Hi,
I have created a new security group called "Restricted". I'm told that this restricted group isn't to have permissions to view any Exchange Public Folders. So I went into the Exchange System Manager and set a Deny Full Control for this group at the root level.
When I have one of the restricted Users log on to Outlook, they can still view the Public Folders. Other default entries in the ACL for this include Enterprise Admins, Everyone (no permissions checked), Exchange Domain Servers, Restricted (all denies checked), SBS Mail Operators, SBS Mobile Users.
I've even gone so far as to create a Distribution group for these users as well, then in Exchange, for example on the Contacts folder, I added a Client Permission of Role None, and Folder Visible unchecked. Then in Directory Rights, I denied full control again to the contacts folder (there was no inheritance, which is weird).
So I'm guessing Exchange uses the Least Restrictive... and I really don't want to make an Unrestricted group, so does anyone have an idea of why it isn't using these permissions? On the Contact folder, Default is None and Anonymous is None as well.
Thanks.
Mysterio
May 5 2005, 22:41
I think somewhere during the creation of permissions, something has been incorrectly set... check and confirm the permissions:
To configure the permissions:
1. Start ADSI Edit.
In the CN=Configuration container, locate the following container (where ORGANIZATION is the name of your Exchange 2003 organization and administrative_group is the name of your administrative group):
CN=Services,CN=Microsoft Exchange,CN=ORGANIZATION,CN=Administrative Groups,CN=administrative_group,CN=Folder Hierarchies,CN=Public Folders
2. Right-click CN=Public Folders, and then click Properties.
3. Click the Security tab.
4. Make sure that the Allow inheritable permissions from parent to propagate to this object check box is selected.
5. Make sure that the Everyone group has the following Allow permissions:
• Create named properties in the information store
• Create public folder
• Create top level public folder
If the Allow inheritable permissions from parent to propagate to this object check box is selected, the Everyone group should already have these permissions. Make sure that the Deny check boxes are not selected.
I think SBS does something different, because I have a CN=Microsoft Exchange System Objects with all the various Public Folder directories under it, but there's no root CN=Public Folders folder. As well, I have no CN=Configuration either.
In terms of the MMC, I see ADSI Edit -> Domain [server.domain.local] -> DC=domain,DC=local, then I have CN=Builtin, CN=Computers, OU=Domain Controllers (with a CN=server and then CN=NTRFS Subscriptions under that), CN=ForeignSecurityPrincipals, CN=LostAndFound, CN=Microsoft Exchange System Objects, OU = MyBusiness (with all the AD folders under that), CN=NTDS Quotas, CN=Program Data, CN=System, CN=Users