Exchangepedia Blog is read by visitors from all 50 US States and 150 countries world-wide
Exchange Server 2003's ADUC extensions made hiding a Distribution Group's membership a trivial task, accomplished by right-clicking a group, selecting Exchange Tasks and selecting Hide Membership.
Figure 1: The Exchange Tasks wizard in ADUC provides an option to hide Distribution Group membership in Exchange Server 2003
As the task suggests, it hides the group's membership in Outlook Address Book/GAL. It also prevents users from clicking the + link that appears before a Distribution Group when composing a new message, and expanding the group so messages are sent individually to all members rather than the DG.
Figure 2: Distribution Groups that have their membership hidden cannot be expanded in Microsoft Outlook
Hiding Distribution Group membership is not supported in Exchange Server 2007. There is no option to hide Distribution Group membership in the console, nor a single parameter you can flip using the shell.
Nevertheless, you can prevent users from expanding the group in Microsoft Outlook, and hide the group's Member attribute so it's not visible in the properties pages in Outlook or OWA. The caveat - it's not a way to hide membership completely, as noted later in the post.
Adding Deny ACE for the Members property
Use the following command to deny the ReadProperty permission for the Distribution Group's Members property to a particular user or Security Group (Remember the security best practice - add users to Security Group -> assign permissions to Security Group?):
Once the permission is added, clicking on the + link in Microsoft Outlook produces the following not-so-descriptive error message, and the user is prevented from expanding the Distribution Group.
Figure 4: With the Deny ACE in place, Outlook users get an error when trying to expand the Distribution Group. Click here to see a larger image
Additionally, membership of the group is not revealed in the group's properties in the Address Book/GAL.
Adding Deny ACE using the GUI
If you've already used the shell to add the deny ACE, you can skip the following procedure and head to the next section.
For the console/GUI fans amongst us or those who simply haven't developed an intimate relationship with the shell (hopefully the following will make you a convert... :), ADSIEdit is your friend. Fire it up:
1. Navigate to the Distribution Group's properties
2. Select the Security tab
3. Click Add
4. Select the user or group you want to deny permission to (you can use the Everyone group to simulate what Exchange Server 2003 does)
5. Click OK
6. click Advanced (wait... ) to open Advanced Security Settings
7. Select the Permissions tab
8. Select the user or group if not already selected
9. Click Edit to open the Permissions Entry properties for the selected user/group
10. Select Properties tab
11. Click on the "Deny" checkbox for the Read Members property so it is checked.
12. Click OK to close the Permissions pages.
13. Click OK to close the Advanced Security Settings pages
14. Click OK to close the Properties dialog box
Prevent Delivery Reports from Distribution Group
Users can send a message to the Distribution Group with a Delivery Report requested, which can reveal the group membership.
To prevent a Delivery Report from being sent to the originator (consider this carefully, you may want senders to receive delivery reports if messages are not delivered to members of certain Distribution Groups. You can also enable delivery reports to the group Manager only.), use the following command:
Figure 5: Preventing Delivery Reports to originator returns a "delivered to DG" message when Delivery Reports are requested
Hiding group membership in OWA
Membership of the Distribution Group can be viewed in OWA (OWA 2007). As reader Bart points out, this is easily fixed by flipping the hideDLMembership attribute to TRUE. At first look, the attribute doesn't seem to be exposed by the Exchange shell. You can use your LDAP/AD tool of choice, including ADSIEdit, to modify it.
Figure 6: Flipping the Distribution Group's hideDLMembership attribute to True in ADSIEdit
With the attribute set to true, group membership is no longer revealed.
Yes, this means this workarounds mentioned above can be used to:
- Hide Distribution Group membership from Outlook users
- Prevent Outlook users from expanding the Distribution Group when composing new messages
- Hide Distribution Group membership from OWA users
- Prevent Delivery Reports from revealing group membership
The caveat: These workarounds succeed in hiding membership by examining the Distribution Group (or sending a message to it). This may meet your requirements for hiding group membership. However, you can examine the Member Of property page of a recipient and see which groups he/she is a member of. Agreed, this is not a convenient way of discovering group membership— particularly if you have a large number of recipients. Nevertheless, from a security standpoint, this does mean there's no hiding of group membership.
Figure 1: The Exchange Tasks wizard in ADUC provides an option to hide Distribution Group membership in Exchange Server 2003
As the task suggests, it hides the group's membership in Outlook Address Book/GAL. It also prevents users from clicking the + link that appears before a Distribution Group when composing a new message, and expanding the group so messages are sent individually to all members rather than the DG.
Figure 2: Distribution Groups that have their membership hidden cannot be expanded in Microsoft Outlook
The Hide Membership task available from Exchange Tasks denies Read Property permission for the Members attribute, to the Everyone group. This also prevents Administrators trying to manage the group from seeing the group's members.
Figure 3: Hiding a Distribution Group makes changes to the Distribution Group's ACL
Hiding Distribution Group membership is not supported in Exchange Server 2007. There is no option to hide Distribution Group membership in the console, nor a single parameter you can flip using the shell.
