This article describes common scenarios that arise in the context of managing permissions on Microsoft Exchange Server. While the article was written for earlier versions of Microsoft Exchange, the information applies to all versions of Exchange Server; however, the exact path to the user accounts will vary.
How to view shared subfolders in an Exchange mailbox explains in detail how to configure permissions to folders using Outlook. It includes a video tutorial.
Microsoft Exchange Server Public Folder DAV-based Administration Tool allows the admin to change permissions on the mailboxes on the Exchange server. It works with all mailbox folders.
If you don't see permissions on objects in the Exchange Administrator program (4.0 - 5.5), choose Tools | Options, switch to the Permissions tab, then check the box for Show Permissions pages for all objects.
Existing folders do not automatically propagate permission changes to child folders. However, new folders do inherit permissions from their parents. Also, using the Exchange Administrator program, you can propagate settings to child folders.
If you are not the administrator and need to manage folder permissions, ask the administrator to set up some distribution lists that you can use for setting permissions on the folders. You will need to have permission to edit the DL. Then, when someone new needs to be added, you'll just change the DL -- adding and removing members through Outlook -- not the permissions on each folder.
User Reply Address
- You want a user to be able to reply to messages sent to a public folder with the folder's address.
- You want a user to be able to reply with another mailbox's address -- without the user's own address appearing anywhere on the reply.
- You want to be able to send using the return address of a distribution list in the Global Address List (GAL).
The solution is the same in all cases: You must grant Send As permission on the folder or mailbox using the Exchange Administrator program or Active Directory. Send As is granted via accounts and groups, not mailboxes and Exchange distribution lists. If you want a user to send with a folder's address, the folder must not be hidden.
Once the user has Send As permission, they can use View | From Field in Outlook to display the From box and either click From to choose from the Address Book or type in the name of the public folder or other mailbox. If the public folder is hidden from the GAL, the user should go to the folder's Properties page and add the folder's address to their own address book.
Remove Mailbox Permission Cmdlet
The PowerShell cmdlet Remove-MailboxPermission allows you to remove permissions from a user's mailbox, for example, removing full access to another user's mailbox.
For example, this code would remove Diane's permission to Mary's mailbox.
Remove-MailboxPermission -Identity mary -User diane -AccessRights FullAccess -InheritanceType All
For more information, see Remove-MailboxPermission (TechNet)
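Before removing access it helps to see which FullAccess entries are explicit and which are inherited, and to preview the change. The following is an added example, not part of the original article; it assumes the Exchange Management Shell and reuses the article's sample names mary and diane.

```powershell
# Added example: audit FullAccess on a mailbox, then preview the removal.
# Assumes the Exchange Management Shell; 'mary' and 'diane' are sample names.
$mailbox = 'mary'
$trustee = 'diane'

# Every FullAccess entry on the mailbox, except the owner's own SELF entry.
$entries = Get-MailboxPermission -Identity $mailbox |
    Where-Object {
        $_.AccessRights -like '*FullAccess*' -and
        $_.User -notlike 'NT AUTHORITY\SELF'
    }

# IsInherited shows whether the entry was set on this mailbox or on a parent
# object; Deny shows whether it blocks rather than grants access.
$entries | Format-Table User, AccessRights, IsInherited, Deny -AutoSize

# Look for an explicit (non-inherited) allow entry for the trustee.
$explicit = $entries | Where-Object {
    -not $_.IsInherited -and -not $_.Deny -and
    ($_.User -like "*\$trustee" -or $_.User -like $trustee)
}

if ($explicit) {
    # -WhatIf only reports what would happen. Remove it to apply the change.
    Remove-MailboxPermission -Identity $mailbox -User $trustee `
        -AccessRights FullAccess -InheritanceType All -WhatIf
}
else {
    Write-Warning "No explicit FullAccess entry for $trustee on $mailbox."
}

# After applying the change, confirm that no entry for the trustee remains.
Get-MailboxPermission -Identity $mailbox -User $trustee |
    Format-Table User, AccessRights, IsInherited -AutoSize
```

If the final check still lists an entry with IsInherited set to True, the access was granted on a parent object and has to be reviewed there.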
Symprex Folder Permissions Manager allows administrators to centrally manage all permissions on mailbox folders and public folders on Exchange 5.5, 2000 and 2003. Folder permissions can be listed and changed manually, or using templates with permissions settings created using the built-in wizard. Permissions can be applied to any number of mailboxes and folders at the click of a button.
Messageware NavGuard monitors an OWA user's activity and alerts the user to security exposures that occur when they browse to other sites without first logging off OWA. Leaving an active OWA session in the background where it is available to other users creates a critical security vulnerability. With NavGuard, a friendly prompt alerts users that a security event is about to occur and requires them to choose to log off before continuing to another web page or to return to their active OWA session.
Messageware TimeGuard protects OWA sessions from unauthorized access. When users leave their active OWA sessions idle for a specified period of time, TimeGuard will automatically log the user off to enforce corporate security policies specifying the amount of time a user can leave a session inactive. Notification of inactivity will provide the user with the option to either extend the session or log off. A maximum session timeout forces users to re-authenticate after a configurable period of time.
View folder permissions and other properties. Export folder properties and permissions to a text file or relational database for analysis. Send customized messages to folder owners. Manage orphaned public folder client permissions.
Set All Calendars to Reviewer
Many organizations want people to not only see each other's free/busy times but also get appointment details. Therefore, they want to enforce a policy of using Reviewer as the default permission on each user's Calendar folder. This is not a capability built into Outlook, but you can perform this task with some of the tools above.
If you want to experiment, you could also create a custom application using CDO and the ACL Component from the Platform SDK to manage permissions; a version of Acl.dll compiled for Windows NT/2000 is available from Microsoft's FTP site (this site is not always responsive). If you need a Windows 95/98 version, you'll have to compile the C++ source yourself. More information:
- Sue Mosher's pre-conference Workshop from Microsoft Exchange Conference 99 -- The PowerPoint presentation for Segment 5 (324kb) includes details on the ACL model. The source code (473kb) includes a sample Outlook 2000 VBA project that runs on Windows NT only.
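On Exchange 2010 and later, the Reviewer-by-default calendar policy described above can also be applied from the Exchange Management Shell. The following is an added example, not part of the original article; it goes beyond the tools the article lists and assumes the Get-MailboxFolderPermission and Set-MailboxFolderPermission cmdlets are available.

```powershell
# Added example: set the Default permission on every user's Calendar folder
# to Reviewer. Assumes Exchange 2010 or later (Exchange Management Shell).
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited `
                               -RecipientTypeDetails UserMailbox) {
    $address = "$($mbx.PrimarySmtpAddress)"

    # The calendar folder name is localized, so look it up per mailbox
    # instead of assuming it is called "Calendar".
    $cal = Get-MailboxFolderStatistics -Identity $address -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } |
        Select-Object -First 1
    if (-not $cal) { continue }

    $folderId = '{0}:\{1}' -f $address, $cal.Name
    $current  = Get-MailboxFolderPermission -Identity $folderId -User Default
    $before   = "$($current.AccessRights)"

    if ($before -ne 'Reviewer') {
        # -WhatIf previews the change. Remove it to apply the policy.
        Set-MailboxFolderPermission -Identity $folderId -User Default `
            -AccessRights Reviewer -WhatIf
    }

    # Record the previous value so the change can be reviewed or reverted.
    New-Object PSObject -Property @{
        Mailbox = $address
        Folder  = $cal.Name
        Before  = $before
        Target  = 'Reviewer'
    }
}

# Mailboxes whose Default calendar permission differs from the policy.
$report | Where-Object { $_.Before -ne 'Reviewer' } |
    Format-Table Mailbox, Folder, Before, Target -AutoSize
```

Mailboxes created later are not covered, so the script has to be re-run (for example as a scheduled task) to keep the policy in force.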