From: PufferDude on 27 Mar 2008 13:12

I'm very new to Exchange (2003) and some things are not making sense to me. It seems that (nearly) all security in Exchange is based on objects that appear in the GAB.... which seems problematic to me.

For example, if I create a public folder with the intent of it being a shared calendar, and I only want a small subset of Exchange users to be able to see/use it, in the permissions tab of the folder I can *only* select users or groups from the GAB.

So, I go and create a distribution list in AD and add the appropriate subset of users to it, but it is ONLY selectable in the permissions of the shared folder if it is a) mailbox enabled and b) visible.

So, what is the *purpose* of a distribution group that is not mailbox enabled, and what is the purpose of hidden groups, if they can't be used to grant rights to users WITHOUT that group showing up as a mail-enabled group in the GAB?

I guess I'm not understanding why everything in Exchange related to security permission is only applicable to VISIBLE users/groups in the GAB, instead of groups that can be hidden from users but STILL controlling their access to various things. What am I missing? It seems that the GAB will eventually be filled with a bunch of groups that you had to put there to grant permissions, but DON'T really want/need users to send emails to those groups.
From: Ed Crowley [MVP] on 27 Mar 2008 13:26

Inline below.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"

"PufferDude" <PufferDude(a)discussions.microsoft.com> wrote in message news:05735895-9EA5-4B0B-AB0E-D6A6BA1A39EE(a)microsoft.com...
> I'm very new to Exchange (2003) and some things are not making sense to me.
> It seems that (nearly) all security in Exchange is based on objects that appear in the GAB.... which seems problematic to me.

The global address book is a reflector of non-excluded mail- and mailbox-enabled objects in Active Directory and has no security significance.

> For example, if I create a public folder with the intent of it being a shared calendar, and I only want a small subset of Exchange users to be able to see/use it, in the permissions tab of the folder I can *only* select users or groups from the GAB.

No, you can only select mailbox-enabled users because only they can log on to Exchange anyway.

> So, I go and create a distribution list in AD and add the appropriate subset of users to it, but it is ONLY selectable in the permissions of the shared folder if it is a) mailbox enabled and b) visible.

You need to create a mail-enabled security group, actually, because only those are security principals, and they need to be mail-enabled to show up for Exchange.

> So, what is the *purpose* of a distribution group that is not mailbox enabled,

That's a good point. Those are pretty useless.

> and what is the purpose of hidden groups, if they can't be used to grant rights to users WITHOUT that group showing up as a mail-enabled group in the GAB?

Groups can be hidden if it's desired that people not see them in the GAL. Users who know of their existence can still use them, they just can't pick them out of the GAL. If hiding them doesn't work for you, then don't do it.

> I guess I'm not understanding why everything in Exchange related to security permission is only applicable to VISIBLE users/groups in the GAB, instead of groups that can be hidden from users but STILL controlling their access to various things. What am I missing? It seems that the GAB will eventually be filled with a bunch of groups that you had to put there to grant permissions, but DON'T really want/need users to send emails to those groups.

You can hide the groups from the address book after you apply them to rights settings if you want. Hiding groups from the address book is not the way to restrict people sending mail to them, the correct way to do that is by setting delivery restrictions in the group's Properties > Exchange General > Message Restrictions. For example, if a group contains members who use the group to communicate with each other, you enter the group itself (after it has been created initially--you can't do this until you hit "Apply" when creating the group) in the accept messages only from field.
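The sequence Ed describes (security group, mail-enable it, apply the folder permission while it is visible, then hide it and restrict delivery) as an added example scripted against Active Directory with ADSI from PowerShell. This is not code from the thread or from Microsoft; Exchange 2003 has no Exchange cmdlets, so it works on the AD attributes behind the ESM dialogs. The OU, domain and group name are assumed placeholders, and the mailNickname shortcut for mail-enabling is an assumption that the final step checks:

```powershell
# Added example (not from the thread). Run on a domain member as an account
# that can create groups in the target OU. The OU, domain and group name are
# assumed placeholders; change them for your forest.
$groupName = "PF-SharedCalendar"                         # assumed
$ouPath    = "LDAP://OU=Groups,DC=example,DC=local"      # assumed

# 1. Create a universal SECURITY group. groupType is a bit field:
#    0x00000008 = universal scope, 0x80000000 = security-enabled.
#    A distribution group lacks the security bit, so it is not a security
#    principal and can never appear in a folder ACL. Universal scope matters
#    because Exchange expands group membership from the global catalog.
#    0x80000008 written as a signed 32-bit integer is -2147483640.
$ou    = [ADSI]$ouPath
$group = $ou.Create("group", "CN=$groupName")
$group.Put("sAMAccountName", $groupName)
$group.Put("groupType", -2147483640)
$group.SetInfo()
$groupDn = "CN=$groupName," + $ou.Get("distinguishedName")

# 2. Mail-enable it. The supported way on Exchange 2003 is the
#    "Establish E-mail Address" task in Active Directory Users and Computers.
#    Setting mailNickname and letting the Recipient Update Service stamp
#    mail, proxyAddresses and legacyExchangeDN is a shortcut assumed here;
#    step 5 checks that it actually happened.
$group.Put("mailNickname", $groupName)
$group.SetInfo()

# 3. The group is now a security principal that Exchange can see, so it is
#    selectable in the public folder's Permissions tab. Grant the folder
#    permission there before hiding the group, as the thread says.
Read-Host "Apply the folder permission to $groupName now, then press Enter"

# 4. Hide it from the address lists and restrict who may send to it.
#    Hiding only removes it from the GAL; anyone who knows the address can
#    still mail it, so the restriction is what actually limits delivery.
#    For a group entered in "Accept messages: Only from", ESM stores the DN
#    in dLMemSubmitPerms (authOrig holds individual users). 3 = ADS_PROPERTY_UPDATE.
$group.Put("msExchHideFromAddressLists", $true)
$group.PutEx(3, "dLMemSubmitPerms", @($groupDn))
$group.SetInfo()

# 5. Read back what was actually written.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=group)(sAMAccountName=$groupName))"
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]@("groupType", "mail", "msExchHideFromAddressLists", "dLMemSubmitPerms"))
$result = $searcher.FindOne()
$gt = [int]@($result.Properties["grouptype"])[0]
"Security-enabled : " + ($gt -lt 0)                     # sign bit set -> True
"Universal scope  : " + (($gt -band 0x8) -ne 0)
"Mail address     : " + @($result.Properties["mail"])[0] # empty until RUS has run
"Hidden from GAL  : " + @($result.Properties["msexchhidefromaddresslists"])[0]
"Accept only from : " + @($result.Properties["dlmemsubmitperms"])[0]
```

If "Mail address" comes back empty, the Recipient Update Service has not stamped the group yet; wait for its next cycle or use the ADUC task instead of the mailNickname shortcut. The two checks worth keeping in any variant of this are the sign bit on groupType (proves it is a security group, which is what the ACL needs) and the dLMemSubmitPerms value (proves the delivery restriction, not just the hiding, is in place).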
From: PufferDude on 27 Mar 2008 14:46

Thanks Ed, that helps. Just so I understand what you're saying... if I want to apply permissions to a specific group but not have it be visible in the GAL, I must let it be visible long enough to apply the permission and THEN make it hidden?
From: Ed Crowley [MVP] on 27 Mar 2008 16:27

If you can't see it, yes.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"

"PufferDude" <PufferDude(a)discussions.microsoft.com> wrote in message news:57103939-3C15-4FD1-A3C4-3C8D0142D75D(a)microsoft.com...
> Thanks Ed, that helps. Just so I understand what you're saying... if I want to apply permissions to a specific group but not have it be visible in the GAL, I must let it be visible long enough to apply the permission and THEN make it hidden?
From: Rich Matheisen [MVP] on 27 Mar 2008 21:07
"Ed Crowley [MVP]" <curspice(a)mvpsnospam.org> wrote:
[ snip ]
>> So, what is the *purpose* of a distribution group that is not mailbox enabled,
>
>That's a good point. Those are pretty useless.

I don't think so. I use them to populate groups in other systems. The other system uses LDAP (of course) to read the membership of the AD group and populates the membership of its local group. The group membership isn't very large (several hundred members per group), but the local access is faster than dynamic LDAP queries.

Just because a group isn't a security principal or doesn't have an email address doesn't make them "pretty useless". :-)
--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott(a)getronics.com
Or to these, either: mailto:h.pott(a)pinkroccade.com mailto:melvin.mcphucknuckle(a)getronics.com mailto:melvin.mcphucknuckle(a)pinkroccade.com
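Rich's use case, a plain AD group (neither mail-enabled nor a security group) read over LDAP to populate a group in another system, as an added example that is not his code. The "other system" in his post is unspecified, so a local Windows group on the machine running the script stands in for it; the source group DN, the NetBIOS domain name and the local group name are assumed placeholders. It uses the LDAP_MATCHING_RULE_IN_CHAIN filter so nested membership is resolved server-side and the 1500-value limit on a large group's member attribute never comes into play:

```powershell
# Added example (not Rich's code). The AD group, NetBIOS domain and local group
# below are assumed placeholders; the "other system" in the post is not named,
# so a local Windows group on this machine stands in for it.
$sourceGroupDn  = "CN=App-Operators,OU=Groups,DC=example,DC=local"   # assumed
$netbiosDomain  = "EXAMPLE"                                           # assumed
$localGroupName = "App Operators"                                     # assumed
$dryRun         = $true     # print the changes first; set $false to apply them

# Read the membership over LDAP. Searching for users whose memberOf chain
# contains the group (matching rule 1.2.840.113556.1.4.1941,
# LDAP_MATCHING_RULE_IN_CHAIN, on Windows Server 2003 SP2 and later DCs)
# resolves nested groups and avoids the 1500-value ranged retrieval you hit
# when reading a large group's own member attribute. The group does not need
# to be mail-enabled or a security group for any of this to work.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)" +
                     "(memberOf:1.2.840.113556.1.4.1941:=$sourceGroupDn))"
$searcher.PageSize = 500      # paged search; without it results stop at the server's size limit
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("userAccountControl")

$wanted = @{}                 # PowerShell hashtables are case-insensitive, so jdoe == JDoe
foreach ($r in $searcher.FindAll()) {
    $uac = [int]$r.Properties["useraccountcontrol"][0]
    if ($uac -band 0x2) { continue }          # ACCOUNTDISABLE: don't carry disabled users over
    $wanted[[string]$r.Properties["samaccountname"][0]] = $true
}

# Current membership of the local group through the WinNT provider.
$local   = [ADSI]"WinNT://$env:COMPUTERNAME/$localGroupName,group"
$current = @{}
$prefix  = "WinNT://$netbiosDomain/"
foreach ($m in $local.psbase.Invoke("Members")) {
    $path = $m.GetType().InvokeMember("AdsPath", "GetProperty", $null, $m, $null)
    # Only manage accounts from our domain; leave local accounts alone.
    if ($path -like "$prefix*") {
        $current[$path.Substring($prefix.Length)] = $true
    }
}

# Reconcile: add what AD says should be there, remove domain users it no longer lists.
foreach ($name in $wanted.Keys) {
    if (-not $current.ContainsKey($name)) {
        "ADD    $name"
        if (-not $dryRun) { $local.Add("$prefix$name,user") }
    }
}
foreach ($name in $current.Keys) {
    if (-not $wanted.ContainsKey($name)) {
        "REMOVE $name"
        if (-not $dryRun) { $local.Remove("$prefix$name,user") }
    }
}
```

Run it with $dryRun left at $true first and read the ADD/REMOVE lines; the removal branch is what makes the sync authoritative, so a wrong $sourceGroupDn (which simply matches nobody) would otherwise empty the local group of every domain account.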