Exchange System Manager provides the required interfaces for public folder administration. Using this utility, you can create and manage public folder hierarchies and stores, as well as create and configure public folder resources. However, Exchange System Manager is not the only program you can use. Outlook 2000, for instance, allows you to administer public folder settings as well, and you can use other programs, such as Windows Explorer or Web browsers, to create public folder resources. You may also work with public folders programmatically using Collaboration Data Objects (CDO).
This lesson focuses on public folder management using Exchange System Manager and Outlook 2000. You will learn about public folder creation and specific configuration settings. Public folder property sheets differ between Exchange System Manager and Outlook 2000.
At the end of this lesson, you will be able to:
Estimated time to complete this lesson: 75 minutes
Before creating public folders, you should implement essential rules that govern public folder creation across the organization. For instance, the default MAPI-based hierarchy, replicated everywhere, may get out of hand if all users in the organization have permissions to create arbitrary public folder resources at all levels. Top-level folder creation, especially, should be restricted to a small group of administrators because these folders are at the top of the All Public Folders tree. The public folder administrators group can then grant permissions to other groups to manage the creation, content, and permissions of subfolders. By default, all users can create top-level folders.
Top-level folders are placed on the user's default public store server. This is typically the user's home server where his or her mailbox store resides—until you change the default public store. Top-level folders, in turn, determine the location of all subfolders regardless of the user who created them (see Figure 17.7). Hence, if you want to centralize the location of all existing public folders, you must ensure that top-level folders are created on only one server. You have two options. The first is to modify the public folder server attribute of all mailbox stores in your administrative group to point to only one common server. The disadvantage of this option is that it relies heavily on a single server, and users cannot browse the public folder hierarchy if the server is unavailable. The second option is to restrict the permissions to create top-level folders to a small group of users, thereby ensuring that top-level folders will be created only on the desired server. If you go with this option, this server must be the default public store server of all those users who can create top-level folders—in other words, it should be their home server. This option has advantages because it achieves the desired result by controlling who can create folders at the top of your public folder hierarchy.
NOTE
Exchange System Manager allows you to specify the server where new top-level folders should be created. Right-click the desired hierarchy object in Exchange System Manager (such as Public Folders under the Folders branch), and select Connect To to select the desired server.
Figure 17.7 Top-level folder and subfolder creation
To determine who is able to create top-level folders, display the hierarchy's property sheets using Exchange System Manager (for instance, for the Public Folders hierarchy), and click on the Security tab. In the list of permissions, you will find a specific right called Create Top Level Public Folder (see Table 17.1). Make sure only the desired administrators have the right to create folders at the top of the hierarchy.
NOTE
Because Exchange 2000 Server relies on Windows 2000 security features, you can deny the top-level folder creation explicitly. Deny permissions take precedence over granted permissions.
Table 17.1 Important Permissions for Public Folder Hierarchies
Permission | Description |
---|---|
Create Public Folder | Specifies who can create a public folder in this hierarchy. |
Create Top Level Public Folder | Specifies who can create top-level folders, which represent the first level in the tree structure. |
Modify Public Folder ACL | Specifies who can change client permissions. |
Modify Public Folder Admin ACL | Specifies who can change administrative permissions. |
With required permissions, the creation of public folders is a trivial task. In Exchange System Manager, expand the desired Folders hierarchy, right-click the desired parent container, such as Public Folders, point to New, and select Public Folder. The only parameter you need to provide is a value for the Name field. When you click OK, the public folder will be created in the hierarchy, and it is immediately available to users.
In Outlook 2000, several options are available to create a public folder. Perhaps the easiest way is to open the File menu, point to Folder, and select the New Folder command. This command is disabled if required permissions are missing. For example, if you do not have the permission to create top-level folders, but select All Public Folders in the Public Folders tree, the command is grayed out. If you have the permission, on the other hand, clicking this command launches the Create New Folder dialog box, which asks you for a folder name and the folder type (Appointment, Mail, Contact, Journal, Task, or Note Items). You can select the parent folder under Select Where To Place The Folder to finish the job.
Outlook assigns Outlook-specific properties to new public folders, which cannot be created using Exchange System Manager. Exchange System Manager is the right choice, on the other hand, to manage Exchange-specific settings, such as public folder replication, and to manage hierarchies that are not available in Outlook.
Using Exchange System Manager, you can work with the following tabs for mail-enabled folders:
Using Outlook 2000, the following core tabs are available:
NOTE
Outlook 2000 may display additional tabs, such as Activities for public folders that contain contact items, or Synchronization for folder shortcuts created under the Favorites container. Refer to the Outlook 2000 Online Help and the Office 2000 Resource Kit when working with these tabs.
Using Outlook 2000, you can configure moderated folders, which are public folders where posted items are reviewed before they appear. Exchange 2000 Server forwards all posted messages without modifications to a moderator. The moderator, in turn, reviews and places accepted items in the destination folder. Moderated folders are especially useful when you are setting up discussions across the Internet because they provide control over the tone, style, and topic of communication. In Exercise 3 of Chapter 1, "Introduction to Microsoft Exchange 2000 Server," you configured a public folder repository for contact items as a moderated public folder.
NOTE
Using a public folder's Exchange General tab (Delivery Options button) in Exchange System Manager, you can configure a forwarding address to deliver messages to an alternate address instead of the folder. However, specifying a forwarding address does not result in a moderated folder configuration.
Exchange 2000 Server supports a new security model, which allows you to assign permissions to folders, items, and properties similar to security settings on directories and files on an NT file system (NTFS) volume. Permissions can be inherited from higher level containers, such as the organization, administrative group, public folder hierarchy, and parent folder.
When you display the properties of a public folder in Exchange System Manager, the Permissions tab contains three buttons labeled Client Permissions, Directory Rights, and Administrative Rights, which allow you to specify who can access and administer a public folder. The Client Permissions button launches a dialog box where you can configure permissions similar to the Permissions tab in Outlook 2000. Client permissions are maintained in conformance with the legacy security model, which is based on roles, such as Publishing Author, Editor, and Owner, and MAPI address book entries. Exchange 2000 Server configures the corresponding Windows 2000 permissions automatically.
Client permissions correspond to folder and message rights. Folder rights allow you to control folder access, such as Read and Write permissions on a folder. Message rights, conversely, determine on a per-user level what form of access to messages is permitted (that is, edit and delete items). In contrast, when clicking the Directory Rights button, you can determine whether a user is allowed to mail-enable (or disable) a public folder, manage public folder recipient objects, or grant Send As permissions on the folder. Finally, when you click Administrative Rights, you can assign specific rights to administrators, such as the right to add or remove replicas to a public folder.
NOTE
Public folder permissions are divided into four separate categories: folder rights, message rights, directory rights, and administrative rights. Outlook 2000 prevents you from managing public folder permissions if you are not a public folder owner (client permission). In Exchange System Manager, you can administer the same folder if you have the required administrative permissions. Folder ownership is not required in this case.
When setting client permissions, you are working with security identifiers (SIDs) of Windows 2000 users and groups. Even though you are selecting MAPI address book entries, you are in fact working with mailbox- and mail-enabled Windows 2000 security principals. This is also the reason you cannot assign permissions to mail-enabled distribution groups. Unlike mail-enabled security groups, distribution groups do not represent security principals.
By default, three accounts have access permissions:
The user who created the public folder is listed explicitly because every public folder must have at least one owner. This user is also specified as the folder contact who receives replication conflict notifications, folder design conflict notifications, and quota notifications. You cannot delete any of these three accounts right away, but you can designate an additional owner and contact accounts to remove the original owner entry.
The Anonymous account corresponds to the Anonymous Logon system account of Windows 2000. Default is synonymous with the Everyone group. Users who are not explicitly listed receive the permissions granted to the Default account.
When you assign permissions to a parent folder, subfolders inherit those permissions when they are created. Changes in permissions to the parent folder are not automatically propagated to existing child folders. Be aware of this because it can lead to a security issue. For example, Outlook 2000 supports shortcuts on the Outlook taskbar and displays a Favorites list next to All Public Folders, which provides an easy way to reach popular public folders. Shortcuts and favorites are links that are similar to shortcuts in Windows 2000; they open the desired public folder without the need to navigate all its parent folders first. Because a subfolder keeps the permissions it inherited at creation, such a link can bypass permissions set later on parent folders.
To prevent this way of bypassing permissions, you need to change the permissions for subfolders to those that apply to the parent folder. Exchange System Manager allows you to do this conveniently. Right-click the parent folder in the hierarchy, point to All Tasks, and select Propagate Settings.
The following folder properties can be propagated:
NOTE
You need to be an owner (client permissions) on the subfolder to successfully propagate configuration changes.
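The inheritance gap described above can be audited before and after propagation. The following is an added example, not code from Exchange or from this lesson: it is a simplified Python model in which each folder holds its own account-to-role list, and the folder names, accounts, and the treatment of the None role as "no access" are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Folder:
    name: str
    acl: dict                       # account -> role; must contain "Default"
    parent: "Folder | None" = None
    children: list = field(default_factory=list)

    def create_subfolder(self, name, creator):
        # A new subfolder copies the parent's permissions once, at creation,
        # and the creating user is added as an owner.
        child = Folder(name, dict(self.acl), parent=self)
        child.acl[creator] = "Owner"
        self.children.append(child)
        return child

    def path(self):
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"

def can_open_directly(folder, account):
    # A shortcut or favorite opens the folder itself, so only its own list
    # is evaluated. Unlisted accounts receive the Default account's role.
    return folder.acl.get(account, folder.acl["Default"]) != "None"

def audit_bypass(root, account):
    """Paths of subfolders the account can open although an ancestor denies access."""
    findings = []
    def walk(folder, ancestor_denied):
        if ancestor_denied and can_open_directly(folder, account):
            findings.append(folder.path())
        denied = ancestor_denied or not can_open_directly(folder, account)
        for child in folder.children:
            walk(child, denied)
    walk(root, False)
    return findings

def propagate(folder):
    # Model of propagating client permissions: every subfolder's list is
    # replaced by the parent's list.
    for child in folder.children:
        child.acl = dict(folder.acl)
        propagate(child)

def demo():
    # Constructed sample hierarchy (hypothetical names and accounts).
    root = Folder("Projects", {"Default": "Author", "Anonymous": "None", "admin": "Owner"})
    root.create_subfolder("Budget", creator="alice")
    root.acl["Default"] = "None"    # permissions revoked on the parent only
    before = audit_bypass(root, "bob")
    propagate(root)
    return before, audit_bypass(root, "bob")
```

In this model, propagation also removes the subfolder creator's explicit owner entry, because the subfolder's list is overwritten with the parent's.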
Item-level permissions refer to security settings applied to individual messages, documents, and other objects in a public folder. Similar to standard file system permissions, you can set these when accessing a public folder through ExIFS. To give an example, place a Microsoft Word document in a public folder using Windows Explorer, then right-click it, select Properties, click on the Security tab, and specify the desired security settings. If you deny a user Read access to items, Outlook will display error messages, such as "Can't open this item, you don't have appropriate permission to perform this operation," or "The custom form could not be opened." Be careful when denying permissions to avoid confusion. It is not possible to hide individual items in a public folder, and document properties may be exposed in folder views.
In this exercise you will create various public folder resources and manage security settings. You will also use the Exchange System Manager to propagate configuration changes to subfolders.
To view a multimedia demonstration that displays how to perform this procedure, run the EX2CH17*.AVI files from the \Exercise_Information\Chapter17 folder on the Supplemental Course Materials CD.
To create public folders, set permissions, and propagate configuration changes to subfolders
Figure 17.8 Bypassing parent folder permissions
Figure 17.9 Propagating parent folder permissions
When creating sublevel public folders, configuration settings, such as client permissions, folder location, and replication settings, are inherited from the parent folder. An owner of a parent folder, for instance, will also become an owner of all sublevel folders by default—in addition to the user who has created the subfolder. When you change permissions for a parent folder either in Exchange System Manager or in Outlook 2000, you need to be aware that those changes are not automatically propagated to subfolders. You need to propagate configuration changes manually, which is only possible in Exchange System Manager.
If you want to revoke permissions for a parent folder but want users to be able to work with subfolders, it is a good idea to move the subfolders to a different location. Using Outlook 2000 or Exchange System Manager, you can move public folders within the same hierarchy via drag-and-drop. However, you cannot move or copy a folder from one public folder tree to another.