MCSA/MCSE 70-294 Working with User, Group, and Figurer Accounts
Michael Cross , ... Thomas Westward. Shinder Dr. Technical Editor , in MCSE (Test 70-294) Study Guide, 2003
Domain Local
Domain local groups also have a scope that extends to the local domain, and are used to assign permissions to local resources. The difference between domain local and global groups is that user accounts, global groups, and universal groups from whatsoever domain can be added to a domain local grouping. Because of its limited scope, even so, members tin can but be assigned permissions within the domain in which this group is created.
As yous might expect from the ii previous scopes, the abilities of a domain local group depends on the domain functional level. If the functional level is prepare to Windows 2000 mixed, then the domain local grouping can but contain user accounts and global groups from any domain. Information technology cannot incorporate universal groups when Windows Server 2003 is using this level of functionality. If the functional level is ready to Windows 2000 native or Windows Server 2003, then the domain local grouping can contain user accounts and global groups from any domain, as well every bit universal groups. In add-on, information technology can contain other domain local groups from the same domain. These abilities, however, have no affect on permissions. In all cases, permissions tin simply be assigned to resources in the local domain.
Domain local groups can be converted to a universal grouping, provided that there are no other domain local groups in its membership. If the domain local grouping does accept other domain local groups as members, then these must be removed from the membership earlier a conversion is fabricated.
MCSE/MCSA seventy–294: Creating User and Group Strategies
Michael Cross , ... Thomas W. Shinder Dr. Technical Editor , in MCSE (Examination 70-294) Study Guide, 2003
Domain Local Groups
According to Microsoft, domain local groups (DLGs) are used when assigning permissions or user rights. While we've loosely mentioned this in regard to all groups, it is this specific grouping scope that Microsoft wants you to use when modifying the access control list (ACL) of an object such every bit a file, or assigning a user right. Other groups will exist added to a DLG to have their members receive the group'due south assigned permissions or rights.
In a Windows 2000 mixed functional level domain, domain local groups tin can consist of users, computers, and global groups from the domain the DLG exists in, and whatsoever trusted domain. When the functional level of the domain is raised to Windows 2000 native or Windows Server 2003, a DLG can as well contain other domain local groups from its local domain, as well every bit universal groups. Despite the fact that this group type can contain users and computers directly, it is of import to think that Microsoft recommends that you use it to contain other groups, which themselves incorporate users or computers. Specific scenarios regarding this usage are presented after in the chapter.
Dustin Hannifin , ... Joey Alpern , in Microsoft Windows Server 2008 R2, 2010
Planning for groups
Before setting up groups in AD, you should properly plan and certificate how you want to utilize groups within your organization. Merely like user accounts, you demand a consistent naming convention and usage strategy. Ane of the more common group strategies involves creating domain local groups related to various resources such as file shares, printers, and internal applications. Then, global groups are created for various workgroups such every bit marketing, finance, and It. Users are then assigned to the global groups. To give a specific workgroup permission to a resource, y'all simply add the global grouping to the local group. If a resource spans multiple domains, y'all may want to consider the usage of universal groups. As a best practise, use universal groups only when necessary every bit they create additional replication traffic across the woods when changes are made. Figure 4.35 depicts what a typical group configuration might look similar.
MCSA/MCSE seventy–294: Working with Forests and Domains
Michael Cross , ... Thomas West. Shinder Dr. Technical Editor , in MCSE (Exam 70-294) Study Guide, 2004
New Domainwide Features
Agile Directory technology debuted with Windows 2000. Now, with Windows Server 2003, it has been refined and enhanced. Active Directory is now easier to deploy, more efficient at replication, has improved administration, and poses a meliorate end-user experience. Some features are enabled correct away, while others require a complete migration of DCs to the new release before they go available. There are endless new features, the nearly significant of which we discuss next.
Domain Controller Rename
Not to be confused with domain renaming, domain controller rename is the ability to rename a DC without following the Windows 2000 procedure of demoting, renaming, and promoting over again. In a large domain, this saves considerable time, especially over a slow WAN link, since the process of re-promoting the DC requires a replication of the Active Directory.
