Managing Exchange Server Permissions

Last reviewed on June 4, 2012

This article describes common scenarios that arise when managing permissions on Microsoft Exchange Server. Although the article was written for earlier versions of Microsoft Exchange, the information applies to all versions of Exchange Server; only the exact path to the user accounts will vary.

How to view shared subfolders in an Exchange mailbox explains in detail how to configure permissions to folders using Outlook. It includes a video tutorial.

Microsoft Exchange Server Public Folder DAV-based Administration Tool allows the admin to change permissions on the mailboxes on the Exchange server. It works with all mailbox folders.

Viewing Permissions | Folder Permissions | User Reply Address | Tools | Set All Calendars to Reviewer | More Information

Viewing Permissions

If you don’t see permissions on objects in the Exchange Administrator program (4.0 – 5.5), choose Tools | Options, switch to the Permissions tab, then check the box for Show Permissions pages for all objects.

Folder Permissions

Existing folders do not automatically propagate permission changes to child folders. However, new folders do inherit permissions from their parents. Also, using the Exchange Administrator program, you can propagate settings to child folders.

If you are not the administrator and need to manage folder permissions, ask the administrator to set up some distribution lists that you can use for setting permissions on the folders. You will need to have permission to edit the DL. Then, when someone new needs to be added, you’ll just change the DL — adding and removing members through Outlook — not the permissions on each folder.

User Reply Address

Several scenarios:

  • You want a user to be able to reply to messages sent to a public folder with the folder’s address.
  • You want a user to be able to reply with another mailbox’s address — without the user’s own address appearing anywhere on the reply.
  • You want to be able to send using the return address of a distribution list in the Global Address List (GAL).

The solution is the same in all cases: You must grant Send As permission on the folder or mailbox using the Exchange Administrator program or Active Directory. Send As is granted via accounts and groups, not mailboxes and Exchange distribution lists. If you want a user to send with a folder’s address, the folder must not be hidden.

Once the user has Send As permission, they can use View | From Field in Outlook to display the From box and either click From to choose from the Address Book or type in the name of the public folder or other mailbox. If the public folder is hidden from the GAL, the user should go to the folder’s Properties page and add the folder’s address to their own address book.

Remove Mailbox Permission Cmdlet

The PowerShell cmdlet Remove-MailboxPermission allows you to remove permissions from a user’s mailbox, for example, to remove one user’s full access to another user’s mailbox.

For example, this code would remove Diane’s permission to Mary’s mailbox.

Remove-MailboxPermission -Identity mary -User diane -AccessRights FullAccess -InheritanceType All

For more information, see Remove-MailboxPermission (TechNet)
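The following is an added example, not code from the original article. It reviews the explicit FullAccess and Send As grants on Mary's mailbox before removing Diane's access, because Send As (covered under User Reply Address above) is a separate Active Directory right that Remove-MailboxPermission does not touch. It assumes an on-premises Exchange Management Shell (Exchange 2007 or later); the names mary and diane come from the example above.

```powershell
# Added example: review, remove (preview), and verify a user's rights on a mailbox.
# Assumes the on-premises Exchange Management Shell; 'mary' and 'diane' are the
# mailbox and user from the article's example.
$mailbox = Get-Mailbox -Identity 'mary'
$trustee = 'diane'

# 1. Record every explicit (non-inherited) FullAccess grant before changing
#    anything. Inherited entries are set at a higher level than the mailbox.
$fullAccess = Get-MailboxPermission -Identity $mailbox.Identity |
    Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
        ($_.AccessRights -match 'FullAccess')
    }
$fullAccess | Select-Object Identity, User, AccessRights | Format-Table -AutoSize

# 2. Send As is an Active Directory extended right, stored separately from
#    mailbox permissions, so list it as well.
$sendAs = Get-ADPermission -Identity $mailbox.DistinguishedName |
    Where-Object {
        -not $_.IsInherited -and
        $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
        ($_.ExtendedRights -match 'Send-As')
    }
$sendAs | Select-Object Identity, User, ExtendedRights | Format-Table -AutoSize

# 3. Preview both removals with -WhatIf; rerun without -WhatIf to apply them.
Remove-MailboxPermission -Identity $mailbox.Identity -User $trustee `
    -AccessRights FullAccess -InheritanceType All -WhatIf
Remove-ADPermission -Identity $mailbox.DistinguishedName -User $trustee `
    -ExtendedRights 'Send As' -WhatIf

# 4. After applying, confirm that no explicit mailbox rights remain for the user.
$left = Get-MailboxPermission -Identity $mailbox.Identity -User $trustee |
    Where-Object { -not $_.IsInherited }
if ($left) { Write-Warning "Explicit mailbox rights remain for $trustee" }
```

Rights that Diane holds through group membership appear under the group's name in steps 1 and 2, not under her own account, so check the listed groups as well.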

Tools

Access Security Manager

Access Security Manager controls and verifies Exchange/Outlook mailbox and public folder access rights and permissions. ASM enables you to audit and update users' permissions in line with approved security policy and practices, e.g. when an employee changes roles within the company or leaves it. Recent updates allow you to dump the permissions into a database for more granular auditing. ASM is used by some of the largest banks in the US, Europe and Japan to assist with security management.

ADDelegates

Use U-BTech's ADDelegates to manage recipient and mailbox folder permissions. Delegate control, including the "Deliver meeting requests" setting, Outlook folder permissions, and Free/Busy options for controlling the time, subject and location details, is available from your Active Directory MMC.

ExFolders

ExFolders is a port of PFDAVAdmin to Exchange 2010 but must be run from an Exchange 2010 server. Used to manage folder permissions on Exchange 2010 or Exchange 2007 (but not older versions).

Folder Permissions Manager

Symprex Folder Permissions Manager allows administrators to centrally manage all permissions on mailbox folders and public folders on Exchange 5.5, 2000 and 2003. Folder permissions can be listed and changed manually, or using templates with permissions settings created using the built-in wizard. Permissions can be applied to any number of mailboxes and folders at the click of a button.

Messageware NavGuard for OWA

Messageware NavGuard prevents confidential company data from being exposed when users attempt to leave an active OWA session to browse other sites without first logging off. In native OWA, navigating away from active OWA sessions opens up a security vulnerability by leaving OWA sessions accessible to other users. With NavGuard, users are alerted that a security event is about to occur and they must choose to first log off before navigating to another page or return to their active OWA session.

Messageware TimeGuard for OWA

Messageware TimeGuard protects OWA accounts from users who leave their OWA accounts open or fail to logoff by automatically ending OWA sessions after a preset period of inactivity. TimeGuard prompts users when their session has been inactive for the preset amount of time and gives them the option to extend the session or logoff. A max timeout also forces users to re-authenticate after a preset max session time has elapsed. TimeGuard works in conjunction with ISA and forms-based authentication.

PFAdmin

Tool from the Exchange 2000 Resource Kit to change permissions and replication settings for a folder and its subfolders. Does not work with any version of Exchange after Exchange 2000 SP1. Also see:

  • XADM The Pfadmin Utility Does Not Work with Error Message OpenAddressBook Failed, Error 0x40380
  • XADM Error Message When You Set Permissions on Public Folders Invalid Windows Handle ID No 80040102 Exchange System Manager
PFDavAdmin

Free tool from Microsoft for managing permissions on public and mailbox folders, including all the way down to the item level. Requires .NET Framework. For use with Exchange 2000 Server, Exchange Server 2003 and Exchange Server 2007.

Public Folder Utility

View folder permissions and other properties. Export folder properties and permissions to a text file or relational database for analysis. Send customized messages to folder owners. Manage orphaned public folder client permissions.

SetPerm

Allows you to set default permissions on individual folders within mailboxes throughout your organization or on groups of mailboxes. Free.

Set All Calendars to Reviewer

Many organizations want people to not only see each other’s free/busy times but also get appointment details. Therefore, they want to enforce a policy of using Reviewer as the default permission on each user’s Calendar folder. This is not a capability built into Outlook, but you can perform this task with some of the tools above.

If you want to experiment, you could also create a custom application using CDO and the ACL Component from the Platform SDK to manage permissions; a version of Acl.dll compiled for Windows NT/2000 is available from Microsoft’s FTP site (this site is not always responsive). If you need a Windows 95/98 version, you’ll have to compile the C++ source yourself. More information:

  • Sue Mosher’s pre-conference Workshop from Microsoft Exchange Conference 99 — The PowerPoint presentation for Segment 5 (324kb) includes details on the ACL model. The source code (473kb) includes a sample Outlook 2000 VBA project that runs on Windows NT only.
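As an added example (not from the original article or any of the tools listed), the Reviewer policy described above can also be scripted with the mailbox folder permission cmdlets. This assumes the Exchange Management Shell on Exchange 2010 or later; the CSV file name is a placeholder.

```powershell
# Added example: set the Default permission on every user's Calendar to Reviewer,
# recording the previous value first so the change can be audited or reverted.
# Assumes the Exchange Management Shell on Exchange 2010 or later.
$results = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # The Calendar folder name is localized, so find it by folder type, not by name.
    $cal = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
    if (-not $cal) { continue }

    # Folder identity has the form mailbox:\FolderPath
    $folderId = '{0}:{1}' -f $mbx.PrimarySmtpAddress, ($cal.FolderPath -replace '/', '\')

    # Current rights of the built-in Default entry (everyone in the organization)
    $default = Get-MailboxFolderPermission -Identity $folderId -User Default
    $before  = $default.AccessRights -join ','

    if ($before -ne 'Reviewer') {
        # -WhatIf previews the change; remove it to apply the policy.
        Set-MailboxFolderPermission -Identity $folderId -User Default `
            -AccessRights Reviewer -WhatIf
    }

    New-Object PSObject -Property @{
        Mailbox       = $mbx.PrimarySmtpAddress
        Folder        = $folderId
        DefaultBefore = $before
    }
}

# Keep a record of every calendar whose Default entry was not already Reviewer.
$results | Where-Object { $_.DefaultBefore -ne 'Reviewer' } |
    Export-Csv -Path .\calendar-default-before.csv -NoTypeInformation
```

Reviewer on the Default entry lets every authenticated user in the organization read appointment details, so the exported CSV is the record to use if a mailbox needs to be returned to its previous setting.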

Written by

Diane Poremsky
A Microsoft Outlook Most Valuable Professional (MVP) since 1999, Diane is the author of several books, including Outlook 2013 Absolute Beginners Book. She also created video training CDs and online training classes for Microsoft Outlook. You can find her helping people online in Outlook Forums as well as in the Microsoft Answers and TechNet forums.
