Incorrect Number of Recipients with Valid Digital IDs Is Returned When You Send an Encrypted Message to a Query-Based Distribution Group By Using Outlook Web Access

When you send a message that is encrypted or that uses the S/MIME protocol to a distribution group that contains a query-based distribution group as one of its members, the GetCert code that reports whether the members of the distribution group have valid certificates may not return an accurate result for the members that have valid digital IDs.

This issue may occur if you send the encrypted message by using Microsoft Outlook Web Access (OWA). The S/MIME Control in OWA cannot encrypt mail to query-based distribution groups. The GetCert code treats the whole nested (a distribution group that is a member of a distribution group) query-based distribution group as a single member.

For example, this issue occurs if you send an encrypted message to a distribution group that is made up of the following two members:

• One member that has a valid digital certificate.
• Another member that is a query-based distribution group that is made up of several members. Some have valid digital IDs and others do not.

In this example, the GetCert code determines that one member has a valid digital ID, and that the member that is representative of the query-based distribution group does not have one. The GetCert code only returns the number of members that are not in query-based distribution groups.

Exchange Server 2003 contains a new feature to help reduce the time you spend managing distribution groups. This feature is the query-based distribution group. These groups have the same functionality as standard distribution groups, but instead of specifying static user memberships, they allow the use of a Lightweight Directory Access Protocol (LDAP) query to specify the members of the distribution group (for example, "All full time employees in my company").