Published: 13/11/2023
Applies to: Cayosoft Administrator 10.3 or later.
Summary: This article contains step-by-step instructions for adding the Send As permission to an Active Directory Distribution List that was once (or still is) a member of a protected group.
Issue
If you add a user as a SendAs delegate to a Distribution List that was once (or still is) a member of a protected group, you will get this error:
Active Directory operation failed on <computer.domain.com>. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152DB2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0.
Overview
If a user or a group is a member of an Active Directory protected group, the SDProp process, which runs every hour, makes the following changes to that user or group:
- The adminCount attribute is set to 1.
- Inheritance is disabled on the object's Access Control List.
After that, it is impossible to add a user as a SendAs delegate to a Distribution List using AD native tools or the Cayosoft Web Portal.
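To find the lists affected by the two changes above before working through the resolution, the following read-only PowerShell audit can be used. It is an added example, not part of the original article or Cayosoft's own tooling; it assumes the ActiveDirectory RSAT module, treats any mail-enabled group as a distribution list, and the function name is hypothetical.

```powershell
# Added example: read-only audit. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-SDPropStampedDistributionList {   # hypothetical name
    [CmdletBinding()]
    param(
        # Where to search; omit to search the whole domain.
        [string]$SearchBase
    )

    if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

    # rightsGuid of the Send-As extended right in the AD schema.
    $sendAs = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    # Assumption: "distribution list" = any mail-enabled group object.
    $filter = '(&(objectCategory=group)(mail=*)(adminCount=1))'

    Get-ADGroup -LDAPFilter $filter -SearchBase $SearchBase -Properties adminCount, memberOf |
        ForEach-Object {
            $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)

            # Explicit or inherited Allow ACEs granting Send As on this object.
            $delegates = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -band $extendedRight) -and
                $_.ObjectType -eq $sendAs
            } | ForEach-Object { $_.IdentityReference.Value }

            [pscustomobject]@{
                Name                = $_.Name
                DistinguishedName   = $_.DistinguishedName
                AdminCount          = $_.adminCount
                # True when SDProp (or an admin) has blocked ACL inheritance.
                InheritanceDisabled = $acl.AreAccessRulesProtected
                # Direct memberships only; nested membership is not expanded.
                MemberOf            = @($_.memberOf)
                SendAsDelegates     = @($delegates)
            }
        }
}

Get-SDPropStampedDistributionList | Format-List
```

A list that still shows a protected group in MemberOf will have adminCount and the inheritance block reapplied on the next SDProp run, which is why the resolution starts by removing it from the protected group. Running the audit again after the resolution should no longer return the list.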
Resolution
Remove the Distribution List from the protected group, clear the adminCount attribute and restore defaults for Advanced Security Settings.
- In ADUC open Distribution List Properties > Member Of.
- Remove the Distribution List from protected groups.
- In ADUC open Distribution List Properties > Attribute Editor.
- Double-click the adminCount attribute, and clear it.
- Save changes.
- Open Distribution List Properties > Security > Advanced.
- On Advanced Security Settings click Restore Defaults.
- Save changes.
Add Send As permission manually in ADUC.
- In ADUC open Distribution List Properties > Security > Advanced.
- Click Add.
- Click Select Principal and specify the user who will receive the Send As permission.
- Scroll down the Permissions and Properties list and click Clear All.
- Go back to the Permissions list and check Send As.
- Click OK.
- Save changes.