3

I would like to manage my distribution lists indirectly, via security groups, so that when I add a user to the appropriate security groups, they will automatically be members of the appropriate distribution groups.

Distribution Group Everyone (everyone@example.com)
  Security Group A
    User 1 (user1@example.com)
    User 2 (user2@example.com)
  Security Group B
    User 3 (user3@example.com)
    User 4 (user4@example.com)

The security groups are not (and I would prefer that they remain not) mail enabled. Is this a viable setup? Is there something special I need to do to have this work? On the surface, it appears to be failing, so I suspect I must make the security groups mail enabled, but it frustrates me that there is not a better solution.

The problem is that I do not want users to get into the habit of emailing security groups directly, and if I mail-enable them then expanding the distribution group will result in them seeing the child groups, and possibly using them instead of the distribution list. Similar to an unpublished API, having this information visible may come back to haunt me at some future point.

Myrddin Emrys

1 Answer

6

No; distribution group membership checking is not recursive.

Exchange depends on the group expansion logic for nested membership, which means that all the groups down the chain must be mail-enabled.

It certainly would be nice if we could just dump security groups into distribution groups, especially if you've implemented role-based security, but the group expansion method fits a lot better with how a purely email implementation should behave.

Shane Madden
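
An audit for the situation the answer describes, as an added example that is not part of the original question or answer: it walks a distribution group's nesting in Active Directory and lists every nested group with no `mail` attribute, which Exchange will not expand. The function name, the use of `Everyone` as the group's sAMAccountName, and treating an empty `mail` attribute as "not mail-enabled" are assumptions made for illustration.

```powershell
# Added example (not from the original thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Find-NonMailEnabledNestedGroup {
    # Hypothetical helper name; reports nested groups that have no 'mail' attribute.
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [System.Collections.Generic.HashSet[string]] $Visited =
            ([System.Collections.Generic.HashSet[string]]::new())
    )

    $group = Get-ADGroup -Identity $Identity -Properties mail, member

    # Guard against circular nesting (A contains B, B contains A).
    if (-not $Visited.Add($group.DistinguishedName)) { return }

    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties mail

        # Users and contacts are not the concern here; only nested groups are.
        if ($obj.ObjectClass -ne 'group') { continue }

        # Assumption: an empty 'mail' attribute means the group is not mail-enabled,
        # so its members would not receive mail sent to the parent.
        if ([string]::IsNullOrEmpty($obj.mail)) {
            [pscustomobject]@{
                Parent            = $group.Name
                NestedGroup       = $obj.Name
                DistinguishedName = $obj.DistinguishedName
            }
        }

        # Keep walking so deeper levels are reported in the same pass.
        Find-NonMailEnabledNestedGroup -Identity $obj.DistinguishedName -Visited $Visited
    }
}

# 'Everyone' is the distribution group from the question's layout (assumed sAMAccountName).
Find-NonMailEnabledNestedGroup -Identity 'Everyone' | Format-Table -AutoSize
```

Run against the layout in the question, this would list Security Group A and Security Group B under the parent Everyone.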