Article ID: 898082 - View products that this article applies to.
When you run Microsoft Exchange Server in a mixed-mode Exchange Server environment, users who are members of nested distribution groups cannot access resources in the public folder store. For example, users who are members of a nested group cannot see a public folder in the public folder hierarchy.
When you investigate this issue, you find that only the top-level group was converted to a Universal Security Group (USG). The nested groups remain Universal Distribution Groups (UDGs). You expect the Exchange store to automatically convert UDGs to USGs when the UDG is part of a discretionary access control list (DACL) for a public folder.
This issue occurs because nested UDGs are not converted to USGs if their parent is already a USG. The converter function determines whether to continue enumerating a member based on the member's group type. If a top-level group is a USG, the converter will not try to enumerate any nested groups to determine whether they also require conversion. Otherwise, every time that a DACL changed on a folder, Exchange would have to enumerate the entire membership of a group. Group enumeration affects the following items:
To work around this issue, convert the affected UDGs to USGs. You can either do this manually or by using a script. To do this manually, follow these steps:
Microsoft Exchange Server version 5.5 distribution lists and Active Directory security groupsExchange Server 5.5 uses distribution lists both for message delivery and for access control. However, Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003 use distribution lists only for message delivery. Both Exchange 2000 and Exchange 2003 use Active Directory security groups for access control.
The following are the two types of Active Directory groups:
Conversion of UDGs to USGsThe Exchange store will automatically try to upgrade a UDG to a USG if a UDG is listed in the DACL for a public folder. The converter will enumerate the membership of a UDG. Additionally, the converter typically converts the nested member UDGs.
Important note The UDG must be in a Windows 2000 or Windows Server 2003 native mode domain to enable the Exchange store to upgrade the group to a USG. In a mixed Exchange 2000 and Exchange 5.5 environment, or in a mixed Exchange 2003 and Exchange 5.5 environment, the ADC will display a warning if you replicate Exchange 5.5 distribution lists to a non-native mode domain.
If the UDG is in a Windows 2000 or Windows Server 2003 native mode domain, the Exchange store will upgrade a UDG to a USG when the following conditions are true:
Circumstances where UDG to USG conversion does not occurUDG to USG conversion will not occur when the following conditions are true:
For more information, see the "Types of Groups Used in Access Control Lists" topic in Chapter 7 of the Working with the Exchange Server 2003 Store guide. To view this guide, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/aa996360.aspxFor more information about the role of groups and of access control lists in Exchange 2000, visit the following Microsoft Web site:
Article ID: 898082 - Last Review: October 25, 2007 - Revision: 2.4