Dgoldman's WebLog

The daily adventures of an Escalation Engineer

Missing permissions on the Address Lists Container breaks the OAB Generation process

Missing permissions on the Address Lists Container breaks the OAB Generation process

  • Comments 1

Many times people often play with permissions when they should not. One common mistake administrators make is that they remove the Authenticated Users from the security mask on the Address Lists Container thus hiding it from everybody. Once this is done the following things will break:

1. The OAB Generation process (for Enterprise and Hosting Versions of Exchange)
2. Outlook's check names functionality. This will stop all new profiles from being created
3. All MAPI applications that need access to the (GAL) Global Address List

There a few ways this can manifest itself:

1. The Exchange 2003 forestprep process fails with error 0x80071392
2. You are unable to install Exchange in to a child domain
3. People are not able to create profiles
4. Blackberry BesAdmin account has no access to accounts.

There are a few ways to fix this and you will need to pick which is the best one for you:

WARNING: Changing the permissions from the default installed settings can cause your Exchange Organization to become un-useable.

Option 1: You can assume ownership of the object using DSACLS:
Example: DSACLS "dn of active directory object" /G domain name\UserAccount:WO

DSACLS "CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com" /G domain\administrator:WO

Option 2: You can grant rights to the object using DSACLS: (this will wipe the current DACLS and replace them with what you select!!):
Example: DSACLS "dn of active directory object" /N /G domain name\UserAccount:RP

DSACLS "CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com" /N /G domain\administrator:RP

Option 3: This is the safest option if you are not sure, however this will reset the objects permissions back to the Schema Defaults:
Example: DSACLS "dn of object" /S
DSACLS "CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com" /S

Now depending on your permissions you may also need to do some additional work by inheriting permissions based on the option that is best suited for your organization. You can use ADSIEdit to re select the checkbox for Inherit Permissions

For the most part option 2 will be your best option by adding an account to the security list so you can get the container back, and then reset the ownership and permissions. To be on the extra safe side if you need you can always run setup /forestprep after you have ran DSACLS to reset the effective permissions to the default setup.

To make sure that they are set correctly here are the permissions as they should be listed:

CN=Address Lists Container and CN=Offline Address Lists Container Permissions
Authenticated Users: Special Permissions: List Contents

CN=Default Global Address List Permissions
Authenticated Users: Read and Open Address List

Dave

Comments
  • Exchange Server mobile device management Radicati Group Releases New Study "Microsoft Exchange 2007

Page 1 of 1 (1 items)