Solved

Converting Distribution to Security Groups...

Posted on 2004-09-08
7
715 Views
Last Modified: 2010-04-12
We have a Multiple Domains with mixed mode network. Our Mail server is E5.5 and we most our exchange sites are upgraded to e2k.Only few server needs upgrade including our server. We have lot Distribution lists.

Now when a new user comes in I want to assign Share access rights, Printer access & adding into DL in one shot. For this I want to convert all DLGroups into security groups.
So that I can assign permission for printers & Files. As well as he will be the part of DL.
By adding him into the DL I can achieve all this.

I just want to know there are any issues in converting the Distribution lists groups type to Security groups.

And should in future shd I go ahead and use security groups for double purpose…(Assign permissions as well as DL)…

Please let me why we have specific Distribution group If my case is possible….

Thanks
 
0
Comment
Question by:moorthy_kulumani
  • 4
  • 3
7 Comments
 
LVL 9

Expert Comment

by:jdeclue
ID: 12006157
Here are some of my thoughts.... first, the Exchange 5.5 cannot use the Groups in active directory unless you are using the Active Directory Connector for Exchange to create and synchronize the Users and Groups, in this case it will create a group in the Active Directory and add the users to it. Many people use this technique to create the AD Users and Groups, from the Exchange 5.5 Directory rather than a Windows NT Domain.

The converison in Active Directory of Distribution Lists to Security Groups, is automatic. If a distribution list is created in Active Directory from you Exchange 5.5 directory and that Group is also applied as a security group, then the first time a user in the group access the Distribution List to obtain a security principal it will be converted to a security group.

Distribution Lists vs. Security Groups, the biggest difference in my mind for keeping them seperated is that the Distribution lists will have an email address and probably be publish in the Global Address Book. Anyone using Outlook can view the membership, and send emails to the list. Most people want to keep the security groups seperate, without email addresses and without them being published.

J
0
 
LVL 3

Author Comment

by:moorthy_kulumani
ID: 12013561
Thanks for your time & comment...

We have ADC and everything in Place.We are creating groups using ADUC. Just our Home server is 5.5.

I want to put it clear..Can i use a securtiy group for accessing resource and as well as a Distrubution list ? If yes what is the disadvantage ?
If no Why ?

The Advantage i am looking here is ..Once the user added to the Security group he is in the DL & he get access to printer and shares in one shot.

Whereas in other way (Most people want to keep the security groups seperate, without email addresses and without them being published. )
I need to have two groups one for accessing resouces and one for the DL.


Hope you get what i am looking for..

0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12016168
Yes they can be used that way. Most people do not, becuase of administration. A department might have multiple lists for distribution (Managers, Staff, Department.. etc), they may also have many different security groups that just do not align to the distribution lists.  The problem with doing groups in any fashion, is that it is hard to change it down the road. Most people that start trying to use groups for dual purpose run into many issues down the road, and trying to fix or change the way they were done in the past can be a nightmare. Below I have outlined an example of a Finance group, see if it explains what I mean.


J

FINANCE GROUP

Distribution Lists:
Managers -  All managers, team leads, CIO etc
Finance - All finance employess
Payments - Specific finance employees
Travel - travel staff
Payroll - payroll staff

Security Groups:
Finance - Read Only - Finance staff
Finance - Read/Write - CIO, Managers
Finance Application - Read Only - all Finance employees
Finance Application - Read/Write - Specific finance employees, accountants, CIO etc
Travel System - Read Only - all Finance employees
Travel System - Read/Write - Read/Write - Specific finance employees, travel specialists, CIO etc
Payroll System - Accountants, CIO, payroll employees

0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 3

Author Comment

by:moorthy_kulumani
ID: 12016693
So in My case i think i can use the security group then...

DL :
All-staff  
mangers
Sales
Finance
Travel


Say i changed this to Sec groups...for to use some resource...


All-staff  - All emp.to access company forms etc..
mangers - all mangers access to color printer
sales- to the sales printer and sales share...
Finance - to the finance share and printer
Travel - to the travel share and printer..

In this case i can ise those as DL as well as for security purpose right ?
0
 
LVL 9

Accepted Solution

by:
jdeclue earned 100 total points
ID: 12016904
Of course, there are no hard and fast rules. ;). The real answer is, if it works for the company and it makes administration easier than do it!. I only wanted to point out pitfalls you can run into down the road. If those are not concerns, then don't pay attention to them. So the answer to the original question, is no there should not ba any issues, but you should create an Exchange 5.5 group, let it sync to the AD side and test it first. There are always exceptions and if something is wierd in the enviroment you could possibly have an issue.

J
0
 
LVL 3

Author Comment

by:moorthy_kulumani
ID: 12017213
I appreciate your time & sharing your thoughts.

Thanks
Ram.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12017462
No problem, I hope that did help. Even if it was a bit long winded! Take Care.

J
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now