Never hesitate. Best way to learn is to hang your knowledge out there and see who salutes. :o)
I am sure there aren't less than 10 people who are happy you posted that response on this list and who knows how many from the blog entry.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, December 13, 2004 4:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Printing Distribution Lists
I KNEW you'd have something to say. :-)
I hesitated to post...thanks for the feedback. I'll update later tonite.
M
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 13, 2004 3:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Printing Distribution Lists
Hey Michael I am sensing royalties..... :o)
LOL J/K.
Ok a couple of items, get ready to edit. ;o)
1. Change your objectclass=group to objectcategory=group in those queries...
2. This filter has an issue -> "objectclass=group,mail=*"
3. Adfind defaults to subtree so you don't have to specify it, obviously specifying it doesn't hurt anything except for the wear and tear on the nubs at the ends of your hands.
4. AD Distribution groups DON'T always have the mail attribute set. Only if they are DLs for mail delivery - mail enabled in Exchange parlance. I know of a couple of companies that actually use DLs for security groups in UNIX apps. They don't need the NT Security enabled because it is all handled within the UNIX app and updating the Windows security token does nothing for UNIX. It is good to just use DLs if you can as it decreases kerb cert and token bloat as you have some hard limits there... That is one of the reasons why you should clean up sidhistories as fast as you can. I realize that you are talking about DLs as directly related to Exchange, but good to make a clear distinction as someone else may not be using Exchange but using DLs and come across this blog and go WTF! when it doesn't seem to do what they expect.
5. Security groups CAN have the mail attribute set. Any DL that ANYONE in an Org decides to apply to a folder for permissioning gets changed to a security group automagically. The only way I am aware of to prevent this is to take away Exchange's ability to modify the grouptype attribute. I am not sure I would do this. Exchange has blown itself to bits for lesser things.
Here is a quick run through for a DL...
Step 1: Check an existing DL. Note that mail isn't set and your grouptype and samaccounttype values (note that -samdc on adfind v01.25.xx will decode those values to strings...)
F:\DEV\cpp\AdFind>adfind -b CN=DLTEST,CN=Users,DC=joe,DC=com
AdFind V01.25.01cpp Joe Richards ([EMAIL PROTECTED]) December 2004
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
dn:CN=DLTEST,CN=Users,DC=joe,DC=com
>objectClass: top
>objectClass: group
>cn: DLTEST
>distinguishedName: CN=DLTEST,CN=Users,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040311144823.0Z
>whenChanged: 20040625234655.0Z
>uSNCreated: 20573
>uSNChanged: 20573
>name: DLTEST
>objectGUID: {F2FE5F60-0BE6-4E29-ACEE-DA5706972661}
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-1113
>sAMAccountName: DLTEST
>sAMAccountType: 268435457
>groupType: 2
>objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com
1 Objects returned
The command completed successfully.
Step 2: mail enable DL.
F:\DEV\cpp\AdFind>exchmbx -b CN=DLTEST,CN=Users,DC=joe,DC=com -me
ExchMbx V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) August 2004
Using server: 2k3dc01.joe.com
DN Count: 1
Mail Enabling Objects...
DN: cn=dltest,cn=users,dc=joe,dc=com...
The command completed successfully.
Step 3: verify mail enable occurred, note that not all mail attributes will be set yet. RUS hasn't swung through yet.
F:\DEV\cpp\AdFind>adfind -b CN=DLTEST,CN=Users,DC=joe,DC=com
AdFind V01.25.01cpp Joe Richards ([EMAIL PROTECTED]) December 2004
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
dn:CN=DLTEST,CN=Users,DC=joe,DC=com
>mailNickname: DLTEST
>reportToOriginator: TRUE
>objectClass: top
>objectClass: group
>cn: DLTEST
>distinguishedName: CN=DLTEST,CN=Users,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040311144823.0Z
>whenChanged: 20041213203144.0Z
>displayName: dltest
>uSNCreated: 20573
>uSNChanged: 811817
>name: DLTEST
>objectGUID: {F2FE5F60-0BE6-4E29-ACEE-DA5706972661}
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-1113
>sAMAccountName: DLTEST
>sAMAccountType: 268435457
>legacyExchangeDN: /o=joeware/ou=First Administrative Group/cn=Recipients/cn=DLTEST
>groupType: 2
>objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com
1 Objects returned
The command completed successfully.
Step 4: RUS swings through and stamps object with more Exchange attribs. Object is now ready to go, at least on any Exchange machines that use the DC the info has replicated to.
F:\DEV\cpp\AdFind>adfind -b CN=DLTEST,CN=Users,DC=joe,DC=com
AdFind V01.25.01cpp Joe Richards ([EMAIL PROTECTED]) December 2004
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
dn:CN=DLTEST,CN=Users,DC=joe,DC=com
>msExchALObjectVersion: 21
>msExchPoliciesIncluded: {3A872370-0BE8-441A-B275-69F9B3FC83A9},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
>mailNickname: DLTEST
>reportToOriginator: TRUE
>objectClass: top
>objectClass: group
>cn: DLTEST
>distinguishedName: CN=DLTEST,CN=Users,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040311144823.0Z
>whenChanged: 20041213203216.0Z
>displayName: dltest
>uSNCreated: 20573
>uSNChanged: 811823
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: SMTP:[EMAIL PROTECTED]
>proxyAddresses: X400:c=US;a= ;p=joeware;o=Exchange;s=DLTEST;
>name: DLTEST
>objectGUID: {F2FE5F60-0BE6-4E29-ACEE-DA5706972661}
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-1113
>sAMAccountName: DLTEST
>sAMAccountType: 268435457
>showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=joeware,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=joe,DC=com
>showInAddressBook: CN=All Groups,CN=All Address Lists,CN=Address Lists Container,CN=joeware,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=joe,DC=com
>legacyExchangeDN: /o=joeware/ou=First Administrative Group/cn=Recipients/cn=DLTEST
>groupType: 2
>objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com
>textEncodedORAddress: c=US;a= ;p=joeware;o=Exchange;s=DLTEST;
>mail: [EMAIL PROTECTED]
1 Objects returned
The command completed successfully.
Step 5: In Outlook use a normal userid and set that DL to permission some folder. Any folder.
Step 6: Look at the AD object again. Note that now the group is a security group - note the samaccounttype and grouptype.
[Mon 12/13/2004 15:32:28.67]
F:\DEV\cpp\AdFind>adfind -b CN=DLTEST,CN=Users,DC=joe,DC=com
AdFind V01.25.01cpp Joe Richards ([EMAIL PROTECTED]) December 2004
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
dn:CN=DLTEST,CN=Users,DC=joe,DC=com
>msExchALObjectVersion: 21
>msExchPoliciesIncluded: {3A872370-0BE8-441A-B275-69F9B3FC83A9},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
>mailNickname: DLTEST
>reportToOriginator: TRUE
>objectClass: top
>objectClass: group
>cn: DLTEST
>distinguishedName: CN=DLTEST,CN=Users,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040311144823.0Z
>whenChanged: 20041213203355.0Z
>displayName: dltest
>uSNCreated: 20573
>uSNChanged: 811831
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: SMTP:[EMAIL PROTECTED]
>proxyAddresses: X400:c=US;a= ;p=joeware;o=Exchange;s=DLTEST;
>name: DLTEST
>objectGUID: {F2FE5F60-0BE6-4E29-ACEE-DA5706972661}
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-1113
>sAMAccountName: DLTEST
>sAMAccountType: 268435456
>showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=joeware,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=joe,DC=com
>showInAddressBook: CN=All Groups,CN=All Address Lists,CN=Address Lists Container,CN=joeware,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=joe,DC=com
>legacyExchangeDN: /o=joeware/ou=First Administrative Group/cn=Recipients/cn=DLTEST
>groupType: -2147483646
>objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com
>textEncodedORAddress: c=US;a= ;p=joeware;o=Exchange;s=DLTEST;
>mail: [EMAIL PROTECTED]
1 Objects returned
The command completed successfully.
As for going back the other way, this time I turned on -samdc so you can see the strings.
Step 1: Grab group but only the two attribs we are interested in.
F:\DEV\cpp\AdFind>adfind -b CN=DLTEST,CN=Users,DC=joe,DC=com -samdc samaccounttype grouptype
AdFind V01.25.01cpp Joe Richards ([EMAIL PROTECTED]) December 2004
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
dn:CN=DLTEST,CN=Users,DC=joe,DC=com
>sAMAccountType: 268435456 [GROUP(268435456)]
>groupType: -2147483646 [GLOBAL(2);SECURITY(2147483648)]
1 Objects returned
The command completed successfully.
Step 2: Clear mail attribs
F:\DEV\cpp\AdFind>exchmbx -b CN=DLTEST,CN=Users,DC=joe,DC=com -clear
ExchMbx V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) August 2004
Using server: 2k3dc01.joe.com
DN Count: 1
Clearing Exchange Attributes...
DN: cn=dltest,cn=users,dc=joe,dc=com...
The command completed successfully.
Step 3: This doesn't correct the group type
F:\DEV\cpp\AdFind>adfind -b CN=DLTEST,CN=Users,DC=joe,DC=com -samdc samaccounttype grouptype
AdFind V01.25.01cpp Joe Richards ([EMAIL PROTECTED]) December 2004
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
dn:CN=DLTEST,CN=Users,DC=joe,DC=com
>sAMAccountType: 268435456 [GROUP(268435456)]
>groupType: -2147483646 [GLOBAL(2);SECURITY(2147483648)]
1 Objects returned
The command completed successfully.
Step 4: So change group type manually
F:\DEV\cpp\AdFind>admod -b CN=DLTEST,CN=Users,DC=joe,DC=com grouptype::2
AdMod V01.01.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
DN: cn=dltest,cn=users,dc=joe,dc=com...
The command completed successfully
Step 5: Now you see the original samaccounttype and grouptype values again.
F:\DEV\cpp\AdFind>adfind -b CN=DLTEST,CN=Users,DC=joe,DC=com -samdc samaccounttype grouptype
AdFind V01.25.01cpp Joe Richards ([EMAIL PROTECTED]) December 2004
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
dn:CN=DLTEST,CN=Users,DC=joe,DC=com
>sAMAccountType: 268435457 [NON-SEC_GROUP(268435457)]
>groupType: 2 [GLOBAL(2)]
1 Objects returned
The command completed successfully.
joe
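As an added example (not code from the thread or from the joeware tools), the block below decodes the raw groupType and sAMAccountType integers seen in joe's adfind dumps the way -samdc does, flags mail-enabled groups that carry the SECURITY bit (the state DLTEST is left in after step 5), and builds objectCategory-based LDAP filters using the bitwise-AND matching rule in place of the "objectclass=group,mail=*" form from item 2. The DLTEST entries and the mail address are constructed from values in the thread.

```python
# Added example, not from the thread or the joeware tools: decode the raw
# groupType / sAMAccountType integers in the adfind dumps (as -samdc does) and
# flag mail-enabled groups carrying the SECURITY bit, the state DLTEST is in after step 5.

# groupType bit flags from the AD schema; SECURITY is bit 31, which is why a
# security-enabled global group shows up as the signed value -2147483646.
GROUP_TYPE_FLAGS = {0x2: "GLOBAL", 0x4: "DOMAIN_LOCAL", 0x8: "UNIVERSAL", 0x80000000: "SECURITY"}
SECURITY_BIT, DOMAIN_LOCAL_BIT = 0x80000000, 0x4
# sAMAccountType values a DC derives from groupType for group objects.
SAM_ACCOUNT_TYPES = {
    0x10000000: "GROUP",          # 268435456: security group
    0x10000001: "NON-SEC_GROUP",  # 268435457: distribution group
    0x20000000: "ALIAS",          # domain local security group
    0x20000001: "NON-SEC_ALIAS",  # domain local distribution group
}

def decode_group_type(value):
    """Flag names set in a groupType value (AD stores it as a signed 32-bit int)."""
    unsigned = value & 0xFFFFFFFF
    return [name for bit, name in GROUP_TYPE_FLAGS.items() if unsigned & bit]

def decode_sam_account_type(value):
    return SAM_ACCOUNT_TYPES.get(value, "UNKNOWN(%d)" % value)

def is_security_group(group_type):
    return bool(group_type & 0xFFFFFFFF & SECURITY_BIT)

def expected_sam_account_type(group_type):
    """sAMAccountType is derived from groupType, which is why admod grouptype::2 fixed both."""
    base = 0x20000000 if group_type & 0xFFFFFFFF & DOMAIN_LOCAL_BIT else 0x10000000
    return base if is_security_group(group_type) else base + 1

def classify(entry):
    # 'distribution', 'security', or 'mail-enabled security' (a DL converted by Exchange)
    if not is_security_group(entry["groupType"]):
        return "distribution"
    return "mail-enabled security" if entry.get("mail") else "security"

# LDAP filters on the same bit via the bitwise-AND matching rule 1.2.840.113556.1.4.803,
# using objectCategory=group (item 1) and a real AND filter instead of the
# "objectclass=group,mail=*" form from item 2.
BIT_AND = "1.2.840.113556.1.4.803"
FILTER_MAIL_ENABLED_DLS = "(&(objectCategory=group)(mail=*)(!(groupType:%s:=%d)))" % (BIT_AND, SECURITY_BIT)
FILTER_MAIL_ENABLED_SEC = "(&(objectCategory=group)(mail=*)(groupType:%s:=%d))" % (BIT_AND, SECURITY_BIT)

# Constructed from the DLTEST dumps in the thread; the mail address is a placeholder.
DLTEST_STEP1 = {"groupType": 2, "sAMAccountType": 268435457}
DLTEST_STEP4 = {"groupType": 2, "sAMAccountType": 268435457, "mail": "dltest@example.invalid"}
DLTEST_STEP6 = {"groupType": -2147483646, "sAMAccountType": 268435456, "mail": "dltest@example.invalid"}
```

Running FILTER_MAIL_ENABLED_SEC against a domain lists the groups that started life as DLs and were flipped by Exchange, alongside groups that were mail-enabled security groups by design, so the result is a review list rather than a fault list.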
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, December 13, 2004 3:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Printing Distribution Lists
Well, here's a way:
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, December 13, 2004 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Printing Distribution Lists
You'd need to write something custom to actually output a text file or something like that. Here's my cheap but effective way though:
Give the user Outlook 2003
Have them compose a new message
In the To box, put the DL in, and hit the little plus button to expand it
Print the unsent message, all members are listed in the To area.
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
From: [EMAIL PROTECTED] on behalf of Christine Allen
Sent: Mon 12/13/2004 1:48 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Printing Distribution Lists
Running Exchange 2003 and ad 2000 (not on the same box).
Is there a way to allow user to print out DL membership? Thanks.
-Christine
Christine N. Allen
Citrix/Windows 2000 Engineer
BMC Healthnet Plan
One Design Center Place
Boston, MA 02210
Work: 617-748-6034
Cell: 617-290-4407