A description of the message "The domain 'Example.com' has been identified as an insecure domain for mail-enabled groups with hidden DL membership"
This article has been archived. It is offered "as is" and will no longer be updated.
This article discusses the message that you receive when you prepare your domain for the installation of Microsoft Exchange Server 2003 or Microsoft Exchange 2000 Server by running the Setup program together with the /domainprep option.
When you run the Setup /domainprep command, you receive the following message:
The domain "Example.com" has been identified as an insecure domain for mail-enabled groups with hidden DL membership. Hidden DL membership will be exposed to members of the built-in "Pre-Windows 2000 Compatible Access" security group. This group may have been populated during the promotion of the domain with the intent of allowing permissions to be compatible with pre-Windows 2000 servers and applications. To secure this domain, remove any unnecessary members from this group.This behavior does not keep you from installing Exchange.
This message does not indicate that your domain is not secure or that your Exchange organization is running in mixed mode. If you are concerned that hidden distribution list memberships may be exposed to members of the Pre-Windows 2000 Compatible Access security group, make sure that you populate the Pre-Windows 2000 Compatible Access security group with trusted users or groups.
Microsoft Windows 2000 introduced stricter default security settings than the security settings that were available in Microsoft Windows NT Server 4.0 and in earlier versions of the Windows NT operating system. To be compatible with services that require anonymous access to certain domain information, Windows 2000 provides a method to switch between the higher-security settings and the backward-compatible security settings.
The backward-compatible security settings grant users anonymous access to certain domain information. Computers that are running Windows NT 4.0 and computers that are running earlier versions of Windows NT require anonymous access. If you do not require backward compatibility with earlier versions of Windows, Microsoft recommends that you use the higher-security settings.
The Pre-Windows 2000 Compatible Access security group was introduced in Windows 2000. This group controls the backward-compatible security option. In Windows 2000, you can implement backward compatibility with earlier versions of Windows by making the Everyone security group a member of the Pre-Windows 2000 Compatible Access security group. You can implement the higher-security settings by removing all members from the Pre-Windows 2000 Compatible Access security group. Therefore, in Windows 2000, you can manually switch between the backward-compatible security settings and the higher-security settings on Active Directory directory service objects by updating the membership of the Pre-Windows 2000 Compatible Access security group.
Article ID: 834639 - Last Review: 12/08/2015 05:56:11 - Revision: 1.3
Microsoft Exchange 2000 Server Standard Edition, Microsoft Exchange 2000 Enterprise Server, Microsoft Exchange Server 2003 Enterprise Edition, Microsoft Exchange Server 2003 Standard Edition
- kbnosurvey kbarchive kbinfo KB834639