locked
Modify Public Folder permissions for Default user. RRS feed

  • Question

  • Users can create public folders willy nilly and I need to put a stop to it.

    When I look at the permissions for the root folder:

    [PS] C:\Windows\system32>Get-PublicFolder | Get-PublicFolderClientPermission

    Identity                                                           User                                                               AccessRights
    --------                                                           ----                                                               ------------
    \                                                                  Default                                                            {PublishingAuthor}
    \                                                                  Anonymous                                                          {Reviewer}

    I'd like to modify the Default user to "None".  I've tried modifying the permissions and they won't stick.

    Get-PublicFolder | Add-PublicFolderClientPermission -User "Default" -AccessRights "None"

    I was going to try using PFDaveAdmin but that tries to propogate all the way down the tree and I don't want to screw up current permissions.

    Anyone know how to midify the default user?  Can I add a specific group to the root folder to deny access?


    David Jenkins
    Thursday, October 6, 2011 3:08 PM

Answers

  • Check adsiedit.

    1.Start the ADSI Edit utility

    2.Double-click Configuration Container.
    3.Expand CN=Configuration, CN=Services, CN=Microsoft Exchange. Right-click your organizational name's container, and select Properties.

    4..Select the Security tab.
    5.Click Advanced.

    6.On the Permissions tab, find the entry with a name of Everyone and a permission of "Create top level public folder." You shouldn't need to click deny just make sure allow is unchecked.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Thursday, October 6, 2011 3:21 PM

All replies

  • I've also tried removing.

    Get-PublicFolder | Get-PublicFolderClientPermission -User "Default" | Remove-PublicFolderClientPermission

    Remove-PublicFolderClientPermission : Failed to commit the change on object "000000001A447390AA6611CD9BC800AA002FC45A0300B8EFF359CDC69641BCD71F34D1A12DA30000
    At line:1 char:106
    + Get-PublicFolder | Get-PublicFolderClientPermission -User "Default" | Remove-PublicFolderClientPermission <<<<
        + CategoryInfo          : NotSpecified: (0:Int32) [Remove-PublicFolderClientPermission], MapiAccessDeniedException
        + FullyQualifiedErrorId : 2D66E147,Microsoft.Exchange.Management.MapiTasks.RemovePublicFolderClientPermission


    David Jenkins
    Thursday, October 6, 2011 3:17 PM
  • Check adsiedit.

    1.Start the ADSI Edit utility

    2.Double-click Configuration Container.
    3.Expand CN=Configuration, CN=Services, CN=Microsoft Exchange. Right-click your organizational name's container, and select Properties.

    4..Select the Security tab.
    5.Click Advanced.

    6.On the Permissions tab, find the entry with a name of Everyone and a permission of "Create top level public folder." You shouldn't need to click deny just make sure allow is unchecked.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Thursday, October 6, 2011 3:21 PM
  • Thanks.  I had just found it when you posted.

    http://www.petri.co.il/limit_creation_of_top-level_exchange_public_folders.htm

     


    David Jenkins
    Thursday, October 6, 2011 3:22 PM
  • I don't have a server available to test this right now, but I think you may have more luck with

    Remove-PublicFolderClientPermission

    I'm not sure what happens when existing permissions are overwritten - do they get added to (in which case adding "None" will have no effect), or are they replaced?  I honestly don't know.


    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Thursday, October 6, 2011 3:23 PM
  • Already ran through that.  See entry above.  ADSI is the way to go.  Stay away from PFDaveAdmin it will wipe your settings.

     


    David Jenkins
    Thursday, October 6, 2011 3:24 PM
  • Hi James

    I am also facing the same problem, I want to block all users adding any content (Folder/files/post) in public folder without Exchange Administrator permits them..

    I tried your above steps and unable to find the entry "Everyone with a permission of Create top level public folder", then I created the value manually and set allow but still same problem.

    Thanks..


    George-Canar
    Wednesday, December 7, 2011 2:25 PM
  • The fix above is only for the top level folder right.

    You have to use regular public folder security for subfolders.

    Use the PowerShell command 'Get-PublicFolderClientPermission'" and of course it's brother Set-....


    David Jenkins
    Wednesday, December 7, 2011 2:28 PM
  • Hi David / James

    I am talking about top level folder / Root folder permission only.

    I tried do the following... but didn't find the value "Create top level public folder" with Everyone.

    http://www.petri.co.il/limit_creation_of_top-level_exchange_public_folders.htm

     


    George-Canar
    Thursday, December 8, 2011 6:45 AM