Windows servers use groups to control access to security objects such as NTFS files and folders, registry keys, and Active Directory objects. Exchange 2003 uses groups to control access to public folders and user mailboxes as well as to act as distribution lists.
For example, Figure 5.1 shows how you can put a Security group called Engineering on the permission list for a public folder so that only members of the Engineering group can read or contribute to the folder.
You are reading tip #1 from "15 tips in 15 minutes: Managing recipients and distribution lists," excerpted from Chapter 5 of the book Learning Exchange Server 2003, published by Addison-Wesley Professional.
You can also use Security groups to control access to an individual user's private mailbox. For example, if the Forensics team wants access to the mailbox of an employee under suspicion of industrial espionage, you could create a Security group called Forensics and put that group on the permission list for the user's mailbox without the user's knowledge.
You can use Security groups to delegate administrative roles for your entire Exchange organization or for individual Administrative Groups.
Issues with mail-enabled Security groups
At first, using Security groups both to protect Exchange resources and to support email distribution doesn't appear to present any difficulties. But the devil lies in the details, as they say, and if you don't plan your group management correctly, both your users and your Windows system administrator colleagues down the hall might not like the results.
Most Windows administrators consider the ability to create Security groups in Active Directory something of a special privilege, and they tightly control that privilege, granting it only to administrators who agree to abide by a strict set of business practices or risk getting shamed at a Monday meeting.
"After all," reason the Windows administrators, "we spent a lot of time and sat down at a lot of meetings to come up with a strategy for naming and nesting groups that meets all of our users' business requirements with the fewest groups possible. We don't want outsiders coming in and messing things up."
The outsiders, in this case, include email users who have an entirely different set of business practices, not to mention their own personal eccentricities, which affect their attitude towards distribution lists. Email users have a love affair with distribution lists. They want lots of them, and they want to give them all sorts of names to please executives, managers, clients, vendors, government regulators, secret agents, and just about anybody else who interacts with the messaging system in any capacity whatsoever.
And if they want a new distribution list, they want it now. Not tomorrow. Not by the end of the day. Not in response to filling out an online work order. NOW!
Because an Exchange distribution list is really an Active Directory group, and the Windows administrators don't want to see groups created willy-nilly, you might find yourself at something of an impasse. Statesmanship demands a compromise. You need a group that can act as a distribution list but cannot reside on an Access Control List, where it could cause problems for Windows administrators. You need a Distribution group. If you can get IT management and the users' managers to agree on a naming scheme, then life gets simple in this area.
Distribution group advantages
Distribution groups have their limits, but those limits become their strength. Windows administrators might not care about groups that can't end up on file and printer ACLs, so they can loosen the reins a bit on who can create them or modify their membership.
For example, you might want junior Exchange administrators or even department gurus to create Distribution groups, with the understanding that group names such as "Executives I Loathe" had better not show up in the Global Address List (GAL). You could even grant permission to Help Desk technicians to modify the membership of Distribution groups in response to a phone call from designated users, something you would not ordinarily want to do with Security groups.
Watch out for automatic promotions
Your idyllic compromise to permit Exchange administrators to create Distribution groups using a different set of business practices and standards than the Windows administrators use for Security groups could get you into trouble if you don't watch out for a feature in Exchange 2003.
ESM and Outlook permit you to place a Distribution group on the permission list for a public folder or a user's mailbox, as shown in Figure 5.2.
If you take advantage of this capability, the Exchange Information Store notices that the group appears on a permission list and automatically promotes the Distribution group to a Security group.
Once the group becomes a Security group, it begins to appear in the Select Users and Groups control used to add security principals to Access Control Lists in Windows. Very soon after that occurs, your phone rings. It's the manager of the Windows administration team calling you to a meeting to discuss why you have violated your agreement not to create Security groups. Personally, I'd rather lock the senior representatives of the national Republican and Democratic parties in a cage for a six-hour, no-holds-barred policy fight over gun control than be present at that meeting.
To avoid those situations, it's important that you make anyone with Author permissions on a public folder aware of the security group promotion feature and urge them to be absolutely sure that they only add Security groups onto a permission list.
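Education only goes so far, so it helps to have a check that catches a promotion before the Windows team does. Whether a group is a Security or a Distribution group is recorded in its groupType attribute: the 0x80000000 bit (ADS_GROUP_TYPE_SECURITY_ENABLED) is set for Security groups and clear for Distribution groups, and the low bits give the scope. The script below is an added example, not code from the book: it parses an LDIF export of the OU that holds your Distribution groups (ldifde -f can produce one) and reports any group there that has become security-enabled. The OU name, group names and LDIF records are constructed for the illustration.

```python
"""Audit an LDIF export for Distribution groups that Exchange has promoted
to Security groups. Added example, not from the book; the OU, group names
and records below are constructed."""

# groupType bit flags as Active Directory defines them
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY = 0x80000000  # set: Security group; clear: Distribution group

# Assumed OU that collects Distribution groups (the layout of Figure 5.3).
DISTRIBUTION_OU = "OU=Distribution Groups,DC=company,DC=com"

# Constructed LDIF export for the example; not real directory data.
# AD stores groupType as a signed 32-bit integer, so Security groups
# appear as negative numbers (e.g. -2147483640 = 0x80000008).
SAMPLE_LDIF = """\
dn: CN=Engineering,OU=Security Groups,DC=company,DC=com
groupType: -2147483646
mail: engineering@company.com

dn: CN=All Sales,OU=Distribution Groups,DC=company,DC=com
groupType: 8
mail: allsales@company.com

dn: CN=Project Phoenix,OU=Distribution Groups,DC=company,DC=com
groupType: -2147483640
mail: phoenix@company.com

dn: CN=Help Desk Announcements,OU=Distribution Groups,DC=company,DC=com
groupType: 2
"""


def parse_ldif(text):
    """Parse simple 'attr: value' LDIF records separated by blank lines.
    Attribute names are lower-cased; base64 ('::') values are not handled."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            rec.setdefault(attr.strip().lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records


def classify(group_type):
    """Return (kind, scope) for a groupType value as AD stores it (signed)."""
    flags = group_type & 0xFFFFFFFF  # reinterpret the signed value as a bit mask
    kind = "Security" if flags & GROUP_TYPE_SECURITY else "Distribution"
    if flags & GROUP_TYPE_GLOBAL:
        scope = "Global"
    elif flags & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "Domain Local"
    elif flags & GROUP_TYPE_UNIVERSAL:
        scope = "Universal"
    else:
        scope = "Unknown"
    return kind, scope


def in_ou(dn, ou_dn):
    """True if dn sits directly under ou_dn (no escaped commas in RDNs assumed)."""
    parent = dn.split(",", 1)[1] if "," in dn else ""
    return parent.strip().lower() == ou_dn.lower()


def find_promoted_groups(ldif_text, distribution_ou=DISTRIBUTION_OU):
    """Return DNs of groups in the Distribution OU whose groupType says Security."""
    promoted = []
    for rec in parse_ldif(ldif_text):
        dn = rec.get("dn", [""])[0]
        if "grouptype" not in rec or not in_ou(dn, distribution_ou):
            continue
        kind, _scope = classify(int(rec["grouptype"][0]))
        if kind == "Security":
            promoted.append(dn)
    return promoted


if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        kind, scope = classify(int(rec["grouptype"][0]))
        print(f"{kind:12} {scope:12} {rec['dn'][0]}")
    for dn in find_promoted_groups(SAMPLE_LDIF):
        print("PROMOTED:", dn)
```

Run against the constructed export, the script flags Project Phoenix: it lives in the Distribution Groups OU but its groupType carries the security-enabled bit, which is exactly what a promoted group looks like. Scheduling a check like this against a real export gives you the phone call before the Windows administration team does.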
Delegating group membership management
You might decide to permit non-administrators to manage the membership of Distribution groups without allowing them to create groups, delete them, or change their scope or type. Active Directory has a "Modify Group Membership" permission intended for this purpose.
Unfortunately, Active Directory does not have a filter that applies the "Modify Group Membership" permission solely to Distribution groups. You need to collect your Distribution groups into a separate OU (Figure 5.3 shows an example), then delegate the "Modify Group Membership" permission to a Security group on the ACL of that OU. Do so as follows:
- Right-click the OU icon and select Delegate Control from the flyout menu. This starts the Delegation of Control wizard.
- Click Next. The Users and Groups window opens.
- Click Add and use the object picker to select the Distro Managers group. The result looks like Figure 5.4.
- Click Next. The Tasks to Delegate window opens.
- Check the Modify the Membership of a Group option, as shown in Figure 5.5.
- Click Next. This opens a Summary window.
- Click Finish to exit the wizard.
With this delegation in place, any user you put in the Distro Managers group can change the membership of a Distribution group in the Distribution Groups OU. You do not need to train those users to use Active Directory Users and Computers and you don't need to install the Adminpak.msi tools on their desktops. They can do the work via Outlook.
Managing distribution list membership in Outlook
A user who has "Modify Group Membership" permissions on a group in Active Directory can use Outlook to manage members of that group. Here's the procedure:
- From the main Outlook window, open the Address Book either by selecting Tools -> Address Book from the main menu or by pressing Ctrl+Shift+B.
- In the Show Names dropdown field, select Global Address List. Figure 5.6 shows an example.
- Right-click a distribution list and select Properties from the flyout menu. This shows the membership list of the distribution list along with information about the owner, if any. Figure 5.7 shows an example.
- Click the Modify Members button to open a Distribution List Membership window.
- Click Add to open a browse list for the GAL from which you can select new members. The member can be a user account, another group, or a contact.
- Click OK, then OK again to save the change.
- Close the Address Book.
This chapter excerpt from Learning Exchange Server 2003 by William Boswell is printed with permission from Addison-Wesley Professional, Copyright 2004.