Large number of mailboxes with distribution group delivery restrictions set

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at]  

Topic Last Modified: 2006-08-21

The Microsoft® Exchange Server Analyzer Tool queries the following attributes for each user object in all domains found in the Active Directory® directory service to determine whether any mailboxes in the domains have delivery restrictions set based on distribution group membership:


Controls whether messages are accepted or rejected by default. When set to the default setting of 1, messages from everyone are accepted.


Contains the DNs of distribution lists (DL) whose members may not send to this recipient.


Contains the DNs of distribution lists (DL) whose members may send to this recipient.

If the Exchange Server Analyzer determines that there are more than 500 mailboxes in the domain that have delivery restrictions set based on distribution group membership, the Exchange Server Analyzer displays an error.

This error indicates that delivery restrictions based on distribution group membership for many mailboxes may affect Exchange mail flow performance.

By default, the categorizer recursively expands distribution groups and checks restrictions for each message that passes through the system.

When the message categorizer sends mail to a user who accepts or denies messages from a distribution group, the message categorizer has to expand the membership of the distribution group, obtain the full list of DNs of the members, and then compare the list of DNs to the sender’s DNs. An access operation or a deny operation occurs when a DN appears on both lists. If a distribution group is nested in another distribution group, the nested distribution group is also expanded.
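The following added example (not Microsoft or Exchange code) models the expansion described above on a constructed toy directory, so the per-message cost of nested groups and the Analyzer's 500-mailbox threshold can be seen side by side. The field names `accept_groups` and `reject_groups`, the group data, and the order in which the two lists are evaluated are assumptions made for illustration.

```python
# Added illustration: a constructed toy directory, not the categorizer's real logic.
ANALYZER_THRESHOLD = 500  # mailbox count above which the Analyzer reports the error

# Constructed sample data: group DN -> member DNs (users or nested groups).
GROUPS = {
    "CN=AllStaff": ["CN=Sales", "CN=Eng", "CN=carol"],
    "CN=Sales": ["CN=alice", "CN=bob"],
    "CN=Eng": ["CN=dave", "CN=Contractors"],
    "CN=Contractors": ["CN=erin", "CN=Eng"],  # nested group that loops back to Eng
}

def expand(group_dn, groups, seen=None):
    """Recursively expand a group; return (user DNs, number of groups expanded)."""
    seen = set() if seen is None else seen
    if group_dn in seen:           # cycle guard: never expand a group twice
        return set(), 0
    seen.add(group_dn)
    users, expanded = set(), 1
    for member in groups.get(group_dn, []):
        if member in groups:       # member is itself a group: expand it too
            sub_users, sub_count = expand(member, groups, seen)
            users |= sub_users
            expanded += sub_count
        else:
            users.add(member)
    return users, expanded

def check_delivery(sender_dn, recipient, groups):
    """Return (accepted, groups_expanded) for one message to one recipient."""
    cost = 0
    for dn in recipient.get("reject_groups", []):   # assumed: reject list checked first
        users, n = expand(dn, groups)
        cost += n
        if sender_dn in users:
            return False, cost
    allow = recipient.get("accept_groups", [])
    if not allow:                  # no accept list: everyone else may send
        return True, cost
    for dn in allow:
        users, n = expand(dn, groups)
        cost += n
        if sender_dn in users:
            return True, cost
    return False, cost

def analyzer_flags(mailboxes):
    """True when more mailboxes carry group-based restrictions than the threshold."""
    restricted = sum(1 for m in mailboxes if m.get("accept_groups") or m.get("reject_groups"))
    return restricted > ANALYZER_THRESHOLD
```

The second value returned by `check_delivery` is the number of group expansions a single message triggered, which is the work that multiplies across every restricted mailbox and every message.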

To address this error:

  • Examine those users whose distribution group delivery restrictions are set and remove unnecessary restrictions.

  • Configure individual mailboxes and not distribution groups for delivery restrictions as referenced in Microsoft Knowledge Base article 812298, "Mail delivery is slow after you configure delivery restrictions that are based on a distribution list".

  • For servers that are running Exchange Server 2003 Service Pack 2 (SP2) or a later version, consider implementing non-hierarchical restriction checking. For servers that are running Exchange versions earlier than Exchange Server 2003 SP2, consider upgrading to Exchange Server 2003 SP2.

For More Information

For more information about non-hierarchical restriction checking, see "Consider non-hierarchical restriction checking."

For more information about the effect of distribution group restriction on Exchange Server mail flow, see the following Microsoft Knowledge Base articles: