Microsoft KB Archive/242039

= PRB: Windows NT Permissions for Distribution List when Owner Set ADSI/LDAP =

Article ID: 242039

Article Last Modified on 9/28/2007

-

APPLIES TO


 * Microsoft Exchange Server 5.5 Standard Edition
 * Microsoft Active Directory Service Interfaces 2.5
 * Microsoft Active Directory Service Interfaces 1.0
 * Microsoft Active Directory Service Interfaces 2.0

-



This article was previously published under Q242039



SYMPTOMS
The owner of a distribution list is set through a Lightweight Directory Access Protocol (LDAP) and the new owner is unable to modify the membership of the list.



CAUSE
When the owner for a distribution list (DL) is set, the Microsoft Exchange Administrator program (Admin.exe) retrieves the associated Windows NT account of the owning object, usually a mailbox. This Windows NT account is then given user permissions on the distribution list. This allows the owner of the mailbox to add and remove members of the distribution list.

If the owner of the distribution list is set through ADSI/LDAP, the owner is not automatically retrieved and permissions for the associated Windows NT account are not set. This prevents the new owner from altering the list's membership.

NOTE: Improper permissions can also occur by changing the associated Windows NT account of the mailbox set as the owner. For further information see the following Knowledge Base article:

177838 XADM: NT Security Descriptor Associated w/ DL Owner Not Updated



RESOLUTION
In order to allow the distribution list owner to be able to add and remove members, the permissions must be properly set. This can be done by either making a change through Microsoft Exchange Administrator program (see the Knowledge Base Article 177838) or by explicitly setting the security descriptor via LDAP.

Normally, when an owner is set on a distribution list, the only permissions which are added are for the associated Windows NT account. Setting a user to a distribution list requires LDAP to read the security descriptor of the distribution list, removing the Discretionary Access Control List (DACL), adding an Access Control Entry (ACE) with a trustee for that Windows NT account, replacing the DACL, then writing the security descriptor back to the directory.



MORE INFORMATION
For simplicity, the following ADSI code example copies the entire security descriptor from the owner's mailbox and places it on the distribution list. This will have the effect of giving all the users who have permission on that mailbox the same permissions on the distribution list. strDNofDL = "cn=MyDL,cn=Recipients,ou=MySite,o=MyOrg" strDNofMailbox = "cn=MyMailbox,cn=Recipients,ou=MySite,o=MyOrg" strServer = "MyExchangeServerName" set oDL = GetObject("LDAP://" + strServer + "/" + strDNofDL ) oDL.put "owner", strDNofMailbox set oMailbox = GetObject("LDAP://" + strServer + "/" + strDNofMailbox) oMailbox.GetInfoEx Array("NT-Security-Descriptor"), 0 oDL.Put "NT-Security-Descriptor", oMailbox.Get("NT-Security-Descriptor") oDL.SetInfo