Renaming a DC in Windows Server 2003 is much easier than it was in 2000, but that does not hateful it has become a simple procedure. If you have multiple DCs, before you rename 1 of them you must brand certain of a few things commencement. If any Operational Master roles reside on the DC, you lot need to transfer them to another DC. If the DC is a GC server, you have to motion that part as well. Call up that the first DC you install in the forest is the root DC. This DC is responsible for the GC and for all Flexible Single Master Operations (FSMO) roles unless you have spread them out manually. You lot need to transfer all of these functions to another DC before you lot rename the server.
Universal Groups and Group Conversions
Universal Groups are able to contain members from whatsoever domain in any forest, and they replicate to the GC. They are specially useful for administrative groups. 1 of the all-time uses for groups with universal scope is to consolidate groups to a higher place the domain level. To do this, add domain user accounts to groups with global scope and nest these Global Groups inside Universal Groups. Using this strategy, changes to the Global Groups do non directly impact the membership of groups with universal scope. Taking information technology one step further, a Universal Group in one forest tin can contain Global Groups from i or more additional forests beyond any available wood trusts.
Hither is an example. Refer to Figure 4.2.You accept two domains in different forests with NetBIOS names of CATS and DOGS. Each domain contains a Global Group called Birdwatchers. To have reward of this new capability, you add together both of the Global Groups, CATS\Birdwatchers and DOGS\Birdwatchers, to a Universal Grouping you create called ALLBirdwatchers.The second step is to create an identical Universal Group in the other forest equally well. The ALLBirdwatchers group can now be used to authenticate users anywhere in both enterprises. Whatever changes in the membership of the individual Birdwatchers groups volition not cause replication of the ALLBirdwatchers grouping.
Yous should strive to manage your Universal Groups in such a way equally to minimize the frequency of changes, since every change causes the unabridged membership of the group to be replicated to every GC in the forest. A newly created grouping, by default is configured equally a Security Group with global telescopic regardless of the current domain functional level. Refer to Table 4.1 for a summary of Universal Group capabilities that are available at the various domain functional levels.
Table four.i. Summary of Universal Group Capabilities past Domain Functional Level
Functional Level
Universal Grouping Members
Universal Group Nesting
Windows 2000 mixed
None
None
Windows 2000 native
User and computer accounts, Global Groups, and Universal Groups from any domain
Universal Groups can be added to other groups and assigned permissions in any domain
Windows Server 2003 interim
None
None
Windows Server 2003
User and computer accounts, Global Groups, and Universal Groups from whatever domain
Universal Groups can be added to other groups and assigned permissions in any domain
Groups tin besides exist changed from one scope to another, inside certain limitations. Changing a group scope is not allowed in domains with a functional level of Windows 2000 mixed or Windows Server 2003 interim. The following telescopic conversions are allowed in domains with a functional level of Windows 2000 native or Windows Server 2003:
■
Global to Universal, if the group you desire to change is non a member of another Global Grouping.
■
Domain Local to Universal, if the group you want to change does not take another Domain Local Grouping as a member.
■
Universal to Global, if the group you want to alter does not take another Universal Group as a member.
■
Universal to Domain Local, with no restrictions.
Security Group Nesting
Security Groups are used to grant access to resources. Using nesting, you can add together a grouping to a group. This reduces replication traffic past nesting groups to consolidate member accounts. A Security Group can also exist used as an e-mail distribution list, but a Distribution Grouping cannot be used in a discretionary admission control list (DACL), which means it cannot be used to grant access to resources. Sending electronic mail to a Security Grouping sends the message to all members of the group.
In the Windows 2000 mixed domain functional level, Security Groups are restricted to the post-obit members:
■
Global Groups can but have user accounts as members.
■
Domain Local Groups tin have other Global Groups and user accounts equally members.
■
Universal Groups cannot be created.
Examination Alert
Information technology is very important to know the dissimilar restrictions on grouping memberships at different domain functional levels.
Distribution Grouping Nesting
Distribution Groups are collections of users, computers, contacts, and other groups. They are typically used merely for e-mail applications. Security Groups, on the other paw, are used to grant admission to resources and as electronic mail distribution lists. Using nesting, you tin can add together a group to a group. Grouping nesting consolidates member accounts and reduces replication traffic. Windows NT did not back up Distribution Groups within the Bone, but they are supported in all versions of Agile Directory. Distribution Groups cannot be listed in DACLs in whatever version of Windows, which ways they cannot be used to define permissions on resources and objects, although they can be used in DACLs at the application layer.
