HOW TO: Hide Distribution Group membership

by Bharat Suneja on November 1, 2007

Exchange Server 2003’s extensions for Active Directory Users & Computers console made hiding a Distribution Group’s membership a trivial task, accomplished by right-clicking a group, selecting Exchange Tasks and selecting Hide Membership.

Figure 1: The Exchange Tasks wizard in Active Directory Users & Computers provides an option to hide Distribution Group membership in Exchange Server 2003

As the task suggests, it hides the group’s membership in the Outlook Address Book/GAL. It also prevents users from clicking the + link that appears before a Distribution Group when composing a new message, and expanding the group so messages are sent individually to all members rather than the DG.

Figure 2: Distribution Groups that have their membership hidden cannot be expanded in Microsoft Outlook

What does Hide Membership do?

The Hide Membership task available from Exchange Tasks in ADUC denies Read Property permission for the Members attribute to the Everyone group. This also prevents Administrators trying to manage the group from seeing the group’s members.

Figure 3: Hiding a Distribution Group makes changes to the Distribution Group’s ACL

Hiding Distribution Group membership in Exchange Server 2007

Hiding Distribution Group membership is not supported in Exchange Server 2007. There is no option to hide Distribution Group membership in the console, nor a single parameter you can flip using the shell. (Update 5/9/2012: See You Cannot Hide Distribution Group Membership in Exchange 2007 in Exchange 2007 documentation on TechNet).

Nevertheless, you can prevent users from expanding the group in Microsoft Outlook, and hide the group’s Member attribute so it’s not visible in the properties pages in Outlook or OWA. The caveat: it’s not a way to hide membership completely, as noted later in the post.

1 Adding Deny ACE for the Members property

Use the following command to deny the ReadProperty permission on the Distribution Group’s Members property to a particular user or Security Group (remember the security best practice: add users to a Security Group, then assign permissions to the Security Group):

Add-ADPermission "Distribution Group Name" -User "User or Security Group Name" -Deny -AccessRights ReadProperty -Properties Member

Note: to simulate what Exchange Server 2003’s Hide Membership task does, you can specify the Everyone group in the -User parameter. This hides membership from the EMC as well, but the shell can still show membership using the Get-DistributionGroupMember command.

Once the permission is added, clicking on the + link in Microsoft Outlook produces the following not-so-descriptive error message, and the user is prevented from expanding the Distribution Group.

Figure 4: With the Deny ACE in place, Outlook users get an error when trying to expand the Distribution Group

Additionally, membership of the group is not revealed in the group’s properties in the Address Book/GAL.

Adding Deny ACE using the GUI

If you’ve already used the shell to add the deny ACE, you can skip the following procedure and head to the next section.

For the console/GUI fans amongst us or those who simply haven’t developed an intimate relationship with the shell (hopefully the following will make you a convert… :), ADSIEdit is your friend. Fire it up:

  1. Navigate to the Distribution Group’s properties
  2. Select the Security tab
  3. Click Add
  4. Select the user or group you want to deny permission to (you can use the Everyone group to simulate what Exchange Server 2003 does)
  5. Click OK
  6. Click Advanced (wait… ) to open Advanced Security Settings
  7. Select the Permissions tab
  8. Select the user or group if not already selected
  9. Click Edit to open the Permissions Entry properties for the selected user/group
  10. Select Properties tab
  11. Click on the “Deny” checkbox for the Read Members property so it is checked.
  12. Click OK to close the Permissions pages.
  13. Click OK to close the Advanced Security Settings pages
  14. Click OK to close the Properties dialog box

Inspecting any non-inherited permissions and removing the Deny ACE

To determine any modifications to the Active Directory permissions for the Members property:

Get-ADPermission "Distribution Group Name" | where {$_.Properties -like "member"} | fl

To remove the Deny permission on the Member property for a Distribution Group, use the Remove-ADPermission command:

Remove-ADPermission "Distribution Group Name" -User "User/Security Group Name" -Deny -AccessRights ReadProperty -Properties Member
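The one-liner above inspects a single group. As an added example (not from the original post), the following Exchange Management Shell function walks every Distribution Group and reports the three settings this post touches: explicit Deny ACEs on the Member property, the ReportToOriginatorEnabled flag, and the hideDLMembership attribute (read through ADSI, since the shell cmdlets do not expose it). It assumes an Exchange 2007 Management Shell on PowerShell 2.0 or later and an account allowed to read the groups’ ACLs; the function name is my own.

```powershell
# Added example, not part of the original post. Inventories membership-hiding state
# for all Distribution Groups so stray or missing Deny ACEs are easy to spot.
# Assumptions: Exchange 2007 Management Shell, PowerShell 2.0+, read access to group ACLs.
function Get-DGMembershipHidingReport {
    foreach ($dg in Get-DistributionGroup -ResultSize Unlimited) {

        # Explicit (non-inherited) Deny entries that withhold ReadProperty on Member.
        # This is exactly what step 1 of the post adds; inherited ACEs are skipped so
        # only per-group changes show up.
        $denies = Get-ADPermission -Identity $dg.Identity |
            Where-Object {
                $_.Deny -and (-not $_.IsInherited) -and
                ($_.AccessRights -contains 'ReadProperty') -and
                ($_.Properties -contains 'Member')
            }

        # hideDLMembership is not surfaced by Get-DistributionGroup; read it over LDAP.
        # An unset attribute comes back as $null, which [bool] turns into $false.
        $adsi   = [ADSI]("LDAP://" + $dg.DistinguishedName)
        $hideDL = [bool]$adsi.hideDLMembership.Value

        New-Object PSObject -Property @{
            Name                      = $dg.Name
            MemberDenyACEs            = (($denies | ForEach-Object { $_.User.ToString() }) -join ';')
            ReportToOriginatorEnabled = $dg.ReportToOriginatorEnabled
            HideDLMembership          = $hideDL
        }
    }
}

# Usage: groups with an empty MemberDenyACEs column still expose their members in Outlook.
Get-DGMembershipHidingReport |
    Format-Table Name, MemberDenyACEs, ReportToOriginatorEnabled, HideDLMembership -AutoSize
```

Because the post notes that a Deny for Everyone also blinds the EMC, the MemberDenyACEs column is a quick way to find groups where an administrator has locked themselves out of the console view and must fall back to Get-DistributionGroupMember.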

2 Prevent Delivery Reports from Distribution Group

Users can send a message to the Distribution Group with a Delivery Report requested, which can reveal the group membership.

To prevent a Delivery Report from being sent to the originator (consider this carefully, you may want senders to receive delivery reports if messages are not delivered to members of certain Distribution Groups. You can also enable delivery reports to the group Manager only.), use the following command:

Set-DistributionGroup "Distribution Group Name" -ReportToOriginatorEnabled $false

Once this is done, if a Delivery Report is requested, Exchange simply reports that the message was expanded and delivered to the Distribution Group, without revealing the group’s members.

Figure 5: Preventing Delivery Reports to originator returns a “delivered to DG” message when Delivery Reports are requested

3 Hiding group membership in OWA

Membership of the Distribution Group can be viewed in OWA (OWA 2007). As reader Bart points out, this is easily fixed by flipping the hideDLMembership attribute to TRUE. At first look, the attribute doesn’t seem to be exposed by the Exchange shell. You can use your LDAP/Active Directory tool of choice, including ADSIEdit, to modify it.

Figure 6: Flipping the Distribution Group’s hideDLMembership attribute to True in ADSIEdit

With the attribute set to true, group membership is no longer revealed.
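Steps 1 to 3 above are applied one at a time with separate tools. As an added example (not from the original post), the following Exchange Management Shell function applies all three to one Distribution Group and then reads the result back: the Deny ACE from step 1, the ReportToOriginatorEnabled change from step 2, and the hideDLMembership attribute from step 3, set here through ADSI from PowerShell instead of ADSIEdit. The function name, the group name "Finance Leadership" and the security group "CONTOSO\Hide-DG-Readers" are placeholders of my own; it assumes an Exchange 2007 Management Shell on PowerShell 2.0 or later and an account permitted to modify the group’s ACL.

```powershell
# Added example, not part of the original post. Applies the post's three workarounds
# to a single Distribution Group and returns the resulting state for verification.
# Assumptions: Exchange 2007 Management Shell, PowerShell 2.0+, rights to edit the group's ACL.
function Hide-DistributionGroupMembership {
    param(
        [Parameter(Mandatory = $true)] [string] $GroupName,
        # Whose view to block. "Everyone" mimics the Exchange 2003 task but, as the post
        # warns, also hides the members from the EMC; a scoped security group is safer.
        [string] $DenyPrincipal = "Everyone",
        [switch] $SuppressDeliveryReports
    )

    $dg = Get-DistributionGroup -Identity $GroupName

    # Step 1: explicit Deny of ReadProperty on Member. Blocks the "+" expansion in Outlook
    # and keeps the member list out of the GAL properties pages.
    Add-ADPermission -Identity $dg.Identity -User $DenyPrincipal -Deny `
        -AccessRights ReadProperty -Properties Member | Out-Null

    # Step 2 (optional): stop Delivery Reports from listing members. Weigh this carefully,
    # since senders then lose reports about failed delivery to individual members.
    if ($SuppressDeliveryReports) {
        Set-DistributionGroup -Identity $dg.Identity -ReportToOriginatorEnabled $false
    }

    # Step 3: hideDLMembership for OWA. Not exposed by Set-DistributionGroup, so write it
    # over LDAP with the ADSI type accelerator (same change ADSIEdit makes by hand).
    $adsi = [ADSI]("LDAP://" + $dg.DistinguishedName)
    $adsi.Put("hideDLMembership", $true)
    $adsi.SetInfo()

    # Verification: re-read everything from the directory rather than trusting the writes.
    $dg     = Get-DistributionGroup -Identity $GroupName
    $denies = Get-ADPermission -Identity $dg.Identity |
        Where-Object { $_.Deny -and (-not $_.IsInherited) -and ($_.Properties -contains 'Member') }
    $fresh  = [ADSI]("LDAP://" + $dg.DistinguishedName)

    New-Object PSObject -Property @{
        Name                      = $dg.Name
        MemberDenyACEs            = (($denies | ForEach-Object { $_.User.ToString() }) -join ';')
        ReportToOriginatorEnabled = $dg.ReportToOriginatorEnabled
        HideDLMembership          = [bool]$fresh.hideDLMembership.Value
    }
}

# Usage with placeholder names; drop -SuppressDeliveryReports to keep step 2 unchanged.
Hide-DistributionGroupMembership -GroupName "Finance Leadership" `
    -DenyPrincipal "CONTOSO\Hide-DG-Readers" -SuppressDeliveryReports
```

To undo the ACL change later, the post’s Remove-ADPermission line with the same -User, -AccessRights and -Properties values reverses step 1; step 3 is reversed by putting hideDLMembership back to $false with the same ADSI calls.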

Yes, this means the workarounds mentioned above can be used to:

  • Hide Distribution Group membership from Outlook users
  • Prevent Outlook users from expanding the Distribution Group when composing new messages
  • Hide Distribution Group membership from OWA users
  • Prevent Delivery Reports from revealing group membership

The caveat:

These workarounds succeed in hiding membership from anyone examining the Distribution Group (or sending a message to it). This may meet your requirements for hiding group membership. However, users can examine the Member Of property page of a recipient in Outlook and see which groups he/she is a member of. Agreed, this is not a convenient way of discovering group membership, particularly if you have a large number of recipients.

Nevertheless, from a security standpoint, this does mean there’s no hiding of group membership.
