in public folders, and it isn't something you should do anyway. Public Folders also contain system information, so all users need to access the public folder store at all times.

The simple rule with Exchange permissions is do not touch unless you are 100% confident of the consequences. In most cases Everyone should never be touched.

Anyway, you will have to fix this through adsiedit.msc
If you haven't used adsiedit.msc before you need to be very careful. Think of the warnings about the registry, multiply by 10 and then consider that one false move could mean the entire domain has to be rebuilt.

Alas I don't have access to an Exchange 2003 environment in my current location, only Exchange 2010, so I cannot guide you to the exact place. You are looking for the Public Folder store under that specific server.
Once you have found it, you can choose Properties by right clicking and that should show you the permissions. The Everyone can then be changed back to how it was before.

Simon.
I need the instructions to use adsiedit.msc so I pick the right item, etc.  I have downloaded it and (about to) install it but don't want to poke around until I have instructions.
I can't give you those instructions as I don't have a system to look at.
If you don't want to do it yourself, call Microsoft and pay their fee or find an experienced Exchange consultant to do it for you.

Simon.
Is the Public Folder store an item listed under either Domain or Configuration?  Which?
OK.  I stopped Exchange services.  I ran ADSIEDIT.  Drilled down in Configuration and found the public folders item.  Right clicked on Properties.  Selected security tab.  Selected "Everyone".  Expected to find "Deny" for each permission (since that is what I had done manually in Exchange System Manager).  But that was not the case.  Some "Permits" were still selected.  Not sure what to try now.  Anyone?
Receiving no further response, I paid for a support call to MS.  After 3.5 hours, it was fixed.
Inheritances and Permissions were quite screwed up (and may have been for years without noticing the effects) and then, even after deleting some, fixing others, the "public folders" store would still not mount.  Eventually, we backed up the system state for safety, deleted the "public folder" using ADSIEDIT, recreated a new one, mounted that and things returned to normal.  Since the PUB database files were never affected, all the original public subfolders "reappeared".

Afterward, he directed me to use PFDAVAdmin.EXE to set permissions rather than Exchange Manager.  It's a more friendly interface.

He also advised to never set permissions on the "Public Folders" folder ("the store" if I recall as he referred to it) but instead on subfolders and sub-sub folders only.  

Please consider this question withdrawn as "$elf" solved.
ASKER CERTIFIED SOLUTION
Fritters
