Microsoft KB Archive/898082

= Users cannot access public folder resources that are members of a nested Universal Distribution Group (UDG) in a mixed-mode Exchange Server environment =

Article ID: 898082

Article Last Modified on 10/25/2007

APPLIES TO

 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange 2000 Enterprise Server
 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange Server 5.5 Standard Edition

SYMPTOMS
When you run Microsoft Exchange Server in a mixed-mode Exchange Server environment, users who are members of nested distribution groups cannot access resources in the public folder store. For example, users who are members of a nested group cannot see a public folder in the public folder hierarchy.

When you investigate this issue, you find that only the top-level group was converted to a Universal Security Group (USG). The nested groups remain Universal Distribution Groups (UDGs). You expect the Exchange store to automatically convert UDGs to USGs when the UDG is part of a discretionary access control list (DACL) for a public folder.



CAUSE
This issue occurs because nested UDGs are not converted to USGs if their parent is already a USG. The converter function determines whether to continue enumerating a member based on the member's group type. If a top-level group is a USG, the converter will not try to enumerate any nested groups to determine whether they also require conversion. Otherwise, every time that a DACL changed on a folder, Exchange would have to enumerate the entire membership of a group. Group enumeration affects the following items:
 * The performance of the Exchange store
 * The performance of the Microsoft Windows 2000 global catalog server
 * The performance of the Microsoft Windows Server 2003 global catalog server

The Exchange store will not convert a UDG to a USG when the following conditions are true:
 * You manually convert a parent UDG to a USG without converting the nested members.
 * You add a UDG to the membership list of a USG.

Note It is not important whether you add the UDG to the USG before or after you add the USG to the DACL for a folder.

In these conditions, Exchange does not check whether the group's members are themselves groups that need converting. If a USG in a DACL has members that are UDGs, Exchange ignores those UDGs, and as a result the DACL is not enforced correctly for their members.



WORKAROUND
To work around this issue, convert the affected UDGs to USGs. You can either do this manually or by using a script. To do this manually, follow these steps:
 1. Start the Active Directory Users and Computers tool. To do this, click Start, click Run, type dsa.msc in the Open box, and then click OK.
 2. Expand your domain name.
 3. In the console tree, locate and then click the organizational unit or the container that contains the UDG that you want to convert.
 4. In the right pane, right-click the group that you want to convert, and then click Properties.
 5. On the General tab, click Security under Group type, and then click OK.

If you have to create more distribution groups, do not use UDGs as members of USGs. Instead, use mail-enabled USGs to prevent conversion issues.
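The article mentions that the conversion can also be scripted but gives no script. The following PowerShell script is an added example and is not part of the KB article or of any Microsoft tool. It walks the nested membership of a top-level group that appears in a public folder DACL, finds every nested universal distribution group (the case the Exchange store skips when the parent is already a USG, as described under CAUSE), and converts each one to a universal security group, which is the same change as clicking Security under Group type in step 5. It assumes the ActiveDirectory PowerShell module is available, that the account running it may modify the groups, and that the groups are in a native mode domain as the article requires; the group name in the usage line is a placeholder.

```powershell
# Added example, not from the KB article: convert UDGs nested below a USG.
# Assumes the ActiveDirectory module and a native mode domain.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$TopLevelGroup,      # sAMAccountName or DN of the USG listed in the folder DACL
    [string]$Server = $null      # optional domain controller / global catalog to query
)

Import-Module ActiveDirectory

$adParams = @{}
if ($Server) { $adParams['Server'] = $Server }

# Walk nested group membership depth-first. Visited DNs are tracked so that
# circular nesting (A contains B, B contains A) cannot loop forever.
function Get-NestedGroup {
    param([string]$Identity, [hashtable]$Visited, [switch]$IncludeSelf)
    $group = Get-ADGroup -Identity $Identity @adParams
    if ($Visited.ContainsKey($group.DistinguishedName)) { return }
    $Visited[$group.DistinguishedName] = $true
    if ($IncludeSelf) { $group }
    # Only direct members that are groups matter here; users and contacts
    # have no group type to convert.
    $memberGroups = Get-ADGroupMember -Identity $group.DistinguishedName @adParams |
        Where-Object { $_.objectClass -eq 'group' }
    foreach ($m in $memberGroups) {
        Get-NestedGroup -Identity $m.DistinguishedName -Visited $Visited -IncludeSelf
    }
}

$nested = @(Get-NestedGroup -Identity $TopLevelGroup -Visited @{})

# A UDG is universal scope plus the Distribution category; that is the
# combination the store does not upgrade when its parent is already a USG.
$udgs = $nested | Where-Object {
    $_.GroupScope -eq 'Universal' -and $_.GroupCategory -eq 'Distribution'
}

if (-not $udgs) {
    Write-Host "No nested universal distribution groups found under $TopLevelGroup."
    return
}

foreach ($g in $udgs) {
    if ($PSCmdlet.ShouldProcess($g.DistinguishedName, 'Convert UDG to universal security group')) {
        # Same effect as choosing Security under Group type on the General tab.
        Set-ADGroup -Identity $g.DistinguishedName -GroupCategory Security @adParams
        Write-Host "Converted: $($g.Name)"
    }
}
```

Run it first with `-WhatIf` (for example `.\Convert-NestedUdg.ps1 -TopLevelGroup 'PF-Example-Readers' -WhatIf`, where the script file and group names are placeholders) to list the groups it would change, then without `-WhatIf` to convert them. Because the script only changes the group category, not the scope, the converted groups keep their universal scope and remain mail-enabled, which matches the article's advice to use mail-enabled USGs rather than UDGs as members of USGs.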



Microsoft Exchange Server version 5.5 distribution lists and Active Directory security groups
Exchange Server 5.5 uses distribution lists both for message delivery and for access control. However, Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003 use distribution lists only for message delivery. Both Exchange 2000 and Exchange 2003 use Active Directory security groups for access control.

The following are the two types of Active Directory groups:
 * Security groups - Security groups are listed in DACLs that define permissions on resources and on objects. Security groups can also be used as an e-mail entity. If you send an e-mail message to the security group, that e-mail message is sent to all the members of the security group.
 * Distribution groups - Distribution groups are not security-enabled. They cannot be listed in DACLs. They can be used only by e-mail programs, such as Exchange, to send e-mail messages to collections of users.

The Active Directory Connector (ADC) replicates Exchange 5.5 distribution lists to Active Directory UDGs. When Exchange 2000 or Exchange 2003 encounters a UDG while it processes a public folder DACL, Exchange immediately tries to upgrade the UDG to a USG. The USG then replaces the UDG in the DACL. This conversion occurs because UDGs cannot be used to grant permissions to public folders.

Conversion of UDGs to USGs
The Exchange store will automatically try to upgrade a UDG to a USG if a UDG is listed in the DACL for a public folder. The converter will enumerate the membership of a UDG. Additionally, the converter typically converts the nested member UDGs.

Important note The UDG must be in a Windows 2000 or Windows Server 2003 native mode domain to enable the Exchange store to upgrade the group to a USG. In a mixed Exchange 2000 and Exchange 5.5 environment, or in a mixed Exchange 2003 and Exchange 5.5 environment, the ADC will display a warning if you replicate Exchange 5.5 distribution lists to a non-native mode domain.

If the UDG is in a Windows 2000 or Windows Server 2003 native mode domain, the Exchange store will upgrade a UDG to a USG when the following conditions are true:
 * A UDG is added to the DACL list of a folder. The UDG may be added by a client or through Exchange System Manager.
 * An Exchange 5.5 folder is replicated to an Exchange 2000 folder or to an Exchange 2003 folder.
 * A previous attempt to upgrade a UDG failed. For example, the upgrade fails if the UDG was in a Windows 2000 or Windows Server 2003 mixed-mode domain. Note that the next time that the folder is accessed, the Exchange store will again try to upgrade the UDG.

Circumstances where UDG to USG conversion does not occur
UDG to USG conversion will not occur when any of the following conditions is true:
 * The Windows 2000 or Windows Server 2003 domain that contains the UDG is in mixed mode.
 * A previously converted UDG is reset to a UDG.
 * The membership of a UDG has not been replicated.
 * The parent of nested UDGs is already a USG.

Note The conversion function is not called repeatedly after a UDG has been successfully upgraded. For example, consider the following scenario. You add a UDG to the DACL for a folder, let it upgrade to a USG, and then reset the group to a UDG. In this scenario, the conversion function does not automatically upgrade the UDG again on client access. However, the conversion function does upgrade the UDG if you modify the permissions that are associated with the UDG.

