I hesitate to call a QBDL by its other name, QBDG, because it isn’t a group. In fact, of all the letters in the acronym, “Q” is really the pertinent one. The reason is that a Query Based Distribution List isn’t a list or a group; it is a query and only a query.
When you create a QBDL, you write a query. This query is stored in the msExchDynamicDLFilter and msExchQueryFilter attributes in Active Directory. When Joe User sends an email to this list, Exchange resolves and expands the query into a list of users and sends the email. I am writing this sentence in red because warning flags should be going up right now deep in your administrator heart. What happens when somebody responds to that email? What happens when a mailstorm breaks out? What if that query returns a large number of users? That’s the problem with QBDLs in a nutshell: expanding the query requires access to a Global Catalog server, and a poorly designed or frequently used query for the DL could severely impact Exchange and Active Directory performance.
There are also limitations to the queries for end users. If you receive an email to QBDL@sampleco.com, you have no way to expand it in Outlook to see who the members are. Users are used to that capability; they tend to want to know who they are emailing most of the time. In today’s security-conscious environment, you don’t want users responding to or sending emails to an unknown audience.
So you ask, what is a dynamic Active Directory group if it isn’t a QBDL? It’s a group that is created by third-party software (yes, Imanami sells one such product) that uses a query designer to actually create an Active Directory group behind the scenes. And there is the difference: it creates an actual group object and not just a query. This dynamic group can be a security group or a distribution group; heck, it can be a mail-enabled security group.
The advantage to having a dynamic security group is that you can use it to grant access and permissions and always know it is accurate. A great example might be that everybody in sales needs to see the folder with the latest sales presentations. That query is simple (department=sales), and presto, there is an always accurate dynamic AD group that grants that permission. If you need something more granular, say only sales directors should see the sales reports folder, the query adds a step (department=sales, title=director) and that group grants that permission. Many security groups can be defined this easily, lifting a great burden from the help desk.
Going back to QBDLs, does having a dynamic AD distribution group solve the problems above? Yes, it does. Since an actual group is created, end users can expand it to see who the members are. The group is most likely created during an off-peak hour, and the query is run only once no matter how many times the group is mailed to, so there is a very minimal performance hit on the network.
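The query-to-group step described above, as an added PowerShell example (not Imanami's or GroupID's code). It assumes the ActiveDirectory module; the function name `Sync-QueryGroup`, the group and OU names, and the change limit are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example: turn a membership query into a real AD group (all names hypothetical).
function Sync-QueryGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # existing group to maintain
        [Parameter(Mandatory)] [string] $LdapFilter,  # membership query
        [Parameter(Mandatory)] [string] $SearchBase,  # OU the query is scoped to
        [int] $MaxChanges = 25                        # assumed safety limit per run
    )

    # Run the query once; every later use of the group reads the stored membership.
    $desired = @(Get-ADUser -LDAPFilter $LdapFilter -SearchBase $SearchBase |
        Select-Object -ExpandProperty DistinguishedName)

    # Only direct user members are managed; nested groups are left alone.
    $current = @(Get-ADGroupMember -Identity $GroupName |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty distinguishedName)

    # An empty result usually means a broken filter, not an empty department.
    if ($desired.Count -eq 0) {
        throw "Filter '$LdapFilter' matched no users; refusing to empty '$GroupName'."
    }

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })
    $total    = $toAdd.Count + $toRemove.Count

    # The group grants access, so a large swing is held for a person to review.
    if ($total -gt $MaxChanges) {
        throw "Run would change $total members of '$GroupName' (limit $MaxChanges)."
    }

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    }

    [pscustomobject]@{ Group = $GroupName; Added = $toAdd; Removed = $toRemove }
}

# The article's second query written as an LDAP filter; group and OU are placeholders.
Sync-QueryGroup -GroupName 'Sales-Directors' -SearchBase 'OU=Staff,DC=sampleco,DC=com' `
    -LdapFilter '(&(department=sales)(title=director))' -WhatIf
```

Run with `-WhatIf` first to see the planned additions and removals; membership is only as fresh as the last scheduled run.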
There is one advantage to a QBDL: the query is run in real time, so if somebody changes departments at 2:00PM, then an email at 2:01PM will reflect that change. But overall, the advantages to having dynamic Active Directory groups as opposed to a bunch of network-destroying queries are numerous.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.
Quite honestly, all large distribution groups should have control over who can send to them. This prevents the storms before they start.
Query-based lists should be used with caution as only diligent users will bother to check the results of the query before using.
Michael, that is a great point regarding delivery restrictions. Look for a future post on best practices for large groups and one on how to use delivery restrictions and dynamic groups to create a wall between organizations (for example, at banks the analysts cannot email the bankers to avoid conflict of interest).