Managing Mail-Enabled Groups


If your organization is like most organizations today, you make significant use of mail groups. You may refer to these as mail-enabled groups, distribution groups, or distribution lists. The official term for a mail group, though, is mail-enabled group. Like mail-enabled users, mail-enabled groups are Active Directory groups but they have been assigned mail properties. Within Active Directory, there are two basic types of groups:

  • Security groups are groups that can be assigned permissions to resources or rights to perform certain tasks. Security groups can be mail-enabled and be used for addressing mail by Exchange Server recipients.

  • Distribution groups are groups that are not security principals; they have no security identifier and thus cannot be assigned any rights or permissions. Distribution groups are intended for use with a mail system that integrates with Active Directory, such as Exchange Server. There is a subset of distribution groups called query-based distribution groups (QBDGs); a QBDG's membership list is dynamic, based on criteria the administrator defines.

When you create a new group using the Active Directory Users and Computers interface, you will also notice that you must provide a scope for the group in addition to defining the group type.

All groups that will be utilized by Exchange 2007 must be set to the Universal scope. This tells Active Directory that the membership list attribute for that group should be replicated to all global catalog servers in the organization. In previous versions of Exchange, you could mail-enable a global or domain local group. However, this could cause mail delivery problems in organizations that have multiple Active Directory domains.

Tip 

Only universal groups should be used as mail-enabled groups in Exchange 2007.

Exchange 2007 and Global or Domain Local Groups

By default, the only type of group that you can mail-enable using the Exchange Management Console is a universal group. However, if you have migrated from Exchange 2000/2003, you may have domain local or global groups that have been mail-enabled previously. The recipient type is a MailEnabledNonUniversalGroup. We recommend that you convert each of these domain local and global groups to a universal group. This will ensure that you do not have group expansion problems in multi-domain environments.

Creating and Managing Mail-Enabled Groups

Let's first go through the process of defining a mail-enabled group and look at the steps necessary to do so. Groups can be created or mail-enabled using the EMC and the EMS command shell.

One thing to consider when creating groups is a naming standard for mail-enabled group display names. This will allow them to all be grouped together in the global address list.

Using the Exchange Management Console to Manage Groups

The simplest way to create and manage mail-enabled groups is to use the EMC graphical interface. Previously, in Active Directory, we created a group called IT Operations; the group's scope is universal and the type is a security group. However, just using Active Directory Users and Computers will not define any mail attributes.

Creating Mail-Enabled Groups

To create a mail-enabled group, open the EMC, navigate to the Recipient Configuration work center, and then find the Distribution Group subcontainer. Click the New Distribution Group task in the Actions pane to launch the New Distribution Group Wizard. The first screen in the wizard is the Introduction page, which prompts you to either create a new group or choose an existing group.

Since the group we want to mail-enable is already in the Active Directory, choose the Existing Group radio button and then click the Browse button to locate and select the group. The only group types that will appear in the Select Group dialog box will be groups that are universal groups and have not already been mail-enabled.

Once you have clicked Next on the Introduction page, the next page you see is the Group Information page. The Group Information page will ask you to provide the display name for the group as well as the alias. By default, the alias is used to define the SMTP e-mail address for the group and should not have any spaces in it.

When you click Next on the Group Information page, you will see the confirmation page that allows you to verify the actions you are about to take. When you are sure that you have defined everything you need to define, you can click the New button and the group you have selected will be mail-enabled.

The resulting EMS command that performed the action is as follows:

 Enable-DistributionGroup -Identity:'fourthcoffee.com/Corporate/IT Operations' -DisplayName:'IT Operations' -Alias:'IT Operations' 

The New Distribution Group Wizard can also be used to create new mail-enabled groups as well as to mail-enable existing ones. If you choose to create a new group on the Introduction page, then you have a few additional pieces of information you must provide on the Group Information page, including the group type (distribution or security), the OU in which the group will be created, the group's name, the group's pre-Windows 2000 name, the display name, and the alias. The EMS command that is executed uses the New-DistributionGroup cmdlet rather than the Enable-DistributionGroup cmdlet.

There are some additional properties that you should be aware of when you are creating mail-enabled groups. Let's start with the Mail Flow Settings property page; on the Mail Flow Settings property page, there are two different components you can configure: Message Size Restrictions and Message Delivery Restrictions. If you select the Message Size Restrictions option and click the Properties button, you will see the Message Size Restrictions dialog box. Notice that we have restricted the maximum message size for this particular group to 100KB; this can help prevent misuse of distribution groups or the accidental distribution of large files.

The Message Delivery Restrictions dialog box (shown in Figure 10.34) has a little more information. If you have looked at the message delivery restrictions for a single mailbox, you are already familiar with these settings and concepts. In the example in Figure 10.34, we have restricted who is allowed to send mail to this group. You can specify individuals and other groups. We recommend you always restrict who is allowed to send mail to large groups or groups that contain VIPs. This will help prevent accidents and keep unwanted mail content from your VIPs.

Figure 10.34: A distribution group's Message Delivery Restrictions dialog box

You may also note that there is a Require That All Senders Are Authenticated check box. For mail-enabled groups, this box is checked by default. We recommend that you keep it set this way; after all, you probably don't want spammers or external salespeople to start sending mail to your Everyone@company.com or Executives@company.com addresses.

The E-Mail Addresses property page (Figure 10.35) shows the e-mail addresses that can be used to address a message to the group. From here, you can edit or add e-mail addresses that are used for a particular group.

Figure 10.35: E-mail address properties of a mail-enabled group

If a distribution list is used entirely within your organization, the Reply To address will not be particularly important. However, if you use lists both internally and externally, then the reply address is the address that will be seen externally. For example, if someone sends messages to your HelpDesk@company.com address and then your internal users reply to that message and courtesy copy (Cc) the distribution group, then whatever address is set as the Reply To address is what is seen externally.

The final property page we want to take a look at is the Advanced property page. There are several properties here that you should be aware of, and you should know what they may mean to your organization and users. The Advanced property page is shown in Figure 10.36. The first property is the Simple Display Name field. By default, when a message is sent from a recipient, the recipient's display name is included; in some organizations the display name can be quite long. Exchange also allows non-ASCII characters (Unicode characters) to be included in the display name. If you are connecting to older mail systems that do not support long display names or Unicode characters, you can include a simple display name that consists only of ASCII characters.

Figure 10.36: Advanced properties of a mail-enabled group

Message expansion is the process of enumerating the members of a mail-enabled group and figuring out where each member is located, either within your organization or externally. Expansion of large mail-enabled groups can be a pretty intensive process for a Hub Transport server as well as the Active Directory global catalog server that it is using.

The Expansion Server drop-down list provides you with a listing of all of the Hub Transport servers in your organization. By default, Expansion Server is set to Any Server in the Organization. This means that the first Exchange Hub Transport server that receives the message is either responsible for expanding the mail-enabled group or sending it on to another Hub Transport server to expand the group. In some environments, you may want to manually specify which Hub Transport server handles expansion.

An example of this might be a mail-enabled group called Executives; you know that all members of the Executives group are in the headquarters office and thus you could designate a Hub Transport server in the headquarters office to be responsible for expansion. Unfortunately, if that Hub Transport server is down (or taken offline permanently), there is no fault tolerance in manual expansion configuration. We recommend that you keep the default settings and allow Exchange to decide where expansion takes place.

Tip 

We recommend that you avoid using expansion servers. Allow Exchange to determine the appropriate place to expand the group's membership.

The Hide Group from Exchange Address Lists check box (unchecked by default) allows you to prevent a mail-enabled group from being displayed in the address lists. This might be useful for specialized groups that are used just for mail distribution by an automated system or for users that know the SMTP address.

The Send Out-of-Office Message to Originator check box allows you to specify if an out-of-office message will be sent to the sender of a message if someone's out-of-office rule is enabled. This option is unchecked by default. For small or departmental mail-enabled groups, it might be useful to turn it on, but for large or company-wide distribution groups, you should probably leave this disabled.

If messages are not properly delivered to the intended recipients of a message sent to a mail-enabled group, you can control how the delivery reports are generated. There are three options:

  • Send Delivery Reports to Group Manager will send the delivery reports to the person listed as the manager on the group's properties.

  • Send Delivery Reports to Message Originator sends the delivery report back to the message sender.

  • Do Not Send Delivery Reports prevents delivery reports from being sent to anyone.

Creating Dynamic Distribution Groups

Do you have a problem keeping your distribution groups up-to-date? Dynamic distribution groups (DDGs) may be the answer you have been looking for. Mail is sent to users in a DDG based on one or more criteria, such as organizational unit, city, department, and so on. As a user's Active Directory properties are changed or updated, the DDG membership changes automatically.

DDGs are created a little differently than a regular mail-enabled group since you have to define the filter settings and the conditions of the group. In the Distribution Group subcontainer of the Recipient Configuration work center, you can launch the New Dynamic Distribution Group Wizard by clicking the New Dynamic Distribution Group task in the Actions pane. The Introduction page of the wizard shows some typical information required for creating a new group object. This page requires that you specify the organizational unit in which you want the object created, the display name (Name), and the Exchange alias of the group.

Once you have specified the information necessary on the Introduction page, click Next. The next page, Filter Settings, allows you to specify which recipient container (or the entire domain) the filter applies to and which types of recipients it includes.

The following recipient types can be included in the filter settings:

  • All types of recipients

  • Mailbox-enabled user accounts (Users with Exchange Mailboxes)

  • Mail-enabled user accounts (Users with External E-mail Addresses)

  • Resource mailboxes (Room and equipment)

  • Contacts with external e-mail addresses

  • Mail-enabled groups

After selecting the recipient type and OU scope for the DDG and clicking Next, you will be able to further refine the scope of the group membership on the Conditions page. In the example shown in Figure 10.37, we have selected all users whose state or province is Hawaii.

Figure 10.37: Narrowing the membership of a dynamic distribution group

The Conditions page of the DDG allows you to specify the following attributes for inclusion in the DDG:

  • State or province

  • Department

  • Company

  • Custom attribute 1 through 15

Using DDGs will help emphasize the importance of having accurate information in Active Directory. Looking back to the example in Figure 10.37, if the state name was misspelled or abbreviated rather than spelled out when some user accounts were created, the DDG would not reflect everyone we wanted it to reflect.

The Preview button on the Conditions property page is helpful in confirming that your scope and conditions are defined properly. By clicking this button, you will see the Dynamic Distribution Group Preview dialog box. From here, you should verify that the membership appears to be what you expected.

The next screen after the Conditions screen is the New Dynamic Distribution Group screen where you confirm the configuration properties. When you are sure that the properties are correct, click the New button. As with most wizards in the EMC, the Completion screen will include the EMS command that was executed:

 New-DynamicDistributionGroup -Name 'Everyone in Honolulu' -IncludedRecipients 'MailboxUsers, MailGroups, MailUsers' -ConditionalStateOrProvince 'Hawaii' -OrganizationalUnit 'fourthcoffee.com/Corporate' -Alias 'EveryoneinHonolulu' -RecipientContainer 'fourthcoffee.com/Corporate' 

For DDGs that are already created, you can edit or redefine the conditions and the scope of the group on the Filter and Conditions property pages. Examples of these are shown in Figure 10.38.

Figure 10.38: Dynamic distribution group Filter and Conditions property pages

Using the Exchange Management Shell to Manage Groups

If you are just getting started with Exchange 2007 and the EMS, then managing groups is going to be a little tougher using the EMS than it will be if you use the EMC. However, we want to review the cmdlets that are available for managing and manipulating mail-enabled groups so that as you learn more about the EMS, you will have these cmdlets in your management arsenal. Table 10.6 lists the EMS cmdlets that you can use to manage groups and mail-enabled groups.

Table 10.6: EMS and PowerShell Cmdlets for Group Management

Cmdlet                             Function
Get-Group                          Retrieves information about all Active Directory groups. This is a built-in PowerShell cmdlet; it is not added with the EMS.
Set-Group                          Sets information about an Active Directory group; this will work for any Active Directory group, not just mail-enabled ones. This is a built-in PowerShell cmdlet; it is not added with the EMS.
Get-DistributionGroup              Retrieves information related to mail-enabled groups.
Set-DistributionGroup              Sets properties of mail-enabled groups.
New-DistributionGroup              Creates a new group in Active Directory and mail-enables that group.
Enable-DistributionGroup           Mail-enables an existing group that was previously created in Active Directory.
Disable-DistributionGroup          Removes mail attributes from a mail-enabled group but does not remove the group from the Active Directory.
Remove-DistributionGroup           Deletes the mail attributes of a mail-enabled group and removes the group from the Active Directory.
Get-DistributionGroupMember        Retrieves membership list information from a mail-enabled group.
Add-DistributionGroupMember        Adds members to a mail-enabled group.
Remove-DistributionGroupMember     Removes members from a mail-enabled group.
Get-DynamicDistributionGroup       Retrieves information about a dynamic distribution group.
Set-DynamicDistributionGroup       Sets properties for dynamic distribution groups.
New-DynamicDistributionGroup       Creates a new dynamic distribution group.
Remove-DynamicDistributionGroup    Removes mail properties from a dynamic distribution group and deletes the group from the Active Directory.

Creating Distribution Groups Using the EMS

For our purposes in this chapter, we are going to focus on only a few of the cmdlets listed in Table 10.6 and some of the more common properties that can be used with them. The best way to illustrate them is to use some examples. In the first example, let's say that we already have a universal group in the Corporate OU in Active Directory. The group is called Raptor Pilots.

Since the group already exists in the Active Directory, you'll use the Enable-DistributionGroup cmdlet. You need to assign the group an Exchange alias (the -Alias property) and you need to assign it a display name (-DisplayName). The following is an example of a command that would accomplish this:

 Enable-DistributionGroup -Identity "fourthcoffee.com/Corporate/Raptor Pilots" -DisplayName "Raptor Pilots" -Alias "raptorpilots"

You could have accomplished the exact same thing (provided the group name Raptor Pilots is unique) by removing the domain and the -Identity parameter and typing this:

 Enable-DistributionGroup "Raptor Pilots" -DisplayName "Raptor Pilots" -Alias "raptorpilots"

If the group did not exist in Active Directory and you wanted to create it in addition to mail-enabling it, you could have used the New-DistributionGroup cmdlet. This example would create the Raptor Pilots group in the Corporate OU; the -OrganizationalUnit property is required. Notice that the -SamAccountName property is required if the group will be a security group:

 New-DistributionGroup -Name:'Raptor Pilots' -Type:'Distribution' -OrganizationalUnit:'fourthcoffee.com/Corporate' -SamAccountName:'RaptorPilots' -DisplayName:'Raptor Pilots' -Alias:'Raptor Pilots'

To add members to that group, you use the Add-DistributionGroupMember cmdlet. Conversely, you can use the Remove-DistributionGroupMember cmdlet to remove members. For example, if you want to add user Elizabeth.Owusu to this group, you would type this:

 Add-DistributionGroupMember "Raptor Pilots" -Member "elizabeth.owusu" 

To enumerate the members of this group, you would use the Get-DistributionGroupMember cmdlet. Here is an example and the resulting output:

 [PS] C:\>Get-DistributionGroupMember "raptor pilots"
 Name                                    RecipientType
 ----                                    -------------
 Jim McBee                               UserMailbox
 Elizabeth Owusu                         UserMailbox
 Clayton Kamiya                          UserMailbox

There are a lot of properties that you can set for a mail-enabled group, as you probably recall from seeing what you can set through the graphical user interface. To update properties of a group from the EMS, you use the Set-DistributionGroup cmdlet. Table 10.7 lists some of the more common properties that you can define for a mail-enabled group.

Table 10.7: Common Mail-Enabled Group Properties

Property                                      Function
Alias                                         Sets the Exchange alias for the group. By default, the alias is used when SMTP addresses are generated.
CustomAttribute1 through CustomAttribute15    Sets 1 of the 15 custom attributes (aka extension attributes).
DisplayName                                   Sets the display name of the mail-enabled group; the display name is what is visible in address lists.
HiddenFromAddressListsEnabled                 Sets whether or not the group will be displayed in address lists. The default is that the objects are visible. You can set this to $True and it will hide the lists.
MaxReceiveSize                                Sets the maximum size message that can be sent to the group.

Finally, if you no longer need this group, you can use Remove-DistributionGroup to get rid of it completely (including the group object in Active Directory) or Disable-DistributionGroup to simply remove the mail attributes from it.

You can also view the group's properties using the EMS cmdlet Get-DistributionGroup. Many of these properties can be modified using the Set-DistributionGroup cmdlet. Here is an example of viewing a mail-enabled universal group:

 Get-DistributionGroup "Executives" | FL
 GroupType                          : Universal
 SamAccountName                     : Executives
 ExpansionServer                    : /o=Volcano Surfboards/ou=Exchange Administrative Group(FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=HNLEX03
 ReportToManagerEnabled             : False
 ReportToOriginatorEnabled          : True
 SendOofMessageToOriginatorEnabled  : False
 AcceptMessagesOnlyFrom             : {}
 AcceptMessagesOnlyFromDLMembers    : {}
 AddressListMembership              : {Default Global Address List, All Groups}
 Alias                              : Executives
 OrganizationalUnit                 : volcanosurfboards.com/Users
 CustomAttribute1                   :
 CustomAttribute10                  :
 CustomAttribute11                  :
 CustomAttribute12                  :
 CustomAttribute13                  :
 CustomAttribute14                  :
 CustomAttribute15                  :
 CustomAttribute2                   :
 CustomAttribute3                   :
 CustomAttribute4                   :
 CustomAttribute5                   :
 CustomAttribute6                   :
 CustomAttribute7                   :
 CustomAttribute8                   :
 CustomAttribute9                   :
 DisplayName                        : Executives
 EmailAddresses                     : {smtp:Executives@volcanosurfboards.com, smtp:Executives@research.somorita.com, smtp:Executives@directory-update.com, X400:C=US;A= ;P=Volcano Surfboar;O=Exchange;S=Executives;, SMTP:Executives@somorita.com}
 GrantSendOnBehalfTo                : {}
 HiddenFromAddressListsEnabled      : False
 LegacyExchangeDN                   : /o=Volcano Surfboards/ou=First Administrative Group/cn=Recipients/cn=Executives
 MaxSendSize                        : unlimited
 MaxReceiveSize                     : unlimited
 PoliciesIncluded                   : {{}, {}}
 PoliciesExcluded                   : {}
 EmailAddressPolicyEnabled          : True
 PrimarySmtpAddress                 : Executives@somorita.com
 RecipientType                      : MailUniversalDistributionGroup
 RecipientTypeDetails               : MailUniversalDistributionGroup
 RejectMessagesFrom                 : {}
 RejectMessagesFromDLMembers        : {}
 RequireSenderAuthenticationEnabled : False
 SimpleDisplayName                  :
 UMDtmfMap                          : {}
 WindowsEmailAddress                : Executives@somorita.com
 IsValid                            : True
 OriginatingServer                  : HNLDC01.volcanosurfboards.com
 ExchangeVersion                    : 0.1 (8.0.535.0)
 Name                               : Executives
 DistinguishedName                  : CN=Executives,CN=Users,DC=volcanosurfboard,DC=com
 Identity                           : volcanosurfboards.com/Users/Executives
 Guid                               :
 ObjectCategory                     : volcanosurfboards.com/Configuration/Schema/Group
 ObjectClass                        : {top, group}
 WhenChanged                        : 12/9/2006 12:41:21 PM
 WhenCreated                        : 11/27/2006 8:38:44 AM
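The recommendations made earlier in this section (universal scope only, authenticated senders, restricted senders for sensitive groups, a message size limit) can be checked against the properties that Get-DistributionGroup returns. The following is an added example, not code from the book: the function name Test-MailGroupExposure and the finding labels are hypothetical, the "Executives" sample row copies the values from the output above, and the other two rows are constructed.

```powershell
# Added example (not from the book). Assumes PowerShell 2.0 or later.
# Audits group objects against the chapter's recommendations using only the
# property names that appear in the Get-DistributionGroup output.
function Test-MailGroupExposure {
    param(
        [Parameter(ValueFromPipeline = $true)]
        $Group
    )
    process {
        $findings = @()

        # Only universal groups should be mail-enabled.
        if ("$($Group.GroupType)" -notmatch 'Universal') {
            $findings += 'NonUniversalScope'
        }

        # Unauthenticated senders are able to address the group.
        if ($Group.RequireSenderAuthenticationEnabled -ne $true) {
            $findings += 'UnauthenticatedSendersAllowed'
        }

        # No list of permitted senders. Null entries are filtered out so that
        # an empty or missing property counts as zero permitted senders.
        $allowed = @($Group.AcceptMessagesOnlyFrom | Where-Object { $_ }) +
                   @($Group.AcceptMessagesOnlyFromDLMembers | Where-Object { $_ })
        if ($allowed.Count -eq 0) {
            $findings += 'NoSenderRestriction'
        }

        # No limit on the size of messages sent to the group.
        $size = "$($Group.MaxReceiveSize)"
        if (-not $size -or $size -eq 'unlimited') {
            $findings += 'NoSizeLimit'
        }

        New-Object PSObject -Property @{
            Name      = $Group.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join ', ')
        } | Select-Object Name, Compliant, Findings
    }
}

# Sample input so the example runs without an Exchange server.
$sample = @(
    # Values copied from the "Executives" output shown above.
    (New-Object PSObject -Property @{
        Name = 'Executives'; GroupType = 'Universal'
        RequireSenderAuthenticationEnabled = $false
        AcceptMessagesOnlyFrom = @(); AcceptMessagesOnlyFromDLMembers = @()
        MaxReceiveSize = 'unlimited' }),
    # Constructed: a group configured the way the chapter recommends.
    (New-Object PSObject -Property @{
        Name = 'IT Operations'; GroupType = 'Universal, SecurityEnabled'
        RequireSenderAuthenticationEnabled = $true
        AcceptMessagesOnlyFrom = @()
        AcceptMessagesOnlyFromDLMembers = @('fourthcoffee.com/Corporate/IT Operations')
        MaxReceiveSize = '100KB' }),
    # Constructed: a global group mail-enabled under an earlier Exchange version.
    (New-Object PSObject -Property @{
        Name = 'Legacy Sales'; GroupType = 'Global'
        RequireSenderAuthenticationEnabled = $true
        AcceptMessagesOnlyFrom = @(); AcceptMessagesOnlyFromDLMembers = @()
        MaxReceiveSize = 'unlimited' })
)

$sample | Test-MailGroupExposure | Format-Table -AutoSize

# In the EMS, feed it live objects instead of the sample:
#   Get-DistributionGroup -ResultSize Unlimited | Test-MailGroupExposure
```

With the sample data, Executives is reported with three findings (unauthenticated senders, no sender restriction, no size limit), IT Operations is compliant, and Legacy Sales is flagged for its non-universal scope along with the missing sender restriction and size limit.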

Creating Dynamic Distribution Groups Using the EMS

Let's now look at an example where we create and manage a dynamic distribution group using the EMS. Let's say that we need to create a group called Everyone who's on the West Coast that consists of just mailbox-enabled users. We want to create the Active Directory object in the fourthcoffee.com domain and in the Corporate organizational unit. Further, let's say that the maximum receive size should be only 75KB.

To create this DDG, you would use the following cmdlet:

 New-DynamicDistributionGroup -Name "Everyone on the West Coast" -IncludedRecipients 'MailboxUsers' -ConditionalStateOrProvince 'California','Oregon','Washington' -OrganizationalUnit 'fourthcoffee.com/Corporate' -Alias 'EveryoneOnWestCoast' -RecipientContainer 'fourthcoffee.com/Corporate'

After you get the group created, you have to use the Set-DynamicDistributionGroup cmdlet to update the maximum receive message size like so:

 Set-DynamicDistributionGroup -Identity "Everyone on the West Coast" -MaxReceiveSize 75KB

Dynamic distribution groups have a few additional property types that can be viewed using the EMS. Here is the output of the EMS and some of the additional properties that are found when using a dynamic distribution group:

 Get-DynamicDistributionGroup "Everyone in Organization" | FL Name,*Recipient*,Conditional*
 Name                         : Everyone in Organization
 RecipientContainer           : volcanosurfboards.com/Somorita Surfboards
 RecipientFilter              :
 LdapRecipientFilter          : (&(!cn=SystemMailbox{*})(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))))))
 IncludedRecipients           :
 RecipientFilterType          : Legacy
 RecipientType                : DynamicDistributionGroup
 RecipientTypeDetails         : DynamicDistributionGroup
 ConditionalDepartment        :
 ConditionalCompany           :
 ConditionalStateOrProvince   :
 ConditionalCustomAttribute1  :
 ConditionalCustomAttribute2  :
 ConditionalCustomAttribute3  :
 ConditionalCustomAttribute4  :
 ConditionalCustomAttribute5  :
 ConditionalCustomAttribute6  :
 ConditionalCustomAttribute7  :
 ConditionalCustomAttribute8  :
 ConditionalCustomAttribute9  :
 ConditionalCustomAttribute10 :
 ConditionalCustomAttribute11 :
 ConditionalCustomAttribute12 :
 ConditionalCustomAttribute13 :
 ConditionalCustomAttribute14 :
 ConditionalCustomAttribute15 :




Mastering Microsoft Exchange Server 2007
Mastering Microsoft Exchange Server 2007 SP1
ISBN: 0470417331
EAN: 2147483647
Year: 2004
Pages: 198
Authors: Jim McBee
