AD Distribution List management

I have an Active Directory distribution list containing AD users AND mail-enabled contacts. I would like a certain user to add/delete/modify the list, but how will they be able to add a new member (mail-enabled contact) unless they are an Admin and sitting at the server itself?

Paul
pauljnye asked:

jss1199 commented:
Hi pauljnye,

1. Create an OU to house the DLs and contacts you want this person to manage/add, and then delegate rights to this individual to Read, Write and Create Child Objects.
2. Once the rights have been delegated, install the administration tools via adminpak.msi on that user's workstation so he can access ADUC without accessing the server.
3. Reference http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx for more information on using the Delegation of Control Wizard.


Cheers!
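As an added example (not part of the thread, and not the Delegation of Control Wizard the answer points to), the script below does the delegation from step 1 with the ActiveDirectory PowerShell module on a current Windows Server, which did not exist in the Windows 2003 era this thread comes from. It is tighter than "Read, Write and Create Child Objects" on the whole OU: the delegate may create and delete only group and contact objects in the OU, edit the member attribute of those groups, and edit the attributes of those contacts, and nothing else. The OU name "Distribution Lists" and the group name "DL-Managers" are assumptions; the ACEs are granted to the group so the secretary's access can be revoked by removing one membership.

```powershell
# Added example: least-privilege delegation of a DL/contact OU (names are assumptions).
# Requires the ActiveDirectory module (RSAT) and rights to modify the OU's security descriptor.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$ouName     = 'Distribution Lists'          # assumed OU name
$ouDN       = "OU=$ouName,$domainDN"
$delegateTo = 'DL-Managers'                 # assumed security group; put the secretary in it

# 1. Create the OU and the delegation group if they do not already exist.
#    The group deliberately lives OUTSIDE the delegated OU: if it were inside, the
#    'member' write right granted below would let the delegate add anyone to it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -Filter "Name -eq '$delegateTo'")) {
    New-ADGroup -Name $delegateTo -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN"
}
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $delegateTo).SID

# 2. Resolve schema GUIDs for the object classes and attribute we scope the ACEs to,
#    from this forest's schema rather than hard-coded values.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$ldapDisplayName'" -Properties schemaIDGUID
    [Guid]$obj.schemaIDGUID
}
$groupGuid   = Get-SchemaGuid 'group'
$contactGuid = Get-SchemaGuid 'contact'
$memberGuid  = Get-SchemaGuid 'member'

# 3. Build the access rules.
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$rights     = [System.DirectoryServices.ActiveDirectoryRights]
$inherit    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$createDel  = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$aceType    = [System.DirectoryServices.ActiveDirectoryAccessRule]

$aces = @(
    # Create/delete group objects and contact objects directly in the OU (not other classes).
    $aceType::new($sid, $createDel, $allow, $groupGuid,   $inherit::None),
    $aceType::new($sid, $createDel, $allow, $contactGuid, $inherit::None),
    # Write the 'member' attribute on groups under the OU: add/remove list members.
    $aceType::new($sid, $rights::WriteProperty, $allow, $memberGuid, $inherit::Descendents, $groupGuid),
    # Write any attribute on contacts under the OU (display name, mail, etc.).
    $aceType::new($sid, $rights::GenericWrite, $allow, $inherit::Descendents, $contactGuid)
)

# 4. Apply the rules to the OU's security descriptor via the AD: drive.
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 5. Verify: show only the ACEs granted to the delegation group.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$delegateTo" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Run it as an account that can modify the OU's security descriptor (a Domain Admin), then log on as a member of DL-Managers with only the RSAT tools installed and confirm that creating a user object in the OU is denied while creating a contact or group, and editing a group's members, succeeds. Mail-enabling the contact is a separate matter that the rest of this thread covers; the delegation above governs only the directory objects themselves.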
pauljnye (author) commented:
Thanks jss1199, this sounds exactly like it's going to work and I am now going to try it. Where can I obtain the Admin tools/Admin pack for the workstation?

Paul
pauljnye (author) commented:
Found it. Now I can start the test.
Paul
pauljnye (author) commented:
OK, after testing the Admin Tools from my workstation (I am Domain Admin), I discovered that when I create a contact it didn't ask me if I wanted to create an Exchange email address. If I add the email address afterwards it doesn't make the contact 'mail-enabled' in the GAL, and the contact's properties don't have any 'Exchange Tabs'.

Paul
jss1199 commented:
Sorry - forgot to mention that along with the AD Management Tools, you need the Exchange Management components installed (from the Exchange Setup CD). This will put the necessary components in place on that system to create mail-enabled objects.
Sembee commented:
You have just stumbled on the number one reason why having users maintain contacts is a bad idea - they have to have the Exchange management tools and the Active Directory tools installed on their server.
A machine with the Exchange management tools is basically an Exchange server without databases and should be treated as such. That means ensuring that it is secure and kept up to date with the service packs and other patches.
Do you really want a user to have access to the tools - even if they don't know what to do with them?

Simon.
pauljnye (author) commented:
jss1199 - Thanks for the info. I will find the Exchange tools and see.

Sembee - No, I don't want a user to have access to the tools if they don't know what to do with them, so I created an OU just for the purpose of containing AD Dist Lists and to delegate the management to a secretary who does. This way they can't access my entire AD, and only this delegate can. I don't see a major problem with that. Are the Exchange Tools different, and more of a vulnerability? Do they simply add the 'Exchange Tabs' to the AD Admin Pack seamlessly?

Paul
jss1199 commented:
It adds the tabs but also the Exchange System Manager and other components. I would, at minimum, delete the program group for Exchange from Start > Programs so the secretary does not stumble across it and decide to play around.
pauljnye (author) commented:
jss1199,

Do the Exchange tools by default allow someone to harm my real Exchange Svr? Wouldn't they need permission to modify Exchange?

Paul
Sembee commented:
To make changes to the AD a user needs to have certain permissions to the domain.
By definition, this allows that user access to the domain, which a regular user does not have.

Two major issues with having the tools installed on the machine.
1. It could allow the user to go looking at things they don't understand and possibly make changes.
2. In the event of an elevated permission problem, they would be able to make changes.

If someone else who does have the relevant permissions, but not the tools was to login to that machine, then they could make changes.

ESM is the control system for Exchange. It takes one click of the mouse in the wrong place and your Exchange server is dead.

Permissions or not, the mere presence of the tools on a machine that is operated by an untrained operator is real cause for concern.

Simon.
jss1199 commented:
Paul,

Sembee is correct in his assessment, but maybe a tad alarmist. Install in order to get the Exchange/AD integration and then remove the program group for Exchange. This way your secretary cannot stumble across the tools...

jss
pauljnye (author) commented:
Thanks both for your responses.

Sembee, point taken. I think however I will remove all program groups and icons and then instil the fear of God in the secretary to BEWARE and not touch ANYTHING else. I am prepared to take a calculated risk as I really need the features.

Testing now.......

Paul
pauljnye (author) commented:
After testing I am satisfied that my needs are met. I installed the AD management tools and Exchange Management tools (which required the IIS snap-in). ADUC now gave me access to Exchange tasks. As a normal user you cannot really use the Exchange tools to get to the heart of my Exchange Svr, though Sembee suggested. The Exchange manager was only showing 'Recipients' and 'Tools', and even when you click it reports 'ldap object not found', which I am thinking is due to lack of permissions. ANYWAY, I acknowledge Sembee's advice and I will remove the Exchange program group etc.

Thanks!
Paul