Microsoft KB Archive/843587

= How to stop automatic conversion of universal distribution groups to universal security groups in Exchange 2000 and in Exchange 2003 =

Article ID: 843587

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange Server 2003 Enterprise Edition

-





INTRODUCTION
By default, universal security groups are used to grant permission to a public folder or to a mailbox folder in Microsoft Exchange 2000 Server and in Microsoft Exchange Server 2003. The default settings do not let you use universal distribution groups to grant permission to a public folder or to a mailbox folder. When a Microsoft Outlook user tries to use a universal distribution group to grant permission to a public folder or to a mailbox folder, the universal distribution group is automatically converted to a universal security group by the Microsoft Exchange Information Store process.

It is best to use only universal security groups to grant permission to a public folder or to a mailbox folder in Exchange 2000 and in Exchange 2003. However, if you have to grant permission to a public folder or to a mailbox folder by using a universal distribution group, you can change the value that is set in the properties of the msExchDisableUDGConversion attribute. Changing the value permits Microsoft Windows administrators to manually convert universal distribution groups.



MORE INFORMATION
The msExchDisableUDGConversion attribute of your Exchange organization object in the Active Directory directory service controls the behavior of the Microsoft Exchange Information Store process. By default, the Microsoft Exchange Information Store process automatically converts universal distribution groups to universal security groups when the group is used to control access to either a public folder or to a mailbox folder. The following values are used in the msExchDisableUDGConversion attribute to control the behavior of this attribute:
 * If the msExchDisableUDGConversion attribute does not exist, or if the attribute is set to 0, universal distribution groups are automatically converted to universal security groups.
 * If the msExchDisableUDGConversion attribute is set to 1, Outlook cannot request the conversion of universal distribution groups to universal security groups. However, Exchange system processes can still convert universal distribution groups and Microsoft Exchange Server 5.5 groups to universal security groups if the Exchange system processes are used to control access to folders. For example, Exchange Server 5.5 groups are converted to universal security groups if you upgrade Exchange Server 5.5 to a later version of Exchange.
 * If the msExchDisableUDGConversion attribute is set to 2, automatic conversions do not occur. Windows administrators must manually convert groups to universal distribution groups or to universal security groups.

To set the value in the properties of the msExchDisableUDGConversion attribute, you must modify the attribute on your Exchange organization object in Active Directory. You can use the ADSI Edit snap-in to modify the msExchDisableUDGConversion attribute.

Note The ADSI Edit snap-in is included in the Microsoft Windows 2000 Support Tools.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

To use the ADSI Edit snap-in to change the msExchDisableUDGConversion attribute so that you can convert a universal security group to a universal distribution group, follow these steps:
 * 1) Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
 * 2) Expand Configuration Container.
 * 3) Expand CN=Configuration, DC=, DC= ,  .
 * 4) Expand CN=Services.
 * 5) Expand CN=Microsoft Exchange.
 * 6) Right-click the   object, and then click Properties.
 * 7) On the Attributes tab, click Optional in the Select which properties to view list.
 * 8) In the Select a property to view list, click msExchDisableUDGConversion.
 * 9) In the Edit Attribute box, type 2, and then click Set.
 * 10) Click Apply, click OK, and then quit ADSI Edit.

Note You can also use other tools that permit direct access to Active Directory attributes. For example, you can use the Ldifde.exe utility or the LDP utility.

