Re: Best practices for groups?!
- From: "Ace Fekay [MCT]" <aceman@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 29 Sep 2009 11:07:19 -0400
"UselessUser" <UselessUser@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CC34321C-9E82-4B65-A02C-CA69770FB793@xxxxxxxxxxxxxxxx
> Hi,
> 2003 SP2 with Exchange 2003 SP2...
> We are suddenly realizing the fact that our groups and their structure are
> truly awful...
> We have an OU called groups and all groups have been thrown in there... and
> the problems are for example:
> Some distribution groups have been turned into security groups by using
> them for permissions on public folders
> We have used the DL for file permissions, with GG as member, and then
> populated the GG group but other admins have just added users direct to
> the permissions or made them members of the DL so I need to sort that out...
> Basically I am trying to work out a usable structure and create a kind of
> hierarchy of groups, and I am a bit unsure of how to do it with Public
> Folders also... I was going to do the following...
> Create top OU called groups, create sub OUs called distribution,
> security, distribution and security and then put each group in its
> respective place, however with any distribution groups that have been given
> permission to public folders they are now both distribution and security
> which could be a bit confusing...
> How do others deal with this?

The way Public Folders work, if you select to use a Distribution Group
(non-Security Group), the system will "honor" the request and change the
group type to a Security Group, whether you have AD permissions to change
the type directly or not, such as if you are an Exchange admin without AD
permissions.
I've seen this in one place I worked at. The AD group was upset and fuming
trying to nail down who changed them. We kind of smiled and said it was
Exchange. The AD guy wasn't well versed in Exchange, and he simply referred
to Exchange as a big "virus." Go figure...
Dealing with it requires SOPs and a little training and understanding of
what's going on. Not much you can do about it. Have your admins understand
that, although it is appropriate to use groups (and not direct user
accounts), they need to be careful when choosing a group to make sure that
it's not a Dist Group. If it is, submit the appropriate ticket to change the
group type, or a ticket to create a group for this purpose.
What's also funny (not laughing) is when you use a user account for PF
permissions, and that account gets disabled and deleted, it still shows up
in the ACL as "NTUser\jsmith" or whatever their name is. But Exchange will
NOT remove it from the ACL when the account's deleted. Go figure... So if
the PF is mail enabled, and is used by a department to send out mail to the
group such as when something gets posted to the PF, and you have rules to
send to the group, it will generate an NDR, which winds up confusing the
sender, and sometimes the Exchange admins trying to nail it down. This is
another good reason to use a group, and not direct user accounts.
I hope that helps...
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
Messaging
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
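
An added example, not part of the original posting: a read-only PowerShell audit that decodes each group's groupType bit field and flags groups that are both security-enabled and mail-enabled, which is the state a distribution group ends up in after it is used in a public folder ACL. The -Live switch, the Get-GroupKind helper and the sample records are constructed for this example; -Live assumes a domain-joined machine and an account that can read group objects.

```powershell
# Added example, not from the original post. Read-only; changes nothing in AD.
param([switch]$Live)   # -Live queries the current domain; default uses samples

function Get-GroupKind {
    param([int]$GroupType, [string]$Mail)
    # groupType is a signed 32-bit bit field: the sign bit (0x80000000) marks a
    # security-enabled group, the low bits give the scope.
    $scope = switch ($GroupType -band 0xE) {
        2 { 'Global' }
        4 { 'DomainLocal' }
        8 { 'Universal' }
        default { 'Unknown' }
    }
    $security = ($GroupType -band [int]::MinValue) -ne 0
    if ($security -and $Mail) { $kind = 'Security+Mail' }   # the mixed case
    elseif ($security)        { $kind = 'Security' }
    else                      { $kind = 'Distribution' }
    "$scope $kind"
}

if ($Live) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter   = '(objectCategory=group)'
    $s.PageSize = 500    # page results so large domains are not truncated
    'name', 'groupType', 'mail' |
        ForEach-Object { [void]$s.PropertiesToLoad.Add($_) }
    $groups = foreach ($r in $s.FindAll()) {
        New-Object PSObject -Property @{
            Name      = [string]$r.Properties['name'][0]
            GroupType = [int]$r.Properties['grouptype'][0]
            # mail is absent on groups that are not mail-enabled
            Mail      = [string]($r.Properties['mail'] | Select-Object -First 1)
        }
    }
} else {
    # Constructed sample records; names and addresses are made up.
    $groups = @(
        New-Object PSObject -Property @{ Name = 'DL-Sales';   GroupType = 8;           Mail = 'sales@example.test' }
        New-Object PSObject -Property @{ Name = 'DL-Finance'; GroupType = -2147483640; Mail = 'finance@example.test' }
        New-Object PSObject -Property @{ Name = 'GG-Finance'; GroupType = -2147483646; Mail = '' }
    )
}

$groups |
    Select-Object Name, @{ n = 'Kind'; e = { Get-GroupKind $_.GroupType $_.Mail } } |
    Sort-Object Kind, Name |
    Format-Table -AutoSize
```

With the sample records, DL-Finance is reported as "Universal Security+Mail"; groups of that kind are the ones to review against the ticket process described above.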