Folder permission replication issue in Outlook

  • Question

  • Hi all,

    I was wondering whether you can help. Basically, we create shared mail folders in Outlook under a profile that has the Full Access permission configured for the mailbox called SharedMail in Exchange Management Console 2010; each Mail Universal Distribution and Security Group is assigned to the mailbox via AD under the profile called SharedMail. Once this is configured, we then assign each Mail Universal Distribution and Security Group to the designated folders and sub folders created in Outlook with the permissions we want them to have. However, the problem comes when certain users aren't able to access certain folders and sub folders in their Outlook, even though they have the correct permissions to see, view, edit, modify and/or delete under the Mail Universal Distribution and Security Groups. I've also noticed that permissions on a parent folder aren't being passed down to the child folders, and I have to keep applying the same Mail Universal Distribution and Security Groups with the same permissions over and over again. Your assistance would be much appreciated.

    Kind regards,

    RocknRollTim


    Tuesday, October 6, 2015 3:26 PM

All replies

  • OK, first off, folder permissions in Outlook are not inherited from the parent except at time of creation.  Secondly, if you grant a user full access to a mailbox, that person is going to have full access to all folders in that mailbox, regardless of folder settings - there is no "Deny" setting for a mailbox and a mailbox owner owns all mailbox folders.

    That being said, I'm still trying to fully understand what you are doing, as well as what your goal is.  You say you granted Full Access to the SharedMail mailbox for a list of Mail Universal Distribution and Security groups - I assume by this that you mean mail-enabled Universal Security groups.  As my first paragraph said, this action gave everyone in these groups full access to all folders of the mailbox.  Then you went and changed the folder permissions to different permissions - which as my first paragraph stated, did nothing to limit anything; all these users will still have full access to these folders.  Then you state you have some users who are having issues accessing folders in the mailbox - this is most likely due to the fact that Exchange and Outlook have issues when there are many users granted rights to any folder in a given mailbox.

    If your final goal is to have a central location for information that can be made available to everyone in your corporation, I highly recommend that you use SharePoint for this task.  Exchange can be made to do this, but only after a fashion.  SharePoint was built to do this, from the ground up.


    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Tuesday, October 6, 2015 3:45 PM
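
Added example, not posted by anyone in this thread: the two points in the reply above (Full Access holders are not limited by folder permissions, and a folder only copies its parent's permissions at creation) can be checked from the Exchange Management Shell. `SharedMail` is the mailbox named in the thread; the variable names are illustrative.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2010 or later).
# 'SharedMail' is the mailbox from the thread; variable names are illustrative.
$Mailbox = 'SharedMail'

# 1. Who holds explicit Full Access? Folder-level permissions do not
#    restrict these principals, whatever the folder ACLs say.
$fullAccess = Get-MailboxPermission -Identity $Mailbox |
    Where-Object {
        ($_.AccessRights -like '*FullAccess*') -and
        -not $_.IsInherited -and -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\SELF'
    } | Select-Object User, AccessRights

# 2. Collect every folder's ACL as one comparable string, keyed by folder path.
$acls = @{}
Get-MailboxFolderStatistics -Identity $Mailbox | ForEach-Object {
    $path  = $_.FolderPath                              # e.g. /Inbox/Projects
    $id    = '{0}:{1}' -f $Mailbox, $path.Replace('/', '\')
    # Folders that cannot be resolved this way (e.g. the store root) are skipped.
    $perms = Get-MailboxFolderPermission -Identity $id -ErrorAction SilentlyContinue
    if ($perms) {
        $acls[$path] = ($perms |
            ForEach-Object { '{0}={1}' -f $_.User, ($_.AccessRights -join '+') } |
            Sort-Object) -join '; '
    }
}

# 3. Flag subfolders whose ACL differs from the parent's. Permissions are only
#    copied when a folder is created, so later changes to the parent show up here.
$drift = foreach ($path in ($acls.Keys | Sort-Object)) {
    $parent = $path.Substring(0, $path.LastIndexOf('/'))
    if ($parent -and $acls.ContainsKey($parent) -and $acls[$parent] -ne $acls[$path]) {
        New-Object PSObject -Property @{
            Folder    = $path
            Acl       = $acls[$path]
            ParentAcl = $acls[$parent]
        }
    }
}

$fullAccess | Format-Table -AutoSize
$drift | Format-List Folder, Acl, ParentAcl
```

Any group listed in the first table has access to every folder regardless of what the second report shows for that folder.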
  • Hi Will,

    Thank you for responding to my forum thread and suggesting future improvements for our mail system. I forgot to mention that we restarted the Microsoft Exchange Active Directory Topology Service today on the server in Services, which included restarting all other Microsoft Exchange services such as the Microsoft Exchange Information Store Service. I read up on the Internet in several sources that this is supposed to help propagate the permissions in the folder structures within the mail client such as Outlook, but I could have been mistaken. Would you say power cycling the server would be the next option to try, or do you think I need to do a review on folder permissions? I would send you a diagram of our mail folder structures, but I am not sure whether this would help you with determining our problem.

    Kind regards,

    RocknRollTim

    Tuesday, October 6, 2015 10:08 PM
  • Tim,

    Keep in mind the last thing I mentioned in my discussion of your issues - "Then you state you have some users who are having issues accessing folders in the mailbox - this is most likely due to the fact that Exchange and Outlook have issues when there are many users granted rights to any folder in a given mailbox."  Placing a large number of users on a mailbox as delegates will almost always cause issues, and I've never seen it work well for more than 10 added accounts.  And Microsoft has a recommended limit of 1 user with Reviewer permissions on a mailbox - https://support.office.com/en-us/article/Best-practices-when-using-the-Outlook-Calendar-d93f72d3-2361-4e0d-8d6a-5c4939c17f39?ui=en-US&rs=en-US&ad=US

    I'll restate my original position - if you have granted your group full control to the mailbox, any changes to explicit rights to folders will grant all members of the group full access to the entire mailbox.  Adding specific permissions to the folders is causing their Outlook clients to lose their minds trying to reconcile the limited permissions with the full control, and ends up not allowing any access.


    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Wednesday, October 7, 2015 12:08 PM
  • Hi Will,

    Thanks for getting back to me. I have been reading the info you have posted and I can confirm that we have mail folders containing sub mail folders, with each of them being assigned 4 mail-enabled Universal Security groups, each containing 2-12 members, 3 with Editor permissions and 1 with Reviewer permissions. So really we should be using 1 mail-enabled Universal Security group with Editor permissions as opposed to 3 mail-enabled Universal Security groups with Editor permissions? Have I interpreted the info correctly?

    Kind regards,

    RocknRollTim





    Wednesday, October 7, 2015 2:19 PM
  • No, you should be doing one mailbox with editor permissions.  Period.  Additionally, the following from the article I mentioned applies:

    "Even if you only grant Editor permissions to one delegate, avoid adding a large number of delegates with Reviewer or Contributor permissions. This is because adding large numbers of delegates may exhaust other resources."

    And I go back to my original statement - if you really want this to scale the way you are driving, you need to use SharePoint, which was built for this type of functionality.


    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })


    • Edited by Will Martin, PFE Wednesday, October 7, 2015 3:34 PM
    • Proposed as answer by David Wang_ Thursday, October 8, 2015 1:21 AM
    • Marked as answer by David Wang_ Tuesday, October 20, 2015 5:18 AM
    Wednesday, October 7, 2015 3:31 PM
  • Hi Will,

    Just to let you know I have managed to fix the replication issue by un-ticking Exchange Cached Mode and reopening Outlook on each client. Thank you for all your help.

    Many thanks,

    RocknRollTim 

    • Marked as answer by RocknRollTim Saturday, November 14, 2015 6:00 PM
    Saturday, November 14, 2015 5:57 PM
  • I have two questions, one that I asked previously and never got an answer to, and a new one that is related:  Did you grant full mailbox access to all members of the group?  And if you did, have you checked to see if the users are able to change the permissions on the folders, thereby granting themselves more rights than you intend?  If the users have full control to the mailbox, they own all the folders - you can't change this permanently by changing the folder rights.  Online mode just makes the client check its rights on the server directly - it doesn't take its ownership away.

    I'll add that placing Outlook in online mode will break things that you didn't intend to break.  These are related to sending email from a shared mailbox (any shared mailbox, not just this one), so if you find that your users complain about not being able to send email from shared mailboxes, or that when they do, the message just sits in their outbox, you will know why.


    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Sunday, November 15, 2015 1:05 PM
  • Hi Will,

    Sorry for the delay in getting back to you. I did grant full mailbox access, but only for IT members, and checked permissions on each folder in Outlook for each user and group, but not granting them full permissions to all or some folders.

    I am taking note of what you are saying though.

    Regards,

    RocknRollTim

    Friday, November 27, 2015 5:08 PM