The Two Types of Active Directory Groups

Distribution Groups

Distribution groups are designed to combine users together so that you can send e-mails (via Microsoft Exchange Server) collectively to a group rather than individually to each user in the group. Active Directory distribution groups are designed to be used for e-mail specifically and cannot be granted Windows permissions.
Objects in Active Directory that can have permissions granted to them are known as security principals. For example, users are security principals because a user can be granted rights. Security groups, as discussed below, are also security principals. Distribution groups are not security principals, however, because rights cannot be granted to a distribution group. Why? Because the Active Directory schema does not give distribution groups this ability.

The terms "distribution groups" and "distribution lists" tend to be used interchangeably, particularly if you work with Microsoft Exchange Server administrators. Don't let this trip you up!

Read: Scopes of Active Directory Groups

Security Groups

Used with care, Active Directory security groups provide an efficient way to assign access to resources on your network. Using security groups, you can
Read: Mail Enabled an Active Directory Security Group or Not?

A mail-enabled security group serves a dual purpose in an organization.
Using a Security Group as a Distribution List

Set the Security Group Scope to Universal

By default, most security groups have a global scope. To mail-enable them, you must first change the scope to universal, as Microsoft Exchange only supports universal as a group scope.

Mail-Enable a Security Group

Open Exchange Management Shell on the Exchange Server and run the following cmdlet:

    Enable-DistributionGroup -Identity "Marketing"

Here, replace the group name with the name of your security group. If the group name contains a space, use double quotes. To reverse this, use the following cmdlet:

    Disable-DistributionGroup -Identity "group name"

Create a Mail-Enabled Security Group

You can create a mail-enabled security group using Exchange Administration Center (EAC), as shown below. However, you cannot mail-enable an existing security group using EAC; for that you have to use Exchange Management Shell.

The mail-enabled security group's name, display name, group type, and primary SMTP address will appear in the resulting display. The group is ready to receive an email. To view your group in EAC, go to Recipients > Groups. This group is identical to other distribution groups in terms of its attributes.

Characteristics of Mail-Enabled Security Groups

Granting Access to Resources: Mail-enabled security groups are used for granting access to resources such as SharePoint and emailing notifications to users.

Function Same as Security Groups: They function the same as regular security groups, except that they cannot be dynamically managed through Azure Active Directory and cannot contain devices.

Ability to Send Mail: It includes the ability to send mail to all the members of the group.

Can be Added to Team: Mail-enabled security groups can be added to a team.

A Discussion on Mail-Enabled Security Groups

QUESTION: So should you use a mail-enabled security group for email or create a distribution list instead?
Here are some questions that we have tried to answer to help settle this important question.
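The two steps under "Using a Security Group as a Distribution List" above (change the scope to universal, then mail-enable) can be scripted with checks before each change. This is an added example, not code from the original article; it assumes the ActiveDirectory module is available in the same Exchange Management Shell session and uses the article's "Marketing" group name as the default.

```powershell
# Added example (not from the article): check, convert and mail-enable a security group.
# Run in Exchange Management Shell on a host that also has the ActiveDirectory module.
param(
    [string]$GroupName = 'Marketing'   # group name used in the article's cmdlet
)

Import-Module ActiveDirectory

$group = Get-ADGroup -Identity $GroupName

# Only security groups are security principals; a distribution group does not
# belong in this procedure.
if ($group.GroupCategory -ne 'Security') {
    throw "'$GroupName' is a $($group.GroupCategory) group, not a security group."
}

# Exchange only supports universal scope, so convert before mail-enabling.
# AD rejects Global -> Universal while the group is a member of another global
# group; -ErrorAction Stop halts the script instead of continuing half-done.
if ($group.GroupScope -ne 'Universal') {
    Write-Host "Changing scope of '$GroupName' from $($group.GroupScope) to Universal"
    Set-ADGroup -Identity $group -GroupScope Universal -ErrorAction Stop
}

# Skip the mail-enable step if Exchange already knows the group.
$existing = Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue
if (-not $existing) {
    Enable-DistributionGroup -Identity $GroupName -ErrorAction Stop | Out-Null
}

# Show the attributes the article says appear in the result, plus whether the
# group only accepts mail from authenticated senders.
Get-DistributionGroup -Identity $GroupName |
    Format-List Name, DisplayName, GroupType, PrimarySmtpAddress,
                RequireSenderAuthenticationEnabled
```

Once the group is mail-enabled, anyone who can add a member to it grants both mailbox delivery and whatever resource access the group carries, so review who can manage its membership.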
Risks of Mail-Enabled Security Groups

As you know, as each user object collects more and more SIDs they are going to experience decreased performance due to token bloat. Their logins will be slower, and at more than 1015 tokens, they will be unable to log in entirely.

Of course, this makes it even more important that you have some sort of lifecycle on your security groups. Pretty much any security group should be monitored to make sure that the resource it protects still exists and the membership is current, but it becomes even more critical if every group is a security group!

Read: How to expire Active Directory Security Groups

So, what is right for you? Carefully monitored security groups or a mix of distribution and security groups?

Must Read Resource: Verdict on Mail Enable Security Group or Not

All-in-One Security Solution

When Active Directory groups become too significant a burden to bear, it's time to upgrade your life with GroupID. Join companies like Disney, Nike, Splunk, Hershey's, FedEx, American Red Cross, The Federal Reserve, Cedar Sinai Hospital, and the Center for Autism, who all rely on GroupID to keep their systems up to date and secure. Get started with GroupID today with a Free Trial, and see how much more you could be doing with your Active Directory groups while improving productivity. Learn more about GroupID here.

Which of the following are considered security principals?

Security principals are user accounts, group accounts, and computer accounts.

Which main security principal is recommended for assigning rights and permissions to domain resources?

A group scope that's the main security principal recommended for assigning rights and permissions to domain resources.

downlevel user logon name: The user logon name field defined in a user account object that's used for backward-compatibility with OSs and applications that don't recognize the UPN format.

What are some basic types of Active Directory objects that serve as security principals? Choose all that apply.

Active Directory has two forms of common security principals: user accounts and computer accounts. These accounts represent a physical entity that is either a person or a computer. A user account also can be used as a dedicated service account for some applications.

Which PowerShell cmdlet below can be used to set permissions for a security principal to a GPO or to all GPOs?

The Set-GPPermission cmdlet grants a level of permissions to a security principal (user, security group, or computer) for one Group Policy Object (GPO) or all the GPOs in a domain. You use the TargetName and TargetType parameters to specify a user, security group, or computer for which to set the permission level.
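
The token bloat risk described under "Risks of Mail-Enabled Security Groups" above can be measured per user by counting the group SIDs Active Directory would place in the logon token. This is an added example, not code from the original article; the search base OU and the 80% warning level are assumptions, and the limit defaults to the 1015 figure the article quotes.

```powershell
# Added example (not from the article): report users whose group SID count is
# approaching the limit at which the article says logon fails.
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',  # hypothetical OU, replace with your own
    [int]$Limit = 1015,                                  # figure quoted in the article
    [double]$WarnFraction = 0.8                          # assumed warning level
)

Import-Module ActiveDirectory

$report = foreach ($user in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase) {
    # tokenGroups is a constructed attribute that is only returned when a single
    # object is read directly, so each user is fetched again by identity.
    # It lists the transitive security group SIDs; distribution groups add none,
    # which is why turning every list into a security group inflates this count.
    $sids  = (Get-ADUser -Identity $user.DistinguishedName -Properties tokenGroups).tokenGroups
    $count = ($sids | Measure-Object).Count

    [pscustomobject]@{
        User           = $user.SamAccountName
        GroupSids      = $count
        PercentOfLimit = [math]::Round(100 * $count / $Limit, 1)
    }
}

# tokenGroups leaves out SID history and well-known SIDs added at logon, so the
# real token is somewhat larger; treat the result as a lower bound.
$report |
    Where-Object { $_.GroupSids -ge $Limit * $WarnFraction } |
    Sort-Object GroupSids -Descending |
    Format-Table -AutoSize
```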