Managing Mail-Enabled Groups
Mail-enabled groups are Active Directory security or distribution
groups that have been assigned an e-mail address; when mail is sent to
the group address, Exchange delivers a copy to each member of the group.
Mail-enabling an existing group is done through the Exchange Task Wizard
by choosing the Create An E-Mail Address task from the list.
Mail-enabling a new group as you create it adds one extra step, because
Exchange extends the New Object creation wizard with a page that offers
to create an e-mail address and assign the object to an administrative
group.
Before mail-enabling Active Directory groups, you should understand how
group scope affects the ability of Exchange Server to expand the group
and deliver to its members. There are three scopes for groups: domain
local, global, and universal.
Domain local group
Membership of this group is not published to the global catalog
servers. This means that Exchange Server users whose accounts are in a
domain other than the one that holds the group cannot view the full
membership of a mail-enabled domain local group, and Exchange servers in
those domains cannot expand it without help (see Expansion Servers
below).
Global group
As with a domain local group, membership is not published to the global
catalog servers. Exchange Server users whose accounts are in a domain
other than the one that holds the group cannot view the full membership
of a mail-enabled global group, and Exchange servers in those domains
cannot expand it.
Universal group
Membership of this group is published to every global catalog server in
the forest. This means that Exchange Server users in any domain can view
the full membership of a mail-enabled universal group, and any Exchange
server can expand it. If you have multiple domains in your environment,
mail-enable only universal groups rather than domain local or global
groups.
Expansion Servers
An expansion server is a server that is used to resolve, or expand, the
membership of a mail-enabled group whenever a message is sent to that
group. Because the membership of a domain local or global group is not
in the global catalog, an Exchange server in one domain cannot see the
membership of such a group defined in another domain, and so cannot
deliver messages sent by its users to that group. To make that
expansion possible, you must assign an expansion server when
mail-enabling domain local groups or global groups in environments that
have multiple domains. The expansion server you choose must be in the
same domain as the mail-enabled group, since only servers in that domain
can read the membership from a domain controller there. Expansion
servers are assigned on a group-by-group basis by editing the properties
of the group in the Active Directory Users And Computers console and
then clicking the Exchange Advanced tab. The default setting is to use
any server in the organization, but you can click the drop-down list
and choose a specific server.
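The group-scope rules and the expansion-server requirement above are easy to get wrong in a forest with many groups. The following script is an added example and is not code from the original text or from Microsoft: it lists every mail-enabled group in the forest with its scope (decoded from the groupType attribute) and its expansion-server setting (the msExchExpansionServerName attribute, which holds the server's legacyExchangeDN and is absent when the default Any Server In The Organization is in effect), and flags non-universal groups that have no expansion server in a multi-domain forest as well as expansion servers that are not in the group's own domain. It assumes a domain-joined Windows machine with read access to the forest; all group, domain and server names come from your directory.

```powershell
# Added example; not code from the original text. Lists every mail-enabled group
# in the forest with its scope and expansion-server setting and flags the two
# cases the text warns about. Assumes a domain-joined Windows machine with read
# access to the forest; group, domain and server names all come from your
# directory.

$GROUP_GLOBAL       = 0x00000002   # groupType bit flags defined by Active Directory
$GROUP_DOMAIN_LOCAL = 0x00000004
$GROUP_UNIVERSAL    = 0x00000008

function Get-GroupScope([int]$groupType) {
    if ($groupType -band $GROUP_UNIVERSAL)    { return 'Universal' }
    if ($groupType -band $GROUP_GLOBAL)       { return 'Global' }
    if ($groupType -band $GROUP_DOMAIN_LOCAL) { return 'DomainLocal' }
    return 'Unknown'
}

function Get-DomainFromDN([string]$dn) {
    # DC=corp,DC=example,DC=com -> corp.example.com
    (($dn -split ',') | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
}

$forest      = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forestRoot  = $forest.RootDomain.GetDirectoryEntry().Properties['distinguishedName'].Value
$multiDomain = $forest.Domains.Count -gt 1

function Find-ComputerDomain([string]$serverName) {
    # Look the server's computer account up in the global catalog and return its domain
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]('GC://' + $forestRoot)
    $s.Filter = "(&(objectCategory=computer)(cn=$serverName))"
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    $r = $s.FindOne()
    if ($r) { return Get-DomainFromDN ([string]$r.Properties['distinguishedname'][0]) }
}

# Every group with an Exchange alias (mailNickname) is mail-enabled
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]('GC://' + $forestRoot)
$searcher.Filter     = '(&(objectCategory=group)(mailNickname=*))'
$searcher.PageSize   = 1000

foreach ($result in $searcher.FindAll()) {
    # Bind to the object itself so attributes not replicated to the GC are readable
    $group  = $result.GetDirectoryEntry()
    $dn     = [string]$group.Properties['distinguishedName'].Value
    $domain = Get-DomainFromDN $dn
    $scope  = Get-GroupScope $group.Properties['groupType'].Value
    # msExchExpansionServerName holds the server's legacyExchangeDN; absent means
    # "Any server in the organization", the default shown on the Exchange Advanced tab
    $expDn   = $group.Properties['msExchExpansionServerName'].Value
    $expName = $null
    $finding = 'OK'

    if ($expDn) {
        $expName   = ($expDn -split '/cn=')[-1]        # last cn= component is the server name
        $expDomain = Find-ComputerDomain $expName
        if ($expDomain -and $expDomain -ne $domain) {
            $finding = "Expansion server $expName is in $expDomain, not in the group's domain $domain"
        }
    }
    elseif ($multiDomain -and $scope -ne 'Universal') {
        $finding = "$scope group in a multi-domain forest with no expansion server; set one in $domain or convert the group to universal"
    }

    [pscustomobject]@{
        Group           = [string]$group.Properties['cn'].Value
        Domain          = $domain
        Scope           = $scope
        ExpansionServer = $expName
        Finding         = $finding
    }
}
```

Run it once before a domain consolidation or an Exchange server decommission: a group whose expansion server is being removed, or whose domain is being merged, shows up here as a delivery problem waiting to happen. The script only reads the directory; changing scope or the expansion server is still done on the group's Exchange Advanced tab as described above.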
Query-Based Distribution Groups
A query-based distribution group is a new type of distribution group
introduced in Exchange Server 2003. It provides essentially the same
functionality as a standard distribution group; however, instead of
specifying static user memberships, a query-based distribution group
enables you to use a Lightweight Directory Access Protocol (LDAP) query
to specify membership in the distribution group dynamically (for
example, all employees in an accounting department or all employees in a
particular office building). Adding a user account to the accounting
department therefore results in that user's automatic membership in the
query-based distribution group for the accounting department. The use of
query-based distribution groups can considerably lower the
administrative overhead of maintaining certain distribution groups,
especially those whose memberships change frequently.
Query-based distribution groups are not without disadvantages, though.
They place more of a performance load on server resources: every time an
e-mail message is sent to a query-based distribution group, the
categorizer runs the LDAP query against Active Directory to determine
the membership of the group. Because membership is derived from
attribute values rather than an explicit member list, anyone who can
write the attributes the query filters on (for example, a user's
department) can change who receives the group's mail, so write access
to those attributes deserves the same scrutiny as membership of a static
group. In addition, a query-based distribution group can only be created
in an organization that is running Exchange Server 2003 or later and
that has been switched to native mode (no Exchange 5.5 servers).
To create a query-based distribution group, perform the following steps:
1. Start the Active Directory Users And Computers console, right-click
the container in which you want the group to be created (for example,
the Users container), select New, and then click Query-Based
Distribution Group.
2. The New Object wizard starts, and the first page prompts you for the
name of the group and an alias for it (by default the alias will be the
same as the name). Complete the two fields, and then click Next to
continue.
3. The next step is to build the LDAP query by selecting the recipient
types you want to include (users with Exchange mailboxes, mail-enabled
groups, contacts, and so on) or by supplying a customized LDAP filter.
You can also specify the Active Directory container at which the query
should begin (all subcontainers will be included), as shown in Figure
35. Select the address types, and then click Next to continue.
4. The wizard will prompt you to confirm your selections and then will
create the group when you click Finish.
You can preview the results of the query-based distribution group by
editing the properties of the group in Active Directory Users And
Computers and going to the Preview tab. The preview shows you the
current contents of the group, as well as the syntax of the LDAP query
that is being run. If the results are not what you intended, click the
General tab and modify the query, then preview it again to confirm that
the change corrected the problem.
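The Preview tab is doing nothing more than reading two attributes Exchange stores on the group object, msExchDynamicDLFilter (the LDAP query) and msExchDynamicDLBaseDN (the container the query starts at), and running a subtree search with them. The following script is an added example, not code from the original text or from Microsoft, that does the same from the command line so the query and its current result set can be reviewed or scheduled without the GUI. 'Accounting Staff' is an assumed group name in the current domain; replace it with one of yours. It assumes a domain-joined Windows machine with read access to the domain.

```powershell
# Added example; not code from the original text. Reproduces the Preview tab
# for a query-based distribution group from the command line: it reads the
# filter and base container Exchange stored for the group and runs the same
# subtree search. 'Accounting Staff' is an assumed group name in the current
# domain; replace it with one of yours.

function Get-Prop($result, [string]$name) {
    # First value of a SearchResult attribute, or $null if the attribute is absent
    if ($result.Properties.Contains($name) -and $result.Properties[$name].Count -gt 0) {
        return $result.Properties[$name][0]
    }
}

function Get-QbdgDefinition([string]$groupName) {
    # Query-based DGs are objects of class msExchDynamicDistributionList, not group
    $domainDn = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]('LDAP://' + $domainDn)
    $s.Filter = "(&(objectClass=msExchDynamicDistributionList)(cn=$groupName))"
    [void]$s.PropertiesToLoad.AddRange(@('mail', 'msExchDynamicDLFilter', 'msExchDynamicDLBaseDN'))
    $r = $s.FindOne()
    if (-not $r) { throw "Query-based distribution group '$groupName' not found in $domainDn" }
    [pscustomobject]@{
        Name   = $groupName
        Mail   = [string](Get-Prop $r 'mail')
        Filter = [string](Get-Prop $r 'msexchdynamicdlfilter')   # the LDAP query run at delivery time
        BaseDN = [string](Get-Prop $r 'msexchdynamicdlbasedn')   # container the query starts at
    }
}

function Get-QbdgMembers($definition) {
    # Subtree search under the base DN with the stored filter: what the categorizer does on every message
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]('LDAP://' + $definition.BaseDN)
    $s.Filter      = $definition.Filter
    $s.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $s.PageSize    = 1000
    [void]$s.PropertiesToLoad.AddRange(@('displayName', 'mail', 'distinguishedName'))
    foreach ($r in $s.FindAll()) {
        [pscustomobject]@{
            DisplayName = [string](Get-Prop $r 'displayname')
            Mail        = [string](Get-Prop $r 'mail')
            DN          = [string](Get-Prop $r 'distinguishedname')
        }
    }
}

$qbdg    = Get-QbdgDefinition 'Accounting Staff'
$members = @(Get-QbdgMembers $qbdg)
"Group $($qbdg.Name) <$($qbdg.Mail)> expands under $($qbdg.BaseDN) with the query:"
"  $($qbdg.Filter)"
"$($members.Count) recipient(s) would receive a message sent to it now:"
$members | Format-Table DisplayName, Mail -AutoSize
```

Because the query runs against the domain at the moment you invoke it, two runs a day apart can legitimately differ; saving the output lets you see which attribute change added or removed a recipient, which is exactly the review a dynamically populated group needs before it is used for anything sensitive.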
Limiting Access to Mail-Enabled Groups
In certain situations,
you might want to limit access to your mail-enabled groups to only
members of the group. For example, if you have a mail-enabled group that
is intended for a particular purpose, such as receiving customer
feedback from external customers, you might want to limit the amount of
unwanted internal messages sent to this group. Similarly, you might want
to prevent users from sending messages to a mail-enabled group if it
contains sensitive information, as in the case of a mail-enabled group
that is reserved for management.
There are two ways to
limit access to a mail-enabled group: hiding the mail-enabled group and
restricting access to the mail-enabled group.
Hiding a mail-enabled group
When you hide a mail-enabled group, it does not appear in Exchange
address lists, so users cannot look up the group and send e-mail to it
from the address book. However, anyone who knows or guesses the SMTP
address of the group can still send messages to it, so hiding is a
convenience measure rather than an access control. To hide a
mail-enabled group from Exchange address lists, edit its properties in
the Active Directory Users And Computers console, click the Exchange
Advanced tab, and select Hide Group From Exchange Address Lists. This
solution also prevents users who legitimately need the mail-enabled
group from browsing to it in Exchange address lists.
Restricting access to a mail-enabled group
By configuring a mail-enabled group to specifically identify the users
who can send messages to the group, you limit use of the group to only
those senders that have been granted permission; messages from anyone
else are rejected with a non-delivery report. This is a more effective
solution than simply hiding a group, because the group remains visible
to the people who legitimately use it while users who should not use it
are prevented from sending to it. Message restrictions are configured on
the Exchange General page of the group's properties. By default,
everyone can send to the group, but you can instead allow only
authenticated users, which rejects anonymous SMTP submissions from the
Internet regardless of the sender address they claim, or allow (or
reject) only a specific list of users and groups. For a group that is
meant to be internal only, combine a sender list with the
authenticated-users-only option.
Note
Groups exist to provide a convenient way to send e-mail to a number of
users simultaneously, but they do not prevent users from simply
selecting all of the individual members they wish to send to.
Therefore, while restricting group access removes the convenience of
sending to the group address, it cannot prevent a determined user from
selecting every individual member from the GAL to get around the
restriction.
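Both controls discussed above are stored as attributes on the group object, so they can be audited across the whole organization rather than one property sheet at a time. The following script is an added example, not code from the original text or from Microsoft: for every mail-enabled group and query-based distribution group in the forest it reports whether the group is hidden from address lists (msExchHideFromAddressLists) and which Message Restrictions setting is in force, reconstructed from the attributes the Exchange General page writes (authOrig and dLMemSubmitPerms for Only From, unauthOrig and dLMemRejectPerms for From Everyone Except, and msExchRequireAuthToSendTo for From Authenticated Users Only), and it flags groups that rely on hiding alone. It assumes a domain-joined Windows machine with read access to the forest; all names come from your directory.

```powershell
# Added example; not code from the original text. Reports, for every
# mail-enabled group and query-based distribution group in the forest, whether
# it is hidden from address lists and which sender restriction is in force, so
# that groups protected by hiding alone stand out. Assumes a domain-joined
# Windows machine with read access to the forest; all names come from your
# directory.

function Get-SenderRestriction($entry) {
    # Map the stored attributes back to the Message Restrictions setting on the
    # Exchange General page: "Only from" lives in authOrig (individual senders)
    # and dLMemSubmitPerms (groups); "From everyone except" lives in unauthOrig
    # and dLMemRejectPerms; the "From authenticated users only" box is
    # msExchRequireAuthToSendTo.
    $onlyFrom   = @($entry.Properties['authOrig']) + @($entry.Properties['dLMemSubmitPerms'])
    $exceptFrom = @($entry.Properties['unauthOrig']) + @($entry.Properties['dLMemRejectPerms'])
    $authOnly   = [bool]$entry.Properties['msExchRequireAuthToSendTo'].Value

    if     ($onlyFrom.Count -gt 0)   { $mode = "Only from $($onlyFrom.Count) listed sender(s)" }
    elseif ($exceptFrom.Count -gt 0) { $mode = "From everyone except $($exceptFrom.Count) listed sender(s)" }
    else                             { $mode = 'From everyone' }
    if ($authOnly) { $mode += ', authenticated users only' }
    return $mode
}

function Get-Finding([bool]$hidden, [string]$restriction) {
    # Hiding only removes the entry from address lists; the SMTP address still accepts mail
    if ($restriction -eq 'From everyone' -and $hidden) {
        return 'Hidden but unrestricted: anyone who knows the SMTP address can still send to it'
    }
    if ($restriction -eq 'From everyone') { return 'Open to all senders, including anonymous SMTP' }
    return 'Restricted'
}

$forestRoot = ([ADSI]'LDAP://RootDSE').Properties['rootDomainNamingContext'].Value
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]('GC://' + $forestRoot)
# Static groups have objectCategory group; query-based DGs have their own class
$searcher.Filter     = '(&(mailNickname=*)(|(objectCategory=group)(objectCategory=msExchDynamicDistributionList)))'
$searcher.PageSize   = 1000

$report = foreach ($result in $searcher.FindAll()) {
    $g = $result.GetDirectoryEntry()    # full object, not just the GC's partial attribute set
    $hidden      = [bool]$g.Properties['msExchHideFromAddressLists'].Value   # Hide Group From Exchange Address Lists
    $restriction = Get-SenderRestriction $g
    [pscustomobject]@{
        Group       = [string]$g.Properties['cn'].Value
        Address     = [string]$g.Properties['mail'].Value
        Hidden      = $hidden
        Restriction = $restriction
        Finding     = Get-Finding $hidden $restriction
    }
}
$report | Sort-Object Finding, Group | Format-Table -AutoSize
```

Read the Finding column with the note above in mind: Restricted means only that the group address itself is protected; nothing in these attributes stops a sender from addressing the members individually, so the report tells you which groups are controlled, not which conversations are.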