XADM: Restricting Permission to Address Book Views (248398)
The information in this article applies to:
- Microsoft Exchange Server 5.5
This article was previously published under Q248398 SYMPTOMS
Anyone with Microsoft Exchange Server Administrator permissions within an organization has the ability to create an Address Book view that can cause adverse affects within an entire organization. The Address Book view can be created from any Exchange Server computer or site within an organization. These Address Book views may cause each server's Exchange Server directory service to consume 100 percent of the CPU resources as the Address Book views are replicated to each server in the organization. This may cause the Exchange Server directory services to be inaccessible or a global address list to be unavailable.
CAUSE
Each Exchange Server computer builds the Address Book view based on Grouped by Attributes (GBA) that are replicated between sites and servers. If the Address Book views are poorly designed or frequently changed, the server may use a large number of CPU cycles on the directory to regenerate these views. Any person with permissions for the site naming context has permissions to alter the Address Book view.
RESOLUTIONTo resolve this problem, obtain the latest service pack for Exchange Server 5.5. For additional information, click the following article number to view the article in the
Microsoft Knowledge Base:
191014 XGEN: How to Obtain the latest Exchange Server 5.5 Service Pack
STATUSMicrosoft has confirmed that this is a problem in Microsoft Exchange Server version 5.5. This problem was first corrected in Exchange Server 5.5 Service Pack 4.MORE INFORMATION
When you apply this fix, a new heuristics bit is defined on the Address Book View container. Setting the heuristic bit to 1 blocks the inheritance of the permissions from the site container. After the change, which is replicated throughout the organization, only the permissions set explicitly on the Address Book View container are effective. WARNING: The change in the permission model should not be implemented without proper planning and only after assigning permission Administrators explicitly on the Address Book View in every site.
To properly handle the explicit permission on the Address Book Views it is strongly recommended to use Admin Fix described in Microsoft Knowledge Base article 262773.
The fix described in this article ensures that:
- The graphical user interface reflects the effective permissions
- With the Admin Fix it is not possible to remove the "Modify Permission" right from the last and only Admin and thus loosing the ability to administer permissions of the Address Book Views within the site.
- A Warning is received when removing the permission Admin role from the account which is currently logged on.
- A Warning is received when removing the last Account and thus removing the security from the object allowing anybody to modify it.
To enable the new heuristics bit: WARNING: If you use the raw mode of the Exchange Server Administrator program ( admin /r) incorrectly, serious problems may occur that may require you to reinstall Microsoft Windows NT Server, Microsoft Exchange Server, or both. Microsoft cannot guarantee that problems that result from using raw mode incorrectly can be solved. Use raw mode at your own risk. - Start the Microsoft Exchange Server Administrator program in raw mode by typing the following at a command prompt:
- Click the Address Book container, and then click Raw Properties on the File menu.
- In the List Attributes of Type list, click All.
- Click Heuristics in the list of attributes.
- In the Edit box, type 1, click Set, and then click OK.
IMPORTANT: Although the heuristics flag replicates between sites, you must add a Microsoft Windows NT account to the Permissions tab of the Address Book view properties for the Address Book view for each site because the Windows NT account does not replicate between sites. For additional information about the issue described in this article, click the article numbers below
to view the articles in the Microsoft Knowledge Base:
251054 XADM: High Dsmain.exe CPU Usage When Populating Address Book Views
267425 XADM: Hiding Address Book Views from Exchange Server Administrator and Clients During Address Book View Storms
Modification Type: | Major | Last Reviewed: | 10/9/2003 |
---|
Keywords: | kbbug kbExchange550preSP4fix kbExchange550sp4Fix kbfix kbQFE KB248398 |
---|
|