Friday, November 13, 2015

Identifying Distribution Groups within Security Groups

It is important to identify Active Directory distribution groups that are embedded in AD security groups, since it is not best practice to use distro groups for file server permissions.  Unfortunately within Varonis DatAdvantage the 3a Group Members report does not have a filter to sort by Group Type.  Here is a workaround that I have used; identifying group types by their email properties.


There are several caveats here.  It is possible that a Security group has an email address and it is possible that a distribution list does not have an email address assigned.  To get a truly comprehensive picture we would have to create a CSV file from the 3d report of all distribution groups, create a CSV file from the 3a report just looking for Groups embedded in groups, and then use Excel or PowerShell to merge the data to identify the distribution group members.