The "Allow Create Top Level Public Folder" Access Control Entry for the Exchange Organization container unexpectedly includes the Everyone and the Anonymous Logon groups (822576)

The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition, when used with:
    • Microsoft Exchange 2000 Server

SYMPTOMS

In your Exchange Server 2003 organization, the Allow create top level public folder access control entry (ACE) for the Exchange Organization container may unexpectedly include the Everyone group or the Anonymous Logon group.

Note The Anonymous Logon security principal will only exist if the Active Directory directory service has been prepared for Microsoft Windows Server 2003. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

278259 Everyone group does not include anonymous security identifier

CAUSE

This problem occurs in an organization in which Exchange 2000 Server computers are installed after the organization has been prepared for Exchange Server 2003. When you run the Exchange Server 2003 ForestPrep utility, the Everyone security principal and the Anonymous Logon security principal are configured not to have the Allow create top level public folder ACE on the Exchange Organization container. But when you then install an Exchange 2000 server, Exchange 2000 Setup adds the Everyone ACE back to the Organization container, because Exchange 2000 Setup resets certain permissions on the organization as part of normal setup.

For additional information about this issue in Exchange 2000 Server Setup, click the following article number to view the article in the Microsoft Knowledge Base:

320007 Permissions that are modified manually are reset to the default values

WORKAROUND

To work around this problem, use either of the following methods:
  • Rerun the Exchange Server 2003 ForestPrep utility from any server in the forest.

    -or-
  • Manually remove the Create Top Level Public Folder allow permission that is associated with the Everyone ACE or with the Anonymous Logon ACE from the Organization container.

To manually remove the Create Top Level Public Folder allow permission from the Organization container for the Everyone ACE or the Anonymous Logon ACE, follow these steps:
  1. Start Registry Editor.
  2. Locate the following key in the registry:

    HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin

  3. On the Edit menu, click Add Value, and then add the following registry value:

    Value Name: ShowSecurityPage
    Data Type: REG_DWORD
    Value: 1

  4. Quit Registry Editor.
  5. Start Exchange System Manager by using an account that has Exchange Full Administrator privileges at the organization context.
  6. Right-click the Organization, and then click Properties.
  7. Click the Security tab.
  8. Click the Everyone permission.
  9. In the Permissions For box, locate Create Top Level Public Folder, and then click to clear the Allow check box.
  10. If Active Directory has been prepared for Windows Server 2003, repeat steps 8 and 9 for ANONYMOUS LOGON.
  11. Click OK to apply the permission change.

Notes
  • Reinstalling Exchange Server 2003, or adding another Exchange Server 2003 computer to the organization, does not remove the Everyone ACE. That removal is performed only by Exchange Server 2003 ForestPrep.
  • After you complete this workaround, if you add another Exchange 2000 server to your organization, Exchange 2000 Setup will add the Everyone ACE back to the Organization container. Therefore, you must repeat the method that you used in the "Workaround" section.
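Because the Everyone ACE comes back every time an Exchange 2000 server is added, it helps to have a read-only check that reports whether the Organization container currently grants this right to Everyone or ANONYMOUS LOGON. The following PowerShell audit script is an added example, not part of this article; it assumes a domain-joined Windows host, an account that can read the Configuration partition, that the organization object has objectClass msExchOrganizationContainer, and that the extended right is published under CN=Extended-Rights with displayName "Create top level public folder".

```powershell
# Added audit script, not part of the KB article. Assumptions: run on a
# domain-joined Windows host as an account that can read the Configuration
# partition; the Exchange organization object has objectClass
# msExchOrganizationContainer; the extended right is published under
# CN=Extended-Rights with displayName "Create top level public folder".
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext

# Resolve the rightsGuid from AD instead of hard-coding it.
$erSearch = New-Object System.DirectoryServices.DirectorySearcher
$erSearch.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
$erSearch.Filter = "(&(objectClass=controlAccessRight)(displayName=Create top level public folder))"
$er = $erSearch.FindOne()
if (-not $er) { throw "Create top level public folder extended right not found under $configNc" }
$createTopLevelGuid = [Guid]$er.Properties['rightsguid'][0]

# Locate the Exchange organization container (the object whose Security tab the steps above edit).
$orgSearch = New-Object System.DirectoryServices.DirectorySearcher
$orgSearch.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNc"
$orgSearch.Filter = "(objectClass=msExchOrganizationContainer)"
$orgSearch.SearchScope = 'OneLevel'
$orgResult = $orgSearch.FindOne()
if (-not $orgResult) { throw "No Exchange organization container found under $configNc" }
$org = $orgResult.GetDirectoryEntry()

# Well-known SIDs of the two principals the article says should not hold this right.
$suspect = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'ANONYMOUS LOGON' }
$extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$findings = foreach ($ace in $org.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
    if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
    if (-not $suspect.ContainsKey($ace.IdentityReference.Value)) { continue }
    if (([int]$ace.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }
    # An empty ObjectType means "all extended rights", which includes this one.
    if ($ace.ObjectType -ne $createTopLevelGuid -and $ace.ObjectType -ne [Guid]::Empty) { continue }
    [pscustomobject]@{
        Principal  = $suspect[$ace.IdentityReference.Value]
        Inherited  = $ace.IsInherited
        ObjectType = $ace.ObjectType
    }
}

if ($findings) {
    Write-Warning "Organization '$($org.Name)' grants Create Top Level Public Folder to:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No Allow ACE for Create Top Level Public Folder held by Everyone or ANONYMOUS LOGON on '$($org.Name)'."
}
```

The script only reads the security descriptor; if it reports a finding, remove the permission with one of the methods in the "Workaround" section and run it again to confirm. In a forest that has not been prepared for Windows Server 2003, no ANONYMOUS LOGON entry will appear, which matches the note above.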

STATUS

Microsoft has confirmed that this is a problem in Exchange 2000 Server setup.

Modification Type: Minor
Last Reviewed: 11/10/2005
Keywords: kbtshoot kbBug KB822576 kbAudITPRO