Lesson 2: Creating and Managing Public Folders

Exchange System Manager provides the required interfaces for public folder administration. Using this utility, you can create and manage public folder hierarchies and stores, as well as create and configure public folder resources. However, Exchange System Manager is not the only program you can use. Outlook 2000, for instance, allows you to administer public folder settings as well, and you can use other programs, such as Windows Explorer or Web browsers, to create public folder resources. You may also work with public folders programmatically using Collaboration Data Objects (CDO).

This lesson focuses on public folder management using Exchange System Manager and Outlook 2000. You will learn about public folder creation and specific configuration settings. Public folder property sheets differ between Exchange System Manager and Outlook 2000.


At the end of this lesson, you will be able to:

  • Create and manage public folder resources using Exchange System Manager.
  • Create and manage public folder resources using Outlook 2000.

Estimated time to complete this lesson: 75 minutes


Security Settings for Public Folder Hierarchies

Before creating public folders, you should implement essential rules that govern public folder creation across the organization. For instance, the default MAPI-based hierarchy, replicated everywhere, may get out of hand if all users in the organization have permissions to create arbitrary public folder resources at all levels. Top-level folder creation, especially, should be restricted to a small group of administrators because these folders are at the top of the All Public Folders tree. The public folder administrators group can then grant permissions to other groups to manage the creation, content, and permissions of subfolders. By default, all users can create top-level folders.

Centralizing Public Folder Resources

Top-level folders are placed on the user's default public store server. This is typically the user's home server where his or her mailbox store resides—until you change the default public store. Top-level folders, in turn, determine the location of all subfolders regardless of the user who created them (see Figure 17.7). Hence, if you want to centralize the location of all existing public folders, you must ensure that top-level folders are created on only one server. You have two options. The first is to modify the public folder server attribute of all mailbox stores in your administrative group to point to only one common server. The disadvantage of this option is that it relies heavily on a single server, and users cannot browse the public folder hierarchy if the server is unavailable. The second option is to restrict the permissions to create top-level folders to a small group of users, thereby ensuring that top-level folders will be created only on the desired server. If you go with this option, this server must be the default public store server of all those users who can create top-level folders—in other words, it should be their home server. This option has advantages because it achieves the desired result by controlling who can create folders at the top of your public folder hierarchy.

NOTE


Exchange System Manager allows you to specify the server where new top-level folders should be created. Right-click the desired hierarchy object in Exchange System Manager (such as Public Folders under the Folders branch), and select Connect To to select the desired server.

Figure 17.7 Top-level folder and subfolder creation

Configuring Security Settings

To determine who is able to create top-level folders, display the hierarchy's property sheets using Exchange System Manager (for instance, for the Public Folders hierarchy), and click on the Security tab. In the list of permissions, you will find a specific right called Create Top Level Public Folder (see Table 17.1). Make sure only the desired administrators have the right to create folders at the top of the hierarchy.

NOTE


Because Exchange 2000 Server relies on Windows 2000 security features, you can deny the top-level folder creation explicitly. Deny permissions take precedence over granted permissions.

Table 17.1 Important Permissions for Public Folder Hierarchies

Permission                        Description
--------------------------------  ------------------------------------------------------------
Create Public Folder              Specifies who can create a public folder in this hierarchy.
Create Top Level Public Folder    Specifies who can create top-level folders, which represent the first level in the tree structure.
Modify Public Folder ACL          Specifies who can change client permissions.
Modify Public Folder Admin ACL    Specifies who can change administrative permissions.

Creating a Public Folder

With required permissions, the creation of public folders is a trivial task. In Exchange System Manager, expand the desired Folders hierarchy, right-click the desired parent container, such as Public Folders, point to New, and select Public Folder. The only parameter you need to provide is a value for the Name field. When you click OK, the public folder will be created in the hierarchy, and it is immediately available to users.

In Outlook 2000, several options are available to create a public folder. Perhaps the easiest way is to open the File menu, point to Folder, and select the New Folder command. This command is disabled if required permissions are missing. For example, if you do not have the permission to create top-level folders, but select All Public Folders in the Public Folders tree, the command is grayed out. If you have the permission, on the other hand, clicking this command launches the Create New Folder dialog box, which asks you for a folder name and the folder type (Appointment, Mail, Contact, Journal, Task, or Note Items). You can select the parent folder under Select Where To Place The Folder to finish the job.

Managing Public Folder Properties

Outlook assigns Outlook-specific properties to new public folders; these properties cannot be created using Exchange System Manager. Exchange System Manager is the right choice, on the other hand, to manage Exchange-specific settings, such as public folder replication, and to manage hierarchies that are not available in Outlook.

Using Exchange System Manager, you can work with the following tabs for mail-enabled folders:

  • Details. Use this tab to specify an administrative note for informative purposes.
  • E-Mail Addresses. Use this tab to manage e-mail addresses for a public folder and to specify whether the e-mail addresses should be updated based on recipient policies (see Chapter 13, "Creating and Managing Recipients").
  • Exchange Advanced. Use this tab to specify a simple display name and to determine whether to show or hide the public folder in Exchange address lists. You can also specify custom attributes.
  • Exchange General. Use this tab to specify Delegate permissions and forwarding addresses for a public folder and to modify the public folder alias, if desired.
  • General. Use this tab to specify a description of the public folder, define a name to be displayed in the Global Address List instead of the public folder name, and determine whether read/unread information should be maintained for this folder. Read/unread information gives Outlook 2000 the option to indicate per user which items have been read, similar to messages in the mailbox. This information is maintained and cached on the server, which consumes resources.
  • Limits. Use this tab to specify storage and age limits and a deleted item retention time. Deleted item retention is explained in Chapter 20, "Microsoft Exchange 2000 Server Maintenance and Troubleshooting."
  • Permissions. Use this tab to configure client permissions, directory rights, and administrative rights on the public folder.
  • Replication. Use this tab to specify which servers contain replicas and to set times at which this public folder is replicated to other replicas. Public folder replication is covered in detail in Chapter 18, "Public Folder Replication."

Using Outlook 2000, the following core tabs are available:

  • Administration. Use this tab to specify a default view for this folder, add it to a personal address book if it isn't included in the Global Address List, determine the folder availability, and configure public folder rules. You also have the option to build moderated public folders (see "Configuring Moderated Folders" later in this lesson).
  • Forms. Use this tab to manage electronic forms, as explained in Chapter 21, "Microsoft Outlook Forms Environment."
  • General. Use this tab to specify a name and details for a public folder, define the standard electronic form to be used when posting items to this folder, determine whether to create Exchange Client-compatible views, and check public folder sizes.
  • Home Page. Use this tab to specify a Web page, such as a digital dashboard, to be displayed when the user opens the public folder. A public folder home page is displayed instead of the folder view and can show information from various sources, including the public folder content.
  • Permissions. Use this tab to specify client permissions for this public folder. Users who are not explicitly listed receive the permissions granted to the Default account.

NOTE


Outlook 2000 may display additional tabs, such as Activities for public folders that contain contact items, or Synchronization for folder shortcuts created under the Favorites container. Refer to the Outlook 2000 Online Help and the Office 2000 Resource Kit when working with these tabs.

Configuring Moderated Folders

Using Outlook 2000, you can configure moderated folders, which are the censored version of public folders, allowing you to review posted items before they appear. Exchange 2000 Server forwards all posted messages without modifications to a moderator. The moderator, in turn, reviews and places accepted items in the destination folder. Moderated folders are especially useful when you are setting up discussions across the Internet because they provide control over the tone, style, and topic of communication. In Exercise 3 of Chapter 1, "Introduction to Microsoft Exchange 2000 Server," you configured a public folder repository for contact items as a moderated public folder.

NOTE


Using a public folder's Exchange General tab (Delivery Options button) in Exchange System Manager, you can configure a forwarding address to deliver messages to an alternate address instead of the folder. However, specifying a forwarding address does not result in a moderated folder configuration.

Managing Public Folder Access Permissions

Exchange 2000 Server supports a new security model, which allows you to assign permissions to folders, items, and properties similar to security settings on directories and files on an NT file system (NTFS) volume. Permissions can be inherited from higher level containers, such as the organization, administrative group, public folder hierarchy, and parent folder.

Public Folder Permission Types

When you display the properties of a public folder in Exchange System Manager, the Permissions tab contains three buttons labeled Client Permissions, Directory Rights, and Administrative Rights, which allow you to specify who can access and administer the public folder. The Client Permissions button launches a dialog box where you can configure permissions similar to the Permissions tab in Outlook 2000. Client permissions are maintained in conformance with the legacy security model, which is based on roles, such as Publishing Author, Editor, and Owner, and MAPI address book entries. Exchange 2000 Server configures the corresponding Windows 2000 permissions automatically.

Client permissions correspond to folder and message rights. Folder rights allow you to control folder access, such as Read and Write permissions on a folder. Message rights, conversely, determine on a per-user level what form of access to messages is permitted (that is, edit and delete items). In contrast, when clicking the Directory Rights button, you can determine whether a user is allowed to mail-enable (or disable) a public folder, manage public folder recipient objects, or grant Send As permissions on the folder. Finally, when you click Administrative Rights, you can assign specific rights to administrators, such as the right to add or remove replicas to a public folder.

NOTE


Public folder permissions are divided into four separate categories: folder rights, message rights, directory rights, and administrative rights. Outlook 2000 prevents you from managing public folder permissions if you are not a public folder owner (client permission). In Exchange System Manager, you can administer the same folder if you have the required administrative permissions. Folder ownership is not required in this case.

Working with Client Permissions

When setting client permissions, you are working with security identifiers (SIDs) of Windows 2000 users and groups. Even though you are selecting MAPI address book entries, you are in fact working with mailbox- and mail-enabled Windows 2000 security principals. This is also the reason you cannot assign permissions to mail-enabled distribution groups. Unlike mail-enabled security groups, distribution groups do not represent security principals.

By default, three accounts have access permissions:

  • Anonymous. Granted the Contributor role
  • Default. Granted the Author role
  • The user who created the public folder. Granted the Owner role

The user who created the public folder is listed explicitly because every public folder must have at least one owner. This user is also specified as the folder contact who receives replication conflict notifications, folder design conflict notifications, and quota notifications. You cannot delete any of these three accounts right away, but you can designate an additional owner and contact accounts to remove the original owner entry.

The Anonymous account corresponds to the Anonymous Logon system account of Windows 2000. Default is synonymous with the Everyone group. Users who are not explicitly listed receive the permissions granted to the Default account.

Public Folder Properties Propagation

When you assign permissions to a parent folder, subfolders inherit those permissions when they are created. Changes in permissions to the parent folder are not automatically propagated to existing child folders, which keep the permissions they already have. Be aware of this because it can lead to a security issue. For example, Outlook 2000 supports shortcuts on the Outlook Bar and displays a Favorites list next to All Public Folders, which provides an easy way to reach popular public folders. Shortcuts and favorites are links that are similar to shortcuts in Windows 2000; they open the desired public folder without the need to navigate all its parent folders first. A user whose access to a parent folder has been revoked can therefore still open an existing subfolder through such a link, bypassing the permissions set on the parent folder.

To prevent this way of bypassing permissions, you need to change the permissions for subfolders to those that apply to the parent folder. Exchange System Manager allows you to do this conveniently. Right-click the parent folder in the hierarchy, point to All Tasks, and select Propagate Settings.

The following folder properties can be propagated:

  • Administrative and folder rights
  • Age and storage limits
  • Deleted item retention time
  • Keep per user read/unread state
  • Mail-enabled and show in address book information
  • Replicas, replication message priority, and replication schedule

NOTE


You need to be an owner (client permissions) on the subfolder to successfully propagate configuration changes.

Item-Level Permissions

Item-level permissions refer to security settings applied to individual messages, documents, and other objects in a public folder. Similar to standard file system permissions, you can set these when accessing a public folder through ExIFS. To give an example, place a Microsoft Word document in a public folder using Windows Explorer, then right-click it, select Properties, click on the Security tab, and specify the desired security settings. If you deny a user Read access to items, Outlook will display error messages, such as "Can't open this item, you don't have appropriate permission to perform this operation," or "The custom form could not be opened." Be careful when denying permissions to avoid confusion. It is not possible to hide individual items in a public folder, and document properties may be exposed in folder views.

Exercise 2: Creating and Managing Public Folder Resources

In this exercise you will create various public folder resources and manage security settings. You will also use the Exchange System Manager to propagate configuration changes to subfolders.

To view a multimedia demonstration that displays how to perform this procedure, run the EX2CH17*.AVI files from the \Exercise_Information\Chapter17 folder on the Supplemental Course Materials CD.

Prerequisites

  • Complete Exercise 1 (BLUESKY-SRV2 holds the Administrator's default public store), and start BLUESKY-WKSTA in addition to BLUESKY-SRV1 and BLUESKY-SRV2.
  • Log on as Administrator to BLUESKY-SRV1.

To create public folders, set permissions, and propagate configuration changes to subfolders

  1. On BLUESKY-SRV1, launch Exchange System Manager, expand First Administrative Group and Folders, right-click Public Folders, point to New, and select Public Folder.
  2. Under Name, type BackDoor, and click OK. Verify that the new public folder was created successfully.
  3. Right-click BackDoor, select Properties, click on the Permissions tab, and click Client Permissions.
  4. In the Client Permissions dialog box, click Add, and add Carl Titmouse to the list of users with explicit permissions. Select Carl Titmouse and, under Roles, select Publishing Author. Click OK twice.
  5. Log on as Carl Titmouse to BLUESKY-WKSTA, and start Outlook 2000. Open the View menu, and select Folder List to display the list of folders beside the Outlook Bar.
  6. Press CTRL+SHIFT+E to launch the Create New Folder dialog box. Under Name, type Sub-BackDoor. Under Select Where To Place The Folder, expand Public Folders, then All Public Folders, and then select BackDoor. Click OK.
  7. In the Add Shortcut To Outlook Bar dialog box, click Yes. If this dialog box does not appear in your configuration, create a shortcut manually by dragging the folder called Sub-BackDoor from the folder list to My Shortcuts on the Outlook Bar.
  8. Verify that a shortcut to Sub-BackDoor has been created under My Shortcuts. Click it to open the folder, and then, in the toolbar, click New, and, in the Untitled - Discussion form, under Subject, type Changes to parent folder settings are not automatically propagated to subfolders. Then click Post and make sure the item is visible in the folder.
  9. In Exchange System Manager on BLUESKY-SRV1, right-click Public Folders, and then select Refresh to update the view. Right-click BackDoor and select Properties.
  10. Click on the Permissions tab, click Client Permissions, select Carl Titmouse, and, under Roles, select None. Deselect Folder Visible in addition, and click OK twice.
  11. On BLUESKY-WKSTA in Outlook 2000, notice that the public folder called BackDoor, together with all subfolders, disappears from the folder list.
  12. In the Outlook Bar, under My Shortcuts, click Sub-BackDoor, and notice that you have bypassed the parent folder. The contents of Sub-BackDoor are displayed in the details pane (see Figure 17.8).

    Figure 17.8 Bypassing parent folder permissions

  13. On BLUESKY-SRV1, in Exchange System Manager, right-click BackDoor, point to All Tasks, and select Propagate Settings.
  14. In the Propagate Folder Settings dialog box, select the Folder Rights check box. Click OK and verify that all subfolders are processed.
  15. On BLUESKY-WKSTA, in Outlook 2000, click the Sub-BackDoor shortcut again, and notice that Outlook is unable to display the folder contents (see Figure 17.9).

    Figure 17.9 Propagating parent folder permissions

Exercise Summary

When creating sublevel public folders, configuration settings, such as client permissions, folder location, and replication settings, are inherited from the parent folder. An owner of a parent folder, for instance, will also become an owner of all sublevel folders by default—in addition to the user who has created the subfolder. When you change permissions for a parent folder either in Exchange System Manager or in Outlook 2000, you need to be aware that those changes are not automatically propagated to subfolders. You need to propagate configuration changes manually, which is only possible in Exchange System Manager.
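
The behavior described under Public Folder Properties Propagation and walked through in Exercise 2, as an added example (not from the training kit and not Exchange or CDO code): a small Python model of create-time inheritance, direct access through a shortcut, a drift audit that flags subfolders whose client permissions no longer match the parent, and the effect of Propagate Settings. The Folder class and all function names are hypothetical, and the model assumes that the role None means no access and any other role means the folder can be opened.

```python
# Constructed model for illustration; folder and user names come from Exercise 2.
from dataclasses import dataclass, field

@dataclass
class Folder:
    name: str
    acl: dict                      # principal -> client role, e.g. {"Default": "Author"}
    parent: "Folder" = None
    children: list = field(default_factory=list)

    def create_subfolder(self, name, creator):
        # Permissions are copied from the parent once, at creation time;
        # the creating user is added as an owner of the new subfolder.
        child = Folder(name, {**self.acl, creator: "Owner"}, parent=self)
        self.children.append(child)
        return child

    def role_of(self, user):
        # Users who are not listed explicitly receive the Default entry.
        return self.acl.get(user, self.acl.get("Default", "None"))

    def path(self):
        return (self.parent.path() + "/" if self.parent else "") + self.name

def can_browse_to(folder, user):
    """Reaching a folder through the tree needs access to every ancestor."""
    node = folder
    while node is not None:
        if node.role_of(user) == "None":
            return False
        node = node.parent
    return True

def can_open_shortcut(folder, user):
    """A shortcut or favorite opens the folder directly: only its own ACL counts."""
    return folder.role_of(user) != "None"

def propagate_folder_rights(parent):
    """Model of Propagate Settings with the Folder Rights check box selected."""
    for child in parent.children:
        child.acl = dict(parent.acl)
        propagate_folder_rights(child)

def audit_drift(folder):
    """List (subfolder path, principal, parent role, subfolder role) mismatches."""
    findings = []
    for child in folder.children:
        for who in sorted(set(folder.acl) | set(child.acl)):
            if folder.role_of(who) != child.role_of(who):
                findings.append((child.path(), who, folder.role_of(who), child.role_of(who)))
        findings += audit_drift(child)
    return findings

def run_exercise():
    """Replay the permission changes of Exercise 2 against the model."""
    carl = "Carl Titmouse"
    backdoor = Folder("BackDoor", {"Default": "Author", "Administrator": "Owner"})
    backdoor.acl[carl] = "Publishing Author"                # step 4
    sub = backdoor.create_subfolder("Sub-BackDoor", carl)   # step 6
    backdoor.acl[carl] = "None"                             # step 10
    before = (can_browse_to(sub, carl), can_open_shortcut(sub, carl))
    drift = audit_drift(backdoor)                           # what an audit would flag
    propagate_folder_rights(backdoor)                       # steps 13 and 14
    after = (can_browse_to(sub, carl), can_open_shortcut(sub, carl))
    return before, drift, after, audit_drift(backdoor)
```

Running audit_drift after any change to a parent folder's permissions shows which subfolders still need Propagate Settings before the change actually takes effect for them.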

If you want to revoke permissions for a parent folder but want users to be able to work with subfolders, it is a good idea to move the subfolders to a different location. Using Outlook 2000 or Exchange System Manager, you can move public folders within the same hierarchy via drag-and-drop. However, you cannot move or copy a folder from one public folder tree to another.



MCSE Training Kit Exam 70-224(c) Microsoft Exchange 2000 Server Implementation and Administration
Year: 2001
Pages: 186
