Checking and setting Read Member Of permission for Network Service account

When using Signature Manager Exchange Edition with a group policy, you observe that the Policy Tester is showing the correct behavior. However, when an email message is sent, the membership of this group cannot be correctly identified, so the policy does not get applied.

Ensure that the NETWORK SERVICE account has the "Read Member of" permission on the user object you are testing with, e.g. Colin Smith.

  1. Open Active Directory Users and Computers (dsa.msc).
  2. Click View, then Advanced Features.
  3. Locate a problem user and open their Properties.
  4. Click the Security tab, Advanced button, then the Effective Permissions tab.
  5. Click the Select button and type the NETWORK SERVICE account. Click OK.
  6. Locate the permission Read Member of and confirm that the permission is present.

If the Read Member of permission is not present against the NETWORK SERVICE account, follow the steps below to apply the permission change to all users in an OU:

  7. Right click the OU and choose Properties.
  8. Click the Security tab, then click the Advanced button.
  9. Click Add and type NETWORK SERVICE. Click OK.
  10. Click the Properties tab and on the Apply to: drop down list choose Descendant User objects.
  11. Locate the permission Read Member of and tick the Allow check box.
  12. Click OK until you return to Active Directory Users & Computers.
  13. Repeat steps 1 to 5 above to confirm that NETWORK SERVICE now has the permission "Read Member of".

Note: In some environments this change may not take effect until the changes have been replicated to the Global Catalog server.
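
The check and the OU-level grant described above can also be scripted. The following PowerShell is an added example, not taken from the original article or the product vendor: it looks for an Allow ACE (explicit or inherited) that gives NETWORK SERVICE Read Property on memberOf, and if none is found adds that single ACE to the OU, applied to descendant user objects only. The OU and user distinguished names are constructed placeholders, and the test looks for this specific ACE rather than computing full effective permissions.

```powershell
# Added example: both DNs below are constructed placeholders; replace them.
Import-Module ActiveDirectory            # provides the AD: drive for Get-Acl/Set-Acl
Add-Type -AssemblyName System.DirectoryServices

$OuDn   = 'OU=Staff,DC=example,DC=com'
$UserDn = 'CN=Colin Smith,OU=Staff,DC=example,DC=com'

# Schema GUIDs that are identical in every forest.
$MemberOfAttr = [guid]'bf967991-0de6-11d0-a285-00aa003049e2'   # memberOf attribute
$UserClass    = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
# Well-known SID of NT AUTHORITY\NETWORK SERVICE (avoids localized account names).
$NetSvc   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
$ReadProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

function Test-ReadMemberOfAce {
    # True if the object's DACL holds an Allow ACE for NETWORK SERVICE that
    # grants ReadProperty on memberOf. Access granted through other trustees
    # or broader ACEs is deliberately not counted.
    param([string]$Dn)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -Path "AD:\$Dn").GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -eq $NetSvc.Value -and
            $ace.AccessControlType -eq 'Allow' -and
            $ace.ActiveDirectoryRights.HasFlag($ReadProp) -and
            $ace.ObjectType -eq $MemberOfAttr) { return $true }
    }
    return $false
}

if (-not (Test-ReadMemberOfAce -Dn $UserDn)) {
    # Least privilege: read access to one attribute, inherited by user objects only.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $NetSvc, $ReadProp,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $MemberOfAttr,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

"NETWORK SERVICE can read memberOf on ${UserDn}: $(Test-ReadMemberOfAce -Dn $UserDn)"
```

Run it from an elevated session with rights to modify the OU's permissions; the final line re-reads the user's ACL, so it reports False until the inherited ACE is visible on the domain controller being queried.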