Restricting Who Can Send to a Distribution Group
Some distribution groups are too large to allow just anybody to send an email to them. Some distribution groups have important members whose time is too valuable to waste with CC storms and chatter from the rank and file. Exchange 2010 allows you to restrict who can send a message to a distribution group. If you open the group from within the Exchange Management Console, go to the Mail Flow Settings tab and open the Message Delivery Restrictions property. From here you can add one or more specific users who you want to allow to send to this distribution group.
However, as your organization grows and matures, managing these restrictions could become a veritable nightmare.
Microsoft has long recommended a strategy of assigning access to resources in which the users are put in a group and then only the group is given access to the resource. In this way, when you want to manage the permissions of resources scattered throughout your environment, you don’t have to go to the resource. You can do it all from Active Directory. Here’s how you can leverage this strategy to simplify managing these distribution groups in Exchange.
Follow these steps when you create a group that needs to be restricted. If you want to restrict a group that already exists, I’m sure you’re smart enough to adapt this to your own situation. You are an Exchange Administrator after all.
- Decide what you will name the distribution group. Everyone will see this group in the Global Address List, but only a few people will be able to send messages to it. For this example, I’ll use “Company Executives”.
- Create an authorization group. It must be a mail-enabled group (a distribution group), because the Message Delivery Restrictions property can only reference recipients that Exchange knows about.
  - I recommend you create a separate OU in your Active Directory tree to hold email authorization groups. That way you don’t have to hunt for them when you need to make changes. You should also consider restricting access to this OU so that the helpdesk or other IT people don’t inadvertently add people to the wrong groups.
  - Name your authorization group in such a way that it will always be obvious what it is for. In this case, I’ll name my group “Authorized Company Executive Senders”.
  - On the Advanced tab of this authorization group in the EMC, check the “Hide group from Exchange address lists” box.
  - Add the people you want to be able to send to “Company Executives” as members of the “Authorized Company Executive Senders” group.
- Create the primary distribution group and name it “Company Executives”.
- In the EMC, open this primary distribution group and go to the Mail Flow Settings tab.
- Open the Message Delivery Restrictions property and add the “Authorized Company Executive Senders” group.
- Add the recipients to the primary “Company Executives” distribution group.
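The same procedure scripted in the Exchange 2010 Management Shell, as an added example that is not part of the original post. The OU path, the SamAccountNames and the member aliases are assumptions; the final two commands are the check that the restriction really points at the authorization group rather than at individual users.

```powershell
# Added example (not from the original post): the steps above done from the
# Exchange Management Shell. OU path, SamAccountNames and aliases are assumed.
$AuthOU         = "contoso.com/Email Authorization Groups"   # assumed OU
$AuthGroup      = "Authorized Company Executive Senders"
$TargetGroup    = "Company Executives"
$AllowedSenders = @("ceo.assistant", "hr.director")          # constructed aliases
$Executives     = @("ceo", "cfo", "coo")                     # constructed aliases

# The authorization group is a mail-enabled distribution group, so that a
# delivery restriction can reference it, and it is hidden from the address
# lists so that it only serves as an authorization list.
New-DistributionGroup -Name $AuthGroup -SamAccountName "AuthCompanyExecSenders" `
    -OrganizationalUnit $AuthOU -Type Distribution
Set-DistributionGroup -Identity $AuthGroup -HiddenFromAddressListsEnabled $true

# The people allowed to send become members of the authorization group.
foreach ($sender in $AllowedSenders) {
    Add-DistributionGroupMember -Identity $AuthGroup -Member $sender
}

# The primary (visible) group accepts mail only from members of the
# authorization group; this is what adding a group in the EMC's Message
# Delivery Restrictions dialog sets.
New-DistributionGroup -Name $TargetGroup -SamAccountName "CompanyExecutives" -Type Distribution
Set-DistributionGroup -Identity $TargetGroup -AcceptMessagesOnlyFromDLMembers $AuthGroup

# Finally, the real recipients.
foreach ($exec in $Executives) {
    Add-DistributionGroupMember -Identity $TargetGroup -Member $exec
}

# Check: AcceptMessagesOnlyFromDLMembers should list the authorization group and
# AcceptMessagesOnlyFrom should be empty. Anything in AcceptMessagesOnlyFrom
# means someone edited the restriction directly instead of the group membership.
Get-DistributionGroup -Identity $TargetGroup |
    Format-List Name, AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers
Get-DistributionGroup -Identity $AuthGroup |
    Format-List Name, HiddenFromAddressListsEnabled
```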
Now, whenever you want to add or remove someone from the list of people authorized to send messages to all of your company executives, you can just edit the authorization group membership instead of modifying the delivery restrictions on the distribution group itself. This is a little more complicated to set up, but you will be very glad you went to the extra trouble now. It will save you a lot of work and confusion later.
I wrote this function that you may find useful. In our organization, we have more distribution groups than we do AD accounts, so we wanted an easy way to manage this feature without adding additional groups.
Hope you enjoy.
-Nate
```powershell
Function Set-DistroGroupAllowSendList
{
    Param(
        # Group name and user are positions 0 and 1; the original declared both at
        # position 0 with ValueFromRemainingArguments, so the second was never bound.
        [parameter(Position=0, Mandatory=$true)][string]$DistroName,
        [parameter(Position=1, Mandatory=$true)][string]$PersonToAdd
    )
    # The name may belong to a regular or to a dynamic distribution group
    $DistroGroup    = Get-DistributionGroup $DistroName -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    $DynDistroGroup = Get-DynamicDistributionGroup $DistroName -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    If ($DistroGroup)
    {
        $DDGArray = $DistroGroup.AcceptMessagesOnlyFrom.ToArray()
    }
    ElseIf ($DynDistroGroup)
    {
        $DDGArray = $DynDistroGroup.AcceptMessagesOnlyFrom.ToArray()
    }
    Else
    {
        Write-Host "Invalid Group Name specified"
        return   # 'exit' here would close the whole shell session, not just the function
    }
    # Rebuild the allow list, dropping entries that no longer resolve to a recipient.
    # Get-Recipient instead of Get-Mailbox, so that mail users and mail contacts that
    # are already on the list are kept rather than pruned as "no longer valid".
    $DDGArrayUpdated = @()
    Foreach ($u in $DDGArray)
    {
        $urcpt = Get-Recipient $u -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
        If ($urcpt -eq $null)
        {
            Write-Host "Removing $u as this user is no longer valid"
        }
        Else
        {
            $DDGArrayUpdated += $urcpt.Identity
        }
    }
    $UserToAdd = Get-Mailbox $PersonToAdd -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    If ($UserToAdd -eq $null)
    {
        Write-Host "Invalid User Defined"
        return
    }
    # Only append the user if not already on the list, so the collection gets no duplicate
    ElseIf (-not ($DDGArrayUpdated | Where-Object { $_.DistinguishedName -eq $UserToAdd.DistinguishedName }))
    {
        $DDGArrayUpdated += $UserToAdd.Identity
    }
    If ($DistroGroup)
    {
        Set-DistributionGroup $DistroGroup -AcceptMessagesOnlyFrom $DDGArrayUpdated
    }
    ElseIf ($DynDistroGroup)
    {
        Set-DynamicDistributionGroup $DynDistroGroup -AcceptMessagesOnlyFrom $DDGArrayUpdated
    }
    Else
    {
        Write-Host "Error in $DistroGroup"
    }
}
Write-Host "Function Set-DistroGroupAllowSendList loaded successfully" -ForegroundColor Green
```
Thanks, Nate! I’ll look this over.