Public folder Administrative permissions are not being inherited by child folders
We are currently in the process of designing an Exchange 2007 organization that will be used to host two separate companies with two separate support organizations. Therefore, as a requirement, we have the need to implement a split permissions model, ensuring administrators in one company can only perform administration over their designated messaging objects.

In order to configure the administrative permissions over the shared public folder hierarchy, we have adopted the approach of removing all administrators from the Exchange Public Folder Administrators group and have instead implemented specific permissions on specific top-level folders using the Add-PublicFolderAdministrativePermission cmdlet.

Unfortunately, we appear to be experiencing a problem following the use of the cmdlet, outlined in the working example below.

Working example:
- Top level folder: \Company1
- Responsible support group: Company1Admins
- Executed command: add-publicfolderadministrativepermission -user Company1Admins -identity "\Company1" -accessrights allextendedrights -inheritancetype all

Following the execution of the command, the Company1Admins group appears to have the required level of administration control over the \Company1 folder. The problem only becomes apparent when a new child folder is created beneath \Company1, e.g. \Company1\Child.

It appears that even though we have specified '-inheritancetype all' on the command, the new child folder does not inherit the ability for the Company1Admins group to administer the folder. Running the get-publicfolderadministrativepermission cmdlet against \Company1\Child reveals that the group has no permissions at all over this child folder.

I would be grateful for any advice on how we can use this command to provide the desired result; are we misinterpreting how the command works, or is there some other command or syntax that we should use? Also, do you know of any other way we could implement this public folder split permissions requirement?
October 11th, 2009 7:19pm
Like EX2K and EX2K3, EX2K7 also inherits the permissions from the parent folder. When you create a new public folder within an existing public folder hierarchy, that public folder inherits the permissions of the parent folder.

add-publicfolderadministrativepermission is basically used for top-level permissions on PFs, such as users not being able to create top-level PFs, and the user can be granted or denied specific rights to public folders. But you also need to grant the client-level permission on the particular PFs so that those client-level permissions can be propagated to child folders.

How to Add Permissions for Client Users to Access Public Folder Content

Vinod
|CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|
October 12th, 2009 1:40pm
Vinod,

The problem is not related to client permissions but to the administrative permissions assigned via the add-publicfolderadministrativepermission cmdlet; the inheritance of all client permissions via the Add-PublicFolderClientPermission cmdlet works as expected, but administrative permissions don't.

Rob.
October 12th, 2009 1:55pm
Did you try as below?

add-publicfolderadministrativepermission -user Company1Admins -identity "\Company1" -accessrights allextendedrights -inheritance SelfandChildren

Vinod
October 12th, 2009 2:07pm
Tried all variations of the -inheritance parameter.
October 12th, 2009 2:09pm
Alright Rob,

Let's wait for MS people to hop in and see what they say. Even I am curious now :))

Vinod
October 12th, 2009 2:13pm
Thanks for your input anyway.

Rob.
October 12th, 2009 2:16pm
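
The check described in the first post (running get-publicfolderadministrativepermission against \Company1\Child) can be extended to the whole subtree to see which folders actually carry an administrative entry for the support group. This is an added example, not part of the thread; it assumes the Exchange Management Shell and that each returned entry exposes `User`, `AccessRights` and `IsInherited` properties.

```powershell
# Added example: audit administrative ACEs for one group under one top-level folder.
# Folder and group names are the ones used in the thread.
$Root  = '\Company1'
$Group = 'Company1Admins'

Get-PublicFolder -Identity $Root -Recurse | ForEach-Object {
    $folder = $_

    # Keep only the entries whose account name (the part after DOMAIN\) is the group.
    # Assumption: User renders as DOMAIN\name or as a plain name.
    $aces = @(Get-PublicFolderAdministrativePermission -Identity $folder.Identity |
        Where-Object { "$($_.User)".Split('\')[-1] -eq $Group })

    # Built with Add-Member so it also works on PowerShell 1.0.
    $row = New-Object PSObject
    $row | Add-Member NoteProperty Folder "$($folder.Identity)"
    $row | Add-Member NoteProperty GroupHasAce ($aces.Count -gt 0)

    # Assumption: IsInherited separates inherited entries from explicit ones.
    $inherited = @($aces | Where-Object { $_.IsInherited })
    $row | Add-Member NoteProperty InheritedAces $inherited.Count
    $row | Add-Member NoteProperty ExplicitAces  ($aces.Count - $inherited.Count)

    # Flatten the rights of all matching entries into one readable column.
    $rights = @($aces | ForEach-Object { "$($_.AccessRights)" })
    $row | Add-Member NoteProperty AccessRights ([string]::Join('; ', $rights))

    $row
} | Sort-Object Folder | Format-Table -AutoSize
```

Rows where GroupHasAce is False are the folders the group cannot administer; running the same audit with the other company's folder and group confirms that the split holds in both directions.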