Create new Distribution Groups or just mail enable existing Security Groups?

I am running Exchange 2003 on a 2003 Enterprise Server in a one domain forest.  We want to start using distribution groups in Exchange so I started creating Global Distribution Groups.  I then realized that I can also mail enable existing Security Groups.  My question to you all is, what is the best practice?  Is it best to create new groups for mail distribution purposes or is it ok to just mail enable the existing security groups?  The latter seems to be much less work and it already contains all of the users and has the group's name we want to use for Distribution such as HS TEACHER or HS STAFF.  What are the pros and cons of each approach?
Asked by: jp_tech
 
Chris Dent (PowerShell Developer) commented:

You can use either, whether you should or not is only constrained by how you want it to work and how well it works for you.

Personally I keep my distribution groups separate from the groups I use to assign permissions. While the groups may start out with the same membership I find that they tend to diverge over time. I'd rather have them separate in the first place than have to redesign either the distribution lists or the security groups later on.

Do note that while I may approach it like that there's no rule that says you must. Only advice based on what's worked well in the past.

Chris
 
abhaigh commented:
Create new DLs and make the SGs members.

Mail-enabling SGs is quicker and easier, but I have found that it is a false economy and can cause a lot of problems down the road.

Better to take the extra time to do it right at the start than to have to go back and do it right once everything goes south.
 
jp_tech (Author) commented:
I did create a Global Distribution group as a test then added an SC, when I sent mail to the DL the users in the SC did not receive the test emails.
 
Chris Dent (PowerShell Developer) commented:

The SC would have to be mail enabled as well in that scenario.

Chris
 
abhaigh commented:
make the DL's dynamic
 
jp_tech (Author) commented:
That's what I figured, but now I will be increasing the number of mailboxes in Exchange by creating new DL's and also mail enabling existing security groups.  I'm not sure if that's a bad thing, I'm new to Exchange so I'm just thinking things through.
 
jp_tech (Author) commented:
How do you do that in Exchange 2003?  I thought that was only able to be done in 2007?  I may be wrong though.
 
Chris Dent (PowerShell Developer) commented:

It wouldn't be increasing the number of mailboxes, mail enabled groups don't get one of those. It just allows the group to have an address, the server will expand it into its members should it ever have mail directed at it.

You can make dynamic distribution lists in both 2003 and 2007. Never been all that keen on them myself. They work, without doubt, but they're a bit more obscure than is generally desirable.

Chris
 
Mestha commented:
I never create distribution groups, always Security Groups. I also don't use dynamic groups either. By using security groups I can use the group for both permissions and email distribution.

Simon.
 
jp_tech (Author) commented:
Mestha, do you see any cons for using Distribution Groups as opposed to mail-enabled Security Groups?  And what is your reason for not using Dynamic groups?  To anyone: what are Dynamic Groups exactly and how do I create them in Exchange 2003? Thanks.
 
Mestha commented:
I don't create Distribution groups; they are just a waste of time. They are only for distribution - whereas I can use a security group for two tasks. One less thing to administrate.

I don't use Dynamic groups because I find them a pig to set up. I have designed distribution group systems for 10,000s of users where it requires a new user to be added to one or two groups at most. I can also add users to a specific group, which you cannot do with dynamic groups. I can just do more with static groups.

Simon.
 
Chris Dent (PowerShell Developer) commented:

I don't really see it as one less thing to administer. But in my environment the distribution lists tend to have more people in them than need to be allowed access to file systems. It's that difference that makes it sensible for me to have separate groups for e-mail and security. As I said at the beginning though, you should use what works for you, we can only share what works well for us.

Dynamic Distribution Groups are based on a search base (an OU, for example) and an LDAP query. Every time someone sends a message to the group Exchange must expand its membership. You can't actively see the membership (it doesn't have any), only calculate it based on the base and filter.

I worked for an organisation that came close to using them for a while, but they were dropped in favour of scripts to update group membership because the dynamic lists were too much bother to maintain when people wanted adding but didn't fit in with the query.

To create a Dynamic Distribution List in Exchange 2003:

1. Open AD Users and Computers
2. Right click and select new "Query-based Distribution Group"
3. Enter a name and alias
4. Select a value for "Apply filter to recipients in and below" (this is the search base)
5. Create an LDAP query. Let's apply a filter so you can see it in action:
  a. Click Customize
  b. In the Find drop down box select Custom Search
  c. Select Advanced
  d. Enter:  (sAMAccountName=YourUserName)
6. Next then Finish
7. Open up the group and select Preview. Your account should appear in the list.

Note that when creating the LDAP query you can use the other options (of course), however, you end up with much neater and more efficient queries if you create them yourself.

Chris
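To make the "calculate it based on the base and filter" part concrete, here is an added example (not code from the thread) that models what the Preview step in the walkthrough above computes: it takes a search base and an LDAP filter and evaluates them against a small constructed directory, so the membership exists only at evaluation time. The directory entries, the DC=school,DC=local naming and the simplified objectCategory values are all assumptions; the filter grammar covered is the RFC 4515 subset of &, |, !, equality, presence (attr=*) and substring (attr=HS*) matches, without escaped characters.

```python
"""Evaluate an LDAP filter against an in-memory directory, as a query-based
distribution group's Preview does. Added example; not code from the thread."""
import re

# Constructed sample directory (DN, attributes); none of these are real
# accounts. objectCategory is simplified to the short name filters use.
DIRECTORY = [
    ("CN=alice,OU=Teachers,OU=HS,DC=school,DC=local",
     {"sAMAccountName": "alice", "objectCategory": "person",
      "department": "HS Teacher", "mail": "alice@school.local"}),
    ("CN=bob,OU=Staff,OU=HS,DC=school,DC=local",
     {"sAMAccountName": "bob", "objectCategory": "person",
      "department": "HS Staff", "mail": "bob@school.local"}),
    ("CN=dave,OU=Staff,OU=HS,DC=school,DC=local",      # not mail-enabled
     {"sAMAccountName": "dave", "objectCategory": "person",
      "department": "HS Staff"}),
    ("CN=erin,OU=Staff,OU=HS,DC=school,DC=local",      # does not fit the query
     {"sAMAccountName": "erin", "objectCategory": "person",
      "department": "Library", "mail": "erin@school.local"}),
    ("CN=carol,OU=Teachers,OU=MS,DC=school,DC=local",  # outside the HS base
     {"sAMAccountName": "carol", "objectCategory": "person",
      "department": "MS Teacher", "mail": "carol@school.local"}),
]


def parse_filter(text):
    """Parse an LDAP filter into a tuple tree; ValueError on malformed input."""
    pos = 0

    def peek():
        return text[pos] if pos < len(text) else ""

    def expect(ch):
        nonlocal pos
        if peek() != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def parse():
        nonlocal pos
        expect("(")
        op = peek()
        if op in ("&", "|"):                      # (&(a)(b)...) or (|(a)(b)...)
            pos += 1
            children = []
            while peek() == "(":
                children.append(parse())
            if not children:
                raise ValueError(f"{op} needs at least one sub-filter")
            expect(")")
            return (op, children)
        if op == "!":                             # (!(a))
            pos += 1
            child = parse()
            expect(")")
            return ("!", child)
        end = text.find(")", pos)                 # (attr=value)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, value = text[pos:end].partition("=")
        if not (sep and attr and value):
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr, value)

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(node, attrs):
    """True if the attribute dictionary satisfies the parsed filter."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, attrs) for c in node[1])
    if kind == "|":
        return any(matches(c, attrs) for c in node[1])
    if kind == "!":
        return not matches(node[1], attrs)
    _, attr, pattern = node
    # AD attribute names are case-insensitive; an absent attribute never matches.
    value = next((v for k, v in attrs.items() if k.lower() == attr.lower()), None)
    if value is None:
        return False
    # '*' is the only wildcard; every other character in the pattern is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None


def in_search_base(dn, base):
    """True if dn is the base itself or lies below it ("in and below")."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def preview_members(search_base, ldap_filter, directory=DIRECTORY):
    """Compute the dynamic group's membership right now, as Preview would."""
    tree = parse_filter(ldap_filter)
    return sorted(attrs["sAMAccountName"] for dn, attrs in directory
                  if in_search_base(dn, search_base) and matches(tree, attrs))


if __name__ == "__main__":
    hs = "OU=HS,DC=school,DC=local"
    # Mail-enabled people in the HS OU whose department starts with "HS".
    print(preview_members(hs, "(&(objectCategory=person)(mail=*)(department=HS*))"))
    # erin does not fit the query; the only way to "add" her is to widen it.
    print(preview_members(hs, "(|(department=HS*)(sAMAccountName=erin))"))
```

The second call in the usage block is the maintenance problem mentioned above: a person who does not fit the query cannot simply be added, the filter itself has to change, and each such exception makes the filter less readable.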
 
Mestha commented:
I forgot to say the classic reason - dynamic lists are for email only, you cannot use them for permissions.

Simon.
 
jp_tech (Author) commented:
Chris-Dent, I tried creating a Query Based Distribution List but I get, "You can only create a query based distribution object in Exchange Server 2003 native mode."  Any idea how I can get around that? Was trying to follow your example and create one as a test.
Chris, what is your environment like that the dynamic groups work best for you?  In my scenario many of the security groups that exist already contain the members that I need to target with distribution lists.  You and Mestha make very valid points on both sides of the coin on this one.  I am still trying to decide which model will work best for me now and the future.
 
Chris Dent (PowerShell Developer) commented:

> Any Idea how I can get around that?

You can't get around it, but you could shift the mode to Native if you don't have any 5.5 or 2000 Exchange Servers to deal with. MS have a little KB article discussing all the implications (and giving instructions) here:

http://support.microsoft.com/kb/327779

If your security groups have the right members I would simply mail enable those. There's no point in creating dynamic lists if they are only based on the same groups, just makes AD and Exchange work harder for no good reason.

Chris
 
jp_tech (Author) commented:
That is my conclusion, since my security group structure is already set up, and the groups will rarely change in my environment other than the addition or deletion of a new teacher or staff member.  I have thought it through and for me that seems to be the best option.  I will mail enable my existing security groups and create new ones as needed.  I will also change Exchange to native mode since I only have one Exchange Server running 2003.  
 
Chris Dent (PowerShell Developer) commented:

Cool that sounds good to me :)

Chris
 
bdesmond commented:
From a best practice perspective, using security groups as DLs as well is not a good plan. It's a big security hole if you're allowing people to modify the membership in the GAL in particular.

Think about this scenario. You've got a mail enabled security group called Finance Users. Bob from finance goes on vacation, so someone adds Bill to the group to cover email requests. Unknowingly, Bill also now has access to the company books because someone secured that share with the Finance Users group.

Thanks,
Brian Desmond
Active Directory MVP
 
Mestha commented:
I take your point Brian, but if you want to grant permissions to something in Exchange, public folder, folder in a mailbox, then the group needs to be a security group and needs to be mail enabled, and needs to be visible in the GAL for Outlook to allow it to be selected.

If the practice of having separate groups is followed, then you will end up with duplicated groups. I have seen that before and users just end up being put in both groups because everyone uses both groups.

With Exchange 2003, Exchange did a background task to convert a distribution group into a security group, but with Exchange 2007 the group MUST be a security group from the outset (or converted) to allow its use for permissions.

Simon.
 
bdesmond commented:
Right but the folder ACL should be the corner case not the defining normal case...

Thanks,
Brian Desmond
Active Directory MVP
 
jp_tech (Author) commented:
bdesmond would you mind writing more on what you mean by your last comment please.
 
Chris Dent (PowerShell Developer) commented:

Brian means that if you give a user rights to update a distribution list (Managed By along with "Manager can update membership list", or by granting a user rights to modify the group membership) then you give over control of the security of your file system (or anywhere else) to your users.

That is you might have a list called:

Department - Finance

Which is a mailing list and also controls access to a share here:

\\server\departments\Finance

If someone can update the membership of that distribution list they can also give people access to the share (intentionally or not). If the access is not authorised then you may have a problem because shares like that tend to contain a great deal of sensitive information.

It's a good reason to keep your distribution lists separate from groups used to secure resources.

Chris
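The scenario Brian and Chris describe is easy to check for once the data is in hand, so here is an added example (not code from the thread) that models it over constructed data: a few groups with nested membership, share ACLs, and a delegated "manager can update membership" right. It resolves nested membership the way a Windows access check does and reports, for each delegated manager, which shares they could open up simply by editing a list; it then flags every mail-enabled security group that sits on an ACL. The group names, share paths, users and addresses are all assumptions.

```python
"""Audit what a delegated list manager can grant as a side effect of editing a
mail-enabled security group. Added example; not code from the thread."""
from collections import defaultdict

FINANCE_SHARE = r"\\server\departments\Finance"
ARCHIVE_SHARE = r"\\server\departments\Finance-Archive"

# Constructed groups: mail address (None = not mail-enabled), whether it is a
# security group, direct members (users or groups) and the delegated manager.
GROUPS = {
    "Department - Finance": {"mail": "finance@example.com", "security": True,
                             "members": ["bob", "HS Clerical"], "managed_by": "clerk1"},
    "HS Clerical": {"mail": None, "security": True,
                    "members": ["clerk2"], "managed_by": None},
    "Finance Announcements": {"mail": "finance-news@example.com", "security": False,
                              "members": ["bob", "bill"], "managed_by": "clerk1"},
    "Finance Share Access": {"mail": None, "security": True,
                             "members": ["bob"], "managed_by": None},
}

# Constructed share ACLs: which groups are granted access to each path.
SHARE_ACLS = {
    FINANCE_SHARE: ["Department - Finance"],
    ARCHIVE_SHARE: ["Finance Share Access"],
}


def direct_containers(groups):
    """Map each principal (user or group) to the groups that list it directly."""
    parents = defaultdict(set)
    for name, g in groups.items():
        for member in g["members"]:
            parents[member].add(name)
    return parents


def all_groups_of(principal, groups):
    """Transitive group membership, i.e. the groups an access check would see."""
    parents = direct_containers(groups)
    seen, todo = set(), [principal]
    while todo:
        current = todo.pop()
        for group in parents.get(current, ()):
            if group not in seen:
                seen.add(group)
                todo.append(group)
    return seen


def shares_for(principal, groups=GROUPS, acls=SHARE_ACLS):
    """Shares a user, or every member of a group, can reach through the ACLs."""
    reach = all_groups_of(principal, groups) | {principal}
    return {share for share, allowed in acls.items() if reach & set(allowed)}


def delegation_report(groups=GROUPS, acls=SHARE_ACLS):
    """Per delegated manager: the groups they edit and the shares each unlocks."""
    report = defaultdict(dict)
    for name, g in groups.items():
        shares = shares_for(name, groups, acls)
        if g["managed_by"] and shares:
            report[g["managed_by"]][name] = shares
    return dict(report)


def risky_groups(groups=GROUPS, acls=SHARE_ACLS):
    """Mail-enabled security groups that also sit, directly or nested, on an ACL."""
    return sorted(name for name, g in groups.items()
                  if g["mail"] and g["security"] and shares_for(name, groups, acls))


def with_member(groups, group, user):
    """Copy of the directory with user added to group (what the manager does)."""
    updated = {name: dict(g, members=list(g["members"])) for name, g in groups.items()}
    updated[group]["members"].append(user)
    return updated


if __name__ == "__main__":
    print("mail-enabled security groups on ACLs:", risky_groups())
    print("what each delegated manager can unlock:", delegation_report())
    # Bob's stand-in is added to the list "to cover email" while Bob is away.
    after = with_member(GROUPS, "Department - Finance", "bill")
    print("bill before:", shares_for("bill"), "after:", shares_for("bill", after))
```

Run against a real directory the same logic needs only the group list, the nesting and the share ACLs as input; the useful output is the delegation report, which tells you which "just a mailing list" edits are in fact permission changes. Note that Finance Announcements, the pure distribution group, never appears in it even though the same clerk manages it, which is the separation the thread recommends.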
 
jp_tech (Author) commented:
Good point on that one, and gives me something else to consider when designing the folder structure.  Note: the Director of IT wants to use a Clerical Staff member to update the list memberships.
 
Chris Dent (PowerShell Developer) commented:

Then I would go back to suggesting you keep Security and Distribution separate unless there's a compelling argument for combining them :)

It's a bit of effort to set up, but I can tell you how to copy the membership from one group to another if you have a lot of them to do.

Chris
 
jp_tech (Author) commented:
Thanks, I think that is what I may have to do now with this new knowledge of the director's intent to allow clerical staff to add members to lists.  I will wait to see the groups they want created and how many, I should know by tomorrow.
 
jp_tech (Author) commented:
BTW the responses to this question are really good, others will learn a lot from this thread, I know I did.
 
jp_tech (Author) commented:
Chris on your last comment how do you copy members of one group to another?  If I create a distribution group called A, and I want to add the members of groups B and C to this new group, what would be the recommended way?
 
Chris Dent (PowerShell Developer) commented:

There are a few different ways. Which is most appropriate depends on how many you have.

Using Outlook to expand the membership:

Create a new mail to the group. When you add in the group to the To box use Check Name. That should underline it and add a + symbol to the left of the name. Click the + and it expands. Copy the list it gives you there into the add members box for the new group.

Using VBScript

Save as .vbs, modify "yourdomain.com" and each of the group names then double click the script or run with "cscript scriptname.vbs".


  Option Explicit
  Dim objSrcGroup, objDstGroup, objMember

  ' Bind to both groups through the WinNT provider (plain group names, not DNs)
  Set objSrcGroup = GetObject("WinNT://yourdomain.com/Source Group Name")
  Set objDstGroup = GetObject("WinNT://yourdomain.com/Destination Group Name")

  ' Keep going on errors so a member already in the destination group is skipped
  On Error Resume Next
  For Each objMember In objSrcGroup.Members
    objDstGroup.Add objMember.AdsPath
  Next


Using PowerShell

http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx
With:
http://www.quest.com/activeroles-server/arms.aspx

Once installed, this command will copy members of one group to another when run from PowerShell (started from the Quest Software shortcut).


Get-QADGroupMember "Source Group" | Add-QADGroupMember "Destination Group"


A few things to download, but it does make for a wonderfully short way of adding members of one group to another.

Chris
 
jp_tech (Author) commented:
Thanks for the Excellent Help Guys