Nigel Boulton's Blog

Delegating and propagating Exchange folder permissions using PFDAVAdmin

Every so often the requirement comes up to be able to give a colleague access to a specific folder hierarchy within my Exchange mailbox. As you may know, this is not easy to do using Outlook - it's fine for one folder but if there are a number of nested subfolders, you have to assign permissions to each of these individually. Life's just too short for that..!

The answer to this is a tool provided by Microsoft - the Microsoft Exchange Server Public Folder DAV-based Administration Tool - "PFDAVAdmin" for short. This is a very powerful tool which should be a key component of any Exchange Admin's toolkit. It can be downloaded from PFDAVAdmin is compatible with Exchange 2000, 2003 and 2007 (for Exchange 2010 it has been replaced by ExFolders).

PFDAVAdmin isn't limited to working with Public Folders as its name suggests. It allows you - among many other things - to propagate Exchange folder Access Control Entries (ACEs) down through a tree, much like you can do with NTFS.

However, as I do this so infrequently the one thing I can never remember is the syntax to use to specify my mailbox location, and the included documentation doesn't help that much - hence this blog post!

Once you have PFDAVAdmin installed and up and running (it needs .NET Framework 1.1 by the way), click File - Connect, and provide the appropriate details:

PFDAVAdmin Connect dialog


The key thing here is what you need to type into the Connection field. For "Specified mailbox", this needs to be in the format http://<mail_server_name>/exadmin/<your_email_domain>/mbx/<email_address>/ - in the above example this is "http://mailserver/exadmin/EMAILDOMAIN.COM/mbx/[email protected]/". Alternatively (assuming you have the necessary rights) you can select the option to connect to All Mailboxes and locate the mailbox in question that way, but of course you might not want to do this in a large organisation with thousands of Exchange mailboxes.

Once you have successfully connected and have PFDAVAdmin's view of the mailbox in front of you, follow these steps:

1. Right-click the desired folder and select Folder permissions

2. Click Add

3. Enter the alias for the user you wish to delegate access to (you will notice that this builds a nice LDAP query as you type) and click Search, followed by OK once the user is found and selected

4. Select the user in the list

5. Select the desired permissions

6. Finally, click Commit changes

So far, we have only set permissions on the selected (parent) folder, so now we need to propagate these down to all subfolders:

7. Right-click the folder again and select Propagate folder ACEs

8. Select the ACE in question and click OK

...that's it! Obviously the usual caveats apply with regard to making sure you have a reliable up-to-date Exchange backup before attempting any of the above. Further information on PFDAVAdmin can be found at
