  MAPI Permissions in E2K

There is an interesting problem with MAPI based permission roles for public folders in Exchange 2000 that I recently stumbled upon, and it took me some time to understand what happened and get it fixed. This article describes the problem, its cause, and how to solve it.

Exchange 5.5 and earlier versions handled all access to public folders without any correlation to the security system in Windows NT 4. Both the creator of the public folder (i.e. the Outlook user), who automatically got the Owner role, and the Exchange administrator could modify the permission settings for the public folder. This has changed in Exchange 2000: access to all objects, including public folders, is now governed by the Windows 2000 security system. However, this is hidden from both the Outlook user and the Exchange 2000 administrator using ESM; both still see the MAPI permission roles (see Figure 1) instead of the actual Windows 2000 security settings. In other words, things look the same as before.

It is possible to view the real W2K settings that correspond to the MAPI roles (see Figure 2) by one of these methods:
a) Use the File Explorer and open the property page for a public folder; then check the security tab. (requires that you have access to the M: drive)
b) Use the ESM tool, open the property page for the public folder, switch to the Permissions tab; while pressing the CTRL key, click on the Client Permission button.

You should be very careful not to change anything when using the Win2K security view! If you do, you must stick to this type of security setting from then on whenever you want to modify permissions; you can't go back to the old MAPI style - at least that is what I first thought! See the end of this article for how to restore the MAPI view. We also noticed that if you ran a script that changed security settings, it could in some cases also convert the permission view to Win2K. Please note that I am talking about modifying the security settings here; if you simply want to view them, you can use any view you like.

So what happens if you have converted the modify view to Win2K security settings? A lot of things! Below is a list of the more important ones:

  • Owners of the Public Folder can't modify the permission tab
  • Owners can't recover deleted items in this PF
  • Administrators can't change the permissions using the MAPI view
  • Administrators can't propagate permission settings to sub-folders

This also means that only an administrator can change public folder permissions, using the ESM tool and the Win2K security settings. Which raises a new question: exactly how is each MAPI role represented in Win2K security settings? I didn't find this information anywhere so I did some testing and came to the following results (A=Allow, D=Deny):

W2K Permissions | None | Contributor | Reviewer | Non editing Author | Author | Publishing Author | Editor | Publishing Editor | Owner
Delete D A A A
Read permissions D A
Change permissions D A
Take ownership D A
Synchronize D (A)
List Content D A A A A A A A
Create Item D A A A A A A A
Create Container D A A A
Read Property D A A A A A A A
Write Property D A A A
Execute D A
Delete Child D A
Read Attributes D A A A A A A A
Write Attributes - Note 1 D A
View Item D A A A A A A A A
Owner D A
Contact D A
Read Body D A A A A A A A
Write Body D A A A A A A A
Append Message D A A A
Write Own Property D D D A A A A A
Delete Own Item D A A A A A A
Note 1: The attribute "View Item" controls the PF's visibility: Allow = Visible, Deny = Not Visible
Note 2: The MAPI group Default = Everyone, MAPI group Anonymous = Anonymous Logon
Note 3: Users that are Hidden will be listed as <Domain>\<user account>

The Solution:

As you can see, it's easiest if the public folders can be modified using the MAPI roles. If a folder has for some reason been converted to Win2K security settings, you can restore the MAPI view with the following steps:

  1. Use the ESM tool, open the properties for the public folder
  2. View its client permissions, using the MAPI view. Write down every permission setting, then close the MAPI view
  3. Open the Win2k view instead (Press CTRL and click on the Client Permission button)
  4. Remove every user and group account in the Folder Rights tab; then click OK, and then Apply
  5. Open the MAPI view again - now it lists the MAPI roles Default and Anonymous
  6. Change the permission settings back to their original values - click OK.


© Copyright Pro Exchange, Inc., 2006