
Exchange Server 2010 : Perform Essential Public Folder Management (part 2) - Define Public Folder Permissions

6/29/2011 11:25:07 AM

2. Define Public Folder Permissions

You can classify public folder permissions into two categories: administrator permissions and client permissions. Administrators will use tools such as the Public Folder Management Console to manage public folders. When granting permissions to public folder content, administrators will typically need access that allows them to create top-level folders, manage the permissions on folders, and manage system folders. Content access for users typically consists of the ability to create new child public folders, post new content, and manage existing content.

When a new folder is created, the permissions on that folder are inherited from the parent folder. However, if you add permissions to an existing parent folder, only new child folders inherit the permissions. Existing child folders maintain the permissions that were inherited at the time the folder was created.

2.1. Grant Users Access to a Public Folder

Users accessing public folders through their client applications will primarily be concerned with creating new content and accessing or modifying existing content. Exchange has a set of predefined roles that users can be assigned on a public folder. Table 3 displays each of these predefined roles and the privileges that each has.

Table 3. Predefined Public Folder Client Roles
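| Role Name | Create Items | Create Subfolders | Read Items | Edit Items | Delete Items |
| --- | --- | --- | --- | --- | --- |
| Author | Yes | No | Yes | Only items the user owns | Only items the user owns |
| Contributor | Yes | No | No | No | No |
| Editor | Yes | No | Yes | Yes | Yes |
| None | No | No | No | No | No |
| Non-EditingAuthor | Yes | No | Yes | No | No |
| Owner | Yes | Yes | Yes | Yes | Yes |
| PublishingAuthor | Yes | Yes | Yes | Only items the user owns | Yes |
| PublishingEditor | Yes | Yes | Yes | Yes | Yes |
| Reviewer | No | No | Yes | No | No |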

You cannot add client permissions to public folders through the Public Folder Management Console. Instead, permissions must be managed through the Exchange Management Shell.

To give a user rights to a public folder, use the Add-PublicFolderClientPermission cmdlet. In addition to identifying the public folder that you want to change permissions on, you will also need to use the User parameter to specify the user, and the AccessRights parameter to specify the role that you are assigning that user. The following command makes Nora Shea an Editor on the Helpdesk folder:

Add-PublicFolderClientPermission "\Helpdesk" -User "Nora Shea" -AccessRights Editor

One thing that the Add-PublicFolderClientPermission cmdlet does not allow you to do is add permissions recursively down the tree of public folders. The cmdlet only affects the folder that you specified. To get around this, you can create a one-liner to recursively read the list of public folders and then pipe them into the cmdlet. This one-liner would look like this:

Get-PublicFolder "\Helpdesk" -Recurse | Add-PublicFolderClientPermission -User "Nora Shea" -AccessRights Editor

A problem with this approach is that if the user already has permissions defined on one of the folders, the command line generates an error and does not add the new permission. So instead of using this method, you can use a PowerShell script called AddUsersToPFRecursive.ps1 that is included with Exchange 2010. This script is located in the \Scripts directory in your Exchange installation path. When you use this script, you must include the TopPublicFolder parameter to specify the public folder that you want to add permissions to. You will need to specify the user with the User parameter, and the privileges using the Permissions parameter. The following example demonstrates the syntax of this script:

.\AddUsersToPFRecursive.ps1 -TopPublicFolder "\Helpdesk" -User "Nora Shea" -Permissions Editor

2.2. Remove Access to a Public Folder

In addition to granting users access to public folders, you should know how to remove access. Since you can't work with client permissions on public folders in the Public Folder Management Console, you will have to use the EMS for removing permissions.

To remove existing rights from a public folder, you use the Remove-PublicFolderClientPermission cmdlet. When running this command, you must identify the public folder that you want to modify the permissions on and the user that you want to remove, using the User parameter. You will also need to give the command the AccessRights parameter and use it to specify the role that you are removing the user from, as shown in the following example.

Remove-PublicFolderClientPermission "\Helpdesk" -User "Nora Shea" -AccessRights Editor

This cmdlet also suffers from the same problem as the Add-PublicFolderClientPermission cmdlet—it does not remove permissions from the folder's subfolders. Because of this, there is another PowerShell script included with Exchange 2010 that solves this problem. You can use the RemoveUserFromPFRecursive.ps1 script to remove the user's access rights to all the subfolders as well. This script is located in the \Scripts directory of your Exchange Server 2010 installation path. To run this script, use the TopPublicFolder parameter to specify the folder that permissions are stripped from. You will also need to use the User parameter to identify the user who is losing their rights. The following example demonstrates this command:

.\RemoveUserFromPFRecursive.ps1 -TopPublicFolder "\Helpdesk" -User "Nora Shea"

2.3. Manage Public Folder Administrators

Public folder administrators have a different set of privileges than clients. For clients, the access rights are different roles, which define what permissions clients have to view, add, and change content. Since administrators are focused more on managing the configuration of public folders, the list of access rights used is focused on the mechanics of public folders rather than the content. Table 4 describes the access rights available for administering public folders.

Table 4. Public Folder Administrative Access Rights
| Access Right | Description |
| --- | --- |
| AdministerInformationStore | Modify properties of the folder in the information store. |
| AllExtendedRights | Change every setting on the folder. |
| ModifyPublicFolderACL | Add and remove client permissions on a folder. |
| ModifyPublicFolderAdminACL | Add and remove administrator permissions on a folder. |
| ModifyPublicFolderDeletedItemRetention | Change the settings for retaining deleted items. |
| ModifyPublicFolderExpiry | Change the settings for content expiration. |
| ModifyPublicFolderQuotas | Change the quotas for items in the folder and determine whether the default database quotas are overwritten. |
| ModifyPublicFolderReplicaList | Add and remove folder replicas. |
| None | No rights to modify folder settings. |
| ViewInformationStore | View properties of the folder in the information store. |

2.3.1. Add Administrators to a Public Folder

You can add administrative rights to a public folder using the Add-PublicFolderAdministrativePermission cmdlet in the EMS. This command takes the name of the folder, the name of the administrator using the User parameter, and the rights that you want to assign using the AccessRights parameter. The access rights need to be entered as defined in Table 4. For example, the following command gives the Quota Admins group the ability to manage quotas on every public folder:

Add-PublicFolderAdministrativePermission "\" -User "Quota Admins" -AccessRights ModifyPublicFolderQuotas -InheritanceType All

2.3.2. Remove Administrators from a Public Folder

To remove administrative permissions from a public folder, you can use the Remove-PublicFolderAdministrativePermission cmdlet. You will need to specify the administrator with the User parameter and the rights that you want to remove with the AccessRights parameter. The following example demonstrates this command:

Remove-PublicFolderAdministrativePermission "\Helpdesk" -User "Nora Shea" -AccessRights ModifyPublicFolderQuotas

2.4. List the Permissions on a Folder

You can view the permissions on specific public folders and determine who has what kind of access rights. To get a complete list of these permissions, you need to view both the permissions assigned to administrators and the permissions assigned to clients. Both of these permission sets can be viewed in the EMS.

2.4.1. View Client Permissions

To list the permissions that clients have to a public folder, you can use the Get-PublicFolderClientPermission cmdlet. The only parameter required to run this command is the name of the public folder that you want to retrieve the permissions for. The following command lists each client who has permissions defined on the folder and lists what each client's permissions are:

Get-PublicFolderClientPermission "\Helpdesk"

You can further refine this command with the User parameter so it gives you information for a specific user. For example, if you want to know what permissions Nora Shea has on the Helpdesk folder, the following command will tell you and format the results into a table:

Get-PublicFolderClientPermission "\Helpdesk" -User "Nora Shea" | ft User, AccessRights

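Because existing child folders keep the permissions they inherited when they were created, and the Add and Remove cmdlets touch only the folder you name, a subtree can drift away from its top folder. The following added example (not from the original page) compares each child folder's client entries with the top folder's and reports the differences; the helper names and sample rows are constructed for illustration.

```powershell
# Added example, not from the original page. The rows below are constructed.
# In the EMS, $acl could instead be built from the cmdlets described above:
#   $acl = Get-PublicFolder "\Helpdesk" -Recurse | Get-PublicFolderClientPermission
# (assumes Identity, User and AccessRights render as plain text when cast to string).
function New-AclRow($Folder, $User, $Rights) {
    New-Object PSObject -Property @{ Identity = $Folder; User = $User; AccessRights = $Rights }
}

function Find-PermissionDrift {
    param([object[]]$Acl, [string]$TopFolder)

    # Index every entry as "folder|user" -> rights.
    $index = @{}
    foreach ($row in $Acl) {
        $index["$($row.Identity)|$($row.User)"] = "$($row.AccessRights)"
    }
    $folders = @($Acl | ForEach-Object { "$($_.Identity)" } | Sort-Object -Unique)
    $topRows = @($Acl | Where-Object { "$($_.Identity)" -eq $TopFolder })

    # Report each child folder whose entry for a top-folder user is missing or different.
    foreach ($folder in $folders) {
        if ($folder -eq $TopFolder) { continue }
        foreach ($top in $topRows) {
            $actual = $index["$folder|$($top.User)"]
            if ($actual -ne "$($top.AccessRights)") {
                if (-not $actual) { $actual = '(no entry)' }
                New-Object PSObject -Property @{
                    Folder = $folder; User = "$($top.User)"
                    Expected = "$($top.AccessRights)"; Actual = $actual
                }
            }
        }
    }
}

$acl = @(
    (New-AclRow '\Helpdesk'         'Nora Shea' 'Editor'),
    (New-AclRow '\Helpdesk'         'Default'   'Author'),
    (New-AclRow '\Helpdesk\Tickets' 'Nora Shea' 'Editor'),
    (New-AclRow '\Helpdesk\Tickets' 'Default'   'Author'),
    (New-AclRow '\Helpdesk\Archive' 'Default'   'Author'),    # created before the grant
    (New-AclRow '\Helpdesk\KB'      'Nora Shea' 'Reviewer'),  # changed by hand
    (New-AclRow '\Helpdesk\KB'      'Default'   'Author')
)

Find-PermissionDrift -Acl $acl -TopFolder '\Helpdesk' |
    Select-Object Folder, User, Expected, Actual | Format-Table -AutoSize
```

With the constructed rows, the report lists \Helpdesk\Archive (no entry for Nora Shea) and \Helpdesk\KB (Reviewer instead of Editor).
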
2.4.2. View Administrator Permissions

To get a list of the administrator permissions on a public folder, you can use the Get-PublicFolderAdministrativePermission cmdlet. Similar to the cmdlet for listing client permissions, this cmdlet only requires the name of the public folder that you want to view the permissions for. The following command will list all the administrative permissions on a folder:

Get-PublicFolderAdministrativePermission "\Helpdesk"

One thing that you will notice if you run this command on a public folder is that the default set of permissions is applied to universal security groups that Exchange created in Active Directory when it was installed. These groups correspond to the role groups that Exchange uses.

When using the Get-PublicFolderAdministrativePermission cmdlet, you can specify the User parameter. Use the User parameter along with the name of a user to view the administrative permissions that are assigned to that user, as shown here:

Get-PublicFolderAdministrativePermission "\Helpdesk" -User "Nora Shea"

When using this cmdlet to check user permissions, the permissions are listed only if the user is assigned rights directly to the folder. Group memberships are not evaluated. So if the user is a member of a group and the group has permissions defined on the folder, the cmdlet does not return these permissions. If you want to view the permissions that are assigned through a group membership, you will need to run the cmdlet with the name of the groups that the user is a member of instead of the user's name.
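
Since the User parameter does not evaluate group membership, a review of who can administer a folder has to expand groups itself. The following added example (not from the original page) resolves a user's nested groups against a folder's administrative entries; the function names, the $memberOf lookup table, and all sample data are hypothetical, and matching trustees by plain name is an assumption.

```powershell
# Added example, not from the original page. All data below is constructed.
# In the EMS, $adminAcl would come from
#   Get-PublicFolderAdministrativePermission "\Helpdesk"
# $memberOf (principal -> groups it belongs to) is a hypothetical lookup table that
# you would fill from Active Directory; matching on plain names is an assumption.
function Get-EffectiveAdminRights {
    param([object[]]$AdminAcl, [string]$User, [hashtable]$MemberOf)

    # Walk nested group membership breadth-first; the -notcontains test stops cycles.
    $principals = @($User)
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($User)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($group in @($MemberOf[$current])) {
            if ($group -and ($principals -notcontains $group)) {
                $principals += $group
                $queue.Enqueue($group)
            }
        }
    }

    # Keep every ACL row whose trustee is the user or one of the expanded groups.
    $AdminAcl | Where-Object { $principals -contains "$($_.User)" } |
        Select-Object User, AccessRights, @{ Name = 'Via'; Expression = {
            if ("$($_.User)" -eq $User) { 'direct' } else { 'group' } } }
}

function New-AdminRow($User, $Rights) {
    New-Object PSObject -Property @{ User = $User; AccessRights = $Rights }
}
$adminAcl = @(
    (New-AdminRow 'Organization Management' 'AllExtendedRights'),
    (New-AdminRow 'Quota Admins'            'ModifyPublicFolderQuotas')
)
$memberOf = @{
    'Nora Shea'      = @('Helpdesk Leads')
    'Helpdesk Leads' = @('Quota Admins')
}

# A direct -User "Nora Shea" query would list nothing for this ACL;
# the expansion shows the right she holds through nested groups.
Get-EffectiveAdminRights -AdminAcl $adminAcl -User 'Nora Shea' -MemberOf $memberOf |
    Format-Table -AutoSize
```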
