- Exchange's Core Components
- Design Goals
- Architecture Similarities
- Terminology Changes
- Architecture Changes
- Directory Services
- Directory Access
- How DSProxy Is Used
- How DS Referral Is Used
- Transport Services
- IIS Integration
- Distributed Configurations
- Addressing with Exchange 2000
- Address Generation
- Directory Connectivity
- Active Directory Connector (ADC)
- Site Replication Service
- Address Lists
- Accessing Filter Rules for Address Lists
- Configuring Filter Rules for Address Lists
- Active Directory Users and Computers
- Creating Users
- Creating Groups
- Creating Contacts
- Managing Users
- Managing Groups
- Managing Contacts
- Tools
- ADSIEDIT
- NTDSUTIL
- Troubleshooting
- DS Referral
- Configuration of Diagnostic Logging
- Displaying Routing and Administrative Groups
Creating Groups
Exchange 5.5 distribution lists have changed to group objects. These groups can be security groups with a Security ID (SID), or distribution groups without a SID. When an object does not have a SID, the object cannot be placed in an access control list.
Windows 2000 groups appear as distribution lists in an Exchange directory. The administrator can specify the group to be a security group, which allows the group to be placed in an access control list. If the group is specified as a distribution group, it can be used for email, but not for security.
SID: Security ID. The SID is a core component of the Windows NT security model. Every user object has an associated SID.
TIP
When public folders are migrated from Exchange 5.5, the distribution lists become distribution groups without SIDs. In the prerelease version of Exchange 2000, the administrator must perform an additional task to create groups based on distribution lists from Exchange 5.5. The administrator must also add the groups to the ACLs manually.
Groups are not created using a standalone program, such as admin.exe from Exchange 5.x, nor are groups created using the Exchange Service Manager (ESM) MMC snap-in. Groups are created using the AD Users and Computers MMC snap-in. (See Figure 3.18.) This is because a group is now an object residing in the AD. A group somewhat blurs the line between mailbox-enabled and mail-enabled objects. Whereas a mailbox cannot be assigned to a Group object, a public folder can be. Thus, a Group object cannot access a mailbox, but it can participate in the Exchange database via the public folder structure.
Figure 3.18 Notice that Group objects use a different icon from a user. A similar icon with a superimposed star is on the toolbar. Icons on the toolbar with the star are used to create new objects.
CDO can be used to programmatically manipulate AD and Exchange objects. This means that group objects could be created by a custom application or Web interface. More detail about CDO and CDOEXM (CDO for Exchange Management) is in the section of this book that covers CDO in depth.
For an explanation of mail-enabled versus mailbox-enabled objects, see the "Address Generation" section of this chapter.
To create a new group from the AD Users and Computers interface, either select Action, New, Group from the menu, or click the Create a new group in the current container icon.
Figure 3.19 The quickest way to create a new group is to use this icon.
Either method, initiated from the AD Users and Computers MMC snap-in, starts the group-creation process, in which a series of three dialog boxes guides the administrator through the entire process.
The first dialog box of the new-group creation process contains fields for both the Group name and the pre-Windows 2000 Group name. (See Figure 3.20.) After entering the name for the group, the Group Scope and Group Type must be selected.
Figure 3.20 This interface has a useful data-entry feature. When the Group name is typed in, the Group name (pre-Windows 2000) field is simultaneously filled in with the same data.
Two types of groups are in Windows 2000: Security and Distribution. A Security group is a security principal defining a collection of users and groups. Windows 2000 uses this security principal to control access to resources. A Distribution group is a distribution list that is not a security principal. Both varieties of AD groups can be assigned an email address.
The three Group Scopes are Domain local, Global, and Universal. The Domain local scope allows only users from the local domain to belong to the group. The Global scope allows users in any domain to be added as members of the group. Neither Domain local nor Global groups are published in the Global Catalog (GC). The Universal group accepts members from any domain and is published in the GC, which aligns it most closely with the behavior of groups from Exchange 5.5.
NOTE
Universal Groups are only available if the environment is in Native mode.
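The Group Type and Group Scope choices above, and the SID/ACL distinction described at the start of this section, are stored in a single AD attribute, groupType. The following added example (not code from the book, nor from Exchange or the CDO/ADSI libraries it mentions) encodes the dialog choices into that attribute, decodes stored values for an audit, and flags groups that cannot carry ACL permissions because they are distribution groups. The flag constants are the standard AD groupType bits; the native-mode input and the sample group records are assumptions constructed for the example.

```python
# Added example: model the New Group dialog's Type/Scope choices as the
# AD groupType attribute. Flag values are the standard AD groupType bits.
GLOBAL, DOMAIN_LOCAL, UNIVERSAL = 0x2, 0x4, 0x8
SECURITY_ENABLED = 0x80000000  # set => security principal with a SID usable in ACLs

# Ordered so decode() checks scopes deterministically.
SCOPES = (("Global", GLOBAL), ("Domain local", DOMAIN_LOCAL), ("Universal", UNIVERSAL))


def encode_group_type(scope, security, native_mode):
    """Return the signed 32-bit groupType value AD stores for the dialog choices.

    native_mode is an assumed caller-supplied flag for the domain mode. The
    chapter's NOTE states the Native-mode requirement for Universal groups;
    the check here applies it to universal *security* groups, which is the
    case mixed mode actually refuses.
    """
    flags = dict(SCOPES)
    if scope not in flags:
        raise ValueError("unknown scope: %s" % scope)
    if scope == "Universal" and security and not native_mode:
        raise ValueError("Universal security groups require Native mode")
    value = flags[scope] | (SECURITY_ENABLED if security else 0)
    # LDAP exposes groupType as a signed 32-bit integer, so the security bit makes it negative.
    return value - 0x100000000 if value & 0x80000000 else value


def decode_group_type(value):
    """Classify a stored groupType; accepts signed or unsigned input."""
    bits = value & 0xFFFFFFFF
    scope = next((name for name, flag in SCOPES if bits & flag), "Builtin/other")
    security = bool(bits & SECURITY_ENABLED)
    return {
        "scope": scope,
        "type": "Security" if security else "Distribution",
        "published_in_gc": scope == "Universal",  # per the chapter's scope description
        "usable_in_acl": security,                # no SID => cannot appear in an ACL
    }


def acl_audit(groups):
    """Names of groups that have no SID and so cannot hold public-folder ACL
    entries (the post-migration situation the TIP describes).
    groups: iterable of {"name": ..., "groupType": ...} records (constructed input)."""
    return [g["name"] for g in groups
            if not decode_group_type(g["groupType"])["usable_in_acl"]]
```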
In the second dialog box of the new-group creation process, the Alias of the group object can be changed. This is the alias that is used for addressing. (See Figure 3.21.) After clicking Next, the information can be verified for the new group.
Figure 3.21 There might be an instance where an administrator does not want a list to be accessed from within Exchange. Deselecting the Create an Exchange email address check box will create a list without an Exchange email address.
In the third dialog box of the new-group creation process, clicking Finish will create the new group. If the information is not correct, the administrator can click Cancel to terminate the process without creating the group. After clicking Finish, the new group is ready for use.
Security groups in Windows 2000 can be automatically used as Exchange 2000 distribution lists, removing the need to create a parallel set of distribution lists for each department or group.