Also you can add yourself to Account Operators as that ACE is up there as well. My recommendation I sent to MS on this was that if they had to maintain that hacked way of doing this they should at least allow you to specify what security principals get placed in the list to see the members.
 
The good way of course to do this is to put groups that need hidden membership into a special protected OU, then you don't have a dorked up ACL that you have no idea how various ACL / Role management tools and scripts will handle (the answer is unless they are aware of how to handle it, they will probably unscrew the ACL up and make the membership visible) and you can specify who can see the group membership be it a non-admin/non-account op owner or everyone in the group for cases where the people in the group should see the membership but no one else should.
 
I recall when I figured out what they were doing. I took a long lunch that day and spent it chewing out my MCS friends. They didn't even believe me when I told them. Shortly after that I learned how poorly DSACCESS/DSPROXY worked in a multidomain environment and promptly stopped worrying about the hidden membership hack.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, July 21, 2004 11:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Empty Group Lists

Sounds like groups with hidden group-memberships, where the Exchange store process kindly "screws-up" the ACLs of the groups for you => Exchange puts the ACEs in a non-canonical order, which basically allows an Allow ACE (for the Exchange Enterprise Server group) to be listed before the Deny Read ACE for Everyone.  You can add your own Admin account to the Exchange Enterprise Server group to get around that problem.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Diel,Nick (Work)
Sent: Tuesday, July 20, 2004 7:25 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Empty Group Lists

I am new to this list and have a problem hopefully someone can help me out with.  In several of my groups (both security and distribution, all universal) the Members section is blank.  There are still members in them, but I just can’t see the members.  The distribution and security groups still work and what not.  The list is blank on both DCs (one is an Exchange server), also blank on my local MMC (have AdminPak), and blank when looking at the groups through Outlook.  These groups are roughly my largest groups (some will have 50+, while others not as many).

 

Any help would be great,

Nick
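
Added example, not part of the thread and not code from any participant or from Microsoft: a small Python model of in-order ACE evaluation, showing why an Allow ACE stored ahead of the Deny Read ACE for Everyone wins, and a check that flags the non-canonical order. The single READ bit, the "Domain Admins" token group and the two sample DACLs are constructed assumptions.

```python
from dataclasses import dataclass

READ = 0x1  # simplified single "read membership" right (assumption for this sketch)

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # group name the ACE applies to
    mask: int
    inherited: bool = False

def access_check(dacl, token_groups, desired):
    """Walk ACEs in stored order, the way the Windows access check does."""
    granted = 0
    for ace in dacl:
        if ace.trustee not in token_groups:
            continue
        if ace.kind == "deny" and ace.mask & desired & ~granted:
            return False              # a still-needed bit is denied
        if ace.kind == "allow":
            granted |= ace.mask & desired
            if granted == desired:
                return True           # fully granted before any deny was reached
    return False                      # not every requested bit was granted

def is_canonical(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    rank = [(ace.inherited, ace.kind == "allow") for ace in dacl]
    return rank == sorted(rank)

# Constructed sample DACLs modelled on the thread's description.
HIDDEN = [Ace("allow", "Exchange Enterprise Servers", READ),
          Ace("deny", "Everyone", READ)]
REORDERED = sorted(HIDDEN, key=lambda a: (a.inherited, a.kind == "allow"))

ADMIN = {"Everyone", "Domain Admins"}                   # constructed token
ADMIN_IN_EXCH = ADMIN | {"Exchange Enterprise Servers"}

if __name__ == "__main__":
    for name, dacl in (("hidden", HIDDEN), ("reordered", REORDERED)):
        print(name, "canonical:", is_canonical(dacl),
              "admin:", access_check(dacl, ADMIN, READ),
              "admin+exch:", access_check(dacl, ADMIN_IN_EXCH, READ))
```

The same two ACEs give opposite results depending only on their order, which is why any tool or script that rewrites the DACL in a different order changes who can read the membership.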
