Solved

GAL, attachments et al.

Posted on 2004-10-20
335 Views
Last Modified: 2011-09-20
Hello all,
I have just subscribed to this group and I am having problems which I haven’t been able to solve.  I've tried looking on Microsoft's troubleshooting and IT help etc. and I have 4 books and I'm getting no answers.

MY SETUP:  I am running win 2000 server (MAIN), win 2000 server (POSTOFFICE) with Exchange Server 2000, and clients have Outlook 2002.

PROBLEMS:
•      Clients can send and receive email, but when they (workstations) try to attach a Word doc, the message pops up from Word "Unable to complete the operation. A fatal error has occurred in Outlook."  No event log errors show up in the workstation computer nor main DC server nor exchange server.  When they send an attachment as a .jpg file, it works no problem.
•      The Global Address List is listed in the clients’ Outlook, but it’s empty.  The admin can see it filled.
•      On the client computer, I am getting an error “Source: USERENV, Category: None, Type: error, Event ID: 1000, User: NT AUTHORITY\SYSTEM, Computer: Actual_Name, Description: Windows cannot determine the user or computer name. Return value (1317)”.
•      I created a new user so I could log on as the user at my workstation and check to see what is working or not.
When I try to setup an Outlook account, it says that the user name is not listed.  That used to work too.

WHAT STARTED ALL THIS:
I set up Outlook Web Access, so that people could access their email from the internet when they were out of office.  It required that I use Outlook Today mailboxes—the Exchange mailboxes on the server.
I discovered that, within our network, by using Outlook:File:Other users folders:  all the staff's email was unprotected and readable.
I deleted some users, e.g. Authorized Users and Anonymous Users in the Exchsrvr directory.  That’s when it all started. Unfortunately, I did not document the exact changes I made.  I restored the two users I just mentioned, but it still doesn’t work. I don’t think I changed anything on the M drive, probably couldn’t.  
I have not been able to find any info on who should have security access to what directories. Does anyone know what permissions a network client needs to access GAL and have other functions work properly?
Authorized Users group, with read and write? Is that sufficient or necessary? Is Anonymous necessary?

WHAT I’VE ALREADY TRIED:
*  I believe I solved the unprotected email problem.  The DC exchange group is “Exchange Enterprise Servers”, and there was Domain Users group in there.  That may have been the security problem.  I deleted it and it seems to have stopped the leak.  But the other problems remain.
*  I also used adsiedit to ensure authorized users have permissions to open Global Address List.
*  In exchange System Mgr, in the properties for the GAL, authorized users and anonymous do have Open Address List checked and there are no denies anywhere.
*  I did a restore of System State on both servers, and I reconfigured both servers to the “basicsv” and “basicdc” templates, but no change.
*  I completely re-installed Exchange Server 2000 and all the updates to Sp4, but no change.
*  When I try to set up Active Directory Connector, I get an error "No mapping between account names and security IDs was done, Facility: Win32, Id no: c0070534, Microsoft Active Directory Connector Setup".

My gut feeling is that this is a permissions problem, but where and what, I have not found.  Any help I will greatly appreciate.
Richard
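The leak Richard describes above (Domain Users sitting inside the Exchange Enterprise Servers group) is the kind of thing worth auditing by script rather than by eye, because the server groups are easy to overlook in ADUC. The following is an added example written for this thread, not code from the original question or from Microsoft. It uses the ActiveDirectory PowerShell module, which postdates this 2004 thread (on a Windows 2000 domain the same query can be made through ADSI), and it assumes the Exchange 2000 server group names are still the defaults; those names are the only assumption.

```powershell
# Added example (not from the original post): list members of the Exchange
# server groups that are not Exchange server computer accounts. A user group
# in here is what Richard found had exposed every mailbox (Domain Users inside
# Exchange Enterprise Servers). Assumes the ActiveDirectory module; the group
# names are the Exchange 2000 defaults.
Import-Module ActiveDirectory

# Default Exchange 2000 server groups. Exchange Domain Servers is legitimately
# nested inside Exchange Enterprise Servers, so that one nesting is expected.
$serverGroups = @('Exchange Enterprise Servers', 'Exchange Domain Servers')

function Find-UnexpectedExchangeServerMembers {
    param([string[]]$Groups = $serverGroups)

    $findings = @()
    foreach ($name in $Groups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) {
            Write-Warning "Group '$name' not found in this domain"
            continue
        }
        # Direct members only: a nested user group is itself the finding,
        # so it must not be flattened away by -Recursive.
        foreach ($member in Get-ADGroupMember -Identity $group) {
            $isServer    = $member.objectClass -eq 'computer'
            $isPeerGroup = ($member.objectClass -eq 'group') -and ($Groups -contains $member.Name)
            if (-not ($isServer -or $isPeerGroup)) {
                $findings += [pscustomobject]@{
                    Group  = $name
                    Member = $member.SamAccountName
                    Class  = $member.objectClass
                }
            }
        }
    }
    return $findings
}

$unexpected = Find-UnexpectedExchangeServerMembers
if ($unexpected) {
    $unexpected | Format-Table -AutoSize
    # Review each finding before acting. Removing the member closes the leak;
    # the line for the case in this thread is left commented out deliberately:
    # Remove-ADGroupMember -Identity 'Exchange Enterprise Servers' -Members 'Domain Users' -Confirm:$true
} else {
    'No unexpected members in the Exchange server groups.'
}
```

Run it as a domain administrator on any machine with the module installed. Anything reported that is not an Exchange server computer account is a candidate for the "everyone can read everyone's mail" symptom and should be removed after review.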

Question by: Richard_St_Pierre
22 Comments

Expert Comment by kristinaw (ID: 12361600)

You deleted the authenticated users group from AD? I didn't think that was possible. At any rate, your recovery steps sound good.

Why are you trying to install an AD connector? Do you still have an Exchange 5.5 box? That's the only reason you'd need the connector.

In addition to Open Address List, also add Read, Read Permissions, List Contents, and List Object.

Kris.
Expert Comment by kristinaw (ID: 12361607)

Add those options to the security for the authenticated users group.
Author Comment by Richard_St_Pierre (ID: 12361842)
I only deleted authenticated users from the Exchsrvr directory on Postoffice, and since restored it.
I actually gave them full control on the Global Address List.
I wasn't sure if I needed the AD connector, since I only have exchange 2000, apparently I don't need it.
Expert Comment by kristinaw (ID: 12362010)

Make sure they are listed in the security settings of the server (in the ESM) with the same options I listed before. Don't do full control here; this is what causes everyone to be able to open everyone else's mailbox.

kris.
Author Comment by Richard_St_Pierre (ID: 12362823)
Still no GAL nor Word attachments.
Expert Comment by kristinaw (ID: 12373080)

Rich,

Sorry I was unable to get back to you yesterday. Same status as before?

kris.
Author Comment by Richard_St_Pierre (ID: 12373812)

Yes.
I did 2 tests: dsadiag on both servers, and GC is good.
rpcping on servers and client, and passed.
Expert Comment by kristinaw (ID: 12373965)

Check your tree in ADUC. Authorized users need permissions to read objects there as well, or it can make the GAL appear blank. Since all objects are really just AD objects, if authenticated users aren't allowed to view them in AD, they can't view them in the GAL either.

Kris.
Author Comment by Richard_St_Pierre (ID: 12374177)

I'm confused, how do you assign permissions in ADUC?
Expert Comment by kristinaw (ID: 12374202)

Active Directory Users and Computers.

Expert Comment by kristinaw (ID: 12374223)

Authenticated users need 'read' access to user objects in there as well.

kris.

Author Comment by Richard_St_Pierre (ID: 12374226)

Maybe I'm dense, but I can assign groups, but where do permissions come in?
Expert Comment by kristinaw (ID: 12374280)

Exchange 2000 integrates with AD. A user with a mailbox is really just a mail-enabled AD object. If AD user object A does not have at least read permissions on AD user object B, then user A will not be able to see user B in the GAL.

Kris.
Accepted Solution by kristinaw (earned 500 total points, ID: 12374289)

So, look in ADUC where your users are located. In my example I have an OU called 'CON Users' and all other user OUs are under that parent OU. So, in my case I would check perms on 'CON Users' and make sure authenticated users have at least Read, Read Permissions, etc.

make more sense?
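Kris's procedure (check the parent OU in ADUC and make sure Authenticated Users has at least Read, Read Permissions, List Contents and List Object, and nothing as broad as Full Control) can be verified and applied with the AD: drive of the ActiveDirectory PowerShell module. The following is an added example written for this thread, not code from the original answer. The module postdates Exchange 2000 (on a Windows 2000 domain the equivalent check is dsacls from the Support Tools), and the distinguished names OU=Users,DC=example,DC=local and CN=Mary Smith are hypothetical.

```powershell
# Added example (not from the original answer): check whether Authenticated
# Users can read one user object, and grant the minimal read set on the parent
# OU if not. Assumes the ActiveDirectory module (it provides the AD: drive);
# the distinguished names below are hypothetical.
Import-Module ActiveDirectory

$authUsers = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)

# The four rights Kris lists. GenericRead would also do, but spelling them
# out makes clear that nothing like GenericAll (Full Control) is granted:
# Full Control at the wrong level is what lets users open each other's mailboxes.
$R = [System.DirectoryServices.ActiveDirectoryRights]
$readSet = [int]($R::ReadProperty -bor $R::ReadControl -bor $R::ListChildren -bor $R::ListObject)

function Test-AuthenticatedUsersRead {
    # Sum the Allow ACEs for Authenticated Users on one object (explicit or
    # inherited) and report which of the required rights are still missing.
    param([string]$DistinguishedName)
    $acl  = Get-Acl -Path "AD:\$DistinguishedName"
    $have = 0
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -ne $authUsers.Value) { continue }
        # A non-empty ObjectType means the ACE covers one property or class
        # only, which is not enough to read the whole object.
        if ($ace.ObjectType -ne [guid]::Empty) { continue }
        $have = $have -bor [int]$ace.ActiveDirectoryRights
    }
    $missing = $readSet -band (-bnot $have)
    $missingName = if ($missing) { ([System.DirectoryServices.ActiveDirectoryRights]$missing).ToString() } else { 'none' }
    [pscustomobject]@{ Object = $DistinguishedName; Missing = $missingName }
}

function Grant-AuthenticatedUsersRead {
    # Add one inheritable Allow ACE on the OU so every user object under it
    # (present and future) is readable; nothing broader than the read set.
    param([string]$OU)
    $acl  = Get-Acl -Path "AD:\$OU"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $authUsers,
        [System.DirectoryServices.ActiveDirectoryRights]$readSet,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

$ou   = 'OU=Users,DC=example,DC=local'   # hypothetical
$user = "CN=Mary Smith,$ou"              # hypothetical
$before = Test-AuthenticatedUsersRead -DistinguishedName $user
$before
if ($before.Missing -ne 'none') {
    Grant-AuthenticatedUsersRead -OU $ou
    Test-AuthenticatedUsersRead -DistinguishedName $user   # Missing should now be 'none'
}
```

Test-AuthenticatedUsersRead is the thing to run first on a few mailbox users: if it reports missing rights for any of them, the GAL will be blank for ordinary users, which is the symptom in this thread. Grant-AuthenticatedUsersRead adds only the read set and only on the OU, so it does not recreate the "everyone can open everyone's mailbox" problem that Full Control at the server or GAL level causes.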
Author Comment by Richard_St_Pierre (ID: 12374350)
I understand the theory.  User johndoe needs permission to read user marysmith, but how do I assign that?
Author Comment by Richard_St_Pierre (ID: 12374390)

I wrote my last comment before getting your last two. I didn't realize there are permissions attached to the "user" folder. I changed it to read; now I will look and see if it helped.
Author Comment by Richard_St_Pierre (ID: 12374424)
That seems to have done it.  I have to check some more workstations to be sure.
Author Comment by Richard_St_Pierre (ID: 12374472)

I think it's working, but now everyone can access others' mail using Outlook:File:Other users folders.
Author Comment by Richard_St_Pierre (ID: 12374658)
Do mailbox users need any directory permissions assigned from the exchsrvr folder on down to end folders?
Right now I have "postoffice users", "authenticated users", "domain users" all with read write execute thru the whole directory. This was in an attempt to solve the problem.
Author Comment by Richard_St_Pierre (ID: 12375006)

Thank you Kris, you got me out of a jam.  I am still very confused about permissions: which ones are needed for which objects and which directories.  It's all very confusing. I want to undo permissions not needed, but am afraid to make something dysfunctional.  A book or article saying this type of user should have this permission on this object or this directory would be helpful.
Thanks again
Expert Comment by kristinaw (ID: 12375014)

Permissions in the ESM (Exchange System Manager) somewhere are what's allowing everyone to be able to open everyone else's mail. I'll look thru some of my perms tomorrow, but I think they just need the read perms (list, etc.) that I detailed earlier in this thread.

Anyways, progress at least. More tomorrow.

kris.
Expert Comment by kristinaw (ID: 12380818)

Richard,

In ADUC you also want to make sure that authenticated users have 'Apply Group Policy'. This is a default for this group and without it you'll have issues making group policy work.

Now, for the problem of folks being able to open other peeps' mailboxes, those permissions are controlled in the ESM. Authenticated users need the following:

Open Address List, plus Read, Read Permissions, List Contents, and List Object. They don't need anything else.

You can give those perms to the other two groups (postoffice users and domain users) if you like, but it's superfluous IMHO. Also, I don't think it's generally a good idea to change too much stuff in there. It can have all sorts of adverse effects.

If you use public folders in your org, check the following:

http://support.microsoft.com/?kbid=313866

I've never run across a book that gets into enough detail with perms. Most of the stuff I've learned has been through trial and error and reading stuff on different websites (including this one).