Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Best practices for groups?! [message #161491] Tue, 29 September 2009 07:01
UselessUser
Hi,

2003 SP2 with Exchange 2003 SP2...

We are suddenly realizing the fact that our groups and their structure are
truly awful...

We have an OU called groups and all groups have been thrown in there... and
the problems are for example:

Some distribution groups have been turned into security groups by using them
for permissions as public folders

We have used the DL for file permissions, with GG as member, and then
populated the GG group, but other admins have just added users directly to the
permissions or made them members of the DL, so I need to sort that out...

Basically I am trying to work out a usable structure and create a kind of
hierarchy of groups, and I am a bit unsure of how to do it with Public
Folders also... I was going to do the following...

Create top OU called groups, create sub-OUs called distribution, security,
distribution and security, and then put each group in its respective place.
However, any distribution groups that have been given permission to
public folders are now both distribution and security, which could be a
bit confusing...

How do others deal with this?
Re: Best practices for groups?! [message #161500 is a reply to message #161491] Tue, 29 September 2009 09:07
aceman
"UselessUser" <UselessUser@discussions.microsoft.com> wrote in message
news:CC34321C-9E82-4B65-A02C-CA69770FB793@microsoft.com...
> Hi,
>
> 2003 SP2 with Exchange 2003 SP2...
>
> We are suddenly realizing the fact that our groups and their structure are
> truly awful...
>
> We have an OU called groups and all groups have been thrown in there... and
> the problems are for example:
>
> Some distribution groups have been turned into security groups by using them
> for permissions as public folders
>
> We have used the DL for file permissions, with GG as member, and then
> populated the GG group, but other admins have just added users directly to the
> permissions or made them members of the DL, so I need to sort that out...
>
> Basically I am trying to work out a usable structure and create a kind of
> hierarchy of groups, and I am a bit unsure of how to do it with Public
> Folders also... I was going to do the following...
>
> Create top OU called groups, create sub-OUs called distribution, security,
> distribution and security, and then put each group in its respective place.
> However, any distribution groups that have been given permission to
> public folders are now both distribution and security, which could be a
> bit confusing...
>
> How do others deal with this?


The way Public Folders work, if you select to use a Distribution Group
(non-Security Group), the system will "honor" the request and change the
group type to a Security Group, whether you have AD permissions to change
the type directly or not, such as if you are an Exchange admin without AD
permissions.

I've seen this in one place I worked at. The AD group was upset and fuming
trying to nail down who changed them. We kind of smiled and said it was
Exchange. The AD guy wasn't well versed in Exchange, and he simply referred
to Exchange as a big "virus." Go figure...

Dealing with it requires SOPs and a little training and understanding of
what's going on. Not much you can do about it. Have your admins understand
that, although it is appropriate to use groups (and not direct user
accounts), they need to be careful when choosing a group to make sure that
it's not a Dist Group. If it is, submit the appropriate ticket to change the
group type, or a ticket to create a group for this purpose.

What's also funny (not laughing) is when you use a user account for PF
permissions, and that account gets disabled and deleted, it still shows up
in the ACL as "NTUser\jsmith" or whatever their name is. But Exchange will
NOT remove it from the ACL when the account's deleted. Go figure... So if
the PF is mail enabled, and is used by a department to send out mail to the
group such as when something gets posted to the PF, and you have rules to
send to the group, it will generate an NDR, which winds up confusing the
sender, and sometimes the Exchange admins trying to nail it down. This is
another good reason to use a group, and not direct user accounts.

I hope that helps...

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
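
An added example, not part of either post above: a small audit over an exported group list that decodes the AD `groupType` bitmask and flags the two problems discussed in this thread, namely groups filed under a Distribution OU that have become security-enabled, and domain-local security groups with members added directly instead of through a global group. The DNs, OU names and records are constructed, and the check assumes any member that is not itself in the export is a user account.

```python
# Added illustration; all DNs and records below are constructed sample data.
# groupType is returned by LDAP as a signed 32-bit integer.
SECURITY_ENABLED = 0x80000000
SCOPES = {0x2: "global", 0x4: "domain-local", 0x8: "universal"}

# (distinguishedName, groupType, member DNs)
GROUPS = [
    ("CN=DL-Finance-RW,OU=Security,OU=Groups,DC=example,DC=local", -2147483644,
     ["CN=GG-Finance,OU=Security,OU=Groups,DC=example,DC=local",
      "CN=jsmith,OU=Staff,DC=example,DC=local"]),
    ("CN=GG-Finance,OU=Security,OU=Groups,DC=example,DC=local", -2147483646,
     ["CN=adoe,OU=Staff,DC=example,DC=local"]),
    ("CN=All-Sales,OU=Distribution,OU=Groups,DC=example,DC=local", -2147483640,
     ["CN=adoe,OU=Staff,DC=example,DC=local"]),
    ("CN=Newsletter,OU=Distribution,OU=Groups,DC=example,DC=local", 8,
     ["CN=jsmith,OU=Staff,DC=example,DC=local"]),
]

def decode(group_type):
    """Return (scope, is_security) from the groupType bitmask."""
    bits = group_type & 0xFFFFFFFF  # normalise the signed value to unsigned
    scope = next((name for flag, name in SCOPES.items() if bits & flag), "unknown")
    return scope, bool(bits & SECURITY_ENABLED)

def audit(groups):
    """Return (dn, finding) tuples for groups that break the intended layout."""
    group_dns = {dn.lower() for dn, _, _ in groups}
    findings = []
    for dn, gtype, members in groups:
        scope, is_security = decode(gtype)
        # A security-enabled group under the Distribution OU was converted
        # at some point (for example by being used in a public folder ACL).
        if is_security and ",ou=distribution," in dn.lower():
            findings.append((dn, "security-enabled group in Distribution OU"))
        # Domain-local permission groups should contain groups only.
        if is_security and scope == "domain-local":
            direct = [m for m in members if m.lower() not in group_dns]
            if direct:
                findings.append((dn, "direct non-group members: " + "; ".join(direct)))
    return findings

if __name__ == "__main__":
    for dn, finding in audit(GROUPS):
        print(f"{dn}\n    {finding}")
```
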