How to stop automatic conversion of universal distribution groups to universal security groups in Exchange 2000 and in Exchange 2003 (843587)


The information in this article applies to:

  • Microsoft Exchange 2000 Server
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange Server 2003 Enterprise Edition

INTRODUCTION

By default, universal security groups are used to grant permission to a public folder or to a mailbox folder in Microsoft Exchange 2000 Server and in Microsoft Exchange Server 2003. The default settings do not let you use universal distribution groups to grant permission to a public folder or to a mailbox folder. When a Microsoft Outlook user tries to use a universal distribution group to grant permission to a public folder or to a mailbox folder, the universal distribution group is automatically converted to a universal security group by the Microsoft Exchange Information Store process.

It is best to use only universal security groups to grant permission to a public folder or to a mailbox folder in Exchange 2000 and in Exchange 2003. However, if you have to grant permission to a public folder or to a mailbox folder by using a universal distribution group, you can change the value that is set in the properties of the msExchDisableUDGConversion attribute. Changing the value permits Microsoft Windows administrators to manually convert universal distribution groups.

MORE INFORMATION

The msExchDisableUDGConversion attribute of your Exchange organization object in the Active Directory directory service controls the behavior of the Microsoft Exchange Information Store process. By default, the Microsoft Exchange Information Store process automatically converts universal distribution groups to universal security groups when the group is used to control access to either a public folder or to a mailbox folder. The following values are used in the msExchDisableUDGConversion attribute to control the behavior of this attribute:
  • If the msExchDisableUDGConversion attribute does not exist, or if the attribute is set to 0, universal distribution groups are automatically converted to universal security groups.
  • If the msExchDisableUDGConversion attribute is set to 1, Outlook cannot request the conversion of universal distribution groups to universal security groups. However, Exchange system processes can still convert universal distribution groups and Microsoft Exchange Server 5.5 groups to universal security groups if the Exchange system processes are used to control access to folders. For example, Exchange Server 5.5 groups are converted to universal security groups if you upgrade Exchange Server 5.5 to a later version of Exchange.
  • If the msExchDisableUDGConversion attribute is set to 2, automatic conversions do not occur. Windows administrators must manually convert groups to universal distribution groups or to universal security groups.
To set the value in the properties of the msExchDisableUDGConversion attribute, you must modify the attribute on your Exchange organization object in Active Directory. You can use the ADSI Edit snap-in to modify the msExchDisableUDGConversion attribute.

Note The ADSI Edit snap-in is included in the Microsoft Windows 2000 Support Tools.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

To use the ADSI Edit snap-in to change the msExchDisableUDGConversion attribute so that you can convert a universal security group to a universal distribution group, follow these steps:
  1. Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
  2. Expand Configuration Container.
  3. Expand CN=Configuration, DC=Server_name, DC=Domain, Domain.
  4. Expand CN=Services.
  5. Expand CN=Microsoft Exchange.
  6. Right-click the Your_Exchange_organization_name object, and then click Properties.
  7. On the Attributes tab, click Optional in the Select which properties to view list.
  8. In the Select a property to view list, click msExchDisableUDGConversion.
  9. In the Edit Attribute box, type 2, and then click Set.
  10. Click Apply, click OK, and then quit ADSI Edit.
Note You can also use other tools that permit direct access to Active Directory attributes. For example, you can use the Ldifde.exe utility or the LDP utility.

REFERENCES

For additional information about folder permissions and the restrictions of group types, click the following article numbers to view the articles in the Microsoft Knowledge Base:

297016 You must use a native-mode Windows 2000 domain for Exchange 2000

274046 You cannot add a distribution group to permissions of a public folder in Exchange 2000

271930 Message delivery to global groups does not work in Exchange Server 2003 or in Exchange 2000 Server

328880 How to troubleshoot public folder performance issues that are related to ACL conversions in Exchange 2000 and in Exchange 2003

To view the "Understanding public folders in Exchange 2000, part II" Microsoft Support WebCast transcript, visit the following Web site:

http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fen%2Fwc032001%2Fwct032001.asp


For additional information about how to install Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:

301423 How to install the Windows 2000 Support Tools to a Windows 2000 Server-based computer

Modification Type:MinorLast Reviewed:11/10/2005
Keywords:kbinfo KB843587 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.