
Saturday, June 18, 2016

Check Distribution Groups Created

Some organizations provide self-service for Distribution Groups (DG), that is, users are able to create DGs that are available in the Global Address List for everyone to use. Even if an organization does not have a naming convention in place, it is always important to keep an eye on what DGs are created in case a user creates one that is not acceptable.

To do this, we can use the Get-DistributionGroup cmdlet together with the WhenCreated parameter to search for DGs created in the last week, for example. However, using this cmdlet we can see who the DG’s manager is but not exactly who created it. So, we need to use the Admin Audit Logs feature already covered in some tips and articles at MSExchange.org such as the Administrator Audit Logging article by Neil Hobson. Since we will be relying on this feature, it is important that it is enabled and that we keep these logs for as long as we need to.

Another advantage of using these logs is that we can also check for DGs that were created and subsequently deleted!

The following basic script will search the Admin Audit Logs for any DG created and return some information about it such as when it was created, by whom and its display name:
Param (
 [Parameter(Position = 0, Mandatory = $False)]
 [String] $From = "01/01/2016"
)

[Array] $DGs = @()

# Every New-DistributionGroup run since $From, oldest first
Search-AdminAuditLog -StartDate $From -Cmdlets New-DistributionGroup | Sort RunDate | % {
 # ObjectModified is the canonical path "domain.com/OU/.../DG name"; keep only the last segment
 $DG = $_.ObjectModified.Split("/")
 $DG = $DG[$DG.Count - 1]

 # Caller has the same "domain.com/OU/alias" shape
 $user = $_.Caller.Split("/")
 $user = $user[$user.Count - 1]
 # Get-Recipient rather than Get-Mailbox, so a caller without a mailbox (e.g. a service account) does not abort the loop
 $userDN = (Get-Recipient $user -ErrorAction SilentlyContinue).DisplayName

 $DGs += New-Object PSObject -Property @{
  Date  = $_.RunDate
  UserAlias = $user
  UserDN  = $userDN
  DG  = $DG
 }
}

$DGs | Sort Date | FT Date, UserAlias, UserDN, DG -AutoSize
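The same audit entries also cover the "created and subsequently deleted" case mentioned above. The following is an added example (not the post's script) that searches for both New-DistributionGroup and Remove-DistributionGroup and reports groups that were removed after being created in the window; it assumes audit logging was enabled for the whole period and that a group name is not reused twice in it.

```powershell
# Added example: DGs created since $From that have since been removed.
function Get-CreatedThenDeletedDG {
    Param (
        [DateTime] $From = "01/01/2016"
    )

    # One search for both cmdlets; 250000 is the hard maximum for Search-AdminAuditLog
    $entries = Search-AdminAuditLog -StartDate $From `
        -Cmdlets New-DistributionGroup, Remove-DistributionGroup -ResultSize 250000

    # Index the latest entry per group name (last path segment of ObjectModified)
    $created = @{}
    $removed = @{}
    foreach ($e in $entries) {
        $name = ($e.ObjectModified -split "/")[-1]
        $who  = ($e.Caller -split "/")[-1]
        $rec  = New-Object PSObject -Property @{ Date = $e.RunDate; By = $who }
        if ($e.CmdletName -eq "New-DistributionGroup")        { $created[$name] = $rec }
        elseif ($e.CmdletName -eq "Remove-DistributionGroup") { $removed[$name] = $rec }
    }

    # Only report a removal that happened after the creation we saw
    foreach ($name in $created.Keys) {
        if ($removed.ContainsKey($name) -and $removed[$name].Date -gt $created[$name].Date) {
            New-Object PSObject -Property @{
                DG        = $name
                Created   = $created[$name].Date
                CreatedBy = $created[$name].By
                Removed   = $removed[$name].Date
                RemovedBy = $removed[$name].By
            }
        }
    }
}

Get-CreatedThenDeletedDG -From "01/01/2016" | Sort Created |
    FT DG, Created, CreatedBy, Removed, RemovedBy -AutoSize
```

A group that was deleted and recreated under the same name shows up once, with the most recent creation and removal entries.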

  
 
For a more complete report, please check my Exchange Distribution Group Creation Report article on MSExchange.org which generates an HTML report similar to:
 


Friday, April 8, 2016

Setting Distribution Groups Default OU in Exchange 2010/2013/2016

When creating a Distribution Group in the Exchange Shell or Console, we are given the option to choose which Organizational Unit (OU) in Active Directory (AD) we want the group’s object to be created in:

However, we do not necessarily need to choose an OU. We can tell Exchange where it should create all distribution groups by default using the Set-OrganizationConfig cmdlet. By default, no OU is selected, which means Exchange will create all distribution groups in the Users OU:

Let us say we want all distribution groups to be created in the Exchange -> Distribution Groups OU:
 

Using the above cmdlet it is easy to globally set the default OU for any newly created distribution group from now on:

When creating a new distribution group now, we still get the exact same wizard with the Organizational unit field not populated. However, if we don’t choose any OU, the distribution group will now be created in the OU we set up above.
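The setting itself is the DistributionGroupDefaultOU parameter of Set-OrganizationConfig. As an added example (not a screenshot from the post), the following checks the current value, refuses an OU that does not exist, and verifies the change; the domain and OU path are placeholders.

```powershell
# Added example: set and verify the default OU for new distribution groups.
# Canonical OU path is a placeholder; use your own.
$targetOU = "letsexchange.com/Exchange/Distribution Groups"

# Current value: empty means groups go to the Users container
"Before: " + (Get-OrganizationConfig).DistributionGroupDefaultOU

# Do not point the default at an OU that does not exist
if (-not (Get-OrganizationalUnit $targetOU -ErrorAction SilentlyContinue)) {
    throw "OU '$targetOU' not found; check the canonical name"
}

Set-OrganizationConfig -DistributionGroupDefaultOU $targetOU

# Confirm the new default is in place before users start creating groups
"After:  " + (Get-OrganizationConfig).DistributionGroupDefaultOU
```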


Distribution Group SendAs Denied

When trying to assign Send As or Receive As permissions to a Distribution Group in Exchange 2010, 2013 or 2016 using the Add-ADPermission cmdlet, you might get an error message saying Access is denied and insufficient access rights:

Active Directory operation failed on . This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : 5557AD82,Microsoft.Exchange.Management.RecipientTasks.AddADPermission


 
 
This is because, by default, Exchange Trusted Subsystem is not granted the “modify permissions” permission. This causes the Add-ADPermission cmdlet to fail with an Access Denied error.
To resolve this problem, add the modify permissions permission for the Exchange Trusted Subsystem to the organizational unit that contains the Distribution Group:
1. Open Active Directory Users and Computers;
2. Click View, and then click Advanced Features;
3. Right-click the OU that contains the distribution lists, and then click Properties;
4. In the Security tab, click Advanced;
5. In the Permissions tab, click Add;
6. In the Enter object name to select box, type Exchange Trusted Subsystem, and then click OK;
7. In the Object tab, select This object and all descendant objects in the Apply onto list, locate Modify Permissions in the Permissions list, and then set it to Allow;
8. Click OK.

 

Saturday, February 20, 2016

Distribution Groups Statistics

As an Exchange Administrator, have you ever wondered if all those Distribution Groups are actually being used? Organizations running Microsoft Exchange Server are likely to have been running Exchange for at least a few years and are also likely to continue to do so for a while. Over all those years, more and more distribution groups get created, some of them stop being used, some are simply forgotten, etc.

Maybe you got asked by the Audit department or by your manager for a list of the 20 most utilized groups, or maybe you are just curious. The good news is that as long as you have Message Tracking Logs enabled, you can easily get this information!

The easiest way to track messages sent to distribution groups is to list all the expansion events. When a user sends an email to a group, Exchange needs to expand that group in order to know who to send the email to. This gets registered with an EventID of EXPAND. Additionally, the RelatedRecipientAddress field in the EXPAND entry contains the PrimarySmtpAddress of the expanded group. And this is pretty much all the information we need.

Using the following cmdlet, we can get a list of all the emails sent to distribution groups on the 1st of January 2016:
Get-MessageTrackingLog -Start 01/01/2016 -End 01/02/2016 -EventID Expand | Select Timestamp, RelatedRecipientAddress, MessageSubject

But what we really want is to know how many emails were sent to which groups during a particular time. Not a problem! All we need to do is tweak the cmdlet above and add Group-Object:
Get-MessageTrackingLog -Start 01/01/2016 -End 01/02/2016 -EventID Expand | Group RelatedRecipientAddress | Sort Count -Descending | Select Count, Name



Do not forget to add Get-TransportService (or Get-TransportServer in Exchange 2007 and 2010) to get the logs across all transport servers if you have more than one!

If you are interested in getting the Top 20 most used groups, for example, this is also very easy:
Get-TransportService | Get-MessageTrackingLog -ResultSize Unlimited -Start 01/01/2016 -EventID Expand | Group RelatedRecipientAddress | Sort Count -Descending | Select -First 20 | FT Count, Name -AutoSize
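The Top 20 answers "which groups are busiest"; the opening question was whether all groups are used at all. As an added example (not the post's code) that goes one step further, the following counts EXPAND events per group across all transport servers and lists every distribution group, so the ones with zero expansions stand out. It assumes Exchange 2013/2016 (Get-TransportService; swap in Get-TransportServer on 2007/2010).

```powershell
# Added example: expansions per DG, including groups never expanded in the window.
function Get-DGUsageReport {
    Param (
        [DateTime] $Start = "01/01/2016",
        [DateTime] $End   = (Get-Date)
    )

    # Seed every DG with zero, keyed by primary SMTP address (lower-cased:
    # tracking logs do not preserve the case stored on the recipient)
    $usage = @{}
    Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
        $usage[$_.PrimarySmtpAddress.ToString().ToLower()] = 0
    }

    # Count EXPAND events across all transport servers. foreach works whether
    # RelatedRecipientAddress comes back as a single string or as an array.
    Get-TransportService |
        Get-MessageTrackingLog -ResultSize Unlimited -Start $Start -End $End -EventID Expand |
        ForEach-Object {
            foreach ($addr in $_.RelatedRecipientAddress) {
                if (-not $addr) { continue }
                $key = $addr.ToLower()
                if ($usage.ContainsKey($key)) { $usage[$key]++ }
                else { $usage[$key] = 1 }   # expanded, but no longer returned by Get-DistributionGroup
            }
        }

    foreach ($key in $usage.Keys) {
        New-Object PSObject -Property @{ Group = $key; Expansions = $usage[$key] }
    }
}

# Least used first; Expansions = 0 means nobody sent to that group in the window
Get-DGUsageReport -Start "01/01/2016" | Sort Expansions, Group | FT Group, Expansions -AutoSize
```

Message tracking logs are kept for 30 days by default, so a zero only means "unused within the retention period" unless you have raised MessageTrackingLogMaxAge.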

Thursday, May 28, 2015

How to Convert a Distribution List into a Mailbox

Sometimes, an organization/administrator might have the need to convert a Distribution Group (DG) (or Distribution List) into a normal mailbox or a shared mailbox. Reasons for this vary, but the most common one is when an organization has the need to start sending emails as that DG.
 
Unfortunately, there is no native way of achieving this. But it is completely achievable and straightforward. The best way is to:
  1. Write down the DG's LegacyExchangeDN. To do so, you can run the cmdlet: Get-DistributionGroup "DG_name" | Select LegacyExchangeDN;
  2. Delete the DG;
  3. Create a (shared) mailbox with the same SMTP address;
  4. Add the DG's legacyExchangeDN as an X500 address to the new mailbox.


I am not going into detail of what the legacyExchangeDN is and how or why it is used as this is already well documented all over the Internet. As a quick overview, the auto-complete cache in Outlook and in OWA uses the value of the legacyExchangeDN attribute to route email messages internally. If the value changes, the delivery of email messages may fail with a 5.1.1 NDR.
 
If you already deleted the DG and have no way of retrieving its legacyExchangeDN, you have two options:
  1. Clear the auto-complete cache (straightforward but most of the times not the best approach);
  2. Manually create an X500 proxy address for the old legacyExchangeDN attribute for the DG.

To create an X500 proxy address, you need to use an NDR you have received when emailing the DG, which should contain the recipient’s address such as:
IMCEAEX-_O=LetsExchange_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=f6a32c0ab0e64f33b2a7b3f9a48c2da6@nunomota.pt

From here, make the following changes based on the recipient address in the NDR:
  • Replace any underscore character (_) with a slash character (/);
  • Replace "+20" with a blank space;
  • Replace "+28" with an opening parenthesis character;
  • Replace "+29" with a closing parenthesis character;
  • Delete the "IMCEAEX-" string;
  • Delete the "@nunomota.pt" string;
  • Add "X500:" at the beginning.

After you make these changes, the proxy address will look similar to:
X500:/O=LetsExchange/OU=Exchange Administrative Group (FYDIBOHF23SPDLT)/CN=Recipients/CN=f6a32c0ab0e64f33b2a7b3f9a48c2da6
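The manual edits above are easy to get wrong on a long DN, so here is an added example (not from the post) that performs them as a function and then adds the result to the replacement mailbox from step 4. It generalises the three listed escapes to any "+XX" hex escape (for instance +2E for a period), which is how the IMCEAEX form encodes every special character; the mailbox name is a placeholder.

```powershell
# Added example: IMCEAEX recipient from an NDR -> X500 proxy address.
function ConvertFrom-ImceaexAddress {
    Param ([Parameter(Mandatory = $True)] [String] $Address)

    $s = $Address.Trim()
    if ($s -notmatch '^IMCEAEX-') { throw "Not an IMCEAEX address: $Address" }

    $s = $s -replace '^IMCEAEX-', ''     # delete the "IMCEAEX-" string
    $s = $s -replace '@[^@]+$', ''       # delete the "@domain" string
    $s = $s -replace '_', '/'            # underscores are the DN separators

    # Decode +XX escapes AFTER the underscore swap, so an escaped "+5F"
    # (a literal underscore in the original DN) is not turned into a slash.
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator] {
        param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16)
    }
    $s = [Regex]::Replace($s, '\+([0-9A-Fa-f]{2})', $evaluator)

    return "X500:$s"
}

# The recipient address quoted from the NDR in the post
$ndr  = 'IMCEAEX-_O=LetsExchange_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=f6a32c0ab0e64f33b2a7b3f9a48c2da6@nunomota.pt'
$x500 = ConvertFrom-ImceaexAddress $ndr
$x500
# X500:/O=LetsExchange/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=f6a32c0ab0e64f33b2a7b3f9a48c2da6

# Step 4: stamp it on the mailbox that replaced the DG (name is a placeholder)
Set-Mailbox "Replacement-Mailbox" -EmailAddresses @{Add = $x500}
```

The NDR's casing is kept (the post shows the same address in mixed case); X500 proxy addresses are matched case-insensitively, so either form resolves the cached entry.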

Tuesday, January 8, 2013

Dynamic Distribution Groups with MultiValued Attribute

Ever wondered how to use the Multi-Valued Attributes in Exchange 2010 SP2 (or above) with Dynamic Distribution Groups? The following example shows you how to do this:

First we use 3 users and set their ExtensionCustomAttribute1 attribute to something we want to use:
Set-Mailbox User1 -ExtensionCustomAttribute1 Area1,Area2,Area3
Set-Mailbox User2 -ExtensionCustomAttribute1 Area2,Area3,Area4
Set-Mailbox User3 -ExtensionCustomAttribute1 Area3,Area4,Area5

Now we create our dynamic groups based on the information we want to “filter”:
New-DynamicDistributionGroup -Name Area1 -RecipientFilter {ExtensionCustomAttribute1 -eq "Area1"}
New-DynamicDistributionGroup -Name Area2 -RecipientFilter {ExtensionCustomAttribute1 -eq "Area2"}
New-DynamicDistributionGroup -Name Area3 -RecipientFilter {ExtensionCustomAttribute1 -eq "Area3"}

If we want to make sure they are working as expected, we can easily return each group’s members:
$Group = Get-DynamicDistributionGroup Area1
Get-Recipient -RecipientPreviewFilter $Group.RecipientFilter

In the example above the group:
• Area1 will have User1;
• Area2 will have User1 and User2;
• Area3 will have User1, User2 and User3.

Saturday, October 29, 2011

"Changes to the distribution list membership cannot be saved" - Part 2

One of my first posts was regarding Distribution Groups Managers, how they work and how to set them up both through Active Directory and through PowerShell.

Recently, I wrote another post regarding the “Changes to the distribution list membership cannot be saved” error that Exchange 2010 users might receive when trying to manage Distribution Lists (DLs).

In this new post, again about DLs, I will talk about another scenario where users are not able to manage their DLs even if you followed the instructions on the previous two posts and if you transitioned from an Exchange 2003 environment.


If you still have users experiencing the following error whenever they try to add or remove a member from a DL they manage, check if the DL’s scope is set to Global:


If you can’t remember what the differences are between Group Scopes, here’s a quick (and simplified!) overview:
  • Universal Group: can include accounts, global groups and universal groups from any domain of the same forest. Can be assigned permissions in any domain or forest;
  • Global Group: can include accounts and global groups from the same domain. Can be assigned permissions in any domain;
  • Domain Local: can include accounts, global groups and universal groups from any domain (can also include other Domain Local groups, but only from the same domain). Can be assigned permissions only in the same domain.


If you look in the EMC, these DLs will most probably be greyed out and showing as Mail Non-Universal Group, which are not supported by Exchange 2010, thus causing the problem...


E-mails are still delivered to their members but you will not be able to manage or change them.

To check the Group Scope, the easier way is to use AD Users and Computers. In the following picture we can see that the DL HP-SSL-VPN is a Global DL:



To fix this issue, all you have to do is convert these DLs to Universal. You can easily do this in the EMC by sorting your DLs by Recipient Type Details, selecting the DLs you want to convert (you can select/convert multiple at a time!) and then clicking Convert to Universal Group:



Alternatively, you can use PowerShell with the following cmdlet:
Import-Module ActiveDirectory
Get-ADGroup -Filter {(mail -like "*") -and (GroupScope -eq "Global")} | Set-ADGroup -GroupScope Universal -WhatIf

WARNING: Just make sure you want to convert all of them or update the cmdlet to only convert the ones you want to!
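One way to honour that warning is to start from what Exchange itself reports as Mail Non-Universal Group instead of from every Global group in AD. The following is an added example (not the post's cmdlet): it lists those groups with their scope and ExchangeVersion, and only converts them, and upgrades the object to the current Exchange version, when run with -Commit. It assumes the Exchange Management Shell with the ActiveDirectory module available.

```powershell
# Added example: report, then optionally convert, mail-enabled non-universal groups.
Import-Module ActiveDirectory

function Convert-MailGroupToUniversal {
    Param ([Switch] $Commit)   # without -Commit nothing is changed

    # These are the groups the EMC greys out as Mail Non-Universal Group
    Get-DistributionGroup -ResultSize Unlimited -RecipientTypeDetails MailNonUniversalGroup |
        ForEach-Object {
            $adGroup = Get-ADGroup -Identity $_.DistinguishedName
            $obj = New-Object PSObject -Property @{
                Name      = $_.Name
                Scope     = $adGroup.GroupScope
                Version   = $_.ExchangeVersion
                Converted = $False
                Error     = ""
            }
            if ($Commit) {
                try {
                    # AD refuses some conversions (e.g. a Domain Local group that
                    # contains other Domain Local groups); record the reason instead of stopping
                    Set-ADGroup -Identity $adGroup -GroupScope Universal
                    # Upgrade the object so it can be managed from the 2010 tools;
                    # -Confirm:$False suppresses the upgrade prompt shown later in the post
                    Set-DistributionGroup -Identity $_.Identity -Confirm:$False
                    $obj.Converted = $True
                } catch {
                    $obj.Error = $_.Exception.Message
                }
            }
            $obj
        }
}

# Dry run: review the list first
Convert-MailGroupToUniversal | FT Name, Scope, Version, Converted, Error -AutoSize
# Then, once the list is what you expect:
# Convert-MailGroupToUniversal -Commit | FT Name, Scope, Converted, Error -AutoSize
```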



Exchange Server 2003
In the beginning of this post I mentioned that this might happen if you transitioned from Exchange 2003. This is because Exchange 2003 used different DL types.


To check the version of a DL, run the following cmdlet in the EMS:
Get-DistributionGroup HP-SSL-VPN | Select Name, ExchangeVersion

Name                   ExchangeVersion
----                   ---------------
HP-SSL-VPN             0.0 (6.5.6500.0)

From the output, we can see that the Exchange version of this DL is 6.5 (Exchange 2003).


You can use the same command to see the versions of all the DLs in your environment to check exactly how many you have that are still 2003 or, possibly, 2007:
Get-DistributionGroup | Select Name, ExchangeVersion | Sort ExchangeVersion


Or if you want to group and count them:
Get-DistributionGroup | Group ExchangeVersion

Count   Name
-----   ----
  207   0.0 (6.5.6500.0)
   12   0.10 (14.0.100.0)
   45   0.1 (8.0.535.0)



For these groups, if you try to add a Manager, you will get the following warning:



If you click Yes, Exchange will automatically convert the DL to Exchange 2010 so you can edit it.

The easiest way to convert all your DLs from Exchange 2003/2007 to Exchange 2010 is by using the 2010 EMS and simply running the following cmdlet:
Get-DistributionGroup | Set-DistributionGroup

Which will ask you the following:
To save changes on object "HP-SSL-VPN", the object must be upgraded to the current Exchange version. After the upgrade, this object cannot be managed by an earlier version of the Exchange Management Tools. Do you want to continue to upgrade and save the object?


Hope this helps!

Tuesday, September 27, 2011

Changes to the distribution list membership cannot be saved


If you are in the middle of a migration from Exchange 2003/2007 to Exchange 2010 (or already finished) and your users are complaining that they can no longer manage distribution lists they own, please note that this is RBAC working as expected.

I will not go through the explanation of why and all the steps involved to fix it as that would be rewriting this excellent post: How to Manage Groups that I already own in Exchange 2010?

Just be aware of this before you actually start migrating users across!

Friday, May 1, 2009

Subscribe/Unsubscribe from Distribution Groups

Finally we can create Distribution Groups (DG) which users can subscribe and/or unsubscribe from by themselves! Don’t know why this option wasn’t made available in Exchange 2007, but anyway... It is here!


If we go to the Properties of a DG (obviously this option is not available for a Dynamic DG), there’s a new tab, Membership Approval. Here we can configure how membership requests should be handled:

Choose whether owner approval is required to join the group
· Open: allows users to join this DG without the approval of the DG owners;
· Closed: allows only DG owners to add members. Requests to join will be rejected automatically;
· Owner approval: allows users to request membership on this DG. Requests to join must be approved by a DG owner before the user can join.

Choose whether the group is open to leave
· Open: allows users to leave the DG without the approval of the DG owners;
· Closed: allows only DG owners the ability to remove members from it. Requests to leave will be rejected automatically.



But that’s not all! On the Mail Flow Settings tab, we now have a Message Moderation option. Here we can configure whether messages sent to this DG must be approved by a moderator before they are delivered to its members.

In the Message Moderation dialog box, select the Messages sent to this group have to be approved by a moderator check box to require all messages sent to the DG to be approved by a moderator.

In the Specify group moderators list, click Add to select the recipients you want to add as moderators of the distribution group.

In the Specify senders who don't require message approval list, click Add to select the recipients you want to add who do not require message approval to send to the DG.




But how can users subscribe/unsubscribe from a DG? Since Outlook 2010 is not here yet and this functionality can’t be used with Outlook 2007, let me show you in the new version of Outlook Web Access (OWA).

In OWA, if you go to Options and then Groups you get the Public Groups I Belong To list. Here’s where we can subscribe/unsubscribe ourselves from a DG.

To join a group just click Join... and select the DG you wish to join:




To leave just click on Leave:



If you ask me, this functionality is more than welcome and should have been added a long time ago. Nonetheless, thank you Exchange Team guys!

Sunday, April 19, 2009

Distribution Group Manager

When I first started using Exchange 2007 I couldn't understand why, in order to give a user the ability to manage a Distribution Group (DG), adding and/or removing users, we needed to add him on the Exchange Console and then on Active Directory (AD) Users and Computers.

Well, that’s not exactly necessary... Here’s the explanation (which I think is somewhat stupid…):

In Exchange 2007, the Managed By property works in a different way than in previous versions of Exchange. According to Microsoft, this property is an informational field that users see in Outlook when viewing the properties of the distribution group. This property does not provide the user who is identified in the Managed By property with the ability to modify the members of that DG in Outlook.
To do that we must explicitly grant the required AD directory service permissions, and we have three options:

1. Using the Add-ADPermission cmdlet that adds permissions to an AD object. For example, to grant me the rights to add members to the Lets Exchange Admins distribution group:
Add-ADPermission -Identity "Lets Exchange Admins" -User "Nuno Mota" -AccessRights WriteProperty -Properties "Member"

  • Warning: This option does not show in AD Users and Computers (see screenshot below) nor to Outlook users that I am the manager for this DG, but I can still add/remove members, so you might want to use this together with the option on Exchange.

  • Tip: You can also do this by going to the Security tab on the Properties of the DG and manually assign the Write Members special permission to the user.

  • For detailed syntax and information, refer to Add-ADPermission


2. Using the Set-Group cmdlet that modifies the settings of an existing Microsoft Windows group:
Set-Group -Identity "Lets Exchange Admins" -ManagedBy "Nuno Mota"

  • For detailed syntax and information, refer to Set-Group

3. Using Active Directory Users and Computers itself: right-click on the DG you want to set the manager, click on Properties, go to Managed By, select the desired user and tick the Manager can update membership list box:




Note: you can only be granted the manager rights on groups in your own domain. This is a limitation because of how Exchange uses the Global Catalogs.

Also, when using steps 2 or 3 you can only assign one manager per DG. If you want to have several managers for the same DG you must use the first option. However, you might also want to set the Exchange Managed By property so that users can see at least one of the managers.

Exchange 2010: in the new version of Exchange, this process stays the same. However, through the Exchange Console you can select several managers but you still have to set the permission on AD and there, only one can manage it. So why can we select several users on the Exchange Console? I still don’t know…