Exchange 2010 Public Folders and Outlook Folder Assistant

    Question

  • Hi,

    hope someone can point me to right direction.

    We recently migrated from Exchange 2003 to Exchange 2010.
    We also migrated public folders. We used PF replication for migration.
    Although everything seems to be fine for end users, there are some issues for PF’s admins.

    There seems to be some weird permissions problem. I can assign PFClientPermissions and PFAdministrativePermissions without any problems, however it’s a completely different story with PF’s active directory permissions (add-adpermissions).
    I’m using the same admin user that I used to do the migration from Exchange 2003 to 2010. This user is in almost every thinkable admin group (Domain Admins, Enterprise admins and most of the Exchange Security groups). I can do pretty much anything in AD, without any permissions problems.

    When I try to “Manage Send As Permissions” (via PF Management Console) I get the following error:
    ---
    Summary: 1 item(s). 0 succeeded, 1 failed.
    Elapsed time: 00:00:00
    DOMAIN\username
    Failed
    Error:
    Active Directory operation failed on server.domain.com. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    The user has insufficient access rights.
    Exchange Management Shell command attempted:
    Add-ADPermission -Identity 'CN=PFNAME,CN=Microsoft Exchange System Objects,DC=domain,DC=com' -User 'DOMAIN\username' -ExtendedRights 'Send-as'
    Elapsed Time: 00:00:00
    ---
    Needless to say, that if I run the same command from management shell, I get the same error. Actually, I get the same error if I run any add-adpermission command on any migrated PF.

    Since I’m able to get past this problem via ADSIEDIT (look below), the actual problem is a different one (although I’ve come to believe, related). If I try to add a "Reply with template" to a PF with Outlook (using Folder Assistant) – I get the following error in Outlook:  Changes to the rule could not be saved.

    I can make any other rules with Folder Assistant without any problems (for example: forward to someone) – but once I add “Reply with Template” condition, I’ll start getting this error. The most common solution that I could google, was to add “send as” permission to my admin user for that PF in order for the “reply with template” to work. Needless to say - no luck here.

    Have made some tests:
    1 – Using ADSIEDIT, I can modify permissions on a PF object. I tried following: just removed permissions inheritance and copied existing permissions. There were no “Deny” permissions. And weirdly enough, now I can use the add-adpermission cmdlet. So I could add “send as” right to my admin account - since this didn’t help, I added full control permissions – still no good in adding “reply with Template”. When I re-enable permissions inheritance in ADSIEDIT, the add-adpermission problems reappear.

    2 – I created a new PF. I can add “send as” right to this new PF without any problems. However, still can’t add “reply with template” – same error.

    3 – I created another admin account, added it only to relevant Exchange security groups (Organization Management, Public Folder Management), and granted “send as” permission (and later Full Control) on the PF – same behavior. Tried adding him to Exchange Servers group, and some other groups (domain admins and such) – still no change. Adding “reply with template” in Outlook just keeps failing.

    4 – I tried to remove all the default permissions on the PF object with ADSIEDIT, and replaced them with only some Full control permissions (Exchange server, Exchange admins, and some other such groups) – no change. I can see the folder, manage it, change folder assistant rules on it, but just until I keep clear from “reply with template” action – then it fails, as above.

    Just for info – the auto-reply rules made in Exchange 2003 and migrated with PF work fine (replies are being sent). However, if I try to change the working folder assistant rule, I get into the same problems as described above.

    I still believe now, this to be some permissions related problem – main suspect being, that by default I cannot manage adpermissions on migrated PF’s, without modifying PF permissions via ADSIEDIT.

    Does anyone have a suggestion what to try?
    I’d really like to “reset” AD permissions on all the PF’s (Public Folder Store?) to “default”. Can this be done? Is there any documentation on that – and what permissions are needed, for Exchange to keep working properly.
    Any suggestions are appreciated.

    Regards,
    Vahur

    Wednesday, December 16, 2009 1:03 PM

All replies

  • Hello

    I have the same problem with "Reply with Template" (Changes to the rule could not be saved), I also tried everything and still nothing and still should be enough to setup just right "Send As permission"

    I have new install Exchange 2010 and new PF's
    Wednesday, January 20, 2010 7:52 AM
  • Same problem here, haven't found any solution yet... still looking into it. Post if you get it fixed!
    Wednesday, February 10, 2010 2:14 PM
  • Solution is...

    To resolve the issue, we need to provide user following permission

    - Owner permission on Public Folder

    - "Receive as" permission on Exchange Administrative Group

     

    Here is an example 

    -------------------------

    - Create public Folder (Pub04)

    - Mail enable the public folder

    - Created a new mailbox test04 (Using the EMC)

    - Provide Owner permission to test04 on pub04 public folder by running below command

    Add-publicFolderClientPermission \pub04 -AccessRights Owner -User test04

    - Go to Adsiedit and follow below step to provide "Receive as" permission on Exchange Administrative Group (FYDIBOHF23SPDLT)

        - Go to Configuration → services → Microsoft Exchange → Org Name → Administrative Groups → Exchange Administrative Group (FYDIBOHF23SPDLT)

        - Go to properties of Exchange Administrative Group and select Security tab

        - Select "Advanced" option for security tab

        - Select Add and choose test04 users, it should open up another window to provide permissions

        - Make sure under "Apply to" section we have "This object and all descendant objects"

        - Check "Receive as" permission and select apply

    - Log in to client machine with test04 account and try to create rule with Reply With template option

     

    • Proposed as answer by David Bencic Friday, June 03, 2011 5:07 AM
    Thursday, February 18, 2010 9:37 AM
  • I too have this same problem.  I finally was able to get the rule created, but when I go to save it I get the "Changes to the rule could not be saved" error that the first two people in this post get.  I get this error as well even if I make a new Public Folder where I am the owner and have full Send-As rights.
    Thursday, May 20, 2010 1:38 PM
  • At first this Solution works for me in my testlab.

    The Question is why does it work in Exchange 2003 and Exchange 2007 by default but not in Exchange 2010?

    The risk of a mail loop is well known to me but an official statement from Microsoft regarding Exchange 2010 like a KB or a Exchange Team Blog post would be great.

    In addition I would like to know if these changes to the Exchange Administrative Group AD object through ADSIEdit could be dangerous in any way.

    Tuesday, April 12, 2011 3:43 PM
  • Having to give a user Receive As at that level seems like a hack to me and is not a secure solution. Is it possible to set the permissions, make the rule then remove the permissions. Will the rule still work?

     

    I recall having similar issues in a Exch 2003 server but it did work without all this trouble just can't remember what we did to make it work. Where is the actual reply-template being saved?


    Stunpals - Disclaimer: This posting is provided "AS IS" with no warranties.
    Friday, May 20, 2011 6:09 PM
  • I have just spent the past 5 hours narrowing down the exact AD object that needs the “Receive As” permission, as I also agree that granting it to the Exchange Administrative Group is too broad (but it was easy).  FYI, my config: Had Ex2003 then migrated directly to Ex2010.  Had Public Folder issues when Ex2003 was removed (missing ‘Folder Hierarchies’ from AD Configuration [which is where the needed permission is missing from] and ‘Public Folders’ object in that folder).

     

    Thank you to ‘robikra_cdcp.sk’ for presenting what he did, it did solve my issue (but it grants the right to too many objects). 

      

    BTW, you may want to create a Security Group (i.e. PublicFolder-ReceiveAs) or you could even select ‘Domain Users’ for granting the permission.  FYI, don't bother with ‘Public Folder Management’ it won't work for some reason.  Also if you add a Domain / Exchange admin to the new Security Group it won't work due to the Deny permissions all over AD, you must add the Admin level user to the AD object described below.

     

    To grant to the “Receive As” permission only to the needed object:

    - Open ADSI and go to Configuration\Services\Microsoft Exchange\org name\Administrative Groups\Exchange Administrative Group (FYDIBOHF23SPDLT)\Folder Hierarchies

    - Right Click on the Folder Hierarchies object and select Properties

    - Click the Security tab

    - Click the Advanced button

    - Click the Add button

    - Enter the Security Group or User Account of your choice

    - In the ‘Permission Entry for Folder Hierarchies’ dialog you will select ‘Descendant User objects’ for the ‘Apply to’ field

    - For Permissions scroll down to the bottom and select Allow for ‘Receive as’

    - Ok, Ok, Ok

    - Replicate your DCs as this change needs to be on the DC/GC that the Exchange Server happens to be looking at

     

    If someone installs an Ex2010 from scratch it would be great if they could post which AD User/Group is granted the Receive As right to the Folder Hierarchies CN (if the Ex2010 SP1 installs this correctly).

     

    I hope this works for you,

    David Bencic



    • Proposed as answer by David Bencic Friday, June 03, 2011 5:07 AM
    Friday, June 03, 2011 5:03 AM
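One way to check what the two ADSI Edit procedures above leave behind, as an added example that is not part of any post in this thread: it lists every "Receive as" entry on the Exchange Administrative Group and on Folder Hierarchies, and flags hand-set grants at the broader level. The `$OrgDn` value is a placeholder and the `Get-ReceiveAsAce` helper is a hypothetical name; `Get-ADPermission` is the Exchange Management Shell cmdlet.

```powershell
# Added example; run in the Exchange Management Shell with rights to read the
# configuration partition. $OrgDn is a placeholder, not a value from the thread.
$OrgDn      = 'CN=<org name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com'
$AdminGroup = "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,$OrgDn"
$Hierarchy  = "CN=Folder Hierarchies,$AdminGroup"

function Get-ReceiveAsAce {
    # Hypothetical helper: return every ACE on the given objects that carries
    # the Receive-As extended right, tagged with the object it was read from.
    param([Parameter(Mandatory = $true)][string[]]$Identity)
    foreach ($dn in $Identity) {
        Get-ADPermission -Identity $dn |
            Where-Object { $_.ExtendedRights -like 'Receive-As' } |
            Select-Object @{ Name = 'Object'; Expression = { $dn } },
                          User, Deny, IsInherited, InheritanceType
    }
}

$aces = Get-ReceiveAsAce -Identity $AdminGroup, $Hierarchy

# Explicit (non-inherited) Allow entries are the ones someone set by hand,
# for example through ADSI Edit as described in the posts above.
$explicit = $aces | Where-Object { -not $_.IsInherited -and -not $_.Deny }
$explicit | Sort-Object Object, User | Format-Table -AutoSize -Wrap

# A hand-set grant on the administrative group applies to every object beneath
# it, not only the public folder hierarchy, so report those separately.
$explicit |
    Where-Object { $_.Object -eq $AdminGroup } |
    ForEach-Object {
        Write-Warning ("Receive-As set directly on the administrative group for {0} (inheritance: {1})" -f
            $_.User, $_.InheritanceType)
    }

# Deny entries explain why membership in an admin group may not yield the right.
$aces | Where-Object { $_.Deny } | Sort-Object Object, User | Format-Table -AutoSize -Wrap
```

Running it before and after a change gives a record of exactly which principals gained the right and at which level.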
  • I have the same issue - that is need to setup auto responses for a distribution group and when setting up a public folder with redirection to the group in question am not able to setup auto response rule for a folder with error message 'can't save rule'. Tried everything above and still the same thing. In addition, following above recommendation from David Bencic I did not find an option for 'receive as' permission for 'Folder Hierarchies' tree, it does not exist there (contrary to the whole Exchange Administrative Group tree). Don't know where did David find it. The last one maybe because of different version of AD (I'm on 2008 R2 SP1) or Exchange sp\rollup, whatever. The bottom line is to setup a simple thing like that one should not spend hours of hacking. This is not the only one thing that does not work or quirky in 2010 - this edition is full of bugs, design flaws and quirks. I think that what is called 'lemon' in Auto industry. It's worse than 2007 and by far worse than 2003 (2003 did not have all the PROMISES of 2010 but it mostly worked as promised, was fast and relatively easy to manage). The only reason I am not staying on 2003 is pure selfish - doing side projects requires experience with latest software installation, nobody is looking for help with installation of Exchange 2003 these days.

    As to solution to this problem I am interested if there is somebody else who tried all the offered solutions and still did not make it work with all the 'receive as', 'send as' and 'owner' permissions set on the folder as suggested.

    For now I setup a separate mailbox instead of folder to auto response and to redirect to group and I'm telling users 'no, in 2010 you can't make group to auto respond as in the past'. They will need to go to this separate mailbox to turn the autoresponse off\on, and the group itself can not be hidden in address book, otherwise redirection will not work.

    And, by the way, if you have problem enabling it even for Mailbox (instead of folder) - you still might not be able to turn on the Office Assistant or the autoresponse rule from Outlook 2007. In this case use either OWA or Outlook 2003 - it works fine. Speaking of bugs and design quality.

    Saturday, June 04, 2011 7:50 PM
  • Hi,

    advice to contact support http://support.microsoft.com/

    they have more options and will be in a better position to help you, diagnostics etc., ...

    have a nice day


    • Proposed as answer by Arena Joe Thursday, June 23, 2011 6:46 AM
    • Unproposed as answer by Arena Joe Thursday, June 23, 2011 6:46 AM
    Thursday, June 09, 2011 8:42 PM
  • Exchange 2010 SP1 Rollup 4 resolves this issue

    http://support.microsoft.com/kb/2509910

    Thursday, June 23, 2011 6:47 AM
  • I've recently migrated from exchange 2003 to 2010 and also ran into issues giving send as permissions. Here is what I found works for me.  In Exchange Manager Public Folder Management 1) document the aliases because you lose them 2) Disable mail 3) Re-enable mail.  Give this a try, it has worked for me. 

    Regards,

    Rosalyn 

     

    Tuesday, August 02, 2011 3:14 PM
  • you can do it by just going to Public Folder Management Console and access the properties of the public folder.  go to Mail Flow Settings tab and access "Delivery Options" property and add the send as user from there.

     

    worked for me

    • Proposed as answer by NewFifa Wednesday, October 26, 2011 2:37 PM
    Wednesday, October 26, 2011 2:37 PM
  • Thanks! Disabling and re-enabling the email has worked for me. The owner of the public folder changed from exchange 2003 to exchange 2010 server


    • Edited by laurasss Thursday, February 23, 2012 1:33 PM
    Thursday, February 23, 2012 1:23 PM
  • Hi, came across this thread while looking for a solution for the same issue on a mail-enabled folder.  Tried everything suggested here to no avail.  Our Exchange 2010 environment is on SP1, rollup 7.  An earlier post had suggested that rollup 4 would correct this, but we have rollup 4 v2 installed, as described in this article and still have the issue:  http://support.microsoft.com/kb/2579150.

    Wanted to know if anyone here has installed Exchange 2010 SP2 yet and seen if that corrected the issue for them? 

    Thanks!

    Wednesday, August 22, 2012 3:06 PM
  • I have recently come across this issue and not been able to solve the problem.  We were running no service packs and went straight to Exchange 2010 SP2 but it did not fix the issue.  I have not added any of the roll ups for SP2 yet, just installed SP2 but it did not correct this issue.
    Friday, March 08, 2013 3:30 PM
  • Update on this topic.  I created a brand new public folder and set all the necessary permissions and tested the object and it worked.  For some reason it worked on the new AD object but not on the existing object after installing SP2.  This was what worked for me.  I created a new folder but named it something different.  Set up all the permissions and tested to verify it worked.  After the successful test I moved all the items out of the original folder and deleted it.  I renamed the new folder to match the old folder and ADDED the email address of the original object to this item while still leaving the original creation object email address.  Tested again and verified working.  Hope this helps.
    Friday, March 08, 2013 4:34 PM