Rowdyone52
asked on
Active Directory Groups Global/Universal
Experts,
We have quite a few groups setup in our organization. These groups have email addresses and when we send email to the group sometimes the members get the email, but most times they don't. The groups with the trouble seem to be security groups with a group scope of global. We changed the groups to have a universal group scope and now the members are receiving their emails. All the members of these groups are in the same domain, so why would that make a difference?
We have quite a few groups setup in our organization. These groups have email addresses and when we send email to the group sometimes the members get the email, but most times they don't. The groups with the trouble seem to be security groups with a group scope of global. We changed the groups to have a universal group scope and now the members are receiving their emails. All the members of these groups are in the same domain, so why would that make a difference?
Why are you using security group with email address? Why not use distribution group?
ASKER
Distribution Group...Not security group
Universal
Universal groups can be used anywhere in the same Windows forest. They are only available in a Native-mode enterprise. Universal groups may be an easier approach for some administrators because there are no intrinsic limitations on their use. Users can be directly assigned to Universal groups, they can be nested, and they can be used directly with access-control lists to denote access permissions in any domain in the enterprise.
Universal groups are stored in the global catalog (GC); this means that all changes made to these groups engender replication to all global catalog servers in the entire enterprise. Changes to universal groups must therefore be made only after a careful examination of the benefits of universal groups as compared to the cost of the increased global catalog replication load. If an organization has but a single, well-connected LAN, no performance degradation should be experienced, while widely dispersed sites might experience a significant impact. Typically, organizations using WANs should use Universal groups only for relatively static groups in which memberships change rarely.
Global
Global groups are the primary scope of groups into which users are placed in Mixed-mode domains. Global groups can be placed only in the security descriptors of resource objects that reside in the same domain. This means that you cannot restrict access to an object based solely on user membership in a global group from another domain.
Global group membership for a user is evaluated when that user logs on to a domain. Because global group membership is domain-centric, changes in global group membership do not impose global catalog replication throughout an entire enterprise.
In a Native-mode domain, global groups can be nested within each other. This may be useful when administrators have nested organizational units, and want to delegate Organizational Unit (OU) administrative functionality in a gracefully decreasing manner down an OU tree. In this situation, a global group tree can be used as a parallel construct, for the assignment of such decreasing privileges
Universal groups can be used anywhere in the same Windows forest. They are only available in a Native-mode enterprise. Universal groups may be an easier approach for some administrators because there are no intrinsic limitations on their use. Users can be directly assigned to Universal groups, they can be nested, and they can be used directly with access-control lists to denote access permissions in any domain in the enterprise.
Universal groups are stored in the global catalog (GC); this means that all changes made to these groups engender replication to all global catalog servers in the entire enterprise. Changes to universal groups must therefore be made only after a careful examination of the benefits of universal groups as compared to the cost of the increased global catalog replication load. If an organization has but a single, well-connected LAN, no performance degradation should be experienced, while widely dispersed sites might experience a significant impact. Typically, organizations using WANs should use Universal groups only for relatively static groups in which memberships change rarely.
Global
Global groups are the primary scope of groups into which users are placed in Mixed-mode domains. Global groups can be placed only in the security descriptors of resource objects that reside in the same domain. This means that you cannot restrict access to an object based solely on user membership in a global group from another domain.
Global group membership for a user is evaluated when that user logs on to a domain. Because global group membership is domain-centric, changes in global group membership do not impose global catalog replication throughout an entire enterprise.
In a Native-mode domain, global groups can be nested within each other. This may be useful when administrators have nested organizational units, and want to delegate Organizational Unit (OU) administrative functionality in a gracefully decreasing manner down an OU tree. In this situation, a global group tree can be used as a parallel construct, for the assignment of such decreasing privileges
ASKER
Do you know why users of global groups wouldnt get emails, while users in Universal groups would?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
thanks :-)