Configuring Public Folder Permissions

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

You can configure public folder permissions both for administrators of Microsoft Exchange Server 2007 and for users of client programs such as Microsoft Office Outlook 2007. Public folder permissions consist of various access rights that specify the level of control a client user or administrator has over a public folder or public folder hierarchy.

This topic includes the following information about public folder permissions:

  • The access rights and predefined roles (which consist of specific access rights) that you can configure for client users.

  • The access rights that you can configure for administrators.

    Note

    In Exchange 2007 Service Pack 1 (SP1), you can create a Public Folder Administrator role. For more information about the Public Folder Administrator role, see "Administrator Access Rights" later in this topic.

  • Links to the management tasks you can perform for client users and administrators.

Note

When you create a new public folder within an existing public folder hierarchy, that public folder inherits the permissions of the parent folder.

Client User Access Rights and Roles

In Exchange 2007, you use the Exchange Management Shell to configure permissions for users who access public folders through client programs such as Outlook. Whether you select the access rights manually or use predefined roles that contain specific access rights, you use the Add-PublicFolderClientPermission cmdlet to perform the tasks.

Important

To ensure that users can send e-mail messages to a mail-enabled public folder, the public folder must have at least the CreateItems access right granted to the Anonymous account.

The following is a list of client user access rights (followed by a table that shows the predefined permission roles):

  • ReadItems   The user has the right to read items within the specified public folder.

  • CreateItems   The user has the right to create items within the specified public folder and send e-mail messages to the public folder if it is mail-enabled.

  • EditOwnedItems   The user has the right to edit the items that the user owns in the specified public folder.

  • DeleteOwnedItems   The user has the right to delete items that the user owns in the specified public folder.

  • EditAllItems   The user has the right to edit all items in the specified public folder.

  • DeleteAllItems   The user has the right to delete all items in the specified public folder.

  • CreateSubfolders   The user has the right to create subfolders in the specified public folder.

  • FolderOwner   The user is the owner of the specified public folder. The user has the right to view and move the public folder, create subfolders, and set permissions for the folder. The user cannot read items, edit items, delete items, or create items.

  • FolderContact   The user is the contact for the specified public folder.

  • FolderVisible   The user can view the specified public folder, but cannot read or edit items within the specified public folder.

The following table lists the predefined public folder client access roles and the access rights that are included in each role. The table headers reflect the access rights listed previously in this document.

Note

The FolderOwner access right and the Owner role have different permissions as shown in the following table.

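| Role | CreateItems | ReadItems | CreateSubfolders | FolderOwner | FolderContact | FolderVisible | EditOwnedItems | EditAllItems | DeleteOwnedItems | DeleteAllItems |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| None |  |  |  |  |  | X |  |  |  |  |
| Owner | X | X | X | X | X | X | X | X | X | X |
| PublishingEditor | X | X | X |  |  | X | X | X | X | X |
| Editor | X | X |  |  |  | X | X | X | X | X |
| PublishingAuthor | X | X | X |  |  | X | X |  | X | X |
| Author | X | X |  |  |  | X | X |  | X |  |
| Non-EditingAuthor | X | X |  |  |  | X |  |  |  |  |
| Reviewer |  | X |  |  |  | X |  |  |  |  |
| Contributor | X |  |  |  |  | X |  |  |  |  |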

Note

Client users can use Outlook to manage public folder client access permissions. For information about how to manage public folder permissions from Outlook 2007, see Create and Share a Public Folder. For information about how to manage public folder permissions from Outlook 2003, see Outlook folder permissions.
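The following is an added example, not part of the original topic: it expands predefined roles into the individual access rights from the roles table and flags entries where a broad principal holds more than an allowed ceiling. The Default principal, the ceiling policy, the function names, and the sample rows are assumptions; on a live server the rows would come from Get-PublicFolderClientPermission, assumed here to expose Identity, User, and AccessRights as strings.

```powershell
# Role-to-rights map from the roles table above (Non-EditingAuthor is keyed without its hyphen).
$RoleRights = @{
    None             = @('FolderVisible')
    Owner            = @('CreateItems','ReadItems','CreateSubfolders','FolderOwner','FolderContact',
                         'FolderVisible','EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems')
    PublishingEditor = @('CreateItems','ReadItems','CreateSubfolders','FolderVisible',
                         'EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems')
    Editor           = @('CreateItems','ReadItems','FolderVisible',
                         'EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems')
    PublishingAuthor = @('CreateItems','ReadItems','CreateSubfolders','FolderVisible',
                         'EditOwnedItems','DeleteOwnedItems','DeleteAllItems')
    Author           = @('CreateItems','ReadItems','FolderVisible','EditOwnedItems','DeleteOwnedItems')
    NonEditingAuthor = @('CreateItems','ReadItems','FolderVisible')
    Reviewer         = @('ReadItems','FolderVisible')
    Contributor      = @('CreateItems','FolderVisible')
}
# Assumed policy ceiling (not from the page). Anonymous keeps CreateItems for mail-enabled folders.
$Ceiling = @{
    Anonymous = @('CreateItems','FolderVisible')
    Default   = @('CreateItems','ReadItems','FolderVisible','EditOwnedItems','DeleteOwnedItems')
}

function Expand-AccessRight([string[]]$AccessRights) {
    $rights = @()
    foreach ($r in $AccessRights) {   # replace each role name with the rights it contains
        $key = $r -replace '-', ''
        if ($RoleRights.ContainsKey($key)) { $rights += $RoleRights[$key] } else { $rights += $r }
    }
    $rights | Sort-Object -Unique
}

function Test-PublicFolderAcl($Entries) {
    foreach ($e in $Entries) {   # one finding per entry that exceeds its ceiling
        if (-not $Ceiling.ContainsKey($e.User)) { continue }
        $excess = @(Expand-AccessRight $e.AccessRights | Where-Object { $Ceiling[$e.User] -notcontains $_ })
        if ($excess.Count -gt 0) {
            New-Object PSObject -Property @{ Identity = $e.Identity; User = $e.User; Excess = ($excess -join ',') }
        }
    }
}

# Constructed sample rows (assumed shape: Identity, User, AccessRights).
$sample = @(
    @{ Identity = '\Sales';   User = 'Anonymous'; AccessRights = @('Contributor') },
    @{ Identity = '\HR';      User = 'Anonymous'; AccessRights = @('PublishingAuthor') },
    @{ Identity = '\Finance'; User = 'Default';   AccessRights = @('ReadItems','EditAllItems') }
) | ForEach-Object { New-Object PSObject -Property $_ }
Test-PublicFolderAcl $sample | Format-Table Identity, User, Excess -AutoSize
```

Because new public folders inherit the permissions of the parent folder, a finding on a parent folder is worth checking against its subfolders as well.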

Administrator Access Rights

In the release to manufacturing (RTM) version of Exchange 2007, you can only use the Add-ExchangeAdministrator cmdlet to grant public folder administrative rights to a user.

In Exchange 2007 Service Pack 1 (SP1), there are two methods you can use to grant public folder administrative rights to a user:

  • Use the Add-ExchangeAdministrator cmdlet or the Add Exchange Administrator wizard to add a user to the Public Folder Administrator role.

  • Use the Add-PublicFolderAdministrativePermission cmdlet to grant or deny specific rights to public folders.

The following table describes the differences between the rights that are granted by the Public Folder Administrator role and the rights that are granted by using the Add-PublicFolderAdministrativePermission cmdlet.

| Exchange Public Folder Administrator role | Add-PublicFolderAdministrativePermission |
| --- | --- |
| The user can create top-level public folders. | The user cannot create top-level public folders. |
| The user is granted AllExtendedRights to public folders. | The user can be granted or denied specific rights to public folders. |
| The user can administer any top-level public folder, child public folder, and system public folders in the public folder tree. In addition, this user's access rights cannot be revoked by using the Remove-PublicFolderAdministrativePermission cmdlet. | The user can be granted the right to administer specific top-level public folders and specific child public folders. However, the user's access rights can be revoked by using the Remove-PublicFolderAdministrativePermission cmdlet. |

By default, when you create a top-level public folder, users who have permissions that are granted by specific Exchange administrator roles and Microsoft Windows security groups are automatically added as administrators to that public folder because of the group's inherited rights. The following list shows which roles and groups automatically have administrative rights to a new top-level public folder, including the specific access rights that are granted to each:

  • Exchange administrator roles:

    • Exchange Public Folder Administrator (granted AllExtendedRights)

    Note

    This role is available only in Exchange 2007 SP1.

    • Exchange Server Administrator (granted AllExtendedRights)

    • Exchange Organization Administrator (granted AllExtendedRights)

    • Exchange View-Only Administrator (granted ViewInformationStore)

  • Windows security groups:

    • Enterprise Admins (granted AllExtendedRights)

    • Administrator (granted AllExtendedRights)

    • Domain Admins (granted AllExtendedRights)

The following list describes the standard set of administrative access rights that can be set on a public folder:

  • None   The administrator does not have any rights to modify public folder attributes.

  • ModifyPublicFolderACL   The administrator has the right to modify client access permissions for the specified folder.

  • ModifyPublicFolderAdminACL   The administrator has the right to modify administrator permissions for the specified public folder.

  • ModifyPublicFolderDeletedItemRetention   The administrator has the right to modify the Public Folder Deleted Item Retention attributes (RetainDeletedItemsFor, UseDatabaseRetentionDefaults).

  • ModifyPublicFolderExpiry   The administrator has the right to modify the Public Folder Expiration attributes (AgeLimit, UseDatabaseAgeDefaults).

  • ModifyPublicFolderQuotas   The administrator has the right to modify the Public Folder Quota attributes (MaxItemSize, PostQuota, PostWarningQuota, UseDatabaseQuotaDefaults).

  • ModifyPublicFolderReplicaList   The administrator has the right to modify the replica list attribute for the specified public folder (Replicas).

  • AdministerInformationStore   The administrator has the right to modify all other public folder properties not defined previously.

  • ViewInformationStore   The administrator has the right to view public folder properties.

  • AllExtendedRights   The administrator has the right to modify all public folder properties.

Management Tasks for Configuring Public Folder Permissions

This section lists the management tasks that you can perform to configure and maintain public folder permissions:

For More Information

To learn more about public folders, see Understanding Public Folders.

For more information about managing public folders, see Managing Public Folders.