{"id":1126,"date":"2010-11-26T10:35:33","date_gmt":"2010-11-26T10:35:33","guid":{"rendered":"https:\/\/www.wapshere.com\/missmiis\/?p=1126"},"modified":"2010-11-26T10:35:33","modified_gmt":"2010-11-26T10:35:33","slug":"a-script-to-bulk-modify-permissions-on-public-folders","status":"publish","type":"post","link":"https:\/\/www.wapshere.com\/missmiis\/a-script-to-bulk-modify-permissions-on-public-folders","title":{"rendered":"A script to bulk-modify permissions on Public Folders"},"content":{"rendered":"<p>I&#8217;m still working on clearing up an enormous number of public folders prior to migration to Exchange 2010 (from 2007).<\/p>\n<p>The permissions structure was not well managed so I have been applying a set of standard groups (Read, Update and Change) to each PF, and at the same time removing any rights granted to Everyone and ANONYMOUS LOGON, and tidying up ACLs left over from deleted accounts.<br \/>\n<!--more--><\/p>\n<p>PF permissions are difficult to fix because they are applied directly to each group. When a PF is created it inherits the rights of its parent, but after that its ACL is individually managed. You can&#8217;t just change a permission at the top and expect it to filter down.<\/p>\n<p>Another thing to note about PF permissions is that they are cumulative and <strong>there is no deny<\/strong>.
The only way to prevent someone seeing a PF is to not give them any rights in the first place.<\/p>\n<p>The final point to note is that deleted accounts don&#8217;t seem to get cleared out of the ACL automatically, so by far the best practice is to use groups. Here I have previously created a set of permissions groups for each major folder tree, with their names denoted by the $pfgroupstub that is passed to the script.<\/p>\n<p>To run the script I call it like so (the double-quoting is needed if there are spaces in the folder names):<\/p>\n<p><code>.\/fix-pfacl.ps1 -pfroot \"'\/Top Folder\/sub-folder'\" -pfgroupstub 'PF_subfolder'<\/code><\/p>\n<p>This would have the effect of setting the permissions like this:<\/p>\n<table>\n<tbody>\n<tr>\n<td>\\Everyone<\/td>\n<td>None<\/td>\n<\/tr>\n<tr>\n<td>NT AUTHORITY\\ANONYMOUS LOGON<\/td>\n<td>None<\/td>\n<\/tr>\n<tr>\n<td>MYDOMAIN\\PF_subfolder_Read<\/td>\n<td>Reviewer<\/td>\n<\/tr>\n<tr>\n<td>MYDOMAIN\\PF_subfolder_Update<\/td>\n<td>Author<\/td>\n<\/tr>\n<tr>\n<td>MYDOMAIN\\PF_subfolder_Change<\/td>\n<td>Publishing Editor<\/td>\n<\/tr>\n<tr>\n<td>MYDOMAIN\\PF_ALL_Read<\/td>\n<td>Reviewer<\/td>\n<\/tr>\n<tr>\n<td>MYDOMAIN\\PF_ALL_Update<\/td>\n<td>Author<\/td>\n<\/tr>\n<tr>\n<td>MYDOMAIN\\PF_ALL_Change<\/td>\n<td>Publishing Editor<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Note: Any other explicit rights that were already applied will not be affected.<\/p>\n<h3>The Script<\/h3>\n<p><code><\/p>\n<pre>PARAM([string]$pfroot,[string]$pfgroupstub)\r\n\r\n# Exchange server that is queried and updated\r\n[string]$pfserver = 'MyServer'\r\n\r\n# Names of the three standard permission groups for this folder tree\r\n[string]$read_group = $pfgroupstub + '_Read'\r\n[string]$update_group = $pfgroupstub + '_Update'\r\n[string]$change_group = $pfgroupstub + '_Change'\r\n\r\n# Default for every folder; fixacl sets its own local copy to $true when a standard group is already on the ACL\r\n[boolean]$stdok = $false\r\n\r\nfunction fixacl([string]$pfname) {\r\n\r\n  $pfacl = get-publicfolderclientpermission -server $pfserver -identity $pfname\r\n\r\n  write-host $pfname\r\n\r\n  foreach ($acl in
