I was actually pretty unhappy when I saw this functionality. You should
almost NEVER place single users on ACLs. MS themselves tell people this is a
best practice, use groups... Then they make it easy to do.  

At least allow people to select security groups to be placed in that
attribute... You can place groups in it if you use scripts... The larger the
company the less likely you will be wanting single users listed as who can
manage any one group. 


-------------
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Sunday, March 28, 2004 7:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 DL

If you're running E2k3 in a Win2003 AD, you might want to use the ManagedBy
attribute of the group after all: 2003 has a new function in ADUC, which
simplifies setting the permissions for managing group memberships for the
user defined as the manager of a group. 

You just have to select the new option "Allow Manager of group to change
membership" on the same tab in ADUC, which automatically grants "Write
Members" for the User Object on the respective Group object.

The obvious downside here is that you can only use this for a single user
object who is defined to be the manager of the group - you can't use this
approach to assign the permissions for multiple users or for a group that
contains all your users who should be granted the specific permissions...

But if you only have 1 delegated user for managing the group memberships,
this may still be a valid option.

/Guido

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, 27 March 2004 23:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 DL

They need WP (Write Property) on the member attribute of the group.  

Assuming the following

OU: GroupTestOU
Delegated Admin Group: joe\TestOU-GroupTestOU-GrpAdmin


You can use the following DSACLS command on the OU to delegate the ability
to change membership to all groups within the OU.  

dsacls OU=GroupTestOU,OU=TestOU,DC=joe,DC=com /I:S /G joe\TestOU-GroupTestOU-GrpAdmin:WP;member;group

Note I highly recommend doing the delegation on the OUs versus on individual
groups as it tends to be easier to track down later. 

If you wanted it on one specific group the command would be like 

dsacls cn=testou-grouptestou-dl1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com /I:P /G joe\TestOU-GroupTestOU-GrpAdmin:WP;member;



Note that if you have multiple domains and especially GCs from multiple
domains in the site with the Exchange Servers you will almost certainly run
into issues modifying group memberships through Outlook. It is all FUBAR
right now and being looked at to be corrected - look for previous posts from
me in the archives concerning the issues. If you have a single domain
deployment you will be fine. 

If you have multiple domains, I don't even recommend using Outlook to do the
management. Use the Find Person dialogs or use ADUC or a custom web site.

  joe



-------------
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
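
An added audit example, not part of the thread and not any poster's code, for the two points joe makes about delegating WP on member: given a group's security descriptor in SDDL, it lists trustees with write access to the member attribute that are single users rather than groups, and whether each ACE is explicit on the group or inherited from the OU. The SDDL string, SIDs, the jsmith account and the SID-to-type map are constructed; property sets, generic rights and validated writes are not evaluated.

```python
import re

MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of 'member'
GROUP_GUID = "bf967a9c-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of 'group'

def pairs(s):
    """Split an SDDL flags/rights string into its two-letter tokens."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def member_writers(sddl):
    """Return [(trustee, inherited)] for allow ACEs granting write on 'member'."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    found = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, obj, _inherit_obj, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA") or "IO" in pairs(flags):
            continue  # not an allow ACE, or inherit-only (does not apply here)
        if rights.startswith("0x"):
            writes = bool(int(rights, 16) & 0x20)  # ADS_RIGHT_DS_WRITE_PROP
        else:
            writes = "WP" in pairs(rights)
        # An empty object GUID means all properties; otherwise it must be 'member'.
        if writes and obj.lower() in ("", MEMBER_GUID):
            found.append((trustee, "ID" in pairs(flags)))
    return found

def single_user_writers(sddl, directory):
    """Flag trustees that are not groups; directory maps SID -> (name, kind)."""
    findings = []
    for trustee, inherited in member_writers(sddl):
        if not trustee.startswith("S-1-"):
            continue  # two-letter SDDL alias for a well-known principal; skipped
        name, kind = directory.get(trustee, (trustee, "unresolved"))
        if kind != "group":
            findings.append((name, kind, "inherited" if inherited else "explicit"))
    return findings

# Constructed sample DACL of one group: RID 1105 is a single user with an explicit
# ACE, RID 1200 is the delegated admin group inherited from the OU.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;;WP;{MEMBER_GUID};;S-1-5-21-1-2-3-1105)"
    f"(OA;CIID;WP;{MEMBER_GUID};{GROUP_GUID};S-1-5-21-1-2-3-1200)"
    "(A;;RPLCLORC;;;AU)(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
)
SAMPLE_DIRECTORY = {  # constructed; in practice resolved from the directory
    "S-1-5-21-1-2-3-1105": ("joe\\jsmith", "user"),
    "S-1-5-21-1-2-3-1200": ("joe\\TestOU-GroupTestOU-GrpAdmin", "group"),
}
print(single_user_writers(SAMPLE_SDDL, SAMPLE_DIRECTORY))
```

An SID missing from the map is reported as "unresolved" rather than skipped, since an ACE for a deleted or foreign account is also worth reviewing.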
 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, March 25, 2004 12:18 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Exchange 2003 DL

I have an issue here that I am struggling with.  On Exchange 5.5, I was able
to add people to be able to modify the membership of DL through Outlook
without them having to be the Manager or owner of the DL.

Now that I am on Exchange 2003, what permissions do groups or user accounts
need to have in order to modify the groups through Outlook?


Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
