Microsoft KB Archive/261185

= XADM: Errors Logged When Recipient Update Service Cannot Update Certain User Objects in the Directory =

PSS ID Number: 261185

Article Last Modified on 6/17/2003

-

The information in this article applies to:


 * Microsoft Exchange 2000 Server

-



This article was previously published under Q261185



SUMMARY
The address list/Recipient Update Service logs an Event ID 8315 in two known cases:

Event Type: Warning
Event Source: MSExchangeAL
Event Category: Replication
Event ID: 8315
Date: 4/26/2000
Time: 12:42:13 PM
User: N/A
Computer: SERVERDC
Description:
The service could not update the entry 'CN=Jason Spahr ,CN=Users,DC=serverdc,DC=domain,DC=com' because inheritable permissions are not propagated to this object. The inheritable permissions may be disabled because the object belongs to a Windows 2000 administrative group or the inheritable permissions were disable explicitly by an administrator. DC=serverdc,DC=domain,DC=com
For more information, click http://www.microsoft.com/contentredirect.asp

The first case involves groups where the hideDLMembership attribute is equal to TRUE and is discussed in the following article in the Microsoft Knowledge Base:

253828 XADM: How The Recipient Update Service Populates Address Lists

The second case involves user objects that belong to any of the following administrative groups and is discussed in this article:

 * Enterprise Admins
 * Schema Admins
 * Domain Admins
 * Builtin\Administrators

If you delete and then recreate the Default Global Address List object, the user objects that belong to any of the above groups will not show up in the Address List and Event ID 8315 is logged.

This behavior occurs because the Allow inheritable permissions from the parent to propagate to this object check box that is located on the object's Security tab is not checked.

When Exchange 2000 Setup runs, it stamps the Domain Naming Context (DC=serverdc) container with a set of permissions that allows the Address List service to write attributes on all objects under that container; these permissions are inheritable. If an object does not inherit that permission, the Address List service cannot set several attributes on it, such as proxyAddresses and showInAddressBook.

The showInAddressBook attribute is necessary to resolve a name with a MAPI client and for the object to appear in the address list.



MORE INFORMATION
You can modify this behavior by following these steps; however, doing so may increase your security risk:
 1. In the user object's properties, click the Security tab.
 2. Click to select the Allow inheritable permissions from the parent to propagate to this object check box.
 3. Wait a few minutes, and the Address List service stamps that object with the showInAddressBook attribute.

For members of these administrative groups, Windows 2000 sets Allow inheritable permissions from the parent to propagate to this object to FALSE to prevent elevation-of-privilege attacks through inherited permissions.

For example, if Group X is made a member of the Administrators group and the Access Control List (ACL) left on Group X allows Group Y to modify the group, members of Group Y could add themselves to Group X and transitively become members of the Administrators group.
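The following audit script is an added example and is not part of the Knowledge Base article; it lists the user objects on which permission inheritance is blocked (the condition that produces Event ID 8315) and notes whether each one is a transitive member of the administrative groups named above, so that an administrator can tell expected events from objects where inheritance was disabled explicitly. It assumes the ActiveDirectory PowerShell module, which postdates Exchange 2000, and a domain-joined session with read access to the nTSecurityDescriptor attribute.

```powershell
# Added example, not from the KB article: report user objects whose DACL has
# inheritance disabled, which the Recipient Update Service cannot stamp.
# Assumes the ActiveDirectory module (a later tool, not part of Exchange 2000).
Import-Module ActiveDirectory

# The administrative groups named in the article. "Administrators" is the
# built-in group the article writes as Builtin\Administrators.
$protectedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'

# Collect the SIDs of all transitive user members of those groups, so nested
# membership (Group X inside Administrators, as in the article) is caught.
# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so enumeration may fail from a child domain; that is reported, not fatal.
$protectedMembers = @{}
foreach ($group in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $protectedMembers[$_.SID.Value] = $group }
    } catch {
        Write-Warning "Could not enumerate ${group}: $($_.Exception.Message)"
    }
}

# AreAccessRulesProtected is TRUE exactly when the "Allow inheritable
# permissions from the parent to propagate to this object" box is cleared.
Get-ADUser -Filter * -Properties nTSecurityDescriptor, showInAddressBook, proxyAddresses |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    ForEach-Object {
        $sid = $_.SID.Value
        [pscustomobject]@{
            User                 = $_.DistinguishedName
            # Which listed group explains the blocked inheritance, if any.
            ProtectedGroup       = if ($protectedMembers.ContainsKey($sid)) { $protectedMembers[$sid] } else { '(not in a listed group)' }
            # Objects missing these attributes will not resolve or appear in the address list.
            HasShowInAddressBook = [bool]$_.showInAddressBook
            ProxyAddressCount    = @($_.proxyAddresses).Count
        }
    } | Format-Table -AutoSize
```

Rows whose ProtectedGroup column reads "(not in a listed group)" are candidates for the explicit-disable case mentioned in the event text and are the ones worth reviewing before re-enabling inheritance.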

Additional query words: exch2kp2w

Keywords: kbinfo KB261185

Technology: kbExchange2000Search kbExchange2000Serv kbExchange2000ServSearch kbExchangeSearch

-


© 2004 Microsoft Corporation. All rights reserved.