Microsoft Exchange is a mutual example. If you lot do not demand a group for security purposes, create a Distribution Grouping instead.
Number of Domain Objects Supported
In Windows 2000, group membership was stored in Agile Directory every bit a single multivalued attribute. When the membership list changed, the unabridged group had to be replicated to all DCs. So that the store could be updated in a single transaction during the replication process, group memberships were express to 5000 members. In Windows Server 2003, Linked Value Replication removes this limitation and minimizes network traffic by setting the granularity of group replication to a unmarried principle value, such as a user or grouping.
Distribution Groups
Distribution Groups, unlike Security Groups, are not primarily used for admission control, although they tin can be used in an ACL at the application layer. Distribution groups are designed to be used with e-postal service applications only. You lot can convert a Distribution Group to a Security Group (or vice versa), if the functional level is Windows 2000 native or higher. You accept to exist a domain or enterprise admin, or a member of the Account Operators Group (or accept the appropriate authority delegated) to catechumen a group. Changing the group type is as elementary as correct-clicking the group in Agile Directory Users and Computers, clicking Properties, and clicking the desired grouping blazon on the General tab.
Henrik Walther , in How to Cheat at Configuring Substitution Server 2007, 2007
Managing Distribution Groups
As is the case with Exchange 2000 and 2003, Exchange 2007 has two types of distribution groups: mail-enabled distribution groups, which are used strictly for distributing messages, and mail-enabled security groups, which are used to assign permissions to users likewise as to distribute letters. In improver, the query-based distribution group introduced in Exchange 2003 has made its way into Commutation 2007, albeit with a new proper name and a few changes. These groups are now called dynamic distribution groups and, as the name implies, are still dynamic in nature and based on a set up of configured criteria. More about them later.
Distribution groups can incorporate other distribution groups, user mailboxes (mailbox-enabled users), and mail contacts (mail-enabled contacts). Yous can get a list of the mail-enabled distribution groups in your organization by selecting the Distribution Grouping subnode beneath the Recipient Configuration work centre node, as shown in Figure iii.32. This is also the place where you create new groups every bit well as modify whatsoever existing ones. Just like user mailbox objects, distribution groups are explicit in Exchange 2007, pregnant that each type of group is differentiated using an private icon as well every bit a recipient blazon details description, as you tin can run into in Figure iii.32. As you can also see in this effigy, nosotros accept four dissimilar explicit grouping types:
Figure three.32. Listing Distribution Group Types under the Distribution Group Subnode
▪
Mail service Universal Distribution groups
▪
Mail service Universal Security groups
▪
Dynamic Distribution groups
▪
Mail Non-Universal groups
▪
Domain Local groups
▪
Global groups
Alarm
Although pre-existing Mail Non-Universal groups are shown under the Distribution Grouping subnode in the figure, yous should exist aware that the assistants of these group types is limited. Really, information technology's recommended that you lot exercise not use these types of groups for distributing messages in Substitution 2007.
Another discussion of warning when you are creating groups in ADU&C snap-in panel: Any group created equally a Distribution Global group will not be available when you lot're trying to mail-enable that group via the EMC. Groups created in the ADUC MMC snap-in must be Universal Distribution groups if they are afterwards to be mail-enabled using the EMC.
SOME INDEPENDENT ADVICE
You may ask, "What should I use in my organization—mail-enabled security groups or ordinary mail service-enabled distribution groups?" That's a actually good question, and here is something to consider: Choosing mail-enabled security groups will give you the option of using the group equally both a distribution group as well every bit using it to assign permissions to user account objects in your Active Directory forest. This means that using mail-enabled security groups will lower the number of groups in your organization, thereby lowering the amount of maintenance required. Exist careful using mail-enabled security groups; y'all could accidentally assign also many permissions to the wrong users! Double check the membership of the distribution list before assigning it to a resource's ACL.
When highlighting a group nether the Distribution Grouping subnode, you get a set up of actions that can be performed on information technology in the Action pane. When highlighting a Mail Universal Security group, for example, we get the set of actions shown in Figure three.33. Nosotros can disable the group, removing all Commutation-related backdrop from the grouping; remove it (which physically removes the group object from Active Directory!); or access the Properties folio for the group by choosing the Properties action.
