Article ID: 907434
Article Last Modified on 10/25/2007
APPLIES TO
- Microsoft Exchange Server 5.5 Standard Edition
- Microsoft Exchange 2000 Server Standard Edition
- Microsoft Exchange 2000 Enterprise Server
- Microsoft Exchange Server 2003 Standard Edition
- Microsoft Exchange Server 2003 Enterprise Edition
SYMPTOMS
You explicitly configure the Send As right on a user object in the Active Directory Users and Computers snap-in in Microsoft Exchange Server. However, the Send As right is removed from the user object about one hour after you configure the Send As right.
Additionally, other changes that you made to the security descriptor on the user object may be removed. For example, the Allow inheritable permissions from parent to propagate to this object check box may no longer be selected.
If you have an environment that includes Microsoft Exchange Server 5.5 and a functioning Active Directory Connector (ADC), Exchange Server 5.5 mailboxes that are configured to use Active Directory user accounts that are members of protected groups may appear as "CUSTOM" in the Exchange Server 5.5 Administrator program.
CAUSE
The Active Directory directory service has a process that makes sure that members of protected groups do not have their security descriptors manipulated. If a security descriptor for a user account that is a member of a protected group does not match the security descriptor on the AdminSDHolder object, the user's security descriptor is overwritten with a new security descriptor that is taken from the AdminSDHolder object.
The Send As right is delegated by modifying the security descriptor of a user object. Therefore, if the user is a member of a protected group, the change is overwritten in about one hour.
RESOLUTION
We recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you require the rights that are afforded to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group and one user account that is used for e-mail purposes and at all other times.
WORKAROUND
The following information can help you work around the problem in which Exchange Server 5.5 mailboxes appear as "CUSTOM" for the user in the Exchange Server 5.5 Administrator program. The workaround relies on the fact that the SELF access control entries (ACEs) should be present on the user object when the user object is replicated to Active Directory by the Active Directory Connector (ADC).
You can use the Dsacls.exe utility to add the entries that are being stripped off the user objects. To do this, change the AdminSDHolder permissions. Then, add the entries that you want. Because all the entries use the security principal SELF, this workaround should not introduce any security problems.
Note You must run the Dsacls.exe utility one time to add the one access control entry that is missing from the AdminSDHolder security descriptor. For example, if you want to add six different entries, you may run the Dsacls.exe utility six times.
The following workaround changes the AdminSDHolder object. Then, the AdminSDHolder object is propagated to each user account that is a member of a protected group. Follow these steps:
- Install the Microsoft Windows 2000 Support Tools from the Windows 2000 CD. These tools include the Dsacls.exe utility. You can use the Dsacls.exe utility to view, modify, or remove ACEs on objects in Active Directory.
Create a batch file that contains the following code.
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As" dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Receive As" dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Change Password" dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Personal Information" dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Phone and Mail Options" dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Web Information"
Note Replace "dc=<mydomain>,dc=com" with the distinguished name of your domain.
- Wait for an hour so that Active Directory has time to rewrite the security descriptor of all the user accounts that are members of any propagated groups.
- After the ADC replicates the changes, all users appear as "user" instead of as "CUSTOM."
You might apply security update 916803, security update 912442, or the daylight saving time update for Exchange Server that is described in the following article in the Microsoft Knowledge Base:
926666 Update for daylight saving time changes in 2007 for Exchange 2003 Service Pack 2
If you do this, you must prevent the AdminSDHolder from overwriting permissions that are granted to a BlackBerry Services account on protected groups. To do this, create a batch file that contains the following code:
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As" dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Receive As" dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Change Password" dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Personal Information" dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Phone and Mail Options" dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Web Information" dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\BlackBerrySA:CA;Send As"
Note In this batch file, BlackBerrySA is a placeholder for name of the BlackBerry Service account. If you have accounts in multiple domains, you can also specify the domain in the commnad line by using the following format:Domain\BlackberrySA.
Alternatively, we recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you must have the rights that are given to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group, and one user account that is used for e-mail purposes and at all other times.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
For more information about how to delegate "Send As" rights to a user account, click the following article number to view the article in the Microsoft Knowledge Base:
281208 How to grant a user "Send As" rights in Exchange Server 5.5 and Exchange 2000
For more information about the AdminSDHolder object, click the following article numbers to view the articles in the Microsoft Knowledge Base:
232199 Description and update of the Active Directory AdminSDHolder object
817433 Delegated permissions are not available and inheritance is automatically disabled
The location of the AdminSDHolder object is as follows:
CN=AdminSDHolder,CN=System,DC=MyDomain,DC=Com
Note Replace DC=MyDomain,DC=Com in this path with the distinguished name of your domain.
The following list contains the protected groups in Windows 2000:
- Enterprise Admins
- Schema Admins
- Domain Admins
- Administrators
The following list contains the protected groups in Microsoft Windows Server 2003 and in Windows 2000 after you apply hotfix 327825 or after you install Windows 2000 Service Pack 4 (SP4):
- Administrators
- Account Operators
- Server Operators
- Print Operators
- Backup Operators
- Domain Admins
- Schema Admins
- Enterprise Admins
- Cert Publishers
Additionally, the following users are considered protected:
- Administrator
- Krbtgt
For more information about hotfix 327825, click the following article number to view the article in the Microsoft Knowledge Base:
327825 New resolution for problems with Kerberos authentication when users belong to many groups
Additional query words: XADM
Keywords: kbexchdirectory kbtshoot kbprb KB907434
