Hi. I need to add certain user access to modify the mail-enabled group in AD. I have tried to implement PowerShell into my code for using "ADD-ADPermission" cmdlet, but that is failing by some unknown reason. So as a backup, I should try to add for certain user a write access to the "member" attributes of the group. But I have no idea what kind GUID I should use to offer those rights.. -- Petri

Hi Petri, I think GUID was not used in ACL or permission settings. Could you let us know more detailed information about your problem? Also, you can always use dsacl to configure permission for AD objects. It can use it in Powershell script if necessary. How to Use Dsacls.exe in Windows Server 2003 and Windows 2000 http://support.microsoft.com/kb/281146 Thanks.This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

I have written a web site by CSharp which create the distribution list into AD using the New-DistributionList cmdlet. I also setup the by "set-group -managedby" to setup the "owner" of the DL. But the owner is unable modify the members of the list until I give write access to member attribute for the user. For that I tried to use "Add-ADPermission -Identity groupname -User ownersID -AccessRights WriteProperty -Properties Member" in a code, but my IIS is crashing at that time. The same happend if I try to use "Get-ADPermission". So that is why I thought to step modifying the attribute ACL directly, as a backup. The error code on the IIS is pretty generic: 0x8007006d. -- Petri

Hi, Could you run the commands Add-ADPermission and Get-ADPermission manually in PowerShell console directly? If we could run the commands, it may be a IIS problem, it’s suggested to submit a new post in IIS forum, they are the best resource for this kind of problem. The Official Microsoft IIS Site http://forums.iis.net/ As I mentioned earlier, try to launch dsacl.exe to configure AD permission to test. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.