Effigy iii.33. Actions for a Mail Universal Security Group in the Actions Pane
If we had highlighted a Dynamic Distribution grouping, we would not accept had the option to disable it, but but to remove it.
Highlighting a Mail service Not-Universal group volition also give u.s.a. the option of converting it to a Universal group, every bit shown in Figure 3.34. We highly recommend you do this.
Figure three.34. Actions for a Postal service Non-Universal Group in the Deportment Pane
Let's admission the Properties page for a Mail service Universal Distribution group. The outset tab we're presented with is the Full general tab (come across Figure 3.35), where we can change the proper name and alias of the group as well as view or modify any specified custom attributes.
Figure 3.35. The General Tab for a Distribution Group
We also accept the option of irresolute the group name under the Group Information tab. Nosotros can too specify the person (Advertizing user business relationship) that manages the respective group by selecting the Managed By selection, clicking Browse, and choosing an account in AD. The person specified here volition also exist shown as the Owner when users user the GAL to open up the Properties page of the group from inside Outlook. On a side note, this person has the choice of receiving delivery reports when messages are sent to the group, which is configurable on the Advanced tab. Finally, we have a Notes field, where we can enter authoritative notes virtually the group. Over again, as with user notes, bear in listen that end users will be able to see these notes from their Outlook clients when accessing them in the GAL.
The Members tab should not need any further explanation; information technology is merely the place where you add and/or remove members from the group. The Fellow member Of tab lists any distribution groups that include this group on its member list. Notation that you cannot use this tab to add the selected group to other distribution groups! The E-Mail Addresses tab is the place where you tin can see all the email addresses for the group as well equally modify or add new e-post addresses. By default, the e-mail addresses are stamped on the distribution grouping by the electronic mail address policy in the Commutation organisation; however, you have the option of disabling this beliefs and instead administering these lists manually by deselecting the option Automatically update e-post addresses based on recipient policy.
On the Advanced tab, shown in Effigy three.36, nosotros can specify a elementary display name, used if the original display name of the grouping contains Unicode characters and you lot have third-party applications that don't support Unicode. In addition, you tin can define an expansion server, used to aggrandize group membership. When a message is sent to a distribution group, Substitution must access the membership list to deliver the message to each member of the group. When dealing with large distribution groups, this tin be a very resources-intensive task, thus giving a reason to ascertain a item hub transport server part every bit your expansion server.
Figure 3.36. The Avant-garde Tab
TIP
If you lot specify an expansion server for a particular distribution group, you should ever make sure it'southward well documented considering the grouping will then depend on this specified server to evangelize messages. This means that if you someday discover out you want to supercede your existing hub transport server with a new one, and that detail hub transport server has been explicitly assigned as an expansion server for one or more than distribution groups, those groups will no longer be able to evangelize messages to the respective members.
Nether the Advanced tab, you as well accept the pick of hiding the group from the Exchange Global Address Lists (GAL) and specify that any out-of-office messages should be sent to the originator (the sender of the message) instead of the group. Lastly, y'all take the option of specifying whether commitment reports should be sent or not. If you choose to accept them sent, you tin can select whether they should be sent to the message originator or the grouping manager specified under the Group Information tab. Note that if you make up one's mind to ship delivery reports to the grouping manager, a group manager must be selected under the Group Information Managed By field or you lot will receive a warning bulletin telling you to do so.
TIP
Larger "All User" based distribution groups should always have a limited number of allowed senders defined considering these groups tend to encompass your entire organization and can become you lot in trouble if everyday letters can be delivered to everyone in your company.
The concluding tab is Mail Period Settings, where you can configure the maximum group receiving size in KB too equally defining who should exist allowed to send messages to the grouping.
Notation
When accessed via the Exchange Management Console, the property pages are identical for Mail Universal Distribution groups and Postal service Universal Security groups, so there'due south no reason to go through the tabs nether the Properties page of a Mail Universal Security group.
