Solved

AD Distribution List management

Posted on 2006-04-04
Last Modified: 2013-12-03
I have an Active Directory distribution list containing AD users AND Mail Enabled contacts.  I would like a certain user to add/del/modify the list but how will they be able to add a new member (Mail Enabled Contact) unless they are an Admin and sitting at the server itself?

Paul
Question by:pauljnye
14 Comments
 
LVL 19

Expert Comment

by:jss1199
ID: 16375149
Hi pauljnye,

1.  Create an OU to house the DLs and contacts you want this person to manage/add and then delegate rights to this individual to Read, Write and Create Child Objects.
2.  Once the rights have been delegated, install the administration tools via adminpak.msi on that user's workstation so he can access ADUC without accessing the server.
3.  Reference http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx for more information on using the Delegation of Control Wizard.


Cheers!
0
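The delegation from step 1, narrowed to the two object classes the question involves and followed by an audit of what the delegate actually holds. This is an added example, not part of the original thread; it uses `dsacls` and the ActiveDirectory PowerShell module, and the OU DN and delegate account are assumed names.

```powershell
# Added example; the OU DN and the delegate account are assumed names.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ou       = 'OU=ManagedDLs,DC=example,DC=com'
$delegate = 'EXAMPLE\dl-manager'

# Create/delete contact objects only, in this OU and below (/I:T).
dsacls $ou /I:T /G "${delegate}:CCDC;contact"
# Read/write properties of contact objects under the OU (/I:S = child objects only).
dsacls $ou /I:S /G "${delegate}:RPWP;;contact"
# Read/write only the 'member' attribute of groups under the OU.
dsacls $ou /I:S /G "${delegate}:RPWP;member;group"

# Audit: list every ACE the delegate holds on the OU.
$aces = (Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $delegate }
$aces | Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited

# Flag anything that lets the delegate change permissions or ownership
# (GenericAll includes both bits, so full control is caught as well).
$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$tooBroad = $rights::WriteDacl -bor $rights::WriteOwner
$bad = $aces | Where-Object { $_.ActiveDirectoryRights -band $tooBroad }
if ($bad) {
    Write-Warning "$delegate holds WriteDacl/WriteOwner/GenericAll on $ou"
} else {
    Write-Output "No permission-changing rights found for $delegate on $ou"
}
```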
 

Author Comment

by:pauljnye
ID: 16375688
Thanks jss1199,  this sounds exactly like it's going to work and I am now going to try it.  Where can I obtain the Admin tools/Admin pack for the workstation?

Paul
0
 

Author Comment

by:pauljnye
ID: 16375750
Found it.  Now I can start the test
Paul
0
 
LVL 19

Expert Comment

by:jss1199
ID: 16375754
0
 

Author Comment

by:pauljnye
ID: 16375990
Ok, after testing Admintools from my workstation (I am Domain Admin) I discovered that when I create a contact it didn't ask me if I wanted to create an exchange email address.  If I add the email address afterwards it doesn't make the contact 'mail enabled' from GAL, and the contact's properties don't have any 'Exchange Tabs'.

Paul
0
 
LVL 19

Accepted Solution

by:
jss1199 earned 2000 total points
ID: 16376049
Sorry - Forgot to mention that along with the AD Management Tools, you need Exchange Management components installed (from the Exchange Setup CD).  This will place the necessary components in place on that system to create mail-enabled objects.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16376078
You have just stumbled on the number one reason why having users maintain contacts is a bad idea - they have to have the Exchange management tools and the Active Directory tools installed on their server.
A machine with the Exchange management tools is basically an Exchange server without databases and should be treated as such. That means ensuring that it is secure and kept up to date with the service packs and other patches.
Do you really want a user to have access to the tools - even if they don't know what to do with them?

Simon.
0
 

Author Comment

by:pauljnye
ID: 16376502
jss1199 - Thanks for the info.  I will find the Exchange tools and see.

Sembee - No, I don't want a user to have access to the tools if they don't know what to do with them, so I created an OU just for the purpose of containing AD Dist Lists and to delegate the management to a secretary who does.  This way they can't access my entire AD, and only this delegate can.  I don't see a major problem with that.  Is Exchange Tools different, and more of a vulnerability?  Does it simply add the 'Exchange Tabs' to AD Admin Pack seamlessly?

Paul
0
 
LVL 19

Expert Comment

by:jss1199
ID: 16376615
It adds the tabs but also the Exchange System Manager and other components.  I would, at minimum, delete the program group for Exchange from START PROGRAMS so the secretary does not stumble across it and decide to play around
0
 

Author Comment

by:pauljnye
ID: 16380208
jss1199,

Do the Exchange tools by default allow someone to harm my real Exchange Svr?  Wouldn't they need permission to modify exchange?

Paul
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16380308
To make changes to the AD a user needs to have certain permissions to the domain.
By definition, this allows that user access to the domain, which a regular user does not have.

Two major issues with having the tools installed on the machine.
1. It could allow the user to go looking at things they don't understand and possibly make changes.
2. In the event of an elevated permission problem, they would be able to make changes.

If someone else who does have the relevant permissions, but not the tools, were to log in to that machine, then they could make changes.

ESM is the control system for Exchange. It takes one click of the mouse in the wrong place and your Exchange server is dead.

Permissions or not, the mere presence of the tools on a machine that is operated by an untrained operator is real cause for concern.

Simon.
0
 
LVL 19

Expert Comment

by:jss1199
ID: 16380988
Paul,

Sembee is correct in his assessment but maybe a tad bit alarmist.  Install in order to get the Exchange/AD integration and then remove the program group for Exchange.  This way your secretary cannot stumble across the tools...

jss
0
 

Author Comment

by:pauljnye
ID: 16381584
Thanks both for your responses.

Sembee, point taken.  I think however I will remove all program groups and icons and then instil the fear of God in the secretary to BEWARE and don't touch ANYTHING else.  I am prepared to take a calculated risk as I really need the features.

Testing now.......

Paul
0
 

Author Comment

by:pauljnye
ID: 16387942
After testing I am satisfied that my needs are met.  I installed AD management tools and Exchange Management tools (which required the IIS snap-in).  ADUC now gave me access to Exchange tasks.  As a normal user you cannot really use the Exchange tools to get to the heart of my Exchange Svr though Sembee suggested.  The Exchange manager was only showing 'Recipients' and 'Tools' and even when you click it reports 'ldap object not found' which I am thinking is due to lack of permissions.  ANYWAY, I acknowledge Sembee's advice and I will remove the Exch program group etc.

Thanks!
Paul
0
