
I recently had a conversation with a customer who said that he doesn't allow mail-enabled Active Directory security groups. Another customer in the same meeting said that he wished he could disable that ability. Two proof points that Active Directory administrators do not want to mail-enable security groups. Unfortunately, we were discussing something else, and that was just a side conversation that I was never able to explore further. It left me wondering: why not?

I can think of plenty of reasons why you would want to mail-enable Active Directory security groups.

  • You are using a security group to give permission to a specific printer and it's broken…the best way to tell the users of that printer is to email everyone who has permission to use it.
  • You are giving access to a particular folder to members of a project team with a security group…if you want to email everyone on that team with information on what goes in that folder, it's easy: you email the security group.
  • If you own a SharePoint resource, are managing access with a security group, and want everyone to know about the great changes you have made to that resource…hey, email the mail-enabled security group!
  • In short, any time you are controlling access to a system, folder, file, etc. and you need to communicate about that access, it's easy to do.

Yet I cannot think of any reason why you wouldn't want to mail-enable it. One group is always better than two. Heck, Imanami is in the business of controlling group glut; why would anyone want to encourage it?

But there is one technical limitation, which I believe started with Exchange 2007: only Universal security groups can be mail-enabled. The reason is mail that got lost with incorrectly scoped groups. Whenever Exchange 2000/2003 received a message sent to a mail-enabled group, it queried a global catalog to expand the group's membership. But a global catalog only carries the full membership of universal groups; the membership of global and domain local groups lives only on the domain controllers of the group's own domain. So when the group had been created in another domain, the global catalog could not supply the member list, and the message sat stuck in the Categorizer. Requiring a universal group removes that failure mode.

But Microsoft's group-scoping guidance recommends global security groups for collecting users (and domain local groups for granting permissions on resources), with universal groups used sparingly, because their membership is replicated to every global catalog in the forest. So to mail-enable that security group you are going outside of recommended practice by making it a universal group.
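To see what that trade-off looks like in practice, here is an added PowerShell example (not code from this post or from Imanami) that audits a list of security groups you would like to mail-enable, widens the scope of any that are not yet Universal, and then mail-enables them with the Exchange cmdlet. It assumes the ActiveDirectory module and an Exchange Management Shell session (Exchange 2007 or later); the group names are hypothetical. It is a dry run unless you pass -Commit.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and an Exchange Management Shell (2007+) session. Group names are hypothetical.
param([switch]$Commit)

Import-Module ActiveDirectory

# Hypothetical security groups that also need to be reachable by email.
$candidates = @('PRN-Floor3-Users', 'PRJ-Apollo-Share', 'SP-Finance-Owners')

foreach ($name in $candidates) {
    $g = Get-ADGroup -Identity $name -Properties mail, memberOf

    if ($g.GroupCategory -ne 'Security') {
        Write-Warning "$name is a distribution group, not a security group; skipping"
        continue
    }
    if ($g.mail) {
        Write-Output "$name is already mail-enabled as $($g.mail)"
        continue
    }

    if ($g.GroupScope -ne 'Universal') {
        # Exchange 2007+ only mail-enables universal groups, so the scope must change
        # first. AD refuses Global -> Universal while the group is nested in another
        # global group, and DomainLocal -> Universal while the group still contains a
        # domain local group, so check for both before converting.
        $globalParents = @($g.memberOf |
            ForEach-Object { Get-ADGroup -Identity $_ } |
            Where-Object { $_.GroupScope -eq 'Global' })

        $domainLocalMembers = @(Get-ADGroupMember -Identity $g |
            Where-Object { $_.objectClass -eq 'group' } |
            ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName } |
            Where-Object { $_.GroupScope -eq 'DomainLocal' })

        if ($g.GroupScope -eq 'Global' -and $globalParents.Count -gt 0) {
            Write-Warning ("{0} is nested in global group(s) {1}; remove it from those first" -f
                $name, ($globalParents.Name -join ', '))
            continue
        }
        if ($g.GroupScope -eq 'DomainLocal' -and $domainLocalMembers.Count -gt 0) {
            Write-Warning ("{0} contains domain local group(s) {1}; remove those first" -f
                $name, ($domainLocalMembers.Name -join ', '))
            continue
        }

        Write-Output "$name`: $($g.GroupScope) -> Universal"
        if ($Commit) { Set-ADGroup -Identity $g -GroupScope Universal }
    }

    Write-Output "$name`: mail-enabling"
    if ($Commit) { Enable-DistributionGroup -Identity $g.DistinguishedName }
}
```

Run it once without -Commit to see which groups are blocked by nesting rules; those are exactly the groups where the AGDLP design and the Exchange requirement collide. When you do commit, the scope change has to replicate to the domain controller Exchange is talking to before Enable-DistributionGroup will accept the group, so in a multi-domain forest point both cmdlets at the same DC (Set-ADGroup -Server and Enable-DistributionGroup -DomainController) or allow for replication between the two steps.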

That is the only reason I can think of not to mail-enable a security group, and the business uses would appear to outweigh the technical limitations to me. What am I missing? The two customers referenced above have MASSIVE infrastructures, so maybe for them keeping groups scoped correctly is simply more important than letting users email a security group, but there has to be more, right?


4 Comments
james
11 years ago

I'm interested in what people come up with here as well. It's not a clear-cut case, but one thing to consider is that you may need distribution lists that are NOT security groups even if there are things for which a security group already exists. Distribution lists may need to be broader than just a particular security group (though perhaps you could always just add your mail-enabled security group(s) plus any individuals to an additional distribution list then?). However, oftentimes companies want some members to have direct management of distribution lists, and obviously that's not a good… Read more »

Phillip Lyle
11 years ago

Hi Ed, a couple of corrections and comments on your article:
  • Microsoft requires Universal Distribution groups, not Security groups, in Exchange 2007. Security groups are still optional.
  • You can only assign permissions across domains with a trust, and once the trust exists, you can use any group scope (Global, Domain Local, and Universal) in your design.
My thoughts on the matter: Universal security group usage in the Windows 2000 era resulted in higher replication costs, as every time group membership changed, the entire list was replicated to every global catalog in the forest. Imagine a group with thousands of… Read more »

brian
11 years ago

I have run into this exact thing. We have scientific instruments whose access is limited by group membership. If the staff that support the instrument want to communicate with the users, they can email the security group. However, we have had to make these all universal groups (we have a forest with 5 trees) because of the very issue you mentioned about not being able to enumerate the membership of security groups that are not universal.

web archive
10 years ago

If you use a universal security group to give "full access permissions" in the console, and you also want the group to be able to "send on behalf of" (not "send as"), then you would still need to add them as a "Delegate" in Outlook under Tools > Options > Delegates. The problem then arises that you can't add a group as a delegate unless it is a mail-enabled group. So that's another reason for doing that. (This is regarding Exchange 2007.)