Re: Managed by parameter not working on a Universal Group between 2 do

From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
Date: Thu, 08 Sep 2005 18:02:27 -0400

The outlook client is talking to a GC that is a DC for domain B. The group membership can be retrieved from that GC since uni groups publish membership to the global catalogs but can't be updated there. The protocol being used is NSPI and it doesn't support referrals so you get the error that you don't have permissions to modify the membership which is correct, no one has permissions to modify a Domain A group on a Domain B Domain Controller.

If the user and the DL were in the same domain it could still happen as long as a GC was used that wasn't from the same domain as the DL. There is a fix for this in Exchange 2003 SP1 but it forces DSPROXY to try and always give a client in Domain B a Domain B GC, this won't help your case of course.

This is why MS themselves do not use Outlook to manage DLs, they use web based DL management software. Previously it was AutoDL, now it is AutoGroups which is (or soon will be) a function of MIIS.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

John wrote:

We are running W2k3 AD and Exchange 2003 SP1 in a multiple child domain environment. When we create a Universal Distribution Group in say domain A and add a user in domain B to the Manager tab (we also check 'Manager can update membership list'), that user is unable to modify the membership via Outlook 2003. The user receives a message that she does not have permissions to modify the members. Replication is working fine and the we dont' receive any errors when we set the UDG up.

What am I missing?

Any help is greatly appreciated.

Follow-Ups:
- Re: Managed by parameter not working on a Universal Group between 2 do
  - From: Joe Richards [MVP]

References:
- Managed by parameter not working on a Universal Group between 2 do
  - From: John

Prev by Date: Re: Calendar Permissions
Next by Date: Re: Managed by parameter not working on a Universal Group between 2 do
Previous by thread: Managed by parameter not working on a Universal Group between 2 do
Next by thread: Re: Managed by parameter not working on a Universal Group between 2 do
Index(es):
- Date
- Thread

Relevant Pages

Re: Group manager
... You only modify distribution groups from Outlook. ... This posting is provided "AS IS" with no warranties, and confers no rights. ... and select the "Manager can update membership list" ...
(microsoft.public.windows.server.active_directory)
Re: corrupted user account?
... > been having some weird issues using Outlook 2000 sp3. ... > manager for items that might have been read 2 weeks prior. ... > 3) USERA is owner of a security group called Sales Department. ... > She was able to change membership a few weeks ago. ...
(microsoft.public.win2000.active_directory)
Re: Group manager
... If you're reading members of a Distribution ... "Jorge de Almeida Pinto" ... membership of group that is in another domain through outlook, ...
(microsoft.public.windows.server.active_directory)
Re: Group manager
... membership of group that is in another domain through outlook, ... * This posting is provided "AS IS" with no warranties and confers no rights! ... > modify the membership via Global Catalog in the Outlook 2003. ...
(microsoft.public.windows.server.active_directory)
Re: Corrupted user account?
... It sounds like a big mess (most probably becausesome default permissions ... > been having some weird issues using Outlook 2000 sp3. ... > 3) USERA is owner of a security group called Sales Department. ... > She was able to change membership a few weeks ago. ...
(microsoft.public.win2000.active_directory)