Wednesday, January 28, 2009

The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server
SYMPTOMS
You explicitly configure the Send As right on a user object in the Active Directory Users and Computers snap-in in Microsoft Exchange Server. However, the Send As right is removed from the user object about one hour after you configure it.

Additionally, other changes that you made to the security descriptor on the user object may be removed. For example, the Allow inheritable permissions from parent to propagate to this object check box may no longer be selected.

If you have an environment that includes Microsoft Exchange Server 5.5 and a functioning Active Directory Connector (ADC), Exchange Server 5.5 mailboxes that are configured to use Active Directory user accounts that are members of protected groups may appear as "CUSTOM" in the Exchange Server 5.5 Administrator program.
CAUSE
The Active Directory directory service has a process that makes sure that members of protected groups do not have their security descriptors manipulated. If the security descriptor of a user account that is a member of a protected group does not match the security descriptor on the AdminSDHolder object, the user's security descriptor is overwritten with a new security descriptor that is taken from the AdminSDHolder object.

The Send As right is delegated by modifying the security descriptor of a user object. Therefore, if the user is a member of a protected group, the change is overwritten in about one hour.
RESOLUTION
We recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you require the rights that are afforded to a protected group, we recommend that you have two Active Directory user accounts: one user account that is added to a protected group, and one user account that is used for e-mail purposes and at all other times.
WORKAROUND
The following information can help you work around the problem in which Exchange Server 5.5 mailboxes appear as "CUSTOM" for the user in the Exchange Server 5.5 Administrator program. The workaround relies on the fact that the SELF access control entries (ACEs) should be present on the user object when the user object is replicated to Active Directory by the Active Directory Connector (ADC).

You can use the Dsacls.exe utility to add the entries that are being stripped off the user objects. To do this, change the AdminSDHolder permissions. Then, add the entries that you want. Because all the entries use the security principal SELF, this workaround should not introduce any security problems.

Note You must run the Dsacls.exe utility once for each access control entry that is missing from the AdminSDHolder security descriptor. For example, if you want to add six different entries, you run the Dsacls.exe utility six times.

The following workaround changes the AdminSDHolder object. The changed security descriptor is then propagated to each user account that is a member of a protected group. Follow these steps:
1. Install the Microsoft Windows 2000 Support Tools from the Windows 2000 CD. These tools include the Dsacls.exe utility. You can use the Dsacls.exe utility to view, modify, or remove ACEs on objects in Active Directory.
2. Create a batch file that contains the following code.
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Receive As"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:RPWP;Personal Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:RPWP;Web Information"

Note Replace "dc=mydomain,dc=com" with the distinguished name of your domain.
3. Wait for an hour so that Active Directory has time to rewrite the security descriptor of all the user accounts that are members of any protected groups.
4. After the ADC replicates the changes, all users appear as "user" instead of as "CUSTOM."
You might apply security update 916803, security update 912442, or the daylight saving time update for Exchange Server that is described in the following article in the Microsoft Knowledge Base:
926666 (http://support.microsoft.com/kb/926666/ ) Update for daylight saving time changes in 2007 for Exchange 2003 Service Pack 2
If you do this, you must prevent the AdminSDHolder object from overwriting permissions that are granted to a BlackBerry Services account on members of protected groups. To do this, create a batch file that contains the following code:
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Receive As"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:RPWP;Personal Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:RPWP;Web Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\BlackBerrySA:CA;Send As"

Note In this batch file, BlackBerrySA is a placeholder for the name of the BlackBerry Service account, and "dc=mydomain,dc=com" is a placeholder for the distinguished name of your domain. If you have accounts in multiple domains, you can also specify the domain in the command line by using the following format: Domain\BlackBerrySA.

Alternatively, we recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you must have the rights that are given to a protected group, we recommend that you have two Active Directory user accounts: one user account that is added to a protected group, and one user account that is used for e-mail purposes and at all other times.
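The following PowerShell script is an added diagnostic for the cause and workaround described above; it is not part of the KB article. It reports whether a user has been stamped by the AdminSDHolder process (adminCount = 1, which is why an explicitly granted Send As right disappears within about an hour), whether inheritance has been disabled on the object, who currently holds Send As on it, and whether the SELF "Send As" ACE from the workaround is present on AdminSDHolder. It assumes the ActiveDirectory module (RSAT) is available, that AdminSDHolder sits in the domain's System container, and uses the well-known Send-As extended-right GUID; the account name "jdoe" in the usage line is a placeholder.

```powershell
# Added example (not from the KB article). Read-only: it changes nothing.
Import-Module ActiveDirectory

# Well-known schema GUID of the Send-As extended right.
$SendAsGuid = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

function Get-SendAsAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Get-Acl on the AD: drive returns ActiveDirectoryAccessRule entries.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $SendAsGuid -and
        (($_.ActiveDirectoryRights -band
          [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
    }
}

function Test-SendAsPersistence {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    # Assumption: AdminSDHolder lives in the domain's System container.
    $holderDn = 'CN=AdminSDHolder,' + (Get-ADDomain).SystemsContainer

    [pscustomobject]@{
        User                = $user.SamAccountName
        # 1 means the AdminSDHolder process has stamped this object: any
        # Send As ACE that is not on AdminSDHolder will be removed again.
        AdminCount          = $user.adminCount
        # Matches the symptom "Allow inheritable permissions" being cleared.
        InheritanceDisabled = $acl.AreAccessRulesProtected
        SendAsGrantedOnUser = @(Get-SendAsAce $user.DistinguishedName |
                                ForEach-Object { $_.IdentityReference.Value })
        # True once the workaround's dsacls SELF entry has been applied.
        SelfSendAsOnHolder  = [bool](Get-SendAsAce $holderDn |
                                Where-Object { $_.IdentityReference.Value -like '*\SELF' })
    }
}

# Usage (placeholder account name):
Test-SendAsPersistence -SamAccountName 'jdoe' | Format-List
```

If AdminCount is 1 and SendAsGrantedOnUser lists an account other than SELF, expect that entry to be stripped on the next AdminSDHolder pass unless the same grant is also placed on AdminSDHolder, which is exactly the trade-off the RESOLUTION section advises against.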
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
For more information about how to delegate "Send As" rights to a user account, click the following article number to view the article in the Microsoft Knowledge Base:
281208 (http://support.microsoft.com/kb/281208/ ) How to grant a user "Send As" rights in Exchange Server 5.5 and Exchange 2000
For more information about the AdminSDHolder object, click the following article numbers to view the articles in the Microsoft Knowledge Base:
232199 (http://support.microsoft.com/kb/232199/ ) Description and update of the Active Directory AdminSDHolder object
817433 (http://support.microsoft.com/kb/817433/ ) Delegated permissions are not available and inheritance is automatically disabled
The location of the AdminSDHolder object is as follows:
CN=AdminSDHolder,CN=System,DC=MyDomain,DC=Com
Note Replace DC=MyDomain,DC=Com in this path with the distinguished name of your domain.

The following list contains the protected groups in Windows 2000:
Enterprise Admins
Schema Admins
Domain Admins
Administrators
The following list contains the protected groups in Microsoft Windows Server 2003 and in Windows 2000 after you apply hotfix 327825 or after you install Windows 2000 Service Pack 4 (SP4):
Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers
Additionally, the following users are considered protected:
Administrator
Krbtgt
For more information about hotfix 327825, click the following article number to view the article in the Microsoft Knowledge Base:
327825 (http://support.microsoft.com/kb/327825/ ) New resolution for problems with Kerberos authentication when users belong to many groups

--------------------------------------------------------------------------------

APPLIES TO
Microsoft Exchange Server 5.5 Standard Edition
Microsoft Exchange 2000 Server Standard Edition
Microsoft Exchange 2000 Enterprise Server
Microsoft Exchange Server 2003 Standard Edition
Microsoft Exchange Server 2003 Enterprise Edition
Keywords: kbexchdirectory kbtshoot kbprb KB907434
