You cannot create a new public folder in Exchange 2000 Server, in Exchange Server 2003, or in Exchange Server 2007

Symptoms

You try to use Microsoft Outlook to create a public folder in Microsoft Exchange 2000 Server, in Microsoft Exchange Server 2003, or in Microsoft Exchange Server 2007. When you do this, you may receive one of the following error messages:
Unable to create the folder. You do not have sufficient permission to perform this operation on this object. See the folder contact or your system administrator.
Failed to commit the change on object because access is denied. See inner exception for more information.

MapiExceptionNoAccess: Unable to create folder. (hr=0x80070005, ec=-2147024891)
Additionally, an event that resembles the following event may be logged in the Application event log : Note In this event, server_name is the name of the server, ORGANIZATION is the name of the Exchange Server organization, and
administrative_group is the name of the administrative group.

The data section of this event contains the entry ID of the folder. If you right-click the folder in Exchange System Manager, the shortcut menu command to create public folders may not exist. You may also be prompted for Hypertext Transfer Protocol (HTTP) authentication when you try to expand the public folder tree in Exchange System Manager.

Cause

This issue may occur if the permissions of the following object are not correctly configured and differ from the permissions of the root public folder tree as viewed in Exchange System Manager:
CN=Public Folders,CN=Folder Hierarchies,CN=administrative_group,CN=Administrative Groups,CN=ORGANIZATION,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ORGANIZATION,DC=com
Note In this object, ORGANIZATION is the name of the Exchange Server organization and
administrative_group is the name of the administrative group.

The Everyone group is set with an explicit Deny for the Create public folder or Create top level public folder permissions.

Resolution

To resolve this issue, configure the permissions correctly. To do so, you have to use the ADSI Edit snap-in. To configure the permissions, follow these steps.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
  1. Start ADSI Edit. In the CN=Configuration container, locate the following container:
    CN=Services,CN=Microsoft Exchange,CN=ORGANIZATION,CN=Administrative Groups,CN=administrative_group,CN=Folder Hierarchies,CN=Public Folders
    Note In this container, ORGANIZATION is the name of the Exchange Server organization and
    administrative_group is the name of your administrative group.
  2. Right-click CN=Public Folders, and then click Properties.
  3. Click the Security tab.
  4. Make sure that the Allow inheritable permissions from parent to propagate to this object check box is selected.
  5. Make sure that the Everyone group has the following Allow permissions:
    • Create named properties in the information store
    • Create public folder
    • Create top level public folder
    If the Allow inheritable permissions from parent to propagate to this object check box is selected, the Everyone group should already have these permissions. Make sure that the Deny check boxes are not selected.

More Information

You can use Exchange System Manager to view and change the permissions to create public folders. Permissions that you modify in Exchange System Manager should contain the same permissions as the CN=Public Folders object in Active Directory. However, if permissions are modified externally, the permissions may be out of synchronization. Deny overrides all Allow permissions.
Properties

Article ID: 313866 - Last Review: Feb 14, 2008 - Revision: 1

Feedback