Exchange 2003 Grub Üyeliği Hak

Merhabalar 2003 için bunu yapabiliyorsunuz. Aşağıda açıklamış. Kısaca exchange tasklardan aşağıda görüldüğü gibi menü geliyor.

Hiding group members

When you mail-enable a group, you expose the group's membership
list to MAPI clients. An Outlook user can open the GAL, right-click a
group, and select Properties to see the group members, as shown in Figure 5.12.

Figure 5.12 Outlook exposes members of a group, which could create a privacy or a security issue. (Click on image for enlarged view.)

You might not want Outlook users to see a group's membership
because of privacy concerns for the members or because the Windows
administrators don't want to expose the contents of mail-enabled
Security groups.

You can hide the group membership using the Exchange Tasks
Wizard for the group. Right-click the group in Active Directory Users
and Computers, select Exchange Tasks from the flyout menu, then select
Hide Membership in the Exchange Task Wizard, as shown in Figure 5.13.

Figure 5.13 Exchange Task Wizard showing the Hide Membership option. (Click on image for enlarged view.)

Hiding group membership requires some fancy footwork on the part of Exchange. Here's why.

An Active Directory group object has an attribute called Member
that holds the list of accounts that belong to the group. If you want
to block all Outlook users from seeing the group's membership, Exchange
must set a Deny Read permission on the Member attribute for the
Everyone group.

But it's not that simple. An Exchange server needs to see the
Member attribute so it can send email to the members. That means
Exchange can't simply deny access to the Everyone group, because
Everyone includes the Exchange server's account.

Exchange solves this problem by changing the sort order for
the Access Control List entries on a group object with hidden
membership. You can see this for yourself. Use the Exchange Task Wizard
to hide the membership of a group; then open the Properties window for
that group in Active Directory Users and Computer, and select the
Security tab. You'll get a warning that the contents can't be modified.
Acknowledge the warning and proceed.

Click Advanced to view the Advanced view of the
Security tab, as shown in Figure 5.14. This view shows the access
control entries in the order that the operating system evaluates them
when determining access authorization. Each line corresponds to an
access control entry (ACE), which contains the SID of a user or group
and the permissions assigned to that SID. (The interface communicates
with a Global Catalog server to replace the bare SIDs with their
friendly names.)

Figure 5.14 Advanced view of ACL for group with hidden membership showing non-canonical sorting of permissions. (Click on image for enlarged view.)

You'll see that Exchange played a little shell game with the
access list. It did indeed give the Everyone group a Deny Read on the
Member attribute, but it also put an Allow Read on the same attribute
for the Exchange Domain Servers group, the Domain Admins group, and the
Account Operators group.

The security subsystem in Windows evaluates access control
entries in the order you see them in the ACL Editor. Because the
security subsystem encounters the Allow Read assigned to an Exchange
server before it encounters the Deny Read assigned to the Everyone
group, it gives the Exchange server access to the Member attribute
while blocking users and other computers.

This is called non-canonical sorting. As shown in
Figure 5.14, you can recognize non-canonical sorting when you see a
Deny ACE placed below Allow ACEs in the same level of the hierarchy.

Because the ACL Editor always enforces canonical sorting when
changing security settings, don't use the Security tab in the
Properties page of a group to change the permission settings if the
group has been configured to have hidden membership in Exchange.

Hocam Merhaba ,

Bu ayarları yaptığımı düşünüyorum. Hata yapmadıysam. Fakat gerekli gizli olarak gitmesi gereken mail adresini nereye ekleyeceğim?

Tşk.