Distribution group restrictions & group expansion

blargoe Self-Described Huguenot NC, USA Member Posts: 4,174
I noticed that when I restrict a regular distribution group to accept messages only from certain people, anyone else can still select the group and then click the + to expand the group's membership in the address field of the email message, and thus is still able to easily send to the group.

What is the best way to truly restrict access to send to a standard distribution list? We've always used query-based/dynamic groups for our large distributions which satisfied the requirement since they don't expand in Outlook, but in our migration to 2007 we're also migrating some of the people to a new domain, and there isn't a way to include more than one AD domain in a DDG because of the requirement that the group be scoped to a container.

Thanks
IT guy since 12/00

Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...

Comments

  • royal Member Posts: 3,352
    blargoe wrote:
    we're also migrating some of the people to a new domain, and there isn't a way to include more than one AD domain in a DDG because of the requirement that the group be scoped to a container.

    Thanks

    Sure there is and will work across forests. Get ILM Feature Pack 1 ($$$$$), replicate the groups to each domain. Domain members can add members to the distribution group and ILM will just sync membership on both sides. May even be able to use IIFP for this (free), but not sure. I would think so since ILM FP1 is only needed to properly provision Exchange accounts by calling Update-Recipient when doing a GALsync for contacts, cross-forest delegation, and so Outlook will recognize it as a synchronized contact. Since I don't think you'd be using GALsync (never set it up) for distribution groups, I think you'd be able to do this with IIFP.

    But if the 2 domains are in the same forest, not sure why you wouldn't be able to add members from multiple domains. Create a Universal Group and add members or groups from each domain to the Universal Distribution Group and it should work just fine.

    Also, I'm assuming the method you're using right now is delivery restrictions?
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • blargoe Self-Described Huguenot NC, USA Member Posts: 4,174
    Hi royal, thanks for replying.

    Sorry, wasn't clear about the domains, they're in the same forest, same Exchange org. No need for GalSync or ILM.

    There's no reason why you can't add group from multiple domains to a Universal distribution, that's correct. But for dynamic distribution groups, it forces you to scope whatever criteria you pick for the filter to a particular container that will not go any farther up than the domain level, so the members end up coming from the same domain/OU or whatever container you pick. I only mentioned this in my OP because it was a way to prevent expansion of the restricted group, since it doesn't get expanded until the message is sent.

    I was really just looking for a simple way to prevent users or groups of users from sending to a regular, static universal distribution group.

    Thanks
  • Claymoore Member Posts: 1,637
    Have you tried hiding the Distribution Group from the Exchange Address List in addition to restricting who may send to the group? If it won't show up in the To: field when the users type in the name, then they shouldn't be able to expand the group.
  • blargoe Self-Described Huguenot NC, USA Member Posts: 4,174
    I thought of that, but the people for whom it is restricted need to see it in the address list.

    I guess I'll just deal with it for a little while longer, eventually all of the users in this particular list are going to be in the same domain and I can create a dynamic distribution list for them.

    Thanks