AD distribution and security group usage

Guest

I am auditing AD,

1. Removing unused distribution/security groups
2. Changing groups used for both distribution and security to distribution
only (in order to remove security groups email addresses from the GAL)

I think the best way to do this would be to:

1. Know the last time that distribution groups were being used/are being
used so I do not remove groups in use - How?
2. Recreate any security groups being used as both security and distribution
groups as distribution groups only - What will this affect?
3. Determine which security groups are currently in use - How?

I have looked at dsget and dsquery as well as csvde and ldifde, which do not
seem to provide the information that I require. Can anyone help?
 
Joe Richards [MVP]

You mention GAL so you are using Exchange; note that Exchange will convert DLs
to security groups as it needs to when people assign permissions to DLs in
Exchange. This could be the lowliest worker who decided to set some mail-enabled
group to have access to something on their mailbox. You really can't stop it;
trying to will hurt Exchange.

As for whether or not groups are being used, it is one of the hardest questions
to answer. There is nothing that tells you when it was last used; the best you
can do for security groups is look at every user in the group (or part of the
group through nesting) and find out when they last logged on. That is the last
time that group was used by them, as its SID was inserted into their token;
whether they used that SID or not you cannot ascertain unless you are auditing
the resources the group gives access to. You can try to figure this out by
security-disabling the groups, but that doesn't help a lot again because if they
are Exchange-based, Exchange will just re-security-enable them if necessary.

DLs are much tougher, you basically just need to boot all members out and see if
anyone complains.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
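An added example, not from the thread, of the check Joe describes: for each mail-enabled security group (the ones cluttering the GAL), expand nested membership and take the newest member lastLogonTimestamp as the last time the group's SID was placed in a token. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the 90-day threshold and output path are assumptions.

```powershell
# Added example (not code from the thread). Assumes the ActiveDirectory module is loaded
# and the caller can read group membership and lastLogonTimestamp.
Import-Module ActiveDirectory

# groupType bit 0x80000000 (2147483648) marks a security-enabled group; a populated
# 'mail' attribute means it is mail-enabled and so shows in the GAL unless hidden.
$filter = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648)(mail=*))'
$groups = Get-ADGroup -LDAPFilter $filter -Properties mail, msExchHideFromAddressLists, whenCreated

$report = foreach ($g in $groups) {
    # -Recursive expands nested groups down to leaf objects (users, computers).
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'

    # Newest lastLogonTimestamp across all nested user members.
    $lastUse = $null
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties lastLogonTimestamp
        if ($u.lastLogonTimestamp) {
            $t = [DateTime]::FromFileTime($u.lastLogonTimestamp)
            if (-not $lastUse -or $t -gt $lastUse) { $lastUse = $t }
        }
    }

    [PSCustomObject]@{
        Group           = $g.SamAccountName
        Mail            = $g.mail
        HiddenFromGAL   = [bool]$g.msExchHideFromAddressLists
        Created         = $g.whenCreated
        Members         = @($members).Count
        # $null means the group is empty or no member has ever logged on.
        LastMemberLogon = $lastUse
    }
}

# Candidates for review, not automatic deletion: lastLogonTimestamp replicates only
# every ~14 days, and a SID in a token proves presence, not that the SID granted access.
$cutoff = (Get-Date).AddDays(-90)   # assumed threshold
$report | Sort-Object LastMemberLogon | Format-Table -AutoSize
$report |
    Where-Object { $_.Members -eq 0 -or -not $_.LastMemberLogon -or $_.LastMemberLogon -lt $cutoff } |
    Export-Csv -Path .\stale-mail-enabled-security-groups.csv -NoTypeInformation
```

Distribution-only groups get no such signal, which is why the thread's only answer for them is to empty the group and wait for complaints; the CSV at least gives a reviewable list of the security groups before anything is changed.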
 
Guest

What do you mean by assign permissions to DLs in Exchange? Can you provide a
link or more detailed information?

I do not believe our users currently have permission to do this. The problem
is the admin staff have set security groups, mainly for file access, and have
associated an email address with that group.

1. This looks ugly in the GAL
2. When a user asks to be removed from one of these mail enabled security
groups, they lose permission to access files.

How can I work around this?
 
Joe Richards [MVP]

I don't know if I have seen it officially documented.

The issue is that Exchange now uses SIDs instead of DNs for security on Exchange
objects. This means that you need the SIDs in your tokens to access Exchange
resources, so if someone uses a DL to secure an object, say a public folder or
even their calendar, Exchange will only work with that if the group has been
security-enabled, so it goes ahead and security-enables it if it isn't already.
Try it, you will see it.

Your users don't have permission to do it but Exchange does. That is one of the
permissions it gives itself when you do the domain prep. All your users need to
do is assign a DL to something to secure it, again like their own mailbox and
they certainly have those rights.


joe


 
Guest

I am attempting to recreate this, but I am not sure what you mean by

"if someone uses a DL to secure an object".

I have created a test DL and given it permission to review my calendar. Yet
ADUC still reports the group as a DL and not a security group.

We are currently using Exchange 2000; is this where the difference lies?
 
Joe Richards [MVP]

Nope, that will occur on Exchange 2000 or Exchange 2003. I first started seeing
it back several years ago on Exchange 2000 Enterprise systems. You may have to
wait for replication as you may be hitting a different DC from the one Exchange
is using.

 
Guest

I could create security groups and hide them from the GAL, hence users will
not be able to see the security groups to apply privileges to - what do you
think?

Is this how admins generally deal with this? I imagine that admins do not
want users seeing security group membership...
 
Joe Richards [MVP]

Hiding things from Exchange can be a trying experience. You can certainly try
it, but again, it does nothing to prevent someone from adding a normal
non-security DL into an ACL and having Exchange convert it to a security group.

 