Hi Brian, Since last post, I have tried their workaround, however it did not help. Not sure why. The other workaround they had was to adjust the Windows Service login account from Local System to a Domain User account. After doing this, the product was able to read group membership perfectly. The product is called Exclaimer Signature Manager.

Hi, Recently we have started using a product that generates company Outlook Signatures. This is based on a template, which reads members of a group, 'Signature A'. So far, some users this works fine with, some it doesn't. The product doesn't pickup certain members of this group. Working with the vendor's team, we have put it down to a difference in permissions for each user. For example, if I go into ADUC, narrow down to UserA, Properties, Security, Advanced, Effective Permissions, select NETWORK SERVICE, this 'principal' has access to 'Read group membership' for UserA. However if I go to UserB (a user affected by this issue) it does not. The vendor's workaround is to assign permission for NETWORK SERVICE to the domain root for 'Read group membership', by going to ADUC, right-click domain.local, Properties, Security, Advanced, Add, NETWORK SERVICE, OK, Properties tab, Apply to 'Descendant User objects', tick 'Read group membership', OK OK OK. We have experienced several AD hiccups in this company's history, and I am on a slight mission to iron them out instead of performing workarounds. How do I find out why this security permission is getting applied to some users and not others?

Hi, My suspection is that the product needs to add ACL to all the users. However, some users under a container may not inherite permissions properly. I think the workaround is worth trying. Let's see how it works. Thanks, BrianPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi, Effective Permission is sometimes not that accurate. Im unsure if you view the result on Windows Server 2003. If it is the case, please apply the hotfix for the server http://support.microsoft.com/kb/933071 In addition, Network service is pre-defined account used for accessing network resources by applications. NOrmally, we don't need do any changes to its permissions. Is it a Micrsoft product? Does it work after doing the permission change? Thanks, BrianPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Apologies, our domain is Windows Server 2008 R2. This product is not made by Microsoft, no. I haven't done extensive testing to prove that after performing their workaround the product works. At this point I can only go by their advice.

Hi Brian, Since last post, I have tried their workaround, however it did not help. Not sure why. The other workaround they had was to adjust the Windows Service login account from Local System to a Domain User account. After doing this, the product was able to read group membership perfectly. The product is called Exclaimer Signature Manager.

Hi, Thanks for posting in Microsoft TechNet forums. I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. Thank you for your understanding and support. Regards Kevin TechNet Subscriber Support If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

Local System uses Computer Account when accessing AD; could be a problem that the service account doesn't have enough permission with reading AD objects. The product should have a log for tracing this. Anyway, glad to hear it finally works. Thanks, BrianPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi, Thanks for replying. Appreciate the effort, and will await your reply. So far, I haven't been able to find a link between accounts, if group membership affects it or not.