Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Unable to access the Default Global Address Lists container in Exchange System Manager


View products that this article applies to.

Symptoms

When you try to expand the All Global Address Lists container by using the Microsoft Exchange System Manager tool in Microsoft Exchange 2000 Server or in Microsoft Exchange Server 2003, you may experience one or more of the following symptoms:
  • You receive the following error message:
    You will not be able to add, remove or rename Global Address Lists because you do not have the required permissions on all Global Address Lists
  • The Default Global Address List container no longer appears under All Global Address Lists.
  • The Default Global Address List container appears under All Global Address Lists. However, when you right-click Default Global Address List and then click Properties, you receive the following error message:
    The specified directory service attribute or value does not exist.
  • Microsoft Outlook users can still access the Global Address List.

↑ Back to the top


Cause

This issue may occur if the Authenticated Users group does not have Full Control permissions to the Default Global Address List. Typically, this issue occurs if the Authenticated Users group is assigned Deny permissions to the Full Control check box on the Security tab of the Default Global Address List Properties dialog box.

↑ Back to the top


Resolution

To resolve this issue, use one of the following methods as applicable to your situation.

Method 1: You can access the Default Global Address List Properties dialog box

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


To resolve this issue, follow these steps:
  1. Start Exchange System Manager.
  2. Expand the Recipients container, and then expand All Global Address Lists.
  3. Right-click Default Global Address List, and then click Properties.
  4. Click the Security tab, click Authenticated Users, and then click to select the Allow check box next to Full Control.
Note An "Unable to display security information" message may appear when you click the Security tab on the Default Global Address List object. If this message appears, open the All Global Address Lists object's properties before you open the Default Global Address List object's properties.

Method 2: You cannot access the Default Global Address List Properties dialog box

In this scenario, the Default Global Address List container may not appear in Exchange System Manager, or you receive an error message when you right-click Default Global Address List, and then click Properties. To resolve this issue, use the DSACLS.exe command to view and to modify the permissions on the Default Global Address List container. To do this, follow these steps:
  1. Type the following DSACLS.exe command, and then press ENTER to view the permissions that are assigned to the Default Global Address List container in the Active Directory directory service:
    DSACLS "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com"
    Replace Example and com with your domain and domain suffix names. Additionally, if your organization does not have the default name of First Organization, modify this command accordingly.

    Note This command is one line.
  2. View the results that are returned by this command to see if any Deny permissions are assigned to the NT AUTHORITY\Authenticated Users group.
  3. Type the following DSACLS.exe command, and then press ENTER to reset the permissions on the Default Global Address Lists container for the Authenticated Users group:
    DSACLS "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com" /N /G "Authenticated Users":SDRCWDWOWPRPCALO
  4. Log off the computer, and then log on again.
  5. Start Exchange System Manager.

MORE INFORMATION

If you do not have access to the All Global Address Lists container in Exchange System Manager, you can use the following DSACLS.exe command to reset the permissions on this container for the Authenticated Users group:
DSACLS "CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com" /N /G "Authenticated Users":SDRCWDWOWPRPCALO
For a list of DSACLS.exe command-line options, type dsacls /?, and then press ENTER at a command prompt.

The path of the object that you specify in the DSACLS.exe command-line is a distinguished name in RFC 1779 format. If you do not know the path of your address list container, you can locate this container by using the Active Directory Services Interface (ADSI) Edit tool. To do this, follow these steps:

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
  1. Start the ADSI Edit tool. To do this, click Start, click Run, type adsiedit.msc, and then click OK.

    Note ADSI Edit is included with the Microsoft Windows 2000 and Windows Server 2003 Support Tools. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    301423 How to install the Windows 2000 Support Tools to a Windows 2000 Server-based computer
    For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    314203 How to install the Windows Support Tools from a command prompt
  2. Expand Configuration Container [servername.example.com], and then expand CN=Configuration,DC=example,DC=com.
  3. Expand CN=Services, expand CN=Microsoft Exchange, and then expand CN=OrganizationName where OrganizationName is the name of your Exchange organization.
  4. Expand CN=Address Lists Container.
  5. Click CN=All Global Address Lists. The distinguished name of the address list containers appear in the right pane. Make a note of the desired address list's distinguished name to then use it with the DSACLS command.
  6. Quit ADSI Edit.

↑ Back to the top


Keywords: KB286296, kbprb, kberrmsg, kbtshoot, kbenv

↑ Back to the top

Article Info
Article ID : 286296
Revision : 7
Created on : 10/25/2007
Published on : 10/25/2007
Exists online : False
Views : 496