This issue occurs because hidden distribution group membership is exposed to members of the Pre-Windows 2000 Compatible Access security group through the memberOf attribute. When you install Exchange 2000 Server in a domain in which the Pre-Windows 2000 Compatible Access security group contains members, you receive the following message:
The domain “domain.com” has been identified as an insecure domain for mail-enabled groups with hidden DL membership. Hidden DL membership will be exposed to members of the built-in Pre-Windows 2000 Compatible Access security group. This group may have been populated during the promotion of the domain with the intent of allowing permissions to be compatible with pre-Windows 2000 servers and applications. To secure this domain, remove any unnecessary members of this group.
The Pre-Windows 2000 Compatible Access security group is populated during Dcpromo based on whatever permissions choices are made. For more information about this process, click the following article number to view the article in the Microsoft Knowledge Base:
257988 (http://support.microsoft.com/kb/257988/) Description of Dcpromo permissions choices
Note This article also explains how to remove the Everyone group from the Pre-Windows 2000 Compatible Access security group. See the “More Information” section of the current article (812841) for more information about the Everyone group as it resides in the Pre-Windows 2000 Compatible Access security group.
To work around this scenario, follow these steps:
1. Add the distribution group to a new organizational unit or to an organizational unit that you want to modify access to in Active Directory Users and Computers.
2. Edit the properties of the new organizational unit to deny the Read permission to the users or groups that you want to prevent from viewing the distribution group membership.
Note If you want to deny Read access to the Pre-Windows 2000 Compatibility Access group, make sure that you first remove the Everyone group from the Pre-Windows 2000 Compatibility Access group membership. If you do not remove the Everyone group, everyone will be denied Read access to the distribution group.
In some cases, you may have to provide backward compatibility for earlier server/client operating systems and programs, and you cannot remove the Everyone group from the membership of the Pre-Windows 2000 Compatible Access security group.
3. Right-click the distribution group, click Exchange Tasks, click Next, click Hide Membership, and then click Next.
4. Click Next to confirm that the security descriptor of the selected group will be changed to prevent viewing, and then click Finish.
5. Allow sufficient time for the Recipient Update Service (RUS) to replicate the changes. Or, update the RUS manually in Exchange System Manager. To do so:
a. Start Exchange System Manager. To do this, click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
b. Under your organization, expand Recipients, and then click Recipient Update Services.
c. In the right pane, right-click the recipient update service, and then click Update Now.
When you put a group in an organizational unit where you have denied Read access to the community that you want to secure its membership from, the group does not appear in the Global Address List (GAL). However, the group membership may still be determined through the use of a Lightweight Directory Access Protocol (LDAP) query on the memberOf attribute of a user account. This query will reveal if that user is a member of a hidden distribution list. There is no way to work around the exposing of this attribute when Everyone is part of the Pre-Windows 2000 Compatible Access security group.
Pre–Windows 2000 Compatibility Access provides for certain programs that must query the Active Directory by using anonymous logon access. Programs or services that may query the directory by using anonymous logon access include those running in the security context of the local System account:, such as in the following scenarios:
• On a server running Microsoft Windows NT 4.0 in or outside the forest.
• On a server running Windows 2000 in a trusting domain outside the forest..
An example of such a program or service is the Routing and Remote Access Service running on Windows NT 4.0.
In Active Directory, the group Pre–Windows 2000 Compatible Access is assigned Read permissions on the domain root, and is also assigned Read permissions on all user objects, computer objects, and group objects. When you enable Pre–Windows 2000 Compatibility, the special Everyone group is added as a member of the Pre–Windows 2000 Compatible Access group. Because Everyone includes both authenticated users and anonymous users, anyone with network access can read these objects. When this setting is enabled, any user with network access (even one without an account in the forest) can query and discover information about Active Directory users, groups, and computers. If you do not have programs that require Active Directory access enabled for Pre–Windows 2000 Compatibility, do not select this setting during domain controller promotion.
When you choose to hide group membership, a “Deny” Access Control Entry (ACE) is placed on the “member” attribute, and, because of this, nobody can read it. However, because Exchange 2000 Server must have access to this attribute, two accounts are granted access to the Member attribute even though the distribution group is hidden: The Exchange Domain Servers group (all Exchange servers in the domain are members of this group) and the Account Operators group (initially empty). Because typical users are not members of the Account Operators group or the Exchange Servers group (which should only include computer accounts), the membership is considered hidden.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
253827 (http://support.microsoft.com/kb/253827/) How Exchange hides group membership in Active Directory