I would like to be able to assign permissions to Exchange 2007 public folders using groups. Preferably these groups would be dynamic (which necessitates them being exchange groups as opposed to AD), but AD groups would do if that is the only way.When I try to add any groups to the permissions of a public folder, I receive the following error message:One or more users cannot be added to the folder access list. Non-local users cannot be given rights on this serverAll Domain Users are included in the local user group on the server.The only groups that even appear on the <add> permissions list are distribution groups from the global address book. The only AD option I see is <Users> which does not include the AD security groups. If I "mail-enable" a universal security group, it will appear in the list, but it still throws the same error as above.I find it hard to believe that there would not be group functionality for user permissions on these folders as that is pretty much SOP when setting permissions.I do not see ANY option for assigning PF permissions through the PF tool in the Exchange Management Console. And, Unfortunately, I am still unable to run PFDAVADmin (http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/70d20960-5295-4573-91ef-a475cdadbe37/) so I am hoping that is not the only solution to this issue.Maybe I am just missing something that is evident? Can anyone help?Thanks,Andi

Have you found this article?http://support.microsoft.com/kb/941318

That does seem to be on target, but like I said, when I go to <Add> in the permissions tab of the PF, AD security groups are not an option. To get around this, I tried using a mail enabled AD Security Group (because that does show as an Add option), but, that produces the same error message ??????Any other thoughts?Thanks,Andi

Here is an article I found that might point you in the right direction, I tried replicating your issue but i was able to add a mail enabled sec. group to my 2003 exchange without any errors. I used the ESM and just added the group like you would a user.http://www.pro-exchange.eu/modules.php?$1&name=News&file=article&sid=886

The issue is happen to all public folders with all clients, right? Whether it’s a pure exchange 2007 environment, or migrated one? Please verify that the recipient type of the account that you used to perform the action isn’t “Shared Mailbox” Get-Mailbox AliasOfUser | fl *recipienttype* Please use EMS to grant the permission with “Add-PublicFolderClientPermission”, see if there’s any error output or event Configuring Public Folder PermissionsJames Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact tngfb@microsoft.com

The recipient type of the group account I tried to add is not "Shared Mailbox". The groups I would really like to use are AD security groups and these have no mailbox associated with them at all. The other groups I tried to use are distribution lists. Neither worked. Both resulted as above. What I would like to do is add these permissions via the Outlook client the same way that I can with individual users. I was afraid folks were going to say that this required the management shell. While I have been a fan of command line utilities in the past (DOS whose syntax was logical to me), I am disappointed that in 2009, MS feels that this is an appropriate way to require one to manage one of their major products. The problem - syntax. I have yet to be able to easily format any command in this utility. I am willing to try, though I am still disappointed if this is the only answer. Will need a little help if you could/would: - My remote exchange tools for W7 (unlike the install I had on XP), does not seem to include the shell. Is there a separate download? -Can someone help me to format the command correctly? Thanks in advance, Andi

My Bad, the shell is indeed in my W7 Exchange tools installation. Could still use help with syntax though.Thanks,Andi

Please refer the example in this articleJames Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact tngfb@microsoft.com

Thanks! I will play with this next week.......HNYAndi

How's the issue now? HNY James Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact tngfb@microsoft.com

Haven't had a chance to get back to this yet. Will aim for tomorrow. In Exchange 2003 you could just do this via the outlook client. Seems a move backwards to remove that capability in 2007 and force reliance on a command line utility. Thought someone had also directed me to powergui and I would like to look at that as well. Am a little leary though, as I have been told that before my time here someone tried to run a third party piece and that it resulted in the Public Folders loosing all permission functionality which I was able to fix with help from this forum.http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/93932ebe-5a0b-4174-840b-abc637157eceWill post back. Thanks for the help!!!!Andi

Hi James,Thanks for your patience. Yes, this did work. However, I was hoping to assign the permissions to an MsExchDynamicDistributionList and this does not seem possible. Is that correct? Creating and managing departmental folders would be a lot more powerful with that ability.Also, I know that public folders are not going to be around forever, but do you know if there are any plans to allow group permissions to be assigned via the Outlook client as they could be in 2003?Thanks,Andi

On Mon, 11-Jan-10 19:06:51 GMT, VtAndi wrote:>Hi James,Thanks for your patience. Yes, this did work. However, I was hoping to assign the permissions to an MsExchDynamicDistributionList and this does not seem possible. Is that correct? Yes. Dynamic DLs aren't security principals -- and for goo reason! Canyou imagine having to do AD searches (possibly on un-indexedproperties) every time someone accessed a particular object? Yikes!>Creating and managing departmental folders would be a lot more powerful with that ability.Keeping a group updated with a script isn't that difficult. Runningthe script a couple of time a day would probably cover almost everysituation.>Also, I know that public folders are not going to be around forever, but do you know if there are any plans to allow group permissions to be assigned via the Outlook client as they could be in 2003?Thanks,Andi You can manage public folder permissions in Outlook 2007 just as youcan with 2003.---Rich MatheisenMCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Thanks for the feedback Rich, Actually, I meant I wanted to be able to manage the public folders in the Outlook client (whatever version) for Exchange 2007 as I could for Exchange 2003. If I remember correctly, it was not a problem to assign a group permissions to the folder right from the client. Sorry if I was not clear. I appreciate your point on the dynamic groups. Unfortunately my programming skills are not quite what they would need to be to manage groups with scripts, but we should be instituting a process soon that could make this more manageable. Best, Andi, MVP

On Tue, 12-Jan-10 11:13:23 GMT, VtAndi wrote:>Thanks for the feedback Rich, Actually, I meant I wanted to be able to manage the public folders in the Outlook client (whatever version) for Exchange 2007 as I could for Exchange 2003. If I remember correctly, it was not a problem to assign a group permissions to the folder right from the client. If it's a problem, I'd say it's probably a limitation of Outlook.Unless, of course, you're trying to use a group that's not a securityprincipal.---Rich MatheisenMCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Andi, Given the date of your post I'm hopeful you found a solution. I too just tried to add a new DL on a PF for permissions using OL2003 and received the same error. FIX: ADSIEdit, open group, find attribute msExchRecipientDisplayType (likely a 1) and clear the value (<Not Set>). Worked like a charm for me, I was able to immediately add the DL and set permissions on the PF using OL2003. Background: Exchange 2007 upgraded from 2003. I noticed that I was able to add the bulk of our DLs onto the PF for permissions, but the few newer DLs showed the red circle/slash. FYI, for the DL I used 2003 ADU&C to create a universal DL, then EMC07 to turn the existing group into a DL. Next back in ADU&C the newly mail-enabled group was converted again, this time to a global security group (still a DL of course). We are a single domain forest so no need to stick with universal groups, plus the bulk of our pre-existing DLs are the same global security. Anyway knowing that we have no issues with the bulk of our pre-existing DLs that are available for PF permissions, I did an attribute by attribute comparison and came up with changing msExchRecipientDisplayType from the existing vlaue of 1 and clearing it <Not Set>. Hope this helps you and others. Regards, Brian