Re: distribution lists in w2k mixed mode

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Jaclynn Hiranaka [MSFT] (jaclynnh_at_online.microsoft.com)
Date: 03/09/04 

Date: Tue, 9 Mar 2004 10:45:00 -0500

The problem with moving to a Windows mixed mode environment is that the DLs
from 5.5 are not upgraded to Universal Security Groups. When the DL comes
over into Windows 2000 it will replicate as a Distribution Group.

In Windows 2000 and above only Security groups can be used for permissions.
If you have any DLs listed for permissions on either mailboxes or public
folders this will fail in Exchange 2000. You will begin to see events in
your logs indicating that you cannot upgrade the group to a security group.

It is recommended that you replicate DLs to a native mode Windows domain.
Remember that you can stand up a child domain and make it native if you
cannot for some reason upgrade the parent domain.

The following article describes your situation:
274046 You Cannot Add a Distribution Group to Permissions of a Public Folder
in
http://support.microsoft.com/?id=274046

Hope that helps. 

-- 
-------------------------
Jaclynn Hiranaka
Enterprise Messaging Support
This posting is provided "AS IS" with no warranties, and confers no rights.
© 2003 Microsoft Corporation. All rights reserved.
"gurvinder.nijjar" <gsnijjar@hotmail.com> wrote in message
news:e7dIiLgAEHA.2404@TK2MSFTNGP11.phx.gbl...
> are there any issues with migrating from exch 5.5 to exch 2003 in w2k
domain
> in a mixed mode.  Also are there any issues with migrating exch 5.5
> distributioin lists into exch 2003.
>
>

Relevant Pages

  • Re: Windows Security Roles
    ... Does Windows 2000 Server support this as well? ... there are issues with using AzMan for this. ... It is useful to allow nested groups, and have a heirarchy of users, user ... We think that we are able to shift to only be using AD Security groups, ...
    (microsoft.public.dotnet.security)
  • Re: Determine AD group membership
    ... Do not confuse this with the kerberos PAC, ... I pretty much agree with JoeK that if you alert the people using the software that these are the limitations (i.e. security groups within the scope of the user and the machine they are being used on) then you should be fine. ... If your app is one that will generate lots of groups and users could be in lots of groups either through nesting or directly and you are not using Windows Securityand Windows ACLs then you should not generally be using security enabled groups unless the company is otherwise using those groups for Windows Security. ...
    (microsoft.public.platformsdk.security)
  • Re: Group Domain Admins cannot be found
    ... Universal Security groups when it comes to the restriction. ... In Windows 2000 Mixed mode Universal ... Changing mode to Windows 2000 Native mode enables Universal groups for ... Wonder what happens when I introduce a couple of 2008 servers;) ...
    (microsoft.public.windows.server.active_directory)
  • Re: Group Domain Admins cannot be found
    ... Changing the Domain Functional level appears to have fixed my ... Universal Security groups when it comes to the restriction. ... In Windows 2000 Mixed mode Universal ... Changing mode to Windows 2000 Native mode enables Universal groups for ...
    (microsoft.public.windows.server.active_directory)
  • Re: Determine AD group membership
    ... Yep that is exactly what I was talking about but in addition to the security/distribution groups in the 3 scopes, ... If you know that you only care about Windows Security groups with scope local to the workstation involved, then using the local user token is completely fine. ... Joe Richards Microsoft MVP Windows Server Directory Services ...
    (microsoft.public.platformsdk.security)