Re: Managed by parameter not working on a Universal Group between 2 do

From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
Date: Thu, 08 Sep 2005 18:36:02 -0400

That fix is in SP2, not SP1.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Joe Richards [MVP] wrote:

The outlook client is talking to a GC that is a DC for domain B. The group membership can be retrieved from that GC since uni groups publish membership to the global catalogs but can't be updated there. The protocol being used is NSPI and it doesn't support referrals so you get the error that you don't have permissions to modify the membership which is correct, no one has permissions to modify a Domain A group on a Domain B Domain Controller.

If the user and the DL were in the same domain it could still happen as long as a GC was used that wasn't from the same domain as the DL. There is a fix for this in Exchange 2003 SP1 but it forces DSPROXY to try and always give a client in Domain B a Domain B GC, this won't help your case of course.

This is why MS themselves do not use Outlook to manage DLs, they use web based DL management software. Previously it was AutoDL, now it is AutoGroups which is (or soon will be) a function of MIIS.
   joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
John wrote:
We are running W2k3 AD and Exchange 2003 SP1 in a multiple child domain environment. When we create a Universal Distribution Group in say domain A and add a user in domain B to the Manager tab (we also check 'Manager can update membership list'), that user is unable to modify the membership via Outlook 2003. The user receives a message that she does not have permissions to modify the members. Replication is working fine and the we dont' receive any errors when we set the UDG up.

What am I missing? Any help is greatly appreciated.

References:
- Managed by parameter not working on a Universal Group between 2 do
  - From: John
- Re: Managed by parameter not working on a Universal Group between 2 do
  - From: Joe Richards [MVP]

Prev by Date: Re: Managed by parameter not working on a Universal Group between 2 do
Next by Date: create 2 same username in AD
Previous by thread: Re: Managed by parameter not working on a Universal Group between 2 do
Next by thread: GAL Error Creating Distribution Groups
Index(es):
- Date
- Thread

Relevant Pages

Re: Group Policy and Local Admin rights
... If you used Restricted Groups ... feature of the GP to restrict membership in the Administrators group, ... They need to write files somewhere where normal users dont have Modify ... > have LOCAL admin rights for a very "picky" application. ...
(microsoft.public.windows.server.active_directory)
Re: restrict users from changing group membership
... no one should be able to modify group membership by default...someone has ... granted inappropriate permissions somewhere for them to be able to do ... When a user opens the global address book in Outlook, they can modify ... List Contents; Read Properties; and List Object. ...
(microsoft.public.exchange.admin)
Re: Group manager
... You only modify distribution groups from Outlook. ... This posting is provided "AS IS" with no warranties, and confers no rights. ... and select the "Manager can update membership list" ...
(microsoft.public.windows.server.active_directory)
Re: Restricting Domain Admins
... Just after posting I noticed that what you were attempting to modify does ... not prevent then from changing the membership of those groups, ... > Removed Modify permission ... > Removed modify owner permission ...
(microsoft.public.windows.server.security)
Re: Hide member in Distribution Lists
... > because it has reach outside of just Exchange. ... >>>question in ADUC and select Exchange Tasks and select Hide Membership. ... >>>Account Operators ... >>>Joe Richards Microsoft MVP Windows Server Directory Services ...
(microsoft.public.windows.server.active_directory)