Link to home
Start Free TrialLog in
Avatar of jp_tech
jp_tech

asked on

Create new Distribution Groups or just mail enable existing Security Groups?

I am running Exchange 2003 on a 2003 Enterprise Server in a one domain forest.  We want to start using distribution groups in Exchange so I started creating Global Distribution Groups.  I then realized that I can also mail enable existing Security Groups.  My question to you all is, what is the best practice?  Is it best to create new groups for mail distribution purposes or is it ok to just mail enable the existing security groups?  The later seems to be much less work and it already contains all of the users and has the groups name we want to use for Distribution such as HS TEACHER or HS STAFF.  Whats are the pros and cons of each approach?
ASKER CERTIFIED SOLUTION
Avatar of Chris Dent
Chris Dent
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
create new DL's and make the SG's members

mail-enabling SG's is quicker and easier, but I have found that it is a false economy and can cause a lot of problems down the road

better to take the extra time to do it right at the start than to have to go back and do it right once everything goes south
Avatar of jp_tech
jp_tech

ASKER

I did create a Global Distribution group as a test then added a SC, when I sent mail to the Dl the users in the SC did not receive the test emails.  

The SC would have to be mail enabled as well in that scenario.

Chris
make the DL's dynamic
Avatar of jp_tech

ASKER

That's what I figured, but now I will be increasing the amount of mailboxes in Exchange by creating new DL's and also mail enabling existing security groups.  I'm not sure if that's a bad thing, I'm new to Exchange so I'm just thinking things through.
Avatar of jp_tech

ASKER

How do you do that in Exchange 2003?  I thought that was only able to be done in 2007?  I may be wrong though.

It wouldn't be increasing the number of mailboxes, mail enabled groups don't get one of those. It just allows the group to have an address, the server will expand it into it's members should it ever have a mail directed at it.

You can make dynamic distribution lists in both 2003 and 2007. Never been all that keen on them myself. They work, without doubt, but they're a bit more obscure than is generally desirable.

Chris
I never create distribution groups, always Security Groups. I also don't use dynamic groups either. By using security groups I can use the group for both permissions and email distribution.

Simon.
Avatar of jp_tech

ASKER

Mestha, do you see any cons for using Distribution Groups as opposed to mail enables Security Groups?  And what is your reason for not using Dynamic groups?  to anyone what are Dynamic Groups Exactly and how do i create them in Exchange 2003? Thanks.
I don't create Distribution groups they are just a waste of time. They are only for distribution - whereas I can use a security group for two tasks. One less thing to administrate.

I don't use Dynamic groups because I find them a pig to setup. I have designed distribution group systems for 10,000s of users where it require a new user to be added to one or two groups at most. I can also add users to a specific group, which you cannot do with dynamic groups. I can just do more with static groups.

Simon.
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I forgot to say the classic reason - dynamic lists are for email only, you cannot use them for permissions.

Simon.
Avatar of jp_tech

ASKER

Chris-Dent, I tried createing a Query Based Distribution List but I get, " You can only create a query based distribution opject in Exchange Server 2003 native Mode.  Any Idea how I can get around that? Was trying to follow your example and create one as a test.  
Chris what is your environment like that the dynamics groups work best for you?  In my scenario many of the security groups that exist already contain the members that I need to target with distribution lists.  You and Mestha  make very valid points on both sides of the coin on this one.  I am still trying to decide which model will work best for me now and the future.  

> Any Idea how I can get around that?

You can't get around it, but you could shift the mode to Native if you don't have any 5.5 or 2000 Exchange Servers to deal with. MS have a little KB article discussing all the implications (and giving instructions) here:

http://support.microsoft.com/kb/327779

If your security groups have the right members I would simply mail enable those. There's no point in creating dynamic lists if they are only based on the same groups, just makes AD and Exchange work harder for no good reason.

Chris
Avatar of jp_tech

ASKER

That is my conclusion, since my security group structure is already set up, and the groups will rarely change in my environment other than the addition or deletion of a new teacher or staff member.  I have thought it through and for me that seems to be the best option.  I will mail enable my existing security groups and create new ones as needed.  I will also change Exchange to native mode since I only have one Exchange Server running 2003.  

Cool that sounds good to me :)

Chris
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Right but the folder ACL should be the corner case not the defining normal case...

Thanks,
Brian Desmond
Active Directory MVP
Avatar of jp_tech

ASKER

bdesmond would you mind writing more on what you mean by you last comment please.

Brian means that if give a user rights to update a distribution list (Managed By along with "Manager can update membership list", or by granting a user rights to modify the group membership) then you give over control of the security of your file system (or anywhere else) to your users.

That is you might have a list called:

Department - Finance

Which is a mailing list and also controls access to a share here:

\\server\departments\Finance

If someone can update the membership of that distribution list they can also give people access to the share (intentionally or not). If the access is not authorised then you may have a problem because shares like that tend to contain a great deal of sensitive information.

It's a good reason to keep your distribution lists separate from groups used to secure resources.

Chris
Avatar of jp_tech

ASKER

Good point on that one, and gives me something else to consider when designing the folder structure.  Note. The Director of It wants to use a Clerical Staff member to Update the list memberships.

Then I would go back to suggesting you keep Security and Distribution separate unless there's a compelling argument for combining them :)

It's a bit of effort to set up, but I can tell you how to copy the membership from one group to another if you have a lot of them to do.

Chris
Avatar of jp_tech

ASKER

Thanks, I think that is what I may have to do now with this new knowledge of the directors intent to allow clerical staff to add members to lists.  I will wait to see the groups they want created and how many, I should know by tomorrow.
Avatar of jp_tech

ASKER

BTW the reponses to this question are really good,  others will learn allot from this thread, I know I did.
Avatar of jp_tech

ASKER

Chris on your last comment how do you copy members of one group to another?  If I create a distribution group called A, and I want to add the members of groups B and C to this new group, what would be the recommended way?
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of jp_tech

ASKER

Thanks for the Excellent Help Guys