joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Managing DLs from Outlook…

by @ 6:33 pm on 9/8/2005. Filed under tech

Wow, another good question in the newsgroups that makes for good blog fodder…

Question:

We are running W2k3 AD and Exchange 2003 SP1 in a multiple child domain environment. When we create a Universal Distribution Group in, say, domain A and add a user in domain B to the Manager tab (we also check ‘Manager can update membership list’), that user is unable to modify the membership via Outlook 2003. The user receives a message that she does not have permissions to modify the members. Replication is working fine and we don’t receive any errors when we set the UDG up.

What am I missing?

Response:

The Outlook client is talking to a GC that is a DC for Domain B. The group membership can be retrieved from that GC, since universal groups publish their membership to the global catalog, but the GC’s copy of a Domain A object is a read-only partial replica and can’t be updated there. The protocol in use is NSPI, and NSPI doesn’t support referrals, so instead of being sent to a Domain A DC you get the error that you don’t have permissions to modify the membership. That error is correct as far as it goes: no one has permissions to modify a Domain A group on a Domain B domain controller.

If the user and the DL were in the same domain it could still happen, as long as the client was using a GC that wasn’t from the same domain as the DL. There is a fix for this in Exchange 2003 SP2, but it works by forcing DSPROXY to always try to hand a client in Domain B a Domain B GC. That won’t help your case, of course, because the group lives in Domain A.

This is why MS themselves do not use Outlook to manage DLs; they use web-based DL management software. Previously it was AutoDL; now it is AutoGroups, which is (or soon will be) a function of MIIS.

Bonus Material
Note that the SP2 fix is still a VERY IMPORTANT fix. Why? Because there are times when your Outlook client needs to modify your own user object, for instance to set public delegates and certificates. If your client is pointing at a GC that belongs to a domain other than the one your account lives in, the update will fail. Depending on the update and the client version, you may or may not see an error when this occurs.

This is a security issue because what if you are trying to remove a public delegate from your mailbox? A public delegate, for those of you who don’t know, is someone who can send mail ON YOUR BEHALF: the message will say from so-and-so on behalf of someone else. Some people think that a public delegate is someone who has permissions on mailbox folders. No, that isn’t it, although the tab that sets public delegates can also grant those folder roles. A public delegate is simply someone who can send on your behalf, and Exchange keeps that list in the publicDelegates attribute of your user object in Active Directory. Back to the issue: if you try to remove someone as a public delegate while your client is pointing at a GC that doesn’t hold a writeable copy of your user object, the delegate info is removed from the store but remains in Active Directory. Outlook will no longer display the user as a delegate, so someone can sit there and keep sending email on your behalf even though you told Outlook that you don’t want that.

I found and reported this issue back in August of 2003. It is good to see it being corrected, at least partially; I don’t ever really expect to see a fix for the DL problem unless Outlook is corrected to use LDAP instead of NSPI. If you use Exchange DLs (yuck), then consider managing them outside of Outlook.
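One way to do exactly that, as an added example that is not part of the original post and not Microsoft’s AutoDL/AutoGroups code: a PowerShell script built only on .NET System.DirectoryServices that writes group membership and Send On Behalf changes over LDAP to a domain controller in the object’s own domain, rather than to whatever GC the Outlook client happens to be using. The domain is derived from the object’s DN, and a serverless LDAP://<domain DNS name>/<DN> bind lets the DC locator choose a DC that holds a full, writable replica. The DNs at the bottom are made-up placeholders; the script assumes Windows PowerShell and an account that has been granted write access to the target objects (for a DL, the ‘Manager can update membership list’ ACE is enough).

```powershell
# Added example, not from the original post. Manages a universal DL's
# membership and a user's Send On Behalf list over LDAP against a writable DC
# in the object's home domain, sidestepping the NSPI-to-GC write problem.
# Assumptions: Windows PowerShell with .NET System.DirectoryServices, an
# account with write access to the target objects, and made-up DNs below.

Add-Type -AssemblyName System.DirectoryServices

# "CN=Sales DL,OU=Groups,DC=a,DC=corp,DC=example" -> "a.corp.example"
function Get-DomainFromDN {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $dc = ($DistinguishedName -split '(?<!\\),') |        # split on unescaped commas only
        Where-Object { $_ -match '^\s*DC=' } |
        ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() }
    if (-not $dc) { throw "No DC= components in '$DistinguishedName'" }
    return ($dc -join '.')
}

# Bind to the object on a DC of its own domain over LDAP (port 389), never GC://.
# A serverless LDAP://<domain DNS name>/<DN> path makes the DC locator pick a
# DC holding a full, writable replica of that naming context. The GC port
# (3268) only serves partial, read-only replicas of other domains' objects.
function Get-HomeDomainEntry {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $domain = Get-DomainFromDN $DistinguishedName
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain/$DistinguishedName")
    $null = $entry.NativeGuid   # force the bind now so a bad DN or domain fails early
    return $entry
}

# Add or remove a DL member, always writing to the group's home domain.
function Set-DLMember {
    param(
        [Parameter(Mandatory=$true)][string]$GroupDN,
        [Parameter(Mandatory=$true)][string]$MemberDN,
        [Parameter(Mandatory=$true)][ValidateSet('Add','Remove')][string]$Action
    )
    $group = Get-HomeDomainEntry $GroupDN
    try {
        if ($Action -eq 'Add') { [void]$group.Properties['member'].Add($MemberDN) }
        else                   { $group.Properties['member'].Remove($MemberDN) }
        $group.CommitChanges()
    } finally { $group.Dispose() }
}

# Send On Behalf delegates live in the publicDelegates attribute of the user
# object. Read it from the home domain: that copy is authoritative, whatever
# Outlook's delegate tab shows after a failed cross-domain update.
function Get-SendOnBehalf {
    param([Parameter(Mandatory=$true)][string]$UserDN)
    $user = Get-HomeDomainEntry $UserDN
    try { return @($user.Properties['publicDelegates'] | ForEach-Object { [string]$_ }) }
    finally { $user.Dispose() }
}

# Remove a delegate from publicDelegates in AD, where a GC-bound Outlook leaves it behind.
function Remove-SendOnBehalf {
    param(
        [Parameter(Mandatory=$true)][string]$UserDN,
        [Parameter(Mandatory=$true)][string]$DelegateDN
    )
    $user = Get-HomeDomainEntry $UserDN
    try {
        if (-not ($user.Properties['publicDelegates'] -contains $DelegateDN)) {
            Write-Warning "$DelegateDN is not a delegate of $UserDN (nothing to remove)"
            return
        }
        $user.Properties['publicDelegates'].Remove($DelegateDN)
        $user.CommitChanges()
    } finally { $user.Dispose() }
}

# --- Sample usage with placeholder DNs (not real objects) ---
$groupDN    = 'CN=Sales DL,OU=Groups,DC=a,DC=corp,DC=example'    # universal DL in domain A
$managerDN  = 'CN=Jane Doe,OU=Users,DC=b,DC=corp,DC=example'     # manager's account in domain B
$delegateDN = 'CN=Old Assistant,OU=Users,DC=b,DC=corp,DC=example'

# Set-DLMember -GroupDN $groupDN -MemberDN $managerDN -Action Add
# Get-SendOnBehalf -UserDN $managerDN          # audit: who can still send on behalf of Jane?
# Remove-SendOnBehalf -UserDN $managerDN -DelegateDN $delegateDN
```

Get-SendOnBehalf is the check to run after removing a delegate in Outlook: if the name Outlook no longer shows is still returned from the home domain, the store and the directory have diverged and Remove-SendOnBehalf (or the Delivery Options page in AD Users and Computers) is needed to finish the job.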

joe
