Microsoft Exchange and Blackberry Server Specialists

Public Folder Permissions

One of the reasons that public folders are so popular is the control that permissions give you over them. You can even hide public folders from users completely, so that they don't know the folders are there.

To get the best from public folders though, there are some things that you need to consider.

Highest Permission Setting Wins

If a user is a member of a group and that group is given one set of permissions, you cannot lock the user out by restricting their access as a named individual.
Similarly, if the Default permission is set too high, then that gives unforeseen access (see below).

Review the "Default" Permissions

The "Default" permission is what a user gets when they aren't covered by another permission set on their user or group.
Therefore it can give a user unintentional access to a folder.
To combat that, change the "Default" permission to none for all of your public folders.

If you have a folder that everyone in the company needs to see and possibly review the contents of, then use your equivalent of "All Staff" to set the basic permission.

Anonymous Permission and Mail Enabled Folders

If the folder is mail enabled, then the anonymous permission needs at least contributor rights to be able to receive email. Contributor can email the folder, but cannot see it or modify the contents.

This permission can catch people out when they have a mail enabled folder which they want to use internally but hide from the users. The anonymous permission does not apply to a user with Outlook on the same server. They are not anonymous, but are an authenticated user.
Therefore if you want internal users to be able to email a public folder, then they need at least contributor rights.
Use your equivalent of "All Staff" to grant that permission to everyone, then increase the permissions as required for the people who need to access it.

Use Groups and not Individuals Where Possible

This is quite obvious really. Using a group is always better than setting permissions for individuals, particularly when you are giving the owner right to someone in the IT team.
For Owner type permissions, create a group called "Email Admins" and then grant this group owner rights on all of your public folders. Should someone in IT then leave, they can be removed from the group without having to worry about permissions on the individual folders. It also helps if you need to delegate access to someone without giving them access to the entire Exchange system.

Owner Rights

In many cases users don't need owner rights. This can give them more permissions than they need. It may also lead to someone deleting a folder in error, particularly if they are a non-technical user. Modify the permissions so that the user has just the rights that they need, without giving them too many. If your number of public folders is quite small, then it is no trouble for the administrator to have to make the changes to the public folders which the users cannot.
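
The Default, Anonymous and Owner checks described above can be run across the whole hierarchy as a read-only audit. This is an added example, not part of the original article. It assumes the Exchange Management Shell (Exchange 2007 or later, PowerShell 2.0 or later) with its Get-PublicFolder and Get-PublicFolderClientPermission cmdlets, and it assumes the owner group is named "Email Admins" as in the text.

```powershell
# Added example: read-only audit, it reports findings and changes no permissions.
# Assumption: the group that should hold Owner is called "Email Admins".
$ownerGroup = 'Email Admins'

$findings = foreach ($folder in (Get-PublicFolder -Identity '\' -Recurse -ResultSize Unlimited)) {
    foreach ($entry in (Get-PublicFolderClientPermission -Identity $folder.Identity)) {
        $user   = $entry.User.ToString()
        $rights = @($entry.AccessRights | ForEach-Object { $_.ToString() })
        $issue  = $null

        if ($user -eq 'Default') {
            # The article recommends Default = None on every public folder.
            if (($rights -join ',') -ne 'None') {
                $issue = 'Default is not None'
            }
        }
        elseif ($user -eq 'Anonymous') {
            # A mail-enabled folder needs Anonymous at Contributor or above to receive mail.
            if ($folder.MailEnabled -and ($rights -join ',') -eq 'None') {
                $issue = 'Mail enabled, but Anonymous is None'
            }
        }
        elseif (($rights -contains 'Owner') -and ($user -notlike "*$ownerGroup*")) {
            # Owner held by anyone other than the admin group deserves a second look.
            $issue = "Owner held outside '$ownerGroup'"
        }

        if ($issue) {
            New-Object PSObject -Property @{
                Folder = $folder.Identity.ToString()
                User   = $user
                Rights = $rights -join ','
                Issue  = $issue
            }
        }
    }
}

$findings | Sort-Object Folder, User |
    Format-Table Folder, User, Rights, Issue -AutoSize
```

Because the highest permission wins, a finding on Default matters even when named users on the same folder are restricted.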

Permission Propagation

Public Folder permissions only propagate automatically when the sub folder is first created. Therefore if you are going to be creating a significant hierarchy of public folders, create the parent folder first and set the permissions that you want to propagate down to the new folders. Once you are happy with the permissions, then create the new folders.
If you need to add someone or a group later on, then use the tools in ESM to propagate the settings. Exchange 2003 SP2 is the best tool for this as you can add someone or a group and propagate down without overwriting the existing permissions. There is no equivalent in Exchange 2007.