Active Directory Security vs Distribution Groups

AD Security vs Distribution Groups


This post contains information on security groups versus distribution groups in a Windows Active Directory, how to make use of mail enabled security groups and how to convert groups between different scopes.

Groups of type distribution do not have a SID, and without a security identifier, they cannot be part of an Access Control Entry or a security token, even though the members of the distribution group may be accounts that do have SIDs.

Security groups can be mail-enabled, allowing the group to be used for both access control and mail distribution, and depending on your level of service autonomy and delegation of administration this may be suitable. If you nest security and/or distribution groups, there may also be some confusion if using mail enabled security groups.

Implementing Mail-enabled Security Groups

In a simple Exchange 2003 environment, you may be able to:

  1. Convert the groups of type distribution to security, with a scope of global. Universal could be used instead of global, but this depends on whether you have a requirement for cross-domain intra-forest GC access to group membership.
  2. Ensure the security groups are mail enabled
  3. Set the 'Managed By' information on the group to an individual or local group to manage the DL and update the membership list. This will set ACLs on the AD group object to allow members to be updated in the group.
  4. Add the global group to existing local groups used to manage permissions on file shares.


  • One reason to use distribution groups rather than mail-enabled security groups is because of service and data autonomy – to separate Exchange DL admins from security group admins, using the method above would make this difficult.
  • You can use the 'dsmod group' command to change the scope and type of a 200x Active Directory group. See the examples below.

Converting an Active Directory security group from Global to Local or vice versa:

This process was tested on an XP workstation against a Windows 2000 Active Directory domain in native mode. Identify the DN of the group by running
– dsquery group -name %GroupName%

Find the current group scope of the group just identified, by running
– dsget group %GroupDN% -scope -secgrp

Change the group scope to universal, a stepping stone required as groups can't be converted directly between global and local, by running:
– dsmod group %GroupDN% -scope u

Change the group scope to global or local (depending on the requirements), by running:
– dsmod group %GroupDN% -scope g
– dsmod group %GroupDN% -scope l

This modifies an existing group, without changing the SID, useful when the group is already used to apply permissions.


Group Objects Group scope
Troubleshooting mail transport and distribution groups in Exchange 2000 Server and in Exchange Server 2003
Group Types
Global Catalog Server Requirement for User and Computer Logon


Leave a Comment