I was working with a customer last week who had just done an Exchange 2007 to Exchange 2010 migration. They said an issue they had in Exchange 2007 that had carried over into Exchange 2010 is that users were still able to create top-level public folders. They wanted to deny this privilege going forward. Now, Exchange 2010 is supposed to prevent this via RBAC permissions. And when doing my initial research, I found several forum posts stating that selecting “Deny” on the “Create Top-Level Public Folder” permission for “Everyone” on your Administrative Group in ADSIEDIT, would resolve the issue. However, for us that did not work.
After troubleshooting the issue more, I found the same process against the Public Folder Hierarchies object resolved our issue. Here’s how:
1.) Open ADSIEDIT.msc
2.) Navigate to Configuration > Services > Microsoft Exchange > (Your Exchange Org) > Administrative Groups > (Your Administrative Group) > Folder Hierarchies
3.) In “Folder Hierarchies” right click and open the Properties on the Public Folders Object
4.) Switch to the “Security” tab and highlight “Everyone”
5.) In the bottom pane, find “Create Public Folder” and check the “Deny” checkbox. (I know you see the “create top-level public folder”, but denying just the “Create Public Folder” did the trick. Their permissions should still be intact for creating subfolders)