
Pre-Windows 2000 Compatible Access Group and Exchange 2k3

Posted on 2004-08-05
Last Modified: 2008-03-06
Hello,
I'm going through our AD groups and I've noticed that the Pre-Windows 2000 Compatible Access group has the group EXCHANGE DOMAIN SERVERS in the group. We are running a native Windows 2003 / XP network with Exchange 2003.

Does EXCHANGE DOMAIN SERVERS group need to be in this group?

Thanks!

Elvis
Question by:ev89pimp
Expert Comment

by:marc_nivens
ID: 11730268
No it does not, and I would remove it as soon as possible.
Author Comment

by:ev89pimp
ID: 11730338
Can you elaborate? Is it because we are running a native environment? I usually have a hard time believing everything I hear from MS so I'd feel better if I could explain why I would remove it.

Thanks!

Accepted Solution

by:marc_nivens (earned 500 total points)
ID: 11730763
This group exists in order to allow legacy NT 4 users access to certain domain information anonymously.  It is needed for coexistence with a legacy NT 4 environment for certain applications to function correctly.  If you have no more NT 4 servers, you no longer need this.
You can get more information on this group by going to support.microsoft.com and querying for pre-windows 2000 compatible access.
Expert Comment

by:Tony Massa
ID: 32801450
TechNet Article Explains in Greater Detail
Why does the Pre-Windows 2000 Compatible Access group contain the Exchange Domain Servers group?

In the Exchange security model, every domain contains two groups: a domain global group named Exchange Domain Servers and a domain local group named Exchange Enterprise Servers. The Exchange Domain Servers group contains all the Exchange servers in that domain. The Exchange Enterprise Servers group contains the Exchange Domain Servers groups from all domains in the forest in which you have run DomainPrep. DomainPrep grants the Exchange Enterprise Servers group read and write permissions on a variety of mail-related attributes on domain partition objects. After you run DomainPrep, all Exchange servers should have these read and write permissions through the two levels of group membership.

In Exchange 2000 Server, all Exchange servers do not always have the necessary read and write permissions after you run DomainPrep. Specifically, if an Exchange server attempts to read attributes on a domain partition mailbox-enabled user object and is connected to a global catalog server in a different domain than that in which the user resides, the Exchange Enterprise Servers group is not present in the Exchange server's security token; therefore, the read and write permissions from the Exchange Enterprise Servers group do not take effect. In this case, the Exchange server acts as an authenticated user.

This is not an issue when the domain is enabled with "Permissions compatible for pre-Windows 2000 applications" because the Everyone security principal (and in Windows Server™ 2003, the Anonymous Logon security principal) has read permissions against all attributes on all objects in the domain. Therefore the Exchange server has access to the necessary data.

To help protect against cases where the domain may not have been prepared for pre-Windows 2000 applications, Exchange Server 2003 DomainPrep adds the Exchange Domain Servers group to the BUILTIN\Pre-Windows 2000 Compatible Access group within the domain. In addition, DomainPrep adds an access control entry to the Pre-Windows 2000 Compatible Access group to allow the Exchange Enterprise Servers group to modify the membership of the Pre-Windows 2000 Compatible Access group.


0
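
A way to review who is actually in the group discussed in this thread, as an added example that is not part of any post above or of the quoted TechNet article. The function names and the sample membership are constructed for illustration; the live query assumes the RSAT ActiveDirectory module and addresses the group by its well-known SID, S-1-5-32-554.

```powershell
# Well-known SIDs whose membership extends the group's read access broadly.
$BroadPrincipals = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-CompatAccessFinding {
    # Hypothetical helper: classifies members (objects with Name and Sid).
    param([Parameter(ValueFromPipeline)] $Member)
    process {
        $sid = [string]$Member.Sid
        if ($BroadPrincipals.ContainsKey($sid)) {
            $note = "$($BroadPrincipals[$sid]): domain-wide read via this group"
        } elseif ($Member.Name -eq 'Exchange Domain Servers') {
            $note = 'Added by Exchange 2003 DomainPrep'
        } else {
            $note = 'Review: confirm who added it and why'
        }
        [pscustomobject]@{ Name = $Member.Name; Sid = $sid; Note = $note }
    }
}

function Get-CompatAccessMember {
    # Live query (not run below). Reads the member attribute and resolves
    # each DN, so foreign security principals such as Everyone come back
    # with the SID they stand for.
    Import-Module ActiveDirectory
    (Get-ADGroup -Identity 'S-1-5-32-554' -Properties member).member |
        ForEach-Object { Get-ADObject -Identity $_ -Properties objectSid } |
        Select-Object Name, @{ n = 'Sid'; e = { $_.objectSid.Value } }
}

# Constructed sample membership so the classifier runs without a domain.
$sample = @(
    [pscustomobject]@{ Name = 'S-1-5-11'; Sid = 'S-1-5-11' }
    [pscustomobject]@{ Name = 'S-1-5-7';  Sid = 'S-1-5-7' }
    [pscustomobject]@{ Name = 'Exchange Domain Servers'
                       Sid  = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
    [pscustomobject]@{ Name = 'LegacyApp-Svc'
                       Sid  = 'S-1-5-21-1111111111-2222222222-3333333333-1188' }
)
$sample | Get-CompatAccessFinding | Format-Table -AutoSize

# On a domain-joined admin workstation:
# Get-CompatAccessMember | Get-CompatAccessFinding | Format-Table -AutoSize
```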
