Topic Last Modified: 2006-08-21

The Microsoft® Exchange Server Analyzer Tool queries the following attributes for each distribution group object in all domains found in the Active Directory® directory service to determine whether any of the groups are used to set delivery restrictions based on membership in the group:

dLMemRejectPermsBL

Contains the DNs of recipients or connectors that will not accept messages from this group.

dLMemSubmitPermsBL

Contains the DNs of recipients or connectors that will accept messages from this group.

If the Exchange Server Analyzer finds that there are group objects that are used to set delivery restrictions, the Exchange Server Analyzer examines those groups to determine whether they contain any nested groups.

The Exchange Server Analyzer also reads the following registry key to determine whether the RestrictionMethod registry value is present and how it is configured:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeTransport\Parameters\RestrictionMethod

The Exchange Server Analyzer displays a warning if the following conditions are true:

This error indicates that delivery restrictions based on distribution group membership may significantly affect Exchange mail flow performance.

The default behaviors for the categorizer is to recursively expand distribution groups and check restrictions for each message that passes through the system.

When you send mail to a user who accepts or denies messages from a distribution group or send mail that travels through a connector that accepts or denies message from a distribution group, the message categorizer has to expand the membership of the distribution group, obtain the full list of DNs of the members, and then compare the list of DNs to the list sender’s DNs. An access operation or a deny operation occurs when a DN on both lists match. If a distribution group is nested in another distribution group, the nested distribution is also expanded.

The RestrictionMethod value determines how the categorizer will process restrictions. If you set the value of RestrictionMethod to 2, the transport components on this server that runs Exchange Server will not expand membership of distribution groups when the server checks restrictions. This configuration provides the best performance for restriction checks. Additionally, for the RestrictionMethod registry entry to take effect, all distribution groups that include users who have delivery restrictions must be flat. That is, the restricted distribution groups must not have nested distribution groups. The expansion logic will not work if the restricted distribution groups are nested.

For distribution groups that are used in connector restrictions, it is recommended that you set the RestrictionMethod registry entry value on a connector bridgehead server that has no mailboxes. For Active Directory user restrictions, if the restricted distribution groups have expansion servers, we recommend that you create the RestrictionMethod registry entry on the expansion servers.

To address this error:

Important:
This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore the registry if a problem occurs. For information about how to restore the registry, view the "Restore the Registry" Help topic in Regedit.exe or Regedt32.exe.
To create the RestrictionMethod registry entry and set its value to 2
  1. Open a registry editor, such as Regedit.exe or Regedt32.exe.

  2. Navigate to: HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeTransport\Parameters

  3. In the left pane, click Parameters.

  4. On the Edit menu, point to New, and then click DWORD Value.

  5. Type RestrictionMethod, and then press ENTER to name the new registry entry.

  6. Right-click RestrictionMethod and then click Modify.

  7. Type 2, and then press ENTER.

  8. Close the registry editor.

Before you edit the registry, and for information about how to edit the registry, see Microsoft Knowledge Base article 256986, "Description of the Microsoft Windows registry" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=256986).

For More Information

For more information about non-hierarchal restriction checking, see Consider non-hierarchical restriction checking.

For more information about the effect of distribution group restriction on Exchange mail flow, see the following Microsoft Knowledge Base articles:

For more information about the RestrictionMethod registry value, see Microsoft Knowledge Base article 895407, "In Exchange Server 2003, message delivery to local mailboxes and to external mailboxes is slower than you expect after you configure delivery restrictions based on distribution groups" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=895407).

For more information about the registry value, see Microsoft Knowledge Base article 277872, "XCON: Connector Delivery Restrictions May Not Work Correctly" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=277872).