2. Define Public Folder Permissions
You can classify
public folder permissions into two categories: administrator permissions
and client permissions. Administrators will use tools such as the
Public Folder Management Console to manage public folders. When granting
permissions to public folder content, administrators will typically
need access that allows them to create top-level folders, manage the
permissions on folders, and manage system folders. Content access for
users typically consists of the ability to create new child public
folders, post new content, and manage existing content.
When a new folder is
created, the permissions on that folder are inherited from the parent
folder. However, if you add permissions to an existing parent folder,
only new child folders inherit the permissions. Existing child folders
maintain the permissions that were inherited at the time the folder was
created.
2.1. Grant Users Access to a Public Folder
Users accessing
public folders through their client applications will primarily be
concerned with creating new content and accessing or modifying existing
content. Exchange has a set of predefined roles that users can be
assigned on a public folder. Table 3 displays each of these predefined roles and the privileges that each has.
Table 3. Predefined Public Folder Client Roles

| Role Name | Create Items | Create Subfolders | Read Items | Edit Items | Delete Items |
|---|---|---|---|---|---|
| Author | Yes | No | Yes | Only items the user owns | Only items the user owns |
| Contributor | Yes | No | No | No | No |
| Editor | Yes | No | Yes | Yes | Yes |
| None | No | No | No | No | No |
| NonEditingAuthor | Yes | No | Yes | No | No |
| Owner | Yes | Yes | Yes | Yes | Yes |
| PublishingAuthor | Yes | Yes | Yes | Only items the user owns | Yes |
| PublishingEditor | Yes | Yes | Yes | Yes | Yes |
| Reviewer | No | No | Yes | No | No |
You cannot add client
permissions to public folders through the Public Folder Management
Console. Instead, permissions must be managed through the Exchange
Management Shell.
To give a user rights to a public folder, use the Add-PublicFolderClientPermission
cmdlet. In addition to identifying the public folder that you want to
change permissions on, you will also need to use the User parameter to
specify the user, and the AccessRights
parameter to specify the role that you are assigning that user. The
following command makes Nora Shea an Editor on the Helpdesk folder:
Add-PublicFolderClientPermission "\Helpdesk" -User "Nora Shea" -AccessRights Editor
One thing that the Add-PublicFolderClientPermission
cmdlet does not allow you to do is add permissions recursively down the
tree of public folders. The cmdlet only affects the folder that you
specified. To get around this, you can create a one-liner to recursively
read the list of public folders and then pipe them into the cmdlet.
This one-liner would look like this:
Get-PublicFolder "\Helpdesk" -Recurse | Add-PublicFolderClientPermission -User "Nora Shea" -AccessRights Editor
A problem with this
approach is that if the user already has permissions defined on one of
the folders, the command line generates an error and does not add the
new permission. So instead of using this method, you can use a
PowerShell script called AddUsersToPFRecursive.ps1 that is included with Exchange 2010. This script is located in the \Scripts directory in your Exchange installation path. When you use this script, you must include the TopPublicFolder parameter to specify the public folder that you want to add permissions to. You will need to specify the user with the User parameter, and the privileges using the Permissions parameter. The following example demonstrates the syntax of this script:
.\AddUsersToPFRecursive.ps1 -TopPublicFolder "\Helpdesk" -User "Nora Shea" -Permissions Editor
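The failure mode described above (the one-liner errors on any folder where the user already has an entry) can be avoided by inspecting each folder's current entry before changing it. The following is an added example, not code from the book or one of the Exchange scripts: the function name Grant-PFClientRoleRecursive is made up, and it assumes it is run inside an Exchange 2010 Management Shell session. It skips folders where the user already holds the requested role, replaces a different existing role, and emits one object per folder so the run can be reviewed or logged.

```powershell
function Grant-PFClientRoleRecursive {
    # Added example (hypothetical function name). Idempotent form of
    # Get-PublicFolder -Recurse | Add-PublicFolderClientPermission.
    param(
        [Parameter(Mandatory = $true)] [string] $TopPublicFolder,
        [Parameter(Mandatory = $true)] [string] $User,
        [Parameter(Mandatory = $true)] [string] $AccessRights,
        [switch] $WhatIf   # report what would change without touching any ACL
    )

    $folders = Get-PublicFolder -Identity $TopPublicFolder -Recurse
    foreach ($folder in $folders) {
        $id  = $folder.Identity
        $old = $null
        # Current entry for this user on this folder; $null when there is none.
        $existing = Get-PublicFolderClientPermission -Identity $id -User $User `
                        -ErrorAction SilentlyContinue

        if ($existing -and ($existing.AccessRights -contains $AccessRights)) {
            Write-Verbose "$id : $User already has $AccessRights, skipping"
            continue
        }
        if ($existing) {
            # A different role is present, so Add-PublicFolderClientPermission would
            # fail. Remove the old entry first and keep its value for the audit trail.
            $old = ($existing.AccessRights -join ',')
            Write-Verbose "$id : replacing $old with $AccessRights for $User"
            if (-not $WhatIf) {
                Remove-PublicFolderClientPermission -Identity $id -User $User `
                    -AccessRights $existing.AccessRights -Confirm:$false
            }
        }
        if (-not $WhatIf) {
            Add-PublicFolderClientPermission -Identity $id -User $User -AccessRights $AccessRights
        }
        New-Object PSObject -Property @{
            Folder   = $id
            User     = $User
            Previous = $old
            Granted  = $AccessRights
        }
    }
}

# Same scenario as the book's command, run as a dry run first, then for real.
Grant-PFClientRoleRecursive -TopPublicFolder "\Helpdesk" -User "Nora Shea" -AccessRights Editor -WhatIf
Grant-PFClientRoleRecursive -TopPublicFolder "\Helpdesk" -User "Nora Shea" -AccessRights Editor -Verbose
```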
2.2. Remove Access to a Public Folder
In addition to granting
users access to public folders, you should know how to remove access.
Since you can't work with client permissions on public folders in the
Public Folder Management Console, you will have to use the EMS for
removing permissions.
To remove existing rights from a public folder, you use the Remove-PublicFolderClientPermission
cmdlet. When running this command, you must identify the public folder
that you want to modify the permissions on and the user that you want to
remove, using the User parameter. You will also need to give the command the AccessRights parameter and use it to specify the role that you are removing the user from, as shown in the following example.
Remove-PublicFolderClientPermission "\Helpdesk" -User "Nora Shea" -AccessRights Editor
This cmdlet also suffers from the same problem as the Add-PublicFolderClientPermission
cmdlet—it does not remove permissions from the folder's subfolders.
Because of this, there is another PowerShell script included with
Exchange 2010 that solves this problem. You can use the RemoveUserFromPFRecursive.ps1
script to remove the user's access rights to all the subfolders as
well. This script is located in the \Scripts directory of your Exchange
Server 2010 installation path. To run this script, use the TopPublicFolder
parameter to specify the folder that permissions are stripped from. You
will also need to use the User parameter to identify the user who is
losing their rights. The following example demonstrates this command:
.\RemoveUserFromPFRecursive.ps1 -TopPublicFolder "\Helpdesk" -User "Nora Shea"
2.3. Manage Public Folder Administrators
Public folder
administrators have a different set of privileges than clients. For
clients, the access rights are different roles, which define what
permissions clients have to view, add, and change content. Since
administrators are focused more on managing the configuration of public
folders, the list of access rights used is focused on the mechanics of
public folders rather than the content. Table 4 describes the access rights available for administering public folders.
Table 4. Public Folder Administrative Access Rights

| Access Right | Description |
|---|---|
| AdministerInformationStore | Modify properties of the folder in the information store. |
| AllExtendedRights | Change every setting on the folder. |
| ModifyPublicFolderACL | Add and remove client permissions on a folder. |
| ModifyPublicFolderAdminACL | Add and remove administrator permissions on a folder. |
| ModifyPublicFolderDeletedItemRetention | Change the settings for retaining deleted items. |
| ModifyPublicFolderExpiry | Change the settings for content expiration. |
| ModifyPublicFolderQuotas | Change the quotas for items in the folder and determine whether the default database quotas are overwritten. |
| ModifyPublicFolderReplicaList | Add and remove folder replicas. |
| None | No rights to modify folder settings. |
| ViewInformationStore | View properties of the folder in the information store. |
2.3.1. Add Administrators to a Public Folder
You can add administrative rights to a public folder using the Add-PublicFolderAdministrativePermission cmdlet in the EMS. This command takes the name of the folder, the name of the administrator using the User parameter, and the rights that you want to assign using the AccessRights parameter. The access rights must be entered as defined in Table 4.
For example, the following command delegates the Quota Admins group to
have the ability to manage quotas on every public folder:
Add-PublicFolderAdministrativePermission "\" -User "Quota Admins" -AccessRights ModifyPublicFolderQuotas -InheritanceType All
2.3.2. Remove Administrators from a Public Folder
To remove administrative permissions from a public folder, you can use the Remove-PublicFolderAdministrativePermission cmdlet. You will need to specify the administrator with the User parameter and the rights that you want to remove with the AccessRights parameter. The following example demonstrates this command:
Remove-PublicFolderAdministrativePermission "\Helpdesk" -User "Nora Shea" -AccessRights ModifyPublicFolderQuotas
2.4. List the Permissions on a Folder
You can view the
permissions on specific public folders and determine who has what kind
of access rights. To get a complete list of these permissions, you need
to view both the permissions assigned to administrators and the
permissions assigned to clients. Both of these permission sets can be
viewed in the EMS.
2.4.1. View Client Permissions
To list the permissions that clients have to a public folder, you can use the Get-PublicFolderClientPermission
cmdlet. The only parameter required to run this command is the name of
the public folder that you want to retrieve the permissions for. The
following command lists each client who has permissions defined on the
folder and lists what each client's permissions are:
Get-PublicFolderClientPermission "\Helpdesk"
You can further refine
this command with the User parameter so it gives you information for a
specific user. For example, if you want to know what permissions Nora
Shea has on the Helpdesk folder, the following command will tell you and
format the results into a table:
Get-PublicFolderClientPermission "\Helpdesk" -User "Nora Shea" | ft User, AccessRights
2.4.2. View Administrator Permissions
To get a list of the administrator permissions on a public folder, you can use the Get-PublicFolderAdministrativePermission
cmdlet. Similar to the cmdlet for listing client permissions, this
cmdlet only requires the name of the public folder that you want to view
the permissions for. The following command will list all the
administrative permissions on a folder:
Get-PublicFolderAdministrativePermission "\Helpdesk"
One thing that you will notice
if you run this command on a public folder is that the default set of
permissions is applied to universal security groups that Exchange
created in Active Directory when it was installed. These groups
correspond to the role groups that Exchange uses.
When using the Get-PublicFolderAdministrativePermission cmdlet, you can specify the User parameter. Use the User parameter along with the name of a user to view the administrative permissions that are assigned to that user, as shown here:
Get-PublicFolderAdministrativePermission "\Helpdesk" -User "Nora Shea"
When using this cmdlet to check user permissions, the permissions are listed only if the user is assigned rights directly
to the folder. Group memberships are not evaluated. So if the user is a
member of a group and the group has permissions defined on the folder,
the cmdlet does not return these permissions. If you want to view the
permissions that are assigned through a group membership, you will need
to run the cmdlet with the name of the groups that the user is a member
of instead of the user's name.
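Because the User parameter only matches entries granted directly to the named principal, an audit of who can administer a folder has to repeat the query for each group the user belongs to, including nested groups. The following is an added example, not from the book: the function name Get-PFEffectiveAdminPermission is made up, it assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT) is available in the Exchange Management Shell, and it takes the user's SAM account name for the AD lookup. It walks the membership tree and reports each administrative entry on the folder with the principal it was found on.

```powershell
Import-Module ActiveDirectory   # assumption: RSAT AD module present on this server

function Get-PFEffectiveAdminPermission {
    # Added example (hypothetical function name): direct plus group-derived
    # administrative permissions on one public folder.
    param(
        [Parameter(Mandatory = $true)] [string] $Identity,       # e.g. "\Helpdesk"
        [Parameter(Mandatory = $true)] [string] $SamAccountName  # e.g. "nshea" (constructed)
    )

    $userDn = (Get-ADUser -Identity $SamAccountName).DistinguishedName

    # Breadth-first walk of group memberships so nested groups are included once.
    $groups = @{}   # DN -> group name
    $queue  = New-Object System.Collections.Queue
    $queue.Enqueue($userDn)
    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        foreach ($g in (Get-ADPrincipalGroupMembership -Identity $dn)) {
            if (-not $groups.ContainsKey($g.DistinguishedName)) {
                $groups[$g.DistinguishedName] = $g.Name
                $queue.Enqueue($g.DistinguishedName)
            }
        }
    }

    # Query the folder once for the user and once per group, tagging the source.
    $principals = @(@{ Dn = $userDn; Via = 'Direct' })
    foreach ($dn in $groups.Keys) {
        $principals += @{ Dn = $dn; Via = "Group: $($groups[$dn])" }
    }

    foreach ($p in $principals) {
        $entries = Get-PublicFolderAdministrativePermission -Identity $Identity `
                       -User $p.Dn -ErrorAction SilentlyContinue
        foreach ($e in $entries) {
            New-Object PSObject -Property @{
                Folder       = $Identity
                Via          = $p.Via
                AccessRights = ($e.AccessRights -join ',')
                Deny         = $e.Deny          # a Deny entry on a group overrides an Allow
                IsInherited  = $e.IsInherited   # came from a parent folder or the root "\"
            }
        }
    }
}

Get-PFEffectiveAdminPermission -Identity "\Helpdesk" -SamAccountName "nshea" |
    Format-Table Via, AccessRights, Deny, IsInherited
```

Entries with Deny set deserve the closest look, since they are what the direct query hides when the denial sits on a group rather than on the user.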