At some point you will probably want to modify the permissions on the mailbox and/or public folder stores on your Exchange server. You may have several reasons why you want to do this, but the most probable of them is that you want to tighten security for your server.
It's generally a good rule for security's sake that if someone doesn't need to access something, then don't allow that person the access despite what other security clearances he or she might have. For example, just because someone has read/write/modify file access on some file servers, and is therefore a trustworthy person, does not mean that the same person should have modify permissions on the mailbox stores or the public folder stores on your Exchange server.
As you audit your permissions, you may find some need modification. If that's the case, you should tune up your permission scheme, but keep one caveat in mind: Make sure you maintain the minimum permissions necessary for the proper operation of the server. That may sound obvious, but if you're going to make sure that you have the minimum permissions in place, then you have to know what those permissions are.
Microsoft has come to the rescue in this case by detailing the minimum permissions that you must have in place for proper operation of the stores. Here they are, from a How-to paper posted on the Microsoft site:
- Administrators group: Full Control
- Authenticated Users group: Read and Execute, List Folder Contents, and Read
- Creator Owner: None
- Server Operators group: Modify, Read and Execute, List Folder Contents, Read, and Write
- System account: Full Control
If you don't have these permissions in effect, you could see a number of different error messages, such as, "An internal processing error has occurred. Try restarting the Exchange System Manager…"
You need to make sure that all of the listed permissions stay in effect. But just on the off chance that you don't, you can always add the permissions back that you deleted inadvertently. When you are adjusting permissions, keep the list of minimum required permissions in mind so that you will not delete, or modify, those necessary for proper operation of the Exchange server. You can run into similar problems if you have turned off inheriting permissions from parents to specified objects. To add the permissions back, right click on the public folder MAPI tree, and select properties. Under the security tab, make the appropriate settings.
David Gabel has been testing and writing about computers for more than 25 years.
Do you have a useful Exchange tip to share? Submit it to our monthly tip contest and you could win a prize and a spot in our Hall of Fame.