Exchange Automatic conversion of non-security enabled groups into security enabled groups

by @ 6:07 pm on 10/12/2009. Filed under tech

Some people still don’t know this even after all of these years… But Exchange can change your non-security enabled groups (sometimes mistakenly called DL’s[1]) into security enabled groups. This is done automagically anytime someone applies a “DL” to security in Exchange, such as on a folder in a mailbox or on a public folder or something. For example, say you have a non-security enabled group in the domain called “Active Directory People” which is your distribution list to send email out to your Active Directory people. Someone says (and I mean any someone, even some low level no one who shouldn’t be allowed to change anything at all) “Hey, I also want to give those people access to something in my mailbox, say like the calendar…” Outlook says that is cool, adds the SID for the non-security enabled group to the ACL for the calendar on the mailbox, and then Exchange looks at the group and says, well, “Crikey mate… that group isn’t security enabled, which means the users won’t get the SID in their token, so the security delegation just made will never work, so let me fix that in AD for you…”[2] and wham bam thank you ma’am… the group is now security enabled.

Meanwhile someone somewhere else is seeing a “DL” that is now all of a sudden security enabled and saying… “HEY! Who did that? That wasn’t supposed to be done.” and they change it back. And then eventually Exchange changes it back again. And on and on… Of course Microsoft doesn’t give any mechanism to find what ACL on what folder on what mailbox is causing this issue, so you have no clue.

At least now they have given a mechanism to STOP the auto security enablement from occurring. I still think it would be great if something told you where the SID was in the ACLs that was causing it.
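Since nothing tells you which ACL caused the flip, the next best thing is to notice the flip itself. The script below is an added example (not from the original post and not a Microsoft tool): it queries AD for every mail-enabled group, decodes the groupType bits, and diffs against a baseline CSV from the last run so a group that went from non-security enabled to security enabled shows up by name. It assumes a domain-joined Windows box with read access to AD; the baseline path is a placeholder, and no Exchange cmdlets are needed.

```powershell
# Added example, not part of the original post. Finds mail-enabled groups that
# are security enabled and reports any that flipped since the last saved baseline.
$BaselinePath = 'C:\temp\group-baseline.csv'   # placeholder path, change to suit

# groupType flag bits from the AD schema. groupType is a signed 32-bit attribute,
# so a security-enabled group shows a NEGATIVE groupType (0x80000000 bit set).
$GROUP_TYPE_UNIVERSAL        = 0x00000008
$GROUP_TYPE_SECURITY_ENABLED = [int]::MinValue   # 0x80000000 as a signed int32

# Only groups that have a mail attribute, i.e. the ones Exchange cares about.
$searcher = [adsisearcher]'(&(objectCategory=group)(mail=*))'
$searcher.PageSize = 1000
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'grouptype', 'whenchanged'))

$current = foreach ($result in $searcher.FindAll()) {
    $gt = [int]$result.Properties['grouptype'][0]
    [pscustomobject]@{
        DN              = [string]$result.Properties['distinguishedname'][0]
        GroupType       = $gt
        IsUniversal     = [bool]($gt -band $GROUP_TYPE_UNIVERSAL)
        SecurityEnabled = [bool]($gt -band $GROUP_TYPE_SECURITY_ENABLED)
        WhenChanged     = [string]$result.Properties['whenchanged'][0]
    }
}

if (Test-Path $BaselinePath) {
    # Build a DN -> SecurityEnabled lookup from the previous run.
    $baseline = @{}
    Import-Csv -Path $BaselinePath | ForEach-Object {
        $baseline[$_.DN] = [bool]::Parse($_.SecurityEnabled)
    }

    # A "flip" is a group that was NOT security enabled last time and is now.
    $flipped = $current | Where-Object {
        $baseline.ContainsKey($_.DN) -and (-not $baseline[$_.DN]) -and $_.SecurityEnabled
    }

    if ($flipped) {
        Write-Host "Groups that became security enabled since the baseline:"
        $flipped | Select-Object DN, GroupType, IsUniversal, WhenChanged | Format-Table -AutoSize
    } else {
        Write-Host "No distribution groups have been converted since the baseline."
    }
} else {
    Write-Host "No baseline found; writing one to $BaselinePath"
}

# Always refresh the baseline so the next run compares against today.
$current | Export-Csv -Path $BaselinePath -NoTypeInformation
```

Run it once to seed the baseline, then on a schedule. The whenChanged column gives you the time window to go hunting in; it will not tell you which calendar or public folder got the ACL, but it narrows the question to "who delegated something to this group around then." Domain controllers with account-management auditing on also log event 4764 ("A group's type was changed") at the moment of the flip, and the subject on that event is whatever account Exchange used to make the change, which confirms it was Exchange and not a person.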

Stop Automatic Conversion of Universal Distribution Groups to Universal Security Groups

Thanks to my friend BrianD for sending me the link on this, as it is something we have discussed in the past a few times. I heard they were going to do it, didn’t hear that they actually did do it though. Good to know they did.

[1] A DL is a distribution list and it can be security enabled or not. Not being security enabled doesn’t mean it is automatically only used for email. In fact it could be non-security enabled and still not used for email.

[2] Not sure why Exchange suddenly became Aussie but I am sure my Aussie friends will be suitably impressed insulted. 😉

One Response to “Exchange Automatic conversion of non-security enabled groups into security enabled groups”

  1. Joe,

    Thanks for explaining this. I had the fix but I didn’t totally know what was taking place.

    I’m going to update my post with a link back to this.

