The Exchange GUIs (and many MSFT GUIs) are traditionally
bad with this kind of stuff. The GUIs will surprisingly often require more
permissions than you really need to do things because they aren't necessarily
doing the work correctly. On the flip side, MSFT likes to try and enforce
security in the GUIs at times too, like for instance Exchange and mailbox
enabling users (in order to mailbox enable a user in ADUC with the ESM addon you
need Exchange View; in reality, you don't need Exchange View), or like the old
User Manager, which wouldn't let non-admins see the Administrators group
membership, while every other tool did.
When you delegate, you usually want to step away from using
ADUC and ESM because you will end up giving out more rights than necessary just
to make the GUI work "normal".
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Monday, May 22, 2006 9:18 AM
To: [email protected]
Subject: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account
Hi,
In an environment running Exchange 2003 SP1
under Windows 2003 SP1, I've delegated WP (write property) on the member
attribute of a mail-enabled distribution list to a specific user. That
user is now able to modify the members of the group via ADUC (the change
does get applied), but a dialog pops up on the screen which reads as
follows:
Window Title = Microsoft Active Directory - Exchange Extension
Window Text = Access denied.
Facility: LDAP Provider
ID no: 80070005
Microsoft Active Directory - Exchange Extension
In addition, the DC where this change is made logs the following event in the
security log:
Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 5/19/2006
Time: 4:48:52 PM
User: DOMAIN\End.User
Computer: DomainController
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: group
Object Name: CN=DistributionList,OU=Exchange,DC=company,DC=com
Handle ID: -
Primary User Name: DomainController$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: End.User
Client Domain: DOMAIN
Client Logon ID: (0x0,0x7C51DB79)
Accesses: Write Property
Properties:
---
Public Information
proxyAddresses
group
Additional Info:
Additional Info2:
Access Mask: 0x20
Would anyone know why
this operation is trying to modify the proxyAddresses attribute in the Public
Information property set? I was hoping not to have to grant WP on any other
attributes for this task. If I use the delegated account to modify the
member attribute of this group object
using a tool other than ADUC, it is successful without generating any error
messages.
I first posted this on the Exchange
list at Yahoo and received a good suggestion to check the backlink (memberOf
attribute) of the user object being modified to make sure that it listed this
group after a test modification. It does. So again, it seems
everything works, but I still get the popup.
Thanks for your time,
DaveC
To find out more about Reuters visit www.about.reuters.com
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
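The Failure Audit 566 quoted in the thread can be checked mechanically against what was actually delegated. What follows is an added example (Python; not code from either poster): it parses a flattened 566 record like the one above, constructed here from the poster's placeholder values, and reports which attributes of the failed Write Property (access mask 0x20, the directory write-property right) fall outside the delegated set, here only member, which is how the extension's extra write to proxyAddresses in the Public Information property set shows up.

```python
import re
# Constructed sample: the Failure Audit 566 quoted in the thread, re-typed as one
# flat block (the poster's placeholder names, not a real domain).
SAMPLE_566 = """\
Event Type: Failure Audit
Event ID: 566
Object Type: group
Object Name: CN=DistributionList,OU=Exchange,DC=company,DC=com
Client User Name: End.User
Client Domain: DOMAIN
Accesses: Write Property
Properties:
---
Public Information
proxyAddresses
group
Additional Info:
Additional Info2:
Access Mask: 0x20
"""
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?):\s*(.*)$")

def parse_event_566(text):
    """Return the 'Key: value' fields of a flattened 566 record plus the names
    under Properties:, minus the '---' placeholder and the closing class line."""
    event = {"properties": []}
    in_props = False
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line == "Properties:":
            in_props = True
            continue
        if in_props and not line.startswith("Additional Info"):
            if line not in ("---", event.get("Object Type")):
                event["properties"].append(line)
            continue
        in_props = False
        m = FIELD_RE.match(line)
        if m:
            event[m.group(1)] = m.group(2)
    return event

def unexpected_writes(event, delegated_attrs):
    """Attributes the failed write touched that are outside the delegation. Property
    set names contain spaces ('Public Information'); attribute ldapDisplayNames never do."""
    if event.get("Event ID") != "566" or event.get("Accesses") != "Write Property":
        return []
    attrs = [p for p in event["properties"] if " " not in p]
    return sorted(a for a in attrs if a not in delegated_attrs)
```

Running `unexpected_writes(parse_event_566(SAMPLE_566), {"member"})` on the sample returns `['proxyAddresses']`, the attribute the GUI writes beyond the delegated member right.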
