I recently had a conversation with a customer who said that he doesn't allow mail-enabled Active Directory security groups. Another customer in the same meeting said that he wished he could disable that ability. Two proof points that Active Directory administrators do not want to mail-enable security groups. Unfortunately, we were discussing something else and that was just a side conversation that I was never able to explore further. And it left me wondering: why not?
I can think of plenty of reasons why you would want to mail-enable Active Directory security groups.
- You are using a security group to grant permission to a specific printer and that printer is broken. The best way to tell the users of that printer is to email everyone who has permission to use it.
- You are giving members of a project team access to a particular folder with a security group. If you want to email everyone on that team with information on what goes in that folder, it's easy: you email the security group.
- You own a SharePoint resource, manage access to it with a security group, and want everyone to know about the great changes you have made to that resource. Email the mail-enabled security group!
- In short, any time you are controlling access to a system, folder, file, etc. and you need to communicate with the people who have that access, the group you already maintain is the right audience.
Yet I cannot think of any reason why you wouldn't want to mail-enable it. One group is always better than two: a security group plus a parallel distribution list with the same membership is two objects to keep in sync. Heck, Imanami is in the business of controlling group glut; why would anyone want to encourage it?
But there is one technical limitation that started with Exchange 2007: only universal security groups can be mail-enabled. The reason is membership expansion. When Exchange 2000/2003 received a message addressed to a mail-enabled group, the categorizer queried a global catalog to expand the group into its members. A global catalog only holds a partial replica of objects from other domains, and the member attribute of global and domain local groups is not part of that partial set; only universal group membership is replicated to every global catalog. So a message to a global or domain local group created in another domain could get stuck in the categorizer because the global catalog could not supply the member list. Requiring universal scope removes that failure mode.
But Microsoft's guidance is to collect users in global security groups and reserve universal groups for cross-domain cases, because universal group membership is replicated to every global catalog in the forest and changes to it cost replication traffic. So to mail-enable that security group you are stepping outside recommended practice by converting it to a universal group.
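Here is what that conversion looks like in practice. This is an added example, not code from the original post or from Imanami; it assumes the ActiveDirectory module (RSAT) and the Exchange Management Shell are both loaded in the same session, and the group name and alias used at the end are made up for illustration. Exchange 2007 and later refuse to mail-enable anything but a universal group, and Active Directory itself refuses two of the scope conversions (a global group that is nested in another global group, and a domain local group that contains another domain local group), so the function checks for both before touching the group.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module and the Exchange Management Shell are loaded; the group name and
# alias at the bottom are hypothetical.
Import-Module ActiveDirectory

function Enable-MailOnSecurityGroup {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$Alias
    )

    # Pin every call to one domain controller so Exchange sees the scope
    # change immediately instead of waiting for AD replication.
    $dc = (Get-ADDomainController).HostName

    $group = Get-ADGroup -Identity $Name -Server $dc -Properties member, memberOf

    if ($group.GroupCategory -ne 'Security') {
        throw "$Name is already a distribution group, nothing to do"
    }

    switch ($group.GroupScope) {
        'Universal' {
            # Already in the only scope Exchange 2007+ will mail-enable.
        }
        'Global' {
            # AD blocks Global -> Universal while the group is a member of
            # another Global group, so find those parents first.
            $globalParents = @($group.memberOf |
                ForEach-Object { Get-ADGroup -Identity $_ -Server $dc } |
                Where-Object { $_.GroupScope -eq 'Global' })
            if ($globalParents.Count -gt 0) {
                throw "$Name is nested in Global group(s): $($globalParents.Name -join ', '). Remove it from them before converting."
            }
            Set-ADGroup -Identity $group -GroupScope Universal -Server $dc
        }
        'DomainLocal' {
            # AD blocks DomainLocal -> Universal while the group contains
            # another DomainLocal group, so look for nested groups of that scope.
            $dlMembers = @($group.member |
                Where-Object { (Get-ADObject -Identity $_ -Server $dc).ObjectClass -eq 'group' } |
                ForEach-Object { Get-ADGroup -Identity $_ -Server $dc } |
                Where-Object { $_.GroupScope -eq 'DomainLocal' })
            if ($dlMembers.Count -gt 0) {
                throw "$Name contains DomainLocal group(s): $($dlMembers.Name -join ', '). Remove them before converting."
            }
            Set-ADGroup -Identity $group -GroupScope Universal -Server $dc
        }
    }

    # Now the group is Universal, so Exchange will accept it. This stamps
    # proxyAddresses/mail on the existing security group; no second object
    # is created, which is the whole point of mail-enabling it.
    Enable-DistributionGroup -Identity $group.DistinguishedName -Alias $Alias -DomainController $dc
}

# Hypothetical printer-access group used only to show the call.
Enable-MailOnSecurityGroup -Name 'PRN-Floor3-Color' -Alias 'prn-floor3-color'
```

Run it with `-WhatIf` appended to the `Set-ADGroup` and `Enable-DistributionGroup` lines first if you want to see what would change. The scope conversion is the step administrators who care about AGDLP will object to: once the group is universal, every later membership change is replicated to every global catalog in the forest, which is exactly the cost the recommended-practice guidance is trying to avoid.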
That is the only reason I can think of not to mail-enable a security group, and the business uses would appear to outweigh the technical limitation to me. What am I missing? The two customers referenced above have massive infrastructures, so maybe keeping their groups scoped correctly really is more important to them than letting users email a security group, but there has to be more, right?