Public Folders in a Shared Environment
Originally published June 15, 2004
(Note November 13, 2007: the process described in this article does not work with Exchange 2007.)
It's pretty obvious that you don't want one company to be able to modify another company's Public Folders. It's also pretty obvious that you want a company to be able to fully control their Public Folders without you having to get involved each time they want a new PF or want to delete a PF.
So what do we do?
We have a couple of options, but only one real solution. It's possible to have multiple public folder stores. However, we run into some serious limitations very quickly: a) you can only have a total of 20 stores, and more seriously b) it's only possible to have one public folder store that MAPI (and therefore Outlook) talks to per server.
When you are using OWA (either 2000 or 2003 versions), it's possible to completely hide the fact that PF's are spread all over the place. OWA always uses the “public” virtual directory as the basis for public folder access and you can configure that to point wherever you wish.
But Outlook doesn't afford us this luxury. Outlook recognizes a maximum of one public folder store, per server (I think this is a MAPI limitation, not an Outlook limitation). (Remember - with PF's you create the hierarchy and then associate a store with the hierarchy.)
This means (since we do want our clients to have access to PF's from Outlook, right?) we've got to deal with some moderately painful security issues.
First things first - you know how to use ADSIEdit, right? :-) You have a good backup of your system, right? :-)
Take a look at KB 313866 for almost what we want to do as our first step - except we want to UNCHECK under the Allow column for “Create top level public folder” for “Everyone”. This prevents any arbitrary user from any arbitrary company creating any arbitrary TLF at the top level.
Then, we will create a top level folder (I like calling mine “Hosting Public Folders”).
Next, we change the security of that TLF. On the Properties -> Permissions tab, I change “Default” and “Anonymous” to only allow “Folder Visible”. I remove all other groups except for “Domain Admins”, who retain “Full Control.” (Note: this leaves three items in the list: Default, Anonymous, and Domain Admins - and for some reason, the Permission Level displayed is “None” instead of “Special”.)
Now, for each company I create a Public Folder under Hosting Public Folders. Personally, I use the company name, since I don't think that is confidential information. However, if you have clients that find that unacceptable, you can name them arbitrarily (just to complicate your life). For each client's public folder, on the Properties -> Permissions tab, I set “Default” and “Anonymous” to “None”. I leave “Domain Admins” at “Full Control” and finally set the “Allusers@domain.com” group to “Publishing Editor”. There are four items in the list: Default, Anonymous, Allusers@domain.com, and Domain Admins. If other groups are present, I remove them.
There are two downsides to this:
a) All the PF trees are displayed (that is, each company that has a PF is displayed under Hosting Public Folders), and
b) A user in a company has to click-down in Outlook to get to their PF tree. But, with Outlook 2003, this can be added to “Favorites”, so even that isn't a big deal.
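To see why the TLF gets “Folder Visible” while each client folder gets “None” for Default and Anonymous, here is a small model of the permission design above, written as an added example (not code from the article). It encodes the Outlook permission levels the article uses, resolves effective rights the way public folder client permissions do (explicit user entry, else union of group entries, else Default), and audits the tree for a folder that breaks the pattern. The folder names and the Allusers@... groups are constructed.

```python
# Added example: model of the hosted public-folder ACL design, with an audit
# that flags client folders breaking the isolation pattern from the article.

# Rights granted by each Outlook permission level the article uses.
ROLES = {
    "None": set(),
    "Folder Visible": {"visible"},
    "Publishing Editor": {"visible", "read", "create", "create_subfolders", "edit_all", "delete_all"},
    "Full Control": {"visible", "read", "create", "create_subfolders", "edit_all", "delete_all", "owner"},
}
TLF = "Hosting Public Folders"
ADMIN_ENTRIES = {"Default", "Anonymous", "Domain Admins"}

# Constructed hierarchy: the TLF, one correctly configured client folder, and
# one where Default was mistakenly left at "Publishing Editor".
FOLDERS = {
    TLF: {"Default": "Folder Visible", "Anonymous": "Folder Visible",
          "Domain Admins": "Full Control"},
    TLF + "/Acme": {"Default": "None", "Anonymous": "None",
                    "Domain Admins": "Full Control",
                    "Allusers@acme.example": "Publishing Editor"},
    TLF + "/Initech": {"Default": "Publishing Editor", "Anonymous": "None",
                       "Domain Admins": "Full Control",
                       "Allusers@initech.example": "Publishing Editor"},
}

def effective_rights(acl, user, groups):
    """Public-folder resolution: an explicit user entry wins; otherwise the union
    of the entries for the user's groups; otherwise the Default entry applies."""
    if user in acl:
        return set(ROLES[acl[user]])
    from_groups = [ROLES[acl[g]] for g in groups if g in acl]
    if from_groups:
        return set().union(*from_groups)
    return set(ROLES[acl.get("Default", "None")])

def audit(folders):
    """Flag client folders where Default or Anonymous grants any right, or
    where an entry other than the admins and a single Allusers@ group exists."""
    findings = []
    for path, acl in folders.items():
        if path == TLF:
            continue
        for who in ("Default", "Anonymous"):
            if ROLES[acl.get(who, "None")]:
                findings.append(f"{path}: {who} is {acl[who]}, expected None")
        extra = sorted(set(acl) - ADMIN_ENTRIES)
        if len(extra) != 1 or not extra[0].startswith("Allusers@"):
            findings.append(f"{path}: unexpected entries {extra}")
    return findings
```

Running the audit over the constructed tree reports only the Initech folder, and a Globex user resolves to “visible” on the TLF but to nothing on the Acme folder.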
So how do you map the public directory for OWA? Like this:
ISM is Internet Services Manager. I presume Windows 2000 Server here. The directions are similar for Windows Server 2003.
ISM -> <servername> -> mail.domain.com
Right-click on mail.domain.com and select “New -> Virtual Directory”.
Click “Next” to get past the wizard introductory dialog.
Enter “public” as the alias, and then click “Next”.
For Exchange 2000, browse to the public folder via the M: drive:
M: -> BRNETS.COM -> PUBLIC FOLDERS -> Hosting Public Folders -> Client
For Exchange 2003, browse to the public folder via:
\\.\BackOfficeStorage\brnets.com\Public Folders\Hosting Public Folders\Client
Click “Next” again.
You may receive an “Access Denied” permission error. That is perfectly OK.
The domain name referenced above is the default SMTP address (i.e., the one in bold) in the Default Recipient Policy. Using brnets.com will not work on your Exchange server. :-)
Is there an easier way to do this? Sure. Write a script or use IIS 6's export to file and import to file. Both are items for future posts.
Is any of this documented? I really don't know. As I was building my systems, I didn't note any KB articles for this part...but it's all pretty straightforward and uses separately documented features.