4. Controlling the root
After one or more public folder mailboxes have been created, but before you
create some public folders, explore how to control the public folder
root. Exchange 2013 follows the same naming convention as previous
versions, meaning that the root of the hierarchy is \. Thus, a folder
named \Projects is at the top level of the hierarchy, whereas a folder
named \Projects\Training is the Training folder under the Projects
top-level folder. This is referred to as the full folder path.
You can create as many top-level folders as you like, but experience
demonstrates that it is wise to restrict folder creation to as small a
number of people as possible by editing permissions for the root.
Companies that ease the rules around public folder creation usually end
up with a proliferation of folders, many of which are used and quickly
discarded, contributing to a situation in which users literally can’t
find the information they need.
Users who are members of the Public Folder Management or Organization
Management role group can manage public folders through EAC or EMS.
This includes the ability to set public folder permissions and create
folders. Most users will work with public folders through a client such
as Outlook. The permissions granted through EAC or EMS determine which
public folder management tasks a user can perform through Outlook. To
restrict top-level folder creation, open Public Folders and click the
ellipsis (… [More]) to expose the option to work with Root Permissions
(Figure 3).
When you edit the properties of the public folder root, you edit an object
called the IPM_SUBTREE. This is the same name used in older public
folders; it means the hierarchy of user-visible public folders. To
assign a user sufficient permission to create top-level public folders,
you browse through the Global Address List (GAL), select the user, and
then assign her one of the predefined roles or create a custom role
containing the desired set of permissions needed for the user to work
with the folder (Figure 4).
You can assign permissions to individual users or to mail-enabled
security groups but not to normal distribution groups because these
objects cannot hold Windows security principals.
Owner is an all-powerful role and should be restricted to people who manage
the entire hierarchy; the Publishing Editor role is sufficient to
create folders. If you assign this role to people for the root folder,
they can create top-level public folders.
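To review who can currently create top-level folders, the following added example (not from the original text) filters root permission entries for any role or custom right that allows subfolder creation. The function name, the PF-Creators group, and the sample entries are hypothetical and constructed for illustration; the commented lines show the equivalent EMS calls against a live organization.

```powershell
# Predefined roles that include the CreateSubfolders right. Held on the
# root, any of them lets the holder create top-level public folders.
$CreatorRoles = 'Owner', 'PublishingEditor', 'PublishingAuthor'

function Get-RootFolderCreator {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Entry,
        # Principals that are expected to hold creation rights (assumed allow-list).
        [string[]]$Approved = @()
    )
    process {
        # Normalize the rights to strings so roles and custom rights compare alike.
        $rights = @($Entry.AccessRights | ForEach-Object { "$_" })
        $canCreate = @($rights | Where-Object {
            $CreatorRoles -contains $_ -or $_ -eq 'CreateSubfolders'
        }).Count -gt 0
        if ($canCreate) {
            [pscustomobject]@{
                User     = "$($Entry.User)"
                Rights   = $rights -join ','
                Approved = $Approved -contains "$($Entry.User)"
            }
        }
    }
}

# Constructed sample entries with the User and AccessRights properties
# that Get-PublicFolderClientPermission returns.
$sample = @(
    [pscustomobject]@{ User = 'Default';      AccessRights = @('Author') }
    [pscustomobject]@{ User = 'Anonymous';    AccessRights = @('None') }
    [pscustomobject]@{ User = 'PF-Creators';  AccessRights = @('PublishingEditor') }
    [pscustomobject]@{ User = 'Kim Akers';    AccessRights = @('Owner') }
    [pscustomobject]@{ User = 'Temp Project'; AccessRights = @('ReadItems', 'CreateSubfolders', 'FolderVisible') }
)
$sample | Get-RootFolderCreator -Approved 'PF-Creators' | Format-Table -AutoSize

# Against a live organization, from EMS (the root is addressed as \):
#   Get-PublicFolderClientPermission -Identity '\' |
#       Get-RootFolderCreator -Approved 'PF-Creators'
# Granting Publishing Editor on the root to a mail-enabled security group
# (PF-Creators is a hypothetical group name):
#   Add-PublicFolderClientPermission -Identity '\' -User 'PF-Creators' -AccessRights PublishingEditor
```

Entries reported with Approved set to False are the ones to review; a custom role that includes CreateSubfolders is flagged the same way as the predefined roles.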
Note the Apply Changes To This Public Folder And Its Subfolders check box that can be seen to the far left of Figure 4.
If selected, the permissions applied to the level of the hierarchy in
which you are working will be applied to folders at lower levels. In
this case, you are working with the root at the top level of the
hierarchy, and the permissions that are assigned here will apply to
every folder in the hierarchy, including folders that are created in
the future. You probably will want to assign control over different
parts of the folder hierarchy to different users. To maintain maximum
control, assign permissions as the folder hierarchy is built out by
creating new folders under the root.