Distribution group membership is still visible after you hide the membership (812841)
The information in this article applies to:
- Microsoft Exchange 2000 Enterprise Server
- Microsoft Exchange 2000 Server
SYMPTOMS
When you hide the membership of a distribution group, the members of that group are not hidden from members of the Pre-Windows 2000 Compatible Access security group. Any user who reads the directory as a member of that security group can still see which groups an object belongs to by reading the memberOf attribute of the object, even though the membership of the distribution group itself is hidden.

Example
John Smith is a member of a distribution group named MYDL. You have correctly hidden the membership of MYDL by using the instructions in the following Microsoft Knowledge Base article:
253827 How Exchange hides group membership in Active Directory
When you log on to the Exchange Server computer as a user who belongs to the Pre-Windows 2000 Compatible Access security group, you can view the properties of John Smith from the Global Address List. MYDL is listed on the Member of tab.

Note To locate the Member of tab, follow these steps:
- In Microsoft Outlook, click New.
- In the new message window that appears, click the To button.
- In the Show names from the list, click Global Address List.
- Right-click a name in the Name list, and then click Properties.
- Click the Member of tab.
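The same check from the command line, as an added PowerShell example that is not part of this article. It runs as an ordinary domain user on a domain-joined host and uses only System.DirectoryServices (no RSAT needed). MYDL is the article's placeholder name for the hidden distribution group; the script first lists who is in Pre-Windows 2000 Compatible Access and flags the broad well-known principals, then shows that a caller who gets nothing back from the group's member attribute can still enumerate the membership with an LDAP filter on memberOf.

```powershell
# Added example, not part of KB 812841. Run as an ordinary domain user on a
# domain-joined host; uses System.DirectoryServices, so RSAT is not required.
# 'MYDL' is the article's placeholder name for the hidden distribution group.
$HiddenDl = 'MYDL'

$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext

function Find-One([string]$Filter, [string[]]$Attributes) {
    # One LDAP search under the domain root; returns a SearchResult or $null.
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn", $Filter)
    foreach ($a in $Attributes) { [void]$s.PropertiesToLoad.Add($a) }
    return $s.FindOne()
}

# 1. Who is in Pre-Windows 2000 Compatible Access? Well-known principals show up
#    as CN=<SID> under CN=ForeignSecurityPrincipals, so the RDN is the SID.
$broadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'Anonymous Logon'; 'S-1-5-11' = 'Authenticated Users' }
$preWin2k  = Find-One '(&(objectClass=group)(sAMAccountName=Pre-Windows 2000 Compatible Access))' @('member')
foreach ($memberDn in $preWin2k.Properties['member']) {
    $rdn = (($memberDn -split ',', 2)[0]) -replace '^CN=', ''
    if ($broadSids.ContainsKey($rdn)) {
        Write-Warning ("Pre-Windows 2000 Compatible Access contains {0} ({1}): hidden DL membership is exposed to it." -f $broadSids[$rdn], $rdn)
    } else {
        "Pre-Windows 2000 Compatible Access member: $memberDn"
    }
}

# 2. The hidden group itself: the Deny ACE that Hide Membership places on
#    'member' means an ordinary caller gets no values back for that attribute.
$dl = Find-One "(&(objectClass=group)(sAMAccountName=$HiddenDl))" @('distinguishedName', 'member')
if (-not $dl) { throw "Group '$HiddenDl' was not found in $domainDn" }
$dlDn = $dl.Properties['distinguishedname'][0]
"Values of 'member' readable on ${dlDn}: $($dl.Properties['member'].Count)"

# 3. memberOf on each user is a separate back-link that Pre-Windows 2000
#    Compatible Access can read, so a filter on it recovers the membership anyway.
#    Escape the DN for use inside an LDAP filter (RFC 4515 special characters).
$escapedDn = $dlDn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
$s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn", "(&(objectCategory=person)(memberOf=$escapedDn))")
$s.PageSize = 500
[void]$s.PropertiesToLoad.Add('sAMAccountName')
$members = @($s.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
"Members of '$HiddenDl' recoverable through memberOf: $($members.Count)"
$members
```

If step 2 prints 0 and step 3 still lists accounts, the caller is in exactly the position this article describes: the group's member attribute is protected, but the memberOf back-link on each user is not.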
CAUSE
This issue occurs because hidden distribution group membership is exposed to members of the Pre-Windows 2000 Compatible Access security group through the memberOf attribute.

When you install Exchange 2000 Server in a domain in which the Pre-Windows 2000 Compatible Access security group contains members, you receive the following message:
The domain "domain.com" has been identified as an insecure domain for mail-enabled groups with hidden DL membership. Hidden DL membership will be exposed to members of the built-in Pre-Windows 2000 Compatible Access security group. This group may have been populated during the promotion of the domain with the intent of allowing permissions to be compatible with pre-Windows 2000 servers and applications. To secure this domain, remove any unnecessary members of this group.
The Pre-Windows 2000 Compatible Access security group is populated during Dcpromo according to the permissions choice that is made at that time. For more information about this process, click the following article number to view the article in the Microsoft Knowledge Base:
257988 Description of Dcpromo permissions choices
Note Article 257988 also explains how to remove the Everyone group from the Pre-Windows 2000 Compatible Access security group. See the "More Information" section of this article (812841) for more information about the effect of the Everyone group being a member of the Pre-Windows 2000 Compatible Access security group.

WORKAROUND
To work around this scenario, follow these steps:
- In Active Directory Users and Computers, move the distribution group into a new organizational unit, or into an existing organizational unit whose access you want to modify.
- Edit the properties of that organizational unit to deny the Read permission to the users or groups that you want to prevent from viewing the distribution group membership.
Note If you want to deny Read access to the Pre-Windows 2000 Compatible Access group, make sure that you first remove the Everyone group from the Pre-Windows 2000 Compatible Access group membership. If you do not remove the Everyone group, everyone is denied Read access to the distribution group. In some cases, you may have to provide backward compatibility for earlier server or client operating systems and programs, and you cannot remove the Everyone group from the membership of the Pre-Windows 2000 Compatible Access security group.
- Right-click the distribution group, click Exchange Tasks, click Next, click Hide Membership, and then click Next.
- Click Next to confirm that the security descriptor of the selected group will be changed to prevent viewing, and then click Finish.
- Allow sufficient time for the Recipient Update Service (RUS) to replicate the changes. Or, update the RUS manually in Exchange System Manager. To do so:
  - Start Exchange System Manager. To do this, click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  - Under your organization, expand Recipients, and then click Recipient Update Services.
  - In the right pane, right-click the recipient update service, and then click Update Now.
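The Active Directory part of these steps (the organizational unit, the Deny Read ACE, and moving the group), as an added PowerShell example that is not part of this article. It assumes the ActiveDirectory module (RSAT) and an account that can create organizational units and edit their security descriptors; the Exchange steps (Hide Membership and the RUS Update Now) are still performed in Exchange System Manager as described above. Names are placeholders: MYDL from the article, an OU called Hidden Distribution Groups, and a group DL-NoRead standing for the users who must not see the list.

```powershell
# Added example, not part of KB 812841. Requires the ActiveDirectory module and
# rights to create OUs and edit their security descriptors. The Exchange tasks
# (Hide Membership, RUS Update Now) are still done in Exchange System Manager.
Import-Module ActiveDirectory

$DlName    = 'MYDL'                         # the article's hidden DL (placeholder)
$OuName    = 'Hidden Distribution Groups'   # placeholder OU name
$DenyGroup = 'DL-NoRead'                    # placeholder: who must not see the DL

$domainDn   = (Get-ADDomain).DistinguishedName
$ouDn       = "OU=$OuName,$domainDn"
$everyoneDn = "CN=S-1-1-0,CN=ForeignSecurityPrincipals,$domainDn"

# The article's note: a Deny aimed at Pre-Windows 2000 Compatible Access hits
# everybody while Everyone (S-1-1-0) is still a member of that group.
if ($DenyGroup -eq 'Pre-Windows 2000 Compatible Access') {
    $members = (Get-ADGroup -Identity $DenyGroup -Properties member).member
    if ($members -contains $everyoneDn) {
        throw 'Remove Everyone from Pre-Windows 2000 Compatible Access first; otherwise everyone is denied Read on the OU.'
    }
}

# Step 1: the organizational unit (created only if it does not exist yet).
$ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Step 2: Deny GenericRead to the chosen group, inherited by every object in the OU.
$sid  = (Get-ADGroup -Identity $DenyGroup).SID
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Move the distribution group into the OU so it inherits the Deny ACE.
Move-ADObject -Identity (Get-ADGroup -Identity $DlName).DistinguishedName -TargetPath $ouDn

# Verify: the Deny ACE on the OU, and the group's new location.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like "*\$DenyGroup" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType -AutoSize
(Get-ADGroup -Identity $DlName).DistinguishedName
```

After this runs, complete the Hide Membership task and the RUS update from Exchange System Manager. The Deny ACE keeps the group out of the GAL for the denied users; it does not stop the memberOf back-link on user objects from revealing the membership, which is the limitation the next section describes.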
MORE INFORMATION
When you put a group in an organizational unit where you have denied Read access to the community from which you want to secure its membership, the group does not appear in the Global Address List (GAL). However, the group membership can still be determined with a Lightweight Directory Access Protocol (LDAP) query on the memberOf attribute of a user account: the query reveals whether that user is a member of a hidden distribution list. There is no way to work around the exposure of this attribute while Everyone is part of the Pre-Windows 2000 Compatible Access security group.

Pre-Windows 2000 Compatible Access exists for certain programs that must query Active Directory by using anonymous logon access. Programs or services that may query the directory by using anonymous logon access include those running in the security context of the local System account in the following scenarios:
- On a server running Microsoft Windows NT 4.0, in or outside the forest.
- On a server running Windows 2000 in a trusting domain outside the forest.
An example of such a program or service is the Routing and Remote Access Service running on Windows NT 4.0.

In Active Directory, the Pre-Windows 2000 Compatible Access group is assigned Read permissions on the domain root, and is also assigned Read permissions on all user objects, computer objects, and group objects. When you enable Pre-Windows 2000 compatibility, the special Everyone group is added as a member of the Pre-Windows 2000 Compatible Access group. Because Everyone includes both authenticated users and anonymous users, anyone with network access can read these objects. When this setting is enabled, any user with network access (even one without an account in the forest) can query and discover information about Active Directory users, groups, and computers. If you do not have programs that require Active Directory access to be enabled for pre-Windows 2000 compatibility, do not select this setting during domain controller promotion.

When you choose to hide group membership, a "Deny" Access Control Entry (ACE) is placed on the "member" attribute of the group, so that by default nobody can read it. However, because Exchange 2000 Server must have access to this attribute, two groups are granted access to the member attribute even though the distribution group is hidden: the Exchange Domain Servers group (all Exchange servers in the domain are members of this group) and the Account Operators group (initially empty). Because typical users are not members of the Account Operators group or the Exchange Domain Servers group (which should only contain computer accounts), the membership is considered hidden.
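A way to see those ACEs on a hidden group, as an added PowerShell example that is not part of this article. It assumes the ActiveDirectory module (RSAT); MYDL is the article's placeholder group name. Attribute-level ACEs name the attribute by its schemaIDGUID, so the script resolves the GUID for member from the schema and then prints only the ACEs on the group that are scoped to that attribute.

```powershell
# Added example, not part of KB 812841: list the attribute-specific ACEs on the
# 'member' attribute of a group whose membership Exchange has hidden. Requires
# the ActiveDirectory module; 'MYDL' is the article's placeholder group name.
Import-Module ActiveDirectory
$DlName = 'MYDL'

# Attribute-level ACEs identify the attribute by its schemaIDGUID, so resolve
# the GUID for 'member' from the schema instead of hard-coding it.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$memberAttr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
$memberGuid = [guid]$memberAttr.schemaIDGUID

$dlDn = (Get-ADGroup -Identity $DlName).DistinguishedName
$acl  = Get-Acl -Path "AD:\$dlDn"

# Expected on a hidden group, per the article: a Deny on ReadProperty for
# 'member' (the hide), plus Allow entries for Exchange Domain Servers and
# Account Operators. Deny ACEs are evaluated before Allow ACEs, so an account
# that is in neither of those two groups reads nothing.
$acl.Access |
    Where-Object { $_.ObjectType -eq $memberGuid } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited -AutoSize

# What the current caller can actually read from 'member' on this group.
$visible = (Get-ADGroup -Identity $DlName -Properties member).member.Count
"Member values readable by $env:USERNAME on ${DlName}: $visible"
```

Run it once as an ordinary user and once as a member of Account Operators to see the count change; in both cases the ACE listing is the same, because the ACEs live on the group while the memberOf back-link lives on each user object and is governed by that object's ACL.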
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
253827 How Exchange hides group membership in Active Directory
Modification Type: Minor
Last Reviewed: 7/25/2006
Keywords: kbnofix kbBug kbprb KB812841
©2004 Microsoft Corporation. All rights reserved.