Solved

Pre-Windows 2000 Compatible Access Group and Exchange 2k3

Posted on 2004-08-05
Last Modified: 2008-03-06
Hello,
    I'm going through our AD groups and I've noticed that the Pre-Windows 2000 Compatible Access group has the group EXCHANGE DOMAIN SERVERS in the group. We are running a native Windows 2003 / XP network with Exchange 2003.

Does EXCHANGE DOMAIN SERVERS group need to be in this group?

Thanks!

Elvis
Question by:ev89pimp
LVL 21

Expert Comment

by:marc_nivens
ID: 11730268
No it does not, and I would remove it as soon as possible.
LVL 1

Author Comment

by:ev89pimp
ID: 11730338
Can you elaborate? Is it because we are running a native environment? I usually have a hard time believing everything I hear from MS, so I'd feel better if I could explain why I would remove it.

Thanks!

LVL 21

Accepted Solution

by:
marc_nivens earned 125 total points
ID: 11730763
This group exists in order to allow legacy NT 4 users access to certain domain information anonymously.  It is needed for coexistence with a legacy NT 4 environment for certain applications to function correctly.  If you have no more NT 4 servers, you no longer need this.
You can get more information on this group by going to support.microsoft.com and querying for pre-windows 2000 compatible access.
LVL 17

Expert Comment

by:Tony Massa
ID: 32801450
TechNet Article Explains in Greater Detail
Why does the Pre-Windows 2000 Compatible Access group contain the Exchange Domain Servers group?

In the Exchange security model, every domain contains two groups: a domain global group named Exchange Domain Servers and a domain local group named Exchange Enterprise Servers. The Exchange Domain Servers group contains all the Exchange servers in that domain. The Exchange Enterprise Servers group contains the Exchange Domain Servers groups from all domains in the forest in which you have run DomainPrep. DomainPrep grants the Exchange Enterprise Servers group read and write permissions on a variety of mail-related attributes on domain partition objects. After you run DomainPrep, all Exchange servers should have these read and write permissions through the two levels of group membership.

In Exchange 2000 Server, all Exchange servers do not always have the necessary read and write permissions after you run DomainPrep. Specifically, if an Exchange server attempts to read attributes on a domain partition mailbox-enabled user object and is connected to a global catalog server in a different domain than that in which the user resides, the Exchange Enterprise Servers group is not present in the Exchange server's security token; therefore, the read and write permissions from the Exchange Enterprise Servers group do not take effect. In this case, the Exchange server acts as an authenticated user.

This is not an issue when the domain is enabled with "Permissions compatible for pre-Windows 2000 applications" because the Everyone security principal (and in Windows Server™ 2003, the Anonymous Logon security principal) has read permissions against all attributes on all objects in the domain. Therefore the Exchange server has access to the necessary data.

To help protect against cases where the domain may not have been prepared for pre-Windows 2000 applications, Exchange Server 2003 DomainPrep adds the Exchange Domain Servers group to the BUILTIN\Pre-Windows 2000 Compatible Access group within the domain. In addition, DomainPrep adds an access control entry to the Pre-Windows 2000 Compatible Access group to allow the Exchange Enterprise Servers group to modify the membership of the Pre-Windows 2000 Compatible Access group.
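
An added example, not part of the original thread or of any Microsoft tooling: a PowerShell audit that classifies the members of BUILTIN\Pre-Windows 2000 Compatible Access by well-known SID, so the anonymous-read principals discussed above stand apart from application groups such as Exchange Domain Servers. The function name `Get-PreW2kFinding`, the severity labels and the sample member list are assumptions made for illustration; the sample data is constructed.

```powershell
# Well-known SIDs, identical in every domain.
$PreW2kGroupSid = 'S-1-5-32-554'   # BUILTIN\Pre-Windows 2000 Compatible Access
$Rules = @{
    'S-1-1-0'  = 'Everyone: pre-Windows 2000 compatible permissions are enabled'
    'S-1-5-7'  = 'Anonymous Logon: unauthenticated sessions can read domain objects'
    'S-1-5-11' = 'Authenticated Users: authenticated read only, no anonymous access'
}

# Hypothetical helper: takes objects with Name and Sid, returns one finding each.
function Get-PreW2kFinding {
    param([Parameter(Mandatory = $true)][object[]]$Member)
    foreach ($m in $Member) {
        if ($Rules.ContainsKey($m.Sid)) {
            # Severity labels are this example's own convention.
            $sev  = if ($m.Sid -eq 'S-1-5-11') { 'Info' } else { 'High' }
            $note = $Rules[$m.Sid]
        } elseif ($m.Name -eq 'Exchange Domain Servers') {
            $sev  = 'Review'
            $note = 'Added by Exchange 2003 DomainPrep; confirm it is still required'
        } else {
            $sev  = 'Review'
            $note = 'Unexpected member; confirm which application depends on it'
        }
        [pscustomobject]@{ Name = $m.Name; Sid = $m.Sid; Severity = $sev; Note = $note }
    }
}

# Constructed sample membership (the domain SID below is made up).
$sample = @(
    [pscustomobject]@{ Name = 'Authenticated Users';     Sid = 'S-1-5-11' }
    [pscustomobject]@{ Name = 'ANONYMOUS LOGON';         Sid = 'S-1-5-7' }
    [pscustomobject]@{ Name = 'Exchange Domain Servers'
                       Sid  = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
)
Get-PreW2kFinding -Member $sample | Format-Table -AutoSize

# Live input (needs the RSAT ActiveDirectory module and a reachable DC):
# $live = (Get-ADGroup -Identity $PreW2kGroupSid -Properties member).member |
#     ForEach-Object { Get-ADObject -Identity $_ -Properties objectSid } |
#     ForEach-Object { [pscustomobject]@{ Name = $_.Name; Sid = $_.objectSid.Value } }
# Get-PreW2kFinding -Member $live
```

With the live query, well-known principals appear as foreign security principal objects whose name is the SID itself, which is why the classification keys on the SID rather than the display name.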

