All users able to add/remove members in distribution groups from Outlook 2003/2007
Hi, I am using Exchange 2007 in my organization. Recently I have found that in the last few days all my users are able to add or remove members in distribution groups that are created in Exchange; they simply use Outlook 2007 and are able to add/remove members... Can anyone help me sort out this issue? How can I stop users from doing this? I want to restrict them from this.
July 15th, 2010 4:31pm

Hi,

See the properties of the DG in Exchange Management Console. These users must exist in the "Managed By" property of each DG, or they might be part of a security group which exists in "Managed By" with the "Manager can update membership list" flag set.

Regards,
Laeeq Qazi | Team Lead (Exchange + Sharepoint + BES + DynamicsCRM)
www.HostingController.com
July 15th, 2010 4:44pm

No dear, I have two domain controllers in a trust relationship: my primary domain controller has the mail server and the other has AD. The DLs in my primary domain controller cannot be changed by any user, and the DLs that exist in the other domain, where my AD exists, can be changed by the user... I have checked all the security permissions of the DLs and they all have the same attributes. Any help please.
July 16th, 2010 8:36am

I have two domain controllers. When I see the effective permissions on the domain where my mail server exists, it shows only read-only permission, but when I check the user migrated domain, where my AD exists, I see that the user has all rights. How can I change that?
July 16th, 2010 9:20am

On Thu, 15 Jul 2010 13:31:34 +0000, Luv2Microsoft wrote:
>Hi,
>
>I am using Exchange 2007 in my organization. Recently I have found that in the last few days all my users are able to add or remove members in distribution groups that are created in Exchange; they simply use Outlook 2007 and are able to add/remove members...
>
>Can anyone help me sort out this issue? How can I stop users from doing this? I want to restrict them from this.

Use ADUC (or ADSIEDIT) and check the "Security" tab on one of the Distribution Groups. Click the "Advanced..." button and then sort the list by "Permission". Who has "Full Control"? Who has "Write Members" permission? I expect you'll find something like the Everyone group has.

If not, check what groups the people are in that shouldn't be able to change the membership of the group. Maybe you've added "Everyone" to the Domain Administrators group?

Whatever you do, do NOT deny the Everyone group permissions, just remove the permission (not having permission isn't the same as being denied permission)!

---
Rich Matheisen
MCSE+I, Exchange MVP
July 17th, 2010 3:28am

On Fri, 16 Jul 2010 05:36:52 +0000, Luv2Microsoft wrote:
>I have two domain controllers in a trust relationship: my primary domain controller has the mail server and the other has AD.

You have more than one AD forest? Domains within an AD forest implicitly trust each other; there's no need to establish a "trust relationship" within the AD forest.

>The DLs in my primary domain controller cannot be changed by any user, and the DLs that exist in the other domain, where my AD exists, can be changed by the user...
>
>I have checked all the security permissions of the DLs and they all have the same attributes.

If the security settings on both DLs are identical then you'll have to check the membership of the groups that have permissions on the DL (I'd start with the groups that have inherited permissions). You probably have a group containing "normal" users "nested" in some other group that has special permissions.

---
Rich Matheisen
MCSE+I, Exchange MVP
July 17th, 2010 3:33am

Hi, I have checked on both my domain controllers, but in the OU I did not find any permission for a user having full access. But in my distribution group's Properties --> Security --> Advanced --> Effective Permissions, when I type a user name that is in my other domain, it shows full access. This is not happening with a single user; all users in this domain have full access... Please help me sort this out.
July 19th, 2010 9:13am

On Mon, 19 Jul 2010 06:13:38 +0000, Luv2Microsoft wrote:
>I have checked on both my domain controllers, but in the OU I did not find any permission for a user having full access. But in my distribution group's Properties --> Security --> Advanced --> Effective Permissions, when I type a user name that is in my other domain, it shows full access. This is not happening with a single user; all users in this domain have full access... Please help me sort this out.

Okay, so no individual user has the necessary permission to modify the membership of the groups. What about groups that have permission to modify the membership?

---
Rich Matheisen
MCSE+I, Exchange MVP
July 20th, 2010 5:23am

Yes.. by this, users are able to add/remove members in the DL through Outlook.

No, I am not able to find any permission assigned on a group or user. How can I find it?
July 20th, 2010 8:32am

On Tue, 20 Jul 2010 05:32:04 +0000, Luv2Microsoft wrote:
>Yes.. by this, users are able to add/remove members in the DL through Outlook.
>
>No, I am not able to find any permission assigned on a group or user. How can I find it?

Have you looked at every group that user is a member of? If none of those groups have permission to modify the group's membership then verify that none of those groups are members of any group that has permission to modify the membership.

You might want to first verify that the "adminCount" property of the user is not greater than 1 (or isn't present at all). If the adminCount is greater than zero the user is a member of a protected group.

---
Rich Matheisen
MCSE+I, Exchange MVP
July 21st, 2010 3:58am

How can I check this one?

>You might want to first verify that the "adminCount" property of the user is not greater than 1 (or isn't present at all). If the adminCount is greater than zero the user is a member of a protected group.
July 21st, 2010 1:42pm

>How can I check this one?
>
>>You might want to first verify that the "adminCount" property of the user is not greater than 1 (or isn't present at all). If the adminCount is greater than zero the user is a member of a protected group.

You can use ADSIEdit.msc, which is a built-in tool in Windows 2008; for Windows 2003 you will have to install it after downloading. Open AdsiEdit.msc and go to the "Default Naming Context" section, which is like browsing AD users in ADUC, then locate your user and see its properties. You will find "adminCount" at the start.

Regards,
Laeeq Qazi | Team Lead (Exchange + Sharepoint + BES + DynamicsCRM)
www.HostingController.com
July 21st, 2010 5:14pm

Yes dear, I have checked it, but it's = <not set>
July 22nd, 2010 9:43am

On Thu, 22 Jul 2010 06:43:11 +0000, Luv2Microsoft wrote:
>Yes dear, I have checked it, but it's = <not set>

Then you're back to examining the set of objects that have the ability to modify the "members" property on the DL. Then finding out, for each group, whether a person is either a member of that group or indirectly a member of that group (by being a member of a group that's a member of the group with the necessary permission).

You're still at the same place you were on July 16th.

---
Rich Matheisen
MCSE+I, Exchange MVP
July 23rd, 2010 4:00am
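
The check described in the reply above, as an added example that is not part of the original thread: it lists the allow ACEs on a DL that can write the "member" attribute and keeps only those whose trustee the user holds directly or through nesting. It assumes the ActiveDirectory PowerShell module and a single domain reachable through the AD: drive; `Example-DL` and `example.user` are placeholder names.

```powershell
# Added example: $GroupName and $UserName are placeholders, not values from the thread.
Import-Module ActiveDirectory
$GroupName = 'Example-DL'
$UserName  = 'example.user'

# schemaIDGUID of the "member" attribute; an all-zero ObjectType means "all properties".
$memberGuid  = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$writeProp   = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$group = Get-ADGroup -Identity $GroupName
$user  = Get-ADUser  -Identity $UserName -Properties adminCount, PrimaryGroup
Write-Output "adminCount: $($user.adminCount)"   # empty output means <not set>

# Every SID the user carries: own SID, Everyone, Authenticated Users, the primary
# group, and all groups reached by nesting. The primary group (usually Domain Users)
# is not listed in memberOf, so its nesting is walked separately.
$chain = '1.2.840.113556.1.4.1941'   # LDAP_MATCHING_RULE_IN_CHAIN
$sids  = @($user.SID.Value, 'S-1-1-0', 'S-1-5-11')
$sids += (Get-ADGroup -Identity $user.PrimaryGroup).SID.Value
foreach ($dn in @($user.DistinguishedName, $user.PrimaryGroup)) {
    # Assumes the DN contains no characters that need LDAP filter escaping.
    $sids += Get-ADGroup -LDAPFilter "(member:${chain}:=$dn)" |
             ForEach-Object { $_.SID.Value }
}

# Allow ACEs on the DL that permit writing "member". Full Control and Generic Write
# both include the WriteProperty bit; inherit-only ACEs do not apply to the DL itself.
$acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
    (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and
    ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $memberGuid)
} | ForEach-Object {
    $ace = $_
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $sid = $null }   # trustee could not be resolved to a SID
    if ($sid -and ($sids -contains $sid)) {
        [pscustomobject]@{
            Trustee   = $ace.IdentityReference
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}
```

The primary group is walked separately because membership through primaryGroupID does not appear in memberOf, which is how a nesting of Domain Users inside another group can go unnoticed.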

In my second domain controller I found that the Domain Users group is a member of the Account Operators security group... Finally I have resolved this one. Thanks dear for your suggestions, they were very helpful for me.
August 6th, 2010 6:35am

This topic is archived. No further replies will be accepted.
