XADM: One User Appears Able to Post to a Public Folder as Another User (251819)

SUMMARY

Given the following conditions, it may appear that one user can post items to a public folder as another user.

UserA doesn't have Send As permissions for the mailbox UserB.
UserA has permission to post to the public folder called PF1.
UserA creates a new post, types UserB in the From field, and then posts the item successfully.
The From field of the posted item reads: "UserA on behalf of USERB."

NOTE: The public folder must also be configured so that a drag-and-drop posting is treated as a Move/Copy procedure.

MORE INFORMATION

This behavior is by design. The Microsoft Outlook 2000 Help describes the functionality of a Move/Copy procedure as:

...format[ing] a moved or copied item exactly as it appears in its original location. The person who originally posted the item remains the owner of the item, and the user who moved or copied the item to the folder is not indicated.

If you change the properties of the public folder so that a drag-and-drop posting is treated as a Forward, then UserA cannot successfully post an item to the folder if UserB is in the From field.

Note that even though the folder is configured so that a drag-and-drop posting is treated as a Move/Copy procedure, a user cannot maliciously post items to a folder. The From field still indicates who the true poster of the item is, unless the user has Send As permissions to the mailbox in the From field.

To change the drag-and-drop posting behavior in Outlook 2000, log on as a mailbox that has owner permissions on the folder:

Right-click the folder.
Click Properties.
Click the Administration tab.
Select the behavior that you want from the Drag/Drop posting is a list.