Exchange & AD Security Groups: making security groups members of distribution lists?

Cerulean ([H]F Junkie) · Joined Jul 27, 2006 · Messages: 9,476
Greetings,

We have a security group for each region in the world (North America, Europe, Asia, South America, Africa, etc).

In addition, we have security groups for departments of regions (NA_dpt_Accounting, NA_dpt_Engineering, etc). These groups are a member of their respective region ("North America").

We have a distribution list for each region in the form of dl-<region>, such as dl-northamerica, dl-europe, etc.

We also have one distribution list dl-company (or dl-world or dl-global or dl-all). All the dl-<region> distribution lists are a member of this. It works.

The problem is this: when a user needs to be able to send an e-mail company-wide, we can't simply give privileges to dl-company ... we have to give privileges to every single dl-<region> and dl-company. We have tried adding plain security groups such as NA_dpt_InformationTechnology or 'North America' but mail is not delivered to these security groups -- we seem to have to use the security groups Exchange creates for distribution lists.

I did observe that the security groups Exchange creates are Universal+Distribution for Group scope and Group type respectively. The security groups we have for regions and departments use the default Global+Security. Some of our folder permissions, shares, GPOs and OU structure depend on these security groups.

Is there any way we can use our region and department security groups as members of distribution lists with success so that when a user needs privileges to send company-wide we don't need to go and modify every distribution list to give the user access to those too (and without breaking anything)? It would certainly make administration for these types of requests a lot easier and less laborious.
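The post above notes that the groups Exchange creates are Universal in scope while the region and department groups are Global, and that mail sent to the Global security groups is not delivered. Exchange can only mail-enable Universal groups, so one route is to convert the existing security groups to Universal scope (the object and its SID stay the same, so ACLs and GPO filtering keep working), mail-enable them, and nest them in the lists. The following is an added example written for this thread, not code from any of the posters; the OU paths, the alias and the domain are placeholders, and it assumes both the ActiveDirectory module and the Exchange Management Shell are loaded in the same session.

```powershell
# Added example (not from the thread): inventory group scope, convert Global -> Universal
# in the right order, then mail-enable and nest a security group.
# Assumed placeholders: 'OU=Groups,DC=example,DC=com', alias 'sg-northamerica'.

Import-Module ActiveDirectory

# 1. Inventory: which security groups are not yet Universal?
#    Only Universal groups can be mail-enabled, so these are the ones to convert.
Get-ADGroup -Filter { GroupCategory -eq 'Security' } `
            -SearchBase 'OU=Groups,DC=example,DC=com' |
    Where-Object { $_.GroupScope -ne 'Universal' } |
    Select-Object Name, GroupScope, GroupCategory |
    Format-Table -AutoSize

# 2. Convert scope. AD will refuse to convert a Global group that is still a member of
#    another Global group, so convert the parent (region) group before its department groups.
function Convert-ToUniversalGroup {
    param([Parameter(Mandatory)][string]$Name)

    $g = Get-ADGroup -Identity $Name -Properties memberOf
    $globalParents = @($g.memberOf | ForEach-Object { Get-ADGroup -Identity $_ } |
                       Where-Object { $_.GroupScope -eq 'Global' })
    if ($globalParents.Count -gt 0) {
        throw "Convert parent group(s) first: $($globalParents.Name -join ', ')"
    }
    if ($g.GroupScope -ne 'Universal') {
        Set-ADGroup -Identity $g -GroupScope Universal
    }
}

Convert-ToUniversalGroup -Name 'North America'      # region first
Convert-ToUniversalGroup -Name 'NA_dpt_Accounting'  # then its department members

# 3. Mail-enable the security group. It is the same AD object, so its SID and existing
#    share/GPO use are unchanged. Hide it from the GAL and restrict who may send to it,
#    since mail-enabling otherwise exposes the group as a reachable recipient.
Enable-DistributionGroup -Identity 'North America' -Alias 'sg-northamerica'
Set-DistributionGroup -Identity 'North America' `
    -HiddenFromAddressListsEnabled $true `
    -RequireSenderAuthenticationEnabled $true

# 4. Nest it in the existing company-wide list in place of a hand-maintained dl-<region>.
Add-DistributionGroupMember -Identity 'dl-company' -Member 'North America'

# Confirm the result.
Get-DistributionGroup -Identity 'North America' |
    Select-Object Name, GroupType, HiddenFromAddressListsEnabled, RequireSenderAuthenticationEnabled
```

Two operational points: run the inventory step first and convert top-down, because the conversion fails on any department group whose parent region group is still Global; and treat a mail-enabled security group as a new mail recipient, so hide it and keep sender authentication on, otherwise the same object that gates file shares becomes addressable from outside.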
 
Can you do a Dynamic OU-based Distro List? And/or is there any correlation between OUs and Security Groups? I'd approach it from that angle. See if this makes sense.

1) Create a Dynamic Distro List based on a Region/Dept/ETC OU. <-- Hide this from the GAL. This would be your dynamically updated "Security Group"

2) Open up Properties of the DL's in question and go into the Mail Flow Settings / Message Delivery Restrictions / Accept Messages From section, you should see the new list available.

That would restrict dynamically based upon OU, would that Fly?
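The two steps above, carried out in the Exchange Management Shell rather than the GUI, as an added example that is not the poster's own code. The OU path, the dynamic group name dyn-northamerica-senders and the target list dl-northamerica are assumed placeholders.

```powershell
# Added example (not from the thread): OU-driven dynamic list used only as a sender filter.
# Assumed placeholders: the OU paths, 'dyn-northamerica-senders' and 'dl-northamerica'.

$senderOU = 'OU=North America,DC=example,DC=com'   # recipient container the list tracks
$groupOU  = 'OU=Groups,DC=example,DC=com'          # where the group object itself is created

# Step 1: dynamic list whose membership is resolved from the OU at send time,
# so nobody has to maintain members by hand.
New-DynamicDistributionGroup -Name 'dyn-northamerica-senders' `
    -RecipientContainer $senderOU `
    -IncludedRecipients MailboxUsers `
    -OrganizationalUnit $groupOU

# Hide it from the GAL: it exists only to express "who may send", not to receive mail.
Set-DynamicDistributionGroup -Identity 'dyn-northamerica-senders' `
    -HiddenFromAddressListsEnabled $true

# Preview who the dynamic list currently resolves to before relying on it.
$dyn = Get-DynamicDistributionGroup -Identity 'dyn-northamerica-senders'
Get-Recipient -RecipientPreviewFilter $dyn.RecipientFilter `
              -OrganizationalUnit $dyn.RecipientContainer |
    Select-Object Name, PrimarySmtpAddress

# Step 2: Message Delivery Restrictions / Accept Messages From, pointed at the dynamic list.
Set-DistributionGroup -Identity 'dl-northamerica' `
    -AcceptMessagesOnlyFromDLMembers 'dyn-northamerica-senders'

# Confirm the restriction is in place.
(Get-DistributionGroup -Identity 'dl-northamerica').AcceptMessagesOnlyFromDLMembers
```

Because membership is evaluated against the OU each time a message is sent, moving an account into that OU silently grants it the right to send to the list. The OU therefore becomes part of the mail authorization boundary, and changes to it (object moves, delegated create rights) deserve the same review as edits to the distribution list itself.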
 
Greetings,

The problem that I am encountering with this is that it will only allow me to specify one 'recipient container' (point it at an OU), which would work great for dl-region-department (individually) and dl-region (north america vs europe). Example of real use: we have an IT department in Asia, Europe, and North America. In AD, these amount to three OUs named after the region --> then child 'departmental' OUs (such as OU=Information Technology,OU=Colorado,OU=North America and OU=Information Technology,OU=New York,OU=North America). Because I am only able to select one recipient container, we are unable to have a dl-northamerica-it distribution list that includes everyone in IT in North America.

But what about dl-global or dl-northamerica-colorado + dl-northamerica-california + dl-northamerica-newyork? For dl-northamerica-colorado/california/newyork we have users mixed and can't really separate them out due to the workflow across these facilities (actually they're in the same state and all three are within a 50 mile stretch of land), so we have to manually maintain the list and be dependent on HR/managers informing us when someone transfers to a different facility. At the present time, we also don't have the priority to go through AD and straighten out all those fields (Department, State or province, Company, Phone Number, and other attributes), but we do have it on our list of future things to do.

Would dl-global be a regular distribution list that includes dl-northamerica as a member? If so, the problem is still that you have to modify multiple distribution lists to grant a user privileges to send, and I wouldn't be able to use a dynamic distribution list for dl-global.
 
You can also nest DLs: 1 or more Security DLs made up of dynamic DLs focused a level or 2 lower, as you mentioned (i.e. OU=Information Technology,OU=Colorado,OU=North America). It sounds like it would also help to get the AD house in order and add to existing procedures before automating this aspect. In an enterprise that big those fields become an invaluable alternative to nested complexity as mentioned above.
 
You're right that it is invaluable because I understand. ;o I appreciate your help and assistance. :) I will refer to this thread when the time calls.
 