Unable to access the Default Global Address Lists container in Exchange System Manager (286296)



The information in this article applies to:

  • Microsoft Exchange 2000 Server
  • Microsoft Exchange 2000 Enterprise Server
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition

This article was previously published under Q286296
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SYMPTOMS

When you try to expand the All Global Address Lists container by using the Microsoft Exchange System Manager tool in Microsoft Exchange 2000 Server or in Microsoft Exchange Server 2003, you may experience one or more of the following symptoms:
  • You receive the following error message:
    You will not be able to add, remove or rename Global Address Lists because you do not have the required permissions on all Global Address Lists
  • The Default Global Address List container no longer appears under All Global Address Lists.
  • The Default Global Address List container appears under All Global Address Lists. However, when you right-click Default Global Address List and then click Properties, you receive the following error message:
    The specified directory service attribute or value does not exist.
  • Microsoft Outlook users can still access the Global Address List.

CAUSE

This issue may occur if the Authenticated Users group does not have Full Control permissions to the Default Global Address List. Typically, this issue occurs if the Deny check box for Full Control is selected for the Authenticated Users group on the Security tab of the Default Global Address List Properties dialog box.

RESOLUTION

To resolve this issue, use one of the following methods as applicable to your situation.

Method 1: You can access the Default Global Address List Properties dialog box

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this issue, follow these steps:
  1. Start Exchange System Manager.
  2. Expand the Recipients container, and then expand All Global Address Lists.
  3. Right-click Default Global Address List, and then click Properties.
  4. Click the Security tab, click Authenticated Users, and then click to select the Allow check box next to Full Control.
Note An "Unable to display security information" message may appear when you click the Security tab on the Default Global Address List object. If this message appears, open the All Global Address Lists object's properties before you open the Default Global Address List object's properties.

Method 2: You cannot access the Default Global Address List Properties dialog box

In this scenario, the Default Global Address List container may not appear in Exchange System Manager, or you may receive an error message when you right-click Default Global Address List and then click Properties. To resolve this issue, use the DSACLS.exe command to view and to modify the permissions on the Default Global Address List container. To do this, follow these steps:
  1. Type the following DSACLS.exe command, and then press ENTER to view the permissions that are assigned to the Default Global Address List container in the Active Directory directory service:

    DSACLS "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com"

    Replace Example and com with your domain and domain suffix names. Additionally, if your organization does not have the default name of First Organization, modify this command accordingly.

    Note This command is one line.
  2. View the results that are returned by this command to see if any Deny permissions are assigned to the NT AUTHORITY\Authenticated Users group.
  3. Type the following DSACLS.exe command, and then press ENTER to reset the permissions on the Default Global Address Lists container for the Authenticated Users group:

    DSACLS "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com" /N /G "Authenticated Users":SDRCWDWOWPRPCALO

  4. Log off the computer, and then log on again.
  5. Start Exchange System Manager.
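
Steps 1 and 2 of Method 2 as a PowerShell script that builds the distinguished name and looks for Deny entries for Authenticated Users. This is an added example, not part of the original article and not Microsoft code. The organization name, the domain, and the layout of the sample DSACLS output are constructed assumptions, and the script only prints the step 3 command for review.

```powershell
# Added example: placeholders are constructed; run with -Live to query the directory.
param(
    [string]$Organization = 'First Organization',
    [string]$DomainDns    = 'example.com',
    [switch]$Live
)

function Get-DefaultGalDn {
    param([string]$Organization, [string]$DomainDns)
    # Backslash-escape characters that are special inside a DN component.
    $org = $Organization -replace '([,+"\\<>;=])', '\$1'
    $dc  = ($DomainDns -split '\.' | ForEach-Object { "DC=$_" }) -join ','
    'CN=Default Global Address List,CN=All Global Address Lists,' +
        "CN=Address Lists Container,CN=$org,CN=Microsoft Exchange," +
        "CN=Services,CN=Configuration,$dc"
}

function Find-DenyAce {
    param([string[]]$Lines, [string]$Trustee = 'NT AUTHORITY\Authenticated Users')
    # Assumed layout: ACE lines start with Allow or Deny, then trustee, then rights.
    $pattern = '^\s*Deny\s+' + [regex]::Escape($Trustee) + '\s+(?<rights>\S.*)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Trustee = $Trustee; Rights = $Matches['rights'].Trim() }
        }
    }
}

# Constructed sample shaped like DSACLS output; not captured from a real directory.
$sample = @(
    'Access list:'
    'Allow NT AUTHORITY\SYSTEM                 FULL CONTROL'
    'Deny  NT AUTHORITY\Authenticated Users    FULL CONTROL'
    'Allow NT AUTHORITY\Authenticated Users    SPECIAL ACCESS'
    '                                          LIST CONTENTS'
)

$dn    = Get-DefaultGalDn -Organization $Organization -DomainDns $DomainDns
$lines = if ($Live) { & dsacls.exe $dn } else { $sample }
$deny  = @(Find-DenyAce -Lines $lines)

if ($deny.Count -gt 0) {
    $deny | Format-Table -AutoSize | Out-String
    # Step 3 from the article, printed for review rather than executed.
    "DSACLS `"$dn`" /N /G `"Authenticated Users`":SDRCWDWOWPRPCALO"
} else {
    "No Deny ACE for Authenticated Users on $dn"
}
```

The /N switch replaces the current access on the object instead of editing it, so keep a copy of the step 1 output before you run the reset command.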

MORE INFORMATION

If you do not have access to the All Global Address Lists container in Exchange System Manager, you can use the following DSACLS.exe command to reset the permissions on this container for the Authenticated Users group:

DSACLS "CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Example,DC=com" /N /G "Authenticated Users":SDRCWDWOWPRPCALO

For a list of DSACLS.exe command-line options, type dsacls /?, and then press ENTER at a command prompt.

The path of the object that you specify on the DSACLS.exe command line is a distinguished name in RFC 1779 format. If you do not know the path of your address list container, you can locate this container by using the Active Directory Services Interface (ADSI) Edit tool. To do this, follow these steps:

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
  1. Start the ADSI Edit tool. To do this, click Start, click Run, type adsiedit.msc, and then click OK.

    Note ADSI Edit is included with the Microsoft Windows 2000 and Windows Server 2003 Support Tools. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    301423 How to install the Windows 2000 Support Tools to a Windows 2000 Server-based computer

    For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    314203 How to install the Windows Support Tools from a command prompt

  2. Expand Configuration Container [servername.example.com], and then expand CN=Configuration,DC=example,DC=com.
  3. Expand CN=Services, expand CN=Microsoft Exchange, and then expand CN=OrganizationName where OrganizationName is the name of your Exchange organization.
  4. Expand CN=Address Lists Container.
  5. Click CN=All Global Address Lists. The distinguished names of the address list containers appear in the right pane. Make a note of the distinguished name of the address list that you want, and then use it with the DSACLS command.
  6. Quit ADSI Edit.

Modification Type: Major
Last Reviewed: 2/6/2006
Keywords: kbenv kbtshoot kberrmsg kbprb KB286296 kbAudITPRO