Friday, August 18, 2006

Exchange in resource forest and public folder access problems

I spent the better part of yesterday and today working on a problem with a new customer. The customer runs Exchange 2003 in a resource forest. The resource forest has a trust relationship with the accounts forest. The original consultant that set up the Exchange organization configured Outlook so that the user must enter their user name and password; they then instructed the users to logon to Exchange using their resource forest credentials.

I know, I know, brain dead design. But, I'm the one FIXING it.

The user logging on each time they accessed Outlook was a major pain point for the user community.

I helped configure a few accounts with additional Mailbox Rights. We assigned the user's account from the accounts forest the "Read Permissions", "Full Mailbox Access", and "Associated External Account" permissions. The user could immediately open their mailbox without being challenged for credentials! Hoorah!

The problem came for users that were explicitly delegated permissions to a public folder (such as the folder's Owners, Publishing Editors, Publishing Author's, etc...). If a group was assigned the permissions, the access was fine. I tried disabling the account in the resouce forest (per Planning for a Complex Exchange Organization paper, but that was not effective.

Finally, after burning another 4 hours, a PSS incident and explaining the concept of resource forests and folder permissions versus directory rights to the first line PSS guy, he managed to get someone that could answer the question.

Not only do you have to disable the account in the resource forest, but you have to re-assign the public folder permissions for the mailbox so that SID that is used for the public folder belongs to the account specified in the Associated External Account permissions. First disable, then re-assign individual permissions.

This should be a KB article.

2 Comments:

At 3:01 AM, Blogger Hans-Werner said...

did the users have accounts only in one domain or in both domains?

 
At 1:27 PM, Anonymous Anonymous said...

When you work with a user account forest and a resource forest delegation will work if the following criteria are met.

1) There is an Enabled account in the user account forest.
2) There is a Disabled account in the resouce forest (this is the one with Exchange 2003).
3) The Enabled account has been granted full mailbox access and Associated External
4) Account right on Disabled account.
4) The delegate and mailbox owner mailboxes reside on the same server.

 

Post a Comment

<< Home