Thursday, September 04, 2008

PFDAVAdmin and Calendar Delegate Permissions

Update on August 28, 2011: I noticed the popularity of this posting has risen A LOT lately.  If you are in Exchnage 2010, ignore this and read our more recent post Exchange 2010 Calendar Permissions Using PowerShell.


In every generation a utility comes along which can address some of nastier sturm und drang of the harried calendar administrator trying to set up Delegate permissions. In ours it is PFDAVAdmin.

Now those of you who have been faithful followers of the vagaries of migrating Proxy or Designate information into Exchange/Outlook Delegate information will be a little surprised by what comes next: this method looks like it works, it looks like it works for both Exchange 2003 and 2007, and it looks like it takes way less time than any of our previous methods. AND it's all built around the off-the-shelf PFDAVAdmin.

So Step 1. is to Install PFDAVAdmin

It comes with its own documentation but there are also some good online examples and debugging:

http://www.msexchange.org/articles/PFDavAdmin-tool-Part2.html

http://technet.microsoft.com/en-us/library/bb508858(EXCHG.65).aspx

http://mostlyexchange.blogspot.com/2008/01/pfdavadmin-exchange-2007-and-v11-net.html

To run this in Exchange 2003 do not forget to use a service account with appropriate permissions:
http://support.microsoft.com/default.aspx?scid=kb;en-us;821897

For Exchange 2007 your usual migration service account should suffice.

Step 2.) Run the appropriate Database Query (from Sumatra) to generate an output text file. If you are already in the middle of testing your database migration you can ask us to take you through the query. Your output file will look like this:


# ************************************************************************
# Created for PFDAVAdmin 2.8
# Friday, August 29, 2008 3:47:25 PM
# ************************************************************************
#
# This export format is only usable with PFDAVAdmin 2.0 and later.
#
# ************************************************************************
SETACL Mailboxes\riuliano\Freebusy Data VM\zyg Reviewer NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\riuliano\Top of Information Store\Calendar VM\zyg Reviewer NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\zyg\Freebusy Data VM\riuliano Reviewer NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\zyg\Top of Information Store\Calendar VM\riuliano Reviewer NT AUTHORITY\ANONYMOUS LOGON None NO




Here riuliano makes zyg on domain VM his Reviewer (which corresponds to a Read-Only Proxy) and vice-versa. International users may have to modify this to translate "Calendar" as appropriate (i.e., Calendario, Calendrier, Kalender, Calendário). I do not know if PFDAVAdmin will work with 2-byte character sets.

Step 3
Open PFDAVADMIN. Connect to your Exchange server (you will need adequate Permissions to do this). Select Tools-Import and point to the output file above.

Step 4
PFDAVAdmin will set up all appropriate permissions to share calendars as per your Meeting Maker options.

The log file for PFDAVAdmin will contain any problems (which in our experience with this have usually involved permissions).

2 comments:

Anonymous said...

You can also manage calendar permissions as well as other public folders like inbox, contacts permissions with a new version of scriptlogic's security explorer for exchange.

zyg said...

Interesting suggestion. Can you tell everyone how they would feed a list of pre-existing permissions in a legacy calendar system INTO your application to set the same permission on Exchange? That's the realistic scenario we're talking here. For a recent 200 user migration there were 2900 proxy settings -- or about 10 delegates for each individual.