A domain local group is a security or distribution group that can contain universal groups, global groups,

other domain local groups from its own domain, and accounts from any domain in the forest. You can give
domain local security groups rights and permissions on resources that reside only in the same domain where
the domain local group is located.

A global group is a group that can be used in its own domain, in member servers and in workstations of
the domain, and in trusting domains. In all those locations, you can give a global group rights and
permissions and the global group can become a member of local groups. However, a global group can
contain user accounts that are only from its own domain.

A universal group is a security or distribution group that contains users, groups, and computers from any
domain in its forest as members. You can give universal security groups rights and permissions on resources
in any domain in the forest. Universal groups are not supported.

Distribution groups are mail-enabled Active Directory directory service group objects that are created to expedite
the mass sending of e-mail messages and other information within an Exchange organization.

Exchange 2007 supports the following types of distribution groups:

 Mail-enabled universal distribution groups   These are Active Directory distribution group objects that

are mail-enabled. They can be used only to distribute messages to a group of recipients.
 Mail-enabled universal security groups   These are Active Directory security group objects that are
mail-enabled. They can be used to grant access permissions to resources in Active Directory and can also
be used to distribute messages.
 Mail-enabled non-universal groups   These are Active Directory global or local group objects that are
mail-enabled. In Exchange 2007, you can create or mail-enable only universal distribution groups. You
may have mail-enabled groups that were migrated from previous versions of Exchange that are not
universal groups. These groups can still be managed by using the Exchange Management Console or the
Exchange Management Shell.
 Dynamic distribution groups   These are distribution groups for which membership is based on specific
recipient filters rather than a defined set of recipients. Dynamic distribution groups were called query-
based distribution groups in Exchange 2003.

how to create and configure Exchange Server 2007 recipient objects, such as mailboxes, users, contacts,
distribution groups and address lists, using the Exchange Management Console (EMC) or the Exchange
Management Shell (EMS).

with Exchange 2007, there are four types of mailboxes you can create. A user mailbox is an Exchange
2007-based mailbox associated with an Active Directory user. A room mailbox is a mailbox that is
associated with a disabled user for the purpose of room scheduling. An equipment mailbox, like a room
mailbox, is associated with a disabled user, but is used for the purpose of scheduling equipment within
your organization. Last, a linked mailbox is a mailbox that is accessible by a security principle (such as a
user account) in a separate forest that exists across a trust.
A distribution group is an Active Directory group that is mail-enabled, having an email address
on the Exchange system. Messages sent to a distribution group will be sent to each of the
members of that group. Lastly, public folders are automatically assigned email addresses. Table
3-1 compares the various recipient types.

While you have been using Active Directory Users and Computers on a server that has the
Exchange management tools installed to manage your recipients for years, in order to manage
Exchange 2007 recipients, you'll need to focus your attention on the Exchange 2007 management
tools.

Associated
Internal or
Recipient Object Type in
Accessed By External Example of Usage
Type Active
Recipient?
Directory
Associated user
User mailbox User Internal Internal user
account
Room
User Other users Internal Conference room
mailbox
Equipment
User Other users Internal Video projector
mailbox
Centralized company email
User account in a mailbox accessed by a user in
Linked
User trusted domain in Internal a business unit using a
mailbox
a separate forest separate (but trusted) Active
Directory forest
External person commonly
Mail contact Contact n/a External
sent email
Contractor with temporary
Mail user User n/a External internal user account but
external email
Can include
Distribution Associated user internal and Combines multiple recipients
Group
group account external into a single destination
recipients
Receives messages needed to
Public folder Public folder n/a Internal
be viewed by multiple users
Table 3-1. Comparison of Exchange 2007 recipients
Tip: If you have a mixed Exchange 2007/Exchange 2000 or 2003 environment, you can use the
Active Directory Users and Computers MMC snap-in to manage Exchange 2000/2003 recipients.

Managing Full Mailbox Access using the EMC in Exchange

Server 2007 SP1
Exchange Server 2007 SP1 adds management of Full Mailbox Access permission to the EMC.

1. From Recipient Configuration | Mailbox | select mailbox.

2. In the Action pane (or by right-clicking the mailbox), click Manage Full Mailbox
Access…

Viewing permissions using Get-MailboxPermission

To view permissions on a mailbox, use the Get-MailboxPermission command:

Get-MailboxPermission “Joe Adams”

To view explicitly assigned permissions (i.e. permissions that are not inherited):

Get-MailboxPermission “Joe Adams” | where {$_.IsInherited -eq $false}

To view all security principals with Full Access permission on a mailbox:

Get-MailboxPermission “Joe Adams” | where {$_.AccessRights -like “*FullAccess*”}

Creating and Managing Administrative Groups

Topic Last Modified: 2005-04-21

In Exchange 5.5 (and earlier), a site defined both the administrative boundary and the physical routing topology
for a group of servers. Exchange 2000 (and later) split the concept of a site into physical and logical components,
as follows:

 Routing groups define the physical network topology of your Exchange servers.

 Administrative groups define a logical grouping of servers and other objects for the purpose of
administration.
For more information about routing groups, see Understanding and Configuring Message Routing and Transport.
This topic focuses only on administrative groups.

An administrative group can contain any of the following Exchange objects:

 Servers

 Policies
 Routing groups

 Public folder trees

Administrative groups allow you to delegate specific administrative permissions, and define system policies for the
administrative groups and the objects in the group. You can create system policies that control the administration
of servers, mailbox stores, and public folder stores in an administrative group.

The remainder of this section focuses on the following topics:

  Understanding the types of administrative models
 Displaying administrative groups

 Creating administrative groups

 Creating a system policy

 Moving objects between administrative groups

 Deleting administrative groups

Note:

Use the Exchange Administration Delegation Wizard to assign a specific group permission to manage an
administrative group. For more information about the Exchange Administration Delegation Wizard, see
Managing Exchange Server 2003 Permissions