You use groups to grant permissions to similar types of
users, to simplify account administration, and to make it easier to
contact multiple users. For example, you can send a message addressed
to a group, and the message will go to all the users in that group.
Thus, instead of having to enter 20 different e-mail addresses in the
message header, you enter one e-mail address for all of the group
members.
Group Types, Scope, and Identifiers
Windows defines several different types of groups, and each
of these groups can have a unique scope. In Active Directory domains,
you use three group types:
- Security: You use security groups to control access to network
  resources. You can also use user-defined security groups to distribute
  e-mail.
- Standard distribution: Standard distribution groups have fixed
  membership, and you use them only as e-mail distribution lists. You
  can't use these groups to control access to network resources.
- Dynamic distribution: Membership for dynamic distribution groups is
  determined based on a Lightweight Directory Access Protocol (LDAP)
  query; you use these groups only as e-mail distribution lists. The LDAP
  query is used to build the list of members whenever messages are sent
  to the group.
Note: Dynamic distribution groups created for Exchange Server 2007 are
compatible with Exchange Server 2010. However, dynamic distribution
groups created for Exchange Server 2003 or Exchange 2000 Server are not
compatible with Exchange Server 2010 and aren't displayed in the
Exchange Management Console. You can resolve this by forcing an
upgrade.
Security groups can have different scopes—domain local, global, and universal—so
that they are valid in different areas of your Active Directory forest.
With Exchange Server 2003, you could also create distribution groups
with different scopes. To simplify group management, Exchange
Server 2007 and Exchange Server 2010 support only groups with universal
scope. You can mail-enable security groups with universal scope, and
you can create new distribution groups with universal scope.
Note: If your organization has existing mail-enabled
security groups or distribution groups with global scope, you will not
be able to use those groups with Exchange Server 2007 and later
editions of Exchange. You will either need to create a new architecture
for your groups or convert those groups to universal groups. Using
Active Directory Users And Computers, domain administrators can easily
convert global groups to universal groups. They simply need to
double-click the group entry, select Universal under Group Scope, and
then click OK. However, some conversion restrictions apply. For
example, you can convert a global group only if it isn't a member of
another global group. In addition, pre-planning is recommended to
determine the impact on Active Directory. You also can use Set-Group to
convert groups.
Groups with universal scope can do the following:
When you work with dynamic distribution groups, keep in mind that
the membership can include only members of the local domain, or it can
include users and groups from other domains, domain trees, or forests.
Scope is determined by the default apply-filter
container you associate with the group when you create it. More
specifically, the default apply-filter container defines the root of
the search hierarchy, and the LDAP query filters to recipients in and
below the specified container. For example, if the apply-filter
container you associate with the group is cpandl.com, the query filter
is applied to all recipients in this domain. If the apply-filter
container you associate with the group is the Engineering
organizational unit, the query filter is applied to all recipients in
or below this container.
As with user accounts, Windows uses unique security identifiers (SIDs) to track groups.
This means that you can't delete a group, re-create it with the same
name, and then expect all the permissions and privileges to remain the
same. The new group will have a new SID, and all the permissions and
privileges of the old group will be lost.
2. When to Use Security and Standard Distribution Groups
Exchange Server 2007 and Exchange Server 2010 change the earlier
rules about how you can use groups. Previously, you could use groups
with different scopes, but now you can use only groups with universal
scope. As a result, you might need to rethink how and when you use
groups.
You must change the scope of any global group to universal before
you can mail-enable it. Rather than duplicating your existing security
group structure with distribution groups that have the same purpose,
you might want to selectively mail-enable your universal security
groups, which converts them to distribution groups. For example, if you
have a universal security group called Marketing, you don't need to
create a MarketingDistList distribution group. Instead, you could
enable Exchange mail on the original universal security group, which
would then become a distribution group.
You might also want to mail-enable universal security groups that
you previously defined. Then, if existing distribution groups serve the
same purpose, you can delete the distribution groups.
To reduce the time administrators spend managing groups, Exchange
Server 2010 defines several additional control settings, including the
following:
- Group ownership: Mail-enabled security groups, standard distribution
  groups, and dynamic distribution groups can have one or more owners. A
  group's owners are the users assigned as its managers, and they can
  control membership in the group. A group's managers are listed when
  users view the properties of the group in Microsoft Office Outlook.
  Additionally, managers can receive delivery reports for groups if you
  select the Send Delivery Reports To Group Manager option on the
  Advanced tab.
- Membership approval: Mail-enabled security groups and standard
  distribution groups can have open or closed membership. There are
  separate settings for joining and leaving a group. For joining, the
  group can be open to allow users to join without requiring permission,
  closed to allow only group owners and administrators to add members,
  or require owner approval to allow users to request membership in a
  group. Membership requests must be approved by a group owner. For
  leaving, a group can either be open to allow users to leave a group
  without requiring owner approval or closed to allow only group owners
  and administrators to remove members.
Your management tool of choice will determine your options for configuring group ownership and membership
approval. When you create distribution groups in the Exchange Control
Panel, you can specify ownership and membership approval settings when
you create the group and can edit these settings at any time by editing
the group's properties. When you create distribution groups in the
Exchange Management Console, you create the group first and then edit
the group's properties to specify the desired ownership and membership
approval settings.
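As an added example (not from the book), the scope conversion, mail-enabling, and ownership and membership-approval steps described above, done in the Exchange Management Shell instead of the graphical tools. The group name Marketing comes from the text; the owner aliases tonyz and maryb are assumed.

```powershell
# Added example, not from the book. Assumes a global security group named
# 'Marketing' and owner mailboxes with aliases 'tonyz' and 'maryb'.

# A global group cannot be mail-enabled, so widen its scope first. This is
# the Set-Group route the text mentions; the same restriction applies as
# in Active Directory Users And Computers (the group must not be a member
# of another global group).
Set-Group -Identity 'Marketing' -Universal

# Mail-enable the existing universal security group rather than creating a
# parallel MarketingDistList distribution group.
Enable-DistributionGroup -Identity 'Marketing'

# Owners and membership approval. Because a mail-enabled security group
# still controls access to resources, joining is set to require owner
# approval; an Open join setting would let any user grant themselves the
# group's permissions. Leaving is closed so only owners/admins remove members.
Set-DistributionGroup -Identity 'Marketing' `
    -ManagedBy 'tonyz', 'maryb' `
    -MemberJoinRestriction ApprovalRequired `
    -MemberDepartRestriction Closed `
    -ReportToManagerEnabled $true   # Send Delivery Reports To Group Manager

# Review check: list every mail-enabled universal security group whose
# membership is open to self-service joining.
Get-DistributionGroup -ResultSize Unlimited `
        -RecipientTypeDetails MailUniversalSecurityGroup |
    Where-Object { $_.MemberJoinRestriction -eq 'Open' } |
    Select-Object Name, ManagedBy, MemberJoinRestriction
```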
3. When to Use Dynamic Distribution Groups
It's a fact of life that over time users will move to different
departments, leave the company, or accept different responsibilities.
With standard distribution groups, you'll spend a lot of time managing
group membership when these types of changes occur—and that's where
dynamic distribution groups come into the picture. With dynamic
distribution groups, there isn't a fixed group membership and you don't
have to add or remove users from groups. Instead, group membership is
determined by the results of an LDAP query sent to your organization's
Global Catalog (or dedicated expansion) server whenever mail is sent to
the distribution group.
Dynamic distribution groups can be used with or without a dedicated
expansion server. You'll get the most benefit from dynamic distribution
without a dedicated expansion server when the member list returned in
the results is relatively small (fewer than 25 members). In the case of
potentially hundreds or thousands of members, however, dynamic
distribution is inefficient and could require a great deal of
processing to complete. To resolve this problem, you can shift the
processing requirements from the Global Catalog server to a dedicated
expansion server (a server whose only task is to expand the LDAP
queries). However, it could still take several minutes to resolve and
expand large distribution lists.
One other thing to note about dynamic distribution is that you can
associate only one specific query with each distribution group. For
example, you could create separate groups for each department in the
organization. You could have groups called QD-Accounting, QD-BizDev,
QD-Engineering, QD-Marketing, QD-Operations, QD-Sales, and QD-Support.
You could, in turn, create a standard distribution group or a dynamic
distribution group called AllEmployees that contains these groups as
members—thereby establishing a distribution group hierarchy.
When using multiple parameters with dynamic distribution,
keep in mind that multiple parameters typically work as logical AND
operations. For example, if you create a query with a parameter that
matches all employees in the state of Washington with all employees in
the Marketing department, the query results do not contain a list of
all employees in Washington or all Marketing employees. Rather, the
results contain a list of recipients who are in Washington and are
members of the Marketing group. In this case, you get the expected
results by creating a dynamic distribution group for all Washington
State employees, another dynamic distribution group for all Marketing
employees, and a final group that has as members the other two
distribution groups.
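As an added example (not from the book), the Washington/Marketing case above in the Exchange Management Shell: one dynamic group whose two conditions are ANDed, a preview of who the filter resolves to, and the text's workaround of two single-condition dynamic groups gathered by a standard distribution group. The domain cpandl.com is from the text; the OU path and group names are assumed.

```powershell
# Added example, not from the book. Assumes the domain cpandl.com with a
# 'Users' OU as the apply-filter (recipient) container.

# Precanned conditions on one group are combined with logical AND, as the
# text describes, so this group resolves only to Marketing users located
# in Washington.
New-DynamicDistributionGroup -Name 'QD-WA-Marketing' `
    -RecipientContainer 'cpandl.com/Users' `
    -IncludedRecipients MailboxUsers `
    -ConditionalStateOrProvince 'Washington' `
    -ConditionalDepartment 'Marketing'

# The filter is evaluated each time mail is sent, so preview the current
# result set before relying on the group (and again after directory changes).
$g = Get-DynamicDistributionGroup -Identity 'QD-WA-Marketing'
Get-Recipient -RecipientPreviewFilter $g.RecipientFilter `
    -OrganizationalUnit 'cpandl.com/Users' |
    Select-Object Name, Department, StateOrProvince

# The text's approach when the intent is "Washington OR Marketing": one
# dynamic group per condition, then a standard distribution group that has
# the two dynamic groups as members (a distribution group hierarchy).
New-DynamicDistributionGroup -Name 'QD-Washington' `
    -RecipientContainer 'cpandl.com/Users' `
    -IncludedRecipients MailboxUsers `
    -ConditionalStateOrProvince 'Washington'
New-DynamicDistributionGroup -Name 'QD-Marketing' `
    -RecipientContainer 'cpandl.com/Users' `
    -IncludedRecipients MailboxUsers `
    -ConditionalDepartment 'Marketing'
New-DistributionGroup -Name 'WA-Or-Marketing' -Type Distribution
Add-DistributionGroupMember -Identity 'WA-Or-Marketing' -Member 'QD-Washington'
Add-DistributionGroupMember -Identity 'WA-Or-Marketing' -Member 'QD-Marketing'
```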