Active Directory object "CN=All Global Address Lists" is missing class
Problem: In Exchange System Manager the container for Global Address List is not visible/missing.
Symptoms: Using adsiedit.msc...
1. The object "CN=All Global Address Lists" is missing the class attribute (addressBookContainer).
2. Editing the properties for the object returns the following error: "An invalid directory pathname was passed".
3. Deleting the object returns the following error: "The specified directory service attribute or value does not exist."
4. Renaming the object returns the following error: "Access is denied"
Prior to trying steps 3 and 4... Attempted to reset ACL to default values using...
dsacls "CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain_name,DC=com" /N /G "authenticated users":SDRCWDWOWPRPCALO
DSACLS returned "The system cannot find the file specified. The command failed to complete successfully."
The object's parent permission and owner settings appear to be OK, owner=administrator permission=full control
In summary, I cannot restore the AD since I am unsure as to when the problem first occurred. I'm suspecting the problem has been going for several weeks and was not brought to my attention. If the object can be deleted/renamed, I'm fairly confident the GAL can be manually re-created. Thanks in advance for any and all help.
August 10th, 2008 8:13am

Rerunning the Exchange setup with the /forestprep switch would help you. It will recreate the entry or attributes if they are missing.
August 10th, 2008 12:06pm

Hi, Please perform the following commands to troubleshoot the issue:
1. Assume ownership of the object using DSACLS:
DSACLS "CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain_name,DC=com" /G domain name\useraccount:WO
2. Grant rights to the object using DSACLS (this will wipe the current DACLs and replace them with what you select):
DSACLS "CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain_name,DC=com" /N /G domain name\useraccount:GA
3. Set the object's permissions back to the Schema Defaults:
DSACLS "CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain_name,DC=com" /S
4. Inherit Permissions: Use ADSIEdit to reselect the checkbox for Inherit Permissions
Mike
August 12th, 2008 10:45am

Hi Mike and thanks for your response. In regards to items 1-4, the DSACLS commands all failed in a similar manner to resetting the ACL values. The error message was "An invalid directory pathname was passed". I don't believe the problem is attributed to security or ownership, but rather the object is corrupted. Amit recommended running Exchange setup with the /forestprep parameter. If I recall correctly, this command failed because a duplicate name already existed.
I did find a workaround for the problem:
- Create an object called "CN=All Global Address Lists 2"
- Assign it to the class "addressBookContainer"
- Create an object under "CN=All Global Address Lists 2" called "CN=Default Global Address List"
- Assign it to the class "addressBookContainer"
- Modify the attribute in object "CN=Microsoft Exchange"
- Change attribute "globalAddressList" to point to the new GAL, e.g. "CN=Default Global Address List, CN=All Global Address List 2,CN=Address List Container,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com"
August 13th, 2008 12:06am

My guess is that you have been trying to follow the guide Configuring Virtual Organizations and Address List Segregation in Exchange 2007 http://technet.microsoft.com/en-us/library/bb936719.aspx and might have hit the "All Global Address Lists" container with a deny for authenticated users instead of the subcontainer "CN=Default Global Address List".
In the guide they suggest the following command in order to restrict access to the Default Global Address List:
Get-GlobalAddressList "Default Global Address List" | Add-ADPermission -User "Authenticated Users" -AccessRights GenericRead -ExtendedRights Open-Address-Book -Deny:$True
This renders all users (including your administrative accounts) without access to the Default Global Address List Active Directory object, hence it will show up in ADSIEDIT without a class name. (In your case you probably made the deny with ADSIEDIT and not the PowerShell command.)
However, you should still be able to rename the orphaned object using ADSIEDIT. Do not try to edit or take properties on the object first, otherwise you will have to close and reopen ADSIEDIT (the error message in case you tried to edit it first will be "This folder or one of its children has one or more property sheets up. Please close the property sheet before continuing with this action.").
After you rename the orphaned "All Global Address Lists" and create a new one with ADSIEDIT, you can recreate the Default Global Address List with the following command:
New-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}
If you wish to follow the guide Configuring Virtual Organizations and Address List Segregation in Exchange 2007 again, I would suggest that you restrict access to the Default Global Address List only for users in the All Hosted Groups SG that you already have all hosted domains and hence all hosted users in. This can be done by using this command, where Authenticated Users have been replaced with All Hosted Groups SG:
Get-GlobalAddressList "Default Global Address List" | Add-ADPermission -User "All Hosted Groups SG" -AccessRights GenericRead -ExtendedRights Open-Address-Book -Deny:$True
In this way you can still have administrative accounts which aren't members of the All Hosted Groups SG and can see the full Default Global Address List. Another benefit: if your administrative accounts aren't members of any hosted groups, they will still be able to create an Outlook profile, as they still have access to the Default Global Address List and are able to resolve their name in the address list when they click on the check name button. The downside, of course, is that you have to be 100% sure that all of your hosted users actually are members of a domain group and that all domain groups are members of the All Hosted Groups SG, but you would probably have to ensure that anyway.
November 19th, 2008 2:54pm
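
An audit for the condition the post above describes, as an added example that is not part of the original post: it flags explicit deny entries on address-list objects whose trustee is a broad principal such as Authenticated Users. The function name, the list of broad principals and the sample entries are assumptions made for illustration; the property names are those of Get-ADPermission output.

```powershell
# Added example (PowerShell 2.0+). Flags explicit deny ACEs that target broad
# principals. Input objects carry the properties Get-ADPermission returns:
# Identity, User, Deny, IsInherited, AccessRights, ExtendedRights.
function Find-BroadAddressListDeny {
    param(
        [object[]] $Ace,
        # Assumed list of principals that also cover administrative accounts.
        [string[]] $BroadPrincipal = @('Authenticated Users', 'Everyone')
    )
    foreach ($a in $Ace) {
        if (-not $a.Deny) { continue }
        # Drop a "DOMAIN\" or "NT AUTHORITY\" prefix before comparing names.
        $name = ([string]$a.User) -replace '^.*\\', ''
        if ($BroadPrincipal -notcontains $name) { continue }
        # A deny on the parent container is the case the post suspects.
        $scope = 'AddressList'
        if (([string]$a.Identity) -match '^(CN=|\\)?All Global Address Lists(,|$)') {
            $scope = 'Container'
        }
        $rights = @($a.AccessRights) + @($a.ExtendedRights) | Where-Object { $_ }
        New-Object PSObject -Property @{
            Scope     = $scope
            Identity  = [string]$a.Identity
            User      = [string]$a.User
            Inherited = [bool]$a.IsInherited
            Rights    = $rights -join ','
        }
    }
}

# Constructed sample ACEs (not real output). On an Exchange 2007 server the
# input would be Get-ADPermission output for each address-list object.
function New-SampleAce($Identity, $User, $Deny, $Access, $Extended) {
    New-Object PSObject -Property @{
        Identity = $Identity; User = $User; Deny = $Deny; IsInherited = $false
        AccessRights = @($Access); ExtendedRights = @($Extended)
    }
}
$sample = @(
    (New-SampleAce '\All Global Address Lists' 'NT AUTHORITY\Authenticated Users' $true 'GenericRead' 'Open-Address-Book'),
    (New-SampleAce '\Default Global Address List' 'NT AUTHORITY\Authenticated Users' $true 'GenericRead' 'Open-Address-Book'),
    (New-SampleAce '\Default Global Address List' 'DOMAIN\All Hosted Groups SG' $true 'GenericRead' 'Open-Address-Book'),
    (New-SampleAce '\Default Global Address List' 'NT AUTHORITY\Authenticated Users' $false 'GenericRead' $null)
)
Find-BroadAddressListDeny -Ace $sample | Format-Table Scope, User, Identity, Rights -AutoSize
```

The deny scoped to "All Hosted Groups SG" and the allow entry are not reported; only the two Authenticated Users denies are.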

Oops - saw later that you are using Exchange System Manager - hence Exchange 2003 and no PowerShell. Anyway, it's kind of the same procedure - do your deny on the "All Hosted Groups SG" instead of "Authenticated Users"
November 19th, 2008 3:01pm

Mike, I wanted to note that this worked for me. I had this happen with my default GAL, but thankfully in our Dev environment while going through the address list segregation white paper. After restoring the permissions I just added the field group to the default GAL object and set the deny open address list permission. Before restoring the permissions, the default global address list object did not have any class assigned to it.
October 29th, 2009 10:29pm
