Exchange 2007 and above require distribution groups (and mail-enabled security 
groups) to be universal in scope. It avoids quite a number of problems that 
revolve around the expansion of other group scopes.

[I refuse to be drawn into the discussion as to whether that was the "right 
way" to fix the problem - I simply note that that was how the Exchange team 
chose to fix it.]

I would suggest that you aren't gaining anything by making those changes, and 
in fact, as you note yourself, it's conceivable that you will break some things 
by doing so.

________________________________
From: David Lum [david....@nwea.org]
Sent: Tuesday, April 21, 2009 9:33 AM
To: NT System Admin Issues
Subject: AD restructure

I am doing some major AD restructuring for our org – I am finding dozens of 
Universal security groups that are really distribution lists. Do I gain 
anything by changing these to the distribution group type? I understand that if 
I do that they cannot be assigned to DACL’s (and if they are currently assigned 
to them this will break that), but if they are purely distribution lists what 
am I gaining other than it “feels right”?

Prior to my working on this, I know AD groups were created at whatever level 
“just worked” and didn’t follow a best practice (most of their AD groups – both 
security and distribution, are Universal for this reason, GGRRRR).
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Reply via email to