From: Laljeev M on 15 Apr 2010 09:58

Hi

We are using Exchange 2003 on Windows 2003 platform. We found that any user can edit the membership of any Distribution / Security groups through Outlook. We checked the permission in Domain and also for some of the groups and nowhere have we mentioned Write Group permission. For testing we denied Write group for a particular group, but he is still able to edit all group memberships. Can anyone help us?

Regards
Lal
--
----Server Management Team----

From: Rich Matheisen [MVP] on 15 Apr 2010 22:20

On Thu, 15 Apr 2010 06:58:01 -0700, Laljeev M <news08(a)nospam.nospam> wrote:

>Hi
>
>We are using Exchange 2003 on Windows 2003 platform. We found that any user
>can edit the membership of any Distribution / Security groups through
>Outlook. We checked the permission in Domain and also for some of the groups
>and nowhere have we mentioned Write Group permission. For testing we denied Write
>group for a particular group, but he is still able to edit all group
>memberships. Can anyone help us?

That sounds like you've granted a group (probably the "Everyone" group) something like "Full Control" at the OU or the whole domain.

Since the "write member" permission is an AD permission that's where you should be looking. Use ADSI on one of the groups and see what's being inherited. Then work your way back up the OU hierarchy until you find where the permission's been granted.
---
Rich Matheisen
MCSE+I, Exchange MVP

From: Laljeev M on 17 Apr 2010 04:55

Hi Rich

We created a new OU and a new Group, then we removed all inherited permission from AD and also using ADSIedit, then we gave only the needed permission and still everyone can edit this group. Is it a bug from Microsoft?

Regards
Lal
----Server Management Team----

"Rich Matheisen [MVP]" wrote:

> On Thu, 15 Apr 2010 06:58:01 -0700, Laljeev M <news08(a)nospam.nospam>
> wrote:
>
> >Hi
> >
> >We are using Exchange 2003 on Windows 2003 platform. We found that any user
> >can edit the membership of any Distribution / Security groups through
> >Outlook. We checked the permission in Domain and also for some of the groups
> >and nowhere have we mentioned Write Group permission. For testing we denied Write
> >group for a particular group, but he is still able to edit all group
> >memberships. Can anyone help us?
>
> That sounds like you've granted a group (probably the "Everyone"
> group) something like "Full Control" at the OU or the whole domain.
>
> Since the "write member" permission is an AD permission that's where
> you should be looking. Use ADSI on one of the groups and see what's
> being inherited. Then work your way back up the OU hierarchy until you
> find where the permission's been granted.
> ---
> Rich Matheisen
> MCSE+I, Exchange MVP

From: Rich Matheisen [MVP] on 17 Apr 2010 13:03

On Sat, 17 Apr 2010 01:55:01 -0700, Laljeev M <news08(a)nospam.nospam> wrote:

>We created a new OU and a new Group, then we removed all inherited
>permission from AD and also using ADSIedit, then we gave only the needed
>permission and still everyone can edit this group. Is it a bug from
>Microsoft?

I doubt it's a bug in the AD.

Which groups have "Full Control", which have "write members" permission, which have "special" permission that includes the "write members" permission?
---
Rich Matheisen
MCSE+I, Exchange MVP

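The check described in the two replies above (read the ACL on the group, then work back up the OU hierarchy looking for "Full Control", "write members" or a "special" permission that includes it), as an added PowerShell example that is not part of the original thread. It assumes Windows PowerShell 2.0 or later on a domain-joined machine; the group DN is a placeholder.

```powershell
# Added example, not from the thread. The default DN below is a placeholder.
param([string]$GroupDn = 'CN=ExampleGroup,OU=ExampleOU,DC=example,DC=com')

Add-Type -AssemblyName System.DirectoryServices

# schemaIDGUID of the "member" attribute. An empty ObjectType GUID on an ACE
# means the right applies to all properties.
$MemberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# The WriteProperty bit is also set in GenericWrite and GenericAll ("Full Control"),
# so testing this one bit covers all three cases.
$WriteProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Test-GrantsWriteMember($Ace) {
    # Only Allow ACEs can grant the right; Deny ACEs are not listed here.
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if (([int]$Ace.ActiveDirectoryRights -band $WriteProperty) -eq 0) { return $false }
    return (($Ace.ObjectType -eq [guid]::Empty) -or ($Ace.ObjectType -eq $MemberGuid))
}

# Split a DN at the first comma that is not escaped with a backslash.
$splitter = [regex]'(?<!\\),'

$dn = $GroupDn
while ($dn) {
    $entry = [ADSI]"LDAP://$dn"
    # Explicit and inherited ACEs, with trustees shown as DOMAIN\name where possible.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $rules | Where-Object { Test-GrantsWriteMember $_ } |
        Select-Object @{n='Object'; e={$dn}}, IdentityReference,
            ActiveDirectoryRights, IsInherited, InheritanceType

    # Stop once the domain root has been reported; otherwise move to the parent.
    if ($dn -match '^DC=') { break }
    $dn = $splitter.Split($dn, 2)[1]
}
```

For each trustee that shows up on the group with IsInherited set to True, the container further up the output where the same trustee appears with IsInherited set to False is where the permission was granted.
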
From: Martin Therkelsen on 17 Apr 2010 13:17

Did you check the Group Manager to see if there has been set an owner that allows editing of the group?

br
Martin

"Rich Matheisen [MVP]" <richnews(a)rmcons.com.NOSPAM.COM> wrote in message news:5lpjs59brpcdar0ofaq8s7bq2ohj0iffb7(a)4ax.com...

> On Sat, 17 Apr 2010 01:55:01 -0700, Laljeev M <news08(a)nospam.nospam>
> wrote:
>
>>We created a new OU and a new Group, then we removed all inherited
>>permission from AD and also using ADSIedit, then we gave only the needed
>>permission and still everyone can edit this group. Is it a bug from
>>Microsoft?
>
> I doubt it's a bug in the AD.
>
> Which groups have "Full Control", which have "write members"
> permission, which have "special" permission that includes the "write
> members" permission?
> ---
> Rich Matheisen
> MCSE+I, Exchange MVP