In The Best Damn Exchange, SQL and IIS Volume Period, 2007
Managing Distribution Groups
As is the case with Exchange 2000 and 2003, Exchange 2007 has 2 types of distribution groups: mail-enabled distribution groups, which are used strictly for distributing messages, and post-enabled security groups, which are used to assign permissions to users as well as to distribute messages. In addition, the query-based distribution group introduced in Exchange 2003 has made its way into Exchange 2007, admitting with a new name and a few changes. These groups are now called dynamic distribution groups and, every bit the proper name implies, are still dynamic in nature and based on a set of configured criteria. More about them afterwards.
Distribution groups tin contain other distribution groups, user mailboxes (mailbox-enabled users), and mail contacts (post-enabled contacts). You can get a list of the mail-enabled distribution groups in your organization by selecting the Distribution Group subnode beneath the Recipient Configuration piece of work center node, as shown in Figure 3.32. This is also the place where you create new groups as well as alter any existing ones.
Figure iii.32. Listing Distribution Grouping Types Under the Distribution Group Subnode
But like user mailbox objects, distribution groups are explicit in Exchange 2007, significant that each type of group is differentiated using an private icon as well as a recipient type details clarification, as you can see in Figure iii.32. As you can also see in this figure, we have four unlike explicit group types:
■ Postal service Universal Distribution groups
■ Postal service Universal Security groups
■ Dynamic Distribution groups
■ Mail Non-Universal groups
■ Domain Local groups
■ Global groups
Warning
Although pre-existing Mail Not-Universal groups are shown nether the Distribution Group subnode in the effigy, y'all should be enlightened that the administration of these grouping types is express. Really, it'due south recommended that you practice non use these types of groups for distributing letters in Exchange 2007.
Another discussion of warning when you are creating groups in ADU&C snap-in console: Any group created as a Distribution Global group will not be bachelor when you're trying to mail-enable that group via the EMC. Groups created in the ADUC MMC snap-in must be Universal Distribution groups if they are afterwards to be mail-enabled using the EMC.
Some Contained Advice
You may ask, "What should I use in my organization—post-enabled security groups or ordinary mail-enabled distribution groups?" That's a really good question, and here is something to consider: Choosing mail-enabled security groups volition give y'all the pick of using the group equally both a distribution group as well equally using it to assign permissions to user business relationship objects in your Agile Directory woods. This means that using post-enabled security groups volition lower the number of groups in your organization, thereby lowering the amount of maintenance required. Be careful using postal service-enabled security groups; y'all could accidentally assign as well many permissions to the wrong users! Double check the membership of the distribution list earlier assigning it to a resources'due south ACL.
When highlighting a grouping under the Distribution Group subnode, you get a set of actions that tin can be performed on it in the Action pane. When highlighting a Mail service Universal Security group, for example, we get the set of actions shown in Figure 3.33. We tin disable the group, removing all Substitution-related backdrop from the group; remove information technology (which physically removes the group object from Active Directory!); or access the Properties page for the group by choosing the Properties action.
Figure iii.33. Actions for a Mail service Universal Security Group in the Actions Pane
If nosotros had highlighted a Dynamic Distribution group, we would not accept had the selection to disable it, just only to remove it.
Highlighting a Mail service Non-Universal group will also give us the option of converting it to a Universal group, equally shown in Figure three.34. We highly recommend you practice this.
Figure 3.34. Actions for a Post Non-Universal Grouping in the Deportment Pane
Let'south access the Properties folio for a Mail Universal Distribution group. The first tab we're presented with is the General tab (see Figure 3.35), where nosotros can change the name and alias of the group as well equally view or modify any specified custom attributes.
Effigy iii.35. The General Tab for a Distribution Grouping
Nosotros also have the selection of irresolute the group name under the Group Data tab. Nosotros tin can besides specify the person (AD user account) that manages the respective group by selecting the Managed By choice, clicking Browse, and choosing an business relationship in Ad. The person specified here will also be shown as the Owner when users user the GAL to open the Properties page of the group from inside Outlook. On a side annotation, this person has the option of receiving delivery reports when messages are sent to the group, which is configurable on the Avant-garde tab. Finally, nosotros have a Notes field, where we tin enter administrative notes nigh the group. Over again, every bit with user notes, bear in mind that finish users will be able to see these notes from their Outlook clients when accessing them in the GAL.
