
  • Status: Solved

Security Group Permissions Not Applying to DL with CSVDE

I have several email distribution groups that are created twice weekly through a csv upload.  I don't want to go into a long discussion about why it's done this way (it would be long) but I'll post if someone needs this info to help.  In a sentence the members of this email distribution group change that often (and there are a lot of members), we have several scripts that run to pull the info from other sources and then create the csv file for me to upload. I have a script that deletes the old groups and recreates the new ones.  That all works great, since the info is all pulled from various database sources we have eliminated almost all manual entry which makes these distribution groups accurate and easy to upload.  Here's the problem.

We need to restrict who can send email to these groups.  To minimize a lot of manual changes to the scripts we thought it would be easiest to have a security group assigned to each distribution group that would apply to the message restrictions.  Right now a security group is applied that assigns the following permission:  Only accept messages from (those in that security group).  All this uploads fine into Active Directory.

The problem is users who are part of the security group that specify they have rights to send to the distribution list cannot send to it (nor can those not in the list).  I have to manually remove their name from the security list and manually add it to the message restriction section of the distribution group individually.

How can I get this security to work each time we upload the distribution lists?

I know I could do it manually however we do not have the staff to add 30+ names to each email distribution list (20 and growing) twice a week.  I know I can add the group membership into the CSV file, but that changes fairly often and I don't want to have to edit the script twice a week either.  In addition, I think it would increase the chances that the script will not run (typos, user's account is disabled, etc.).  The simplest way would be to have the name of the security group coded into the script and change the members in the security group in AD.  Which is what we are trying to do, but the message restrictions do not seem to recognize the names in the security group.

I've trolled the search engines and usenet groups for help on this and gotten nada - so it's up to you Experts now...

Thanks for any input!
2 Solutions
I haven't played around with email message restrictions, but from what you have said, I think there are two things to consider here.
1: Can these permissions be assigned to a security group, or can it only be assigned to individual users? If it's the latter, then you're going to have to change your scripts.

2: Is the security group being deleted and re-created as well? If so, then make sure the permissions are assigned after it has been re-created, otherwise the permissions will be assigned to the SID of the deleted security group, rather than the newly re-created group.
e_sandrs (Author) Commented:
Thanks for the comment!

We'll evaluate the user vs. group issue (I'm not certain if we know *any* of the groups are working or not) and think about those insidious SID's (nuthin' but trouble, they are - especially in drive imaging).

I'll let you know what we see...
I am not sure if I understand the issues completely but I hope this helps. You can update the distribution list's "authOrig" attribute using VBScript.

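' ADSI PutEx control code: append values to a multi-valued attribute
Const ADS_PROPERTY_APPEND = 3

' Distribution List DN
dn = "CN=Distro-L,OU=Groups,DC=Domain,DC=Net"

' User to be added DN
dn2 = "CN=Name A Namerson,OU=Administration,OU=Information Services,DC=Domain,DC=Net"

Set obj = GetObject("LDAP://DCServerName/" & dn)

' Append the user to the list of permitted senders
obj.PutEx ADS_PROPERTY_APPEND, "authOrig", Array(dn2)

' Write the change from the local property cache to the directory
obj.SetInfo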

Is this what you are looking for or will it help you solve the problem?
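An added example, not code from either poster: it extends the authOrig snippet above so that, after the distribution list has been re-created, the user members of a sender security group are copied into the list's authOrig in one pass. The security group DN `CN=Distro-L-Senders,...` is hypothetical, and the server name and list DN reuse the placeholders from the answer.

```vbscript
Option Explicit

Const ADS_PROPERTY_UPDATE = 2                 ' PutEx: replace all values
Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D   ' raised by GetEx on an empty attribute

' Placeholders: server and list DN from the answer above; sender group DN is hypothetical
Const SERVER = "DCServerName"
Const DL_DN = "CN=Distro-L,OU=Groups,DC=Domain,DC=Net"
Const SENDERS_DN = "CN=Distro-L-Senders,OU=Groups,DC=Domain,DC=Net"

Dim grp, dl, members, m, member, senders(), count
Set grp = GetObject("LDAP://" & SERVER & "/" & SENDERS_DN)
Set dl = GetObject("LDAP://" & SERVER & "/" & DL_DN)

' Read the group's members. Only "attribute is empty" is tolerated;
' any other failure (bind, access denied) stops the run untouched.
On Error Resume Next
members = grp.GetEx("member")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    members = Array()
ElseIf Err.Number <> 0 Then
    WScript.Echo "Cannot read members of " & SENDERS_DN & ": " & Err.Description
    WScript.Quit 2
End If
On Error GoTo 0

' Keep user objects only; nested groups and contacts are skipped.
count = 0
For Each m In members
    Set member = GetObject("LDAP://" & SERVER & "/" & m)
    If LCase(member.Class) = "user" Then
        ReDim Preserve senders(count)
        senders(count) = m
        count = count + 1
    End If
Next

' A list with no authOrig values has no sender restriction from this
' attribute, so never write an empty sender list over the existing one.
If count = 0 Then
    WScript.Echo "No user members found; authOrig left unchanged."
    WScript.Quit 1
End If

dl.PutEx ADS_PROPERTY_UPDATE, "authOrig", senders
dl.SetInfo   ' commit the property cache to the directory
WScript.Echo "authOrig on " & DL_DN & " now lists " & count & " sender(s)."
```

Run it with cscript after the step that re-creates the groups, so the DNs it binds to are the new objects.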
e_sandrs (Author) Commented:
Thanks for the brainstorming.  I'm relating this info second hand (this isn't primarily my project/issue), but I believe the security group/SID idea ended up being helpful in the solution they implemented - and since code efforts are always appreciated (and we will save it for later if needed) I split the points a bit.

Thanks again!
