Need for distribution groups in Active Directory

I know the basic purpose of security groups and distribution groups in Active Directory. The security group is used to access network resources and the distribution group is used to send mail to distribution lists. But my doubt is: a security group can also be used to distribute mail to that group by using a mail-enabled security group. If a security group can be used for both security and distributing mail, what is the need for distribution groups in Active Directory?


A security group ends up in the user's (or computer's) Kerberos Token, so you can assign rights based on group membership.

However, the Kerberos Token has a maximum size limit, and weird things will happen if the user belongs to many groups.

[...] When authenticating, the user may see a message such as HTTP 400 - Bad Request (Request Header too long). The user also has problems accessing resources, and the user's Group Policy settings may not update correctly.

Logon may completely fail too.

[...] The system cannot log you on due to the following error: During a logon attempt, the user's security context accumulated too many security IDs. Please try again or consult your system administrator.

This situation is generally referred to as "token bloat".

The distribution groups will not be added to the Kerberos Token (that's why you can't grant/deny permissions based on distribution groups), thus avoiding increasing the size of the user's token.

In short, use security groups sparingly, because you certainly don't want to reach the maximum number of groups per user!
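
To put numbers on the difference the answer describes, here is an added example (not part of the original answer): the function applies Microsoft's published token-size estimate, 1200 + 40d + 8s bytes, to a group list and leaves distribution groups out of the count. The sample groups, the `corp.example` and `partner.example` domains and the `Domain` property are constructed for illustration; `GroupCategory` and `GroupScope` are the property names `Get-ADGroup` returns.

```powershell
# Added example: estimate Kerberos token size from a user's (transitive) group list.
function Get-TokenSizeEstimate {
    param(
        [Parameter(Mandatory)] [object[]] $Groups,      # needs GroupCategory, GroupScope, Domain
        [Parameter(Mandatory)] [string]   $UserDomain,
        [int] $SidHistoryCount = 0,                     # SIDs carried in sIDHistory
        [int] $MaxTokenSize    = 48000,                 # default on Windows Server 2012 and later
        [int] $GroupLimit      = 1010                   # approximate; the token holds 1,024 SIDs in total
    )
    # Distribution groups never reach the token, so only security groups are counted.
    $security     = @($Groups | Where-Object { $_.GroupCategory -eq 'Security' })
    $distribution = @($Groups | Where-Object { $_.GroupCategory -eq 'Distribution' })

    # d: domain local groups and universal groups from other domains (40 bytes each)
    $wide = @($security | Where-Object {
        $_.GroupScope -eq 'DomainLocal' -or
        ($_.GroupScope -eq 'Universal' -and $_.Domain -ne $UserDomain)
    }).Count
    $d = $wide + $SidHistoryCount
    # s: global groups and universal groups in the user's own domain (8 bytes each)
    $s = $security.Count - $wide

    $bytes = 1200 + (40 * $d) + (8 * $s)
    [pscustomobject]@{
        SecurityGroups     = $security.Count
        DistributionGroups = $distribution.Count
        EstimatedBytes     = $bytes
        OverMaxTokenSize   = $bytes -gt $MaxTokenSize
        NearGroupLimit     = ($security.Count + $SidHistoryCount) -ge $GroupLimit
    }
}

# Constructed sample membership (not real directory data).
$sample = @(
    [pscustomobject]@{ Name='FS-Finance-RW';   GroupCategory='Security';     GroupScope='DomainLocal'; Domain='corp.example' }
    [pscustomobject]@{ Name='FS-HR-RO';        GroupCategory='Security';     GroupScope='DomainLocal'; Domain='corp.example' }
    [pscustomobject]@{ Name='Partner-Portal';  GroupCategory='Security';     GroupScope='Universal';   Domain='partner.example' }
    [pscustomobject]@{ Name='Finance-Staff';   GroupCategory='Security';     GroupScope='Global';      Domain='corp.example' }
    [pscustomobject]@{ Name='VPN-Users';       GroupCategory='Security';     GroupScope='Global';      Domain='corp.example' }
    [pscustomobject]@{ Name='All-Managers';    GroupCategory='Security';     GroupScope='Universal';   Domain='corp.example' }
    [pscustomobject]@{ Name='DL-Newsletter';   GroupCategory='Distribution'; GroupScope='Universal';   Domain='corp.example' }
    [pscustomobject]@{ Name='DL-Finance-News'; GroupCategory='Distribution'; GroupScope='Global';      Domain='corp.example' }
)

Get-TokenSizeEstimate -Groups $sample -UserDomain 'corp.example'
```

Against a live directory, the transitive group list can come from `Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=<user DN>)"`, with the domain value derived from each group's `DistinguishedName`.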