Prevent user “click-expansion” of Exchange distribution group

Tags: active-directory, distribution, exchange, groups, outlook

I am a Unix guy who recently picked up powershell to help my Exchange admin coworkers implement a challenging project in Exchange 2010. (The requirements we've been given are challenging if not impossible to meet.)

I'll try to keep this simple. Here's my first question.

We have been given the requirement that certain DLs must be restricted so that only certain internal AD users can send to the DL. Additionally, these DLs must remain visible in the address book. Setting the 'HiddenFromAddressBookEnabled' property to $true is unacceptable. Leadership has stated that "The only people who should be allowed to see who's in the group are the people that can send to the group. Furthermore, the only people who should even be able to SEE the DL entries in the address book are the people who are allowed to send to the DL." I don't think that's doable, because:

  • I can get around sender-security restrictions by calling up the (visible) entry in the address book, plopping it in the To: field, and then clicking the '+' in Outlook to expand it to individual people, which then bypasses group security. (I've confirmed this.)
  • I do not believe it's possible to selectively hide address book entries only from certain users, but not others.

So here are my questions:

  • Does my understanding seem mostly correct? If not, feel free to offer corrections
  • Is there any way to hide DLs in address books from only a specific set of users?
  • Is there a way to prevent users from clicking the '+' sign in Outlook to get around security restrictions that limit who can send to a group? Technically, you're not sending to a group anymore – just the exact set of individuals that are in that group.

Please – any additional enlightenment or comments encouraged. I think we have to go back to the business and tell them their requirements are not achievable. (And I have two other nasty requirements that I'll start separate questions for.)

Thanks everyone!

Best Answer

Your understanding is dead on. You could potentially maintain a number of different default address lists based on a user's access level (only letting them have a given group in their list if they're authorized), but that's incredibly ugly and would be nearly impossible to maintain.

One way to get rid of the expandability would be to use Dynamic Distribution Groups - they expand based on a query during transport, and thus cannot be expanded in Outlook.

This prevents access to the curious, but not the determined/knowledgeable - keep in mind that without some nasty permissions changes, a lot of the user and group attributes in question are readable to any domain user with the tools and knowledge needed to view them.
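As an added illustration of the Dynamic Distribution Group approach (example code written for this page, not part of the answer above), the following Exchange Management Shell session builds a query-based group, restricts who may send to it, and previews the recipients the transport service would resolve at delivery time. The group name, domain, OU, department value and sender identities are made up for the example; the cmdlets and parameters are the standard Exchange 2010 ones.

```powershell
# Constructed example: a query-based DL that Outlook cannot expand with '+'.
# All names (Finance-Alerts, contoso.com, the OU, the senders) are placeholders.

# 1. Create the dynamic group. Membership is a recipient filter evaluated by
#    transport when a message is delivered; no static member list exists in AD,
#    so the Outlook '+' expansion has nothing to expand.
New-DynamicDistributionGroup -Name "Finance-Alerts" `
    -OrganizationalUnit "contoso.com/Groups" `
    -RecipientContainer "contoso.com/Users" `
    -RecipientFilter "((RecipientType -eq 'UserMailbox') -and (Department -eq 'Finance'))"

# 2. Restrict senders. Only the listed users (or members of the listed group)
#    may send; anyone else receives an NDR. Requiring sender authentication
#    keeps anonymous/Internet senders out as well.
Set-DynamicDistributionGroup -Identity "Finance-Alerts" `
    -AcceptMessagesOnlyFromSendersOrMembers "alice@contoso.com","Finance-Managers" `
    -RequireSenderAuthenticationEnabled $true

# 3. Preview who the filter resolves to today, the same way transport will.
#    This is the admin-side check; ordinary users have no equivalent in Outlook.
$ddg = Get-DynamicDistributionGroup -Identity "Finance-Alerts"
Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
    -OrganizationalUnit $ddg.RecipientContainer |
    Select-Object Name, PrimarySmtpAddress

# 4. Caveat from the answer: the underlying attributes remain readable. Any
#    authenticated domain user with RSAT can run a query like the one below and
#    reconstruct the membership, so the DDG removes the easy path, not the data.
Get-ADUser -Filter { Department -eq "Finance" } -Properties mail |
    Select-Object Name, mail
```

For a conventional (static) group the equivalent sender restriction is `Set-DistributionGroup -AcceptMessagesOnlyFromSendersOrMembers`, but that does nothing about the expansion problem the question describes, which is why the dynamic variant is the relevant one here.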
