Re: Interesting Exchange 2000/2003 problem
From: Anderson, Kelly (kjanders_at_UMICH.EDU)
Date: 03/30/04
- Previous message: Marcio Vieira: "Re: EEYE: RealSecure/BlackICE Server Problems/Witty"
- Maybe in reply to: Rene: "Interesting Exchange 2000/2003 problem"
- Next in thread: Brian Arkills: "Re: Interesting Exchange 2000/2003 problem"
Date: Tue, 30 Mar 2004 14:09:14 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Rene -
FWIW, this is "by design" to make it easier for users to work with
complex ACLs by changing them to "roles" in Exchange permissions.
Anyhow, you can change this behavior using ADSIEDIT:
MsExchDisableUDGConversion = 1 (block client-initiated conversion) or 2
(block all conversion). 0 permits all conversion.
- Kelly
********************************************
Kelly J. Anderson, MCSE
ITCS Windows Infrastructure
University of Michigan
http://www.umich.edu/~lannos/win2000
********************************************
-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Rene
Sent: Tuesday, March 16, 2004 11:21 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Interesting Exchange 2000/2003 problem
Environment
Exchange 2000 or 2003 running in Native mode in a W2K AD.
Problem
Regular users with no rights to modify AD security groups have the
ability to change a distribution list to a security group.
Steps to recreate problem.
1: User opens a mailbox with Outlook 2000 / XP / 2003
2: Navigates to mailbox permissions
3: Add distribution list from GAL access as contributor.
4: Save changes
Once the user adds the distribution list, Exchange will convert the
distribution list to a like security group.
For example, if you have an All_Users universal distribution list, Exchange
will convert it to a Universal Security group.
This can cause some serious Kerberos issues if you are running close to
the Kerberos key size limits.
Has anyone come across this and if so have they found a solution to
stopping this behavior?
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is
configured such that just hitting reply is going to result in the
message coming to the list, not to the individual who sent the message.
This was done to help reduce the number of Out of Office messages
posters received. So if you want to send a reply just to the poster,
you'll have to copy their email address out of the message and place it
in your TO: field.
-----
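An added example, not part of either poster's message: one way to spot the conversion described in this thread is to compare two directory exports and flag groups whose groupType gained the security-enabled flag (0x80000000). The minimal LDIF layout (dn and groupType only, no folded or base64 lines), the sample DNs and the function names are assumptions constructed for illustration.

```python
# Added example: detect distribution groups that became security groups
# between two LDIF exports of AD group objects. Sample data is constructed.
SECURITY_ENABLED = 0x80000000          # groupType flag: security-enabled
SCOPES = {0x2: "global", 0x4: "domain local", 0x8: "universal"}

def parse_ldif(text):
    """Return {dn: groupType} from a minimal LDIF export (dn + groupType)."""
    groups, dn = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank separator line between entries
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "grouptype" and dn is not None:
            # AD exports groupType as a signed 32-bit integer; normalise it.
            groups[dn] = int(value) & 0xFFFFFFFF
    return groups

def describe(group_type):
    """Human-readable scope and kind for a normalised groupType value."""
    scope = next((n for bit, n in SCOPES.items() if group_type & bit), "unknown")
    kind = "security" if group_type & SECURITY_ENABLED else "distribution"
    return f"{scope} {kind}"

def converted_groups(before_ldif, after_ldif):
    """DNs whose security-enabled flag was off before and is on after."""
    before, after = parse_ldif(before_ldif), parse_ldif(after_ldif)
    return sorted(
        dn for dn, gt in after.items()
        if dn in before
        and not before[dn] & SECURITY_ENABLED
        and gt & SECURITY_ENABLED
    )

# Constructed snapshots: All_Users starts as a universal distribution group.
BEFORE = """dn: CN=All_Users,OU=Lists,DC=example,DC=test
groupType: 8

dn: CN=Helpdesk,OU=Groups,DC=example,DC=test
groupType: -2147483640
"""
AFTER = BEFORE.replace("groupType: 8\n", "groupType: -2147483640\n")

if __name__ == "__main__":
    for dn in converted_groups(BEFORE, AFTER):
        print(dn, "is now a", describe(parse_ldif(AFTER)[dn]), "group")
```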