Imanami Community

We've had several cases where a user was unable to make changes to a DL's membership even though he's the owner. To solve this Sys Admins have had to explicitely grant te necessary permissions or did the add/change of the DL for the user.  Does granting a user DL ownership not automatically mean that user has full rights to maintain membership of that DL?

 Any ideas why this could happen? Thanks.

Hello henrychan,

 There is a setting in Active Directory that will need to be checked in order to allow the group owner/manager to update the membership list.  See attached screenshot.  The "Manager can update memberhsip list" checkbox has been added the feature list for consideration in the next release of WebDir 5.0.

Robin,

We've had other users who were assigned DL ownership from within WebDir and they were able to add & delete members without having syadmins check the box in ADUC (what you refererred to). In order words they've had full self-service capability to manage their own DLs (one of the primary reasons for implementing WebDir) without IT's involvement.  I believe that's how WebDir is supposed to work so your response about the ADUC checkbox and inclusion of this feature in WebDir 5 is confusing me.

The issue we're experiencing with a few users here and there and that's what we can't understand.  The majority of users are able to update their DL memberships without problems.

Am I misunderstanding your response?

Thanks,

Henry

Hello Henry,

 Sorry, I misread the issue you are experiencing.  Are the users that can successfully manage their distribution list and the users that cannot manage their distribution list logging into the same virtual server? 

Robin,

 Yes, in this situation all users are in the same virtual server.  As I mentioned not all users experience the issue but this has now happened at least four times that we're aware of, when users call IT saying they're the owners of the DL and yet can't add/delete members.  The way we get around it is to grant them explicit permissions via ADUC which defeats the purpose of providing users with WebDir self-service.

Any ideas? 

Thanks,

Henry

Hello Henry,

Check the permissions given to the WebDir Service Account.  The WebDir Service account is used for delegating permissions to authenticated WebDir users.  You can locate the name of the account by opening WebDir's System Manager console.  Then select the "Directory" tab for the virtual server under the server node.  We recommend the account have Domain Admin rights within Active Directory to prevent permission issues that may occur. 

Hi Robin & Henry,

Button visibility is controlled by WebDir, so if the buttons are not showing up it is probably not caused by service account permisions.  However, if the buttons are visible but the members are never added or removed then I would suspect service account permissions.

Is the problem consistent or intermittent? For example, if User A is the owner of Group 1 and Group 2, is User A always unable to manage Group 1 or just sometimes?  Is User A able to manage Group B?  Are User A, Group 1 and group Group 2 int he same domain/forest? 

--Robert

Hi Robin & Robert,

Our WebDir service account is a member of Domain Admins.

The problem doesn't happen for all users, just a couple. But for them it happns consistently with the problem DLs.

We only have one forest and one domain.

Thanks,

Henry

WebDir matches the logged on user's DN to the group owner's DN to determine whether the Owner security rule applies.  For this problem to occur consistently with the same group and user, the user is either not specified in the ManagedBy attribute of the group or WebDir is failing to match them. 

 Either way, I think we can resolve this faster with a call to support.  Please call support 925-371-3000 option 3.

--Robert