This article describes common scenarios that arise in the context of managing permissions on Microsoft Exchange Server. While the article was written for earlier versions of Microsoft Exchange, the information applies to all versions of Exchange server, however, the exact path to the user accounts will vary.
How to view shared subfolders in an Exchange mailbox explains in detail how to configure permissions to folders using Outlook. It includes a video tutorial.
Microsoft Exchange Server Public Folder DAV-based Administration Tool allows the admin to change permissions on the mailboxes on the Exchange server. It works with all mailbox folders.
If you don’t see permissions on objects in the Exchange Administrator program (4.0 – 5.5), choose Tools | Options, switch to the Permissions tab, then check the box for Show Permissions pages for all objects.
Existing folders do not automatically propagate permission changes to child folders. However, new folders do inherit permissions from their parents. Also, using the Exchange Administrator program, you can propagate settings to child folders.
If you are not the administrator and need to manage folder permissions, ask the administrator to set up some distribution lists that you can use for setting permissions on the folders. You will need to have permission to edit the DL. Then, when someone new needs to be added, you’ll just change the DL — adding and removing members through Outlook — not the permissions on each folder.
- XCLN: How to Create Public Folders and Set Default Properties on All Subsequently Created Folders
- XADM: Propagating Permissions to All Public Folder Subfolders
- XADM: Using PFADMIN to Remove Public Folder Permissions
- XADM You Cannot Add a Distribution Group to Permissions of a Public Folder in Exchange 2000 — If you want to use a distribution group, you need AD in native mode.
- XADM White Paper – Public Folder Permissions in a Mixed-Mode Microsoft Exchange Organization
- Using a Security Group to Create Public Folder Permissions
- Working with Store Permissions in Microsoft Exchange 2000 and 2003
User Reply Address
- You want a user to be able to reply to messages sent to a public folder with the folder’s address.
- You want a user to be able to reply with another mailbox’s address — without the user’s own address appearing anywhere on the reply.
- You want to be able to send using the return address of a distribution list in the Global Address List (GAL).
The solution is the same in all cases: You must grant Send As permission on the folder or mailbox using the Exchange Administrator program or Active Directory. Send As is granted via accounts and groups, not mailboxes and Exchange distribution lists. If you want a user to send with a folder’s address, the folder must not be hidden.
Once the user has Send As permission, they can use View | From Field in Outlook to display the From box and either click From to choose from the Address Book or type in the name of the public folder or other mailbox. If the public folder is hidden from the GAL, the user should go to the folder’s Properties page and add the folder’s address to their own address book.
- HOW TO Grant Send As and Send on Behalf Permissions in Exchange 2000 Server
- XADM How to Grant a User Send As Rights in Exchange Server 5.5 and Exchange 2000
Remove Mailbox Permission Cmdlet
The powershell command Remove-MailboxPermission allows you to remove permissions from a user’s mailbox, for example, removing full access to another user’s mailbox.
For example, this code would remove Diane’s permission to Mary’s mailbox.
Remove-MailboxPermission -Identity mary -User diane -AccessRights FullAccess -InheritanceType All
For more information, see Remove-MailboxPermission (TechNet)
Access Security Manager controls and verifies Exchange/Outlook mailbox and public folder access rights and permissions. ASM enables you to audit and update users' permissions in line with approved security policy and practices, e.g. when an employee changes roles within or leaves the company. Recent updates allow you to dump the permissions into a database for more granular auditing. ASM is used by some of the largest banks is US, Europe and Japan to assist with security management
Use U-BTech's ADDelegates to manage recipient and mailbox folder permissions. Delegate control, including the "Deliver meeting requests" setting, outlook folder permissions, Free/Busy options for controlling the time, subject and location details are now at your Active Directory MMC.
ExFolders is a port of PFDAVAdmin to Exchange 2010 but must be run from an Exchange 2010 server. Used to manage folder permissions on Exchange 2010 or Exchange 2007 (but not older versions).
Symprex Folder Permissions Manager allows administrators to centrally manage all permissions on mailbox folders and public folders on Exchange 5.5, 2000 and 2003. Folder permissions can be listed and changed manually, or using templates with permissions settings created using the built-in wizard. Permissions can be applied to any number of mailboxes and folders at the click of a button.
Messageware NavGuard prevents confidential company data from being exposed when users attempt to leave an active OWA session to browse other sites without first logging off. In native OWA, navigating away from active OWA sessions opens up a security vulnerability by leaving OWA sessions accessible to other users. With NavGuard, users are alerted that a security event is about to occur and they must choose to first log off before navigating to another page or return to their active OWA session.
Messageware TimeGuard protects OWA accounts from users who leave their OWA accounts open or fail to logoff by automatically ending OWA sessions after a preset period of inactivity. TimeGuard prompts users when their session has been inactive for the preset amount of time and gives them the option to extend the session or logoff. A max timeout also forces users to re-authenticate after a preset max session time has elapsed. TimeGuard works in conjunction with ISA and forms-based authentication.
Tool from the Exchange 2000 Resource Kit to change permissions and replication settings for a folder and its subfolders. Does not work with any version of Exchange after Exchange 2000 SP1.
Free tool from Microsoft for managing permissions on public and mailbox folders, including all the way down to the item level. Requires .NET Framework. For use with Exchange 2000 Server, Exchage Server 2003 and Exchange Server 2007.
View folder permissions and other properties. Export folder properties and permissions to a text file or relational database for analysis. Send customized messages to folder owners. Manage orphaned public folder client permissions.
Allows you to set default permissions on individual folders within mailboxes throughout your organization or on groups of mailboxes. Free.
Set All Calendars to Reviewer
Many organizations want people to not only see each other’s free/busy times but also get appointment details. Therefore, they want to enforce a policy of using Reviewer as the default permission on each user’s Calendar folder. This is not a capability built into Outlook, but you can perform this task with some of the tools above.
If you want to experiment, you could also create a custom application using CDO and the ACL Component from the Platform SDK to manage permissions; a version of Acl.dll compiled for Windows NT/2000 is available from Microsoft’s FTP site (this site is not always responsive). If you need a Windows 95/98 version, you’ll have to compile the C++ source yourself. More information:
- Sue Mosher’s pre-conference Workshop from Microsoft Exchange Conference 99 — The PowerPoint presentation for Segment 5 (324kb) includes details on the ACL model. The source code (473kb) includes a sample Outlook 2000 VBA project that runs on Windows NT only.
- XADM Changes to Primary Windows NT Account on Mailbox Do Not Take Effect — How to make your permissions changes take effect right away
- XADM Send As Rights Granted to Local Administrators — fixed in Exchange 2000 SP2
- MAPI based permission roles for public folders in Exchange 2000