Universal Group


  • Can someone explain the difference between Distribution vs Security mode in Universal? Which mode of Universal group is recommended for ADRMS?

    Any help will be appreciated

    • Edited by Amar1467 Monday, January 9, 2017 7:33 PM
    Monday, January 9, 2017 7:25 PM

All replies

  • Any security group can have permissions applied, which then apply to all members. Group Policies can also be applied to security groups. A distribution group is just a list of members, often used to email a list of people.

    Edit: Reference:

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Monday, January 9, 2017 8:43 PM
  • As Richard mentioned, the distribution group is usually used for messaging purposes, which are mainly to create distribution lists. You cannot use them to apply permissions unless they are nested in another security group and you use this security group to apply permissions. Please take note that, on Exchange, a security group could also be used for e-mail distribution. For ADRMS, you need to use security groups to apply permissions and not distribution ones.

    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    Tuesday, January 10, 2017 12:46 AM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    I appreciate your feedback.

    Best regards,



    Monday, January 16, 2017 8:59 AM
  • Distribution group:- Can be used to distribute messages. It is a list of mailbox users. A DG is associated with a unique email address. If you have a single AD and Exchange environment you can limit a DG to Global. If you are running multiple AD and Exchange environments you will have to use a DG in Universal mode. This will allow co-existence users to expand the membership list via Outlook.

    Security group:- Is used to grant certain users access to resources, e.g. I will create a security group if I have to assign a few users "domain admin" rights. An SG can also be a mail-enabled group. Hence, an SG can be used to distribute messages as well as to grant access permissions to resources in Active Directory.

    For ADRMS you should make use of a security group.

    Hope it helps

    • Proposed as answer by Akabe Monday, January 16, 2017 9:49 AM
    Monday, January 16, 2017 9:49 AM
  • The name of the security group type defines where the group can be assigned as for object security.

    Domain Local: Contains users, universal groups, and global groups from any domain. It can also contain domain local groups from the same domain. It is assignable for permissions to objects only within the domain it was created in. It can be a member of domain local groups from the same domain.

    Global: Contains users and global groups from only within the domain it was created in. It is assignable for permissions to objects in any domain. It can be a member of universal and domain local groups in any domain.

    Universal: Contains users, universal groups, and global groups from any domain. It can be assigned for permissions to objects in any domain. Can be a member of domain local or universal groups in any domain.

    The distribution list of the same 3 types contain user/group objects the same way, but cannot be assigned security permissions and can be used for email if they are mail-enabled.

    Universal Distribution Groups should only be used when you only intend to use the group as an email distribution group in Exchange.
    Universal Security Groups can be used for email distribution and also to assign permissions on either public folders, mailboxes, or regular file/folder resources as long as it is mail-enabled?

    In a single domain forest universal groups really don't offer you anything. In large multi-domain environments they should be used sparingly as already stated. Thankfully once you move to Windows Server 2003 forest or higher functionality mode, you get Linked-Value-Replication, so only group changes are replicated and not the entire group when making a change. This cuts down on the amount of replication traffic, but the # of replications is still the same because UGs still have to be updated accordingly.
    Monday, January 16, 2017 1:20 PM
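
Added example, not part of any reply in this thread: the security/distribution distinction and the scope discussed above are both stored in the group's groupType attribute, so an exported group list can be audited for groups that cannot carry permissions on a given resource. The group names, domains and the helper names are constructed for illustration; the flag values are the attribute's documented bits and do not come from the thread.

```python
"""Decode the Active Directory groupType attribute (added example)."""

# Bit flags of the groupType attribute.
SCOPE_FLAGS = {0x2: "Global", 0x4: "DomainLocal", 0x8: "Universal"}
SECURITY_ENABLED = 0x80000000

# Constructed sample export: (group name, home domain, groupType as LDAP returns it).
SAMPLE_GROUPS = [
    ("RMS-Finance-Readers", "corp.example", -2147483640),
    ("All-Staff-Mail", "corp.example", 8),
    ("FileSrv-Local-RW", "emea.corp.example", -2147483644),
    ("Helpdesk", "emea.corp.example", -2147483646),
]


def decode_group_type(value):
    """Return (category, scope) for a groupType value, signed or unsigned."""
    bits = value & 0xFFFFFFFF  # LDAP reports a signed 32-bit integer
    scopes = [name for flag, name in SCOPE_FLAGS.items() if bits & flag]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value} does not set exactly one scope bit")
    category = "Security" if bits & SECURITY_ENABLED else "Distribution"
    return category, scopes[0]


def can_grant(group_type, group_domain, resource_domain):
    """Apply the rules from the thread: only security groups carry permissions,
    and a domain local group is assignable only inside its own domain."""
    category, scope = decode_group_type(group_type)
    if category != "Security":
        return False
    if scope == "DomainLocal":
        return group_domain.lower() == resource_domain.lower()
    return True


def audit(groups, resource_domain):
    """Return one report row per group for a resource in resource_domain."""
    rows = []
    for name, domain, group_type in groups:
        category, scope = decode_group_type(group_type)
        usable = can_grant(group_type, domain, resource_domain)
        rows.append((name, scope, category, usable))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_GROUPS, "corp.example"):
        print("{:<22} {:<12} {:<13} usable={}".format(*row))
```
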