constraint violation occurs when attempting to add attibute dLMemSumbitPermsBL UserDN for distribution group hi can any one please help. we dont have an exchange server in our domain but use directory syncronization with microsoft exchange online. adding the attibute msExchRequireAuthToSendTo works fine but trying to add dLMemSumbitPermsBL with a value of CN=VANG-Distribution-Group-Auth,OU=Security Groups,DC=viceroyang,DC=corporate,DC=thekorgroup,DC=loca returns a constrain error or the following error message ADMODIFY.ERR - A constraint violation occurred. (Exception from HRESULT: 0x8007202F we are running Windows Server 2003 R2 SE SP2 and using AD version 5.2.3790.3959 with MS Exchange online

It looks like you are trying to write a back-link attribute value - which is not possible. You can only write the forward link values. http://www.activedir.org/Articles/tabid/54/articleType/ArticleView/articleId/39/Default.aspx What is it you are trying to achieve?Tony

Agree with Tony you're trying to back-link an attribute for attributes that are programmed to be hardcoded only.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

Tony / James thanks - i have this distribution group: CN=VANG-Test-DG,OU=Distribution Groups,DC=mydomain,DC=com i have a security group CN=VANG-Distribution-Group-Auth,OU=Security Groups,DC=mydomain,DC=com i would like to use Active directory Explorer from systeminternals.com to set the property dLMemSumbitPerms with a value of: VANG-Distribution-Group-Auth,OU=Security Groups,DC=mydomain,DC=com so that ONLY membs of the VANG-Distribution-Group-Auth security group can send email to the distribution group VANG-Test-DG e.g. (vang.dg.test@mydomain.com) this used to work with distribution groups when we had a local exchange server but we have since migrated to Microsoft Exchange Online and decomissioned our local Exchange server we have run into a problem. i realized now the error of trying to modify dLMemSumbitPermsBL - thank you for that however when i try to use dLMemSumbitPerms i get a new error that the value: 'VANG-Distribution-Group-Auth,OU=Security Groups,DC=mydomain,DC=com' is not a valid syntax for ORName

Hi Matthew Looks like you might have missed the "CN=" prefix from the name CN=VANG-Distribution-Group-Auth,OU=Security Groups,DC=mydomain,DC=com not VANG-Distribution-Group-Auth,OU=Security Groups,DC=mydomain,DC=comTony

I appologize Tony ! - I did miss it from the post but its not being missed from the attempt to enter the value in Active Directory Explorer or ADMODIFY I am using: cn=vang-distribution-group-auth,ou=security groups,dc=mydomain,dc=com and ideas why i would get not valid syntax for an ORName in Active Directory Explore or Exception from HRESULT: 0x8007200A error in ADMODIFY <?xml version="1.0" standalone="no" ?> <!DOCTYPE LogFile (View Source for full doctype...)> - <XmlRoot xmlns="45201134600PM.xml"> <user UserDN="LDAP://CN=VANG-Test-DG,OU=Distribution Groups,DC=mydomain,DC=com," type="Failure" attribute="dLMemSumbitPerms" message="ADMODIFY.ERR - The specified directory service attribute or value does not exist. (Exception from HRESULT: 0x8007200A)" /> </XmlRoot>

You can't modify that attribute it's owned by the system. ms-Exch-DL-Mem-Submit-Perms-BL Attribute Backlink to ms-Exch-DL-Mem-Submit-Perms Attribute. If you're trying to put in the restriction of who can send to the DL use the dLMemSubmitPerms attribute.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

Hi Matthew Can you check your AD schema to see that the attribute ms-Exch-DL-Mem-Submit-Perms Attribute is present?Tony

James: thanks for your continued help: to answer your question - yes im trying with the dLMemSubmitPerms attribute now and not the dLMemSubmitPermsBL one (i was originally trying with the BL attribute in error) Tony: I just checked my schema and the attribute ms-Exch-DL-Mem-Submit-Perms is there strangely i was able to successfully add both the msExchRequireAuthToSendTo and msExchHideFromAddressLists attributes successfully to the distribution list in question. do I have to enclose the intended value of the ORName CN=Vang-Distribution-Group-Auth,OU=Security Groups,DC=mydomain,DC=com in any special quotation marks or other delimiters? could it be the AD attribute editor I'm attempting to use?

James: thanks for your continued help: to answer your question - yes im trying with the dLMemSubmitPerms attribute now and not the dLMemSubmitPermsBL one (i was originally trying with the BL attribute in error) Tony: I just checked my schema and the attribute ms-Exch-DL-Mem-Submit-Perms is there strangely i was able to successfully add both the msExchRequireAuthToSendTo and msExchHideFromAddressLists attributes successfully to the distribution list in question. do I have to enclose the intended value of the ORName CM=Vang-Distribution-Group-Auth,OU=Security Groups,DC=mydomain,DC=com in any special quotation marks or other delimiters? could it be the AD attribute editor I'm attempting to use?

Hi Matthew Normally you would need to enclose it in double-quotes if the DN contains spaces, but yours doesn't appear to. Try entering the value on the DG with ADSIEdit and see if that will accept the syntax. Tony

Hi Tony, I was able to set the value of the dLMemSubmitPerms using ASDIedit but even after waiting over 24 hrs the desired result had not taken place. I then realized that the controlling group: CN=Vang-Distribution-Group-Auth,OU=Security Groups,DC=mydomain,DC=com is defined as a security group and not a distribution group. I have since changed it to a distribution group and am currently waiting to see if the change will produce the desired result after replication. As a side note, I am curious as to whether I can set the attribute msExchRequireAuthToSendTo at the same time as dLMemSubmitPerms or whether the two would interfer with each other. if i get dLMemSubmitPerms to work i will test setting msExchRequireAuthToSendTo = TRUE afterwards regards

Hi - it stilll does not work I have tried everything I can think of (all of the above). Are there any other exchange added attributes that need to be set in order for the dlMemSubmitPerms attibute to work? as the actual exchange server is located in the cloud (mail.microsoftonline.com) I will try to re open a ticket with them and ask them if they are seeing the dlMemSubmitPerms in their environment (i assume that they have a replica of our domain somewhere ...)