Reading Distribution List Membership


Stephen Engle

I am trying to find a set of rights in Active Directory to allow certain
groups to view and read group (DL) membership. Can anyone tell me what
those rights might be and how to grant them in AD?


Joe Richards [MVP]

You need to grant RP on the member attribute of a group. By default, most users
can already read this info.

Now if these groups are "hidden" by Exchange you are pretty screwed because
Exchange "hacks" the ACL on the DLs and you would have to further hack it (no
existing supported tools to do this, you would have to script it) to allow
someone to read members that isn't an account op, domain admin, or Exchange Server.


Glenn L

? for you Joe...

Is the RUS configurable in the way it hacks the DACLs on hidden DLs?

Glenn L

It is the Exchange task wizard in the Exchange provided 'users and
computers.msc' that does the hacking.
Seems to me I could simply use the security tab (instead of EXTasks) to
prevent authenticated users, then grant specific groups read access to
specific DLs.
I will have to test this.

Joe Richards [MVP]

The issue is the ACL order. When exchange hides DL Membership it puts the ACL
into a non-canonical order. Everything else forces the ACL into a canonical
order that is why the ADUC[1] says that it can't modify the ACL of a hidden group.

The whole thing comes down to how ACLs are implemented. They are a list of ACEs,
the first DENY ACE that applies to the security principal being checked stops
check of the ACL. You have inherited ACEs and explicit ACEs, explicit overrides
inherited. DENIES override GRANTS. So if you put them together, an inherited
DENY can be overwridden by an explicit GRANT.

If you are looking to duplicate this functionality w/o using the Exchange
non-canonical formating (aka hacking) of the ACL, you would do it by clearing
the ACL on a group (except for system and admins), placing the group in an OU
and only allowing read for the properties you want everyone (auth users) to read
on the OU for groups, and then explicitely granting RP on member for whomever it
is you want to read the membership on the individual groups. If you are using
Exchange, don't forget to allow Exchange access explicitely because in certain
multidomain circumstances when reading specific GCs it relies on auth user's
access to the membership attribute.


[1] This is now, when this first happened, ADUC would correct the ACL and the
membership would be revealed again.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question