Setting Default Permissions for Exchange Resources

December, 2008. The subject is migrating proxies from Meeting Maker. Among our clients in December were two sites each with 1000 users, about 100 of which were resources. One had 90,000 proxy objects, the other had 5,000.

Why the 1:18 ratio on what were otherwise similar data sets?

The one with 90,000 proxy objects in Meeting Maker wanted to give everybody in Outlook Delegate access to each resource. In round figures 100 resources times 900 people gives you 90,000 Delegates.

So we were looking at using our usual method for setting Delegates (which would take a long time).

But it's actually simpler than that.

Meeting Maker does not have a default level for giving EVERYONE access to a resource.

BUT Outlook DOES!

And PFDAVAdmin makes it easy to propagate these permissions centrally (so long as you have an Exchange Admin who's willing). In this case it's criminal not to use it.

You can set up an import file as we've documented before, using

\Everyone Reviewer

to provide read-only access.

Or (quoting liberally from the documentation for PFDAVAdmin),

The Set Calendar Permissions option enables you to perform a bulk edit specifically to change permissions of the Calendar folder so that a single operation can modify the settings of thousands of users on a server. This is useful for changing the default permissions setting of the Calendar folder of all or many users, so that team members can view other member's calendars. Using Microsoft Office Outlook® enables changing only one user at a time, so the Set Calendar Permissions option is a good solution for this kind of task. In addition to changing the permissions of the Calendar folder, by using this option, a bulk-change also occurs on the permissions of the FreeBusy Data folder (hidden folder) of all the users on a server. If the FreeBusy Data folder permissions were not changed, the users will not be able to access another user's calendar.

I was going to start taking screen shots of how to do this exactly, when I said to myself, "Self, someone must have already done this."

And so they had. Thank Amit Tank whose FAQ: Give Calendar Read Permission on all Mailboxes - PFDavAdmin admirably takes you through this.

For international users, Set calendar permissions with PFDAVADMIN goes over how to filter for translated "Calendar" folders.

Migrating Oracle Calendar Permissions to Exchange Part 2 DIY

So you want to migrate from OCS to Exchange and you can handle your own data migration (i.e., you don't want live meetings or recreated recurrence patterns) but you still want to migrate permissions.

We'll tell you how you can accomplish that using free off-the-shelf tools from Oracle and Microsoft.

The process proceeds in two phases:

1. EXTRACT the permissions data from Oracle


2. INSERT the permissions into Exchange

You may need to modify your user names between the first and second step, but if you're handling your own data migration this should not be too difficult. You're also going to have to write your own script to convert the output from the Extract phase to the input for the Insert phase. Since we get these requests from universities and they have lots of undergraduate computer talent that programs in between beer blasts we don't think this will be too difficult.

Extracting permissions data from Oracle Calendar Server

This is done using the OCS tool UNIACCESSRIGHTS. See the Oracle Calendar Reference Manual for your full set of options.

Let's take the example of John Lennon giving permissions to Jerry Garcia.

Running UNIACCESSRIGHTS to get the Designate data for Lennon is simple:

uniaccessrights -ls -grantor "S=Lennon/G=Johnny" -grantee "S=*" -n 1 -p PASSWORD

This results in the following output (which you can redirect to a text file), split here for clarity:

Grantee: S=Garcia/G=Jerry/UID=Jerry.Garcia/ID=256/NODE-ID=1 Designate Right: CONFIDENTIALEVENT=REPLY /CONFIDENTIALTASK=NONE /NORMALEVENT=MODIFY /NORMALTASK=NONE /PERSONALEVENT=VIEWTIME /PERSONALTASK=MODIFY /PUBLICEVENT=MODIFY /PUBLICTASK=MODIFY

The connections between the OCS User Interface and the output are pretty clear.

You have now successfully extracted the data. Part 1 is complete.

Inserting permissions data into Exchange

This is done using PFDAVAdmin, whose formal name is the Exchange Public Folder DAV-based Administration Tool. You should check out our earlier postings on PFDAVAdmin. First let's say that on Exchange in Active Directory we already have a John Lennon who has created the same Calendar permissions for his co-worker Jerry Garcia. What would those look like in Exchange saved with PFDAVAdmin?

