Managing Exchange Server Permissions

Viewing Permissions

If you don't see permissions on objects in the Exchange Administrator program (4.0 - 5.5), choose Tools | Options, switch to the Permissions tab, then check the box for Show Permissions pages for all objects.

Folder Permissions

In Exchange 5.5 and earlier, existing folders do not automatically propagate permission changes to child folders. However, new folders do inherit permissions from their parents. Also, using the Exchange Administrator program, you can propagate settings to child folders.

If you are not the administrator and need to manage folder permissions, ask the administrator to set up some distribution lists that you can use for setting permissions on the folders. You will need to have permission to edit the DL. Then, when someone new needs to be added, you'll just change the DL -- adding and removing members through Outlook -- not the permissions on each folder.

Also see:

  • XCLN: How to Create Public Folders and Set Default Properties on All Subsequently Created Folders
  • XADM: Propagating Permissions to All Public Folder Subfolders
  • XADM: Using PFADMIN to Remove Public Folder Permissions
  • XADM You Cannot Add a Distribution Group to Permissions of a Public Folder in Exchange 2000 -- If you want to use a distribution group, you need AD in native mode.
  • XADM White Paper - Public Folder Permissions in a Mixed-Mode Microsoft Exchange Organization
  • Using a Security Group to Create Public Folder Permissions
  • Working with Store Permissions in Microsoft Exchange 2000 and 2003

  • User Reply Address

    Several scenarios:
  • You want a user to be able to reply to messages sent to a public folder with the folder's address.
  • You want a user to be able to reply with another mailbox's address -- without the user's own address appearing anywhere on the reply.
  • You want to be able to send using the return address of a distribution list in the Global Address List (GAL).
  • The solution is the same in all cases: You must grant Send As permission on the folder or mailbox using the Exchange Administrator program or Active Directory. Send As is granted via accounts and groups, not mailboxes and Exchange distribution lists. If you want a user to send with a folder's address, the folder must not be hidden.

    Once the user has Send As permission, they can use View | From Field in Outlook to display the From box and either click From to choose from the Address Book or type in the name of the public folder or other mailbox. If the public folder is hidden from the GAL, the user should go to the folder's Properties page and add the folder's address to their own address book.

    See:

  • HOW TO Grant Send As and Send on Behalf Permissions in Exchange 2000 Server
  • XADM How to Grant a User Send As Rights in Exchange Server 5.5 and Exchange 2000


  • Tools

    Active Folders Exchange Server folder and mailbox management tool suite including policy management, server-based compression, permissions management, audit trail and reporting. Can sweep all user mail folders -- including those in Personal Folders .pst files -- to locate particular attachments or messages meeting other criteria.
    ERSA "Exchange Security Risk Auditor" to audit and change mailbox permissions both for periodic security audits and for common events, such as an employee leaving the company.
    Exchange Permission Manager Assign permissions on multiple Exchange public folders and system folders and users can modify mailbox permissions in addition to public folder permissions, company-wide. It works with Exchange 5.5, 2000 and 2003; and, for reporting, you can print out current permissions on single or groups of folders. Version 2.
    Folder Permissions Manager Symprex Folder Permissions Manager allows administrators to centrally manage all permissions on mailbox folders and public folders on Exchange 5.5, 2000 and 2003. Folder permissions can be listed and changed manually, or using templates with permissions settings created using the built-in wizard. Permissions can be applied to any number of mailboxes and folders at the click of a button.
    OWA Permissions Control Web application for viewing and modifying folder permissions. Combines features of the company's former OWA Delegate Control and OWA Public Folder Control. (5 Mar)
    PFAdmin Tool from the Exchange 2000 Resource Kit to change permissions and replication settings for a folder and its subfolders. Does not work with any version of Exchange after Exchange 2000 SP1. Also see:
  • XADM The Pfadmin Utility Does Not Work with Error Message OpenAddressBook Failed, Error 0x40380
  • XADM Error Message When You Set Permissions on Public Folders Invalid Windows Handle ID No 80040102 Exchange System Manager
  • PFDavAdmin Free tool from Microsoft for managing permissions on public and mailbox folders, including all the way down to the item level. Requires .NET Framework. For use with Exchange 2000 Server, Exchage Server 2003 and Exchange Server 2007.
    PFInfo Tool from the Exchange Server Resource Kit for generating a file with information about public folder permissions and replicas. See XADM Error Message Opening Address Book When Running the Pfinfo.exe Utility.
    Public Folder Utility View folder permissions and other properties. Export folder properties and permissions to a text file or relational database for analysis. Send customized messages to folder owners. Manage orphaned public folder client permissions.
    SetPerm Allows you to set default permissions on individual folders within mailboxes throughout your organization or on groups of mailboxes. Free.

    Set All Calendars to Reviewer

    Many organizations want people to not only see each other's free/busy times but also get appointment details. Therefore, they want to enforce a policy of using Reviewer as the default permission on each user's Calendar folder. This is not a capability built into Outlook, but you can perform this task with some of the tools above.

    If you want to experiment, you could also create a custom application using CDO and the ACL Component from the Platform SDK to manage permissions; a version of Acl.dll compiled for Windows NT/2000 is available from Microsoft's FTP site (this site is not always responsive). If you need a Windows 95/98 version, you'll have to compile the C++ source yourself. More information:

  • Sue Mosher's pre-conference Workshop from Microsoft Exchange Conference 99 -- The PowerPoint presentation for Segment 5 (324kb) includes details on the ACL model. The source code (473kb) includes a sample Outlook 2000 VBA project that runs on Windows NT only.
  • Professional CDO Programming
  • 0 comments:

    Post a Comment