Re: Interesting Exchange 2000/2003 problem

From: Brian Arkills (barkills_at_CAC.WASHINGTON.EDU)
Date: 03/30/04

    Date:         Tue, 30 Mar 2004 08:27:02 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    In order to change a group from a security group to a distribution group
    (and vice versa) you need to be explicitly granted permissions.
    Specifically, you need to be granted: allow write groupType. The Windows
    security GUI displays this under the advanced settings, on the properties
    tab of any particular ACE.

    By default, I don't see that 'everyone', 'authenticated users', 'domain
    users' or the 'pre-windows 2000 compatible access' groups have that
    permission granted. However, I do see that 'exchange enterprise servers'
    do. Unfortunately, I'm not actively running exchange myself (but do
    administrate a shared forest that does have exchange), so I can't verify
    the behavior you see.

    To speculate, either you've granted this permission to users or exchange
    uses its permission on behalf of the user. If it's exchange, then I'd say
    this is a bug. And if that's so, hopefully Microsoft won't tell you this
    is behavior "by design". :)

    References:

    Intro to understanding groups
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/group_objects.asp
    AD Schema reference on grouptype
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/ad/win2k3_a_grouptype.asp

    -B

    On Tue, 16 Mar 2004, Rene wrote:

    > Environment
    >
    > Exchange 2000 or 2003 running in Native mode in a W2K AD.
    >
    > Problem
    >
    > Regular users with no rights to modify ad security groups have the ability
    > to change a distribution list to a security group.
    >
    > Steps to recreate problem.
    >
    > 1: User opens a mailbox with Outlook 2000 / XP / 2003
    > 2: Navigates to mailbox permissions
    > 3: Add distribution list from Gal access as contributor.
    > 4: Save changes
    >
    > Once the user adds the distribution list, Exchange will convert the
    > distribution list to a like security group.
    >
    > For example, if you have an All_Users universal distribution list, Exchange
    > will convert it to a Universal Security group.
    > This can cause some serious Kerberos issues if you are running close to the
    > Kerberos key size limits.
    >
    > Has anyone come across this and if so have they found a solution to stopping
    > this behavior?
    >
    >
    > -----
    > NTBugtraq Editor's Note:
    >
    > Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    > -----
    >
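An added example, not part of either poster's message: one way to spot the conversion discussed in this thread is to compare the groupType attribute across two directory exports and report groups whose security-enabled bit was switched on. The DNs and exports below are constructed, and the parser assumes plain, unfolded `dn:` and `groupType:` lines.

```python
# groupType bit flags as documented in the AD schema reference.
SECURITY_ENABLED = 0x80000000
SCOPES = {0x2: "global", 0x4: "domain local", 0x8: "universal"}

# Constructed sample exports (LDIF style, dn + groupType only).
BEFORE = """\
dn: CN=All_Users,OU=Lists,DC=example,DC=com
groupType: 8

dn: CN=Helpdesk,OU=Groups,DC=example,DC=com
groupType: -2147483646

dn: CN=Newsletter,OU=Lists,DC=example,DC=com
groupType: 2
"""
AFTER = BEFORE.replace("groupType: 8\n", "groupType: -2147483640\n")

def parse_ldif(text):
    """Return {lowercased dn: (dn, unsigned groupType)} for each record."""
    groups, dn = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:                 # blank or unparsable line ends the record
            dn = None
        elif key.lower() == "dn":
            dn = value.strip()
        elif key.lower() == "grouptype" and dn:
            # Exports show groupType as a signed 32-bit integer.
            groups[dn.lower()] = (dn, int(value) & 0xFFFFFFFF)
    return groups

def describe_group_type(value):
    """Render a groupType value as '<scope> <security|distribution>'."""
    value &= 0xFFFFFFFF
    scope = next((n for bit, n in SCOPES.items() if value & bit), "unknown")
    kind = "security" if value & SECURITY_ENABLED else "distribution"
    return f"{scope} {kind}"

def find_conversions(before_text, after_text):
    """List groups that went from distribution to security between exports."""
    before, after = parse_ldif(before_text), parse_ldif(after_text)
    hits = []
    for key, (dn, new) in sorted(after.items()):
        old = before.get(key, (dn, None))[1]
        if old is not None and not old & SECURITY_ENABLED and new & SECURITY_ENABLED:
            hits.append((dn, describe_group_type(old), describe_group_type(new)))
    return hits

if __name__ == "__main__":
    for dn, old, new in find_conversions(BEFORE, AFTER):
        print(f"{dn}: {old} -> {new}")
```
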


