In Windows 2000, a group is a container of sorts that can hold users and other groups. You can assign permissions to a group that are inherited by all of the objects in that group. This makes the group a valuable Windows 2000 security construct. Exchange 2000 Server also uses groups for another purpose. A group can be mail enabled and then populated with other mail- or mailbox-enabled recipients to make a distribution list, a term you may be familiar with from earlier versions of Exchange Server. A group can contain users, contacts, public folders, and even other groups. When you send a message to a mail-enabled group, the message is sent to each member of the list individually. Groups are visible in the Global Address List.
Creating a new mail-enabled group is easy. Choose New Group from the Action menu of Active Directory Users and Computers. This command starts the New Group Wizard, as shown in Figure 9-19. Enter a group name that describes the members the group will contain. You must also choose a group scope and a group type. The group scope defines the level at which the group will be available in Active Directory. The group type defines whether the group is for security or distribution purposes. A security group can be mail enabled and used for distribution purposes, but a distribution group cannot be used for security purposes. When you're done, click Next.
Figure 9-19. Creating a distribution group.
On the next screen of the New Group Wizard, you can specify whether a mail address should be created for the new group, and you can enter an alias name. If you are creating a group to be used as a distribution list, you must create an email address. Once you click Finish in this screen, the new group is created and you are ready to add members. This process is described in the next section, along with other ways of configuring groups.
You configure a group in the same way that you configure other recipients—with a property sheet. Many of the tabs are identical to those of the same name for user objects; refer to the "Users" section earlier in this chapter for details on those tabs. Some of the tabs found on a user's property sheet simply don't exist for a group. This section covers the three Exchange-related tabs that do differ for a group.
The Members tab lists every member of the group. Use the Add button to access the Active Directory list, from which you can add new members to the group. You can use the Remove button to remove selected members.
The Managed By tab, shown in Figure 9-20, lets you assign an owner to the group. The owner manages the group's membership. By default, the administrator who creates the group is the owner, but you can designate as owner any user, group, or contact in the Global Address List. If you give ownership to another user, that user can use an Exchange client or Outlook to modify the group's membership and does not need access to Active Directory Users and Computers. You can relieve yourself of a great deal of work by specifying owners for the groups you create. As groups grow larger, they can consume a considerable amount of management time.
Figure 9-20. Specifying a group owner.
The Exchange Advanced tab, shown in Figure 9-21, holds several configuration options that may be familiar to you, such as a simple display name and the Custom Attributes button. You can also, however, configure several options that are specific to distribution lists:
Figure 9-21. Setting advanced properties for a group.
REAL WORLD Using Message Restrictions on Groups
The Message Restrictions area of the Delivery Restrictions dialog box (displayed by clicking Delivery Restrictions on the Exchange General tab) is often much more useful for groups than for individual users. In large organizations, groups can grow quite large, sometimes holding thousands of users. Because of the possibility of misuse, it is usually not a good idea to provide general access to groups this large. Imagine the increase in traffic if your users sent messages to thousands of users every time their kids had candy bars to sell or they found a good joke. Placing delivery restrictions on large groups allows you to limit access to the groups to a few select, responsible users.
Another potential risk is that someone from the Internet could e-mail everyone in your company, using a group's SMTP address. Imagine what your job would be like on the day that an anonymous person e-mailed malicious information to the entire company. Limiting access to the group will also help prevent this type of unwanted mail from occurring.
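One way to find the large groups that still accept mail from anyone is to audit an LDIF export of the directory. The script below is an added example, not from the original text. It assumes the "accept only from" list is stored in the authOrig and dLMemSubmitPerms attributes (names the page does not give), and all group names and DNs in the sample are constructed.

```python
from collections import defaultdict

SECURITY_ENABLED = 0x80000000                   # groupType bit: security group
SCOPES = {0x2: "global", 0x4: "domain local", 0x8: "universal"}
ACCEPT_ONLY = ("authorig", "dlmemsubmitperms")  # "accept only from" lists (assumed names)

# Constructed sample export (made-up names), limited to the attributes used here.
SAMPLE_LDIF = """\
dn: CN=All Employees,OU=Groups,DC=example,DC=com
groupType: 8
mailNickname: allemployees
member: CN=u1,OU=Staff,DC=example,DC=com
member: CN=u2,OU=Staff,DC=example,DC=com

dn: CN=Exec Staff,OU=Groups,DC=example,DC=com
groupType: -2147483640
mailNickname: execstaff
authOrig: CN=u1,OU=Staff,DC=example,DC=com
member: CN=u1,OU=Staff,DC=example,DC=com
member: CN=u2,OU=Staff,DC=example,DC=com

dn: CN=File Admins,OU=Groups,DC=example,DC=com
groupType: -2147483646
member: CN=u1,OU=Staff,DC=example,DC=com
member: CN=u2,OU=Staff,DC=example,DC=com
"""

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per blank-line-separated record."""
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.replace("\n ", "").splitlines():  # undo LDIF line folding
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry[attr.lower()].append(value.lstrip(": "))
        yield entry

def audit_groups(ldif_text, min_members=500):
    """Return mail-enabled groups of min_members or more with no accept-only list."""
    findings = []
    for e in parse_ldif(ldif_text):
        if not e["grouptype"] or not e["mailnickname"]:
            continue                                 # not a mail-enabled group
        gtype = int(e["grouptype"][0]) & 0xFFFFFFFF  # exported as signed 32-bit
        kind = "security" if gtype & SECURITY_ENABLED else "distribution"
        scope = next((n for bit, n in SCOPES.items() if gtype & bit), "unknown")
        restricted = any(e[a] for a in ACCEPT_ONLY)
        if len(e["member"]) >= min_members and not restricted:
            findings.append((e["mailnickname"][0], kind, scope, len(e["member"])))
    return findings
```

Each finding gives the alias, group type, scope, and member count, so the largest unrestricted groups can be reviewed first.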