Automatic conversion of distribution groups to security groups

In a recent post to NTBugTraq, Rene points out what he calls a “problem” with Exchange 2000 and Exchange 2003: under some circumstances, Exchange will convert a distribution group to a security group.

Regular users with no rights to modify AD security groups have the ability to change a distribution list to a security group.
Steps to recreate the problem:
1: User opens a mailbox with Outlook 2000 / XP / 2003
2: Navigates to mailbox permissions
3: Adds a distribution list from the GAL with Contributor access
4: Saves the changes
Once the user adds the distribution list, Exchange will convert the distribution list to a like security group.

As another reader correctly noted, this behavior is by design, and it’s controlled by the msExchDisableUDGConversion attribute on the Exchange organization object. In Exchange 5.5, you could apply public folder permissions by assigning DLs. That doesn’t work in Exchange 2000 and later, because a distribution group has no SID and so cannot appear in an ACL; to honor the permission, Exchange converts the group. Normally this conversion only takes place during an upgrade from Exchange 5.5 (a process described in chapter 10 of the Exchange 2000 Resource Kit). The default attribute value of 0 lets the conversion take place at any time; a value of 1 allows only conversions requested by the store, not by clients (this setting would fix Rene’s problem). A value of 2 disallows all such conversions, but, as described in this webcast, that value isn’t recommended. Kieran McCorry has a good article that talks more about the conversion process, why it’s necessary, and how to control it.
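To see where your organization stands, here is an added example (not from the original post or from Microsoft) that reads msExchDisableUDGConversion from the Exchange organization object through ADSI and, with -RestrictToStore, sets it to 1. It assumes a domain-joined machine, an account allowed to read (and, for the fix, write) the configuration naming context, and that the organization object carries objectClass msExchOrganizationContainer under CN=Microsoft Exchange,CN=Services.

```powershell
# Added example: audit and optionally harden msExchDisableUDGConversion.
# Assumptions: domain-joined host, rights on the configuration NC, and the
# Exchange organization object having objectClass=msExchOrganizationContainer.
param([switch]$RestrictToStore)   # write value 1 = store-initiated conversions only

# Meaning of each value, as described in the post above.
$meaning = @{
    0 = 'conversion allowed at any time (default; a client can trigger it)'
    1 = 'conversion allowed only when requested by the store'
    2 = 'all conversions disabled (not recommended)'
}

# Locate the Exchange organization container in the configuration partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://CN=Microsoft Exchange,CN=Services," + $configNc)
$searcher.Filter     = '(objectClass=msExchOrganizationContainer)'
$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'msExchDisableUDGConversion')) | Out-Null
$result = $searcher.FindOne()
if (-not $result) { throw 'No Exchange organization object found under CN=Microsoft Exchange.' }

$org     = $result.GetDirectoryEntry()
$dn      = $org.Properties['distinguishedName'].Value
$current = $org.Properties['msExchDisableUDGConversion'].Value
if ($null -eq $current) { $current = 0 }   # attribute not set behaves as the default, 0
$current = [int]$current

"{0}`n  msExchDisableUDGConversion = {1}: {2}" -f $dn, $current, $meaning[$current]

if ($RestrictToStore -and $current -ne 1) {
    # Value 1 keeps upgrade/store conversions working but refuses client-driven ones.
    $org.Put('msExchDisableUDGConversion', 1)
    $org.SetInfo()
    'Set msExchDisableUDGConversion to 1; client-initiated DL conversions are now refused.'
}
```

Run it without the switch first to record the current value; the write requires rights on the organization object and replicates like any other configuration-partition change.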
