This blog is by design...

Thursday, December 01, 2005

Can I allow more than one person to manage a Windows distribution list? Yes!

Short answer, yes. In a Windows 2000 domain (not sure if this restriction is exactly the same in a 2003 domain), let's say you have a distribution list called ALLIT, which you manually add people to when needed. You have several administrative assistants. Normally, admin1 updates the list, as he has been set as the manager of the list from within Active Directory Users & Computers (ADUC), using the Managed By tab in the properties of the group.

What happens when admin1 is out sick, on vacation, etc.? Your boss would like admin1, admin2, AND admin3 to be able to update the list. But the problem is that you can only select a single user in the Managed By tab. So what do you do? There's a pretty easy way to get around this. First off, you need to be familiar with ADSI Edit, which you should be if you're an admin for a 2000/2003 domain. There are lots of links and information that will tell you that ADSI Edit is terribly dangerous. Well, just about any admin tool can be terribly dangerous if used the wrong way. Personally, I find ADSI Edit invaluable; just be careful until you become familiar with it. Here's a quick tutorial: ADSI_EDIT.

What you need to do first is find (or create) a group that contains all the users who should be able to update the given list. In our case, we're going to create a security group called 'ALLIT Update' and add admin1, admin2 and admin3 to the group.

Next, head into ADSI Edit, right-click and select 'Connect To well known naming context' and make sure 'Domain' is in the drop-down list. Expand things out and you should see a structure that looks like your OU structure when you're in ADUC. Find the 'ALLIT Update' group, right-click and select Properties, scroll down until you find the distinguishedName attribute, double-click it and copy the value.

Next, find the ALLIT group in ADSI Edit and find the managedBy value. Paste the distinguishedName value from 'ALLIT Update' into this field, exit, head back into ADUC, find ALLIT and you should now see 'ALLIT Update' listed in there as the group manager. All you need to do now is tick the 'manager can update group membership' checkbox. Now admin1, admin2 and admin3 should be able to manage the ALLIT group. (If they can't do it right away, wait just a bit, then have them log off and back on and try again.) You also have the added convenience of merely adding people to or removing them from 'ALLIT Update' whenever you want to add/remove group managers.
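The same delegation scripted, followed by a review of who ends up able to change ALLIT's membership. This is an added example, not part of the original post: it assumes a management workstation with the RSAT ActiveDirectory PowerShell module (which postdates the Windows 2000/2003 tools described above) and uses the post's group names.

```powershell
# Added example; assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$listName    = 'ALLIT'          # distribution list from the post
$managerName = 'ALLIT Update'   # security group holding admin1, admin2, admin3

# schemaIDGUID of the 'member' attribute. Scoping the ACE to this attribute
# limits the delegation to membership changes and nothing else on the group.
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$rights     = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$allow      = [System.Security.AccessControl.AccessControlType]::Allow

$list    = Get-ADGroup -Identity $listName
$manager = Get-ADGroup -Identity $managerName

# Step 1: the ADSI Edit step, writing the manager group's DN into managedBy.
Set-ADGroup -Identity $list -ManagedBy $manager.DistinguishedName

# Step 2: the checkbox from the post, which amounts to an Allow WriteProperty
# ACE on 'member' for the manager group.
$path = "AD:\$($list.DistinguishedName)"
$acl  = Get-Acl -Path $path
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList $manager.SID, $rights, $allow, $memberAttr
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Review 1: every principal with an explicit or inherited right to write
# the 'member' attribute on the list.
(Get-Acl -Path $path).Access |
    Where-Object {
        $_.ObjectType -eq $memberAttr -and
        $_.AccessControlType -eq $allow -and
        ($_.ActiveDirectoryRights -band $rights)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

# Review 2: the accounts that receive that right through the manager group,
# including members of any nested groups.
Get-ADGroupMember -Identity $manager -Recursive |
    Select-Object SamAccountName, objectClass
```

Because the right now follows membership of 'ALLIT Update', anyone who can edit that group can also hand out control of ALLIT, so it belongs in the same periodic review as the list itself.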