Most likely I'll use that "Manager can
update...." attribute and have him do this via Outlook. The end user
previously had ADUC for this when permissions were also 'a bit
heavy' (!), so I didn't even have that in mind at first, and then of course
I got curious about the errors...
Thanks for your comments
guys!
-DaveC
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Monday, May 22, 2006 1:48 PM
To: [email protected]
Subject: RE: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated accountOutlook does indeed let you manage groups if, in ADUC, you tick the check box "Manager can update membership list" and you define a manager of the list (on the "Managed By" tab).
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 22, 2006 1:21 PM
To: [email protected]
Subject: Re: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated accountNothing specific, but I think you can say that the Exchange-enhanced ADUC is trying to do something it doesn't need to do. You have a better answer which is to give the user a different tool. Trying to remember if the Outlook tools allow you to manage the groups (I believe they will if you have the rights and you use a GC from the same domain that Exchange is in.)ADUC for what they want to do is a bit heavy, and it looks like you have an unneccessary process going on in the background. You may also want to check that the Exchange bits are the latest available.Al
On 5/22/06, David Cliffe <[EMAIL PROTECTED]> wrote:Hi,In an environment running Exchnage 2003 SP1 under Windows 2003 SP1...I've delegated WP (write property) on the member attribute of a mail-enabled distribution list to a specific user. That user is now able to modify the members of the group via ADUC (the change does get applied), but a dialog pops up on the screen which reads as follows:Window Title = Microsoft Active Directory - Exchange ExtensionWindow Text = Access denied.Facility: LDAP ProviderID no: 80070005Microsoft Active Directory - Exchange ExtensionIn addition, the DC where this change is made logs the following event in the security log:Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 5/19/2006
Time: 4:48:52 PM
User: DOMAIN\End.User
Computer: DomainController
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: group
Object Name: CN=DistributionList,OU=Exchange,DC=company,DC=com
Handle ID: -
Primary User Name: DomainController$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: End.User
Client Domain: DOMAIN
Client Logon ID: (0x0,0x7C51DB79)
Accesses: Write Property
Properties:
---
Public Information
proxyAddresses
groupAdditional Info:
Additional Info2:
Access Mask: 0x20Would anyone know why this operation is trying to modify the proxyAddresses attribute in the Public Infomation property set? I was hoping to not have to grant WP on any other attributes for this task. If I use the delegated account to modify the member attribute of this group object using a tool other than ADUC, it is successful without generating any error messages.I first posted this on the Exchange list at Yahoo and received a good suggestion to check the backlink [memberOf attribute] of the user object being modified to make sure that it listed this group after a test modification. It does. So again, seems everything works but still get the popup.Thanks for your time,DaveC
To find out more about Reuters visit www.about.reuters.com
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
To find out more about Reuters visit www.about.reuters.com
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
