Hide your distribution groups properly!
Ran into another one today. At times, we have to forward email to more than one person on behalf of someone who is either leaving the company or whose email is simply being monitored.
In order to hide the distribution group properly, make sure to follow this M$ article:
http://support.microsoft.com/kb/812841
Symptoms
When you hide the membership of a distribution group, members of that distribution group are not hidden from members of the Pre-Windows 2000 Compatible Access security group. This means that users with access to your directory can view a group that an object is a member of by viewing the memberOf attribute on an object, even if the membership of the distribution group is hidden.
Example: John Smith is a member of a distribution group named MYDL. You have correctly hidden the MYDL group membership by using the instructions in the following Microsoft Knowledge Base article:
When logged on to the Exchange Server computer as a user who belongs to the Pre-Windows 2000 Compatible Access security group, you can view the properties of John Smith from the Global Address List. MYDL is listed on the Member of tab.
Note: To locate the Member of tab, follow these steps:
- In Microsoft Outlook, click New.
- In the new message window that appears, click the To button.
- In the Show names from the list, click Global Address List.
- Right-click a name in the Name list, and then click Properties.
- Click the Member of tab.
Cause
This issue occurs because hidden distribution group membership is exposed to members of the Pre-Windows 2000 Compatible Access security group through the memberOf attribute. When you install Exchange 2000 Server in a domain in which the Pre-Windows 2000 Compatible Access security group contains members, you receive the following message:
The Pre-Windows 2000 Compatible Access security group is populated during Dcpromo based on whatever permissions choices are made. For more information about this process, click the following article number to view the article in the Microsoft Knowledge Base:
Note: This article also explains how to remove the Everyone group from the Pre-Windows 2000 Compatible Access security group. See the "More Information" section of the current article (812841) for more information about the Everyone group as it resides in the Pre-Windows 2000 Compatible Access security group.
Workaround
To work around this scenario, follow these steps:
- Add the distribution group to a new organizational unit or to an organizational unit that you want to modify access to in Active Directory Users and Computers.
- Edit the properties of the new organizational unit to deny the Read permission to the users or groups that you want to prevent from viewing the distribution group membership.
Note: If you want to deny Read access to the Pre-Windows 2000 Compatible Access group, make sure that you first remove the Everyone group from the Pre-Windows 2000 Compatible Access group membership. If you do not remove the Everyone group, everyone will be denied Read access to the distribution group.
In some cases, you may have to provide backward compatibility for earlier server/client operating systems and programs, and you cannot remove the Everyone group from the membership of the Pre-Windows 2000 Compatible Access security group.
- Right-click the distribution group, click Exchange Tasks, click Next, click Hide Membership, and then click Next.
- Click Next to confirm that the security descriptor of the selected group will be changed to prevent viewing, and then click Finish.
- Allow sufficient time for the Recipient Update Service (RUS) to replicate the changes. Or, update the RUS manually in Exchange System Manager. To do so:
- Start Exchange System Manager. To do this, click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
- Under your organization, expand Recipients, and then click Recipient Update Services.
- In the right pane, right-click the recipient update service, and then click Update Now.
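Before applying the workaround it helps to know whether the exposure actually applies in your domain. The following audit script is an added example, not part of the Microsoft article above; it assumes the RSAT ActiveDirectory module on a domain-joined machine and uses the MYDL group name from the article as its sample input. It reports whether Pre-Windows 2000 Compatible Access still contains Everyone (or another broad principal), whether the DL carries the hideDLMembership flag, and whether a Deny ACE for that group is present on the DL (directly or inherited from its OU).

```powershell
# Added audit script (not part of the quoted Microsoft KB article).
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Test-HiddenDLExposure {
    param(
        [Parameter(Mandatory)][string]$DistributionGroup,   # e.g. 'MYDL' from the article
        [string]$CompatGroup = 'Pre-Windows 2000 Compatible Access'
    )
    $findings = @()

    # 1. Members of the compat group are stored as DNs; well-known principals show up as
    #    ForeignSecurityPrincipal objects named by SID (S-1-1-0 is Everyone).
    $compat = Get-ADGroup -Identity $CompatGroup -Properties member
    $broad  = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-7' = 'Anonymous Logon' }
    foreach ($dn in $compat.member) {
        foreach ($sid in $broad.Keys) {
            if ($dn -like "CN=$sid,CN=ForeignSecurityPrincipals,*") {
                $findings += "$CompatGroup contains $($broad[$sid]) ($sid): hidden membership is readable " +
                             "through memberOf, and a Deny for $CompatGroup would deny everyone (see KB note)"
            }
        }
    }

    # 2. Is the DL flagged as hidden, and is there a Deny ACE for the compat group on it?
    #    nTSecurityDescriptor.Access includes ACEs inherited from the OU the KB tells you to create.
    $dl = Get-ADGroup -Identity $DistributionGroup -Properties hideDLMembership, nTSecurityDescriptor
    if (-not $dl.hideDLMembership) {
        $findings += "$DistributionGroup has no hideDLMembership flag (Exchange 'Hide Membership' task not applied)"
    }
    $denyAces = $dl.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like "*\$CompatGroup"
    }
    if (-not $denyAces) {
        $findings += "No Deny ACE for $CompatGroup on $DistributionGroup or its OU (KB workaround step 2 missing)"
    }

    [pscustomobject]@{
        DistributionGroup = $DistributionGroup
        HideDLMembership  = [bool]$dl.hideDLMembership
        Exposed           = ($findings.Count -gt 0)
        Findings          = $findings
    }
}

Test-HiddenDLExposure -DistributionGroup 'MYDL' | Format-List
```

An empty Findings list means the compat group holds no broad principal and the DL has both the hidden flag and a Deny ACE; anything else is a step of the workaround still outstanding.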

1
this is nothing but copy-pasting… crap
2
You’re absolutely correct! However, it’s not crap. It’s in a place where I know where to find it when I need to do it again. Where applicable, I make notes of additional steps I need to make.