Hi,
In an environment running Exchnage 2003 SP1
under Windows 2003 SP1...I've delegated WP (write property) on the member
attribute of a mail-enabled distribution list to a specific user. That
user is now able to modify the members of the group via ADUC (the change
does get applied), but a dialog pops up on the screen which reads as
follows:
Window
Title = Microsoft Active Directory - Exchange Extension
Window
Text = Access denied.
Facility: LDAP Provider
ID no: 80070005
Microsoft Active Directory - Exchange Extension
In
addition, the DC where this change is made logs the following event in the
security log:
Event
Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 5/19/2006
Time: 4:48:52 PM
User: DOMAIN\End.User
Computer: DomainController
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: group
Object Name: CN=DistributionList,OU=Exchange,DC=company,DC=com
Handle ID: -
Primary User Name: DomainController$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: End.User
Client Domain: DOMAIN
Client Logon ID: (0x0,0x7C51DB79)
Accesses: Write Property
Properties:
---
Public Information
proxyAddresses
group
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 5/19/2006
Time: 4:48:52 PM
User: DOMAIN\End.User
Computer: DomainController
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: group
Object Name: CN=DistributionList,OU=Exchange,DC=company,DC=com
Handle ID: -
Primary User Name: DomainController$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: End.User
Client Domain: DOMAIN
Client Logon ID: (0x0,0x7C51DB79)
Accesses: Write Property
Properties:
---
Public Information
proxyAddresses
group
Additional Info:
Additional Info2:
Access Mask: 0x20
Additional Info2:
Access Mask: 0x20
Would anyone know why
this operation is trying to modify the proxyAddresses attribute in the Public
Infomation property set? I was hoping to not have to grant WP on any other
attributes for this task. If I use the delegated account to modify the
member attribute of this group object
using a tool other than ADUC, it is successful without generating any error
messages.
I first posted this on the Exchange
list at Yahoo and received a good suggestion to check the backlink [memberOf
attribute] of the user object being modified to make sure that it listed this
group after a test modification. It does. So again, seems
everything works but still get the popup.
Thanks for your time,
DaveC
To find out more about Reuters visit www.about.reuters.com
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
