When we talk about Active Directory groups, we are usually talking about two kinds of groups: Distribution Groups and Security Groups. Managing distribution lists and security groups is a mission-critical task for just about any IT organization.
Active Directory distribution groups work with your email client to define who is included on group messages, while security groups are used to control access to resources. Those could be hardware, SharePoint sites, applications, folders, or a host of other uses.
Simple so far, right? Distribution groups are for emailing people, and security groups provide access. Black and white. Cut and dried.
Or maybe not… Let’s go through them briefly to understand the types better.
The Two Types of Active Directory Groups
Distribution groups are designed to combine users together so that you can send e-mails (via Microsoft Exchange Server) collectively to a group rather than individually to each user in the group. Active Directory Distribution groups are designed to be used for e-mail specifically and cannot be granted Windows permissions.
Objects in Active Directory that can have permissions granted to them are known as security principals. Users, for example, are security principals because a user can be granted rights. Security groups, as discussed below, are also security principals. Distribution groups are not security principals, because rights cannot be granted to a distribution group. Why? Because the Active Directory schema does not give distribution groups this ability.
The terms “distribution groups” and “distribution lists” tend to be used interchangeably, particularly if you work with Microsoft Exchange Server administrators. Don’t let this trip you up!
Used with care, Security Groups provide an efficient way to assign access to resources on your network. Using security groups, you can
- Assign user rights. User rights are assigned to security groups to determine what members of that group can do within the scope of a domain (or forest). User rights are automatically assigned to built-in security groups at the time Active Directory is installed to help administrators define a person’s administrative role in the domain.
- Assign permissions to resources. Permissions are assigned to the security group for a shared resource. This is different from user rights: user rights apply across an entire domain, whereas permissions are directed at a specific entity. Permissions determine who can access the resource and the level of access, such as Full Control or Read-only. Some permissions on domain objects are assigned automatically to built-in security groups, such as the Account Operators group or the Domain Admins group, to allow them various levels of access.
So, what are mail-enabled Security Groups?
Security groups can be mail enabled, and there are plenty of good reasons to do it. You can use mail-enabled security groups to distribute messages as well as grant access permissions to resources in Exchange and Active Directory. That way, if there is new information in the folder the security group is securing, everyone can be notified by email. Or, if there is an issue with a printer, everyone who has access to the printer (a security group) can be sent an email to let them know what’s going on.
We have at least one client who doesn’t have any distribution groups. They make every group a security group, and mail enable it. For them, it eliminated several duplicate groups.
But there are risks here too!
As you know, as each user object collects more and more SIDs, it is going to experience decreased performance due to token bloat. Logins will be slower, and at more than 1015 group SIDs in the token, the user will be unable to log in entirely.
Of course, this makes it even more important that you have some sort of lifecycle on your security groups. Pretty much any security group should be monitored to make sure that the resource it protects still exists and the membership is current, but it becomes even more critical if every group is a security group!
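As an added example (not code from the original post or from GroupID), the following PowerShell script puts both points above into a check you can schedule: it counts the group SIDs in each enabled user's token against the 1015 limit, and it lists mail-enabled security groups that have no members or no owner, which is where a lifecycle review should start. It assumes the RSAT ActiveDirectory module on a domain-joined host; the 800 warning threshold is an assumed value to tune for your environment.

```powershell
# Added example, not part of the original post. Assumes RSAT ActiveDirectory
# module on a domain-joined host. $WarnAt is an assumed threshold.
Import-Module ActiveDirectory

$HardLimit = 1015   # max group SIDs (SID history counts too) before logon fails
$WarnAt    = 800    # assumed warning threshold; tune for your environment

function Get-TokenGroupCount {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # tokenGroups is a constructed attribute that is only returned on a
    # base-scope read, so refresh it explicitly via ADSI instead of relying
    # on -Filter searches. It already resolves nested (transitive) membership.
    $entry = [ADSI]("LDAP://" + $DistinguishedName)
    $entry.RefreshCache(@('tokenGroups'))
    return $entry.Properties['tokenGroups'].Count
}

# 1. Users approaching the token limit
$report = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -Properties sIDHistory) {
    $count = Get-TokenGroupCount -DistinguishedName $u.DistinguishedName
    [pscustomobject]@{
        User       = $u.SamAccountName
        GroupSIDs  = $count
        SIDHistory = @($u.sIDHistory).Count
        Status     = if ($count -ge $HardLimit) { 'LOGON WILL FAIL' }
                     elseif ($count -ge $WarnAt) { 'WARN' } else { 'OK' }
    }
}
$report | Where-Object Status -ne 'OK' |
    Sort-Object GroupSIDs -Descending | Format-Table -AutoSize

# 2. Lifecycle check: mail-enabled security groups with no members or no owner.
#    groupType bit 0x80000000 (2147483648) marks a security-enabled group;
#    1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$mailEnabledSec = Get-ADGroup `
    -LDAPFilter '(&(groupType:1.2.840.113556.1.4.803:=2147483648)(mail=*))' `
    -Properties mail, member, managedBy, whenChanged

$mailEnabledSec |
    Where-Object { $_.member.Count -eq 0 -or -not $_.managedBy } |
    Select-Object Name, mail, @{n='Members'; e={ $_.member.Count }}, managedBy, whenChanged |
    Sort-Object whenChanged | Format-Table -AutoSize
```

Run it with an account that can read user objects and group membership; in large domains, scope the Get-ADUser call with -SearchBase rather than walking the whole directory in one pass.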
So, what is right for you? Carefully monitored security groups, or a mix of distribution and security groups?
All-in-One Security Solution
When Active Directory becomes too significant a burden to bear, it’s time to upgrade your life with GroupID. Join companies like Disney, Nike, Splunk, Hershey’s, FedEx, American Red Cross, The Federal Reserve, Cedar Sinai Hospital, and the Center for Autism, who all rely on GroupID to keep their systems up to date and secure. Get started with GroupID today with a Free Trial, and see how much more you could be doing with your Active Directory Groups while improving productivity.