Lesson 3: Public Folder Security

You configure public folder security to define and control the level of access users have to a public folder. You can grant or deny permissions to different aspects of a public folder, enabling you to ensure that users can access the content they need but not the content that they shouldn't have access to.

After this lesson, you will be able to

• Understand inherited permissions and assigned permissions

• Configure client permissions, directory rights, and administrative rights

Estimated lesson time: 45 minutes

Inherited and Assigned Permissions

Permissions control the creation, management, and use of public folders and their contents and are either granted by inheritance or assigned. A public folder inherits its permissions from parent objects. For example, a top-level folder will inherit permissions from the administrative group and from the Exchange organization. Similarly, a child folder will inherit permissions from its parent folder in the public folder tree. When you create a public folder, you need to assign permissions that specify the individuals or groups that will have the rights to perform designated activities in that folder. You can assign both client access permissions and administrative rights to the folder.

Child folders inherit parent folder settings only at the time they are created. By default, any changes that you later make to a parent folder will not automatically be inherited by child folders. However, you can have the permission changes that you make to a parent folder applied to every child folder. To do this, perform the following steps:

1. Right-click the parent folder whose permissions you want to propagate, point to All Tasks, and then click Propagate Settings. The Propagate Folder Settings dialog box is shown in Figure 8-15.

   
   Figure 8-15: Propagating public folder permissions

2. While you can propagate a number of settings, here you only want to click Folder Rights. Click OK to finish.

   Important

   Any changes you make specifically to a child folder will be lost if you choose to propagate those settings from the parent folder.

Permission Categories

There are three categories of permissions for public folders in Exchange, as shown in Table 8-1.

Configuring Permissions

Client permissions are the type of permissions an administrator most commonly works with, and there are two ways to configure them. The first way is by using Exchange System Manager. Right-click a public folder, click Properties, then click the Permissions tab, and then click Client Permissions to open a dialog box similar to the one shown in Figure 8-16.

Figure 8-16: Configuring client permissions in Exchange System Manager

Here, you can add users and groups and configure a granular level of access to the folder. You can also configure advanced Folder Rights by clicking Advanced. By default, everyone can read and write to public folders that are created.

The easier way to configure client permissions is by using Outlook, which uses roles-based permissions rather than the more detailed Folder Rights.

1. Open Outlook, expand the Public Folders node in the folder list, and then expand All Public Folders.

2. Right-click a public folder and click Properties, and then click the Permissions tab, shown in Figure 8-17.

   
   Figure 8-17: Configuring client permissions in Outlook

3. By default, everyone has the Author permission level, which gives them the right to read and create items and to edit and delete their own items.

   Tip

   The Permissions tab is available only to users and groups that have been configured with the Folder Owner permission role. Non-owners cannot manipulate permissions.

4. To add users and groups, click Add and then assign each the desired role.

   Exam Tip

   Because Outlook can see only public folders in the Default public folder tree, it cannot be used to configure permissions for public folders that reside in General Purpose trees. You will have to use Exchange System Manager to configure those permissions.

More client security settings can be configured by clicking the Administration tab, shown in Figure 8-18, in the public folder's properties.

Figure 8-18: Configuring additional security settings

The settings on this tab that are related to security are This Folder Is Available To and Moderated Folder. You can choose whether all users with access permission can use the folder (the default) or whether only users and groups assigned the Folder Owner role can use the folder. A moderated folder is one that requires a moderator to approve all messages that get posted to the folder. This is often used in customer mailing lists or forums where it is highly desirable to limit the amount of off-topic traffic that gets posted. When you click Moderated Folder, the Moderated Folder dialog box, shown in Figure 8-19, opens.

Figure 8-19: Configuring moderated folder settings

To configure a moderated folder, you must first select the check box to make the folder a moderated folder. Next, you need to assign a user or group to which new messages to the folder should be forwarded. These users will view a message for content and decide if it should be posted. Finally, you assign moderators that have the authority to move the messages into the folder upon approval. You can also have an automatically generated e-mail sent in reply to new messages to explain to the sender that the folder is moderated and that they will not see their post until it is approved. You can use a standard response or create your own custom response.

