Topic Last Modified: 2009-02-04

The Microsoft Exchange Server Best Practices Analyzer examines security permissions on the %PROGRAMFILES%\Microsoft\Exchange\ClientAccess\OAB\<GUID> folders on Microsoft Exchange Server 2007 Client Access servers. The Best Practices Analyzer performs this operation to determine whether particular security groups have the appropriate rights assigned. Specifically, the tool checks that the following security groups have the following permissions on these folders:

Security group                          Permission requirement
Authenticated Users                     Read
Enterprise Admins                       Read
Domain Admins                           Read
Exchange Organization Administrators    Read
Exchange Servers                        Full Control
Administrators                          Full Control

If the Best Practices Analyzer determines that incorrect permissions are assigned to a group, the tool generates the following error message:

'<GroupName>' does not have '<RequiredPermission>' permission of folder '<OfflineAddressBookPath>' on server <ServerName>. This will cause clients to fail to download Offline Address Book via HTTP(s). Please add '<RequiredPermission>' permission of this folder to this group.

In Exchange 2007, the Microsoft Exchange System Attendant service that runs on mailbox servers generates Offline Address Book (OAB) data. Also, the Microsoft Exchange System Attendant service publishes the data files to a network share. By default, this network share is \\<ServerName>\ExchangeOAB. The OAB files are published to folders that are represented by GUIDs.

Because you can install Exchange 2007 without public folder databases, no public folder distribution mechanism may be available for OABs. Instead, Exchange 2007 uses HTTP-based or HTTPS-based OAB distribution. On Client Access servers, the Microsoft Exchange File Distribution service (MSExchangeFDS.exe) is responsible for keeping the local OAB files synchronized with the copies on the Mailbox server.

The Microsoft Exchange File Distribution Service on each Client Access server picks up the OAB files from the file share and copies them to the local virtual directory. Typically, this virtual directory is named /Oab.

Microsoft Office Outlook 2007 obtains a URL that points to the .xml index of the OAB data files, also known as the OAB manifest, and then retrieves the OAB data files.

Note:
The URL to the OAB manifest is provided by the Autodiscover service. This URL may resemble https://web.contoso.com/oab/<GUID>/oab.xml.

If incorrect or insufficient permissions are configured on the %PROGRAMFILES%\Microsoft\Exchange\ClientAccess\OAB\<GUID> folders on the Client Access server, Outlook clients cannot use the HTTP protocol or the HTTPS protocol to download the OAB.

To address this issue, modify the permissions on the OAB-related folders.

To modify folder permissions
  1. On the Client Access server, start Windows Explorer, and then locate the following folder:

    %PROGRAMFILES%\Microsoft\Exchange\ClientAccess\OAB

    Note:
    Modify this path as appropriate for your Exchange installation directory.
  2. In the right pane, right-click an OAB folder (represented by a GUID), and then click Properties.

  3. Click the Security tab, and then modify the permissions as shown in the table that appears earlier in this topic.

  4. When you have finished modifying the OAB folder permissions, click OK.
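The same check can be scripted to audit every OAB folder before and after the change. The following is an added example, not part of the original topic or of the Best Practices Analyzer; the function name Test-OabFolderAcl and its -OabRoot parameter are hypothetical. It assumes PowerShell 2.0 or later, matches groups by name without the domain prefix, and looks only at Allow entries, so Deny entries and nested group membership are not evaluated.

```powershell
# Added example: audit OAB folder ACLs against the table in this topic.
# Assumes the default install path; pass -OabRoot for a custom Exchange directory.
function Test-OabFolderAcl {
    param(
        [string]$OabRoot = (Join-Path $env:ProgramFiles 'Microsoft\Exchange\ClientAccess\OAB')
    )

    # Group name (without domain or authority prefix) -> minimum rights from the table.
    $required = @{
        'Authenticated Users'                  = 'Read'
        'Enterprise Admins'                    = 'Read'
        'Domain Admins'                        = 'Read'
        'Exchange Organization Administrators' = 'Read'
        'Exchange Servers'                     = 'FullControl'
        'Administrators'                       = 'FullControl'
    }
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    Get-ChildItem -Path $OabRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_.FullName
        # Keep Allow entries that apply to the folder itself (skip inherit-only ACEs).
        $allow = @((Get-Acl -Path $folder).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.PropagationFlags -band $inheritOnly) -eq 0
        })

        foreach ($group in $required.Keys) {
            $need = [System.Security.AccessControl.FileSystemRights]$required[$group]
            $granted = $false
            foreach ($ace in $allow) {
                # 'CONTOSO\Domain Admins' and 'BUILTIN\Administrators' reduce to the bare name.
                $name = ($ace.IdentityReference.Value -split '\\')[-1]
                if ($name -eq $group -and ($ace.FileSystemRights -band $need) -eq $need) {
                    $granted = $true
                }
            }
            if (-not $granted) {
                New-Object PSObject -Property @{
                    Folder = $folder; Group = $group; Missing = $required[$group]
                }
            }
        }
    }
}

# Each output row is a group that lacks its required permission on one OAB folder.
Test-OabFolderAcl | Format-Table Folder, Group, Missing -AutoSize
```

An empty result means every GUID folder grants each listed group at least the permission in the table.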

For More Information

For more information about OAB distribution, see the following Exchange Server Team Blog articles:

Note:
The content of each blog and its URL are subject to change without notice. The content within each blog is provided "AS IS" with no warranties, and confers no rights. Use of included script samples or code is subject to the terms specified in the Microsoft Terms of Use.