Distribution Global Groups in Security Global Groups

[Sam Workman]

I am running windows 2000 Active Directory in Native mode. I have several
distribution groups set up. I know security can not be applied to
distribution groups, but I can place the distribution groups inside of
security groups. Does anyone know if this works, i.e. can I apply security
to a security group and drop a distribution group inside the security group
and apply permissions that way. If that does not work why does ADUC let me
do this with no notifications?


Thank you,

Sam

 

[Richard Mueller [MVP]]

I am running windows 2000 Active Directory in Native mode. I have several
distribution groups set up. I know security can not be applied to
distribution groups, but I can place the distribution groups inside of
security groups. Does anyone know if this works, i.e. can I apply security
to a security group and drop a distribution group inside the security group
and apply permissions that way. If that does not work why does ADUC let me
do this with no notifications?

Hi,

I tested and I can make a user a member of a distribution group (Global),
then make this group a member of a security group (global), then give the
security group permission to read/write a share to a folder. The user is
revealed to be a member of the security group if I use a recursive
subroutine to enumerate the user object memberOf attribute. However, the
user is denied permission to view any files in the shared folder. I note
that a function that determines group membership by enumerating the
tokenGroups attribute of the user object does not reveal membership in
either the distribution group or the security group.

When the user logs on, a token is created with the objectSid of all security
groups the user is a member of. This token is used to check permissions. The
token does not include the objectSid of any distribution groups. I think the
token includes the same groups as the tokenGroups attribute. Since the
tokenGroup attribute does not include the Sid of the distribution group, it
also does not include the Sid of any groups that the distribution group
belongs to, even if they are security groups. It includes all security group
memberships, including nested groups and the primary group.

I guess Active Directory lets you make a distribution group a member of a
security group, even though this does not confer any permissions, because
you can still use this membership for other purposes. You can still test for
nested group membership and see that the user is a member of both groups.
However, the tokenGroups attribute never reveals memberhip in distribute
groups. Interesting.

 

[Sam Workman]

Hi,

I tested and I can make a user a member of a distribution group (Global),
then make this group a member of a security group (global), then give the
security group permission to read/write a share to a folder. The user is
revealed to be a member of the security group if I use a recursive
subroutine to enumerate the user object memberOf attribute. However, the
user is denied permission to view any files in the shared folder. I note
that a function that determines group membership by enumerating the
tokenGroups attribute of the user object does not reveal membership in
either the distribution group or the security group.

When the user logs on, a token is created with the objectSid of all security
groups the user is a member of. This token is used to check permissions. The
token does not include the objectSid of any distribution groups. I think the
token includes the same groups as the tokenGroups attribute. Since the
tokenGroup attribute does not include the Sid of the distribution group, it
also does not include the Sid of any groups that the distribution group
belongs to, even if they are security groups. It includes all security group
memberships, including nested groups and the primary group.

I guess Active Directory lets you make a distribution group a member of a
security group, even though this does not confer any permissions, because
you can still use this membership for other purposes. You can still test for
nested group membership and see that the user is a member of both groups.
However, the tokenGroups attribute never reveals memberhip in distribute
groups. Interesting.

This is similar to the testing and findings that I have done myself, it is
helpful to have a second set of eyes look at my problem.

Thanks,

Sam

 

[Sam Workman]

And,

I guess you could another reason AD lets you do this is in case you mail
enable that security group that the distribution group is nested in.

Sam