When you run the Setup /domainprep command, you receive the following message:
The domain "Example.com" has been identified as an insecure domain for mail-enabled groups with hidden DL membership. Hidden DL membership will be exposed to members of the built-in "Pre-Windows 2000 Compatible Access" security group. This group may have been populated during the promotion of the domain with the intent of allowing permissions to be compatible with pre-Windows 2000 servers and applications. To secure this domain, remove any unnecessary members from this group.
This behavior does not keep you from installing Exchange.
This message does not indicate that your domain is not secure or that your Exchange organization is running in mixed mode. If you are concerned that hidden distribution list memberships may be exposed to members of the Pre-Windows 2000 Compatible Access security group, make sure that you populate the Pre-Windows 2000 Compatible Access security group with trusted users or groups.
Microsoft Windows 2000 introduced stricter default security settings than the security settings that were available in Microsoft Windows NT Server 4.0 and in earlier versions of the Windows NT operating system. To be compatible with services that require anonymous access to certain domain information, Windows 2000 provides a method to switch between the higher-security settings and the backward-compatible security settings.
The backward-compatible security settings grant users anonymous access to certain domain information. Computers that are running Windows NT 4.0 and computers that are running earlier versions of Windows NT require anonymous access. If you do not require backward compatibility with earlier versions of Windows, Microsoft recommends that you use the higher-security settings.
The Pre-Windows 2000 Compatible Access security group was introduced in Windows 2000. This group controls the backward-compatible security option. In Windows 2000, you can implement backward compatibility with earlier versions of Windows by making the Everyone security group a member of the Pre-Windows 2000 Compatible Access security group. You can implement the higher-security settings by removing all members from the Pre-Windows 2000 Compatible Access security group. Therefore, in Windows 2000, you can manually switch between the backward-compatible security settings and the higher-security settings on Active Directory directory service objects by updating the membership of the Pre-Windows 2000 Compatible Access security group.
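To check which of the two settings a domain is currently using, you can list the members of the group. The following script is an added example, not part of the original article or of Exchange Setup. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account has read access to the domain. The list of broad well-known SIDs is an assumption for review purposes; the article itself names only Everyone.

```powershell
# Added example: audit the built-in "Pre-Windows 2000 Compatible Access" group.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Well-known SID of the built-in group; it is the same in every domain.
$groupSid = 'S-1-5-32-554'

# Broad well-known principals. Everyone is the member the article names for the
# backward-compatible setting; the other two are included here for review only.
$broad = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

$group = Get-ADGroup -Identity $groupSid -Properties member

if ($group.member.Count -eq 0) {
    Write-Output 'Group is empty: higher-security settings are in effect.'
}
else {
    # Read the member attribute and resolve each DN directly, because well-known
    # principals are stored as foreign security principals named by their SID.
    $report = foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectSid
        $sid = [string]$obj.objectSid   # empty string if the object has no SID
        [pscustomobject]@{
            Name        = if ($broad.ContainsKey($sid)) { $broad[$sid] } else { $obj.Name }
            Sid         = $sid
            ObjectClass = $obj.ObjectClass
            Broad       = $broad.ContainsKey($sid)
        }
    }

    # Broad principals first, then every other member for a trust review.
    $report | Sort-Object Broad -Descending | Format-Table -AutoSize

    if ($report | Where-Object Broad) {
        Write-Warning 'Broad principals are members: hidden DL membership is exposed to them.'
    }
}
```

Any member that is not flagged as broad still needs to be reviewed against the guidance above that the group contain only trusted users or groups.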