How Exchange hides group membership in Active Directory

This article was previously published under Q253827
This article has been archived. It is offered "as is" and will no longer be updated.
Exchange 2000 uses a Windows 2000 security descriptor to limit access to group membership. The Active Directory Connector (ADC) and Recipient Update Service are responsible for updating these security descriptors for groups that have hidden memberships.
Exchange Server 5.5 has its own directory service, so it is responsible for defining how users can browse through attributes and who has the right to read or write certain properties. This allows Exchange Server 5.5 to determine whether or not someone can see the membership of a group because the code that shows that attribute through Messaging Application Programming Interface (MAPI) or Lightweight Directory Access Protocol (LDAP) passes through the Exchange Server 5.5 security system.

In Exchange 2000, Active Directory replaces the Exchange Server directory, so the security system for LDAP queries belongs to Windows 2000. Windows 2000 allows you to control access to several levels, including setting permissions on a single attribute. For that reason, Exchange 2000 uses the Windows 2000 security descriptor to control who does and does not have the right to see the members of a group.

With Exchange 2000 and Windows 2000, you must take certain precautions to ensure that permissions are set properly. For example, all Exchange 2000 servers installed in your organization need the permission to see the group membership, even if the Hide Membership option for this group is enabled. Otherwise, those servers cannot expand the group membership and deliver messages addressed to that group.

To give Exchange 2000 users and administrators the maximum security possible, Exchange 2000 depends on the ADC and the Recipient Update Service to ensure that these permissions are set properly.

Handling Distribution Lists Replicated from Exchange Server 5.5

If you are installing Exchange 2000 in a mixed topology, with one or more Exchange Server 5.5 computers, you need the ADC to replicate your entries from the Exchange Server 5.5 directory to Active Directory and vice versa. For this reason, if you are replicating a distribution list (DL) whose membership is hidden in Exchange Server 5.5, the membership needs to be hidden in Active Directory as well.

To accomplish this, when the ADC is replicating a hidden DL from Exchange Server 5.5, it detects that the hide-dl-membership attribute in the Exchange Server 5.5 directory is set to TRUE, and it stamps a set of Access Control Entries (ACEs) on the security descriptor in Active Directory. Those ACEs will be in a non-canonical format, which means that at least one denied ACE will follow an allowed ACE.

To determine which Security Principals have permission to read or write membership, the ADC reads the msExchServerGlobalGroups attribute from the organization container entry in Active Directory, and extracts the list of security identifiers (SIDs) that will comprise the non-canonical part of the security descriptor. This allows all Exchange Server computers to gain access to group membership, regardless of whether the membership is hidden.

Consider the following example. Your organization has several Exchange 2000 servers in two different domains, DomA and DomB. Exchange 2000 Setup creates two groups, named "DomA\Domain EXServers," and "DomB\Domain EXServers." The msExchServerGlobalGroups attribute will contain two values, which will be the SIDs of those two groups.

The final security descriptor of that group, after the ADC replicates it to Active Directory, will be:

ACE #   Type      Right               SID
1       Allowed   Read/Write Member   DomA\Domain EXServers
2       Allowed   Read/Write Member   DomB\Domain EXServers
3       Denied    Read/Write Member   Everyone

The ADC adds ACEs 1 through 3 from the table above, in that order. When the Windows security subsystem evaluates this permission, it grants both "Domain EXServers" groups the right to read and write the membership, and denies that right to everyone else.

When you open the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, and click Advanced Features on the View menu, you can see the Security tab on each entry. If you select the group that contains the non-canonical security descriptor, you receive the following error message:
Windows can not edit the permissions on 'MyHiddenGroup' because they have been written in a non-standard format by another application. To enable editing, you must use the application to restore the permissions to a standard format.
Basically, the Windows security subsystem knows how to interpret non-canonical formats, but the user interface does not let you edit them. Not even the administrator is allowed to see or edit the membership of a group whose hideDLMembership attribute in Active Directory is set to TRUE. To do that, you need to be a member of the "Domain EXServers" security group.
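The following is an added example, not code from the article: a simplified model of how the Windows access check walks a DACL in order, run against the three ACEs from the table above. It shows why the ADC must keep the allow ACEs ahead of the Everyone deny, and what would happen if an ACL editor "restored" the descriptor to canonical (deny-first) order. The rights bitmask, the Ace class, and the readable trustee names standing in for SIDs are all constructed for this illustration.

```python
from dataclasses import dataclass

# Rights on the "member" attribute, modeled as a bitmask (simplified; real AD
# uses object-specific ACEs keyed by the attribute's GUID).
READ_MEMBER = 0x1
WRITE_MEMBER = 0x2
EVERYONE = "S-1-1-0"  # well-known SID of the Everyone group

@dataclass(frozen=True)
class Ace:
    kind: str     # "allow" or "deny"
    rights: int   # bitmask of rights this ACE covers
    trustee: str  # SID (or, here, a readable group name) the ACE applies to

def access_check(dacl, token_sids, requested):
    """Walk the DACL in order, as the Windows security subsystem does (simplified):
    a deny ACE whose trustee is in the token and that covers a still-requested
    right fails the check; an allow ACE grants its rights; the check succeeds
    once every requested right has been granted. Everyone is in every token."""
    token = set(token_sids) | {EVERYONE}
    remaining = requested
    for ace in dacl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.rights
            if remaining == 0:
                return True
    return remaining == 0   # no matching allow ACE (or an empty DACL) denies access

# The ACEs the ADC stamps for a hidden group (group names as in the article).
DOMA_EXSERVERS = "DomA\\Domain EXServers"
DOMB_EXSERVERS = "DomB\\Domain EXServers"
HIDDEN_MEMBERSHIP_DACL = [
    Ace("allow", READ_MEMBER | WRITE_MEMBER, DOMA_EXSERVERS),  # ACE 1
    Ace("allow", READ_MEMBER | WRITE_MEMBER, DOMB_EXSERVERS),  # ACE 2
    Ace("deny", READ_MEMBER | WRITE_MEMBER, EVERYONE),         # ACE 3
]

def canonical_order(dacl):
    """The order an ACL editor imposes when it 'restores' a DACL: denies first.
    Applied to the hidden-group DACL, the Everyone deny would then hit the
    Exchange servers too, which is why the ADC keeps the non-canonical order."""
    return [a for a in dacl if a.kind == "deny"] + [a for a in dacl if a.kind == "allow"]

def can_read_member(dacl, token_sids):
    return access_check(dacl, token_sids, READ_MEMBER)
```

With the ADC's ordering, a token holding either "Domain EXServers" SID can read and write the membership while an administrator without that SID is denied; once the same ACEs are canonicalized, even the Exchange servers are denied.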

The Recipient Update Service

There are two scenarios that are not addressed by the solution above:
  • What if the ADC is running before the first Exchange 2000 server is installed?
  • If you add a new domain with Exchange 2000 to your organization, how would it be added to the list of servers on the non-canonical security descriptor?
The answer for both questions is the Recipient Update Service.

The Recipient Update Service has the job of monitoring changes in Active Directory and taking action based on those changes. Mainly, it adds, removes, and modifies e-mail addresses, address lists, and other attributes for mail-enabled entries, such as users, contacts, groups, and public folders. But it also knows when a new server or a new domain is added to the network.

Specifically, if you add a new Exchange 2000 server to a domain that does not already have an Exchange 2000 server, it will search for all groups with the condition "hideDLMembership=TRUE," and reset the security descriptor to meet the new requirement for the non-canonical security descriptor.

This also works for manual or programmatic changes using the LDAP interface. If the hideDLMembership attribute is changed to TRUE or FALSE, the Recipient Update Service will notice that, and add or remove the non-canonical part of the security descriptor. This allows companies to write their own application to change the status of a member-hidden group without compromising security.

Avoiding Latency Issues When Modifying Hidden Group Status

The Recipient Update Service may take from a few seconds to a few minutes to identify a new change in Active Directory, depending on several conditions. For that reason, if you select a group using the Active Directory Users and Computers MMC snap-in, the Exchange Extension for that snap-in will provide immediate action if you choose to hide the membership of that group.

To hide group membership using the Active Directory Users and Computers MMC snap-in:
  1. Click the group whose membership you want to hide.
  2. Right-click the group, and then click Exchange Tasks.
  3. Follow the wizard, and click Hide Membership.
For a one-domain-controller environment, this will immediately change the security descriptor of that group and prevent anyone from viewing its membership information. However, for a multi-domain-controller environment, you must wait for Active Directory replication to finish.

Article ID: 253827 - Last Review: 12/05/2015 18:35:47 - Revision: 4.0

Microsoft Exchange 2000 Server Standard Edition, Microsoft Exchange Server 5.5 Service Pack 3, Microsoft Windows 2000 Standard Edition
