HOW TO: Hide Distribution Group membership

by Bharat Suneja on November 1, 2007

Exchange Server 2003's extensions for the Active Directory Users & Computers console made hiding a Distribution Group's membership a trivial task, accomplished by right-clicking a group, selecting Exchange Tasks and selecting Hide Membership.

Figure 1: The Exchange Tasks wizard in ADUC provides an option to hide Distribution Group membership in Exchange Server 2003

As the task suggests, it hides the group’s membership in the Outlook Address Book/GAL. It also prevents users from clicking the + link that appears before a Distribution Group when composing a new message, and expanding the group so messages are sent individually to all members rather than the DG.


Figure 2: Distribution Groups that have their membership hidden cannot be expanded in Microsoft Outlook

What does Hide Membership do?

The Hide Membership task available from Exchange Tasks in ADUC denies Read Property permission for the Members attribute to the Everyone group. This also prevents Administrators trying to manage the group from seeing the group’s members.


Figure 3: Hiding a Distribution Group makes changes to the Distribution Group’s ACL

Hiding Distribution Group membership in Exchange Server 2007

Hiding Distribution Group membership is not supported in Exchange Server 2007. There is no option to hide Distribution Group membership in the console, nor a single parameter you can flip using the shell. (Update 5/9/2012: See You Cannot Hide Distribution Group Membership in Exchange 2007 in Exchange 2007 documentation on TechNet).

Nevertheless, you can prevent users from expanding the group in Microsoft Outlook, and hide the group's Member attribute so it's not visible in the properties pages in Outlook or OWA. The caveat: it's not a way to hide membership completely, as noted later in the post.

1 Adding Deny ACE for the Members property

Use the following command to deny the ReadProperty permission on the Distribution Group's Member property to a particular user or Security Group (remember the security best practice: add users to a Security Group, then assign permissions to the Security Group):

Add-ADPermission "Distribution Group Name" -User "User or Security Group Name" -Deny -AccessRights ReadProperty -Properties Member

Note, to simulate what Exchange Server 2003's Hide Membership task does, you can use the Everyone group in the -User parameter. This hides membership from the EMC as well, but the shell can still show membership using the Get-DistributionGroupMember command.

Once the permission is added, clicking on the + link in Microsoft Outlook produces the following not-so-descriptive error message, and the user is prevented from expanding the Distribution Group.


Figure 4: With the Deny ACE in place, Outlook users get an error when trying to expand the Distribution Group.

Additionally, membership of the group is not revealed in the group’s properties in the Address Book/GAL.

Adding Deny ACE using the GUI

If you’ve already used the shell to add the deny ACE, you can skip the following procedure and head to the next section.

For the console/GUI fans amongst us or those who simply haven’t developed an intimate relationship with the shell (hopefully the following will make you a convert… :), ADSIEdit is your friend. Fire it up:

  1. Navigate to the Distribution Group’s properties
  2. Select the Security tab
  3. Click Add
  4. Select the user or group you want to deny permission to (you can use the Everyone group to simulate what Exchange Server 2003 does)
  5. Click OK
  6. Click Advanced (wait… ) to open Advanced Security Settings
  7. Select the Permissions tab
  8. Select the user or group if not already selected
  9. Click Edit to open the Permissions Entry properties for the selected user/group
  10. Select Properties tab
  11. Click on the “Deny” checkbox for the Read Members property so it is checked.
  12. Click OK to close the Permissions pages.
  13. Click OK to close the Advanced Security Settings pages
  14. Click OK to close the Properties dialog box

Inspecting any non-inherited permissions and removing the Deny ACE

To determine any modifications to the Active Directory permissions for the Member property:

Get-ADPermission "Distribution Group Name" | where {$_.Properties -like "member"} | fl

To remove the Deny permission on the Member property for a Distribution Group, use the Remove-ADPermission command:

Remove-ADPermission "Distribution Group Name" -User "User/Security Group Name" -Deny -AccessRights ReadProperty -Properties Member

2 Prevent Delivery Reports from Distribution Group

Users can send a message to the Distribution Group with a Delivery Report requested, which can reveal the group membership.

To prevent a Delivery Report from being sent to the originator, use the following command (consider this carefully: you may want senders to receive delivery reports when messages are not delivered to members of certain Distribution Groups; you can also enable delivery reports to the group Manager only):

Set-DistributionGroup “Distribution Group Name” -ReportToOriginatorEnabled $false

Once this is done, Exchange simply sends a "Distribution Group expanded/delivered to DG" message in the Delivery Report, if one is requested, without revealing the group's members.


Figure 5: Preventing Delivery Reports to originator returns a “delivered to DG” message when Delivery Reports are requested

3 Hiding group membership in OWA

Membership of the Distribution Group can be viewed in OWA (OWA 2007). As reader Bart points out, this is easily fixed by flipping the hideDLMembership attribute to TRUE. At first look, the attribute doesn’t seem to be exposed by the Exchange shell. You can use your LDAP/Active Directory tool of choice, including ADSIEdit, to modify it.

Figure 6: Flipping the Distribution Group’s hideDLMembership attribute to True in ADSIEdit

With the attribute set to true, group membership is no longer revealed.

Yes, this means the workarounds mentioned above can be used to:

  • Hide Distribution Group membership from Outlook users
  • Prevent Outlook users from expanding the Distribution Group when composing new messages
  • Hide Distribution Group membership from OWA users
  • Prevent Delivery Reports from revealing group membership

The caveat:

These workarounds succeed in hiding membership from users who examine the Distribution Group (or send a message to it). This may meet your requirements for hiding group membership. However, users can examine the Member Of property page of a recipient in Outlook and see which groups he/she is a member of. Agreed, this is not a convenient way of discovering group membership, particularly if you have a large number of recipients.

Nevertheless, from a security standpoint, this does mean there’s no hiding of group membership.
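A defender's audit of the three workarounds above, added here as an example script (it is not from the original post or the scripts in the comments). It assumes the Exchange 2007 Management Shell on PowerShell 2.0 or later and an account that can read each group's security descriptor; the function name Test-HiddenDGMembership and the output property names are my own.

```powershell
# Added example, not from the original post. Assumes the Exchange 2007
# Management Shell on PowerShell 2.0 or later and an account that can read
# each group's security descriptor. Function and property names are mine.
function Test-HiddenDGMembership {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity   # group name, alias or distinguished name
    )

    $group = Get-DistributionGroup -Identity $Identity -ErrorAction Stop

    # Step 1 of the post: an explicit (non-inherited) Deny ReadProperty ACE
    # on the Member property. Collect who it applies to (e.g. Everyone).
    $denyAces = @(Get-ADPermission -Identity $group.DistinguishedName |
        Where-Object {
            $_.Deny -and -not $_.IsInherited -and
            ($_.AccessRights -contains "ReadProperty") -and
            (@($_.Properties | Where-Object { "$_" -eq "Member" }).Count -gt 0)
        })

    # Step 3 of the post: hideDLMembership is not exposed by the shell, so
    # read it from the directory object with ADSI, as the post does.
    $adsiGroup = [adsi]("LDAP://" + $group.DistinguishedName)
    $hideDl = [bool]$adsiGroup.Properties["hideDLMembership"].Value

    New-Object PSObject -Property @{
        Group                     = $group.Name
        DenyReadMemberFor         = @($denyAces | ForEach-Object { "$($_.User)" })
        ReportToOriginatorEnabled = $group.ReportToOriginatorEnabled   # step 2
        HideDLMembership          = $hideDl
        # All three workarounds present. Per the caveat above, the Member Of
        # page of a recipient in Outlook can still reveal membership.
        AllThreeInPlace           = ($denyAces.Count -gt 0) -and
                                    (-not $group.ReportToOriginatorEnabled) -and
                                    $hideDl
    }
}

# Audit every group and list those where at least one workaround is missing.
Get-DistributionGroup -ResultSize Unlimited |
    ForEach-Object { Test-HiddenDGMembership -Identity $_.DistinguishedName } |
    Where-Object { -not $_.AllThreeInPlace } |
    Format-Table Group, DenyReadMemberFor, ReportToOriginatorEnabled, HideDLMembership -AutoSize
```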

21 comments

1 Anonymous November 16, 2007 at 12:44 pm

Is there a way to create a custom GAL that ignores the msExchHideFromAddressLists attribute?

I am working with a compliance software that works with GAL and it cannot do anything with mailboxes hidden from it.

2 Pete February 19, 2008 at 1:15 pm

Is there a way to hide the membership in OWA as well?

3 Bart July 25, 2008 at 11:05 am

Yes. In order to hide the membership in OWA, set the attribute hideDLMembership to TRUE.

4 Bharat Suneja July 25, 2008 at 1:47 pm

@bart: Thanks much for pointing out the OWA issue— the post has been updated (and almost rewritten.. from "it's not possible to completely hide… " to "yes, it's possible… " :).

Cheers!

5 whats4lunch January 23, 2009 at 7:45 am

“Get-DistributionListMember” should be “get-distributionGroupMember” in EMC / Powershell.

6 Bharat Suneja January 23, 2009 at 8:30 am

Thanks for catching that! Corrected.

7 Anonymous May 12, 2009 at 12:16 am

I've created certain contacts on my Exchange Server which I marked as hidden from the global address book, but unfortunately clients like Thunderbird/OE have LDAP configured for address book lookup, which can see the hidden addresses. Is there a way to hide it from both locations? An early solution will be of great help.

8 fawzi August 13, 2009 at 5:24 am

Thanks a lot, I never knew before that we can do that.

9 Shreekanth Murali September 2, 2009 at 3:58 am

What is the maximum number of DLs a user can be a member of?
Do we have any limitation set?
If so, why, and what will happen if the user is a member of more than that limitation?

10 Bharat Suneja September 2, 2009 at 9:05 am

@Shreekanth: Check out this post on the Exchange team blog:
Maximum number of members in a Distribution Group?

11 Anonymous November 19, 2009 at 8:12 pm

Hi Bharat,

Thanks for sharing. How can we hide members from a dynamic distribution list? FYI, we have only Exchange 2007 and I've added a recipient filter which has grayed-out condition options.
If I use AD to add Everyone under Security for this Dynamic DL, I don't get the Read Members option under Advanced Security Settings, and "Apply to: This object only" is selected and grayed out.

12 Bharat Suneja November 19, 2009 at 9:01 pm

Unlike regular distribution groups, dynamic distribution groups don't have members per se – the "membership" is determined by the ldap/opath filter. Nothing to hide there.

13 Gus Gallows December 21, 2009 at 11:38 am

Unless you base the membership of the Dynamic Distribution group on the MemberOfGroup attribute which points to a Security Group. You cannot expand or even do an export on the filter from EMC and get results when you set it up that way. All other filter results using other attributes, I think, are exportable.

14 Bharat Suneja December 21, 2009 at 11:45 am

@Gus: Yes, but that almost beats the purpose of a dynamic distribution group, doesn't it?

15 whats4lunch January 14, 2010 at 9:45 am

@Bharat Suneja
RE:
"Membership of the Distribution Group can be viewed in OWA (OWA 2007). As reader Bart points out, this is easily fixed by flipping the hideDLMembership attribute to TRUE. At first look, the attribute doesn't seem to be exposed by the Exchange shell. "

I took a second look at this (now we just need to combine the two scripts together):

## Nicholas Leader
## 01/14/2010

# Syntax at the CLI: <scriptname> "group"
$userinput = $args[0]
if (-not $userinput) { Write-Error 'Usage: <scriptname> "group"'; exit 1 }

# Resolve the group's distinguished name through the Exchange shell
$groupobj = Get-Group $userinput
$groupdn = $groupobj.DistinguishedName

# Bind to the group object with ADSI (the attribute is not exposed by the shell)
$group = [adsi]"LDAP://$groupdn"

# Set hideDLMembership and write the change back to the directory
$group.Put("hideDLMembership", "TRUE")
$group.SetInfo()

16 whats4lunch January 14, 2010 at 10:07 am

Complete DL membership hide script:

## Nicholas Leader
## 01/14/2010

# Syntax at the CLI: <scriptname> "group"
$userinput = $args[0]
if (-not $userinput) { Write-Error 'Usage: <scriptname> "group"'; exit 1 }

# Necessary to hide DL membership in Exchange 2007 (Outlook/GAL): deny Everyone
# the ReadProperty right on the Member property
Add-ADPermission $userinput -User "Everyone" -Deny -AccessRights ReadProperty -Properties Member

# Resolve the group's distinguished name through the Exchange shell
$groupobj = Get-Group $userinput
$groupdn = $groupobj.DistinguishedName

# Bind to the group object with ADSI
$group = [adsi]"LDAP://$groupdn"

# Necessary to hide DL membership in OWA (attribute not exposed by the shell)
$group.Put("hideDLMembership", "TRUE")
$group.SetInfo()

17 Mohammad Mustafa August 23, 2012 at 8:53 am

Please, how can we apply these steps on Exchange 2007, because there are differences between Exchange 2003 and Exchange 2007?

Please, ASAP.

18 Vivek October 11, 2012 at 7:04 am

I think we can achieve this one from the Exchange console (2010):

Go to that DL's properties -> Advanced -> Hide GP Exchange address lists

Tx,
Vivek

19 Bharat Suneja January 29, 2013 at 4:03 pm

That simply hides the distribution group from Exchange address lists, including the Global Address List (GAL). As indicated in the post, there are other ways to access the Member property of groups.

20 sass January 28, 2013 at 3:20 pm

shouldn’t the powershell script in step 1 read “memberS” at the end instead of simply “member”?

21 Bharat Suneja January 29, 2013 at 4:01 pm

No – the property name is Member.
