Sharing Non Default Folders
One of the most common tasks that an Exchange administrator is asked to do is adjust permissions on Mailboxes to allow access to the content for others. However from the server side, all that you can do is grant Full Mailbox access, which means exactly that - full access. The user who has the permissions can do what they like to any part of the mailbox. What you may have already discovered is sharing of mailbox folders, which allows another user to be given permissions to specific folders.
However in Outlook if you choose File, open, Other User's folders then you are restricted on what folders you can open, and there is no way to have that folder permanently open in your own Outlook. By setting the permissions correctly, you can provide a limited permanent view of another user's mailbox, where the third party can only see what you have granted them access to. This article will explain what permissions to set.
If you want to simply use the File, Open Other User's folders, then instructions on that feature are here.
With careful training, this is a setting that can be setup and administrated by the users themselves, without any intervention from the Exchange administrator.
Base Permission
To open another's users set of folders in Outlook, you need to set a basic permission at the top of the tree. This allows them to open your mailbox. It does NOT allow them to see the contents of your mailbox.
- Right click on Outlook Today at the top of the tree. It may simply say "Mailbox - User Name". See figure one.
Fig 1: Right click on Mailbox and choose Properties - Click on the third tab permissions and add the user or group in the usual way to the list. Grant the user the permission "Folder Visible". Nothing else. DO NOT touch Default or Anonymous permissions. See figure two. With those permissions set, the user can open the mailbox.
Fig 2: Choose Permissions Tab and Set "Folder Visible" permission
Use A Group Rather than Users
Remember - if you are going to be granting the permission to a number of users, and perhaps the same permissions to a number of mailboxes then it may be better to set the permissions once to a group. This also means that if the members of the group change, even temporarily, the permissions can be quickly adjusted centrally by the network administrator.
Granting Permissions to the required folders
Now you have the base permission set, you need to grant the permissions to the folders that you want to provide access to.
If the folder is a sub folder, or even a sub-sub folder, then you need to grant permissions down the entire tree. What this means is the "Folder Visible" permission that you set at the top of the tree needs to apply to each folder that you want to grant permissions to.
For example, if you had a folder in your Contacts called "Sales Contacts" and then further sub folders called "Southern Contacts" and "Northern Contacts", and wanted to allow access to a certain number of users to just "Southern Contacts" then you would need to grant the Folder Visible permission to the Contacts folder, the "Sales Contacts" folder. You could then set the actual access permissions on the "Southern Contacts" folder. The folder visible permission does not allow the user to see the contents of the folder, just the folder name.
Furthermore, if you had some users who needed access to content in the Sales Contacts folder as well as "Northern Contacts" and "Southern Contacts", you could grant the permissions on the Sales Contacts folder and to the sub folders.
Preset Permissions Types
There are a number of preset permissions within Outlook, which are outlined below. If you change any of the permissions after choosing a role then it will become a custom permission.
- Contributor - can add items but cannot see anything. This is fairly restricted is usually only used on mail enabled Public Folders.
- Reviewer - can see everything but cannot add, change or delete any entries.
- Non editing Author - can see everything and can add entries. Cannot edit the entries once they have been made.
- Author - can create new entries. Can also work with entries they have created themselves, delete, modify etc.
- Publishing author - as author, but can create sub folders.
- Editor - can work with all items including creation, modification and deletion of any items in the folder
- Publishing editor - as editor but can create sub folders.
- Owner - can do everything, including assign permissions.
Permissions Quirks
There are a couple of things you need to be aware of when it comes to setting the permissions
Permissions Inheritance
A quick note on permissions heritance.
With mailbox folders (and this also applies to public folders) inheritance only occurs at the point of creation of the sub folder. Therefore if the structure is already in place, you will need to grant the permissions to the sub folders as well. However, any NEW folders that you create will inherit the permissions of their parent. Users should be warned of that when creating folders.
Which Permissions Apply
Another thing that can catch people out is how permissions are applied.
The least restrictive permission wins.
For example, if you had a user called Carol who was a member of Sales and you granted Sales the permission of Editor, even if you granted Carol the permission of Author (which is more restrictive setting) she would still be an Editor.
Therefore if you are using groups to control access, use the groups as the base permission, and then elevate individuals, or have multiple groups with the elevated users in a separate group.
Full Mailbox Access permission at the Domain
If the user or group has been granted the permission "Full Mailbox Access" at the domain level, then any permissions set on the folders will have no effect, as the higher permissions win. Furthermore these permissions cannot be used to restrict the owner of the mailbox from being able to delete their own content. That isn't possible with Outlook/Exchange. If you need to keep a copy of all content then that has to be stored outside of the mailbox.
Opening the Shared Folders in Outlook
Once the permissions have been granted, then you are ready to open the new set of folders in Outlook.
This is done in the same way as opening an additional full mailbox.
- Right click on the Mailbox - User Name (or Outlook Today) and choose Properties (as fig 1 above).
- On the General tab. Click on Advanced in the lower right corner.
Fig 3: Click on the Advanced Button in the Lower Right Corner - Click on the TAB Advanced.
Fig 4: Click on the Advanced TAB and then choose Add... to add the mailbox - Choose Add
- Find the mailbox in the usual way.
- Apply/OK out of each box.
When you look in Outlook under the Folder view, you should find the new mailbox listed, showing just the folders that you have permissions to. In the example shown below (fig 5) The user has permissions to the Inbox and "Special Contacts".
|
| Fig 5: Outlook with the Additional User Mailbox |
Questions
Q: Are these additional folders available offline?
Q: Does the original user need to be online for others to access the data?
A: As long as the folders are NOT mail folders, then additional folders can be made available offline in Outlook 2007 ONLY. The data is always available online as it is using server data, not local data.
Q: I changed the permissions on a folder, but the person the permissions were granted to cannot see the folder.
A: Restart Outlook to see the updated folder list.
Q: I want to allow another user to use my Contacts list when composing messages, how can I do that?
A: Follow the above procedure to have the Contacts folder open all the time, then right click on the Contacts folder and choose Properties, then the tab "Outlook Address Book" and enable the option "Show this folder as an email Address Book". If you the option is dimmed and unavailable, then follow this KB article:
http://support.microsoft.com/kb/197577
Related Links
- Sharing Default Folders with Other Users- Accessing the Default Folders using Open Other User's Folders.
- Public Folder Permissions - Best Practises for setting Permissions on Public Folders.