Exchange Server 2010 : Working with Distribution Groups and Address Lists - Using Security and Distribution Groups

9/20/2013 9:16:21 PM

You use groups to grant permissions to similar types of users, to simplify account administration, and to make it easier to contact multiple users. For example, you can send a message addressed to a group, and the message will go to all the users in that group. Thus, instead of having to enter 20 different e-mail addresses in the message header, you enter one e-mail address for all of the group members.

1. Group Types, Scope, and Identifiers

Windows defines several different types of groups, and each of these groups can have a unique scope. In Active Directory domains, you use three group types:

  • Security: You use security groups to control access to network resources. You can also use user-defined security groups to distribute e-mail.

  • Standard distribution: Standard distribution groups have fixed membership, and you use them only as e-mail distribution lists. You can't use these groups to control access to network resources.

  • Dynamic distribution: Membership for dynamic distribution groups is determined based on a Lightweight Directory Access Protocol (LDAP) query; you use these groups only as e-mail distribution lists. The LDAP query is used to build the list of members whenever messages are sent to the group.


Dynamic distribution groups created for Exchange Server 2007 are compatible with Exchange Server 2010. However, dynamic distribution groups created for Exchange Server 2003 or Exchange 2000 Server are not compatible with Exchange Server 2010 and aren't displayed in the Exchange Management Console. You can resolve this by forcing an upgrade.

Security groups can have different scopes (domain local, global, and universal) so that they are valid in different areas of your Active Directory forest. With Exchange Server 2003, you could also create distribution groups with different scopes. To simplify group management, Exchange Server 2007 and Exchange Server 2010 support only groups with universal scope. You can mail-enable security groups with universal scope, and you can create new distribution groups with universal scope.


If your organization has existing mail-enabled security groups or distribution groups with global scope, you will not be able to use those groups with Exchange Server 2007 and later editions of Exchange. You will either need to create a new architecture for your groups or convert those groups to universal groups. Using Active Directory Users And Computers, domain administrators can easily convert global groups to universal groups. They simply need to double-click the group entry, select Universal under Group Scope, and then click OK. However, some conversion restrictions apply. For example, you can convert a global group only if it isn't a member of another global group. In addition, pre-planning is recommended to determine the impact on Active Directory. You also can use Set-Group to convert groups.
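The conversion described above can be checked and scripted. The following is an added example, not part of the original article; it assumes a session that has both the ActiveDirectory module (Windows Server 2008 R2 or later) and the Exchange Management Shell loaded, and it only simulates the change because of -WhatIf.

```powershell
# Added example: find mail-enabled global groups, check the nesting
# restriction, and preview the conversion to universal scope.
Import-Module ActiveDirectory

# Groups that carry a mail attribute and still have global scope are the
# ones Exchange Server 2007 and later cannot use.
$globalGroups = Get-ADGroup -LDAPFilter '(mail=*)' -Properties MemberOf |
    Where-Object { $_.GroupScope -eq 'Global' }

foreach ($group in $globalGroups) {
    # A global group cannot be converted while it is a member of another
    # global group. Parents in other domains cannot be global groups, so
    # lookups that fail for them are safe to skip.
    $blockingParents = @($group.MemberOf |
        ForEach-Object { Get-ADGroup -Identity $_ -ErrorAction SilentlyContinue } |
        Where-Object { $_.GroupScope -eq 'Global' })

    if ($blockingParents.Count -gt 0) {
        $names = ($blockingParents | ForEach-Object { $_.Name }) -join ', '
        Write-Warning "$($group.Name) is a member of global group(s): $names. Resolve that nesting first."
        continue
    }

    # -WhatIf reports what would change without changing it.
    # Remove -WhatIf to perform the conversion.
    Set-Group -Identity $group.DistinguishedName -Universal -WhatIf
}
```

Because a converted group keeps its SID, the permissions already assigned to it are unaffected by the scope change.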

Groups with universal scope can do the following:

  • Contain users and groups from any domain in the forest

  • Be put into other groups and assigned permissions in any domain in the forest

When you work with dynamic distribution groups, keep in mind that the membership can include only members of the local domain, or it can include users and groups from other domains, domain trees, or forests. Scope is determined by the default apply-filter container you associate with the group when you create it. More specifically, the default apply-filter container defines the root of the search hierarchy, and the LDAP query filters recipients in and below the specified container. For example, if the apply-filter container you associate with the group is cpandl.com, the query filter is applied to all recipients in this domain. If the apply-filter container you associate with the group is the Engineering organizational unit, the query filter is applied to all recipients in or below this container.

As with user accounts, Windows uses unique security identifiers (SIDs) to track groups. This means that you can't delete a group, re-create it with the same name, and then expect all the permissions and privileges to remain the same. The new group will have a new SID, and all the permissions and privileges of the old group will be lost.

2. When to Use Security and Standard Distribution Groups

Exchange Server 2007 and Exchange Server 2010 change the earlier rules about how you can use groups. Previously, you could use groups with different scopes, but now you can use only groups with universal scope. As a result, you might need to rethink how and when you use groups.

You must change the scope of any global group to universal before you can mail-enable it. Rather than duplicating your existing security group structure with distribution groups that have the same purpose, you might want to selectively mail-enable your universal security groups, which converts them to distribution groups. For example, if you have a universal security group called Marketing, you don't need to create a MarketingDistList distribution group. Instead, you could enable Exchange mail on the original universal security group, which would then become a distribution group.

You might also want to mail-enable universal security groups that you previously defined. Then, if existing distribution groups serve the same purpose, you can delete the distribution groups.

To reduce the time administrators spend managing groups, Exchange Server 2010 defines several additional control settings, including:

  • Group ownership: Mail-enabled security groups, standard distribution groups, and dynamic distribution groups can have one or more owners. A group's owners are the users assigned as its managers, and they can control membership in the group. A group's managers are listed when users view the properties of the group in Microsoft Office Outlook. Additionally, managers can receive delivery reports for groups if you select the Send Delivery Reports To Group Manager option on the Advanced tab.

  • Membership approval: Mail-enabled security groups and standard distribution groups can have open or closed membership. There are separate settings for joining and leaving a group. For joining, the group can be open to allow users to join without requiring permission, closed to allow only group owners and administrators to add members, or require owner approval to allow users to request membership in a group. Membership requests must be approved by a group owner. For leaving, a group can either be open to allow users to leave a group without requiring owner approval or closed to allow only group owners and administrators to remove members.

Your management tool of choice will determine your options for configuring group ownership and membership approval. When you create distribution groups in the Exchange Control Panel, you can specify ownership and membership approval settings when you create the group and can edit these settings at any time by editing the group's properties. When you create distribution groups in the Exchange Management Console, you create the group first and then edit the group's properties to specify the desired ownership and membership approval settings.
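Ownership and membership approval can also be reviewed and set from the Exchange Management Shell. The following is an added example, not part of the original article; the group name Marketing comes from the text above, while the owner account cpandl\annb is a hypothetical placeholder.

```powershell
# Added example: report owners and join/leave settings for every standard
# distribution group and mail-enabled security group.
$report = Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
    New-Object PSObject -Property @{
        Name   = $_.Name
        Type   = "$($_.RecipientTypeDetails)"
        Owners = ($_.ManagedBy | ForEach-Object { "$_" }) -join '; '
        Join   = "$($_.MemberJoinRestriction)"
        Leave  = "$($_.MemberDepartRestriction)"
    }
}

$report | Sort-Object Type, Name |
    Format-Table Name, Type, Owners, Join, Leave -AutoSize

# Membership in a mail-enabled security group also grants access to every
# resource the group is permitted on, so list any of them whose join
# setting is not Closed, and any group that has no owner at all.
$report | Where-Object {
    ($_.Type -eq 'MailUniversalSecurityGroup' -and $_.Join -ne 'Closed') -or
    ($_.Owners -eq '')
} | Format-Table Name, Type, Owners, Join -AutoSize

# Assign an owner and require owner approval to join, with leaving closed.
# 'cpandl\annb' is a hypothetical account. -WhatIf previews the change;
# remove it to apply.
Set-DistributionGroup -Identity 'Marketing' `
    -ManagedBy 'cpandl\annb' `
    -MemberJoinRestriction ApprovalRequired `
    -MemberDepartRestriction Closed `
    -WhatIf
```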

3. When to Use Dynamic Distribution Groups

It's a fact of life that over time users will move to different departments, leave the company, or accept different responsibilities. With standard distribution groups, you'll spend a lot of time managing group membership when these types of changes occur—and that's where dynamic distribution groups come into the picture. With dynamic distribution groups, there isn't a fixed group membership and you don't have to add or remove users from groups. Instead, group membership is determined by the results of an LDAP query sent to your organization's Global Catalog (or dedicated expansion) server whenever mail is sent to the distribution group.

Dynamic distribution groups can be used with or without a dedicated expansion server. You'll get the most benefit from dynamic distribution without a dedicated expansion server when the member list returned in the results is relatively small (fewer than 25 members). In the case of potentially hundreds or thousands of members, however, dynamic distribution is inefficient and could require a great deal of processing to complete. To resolve this problem, you can shift the processing requirements from the Global Catalog server to a dedicated expansion server (a server whose only task is to expand the LDAP queries). However, it could still take several minutes to resolve and expand large distribution lists.

One other thing to note about dynamic distribution is that you can associate only one specific query with each distribution group. For example, you could create separate groups for each department in the organization. You could have groups called QD-Accounting, QD-BizDev, QD-Engineering, QD-Marketing, QD-Operations, QD-Sales, and QD-Support. You could, in turn, create a standard distribution group or a dynamic distribution group called AllEmployees that contains these groups as members—thereby establishing a distribution group hierarchy.

When using multiple parameters with dynamic distribution, keep in mind that multiple parameters typically work as logical AND operations. For example, if you create a query with one parameter that matches all employees in the state of Washington and another that matches all employees in the Marketing department, the query results do not contain a list of all employees in Washington or all Marketing employees. Rather, the results contain only the recipients who are in Washington and are also in the Marketing department. To get everyone who is in Washington or in Marketing, create a dynamic distribution group for all Washington State employees, another dynamic distribution group for all Marketing employees, and a final group that has the other two distribution groups as members.
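The AND behavior and the nested-group workaround look like this in the Exchange Management Shell. This is an added example, not part of the original article; the group names QD-WA-Marketing, QD-Washington, and WA-or-Marketing are hypothetical, and cpandl.com is the sample domain used earlier on this page.

```powershell
# Added example: AND semantics of combined conditions, the nested-group
# union, and a membership preview for review before the group is used.
$common = @{ RecipientContainer = 'cpandl.com'; IncludedRecipients = 'MailboxUsers' }

# Two conditions on one group are combined with AND: only mailbox users
# who are in Washington and also in the Marketing department match.
New-DynamicDistributionGroup -Name 'QD-WA-Marketing' @common `
    -ConditionalStateOrProvince 'Washington' -ConditionalDepartment 'Marketing'

# One condition per group...
New-DynamicDistributionGroup -Name 'QD-Washington' @common `
    -ConditionalStateOrProvince 'Washington'
New-DynamicDistributionGroup -Name 'QD-Marketing' @common `
    -ConditionalDepartment 'Marketing'

# ...and a standard distribution group that contains both reaches everyone
# who is in Washington or in Marketing.
New-DistributionGroup -Name 'WA-or-Marketing' -Type Distribution
Add-DistributionGroupMember -Identity 'WA-or-Marketing' -Member 'QD-Washington'
Add-DistributionGroupMember -Identity 'WA-or-Marketing' -Member 'QD-Marketing'

# Dynamic membership is only computed when mail is sent, so preview who the
# filter matches right now.
function Get-DynamicGroupPreview($Name) {
    $ddg = Get-DynamicDistributionGroup -Identity $Name
    Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
        -OrganizationalUnit $ddg.RecipientContainer -ResultSize Unlimited
}

foreach ($name in 'QD-WA-Marketing', 'QD-Washington', 'QD-Marketing') {
    $count = @(Get-DynamicGroupPreview $name).Count
    Write-Host "$name currently resolves to $count recipient(s)"
}
```

Running the preview after directory attributes change shows who would receive mail sent to the group, since any recipient whose attributes match the filter becomes a member.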
