Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2010-01-13
You can configure public folder permissions for administrators or for users of client programs such as Microsoft Outlook. Public folder permissions consist of various access rights that specify the level of control a client user or administrator has over a public folder or public folder hierarchy.
Looking for management tasks related to public folder permissions? Check out Managing Public Folder Permissions.
Client User Access Rights and Roles
Use the Exchange Management Shell to configure the permissions for users who use client programs such as Outlook to access public folders. Whether you want to manually select the access rights or use predefined roles that contain specific access rights, you'll use the Add-PublicFolderClientPermission cmdlet.
Important: |
---|
To make sure users can send e-mail messages to a mail-enabled public folder, the public folder must have at least the CreateItems access right granted to the Anonymous account. |
The following is a list of client user access rights (followed by a table that shows the predefined permission roles):
- ReadItems The user can read items
within the specified public folder.
- CreateItems The user can create items
within the specified public folder and send e-mail messages to the
public folder if it's mail-enabled.
- EditOwnedItems The user can edit the
items that the user owns in the specified public folder.
- DeleteOwnedItems The user can delete
items that the user owns in the specified public folder.
- EditAllItems The user can edit all
items in the specified public folder.
- DeleteAllItems The user can delete all
items in the specified public folder.
- CreateSubfolders The user can create
subfolders in the specified public folder.
- FolderOwner The user is the owner of
the specified public folder. The user can view and move the public
folder, create subfolders, and set permissions for the folder. The
user can't read, edit, delete, or create items.
- FolderContact The user is the contact
for the specified public folder.
- FolderVisible The user can view the
specified public folder, but can't read or edit items within the
specified public folder.
The following table lists the predefined public folder roles and the access rights that are included in each role. The table headers reflect the access rights listed previously in this topic.
Note: |
---|
The FolderOwner access right and the Owner role have different permissions as shown in the following table. |
Access rights included with each predefined public folder role
Role | CreateItems | ReadItems | CreateSubfolders | FolderOwner | Folder Contact | FolderVisible | EditOwnedItems | EditAllItems | DeleteOwnedItems | DeleteAllItems |
---|---|---|---|---|---|---|---|---|---|---|
None |
|
|
|
|
|
X |
|
|
|
|
Owner |
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
PublishingEditor |
X |
X |
X |
|
|
X |
X |
X |
X |
X |
Editor |
X |
X |
|
|
|
X |
X |
X |
X |
X |
PublishingAuthor |
X |
X |
X |
|
|
X |
X |
|
X |
X |
Author |
X |
X |
|
|
|
X |
X |
|
X |
|
Non-EditingAuthor |
X |
X |
|
|
|
X |
|
|
|
|
Reviewer |
|
X |
|
|
|
X |
|
|
|
|
Contributor |
X |
|
|
|
|
X |
|
|
|
|
Note: |
---|
Client users can use Outlook to manage public folder permissions for public folders that reside on a server running Microsoft Exchange Server 2010. For information about how to manage public folder permissions from Microsoft Office Outlook 2007 or Outlook 2010, see Create and Share a Public Folder. For information about how to manage public folder permissions for public folders that reside on Exchange 2010 servers from Office Outlook 2003, see Outlook folder permissions. |
Administrator Access Rights
In Exchange 2010, there are two ways to grant administrators the rights to manage public folders:
- Public Folder Management role group
- Add-PublicFolderAdministrativePermission
cmdlet
The following table describes the differences between the rights that are granted by the Public Folder Management role group and the rights that are granted by using the Add-PublicFolderAdministrativePermission cmdlet.
Administrator access rights differences
Public Folder Management role group | Add-PublicFolderAdministrativePermission cmdlet |
---|---|
The user can create top-level public folders. |
The user can't create top-level public folders. |
The user is granted the AllExtendedRights permission to public folders and the rights to run the public folder cmdlets. |
The user can be granted or denied specific rights to public folders. |
The user can administer any top-level public folder, child public folder, and system public folders in the public folder tree. In addition, this user's access rights can't be revoked by using the Remove-PublicFolderAdministrativePermission cmdlet. |
The user can be granted the right to administer specific top-level public folders and specific child public folders. However, the user's access rights can be revoked by using the Remove-PublicFolderAdministrativePermission cmdlet. |
The Public Folder Management role group is a Role Based Access Control (RBAC) role group that consists of the following roles:
For more information, see Public Folder Management. |
Not applicable |
The following list describes the standard set of administrative access rights that can be set on a public folder:
- None The administrator doesn't have any
rights to modify public folder attributes.
- ModifyPublicFolderACL The administrator
has the right to modify Client Access server role permissions for
the specified folder.
- ModifyPublicFolderAdminACL The
administrator has the right to modify administrator permissions for
the specified public folder.
-
ModifyPublicFolderDeletedItemRetention The
administrator has the right to modify the Public Folder Deleted
Item Retention attributes (RetainDeletedItemsFor,
UseDatabaseRetentionDefaults).
- ModifyPublicFolderExpiry The
administrator has the right to modify the Public Folder Expiration
attributes (AgeLimit, UseDatabaseAgeDefaults).
- ModifyPublicFolderQuotas The
administrator has the right to modify the Public Folder Quota
attributes (MaxItemSize, PostQuota,
PostWarningQuota, UseDatabaseQuotaDefaults)
- ModifyPublicFolderReplicaList The
administrator has the right to modify the replica list attribute
for the specified public folder (Replicas).
- AdministerInformationStore The
administrator has the right to modify all other public folder
properties not defined previously.
- ViewInformationStore The administrator
has the right to view public folder properties.
- AllExtendedRights The administrator has
the right to modify all public folder properties.
Creating Custom Role Groups
In addition to the Public Folder Management role group and the Add-PublicFolderAdministrativePermission cmdlet, you can create custom role groups that will allow a user to only perform certain tasks. For example, if you want to allow an administrator to manage public folders and mail-enabled public folders, but not public folder replication, you can create a custom role group that includes only the Mail Enabled Public Folders role and the Public Folders role. For more information about creating role groups, see Create a Role Group.