Solved

Pre-Windows 2000 Compatible Access Group and Exchange 2k3

Posted on 2004-08-05
4
908 Views
Last Modified: 2008-03-06
Hello,
    I'm going through our AD groups and I've noticed that the PRE-Windows 2000 Compatible Access group has the group EXCHANGE DOMAIN SERVERS in the group. We are running a native Windows 2003 / XP networking with Exchange 2003.

Does EXCHANGE DOMAIN SERVERS group need to be in this group?

Thanks!

Elvis
0
Comment
Question by:ev89pimp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 21

Expert Comment

by:marc_nivens
ID: 11730268
No it does not, and I would remove it as soon as possible.
0
 
LVL 1

Author Comment

by:ev89pimp
ID: 11730338
Can you elaborate? Is it because we are running a native environment? I usually have a hard time believe everything I hear from MS so I'd feel better if I could explain why I would remove it.

Thanks!

0
 
LVL 21

Accepted Solution

by:
marc_nivens earned 125 total points
ID: 11730763
This group exists in order to allow legacy NT 4 users access to certain domain information anonymously.  It is needed for coexistence with a legacy NT 4 environment for certain applications to function correctly.  If you have no more NT 4 servers, you no longer need this.
You can get more information on this group by going to support.microsoft.com and querying for pre-windows 2000 compatible access.
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 32801450
TechNet Article Explains in Greater Detail
Why does the Pre-Windows 2000 Compatible Access group contain the Exchange Domain Servers group?

In the Exchange security model, every domain contains two groups: a domain global group named Exchange Domain Servers and a domain local group named Exchange Enterprise Servers. The Exchange Domain Servers group contains all the Exchange servers in that domain. The Exchange Enterprise Servers group contains the Exchange Domain Servers groups from all domains in the forest in which you have run DomainPrep. DomainPrep grants the Exchange Enterprise Servers group read and write permissions on a variety of mail-related attributes on domain partition objects. After you run DomainPrep, all Exchange servers should have these read and write permissions through the two levels of group membership.

In Exchange 2000 Server, all Exchange servers do not always have the necessary read and write permissions after you run DomainPrep. Specifically, if an Exchange server attempts to read attributes on a domain partition mailbox-enabled user object and is connected to a global catalog server in a different domain than that in which the user resides, the Exchange Enterprise Servers group is not present in the Exchange server's security token; therefore, the read and write permissions from the Exchange Enterprise Servers group do not take effect. In this case, the Exchange server acts as an authenticated user.

This is not an issue when the domain is enabled with “Permissions compatible for pre-Windows 2000 applications" because the Everyone security principal (and in Windows Server™ 2003, the Anonymous Logon security principal) has read permissions against all attributes on all objects in the domain. Therefore the Exchange server has access to the necessary data.

To help protect against cases where the domain may not have been prepared for pre-Windows 2000 applications, Exchange Server 2003 DomainPrep adds the Exchange Domain Servers group to the BUILTIN\Pre-Windows 2000 Compatible Access group within the domain. In addition, DomainPrep adds an access control entry to the Pre-Windows 2000 Compatible Access group to allow the Exchange Enterprise Servers group to modify the membership of the Pre-Windows 2000 Compatible Access group.


0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
This article explains how to install and use the NTBackup utility that comes with Windows Server.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question