Groups
In Windows Server 2003, a group is an Active Directory object that can hold users and other groups. In the case of security groups, permissions can be assigned to a group and are inherited by all of the objects in that group. This makes the group a valuable Windows security construct. Exchange Server 2003 also uses the group for another purpose. A group can be made mail-enabled and then populated with other mail- or mailbox-enabled recipients to make a distribution list, a term you may be familiar with from earlier versions of Exchange Server. A group can contain users, contacts, public folders, and even other groups. When a message is sent to a mail-enabled group, the list of members is extracted, and the message is sent to each member of the list individually. Groups are visible in the Global Address List if they are configured properly to be mail-enabled.
Windows Server 2003 supports two distinct types of groups. A security group can be assigned permissions and rights and be mail-enabled. A distribution group can only be mail-enabled.
Group Types and Scopes
Before we can begin any discussion on creating and managing groups, a discussion on group types and group scopes is necessary. You will need to have a good understanding of how the two different group types and three different group scopes work before you can effectively use groups in your Exchange organization.
Group Types
As mentioned previously, there are two types of groups within Active Directory: security groups and distribution groups. The names of these groups are fairly descriptive in regard to their usage.
Security groups Security groups, as the name implies, are used primarily to configure and assign security settings for those user and group objects placed within the group. An administrator can configure the desired rights and permissions on the group, and these settings will then automatically be applied to all group members without the need to manually configure the settings on the individual objects. As you can see, this is a benefit from both an administrative point of view (less work to be done) and from an accuracy point of view (fewer chances of configuring individual object permissions incorrectly). Security groups can also be mail-enabled if desired, therefore allowing their mailbox-enabled and mail-enabled members to receive all messages that are sent to the security group.
Distribution groups Distribution groups, as their name implies, are used only for sending messages to a large number of objects without having to manually select each user, group, or contact. You can place all members of a specific department or geographical location into a distribution group and then send one message to the group that will be distributed to all members. Since distribution groups are not access control list (ACL)–enabled as security groups are, you cannot assign user rights or permissions to them.
You can change a distribution group into a security group at any time with no loss in functionality. However, changing a security group into a distribution group will result in the rights and permissions that have been configured on that group being lost. You will be warned of this fact when attempting to make the change.
Group Scopes
Within Active Directory, three different group scopes exist. The scope of the group determines who may be members of the group from an Active Directory standpoint. From an Exchange standpoint, the group scope determines which users can resolve the group's membership when multiple domains exist within the organization.
Domain local groups The membership of domain local groups is not published to the global catalog servers in the organization, which prevents Exchange users from resolving the membership of mail-enabled domain local groups outside the domain in which their user account is located. If your organization consists of multiple domains, you will usually want to avoid domain local groups for Exchange distribution purposes. The membership of domain local groups depends on the domain functional level of the domain but typically can include accounts from any domain in the forest.
Global groups The membership of global groups is also not published to the global catalog servers in the organization. If your organization consists of multiple domains, you will usually want to avoid global groups for Exchange distribution purposes as well. The membership of global groups depends on the domain functional level of the domain but typically can include only accounts from the same domain in which the group was created.
Universal groups Only universal groups have their membership information published to the global catalog servers in the organization. This allows Exchange users located in any domain in the forest to resolve the membership of any universal group in the forest, regardless of the domain in which it was created. The ability to create, and therefore use, universal groups depends on the domain functional level: they can be created only when the domain functional level is Windows 2000 native or Windows Server 2003. If your organization is capable of using universal groups, you’ll want to consider them for Exchange distribution groups, especially when creating query-based distribution groups, as discussed later in this chapter. Universal groups can contain members from any domain in the forest.
Note: There is a lot more to be said about group scopes, including how the domain functional level impacts your ability to work with the different scopes. You can find more information about group scopes by searching the Windows Server 2003 help files for “Group Scopes” or by visiting this website: www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_ADgroups_3groupscopes.asp.
Creating a Group
Creating and configuring a new group object is very simple. Exercise 5.4 outlines the steps involved.
1. Choose Start > Programs > Administrative Tools > Active Directory Users and Computers.
2. From the Action menu, point to New, and select Group.
3. The New Object-Group dialog box opens, as seen below. In the Group Name field, type a name that represents the members of the group you are creating. Notice that Windows automatically fills in a pre–Windows 2000–compatible group name for you.
4. Next, you must choose a group scope. This determines at what level the group will be available in Active Directory—domain local, global, or universal. If you are going to create a simple distribution group (shown in the next step), it is usually best to make the group universal in scope so that it will be available throughout the organization. Otherwise, you may find that the group is limited by domain boundaries. Note that a domain must be running at the Windows 2000 native or Windows Server 2003 domain functional level to support universal groups.
5. Next, you must define a group type. This determines whether the group is for security or distribution purposes. A security group can be made mail-enabled and used for distribution purposes. Recall that security groups can also be assigned permissions and made part of access control lists (ACLs) for resources. A distribution group is used for e-mail purposes only and cannot be used for security purposes. Security groups can later be converted into distribution groups, with a loss of all configured ACL entries. Likewise, distribution groups can later be converted into security groups if desired.
6. Click Next to go on.
7. Select the Create An Exchange E-mail Address option.
8. If you want, you can change the alias name or the administrative group to which the new group belongs. When you have finished, click Next to go on.
9. The final page summarizes the setup. Click Finish to create the new group.
Properties of a Distribution Group
Once you have created a new group, you will configure it the same way you configure other objects—with property pages. Three Exchange-related property pages connected with distribution groups need to be explained: Members, Managed By, and Exchange Advanced.
Members Page
The Members property page lists every member of the group. Use the Add button to access the Active Directory list, from which you can add new members to the group. Use the Remove button to remove selected members.
Managed By Page
The Managed By property page, shown in Figure 5.10, lets you assign an owner whose job it is to manage the group’s membership. By default, the administrator who creates the group is the owner, but you can designate any user, group, or contact in the GAL as the owner. If you give ownership to another user, that user can use Outlook to modify the group’s membership and does not need access to Active Directory Users and Computers. You can relieve yourself of a great deal of work by specifying the owners of a group. As groups grow larger, they can consume a considerable amount of management time.
Exchange Advanced Page
The Exchange Advanced property page, shown in Figure 5.11, holds several configuration items that may be familiar to you, such as Simple Display Name and a Custom Attributes button.
You can, however, also configure several options that are particular to distribution lists. They are as follows:
Expansion Server Whenever a message is sent to a group, the group must be expanded so that the message can be sent to each member of the group. A categorizer performs this expansion. The default choice is Any Server In The Organization. This choice means that the home server of the user sending the message always expands the group. You can also designate a specific server to handle the expansion of the group. The choice of a dedicated expansion server is a good one if you have a large group. In this case, expansion could consume a great amount of server resources, which can compromise performance for busy servers.
Note: We will discuss the creation and administration of administrative groups and routing groups in Chapter 8, “Building Administrative and Routing Groups.”
Hide Group From Exchange Address Lists If you enable this option, the group is not visible in the GAL.
Send Out-Of-Office Messages To Originator Users of Exchange clients can configure rules that enable the clients to automatically reply to messages received while the users are away from their office. When this option is enabled, users who send messages to groups can receive those automatic out-of-office messages from members of the list. For particularly large groups, it’s best not to allow out-of-office messages to be delivered because of the excess network traffic they generate.
Send Delivery Reports To Group Owner If you enable this option, notification is sent to the owner of the group whenever an error occurs during the delivery of a message to the group or to one of its members. Note that this option is unavailable if the group has not been assigned an owner.
Send Delivery Reports To Message Originator If you enable this option, error notifications are also sent to the user who sent a message to the group.
Do Not Send Delivery Reports If you enable this option, error notifications will not be sent.
Custom Attributes Just as you can configure up to 15 custom attributes for a mailbox, you can configure up to 15 custom attributes for a distribution group as well.
Query-Based Distribution Groups
Among the new features in Exchange Server 2003 is the query-based distribution group. One of the biggest problems with using distribution groups in the past has been the amount of work and time that it can take to maintain an accurate and up-to-date group membership. Query-based distribution groups aim to correct that problem. As the name implies, a query-based distribution group is a mail-enabled distribution group that has its membership defined by the results of an LDAP query that is made against the content of Active Directory.
The obvious advantage of a query-based distribution group is that it provides a way to dynamically configure the membership of a group from all Exchange recipients based on a configured LDAP query. You can create a query, for example, that limits the membership of a group to those users who are part of the Accounting department of your organization. By the same logic, you could create a query-based distribution group whose membership is limited to those users, contacts, and distribution groups located in a specific building or in a specific geographical area (such as a state or city) within your organization. Because you can quickly create and change the queries that define these groups, you save the time and effort of maintaining large standard distribution groups. In addition, query-based distribution groups are more accurate in their membership, because the membership is produced entirely by the results of the query you define.
As you might suspect by now, there is a trade-off to the power and flexibility that query-based distribution groups provide. This trade-off comes in the form of increased loading on your global catalog servers. Each time an e-mail is sent to a query-based distribution group, the LDAP query you have configured must be run against the global catalog to determine the membership of the group.
To make use of query-based distribution groups, your network should be using Windows Server 2003 global catalog servers and Exchange Server 2003 or Exchange 2000 Server at Service Pack 3. If you still have any remaining Windows 2000 Server global catalog servers, don’t despair; you can still use query-based distribution groups as long as you modify the Registry on your Exchange 2000 Servers to accommodate them. You can perform this Registry modification as detailed in Exercise 5.5.
When you are ready to create a query-based distribution group, you can do so by completing the process detailed in Exercise 5.6.
Exercise 5.5
1. On the Exchange 2000 Server, open the Registry Editor by clicking Start > Run and entering regedit.
2. Locate the following Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters
3. Once you have located and expanded this key, you will need to create a new DWORD value for it. In the right-hand pane of the Registry Editor, right-click and select New > DWORD Value from the context menu.
4. For the DWORD name, enter DynamicDLPageSize.
5. To modify the data in the new DWORD, right-click it and select Modify from the context menu. Select the Decimal option and enter the value 31 in the Value Data area.
6. Click OK to accept the changes.
7. Close the Registry Editor.
Exercise 5.6
1. Choose Start > Programs > Administrative Tools > Active Directory Users and Computers.
2. From the Action menu, point to New, and select Query-Based Distribution Group.
3. The New Object – Query-Based Distribution Group dialog box opens, as seen below. Enter the name for the new group and its e-mail alias, and then click Next.
4. On the next page, seen below, you can select the Active Directory container against which you want the query to be run. To change the default value, click the Change button and select the new container.
5. The next step is to create the filter, or LDAP query, that will be used to determine the group membership. Several preconfigured options exist, as you saw previously. In most cases, however, you will want to select the Customize Filter option and then build a custom filter by clicking the Customize button. You can see how we might select from all available Exchange recipients that are located in the city of Newport News. Be aware, however, that not all attributes of an object are replicated to the global catalog. A list of the attributes that are not replicated, and thus not suitable for use in the filter of a query-based distribution group, follows this exercise.
6. When you have finished creating your filter, click the OK button to close the Find Exchange Recipients dialog box.
7. Click Next on the New Object-Query-based Distribution Group dialog box to continue. You will be presented with a summary of the query you have created.
8. Click the Finish button to create the new query-based distribution group.
9. To see the results your query returned, you can use the Preview tab of the group’s properties. Right-click the new query-based distribution group and select Properties from the context menu. Switch to the Preview tab, seen below, to see the results of the filter query.
As mentioned in Exercise 5.6, there are several object attributes that are not replicated to the global catalog and are thus not suitable for use in the creation of a filter for a query-based distribution group. The following list presents these attributes:
- Assistant
- Comment
- Direct reports
- Division
- E-mail address (other)
- Employee ID
- Generational suffix
- Home address
- Home drive
- Home folder
- ILS settings
- International ISDN number
- International ISDN number (others)
- Logon workstations
- Member of
- Middle name
- Teletex number
- Teletex number (others)
- Title
Although you might be tempted to create the LDAP query by hand, don’t give it serious consideration unless you are very familiar with this operation. The simple query we created in Exercise 5.6 that looked just for Exchange objects with a city of Newport News produced the following result:
(&(!cn=SystemMailbox{*})(&(&(&(& (mailnickname=*) (| (&(objectCategory=person)
(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)
(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)
(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)
(objectCategory=msExchDynamicDistributionList) )))(objectCategory=user)
(l=Newport News))))
As you can imagine, adding in other filter items would quickly result in a very complicated query string. Should the LDAP query you are using for a query-based distribution group have bad formatting or not be in the proper LDAP syntax, a user who sends an e-mail message to that group will receive a code 5.2.4 nondelivery report (NDR). On the other hand, should the query be formatted properly but return no Exchange objects, no NDR will be generated because the query-based distribution group functioned as it was properly configured—thus demonstrating the importance of checking group membership using the Preview tab.
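The two failure modes just described (a malformed filter that produces 5.2.4 NDRs, and a well-formed filter that silently expands to nobody because it uses an attribute from the list above that is not replicated to the global catalog) can both be checked before the group is created. The following Python linter is an added example, not code from the book or from Exchange; it parses the filter (accepting the (!attr=value) shorthand that Active Directory Users and Computers emits and the spaces it inserts beside parentheses), reports syntax errors with an offset, and flags attributes that are absent from the global catalog. The LDAP attribute names are an assumed mapping from the display names in the list, and the sample filters are constructed.

```python
import re
# Lowercased LDAP names for the attributes the text lists as not replicated to the global
# catalog (the display-name to LDAP-name mapping is this example's assumption, not the page's).
NOT_IN_GLOBAL_CATALOG = {
    "assistant", "comment", "directreports", "division", "employeeid", "generationqualifier",
    "homedirectory", "homedrive", "homepostaladdress", "internationalisdnnumber", "memberof",
    "middlename", "othermailbox", "teletexterminalidentifier", "title", "userworkstations"}
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")
class FilterError(ValueError): """A filter Exchange cannot parse; senders would get a 5.2.4 NDR."""
def _parse(s, i, attrs):
    """Parse one parenthesised component starting at s[i]; return the index just after it."""
    if not s.startswith("(", i):
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if s.startswith(("&", "|"), i):                      # (&(...)(...)) or (|(...)(...))
        i += 1
        while s.startswith("(", i):
            i = _parse(s, i, attrs)
    elif s.startswith("!", i):                           # (!(...)) or AD's shorthand (!attr=value)
        i = _parse(s, i + 1, attrs) if s.startswith("(", i + 1) else _item(s, i + 1, attrs)
    else:
        i = _item(s, i, attrs)
    if not s.startswith(")", i):
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1
def _item(s, i, attrs):
    """Parse attr=value (also ~=, >=, <=); the value runs up to the next ')'."""
    m = _ATTR_RE.match(s, i)
    if not m or not s.startswith(("=", "~=", ">=", "<="), m.end()):
        raise FilterError(f"expected 'attribute=value' at offset {i}")
    attrs.add(m.group(0))
    return (s + ")").find(")", m.end() + 1)              # len(s) when the value is unterminated
def parse_filter(text):
    """Return the set of attribute names used by a syntactically valid filter."""
    # Drop the spaces ADUC inserts beside parentheses (assumes values never begin or end with one).
    s = re.sub(r"\s+(?=[()])|(?<=[()])\s+", "", text)
    attrs = set()
    end = _parse(s, 0, attrs)
    if end != len(s):
        raise FilterError(f"trailing characters at offset {end}")
    return attrs
def lint_qbdg_filter(text):
    """Findings: a syntax error (sender gets a 5.2.4 NDR) or attributes absent from the global catalog (group silently expands to nobody)."""
    try:
        attrs = parse_filter(text)
    except FilterError as exc:
        return [f"syntax: {exc}"]
    return [f"attribute not in global catalog: {a}" for a in sorted(attrs, key=str.lower)
            if a.lower() in NOT_IN_GLOBAL_CATALOG]       # LDAP attribute names are case-insensitive

# Constructed sample filters (not taken from the page), one per outcome.
GOOD = "(& (mailnickname=*) (objectCategory=person)(objectClass=user)(l=Newport News) )"
MISSING_PAREN = "(&(mailnickname=*)(objectCategory=person)(l=Newport News)"
NOT_IN_GC = "(&(mailnickname=*)(objectCategory=person)(title=Auditor))"
```

Running lint_qbdg_filter over a filter before pasting it into the Customize Filter dialog catches the syntax case that the Preview tab cannot show you; the Preview tab remains the check for a valid query that simply matches nobody.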