What types of objects can be members of a global group in a domain?

As you might expect from the two previous scopes, the abilities of a domain local group depend on the domain functional level. If the functional level is set to Windows 2000 mixed, then the domain local group can only contain user accounts and global groups from any domain. It cannot contain universal groups when Windows Server 2003 is using this level of functionality. If the functional level is set to Windows 2000 native or Windows Server 2003, then the domain local group can contain user accounts and global groups from any domain, as well as universal groups. In addition, it can contain other domain local groups from the same domain. These abilities, however, have no impact on permissions. In all cases, permissions can only be assigned to resources in the local domain.

Domain local groups can be converted to a universal group, provided that there are no other domain local groups in its membership. If the domain local group does have other domain local groups as members, then these must be removed from the membership before a conversion is made.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836944500088

MCSE/MCSA 70–294: Creating User and Group Strategies

Michael Cross, ... Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-294) Study Guide, 2003

Domain Local Groups

According to Microsoft, domain local groups (DLGs) are used when assigning permissions or user rights. While we’ve loosely mentioned this in regard to all groups, it is this specific group scope that Microsoft wants you to use when modifying the access control list (ACL) of an object such as a file, or assigning a user right. Other groups will be added to a DLG to have their members receive the group’s assigned permissions or rights.

In a Windows 2000 mixed functional level domain, domain local groups can consist of users, computers, and global groups from the domain the DLG exists in, and any trusted domain. When the functional level of the domain is raised to Windows 2000 native or Windows Server 2003, a DLG can also contain other domain local groups from its local domain, as well as universal groups. Despite the fact that this group type can contain users and computers directly, it is important to remember that Microsoft recommends that you use it to contain other groups, which themselves contain users or computers. Specific scenarios regarding this usage are presented later in the chapter.


URL: https://www.sciencedirect.com/science/article/pii/B978193183694450009X

Feature focus

Dustin Hannifin, ... Joey Alpern, in Microsoft Windows Server 2008 R2, 2010

Planning for groups

Before setting up groups in AD, you should properly plan and document how you want to use groups within your organization. Just like user accounts, you need a consistent naming convention and usage strategy. One of the more common group strategies involves creating domain local groups related to various resources such as file shares, printers, and internal applications. Then, global groups are created for various workgroups such as marketing, finance, and IT. Users are then assigned to the global groups. To give a specific workgroup permission to a resource, you simply add the global group to the local group. If a resource spans multiple domains, you may want to consider the usage of universal groups. As a best practice, use universal groups only when necessary as they create additional replication traffic across the forest when changes are made. Figure 4.35 depicts what a typical group configuration might look like.


Figure 4.35. Active Directory Groups.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495783000049

MCSA/MCSE 70–294: Working with Forests and Domains

Michael Cross, ... Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-294) Study Guide, 2004

New Domainwide Features

Active Directory technology debuted with Windows 2000. Now, with Windows Server 2003, it has been refined and enhanced. Active Directory is now easier to deploy, more efficient at replication, has improved administration, and offers a better end-user experience. Some features are enabled right away, while others require a complete migration of DCs to the new release before they become available. There are countless new features, the most significant of which we discuss next.

Domain Controller Rename

Not to be confused with domain renaming, domain controller rename is the ability to rename a DC without following the Windows 2000 procedure of demoting, renaming, and promoting again. In a large domain, this saves considerable time, especially over a slow WAN link, since the process of re-promoting the DC requires a replication of the Active Directory.

Renaming a DC in Windows Server 2003 is much easier than it was in 2000, but that does not mean it has become a simple procedure. If you have multiple DCs, before you rename one of them you must make sure of a few things first. If any Operational Master roles reside on the DC, you need to transfer them to another DC. If the DC is a GC server, you have to move that role as well. Remember that the first DC you install in the forest is the root DC. This DC is responsible for the GC and for all Flexible Single Master Operations (FSMO) roles unless you have spread them out manually. You need to transfer all of these functions to another DC before you rename the server.

Universal Groups and Group Conversions

Universal Groups are able to contain members from any domain in any forest, and they replicate to the GC. They are particularly useful for administrative groups. One of the best uses for groups with universal scope is to consolidate groups above the domain level. To do this, add domain user accounts to groups with global scope and nest these Global Groups within Universal Groups. Using this strategy, changes to the Global Groups do not directly affect the membership of groups with universal scope. Taking it one step further, a Universal Group in one forest can contain Global Groups from one or more additional forests across any available forest trusts.

Here is an example. Refer to Figure 4.2. You have two domains in different forests with NetBIOS names of CATS and DOGS. Each domain contains a Global Group called Birdwatchers. To take advantage of this new capability, you add both of the Global Groups, CATS\Birdwatchers and DOGS\Birdwatchers, to a Universal Group you create called ALLBirdwatchers. The second step is to create an identical Universal Group in the other forest as well. The ALLBirdwatchers group can now be used to authenticate users anywhere in both enterprises. Any changes in the membership of the individual Birdwatchers groups will not cause replication of the ALLBirdwatchers group.

You should strive to manage your Universal Groups in such a way as to minimize the frequency of changes, since every change causes the entire membership of the group to be replicated to every GC in the forest. A newly created group is, by default, configured as a Security Group with global scope regardless of the current domain functional level. Refer to Table 4.1 for a summary of Universal Group capabilities that are available at the various domain functional levels.

Table 4.1. Summary of Universal Group Capabilities by Domain Functional Level

Functional Level | Universal Group Members | Universal Group Nesting
Windows 2000 mixed | None | None
Windows 2000 native | User and computer accounts, Global Groups, and Universal Groups from any domain | Universal Groups can be added to other groups and assigned permissions in any domain
Windows Server 2003 interim | None | None
Windows Server 2003 | User and computer accounts, Global Groups, and Universal Groups from any domain | Universal Groups can be added to other groups and assigned permissions in any domain

Groups can also be changed from one scope to another, within certain limitations. Changing a group scope is not allowed in domains with a functional level of Windows 2000 mixed or Windows Server 2003 interim. The following scope conversions are allowed in domains with a functional level of Windows 2000 native or Windows Server 2003:

Global to Universal, if the group you want to change is not a member of another Global Group.

Domain Local to Universal, if the group you want to change does not have another Domain Local Group as a member.

Universal to Global, if the group you want to change does not have another Universal Group as a member.

Universal to Domain Local, with no restrictions.
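The following is an added example, not code from the study guide, showing how the functional-level restriction and the four conversion preconditions above can be checked before a scope change is applied. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later, which postdates the release the chapter covers), sufficient rights, and a constructed group named Birdwatchers; the function name Test-GroupScopeConversion is ours.

```powershell
# Added example (not from the study guide). Assumes the ActiveDirectory module is
# installed and the caller can read group membership and modify the group.
Import-Module ActiveDirectory

function Test-GroupScopeConversion {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')]
        [string]$TargetScope
    )

    # Scope changes are refused outright at Windows 2000 mixed and Windows Server 2003
    # interim. DomainMode does not distinguish mixed from native, so read ntMixedDomain
    # from the domain object (1 = mixed, 0 = native).
    $domain  = Get-ADDomain
    $ntMixed = (Get-ADObject -Identity $domain.DistinguishedName -Properties ntMixedDomain).ntMixedDomain
    if ($ntMixed -eq 1 -or $domain.DomainMode -eq 'Windows2003InterimDomain') {
        throw "Scope conversion is not allowed at the $($domain.DomainMode) functional level (ntMixedDomain=$ntMixed)"
    }

    $group   = Get-ADGroup -Identity $Identity -Properties Members
    $current = $group.GroupScope.ToString()

    # Direct members that are themselves groups, with their scopes.
    $memberGroups = @(
        foreach ($dn in $group.Members) {
            if ((Get-ADObject -Identity $dn).ObjectClass -eq 'group') { Get-ADGroup -Identity $dn }
        }
    )
    # Groups this group is itself a direct member of.
    $parents = @(Get-ADPrincipalGroupMembership -Identity $Identity)

    # Apply the rule for the requested transition; anything else is not a one-step move.
    $blockers = @(switch ("$current->$TargetScope") {
        'Global->Universal'      { $parents      | Where-Object { $_.GroupScope -eq 'Global' } }
        'DomainLocal->Universal' { $memberGroups | Where-Object { $_.GroupScope -eq 'DomainLocal' } }
        'Universal->Global'      { $memberGroups | Where-Object { $_.GroupScope -eq 'Universal' } }
        'Universal->DomainLocal' { }   # no restrictions
        default { throw "$current -> $TargetScope is not a one-step conversion; convert via Universal first" }
    })

    [pscustomobject]@{
        Group    = $group.Name
        From     = $current
        To       = $TargetScope
        Allowed  = ($blockers.Count -eq 0)
        Blockers = @($blockers | ForEach-Object { "$($_.Name) [$($_.GroupScope)]" })
    }
}

# Constructed usage: convert the Birdwatchers global group to universal scope only
# when no other Global Group contains it.
$check = Test-GroupScopeConversion -Identity 'Birdwatchers' -TargetScope 'Universal'
if ($check.Allowed) {
    Set-ADGroup -Identity 'Birdwatchers' -GroupScope Universal
} else {
    Write-Warning ("Not converting {0}: blocked by {1}" -f $check.Group, ($check.Blockers -join ', '))
}
```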

Security Group Nesting

Security Groups are used to grant access to resources. Using nesting, you can add a group to a group. Nesting groups to consolidate member accounts reduces replication traffic. A Security Group can also be used as an e-mail distribution list, but a Distribution Group cannot be used in a discretionary access control list (DACL), which means it cannot be used to grant access to resources. Sending e-mail to a Security Group sends the message to all members of the group.

In the Windows 2000 mixed domain functional level, Security Groups are restricted to the following members:

Global Groups can only have user accounts as members.

Domain Local Groups can have other Global Groups and user accounts as members.

Universal Groups cannot be created.

EXAM WARNING

It is very important to know the different restrictions on group memberships at different domain functional levels.

Distribution Group Nesting

Distribution Groups are collections of users, computers, contacts, and other groups. They are typically used only for e-mail applications. Security Groups, on the other hand, are used to grant access to resources and as e-mail distribution lists. Using nesting, you can add a group to a group. Group nesting consolidates member accounts and reduces replication traffic. Windows NT did not support Distribution Groups within the OS, but they are supported in all versions of Active Directory. Distribution Groups cannot be listed in DACLs in any version of Windows, which means they cannot be used to define permissions on resources and objects, although they can be used in DACLs at the application layer.

Microsoft Exchange is a common example. If you do not need a group for security purposes, create a Distribution Group instead.

Number of Domain Objects Supported

In Windows 2000, group membership was stored in Active Directory as a single multivalued attribute. When the membership list changed, the entire group had to be replicated to all DCs. So that the store could be updated in a single transaction during the replication process, group memberships were limited to 5000 members. In Windows Server 2003, Linked Value Replication removes this limitation and minimizes network traffic by setting the granularity of group replication to a single principal value, such as a user or group.

Distribution Groups

Distribution Groups, unlike Security Groups, are not primarily used for access control, although they can be used in an ACL at the application layer. Distribution groups are designed to be used with e-mail applications only. You can convert a Distribution Group to a Security Group (or vice versa), if the functional level is Windows 2000 native or higher. You have to be a domain or enterprise admin, or a member of the Account Operators Group (or have the appropriate authority delegated) to convert a group. Changing the group type is as simple as right-clicking the group in Active Directory Users and Computers, clicking Properties, and clicking the desired group type on the General tab.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836944500106

Managing Recipients in Exchange 2007

Henrik Walther, in How to Cheat at Configuring Exchange Server 2007, 2007

Managing Distribution Groups

As is the case with Exchange 2000 and 2003, Exchange 2007 has two types of distribution groups: mail-enabled distribution groups, which are used strictly for distributing messages, and mail-enabled security groups, which are used to assign permissions to users as well as to distribute messages. In addition, the query-based distribution group introduced in Exchange 2003 has made its way into Exchange 2007, albeit with a new name and a few changes. These groups are now called dynamic distribution groups and, as the name implies, are still dynamic in nature and based on a set of configured criteria. More about them later.

Distribution groups can contain other distribution groups, user mailboxes (mailbox-enabled users), and mail contacts (mail-enabled contacts). You can get a list of the mail-enabled distribution groups in your organization by selecting the Distribution Group subnode beneath the Recipient Configuration work center node, as shown in Figure 3.32. This is also the place where you create new groups as well as modify any existing ones. Just like user mailbox objects, distribution groups are explicit in Exchange 2007, meaning that each type of group is differentiated using an individual icon as well as a recipient type details description, as you can see in Figure 3.32. As you can also see in this figure, we have four different explicit group types:


Figure 3.32. Listing Distribution Group Types under the Distribution Group Subnode

Mail Universal Distribution groups

Mail Universal Security groups

Dynamic Distribution groups

Mail Non-Universal groups

    Domain Local groups

    Global groups

WARNING

Although pre-existing Mail Non-Universal groups are shown under the Distribution Group subnode in the figure, you should be aware that the administration of these group types is limited. Actually, it's recommended that you do not use these types of groups for distributing messages in Exchange 2007.

Another word of warning when you are creating groups in the ADU&C snap-in console: Any group created as a Distribution Global group will not be available when you're trying to mail-enable that group via the EMC. Groups created in the ADUC MMC snap-in must be Universal Distribution groups if they are later to be mail-enabled using the EMC.

SOME INDEPENDENT ADVICE

You may ask, “What should I use in my organization—mail-enabled security groups or ordinary mail-enabled distribution groups?” That's a really good question, and here is something to consider: Choosing mail-enabled security groups will give you the option of using the group as both a distribution group as well as using it to assign permissions to user account objects in your Active Directory forest. This means that using mail-enabled security groups will lower the number of groups in your organization, thereby lowering the amount of maintenance required. Be careful using mail-enabled security groups; you could accidentally assign too many permissions to the wrong users! Double check the membership of the distribution list before assigning it to a resource's ACL.

When highlighting a group under the Distribution Group subnode, you get a set of actions that can be performed on it in the Action pane. When highlighting a Mail Universal Security group, for example, we get the set of actions shown in Figure 3.33. We can disable the group, removing all Exchange-related properties from the group; remove it (which physically removes the group object from Active Directory!); or access the Properties page for the group by choosing the Properties action.


Figure 3.33. Actions for a Mail Universal Security Group in the Actions Pane

If we had highlighted a Dynamic Distribution group, we would not have had the option to disable it, but only to remove it.

Highlighting a Mail Non-Universal group will also give us the option of converting it to a Universal group, as shown in Figure 3.34. We highly recommend you do this.


Figure 3.34. Actions for a Mail Non-Universal Group in the Actions Pane

Let's access the Properties page for a Mail Universal Distribution group. The first tab we're presented with is the General tab (see Figure 3.35), where we can change the name and alias of the group as well as view or modify any specified custom attributes.


Figure 3.35. The General Tab for a Distribution Group

We also have the option of changing the group name under the Group Information tab. We can also specify the person (AD user account) that manages the respective group by selecting the Managed By option, clicking Browse, and choosing an account in AD. The person specified here will also be shown as the Owner when users use the GAL to open the Properties page of the group from within Outlook. On a side note, this person has the option of receiving delivery reports when messages are sent to the group, which is configurable on the Advanced tab. Finally, we have a Notes field, where we can enter administrative notes about the group. Again, as with user notes, bear in mind that end users will be able to see these notes from their Outlook clients when accessing them in the GAL.

The Members tab should not need any further explanation; it is simply the place where you add and/or remove members from the group. The Member Of tab lists any distribution groups that include this group in their member lists. Note that you cannot use this tab to add the selected group to other distribution groups! The E-Mail Addresses tab is the place where you can see all the e-mail addresses for the group as well as modify or add new e-mail addresses. By default, the e-mail addresses are stamped on the distribution group by the e-mail address policy in the Exchange organization; however, you have the option of disabling this behavior and instead administering these lists manually by deselecting the option Automatically update e-mail addresses based on recipient policy.

On the Advanced tab, shown in Figure 3.36, we can specify a simple display name, used if the original display name of the group contains Unicode characters and you have third-party applications that don't support Unicode. In addition, you can define an expansion server, used to expand group membership. When a message is sent to a distribution group, Exchange must access the membership list to deliver the message to each member of the group. When dealing with large distribution groups, this can be a very resource-intensive task, thus giving a reason to define a particular hub transport server role as your expansion server.


Figure 3.36. The Advanced Tab

TIP

If you specify an expansion server for a particular distribution group, you should always make sure it's well documented because the group will then depend on this specified server to deliver messages. This means that if you someday find out you want to replace your existing hub transport server with a new one, and that particular hub transport server has been explicitly assigned as an expansion server for one or more distribution groups, those groups will no longer be able to deliver messages to the respective members.

Under the Advanced tab, you also have the option of hiding the group from the Exchange Global Address Lists (GAL) and of specifying that any out-of-office messages should be sent to the originator (the sender of the message) instead of the group. Lastly, you have the option of specifying whether delivery reports should be sent or not. If you choose to have them sent, you can select whether they should be sent to the message originator or the group manager specified under the Group Information tab. Note that if you decide to send delivery reports to the group manager, a group manager must be selected under the Group Information Managed By field or you will receive a warning message telling you to do so.

TIP

Larger “All User” based distribution groups should always have a limited number of allowed senders defined because these groups tend to encompass your entire organization and can get you in trouble if everyday messages can be delivered to everyone in your company.

The last tab is Mail Flow Settings, where you can configure the maximum group receiving size in KB as well as defining who should be allowed to send messages to the group.

NOTE

When accessed via the Exchange Management Console, the property pages are identical for Mail Universal Distribution groups and Mail Universal Security groups, so there's no reason to go through the tabs under the Properties page of a Mail Universal Security group.


URL: https://www.sciencedirect.com/science/article/pii/B978159749137250006X

Managing Recipients in Exchange 2007

In The Best Damn Exchange, SQL and IIS Book Period, 2007

Managing Distribution Groups

As is the case with Exchange 2000 and 2003, Exchange 2007 has two types of distribution groups: mail-enabled distribution groups, which are used strictly for distributing messages, and mail-enabled security groups, which are used to assign permissions to users as well as to distribute messages. In addition, the query-based distribution group introduced in Exchange 2003 has made its way into Exchange 2007, albeit with a new name and a few changes. These groups are now called dynamic distribution groups and, as the name implies, are still dynamic in nature and based on a set of configured criteria. More about them later.

Distribution groups can contain other distribution groups, user mailboxes (mailbox-enabled users), and mail contacts (mail-enabled contacts). You can get a list of the mail-enabled distribution groups in your organization by selecting the Distribution Group subnode beneath the Recipient Configuration work center node, as shown in Figure 3.32. This is also the place where you create new groups as well as modify any existing ones.


Figure 3.32. Listing Distribution Group Types Under the Distribution Group Subnode

Just like user mailbox objects, distribution groups are explicit in Exchange 2007, meaning that each type of group is differentiated using an individual icon as well as a recipient type details description, as you can see in Figure 3.32. As you can also see in this figure, we have four different explicit group types:

■ Mail Universal Distribution groups

■ Mail Universal Security groups

■ Dynamic Distribution groups

■ Mail Non-Universal groups

    Domain Local groups

    Global groups

Warning

Although pre-existing Mail Non-Universal groups are shown under the Distribution Group subnode in the figure, you should be aware that the administration of these group types is limited. Actually, it’s recommended that you do not use these types of groups for distributing messages in Exchange 2007.

Another word of warning when you are creating groups in the ADU&C snap-in console: Any group created as a Distribution Global group will not be available when you’re trying to mail-enable that group via the EMC. Groups created in the ADUC MMC snap-in must be Universal Distribution groups if they are later to be mail-enabled using the EMC.

Some Independent Advice

You may ask, “What should I use in my organization—mail-enabled security groups or ordinary mail-enabled distribution groups?” That’s a really good question, and here is something to consider: Choosing mail-enabled security groups will give you the option of using the group as both a distribution group as well as using it to assign permissions to user account objects in your Active Directory forest. This means that using mail-enabled security groups will lower the number of groups in your organization, thereby lowering the amount of maintenance required. Be careful using mail-enabled security groups; you could accidentally assign too many permissions to the wrong users! Double check the membership of the distribution list before assigning it to a resource’s ACL.

When highlighting a group under the Distribution Group subnode, you get a set of actions that can be performed on it in the Action pane. When highlighting a Mail Universal Security group, for example, we get the set of actions shown in Figure 3.33. We can disable the group, removing all Exchange-related properties from the group; remove it (which physically removes the group object from Active Directory!); or access the Properties page for the group by choosing the Properties action.


Figure 3.33. Actions for a Mail Universal Security Group in the Actions Pane

If we had highlighted a Dynamic Distribution group, we would not have had the option to disable it, but only to remove it.

Highlighting a Mail Non-Universal group will also give us the option of converting it to a Universal group, as shown in Figure 3.34. We highly recommend you do this.


Figure 3.34. Actions for a Mail Non-Universal Group in the Actions Pane

Let’s access the Properties page for a Mail Universal Distribution group. The first tab we’re presented with is the General tab (see Figure 3.35), where we can change the name and alias of the group as well as view or modify any specified custom attributes.


Figure 3.35. The General Tab for a Distribution Group

We also have the option of changing the group name under the Group Information tab. We can also specify the person (AD user account) that manages the respective group by selecting the Managed By option, clicking Browse, and choosing an account in AD. The person specified here will also be shown as the Owner when users use the GAL to open the Properties page of the group from within Outlook. On a side note, this person has the option of receiving delivery reports when messages are sent to the group, which is configurable on the Advanced tab. Finally, we have a Notes field, where we can enter administrative notes about the group. Again, as with user notes, bear in mind that end users will be able to see these notes from their Outlook clients when accessing them in the GAL.

The Members tab should not need any further explanation; it is simply the place where you add and/or remove members from the group. The Member Of tab lists any distribution groups that include this group in their member lists. Note that you cannot use this tab to add the selected group to other distribution groups! The E-Mail Addresses tab is the place where you can see all the e-mail addresses for the group as well as modify or add new e-mail addresses. By default, the e-mail addresses are stamped on the distribution group by the e-mail address policy in the Exchange organization; however, you have the option of disabling this behavior and instead administering these lists manually by deselecting the option Automatically update e-mail addresses based on recipient policy.

On the Advanced tab, shown in Figure 3.36, we can specify a simple display name, used if the original display name of the group contains Unicode characters and you have third-party applications that don’t support Unicode. In addition, you can define an expansion server, used to expand group membership. When a message is sent to a distribution group, Exchange must access the membership list to deliver the message to each member of the group. When dealing with large distribution groups, this can be a very resource-intensive task, thus giving a reason to define a particular hub transport server role as your expansion server.


Figure 3.36. The Advanced Tab

Some Independent Advice

If you specify an expansion server for a particular distribution group, you should always make sure it’s well documented because the group will then depend on this specified server to deliver messages. This means that if you someday find out you want to replace your existing hub transport server with a new one, and that particular hub transport server has been explicitly assigned as an expansion server for one or more distribution groups, those groups will no longer be able to deliver messages to the respective members.

Under the Advanced tab, you also have the option of hiding the group from the Exchange Global Address Lists (GAL) and of specifying that any out-of-office messages should be sent to the originator (the sender of the message) instead of the group. Lastly, you have the option of specifying whether delivery reports should be sent or not. If you choose to have them sent, you can select whether they should be sent to the message originator or the group manager specified under the Group Information tab. Note that if you decide to send delivery reports to the group manager, a group manager must be selected under the Group Information Managed By field or you will receive a warning message telling you to do so.

The last tab is Mail Flow Settings, where you can configure the maximum group receiving size in KB as well as defining who should be allowed to send messages to the group.

Some Independent Advice

Larger “All User” based distribution groups should always have a limited number of allowed senders defined because these groups tend to encompass your entire organization and can get you in trouble if everyday messages can be delivered to everyone in your company.

Note

When accessed via the Exchange Management Console, the property pages are identical for Mail Universal Distribution groups and Mail Universal Security groups, so there’s no reason to go through the tabs under the Properties page of a Mail Universal Security group.

Creating a New Distribution Group

To create a new distribution group, click the New Distribution Group link in the Action pane, bringing up the New Distribution Group Wizard shown in Figure 3.37. The first page is the Introduction page, where you need to specify whether you want to create a new distribution group or mail-enable an existing security group. If you choose to mail-enable an existing group, click the Browse button and you will be presented with a GUI picker, where all security groups that haven’t been mail-enabled will be listed. For the purposes of this example, we’ll select New group, then click Next.


Figure 3.37. The Introduction Page in the New Distribution Group Wizard

On the Group Information page shown in Figure 3.38, we’ll have to specify whether we want to create a new mail-enabled distribution group or a mail-enabled security group. We’ll then need to specify the OU in which the group should be created in Active Directory and finally give it an appropriate name and alias. The alias is automatically filled in and duplicated with whatever you used for a name; however, it can still be changed without altering the name.


Figure 3.38. Selecting the Type of Distribution Group That Should Be Created

Note

As already mentioned, the only difference between mail-enabled distribution groups and mail-enabled security groups is the ability for security groups to be used to assign permissions to user objects in Active Directory.

Let’s click Next, which will bring us to the New Distribution Group page, where you should verify the information in the Configuration Summary pane. Once it’s verified, click New and finally click Finish.

To create or modify existing distribution groups via the EMS, use the New-DistributionGroup and Set-DistributionGroup cmdlets. An example of creating a group might look like the following; the -Type Security switch makes it a mail-enabled security group, while omitting it (or using -Type Distribution) creates an ordinary distribution group:

New-DistributionGroup -Name "New Group" -OrganizationalUnit syngress.local/users -SamAccountName "New-Group" -Type Security
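As an added example (not code from the book), the following Exchange Management Shell script carries the single command above through to a usable, locked-down mail-enabled security group: it creates the group, adds members, restricts who may send to it and who owns it, and then verifies the result. The OU syngress.local/Users follows the page; the group name, the member aliases and the owner are placeholders chosen for the example.

```powershell
# Added example for Exchange 2007 EMS, not from the original text.
# Assumed names: the OU below follows the page; the group name, the
# member aliases and the owner account are placeholders.

$ou      = "syngress.local/Users"
$name    = "Finance-Approvers"
$members = @("jsmith", "mjones")     # existing mailbox aliases (assumed)
$owner   = "syngress.local/Users/Administrator"

# A mail-enabled *security* group is a security principal: membership grants
# both the e-mail address and every ACL entry the group holds. Use
# -Type Security only when you need both; otherwise use -Type Distribution.
$grp = New-DistributionGroup -Name $name -OrganizationalUnit $ou `
           -SamAccountName $name -Type Security

foreach ($m in $members) {
    Add-DistributionGroupMember -Identity $grp.Identity -Member $m
}

# Harden the group:
#  - RequireSenderAuthenticationEnabled refuses anonymous (Internet) senders,
#    so outsiders cannot mail a group that also appears in ACLs
#  - ManagedBy names an owner who may change the membership from Outlook;
#    pick this account deliberately, because it can grant access as well
#    as e-mail
Set-DistributionGroup -Identity $grp.Identity `
    -RequireSenderAuthenticationEnabled $true `
    -ManagedBy $owner

# Verify: GroupType must report SecurityEnabled and Universal, and the
# membership should match exactly what was requested above.
Get-Group -Identity $grp.Identity | Format-List Name, GroupType, ManagedBy

$actual = Get-DistributionGroupMember -Identity $grp.Identity |
              ForEach-Object { $_.Alias }
Compare-Object ($members | Sort-Object) ($actual | Sort-Object)
# Compare-Object prints nothing when the two lists agree; any line it
# emits is a member that was not requested (or one that failed to add).
```

The final comparison is the check worth keeping in any provisioning script for a security-enabled group: because the same object controls both mail delivery and resource access, an unexpected member is an access-control finding, not just an addressing mistake.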

Creating a New Dynamic Distribution Group

Dynamic distribution groups, which were known as query-based distribution groups in Exchange 2003, provide the same type of functionality as ordinary distribution groups, but instead of manually adding members to the group's membership list, you define a set of filters and conditions when creating the group, and the membership is derived from them. When a message is sent to a dynamic distribution group, Exchange queries Active Directory for recipients matching the specified filters and conditions. The primary advantage of dynamic distribution groups over ordinary distribution groups is the lower administrative burden, since you do not have to maintain any membership lists. The main disadvantage is that this type of group puts more load on the Global Catalog servers in your Active Directory forest, because each time a message is sent to a dynamic distribution group, Exchange has to run the group's query against a Global Catalog to expand the membership. Bear in mind as well that the membership is only as trustworthy as the attributes it is derived from: anyone who can write the Company, Department or custom attributes of a recipient, or move it into the recipient container, can add that recipient to the group without touching the group itself.

You create a new dynamic distribution group by clicking New Dynamic Distribution Group in the Action pane under the Distribution Group subnode of the Recipient Configuration work center node.

This will bring up the New Dynamic Distribution Group Wizard shown in Figure 3.39. Here you specify the OU in which the group should be created and give the group a meaningful name. When you have done so, click Next.


Figure 3.39. Naming a New Distribution Group

The next page is the Filter Settings page (see Figure 3.40) where you will need to specify the recipient container the filter should be applied to. Clicking the Browse button will bring up a GUI picker where you can choose an individual OU or even the whole Active Directory domain, for that matter. On this page you also have the option of specifying the type of recipients that should be included in your filter. For example, this could be All recipient types or just Users with Exchange mailboxes. When you have made your choices, click Next.


Figure 3.40. Selecting Filter Settings for a New Dynamic Distribution Group

We have now reached the most interesting of all pages in the wizard, where we actually select and define the conditions that should be used by the group. As you can see in Figure 3.41, we can select conditions such as Recipient is in a State or Province, Recipient is in a Department, or Recipient is in a Company, as well as any of the 15 custom attributes that you might have defined on your mailbox-enabled user objects, so there should be plenty of possibilities. For the purposes of our example, we have selected Recipient is in a Company and edited the condition so that all recipients in a company called Exchange Dogfood will receive the messages sent to the dynamic distribution group. When you have selected the required conditions, click the Preview button in the lower-right corner to list every recipient who currently meets your criteria, and confirm that these are the recipients you intended before you save the group. When you're ready, click Next, New, and finally Finish.


Figure 3.41. Choosing Conditions for a New Dynamic Distribution Group

Since most of the Properties pages for a dynamic distribution group are more or less identical to those of an ordinary distribution group, we will not cover them here, with the exception of two tabs, which we want to show you quickly. The Filter and Conditions tabs are where you change the filter and condition behavior for a dynamic distribution group. As you can see in Figure 3.42, the Filter tab is where you can change the recipient container and the recipient types used by the group.


Figure 3.42. The Filter Tab

Under the Conditions tab, shown in Figure 3.43, you can change the conditions that should be used to define your group, as well as use the Preview button to list all users meeting your conditions.


Figure 3.43. The Conditions Tab

To create or modify existing dynamic distribution groups via the EMS, use the New-DynamicDistributionGroup and Set-DynamicDistributionGroup cmdlets.

Some Independent Advice

So, what do you do if you want to use conditions other than those available in the New Dynamic Distribution Group Wizard? Is this even possible? As a matter of fact, it is, but only by using the New-DynamicDistributionGroup (or Set-DynamicDistributionGroup) cmdlet in the EMS with its -RecipientFilter parameter. You should also bear in mind that any conditions and filters other than those provided in the GUI must be managed using the EMS from then on; the Conditions tab will no longer let you edit them. If, for example, you wanted to create a custom recipient filter that included all recipients in an OU called EDFUsers, with a mailbox located on a server called EDFS03, you would need to run the following command:
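As an added example, and not the command from the original text, the following Exchange Management Shell script shows both ways of building a dynamic distribution group discussed above: the wizard's own "Recipient is in a Company" condition expressed in EMS, the custom OU-plus-server filter that only -RecipientFilter can express, and a preview that resolves the filter to real recipients so the membership can be checked before mail flows. The names EDFUsers, EDFS03 and Exchange Dogfood follow the page; the group names, the domain syngress.local and the expected member names are placeholders.

```powershell
# Added example for Exchange 2007 EMS, not from the original text.
# Assumed names: the OU EDFUsers, the server EDFS03 and the company
# "Exchange Dogfood" follow the page; syngress.local, the group names and
# the expected member list are placeholders.

# 1. The wizard's precanned condition, expressed in EMS. The precanned
#    parameters (-IncludedRecipients, -ConditionalCompany, ...) and
#    -RecipientFilter are mutually exclusive: pick one style per group.
New-DynamicDistributionGroup -Name "Dogfood-All" `
    -OrganizationalUnit "syngress.local/Users" `
    -RecipientContainer "syngress.local" `
    -IncludedRecipients MailboxUsers `
    -ConditionalCompany "Exchange Dogfood"

# 2. A condition the wizard cannot build: mailbox users whose object sits
#    under the EDFUsers OU and whose mailbox lives on EDFS03. Once a group
#    has a custom -RecipientFilter, it can only be changed from the shell.
New-DynamicDistributionGroup -Name "EDFS03-Users" `
    -OrganizationalUnit "syngress.local/Users" `
    -RecipientContainer "syngress.local/EDFUsers" `
    -RecipientFilter { (RecipientType -eq 'UserMailbox') -and (ServerName -eq 'EDFS03') }

# 3. Resolve a dynamic group's filter to the recipients it matches right
#    now, exactly as the Preview button does. The runtime membership is
#    recomputed from directory attributes on every send, so anyone who can
#    write those attributes or move objects into the container can join.
function Get-DynamicGroupPreview {
    param([string]$Identity)
    $ddg = Get-DynamicDistributionGroup -Identity $Identity
    Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
                  -OrganizationalUnit $ddg.RecipientContainer
}

# 4. Compare what the filter resolves to against who should be on the list.
$expected = @("Alice Bell", "Bob Diaz")     # assumed: the intended recipients
$actual   = Get-DynamicGroupPreview -Identity "EDFS03-Users" |
                ForEach-Object { $_.Name }
Compare-Object ($expected | Sort-Object) ($actual | Sort-Object)
# No output means the filter matches exactly the intended recipients; a
# line marked "=>" is someone the filter picked up that you did not expect.
```

Re-run the preview function periodically, or after any bulk change to user attributes, since the group itself never changes when its effective membership does.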
