The PFDavAdmin Tool

If you've ever had anyone who's mucked with permissions in the M: drive, you'll know that the repercussions can be serious. The most common thing seen is where someone modifies permissions to public folders via the M: drive, which changes the order of permissions from MAPI canonical to NTFS canonical. The result is that if you then try to add someone to the permissions list of the public folder via Exchange System Manager, you get the classic Invalid windows handle ID no: 80040102 error, as documented in MSKB 313333.

In MSKB 313333, you are advised to use PFINFO.EXE to resolve the problem. Well, there's another tool on offer to resolve such problems - PFDavAdmin. This is a fantastic tool which I had to use recently on a customer site, after I couldn't add any permissions to the Organizational Forms library. I've managed to get Microsoft to upload the PFDavAdmin tool to their PSS site. The tool can be found here. However, you should note that this utility is not supported, and that you use it entirely at your own risk.

If you download the tool, you'll find a Word document attached that nicely explains the features of PFDavAdmin. PFDavAdmin must be run on a computer that has the .NET Framework 1.1 installed, running Windows 2000, Windows XP, or Windows 2003. It must also be a member of the forest in which the target Exchange 2000 server resides. The user running the tool must be logged into Windows as an Exchange Administrator.

This utility lets you do several things:

• Modify folder permissions on folders in the MAPI tree using an interface similar to ESM
• Propagate the addition/replacement or removal of one or more ACEs down the public folder tree without overwriting the entire ACL
• Fix non-canonical and otherwise damaged DACLs on folders in bulk
• Report the DACL state of folders in bulk
• Export and Import folder permissions on both public folders and mailboxes
• Export and Import replica lists
• Propagate changes to the replica list down the tree without overwriting
• Check for and remove item-level permissions in bulk
• Check for event registrations
• Exceed limits imposed by the ESM GUI for values on the Limits tab

This tool accesses the store via webDAV, so you will notice that bulk operations are quite slow and will take a long time to complete against thousands of folders when running against Exchange 2000. If you use this tool against Exchange 2003, it is much faster. Be sure to check out the Known Issues section of the document before using it.

The screen shot below shows you PFDavAdmin looking at the permissions on the Organizational Forms library folder. In the top-right corner, you'll see the DACL state listed as Good. This is what you'll expect to see once the utility has done its magic, assuming of course that you had problems with the folder in the first place. Of course, the utility can work against normal public folders and mailboxes too.

PFDavAdmin Utility

Be sure to check this tool out, as it will make a very good addition to your toolkit. Treat it with the respect it deserves, though.

(Update - Kyle Lewallen from Microsoft PSS has also written about a real world situation where PFDavAdmin came in very handy - CM)

Account Deleted on October 30, 2003 at 12:50 AM in Useful Info
« NDRs & Attachments | Main | Listing Security Updates »

Comments

Can the PFDavAdmin tool be used for an Exchnage 5.5 server (windows 2000, service pack4)
Thanks..

Posted by: Ricci Horchar at Dec 16, 2003 12:29:53 PM

Exchange 200x only I believe.

Posted by: Neil Hobson at Dec 17, 2003 1:54:45 AM

Hi. Thanks for your comment. Sorry when I say gone I mean from that department, they are still with the company.

Also can you use the PFDavAdmin tool if we are using Exchange 5.5 (Service Pack 4) or only with Exchange 2000...Thanks

Posted by: Ricci Horchar at Dec 23, 2003 8:01:44 AM

MS seems to have locked down the location "ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/PFDavAdmin/" Do you know of another location.
Thanks
Vic Seeley

Posted by: Vic at Jan 8, 2004 1:03:45 PM

The link just worked for me, so it must be you. :-)

Posted by: Neil Hobson at Jan 8, 2004 11:57:42 PM

Ya mixed up some names there... Amanda Langowski, Kyle Lewallen =)

Posted by: KC Lemson at Feb 17, 2004 8:32:43 PM

Link isn't working over here either. They have either removed access, or only some ip's were allowed.

Posted by: alpha at Feb 20, 2004 6:14:33 AM

Does anyone know of an http download location? Microsoft's FTP site always gives me trouble at my workplace.

