Oh, and actually I made a mistake, the one group was managed by a user and not the DL, if I set the DL then it does get the managedObjects as well.
[Mon 03/29/2004 8:18:49.97] F:\DEV\cpp\OldCmp>adfind -default -f managedby=*

AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003

Using server: 2k3dc01.joe.com
Base DN: DC=joe,DC=com

dn:CN=TestOU-GroupTestOU-DL1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>objectClass: top
>objectClass: group
>cn: TestOU-GroupTestOU-DL1
>distinguishedName: CN=TestOU-GroupTestOU-DL1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040327224354.0Z
>whenChanged: 20040329003348.0Z
>uSNCreated: 130338
>uSNChanged: 134833
>name: TestOU-GroupTestOU-DL1
>objectGUID: {51D054EA-CD6D-4BD4-B619-1A1B3830BEE5}
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-1118
>sAMAccountName: TestOU-GroupTestOU-DL1
>sAMAccountType: 268435457
>managedBy: CN=TESTOU-GroupTestOU-GrpAdmin,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>managedObjects: CN=TESTOU-GroupTestOU-GrpAdmin,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>groupType: 8
>objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com
>dSCorePropagationData: 20040327224635.0Z
>dSCorePropagationData: 16010101000001.0Z

dn:CN=TESTOU-GroupTestOU-GrpAdmin,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>objectClass: top
>objectClass: group
>cn: TESTOU-GroupTestOU-GrpAdmin
>distinguishedName: CN=TESTOU-GroupTestOU-GrpAdmin,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040327224440.0Z
>whenChanged: 20040329134031.0Z
>uSNCreated: 130343
>uSNChanged: 139487
>name: TESTOU-GroupTestOU-GrpAdmin
>objectGUID: {8700F729-8B9F-4BD0-BAB9-60BB1B99A1E9}
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-1119
>sAMAccountName: TESTOU-GroupTestOU-GrpAdmin
>sAMAccountType: 536870912
>managedBy: CN=TestOU-GroupTestOU-DL1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>managedObjects: CN=TestOU-GroupTestOU-DL1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>groupType: -2147483644
>objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com
>dSCorePropagationData: 20040327224635.0Z
>dSCorePropagationData: 16010101000001.0Z

2 Objects returned
[Mon 03/29/2004 8:40:35.11] F:\DEV\cpp\OldCmp>

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Monday, March 29, 2004 8:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 DL

Thanks for the clarification Joe - now we just need to get the UI to support it, as these medium companies tend to use the UI a lot ;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 29, 2004 15:23
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 DL

I agree there are more medium companies than large ones. Couldn't be any other way. However, I think the best practices are good for anyone as you shouldn't depend on a single user for any given work unless the company is tiny (like you know everyone and very little turnover). Especially if it involves granting access to things. Small/Medium companies need to follow good practices as much as or possibly even more than large companies simply because they don't have the resources to bail them out when it gets screwed up.

On the second statement, that is incorrect. Here is a dump from my environment with two groups managing each other. Only the non-Security DL doesn't have the managedObjects backlink filled in.
[Mon 03/29/2004 8:17:26.66] F:\DEV\cpp\OldCmp>adfind -default -f managedby=*

AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003

Using server: 2k3dc01.joe.com
Base DN: DC=joe,DC=com

dn:CN=TestOU-GroupTestOU-DL1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>objectClass: top
>objectClass: group
>cn: TestOU-GroupTestOU-DL1
>distinguishedName: CN=TestOU-GroupTestOU-DL1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040327224354.0Z
>whenChanged: 20040329003348.0Z
>uSNCreated: 130338
>uSNChanged: 134833
>name: TestOU-GroupTestOU-DL1
>objectGUID: {51D054EA-CD6D-4BD4-B619-1A1B3830BEE5}
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-1118
>sAMAccountName: TestOU-GroupTestOU-DL1
>sAMAccountType: 268435457
>managedBy: CN=TESTOU-GroupTestOU-GrpAdmin,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>groupType: 8
>objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com
>dSCorePropagationData: 20040327224635.0Z
>dSCorePropagationData: 16010101000001.0Z

dn:CN=TESTOU-GroupTestOU-GrpAdmin,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>objectClass: top
>objectClass: group
>cn: TESTOU-GroupTestOU-GrpAdmin
>distinguishedName: CN=TESTOU-GroupTestOU-GrpAdmin,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040327224440.0Z
>whenChanged: 20040329003101.0Z
>uSNCreated: 130343
>uSNChanged: 134814
>name: TESTOU-GroupTestOU-GrpAdmin
>objectGUID: {8700F729-8B9F-4BD0-BAB9-60BB1B99A1E9}
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-1119
>sAMAccountName: TESTOU-GroupTestOU-GrpAdmin
>sAMAccountType: 536870912
>managedBy: CN=NormalUser,CN=Users,DC=joe,DC=com
>managedObjects: CN=TestOU-GroupTestOU-DL1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>groupType: -2147483644
>objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com
>dSCorePropagationData: 20040327224635.0Z
>dSCorePropagationData: 16010101000001.0Z

2 Objects returned

[Mon 03/29/2004 8:18:49.97] F:\DEV\cpp\OldCmp>

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Sunday, March 28, 2004 10:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 DL

Joe, I do basically agree with you on this, however it is not so uncommon for medium sized companies (of which there simply are more than really large ones) to allow just the owner of a group to change membership. For these companies this feature is rather handy, as you don't need to take care of creating another group to manage a group...

The mechanism can't be used to allow granting the rights for a group to manage a group, since group objects don't have the managedObjects backlink, which is required to allow to set the managedBy attribute on an object in AD. So you can just use a single user or contact.

/Guido

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, March 29, 2004 02:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 DL

I was actually pretty unhappy when I saw this functionality. You should almost NEVER place single users on ACLs. MS themselves tell people this is a best practice, use groups... Then they make it easy to do. At least allow people to select security groups to be placed in that attribute... You can place groups in it if you use scripts...

The larger the company the less likely you will be wanting single users listed as who can manage any one group.
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Sunday, March 28, 2004 7:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 DL

if you're running E2k3 in a Win2003 AD, you might want to use the ManagedBy attribute of the group after all: 2003 has a new function in ADUC, which simplifies setting the permissions for managing group-memberships for the user defined as the manager of a group. You just have to select the new option "Allow Manager of group to change membership" on the same tab in ADUC, which automatically grants "Write Members" for the User Object on the respective Group object.

The obvious downside here is that you can only use this for a single user object who is defined to be the manager of the group - you can't use this approach to assign the permissions for multiple users or for a group that contains all your users who should be granted the specific permissions... But if you only have 1 delegated user for managing the group memberships, this may still be a valid option.

/Guido

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 27, 2004 23:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 DL

They need WP (Write Property) on the member attribute of the group.

Assuming the following

OU: GroupTestOU
Delegated Admin Group: joe\TestOU-GroupTestOU-GrpAdmin

You can use the following DSACLS command on the OU to delegate the ability to change membership to all groups within the OU.

dsacls OU=GroupTestOU,OU=TestOU,DC=joe,DC=com /I:S /G joe\TestOU-GroupTestOU-GrpAdmin:WP;member;group

Note I highly recommend doing the delegation on the OUs versus on individual groups as it tends to be easier to track down later.
If you wanted it on one specific group the command would be like

dsacls cn=testou-grouptestou-dl1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com /I:P /G joe\TestOU-GroupTestOU-GrpAdmin:WP;member;

Note that if you have multiple domains and especially GCs from multiple domains in the site with the Exchange Servers you will almost certainly run into issues modifying group memberships through Outlook. It is all FUBAR right now and being looked at to be corrected - look for previous posts from me in the archives concerning the issues. If you have a single domain deployment you will be fine. If you have multiple domains, I don't even recommend using Outlook to do the management. Use the Find Person dialogs or use ADUC or a custom web site.

joe

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, March 25, 2004 12:18 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Exchange 2003 DL

I have an issue here that I am struggling with. On Exchange 5.5, I was able to add people to be able to modify the membership of DL through Outlook without them having to be the Manager or owner of the DL. Now that I am on Exchange 2003, what permissions do groups or user accounts need to have in order to modify the groups through Outlook?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
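Added example, not part of the thread above and not joe's or Guido's code: a PowerShell audit of the delegation the thread discusses. For every group in an OU it lists which trustees hold Write Property on the "member" attribute (the right that "dsacls ... :WP;member;group" or the ADUC "Allow Manager of group to change membership" checkbox grants), whether that ACE is inherited from the OU (joe's recommended placement) or set directly on the group, and whether managedBy points at a user or a group. It assumes the RSAT ActiveDirectory module and read access to the OU; the OU DN is the thread's lab value and is a placeholder to replace. The schemaIDGUID of the member attribute is the well-known constant bf9679c0-0de6-11d0-a285-00aa003049e2.

```powershell
# Added example (not from the thread). Audits who can change group membership
# in one OU and whether that right is held by groups or by individual users.
# Assumes the RSAT ActiveDirectory module and read access to the OU.
Import-Module ActiveDirectory

# OU DN from the thread's lab environment; placeholder, replace with your own.
$ouDn = 'OU=GroupTestOU,OU=TestOU,DC=joe,DC=com'

# schemaIDGUID of the "member" attribute. An Allow ACE with WriteProperty whose
# ObjectType is this GUID (or the empty GUID, meaning all attributes) lets the
# trustee edit membership. GenericWrite/GenericAll include the WriteProperty bit.
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-TrusteeClass {
    # Map an ACE trustee (DOMAIN\name) to its AD objectClass ('user', 'group', ...).
    # Returns $null for well-known principals such as NT AUTHORITY\SELF that are
    # not directory objects.
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -ErrorAction Stop
        if ($obj) { return $obj.ObjectClass }
    } catch { }
    return $null
}

function Get-GroupMembershipDelegation {
    param([string]$SearchBase)
    foreach ($g in Get-ADGroup -Filter * -SearchBase $SearchBase -Properties managedBy) {
        $acl = Get-Acl -Path ("AD:\" + $g.DistinguishedName)
        $writers = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
            ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [Guid]::Empty)
        }
        # Class of the managedBy target: 'user' means the ADUC checkbox path,
        # 'group' means the scripted group-manages-group setup from the thread.
        $managerClass = $null
        if ($g.managedBy) { $managerClass = (Get-ADObject -Identity $g.managedBy).ObjectClass }
        foreach ($ace in $writers) {
            [pscustomobject]@{
                Group        = $g.Name
                Trustee      = $ace.IdentityReference.Value
                TrusteeClass = Get-TrusteeClass $ace.IdentityReference
                Inherited    = $ace.IsInherited   # $true when delegated at the OU level
                ManagedBy    = $g.managedBy
                ManagerClass = $managerClass
            }
        }
    }
}

$report = Get-GroupMembershipDelegation -SearchBase $ouDn
$report | Sort-Object Group, Trustee |
    Format-Table Group, Trustee, TrusteeClass, Inherited, ManagerClass -AutoSize

# Individual user accounts holding the right directly is the pattern the thread
# argues against; call those out so they can be moved into a delegated group.
$report | Where-Object { $_.TrusteeClass -eq 'user' } | ForEach-Object {
    Write-Warning "$($_.Group): user '$($_.Trustee)' can change membership directly"
}
```

Run it from a workstation or server with RSAT against the domain; a group delegated the way joe describes shows one inherited ACE for joe\TestOU-GroupTestOU-GrpAdmin with TrusteeClass "group", whereas a group set up through the ADUC checkbox shows a non-inherited ACE for the manager with TrusteeClass "user" and ManagerClass "user".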