From: Rich Matheisen [MVP] on
PufferDude <PufferDude(a)discussions.microsoft.com> wrote:

>I'm very new to Exchange (2003) and some things are not making sense to me.
>It seems that (nearly) all security in Exchange is based on objects that
>appear in the GAB.... which seems problematic to me.
>
>For example, if I create a public folder with the intent of it being a
>shared calendar, and I only want a small subset of Exchange users to be able
>to see/use it, in the permissions tab of the folder I can *only* select users
>or groups from the GAB. So, I go and create a distribution list in AD and add
>the appropriate subset of users to it, but it is ONLY selectable in the
>permissions of the shared folder if it is a) mailbox enabled and b) visible.
>
>So, what is the *purpose* of a distribution group that is not mailbox
>enabled, and what is the purpose of hidden groups, if they can't be used to
>grant rights to users WITHOUT that group showing up as a mail-enabled group
>in the GAB?
>
>I guess I'm not understanding why everything in Exchange related to security
>permission is only applicable to VISIBLE users/groups in the GAB, instead of
>groups that can be hidden from users but STILL controlling their access to
>various things. What am I missing?

The fact that Exchange is using "backwards compatible" ways of doing
things. Exchange 5.x still coexists with Exchange 200x in many
organizations, and 5.x had its own directory and security model.

>It seems that the GAB will eventually be
>filled with a bunch of groups that you had to put there to grant permissions,
>but DON'T really want/need users to send emails to those groups.

I think "filled" is a bit overstating things. But the need to use
mail-enabled groups isn't going away as long as MS continues to allow
ancient software (all the way back to the pre-Outlook days of "Capone")
to work with current software.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott(a)getronics.com
Or to these, either: mailto:h.pott(a)pinkroccade.com mailto:melvin.mcphucknuckle(a)getronics.com mailto:melvin.mcphucknuckle(a)pinkroccade.com
From: Rich Matheisen [MVP] on
PufferDude <PufferDude(a)discussions.microsoft.com> wrote:

>Thanks Ed, that helps. Just so I understand what you're saying... if I want
>to apply permissions to a specific group but not have it be visible in the
>GAL, I must let it be visible long enough to apply the permission and THEN
>make it hidden?

Or you could use the legacyExchangeDN property value instead of the
Display Name -- then the thing can remain hidden. The reason you need
to find the thing in the GAL is to resolve the name to the
legacyExchangeDN. Think about it working something like DNS name
resolution.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott(a)getronics.com
Or to these, either: mailto:h.pott(a)pinkroccade.com mailto:melvin.mcphucknuckle(a)getronics.com mailto:melvin.mcphucknuckle(a)pinkroccade.com
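
The name-to-legacyExchangeDN resolution described in the post above can also be done directly against Active Directory, where a group hidden from the GAL is still readable. This is an added example, not part of the original posts; it assumes a domain-joined machine and a hypothetical group named `Calendar-Team`, and reads the standard attributes `legacyExchangeDN`, `mailNickname`, `msExchHideFromAddressLists` and `groupType`.

```powershell
# Added example: resolve a group's legacyExchangeDN straight from Active Directory.
# 'Calendar-Team' is a hypothetical group name; run from a domain-joined machine.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape the characters RFC 4515 reserves in filter values (backslash first).
    $Value = $Value.Replace('\', '\5c')
    $Value = $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $Value.Replace([string][char]0, '\00')
}

function Get-GroupExchangeIdentity {
    param([Parameter(Mandatory)][string]$GroupName)

    $safeName = ConvertTo-LdapFilterValue -Value $GroupName
    $searcher = [adsisearcher]"(&(objectCategory=group)(cn=$safeName))"
    $searcher.PropertiesToLoad.AddRange([string[]]@(
        'cn', 'mailNickname', 'legacyExchangeDN',
        'msExchHideFromAddressLists', 'groupType'))

    $hit = $searcher.FindOne()
    if ($null -eq $hit) { throw "No group with cn '$GroupName' was found." }

    $p = $hit.Properties   # keys in this collection are lower-case
    $groupType = [int]$p['grouptype'][0]

    [pscustomobject]@{
        Name             = [string]$p['cn'][0]
        # No mailNickname means the group is not mail-enabled.
        MailEnabled      = $p['mailnickname'].Count -gt 0
        LegacyExchangeDN = if ($p['legacyexchangedn'].Count) { [string]$p['legacyexchangedn'][0] } else { $null }
        # The attribute is absent (treated as not hidden) unless someone set it.
        HiddenFromGAL    = ($p['msexchhidefromaddresslists'].Count -gt 0) -and [bool]$p['msexchhidefromaddresslists'][0]
        # 0x80000000 is the security-enabled bit of groupType.
        SecurityEnabled  = ($groupType -band 0x80000000) -ne 0
    }
}

Get-GroupExchangeIdentity -GroupName 'Calendar-Team' | Format-List
```
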
From: Ed Crowley [MVP] on
I didn't say completely useless, just pretty useless.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"

"Rich Matheisen [MVP]" <richnews(a)rmcons.com.NOSPAM.COM> wrote in message
news:orgou3dftca1v9hf6nrshhjfa6990bj41h(a)4ax.com...
> "Ed Crowley [MVP]" <curspice(a)mvpsnospam.org> wrote:
>
> [ snip ]
>
>>> So, what is the *purpose* of a distribution group that is not mailbox
>>> enabled,
>>
>>That's a good point. Those are pretty useless.
>
> I don't think so. I use them to populate groups in other systems. The
> other system uses LDAP (of course) to read the membership of the AD
> group and populates the membership of its local group. The group
> membership isn't very large (several hundred members per group), but
> the local access is faster than dynamic LDAP queries.
>
> Just because a group isn't a security principal or have an email
> address doesn't make them "pretty useless". :-)
>
>
> --
> Rich Matheisen
> MCSE+I, Exchange MVP
> MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
> Don't send mail to this address mailto:h.pott(a)getronics.com
> Or to these, either: mailto:h.pott(a)pinkroccade.com
> mailto:melvin.mcphucknuckle(a)getronics.com
> mailto:melvin.mcphucknuckle(a)pinkroccade.com


From: fhp198e on
On Mar 27, 11:28 pm, "Ed Crowley [MVP]" <cursp...(a)mvpsnospam.org>
wrote:
> I didn't say completely useless, just pretty useless.
> --
> Ed Crowley
> MVP - Exchange
> "Protecting the world from PSTs and brick backups!"
>
> "Rich Matheisen [MVP]" <richn...(a)rmcons.com.NOSPAM.COM> wrote in message news:orgou3dftca1v9hf6nrshhjfa6990bj41h(a)4ax.com...
>
> > "Ed Crowley [MVP]" <cursp...(a)mvpsnospam.org> wrote:
>
> > [ snip ]
>
> >>> So, what is the *purpose* of a distribution group that is not mailbox
> >>> enabled,
>
> >>That's a good point. Those are pretty useless.
>
> > I don't think so. I use them to populate groups in other systems. The
> > other system uses LDAP (of course) to read the membership of the AD
> > group and populates the membership of its local group. The group
> > membership isn't very large (several hundred members per group), but
> > the local access is faster than dynamic LDAP queries.
>
> > Just because a group isn't a security principal or have an email
> > address doesn't make them "pretty useless". :-)
>
> > --
> > Rich Matheisen
> > MCSE+I, Exchange MVP
> > MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
> > Don't send mail to this address mailto:h.p...(a)getronics.com
> > Or to these, either: mailto:h.p...(a)pinkroccade.com
> > mailto:melvin.mcphucknuc...(a)getronics.com
> > mailto:melvin.mcphucknuc...(a)pinkroccade.com

I'm encountering a similar problem: adding users individually to the
permissions of a PF works just fine, but attempting to add those in a
DG which is a universal, security, mail enabled group does not allow
them to access the folders.