In the Daily Drill Down “Discovering Exchange 2000 management tools,” I showed you how to implement basic public folder security. However, the technique that I demonstrated applied only to root-level folders. The idea was that you could apply a set of permissions to the root level and have the permissions trickle down to the individual public folders. However, in the real world, the various public folders usually have their own individual security needs. So, let’s take a look at how to manage individual public folders. For all of the techniques in this Daily Feature, I’ll be using the Exchange System Manager.
Creating new public folders
When you installed Exchange 2000, there's a good chance that you upgraded from an earlier version of Exchange. If so, public folders probably already exist on your Exchange server, with permissions already set for them. To avoid messing up an established folder, let's create a new folder for demonstration purposes.
To do so, navigate through the Exchange System Manager tree to your organization | Administrative Groups | your group | Folders | Public Folders. Now, right-click Public Folders and select the New | Public Folder command from the resulting context menu. When you do, you’ll see an empty Properties sheet. On this Properties sheet’s General tab, enter a name for the new folder and enter Test Folder in the Public Folder Description field. Click OK to create the folder.
Working with the folder’s properties
Now that you’ve got a folder that you can play with, right-click the newly created folder and select the Properties command from the resulting context menu. When you do, you’ll see the folder’s Properties sheet. This Properties sheet will be identical to the previous one, except there will be a Permissions tab.
Since security will be one of your primary concerns when it comes to public folders, select the Permissions tab. The Permissions tab contains three buttons. The first button is the Client Permissions button. As the name implies, clicking this button allows you to access a dialog box used to set permissions for clients who may be accessing the folder.
As you can see in Figure A, the top portion of the dialog box displays the users and security groups that have permissions to the folder, along with the role that each one holds for the folder. At first, the role that's assigned to a user or group may be confusing. However, if you look carefully at Figure A, you'll notice that the default user is selected from the list.
Figure A: You can set the client permissions for each individual folder.
The default user has been granted the role of Author. Beneath the list, you’ll see a Roles drop-down list. You can use this drop-down list to change the role of the default user. The section below the Roles drop-down list contains a list of individual permissions. The permissions with their check boxes selected are granted to the selected user. As you change roles, the selected permissions also change. It’s also possible to manually select a set of permissions to define a custom role.
Finally, the section below the individual permissions contains an Edit Items section and a Delete Items section. These two sections allow you to decide whether the selected user or group can edit or delete any item in the folder, the items that they own, or nothing at all.
Now that you've seen how to change the client permissions for a folder, you may be curious about the existing permissions scheme. The Administrator's role is pretty much self-explanatory. However, the Default and Anonymous roles deserve a little explanation. The Default role applies to any client that's accessing the folder, unless that client has a specific permission defined within the list. For example, the Administrator wouldn't be subject to the Default permissions because the Administrator has his or her own entry in the list. However, the user User1 doesn't have a specific entry in the list, so User1 would be subject to the Default permissions.
The entry for Anonymous applies to users who might access the Exchange Server through the Internet without actually authenticating through a domain controller. By default, anonymous users are allowed to post entries into a newly created public folder. Therefore, if you don’t want Internet users posting to your public folders, you should change the permissions to block anonymous users.
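The resolution rules described above (a specific entry wins, Default covers everyone else, Anonymous covers unauthenticated clients) can be modelled to review a set of folder permission lists offline. This is an added example, not code from the article or from Exchange; the Rights fields, folder names and sample lists are constructed, and group membership is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rights:
    create_items: bool = False
    read_items: bool = False
    edit: str = "none"    # Edit Items section: "none", "own" or "all"
    delete: str = "none"  # Delete Items section: "none", "own" or "all"

SPECIAL = ("default", "anonymous")

def effective_rights(acl, user, authenticated=True):
    """Pick the list entry that governs this client."""
    if not authenticated:
        return acl.get("Anonymous", Rights())
    for name, rights in acl.items():
        if name.lower() == user.lower() and name.lower() not in SPECIAL:
            return rights  # a specific entry takes precedence
    return acl.get("Default", Rights())

def audit(folders):
    """Return (folder, finding) pairs for entries that deserve review."""
    findings = []
    for folder, acl in folders.items():
        anon = acl.get("Anonymous", Rights())
        default = acl.get("Default", Rights())
        if anon.create_items:
            findings.append((folder, "Anonymous can post items"))
        if anon.edit != "none" or anon.delete != "none":
            findings.append((folder, "Anonymous can edit or delete items"))
        if "all" in (default.edit, default.delete):
            findings.append((folder, "Default can edit or delete any item"))
    return findings

# Constructed sample data: two folders and their client-permission lists.
FOLDERS = {
    "Test Folder": {
        "Administrator": Rights(True, True, "all", "all"),
        "Default": Rights(True, True, "own", "own"),
        "Anonymous": Rights(create_items=True),
    },
    "Locked Folder": {
        "Administrator": Rights(True, True, "all", "all"),
        "Default": Rights(read_items=True),
        "Anonymous": Rights(),
    },
}

if __name__ == "__main__":
    for folder, finding in audit(FOLDERS):
        print(f"{folder}: {finding}")
```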
Now that I’ve explained the client permissions, let’s look at the two other buttons on the folder’s properties sheet’s Permissions tab. The second button that you’ll encounter is the Directory Rights button. This button controls rights to the public folder as it applies to Active Directory. This button is disabled by default, and you may never have to use it.
The final button on the Permissions tab is the Administrative Rights button. Clicking this button allows you to control which users and groups have permissions to administer the public folder. When you click the Administrative Rights button, you’ll see the Permissions For Test dialog box. This dialog box is fairly simple to understand. The top portion of the dialog box contains a list of groups and users that could potentially have administrative permissions. Below the user list is a list outlining the various permissions. Simply select a user and then select which administrative permissions apply to the user. You can see a sample of this in Figure B.
Figure B: The Permissions For Test dialog box allows you to control a public folder's administrative permissions.
Once you create public folders on your Exchange 2000 server, you don’t necessarily want just anyone to access them. By setting permissions, you can exercise control over who can access them and what they can do with that access.