Security & Distribution groups

  • Thread starter Daniel Sullivan
  • Start date
D

Daniel Sullivan

For the properties of a group in active directory, what is
the difference between a security group and a distribution
group? Thanks in advance...

~Dan
 
C

Cary Shultz [MVP]

-----Original Message-----
For the properties of a group in active directory, what is
the difference between a security group and a distribution
group? Thanks in advance...

~Dan
.
Dan,

The short answer is that a Security Group can be used to
apply permissions. Both Security and Distribution Groups
can be mail-enabled.

If I might think out loud, I like to keep the two group
types separate. Meaning, I like to use Securtiy Group on
a File Server to apply permissions to folders.
Furthermore, I like to use Distribution Groups for
puroposes of sending e-mail. Remember, I could just as
easily mail-enable a Security Group.

HTH,

Cary
 
T

Tony Yuhas [MSFT]

Hi Daniel,

As the name implies, security groups are for use in
designating security-required tasks. For example, you
can assign the administration of a set of users to
security group - any members of the security group would
have administrative privileges over those specified users.

Distribution groups are for information sharing, but can
not be assigned any AD security tasks.

Hope this helps,
Tony Yuhas
Microsoft
Active Directory Tools
 
J

Joe Richards [MVP]

You have gotten some good answers but I will put my spin on it which is always slightly off center.

1. Both groups can be used to ACL resources. (no one argue this point until they try it...)
2. Only security group SIDS will be placed in user tokens so even if a user was in a DL and that DL had perms on an
object, they couldn't use it as they don't get the SID in the logon token.
3. Groups that are used in any Exchange permissioning will AUTOMATICALLY and with NO WARNING be turned into security
groups.
4. Both can be mail enabled for exchange for mail routing (keep note of where the resolution will be to determine what
kind of group to use - you don't always have to use universals).
5. I visualize more and more use of DL groups for authorization within LDAP only applications as you don't incur the
overhead of large tokens (and blown up kerb certs) when placed in large numbers of DL's.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top