Re: Interesting Exchange 2000/2003 problem
From: Brian Arkills (barkills_at_CAC.WASHINGTON.EDU)
Date: 03/30/04
- Previous message: Anderson, Kelly: "Re: Interesting Exchange 2000/2003 problem"
- In reply to: Rene: "Interesting Exchange 2000/2003 problem"
Date: Tue, 30 Mar 2004 08:27:02 -0800
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
In order to change a group from a security group to a distribution group
(and vice versa) you need to be explicitly granted permissions.
Specifically, you need to be granted: allow write groupType. The Windows
security GUI displays this under the advanced settings, on the properties
tab of any particular ACE.
By default, I don't see that 'everyone', 'authenticated users', 'domain
users' or the 'pre-windows 2000 compatible access' groups have that
permission granted. However, I do see that 'exchange enterprise servers'
do. Unfortunately, I'm not actively running Exchange myself (but do
administrate a shared forest that does have Exchange), so I can't verify
the behavior you see.
To speculate, either you've granted this permission to users or Exchange
uses its permission on behalf of the user. If it's Exchange, then I'd say
this is a bug. And if that's so, hopefully Microsoft won't tell you this
is behavior "by design". :)
References:
Intro to understanding groups
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/group_objects.asp
AD Schema reference on grouptype
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/ad/win2k3_a_grouptype.asp
-B
On Tue, 16 Mar 2004, Rene wrote:
> Environment
>
> Exchange 2000 or 2003 running in Native mode in a W2K AD.
>
> Problem
>
> Regular users with no rights to modify ad security groups have the ability
> to change a distribution list to a security group.
>
> Steps to recreate problem.
>
> 1: User opens a mailbox with Outlook 2000 / XP / 2003
> 2: Navigates to mailbox permissions
> 3: Add distribution list from GAL access as contributor.
> 4: Save changes
>
> Once the user adds the distribution list, Exchange will convert the
> distribution list to a like security group.
>
> For example, if you have an All_Users universal distribution list, Exchange
> will convert it to a Universal Security group.
> This can cause some serious Kerberos issues if you are running close to the
> Kerberos key size limits.
>
> Has anyone come across this and if so have they found a solution to stopping
> this behavior?
>
>
> -----
> NTBugtraq Editor's Note:
>
> Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
> -----
>
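The conversion discussed in this thread is a change to the security-enabled bit of the group's groupType attribute. The following is an added example, not code from either poster: it decodes groupType values as LDAP returns them and compares two snapshots to report groups that changed between distribution and security. The snapshot dictionaries, the distinguished names and the function names are constructed for illustration.

```python
# Added example: audit groupType changes between two directory snapshots.
# Bit values are the documented groupType flags; everything else is assumed.
SECURITY_ENABLED = 0x80000000
SCOPES = {0x2: "global", 0x4: "domain-local", 0x8: "universal"}


def decode_group_type(raw):
    """Decode a groupType value as LDAP returns it (signed 32-bit integer)."""
    bits = int(raw) & 0xFFFFFFFF  # security groups are shown as negative numbers
    scope = next((name for flag, name in SCOPES.items() if bits & flag), "unknown")
    kind = "security" if bits & SECURITY_ENABLED else "distribution"
    return scope, kind


def find_conversions(before, after):
    """Compare two {dn: groupType} snapshots; return groups whose kind changed."""
    findings = []
    for dn, old_raw in sorted(before.items()):
        if dn not in after:
            continue  # groups deleted between snapshots are out of scope here
        old_scope, old_kind = decode_group_type(old_raw)
        new_scope, new_kind = decode_group_type(after[dn])
        if old_kind != new_kind:
            findings.append((dn, f"{old_scope} {old_kind}", f"{new_scope} {new_kind}"))
    return findings


# Constructed sample snapshots (not real directory data).
BEFORE = {
    "CN=All_Users,OU=Lists,DC=example,DC=com": "8",
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": "-2147483646",
    "CN=Newsletter,OU=Lists,DC=example,DC=com": "2",
}
AFTER = {
    "CN=All_Users,OU=Lists,DC=example,DC=com": "-2147483640",
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": "-2147483646",
    "CN=Newsletter,OU=Lists,DC=example,DC=com": "2",
}

if __name__ == "__main__":
    for dn, old, new in find_conversions(BEFORE, AFTER):
        print(f"{dn}: {old} -> {new}")
```

Any group this reports is worth cross-checking against who holds write access to groupType on that object.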