Which begs the question: How does Exchange determine if a distribution group needs to be a security group?

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: Michael B. Smith [mailto:mich...@owa.smithcons.com]
Sent: Tuesday, April 21, 2009 8:15 AM
To: NT System Admin Issues
Subject: RE: AD restructure

Exchange will automatically promote a DG to a SG if, in its sole discretion, the DG needs to be a SG. For example, if you assign permissions to a PF using a DG, Exchange will promote that DG to a SG. Again, I'm not going to get into a right-vs-wrong flame, but it is what it is.

________________________________
From: Brian Desmond [br...@briandesmond.com]
Sent: Tuesday, April 21, 2009 11:07 AM
To: NT System Admin Issues
Subject: RE: AD restructure

Eh? This is definitely something you should look at. IIRC Exchange itself doesn't require that DLs be uni groups; it's just that all the tooling (e.g. the UI and PowerShell) enforces this. It is and has been best practice since Exchange 2000 in nearly any case, so it makes sense to enforce it through the tools the 90% crowd uses.

Mail-enabled security groups are generally a no-no. It's a pretty big security black hole if you let people manage membership in Outlook. You can secure anything with a sec group, so take for example the "Finance People" DL, which is incidentally a security group too. Jane, the admin for finance, adds Bob, who's covering for Bill, to the DL so he gets mail. Unbeknownst to anyone, Bill now has access to all the books because someone secured them with the same group that is exposed for mail.

One thing to keep in mind if you want to test security groups and see what breaks if you make them distribution groups: when you do that conversion, the SID is retained, so if you discover you need it to remain a security group until you can re-ACL resources, you can just make it a security group again and the SID will stay intact.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: Michael B. Smith [mailto:mich...@owa.smithcons.com]
Sent: Tuesday, April 21, 2009 8:37 AM
To: NT System Admin Issues
Subject: RE: AD restructure

Exchange 2007 and above require distribution groups (and mail-enabled security groups) to be universal in scope. It avoids quite a number of problems that revolve around the expansion of other group scopes. [I refuse to be drawn into the discussion as to whether that was the "right way" to fix the problem - I simply note that that was how the Exchange team chose to fix it.]

I would suggest that you aren't gaining anything by making those changes, and in fact, as you note yourself, it's conceivable that you will break some things by doing so.

________________________________
From: David Lum [david....@nwea.org]
Sent: Tuesday, April 21, 2009 9:33 AM
To: NT System Admin Issues
Subject: AD restructure

I am doing some major AD restructuring for our org - I am finding dozens of Universal security groups that are really distribution lists. Do I gain anything by changing these to the distribution group type? I understand that if I do that they cannot be assigned to DACLs (and if they are currently assigned to them, this will break that), but if they are purely distribution lists, what am I gaining other than it "feels right"?

Prior to my working on this, I know AD groups were created at whatever level "just worked" and didn't follow a best practice (most of their AD groups - both security and distribution - are Universal for this reason, GGRRRR).

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
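As an added example (not code from anyone in the thread), the following PowerShell audit performs the check David and Brian are circling: it lists the mail-enabled universal security groups and looks for each group's SID in the DACLs of the folders under a few file-share roots, so a group with no ACL hits can be converted to a distribution group and a group with hits is exactly the "Finance People" case, where membership edits made for mail also grant access. The UNC roots are placeholders and the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module,
# read access to the folder trees, and placeholder UNC roots you replace with your own.
Import-Module ActiveDirectory

$roots = @('\\fileserver\Finance', '\\fileserver\Shared')   # placeholder paths

# Mail-enabled universal security groups: security category, universal scope, mail attribute set.
# These are the groups whose membership can be changed from the mail side while also guarding resources.
$groups = Get-ADGroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Universal" -and mail -like "*"' -Properties mail
$bySid = @{}
foreach ($g in $groups) { $bySid[$g.SID.Value] = $g }

# Walk the DACL of every folder under the roots and record where each group's SID appears.
# Matching on SID rather than name mirrors Brian's point: the SID survives a category change.
$referenced = @{}
foreach ($root in $roots) {
    $folders = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
               @(Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # orphaned or untranslatable ACE; skip it
            if ($bySid.ContainsKey($sid)) {
                if (-not $referenced.ContainsKey($sid)) {
                    $referenced[$sid] = New-Object System.Collections.Generic.List[string]
                }
                $referenced[$sid].Add($folder.FullName)
            }
        }
    }
}

# Report: no DACL hits means the group is a candidate for conversion to a distribution group;
# any hits mean it must stay a security group until those ACEs are moved to a non-mail group.
$groups | ForEach-Object {
    $hits = $referenced[$_.SID.Value]
    [pscustomobject]@{
        Group         = $_.SamAccountName
        Mail          = $_.mail
        AclHits       = if ($hits) { $hits.Count } else { 0 }
        ExampleFolder = if ($hits) { $hits[0] } else { '' }
        SafeToConvert = -not $hits
    }
} | Sort-Object AclHits -Descending | Format-Table -AutoSize
```

Only folder DACLs under the listed roots are inspected; the same SID lookup would need to be repeated for any other resource type (shares, registry, Exchange objects) before treating a group as safe to convert.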