When we talk about Active Directory groups, we are usually talking about two kinds of groups: Distribution Groups and Security Groups. Managing distribution lists and security groups is a mission-critical task for just about any IT organization.
Active Directory distribution groups work with your email client to define who is included on group messages, while security groups are used to control access to resources. Those could be hardware, SharePoint sites, applications, folders, or a host of other uses.
Simple so far, right? Distribution groups are for emailing people, and security groups provide access. Black and white. Cut and dried.
Or maybe not… Let’s go through them briefly to understand the types better.
The Two Types of Active Directory Groups
Distribution groups are designed to combine users together so that you can send e-mails (via Microsoft Exchange Server) collectively to a group rather than individually to each user in the group. Active Directory Distribution groups are designed to be used for e-mail specifically and cannot be granted Windows permissions.
Objects in Active Directory that can have permissions granted to them are known as security principals. Users are one example, because a user can be granted rights. Security groups, as discussed below, are also security principals. Distribution groups are not security principals, because rights cannot be granted to a distribution group. Why? Because the Active Directory schema does not give distribution groups this ability.
The terms “distribution groups” and “distribution lists” tend to be used interchangeably, particularly if you work with Microsoft Exchange Server administrators. Don’t let this trip you up!
Used with care, Active Directory Security Groups provide an efficient way to assign access to resources on your network. Using security groups, you can
- Assign User Rights. User rights are assigned to Active Directory security groups to determine what members of that group can do within the scope of a domain (or forest). User rights are automatically assigned to built-in security groups at the time Active Directory is installed to help administrators define a person’s administrative role in the domain.
- Assign Permissions to Resources. Permissions are assigned to security groups in Active Directory for a shared resource. This is different from user rights: user rights apply across an entire domain, whereas permissions are directed at a specific entity. Permissions determine who can access the resource and the level of access, such as Full Control or Read-only. Some permissions on domain objects are automatically assigned to built-in security groups, such as the Account Operators group or the Domain Admins group, to allow various levels of access.
Characteristics of Mail Enabled Security Groups
- Granting access to resources: mail-enabled security groups are used for granting access to resources such as SharePoint and for emailing notifications to users.
- Function the same as security groups: they function the same as regular security groups, except that they cannot be dynamically managed through Azure Active Directory and cannot contain devices.
- Ability to send mail: they include the ability to send mail to all the members of the group.
- Can be added to a team: mail-enabled security groups can be added to a team.
But there are risks here too!
As each user object accumulates more and more group SIDs, logon performance degrades because of token bloat. Logins become slower, and at more than 1015 group SIDs in the token the user will be unable to log in at all.
Of course, this makes it even more important that you have some sort of lifecycle on your security groups. Pretty much any security group should be monitored to make sure that the resource it protects still exists and the membership is current, but it becomes even more critical if every group is a security group!
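To put the group-type distinction above and the token-bloat and lifecycle concerns into practice, here is an added PowerShell example (not code from the original post or from GroupID). It assumes the RSAT ActiveDirectory module on a domain-joined host, and the 900-SID warning threshold is an assumed value chosen for this example; the 1015 limit is the one stated above.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT) and a domain-joined session with read access to AD.
Import-Module ActiveDirectory

$TokenLimit = 1015   # hard limit cited in the post
$WarnAt     = 900    # assumed warning threshold for this example

# 1. Classify every group. GroupCategory reflects the security-enabled bit
#    (0x80000000) of groupType; a set 'mail' attribute means mail-enabled.
$groups = Get-ADGroup -Filter * -Properties mail, groupType, whenChanged, Members |
    ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            Category    = $_.GroupCategory          # Security or Distribution
            Scope       = $_.GroupScope
            MailEnabled = [bool]$_.mail
            MemberCount = @($_.Members).Count
            LastChanged = $_.whenChanged
        }
    }

# Mail-enabled security groups both grant access and receive mail: review first.
$mailSec  = $groups | Where-Object { $_.Category -eq 'Security' -and $_.MailEnabled }
# Empty security groups are lifecycle candidates (the resource may be gone).
$emptySec = $groups | Where-Object { $_.Category -eq 'Security' -and $_.MemberCount -eq 0 }

"Security: {0}  Distribution: {1}  Mail-enabled security: {2}  Empty security: {3}" -f `
    @($groups | Where-Object Category -eq 'Security').Count,
    @($groups | Where-Object Category -eq 'Distribution').Count,
    @($mailSec).Count, @($emptySec).Count

# 2. Token bloat check. tokenGroups is a constructed attribute listing every
#    group SID (direct and nested) that lands in the user's access token, so it
#    is read per user with a base lookup rather than through -Filter.
$bloat = Get-ADUser -Filter 'Enabled -eq $true' |
    ForEach-Object {
        $sids = @((Get-ADUser -Identity $_ -Properties tokenGroups).tokenGroups).Count
        if ($sids -ge $WarnAt) {
            [pscustomobject]@{
                User      = $_.SamAccountName
                TokenSids = $sids
                OverLimit = ($sids -gt $TokenLimit)   # cannot log on when true
            }
        }
    }

$bloat | Sort-Object TokenSids -Descending | Format-Table -AutoSize
```

Users flagged with OverLimit are the ones the post describes as unable to log in; those between the warning threshold and the limit are where membership clean-up should start.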
So, what is right for you? Carefully monitored security groups, or a mix of distribution and security groups?
All-in-One Security Solution
When Active Directory Groups becomes too significant a burden to bear, it’s time to upgrade your life with GroupID. Join companies like Disney, Nike, Splunk, Hershey’s, FedEx, American Red Cross, The Federal Reserve, Cedar Sinai Hospital, and the Center for Autism, who all rely on GroupID to keep their systems up to date and secure. Get started with GroupID today with a Free Trial, and see how much more you could be doing with your Active Directory Groups while improving productivity.