Configuring Directory Rights

Directory rights control what users and groups have permission to change e-mail-related attributes of a mail-enabled public folder. By default, only the Administrator account and members of the Administrators, Enterprise Admins, Exchange Domain Servers, and Exchange Enterprise Servers groups have these permissions. Authenticated Users are able to read permissions but not to do anything else. Generally, these settings are sufficient and don't need to be changed. To change the directory rights, perform the following steps:

1. Right-click the public folder in Exchange System Manager and click Properties.

2. Click the Permissions tab, and then click Directory Rights.

3. Add users or groups as desired and configure the permissions you want them to have.

4. Click OK when you are done, and then click OK again to finish.

Configuring Administrative Rights

Administrative rights control the users and groups that can use Exchange System Manager, a custom Microsoft Management Console (MMC) console, or any other administrative utility to change the replication, storage limits, and other settings for a public folder. By default, only administrators in the Active Directory domain and enterprise have administrative rights to a public folder.

Configuring administrative rights is similar to configuring directory rights. Both are configured on the Permissions page of a public folder's properties.

Practice: Public Folder Security

In this practice, you will use Outlook to assign permission roles to a public folder to two Active Directory user accounts. Then, you will configure the folder as a moderated folder and assign a forwarding address and moderators to the folder.

Before you begin, create user accounts for the following users:

• Jenny Lysaker

• Bob Gage

• Chris Meyer

Also, create the following public folders in the Default public folder tree:

• Feedback

• Support

Exercise 1: Assign Client Permission Roles

1. Open Outlook and expand the Folders container, and then expand All Public Folders.

2. Right-click the Feedback public folder, and then click Properties. Click the Permissions tab.

3. Click Add, and then add Jenny Lysaker, Bob Gage, and Chris Meyer. Assign Jenny the Folder Owner permission, assign Bob the Publishing Editor role, and assign Chris the Editor role. Note the differences in permissions each role has.

4. Click OK to finish.

Exercise 2: Configure a Moderated Public Folder

1. Right-click the Support public folder, and then click Properties. Click the Administration tab.

2. Click Moderated Folder.

3. Select the check box to Set Folder Up As A Moderated Folder.

4. Assign Jenny Lysaker to Forward New Replies To.

5. Add Jenny Lysaker and Bob Gage as moderators to the folder.

6. Click OK to finish.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and then try the question again. You can find answers to the questions in the "Questions and Answers" section at the end of this chapter.

1. You are the senior Exchange Server administrator for Litware, Inc. You receive a call from the customer support manager, who is concerned because customers are calling to say that their e-mail messages sent to support@litwareinc.com are being returned as undeliverable. That address is associated with a public folder, so you check the folder properties and find that the e-mail address has been changed to litwaresupport@litwareinc.com. After investigating, you determine that the address was changed by your junior administrator, who normally is responsible only for setting up e-mail addresses for new users. How would you restrict him from being able to edit public folder e-mail addresses in the future?

2. You are the Exchange Server administrator for Contoso, Inc. The company has a CustomerSupport public folder that functions as a discussion forum. The folder resides in the Default public folder tree. The customer service manager, Bob, says he needs to have administrator permissions to the folder in order to configure settings such as limits, as needed, and to assign permissions to other support techs. However, you have concerns about giving a non-administrator administrator access. What permissions should you give Bob to ensure that he can do his job, but not give him too much authority?

3. You are the senior Exchange Server administrator for Litware, Inc., a software development company that sells a number of productivity applications. You have a General Purpose public folder tree for your Customer Support forums. There is a top-level folder called Support, which contains child folders named for each product your company sells. Those folders contain child folders for different versions of each product. Support personnel regularly interact in these folders with customers who post questions. Because each support tech works only on a particular product, each one is given permission to access only the parent folder and child folders of the product he or she supports. You have a junior administrator who configures the permissions to the folders for the support staff as required.

   One afternoon, you receive a call from the department manager, who states that none of his support staff can access any of the public forums. You ask your junior administrator, and he tells you he made a permission change on the top-level folder but nowhere else. What did he do that is causing this problem?

Lesson Summary

• Client permissions can be configured through Exchange System Manager for any public folder and through Outlook for public folders that are in the Default public folder tree.

• Directory rights control the permissions to configure e-mail-related properties for mail-enabled public folders.

• Administrative rights control the permissions to run administrative utilities, such as Exchange System Manager, to configure public folder settings such as limits and replication.