
Pre-Windows 2000 Compatible Access Group and Exchange 2k3

Posted on 2004-08-05
Last Modified: 2008-03-06
Hello,
    I'm going through our AD groups and I've noticed that the PRE-Windows 2000 Compatible Access group has the group EXCHANGE DOMAIN SERVERS in the group. We are running a native Windows 2003 / XP networking with Exchange 2003.

Does EXCHANGE DOMAIN SERVERS group need to be in this group?

Thanks!

Elvis
Question by:ev89pimp
4 Comments
 
LVL 21

Expert Comment

by:marc_nivens
ID: 11730268
No it does not, and I would remove it as soon as possible.
0
 
LVL 1

Author Comment

by:ev89pimp
ID: 11730338
Can you elaborate? Is it because we are running a native environment? I usually have a hard time believing everything I hear from MS so I'd feel better if I could explain why I would remove it.

Thanks!

0
 
LVL 21

Accepted Solution

by: marc_nivens earned 500 total points
ID: 11730763
This group exists in order to allow legacy NT 4 users access to certain domain information anonymously.  It is needed for coexistence with a legacy NT 4 environment for certain applications to function correctly.  If you have no more NT 4 servers, you no longer need this.
You can get more information on this group by going to support.microsoft.com and querying for pre-windows 2000 compatible access.
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 32801450
TechNet Article Explains in Greater Detail
Why does the Pre-Windows 2000 Compatible Access group contain the Exchange Domain Servers group?

In the Exchange security model, every domain contains two groups: a domain global group named Exchange Domain Servers and a domain local group named Exchange Enterprise Servers. The Exchange Domain Servers group contains all the Exchange servers in that domain. The Exchange Enterprise Servers group contains the Exchange Domain Servers groups from all domains in the forest in which you have run DomainPrep. DomainPrep grants the Exchange Enterprise Servers group read and write permissions on a variety of mail-related attributes on domain partition objects. After you run DomainPrep, all Exchange servers should have these read and write permissions through the two levels of group membership.

In Exchange 2000 Server, all Exchange servers do not always have the necessary read and write permissions after you run DomainPrep. Specifically, if an Exchange server attempts to read attributes on a domain partition mailbox-enabled user object and is connected to a global catalog server in a different domain than that in which the user resides, the Exchange Enterprise Servers group is not present in the Exchange server's security token; therefore, the read and write permissions from the Exchange Enterprise Servers group do not take effect. In this case, the Exchange server acts as an authenticated user.

This is not an issue when the domain is enabled with "Permissions compatible for pre-Windows 2000 applications" because the Everyone security principal (and in Windows Server™ 2003, the Anonymous Logon security principal) has read permissions against all attributes on all objects in the domain. Therefore the Exchange server has access to the necessary data.

To help protect against cases where the domain may not have been prepared for pre-Windows 2000 applications, Exchange Server 2003 DomainPrep adds the Exchange Domain Servers group to the BUILTIN\Pre-Windows 2000 Compatible Access group within the domain. In addition, DomainPrep adds an access control entry to the Pre-Windows 2000 Compatible Access group to allow the Exchange Enterprise Servers group to modify the membership of the Pre-Windows 2000 Compatible Access group.


0
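Added example, not part of the thread or of any poster's reply: a PowerShell audit of the membership discussed above, plus the access control entry that the quoted article says DomainPrep places on the group. It assumes the ActiveDirectory module (RSAT) is installed and that the Exchange groups carry the names given on this page; the note strings are illustrative.

```powershell
# Added example: audit BUILTIN\Pre-Windows 2000 Compatible Access.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Well-known SID of the builtin group; independent of domain and OS language.
$groupSid = 'S-1-5-32-554'

# Well-known principals whose membership grants broad read access.
$broadPrincipals = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

$group = Get-ADGroup -Identity $groupSid -Properties member

# Resolve each member DN directly; well-known principals are stored as
# foreignSecurityPrincipal objects, so read objectSid from the object itself.
$report = foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn -Properties objectSid, sAMAccountName
    $sid = $obj.objectSid.Value
    $note = if ($broadPrincipals.ContainsKey($sid)) {
        "Broad principal: $($broadPrincipals[$sid])"
    } elseif ($obj.sAMAccountName -eq 'Exchange Domain Servers') {
        # Name match is an assumption based on the group name used on this page.
        'Added by Exchange 2003 DomainPrep'
    } else {
        'Review'
    }
    [pscustomobject]@{
        Name  = if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.Name }
        Sid   = $sid
        Class = $obj.ObjectClass
        Note  = $note
    }
}
$report | Format-Table -AutoSize

# ACEs on the group object held by Exchange Enterprise Servers, which the
# article says is allowed to modify this group's membership.
(Get-Acl -Path "AD:\$($group.DistinguishedName)").Access |
    Where-Object { $_.IdentityReference -like '*Exchange Enterprise Servers' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

If the group entry is removed, the second query shows whether Exchange servers still hold the right to add it back.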
