date: Fri, 20 Jun 2008 10:59:01 -0700, group: microsoft.public.exchange.admin


Public Folder Permission problem   
Hello everyone,

I am using a fully patched Exchange 2003 server running on a fully patched 
SBS 2003 box. There are 8 clients accessing the XSVR box thru OL2003.

The problem is with some public folders created by the Admin user (me). I 
created several public folders (one for each employee) and set permissions on 
them so that the employee had "owner" rights to their named folder, and 
members of the security group "employees" had Publishing Editor rights. 
Default and Anonymous have "none" rights. The idea was, of course, that 
everyone had their own public folder, and everyone else can see into it.

Well, that didn't work out so well. Each user can see their own public folder, 
and the Admin and one other user can see everything as intended. None of the 
other users can see into anyone else's public folder.  There's no error 
message when they click on someone else's folder; it just says that there are 
no messages in the folder (I have confirmed that there ARE messages in the 
folders).

So, I have done the following:
1. triple checked permissions and membership in appropriate groups
2. verified that all public folders do, in fact, have messages in them
3. checked the NTDS permission by ctrl-clicking the "client permissions" 
button
4. Tried explicitly adding individual user IDs to the public folders and 
granting explicit permissions to the user IDs themselves (in addition to the 
group perms)
5. Even tried the pfdavadmin tool to repair the ACLs.

Nothing seems to be working - not even no 4, EXPLICITLY ADDING AN INDIVIDUAL 
UID TO THE FOLDER PERMS LIST.

Help!  How can I get my other users able to see the contents of these public 
folders?

Thanks in advance,

-Bruce D.
date: Fri, 20 Jun 2008 10:59:01 -0700   author:   Bruce D

Re: Public Folder Permission problem   
How are the users navigating to the folders?  Or are they top level folders? 
To navigate down a tree they need permissions all the way down, unless they 
specifically put in the full path (this may be achieved with favorites).

-- 
Peter O'Dowd
Exchange Server MVP
http://www.blade.net.nz
"Bruce D"  wrote in message 
news:18109222-06AE-4DFD-AF78-A6951A6676E5@microsoft.com...
> Hello everyone,
>
> I am using a fully patched Exchange 2003 server running on a fully patched
> SBS 2003 box. There are 8 clients accessing the XSVR box thru OL2003.
>
> The problem is with some public folders created by the Admin user (me). I
> created several public folders (one for each employee) and set permissions 
> on
> them so that the employee had "owner" rights to their named folder, and
> members of the security group "employees" had Publishing Editor rights.
> Default and Anonymous have "none" rights. The idea was, of course, that
> everyone had their own public folder, and everyone else can see into it.
>
> Well, that didn't work out so well. Each user can see their own public folder,
> and the Admin and one other user can see everything as intended. None of 
> the
> other users can see into anyone else's public folder.  There's no error
> message when they click on someone else's folder; it just says that there 
> are
> no messages in the folder (I have confirmed that there ARE messages in the
> folders).
>
> So, I have done the following:
> 1. triple checked permissions and membership in appropriate groups
> 2. verified that all public folders do, in fact, have messages in them
> 3. checked the NTDS permission by ctrl-clicking the "client permissions"
> button
> 4. Tried explicitly adding individual user IDs to the public folders and
> granting explicit permissions to the user IDs themselves (in addition to 
> the
> group perms)
> 5. Even tried the pfdavadmin tool to repair the ACLs.
>
> Nothing seems to be working - not even no 4, EXPLICITLY ADDING AN 
> INDIVIDUAL
> UID TO THE FOLDER PERMS LIST.
>
> Help!  How can I get my other users able to see the contents of these 
> public
> folders?
>
> Thanks in advance,
>
> -Bruce D.
>
>
date: Sat, 21 Jun 2008 10:05:06 +1200   author:   Peter O'Dowd (MVP)

Re: Public Folder Permission problem   
They are navigating through the Folder list. Public Folders --> All Public 
Folders --> <employee name>



"Peter O'Dowd (MVP)" wrote:

> How are the users navigating to the folders?  Or are they top level folders? 
> To navigate down a tree they need permissions all the way down, unless they 
> specifically put in the full path (this may be achieved with favorites).
> 
> -- 
> Peter O'Dowd
> Exchange Server MVP
> http://www.blade.net.nz
date: Fri, 20 Jun 2008 15:53:09 -0700   author:   Bruce D

Re: Public Folder Permission problem   
On Fri, 20 Jun 2008 10:59:01 -0700, Bruce D
 wrote:

>I am using a fully patched Exchange 2003 server running on a fully patched 
>SBS 2003 box. There are 8 clients accessing the XSVR box thru OL2003.
>
>The problem is with some public folders created by the Admin user (me). I 
>created several public folders (one for each employee) and set permissions on 
>them so that the employee had "owner" rights to their named folder, and 
>members of the security group "employees" had Publishing Editor rights. 
>Default and Anonymous have "none" rights. The idea was, of course, that 
>everyone had their own public folder, and everyone else can see into it.

You really don't want the security group to be given the role of
"Publishing Editor" if you only intend for others to "see into it".
For that you only need the "Reviewer" role.

>Well, that didn't work out so well. Each user can see their own public folder, 

Because they have permissions to do so.

>and the Admin and one other user can see everything as intended. 

