Public Folder Root Permission
We have recently found that any user can create a folder from the Public Folder Root. We started using Exchange back in 2000, upgrading to 2003, 2007 and now 2010. We would like to restrict this ability to just Exchange Administrators. If we run get-publicfolderclientpermission "\" from the management shell we get:
Identity : \
User : Default
AccessRights : {PublishingAuthor}
Identity : \
User : Anonymous
AccessRights : {Reviewer}
If you view the permissions from Outlook on the root public folder, everything is grayed out. Permission is set to Custom and the following options are checked: Read Items, Create subfolders, Folder Visible, Edit Own and Delete Own.
How can we remove create subfolders for everyone except admins?
I have already tried running add-publicfolderclientpermission "\" -User "Administrator" -AccessRights Owner but get access denied.
September 7th, 2010 8:49pm
The problem is that your Default is Publishing Author.
You need to add someone else as an Owner, I usually create a group to do so. The group will need to be a public folder admin.
http://technet.microsoft.com/en-us/library/bb310789(EXCHG.80).aspx
Then change "Default" to none.
Simon.
Simon Butler, Exchange MVP. http://blog.sembee.co.uk, http://exbpa.com/
September 7th, 2010 9:01pm
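Added example (not part of the original thread and not written by any of the posters): a PowerShell filter that reports public folder permission entries where a broad principal such as Default or Anonymous is able to create subfolders, the condition the answer above points to. The function names and sample objects are hypothetical; the sample mirrors the output quoted in the question.

```powershell
# Added example, not code from the thread. Function names are hypothetical.
# Predefined roles that include the CreateSubfolders right.
$RolesWithCreate = 'Owner', 'PublishingEditor', 'PublishingAuthor'

function Test-GrantsCreateSubfolders {
    param([string[]]$AccessRights)
    foreach ($right in $AccessRights) {
        if ($right -eq 'CreateSubfolders' -or $RolesWithCreate -contains $right) {
            return $true
        }
    }
    return $false
}

function Find-OpenFolderCreation {
    param(
        [Parameter(ValueFromPipeline = $true)] $Entry,
        [string[]]$BroadPrincipals = @('Default', 'Anonymous')
    )
    process {
        # Assumption: User and AccessRights stringify to the names the shell displays.
        $rights = @($Entry.AccessRights | ForEach-Object { "$_" })
        if (($BroadPrincipals -contains "$($Entry.User)") -and
            (Test-GrantsCreateSubfolders $rights)) {
            New-Object PSObject -Property @{
                Identity     = "$($Entry.Identity)"
                User         = "$($Entry.User)"
                AccessRights = ($rights -join ',')
            }
        }
    }
}

# Constructed sample mirroring the output quoted in the question.
$sample = @(
    New-Object PSObject -Property @{ Identity = '\'; User = 'Default'; AccessRights = @('PublishingAuthor') }
    New-Object PSObject -Property @{ Identity = '\'; User = 'Anonymous'; AccessRights = @('Reviewer') }
)
$sample | Find-OpenFolderCreation | Format-Table Identity, User, AccessRights -AutoSize

# Live use from the Exchange Management Shell:
# Get-PublicFolder "\" -Recurse -ResultSize Unlimited |
#     Get-PublicFolderClientPermission | Find-OpenFolderCreation
```

Running the live pipeline before and after a permission change shows whether Default still carries a role that includes CreateSubfolders on the root or on any folder below it.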
I get the following error when trying to add another user to the root folder.
+ CategoryInfo : NotSpecified: (0:Int32) [Add-PublicFolderClientPermission], MapiAccessDeniedException
+ FullyQualifiedErrorId : 6A0B99BE,Microsoft.Exchange.Management.MapiTasks.AddPublicFolderClientPermission
I have tried using my account (Domain Admin and Exchange Admin) and the domain Administrator account.
September 7th, 2010 9:14pm
Does that account have Public Folder Admin rights? Do not presume that because it is a Domain Admin that it does.
Simon.
Simon Butler, Exchange MVP. http://blog.sembee.co.uk, http://exbpa.com/
September 7th, 2010 9:55pm
Yes. Domain Admins is a member of the Exchange Public Folder Administrators group and Exchange Organization Administrators group.
September 8th, 2010 1:48pm
Hi ScottECC,
As far as I know, you could use AddReplicaToPFRecursive.ps1 in the script folder to achieve your target.
Regards!
Gavin
September 14th, 2010 12:06pm
I ran AddReplicaToPFRecursive.ps1 to add the server as a replica then tried to add another user as the owner of "\" and still got the following.
+ CategoryInfo : NotSpecified: (0:Int32) [Add-PublicFolderClientPermission], MapiAccessDeniedException
+ FullyQualifiedErrorId : 6A0B99BE,Microsoft.Exchange.Management.MapiTasks.AddPublicFolderClientPermission
September 14th, 2010 4:20pm
Hi ScottECC,
Sorry for the above mistake, please use the command below:
AddUsersToPFRecursive.ps1 -TopPublicFolder "\" -User username -Permission owner
Related information:
http://technet.microsoft.com/en-us/library/aa998834.aspx
Regards!
Gavin
September 14th, 2010 10:11pm
Yes. I did that again and received the message below. I tried with several accounts, all members of domain admins, exchange admin, and public folder admins.
Failed to commit the change on object "000000001A447390AA6611CD9BC800AA002FC45A0300CB017C031A3B5947AC00CD660C94E1D30000000000010000" because access is denied.
+ CategoryInfo : NotSpecified: (0:Int32) [Add-PublicFolderClientPermission], MapiAccessDeniedException
+ FullyQualifiedErrorId : 2B9FB3B2,Microsoft.Exchange.Management.MapiTasks.AddPublicFolderClientPermission
The script then continues without a problem for all other folders below the root.
September 17th, 2010 10:21am