A description of the message "The domain 'Example.com' has been identified as an insecure domain for mail-enabled groups with hidden DL membership"

Article ID: 834639

INTRODUCTION

This article discusses the message that you receive when you prepare your domain for the installation of Microsoft Exchange Server 2003 or Microsoft Exchange 2000 Server by running the Setup program together with the /domainprep option.

MORE INFORMATION

When you run the Setup /domainprep command, you receive the following message:
The domain "Example.com" has been identified as an insecure domain for mail-enabled groups with hidden DL membership. Hidden DL membership will be exposed to members of the built-in "Pre-Windows 2000 Compatible Access" security group. This group may have been populated during the promotion of the domain with the intent of allowing permissions to be compatible with pre-Windows 2000 servers and applications. To secure this domain, remove any unnecessary members from this group.
This behavior does not keep you from installing Exchange.

This message does not indicate that your domain is not secure or that your Exchange organization is running in mixed mode. If you are concerned that hidden distribution list memberships may be exposed to members of the Pre-Windows 2000 Compatible Access security group, make sure that you populate the Pre-Windows 2000 Compatible Access security group with trusted users or groups.

Microsoft Windows 2000 introduced stricter default security settings than the security settings that were available in Microsoft Windows NT Server 4.0 and in earlier versions of the Windows NT operating system. To be compatible with services that require anonymous access to certain domain information, Windows 2000 provides a method to switch between the higher-security settings and the backward-compatible security settings.

The backward-compatible security settings grant users anonymous access to certain domain information. Computers that are running Windows NT 4.0 and computers that are running earlier versions of Windows NT require anonymous access. If you do not require backward compatibility with earlier versions of Windows, Microsoft recommends that you use the higher-security settings.

The Pre-Windows 2000 Compatible Access security group was introduced in Windows 2000. This group controls the backward-compatible security option. In Windows 2000, you can implement backward compatibility with earlier versions of Windows by making the Everyone security group a member of the Pre-Windows 2000 Compatible Access security group. You can implement the higher-security settings by removing all members from the Pre-Windows 2000 Compatible Access security group. Therefore, in Windows 2000, you can manually switch between the backward-compatible security settings and the higher-security settings on Active Directory directory service objects by updating the membership of the Pre-Windows 2000 Compatible Access security group.
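One way to review the membership described above, shown as an added example that is not part of the original article. The function name `Test-CompatAccessMember`, the sample distinguished names, and the choice to flag Anonymous Logon and Authenticated Users alongside Everyone are assumptions made for illustration; the live query assumes the ActiveDirectory PowerShell module and a reachable domain controller.

```powershell
# Added example: flag broad principals in "Pre-Windows 2000 Compatible Access".
# Well-known SIDs treated here as "backward-compatible" membership (assumption:
# the article names only Everyone; the other two are included for review).
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

function Test-CompatAccessMember {
    param([string[]]$MemberDn)
    foreach ($dn in $MemberDn) {
        # Well-known principals are stored as CN=<SID>,CN=ForeignSecurityPrincipals,...
        $sid = if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') { $Matches[1] } else { $null }
        $isBroad = ($null -ne $sid) -and $BroadSids.ContainsKey($sid)
        [pscustomobject]@{
            Member  = if ($isBroad) { $BroadSids[$sid] } else { $dn }
            Sid     = $sid
            Finding = if ($isBroad) { 'BROAD: backward-compatible access' } else { 'Review: confirm trusted' }
        }
    }
}

# Constructed sample membership (not taken from a real domain).
$sample = @(
    'CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=example,DC=com',
    'CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=example,DC=com',
    'CN=svc-legacyapp,OU=Service Accounts,DC=example,DC=com'
)
Test-CompatAccessMember -MemberDn $sample | Format-Table -AutoSize

# Live check. S-1-5-32-554 is the well-known SID of the built-in group, so the
# lookup does not depend on the group's display name.
if (Get-Command Get-ADGroup -ErrorAction SilentlyContinue) {
    $group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
    Test-CompatAccessMember -MemberDn $group.member | Format-Table -AutoSize
}
```

An empty result from the live check corresponds to the higher-security setting the article describes, where all members have been removed from the group.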

Properties

Article ID: 834639 - Last Review: October 25, 2007 - Revision: 1.3
APPLIES TO
  • Microsoft Exchange 2000 Server Standard Edition
  • Microsoft Exchange 2000 Enterprise Server
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
Keywords: kbinfo KB834639