Who's the "one other user", and how was he given permissions (and what
role has been delegated to him)?

>None of the 
>other users can see into anyone else's public folder.  

Those would be the ones in the security group? Is the security group
mail-enabled? Is it a group with Universal scope? Is your AD running
in native-mode?

>There's no error 
>message when they click on someone else's folder; it just says that there are 
>no messages in the folder (I have confirmed that there ARE messages in the 
>folders).
>
>So, I have done the following:
>1. triple checked permissions and membership in appropriate groups
>2. verified that all public folders do, in fact, have messages in them
>3. checked the NTDS permission by ctrl-clicking the "client permissions" 
>button
>4. Tried explicitly adding individual user IDs to the public folders and 
>granting explicit permissions to the user IDs themselves (in addition to the 
>group perms)
>5. Even tried the pfdavadmin tool to repair the ACLs.
>
>Nothing seems to be working - not even no 4, EXPLICITLY ADDING AN INDIVIDUAL 
>UID TO THE FOLDER PERMS LIST.

Well, that's unusual. Do the folders have more than one replica?
date: Fri, 20 Jun 2008 21:21:42 -0400   author:   Rich Matheisen

Re: Public Folder Permission problem   
"Rich Matheisen" wrote:

> On Fri, 20 Jun 2008 10:59:01 -0700, Bruce D
>  wrote:
> 
> >I am using a fully patched Exchange 2003 server running on a fully patched 
> >SBS 2003 box. There are 8 clients accessing the XSVR box thru OL2003.
> >
> >The problem is with some public folders created by the Admin user (me). I 
> >created several public folders (one for each employee) and set permissions on 
> >them so that the employee had "owner" rights to their named folder, and 
> >members of the security group "employees" had Publishing Editor rights. 
> >Default and Anonymous have "none" rights. The idea was, of course, that 
> >everyone had their own public folder, and everyone else can see into it.
> 
> You really don't want the security group to be given the role of
> "Publishing Editor" if you only intend for others to "see into it".
> For that you only need the "Reviewer" role.

Good point by you; poor description by me. The goal is for all of the 
employees to be able to see, create, delete, edit, etc., anything in any of 
the folders.


> 
> >Well, that didn't work out so well. Each user can see their own public folder, 
> 
> Because they have permissions to do so.

Yes, but see my Point 4, below.

> 
> >and the Admin and one other user can see everything as intended. 
> 
> Who's the "one other user", and how was he given permissions (and what
> role has been delegated to him)?

The one user is, well, just one of the users. He does belong to a different 
set of groups, but I switched his groups to match all of the others, and 
there was no practical effect.  I also tried the reverse - switched another 
user's groups to match the one's; no effect.

> 
> >None of the 
> >other users can see into anyone else's public folder.  
> 
> Those would be the ones in the security group? Is the security group
> mail-enabled? Is it a group with Universal scope? Is your AD running
> in native-mode?
> 

Yes, all of the users are part of the "employees" security group; yes, the 
AD is running in Native mode; yes, the group is mail-enabled; no, it's a 
Global group - this is an SBS box and the only server, hardly any point to 
having Universal groups.

> >There's no error 
> >message when they click on someone else's folder; it just says that there are 
> >no messages in the folder (I have confirmed that there ARE messages in the 
> >folders).
> >
> >So, I have done the following:
> >1. triple checked permissions and membership in appropriate groups
> >2. verified that all public folders do, in fact, have messages in them
> >3. checked the NTDS permission by ctrl-clicking the "client permissions" 
> >button
> >4. Tried explicitly adding individual user IDs to the public folders and 
> >granting explicit permissions to the user IDs themselves (in addition to the 
> >group perms)
> >5. Even tried the pfdavadmin tool to repair the ACLs.
> >
> >Nothing seems to be working - not even no 4, EXPLICITLY ADDING AN INDIVIDUAL 
> >UID TO THE FOLDER PERMS LIST.
> 
> Well, that's unusual. Do the folders have more than one replica?

No. As I said, just the one server and just the one location. This is about 
as plain vanilla a setup as there is.
date: Sat, 21 Jun 2008 11:37:00 -0700   author:   Bruce D

Re: Public Folder Permission problem   
On Sat, 21 Jun 2008 11:37:00 -0700, Bruce D
 wrote:

				[ snip ]

>> >and the Admin and one other user can see everything as intended. 
>> 
>> Who's the "one other user", and how was he given permissions (and what
>> role has been delegated to him)?
>
>The one user is, well, just one of the users. He does belong to a different 
>set of groups, but I switched his groups to match all of the others, and 
>there was no practical effect.  I also tried the reverse - switched another 
>user's groups to match the one's; no effect.

What other groups he's a member of shouldn't matter unless he's a
member of the same group that gives the Admin the ability to see the
messages in the folder.

Are the Admin and the security group the only entities that have
permissions on the folders? I'm assuming that "Default" and
"Anonymous" have the role of "None".

				[ snip ]

>Yes, all of the users are part of the "employees" security group; yes, the 
>AD is running in Native mode; yes, the group is mail-enabled; no, it's a 
>Global group - this is an SBS box and the only server, hardly any point to 
>having Universal groups.

Still, I'd make it a Universal scope and see if there's any change in
the results. There's no downside to making it a Universal group.
date: Sat, 21 Jun 2008 17:49:02 -0400   author:   Rich Matheisen
