| Author | Messages | |
BrianB
Posts:42
 | | 05/06/2008 2:31 PM |
| I am trying to delegate permission to three MS Exchange attributes in AD to a specific security group in AD. The problem is that if I go to the Users container > security > advanced > edit > properties tab for the group I do not see the attribute listed. The attributes are:
MSExchHomeServername
homeMTA
homeMDB
I am not an Exchange Admin but do control the AD and therefore need to assign permissions accordingly. I can see the attribute using ADSIEDIT but I am unsure if setting permission there would allow the EX Admins to write to it or just give them permission on the attribute properties itself.
How can I view the attribute in ADUC to assign permission?
Brian Britt
Vanderbilt University
Directory Services Specialist
615-322-4676
| | | |
| bdesmond
Posts:374
 | | 05/06/2008 3:02 PM |
| I think ADUC may do some kind of filtering. Doing the edits with adsiedit will get you the effect you want.
--brian
-- Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
| dmitrig
Posts:59
 | | 05/06/2008 3:17 PM |
| See http://support.microsoft.com/kb/296490 "How to modify the filtered properties of an object"
Keep in mind that if you update these attributes directly, then you will lose the mailbox (if it exists).
| | | |
| danholme
Posts:134
 | | 05/06/2008 4:12 PM |
| Correct.
Any line in DSSEC.DAT that has attribute=7 will be hidden
Any line with attribute=0 (or any attribute NOT listed) will be shown.
MAKE SURE you modify the attribute= line under the correct object class section !!! (e.g. [user]) Easy mistake!!
File must be modified on system on which you use ADUC.
Any attribute you've delegated you should also make sure is 'visible' in the Security interfaces by setting the line to =0 or removing the line.
I prefer setting lines to =0 because it "clearly" marks a customization in the file (all lines in the file are =7 by default)
BACK UP DSSEC.DAT!!! It is technically open for overwrites by patches/Service Packs.
Restart ADUC for the changes you make in DSSEC to be visible.
Dan
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov Sent: Tuesday, May 06, 2008 9:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Help with delegating permission to Exchange Attribute in AD
BTW, correction to the KB: the dssec.dat file needs to be edited on the workstation where you run ADUC, not on all DCs.
| | | |
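An added example, not part of the thread or of any Microsoft tooling: a Python sketch that checks how the three attributes from the question are filtered under a given object class section of DSSEC.DAT and rewrites only that section to `=0`, following the rules in the post above. The sample file text is constructed, and matching attribute names case-insensitively is an assumption.

```python
# Constructed sample of DSSEC.DAT text (not a real file): the same attribute
# appears under two class sections, which is where the "easy mistake" happens.
SAMPLE = """\
[computer]
homeMDB=7
[user]
aCSPolicyName=7
homeMDB=7
homeMTA=7
msExchHomeServerName=7
"""

ATTRS = ["MSExchHomeServername", "homeMTA", "homeMDB"]  # spelled as in the question


def parse(text):
    """Return {section: {attribute: value}} with lower-cased keys (assumption)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            name, _, value = line.partition("=")
            current[name.strip().lower()] = value.strip()
    return sections


def visibility(text, object_class, attrs):
    """Per the thread: =7 is hidden; =0 or not listed is shown."""
    section = parse(text).get(object_class.lower(), {})
    result = {}
    for attr in attrs:
        value = section.get(attr.lower())
        if value in (None, "0"):
            result[attr] = "shown"
        else:
            result[attr] = "hidden" if value == "7" else "other:" + value
    return result


def unhide(text, object_class, attrs):
    """Return new text with attr=0, touching lines only inside [object_class]."""
    wanted = {a.lower() for a in attrs}
    out, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[" + object_class.lower() + "]"
        elif in_section and "=" in line:
            name = line.partition("=")[0].strip()
            if name.lower() in wanted:
                raw = name + "=0"  # =0 rather than deleting, so the change stays visible
        out.append(raw)
    return "\n".join(out) + "\n"
```

Both functions work on the file's text only; keep a backup copy of the original DSSEC.DAT before writing the result back, and restart ADUC afterwards, as the post says.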
| BrianB
Posts:42
 | | 05/06/2008 4:58 PM |
| Thanks, everyone. Best AD group I've been a part of yet!
Brian Britt
Vanderbilt University
Directory Services Specialist
615-322-4676
| | | |