How to Stop Automatic Conversion of Universal Distribution Groups to Universal Security Groups
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-04-22
By definition, universal distribution groups and universal security groups are groups of recipients that are created to expedite the mass sending of e-mail messages and other information. However, unlike universal distribution groups, universal security groups can also be used to assign permissions.
In Microsoft Exchange, only the Active Directory directory service objects that have security principals can be used to grant permission to a public folder or to a mailbox folder. However, it is possible for a Microsoft Outlook user to use a universal distribution group to grant permission to a public folder or to a mailbox folder. In this case, the universal distribution group is automatically converted to a universal security group by the Microsoft Exchange Information Store service. This is the default behavior in Exchange Server 2007.
It is possible to modify this behavior to prevent the automatic conversion of universal distribution groups to universal security groups. The msExchDisableUDGConversion attribute of your Exchange organization object in Active Directory is used to control how the Microsoft Exchange Information Store service responds to requests for conversion of universal distribution groups to universal security groups. The following are the acceptable values for the msExchDisableUDGConversion attribute:
- 0 If the attribute is set to 0, or if it is not configured, universal distribution groups are automatically converted to universal security groups when they are used to grant permissions to public folders or mailbox folders.
- 1 If the attribute is set to 1, Outlook cannot request the conversion. However, Exchange system processes can still convert a universal distribution group to a universal security group.
- 2 If the attribute is set to 2, automatic conversions do not occur.
This topic explains how to use Active Directory Service Interfaces (ADSI) Edit to modify the msExchDisableUDGConversion attribute to prevent the automatic conversion of universal distribution groups to universal security groups.
To perform this procedure, the account you use must be delegated the following:
Exchange Organization Administrator role
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.
Start ADSI Edit.
Expand Configuration Container.
Expand CN=Configuration,DC=<domain>,DC=<domain extension>. For example, if your Exchange organization is in the contoso.com forest, this folder name would be CN=Configuration,DC=contoso,DC=com.
Expand CN=Microsoft Exchange.
Right-click the CN=<Exchange organization name> object, and then click Properties.
On the Attribute Editor tab, select the Show optional attributes check box.
In the Attributes list, select msExchDisableUDGConversion, and then click Edit.
In Integer Attribute Editor, in the Value box, type 2, and then click OK.
To learn more about distribution groups, see Understanding Recipients.
For more information about managing distribution groups, see Managing Distribution Groups.
For detailed steps about disabling automatic conversion of universal distribution groups to universal security groups in Exchange Server 2003 and Exchange 2000 Server, see Microsoft Knowledge Base article 843587, How to stop automatic conversion of universal distribution groups to universal security groups in Exchange 2000 and in Exchange 2003.