Nevertheless, you can prevent users from expanding the group in Microsoft Outlook, and hide the group's Member attribute so it's not visible in the properties pages in Outlook or OWA. The caveat - it's not a way to hide membership completely, as noted later in the post.
Adding Deny ACE for the Members propertyUse the following command to deny the ReadProperty permission for the Distribution Group's Members property to a particular user or Security Group (Remember the security best practice - add users to Security Group -> assign permissions to Security Group?):
Add-ADPermission "Distribution Group Name" -user "User or Security Group Name" -Deny -AccessRights ReadProperty -Properties Member
Note, to simulate what Exchange Server 2003's Hide Membership task does, you can use the Everyone group in the -users parameter. This hides membership from the EMC as well, but the shell can still show membership using the Get-DistributionGroupMember command.Once the permission is added, clicking on the + link in Microsoft Outlook produces the following not-so-descriptive error message, and the user is prevented from expanding the Distribution Group.
Figure 4: With the Deny ACE in place, Outlook users get an error when trying to expand the Distribution Group. Click here to see a larger image
Additionally, membership of the group is not revealed in the group's properties in the Address Book/GAL.
Adding Deny ACE using the GUI
If you've already used the shell to add the deny ACE, you can skip the following procedure and head to the next section.
For the console/GUI fans amongst us or those who simply haven't developed an intimate relationship with the shell (hopefully the following will make you a convert... :), ADSIEdit is your friend. Fire it up:
1. Navigate to the Distribution Group's properties2. Select the Security tab
3. Click Add
4. Select the user or group you want to deny permission to (you can use the Everyone group to simulate what Exchange Server 2003 does)
5. Click OK
6. click Advanced (wait... ) to open Advanced Security Settings
7. Select the Permissions tab
8. Select the user or group if not already selected
9. Click Edit to open the Permissions Entry properties for the selected user/group
10. Select Properties tab
11. Click on the "Deny" checkbox for the Read Members property so it is checked.
12. Click OK to close the Permissions pages.
13. Click OK to close the Advanced Security Settings pages
14. Click OK to close the Properties dialog box
Prevent Delivery Reports from Distribution GroupUsers can send a message to the Distribution Group with a Delivery Report requested, which can reveal the group membership.
To prevent a Delivery Report from being sent to the originator (consider this carefully, you may want senders to receive delivery reports if messages are not delivered to members of certain Distribution Groups. You can also enable delivery reports to the group Manager only.), use the following command:
Set-DistributionGroup "Distribution Group Name" -ReportToOriginatorEnabled $false
Once this is done, Exchange simply sends a Distributtion Group expanded/delivered to DG message in the Delivery Report, if one is requested, without revealing the group's members.Figure 5: Preventing Delivery Reports to originator returns a "delivered to DG" message when Delivery Reports are requested
Hiding group membership in OWAMembership of the Distribution Group can be viewed in OWA (OWA 2007). As reader Bart points out, this is easily fixed by flipping the hideDLMembership attribute to TRUE. At first look, the attribute doesn't seem to be exposed by the Exchange shell. You can use your LDAP/AD tool of choice, including ADSIEdit, to modify it.
Figure 6: Flipping the Distribution Group's hideDLMembership attribute to True in ADSIEdit
With the attribute set to true, group membership is no longer revealed.
Yes, this means this workarounds mentioned above can be used to:
- Hide Distribution Group membership from Outlook users
- Prevent Outlook users from expanding the Distribution Group when composing new messages
- Hide Distribution Group membership from OWA users
- Prevent Delivery Reports from revealing group membership
The caveat: These workarounds succeed in hiding membership by examining the Distribution Group (or sending a message to it). This may meet your requirements for hiding group membership. However, you can examine the Member Of property page of a recipient and see which groups he/she is a member of. Agreed, this is not a convenient way of discovering group membership— particularly if you have a large number of recipients. Nevertheless, from a security standpoint, this does mean there's no hiding of group membership.
Labels: Administration, Exchange Server 2007, Exchange Shell, GAL/Address Lists, Security
7 Comments:
Is there a way to create a custmom GAL that ignores msExchHideFromAddressLists attribute?
I am working with a compliance software that works with GAL and it cannot do anything with mailboxes hidden from it.
Is there a way to hide the membership in OWA as well?
Yes. In order to hide the membership in OWA, set the attribute hideDLMembership to TRUE.
@bart: Thanks much for pointing out the OWA issue— the post has been updated (and almost rewritten.. from "it's not possible to completely hide... " to "yes, it's possible... " :).
Cheers!
"Get-DistributionListMember" should be "get-distributionGroupMember" in EMC / Powershell.
Thanks for catching that! Corrected.
I've created certain contacts on my Exchange Server which i marked as hidden
from global address book but unfortunately clients like thunderbird/OE have
LDAP configured for adress book lookup which can see the hiddden addresses..is there a way to hide
it from both locations...early solution will be of great help
Post a Comment
Links to this post:
Create a Link
<< Home