Exchange in resource forest and public folder access problems
I spent the better part of yesterday and today working on a problem with a new customer. The customer runs Exchange 2003 in a resource forest. The resource forest has a trust relationship with the accounts forest. The original consultant who set up the Exchange organization configured Outlook so that the user must enter their user name and password; they then instructed the users to log on to Exchange using their resource forest credentials.
I know, I know, brain dead design. But, I'm the one FIXING it.
The user logging on each time they accessed Outlook was a major pain point for the user community.
I helped configure a few accounts with additional Mailbox Rights. We assigned the user's account from the accounts forest the "Read Permissions", "Full Mailbox Access", and "Associated External Account" permissions. The user could immediately open their mailbox without being challenged for credentials! Hoorah!
The problem came for users that were explicitly delegated permissions to a public folder (such as the folder's Owners, Publishing Editors, Publishing Authors, etc.). If a group was assigned the permissions, the access was fine. I tried disabling the account in the resource forest (per the Planning for a Complex Exchange Organization paper), but that was not effective.
Finally, after burning another 4 hours, a PSS incident, and explaining the concept of resource forests and folder permissions versus directory rights to the first-line PSS guy, he managed to get someone who could answer the question.
Not only do you have to disable the account in the resource forest, but you have to re-assign the public folder permissions for the mailbox so that the SID that is used for the public folder belongs to the account specified in the Associated External Account permissions. First disable, then re-assign individual permissions.
This should be a KB article.