The Members tab should not need any further explanation; it is simply the place where you lot add together and/or remove members from the group. The Member Of tab lists any distribution groups that include this group on its member list. Notation that y'all cannot use this tab to add together the selected group to other distribution groups! The Due east-Mail Addresses tab is the place where you tin see all the east-mail addresses for the group as well every bit modify or add new eastward-post addresses. By default, the email addresses are stamped on the distribution group by the east-mail address policy in the Substitution organization; withal, you take the option of disabling this behavior and instead administering these lists manually by deselecting the pick Automatically update e-mail addresses based on recipient policy.
On the Advanced tab, shown in Figure 3.36, nosotros can specify a unproblematic display proper name, used if the original display name of the group contains Unicode characters and you have third-party applications that don't support Unicode. In add-on, you tin define an expansion server, used to expand group membership. When a message is sent to a distribution grouping, Substitution must access the membership list to deliver the message to each member of the group. When dealing with large distribution groups, this can be a very resources-intensive task, thus giving a reason to define a detail hub transport server role as your expansion server.
Figure three.36. The Avant-garde Tab
Some Independent Advice
If yous specify an expansion server for a particular distribution group, you should always make sure information technology's well documented because the group will then depend on this specified server to deliver messages. This ways that if yous someday find out you want to replace your existing hub transport server with a new ane, and that particular hub ship server has been explicitly assigned every bit an expansion server for ane or more distribution groups, those groups will no longer exist able to deliver messages to the respective members.
Under the Advanced tab, you also accept the option of hiding the group from the Exchange Global Accost Lists (GAL) and specify that whatever out-of-role messages should be sent to the originator (the sender of the message) instead of the group. Lastly, you lot have the option of specifying whether delivery reports should exist sent or not. If you lot choose to have them sent, you can select whether they should be sent to the message originator or the group manager specified under the Group Information tab. Annotation that if you make up one's mind to send delivery reports to the group manager, a group director must be selected under the Group Information Managed Past field or you volition receive a warning bulletin telling you to do so.
The final tab is Mail service Flow Settings, where you can configure the maximum group receiving size in KB as well as defining who should be allowed to send messages to the group.
Some Independent Advice
Larger "All User" based distribution groups should e'er accept a express number of allowed senders defined because these groups tend to embrace your entire organization and can get yous in trouble if everyday messages can be delivered to everyone in your company.
Note
When accessed via the Exchange Management Panel, the property pages are identical for Mail Universal Distribution groups and Mail service Universal Security groups, and then there'due south no reason to go through the tabs under the Properties folio of a Mail Universal Security grouping.
Creating a New Distribution Group
To create a new distribution grouping, click the New Distribution Group link in the Action pane, bringing up the New Distribution Group Sorcerer shown in Figure 3.37. The first page is the Introduction page, where yous need to specify whether you desire to create a new distribution group or mail-enable an existing security group. If you choose to mail-enable an existing group, click the Browse button and you will be presented with a GUI picker, where all security groups that haven't been postal service-enabled will be listed. For the purposes of this case, nosotros'll select New grouping, then click Next.
Figure iii.37. The Introduction Page in the New Distribution Group Magician
On the Grouping Information page shown in Effigy three.38, nosotros'll have to specify whether nosotros want to create a new postal service-enabled distribution grouping or a post-enabled security group. Nosotros'll then demand to specify the OU in which the group should be created in Active Directory and finally give information technology an appropriate proper name and allonym. The allonym is automatically filled in and duplicated with whatever you used for a name; however, it tin can still be changed without altering the name.
Figure iii.38. Selecting the Type of Distribution Group That Should Be Created
Annotation
As already mentioned, the only departure betwixt mail-enabled distribution groups and post-enabled security groups is the power for security groups to be used to assign permissions to user objects in Active Directory.
Let's click Next, which will bring us to the New Distribution Group page, where you should verify the information in the Configuration Summary pane. Once information technology'southward verified, click New and finally click Finish.
