I understand the need for object permissions. I really do. But man can they be a pain. Apparently at some point in the recent past, I managed to assign Everyone (a special Microsoft group, meaning, well, everyone) deny permission to an access list in Exchange. To make it worse, it was the Default Global Access List. What makes that so bad are two things.

One: I'm in this list, as is every other user. If they can't be found in that list, then they are unable to make an Exchange (RPC) connection to the server. You get a terribly useful message: The action could not be completed. The bookmark is not valid. What do bookmarks have to do with anything? I have no idea.

I found a ton of resources on Google Groups. Most of them have to do with the Global Catalog server. The problem is, this is a single-PC network. Everything is on that PC and there are no other computers of any kind on it. Nonetheless, I tried their solutions. They didn't work. I even rebooted three times because I saw where someone from Microsoft told someone that they needed to reboot twice. Figured that I was being difficult, so I'll give it an extra kick. Not happening.

So then I found another article on the subject that I needed - creating multiple address lists. Something in this article tripped and I realized that I couldn't see the default global list. So I tried to add it. The Exchange System Manager (ESM) would have none of it. Said the list already existed. Then why couldn't I see it? I'm a domain administrator, for crying out loud!

Not expecting much, I searched on restoring this list. Amazingly, I found something. This particular article addresses the issue for the Authorized Users group. That didn't help. I still couldn't see a problem. Then I noticed that the Everyone group had been denied access. Ah-ha. Taking the command they gave me, I altered it to give permissions to Everyone and that did the trick. I did have to log off and back on, but now I can see the group. Time to see if I can figure out how to do what I wanted to in the first place.

Oh, and DSACLS.exe? Very cool utility. Lists the permissions on an object, allows you to change them from the command line too. Very sweet. The only difficulty was in figuring out the location of the object. But that last link has instructions for that too.

And, lest I forget, the second thing: I know better than to assign deny permission to everyone. I'm so ashamed.

Leave a comment