Microsoft KB Archive/943864

= Hosted users can see other hosted users if they can access the HMC Active Directory by using LDAP tools in Microsoft Solution for Hosted Messaging and Collaboration version 4.0 =

Article ID: 943864

Article Last Modified on 11/2/2007

-

APPLIES TO


 * Microsoft Solution for Hosted Messaging and Collaboration 4.0

-



SYMPTOMS
In Microsoft Solution for Hosted Messaging and Collaboration version 4.0, users of a Hosted Messaging and Collaboration (HMC) system typically do not have direct access to the Active Directory directory service by using LDAP tools such as LDP. When users have access to Active Directory, for example through a virtual private network (VPN) connection, the users can browse Active Directory to see the entries for other hosted users. This breaks the isolated tenant principle of HMC.



CAUSE
This problem occurs if the following conditions are true:
 * A reseller organization is created under the hosting organizational unit.
 * The List Contents permission is granted to all hosted users.



Hotfix information
A supported hotfix is now available from Microsoft. However, it is intended to correct only the problem that is described in this article. Apply it only to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Microsoft Solution for Hosted Messaging and Collaboration service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

To resolve this problem, apply this hotfix. To do this, follow these steps:

 * 1) On the server that is running Microsoft Provisioning Server (MPS), stop the MPS services to make sure that no more requests can be performed on the server. To do this, follow these steps:
   * a) Click Start, point to All Programs, click Administrative Tools, and then click Component Services.
   * b) Expand Component Services, expand Computers, expand My Computer, expand COM+ Applications, right-click Provisioning Engine, click Disable, and then click Shut down.
 * 2) Start the MPS Deployment Tool.
 * 3) Expand Core Platform, and then expand Cope MPF Install and MPF Core Namespaces.
 * 4) Right-click Managed Active Directory, and then click Uninstall.
 * 5) Click Start Deployment.
 * 6) Open the C:\MSIShare folder.
 * 7) Change the name of the ManagedADNS.msi file to ManagedADNS_Orig.msi.
 * 8) Copy the new ManagedADNS.msi file from the hotfix to the MSIShare folder.
 * 9) In the MPS Deployment Tool, right-click Managed Active Directory, click Install, and then click Start Deployment.
 * 10) In Component Services, right-click Provisioning Engine, and then click Enable and Start to restart the MPS engine.

Prerequisites
Microsoft Solution for Hosted Messaging and Collaboration version 4.0 must be installed before you apply this hotfix.

Restart requirement
You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace a previously released hotfix.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
You can apply this hotfix to make sure that any new resellers that are created have the correct access permissions applied.

To correct the existing permissions to prevent List Contents access to all users, follow these steps.

For the hosting organization

 * 1) In the Active Directory Users and Computers MMC snap-in, enable Advanced features on the View menu.
 * 2) Locate the hosting organization, and then right-click Properties.
 * 3) Click Security, and then click Advanced.
 * 4) Under Permission Entries, click the entry for AllUsersGroups ( \AllUsersGroups), and then click Edit.
 * 5) Under Permissions, click to clear the List Contents check box in the Allow column.

For each reseller organization that was created before you installed this hotfix

 * 1) In the Active Directory Users and Computers MMC snap-in, enable Advanced features on the View menu.
 * 2) Locate the appropriate reseller organization, and then right-click Properties.
 * 3) Click Security, and then click Advanced.
 * 4) Under Permission Entries, click the entry for AllCustomers@ , and then click Edit.
 * 5) Under Permissions, click to clear the List Contents check box in the Allow column.
 * 6) In the Apply onto field, click This object only.
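As an added example that is not part of the KB article, the following PowerShell script does the audit and the List Contents removal from the two procedures above against one organizational unit, so the same check can be repeated across every reseller OU created before the hotfix. It assumes the ActiveDirectory module (for the AD: drive) and an account allowed to edit the OU's DACL; the OU distinguished name and the group name are placeholders to replace with the hosting or reseller OU and the AllUsersGroups or AllCustomers group named in the steps.

```powershell
# Added example, not from the KB article: find explicit Allow entries on an HMC OU that
# grant "List Contents" (ActiveDirectoryRights.ListChildren) to the hosted-users group,
# and remove that single right from each matching entry. Run with -WhatIf to audit only.
# Assumes the ActiveDirectory module; the OU DN and group name are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OuDn      = 'OU=Hosting,DC=example,DC=com',  # placeholder: hosting or reseller OU
    [string]$GroupName = 'AllUsersGroups'                  # or the reseller's AllCustomers group
)
Import-Module ActiveDirectory
$path = "AD:\$OuDn"
$acl  = Get-Acl -Path $path

$listChildren = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren

# Explicit (non-inherited) Allow entries for the group whose rights include ListChildren.
$hits = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like "*\$GroupName" -and
    (($_.ActiveDirectoryRights -band $listChildren) -eq $listChildren)
})

if ($hits.Count -eq 0) {
    Write-Output "No explicit List Contents grant for $GroupName on $OuDn"
    return
}

foreach ($ace in $hits) {
    Write-Output ("{0}: {1} has {2} (applies to: {3})" -f $OuDn, $ace.IdentityReference, $ace.ActiveDirectoryRights, $ace.InheritanceType)

    if ($PSCmdlet.ShouldProcess($OuDn, "Remove ListChildren for $($ace.IdentityReference)")) {
        # Build a rule that mirrors the existing entry (same identity, scope and object
        # GUIDs) but carries only ListChildren; RemoveAccessRule subtracts just that
        # right from the matching ACE and leaves its other rights in place.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $ace.IdentityReference, $listChildren,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $ace.ObjectType, $ace.InheritanceType, $ace.InheritedObjectType)
        [void]$acl.RemoveAccessRule($rule)
    }
}

# Write the modified DACL back to the OU; -WhatIf propagates here as well.
Set-Acl -Path $path -AclObject $acl
```

Running the script with -WhatIf lists the matching entries without touching the ACL; step 6 for reseller organizations (Apply onto: This object only) is still set in the Advanced Security dialog.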

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional query words: HMC LDAP

Keywords: kbexpertiseinter kbqfe kbhotfixserver KB943864

-


© Microsoft Corporation. All rights reserved.