Ex2013: new created public folder visible to all users

  • Question

  • Dear NC,
    I have the following issue on an Exchange 2013CU1 system:
    When I add a public folder and grant a specific user group permissions, the folder is also visible in Outlook for all other users. They cannot access this folder but they can see it. After a restart of Outlook the folder is gone.....*strange* I have this issue with Outlook 2010 and 2013 and also on OWA.

    I removed the default Access Rights:
    Remove-PublicFolderClientPermission -Identity "\demo" -User Default
    Remove-PublicFolderClientPermission -Identity "\demo" -User Anonymous

    and add the wanted Usergroup:
    Add-PublicFolderClientPermission -Identity "\demo" -User demo -AccessRights Owner


    Get-PublicFolderClientPermission -Identity \demo |fl

    RunspaceId   : 4c2a72f6-dd8a-428a-8069-ea9f92d06620
    Identity     : \demo
    FolderName   : demo
    User         : Default
    AccessRights : {None}
    IsValid      : True
    ObjectState  : New

    RunspaceId   : 4c2a72f6-dd8a-428a-8069-ea9f92d06620
    Identity     : \demo
    FolderName   : demo
    User         : Anonymous
    AccessRights : {None}
    IsValid      : True
    ObjectState  : New

    RunspaceId   : 4c2a72f6-dd8a-428a-8069-ea9f92d06620
    Identity     : \demo
    FolderName   : demo
    User         : demo
    AccessRights : {Owner}
    IsValid      : True
    ObjectState  : New

    any ideas on that...??

    -Bernd

    Thursday, June 13, 2013 12:33 PM

All replies

  • In OWA you cannot see Exchange 2013 public folders. Apply permission to the public folder as soon as you create it. If you apply proper permissions then only those users are able to view the folder.

    Thursday, June 27, 2013 6:08 AM
  • This is wrong!
    You can add Public Folders in Ex2013CU1 to Favorites.

    In the meantime this behavior has been addressed as an issue by MS Support.
    When a solution becomes available I will post it here.

    Thursday, June 27, 2013 6:17 AM
  • I got it man. You are right. You installed CU1 2013. I forgot to consider that.

    Thursday, June 27, 2013 6:50 AM
  • Bernd,

    This is a known behavior of Outlook. Outlook will refresh its cache for granted permissions faster than it does for revoked permissions. The permissions are still enforced on the server side, so even if users see folders and items they are not supposed to, any operation that is disallowed by the server will ultimately fail.

    Is there any specific scenario that you are trying to accomplish by revoking permissions after the folder has been created? If this is the case where you want new folders to be created with a set of specific permissions but remain invisible from currently opened sessions in Outlook, there is a way for doing that on Exchange 2013: you can create the folders under NON_IPM_SUBTREE (which is invisible from Outlook), assign the proper permissions and finally move the folder under the proper parent (see Set-PublicFolder documentation, Path parameter).

    Let us know if that fixes your question.

    Monday, July 8, 2013 11:25 PM
  • Hi Bernd,

    If I understand correctly, your scenario is something like this:

    \

    \Customer1 (only visible by users in the Customer1 group)

    \Customer2 (only visible by users in the Customer2 group)

    Then you try to create CustomerN and hide it from everyone, but as soon as Outlook finds out that the folder has been created it will display \CustomerN for everyone that is connected until it refreshes its tree view.

    The problem here is that there is a time lapse between the creation of the folder and the assignment of permissions. Even if Outlook refreshes its tree view after receiving a notification, there is always the chance that network delays/outages cause folders to be visible for a while.

    To make things worse in your case, since you are hosting each folder in a separate mailbox, you still have to account for the synchronization delay between the master hierarchy and the secondary mailbox. When you create the folder to be hosted on a secondary mailbox, the folder is created in the master and immediately synchronized to that secondary. When you change the folder permissions, they are only going to be updated immediately on the secondary that holds that folder's contents. If the folder + permissions have ever been synchronized to other secondary mailboxes, the new permission assignment will be only synchronized in the next update cycle (15 minutes if someone is connected to them, 24h if not).

    The only way you would be able to reliably have the folders showing up with the permissions you want at creation time is if you were able to assign the permissions at creation time, which is not supported by the New-PublicFolder cmdlet.

    The recommended approach that was given to another customer in the same scenario as yours (hosting) was to create the folders in a path that can't be seen by Outlook, then after setting the proper permissions, move the folder in the tree via Set-PublicFolder. To be even more strict, you can create a provisioning path that nobody can see and then create your customer root folders within that. Something like:

    \NON_IPM_SUBTREE (visible by everyone, but not displayed by Outlook)

    \NON_IPM_SUBTREE\MyProvisioningRoot (visible only to your admin staff)

    Then you can create CustomerN under \NON_IPM_SUBTREE\MyProvisioningRoot (remember, it will be stamped with all permissions from its parent, so only your admin staff); remove and add the proper permissions; Set-PublicFolder \NON_IPM_SUBTREE\MyProvisioningRoot\CustomerN -Path \

    The trick here is that you can create \NON_IPM_SUBTREE\MyProvisioningRoot ahead of time so that any out-of-sync copies have been already updated. And you only need to create that path once.

    Fred

    Thursday, July 11, 2013 12:15 AM
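
The provisioning sequence described in the reply above, as an added example that is not part of the original thread and not a Microsoft script. It assumes \NON_IPM_SUBTREE\MyProvisioningRoot already exists and is restricted to admin staff; the function name, 'Customer9' and 'Customer9-Users' are hypothetical, and the group name is assumed to match the User value that Get-PublicFolderClientPermission prints.

```powershell
# Added example. Run in the Exchange Management Shell.
# Hypothetical helper: stage a folder out of Outlook's view, fix its ACL,
# verify the ACL, and only then move it to where clients can see it.
function New-HiddenProvisionedPublicFolder {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Group,
        [string] $AccessRights = 'Owner',
        [string] $StagingPath  = '\NON_IPM_SUBTREE\MyProvisioningRoot',
        [string] $FinalParent  = '\'
    )
    $ErrorActionPreference = 'Stop'   # any failed step aborts before the move
    $staged = "$StagingPath\$Name"

    # 1. Create under the staging root; the new folder copies its parent's ACL.
    New-PublicFolder -Name $Name -Path $StagingPath | Out-Null

    # 2. Remove any rights held by Default/Anonymous, then grant the tenant group.
    foreach ($entry in Get-PublicFolderClientPermission -Identity $staged) {
        $user   = "$($entry.User)"
        $rights = $entry.AccessRights -join ','
        if (($user -in 'Default', 'Anonymous') -and ($rights -ne 'None')) {
            Remove-PublicFolderClientPermission -Identity $staged -User $user -Confirm:$false
        }
    }
    Add-PublicFolderClientPermission -Identity $staged -User $Group -AccessRights $AccessRights | Out-Null

    # 3. Re-read the ACL and fail closed if it is not what was intended.
    $acl = Get-PublicFolderClientPermission -Identity $staged
    $open = $acl | Where-Object {
        ("$($_.User)" -in 'Default', 'Anonymous') -and (($_.AccessRights -join ',') -ne 'None')
    }
    $granted = $acl | Where-Object {
        ("$($_.User)" -eq $Group) -and (($_.AccessRights -join ',') -eq $AccessRights)
    }
    if ($open -or -not $granted) {
        throw "ACL on $staged is not as expected; folder left in staging."
    }

    # 4. Move into the visible tree; clients first see it with the final ACL.
    Set-PublicFolder -Identity $staged -Path $FinalParent
}

# Example call (constructed names):
# New-HiddenProvisionedPublicFolder -Name 'Customer9' -Group 'Customer9-Users'
```

Entries inherited from the staging root for admin staff stay on the folder after the move, so review them with Get-PublicFolderClientPermission if they should not carry over.
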
  • Hi Fred,

    I have a question for you about public folders in a multitenant Exchange 2013 installation. I have a theory, I never tried this setup.

    If I create a secondary hierarchy public folder mailbox in order to store each customer's public folders and I set the new public folder mailbox to be excluded from serving hierarchy:

    Set-Mailbox <Tenant1_PublicFolder_Mailbox> -PublicFolder -IsExcludedFromServingHierarchy $True

    Now I link every user mailbox account in the tenant with the relative public folder mailbox account:

    Set-Mailbox -Identity <Tenant1_Mailbox_Account1> -DefaultPublicFolderMailbox <Tenant1_PublicFolder_Mailbox>

    Set-Mailbox -Identity <Tenant1_Mailbox_Account2> -DefaultPublicFolderMailbox <Tenant1_PublicFolder_Mailbox>

    and so on for every mailbox account in Tenant1.

    Then I create public folder structure in the Tenant1_PublicFolder_Mailbox and assign permissions.

    Do you think that creating public folders that way won't isolate them from users in different tenants? If I understood the documentation only Tenant1_PublicFolder_AccountN users I linked can access the public folders created in Tenant1_PublicFolder_Mailbox and I won't have privacy problems described in the previous posts, right?

    Davide

    • Edited by C0ReDuMPX Saturday, February 8, 2014 2:10 AM
    Saturday, February 8, 2014 2:06 AM
  • Hi Davide,

    I don't have reasons to believe that this approach would work or even if it is supported. The -IsExcludedFromServingHierarchy flag has to do with AutoDiscover presenting or not that mailbox as a hierarchy server for the users. Besides, configuring a mailbox that is marked as not serving hierarchy as the primary hierarchy for a user shouldn't work either, because of the way we calculate/distribute the load among the hierarchies in an organization.

    The root cause of the problem isn't because there are copies of the hierarchy, that's just an extra complication. The reason why the folder is visible by other tenants is that Outlook caches whatever permissions that a folder has and follows those permissions for displaying the folders (although the server always validates the current permissions). Then, since a folder is created with the same permissions as its parent, by the time you modify the permissions to hide the folder Outlook already has a cached copy of the original permissions.

    As far as I can tell, the only known way of configuring permissions on folders before Outlook can see them is via the NON_IPM_SUBTREE technique that is explained in this thread.

    Regards,

    Fred

    Thursday, February 13, 2014 11:54 PM
  • Hi Fred,

    thanks for your reply.

    That's ok, you are talking about public folder creation and related permissions. I was searching for information about isolation of public folder mailboxes in multi-tenant installations, which is a different topic.

    Can you help me? I have a multi tenant Exchange 2013 installation and I'm trying to isolate public folder mailboxes between tenants.

    I was reading TechNet documentation and it says:

    "IsExcludedFromServingHierarchy   This parameter prevents users from accessing the public folder hierarchy on the specified public folder mailbox. For load-balancing purposes, users are equally distributed across public folder mailboxes by default. When this parameter is set on a public folder mailbox, that mailbox isn't included in this automatic load balancing and won't be accessed by users to retrieve the public folder hierarchy. However, if you set the DefaultPublicFolderMailbox property on a user mailbox to a specific public folder mailbox, the user will still access the specified public folder mailbox even if the IsExcludedFromServingHierarchy parameter is set for that public folder mailbox."

    If that is true, then if I exclude a mailbox from serving hierarchy it can't be accessed by users that try to access the full hierarchy but, if I set that mailbox as DefaultPublicFolderMailbox for all users of a hosted organization (tenant), they can access that mailbox. Right?

    If it works that way, the limitation of this approach is that a tenant user can't access the full hierarchy but only the linked DefaultPublicFolderMailbox, so you can create only 1 Public Folder Mailbox for every tenant.

    I don't know if this configuration can work or if it is supported. In the Microsoft Exchange 2013 multi tenancy whitepaper I can't find information about public folder creation nor isolation.

    I hope you can help me. :)

    Regards,

    Davide

    Friday, February 14, 2014 3:43 AM
  • Hello,

    isn't there some official documentation from Microsoft to set up public folders in a multi-tenant environment? I think it is very sad that after a product is more than 2 years RTM there is still no decent info on this.

    Best regards

    Anthony

    Monday, November 24, 2014 7:26 AM
  • FYI.

    #Modern Public Folders in Multi-Tenant Environments
    http://clintboessen.blogspot.com.br/2016/06/modern-public-folders-in-multi-tenant.html
    https://technet.microsoft.com/en-us/library/jj552408.aspx
    http://www.itnotes.eu/?p=3117
    http://www.itnotes.eu/?p=3039
    Saturday, July 29, 2017 2:26 PM