Could be a couple of things. First off though, being an owner of a DL doesn't give someone the permission to modify it. It is permissions in AD that do that. There are versions of ADUC that will stamp an ACE on an object when you specify an owner for that object, but not all versions do this and none of the scripting methods will do this when you set the owner attribute. The very first thing you want to do is verify the permissions on the objects. It is possible someone went through and smacked your permissions you had in place. Use DSACLs, it is much easier to use than fishing through the GUI.
The next thing is the issue that Jorge mentioned. Outlook uses NSPI to work with AD and NSPI isn't a referral capable mechanism. DSACCESS currently is not smart enough to give you a GC that is a DC that the user is a member of and even so, if it did, it is possibly the DL is in another domain and that won't even help. So anyway, you must be using a GC that is a DC of the domain that hosts the DL you want to modify if you do it through outlook. If you have permissions configured correctly on the groups and you have multiple Domains, your problem is most likely here. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Friday, December 31, 2004 11:41 AM To: 'Cariglia, Daniel '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org ' Subject: RE: [ActiveDir] Problem with DL owners not able to modify lists Hi, Do you have a multi domain environment? I presume you are using universal DLs... This problem occurs when a user in domain A wants to modify a DL in domain B, although the user has the correct permissions to modify the DL. To be able to modify the DL the user needs the correct permissions and it also needs to use a GC that is also a DC that is authoritative for the DL. In other words... The user in domain A needs a DC/GC in domain B to modify the DL in domain B. A DC/GC of domain A will not work as it has only a read-only copy of the DL I know there have been some threads on this (check the archives for it). I also think Joe can tell more about this. Regards, Jorge -----Original Message----- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 12/31/2004 5:15 PM Subject: [ActiveDir] Problem with DL owners not able to modify lists Hello, Having a rather odd problem with distribution lists, some owners can modify the lists while others cannot. It does not seem dependent upon which GC their Outlook client uses. Nothing has changed in the domain or forest recently and everything was working fine until about a week ago when some owners started reporting the problem. They are shown as the owner in the Global Address List as well as in ADUC with the "manager can update membership" box checked. They get an error that states "changes could not be saved, you do not have sufficient permissions to perform an operation on this object". I have compared permissions of managers of lists who are experiencing the problem and those who are not having issues and they are identical. Any ideas would be appreciated. Dan This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
