I know exactly what you mean - I also mistrust users and am quite happy to be mistrusted. Even though I never lie (!) I know it's very easy to not give all the info which is needed either because you're sure it doesn't matter or you've forgotten it or you're too embarrassed to own up to what you really did!
Steve -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 07 February 2006 23:54 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nesting groups Nothing personal, I assume everyone is lying to me. When I entered the world of enterprise class corporate support back in like 1996, my supervisor sat me down the first day and told me words to live by 1. Believe none of what you hear and only half of what you see. 2. Users lie. He further clarified #2 with several points. First that users were defined as anyone asking you for help so that could be end users or other admins or even your boss. Second, they don't necessarily do it on purpose, some of them truly believe what they tell you. Others are out and out not telling you the truth and don't want you to figure out the truth, they just want you to make it so they can continue doing whatever it was that they were doing when they ran into the occasion that required your assistance. I agree that the changes you mention shouldn't have made a difference. Possibly there was something else going on when the message was sent previously, I would just keep an eye open. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Tuesday, February 07, 2006 7:27 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nesting groups It really is a single domain; would I lie to you?? :-) I've now gone through all the groups. They were all mail enabled and permissions haven't been changed but I think there are two things which were causing problems - one I've now fixed the other I'm still working on. The names of some of the groups have been changed; normally, I would make the name, display name, pre-Windows 2000 name and alias all the same but some of these had been renamed and not all the names matched up (and a couple had spaces - I think this is allowed but I always avoid spaces in names!) I've now made sure that they're all the same (and even the SMTP address is the same although I doubt that matters??) and it now seems to work (I sent an email to the top level list and all the names appear in the Exchange log; yesterday that wasn't the case) The one issue I've still got is the way Outlook 2003 in cached mode doesn't seem to update the address book properly. If I log on to a machine with Outlook 2003 and don't set up cached mode then I get to see all the groups. If I log on in cached mode then the Global Address List in the address book doesn't show all the groups. If I pick "All Groups" from the "All Address Lists" section then I get to see all the groups. I'm pretty sure this is a client-side issue (Office XP sees it OK; using Find in OWA also works OK) Thanks for all the suggestions. Steve -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 07 February 2006 08:31 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nesting groups Just one of the standard questions I use for DL expansion issues. Not relevant to a single domain forest but we don't know in this case if this is for sure a single domain forest or they simply manage a single domain in a forest. I've made that assumption based on verbiage in the past and paid for it, little more careful now[1]. Anyway, the one group specifically not receiving the message sounds very much like it isn't mail enabled, the group is a global/dlg that isn't being expanded on the correct GC, or the permissions for the group have been modified incorrectly. Actually that reminds me, another question I should have specifically spelled out below is "are the permissions standard for the groups and users?", i.e. has anyone tried to tighten down the directory? joe [1]"No, the forest has multiple domains, the other domain is just an empty root and is run by the schema admin folks until the rest of the company converts, we don't have any groups or users in that domain so we didn't figure you wanted to hear about it...". You have to love hearing that after several hours of trying to troubleshoot from descriptions and start catching inconsistencies. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, February 06, 2006 11:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nesting groups Joe, What would be the point of B? Deji -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, February 06, 2006 5:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nesting groups No limits that I am aware of, I swear I have tested in the past to 4 or 5 layers and seen it work. I know I definitely tested three layers as I have done that several times to mimic various environments. I would A. Make sure all groups/users in question are mail-enabled. B. Make sure that the groups truly are universal. C. Make sure that the groups are all replicating properly to the GCs that the Exchange servers are using. D. Doublecheck settings on the groups that you think are involved in users not getting mail. E. For testing, Send mail to each of the lists individually and check for recipt. Step up a level in nesting, repeat. The size of the DL is relatively small so it isn't an issue with number of users. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Monday, February 06, 2006 11:30 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Nesting groups Is there a limit to the amount of nesting which can be carried out on Universal Security Groups? We have a single domain (mix of Windows 2003 and 2000 servers) with Exchange 2003 and a number of nested groups but we've just discovered a problem - mail sent to some of the lists is not reaching all the members of the list. Some detail: Top level list: Technology_Faculty This comprises: Technology_Teaching, Technology_Support, Technology_Admin, Technology_Technicians Each of those groups is split further; eg: Technology_Teaching contains: School_Auto_Engineering, School_Building_Crafts, School_Mech_Engineering etc The schools then split eg: School_Auto_Engineering: Curriculum_Body_Paint, Curriculum_Mechanical and users are added to the lowest level groups. Email sent to the Technology_faculty group doesn't get delivered to all the people - as far as I can tell (by looking at the Exchange log) it misses completely the group called "technology_teaching" In total, there are only about 200 people across all the sub-groups. If this is "working as designed" then is there a way round it? If it's broken, then suggestions, please, for fixing it! Steve List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/