Trouble understanding how Exchange uses groups
in [Microsoft Exchange]
|
Prev: ESM Error
Next: OAB path change
From: Rich Matheisen [MVP] on 27 Mar 2008 21:13 PufferDude <PufferDude(a)discussions.microsoft.com> wrote: >I'm very new to Exchange (2003) and some things are not making sense to me. >It seems that (nearly) all security in Exchange is based on objects that >appear in the GAB.... which seems problematic to me. > >For example, if I create a public folder with the intent of it being a >shared calendar, and I only want a small subset of Exchange users to be able >to see/use it, in the permissions tab of the folder I can *only* select users >or groups from the GAB. So, I go and create a distribution list in AD and add >the appropriate subset of users to it, but it is ONLY selectable in the >permissions of the shared folder if it is a) mailbox enabled and b) visible. > >So, what is the *purpose* of a distribution group that is not mailbox >enabled, and what is the purpose of hidden groups, if they can't be used to >grant rights to users WITHOUT that group showing up as a mail-enabled group >in the GAB? > >I guess I'm not understanding why everything in Exchange related to security >permission is only applicable to VISIBLE users/groups in the GAB, instead of >groups that can be hidden from users but STILL controlling their access to >various things. What am I missing? The fact that Exchange is using "backwards compatible" ways of doing things. Exchange 5.x still coexists with Exchange 200x in many organizations, and 5.x had its own directory and security model. >It seems that the GAB will eventually be >filled with a bunch of groups that you had to put there to grant permissions, >but DON'T really want/need users to send emails to those groups. I think "filled" is a bit overstating things. But the need to use mail-enabled groups isn't going away as long as MS continues to allow ancient software (all the way back to the pre-Outlook days of "Capone) to work with current software. -- Rich Matheisen MCSE+I, Exchange MVP MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm Don't send mail to this address mailto:h.pott(a)getronics.com Or to these, either: mailto:h.pott(a)pinkroccade.com mailto:melvin.mcphucknuckle(a)getronics.com mailto:melvin.mcphucknuckle(a)pinkroccade.com
From: Rich Matheisen [MVP] on 27 Mar 2008 21:15 PufferDude <PufferDude(a)discussions.microsoft.com> wrote: >Thanks Ed, that helps. Just so I understand what you're saying... if I want >to apply permissions to a specific group but not have it be visible in the >GAL, I must let it be visible long enough to apply the permission and THEN >make it hidden? Or you could use the legacyExchangeDN property value instead of the Display Name -- then the thing can remain hidden. The reason you need to find the thing in the GAL is to resolve the name to the legacyExchangeDN. Think about it working something like DNS name resolution. -- Rich Matheisen MCSE+I, Exchange MVP MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm Don't send mail to this address mailto:h.pott(a)getronics.com Or to these, either: mailto:h.pott(a)pinkroccade.com mailto:melvin.mcphucknuckle(a)getronics.com mailto:melvin.mcphucknuckle(a)pinkroccade.com
From: Ed Crowley [MVP] on 27 Mar 2008 23:28 I didn't say completely useless, just pretty useless. -- Ed Crowley MVP - Exchange "Protecting the world from PSTs and brick backups!" "Rich Matheisen [MVP]" <richnews(a)rmcons.com.NOSPAM.COM> wrote in message news:orgou3dftca1v9hf6nrshhjfa6990bj41h(a)4ax.com... > "Ed Crowley [MVP]" <curspice(a)mvpsnospam.org> wrote: > > [ snip ] > >>> So, what is the *purpose* of a distribution group that is not mailbox >>> enabled, >> >>That's a good point. Those are pretty useless. > > I don't think so. I use them to populate groups in other systems. The > other system uses LDAP (of course) to read the membership of the AD > group and populates the membership of its local group. The group > membership isn't very large (several hundred members per group), but > the local access is faster than dynamic LDAP queries. > > Just becasue a group isn't a security principal or have an email > address doesn't make them "pretty useless". :-) > > > -- > Rich Matheisen > MCSE+I, Exchange MVP > MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm > Don't send mail to this address mailto:h.pott(a)getronics.com > Or to these, either: mailto:h.pott(a)pinkroccade.com > mailto:melvin.mcphucknuckle(a)getronics.com > mailto:melvin.mcphucknuckle(a)pinkroccade.com
From: fhp198e on 3 Apr 2008 09:09
On Mar 27, 11:28 pm, "Ed Crowley [MVP]" <cursp...(a)mvpsnospam.org> wrote: > I didn't say completely useless, just pretty useless. > -- > Ed Crowley > MVP - Exchange > "Protecting the world from PSTs and brick backups!" > > "Rich Matheisen [MVP]" <richn...(a)rmcons.com.NOSPAM.COM> wrote in messagenews:orgou3dftca1v9hf6nrshhjfa6990bj41h(a)4ax.com... > > > "Ed Crowley [MVP]" <cursp...(a)mvpsnospam.org> wrote: > > > [ snip ] > > >>> So, what is the *purpose* of a distribution group that is not mailbox > >>> enabled, > > >>That's a good point. Those are pretty useless. > > > I don't think so. I use them to populate groups in other systems. The > > other system uses LDAP (of course) to read the membership of the AD > > group and populates the membership of its local group. The group > > membership isn't very large (several hundred members per group), but > > the local access is faster than dynamic LDAP queries. > > > Just becasue a group isn't a security principal or have an email > > address doesn't make them "pretty useless". :-) > > > -- > > Rich Matheisen > > MCSE+I, Exchange MVP > > MS Exchange FAQ athttp://www.swinc.com/resource/exch_faq.htm > > Don't send mail to this address mailto:h.p...(a)getronics.com > > Or to these, either: mailto:h.p...(a)pinkroccade.com > > mailto:melvin.mcphucknuc...(a)getronics.com > > mailto:melvin.mcphucknuc...(a)pinkroccade.com I'm encountering a similar problem-adding users individually to the permissions of a PF works just fine, but attempting to add those in a DG which is a universal, security, mail enabled group does not allow them to access the folders. |