
TechRepublic Tutorial: Use Windows 2000 security groups as Exchange 2000 distribution lists

Mail-enable Windows 2000 security groups as Exchange 2000 distribution lists


I mentioned in the Daily Feature "Understanding Exchange 2000 integration with Windows 2000" that Microsoft gives you the ability to use security groups as distribution lists for messaging. However, making it work takes a little bit of doing. In this Daily Feature, I’ll show you how.

Mail-enabled groups
If you decide to use a security group as a distribution list, that group becomes known as a mail-enabled group. However, simply installing Exchange 2000 doesn’t convert all of your security groups to mail-enabled groups. After all, a lot of networks have so many groups that it would be extremely confusing if all of them showed up as distribution lists.

Therefore, Exchange requires that you mail-enable a group before the group can be used as a distribution list. To do so, select either a global group or a universal group from Active Directory Users And Computers. Right-click on the group and select the Exchange Tasks command from the resulting context menu. When you do, Windows will launch the Exchange Task Wizard.

Click Next to bypass the Welcome screen. On the next screen, select Establish An E-mail Address from the list of available tasks and click Next.

On the following screen, you’ll have the chance to enter an alias for the group and to select an administrative group for the group that you’re mail-enabling. You’ll also see a warning, shown in Figure A, that tells you that you should have a detailed understanding of the way Exchange works before mail-enabling groups.

Figure A
Be careful about which groups you mail-enable.


I’ll explain what this means a little later, but for now, enter an alias, select an administrative group, and click Next. At this point, Windows will perform the necessary tasks to mail-enable the group and will display a summary page. Click Finish to close the wizard.

Now, open Outlook and look at the global address list. You’ll see that your security group is now also a distribution group, as shown in Figure B. Any messages you send to the group will be sent to all users in the group.

Figure B
Your security group can also serve as a distribution list.


What about that warning about universal groups?
Right now, you may be wondering why the warning in Figure A specifically recommends only mail-enabling universal groups, even though I mail-enabled a global group with no negative effects. To understand this, you’ve got to understand the nature of global groups and universal groups.

In Windows 2000, universal groups are all-powerful. Universal groups can contain members from any domain and can control access to resources in a variety of domains. The downside to universal groups is that they only exist in Windows 2000 environments that are running in native mode. Therefore, if you’ve still got Windows NT domain controllers, or you just haven’t worked up the nerve to convert to native mode yet, you won’t be able to use universal groups.

Global groups, on the other hand, are available on all Windows 2000 domains but are more restrictive. As with universal groups, global groups can be used to control access to resources in a variety of domains. However, global groups can only contain members from a single domain. This means that if a user in one domain needs to send a message to a global group from another domain, the local domain’s expansion server must have an IP path to the remote domain. Because of the way global groups work, the process of getting a group’s membership list can take some time if the group exists in a remote domain.

Of course, the global group restrictions are a nonissue if your network includes only a single domain. If your network uses multiple domains, though, and is running in native mode, Microsoft recommends only mail-enabling universal groups.

Even with the flexibility of universal groups, though, you still have to be careful with the mail-enabling process. The reason is that any time that you make a change to a universal group’s membership, the change is replicated to every global catalog server in your organization. This replication process can generate a lot of network traffic and can get out of hand on big networks if universal group changes are made frequently.

Therefore, Microsoft recommends that you create global groups within each domain and then add the appropriate global groups to a universal group. Then, when the group membership needs to change, you can apply the change to a global group. Since the universal group’s membership consists entirely of groups, its membership list won’t change when you add and remove users from the individual global groups. This means that you can use group nesting to avoid excess replication traffic on your network.
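To check an existing directory against this advice, the following added example (not part of the original article) audits an LDIF export of group objects. It assumes a multi-domain, native-mode forest, that the export carries the `groupType`, `mailNickname`, and `member` attributes, and that any member DN not present in the export as a group is a user or contact; the function names and sample data are constructed for illustration.

```python
GLOBAL, UNIVERSAL, SECURITY = 0x2, 0x8, 0x80000000  # groupType bit flags
# Constructed sample LDIF (not from a real directory); multi-domain forest assumed.
SAMPLE_LDIF = """\
dn: CN=Sales-East,OU=Groups,DC=east,DC=example,DC=com
groupType: -2147483646
mailNickname: sales-east
member: CN=Ann,OU=Staff,DC=east,DC=example,DC=com

dn: CN=Sales-West,OU=Groups,DC=west,DC=example,DC=com
groupType: -2147483646

dn: CN=All-Sales,OU=Groups,DC=example,DC=com
groupType: -2147483640
mailNickname: all-sales
member: CN=Sales-East,OU=Groups,DC=east,DC=example,DC=com
member: CN=Sales-West,OU=Groups,DC=west,DC=example,DC=com
member: CN=Carol,OU=Staff,DC=example,DC=com
"""

def parse_ldif(text):
    """Return {lowercased dn: {attr: [values]}}; folded lines are rejoined."""
    groups = {}
    for block in text.replace("\n ", "").split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)  # base64 ("::") values are not decoded
                rec.setdefault(attr.lower(), []).append(value)
        if "dn" in rec:
            groups[rec["dn"][0].lower()] = rec
    return groups

def audit(groups):
    """Flag mail-enabled security groups that go against the nesting advice."""
    findings = []
    for rec in groups.values():
        gtype = int(rec.get("grouptype", ["0"])[0]) & 0xFFFFFFFF  # LDIF prints it signed
        if "mailnickname" not in rec or not gtype & SECURITY:
            continue  # only mail-enabled security groups matter here
        if gtype & GLOBAL:
            findings.append((rec["dn"][0], "mail-enabled global group"))
        if gtype & UNIVERSAL:
            direct = [m for m in rec.get("member", []) if m.lower() not in groups]
            if direct:  # each direct change here replicates to every global catalog
                findings.append((rec["dn"][0], f"universal group with {len(direct)} direct non-group member(s)"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_ldif(SAMPLE_LDIF)), sep="\n")
```

In the sample, Sales-East is flagged because it is a mail-enabled global group, and All-Sales is flagged because Carol is a direct member rather than a member of a nested global group.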

Conclusion
Distribution lists can save your users lots of time when they have to e-mail large numbers of people at once. You can save yourself some administrative time by mail-enabling your security groups and creating distribution lists with them.