So glad you asked. Running our friend PFDAVAdmin and looking at John Lennon,


we first EXPORT his permissions to see what our end goal is:

Pick the easiest format to read,

We get a LOT of data for folders. I invite you to look at your own output.

However, we can comfortably reduce it to the data we need for Calendars and Tasks:

SETACL Mailboxes\john.lennon\Freebusy Data SUMATRA\jerry.garcia Editor NO SETACL Mailboxes\john.lennon\TopofInformationStore\Calendar SUMATRA\jerry.garcia Editor NO SETACL Mailboxes\john.lennon\TopofInformationStore\Tasks SUMATRA\jerry.garcia Reviewer NO

Your step is to turn your UNIACCESSRIGHTS export into a file of this format that you can IMPORT into PFDAVADMIN to set the ACLs for Exchange. This is not very hard.

Of course it's in our test domain so everything is "SUMATRA," and "TopofInformationStore" should be "Top of Information Store" (but it breaks oddly in Blogger). You might also want to set the INBOX and OUTBOX permissions if you want them to respond to meeting requests for you.

NOTE: Be careful making any modifications to this file – it is very important that it be tab-delimited.

But you get the idea and there is enough information here for you to fly on your own now should you so choose.

Note the key things about this:

• With your own scripting the cost to you is zero for additional tools
• It puts the permissions part of the migration entirely within your hands

PFDAVAdmin and Calendar Delegate Permissions

Update on August 28, 2011: I noticed the popularity of this posting has risen A LOT lately.  If you are in Exchnage 2010, ignore this and read our more recent post Exchange 2010 Calendar Permissions Using PowerShell.


In every generation a utility comes along which can address some of nastier sturm und drang of the harried calendar administrator trying to set up Delegate permissions. In ours it is PFDAVAdmin.

Now those of you who have been faithful followers of the vagaries of migrating Proxy or Designate information into Exchange/Outlook Delegate information will be a little surprised by what comes next: this method looks like it works, it looks like it works for both Exchange 2003 and 2007, and it looks like it takes way less time than any of our previous methods. AND it's all built around the off-the-shelf PFDAVAdmin.

So Step 1. is to Install PFDAVAdmin

It comes with its own documentation but there are also some good online examples and debugging:

http://www.msexchange.org/articles/PFDavAdmin-tool-Part2.html

http://technet.microsoft.com/en-us/library/bb508858(EXCHG.65).aspx

http://mostlyexchange.blogspot.com/2008/01/pfdavadmin-exchange-2007-and-v11-net.html

To run this in Exchange 2003 do not forget to use a service account with appropriate permissions:
http://support.microsoft.com/default.aspx?scid=kb;en-us;821897

For Exchange 2007 your usual migration service account should suffice.

Step 2.) Run the appropriate Database Query (from Sumatra) to generate an output text file. If you are already in the middle of testing your database migration you can ask us to take you through the query. Your output file will look like this:

# ************************************************************************ # Created for PFDAVAdmin 2.8 # Friday, August 29, 2008 3:47:25 PM # ************************************************************************ # # This export format is only usable with PFDAVAdmin 2.0 and later. # # ************************************************************************ SETACL Mailboxes\riuliano\Freebusy Data VM\zyg Reviewer NT AUTHORITY\ANONYMOUS LOGON None NO SETACL Mailboxes\riuliano\Top of Information Store\Calendar VM\zyg Reviewer NT AUTHORITY\ANONYMOUS LOGON None NO SETACL Mailboxes\zyg\Freebusy Data VM\riuliano Reviewer NT AUTHORITY\ANONYMOUS LOGON None NO SETACL Mailboxes\zyg\Top of Information Store\Calendar VM\riuliano Reviewer NT AUTHORITY\ANONYMOUS LOGON None NO

Here riuliano makes zyg on domain VM his Reviewer (which corresponds to a Read-Only Proxy) and vice-versa. International users may have to modify this to translate "Calendar" as appropriate (i.e., Calendario, Calendrier, Kalender, Calendário). I do not know if PFDAVAdmin will work with 2-byte character sets.

Step 3
Open PFDAVADMIN. Connect to your Exchange server (you will need adequate Permissions to do this). Select Tools-Import and point to the output file above.

Step 4
PFDAVAdmin will set up all appropriate permissions to share calendars as per your Meeting Maker options.

The log file for PFDAVAdmin will contain any problems (which in our experience with this have usually involved permissions).