How to add group permissions to Public Folders in Exchange 2010?



We recently migrated our current domain with Exchange 2003 to a new domain name with Exchange 2010. Since it was a cross forest migration, I exported all of the Public Folders to PST and them imported them into the Exchagne 2010 server as new folders. All seemed well until I went to go fix up the permissions on the folders. I have noticed a few things I am unable to do via the " Permissions" tab in Outlook 2007/2010 as well as using the ExFolders tool.

1) I cannot add Groups to a Public Folder using ExFolders.

2) I cannot add Groups to a Public Folder using the Permissions tab when you right click a folder and goto Properties.

In Exchange 2003 we were able to add the " Everyone" group to many of your Public Folders that were open to all for viewing. When I try to add the Everyone group using ExFolders in Exchange 2010 I get an error stating:

" An error occurred. Exception: SecurityPrincipal must at least have a valid index string. Parameter name: securityPrincipal"

I then went to the Exchange 2010 Technet manual to see if there was a cmdlet that would let me add a group, but I can only find an option to add a User with the " Add-PublicFolderClientPermission" cmdlet. There does not seem to be a " -Group" option or " Add-PublicFolderGroupPermission" cmdlet.

When I try to add a group using Outlook 2007, I can see " some" of the Groups we have defined in AD, but they are either greyed out or have a red circle with a strikethrough on them. I am trying to do all of this using an account with Organizational Management rights as well as PublicFolder Management rights.

I don't know if Public Folders no longer have the ability to add groups to the permissions or if I am just missing something horribly simple. Hopefully there is a work around as putting permissions in for each user in each Public Folder would be time consuming to do and administer. Any and all help is most appreciated.

Rajkumar System Admin

Hi USR667

you can use the following command to give access to a group on public folde. you can specify -user and pass a Group Nam. I tried this in my test Environment

>>Add-PublicFolderClientPermission -Identity \careers -AccessRights publishingeditor -user HR_managers<<


-HR_Managers are Universal Distribution Group

-\Careers => specifies the Public folder under Default Public Folder




Thank you so much. You have gotten me one step further, but I seem have run into another problem.

I was able to add a Group to a Public Folder using your powershell command once I had fixed the Group as being visable in the Exchange 2010 ESM as well as making the group a universal distribution group instead of a security group.

Now I can see the Group at the top level of a public folder in ExFolders, but when I go to propogate the folder permissions I get an error in the log file that says:

" Public Folders\Test Public Folder\Sub Folder Test 1 Merge permissions failed with exception: Cannot use TestGroup as security principal Parameter name: securityPrincipal"

The name of the root Public Folder is " Test Public Folder" and the subfolder is " Sub Folder Test 1" . The group I am trying to propogate is " TestGroup" . I was digging around in ADSI thinking this was a parameter I could try defining , but was I unable to find anything.

Any and all help is most appreciated.


&ldquo;In Microsoft Exchange, only Active Directory objects that have security principals can be used to grant permission to a public folder or to a mailbox folder. However, it's possible for a Microsoft Outlook user to use a universal distribution group to grant permission to a public folder or to a mailbox folder. In this case, the universal distribution group is automatically converted to a universal security group by the Microsoft Exchange Information Store service. This is the default behavior in Exchange Server 2010 and Exchange Server 2007&rdquo;

----------Refer to <Stop Automatic Conversion of Universal Distribution Groups to Universal Security Groups>

Please add a universal security group instead of a universal distribution group, and then see if the issue still persists

James Luo




I created a new group (TestPubFolder) and made it a Universal Distribution Group instead of a Universal Security Group. I added the Group using the powershell command since I could not see the new group using the Browse function in ExFolders:

Add-PublicFolderClientPermission -Identity " \Test Public Folder" -AccessRights reviewer -user TestPubFolder

Once I added the group via the Powershell cmdlet I was able to see the Group permissions in ExFolders. However I still get the same error when I try to propogate the permissions to the fodlers underneath " \Test Public Folder"

" Public Folders\Test Public Folder\Sub Folder Test 1 Merge permissions failed with exception: Cannot use TestPubFolder as security principal
Parameter name: securityPrincipal"

Let me know if you want me to try anything else.



What"s the result if you use the universal security group?

James Luo



I have this problem when using ExFolders to propagate permissions with both Universal Security Groups as well as Universal Distribution Groups. It gives me the same

I was really hoping to find a way to propgate the " Everyone" group to most of these folders, but I am starting to think that is a pipe dream.


I was able to get around most of this using the .\AddUsersToPFRecursive.ps1 script that ships with E14. This will work when ExFodlers will not except for the " Everyone" group.