Distribution group restrictions & group expansion

I noticed that when I restrict a regular distribution group to accept messages only from certain people, that anyone else can still enter select the group and then click the + to expand the group's membership in the address field of the email message, and thus still be able to easily send to the group.

What is the best way to truly restrict access to send to a standard distribution list? We've always used query-based/dynamic groups for our large distributions which satisfied the requirement since they don't expand in Outlook, but in our migration to 2007 we're also migrating some of the people to a new domain, and there isn't a way to include more than one AD domain in a DDG because of the requirement that the group be scoped to a container.

Thanks

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

royal

blargoe wrote:

we're also migrating some of the people to a new domain, and there isn't a way to include more than one AD domain in a DDG because of the requirement that the group be scoped to a container.

Thanks

Sure there is and will work across forests. Get ILM Feature Pack 1 ($$$$$), replicate the groups to each domain. Domain members can add members to the distribution group and ILM will just sync membership on both sides. May even be able to use IIFP for this (free), but not sure. I would think so since ILM FP1 is only needed to properly provision Exchange accounts by calling Update-Recipient when doing a GALsync for contacts, cross-forest delegation, and so Outlook will recognize it as a syncronized contact. Since I don't think you'd be using GALsync (never set it up) for distribution groups, I think you'd be able to do this with IIFP.

But if the 2 domains are in the same forest, not sure why you wouldn't be able to add members from multiple domains. Create a Universal Group and add members or groups from each domain to the Universal Distribution Group and it should work just fine.

Also, I'm assuming the method you're using right now is delivery restrictions?

blargoe

Hi royal, thanks for replying.

Sorry, wasn't clear about the domains, they're in the same forest, same Exchange org. No need for GalSync or ILM.

There's no reason why you can't add group from multiple domains to a Universal distribution, that's correct. But for dynamic distribution groups, it forces you to scope whatever criteria you pick for the filter to a particular container that will not go any farther up than the domain level, so the members end up coming from the same domain/OU or whatever container you pick. I only mentioned this in my OP because it was a way to prevent expansion of the restricted group, since it doesn't get expanded until the message is sent.

I was really just looking for a simple way to prevent users or groups of users from sending to a regular, static universal distribution group.

Thanks

Claymoore

Have you tried hiding the Distribution Group from the Exchange Address List in addition to restricting whom may send to the group? If it won't show up in the To: field when the users type in the name, then they shouldn't be able to expand the group.

blargoe

I thought of that, but the people for whom it is restricted need to see it in the address list.

Iguess I'll just deal with it for a little while longer, eventually all of the users in this particular list are going to be in the same domain and I can create a dynamic distribution list for them.

Thanks