Re: Trouble understanding how Exchange uses groups
- From: "Ed Crowley [MVP]" <curspice@xxxxxxxxxxxxxx>
- Date: Thu, 27 Mar 2008 10:26:30 -0700
Inline below.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"
"PufferDude" <PufferDude@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:05735895-9EA5-4B0B-AB0E-D6A6BA1A39EE@xxxxxxxxxxxxxxxx

> I'm very new to Exchange (2003) and some things are not making sense to me.
> It seems that (nearly) all security in Exchange is based on objects that
> appear in the GAB... which seems problematic to me.

The global address book is a reflector of non-excluded mail- and
mailbox-enabled objects in Active Directory and has no security
significance.

> For example, if I create a public folder with the intent of it being a
> shared calendar, and I only want a small subset of Exchange users to be able
> to see/use it, in the permissions tab of the folder I can *only* select users
> or groups from the GAB.

No, you can only select mailbox-enabled users because only they can log on
to Exchange anyway.

> So, I go and create a distribution list in AD and add
> the appropriate subset of users to it, but it is ONLY selectable in the
> permissions of the shared folder if it is a) mailbox enabled and b) visible.

You need to create a mail-enabled security group, actually, because only
those are security principals, and they need to be mail-enabled to show up
for Exchange.

> So, what is the *purpose* of a distribution group that is not mailbox enabled,

That's a good point. Those are pretty useless.

> and what is the purpose of hidden groups, if they can't be used to
> grant rights to users WITHOUT that group showing up as a mail-enabled group
> in the GAB?

Groups can be hidden if it's desired that people not see them in the GAL.
Users who know of their existence can still use them; they just can't pick
them out of the GAL. If hiding them doesn't work for you, then don't do it.

> I guess I'm not understanding why everything in Exchange related to security
> permission is only applicable to VISIBLE users/groups in the GAB, instead of
> groups that can be hidden from users but STILL controlling their access to
> various things. What am I missing? It seems that the GAB will eventually be
> filled with a bunch of groups that you had to put there to grant permissions,
> but DON'T really want/need users to send emails to those groups.

You can hide the groups from the address book after you apply them to rights
settings if you want. Hiding groups from the address book is not the way to
restrict people sending mail to them; the correct way to do that is by
setting delivery restrictions in the group's Properties > Exchange General >
Message Restrictions. For example, if a group contains members who use the
group to communicate with each other, you enter the group itself (after it
has been created initially--you can't do this until you hit "Apply" when
creating the group) in the "accept messages only from" field.
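
The rules from the reply above, applied as an audit over exported group records. This is an added example, not part of the original post. It assumes the standard AD/Exchange attribute names (`groupType`, `mail`, `msExchHideFromAddressLists`, `authOrig`, `dLMemSubmitPerms`), none of which appear in the thread, and the group records and `example.test` names are constructed.

```python
# Added example (not from the thread). Attribute names are standard AD/Exchange
# schema names; every record below is constructed sample data.
SECURITY_ENABLED = 0x80000000  # ADS_GROUP_TYPE_SECURITY_ENABLED bit of groupType

def audit_group(rec):
    """Classify one group record (a dict of AD attributes) per the reply's rules."""
    # LDAP returns groupType as a signed 32-bit integer, so normalise first.
    is_security = bool((rec["groupType"] & 0xFFFFFFFF) & SECURITY_ENABLED)
    mail_enabled = bool(rec.get("mail"))
    hidden = str(rec.get("msExchHideFromAddressLists", "FALSE")).upper() == "TRUE"
    # "Accept messages only from" entries are stored as DNs in authOrig
    # (individual senders) and dLMemSubmitPerms (members of a group).
    restricted = bool(rec.get("authOrig") or rec.get("dLMemSubmitPerms"))
    notes = []
    if mail_enabled and not is_security:
        notes.append("distribution group: not a security principal")
    if is_security and not mail_enabled:
        notes.append("not mail-enabled: will not show up for Exchange")
    if mail_enabled and hidden and not restricted:
        notes.append("hidden only: senders who know the address can still mail it")
    return {
        "name": rec["cn"],
        "usable_for_folder_permissions": is_security and mail_enabled,
        "hidden": hidden,
        "delivery_restricted": restricted,
        "notes": notes,
    }

# Constructed records; example.test names and DNs are hypothetical.
CAL_DN = "CN=CalendarUsers,OU=Groups,DC=example,DC=test"
SAMPLE_GROUPS = [
    {"cn": "CalendarUsers", "groupType": -2147483646, "mail": "calusers@example.test",
     "msExchHideFromAddressLists": "TRUE", "dLMemSubmitPerms": [CAL_DN]},
    {"cn": "StaffDL", "groupType": 2, "mail": "staff@example.test"},
    {"cn": "FileShareAdmins", "groupType": -2147483646},
    {"cn": "HiddenPerms", "groupType": -2147483640, "mail": "hp@example.test",
     "msExchHideFromAddressLists": "TRUE"},
]

if __name__ == "__main__":
    for result in map(audit_group, SAMPLE_GROUPS):
        print(result)
```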