Re: AD distribution and security group usage



What do you mean by assign permissions to DLs in Exchange? Can you provide a
link or more detailed information?

I do not believe our users currently have permission to do this. The problem
is the admin staff have set security groups, mainly for file access, and have
associated an email address with that group.

1. This looks ugly in the GAL
2. When a user asks to be removed from one of these mail-enabled security
groups, they lose permission to access files.

How can I work around this?

"Joe Richards [MVP]" wrote:

You mention GAL so you are using Exchange. Note that Exchange will convert DLs
to security groups as it needs to when people assign permissions to DLs in
Exchange. This could be the lowliest worker who decided to set some mail-enabled
group to have access to something on their mailbox. You really can't stop it;
trying to will hurt Exchange.

As for whether or not groups are being used, it is one of the hardest questions
to answer. There is nothing that tells you when a group was last used. The best you
can do for security groups is look at every user in the group, or part of the
group through nesting, and find out when they last logged on; that is the last
time that group was used by them, as its SID was inserted into their token.
Whether they used that SID or not you cannot ascertain unless you are auditing
the resources the group gives access to. You can try to figure this out by
security-disabling the groups, but that doesn't help a lot again because if they
are Exchange-based, Exchange will just security-enable them again if necessary.

DLs are much tougher; you basically just need to boot all members out and see if
anyone complains.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



desktop wrote:
I am auditing AD,

1. Removing unused distribution/security groups
2. Changing groups used for both distribution and security to distribution
only (in order to remove security groups email addresses from the GAL)

I think the best way to do this would be to:

1. Know the last time that distribution groups were being used/are being
used so I do not remove groups in use - How?
2. Recreate any security groups being used as both security and distribution
groups as distribution groups only - What will this affect?
3. Determine which security groups are currently in use - How?

I have looked at dsget and dsquery as well as csvde and ldifde, which do not
seem to provide the information that I require. Can anyone help?
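The approach Joe Richards describes above (expand each group through nesting and look at when each member last logged on), written up as an added example that is not part of the thread. It assumes the RSAT ActiveDirectory PowerShell module; the OU in the usage call is a placeholder.

```powershell
# Added example: report, per group, whether it is security-enabled, whether it is
# mail-enabled (visible in the GAL), and the most recent lastLogonTimestamp among
# its members through nesting. Assumes the RSAT ActiveDirectory module.
# Caveats from the thread: a recent logon only proves the group SID was placed in a
# token, not that it was used to reach a resource, and it says nothing about DL use.
# lastLogonTimestamp is replicated lazily, so it can lag the true last logon by up to 14 days.
Import-Module ActiveDirectory

$SecurityEnabledFlag = 0x80000000   # ADS_GROUP_TYPE_SECURITY_ENABLED bit in groupType

function Get-GroupUsageReport {
    param(
        [Parameter(Mandatory)][string]$SearchBase   # OU holding the groups to audit (assumption)
    )
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties mail, groupType |
      ForEach-Object {
        $group = $_
        # -Recursive flattens nested groups so users of member groups are included
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        $lastUse = $null
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties lastLogonTimestamp
            if ($u.lastLogonTimestamp) {
                $t = [DateTime]::FromFileTimeUtc($u.lastLogonTimestamp)
                if (-not $lastUse -or $t -gt $lastUse) { $lastUse = $t }
            }
        }
        [pscustomobject]@{
            Name            = $group.Name
            SecurityEnabled = [bool]($group.groupType -band $SecurityEnabledFlag)
            MailEnabled     = [bool]$group.mail      # has an address, so it shows in the GAL
            MemberCount     = @($members).Count
            LastMemberLogon = $lastUse               # $null: no member has ever logged on
        }
      }
}

# Placeholder OU: groups that are both SecurityEnabled and MailEnabled are the ones the
# thread wants split; groups with an old or empty LastMemberLogon are removal candidates.
Get-GroupUsageReport -SearchBase 'OU=Groups,DC=example,DC=com' |
  Sort-Object LastMemberLogon |
  Format-Table Name, SecurityEnabled, MailEnabled, MemberCount, LastMemberLogon -AutoSize
```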
