People often change permissions when they should not. One common mistake administrators make is removing Authenticated Users from the security mask on the Address Lists Container, thus hiding it from everybody. Once this is done, the following things will break:
1. The OAB Generation process (for Enterprise and Hosting Versions of Exchange)
2. Outlook's check names functionality. This will stop all new profiles from being created
3. All MAPI applications that need access to the Global Address List (GAL)
There are a few ways this can manifest itself:
1. The Exchange 2003 forestprep process fails with error 0x80071392
2. You are unable to install Exchange into a child domain
3. People are not able to create profiles
4. Blackberry BesAdmin account has no access to accounts.
There are a few ways to fix this and you will need to pick which is the best one for you:
WARNING: Changing the permissions from the default installed settings can cause your Exchange Organization to become unusable.
Option 1: You can assume ownership of the object using DSACLS:
Example: DSACLS "dn of active directory object" /G domain name\UserAccount:WO

DSACLS "CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com" /G domain\administrator:WO
Option 2: You can grant rights to the object using DSACLS (this will wipe the current DACLs and replace them with what you select!!):
Example: DSACLS "dn of active directory object" /N /G domain name\UserAccount:RP

DSACLS "CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com" /N /G domain\administrator:RP
Option 3: This is the safest option if you are not sure; however, this will reset the object's permissions back to the Schema Defaults:
Example: DSACLS "dn of object" /S

DSACLS "CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com" /S
Depending on your permissions, you may also need to do some additional work by inheriting permissions, based on the option that is best suited for your organization. You can use ADSIEdit to reselect the checkbox for Inherit Permissions.
For the most part, option 2 will be your best option: add an account to the security list so you can get the container back, and then reset the ownership and permissions. To be on the extra safe side, you can always run setup /forestprep after you have run DSACLS to reset the effective permissions to the default setup.
To make sure that they are set correctly here are the permissions as they should be listed:
CN=Address Lists Container and CN=Offline Address Lists Container Permissions
Authenticated Users: Special Permissions: List Contents

CN=Default Global Address List Permissions
Authenticated Users: Read and Open Address List
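
A read-only way to confirm the List Contents entry on the containers is to read the DACL and look for the Authenticated Users ACE. This is an added example, not part of the original post. The DN is the placeholder form used in the DSACLS examples above; pass the DN of your Offline Address Lists container in -ContainerDN as well. The Open Address List right on the Default Global Address List is not checked here.

```powershell
# Added example: read-only DACL check, makes no changes to the directory.
param(
    # Assumption: placeholder DN in the same form as the DSACLS examples;
    # replace with the containers of your own organization.
    [string[]]$ContainerDN = @(
        'CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com'
    )
)

Add-Type -AssemblyName System.DirectoryServices

$authUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users
# "List Contents" in the security dialog is the ListChildren right
$listContents = [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren

foreach ($dn in $ContainerDN) {
    try {
        $entry = [ADSI]"LDAP://$dn"
        # Explicit and inherited ACEs, with identities returned as SIDs
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
    } catch {
        # Typical when the running account itself can no longer see the container
        Write-Warning "Cannot read the security descriptor of '$dn': $($_.Exception.Message)"
        continue
    }

    # ACEs for Authenticated Users that include List Contents
    $aces = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $authUsersSid -and
        ([int]$_.ActiveDirectoryRights -band $listContents) -ne 0
    })
    $allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })
    $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })

    [pscustomobject]@{
        Container         = $dn
        AllowListContents = ($allow.Count -gt 0)
        DenyListContents  = ($deny.Count -gt 0)    # a Deny ACE overrides the Allow
        InheritedOnly     = ($allow.Count -gt 0 -and
                             @($allow | Where-Object { -not $_.IsInherited }).Count -eq 0)
    }
}
```

A container reporting AllowListContents = False, or DenyListContents = True, is one that Authenticated Users cannot list.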