Microsoft Exchange Server 2007 Administrators Pocket Consultant Second Edition
Distribution groups and address lists are extremely important in Microsoft Exchange Server 2007 administration. Careful planning of your organization's groups and address lists can save you countless hours in the long run. Unfortunately, most administrators don't have a solid understanding of these subjects, and the few who do spend most of their time on other duties. To save yourself time and frustration, study the concepts discussed in this chapter, and then use the step-by-step procedures to implement the groups and lists for your organization.
Using Security and Distribution Groups
You use groups to grant permissions to similar types of users, to simplify account administration, and to make it easier to contact multiple users. For example, you can send a message addressed to a group, and the message will go to all the users in that group. Thus, instead of having to enter 20 different e-mail addresses in the message header, you enter one e-mail address for all of the group members.
Group Types, Scope, and Identifiers
Microsoft Windows defines several different types of groups, and each of these groups can have a unique scope. In Active Directory domains, you use three group types:
- Security groups, which you use to control access to network resources. You can also use user-defined security groups to distribute e-mail.
- Standard distribution groups, which have fixed membership and which you use only as e-mail distribution lists. You can't use them to control access to network resources.
- Dynamic distribution groups, whose membership is determined by a Lightweight Directory Access Protocol (LDAP) query and which you use only as e-mail distribution lists. The LDAP query is used to build the list of members whenever messages are sent to the group.
Note: Dynamic distribution groups created for Exchange Server 2003 or Exchange 2000 Server are not compatible with Exchange Server 2007 and aren't displayed in Exchange Management Console. You can resolve this by forcing an upgrade. See "Modifying Dynamic Distribution Groups Using Cmdlets" in this chapter for details.
Security groups can have different scopes (domain local, built-in local, global, and universal) so that they are valid in different areas of your Active Directory forest. Previously, you could also create distribution groups with different scopes. To simplify group management, Exchange Server 2007 supports only groups with universal scope. You can mail-enable security groups with universal scope, and you can create new distribution groups with universal scope.
Real World: If your organization has existing mail-enabled security groups or distribution groups with global scope, you will not be able to use those groups with Exchange Server 2007. You will either need to create a new architecture for your groups or convert those groups to universal groups. Using Active Directory Users And Computers, domain administrators can easily convert global groups to universal groups. They simply need to double-click the group entry, select Universal under Group Scope, and then click OK. However, some conversion restrictions apply. For example, you can convert a global group only if it isn't a member of another global group. In addition, pre-planning is recommended to determine the impact on Active Directory.
Groups with universal scope:
- Can contain user accounts from any domain in the forest as well as other groups from any domain in the forest.
- Can be put into other groups and assigned permissions in any domain in the forest.
When you work with dynamic distribution groups, keep in mind that the membership can include only members of the local domain, or it can include users and groups from other domains, domain trees, or forests. Scope is determined by the default apply-filter container you associate with the group when you create it. More specifically, the default apply-filter container defines the root of the search hierarchy, and the LDAP query is applied to recipients in and below the specified container. For example, if the apply-filter container you associate with the group is the domain cpandl.com, the query filter is applied to all recipients in this domain. If the apply-filter container you associate with the group is the Engineering organizational unit, the query filter is applied to all recipients in or below this container.
As with user accounts, Windows uses unique security identifiers (SIDs) to track groups. This means that you can't delete a group, re-create it, and then expect all the permissions and privileges to remain the same. The new group will have a new SID, and all the permissions and privileges of the old group will be lost.
When to Use Security and Standard Distribution Groups
Exchange Server 2007 changes the rules about how you can use groups. Previously, you could use groups with different scopes, but now you can only use groups with universal scope. As a result, you might need to rethink how and when you use groups.
You must change the scope of any global group to universal before you can mail-enable it. Rather than duplicating your existing security group structure with distribution groups that have the same purpose, you might want to selectively mail-enable your universal security groups. For example, if you have a universal security group called Marketing, you don't need to create a MarketingDistList distribution group. Instead, you could enable Exchange mail on the original universal security group.
You can mail-enable built-in and predefined universal groups as well. Some of the groups you might want to consider mail-enabling include the following:
- Enterprise Admins
- Exchange Organization Administrators
- Exchange Recipient Administrators
- Exchange View-Only Administrators
- Schema Admins
You might also want to mail-enable universal security groups that you previously defined. Then, if existing distribution groups serve the same purpose, you can delete the distribution groups.
When to Use Dynamic Distribution Groups
It's a fact of life that over time users will move to different departments, leave the company, or accept different responsibilities. With standard distribution groups, you'll spend a lot of time managing group membership when these types of changes occur, and that's where dynamic distribution groups come into the picture. With dynamic distribution groups, there isn't a fixed group membership, and you don't have to add or remove users from groups. Instead, group membership is determined by the results of an LDAP query sent to your organization's Global Catalog (or dedicated expansion) server whenever mail is sent to the distribution group.
Dynamic distribution groups can be used with or without a dedicated expansion server. You'll get the most benefit from dynamic distribution without a dedicated expansion server when the member list returned in the results is relatively small (fewer than 25 members). If there are potentially hundreds or thousands of members, however, dynamic distribution is inefficient and could require a great deal of processing to complete. To resolve this problem, you can shift the processing requirements from the Global Catalog server to a dedicated expansion server (a server whose only task is to expand the LDAP queries). However, it could still take several minutes to resolve and expand large distribution lists. For more information on expansion servers, see "Designating an Expansion Server" and "Modifying Dynamic Distribution Groups Using Cmdlets" in this chapter.
One other thing to note about dynamic distribution is that you can associate only one specific query with each distribution group. For example, you could create separate groups for each department in the organization. You could have groups called QD-Accounting, QD-BizDev, QD-Engineering, QD-Marketing, QD-Operations, QD-Sales, and QD-Support. You could, in turn, create a standard distribution group or a dynamic distribution group called AllEmployees that contains these groups as members, thereby establishing a distribution group hierarchy.
When using multiple parameters with dynamic distribution, keep in mind that multiple parameters typically work as logical AND operations. For example, if you create a query with a parameter that matches all employees in the state of Washington with all employees in the Marketing department, the query results will not contain a list of all employees in Washington and all Marketing employees. Rather, the results will contain a list only of recipients who both are in Washington and are members of the Marketing group. In this case, you get the expected results by creating a dynamic distribution group for all Washington state employees, another dynamic distribution group for all Marketing employees, and a final group that has as members the other two distribution groups.
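The following Exchange Management Shell commands are an added example, not from the book, showing the AND behavior of multiple conditions, the scoping by apply-filter container, and the group hierarchy used to get a union of two queries. The domain cpandl.com, the organizational unit, the group names, and the hub server name EXHUB01 are assumptions.

```powershell
# Added example (not from the book). Exchange Server 2007 Management Shell.
# Assumed: domain cpandl.com, OU "cpandl.com/Users", server "EXHUB01".

# 1. Two conditions on one dynamic group are ANDed: this group expands only
#    to mailbox users who are in Marketing AND located in Washington.
#    -RecipientContainer is the apply-filter container (root of the search).
New-DynamicDistributionGroup -Name "QD-Marketing-WA" `
    -OrganizationalUnit "cpandl.com/Users" `
    -RecipientContainer "cpandl.com" `
    -IncludedRecipients MailboxUsers `
    -ConditionalDepartment "Marketing" `
    -ConditionalStateOrProvince "Washington"

# 2. To reach "Washington OR Marketing", create one dynamic group per
#    condition ...
New-DynamicDistributionGroup -Name "QD-Washington" `
    -OrganizationalUnit "cpandl.com/Users" `
    -RecipientContainer "cpandl.com" `
    -IncludedRecipients MailboxUsers `
    -ConditionalStateOrProvince "Washington"

New-DynamicDistributionGroup -Name "QD-Marketing" `
    -OrganizationalUnit "cpandl.com/Users" `
    -RecipientContainer "cpandl.com" `
    -IncludedRecipients MailboxUsers `
    -ConditionalDepartment "Marketing"

#    ... and a standard (universal) distribution group whose members are the
#    two dynamic groups. Mail sent to it reaches the union of both result sets.
New-DistributionGroup -Name "WashingtonOrMarketing" -Type Distribution `
    -OrganizationalUnit "cpandl.com/Users" -SamAccountName "WashingtonOrMarketing"
Add-DistributionGroupMember -Identity "WashingtonOrMarketing" -Member "QD-Washington"
Add-DistributionGroupMember -Identity "WashingtonOrMarketing" -Member "QD-Marketing"

# 3. Verify before relying on the groups: re-run each stored filter from its
#    apply-filter container and count the recipients it would expand to.
foreach ($name in "QD-Marketing-WA", "QD-Washington", "QD-Marketing") {
    $ddg = Get-DynamicDistributionGroup -Identity $name
    $count = (Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
              -OrganizationalUnit $ddg.RecipientContainer | Measure-Object).Count
    Write-Host ("{0}: {1} recipient(s)" -f $name, $count)
}

# 4. If a query returns hundreds of members, move expansion off the Global
#    Catalog onto a dedicated expansion server (server name assumed).
Set-DynamicDistributionGroup -Identity "QD-Washington" -ExpansionServer "EXHUB01"
```

The preview in step 3 is the quickest way to confirm that the AND'ed group is narrower than either single-condition group before users start sending to it.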