Solved

Pre-Windows 2000 Compatible Access Group and Exchange 2k3

Posted on 2004-08-05
4
898 Views
Last Modified: 2008-03-06
Hello,
    I'm going through our AD groups and I've noticed that the PRE-Windows 2000 Compatible Access group has the group EXCHANGE DOMAIN SERVERS in the group. We are running a native Windows 2003 / XP networking with Exchange 2003.

Does EXCHANGE DOMAIN SERVERS group need to be in this group?

Thanks!

Elvis
0
Comment
Question by:ev89pimp
  • 2
4 Comments
 
LVL 21

Expert Comment

by:marc_nivens
ID: 11730268
No it does not, and I would remove it as soon as possible.
0
 
LVL 1

Author Comment

by:ev89pimp
ID: 11730338
Can you elaborate? Is it because we are running a native environment? I usually have a hard time believe everything I hear from MS so I'd feel better if I could explain why I would remove it.

Thanks!

0
 
LVL 21

Accepted Solution

by:
marc_nivens earned 125 total points
ID: 11730763
This group exists in order to allow legacy NT 4 users access to certain domain information anonymously.  It is needed for coexistence with a legacy NT 4 environment for certain applications to function correctly.  If you have no more NT 4 servers, you no longer need this.
You can get more information on this group by going to support.microsoft.com and querying for pre-windows 2000 compatible access.
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 32801450
TechNet Article Explains in Greater Detail
Why does the Pre-Windows 2000 Compatible Access group contain the Exchange Domain Servers group?

In the Exchange security model, every domain contains two groups: a domain global group named Exchange Domain Servers and a domain local group named Exchange Enterprise Servers. The Exchange Domain Servers group contains all the Exchange servers in that domain. The Exchange Enterprise Servers group contains the Exchange Domain Servers groups from all domains in the forest in which you have run DomainPrep. DomainPrep grants the Exchange Enterprise Servers group read and write permissions on a variety of mail-related attributes on domain partition objects. After you run DomainPrep, all Exchange servers should have these read and write permissions through the two levels of group membership.

In Exchange 2000 Server, all Exchange servers do not always have the necessary read and write permissions after you run DomainPrep. Specifically, if an Exchange server attempts to read attributes on a domain partition mailbox-enabled user object and is connected to a global catalog server in a different domain than that in which the user resides, the Exchange Enterprise Servers group is not present in the Exchange server's security token; therefore, the read and write permissions from the Exchange Enterprise Servers group do not take effect. In this case, the Exchange server acts as an authenticated user.

This is not an issue when the domain is enabled with “Permissions compatible for pre-Windows 2000 applications" because the Everyone security principal (and in Windows Server™ 2003, the Anonymous Logon security principal) has read permissions against all attributes on all objects in the domain. Therefore the Exchange server has access to the necessary data.

To help protect against cases where the domain may not have been prepared for pre-Windows 2000 applications, Exchange Server 2003 DomainPrep adds the Exchange Domain Servers group to the BUILTIN\Pre-Windows 2000 Compatible Access group within the domain. In addition, DomainPrep adds an access control entry to the Pre-Windows 2000 Compatible Access group to allow the Exchange Enterprise Servers group to modify the membership of the Pre-Windows 2000 Compatible Access group.


0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question