By default, end users will be able to see any of the folders we created -- Everyone, Forms, Policies, and Marketing....
They will also be able to post content to any of the folders, by default. However, users are currently forbidden from creating subfolders.
It's great that users can read the contents of the Everyone folder and its subfolders.
But now we need to prevent anyone outside of the human resources department from being able to post to them.
We also need to change the default Exchange public folder permissions so employees in the marketing department can create subfolders; and lock down the Marketing folder so nobody outside of the marketing department can see it.
Locking down the 'Everyone' folder
Let's start by locking down the Everyone folder. Open Exchange System Manager -> Administrative Groups -> your administrative group -> Folders -> Public Folders -> Everyone. Now right click on the Everyone folder and select Properties. Go to the Permissions tab and click the Client Permissions button to view the Client Permissions dialog box shown in Figure B.
Figure B: This is what the Client Permissions dialog box looks like.
You can see the default permissions assigned to the folder. Each existing permission associates a particular user or group with a role. The Default permission is the permission that gets assigned to all users, unless they are members of some other group that you specify.
Notice that the default permission has been assigned the Author role. If you look at the checkboxes in the lower portion of the figure, you will see that users holding the Author role can create and read items within the public folder. They also have permission to edit and delete items they own, meaning they can modify or erase posts they've created.
Removing the 'Create Item' permission from the default user
Since the operational requirements for our fictitious company mandate that only members of the human resources department can create items in the Exchange Server public folder, we now want to remove the Create Item permission from the default user.
There are two different ways that we can do this. One way is to simply deselect the Create Item checkbox, which changes the default user's role to Custom. I prefer instead to set the default user's role to Reviewer.
The Reviewer role gives the default user permission to read items in the Exchange public folder. But they are not allowed to edit or delete items, regardless of whether they previously created those items or not.
Personally, I don't really care whether or not the default user is able to edit or delete old public folder posts they made. I recommend using the Reviewer role instead of removing the Create Items permission for ease of management.
If you assign the default user the Reviewer role, then you can tell at a glance that the default user has read-only permissions to the Exchange public folder. If you use a custom role, then you have to take the time to look at the individual permissions to see what has been assigned to the default user.
Granting department-level permission to manage an Exchange public folder
Now that we have prevented the default user from posting to the Everyone folder, we can grant the human resources department the ability to manage the folder by clicking the Add button and adding the human resources group to the list of permissions.
Which role you would assign them is up to you, but I would probably go with the Publishing Editor role. That role will give the human resources department almost full control over the Exchange public folder and even allow them to create Exchange public folder subfolders. If you wanted the human resources group to have full control but don't want them to create public folder subfolders, you can use the Editor role instead.
Click OK to accept the permissions you've set and let's turn our attention to the Marketing folder. We want the marketing group to have full control over the public folder (including the ability to create subfolders), but the folder should be invisible to everyone else.
To accomplish this, add Marketing to the list of client permissions and assign them Publishing Editor permissions. Next, assign the None role to the default user. This blocks the default user from accessing the folder, but the folder remains visible. To hide the Exchange public folder, deselect the Folder Visible checkbox.
I have personally found that hiding folders from users who do not have access to them is helpful. Doing so gives the users a less cluttered view of the Exchange public folder tree and helps eliminate confusion.
TUTORIAL: EXCHANGE SERVER PUBLIC FOLDER PERMISSIONS
Part 1: Creating an Exchange public folder tree structure
Part 2: Customizing Exchange public folder roles and permissions
Part 3: Propagating permissions from a parent public folder to all subfolders
Part 4: Related links on Exchange public folder management
|ABOUT THE AUTHOR:|
| Brien M. Posey, MCSE
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
I have a newly created public folder calendar. Under the client permissions, I only have the option to add individual users. Is there any way to handle security with a security group?
I mail-enabled the public folder in an attempt to use security groups with the Directory rights option. I added one individual user with permissions to add/delete calendar items, and this works. I then tried to lock it down so that the folder would not be visible to "everyone" by setting the default user to "none," but then it is not visible to the one user. I don't want to add the individual user in the client permissions, because this would be an Admin nightmare to administer.
Do you have any suggestions?
My suggestion would be to hold out for Exchange Server 2007 SP1. Service Pack 1 will greatly improve the ability to manage public folders in Exchange 2007.
Brien Posey, contributor