To resolve this issue, use one of the following methods as applicable to your situation.
Method 1: You can access the Default Global Address List Properties dialog box
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To resolve this issue, follow these steps:
- Start Exchange System Manager.
- Expand the Recipients container, and then
expand All Global Address Lists.
- Right-click Default Global Address List,
and then click Properties.
- Click the Security tab, click
Authenticated Users, and then click to select the
Allow check box next to Full Control.
Note An "Unable to display security information" message may appear
when you click the
Security tab on the
Default Global Address
List object. If this message appears, open the All Global Address Lists
object's properties before you open the Default Global Address List object's
properties.
Method 2: You cannot access the Default Global Address List Properties dialog box
In this scenario, the
Default Global Address List container may not appear in Exchange System Manager, or you receive an error message when you right-click
Default Global Address List, and then click
Properties. To resolve this issue, use the
DSACLS.exe command to view and to modify the permissions on the
Default Global Address List container. To do this, follow these steps:
- Type the following DSACLS.exe command, and then press ENTER to view the permissions that are assigned to the Default Global Address List container in the Active Directory directory service:
DSACLS "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com"
Replace Example and com with your domain and domain suffix names. Additionally, if your organization does not have the default name of First Organization, modify this command accordingly.
Note This command is one line. - View the results that are returned by this command to see if any Deny permissions are assigned to the NT AUTHORITY\Authenticated Users group.
- Type the following DSACLS.exe command, and then press ENTER to reset the permissions on the Default Global Address Lists container for the Authenticated Users group:
DSACLS "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com" /N /G "Authenticated Users":SDRCWDWOWPRPCALO
- Log off the computer, and then log on again.
- Start Exchange System Manager.
MORE INFORMATION
If you do not have access to the
All Global Address Lists container in Exchange System Manager, you can use the following
DSACLS.exe command to reset the permissions on this container for the Authenticated Users group:
DSACLS "CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com" /N /G "Authenticated Users":SDRCWDWOWPRPCALO
For a list of DSACLS.exe command-line options, type
dsacls /?, and then press ENTER at a command prompt.
The path of the object that you specify in the
DSACLS.exe command-line is a distinguished name in RFC 1779 format. If you do not know the path of your address list container, you can locate this container by using the Active Directory Services Interface (ADSI) Edit tool. To do this, follow these steps:
Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
- Start the ADSI Edit tool. To do this, click Start, click Run, type adsiedit.msc, and then click OK.
Note ADSI Edit is included with the Microsoft Windows 2000 and Windows Server 2003 Support Tools.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
301423
How to install the Windows 2000 Support Tools to a Windows 2000 Server-based computer
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
314203
How to install the Windows Support Tools from a command prompt
- Expand Configuration Container [servername.example.com], and then expand CN=Configuration,DC=example,DC=com.
- Expand CN=Services, expand CN=Microsoft Exchange, and then expand CN=OrganizationName where OrganizationName is the name of your Exchange organization.
- Expand CN=Address Lists Container.
- Click CN=All Global Address Lists. The distinguished name of the address list containers appear in the right pane. Make a note of the desired address list's distinguished name to then use it with the DSACLS command.
- Quit ADSI Edit.