Prevent user "click-expansion" of Exchange distribution group?
Solution 1
Your understanding is dead on. You could potentially maintain a number of different default address lists based on a user's access level (only letting them have a given group in their list if they're authorized), but that's incredibly ugly and would be nearly impossible to maintain.
One way to get rid of the expandability would be to use Dynamic Distribution Groups - they expand based on a query during transport, and thus cannot be expanded in Outlook.
This prevents access to the curious, but not the determined/knowledgeable - keep in mind that without some nasty permissions changes, a lot of the user and group attributes in question are readable to any domain user with the tools and knowledge needed to view them.
Solution 2
If you go in ADUC and right click, properties, attribut editor, hideDLMembership (set that to true) they will be able to see the group but will not be able to expand it's members.
Solution 3
If you enable Moderation on the DL, users will not be able to click the "+" sign to expand the group. Attempting to do so in Outlook will result in the following message:
Of course, this means someone (or a group of people, if desired) will then have to moderate all messages that are sent to that DL. In our case, we wanted moderation anyway, so this worked well for our needs.
(This worked for me on Exchange 2010 SP3)
Related videos on Youtube
15 : 51
09 : 01
08 : 53
07 : 38
10 : 03
Larold
Updated on September 18, 2022Comments
-
Larold over 1 year
I am a Unix guy who recently picked up powershell to help my Exchange admin coworkers implement a challenging project in Exchange 2010. (The requirements we've been given are challenging if not impossible to meet.)
I'll try to keep this simple. Here's my first question.
We have been given the requirement that certain DLs must be restricted so that only certain internal AD users can send to the DL. Additionally, these DLs must remain visible in the address book. Setting the 'HiddenFromAddressBookEnabled' property to $true is unacceptable. Leadership has stated that "The only people who should be allowed to see who's in the group are the people that can send to the group. Furthermore, the only people who should even be able to SEE the DL entries in the address book are the people who are allowed to send to the DL." I don't think that's doable, because:
- I can get around sender-security restrictions by calling up the (visible) entry in the address book, plopping it in the To: field, and then clicking the '+' in Outlook to expand it to individual people, which then bypasses group security. (I've confirmed this.)
- I do not believe it's possible to selectively hide address book entries only from certain users, but not others.
So here are my questions:
- Does my understanding seem mostly correct? If not, feel free to offer corrections
- Is there any way to hide DLs in address books from only a specific set of users?
- Is there a way to prevent users from clicking the '+' sign in Outlook to get around security restrictions that limit who can send to a group? Technically, you're not sending to a group anymore - just the exact set of individuals that are in that group.
Please - any additional enlightenment or comments encouraged. I think we have to go back to the business and tell them their requirements are not achievable. (And I have two other nasty requirements that I'll start separate questions for.)
Thanks everyone!
-
Larold over 12 yearsThanks! Being so inexperienced in the realm of AD and Exchange, I'm never sure if I'm properly understanding limitations of the software / environment. Also, sorry - I tried to up-vote your answer but I don't have 15 reputation yet. :)