Solved

AD global groups nested in distribution group - will email work?

Posted on 2014-02-19
Last Modified: 2014-02-20
I have not been able to find a definitive answer to this question after much searching.  Too many ways to search I think.

We are currently on 2008 R2.  I have a number of global security groups in AD.  I want to create a distribution group and add all of the global security groups to it.  

I want to do this because all members of the security groups need to get the same email alerts.  As independent admins add/remove users to security groups there should be no need to also add them to distribution groups.

The question is, will global security group members receive emails or does each user account need to be a "direct" member of the distribution list?

I do not want to have a number of distribution lists - just one for many security groups.

I'm still looking but if anyone can find a definitive answer on this it would save me much experimentation.
Question by:yccdadmins

Expert Comment

by:Chris Dent
ID: 39872745
You neglect to mention which mail system you're using; this is somewhat critical information.

Both security groups and distribution groups can be mail enabled in Exchange.

Are all groups in question mail enabled? If not, mail from Exchange will simply not arrive.

There is a problem with Exchange and global groups which you may encounter in a multi-domain forest: the categorizer cannot expand the membership of global groups outside of the group's domain. However, Exchange 2007 and later simply insist that mail-enabled groups are universal.

The group can still be a Security group after all that, but mail-enabled is key.

Chris

Expert Comment

by:VirastaR
ID: 39873728
Yes, as Chris mentioned, the mail system is a critical piece of information because the answer may differ based on the mail system you use, as Active Directory exhibits different behavior with different mail systems.

Hope that clarifies your WHY?

Keep us posted :)

Author Comment

by:yccdadmins
ID: 39873837
The mail system is Exchange and we have migrated to Microsoft's cloud.

I have a number of security groups (global) that control access to specific resources.  

When I am going to reboot the servers that contain those resources, I want to send an email to all individuals that are members of the global security groups.

I want to create a distribution group and make all the global security groups members of the distribution group.

Adding and removing end users from the security groups is an automated process.  I am looking to take advantage of that automation.  If I can make the security groups members of a distribution list, I do not have to manage a mailing list etc.

In 2000 server I found that end user accounts had to be a direct member of a distribution group in order to receive emails.  I thought it may have been a bug that has since been corrected.

So the basic question is, if I add global security groups to a distribution group, will the individual members of the security groups receive emails sent to the distribution group email address?  If I have to add each individual user account to the distribution group, I might as well create a mailing list...

All are on the same domain by the way.

Accepted Solution

by:Chris Dent
ID: 39873908
No. The group and all intermediate groups used as members must be mail enabled.

Expansion under Exchange 2013 (as an example) is discussed here:

http://technet.microsoft.com/en-us/library/bb430743%28v=exchg.150%29.aspx

The critical comment to note is here:


"Expansion completely expands nested levels of recipients into individual recipients."

A global security group which is not mail enabled is not a recipient. It will not expand beyond that point.

Chris
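
Added example (not part of the original thread and not any poster's code): a PowerShell audit that walks a distribution group's nesting and reports every point where expansion would stop because a nested group is not a recipient. It assumes the ActiveDirectory RSAT module, treats a populated mail attribute as a proxy for "mail enabled" (Exchange itself is the authority), and uses the hypothetical group name Reboot-Alerts.

```powershell
# Added example. Assumptions: ActiveDirectory module available; a populated
# 'mail' attribute stands in for "mail enabled"; 'Reboot-Alerts' is hypothetical.
Import-Module ActiveDirectory

function Get-ExpansionReport {
    param(
        [Parameter(Mandatory = $true)] [string] $GroupDN,
        [string] $Path = '',
        [System.Collections.Generic.HashSet[string]] $Seen
    )
    if ($null -eq $Seen) {
        $Seen = New-Object 'System.Collections.Generic.HashSet[string]'
    }
    # Guard against circular nesting: visit each group once.
    if (-not $Seen.Add($GroupDN)) { return }

    $group = Get-ADGroup -Identity $GroupDN -Properties mail, member
    $here  = if ($Path) { "$Path > $($group.Name)" } else { $group.Name }
    $row   = [ordered]@{
        Path     = $here
        Scope    = $group.GroupScope      # mail-enabled groups must be Universal
        Category = $group.GroupCategory   # Security or Distribution
        Members  = @($group.member).Count
        Status   = 'mail enabled'
    }
    if (-not $group.mail) {
        # Not a recipient: members below this point are never reached.
        $row.Status = 'NOT mail enabled - expansion stops here'
        [pscustomobject]$row
        return
    }
    [pscustomobject]$row

    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties mail
        if ($obj.ObjectClass -eq 'group') {
            Get-ExpansionReport -GroupDN $dn -Path $here -Seen $Seen
        } elseif (-not $obj.mail) {
            [pscustomobject][ordered]@{
                Path = "$here > $($obj.Name)"; Scope = ''; Category = $obj.ObjectClass
                Members = 0; Status = 'member has no mail address'
            }
        }
    }
}

$top = Get-ADGroup -Identity 'Reboot-Alerts'
Get-ExpansionReport -GroupDN $top.DistinguishedName | Format-Table -AutoSize
```

Any row reported as not mail enabled with a non-zero Members count marks users who would silently miss the alert; the Scope column shows which of those groups are still Global.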