AD Global Security group nested inside a Distribution group

Good afternoon,

I am stuck, perplexed and honestly hitting my head against a wall. Something happened this week, I cannot figure out what, that caused our AD structure to start failing in a way that I am unfamiliar with. In my career, I have always been able to nest an AD user inside a single global security group, add any and all "permissions" (or other global security groups) to the group, as well as any distribution groups or mail enabled security groups. When I add the nested global security group to the mail enabled security group or distribution group, I have never had an issue with the end user not receiving email. Email has simply flowed through the path to the end user using the nested security group to the nested users and into their Outlook.

So recently, over the past several months, I have been working on a new project (with my current company) to take their AD structure and do the same thing. Taking their AD users, nesting each of them individually into their own global security group, then nesting that security group into all the misc security groups (mail enabled or not) and distribution groups that each user needs, and so far it has worked without any issues. I do have to mention that this company has local AD, several different geographical locations, each one has its own DC but each one replicates to each other. We are using Office 365 for email and we use (I have been told) Azure to sync local AD to the cloud.

So up until a few days ago when I sent an email to a distribution group which has nothing but global security groups nested inside it (and each security group had a single user nested inside of it) each user would get their email. But now when I send email to the same distribution group, nothing happens. I do not get a bounce back, I don't get the email. I have now had to add each user, individually, back into the distribution group, but the whole purpose of the project was to get away from that and now I don't know what caused it. I cannot find anything online about it, there is nothing from MS about any updates that I could find.

I talked to the other Network admins at the other locations and nothing has changed, we keep all of our servers up to date, but they have not updated or restarted their servers recently, nor have I. Any help would be greatly appreciated.

Thank you in advance.


  • I would suggest tracing the email in Exchange (I assume this is your email server). Go to Exchange Management Console, then Toolbox, then Tracking Log Explorer. Search for the email from you with the subject you had, see if it was accepted by the server and what decisions were made by the server for its delivery. If you have multiple servers you will have to perform the trace across each one, following the message as it goes. The CAS is probably the best to start with. For something going to a DL you should see RECEIVE, EXPAND, TRANSFER then DELIVER. You can also use some Transport rules on the server to forward you emails as they flow through the transport service, which can help you find where they fail. Just be careful with the transport rules, they can be very powerful.

  • I am working on a project very similar to this and found that the nested groups need to be mail enabled for the users in those groups to receive the email.  It's the goofiest thing but it works.
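A quick way to check the point the second reply makes, as an added example that is not from the thread: a PowerShell script (assuming RSAT's ActiveDirectory module and a placeholder group name in `$DlName`) that walks a distribution group's membership recursively and reports every nested group, flagging the ones that carry no `mail` attribute and so are not mail-enabled.

```powershell
# Added example, not from the original thread. Requires the RSAT ActiveDirectory
# module; run as a user that can read group membership in the domain.
Import-Module ActiveDirectory

function Get-NestedGroupMailStatus {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [int] $Depth = 0,
        [hashtable] $Seen = @{}
    )
    $group = Get-ADGroup -Identity $GroupName -Properties member, mail, groupType
    # Guard against circular nesting (A contains B contains A).
    if ($Seen.ContainsKey($group.DistinguishedName)) { return }
    $Seen[$group.DistinguishedName] = $true

    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass, mail, groupType, sAMAccountName
        # Users, contacts and computers are delivered to directly; only groups matter here.
        if ($obj.objectClass -ne 'group') { continue }
        # groupType has the 0x80000000 bit set for security groups, so the Int32 value is negative.
        $isSecurity = $obj.groupType -lt 0
        [pscustomobject]@{
            Depth       = $Depth + 1
            Parent      = $group.Name
            Group       = $obj.sAMAccountName
            Kind        = if ($isSecurity) { 'Security' } else { 'Distribution' }
            MailEnabled = [bool]$obj.mail      # $false means Exchange will not expand it
            Mail        = $obj.mail
        }
        # Descend into the nested group so deeper nesting is reported too.
        Get-NestedGroupMailStatus -GroupName $obj.DistinguishedName -Depth ($Depth + 1) -Seen $Seen
    }
}

# Usage: replace the placeholder with the distribution group that stopped delivering.
$DlName = 'PLACEHOLDER-DL-NAME'
Get-NestedGroupMailStatus -GroupName $DlName |
    Sort-Object Depth |
    Format-Table Depth, Parent, Group, Kind, MailEnabled, Mail -AutoSize
```

Any row with `MailEnabled` of `False` is a nested group that Exchange cannot expand as a recipient, which matches the symptom of silent non-delivery with no bounce; compare that list against what Azure AD Connect has synced before re-adding users one by one.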