Security Group Permissions Not Applying to DL with CSVDE

Posted on 2006-05-01
Last Modified: 2012-08-13
I have several email distribution groups that are created twice weekly through a csv upload. I don't want to go into a long discussion about why it's done this way (it would be long) but I'll post if someone needs this info to help. In a sentence: the members of this email distribution group change that often (and there are a lot of members), so we have several scripts that run to pull the info from other sources and then create the csv file for me to upload. I have a script that deletes the old groups and recreates the new ones. That all works great; since the info is all pulled from various database sources we have eliminated almost all manual entry, which makes these distribution groups accurate and easy to upload. Here's the problem.

We need to restrict who can send email to these groups. To minimize a lot of manual changes to the scripts we thought it would be easiest to have a security group assigned to each distribution group that would apply to the message restrictions. Right now a security group is applied that assigns the following permission: Only accept messages from (those in that security group). All this uploads fine into Active Directory.

The problem is users who are part of the security group that specifies they have rights to send to the distribution list cannot send to it (nor can those not in the list). I have to manually remove their name from the security list and manually add it to the message restriction section of the distribution group individually.

How can I get this security to work each time we upload the distribution lists?

I know I could do it manually; however, we do not have the staff to add 30+ names to each email distribution list (20 and growing) twice a week. I know I can add the group membership into the CSV file, but that changes fairly often and I don't want to have to edit the script twice a week either. In addition, I think it would increase the chances that the script will not run (typos, user's account is disabled, etc.). The simplest way would be to have the name of the security group coded into the script and change the members in the security group in AD. Which is what we are trying to do, but the message restrictions do not seem to recognize the names in the security group.

I've trolled the search engines and usenet groups for help on this and gotten nada - so it's up to you Experts now...

Thanks for any input!
Question by:e_sandrs
    LVL 2

    Accepted Solution

    I haven't played around with email message restrictions, but from what you have said, I think there are two things to consider here.
    1: Can these permissions be assigned to a security group, or can they only be assigned to individual users? If it's the latter, then you're going to have to change your scripts.

    2: Is the security group being deleted and re-created as well? If so, then make sure the permissions are assigned after it has been re-created, otherwise the permissions will be assigned to the SID of the deleted security group, rather than the newly re-created group.
    LVL 5

    Author Comment

    Thanks for the comment!

    We'll evaluate the user vs. group issue (I'm not certain if we know *any* of the groups are working or not) and think about those insidious SID's (nuthin' but trouble, they are - especially in drive imaging).

    I'll let you know what we see...
    LVL 6

    Assisted Solution

    I am not sure if I understand the issues completely but I hope this helps. You can update the distribution list's "authOrig" attribute using VBScript.

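    ' Distribution List DN
    dn = "CN=Distro-L,OU=Groups,DC=Domain,DC=Net"

    ' User to be added DN
    dn2 = "CN=Name A Namerson,OU=Administration,OU=Information Services,DC=Domain,DC=Net"

    ' Bind to the distribution list on the named domain controller
    Set obj = GetObject("LDAP://DCServerName/" & dn)

    ' 3 = ADS_PROPERTY_APPEND: add the user without removing existing values
    obj.PutEx 3,"authOrig",Array(dn2)

    ' Commit the change from the local property cache to the directory
    obj.SetInfo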

    Is this what you are looking for or will it help you solve the problem?
    LVL 5

    Author Comment

    Thanks for the brainstorming.  I'm relating this info second hand (this isn't primarily my project/issue), but I believe the security group/SID idea ended up being helpful in the solution they implemented - and since code efforts are always appreciated (and we will save it for later if needed) I split the points a bit.

    Thanks again!
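
As an added example (not code from the thread): the authOrig approach from the assisted solution, extended to copy every direct user member of a security group into the list's authOrig, so that senders are still managed by group membership in AD and the step can run after each upload. The group name Distro-L-Senders is hypothetical; DCServerName and the DNs are placeholders in the style of the snippet above.

```vbscript
' Added example, not code from the thread. DNs and DCServerName are placeholders;
' the group name Distro-L-Senders is hypothetical.
Option Explicit

Const ADS_PROPERTY_UPDATE = 2   ' replace all existing values of the attribute

Dim dlDN, sgDN, dl, sg, member, senders(), count, v

dlDN = "CN=Distro-L,OU=Groups,DC=Domain,DC=Net"          ' distribution list
sgDN = "CN=Distro-L-Senders,OU=Groups,DC=Domain,DC=Net"  ' security group of allowed senders

' Bind after the upload has re-created the list, so the values land on the
' new object and not on the one that was deleted.
Set dl = GetObject("LDAP://DCServerName/" & dlDN)
Set sg = GetObject("LDAP://DCServerName/" & sgDN)

count = 0
For Each member In sg.Members
    ' Direct user and contact members only; nested groups are not expanded.
    If LCase(member.Class) = "user" Or LCase(member.Class) = "contact" Then
        ReDim Preserve senders(count)
        senders(count) = member.Get("distinguishedName")
        count = count + 1
    End If
Next

If count = 0 Then
    ' Do not write an empty sender list: that would leave no
    ' "only accept messages from" restriction on the list.
    WScript.Echo "No user members in " & sgDN & "; authOrig left unchanged."
    WScript.Quit 1
End If

' Replace the allowed-sender list with the current group membership and commit.
dl.PutEx ADS_PROPERTY_UPDATE, "authOrig", senders
dl.SetInfo

' Read the attribute back from the directory to confirm what was stored.
dl.GetInfo
For Each v In dl.GetEx("authOrig")
    WScript.Echo "Allowed sender: " & v
Next
```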
