Assign Secondary Account Permissions to Distribution Lists in Exchange 2003

The company I am working for has a slightly different security model than I've seen before. It is probably because the largest Exchange server I've supported previously only had 3,000 mailboxes. This one supports 10x that number, with plans to grow to over 100,000 mailboxes by this time next year.

With that, they use a separate "security" domain for logon and authentication from the "resource" domain where their mailboxes reside. This means that the account you log on to your computer with may not be the same account you read your email from. That logon account has to be granted secondary permissions to the mailbox, as its "Associated External Account".

Along the same lines, you can no longer simply assign permissions to a user via the Managed By tab. That grants the permissions to their mailbox account, but their security account also needs to be granted permissions if the group owner wants to add or remove members.

That's why I developed this script. It assigns Manager permissions on a distribution list: the selected user is set on the Managed By tab, and then the "Send As" and "Write Members" permissions on the Security tab are granted to that user's Associated External Account.

There are a few limitations/warnings:

  1. It doesn't work with DLs that contain commas in their display name. It will present these groups in a popup box when you query the OUs. This may be resolved as of my latest release.
  2. If you attempt to query all DLs in an OU, it may return only a portion of them. Use the Contains functionality to filter the results. It works like a SQL LIKE clause, returning DLs that contain the phrase anywhere in their name (no wildcards). I found it was having issues with punctuation, such as backslashes in names.
  3. It does not remove the old owner's permissions from the Security tab. Heck, this can be useful when assigning additional owners to a single DL.
  4. I have not tested the script yet against a new owner without an associated external account. It will attempt to assign the permissions to the user's NT_DOMAIN\SELF account.

I've cleaned up the code, so it no longer asks for a specific OU. It will query your entire domain for the specified DL. To run, double-click on the downloaded HTA and have fun!

Note: I have recently (3/26) updated this script to filter on the entries instead of searching each one. This makes the overall process rather quick.

Update (6/6/2008): I have added code that also lets you remove people from the security settings on a DL. I am currently working on an issue that generates an error when the distinguished name contains an apostrophe (for example ldap://cn=Eric's Big List,ou=groups,ou=ericwoodford,ou=local): VBScript takes it as the end of the string and breaks.
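The comma, backslash and apostrophe problems listed above are all the same defect: a name typed by the user is pasted into a DN or query string without escaping, so a special character either truncates the string or changes what the query matches. The following is an added example, not code from the HTA, written in Python rather than VBScript because only the escaping logic matters. It implements RFC 4514 escaping for DN values and RFC 4515 escaping for filter values, builds the "Contains" filter so that a user-supplied "*" cannot widen the match, and shows the two ADSI query forms. The base DN, attribute list and the assumption that the ADSI SQL dialect doubles an embedded apostrophe like other SQL dialects are mine, not the post's.

```python
"""Escape user-supplied values before embedding them in LDAP DNs, search
filters and ADSI query strings (added example; assumptions noted inline).

RFC 4514 lists the characters that must be escaped inside a DN value
(',', '+', '"', '\\', '<', '>', ';', a leading '#' or space, a trailing
space). RFC 4515 lists those that must be hex-escaped inside a search
filter ('*', '(', ')', '\\', NUL). An apostrophe is special in neither,
so the apostrophe failure is a quoting problem in the query string, not
in LDAP itself.
"""

_DN_SPECIALS = set(',+"\\<>;')
_FILTER_SPECIALS = {'*': '\\2a', '(': '\\28', ')': '\\29',
                    '\\': '\\5c', '\x00': '\\00'}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append('\\' + ch)
        elif i == 0 and ch in ' #':          # leading space or '#'
            out.append('\\' + ch)
        elif i == last and ch == ' ':        # trailing space
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for a search filter (RFC 4515 section 3)."""
    return ''.join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def group_dn(display_name: str, parent_dn: str) -> str:
    """Build the DN of a group whose CN equals its display name."""
    return 'CN=' + escape_dn_value(display_name) + ',' + parent_dn


def contains_filter(phrase: str) -> str:
    """Filter for groups whose displayName contains `phrase` anywhere.

    The surrounding '*' are the only wildcards; a '*' typed by the user is
    escaped, matching the post's 'Contains' semantics (no caller wildcards).
    """
    return ('(&(objectCategory=group)(displayName=*'
            + escape_filter_value(phrase) + '*))')


def ldap_dialect_query(base_dn: str, ldap_filter: str,
                       attrs=('distinguishedName', 'displayName')) -> str:
    """ADSI 'LDAP dialect' command text: <LDAP://base>;filter;attrs;scope.

    The base DN is delimited by angle brackets, not quotes, so an apostrophe
    in it needs no extra handling.
    """
    return ('<LDAP://' + base_dn + '>;' + ldap_filter + ';'
            + ','.join(attrs) + ';subtree')


def sql_dialect_quote(value: str) -> str:
    """Quote a literal for the ADSI 'SQL dialect' (SELECT ... FROM 'LDAP://...').

    Assumption: as in other SQL dialects, an embedded apostrophe is written
    as two apostrophes. Left unescaped, CN=Eric's Big List,... ends the
    literal at the apostrophe, which is the error described in the post.
    """
    return "'" + value.replace("'", "''") + "'"


if __name__ == '__main__':
    # Constructed sample values, not real directory objects.
    parent = 'OU=groups,OU=ericwoodford,OU=local'   # assumed container
    print(group_dn("Eric's Big List", parent))
    print(group_dn('Sales, EMEA', parent))
    print(contains_filter('Big*'))
    print(ldap_dialect_query('DC=example,DC=local', contains_filter('Big')))
    print(sql_dialect_quote('LDAP://' + group_dn("Eric's Big List", parent)))
```

Using the LDAP dialect for the search and escaping the CN when the DN is built removes both the comma and the apostrophe cases at once; the SQL-dialect quoting is only needed if the HTA keeps its existing SELECT-based query.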

Attachment: SetNewDLManager.hta (18.81 KB)

Grant External Account Permissions to Modify Delegates

This HTA applet allows you to grant extended AD permissions to a specific user. I use it to grant the Associated External Account of an AD user the rights to modify that user's own delegates.

I found the values I needed by configuring a single user with the permissions, then using Richard's DACL export script to dump that user. I then modify the script (see line 248) to match the permissions I want to grant.

' Template: AddAce(TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)

The applet runs faster on the DC, but is usable on my local workstation.

Attachment: SetDelegatePerms.hta (12.8 KB)