$pfacl){\r\n    # Strip any rights granted to ANONYMOUS LOGON\r\n    if ($acl.User.IsAnonymous -eq $true -and $acl.AccessRights[0].Permission -ne 'None'){\r\n      remove-publicfolderclientpermission -server $pfserver -identity $pfname -user $acl.User -AccessRights $acl.AccessRights -Confirm:$false -erroraction silentlycontinue\r\n      write-host \"Removed ANONYMOUS\"\r\n    }\r\n    # Strip any rights granted to Everyone (the Default entry)\r\n    if ($acl.User.IsDefault -eq $true -and $acl.AccessRights[0].Permission -ne 'None'){\r\n      remove-publicfolderclientpermission -server $pfserver -identity $pfname -user $acl.User -AccessRights $acl.AccessRights -Confirm:$false -erroraction silentlycontinue\r\n      write-host \"Removed Everyone\"\r\n    }\r\n    # Remove entries left over from deleted accounts, which appear as unresolved SIDs\r\n    if (($acl.User.ExchangeAddressBookDisplayName -ne $null) -and ($acl.User.ExchangeAddressBookDisplayName.StartsWith('NT User:S-1-5'))){\r\n      remove-publicfolderclientpermission -server $pfserver -identity $pfname -user $acl.User -AccessRights $acl.AccessRights -Confirm:$false -erroraction silentlycontinue\r\n      write-host \"Removed deleted\"\r\n    }\r\n    # An entry whose name contains the group stub means the standard groups are already applied\r\n    if (($acl.User.ExchangeAddressBookDisplayName -ne $null) -and ($acl.User.ExchangeAddressBookDisplayName.Contains($pfgroupstub))){\r\n      $stdok = $true\r\n    }\r\n  }\r\n\r\n  if ($stdok -eq $false){\r\n    write-host \"Adding default
groups\"\r\n\r\n    # Groups specific to this folder tree\r\n    add-publicfolderclientpermission -server $pfserver -identity $pfname -user $read_group -AccessRights Reviewer -Confirm:$false -erroraction silentlycontinue\r\n    add-publicfolderclientpermission -server $pfserver -identity $pfname -user $update_group -AccessRights Author -Confirm:$false -erroraction silentlycontinue\r\n    add-publicfolderclientpermission -server $pfserver -identity $pfname -user $change_group -AccessRights PublishingEditor -Confirm:$false -erroraction silentlycontinue\r\n\r\n    # PF_ALL_* groups, added alongside the tree-specific ones\r\n    add-publicfolderclientpermission -server $pfserver -identity $pfname -user 'PF_ALL_Read' -AccessRights Reviewer -Confirm:$false -erroraction silentlycontinue\r\n    add-publicfolderclientpermission -server $pfserver -identity $pfname -user 'PF_ALL_Update' -AccessRights Author -Confirm:$false -erroraction silentlycontinue\r\n    add-publicfolderclientpermission -server $pfserver -identity $pfname -user 'PF_ALL_Change' -AccessRights PublishingEditor -Confirm:$false -erroraction silentlycontinue\r\n  }\r\n}\r\n\r\n# The command is built as a string so that the quoted -pfroot value is parsed as a single folder identity\r\n$getpfcmd = \"get-publicfolder -identity $pfroot -server $pfserver -Recurse -resultsize unlimited\"\r\n\r\n# Walk every folder under $pfroot and fix its ACL\r\ninvoke-expression $getpfcmd | foreach {\r\n    fixacl -pfname $_.Identity\r\n}\r\n<\/pre>\n<p><\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;m still working on clearing up an enormous number of public folders prior to migration to Exchange 2010 (from 2007).
The permissions structure was not well managed so I have been applying a set of standard groups (Read, Update and Change) to each PF, and at the same time removing any rights granted to Everyone&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":[]},"categories":[26,23],"tags":[],"class_list":["post-1126","post","type-post","status-publish","format-standard","hentry","category-exchange2007","category-powershell"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pkp1o-ia","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/1126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/comments?post=1126"}],"version-history":[{"count":6,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/1126\/revisions"}],"predecessor-version":[{"id":1132,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/1126\/revisions\/1132"}],"wp:attachment":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/media?parent=1126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/categories?post=1126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wapshere.com\/missm
iis\/wp-json\/wp\/v2\/tags?post=1126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}