We help IT Professionals succeed at work.

Exhange 2003 - AD 2003 Distribution Lists

I have added a handful of Global Distribution lists in active directory. We are running Windows Server 2003 and Exchange 2003.  I have also created a security group called DistListManagers and added the members to that group.  What is the best, easiest way to allow the members of this group to manage the Distribution lists, add members, add external contacts?  Does this have to be done through Active Directory or can the users do this through Outlook somehow?
Comment
Watch Question

In AD you under the distributuon groups there is an option called "managed by". I know adding a user to this group will allow them to open and edit the group from within outlook. I have never tested this with a security group im not sure if it will let you use a group instead of an individual user.

In any case the managed by tab is where you will want to start looking.

Author

Commented:
Yeah, I checked that. It would not list the security groups as an option.

Commented:
Try creating a distibution group with the security group as a member.  Make the distribution group the manager of the other distribution group.  If I remember right, that should work.
I just tested this on my AD and it doesnt look like there is a way that you can have a security group allowed to be the "managed by" thing for a group.

I would make the suggestion that you create the groups and then specify one member of that group to be in charge of keeping it up to date. Thats pretty much how we have our groups configured that wish to have someone manage them and i think that may be the only MS approved way.

Author

Commented:
Ok, checking cmccall's suggestion. I will get back.

Author

Commented:
cmccall's suggestion did not work.  Any other suggestions?
I dont think you are going to find another suggestion for this. I think this is a limitation within Active Directory itself that only allows a single person to be set as the manager of the group.

The only other option that might work would be to create an account that is used only for updating the group and then share that username and password with the people responsible for modifying the group.

Commented:
I actually found this solution from another post:  First is the link to the post,  Then the answer below it.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_21997634.html?sfQueryTermInfo=1+10+2003+30+distribut+exchang+group+list+manag+secur

---------------------------------------------------------------------------------------------------------------------------------
Answer:

Can I allow more than one person to manage a Windows distribution list? Yes!

Short answer, yes. In a Windows 2000 domain (not sure if this restriction is exactly the same in a 2003 domain), let's say you have a distribution list called ALLIT, which you manually add people to when needed. You have several administrative assistants. Normally, admin1 updates the list, as he has been set as the manager of the list from within Active Directory Users & Computers (ADUC), using the Managed By tab in the properties of the group.

What happens when admin1 is out sick, on vacation, etc? Your boss would like admin1, admin2, AND admin3 to be able to update the list. But, the problem is that you can only select a single user in the Managed By tab. So what do you do? There's a pretty easy way to get around this. First off, you need to be familiar with ADSI edit which you should be if you're an admin for a 2000/2003 domain. There are lots of links and information that will tell you that ADSI edit is terribly dangerous. Well, just about any admin tool can be terribly dangerous if used the wrong way. Personally, I find ADSI edit invaluable, just be careful until you become familiar with it. Here's a quick tutorial: ADSI_EDIT.

What you need to do first is find (or create) a group that contains all the users who should be able to update the given list. In our case, we're going to create a security group called 'ALLIT Update' and add admin1, admin2 and admin3 to the group.

Next, head into ADSI edit, right click and select 'Connect To well known naming context' and make sure 'Domain' is in the drop down list. Expand things out and you should see a structure that looks like your OU structure when you're in the ADUC. Find the 'ALLIT Update' group, right click and select properties, scroll down til you find the distinguishedName attribute, double click it and copy the value.

Next, find the ALLIT group in ADSI edit and find the managedBy value. Paste the distinguishedName value from 'ALLIT Update' into this field, exit, head back into the ADUC, find ALLIT and you should now see the 'ALLIT Update' listed in there as the group manager. All you need to do now is tick the 'manager can update group membership' checkbox. Now admin1, admin2 and admin3 should be able to manager the ALLIT group. (if they can't do it right away, wait just a bit - have them log off/back on then try again). You also have the added convenience of merely adding people to and from 'ALLIT Update' whenever you want to add/remove group managers.

Author

Commented:
Thanks anyway guys.  And I hope this solution helps others.