Solved

Will using the distribution group as security group impact the Active Directory performance?

Posted on 2009-07-05
4
219 Views
Last Modified: 2012-05-07
Hello,
Good Day,

My question is very simple and straighforward.

If i use the distribution group as security group, will it impact the AD performance? ... In other words, using the distribution group is for email purpose only but if i use it as security group as well for resource access, will it make my users logon time slow or something? ... or will it create an AD replication bottleneck?

Appreciate your quick response.

Thanks in advance
0
Comment
Question by:amyassein
  • 2
  • 2
4 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24780522
Security groups Groups that can have security descriptors associated with them. You define security groups in domains using Active Directory Users And Computers.

Distribution groups Groups that are used as e-mail distribution lists. They can't have security descriptors associated with them. You define distribution groups in domains using Active Directory Users And Computers.

Extract from: http://technet.microsoft.com/en-us/library/bb726978.aspx
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 125 total points
ID: 24780526
It could depending on how many groups the user is a member of.  
You can run into an issue known as "token bloat"
http://support.microsoft.com/kb/327825
New resolution for problems with Kerberos authentication when users belong to many groups
http://technet.microsoft.com/en-us/library/cc757478(WS.10).aspx
 ...but as you can see there are also fixes/workarounds in place
There are other concerns with security vs distro lists.  See the thread below, really great discussion from Brian, Simon, and Chris a few months ago
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_24349300.html
Thanks
Mike
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24780543
but of course you can create mail enabled security groups so why bother with DL's when one group will do both?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24780552
demazter that was the entire debate here:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_24349300.html
I can see both sides of the argument.
Thanks
Mike
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Do you have users whose passwords are expiring and they are constantly calling you?  Well I sure did and needed a way to put an end to this.  We have a lot of remote users which would not be notified that their passwords were expiring since they wer…
Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now