Everyone security group is not denied the right to create top-level public folders

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2006-12-04

The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine whether the security identifier (SID) for the Everyone security group is listed in the ntSecurityDescriptor of the Exchange Organization object. If the Exchange Server Analyzer finds the SID for the Everyone group present in the ntSecurityDescriptor of the Organization object, a warning is displayed. This warning indicates that the Everyone group has not been denied the right to create top-level public folders.

In Exchange 2000 Server, the right to create top-level public folders is allowed by default. However, when the Exchange Server 2003 version of ForestPrep or the Exchange Server 2007 version of PrepareAD is run, the Everyone security group is denied access to create top-level public folders. The deny functionality has been implemented as a security measure. Allowing the Everyone security group to create top-level public folders may leave your organization vulnerable to denial of service attacks.

Therefore, it is a best practice to deny the right to create top-level public folders to the Everyone security group. If you have Exchange Server 2003 or Exchange Server 2007, you should run the Exchange Server 2003 version of ForestPrep or the Exchange Server 2007 version of PrepareAD, respectively. You can run the Exchange Server 2003 version of ForestPrep in an Exchange 2000 Server environment. However, subsequent installations of Exchange 2000 Server will reset the permissions to allow the Everyone security group to create top-level public folders.

If you do not have Exchange Server 2003 or Exchange Server 2007, you can set this permission manually. Remember that subsequent installations of Exchange 2000 Server will reset this permission. Therefore, you must manually configure this permission after each installation of Exchange 2000 Server. Before you can set the permission, you must enable the Security tab to be displayed in Exchange System Manager, which you can do by adding the ShowSecurityPage entry to the registry on the Exchange Server computer.

Important

This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore the registry if a problem occurs. For information about how to restore the registry, view the "Restore the Registry" Help topic in Regedit.exe or Regedt32.exe.

To add the ShowSecurityPage entry to the registry

  1. Open a registry editor, such as Regedit.exe or Regedt32.exe.

  2. Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin

  3. Click Edit, click New, and then click DWORD Value.

  4. For the new value name, type ShowSecurityPage, and then press ENTER.

  5. Double-click ShowSecurityPage, type 1 in the Value data field, and then click OK.

To manually deny the Everyone security group the right to create top-level public folders in an Exchange 2000 Server environment

  1. Open Exchange System Manager.

  2. Right-click Organization_Name, and then click Properties.

  3. On the Organization_Name properties page, click the Security tab.

  4. On the Security tab, in Group or user names, select Everyone. In the Permissions for Everyone box, scroll down to the Create top-level public folder permission, clear the check box in the Allow column, and then click Apply.
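To confirm the result after running ForestPrep or PrepareAD, or after the manual change above, the following read-only PowerShell script lists every access control entry for the Everyone SID (S-1-1-0) on the Organization object and resolves extended-right GUIDs to their names. It is an added example, not part of the original topic or of the Exchange Server Analyzer Tool. It assumes a domain-joined computer, an account that can read the configuration partition, and the usual location of the Organization object under CN=Microsoft Exchange,CN=Services; the helper name Resolve-RightName is hypothetical.

```powershell
# Added example: audit Everyone ACEs on the Exchange Organization object.
# Read-only; it does not modify the directory.

# Well-known SID for the Everyone group (S-1-1-0).
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

# The Exchange organization lives in the forest's configuration partition.
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$exchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($exchRoot)
$searcher.Filter = '(objectClass=msExchOrganizationContainer)'
$searcher.SearchScope = 'OneLevel'
$hit = $searcher.FindOne()
if (-not $hit) { throw 'No Exchange Organization object found.' }
$org = $hit.GetDirectoryEntry()

# Hypothetical helper: map an ACE ObjectType GUID to the name of the
# matching extended right, falling back to the raw GUID.
function Resolve-RightName([Guid]$guid) {
    if ($guid -eq [Guid]::Empty) { return '(all)' }
    $s = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Extended-Rights,$configNC")
    $s.Filter = "(rightsGuid=$guid)"
    $r = $s.FindOne()
    if ($r) { [string]$r.Properties['cn'][0] } else { "$guid" }
}

# Read the DACL (ntSecurityDescriptor) with identities returned as SIDs.
$rules = $org.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])

# Show explicit and inherited entries for Everyone, Allow and Deny alike.
$rules |
    Where-Object { $_.IdentityReference.Value -eq $everyone.Value } |
    Select-Object AccessControlType, ActiveDirectoryRights, IsInherited,
        @{ Name = 'Right'; Expression = { Resolve-RightName $_.ObjectType } } |
    Format-Table -AutoSize
```

In the output, look for the row whose Right column names the create top-level public folder right and check whether its AccessControlType is Allow or Deny.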

Before you edit the registry, and for information about how to edit the registry, read Microsoft Knowledge Base article 256986, "Description of the Microsoft Windows registry" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=256986).

For more information about running Exchange Server 2003 ForestPrep, see the Exchange Server 2003 Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=47569).

For more information about running Exchange Server 2007 PrepareAD, see "How to Prepare Active Directory and Domains" (https://go.microsoft.com/fwlink/?LinkId=78453).

For more information about how to deny the Everyone security group the rights to create a top-level public folder in Exchange 2000 Server, see the Knowledge Base article 328808, "HOW TO: Remove User Permission from the Create Top-Level Public Folder in Exchange 2000" (https://go.microsoft.com/fwlink/?LinkId=3052&kbid=328808).