Re: Strange Public Folder permission assignments



Hey,

Ta for the pointer, am digesting it now.

I didn't replicate the folders over, but imported them via the edb file,
then (manually) mimicked the permissions using the AD GAL entries, to
reflect the perms that were set on the 5.5 server.

The users are not logging in with the AD creds, but still the NT
accounts. So this is why I am so perplexed as to why a security group
grants permissions to users in the group (AD accounts) but the actual
GAL entry does not...

I'm sure it will become clearer as I read the paper.

ta




Rich Matheisen [MVP] wrote:
shonkyholdings@xxxxxxxxx wrote:

Hi,

I just migrated a 5.5 server to a 2k3 one. The biz are still using the
NT domain accounts to access the migrated resources.

This is working fine for mailbox stuff, but the public folder access is
a bit flakey. I gather this is because public folders are assigned
permissions from the GAL, which refers to AD and not the NT directory.

After much gnashing of teeth I realised that if I apply permissions to
the folders using mail enabled security groups (which contain the users
in AD) then they have access to the folders. Whereas if I grant the
individual user access - they get nothing....

Does this seem like normal behaviour? Where permissions applied per
user do not stick, whereas if the (same) user is in a mail enabled
security group they do?

And sadly, the domain is not Native, so I cannot change the Dist Groups
I migrated over to Security groups :(

Start here:
XADM: White Paper - Public Folder Permissions in a Mixed-Mode
Microsoft Exchange Organization [326266]

Public Folder permissions in mixed-mode are ugly. 5.5 uses the
obj-dist-name while e2k/3 uses NTFS permissions. The translation can
break, leaving you with what you *think* is working but it isn't.

One of the things to look at is in the ESM, Ctrl+Click on the "Client
Permissions..." and you'll see the NTFS permissions that are effective
on the folder.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
Or to these, either: mailto:h.pott@xxxxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxxxx
