Configuring Public Folder Permissions
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
You can configure public folder permissions both for administrators of Microsoft Exchange Server 2007 and for users of client programs such as Microsoft Office Outlook 2007. Public folder permissions consist of various access rights that specify the level of control a client user or administrator has over a public folder or public folder hierarchy.
This topic includes the following information about public folder permissions:
- The access rights and predefined roles (which consist of specific access rights) that you can configure for client users.
- The access rights that you can configure for administrators.
  Note
  In Exchange 2007 Service Pack 1 (SP1), you can create a Public Folder Administrator role. For more information about the Public Folder Administrator role, see "Administrator Access Rights" later in this topic.
- Links to the management tasks you can perform for client users and administrators.
Note
When you create a new public folder within an existing public folder hierarchy, that public folder inherits the permissions of the parent folder.
Client User Access Rights and Roles
In Exchange 2007, you use the Exchange Management Shell to configure the permissions for the users who use client programs such as Outlook to access public folders. Whether you select the access rights manually or use predefined roles that contain specific access rights, you use the Add-PublicFolderClientPermission cmdlet to perform the tasks.
Important
To ensure that users can send e-mail messages to a mail-enabled public folder, the public folder must have at least the CreateItems access right granted to the Anonymous account.
The following is a list of client user access rights (followed by a table that shows the predefined permission roles):
- ReadItems: The user has the right to read items within the specified public folder.
- CreateItems: The user has the right to create items within the specified public folder and send e-mail messages to the public folder if it is mail-enabled.
- EditOwnedItems: The user has the right to edit the items that the user owns in the specified public folder.
- DeleteOwnedItems: The user has the right to delete items that the user owns in the specified public folder.
- EditAllItems: The user has the right to edit all items in the specified public folder.
- DeleteAllItems: The user has the right to delete all items in the specified public folder.
- CreateSubfolders: The user has the right to create subfolders in the specified public folder.
- FolderOwner: The user is the owner of the specified public folder. The user has the right to view and move the public folder, create subfolders, and set permissions for the folder. The user cannot read items, edit items, delete items, or create items.
- FolderContact: The user is the contact for the specified public folder.
- FolderVisible: The user can view the specified public folder, but cannot read or edit items within the specified public folder.
The following table lists the predefined public folder client access roles and the access rights that are included in each role. The table headers reflect the access rights listed previously in this document.
Note
The FolderOwner access right and the Owner role have different permissions as shown in the following table.
| Role | CreateItems | ReadItems | CreateSubfolders | FolderOwner | FolderContact | FolderVisible | EditOwnedItems | EditAllItems | DeleteOwnedItems | DeleteAllItems |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| None | | | | | | X | | | | |
| Owner | X | X | X | X | X | X | X | X | X | X |
| PublishingEditor | X | X | X | | | X | X | X | X | X |
| Editor | X | X | | | | X | X | X | X | X |
| PublishingAuthor | X | X | X | | | X | X | | X | X |
| Author | X | X | | | | X | X | | X | |
| Non-EditingAuthor | X | X | | | | X | | | | |
| Reviewer | | X | | | | X | | | | |
| Contributor | X | | | | | X | | | | |
Note
Client users can use Outlook to manage public folder client access permissions. For information about how to manage public folder permissions from Outlook 2007, see Create and Share a Public Folder. For information about how to manage public folder permissions from Outlook 2003, see Outlook folder permissions.
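The following audit is an added example, not code from Microsoft or from this topic. It expands role names into the access rights listed in the role table, then flags broad principals that hold high-impact rights and mail-enabled folders where Anonymous lacks CreateItems. The function names, folder names, the list of "high-impact" rights, and the idea that an entry's AccessRights may hold either a role name or individual rights are assumptions.

```powershell
# Added example (not Microsoft's code). Role contents are transcribed from this page's role table.
$All = 'CreateItems','ReadItems','CreateSubfolders','FolderOwner','FolderContact',
       'FolderVisible','EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems'
$RoleRights = @{
    None             = @('FolderVisible')
    Owner            = $All
    PublishingEditor = @($All | Where-Object { 'FolderOwner','FolderContact' -notcontains $_ })
    Editor           = 'CreateItems','ReadItems','FolderVisible','EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems'
    PublishingAuthor = 'CreateItems','ReadItems','CreateSubfolders','FolderVisible','EditOwnedItems','DeleteOwnedItems','DeleteAllItems'
    Author           = 'CreateItems','ReadItems','FolderVisible','EditOwnedItems','DeleteOwnedItems'
    NonEditingAuthor = 'CreateItems','ReadItems','FolderVisible'   # "Non-EditingAuthor" in the table; spelling here is assumed
    Reviewer         = 'ReadItems','FolderVisible'
    Contributor      = 'CreateItems','FolderVisible'
}

function Expand-AccessRights($Rights) {
    # Replace each role name with the rights it contains; pass individual rights through.
    $Rights | ForEach-Object {
        if ($RoleRights.ContainsKey([string]$_)) { $RoleRights[[string]$_] } else { [string]$_ }
    } | Sort-Object -Unique
}

function Find-RiskyClientGrant($Entries, $MailEnabledFolders, $BroadUsers, $HighImpact) {
    # 1. Broad principals (for example Anonymous, Default) holding high-impact rights.
    foreach ($e in $Entries) {
        if ($BroadUsers -notcontains [string]$e.User) { continue }
        $hits = @(Expand-AccessRights $e.AccessRights | Where-Object { $HighImpact -contains $_ })
        if ($hits.Count) { "{0}: {1} holds {2}" -f $e.Identity, $e.User, ($hits -join ', ') }
    }
    # 2. Mail-enabled folders need CreateItems for Anonymous, or inbound mail cannot be delivered.
    foreach ($f in $MailEnabledFolders) {
        $anon = @($Entries | Where-Object { [string]$_.Identity -eq $f -and [string]$_.User -eq 'Anonymous' })
        $rights = @($anon | ForEach-Object { Expand-AccessRights $_.AccessRights })
        if ($rights -notcontains 'CreateItems') { "{0}: mail-enabled, but Anonymous lacks CreateItems" -f $f }
    }
}

# Constructed sample entries with the Identity, User and AccessRights fields of permission entries.
# On a server, the assumed source would be: Get-PublicFolder "\" -Recurse | Get-PublicFolderClientPermission
$sample = @(
    New-Object PSObject -Property @{ Identity='\Sales';    User='Default';   AccessRights=@('PublishingEditor') }
    New-Object PSObject -Property @{ Identity='\Sales';    User='Anonymous'; AccessRights=@('FolderVisible') }
    New-Object PSObject -Property @{ Identity='\Helpdesk'; User='Anonymous'; AccessRights=@('Contributor') }
    New-Object PSObject -Property @{ Identity='\Helpdesk'; User='Default';   AccessRights=@('Author') }
)
Find-RiskyClientGrant -Entries $sample -MailEnabledFolders '\Sales','\Helpdesk' `
    -BroadUsers 'Anonymous','Default' `
    -HighImpact 'EditAllItems','DeleteAllItems','CreateSubfolders','FolderOwner'
```

Because a new public folder inherits its parent's permissions, a finding on a parent folder is worth checking on every folder created beneath it.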
Administrator Access Rights
In the release to manufacturing (RTM) version of Exchange 2007, you can only use the Add-ExchangeAdministrator cmdlet to grant public folder administrative rights to a user.
In Exchange 2007 Service Pack 1 (SP1), there are two methods you can use to grant public folder administrative rights to a user:
- Use the Add-ExchangeAdministrator cmdlet or the Add Exchange Administrator wizard to add a user to the Public Folder Administrator role.
- Use the Add-PublicFolderAdministrativePermission cmdlet to grant or deny specific rights to public folders.
The following table describes the differences between the rights that are granted by the Public Folder Administrator role and the rights that are granted by using the Add-PublicFolderAdministrativePermission cmdlet.
| Exchange Public Folder Administrator role | Add-PublicFolderAdministrativePermission |
| --- | --- |
| The user can create top-level public folders. | The user cannot create top-level public folders. |
| The user is granted AllExtendedRights to public folders. | The user can be granted or denied specific rights to public folders. |
| The user can administer any top-level public folder, child public folder, and system public folders in the public folder tree. In addition, this user's access rights cannot be revoked by using the Remove-PublicFolderAdministrativePermission cmdlet. | The user can be granted the right to administer specific top-level public folders and specific child public folders. However, the user's access rights can be revoked by using the Remove-PublicFolderAdministrativePermission cmdlet. |
By default, when you create a top-level public folder, users who have permissions that are granted by specific Exchange administrator roles and Microsoft Windows security groups are automatically added as administrators to that public folder because of the group's inherited rights. The following list shows which roles and groups automatically have administrative rights to a new top-level public folder, including the specific access rights that are granted to each:
Exchange administrator roles:
- Exchange Public Folder Administrator (granted AllExtendedRights)
  Note
  This role is available only in Exchange 2007 SP1.
- Exchange Server Administrator (granted AllExtendedRights)
- Exchange Organization Administrator (granted AllExtendedRights)
- Exchange View-Only Administrator (granted ViewInformationStore)
Windows security groups:
- Enterprise Admins (granted AllExtendedRights)
- Administrator (granted AllExtendedRights)
- Domain Admins (granted AllExtendedRights)
The following list describes the standard set of administrative access rights that can be set on a public folder:
- None: The administrator does not have any rights to modify public folder attributes.
- ModifyPublicFolderACL: The administrator has the right to modify client access permissions for the specified folder.
- ModifyPublicFolderAdminACL: The administrator has the right to modify administrator permissions for the specified public folder.
- ModifyPublicFolderDeletedItemRetention: The administrator has the right to modify the Public Folder Deleted Item Retention attributes (RetainDeletedItemsFor, UseDatabaseRetentionDefaults).
- ModifyPublicFolderExpiry: The administrator has the right to modify the Public Folder Expiration attributes (AgeLimit, UseDatabaseAgeDefaults).
- ModifyPublicFolderQuotas: The administrator has the right to modify the Public Folder Quota attributes (MaxItemSize, PostQuota, PostWarningQuota, UseDatabaseQuotaDefaults).
- ModifyPublicFolderReplicaList: The administrator has the right to modify the replica list attribute for the specified public folder (Replicas).
- AdministerInformationStore: The administrator has the right to modify all other public folder properties not defined previously.
- ViewInformationStore: The administrator has the right to view public folder properties.
- AllExtendedRights: The administrator has the right to modify all public folder properties.
Management Tasks for Configuring Public Folder Permissions
This section lists the management tasks that you can perform to configure and maintain public folder permissions:
How to Add Permissions for Client Users to Access Public Folder Content
You can use the Add-PublicFolderClientPermission cmdlet or the AddUsersToPFRecursive.ps1 user management script to specify the permissions for the client user. You can create the access rights by using either the predefined permission roles or by creating custom access rights.
How to Remove or Replace Public Folder Client Permissions
You can use the Remove-PublicFolderClientPermission cmdlet or the RemoveUserFromPFRecursive.ps1 script to remove permissions for the client user. You can remove access rights by using either the predefined permission roles or by using the access rights.
You can use the ReplaceUserWithUserOnPFRecursive.ps1 and ReplaceUserPermissionOnPFRecursive.ps1 scripts to replace client permissions on a public folder. For more information about the public folder management scripts, see Scripts for Managing Public Folders in the Exchange Management Shell.
How to View Public Folder Client Permissions Settings
You can use the Get-PublicFolderClientPermission cmdlet to view the client access rights associated with a public folder.
How to Grant the Send As Permission for a Mail-Enabled Public Folder
You can use Send As permissions to configure a mail-enabled public folder so that users other than the public folder owner can use the mail-enabled public folder to send messages.
The Send As permission is not granted until after replication has occurred. Replication times depend on your Microsoft Exchange and network configuration.
How to Add Administrative Permissions for Users to Access Public Folders
You can use the Add-PublicFolderAdministrativePermission cmdlet, the Add-ExchangeAdministrator cmdlet, or the Add Exchange Administrator wizard to grant administrative rights for a user to access a public folder or public folder hierarchy.
How to Remove Public Folder Administrative Permissions
You can use the Remove-PublicFolderAdministrativePermission cmdlet, the Remove-ExchangeAdministrator cmdlet, or the Add Exchange Administrator wizard to remove administrative access rights from a user for a public folder or public folder hierarchy.
How to View Public Folder Administrative Permission Settings
You can use the Get-PublicFolderAdministrativePermission cmdlet, the Get-ExchangeAdministrator cmdlet, or the Organization Configuration node to view the administrative rights that are associated with a public folder or public folder hierarchy.
For More Information
To learn more about public folders, see Understanding Public Folders.
For more information about managing public folders, see Managing Public Folders.