Article ID: 242039 - Last Review: September 28, 2007 - Revision: 3.2

PRB: Windows NT Permissions for Distribution List when Owner Set ADSI/LDAP

This article was previously published under Q242039

SYMPTOMS

The owner of a distribution list is set through a Lightweight Directory Access Protocol (LDAP) and the new owner is unable to modify the membership of the list.

CAUSE

When the owner for a distribution list (DL) is set, the Microsoft Exchange Administrator program (Admin.exe) retrieves the associated Windows NT account of the owning object, usually a mailbox. This Windows NT account is then given user permissions on the distribution list. This allows the owner of the mailbox to add and remove members of the distribution list.

If the owner of the distribution list is set through ADSI/LDAP, the owner is not automatically retrieved and permissions for the associated Windows NT account are not set. This prevents the new owner from altering the list's membership.

NOTE: Improper permissions can also result from changing the associated Windows NT account of the mailbox that is set as the owner. For further information, see the following Knowledge Base article:
177838 (http://support.microsoft.com/kb/177838/EN-US/) XADM: NT Security Descriptor Associated w/ DL Owner Not Updated

RESOLUTION

To allow the distribution list owner to add and remove members, the permissions must be set correctly. This can be done either by making a change through the Microsoft Exchange Administrator program (see Knowledge Base article 177838 (http://support.microsoft.com/kb/177838/EN-US/)) or by explicitly setting the security descriptor via LDAP.

Normally, when an owner is set on a distribution list, the only permissions added are those for the associated Windows NT account. Granting that account the same permissions through LDAP requires reading the security descriptor of the distribution list, removing the Discretionary Access Control List (DACL), adding an Access Control Entry (ACE) whose trustee is that Windows NT account, replacing the DACL, and then writing the security descriptor back to the directory.

MORE INFORMATION

For simplicity, the following ADSI code example copies the entire security descriptor from the owner's mailbox and places it on the distribution list. Because the whole descriptor is copied, every account that holds permissions on that mailbox receives the same permissions on the distribution list, not only the owner.

' Set the owner, then copy the mailbox's security descriptor onto the DL.
strDNofDL = "cn=MyDL,cn=Recipients,ou=MySite,o=MyOrg"
strDNofMailbox = "cn=MyMailbox,cn=Recipients,ou=MySite,o=MyOrg"
strServer = "MyExchangeServerName"
Set oDL = GetObject("LDAP://" & strServer & "/" & strDNofDL)
oDL.Put "owner", strDNofMailbox
Set oMailbox = GetObject("LDAP://" & strServer & "/" & strDNofMailbox)
' NT-Security-Descriptor is not loaded into the property cache by default; fetch it explicitly.
oMailbox.GetInfoEx Array("NT-Security-Descriptor"), 0
oDL.Put "NT-Security-Descriptor", oMailbox.Get("NT-Security-Descriptor")
' A single SetInfo writes both the new owner and the copied descriptor.
oDL.SetInfo
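The ACE-based procedure described under RESOLUTION, as an added VBScript example that is not part of the KB article: it adds one allow ACE for the owner's Windows NT account instead of copying the mailbox descriptor, and checks the result by reading the descriptor back. It assumes ADSI 2.5 returns NT-Security-Descriptor as an IADsSecurityDescriptor object; the server, DN, trustee (DOMAIN\account) and access mask are caller-supplied placeholders, and the mask should be taken from an ACE on a distribution list whose owner was set through Admin.exe.

```vbscript
' Added example (not from the KB article): grant one Windows NT account
' an ACE on the DL instead of copying the whole mailbox descriptor.
' Assumes ADSI 2.5 returns NT-Security-Descriptor as IADsSecurityDescriptor;
' server, DN, trustee and access mask are caller-supplied placeholders.
Option Explicit

Const ADS_ACETYPE_ACCESS_ALLOWED = 0

Function GrantDLOwnerAccess(strServer, strDNofDL, strTrustee, lngAccessMask)
    Dim oDL, oSD, oDACL, oACE, oExisting
    GrantDLOwnerAccess = False

    Set oDL = GetObject("LDAP://" & strServer & "/" & strDNofDL)
    ' The descriptor is not in the property cache by default; fetch it.
    oDL.GetInfoEx Array("NT-Security-Descriptor"), 0
    Set oSD = oDL.Get("NT-Security-Descriptor")
    Set oDACL = oSD.DiscretionaryAcl

    ' Idempotence check: do not add a second ACE for the same trustee.
    For Each oExisting In oDACL
        If LCase(oExisting.Trustee) = LCase(strTrustee) Then
            GrantDLOwnerAccess = True
            Exit Function
        End If
    Next

    ' Allow ACE for the owner's Windows NT account.
    Set oACE = CreateObject("AccessControlEntry")
    oACE.Trustee = strTrustee
    oACE.AccessMask = lngAccessMask
    oACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    oACE.AceFlags = 0

    ' Add the ACE, put the DACL back on the descriptor, write it out.
    oDACL.AddAce oACE
    oSD.DiscretionaryAcl = oDACL
    oDL.Put "NT-Security-Descriptor", oSD
    oDL.SetInfo

    ' Read back and confirm the new ACE is present.
    oDL.GetInfoEx Array("NT-Security-Descriptor"), 0
    Set oSD = oDL.Get("NT-Security-Descriptor")
    For Each oExisting In oSD.DiscretionaryAcl
        If LCase(oExisting.Trustee) = LCase(strTrustee) Then GrantDLOwnerAccess = True
    Next
End Function
```

Call it as GrantDLOwnerAccess "MyExchangeServerName", "cn=MyDL,cn=Recipients,ou=MySite,o=MyOrg", "MYDOMAIN\MailboxUser", lngMask, where lngMask is the access mask observed on an Admin.exe-owned list; a False return means the ACE was not written.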

REFERENCES

For additional information about this particular problem, see the following article in the Microsoft Knowledge Base:
177838 (http://support.microsoft.com/kb/177838/EN-US/) XADM: NT Security Descriptor Associated w/ DL Owner Not Updated

For general information on Active Directory Service Interfaces (ADSI), see the following Web site:
http://msdn2.microsoft.com/library/aa772170.aspx

For information about working with Exchange mailboxes and distribution lists from ADSI, see the following article in the Microsoft Knowledge Base:
220043 (http://support.microsoft.com/kb/220043/EN-US/) HOWTO: Find Distribution List Membership for a Given Recipient


APPLIES TO
  • Microsoft Exchange Server 5.5 Standard Edition
  • Microsoft Active Directory Service Interfaces 2.5
  • Microsoft Active Directory Service Interfaces 1.0
  • Microsoft Active Directory Service Interfaces 2.0
Keywords: kbmsg kbprb KB242039

Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.