Stop Automatic Conversion of Universal Distribution Groups to Universal Security Groups
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2011-03-19
Universal distribution groups and universal security groups are groups of recipients created to expedite the mass sending of e-mail messages and other information. However, unlike universal distribution groups, universal security groups can also be used to assign permissions.
In Microsoft Exchange, only Active Directory objects that have security principals can be used to grant permission to a public folder or to a mailbox folder. However, it's possible for a Microsoft Outlook user to use a universal distribution group to grant permission to a public folder or to a mailbox folder. In this case, the universal distribution group is automatically converted to a universal security group by the Microsoft Exchange Information Store service. This is the default behavior in Exchange Server 2010 and Exchange Server 2007.
You can modify this behavior to prevent the automatic conversion of universal distribution groups to universal security groups. The msExchDisableUDGConversion attribute of your Exchange organization object in Active Directory is used to control how the Microsoft Exchange Information Store service responds to requests for conversion of universal distribution groups to universal security groups. The following are the acceptable values for the msExchDisableUDGConversion attribute:
- 0 If the attribute is set to 0, or if it isn't configured, universal distribution groups are automatically converted to universal security groups when they're used to grant permissions to public folders or mailbox folders.
- 1 If the attribute is set to 1, Outlook can't request the conversion. However, Exchange system processes can still convert a universal distribution group to a universal security group.
- 2 If the attribute is set to 2, automatic conversions can't occur.
This topic explains how to use Active Directory Service Interfaces (ADSI) Edit to modify the msExchDisableUDGConversion attribute to prevent the automatic conversion of universal distribution groups to universal security groups.
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Distribution groups" entry in the Mailbox Permissions topic.
Start ADSI Edit.
In the console tree, expand Configuration Container.
Note: If you don't see Configuration Container, you'll need to connect to it. From the Action menu, click Connect to. In Connection Settings, select Configuration from the Select a well known Naming Context list, and then click OK.
Expand CN=Configuration,DC=<domain>,DC=<domain extension>. For example, if your Exchange organization is in the contoso.com forest, this folder name would be CN=Configuration,DC=contoso,DC=com.
Expand CN=Microsoft Exchange.
Right-click CN=<Exchange organization name>, and then click Properties.
In the Attributes list, select msExchDisableUDGConversion, and then click Edit.
Note: If you can't find this property in the list, you'll need to turn on the ability to view optional settings. On the Attribute Editor tab, click Filter, and then, under Show attributes, select Optional.
In Integer Attribute Editor, in the Value box, type 2, and then click OK.
For detailed steps about disabling automatic conversion of universal distribution groups to universal security groups in Exchange Server 2003 and Exchange 2000 Server, see Microsoft Knowledge Base article 843587, How to stop automatic conversion of universal distribution groups to universal security groups in Exchange 2000 and in Exchange 2003.