
Tuesday, November 4, 2003

The PFDavAdmin Tool

Boy, I wish we had this back when I was with the big S. 

If you've ever had anyone who's mucked with permissions in the M: drive, you'll know that the repercussions can be serious. The most common problem is that someone modifies public folder permissions via the M: drive, which changes the order of the permissions from MAPI canonical to NTFS canonical. The result is that if you then try to add someone to the public folder's permissions list via Exchange System Manager, you get the classic "Invalid windows handle ID no: 80040102" error, as documented in MSKB 313333.

In MSKB 313333, you are advised to use PFINFO.EXE to resolve the problem. Well, there's another tool on offer to resolve such problems - PFDavAdmin. This is a fantastic tool which I had to use recently on a customer site, after I couldn't add any permissions to the Organizational Forms library. I've managed to get Microsoft to upload the PFDavAdmin tool to their PSS site. The tool can be found here. However, you should note that this utility is not supported, and that you use it entirely at your own risk.

If you download the tool, you'll find a Word document attached that nicely explains the features of PFDavAdmin. PFDavAdmin must be run on a computer that has the .NET Framework 1.1 installed, running Windows 2000, Windows XP, or Windows 2003. That computer must also be a member of the forest in which the target Exchange 2000 server resides. The user running the tool must be logged into Windows as an Exchange Administrator.

This utility lets you do several things:

• Modify folder permissions on folders in the MAPI tree using an interface similar to ESM
• Propagate the addition/replacement or removal of one or more ACEs down the public folder tree without overwriting the entire ACL
• Fix non-canonical and otherwise damaged DACLs on folders in bulk
• Report the DACL state of folders in bulk
• Export and Import folder permissions on both public folders and mailboxes
• Export and Import replica lists
• Propagate changes to the replica list down the tree without overwriting
• Check for and remove item-level permissions in bulk
• Check for event registrations
• Exceed limits imposed by the ESM GUI for values on the Limits tab

This tool accesses the store via WebDAV, so you will notice that bulk operations are quite slow and will take a long time to complete against thousands of folders when running against Exchange 2000. If you use this tool against Exchange 2003, it is much faster. Be sure to check out the Known Issues section of the document before using it.

The screenshot below shows PFDavAdmin looking at the permissions on the Organizational Forms library folder. In the top-right corner, you'll see the DACL state listed as Good. This is what you can expect to see once the utility has done its magic, assuming of course that you had problems with the folder in the first place. Of course, the utility can work against normal public folders and mailboxes too.

[Screenshot: PFDavAdmin Utility]

Be sure to check this tool out, as it will make a very good addition to your toolkit. Treat it with the respect it deserves, though.


[MS Exchange Blog]

2 comments:

  1. I have read that the PFDavAdmin Tool will help in determining (getting a report) of who has permissions to someone else's Outlook 2000 folders (inbox, sent items, etc.). We have a site that inadvertently gave all the secretaries rights to their bosses' folders without the boss knowing. Now the secretaries are gone but they still have the rights because we don't know who everyone is. We want a list so we can change the permissions. Can this tool help?

  2. Hi. Thanks for your comment. Sorry, when I say gone I mean from that department; they are still with the company.

    Also, can you use this tool if we are using Exchange 5.5 (Service Pack 4), or only with Exchange 2000... Thanks
