How to add group permissions to Public Folders in Exchange 2010?

usr667

We recently migrated our current domain with Exchange 2003 to a new domain name with Exchange 2010. Since it was a cross-forest migration, I exported all of the Public Folders to PST and then imported them into the Exchange 2010 server as new folders. All seemed well until I went to go fix up the permissions on the folders. I have noticed a few things I am unable to do via the "Permissions" tab in Outlook 2007/2010 as well as using the ExFolders tool.

1) I cannot add Groups to a Public Folder using ExFolders.

2) I cannot add Groups to a Public Folder using the Permissions tab when you right-click a folder and go to Properties.

In Exchange 2003 we were able to add the "Everyone" group to many of your Public Folders that were open to all for viewing. When I try to add the Everyone group using ExFolders in Exchange 2010 I get an error stating:

"An error occurred. Exception: SecurityPrincipal must at least have a valid index string. Parameter name: securityPrincipal"

I then went to the Exchange 2010 TechNet manual to see if there was a cmdlet that would let me add a group, but I can only find an option to add a User with the "Add-PublicFolderClientPermission" cmdlet. There does not seem to be a "-Group" option or "Add-PublicFolderGroupPermission" cmdlet.

When I try to add a group using Outlook 2007, I can see "some" of the Groups we have defined in AD, but they are either greyed out or have a red circle with a strikethrough on them. I am trying to do all of this using an account with Organizational Management rights as well as PublicFolder Management rights.

I don't know if Public Folders no longer have the ability to add groups to the permissions or if I am just missing something horribly simple. Hopefully there is a workaround, as putting permissions in for each user in each Public Folder would be time-consuming to do and administer. Any and all help is most appreciated.
 
Rajkumar System Admin

Hi USR667,

You can use the following command to give access to a group on a public folder. You can specify -user and pass a group name. I tried this in my test environment.

>>Add-PublicFolderClientPermission -Identity \careers -AccessRights publishingeditor -user HR_managers<<

where

-HR_Managers is a Universal Distribution Group

-\Careers => specifies the Public folder under Default Public Folder

Rajkumar
 
usr667

Rajkumar,

Thank you so much. You have gotten me one step further, but I seem to have run into another problem.

I was able to add a Group to a Public Folder using your PowerShell command once I had fixed the Group as being visible in the Exchange 2010 ESM as well as making the group a universal distribution group instead of a security group.

Now I can see the Group at the top level of a public folder in ExFolders, but when I go to propagate the folder permissions I get an error in the log file that says:

"Public Folders\Test Public Folder\Sub Folder Test 1 Merge permissions failed with exception: Cannot use TestGroup as security principal Parameter name: securityPrincipal"

The name of the root Public Folder is "Test Public Folder" and the subfolder is "Sub Folder Test 1". The group I am trying to propagate is "TestGroup". I was digging around in ADSI thinking this was a parameter I could try defining, but I was unable to find anything.

Any and all help is most appreciated.
 
James-Luo

"In Microsoft Exchange, only Active Directory objects that have security principals can be used to grant permission to a public folder or to a mailbox folder. However, it's possible for a Microsoft Outlook user to use a universal distribution group to grant permission to a public folder or to a mailbox folder. In this case, the universal distribution group is automatically converted to a universal security group by the Microsoft Exchange Information Store service. This is the default behavior in Exchange Server 2010 and Exchange Server 2007."

----------Refer to <Stop Automatic Conversion of Universal Distribution Groups to Universal Security Groups>

Please add a universal security group instead of a universal distribution group, and then see if the issue still persists.

James Luo

 
usr667

James,

I created a new group (TestPubFolder) and made it a Universal Distribution Group instead of a Universal Security Group. I added the Group using the PowerShell command since I could not see the new group using the Browse function in ExFolders:

Add-PublicFolderClientPermission -Identity "\Test Public Folder" -AccessRights reviewer -user TestPubFolder

Once I added the group via the PowerShell cmdlet I was able to see the Group permissions in ExFolders. However, I still get the same error when I try to propagate the permissions to the folders underneath "\Test Public Folder":

"Public Folders\Test Public Folder\Sub Folder Test 1 Merge permissions failed with exception: Cannot use TestPubFolder as security principal
Parameter name: securityPrincipal"

Let me know if you want me to try anything else.

-Rob
 
James-Luo

What's the result if you use the universal security group?

James Luo

 
usr667

I have this problem when using ExFolders to propagate permissions with both Universal Security Groups as well as Universal Distribution Groups. It gives me the same

I was really hoping to find a way to propagate the "Everyone" group to most of these folders, but I am starting to think that is a pipe dream.
 
usr667

I was able to get around most of this using the .\AddUsersToPFRecursive.ps1 script that ships with E14. This will work when ExFolders will not, except for the "Everyone" group.
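
A recursive group grant of the kind discussed in this thread, as an added example that is not part of any post above and is not the AddUsersToPFRecursive.ps1 script itself. It uses the Exchange Management Shell cmdlets Get-Group, Get-PublicFolder, Add-PublicFolderClientPermission and Get-PublicFolderClientPermission; the folder path, group name and access right are the thread's test values used as placeholders, and the report path is hypothetical.

```powershell
# Added example: run in the Exchange Management Shell with Public Folder Management rights.
# Placeholder values borrowed from the thread's test names; replace with your own.
$Root   = '\Test Public Folder'
$Group  = 'TestGroup'
$Rights = 'Reviewer'
$Report = '.\pf-acl-after.csv'   # hypothetical output path for the audit export

# 1. Record what kind of group this is before granting anything.
#    The thread's errors ("Cannot use ... as security principal") depend on this.
$g = Get-Group -Identity $Group -ErrorAction Stop
"{0}: RecipientTypeDetails={1}, GroupType={2}" -f $g.Name, $g.RecipientTypeDetails, $g.GroupType

# 2. Enumerate the root folder and every subfolder beneath it.
$folders = @(Get-PublicFolder -Identity $Root -Recurse -ResultSize Unlimited)
"Folders in scope: {0}" -f $folders.Count

# 3. Grant the right folder by folder, recording failures instead of stopping,
#    so one bad folder does not leave the tree half-permissioned without a trace.
$failed = @()
foreach ($f in $folders) {
    try {
        Add-PublicFolderClientPermission -Identity $f.Identity `
            -User $Group -AccessRights $Rights -ErrorAction Stop | Out-Null
    }
    catch {
        # An entry that already exists for the group also lands here.
        $failed += New-Object PSObject -Property @{
            Folder = $f.Identity.ToString()
            Error  = $_.Exception.Message
        }
    }
}

# 4. Audit: export the resulting ACL of every folder in scope so the grant
#    can be reviewed (and unexpected broad entries spotted) after the change.
$folders |
    ForEach-Object { Get-PublicFolderClientPermission -Identity $_.Identity } |
    Select-Object Identity, User, @{ n = 'AccessRights'; e = { $_.AccessRights -join ',' } } |
    Export-Csv -Path $Report -NoTypeInformation

"Failures: {0}" -f $failed.Count
$failed | Format-Table Folder, Error -AutoSize -Wrap
```

Add-PublicFolderClientPermission also accepts -WhatIf, which is worth using for a first pass over a large tree.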
 