Richard_St_Pierre

asked on

GAL, attachments et.al.

Hello all,
I have just subscribed to this group and I am having problems which I haven’t been able to solve.  I've tried looking on Microsoft's troubleshooting and IT help etc. and I have 4 books and I'm getting no answers.

MY SETUP:  I am running Win 2000 Server (MAIN), Win 2000 Server (POSTOFFICE) with Exchange Server 2000, and clients have Outlook 2002.

PROBLEMS:
• Clients can send and receive email, but when they (workstations) try to attach a Word doc, the message pops up from Word: “Unable to complete the operation. A fatal error has occurred in Outlook.”  No event log errors show up on the workstation computer, nor on the main DC server, nor on the Exchange server.  When they send an attachment as a .jpg file, it works, no problem.
• The Global Address List is listed in the clients’ Outlook, but it’s empty.  The admin can see it filled.
• On the client computer, I am getting an error “Source: USERENV, Category: None, Type: error, Event ID: 1000, User: NT AUTHORITY\SYSTEM, Computer: Actual_Name, Description: Windows cannot determine the user or computer name. Return value (1317)”.
• I created a new user so I could log on as the user at my workstation and check to see what is working or not.
When I try to set up an Outlook account, it says that the user name is not listed.  That used to work too.

WHAT STARTED ALL THIS:
I set up Outlook Web Access, so that people could access their email from the internet when they were out of office.  It required that I use Outlook Today mailboxes—the Exchange mailboxes on the server.
I discovered that, within our network, by using Outlook:File:Other users folders:  all the staff's email was unprotected and readable.
I deleted some users, e.g. Authorized Users and Anonymous Users in the Exchsrvr directory.  That’s when it all started. Unfortunately, I did not document the exact changes I made.  I restored the two users I just mentioned, but it still doesn’t work. I don’t think I changed anything on the M drive, probably couldn’t.  
I have not been able to find any info on who should have security access to what directories. Does anyone know what permissions a network client needs to access GAL and have other functions work properly?
Authorized Users group, with read and write? Is that sufficient or necessary? Is Anonymous necessary?

WHAT I’VE ALREADY TRIED:
* I believe I solved the unprotected email problem.  The DC Exchange group is “Exchange Enterprise Servers”, and there was a Domain Users group in there.  That may have been the security problem.  I deleted it and it seems to have stopped the leak.  But the other problems remain.
* I also used adsiedit to ensure authorized users have permissions to open the Global Address List.
* In Exchange System Mgr, in the properties for the GAL, authorized users and anonymous do have Open Address List checked and there are no denies anywhere.
* I did a restore of System State on both servers, and I reconfigured both servers to the “basicsv” and “basicdc” templates, but no change.
* I completely re-installed Exchange Server 2000 and all the updates to SP4, but no change.
* When I try to set up Active Directory Connector, I get an error “No mapping between account names and security IDs was done, Facility: Win32, Id no: c0070534, Microsoft Active Directory Connector Setup”.

My gut feeling is that this is a permissions problem, but where and what, I have not found.  Any help I will greatly appreciate.
Richard

kristinaw

you deleted the authenticated users group from AD? i didn't think that was possible. at any rate, your recovery steps sound good.

why are you trying to install an AD connector, do you still have an exchange 5.5 box? that's the only reason you'd need the connector.

in addition to open address list, also add Read, Read Permissions, List Contents, and List Object.

Kris.
add those options to the security for the authenticated users group.
Richard_St_Pierre

ASKER

I only deleted authenticated users from the Exchsrvr directory on Postoffice, and since restored it.
I actually gave them full control on the Global Address List.
I wasn't sure if I needed the AD connector, since I only have exchange 2000, apparently I don't need it.
kristinaw

make sure they are listed in the security settings of the server (in the esm) with the same options i listed before. don't do full control here, this is what causes everyone to be able to open everyone else's mailbox.

kris.
Richard_St_Pierre

ASKER

Still no GAL nor Word attachments.
kristinaw

Rich,

sorry i was unable to get back to you yesterday. same status as before?

kris.
Richard_St_Pierre

ASKER

yes,
I did 2 tests: dcdiag on both servers, and the GC is good.
rpcping on servers and client, and it passed.
kristinaw

check your tree in ADUC, authorized users need permissions to read objects there as well, or it can make the gal appear blank. since all objects are really just AD objects, if authenticated users aren't allowed to view them in ad, they can't view them in the gal either.

Kris.
Richard_St_Pierre

ASKER

I'm confused; how do you assign permissions in ADUC?
kristinaw

active directory users and computers.

authenticated users need 'read' access to user objects in there as well.

kris.
Richard_St_Pierre

ASKER

Maybe I'm dense, but I can assign groups, but where do permissions come in?
kristinaw

exchange 2000 integrates with AD. a user with a mailbox is really just a mail-enabled AD object. If AD userobjectA does not have at least read permissions on AD userobjectB, then userA will not be able to see userB in the Gal.

Kris.
ASKER CERTIFIED SOLUTION
kristinaw
Richard_St_Pierre

ASKER

I understand the theory.  User johndoe needs permission to read user marysmith, but how do I assign that?
I wrote my last comment before getting your last two.  I didn't realize there are permissions attached to the "user" folder. I changed it to read; now I will look and see if it helped.
That seems to have done it.  I have to check some more workstations to be sure.
I think it's working, but now everyone can access others' mail using Outlook:File:Other users' folders.
Do mailbox users need any directory permissions assigned from the exchsrvr folder on down to end folders?
Right now I have "postoffice users", "authenticated users", "domain users" all with read, write and execute through the whole directory. This was in an attempt to solve the problem.
Thank you Kris, you got me out of a jam.  I am still very confused about permissions.  Which ones are needed for which objects and which directories?  It's all very confusing. I want to undo permissions that are not needed, but am afraid to make something dysfunctional.  A book or article saying this type of user should have this permission on this object or this directory would be helpful.
Thanks again
kristinaw

permissions in the ESM (exchange system manager) somewhere are what's allowing everyone to be able to open everyone else's mail. i'll look thru some of my perms tomorrow but i think they just need the read perms (list, etc) that i detailed earlier in this thread.

anyways, progress at least. more tomorrow.

kris.
kristinaw

Richard,

In ADUC you also want to make sure that authenticated users have 'Apply Group Policy'. This is a default for this group and without it you'll have issues making group policy work.

Now, for the problem of folks being able to open other peeps mailboxes, those permissions are controlled in the ESM. Authenticated users need the following:

open address list, also add Read, Read Permissions, List Contents, and List Object. they don't need anything else.

You can give those perms to the other two groups (postoffice users and domain users) if you like, but it's superfluous IMHO. Also, I don't think it's generally a good idea to change too much stuff in there. It can have all sorts of adverse effects.

If you use public folders in your org, check the following:

http://support.microsoft.com/?kbid=313866

i've never run across a book that gets into enough detail with perms. most of the stuff i've learned has been through trial and error and reading stuff on different websites (including this one).
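Since the thread's fix comes down to Authenticated Users holding exactly the read-type rights Kris lists (Read, Read Permissions, List Contents, List Object, plus Open Address List on the address list) and nothing broader like the Full Control that let everyone open everyone else's mailbox, the following PowerShell script reports what Authenticated Users actually hold on a given AD object. It is an added example, not code from this thread or from Microsoft; it assumes a domain-joined Windows host, an account that can read the object's DACL, the .NET System.DirectoryServices classes, and placeholder distinguished names (`DC=example,DC=com`, `ORG-PLACEHOLDER`) that you replace with your own domain and Exchange organisation name. The "Open Address List" extended right is looked up by its display name in the schema's Extended-Rights container rather than hard-coded.

```powershell
# Added audit example (not from the thread): what can Authenticated Users (S-1-5-11) do on an AD object?
# Reports the four read rights from the thread, any denies on them, write-type rights that go beyond
# read (the 'full control' mistake), and whether the Open Address List extended right is granted.
Add-Type -AssemblyName System.DirectoryServices

$AuthenticatedUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users

# Names used in ESM/ADUC mapped onto ActiveDirectoryRights flags:
#   Read -> ReadProperty, Read Permissions -> ReadControl, List Contents -> ListChildren, List Object -> ListObject
$RequiredMask = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ReadControl, ListChildren, ListObject'
# Anything here is more than read; GenericAll (Full Control) sets all of these bits
$WriteMask = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, WriteDacl, WriteOwner'
$ExtendedRightBit = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-ExtendedRightGuid {
    # Resolve a controlAccessRight (e.g. 'Open Address List') to its rightsGuid instead of hard-coding it.
    param([Parameter(Mandatory = $true)][string]$DisplayName)
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry 'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://CN=Extended-Rights," + $configNc)
    $searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    return [guid]$result.Properties['rightsguid'][0]
}

function Get-AuthenticatedUsersRightsReport {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $entry = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://" + $DistinguishedName)
    # explicit + inherited ACEs, identities returned as SIDs so the comparison does not depend on name resolution
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $allowed = 0; $denied = 0; $openAddressList = $false
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $AuthenticatedUsersSid) { continue }
        $mask = [int]$rule.ActiveDirectoryRights
        if ($rule.ObjectType -ne [guid]::Empty) {
            # Object-specific ACE (one property or one extended right): not a blanket right, so only
            # note it if it is the Open Address List extended right itself.
            if ($rule.AccessControlType -eq 'Allow' -and $null -ne $OpenAddressListGuid -and
                $rule.ObjectType -eq $OpenAddressListGuid) { $openAddressList = $true }
            continue
        }
        if ($rule.AccessControlType -eq 'Allow') { $allowed = $allowed -bor $mask }
        else                                     { $denied  = $denied  -bor $mask }
    }
    # A blanket ExtendedRight allow (as in Full Control) covers every extended right, including this one
    if (($allowed -band $ExtendedRightBit) -ne 0) { $openAddressList = $true }

    $missing        = $RequiredMask -band (-bnot $allowed)
    $deniedRequired = $RequiredMask -band $denied
    $overbroad      = $WriteMask -band $allowed

    [pscustomobject]@{
        Object          = $DistinguishedName
        HasReadRights   = (($missing -eq 0) -and ($deniedRequired -eq 0))
        MissingRights   = [System.DirectoryServices.ActiveDirectoryRights]$missing
        DeniedRights    = [System.DirectoryServices.ActiveDirectoryRights]$deniedRequired
        OverbroadRights = [System.DirectoryServices.ActiveDirectoryRights]$overbroad   # non-zero: more than read, trim it
        OpenAddressList = $openAddressList
    }
}

# Usage: placeholder DNs, replace with your own domain and Exchange organisation container.
$OpenAddressListGuid = Get-ExtendedRightGuid -DisplayName 'Open Address List'
@(
    'CN=Users,DC=example,DC=com',
    'CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=ORG-PLACEHOLDER,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'
) | ForEach-Object { Get-AuthenticatedUsersRightsReport -DistinguishedName $_ } | Format-List
```

Run it against the container holding your user objects (the thread's ADUC fix) and against the address list object (the ESM fix). `HasReadRights` false with entries under `MissingRights` or `DeniedRights` matches the empty-GAL symptom described above; a non-empty `OverbroadRights` on the Exchange containers is the over-grant that Kris warns against, and is the first thing to remove when rolling back the blanket permissions the asker added while troubleshooting.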