As you know, Active Directory groups can be divided by scope into universal, global, and domain local groups, and by type into distribution groups, used for mail, and security groups, used for assigning permissions. We previously covered the management of distribution groups in Exchange Server 2013. In an enterprise, some users need the same access permissions to certain resources and also need to receive e-mail sent to them as a group. For example, all members of a project team need to access the content of a UNC path and, because of project requirements, often need to send e-mail to the whole team at once. In this case, you can use a security group and mail-enable it in Exchange Server 2013, so you do not need to create two separate groups for mail and for permissions.
However, because a security group can be used to assign permissions, plan carefully so that unsuitable recipient objects are not mistakenly added to the security group, which would leak permissions.
1. Manage Security groups through EAC
1. Open https://exchange-server (FQDN)/ECP in IE to reach the EAC. In the Exchange admin center window, click "recipients" in the navigation bar, select "groups" in the navigation bar of the right pane, click "+", and select "Security group" from the drop-down menu.
2. In the new security group window, define the "display name" and "alias" of the group. As with a distribution group, the "alias" directly determines the group's e-mail address.
Because a security group involves permission assignment, users cannot join the group freely. There are two options:
I. By default, the "Owner approval required" option is not selected. If a user tries to join the group, the system reports that the request to join was rejected automatically.
II. If you select "Owner approval required", the user is told that the request to join must be approved.
3. You can manage an existing security group by double-clicking it in the EAC. Most tabs of this window are the same as for a distribution group, so we will not describe them again here. This article only covers the tab that differs: "membership approval".
This tab has only one option, the one that controls whether users are allowed to ask to join, and it is set and behaves exactly as it does at creation. Note, however, that if the group object was not created through Exchange but by an Active Directory administrator directly in Active Directory, then when you mail-enable it through Exchange you may see the warning "the group is not managed by any recipients, but the MemberJoinRestriction attribute is set to ApprovalRequired":
In this case, check whether the user doing the configuration is in the "ownership" list of the group. If not, add the current user to this list; by default, the list is empty. When you make the addition, you may receive a notification that the current user is not a manager of the group and has insufficient permissions. In that case, open the Properties dialog box for the group in the "Active Directory Users and Computers" console, select the "Managed By" tab, and specify the appropriate manager.
2. Manage Security groups through EMS
The commands for managing security groups through EMS are the same as those for managing distribution groups: the cmdlet noun is "DistributionGroup".
Administrators who worked with early Windows Active Directory will probably be pleased to see this word. Isn't this the "distribution group" of Windows 2000 Server Active Directory? Indeed, the mail group type in Exchange is what Active Directory calls a "distribution group".
1. Use Get-DistributionGroup to list all existing mail-enabled security groups by filtering on the recipient type "MailUniversalSecurityGroup", that is:
Get-DistributionGroup -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'MailUniversalSecurityGroup')}
2. Use Set-DistributionGroup to modify the settings of an existing security group. For example, for security reasons you may need to hide security groups from the users' address lists:
Get-DistributionGroup -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'MailUniversalSecurityGroup')} | Set-DistributionGroup -HiddenFromAddressListsEnabled $true
Once this setting takes effect, the group can still be seen in the EAC:
But it is not displayed in the address list of the user's mail client:
3. Use Enable-DistributionGroup to mail-enable a security group that already exists in Active Directory.
Enable-DistributionGroup "Beijing sales" -Alias bjsales
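The following audit is an added example, not part of the original article: it combines the cmdlets above to check the two risks the article raises, unsuitable recipients inside a permission-bearing group and groups set to owner approval with no owner. It assumes it is run in the Exchange Management Shell and that mail contacts and mail users are the recipient types you do not expect in a security group ($riskyTypes is an assumption to adjust to your own policy).

```powershell
# Added example: read-only audit of mail-enabled security groups.
# Assumption: contacts and mail users should not inherit permissions through a group.
$riskyTypes = 'MailContact', 'MailUser'

$groups = Get-DistributionGroup -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'MailUniversalSecurityGroup'}

$report = foreach ($g in $groups) {
    # Every member of the group also receives the group's resource permissions.
    $members = @(Get-DistributionGroupMember -Identity $g.DistinguishedName -ResultSize Unlimited)
    $risky   = @($members | Where-Object { $riskyTypes -contains $_.RecipientTypeDetails })
    $owners  = @($g.ManagedBy)

    $findings = @()
    if ($owners.Count -eq 0) {
        $findings += 'no owner'
        # The situation behind the warning shown for groups created directly in AD.
        if ($g.MemberJoinRestriction -eq 'ApprovalRequired') {
            $findings += 'approval required but nobody can approve'
        }
    }
    if ($risky.Count -gt 0) {
        $findings += "$($risky.Count) contact/mail-user member(s)"
    }

    [pscustomobject]@{
        Group        = $g.Name
        Alias        = $g.Alias
        JoinPolicy   = $g.MemberJoinRestriction
        Owners       = $owners -join '; '
        Hidden       = $g.HiddenFromAddressListsEnabled
        Members      = $members.Count
        RiskyMembers = ($risky | ForEach-Object { $_.PrimarySmtpAddress }) -join '; '
        Findings     = $findings -join ', '
    }
}

# Show only groups that need attention; pipe $report to Export-Csv to keep a record.
$report | Where-Object { $_.Findings } | Sort-Object Group | Format-Table -AutoSize -Wrap
```

For a group reported with no owner, assign one with Set-DistributionGroup -ManagedBy (adding -BypassSecurityGroupManagerCheck if you are not yet a manager of the group), or use the "Managed By" tab described earlier.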
Environment used in this article:
Operating system version: Windows Server 2012 R2 Datacenter Edition
Email system version: Exchange Server 2013 SP1 Enterprise Edition
This article is from the "fat brother Technology Hall" blog; please be sure to keep this source: http://liulike.blog.51cto.com/1355103/1430436