How to retain folder permissions after restoring/migrating public folders with CodeTwo software
You want to restore/migrate public folders to another Exchange environment by using CodeTwo Backup or CodeTwo migration software. At the same time, you want to keep the same folder permissions as configured on your source environment in order to restrict access to some of the folders to a specific group of users.
By default, each user in Office 365 or on-premises Exchange is assigned the Author permission level (role) to the top-level folder in the public folders tree. This role enables users to view that folder and gives them other privileges (see Fig. 1. for more details). And since permissions are inherited by child folders, users have the same permissions assigned to each newly created subfolder.
The same happens when you restore or migrate public folders by using CodeTwo software – our programs only recreate the contents of the public folders, not the folder permissions themselves. This means the default permissions are applied to each folder created by CodeTwo backup or migration software. And if the default permission level is Author, all users in your organization will have access to the restored/migrated public folders data.
If you need to keep some of the public folders hidden from certain users or you want to assign specific folder permissions to selected users before or after the recovery/migration of the public folders data, below are a couple of solutions you could try:
- Change the permissions for the top-level public folder
- Prepare an empty folder structure for public folders and assign appropriate permissions
- Disable access to public folders from Outlook clients
Depending on your scenario, you can either:
- Change permissions for public folders in the Exchange admin center – this method is recommended if the number of users for whom you need to set certain folder permissions is rather small.
- Change the default public folder permissions via PowerShell – this solution allows you to set folder permissions for all users in your organization.
1. In the Exchange admin center, go to Public folders > Public folders (Fig. 2., Item 1) in the navigation menu on the left.
2. On the Public folders screen, select your top-level folder (Fig. 2., Item 2). If there is more than one, you need to repeat steps 2-9 for each top-level folder.
3. In the details pane on the right, click Manage under Folder permissions (Fig. 2., Item 3).
4. In the Public Folder Permissions window, click the Add (+) button (Fig. 3.).
5. Click Browse, select the user for whom you want to change the folder permission settings, and click OK (Fig. 4.).
6. You can now either:
   - use the drop-down menu to select a predefined role which has specific access rights assigned, or
   - use the checkboxes to choose access rights you want to assign to the selected user (Fig. 5.).
   You need to select at least one access right. If you don’t want a particular user to be able to view any public folders at all, make sure the Folder visible checkbox is cleared and select another checkbox instead, e.g. Edit own, which is probably the safest option.
7. Click Save.
8. Repeat steps 4-7 to assign folder permissions to other users.
9. Click Save to apply your changes.
The Apply changes to this public folder and all its subfolders option
The use of this checkbox (Fig. 6.) is optional. If you haven’t restored/migrated any public folders data yet, you don’t have to use it, as permissions to subfolders will be automatically inherited from the top-level folder. And even if you have already restored/migrated that data, once you make the top-level folder hidden for specific users, they will not be able to access lower-level folders either (unless they have already added particular folders to Favorites).
You can now proceed with the restore or migration job.
This solution involves using PowerShell and the Add-PublicFolderClientPermission cmdlet to hide the recovered/migrated public folders from all users or to limit users’ access to them. If you’re not sure how to connect to your Exchange server (including Exchange Online) via PowerShell, this article might help you out.
You can check the current default permission settings of your top-level folder with the following cmdlet:
Get-PublicFolderClientPermission -Identity "\<public folder name>"
You have backed up public folders from your Office 365 tenant, and now you want to restore that data to another tenant. However, some of the folders contain sensitive data that can only be viewed by selected users.
You can change the default permissions to the top-level folder, e.g. Public Folders, prior to running the restore job, so that none of the users in the target Office 365 tenant will access the contents of that folder (or see the folder itself). To do so, you first need to remove the current default access rights to that folder by using this cmdlet:
Remove-PublicFolderClientPermission -Identity "\Public Folders" -User Default
Now, add a new default permission.
- If you want all folders to be visible but inaccessible to all users, use the following cmdlet:
Add-PublicFolderClientPermission -Identity "\Public Folders" -User Default -AccessRights None
- If you don’t want any user to see the public folder tree itself, use the cmdlet below:
Add-PublicFolderClientPermission -Identity "\Public Folders" -User Default -AccessRights EditOwnedItems
Keep in mind that the None role, like every other predefined role, includes the FolderVisible access right. So, to make the public folders invisible to your users, you need to assign the Default user an access right other than FolderVisible. The example above uses EditOwnedItems as the -AccessRights value, as it is probably the safest one, but you can also use other access rights. It is not possible to create the default permission without assigning any access rights at all.
The list of all AccessRights parameters and roles is available on this Microsoft page.
After the public folders data has been restored to the new Office 365 tenant, you can use the same cmdlet to assign default permissions to selected folders and users:
- use the -Identity parameter to point to a particular folder (e.g. -Identity "\Public Folders\Management\Personal data")
- use the -User parameter to point to a specific user (e.g. -User AdeleV).
You can also use the Exchange admin center to assign permissions to public folders for individual users.
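Because restored folders take the default permission of their parent, it is worth confirming after the restore job that no folder was left with a wider Default entry than intended. The script below is an added example, not CodeTwo code: it assumes a connected Exchange (Online) PowerShell session, the "\Public Folders" top-level folder and EditOwnedItems default from the scenario above, and a hypothetical report file name.

```powershell
# Added example: audit the Default permission entry on every public folder
# under the top-level folder after a restore/migration job.
# Assumptions: "\Public Folders" is the top-level folder (as in the scenario
# above) and EditOwnedItems is the Default right you set before the restore.
$TopLevelFolder = '\Public Folders'
$ExpectedRights = 'EditOwnedItems'          # use 'None' if folders should stay visible
$ReportPath     = '.\pf-default-audit.csv'  # hypothetical output file

$results = Get-PublicFolder -Identity $TopLevelFolder -Recurse -ResultSize Unlimited |
    ForEach-Object {
        $path = $_.Identity.ToString()

        # Ask only for the Default entry; a folder without one returns nothing.
        $perm = Get-PublicFolderClientPermission -Identity $path -User Default `
                    -ErrorAction SilentlyContinue

        $rights = if ($perm) {
            # AccessRights is a collection; normalise it to one comparable string.
            ($perm.AccessRights | ForEach-Object { "$_" } | Sort-Object) -join ','
        } else {
            '(no Default entry)'
        }

        [pscustomobject]@{
            Folder        = $path
            DefaultRights = $rights
            AsExpected    = ($rights -eq $ExpectedRights)
        }
    }

# Folders whose Default entry differs from what was intended.
$unexpected = $results | Where-Object { -not $_.AsExpected }

"{0} folder(s) checked, {1} with an unexpected Default permission." -f `
    @($results).Count, @($unexpected).Count

$unexpected | Sort-Object Folder | Format-Table Folder, DefaultRights -AutoSize

# Keep the full result as a record of the post-restore state.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
```

Any folder listed in the table still exposes a different Default permission (for example Author) and can be corrected with Remove-PublicFolderClientPermission and Add-PublicFolderClientPermission as shown earlier.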
As mentioned in this section, CodeTwo software restores/migrates only the contents of public folders, not the permissions assigned to these folders. This also means that if the same folder structure already exists on the target server, with specific folder permissions configured, these permissions will not be changed in any way once the restore/migration job is finished.
With that in mind, you can first recreate an entire (empty) folder structure on your target environment and assign appropriate access rights to selected users. Once that’s completed, you can run the recovery/migration job.
Refer to this section of the article to learn how to change the public folders permissions in Exchange admin center.
This solution applies only to Office 365 organizations. In addition, if your users have access to their emails via Outlook on the web (OWA), the steps described below will not prevent them from viewing public folders through their web browsers (or other email clients). If so, use one of the other solutions instead.
You can disable the access to public folders via Outlook for all users by using the following cmdlet:
Set-OrganizationConfig -PublicFolderShowClientControl $true
Once -PublicFolderShowClientControl is set to $true, the only way to allow any user to see public folders in Outlook is to use the cmdlet below:
Set-CASMailbox "<user>" -PublicFolderClientAccess $true
where <user> is the name or email address of the user.
If you want to allow access to public folders in Outlook once you have configured the permissions to specific folders according to your needs (e.g. in Exchange admin center, as described above), use the following cmdlet:
Set-OrganizationConfig -PublicFolderShowClientControl $false