The client permissions of a public folder show a different owner than you expect in Exchange 2000 and Exchange 2003

After a user creates a public folder, when you use Exchange System Manager or Microsoft Outlook to view the client permissions of the folder, the user appears as the owner of the public folder.

If you select the public folder in Exchange System Manager, click Properties, click the Permissions tab, and then click Client Permissions, you expect to find that the user is the owner of the public folder. However, you obtain the Microsoft Windows NT security descriptor for the owner instead of the MAPI permissions. The Windows NT security descriptor indicates that the Builtin\Administrators group is the owner of the object. If the server that is running Microsoft Exchange is a domain controller, the security descriptor indicates that the Domain\Administrators group is the owner of the object. Therefore, the Windows NT security descriptor appears to be incorrect.

The Windows NT security descriptor is designed to work in this way. On the Client Permissions tab, Owner is actually a set of rights. The owner in the Windows NT security descriptor is the name of the user who owns the object. If the user is a member of the Administrators group, the whole group is considered to be the owner of the object.

Using the Windows NT security descriptor to modify permissions on a public folder is the same as modifying the permissions through drive M. This practice is strongly discouraged because after you modify permissions in this manner, you cannot set client permissions for public folders by using Exchange System Manager or Outlook.

For additional information and a complete explanation of access control lists (ACL) on public folders in Microsoft Exchange 2000, click the following article number to view the article in the Microsoft Knowledge Base:

Note By default, drive M does not exist in Microsoft Exchange Server 2003. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

Modifying the Windows NT security descriptor on permissions for Exchange 2000 public folders is the same as modifying the permissions by using Windows Explorer on drive M. For additional information about the problems that may occur when you modify the Windows NT Security Descriptor and how to resolve those problems, click the following article numbers to view the articles in the Microsoft Knowledge Base: