Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2009-03-17
You can configure public folder permissions both for administrators of Microsoft Exchange Server 2007 and for users of client programs such as Microsoft Office Outlook 2007. Public folder permissions consist of various access rights that specify the level of control a client user or administrator has over a public folder or public folder hierarchy.
This topic includes the following information about public folder permissions:
- The access rights and predefined roles (which consist of specific access rights) that you can configure for client users.
- The access rights that you can configure for administrators.
  Note: In Exchange 2007 Service Pack 1 (SP1), you can create a Public Folder Administrator role. For more information about the Public Folder Administrator role, see "Administrator Access Rights" later in this topic.
- Links to the management tasks you can perform for client users and administrators.
Note: When you create a new public folder within an existing public folder hierarchy, that public folder inherits the permissions of the parent folder.
Client User Access Rights and Roles
In Exchange 2007, you use the Exchange Management Shell to configure the permissions for the users who use client programs such as Outlook to access public folders. Whether you manually select the access rights or use predefined roles that contain specific access rights, you use the Add-PublicFolderClientPermission cmdlet to perform the tasks.
Important: To ensure that users can send e-mail messages to a mail-enabled public folder, the public folder must have at least the CreateItems access right granted to the Anonymous account.
The following is a list of client user access rights (followed by a table that shows the predefined permission roles):
- ReadItems: The user has the right to read items within the specified public folder.
- CreateItems: The user has the right to create items within the specified public folder and send e-mail messages to the public folder if it is mail-enabled.
- EditOwnedItems: The user has the right to edit the items that the user owns in the specified public folder.
- DeleteOwnedItems: The user has the right to delete items that the user owns in the specified public folder.
- EditAllItems: The user has the right to edit all items in the specified public folder.
- DeleteAllItems: The user has the right to delete all items in the specified public folder.
- CreateSubfolders: The user has the right to create subfolders in the specified public folder.
- FolderOwner: The user is the owner of the specified public folder. The user has the right to view and move the public folder, create subfolders, and set permissions for the folder. The user cannot read items, edit items, delete items, or create items.
- FolderContact: The user is the contact for the specified public folder.
- FolderVisible: The user can view the specified public folder, but cannot read or edit items within the specified public folder.
The following table lists the predefined public folder client access roles and the access rights that are included in each role. The table headers reflect the access rights listed previously in this document.
Note: The FolderOwner access right and the Owner role have different permissions as shown in the following table.
| Role | CreateItems | ReadItems | CreateSubfolders | FolderOwner | FolderContact | FolderVisible | EditOwnedItems | EditAllItems | DeleteOwnedItems | DeleteAllItems |
|---|---|---|---|---|---|---|---|---|---|---|
| None | | | | | | X | | | | |
| Owner | X | X | X | X | X | X | X | X | X | X |
| PublishingEditor | X | X | X | | | X | X | X | X | X |
| Editor | X | X | | | | X | X | X | X | X |
| PublishingAuthor | X | X | X | | | X | X | | X | X |
| Author | X | X | | | | X | X | | X | |
| Non-EditingAuthor | X | X | | | | X | | | | |
| Reviewer | | X | | | | X | | | | |
| Contributor | X | | | | | X | | | | |
Note: Client users can use Outlook to manage public folder client access permissions. For information about how to manage public folder permissions from Outlook 2007, see Create and Share a Public Folder. For information about how to manage public folder permissions from Outlook 2003, see Outlook folder permissions.
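The following audit sketch is an added example, not part of the original topic or Microsoft's code. It expands the predefined roles into individual access rights using the table above and reports Anonymous entries that hold more than an assumed baseline of CreateItems and FolderVisible. The function names, the baseline policy and the sample entries are assumptions made for illustration; it is written for Windows PowerShell 2.0 or later.

```powershell
# Role-to-rights map transcribed from the table on this page (added example).
$RoleRights = @{
    'None'             = @('FolderVisible')
    'Owner'            = @('CreateItems','ReadItems','CreateSubfolders','FolderOwner','FolderContact',
                           'FolderVisible','EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems')
    'PublishingEditor' = @('CreateItems','ReadItems','CreateSubfolders','FolderVisible',
                           'EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems')
    'Editor'           = @('CreateItems','ReadItems','FolderVisible',
                           'EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems')
    'PublishingAuthor' = @('CreateItems','ReadItems','CreateSubfolders','FolderVisible',
                           'EditOwnedItems','DeleteOwnedItems','DeleteAllItems')
    'Author'           = @('CreateItems','ReadItems','FolderVisible','EditOwnedItems','DeleteOwnedItems')
    'NonEditingAuthor' = @('CreateItems','ReadItems','FolderVisible')
    'Reviewer'         = @('ReadItems','FolderVisible')
    'Contributor'      = @('CreateItems','FolderVisible')
}
# Assumed policy (not from the page): Anonymous needs no more than these rights.
$AnonymousBaseline = @('CreateItems','FolderVisible')

# Expand role names to individual rights; individual rights pass through unchanged.
function Expand-PFAccessRights([string[]]$AccessRights) {
    $rights = @()
    foreach ($r in $AccessRights) {
        $key = $r -replace '-', ''   # the table writes Non-EditingAuthor with a hyphen
        if ($RoleRights.ContainsKey($key)) { $rights += $RoleRights[$key] } else { $rights += $key }
    }
    $rights | Sort-Object -Unique
}

# Report Anonymous entries whose effective rights exceed the baseline.
function Find-BroadAnonymousAccess($Entries) {
    foreach ($e in $Entries) {
        if ("$($e.User)" -ne 'Anonymous') { continue }
        $effective = @(Expand-PFAccessRights ($e.AccessRights | ForEach-Object { "$_" }))
        $extra = @($effective | Where-Object { $AnonymousBaseline -notcontains $_ })
        if ($extra.Count -gt 0) {
            New-Object PSObject -Property @{ Folder = "$($e.Identity)"; ExtraRights = ($extra -join ', ') }
        }
    }
}

# Constructed sample entries with Identity, User and AccessRights properties.
$sample = @(
    (New-Object PSObject -Property @{ Identity = '\Helpdesk';  User = 'Anonymous';      AccessRights = @('CreateItems') }),
    (New-Object PSObject -Property @{ Identity = '\Marketing'; User = 'Anonymous';      AccessRights = @('Author') }),
    (New-Object PSObject -Property @{ Identity = '\Marketing'; User = 'CONTOSO\jsmith'; AccessRights = @('Owner') })
)
Find-BroadAnonymousAccess $sample | Format-Table Folder, ExtraRights -AutoSize
```

In the Exchange Management Shell, the entries can instead come from `Get-PublicFolder -Identity '\' -Recurse | Get-PublicFolderClientPermission`, on the assumption that the User value of the Anonymous entry renders as the string Anonymous.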
Administrator Access Rights
In the release to manufacturing (RTM) version of Exchange 2007, you can only use the Add-ExchangeAdministrator cmdlet to grant public folder administrative rights to a user.
In Exchange 2007 Service Pack 1 (SP1), there are two methods you can use to grant public folder administrative rights to a user:
- Use the Add-ExchangeAdministrator cmdlet or the Add Exchange Administrator wizard to add a user to the Public Folder Administrator role.
- Use the Add-PublicFolderAdministrativePermission cmdlet to grant or deny specific rights to public folders.
The following table describes the differences between the rights that are granted by the Public Folder Administrator role and the rights that are granted by using the Add-PublicFolderAdministrativePermission cmdlet.
| Exchange Public Folder Administrator role | Add-PublicFolderAdministrativePermission |
|---|---|
| The user can create top-level public folders. | The user cannot create top-level public folders. |
| The user is granted AllExtendedRights to public folders. | The user can be granted or denied specific rights to public folders. |
| The user can administer any top-level public folder, child public folder, and system public folders in the public folder tree. In addition, this user's access rights cannot be revoked by using the Remove-PublicFolderAdministrativePermission cmdlet. | The user can be granted the right to administer specific top-level public folders and specific child public folders. However, the user's access rights can be revoked by using the Remove-PublicFolderAdministrativePermission cmdlet. |
By default, when you create a top-level public folder, users who have permissions that are granted by specific Exchange administrator roles and Microsoft Windows security groups are automatically added as administrators to that public folder because of the group's inherited rights. The following list shows which roles and groups automatically have administrative rights to a new top-level public folder, including the specific access rights that are granted to each:
- Exchange administrator roles:
  - Exchange Public Folder Administrator (granted AllExtendedRights)
    Note: This role is available only in Exchange 2007 SP1.
  - Exchange Server Administrator (granted AllExtendedRights)
  - Exchange Organization Administrator (granted AllExtendedRights)
  - Exchange View-Only Administrator (granted ViewInformationStore)
- Windows security groups:
  - Enterprise Admins (granted AllExtendedRights)
  - Administrator (granted AllExtendedRights)
  - Domain Admins (granted AllExtendedRights)
The following list describes the standard set of administrative access rights that can be set on a public folder:
- None: The administrator does not have any rights to modify public folder attributes.
- ModifyPublicFolderACL: The administrator has the right to modify client access permissions for the specified folder.
- ModifyPublicFolderAdminACL: The administrator has the right to modify administrator permissions for the specified public folder.
- ModifyPublicFolderDeletedItemRetention: The administrator has the right to modify the Public Folder Deleted Item Retention attributes (RetainDeletedItemsFor, UseDatabaseRetentionDefaults).
- ModifyPublicFolderExpiry: The administrator has the right to modify the Public Folder Expiration attributes (AgeLimit, UseDatabaseAgeDefaults).
- ModifyPublicFolderQuotas: The administrator has the right to modify the Public Folder Quota attributes (MaxItemSize, PostQuota, PostWarningQuota, UseDatabaseQuotaDefaults).
- ModifyPublicFolderReplicaList: The administrator has the right to modify the replica list attribute for the specified public folder (Replicas).
- AdministerInformationStore: The administrator has the right to modify all other public folder properties not defined previously.
- ViewInformationStore: The administrator has the right to view public folder properties.
- AllExtendedRights: The administrator has the right to modify all public folder properties.
Management Tasks for Configuring Public Folder Permissions
This section lists the management tasks that you can perform to configure and maintain public folder permissions:
- How to Add Permissions for Client Users to Access Public Folder Content
  You can use the Add-PublicFolderClientPermission cmdlet or the AddUsersToPFRecursive.ps1 user management script to specify the permissions for the client user. You can create the access rights by using either the predefined permission roles or by creating custom access rights.
- How to Remove or Replace Public Folder Client Permissions
  You can use the Remove-PublicFolderClientPermission cmdlet or the RemoveUserFromPFRecursive.ps1 script to remove permissions for the client user. You can remove access rights by using either the predefined permission roles or by using the access rights.
  You can use the ReplaceUserWithUserOnPFRecursive.ps1 and ReplaceUserPermissionOnPFRecursive.ps1 scripts to replace client permissions on a public folder. For more information about the public folder management scripts, see Scripts for Managing Public Folders in the Exchange Management Shell.
- How to View Public Folder Client Permissions Settings
  You can use the Get-PublicFolderClientPermission cmdlet to view the client access rights associated with a public folder.
- How to Grant the Send As Permission for a Mail-Enabled Public Folder
  You can use Send As permissions to configure a mail-enabled public folder so that users other than the public folder owner can use the mail-enabled public folder to send messages.
  The Send As permission is not granted until after replication has occurred. Replication times depend on your Microsoft Exchange and network configuration.
- How to Add Administrative Permissions for Users to Access Public Folders
  You can use the Add-PublicFolderAdministrativePermission cmdlet, the Add-ExchangeAdministrator cmdlet, or the Add Exchange Administrator wizard to grant administrative rights for a user to access a public folder or public folder hierarchy.
- How to Remove Public Folder Administrative Permissions
  You can use the Remove-PublicFolderAdministrativePermission cmdlet, the Remove-ExchangeAdministrator cmdlet, or the Add Exchange Administrator wizard to remove administrative access rights from a user for a public folder or public folder hierarchy.
- How to View Public Folder Administrative Permission Settings
  You can use the Get-PublicFolderAdministrativePermission cmdlet, the Get-ExchangeAdministrator cmdlet, or the Organization Configuration node to view the administrative rights that are associated with a public folder or public folder hierarchy.
For More Information
To learn more about public folders, see Understanding Public Folders.
For more information about managing public folders, see Managing Public Folders.