• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 796
  • Last Modified:

Shared Public Calendar Permissions - Exchange 2003 SP2

Hello,
I'm having difficulties getting Public Folder permissions to work correctly using security groups. I have a couple of Shared Public Calendars and I want only a subset of users to have the "Author" client permission on these calendars. However, when I used the security group it doesn't work, but when I used individual user accounts permission works without any problems. I've looked at event logs on both the server and client side but no clues. I'm using a security group and not a DL; even if I used a DL once added to the "Client Permissions" tab it's converted to a security group. My email server is Exchange 2003 SP2 with the latest patches/updates.

I appreciate any help you can provide me as I'm at a loss. Thanks.
0
bndit
Asked:
bndit
  • 5
  • 4
1 Solution
 
RGEIS2000Commented:
If I recall correctly, there are two levels of permissions that need to be modified on the calendar share in Exchange. It would be easy to assign permissions on one, but forget the other.
0
 
bnditAuthor Commented:
Well, there are two "levels" 1) client permission and 2) administrative rights....in my case, I dont think I have to change administrative rights because when I add the user account to the client permission tab, the user can see and modify the calendar (client permission = author)...so I'm not sure what you mean by having to change two permission levels.
0
 
MesthaCommented:
You only have to change client rights. Do not touch administrative rights.

However, two things.

1. You need to use mail enabled groups to grant permissions to groups. That means they need to be in the GAL.
2. Least restrictive wins.
For example - if default is "owner" then it doesn't matter what you give to anyone else, everyone will be owner.
Best practise is to change "Default" to none, then set permissions as required, with anything global (ie everyone has) set using your equivalent of "All Staff".

Simon.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
bnditAuthor Commented:
I'm using mail-enabled security groups. They're in the GAL.
I'm aware of the default inheritance permission...however, that's only when adding groups...i.e. if default is owner and if I add GroupA, GroupA will be added with owner, but you can change that...just an extra step. I'm attaching a screenshot of the client permissions for one of my share calendars...the groups are as follows:

1. CA_Calendar_Admins - Editor
2. CA_Calendar_Users - Author

Hope that helps.
Screenshot-6--2-.png
0
 
MesthaCommented:
The NT User is a concern. That means the "owner" is a non-mail enabled account. That can cause problems.
If that is Administrator, then Administrator should be mail enabled.
Otherwise you need to change the owner to a mail enabled account.

On one of the users who should be restricted, in Outlook, look at the properties of the Folder. On the security tab it will show you what permissions that user has. If they are an Owner then it will show all permissions.

Simon.
0
 
bnditAuthor Commented:
I went ahead and removed the NT Administrator user account from these shared calendars and made a different mailbox-enabled account the owner for all of them.

I when ahead and look at the properties of these shared calendars in Outlook, and discovered something very interesting. It doesn't matter what client permission I give to the "CA_Calendar_Users" the "effective" permission *seems* to be controlled by the Default client permission. In other words, since the client permission for Default is Reviewer, as a member of the security group, which has Author client permission I will see Reviewer for the specific folder and not Author as expected. As soon as I change the client permission for Default I can see it from Outlook. The then question is, why is this? if I'm a member of a group that has more permissions on the particular shared calendar, why do I get the Default permissions?
0
 
MesthaCommented:
That would tend to indicate that for whatever reason your groups are not being recognised. I would suggest creating a new mail enabled group as a test to see if the problem continues with the groups. Make sure it is a static and not a dynamic group.

Simon.
0
 
bnditAuthor Commented:
I can do that, but not sure if I follow you on the static vs dynamic. I believe that only applies to DLs and not to security groups. As far as I know public folders *only* works with security groups. You can add DL's but they're converted to security groups.
0
 
MesthaCommented:
The conversion happens behind the scenes by Exchange. Therefore it is possible to create a distribution group and then use it for permissions, because it gets converted. Hence not using a dynamic group.
Some people don't quite understand that, so I always point it out.

Personally I don't bother with creating distribution groups at all. I never use dynamic groups, and do everything in security groups.

Simon.
0
 
bnditAuthor Commented:
thx
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now