Thanks. I suspected this when both DSMOD and ADMOD modified the object without error during testing. We'd rather go with the principle of least privilege!
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 22, 2006 2:35 PM
To: [email protected]
Subject: RE: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account

The Exchange GUIs (and many MSFT GUIs) are traditionally bad with this kind of stuff. The GUIs will surprisingly often require more permissions than you really need to do things because they aren't necessarily doing the work correctly. On the flip side MSFT likes to try and enforce security in the GUIs at times too, like for instance Exchange and mailbox enabling users (in order to mailbox enable a user in ADUC with the ESM addon you need Exchange View; in reality, you don't need Exchange View) or like in the old User Manager which wouldn't let non-admins see the Administrators group membership but every other tool did.

When you delegate, you usually want to step away from using ADUC and ESM because you will end up giving out more rights than necessary just to make the GUI work "normal".

joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Monday, May 22, 2006 9:18 AM
To: [email protected]
Subject: [ActiveDir] Error dialog while modifying a mail enabled group (DL) with delegated account

Hi,

In an environment running Exchange 2003 SP1 under Windows 2003 SP1...

I've delegated WP (write property) on the member attribute of a mail-enabled distribution list to a specific user. That user is now able to modify the members of the group via ADUC (the change does get applied), but a dialog pops up on the screen which reads as follows:

Window Title = Microsoft Active Directory - Exchange Extension
Window Text = Access denied.
Facility: LDAP Provider
ID no: 80070005
Microsoft Active Directory - Exchange Extension

In addition, the DC where this change is made logs the following event in the security log:

Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 5/19/2006
Time: 4:48:52 PM
User: DOMAIN\End.User
Computer: DomainController
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: group
Object Name: CN=DistributionList,OU=Exchange,DC=company,DC=com
Handle ID: -
Primary User Name: DomainController$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: End.User
Client Domain: DOMAIN
Client Logon ID: (0x0,0x7C51DB79)
Accesses: Write Property
Properties:
---
Public Information
proxyAddresses
group
Additional Info:
Additional Info2:
Access Mask: 0x20

Would anyone know why this operation is trying to modify the proxyAddresses attribute in the Public Information property set? I was hoping to not have to grant WP on any other attributes for this task. If I use the delegated account to modify the member attribute of this group object using a tool other than ADUC, it is successful without generating any error messages.

I first posted this on the Exchange list at Yahoo and received a good suggestion to check the backlink [memberOf attribute] of the user object being modified to make sure that it listed this group after a test modification. It does. So again, seems everything works but still get the popup.

Thanks for your time,
DaveC
To find out more about Reuters visit www.about.reuters.com
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
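An added example, not code from this thread or from any of the posters: it shows the least-privilege setup discussed above done outside ADUC/ESM, using only .NET DirectoryServices through ADSI. It grants Write Property scoped to the member attribute alone, reads back what the trustee actually holds on the group, and then changes membership with a direct write to member (what DSMOD/ADMOD do), so no write to proxyAddresses is ever attempted. The group DN, trustee name and member DN are placeholders.

```powershell
# Resolve the schemaIDGUID of an attribute from the schema instead of hard-coding it.
function Get-AttributeSchemaGuid([string]$ldapDisplayName) {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.schemaNamingContext)
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$ldapDisplayName))"
    $bytes = [byte[]]$searcher.FindOne().Properties["schemaidguid"][0]
    return New-Object Guid -ArgumentList (,$bytes)
}

# Run as an administrator: add an attribute-scoped ACE (WP on 'member' only).
function Grant-MemberWriteProperty([string]$groupDn, [string]$trustee) {
    $group   = [ADSI]"LDAP://$groupDn"
    $account = New-Object System.Security.Principal.NTAccount($trustee)
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $memberGuid = Get-AttributeSchemaGuid "member"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $account, $rights, $allow, $memberGuid
    $group.ObjectSecurity.AddAccessRule($ace)
    $group.CommitChanges()
}

# Check: the trustee should hold one WriteProperty ACE scoped to 'member',
# not an ACE with an empty ObjectType (which would mean every attribute).
function Get-TrusteeRights([string]$groupDn, [string]$trustee) {
    $group = [ADSI]"LDAP://$groupDn"
    $memberGuid = Get-AttributeSchemaGuid "member"
    $rules = $group.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $trustee) { continue }
        $scope = if ($r.ObjectType -eq $memberGuid) { "member" }
                 elseif ($r.ObjectType -eq [Guid]::Empty) { "ALL properties" }
                 else { $r.ObjectType.ToString() }
        "{0} {1} on {2}" -f $r.AccessControlType, $r.ActiveDirectoryRights, $scope
    }
}

# Run as the delegated user: write 'member' directly, so the Exchange
# extension is never involved and nothing touches proxyAddresses.
function Add-GroupMemberDirect([string]$groupDn, [string]$memberDn) {
    $group = [ADSI]"LDAP://$groupDn"
    $group.Properties["member"].Add($memberDn) | Out-Null
    $group.CommitChanges()
}
$dl = "CN=DistributionList,OU=Exchange,DC=company,DC=com"   # placeholder DN
Grant-MemberWriteProperty $dl "DOMAIN\End.User"
Get-TrusteeRights $dl "DOMAIN\End.User"
# As DOMAIN\End.User (placeholder member DN):
Add-GroupMemberDirect $dl "CN=Some User,OU=Users,DC=company,DC=com"
```

The same attribute-scoped grant can be made from the command line of that era with dsacls, but reading the ACEs back as above is the check that no broader Write Property ACE slipped in.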