Posted by: JoltinJoe at Apr 23, 2004 7:38:16 AM

I have to say a huge thank you to the designer of this program. What an excellent tool! It resolved my annoying and seemingly unresolvable issue with Public Folders permissions, and it did so with ease. I am very impressed.

Thanks again!

Posted by: Jonathen Winterburn at Jun 15, 2004 1:17:52 AM

Send me an email ( at rb@123Together.com ) and I can email PFDavAdmin to you.

Robert

=> Exchange 2003 Hosting - $8.99/user/mo.
=> Exchange 2003 Dedicated Servers start at $499/mo.
=> Sell Exchange Hosting under your name & brand - $8.00/user/mo.

(800) 9-MS-EXCH
www.123Together.com
121 Middlesex Tpke., Ste. 201, Burlington, MA 01803

Posted by: Robert Baron at Jun 15, 2004 11:41:44 PM

Help, I used the tool to fix permissions on my Exchange server, and now my M drive is gone. When I try to manually mount the the drive from Exchange System Manager I get an error that says "an internal processing error has occurred" ID c10u1724 Exchange System Manager. Can anyone help me?

Posted by: kathy at Jul 1, 2004 3:18:46 PM

I always get the following error when connection to an Exchange server:

Exception: The remote server returned an error: (407) Proxy Authentication required

We´re using Exchange 2000, latest SP on windows 2000 Server.
I´mn trying to connect from an XP box, Outlook 2003 and .Net framework installed.
We´re using a corporate authenticating Proxy server for internet access, but my client´s IE is configured without Proxy server.

Any ideas?

Thanks,
Stephan

Posted by: Stephan at Jul 2, 2004 1:54:41 AM

ftp link for microsoft will work if -
1st: browse in ftp://ftp.microsoft.com/PSS/Tools/
2nd: go to Exchange Support Tools
3rd: go to PFDavAdmin

clicking this site directly will not work: ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/PFDavAdmin/

Just use the above procedure.

Posted by: Alvin at Jul 6, 2004 1:24:50 AM

I'm in need of using this tool - however, I don't believe I have .NET installed on my Exhange 2000 box. Is it necessary? I really just want to extract permissions to a file for a monthly report. Is there a better tool for extracting permissions (view only)for Public Folders?

Posted by: Katherine at Jul 27, 2004 8:59:08 AM

You dont need to have .NET on your server. You can use PFDavAdmin from your work station as long as it has .NET installed. The tool has a connect option that is required to point to the Exchange database you wish to read.

Posted by: Marty at Sep 30, 2004 10:41:53 AM

From the PFDavAdmin tools menu if I try to Export Permissions for all mailboxes on this server I only ever get the first 256 mailboxes.

Is this a bug or am I doing something wrong?

Thanks,

Brandon

Posted by: Brandon at Oct 1, 2004 8:49:33 AM

Can you help me with PFDavAdmin ?

I keep getting the following message:

The underlying connection was closed: Unable to connect to remote server.

I'm sitting on my exchange 2000 box, i'm using the correct enterprise admin
account and i've installed .NET 1.1 as requested.

This is a real pain as i think the tool will fix the problem but I can't get
it to see the server (although it does show the Public Folder & System Folder
top level tree but I can't see the actual public folders). I've also tried this from a workstation.

Any help would be greatly appreciated!

Regards
AH

Posted by: Andy at Oct 27, 2004 4:50:28 AM

Can this tool be used to remove duplicate public folders in Exchange 5.5?

Posted by: Kevin at Oct 27, 2004 2:39:37 PM

I have downloaded PFDavAdmin and initially I was impressed with the tool, but I have found that I am unable to export permissions for Top Level Public Folders! Is anyone else having the same problem? Does anyone know how to get round this?
I have successfully exported permissions for all Sub Folders, messed the permissions up and then imported the original permissions but need to be able to import the permissions for Top Level!

Any help would be greatly appreciated.

Thanks

Leighton

Posted by: Leighton at Nov 2, 2004 5:02:34 AM

Dig this tool. It worked quite well. I'm going to strangle whoever changed permissions on the M drive!

Posted by: novachild at Nov 12, 2004 12:54:10 PM