To create or alter existing distribution groups via the EMS, use the New-DistributionGroup and Set-DistributionGroup CMDlets. An case of creating a distribution group might look like the following:
New-DistributionGroup -Name "New Group" -OrganizationalUnit
Dynamic distribution groups, which were known as query-based distribution groups in Commutation 2003, provide the aforementioned type of functionality as ordinary distribution groups, but instead of manually adding members to the group'due south membership listing, you tin use a gear up of filters and conditions that you predefine when creating the group to derive its membership. When a message is set to a dynamic distribution group, Exchange queries the Active Directory for recipients matching the specified filters and weather. The principal advantage of using dynamic distribution groups over ordinary distribution groups is that dynamic groups lower the administrative burden, since you don't have to maintain any distribution group membership lists. If nosotros should mention any disadvantage of using dynamic distribution groups, it is that this blazon of grouping puts more load on the Global Catalog servers in your Active Directory wood. This is based on the fact that each fourth dimension a message is sent to a dynamic distribution group, Commutation will have to query them based on the criteria divers in the group.
You create a new dynamic distribution grouping past clicking New Dynamic Distribution Group in the Action pane under the Distribution Group subnode of the Recipient Configuration work eye node.
This volition bring upward the New Dynamic Distribution Group Wizard shown in Figure 3.39. Here you specify the OU in which the group should be created and give the grouping a meaningful proper name. When yous have done so, click Side by side.
Figure 3.39. Naming a New Distribution Group
The next page is the Filter Settings folio (run into Figure iii.xl) where you will need to specify the recipient container the filter should exist applied to. Clicking the Browse button will bring up a GUI picker where yous can choose an private OU or even the whole Active Directory domain, for that matter. On this page you too have the option of specifying the type of recipients that should be included in your filter. For example, this could exist All recipient types or simply Users with Commutation mailboxes. When you lot have fabricated your choices, click Side by side.
Effigy 3.twoscore. Selecting Filter Settings for a New Dynamic Distribution Group
Nosotros have now reached the most interesting of all pages in the wizard, where we actually select and ascertain the conditions that should be used past the group. As y'all can see in Figure 3.41, nosotros tin can select conditions such as Recipient is in a State or Province, Recipient is in a Department, or Recipient is in a company as well equally any of the 15 custom attributes that you might have divers on your mailbox-enabled user objects, so there should be enough of possibilities. For the purposes of our example, nosotros have selected Recipient is in a Company and edited the condition then that all recipients in a company chosen Exchange Dogfood will receive the messages sent to the respective dynamic distribution group. When you accept selected the required conditions, you tin can click the Preview button in the lower-right corner to brandish all recipients who meet your criteria and whether they are the right recipients you intended for the group. When you're ready, click Next, New, and finally Terminate.
Figure 3.41. Choosing Conditions for a New Dynamic Distribution Group
Since most of the Properties pages for a dynamic distribution group are more or less identical to that of an ordinary distribution grouping, nosotros will not embrace them here, with the exception of 2 tabs, which nosotros want to quickly testify you. The Filter and Conditions tabs are where you alter the filter and status behavior for a dynamic distribution group. Equally you tin see in Figure three.42, the Filter tab is where you can change the recipient container and the recipient types used by the group.
Effigy 3.42. The Filter Tab
Under the Conditions tab, shown in Figure iii.43, yous can change the weather that should be used to define your group, likewise every bit use the Preview button to listing all users coming together your conditions.
Figure 3.43. The Conditions Tab
To create or modify existing dynamic distribution groups via the EMS, use the New-DynamicDistributionGroup and Gear up-DynamicDistributionGroup CMDlets.
Some Independent Advice
And then, what practice you do if you want to employ weather condition other than those available in the New Dynamic Distribution Group Wizard? Is this fifty-fifty possible? As a matter of fact, it is, but only by using the New-DynamicDistributionGroup CMDlet in the EMS. Yous should too bear in listen that any weather and filters other than those provided in the GUI must be managed using the European monetary system. If, for example, y'all wanted to create a custom recipient filter that included all recipients in an OU called EDFUsers, with a mailbox located on a server called EDFS03, you would demand to run the following control:
When viewing the Filter tab on the Properties page of a dynamic distribution group, created using a custom filter, you volition see something similar to the display in Figure 3.44, showing the consummate recipient filter.
Effigy three.44. The Filter Tab on the Backdrop Folio When a Filter Has Been Created Through the Exchange Direction Vanquish
0 Response to "Can an Email Distribution Group Contain Other Distribution Group Inside"
Post a Comment