Users Listed in the "Managed by" Box Are Unable to Manage Groups
Hi everyone: I have a universal distribution group that I am trying to configure so that a particular user can manage it. She will be adding and removing people from the list using Outlook 2002 and the version of Exchange is 2007.

So far, we tried/configured the following:
1. In Exchange management console under Group Information, I checked the "Managed By" field and then added the user.
2. In Active Directory under the Managed By tab, I verified that the user was listed and then checked the "Manager can update membership list" box.
3. In Active Directory under the Security tab, I verified that the user has the following permissions: List Contents, Read all properties, Write all properties, Read permissions, All validated writes, Add/remove self as member, Read members, Write members.

Am I missing something here? I have been to many forums and they all say that I am doing this correctly so thought I would ask the pros if you had any advice. Thanks Chris
June 9th, 2010 1:48am

On Tue, 8 Jun 2010 22:48:20 +0000, Steinomite wrote:

>I have a universal distribution group that I am trying to configure so that a particular user can manage it. She will be adding and removing people from the list using Outlook 2002 and the version of Exchange is 2007.
>
>So far, we tried/configured the following:
>1. In Exchange management console under Group Information, I checked the "Managed By" field and then added the user.
>2. In Active Directory under the Managed By tab, I verified that the user was listed and then checked the "Manager can update membership list" box.
>3. In Active Directory under the Security tab, I verified that the user has the following permissions: List Contents, Read all properties, Write all properties, Read permissions, All validated writes, Add/remove self as member, Read members, Write members.
>Am I missing something here? I have been to many forums and they all say that I am doing this correctly so thought I would ask the pros if you had any advice. Thanks Chris

How many AD domains are there in your AD forest? The GC used by the user must be a GC in the same domain as the group and the user trying to make the change. Only the GC in the domain that holds the group has a writable copy of the data.

--- Rich Matheisen MCSE+I, Exchange MVP
June 9th, 2010 4:50am

Hi, Yes, as Rich said, you should confirm whether your environment is a multi-domain environment. In a multi-domain environment, the GC chosen by the client may not be in the same domain as the Active Directory group objects. Therefore, users might not be able to update group membership because the "selected" GC may have a read-only copy of the group. Thanks Allen
June 9th, 2010 6:46am

Thanks guys. We do have two domains. The distribution group was created in the child domain but has a root domain email address (by default). We demoted the group to run in "Domain local", but the user still cannot add/edit the distribution group. Also, she cannot see the users in the list anymore (but I can see them on the server). Thanks Chris
June 10th, 2010 1:29am

On Wed, 9 Jun 2010 22:29:51 +0000, Steinomite wrote:

>We do have two domains. The distribution group was created in the child domain but has a root domain email address (by default).

The e-mail address doesn't matter. What's the distinguished name of the user? What's the distinguished name of the group?

>We demoted the group to run in "Domain local", but the user still cannot add/edit the distribution group.

That's not going to work very well. Mail-enabled groups should have a "universal" scope.

>Also, she cannot see the users in the list anymore (but I can see them on the server).

Sure. The membership of a group with a non-universal scope isn't present in GCs outside the group's domain.

--- Rich Matheisen MCSE+I, Exchange MVP
June 10th, 2010 4:52am

Hi, You should not demote the group to "Domain local"; that's not the issue. As you mentioned, you have a child and a root domain. The distribution group was created in the child domain, which means only the GC of the child domain has a write copy of the group. The GC of the root domain has a read-only copy. By default, there is only one GC in the root and child domain. Thus, you need to promote the DC of the child domain to GC or move the GC role from the root domain to the child domain. Thanks Allen
June 10th, 2010 6:11am

Thanks guys, that does make sense now when you explain it. We have a total of 8 domain controllers, all of which are GCs. 5 children and 3 root.

The DN for the user is: CN=User,OU=Title,OU=Department,OU=Location,OU=Status,DC=Child,DC=Root,DC=Extension

The DN for the group is: CN=Group,OU=Location,DC=Child,DC=Root,DC=Extension

Instead of using the actual names, I substituted with what function they serve and/or the location they are at. Looks like both the user and the group are housed in the child domain. Thanks Chris
June 10th, 2010 6:12pm

Hi, If the child domain also has a GC, next you should ensure the Outlook client selects the GC of the child domain. Thanks Allen
June 11th, 2010 4:17am

On Thu, 10 Jun 2010 15:12:24 +0000, Steinomite wrote:

>We have a total of 8 domain controllers, all of which are GCs. 5 children and 3 root.
>
>The DN for the user is: CN=User,OU=Title,OU=Department,OU=Location,OU=Status,DC=Child,DC=Root,DC=Extension
>
>The DN for the group is: CN=Group,OU=Location,DC=Child,DC=Root,DC=Extension

The user and group are in the same AD domain. But that doesn't mean that the user is connected to a GC in the "Child" domain. If a GC in the "Root" domain is being used it will have just a read-only copy of the information.

--- Rich Matheisen MCSE+I, Exchange MVP
June 11th, 2010 5:44am

Sorry it's taking me so long to get my head around it. Guess I am just confused why my group and user created in a child domain need to talk with the GC in the root domain. It's like the system is going out of its way to make sure the DL is not manageable... Sounds like I am pretty stuck then? Any suggestions on how to get around this? Should I be creating DLs differently in the future? Thanks again guys! Chris
June 15th, 2010 1:09am

Hi, You first need to confirm that the GC Outlook is connecting to is in the child domain. Hold Ctrl and right-click the Outlook icon in the system tray, select Connection Status, and confirm the GC listed for the Directory. If it's a GC of the root domain, you need to use the registry to specify the GC of the child domain to be used for Outlook on the client side.

HKEY_CURRENT_USER\Software\Microsoft\Exchange\Exchange Provider
Value name: DS Server
Data type: REG_SZ (string)
Value data: FQDN of the global catalog server

How to configure Outlook to a specific global catalog server or to the closest global catalog server
http://support.microsoft.com/kb/319206

Thanks Allen
June 15th, 2010 6:02am

On Mon, 14 Jun 2010 22:09:19 +0000, Steinomite wrote:

>Sorry it's taking me so long to get my head around it. Guess I am just confused why my group and user created in a child domain need to talk with the GC in the root domain. It's like the system is going out of its way to make sure the DL is not manageable...
>
>Sounds like I am pretty stuck then? Any suggestions on how to get around this? Should I be creating DLs differently in the future?

Your problem is an AD design problem, combined with an Outlook problem. Having GCs from multiple domains in the same AD site leads Outlook to believe any one of them is as good as the other. If your users don't move around, and your AD infrastructure is stable, you can tell Outlook to use a specific GC.

http://support.microsoft.com/kb/319206

Point Outlook to a GC in the child domain. I'd do this just for the troublesome users, not for the general population.

--- Rich Matheisen MCSE+I, Exchange MVP
June 15th, 2010 6:09am

Thanks guys. In the end, I created an entry into our login script to add this key for users that needed to manage contacts and it works like a charm. Chris
June 21st, 2010 5:27pm
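
The logon-script approach described above, combined with the advice to pin the GC only for the users who need it, sketched in PowerShell as an added example that is not code from the thread. The GC name `gc01.child.root.example` and the security group `CHILD\DL-Managers` are placeholders, and the check assumes the group being managed lives in the user's own domain and that GCs carry that domain's DNS suffix.

```powershell
# Added example (not from the thread): pin Outlook to a GC in the user's
# own domain, but only for users who manage distribution groups.

$GcFqdn       = 'gc01.child.root.example'  # placeholder: FQDN of a GC in the group's domain
$ManagerGroup = 'CHILD\DL-Managers'        # hypothetical security group of DL managers
$KeyPath      = 'HKCU:\Software\Microsoft\Exchange\Exchange Provider'
$ValueName    = 'DS Server'                # value name given in the thread / KB 319206

# Is the logged-on user a member of the manager group?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isManager = $principal.IsInRole($ManagerGroup)

# Assumption: a GC in the user's domain has a name ending in that domain's
# DNS suffix. A GC from another domain would only hold a read-only copy of
# the group, so refuse to pin it.
$inUserDomain = $false
if ($env:USERDNSDOMAIN) {
    $suffix       = '.' + $env:USERDNSDOMAIN.ToLower()
    $inUserDomain = $GcFqdn.ToLower().EndsWith($suffix)
}

if ($isManager -and $inUserDomain) {
    # Create the key if Outlook has not created it yet, then set the REG_SZ value.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $GcFqdn -Type String
}
elseif (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue) {
    # User no longer qualifies (or the configured GC is in the wrong domain):
    # remove a stale pin so Outlook returns to its default GC selection.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName
}
```

Because the value lives under HKEY_CURRENT_USER, the script has to run in the user's logon session, and Outlook needs a restart before it picks up the change.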

One last question. What happens if the DC that I point the Outlook client to is offline? Will Outlook default back to the root DC or will I have to manually go in and delete that key for Outlook to start working again? If Outlook just tanks, can I add a key to point to a secondary DC if the first one is unavailable? Thanks.
June 21st, 2010 7:02pm

On Mon, 21 Jun 2010 16:02:10 +0000, Steinomite wrote:

>One last question.
>
>What happens if the DC that I point the Outlook client to is offline? Will Outlook default back to the root DC or will I have to manually go in and delete that key for Outlook to start working again?

IIRC, Outlook falls back to its default behavior to find a working GC. It's easy enough to test, though. Just put a bogus GC name into the value and see what happens.

>If Outlook just tanks, can I add a key to point to a secondary DC if the first one is unavailable?

No.

--- Rich Matheisen MCSE+I, Exchange MVP
June 22nd, 2010 4:49am

Thanks Rich. I did as you instructed and verified that it will fail over to an available DC if the specified one is not present. Thanks so much everyone for getting me through this. You're all truly brilliant people. Chris
June 22nd, 2010 9:32pm

This topic is archived. No further replies will be accepted.