XADM: Hidden Group Membership Does Not Replicate to Exchange Server 5.5 (321205)
The information in this article applies to:
- Microsoft Exchange 2000 Server
- Microsoft Exchange Server 5.5
This article was previously published under Q321205
SYMPTOMS
After Active Directory Connector (ADC) has synchronized Exchange Server 5.5 and Active Directory, you cannot view members of distribution lists on which you have configured the Hide Membership from Address Book setting when you use the Exchange Server 5.5 Administrator program.
CAUSE
This problem occurs when the account that is listed in the Windows Server Information section on the Connections tab of the ADC Connection Agreement does not have the appropriate permissions to view the hidden membership of the groups in Active Directory. Therefore, this information is not replicated to the Exchange Server 5.5 folder. The Exchange Domain Servers group and the Account Operators group are the only groups that have the appropriate permissions to view the hidden membership.
RESOLUTION
To resolve this problem, replicate the membership of the hidden groups to Exchange Server 5.5. To do so, complete both of the methods that are described in this section in the order that they are presented.
Method 1: Export Distinguished Name and Members Attributes to the Hidden_groups.ldf File
Before you replicate the membership of the hidden groups to Exchange Server 5.5, Microsoft recommends that you export the distinguished name attributes and the members attributes of all groups that have the hideDLMembership attribute set to TRUE from the Active Directory domain to a file named Hidden_groups.ldf.
1. Log on to the domain by using an account that has permissions to view the hidden membership in Active Directory.
2. Open a command prompt, and then run the following command, where dc=domain,dc=com is the distinguished name of your domain:
   ldifde -f hidden_groups.ldf -d dc=domain,dc=com -r (hideDLMembership=TRUE) -l member -p subtree
3. Repeat steps 1 and 2 for each additional Windows 2000 domain in the forest.
You can use the exported Hidden_groups.ldf file to identify all groups that have hidden membership. This file is a valuable backup of the current membership for each group.
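The following Python example is an addition to this article, not Microsoft code: it reads the text of an LDIF export such as Hidden_groups.ldf and returns each hidden group with its members, handling folded lines and base64-encoded values. The sample records and the names parse_ldf, empty_groups and SAMPLE_LDF are constructed for illustration.

```python
import base64

# Constructed sample in LDIF layout: records separated by blank lines, long
# values folded onto continuation lines that start with one space, and
# non-ASCII values base64-encoded after "::".
_B64_DN = base64.b64encode(
    "CN=B\u00fcro DL,OU=Groups,DC=domain,DC=com".encode("utf-8")).decode("ascii")
SAMPLE_LDF = (
    "dn: CN=Payroll Hidden DL,OU=Groups,DC=domain,DC=com\n"
    "changetype: add\n"
    "member: CN=Alice Example,CN=Users,DC=domain,DC=com\n"
    "member: CN=Bob Example With A Long Name,OU=Finance,OU=Departments,DC=domai\n"
    " n,DC=com\n"
    "\n"
    "dn:: " + _B64_DN + "\n"
    "changetype: add\n"
)

def parse_ldf(text):
    """Return {group DN: [member DN, ...]} from the text of an LDIF export."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    groups, dn = {}, None
    for line in lines:
        if not line.strip():
            dn = None                     # a blank line ends the record
            continue
        if line.startswith("#"):
            continue                      # LDIF comment
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
            groups[dn] = []
        elif attr.lower() == "member" and dn is not None:
            groups[dn].append(value)
    return groups

def empty_groups(groups):
    """Groups exported with no member values: the group is empty, or the
    exporting account could not read the hidden membership."""
    return sorted(dn for dn, members in groups.items() if not members)

if __name__ == "__main__":
    for dn, members in parse_ldf(SAMPLE_LDF).items():
        print(len(members), dn)
```

To check a real export, read the contents of Hidden_groups.ldf into a string and pass it to parse_ldf; any group returned by empty_groups is worth re-exporting with an account that can view hidden membership before you rely on the file as a backup.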
Method 2: Replicate Membership of Hidden Groups to Exchange Server 5.5
1. Add the account that is listed in the Windows Server Information section on the Connections tab of the ADC Connection Agreement to the Account Operators group and the Exchange Domain Servers group.
2. Start the Active Directory Users and Computers snap-in, locate a group that has hidden membership, and then verify that the membership is visible.
3. Modify the group that you identified in step 2 in some way. For example, you can increment the object's USN Changed value:
   A. In the Notes box on the General tab, add a note, and then click Apply.
   B. Delete the note, and then click Apply.
   C. Repeat steps A and B for all groups that have hidden membership (see the Hidden_groups.ldf file that you created in Method 1).
4. Force replication of the ADC Connection Agreement that replicates the group objects.
5. When the replication is complete, check the corresponding distribution lists in the Exchange Server 5.5 Administrator program to verify that the members are listed.
Modification Type: Minor
Last Reviewed: 4/25/2005
Keywords: kbprb KB321205