In Exchange 2007 there is no more RUS (Recipient Update Service). Because the RUS is not around to stamp ACLs on hidden distribution lists, we can no longer ensure that a distribution list will stay hidden. When ADUC (Active Directory Users and Computers) changes or updates a distribution list it sets canonical ACLs, whereas hiding the membership requires non-canonical ACLs.
Due to these limitations with Exchange 2007 and Active Directory, we no longer support hiding distribution list membership. There is a new workaround, which is explained later in this blog.
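The following added example (not from the original post) models order-dependent ACE evaluation to show why rewriting a DACL into canonical order changes what a non-canonical DACL grants. The trustee names, the `read-member` right and the ACE layout are constructed for illustration and are not the ACL that Exchange actually stamped.

```python
from collections import namedtuple

# One access control entry. All trustee names and rights below are constructed.
Ace = namedtuple("Ace", "kind trustee right inherited")

def access_check(dacl, groups, right):
    """Evaluate ACEs in stored order; the first ACE naming one of the caller's
    groups for this right decides. No match means implicit deny."""
    for ace in dacl:
        if ace.right == right and ace.trustee in groups:
            return ace.kind == "allow"
    return False

def canonicalize(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny,
    inherited allow. sorted() is stable, so ties keep their relative order."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def is_canonical(dacl):
    return list(dacl) == canonicalize(dacl)

# Constructed non-canonical DACL: an allow ACE deliberately placed ahead of a
# broader deny ACE, so one trustee can read "member" while everyone else cannot.
HIDDEN_DACL = [
    Ace("allow", "Mail Servers", "read-member", False),
    Ace("deny", "Everyone", "read-member", False),
    Ace("allow", "Authenticated Users", "read-member", True),
]

SERVER = {"Mail Servers", "Authenticated Users", "Everyone"}
USER = {"Authenticated Users", "Everyone"}

def report(dacl):
    """Summarise ordering and effective access for the two sample callers."""
    return {
        "canonical": is_canonical(dacl),
        "server_reads_members": access_check(dacl, SERVER, "read-member"),
        "user_reads_members": access_check(dacl, USER, "read-member"),
    }

if __name__ == "__main__":
    print("as stamped :", report(HIDDEN_DACL))
    print("after edit :", report(canonicalize(HIDDEN_DACL)))
```

In this model the same three ACEs give a different result for the server account once they are re-sorted, so a configuration that depends on ACE order needs something to re-stamp it after every edit.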
With regard to the names of the groups, a QBDG (Query Based Distribution Group) is exactly the same as a DDG (Dynamic Distribution Group). DDG does not “replace” QBDG. If you create a DDG in E2k7, it will show as a QBDG in E2k3. If you create a QBDG in E2k3, it will show as a DDG in E2k7. We just renamed the friendly name of the existing object :)
Truth be known, hiding (static) Distribution Group membership never really worked to begin with, due to limitations of Active Directory. If you were part of a distribution list that was hidden, it was very easy for someone to pull up your account in the global address list via Outlook and see what groups you are in! As part of a security audit by the product group, it was decided to remove this insecure feature from the product in favor of using the QBDG/DDG feature, which serves as a reasonable (if awkward) mitigation.