AD Distribution List management

pauljnye
pauljnye asked
on
Medium Priority
546 Views
Last Modified: 2013-12-03
I have an Active Directory distribution list containing AD users AND mail-enabled contacts.  I would like a certain user to add/delete/modify the list, but how will they be able to add a new member (mail-enabled contact) unless they are an Admin and sitting at the server itself?

Paul

Commented:
Hi pauljnye,

1.  Create an OU to house the DLs and contacts you want this person to manage/add and then delegate rights to this individual to Read, Write and Create Child Objects.
2.  Once the rights have been delegated, install the administration tools via adminpak.msi on that user's workstation so he can access ADUC without accessing the server.
3.  Reference http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx for more information on using the Delegation of Control Wizard.


Cheers!
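The delegation in step 1 can also be scripted instead of clicked through the Delegation of Control Wizard. The following is an added example written for this thread, not code from the original post or from Microsoft; it assumes the ActiveDirectory PowerShell module is available, and the OU distinguished name and the delegate group name are placeholders to replace with your own. It grants only what the task needs (create/delete group and contact objects in the OU, write the `member` attribute on groups, read the OU) and then reads the ACL back so the result can be checked. Mail-enabling the contacts is still an Exchange-side step and is not covered here.

```powershell
# Added example: least-privilege delegation of a "distribution list" OU.
# Placeholders (assumptions, not values from the thread):
$OuDn          = 'OU=Distribution Lists,DC=example,DC=com'
$DelegateGroup = 'DL-Managers'   # sAMAccountName of a group; delegate to a group, not a person

Import-Module ActiveDirectory

# Resolve schema GUIDs from the schema partition at runtime rather than hard-coding them.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# Apply the delegation ACEs to the OU. Returns the number of rules added.
function Grant-DlManagement {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupSamAccountName
    )
    $sid          = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $groupClass   = Get-SchemaGuid 'group'
    $contactClass = Get-SchemaGuid 'contact'
    $memberAttr   = Get-SchemaGuid 'member'

    $allow       = [System.Security.AccessControl.AccessControlType]::Allow
    $inheritAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $writeProp    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $read         = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $added = 0

    # 1. Create and delete ONLY group and contact objects in this OU (and sub-OUs).
    foreach ($class in @($groupClass, $contactClass)) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $createDelete, $allow, $class, $inheritAll)
        $acl.AddAccessRule($rule); $added++
    }

    # 2. Edit the 'member' attribute, but only on group objects, not on anything else.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $writeProp, $allow, $memberAttr, $descendents, $groupClass)
    $acl.AddAccessRule($rule); $added++

    # 3. Read the OU contents so ADUC can display them.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $read, $allow, $inheritAll)
    $acl.AddAccessRule($rule); $added++

    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
    return $added
}

# Read back every ACE on the OU that applies to the delegate group, for review.
function Get-DelegatedAces {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupSamAccountName
    )
    $sid = (Get-ADGroup -Identity $GroupSamAccountName).SID
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
        } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
}

# Usage (run as an account that can modify the OU's security descriptor):
$count = Grant-DlManagement -OuDistinguishedName $OuDn -GroupSamAccountName $DelegateGroup
Write-Host "Added $count access rules to $OuDn"
Get-DelegatedAces -OuDistinguishedName $OuDn -GroupSamAccountName $DelegateGroup | Format-Table -AutoSize
```

The object-type GUIDs are what keep this narrow: without them a `CreateChild` grant would let the delegate create any object class in the OU (users and computers included), and a `WriteProperty` grant without the `member` GUID would let them change every attribute on every group. The read-back function is the check to run after the wizard as well, since the wizard's "Create, delete, and manage groups" task template grants broader rights than the three ACEs above.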

Author

Commented:
Thanks jss1199, this sounds exactly like it's going to work and I am now going to try it.  Where can I obtain the Admin tools/Admin pack for the workstation?

Paul

Author

Commented:
Found it.  Now I can start the test
Paul

Author

Commented:
Ok, after testing Admintools from my workstation (I am Domain Admin) I discovered that when I create a contact it didn't ask me if I wanted to create an Exchange email address.  If I add the email address afterwards it doesn't make the contact 'mail enabled' from the GAL, and the contact's properties don't have any 'Exchange Tabs'.

Paul
Commented:
Sorry - forgot to mention that along with the AD Management Tools, you need the Exchange Management components installed (from the Exchange Setup CD).  This will put the necessary components in place on that system to create mail-enabled objects.

Expert of the Year 2007
Expert of the Year 2006

Commented:
You have just stumbled on the number one reason why having users maintain contacts is a bad idea - they have to have the Exchange management tools and the Active Directory tools installed on their server.
A machine with the Exchange management tools is basically an Exchange server without databases and should be treated as such. That means ensuring that it is secure and kept up to date with the service packs and other patches.
Do you really want a user to have access to the tools - even if they don't know what to do with them?

Simon.

Author

Commented:
jss1199 - Thanks for the info.  I will find the Exchange tools and see.

Sembee - No, I don't want a user to have access to the tools if they don't know what to do with them, so I created an OU just for the purpose of containing AD Dist Lists and to delegate the management to a secretary who does.  This way they can't access my entire AD, and only this delegate can.  I don't see a major problem with that.  Are the Exchange Tools different, and more of a vulnerability?  Do they simply add the 'Exchange Tabs' to the AD Admin Pack seamlessly?

Paul

Commented:
It adds the tabs but also the Exchange System Manager and other components.  I would, at minimum, delete the program group for Exchange from START > PROGRAMS so the secretary does not stumble across it and decide to play around.

Author

Commented:
jss1199,

Do the Exchange tools by default allow someone to harm my real Exchange Svr?  Wouldn't they need permission to modify Exchange?

Paul
Expert of the Year 2007
Expert of the Year 2006

Commented:
To make changes to the AD a user needs to have certain permissions to the domain.
By definition, this allows that user access to the domain, which a regular user does not have.

Two major issues with having the tools installed on the machine.
1. It could allow the user to go looking at things they don't understand and possibly make changes.
2. In the event of an elevated permission problem, they would be able to make changes.

If someone else who does have the relevant permissions, but not the tools was to login to that machine, then they could make changes.

ESM is the control system for Exchange. It takes one click of the mouse in the wrong place and your Exchange server is dead.

Permissions or not, the mere presence of the tools on a machine that is operated by an untrained operator is real cause for concern.

Simon.

Commented:
Paul,

Sembee is correct in his assessment but maybe a tad bit alarmist.  Install in order to get the Exchange/AD integration and then remove the program group for Exchange.  This way your secretary cannot stumble across the tools...

jss

Author

Commented:
Thanks both for your responses.

Sembee, point taken.  I think however I will remove all program groups and icons and then instil the fear of God in the secretary to BEWARE and don't touch ANYTHING else.  I am prepared to take a calculated risk as I really need the features.

Testing now.......

Paul

Author

Commented:
After testing I am satisfied that my needs are met.  I installed AD management tools and Exchange Management tools (which required the IIS snap-in).  ADUC now gave me access to Exchange tasks.  As a normal user you cannot really use the Exchange tools to get to the heart of my Exchange Svr, though Sembee suggested.  The Exchange manager was only showing 'Recipients' and 'Tools' and even when you click it reports 'ldap object not found', which I am thinking is due to lack of permissions.  ANYWAY, I acknowledge Sembee's advice and I will remove the Exch program group etc.

Thanks!
Paul