Do you know what attributes are used to control who can and can't send to a Distribution List in Exchange 2003 and Exchange 2007? or Does it use a DACL?
Knowing such things is key if you are going to automate distribution list management through .NET programs, or MIIS/ILM/FIM, Quest ARS or any other tool that is talking to LDAP attributes. For Powershell you need a separate list since the names are different.
Seeing as how a picture is worth a thousand words I'll include some after a brief explanation:
At first I was afraid that it used the SendTo permission on DACLs but fortunately that is not what the Exchange GUI tools change. This is fortunate since ILM does not have an out of the box MA that modifies DACLs on AD objects, it is also fortunate since programming against DACLs is somewhat complicated. I must give thanks to my friend Joe Kaplan and his co-author Ryan Dunn for the helps in their book (see page 302 listing 8.2 listing the DACL) and their forum http://directoryprogramming.net/default.aspxThe .NET Developer's Guide to Directory Services Programming
With the help from their book I was able to eliminate DACLs since the darn things never changed. FC never lies.
Open the Exchange Console, navigate to the Distribution lists open their properties and go to Mail Flow Settings click on Message Delivery Restrictions and then click on the Blue check mark next to Properties:
So what I found was five attributes that control the fate of who can and who can't send to a particular recipient (in this case a distribution list)
authOrig, unauthOrig, and msExchRequireAuthToSendTo,
|Attribute Name||Name in GUI||Explanation||Powershell (Set-DistributionGroup) |
Just as an FYI
|authOrig||Accept messages from |
Only senders in the following list:
|If this attribute and dLMemSubmitPerms are both empty then that is the equivalent of All Senders. If populated only those recipients and the members of Distribution Lists enumerated in dLMemSubmitPerms can sends listed can send items to this distribution list minus anyone listed in unauthOrig and anyone that is a member of distribution lists enumerated in dLMemRejectPerms||-AcceptMessagesOnlyFrom|
|dLMemSubmitPerms||same as above||see above||-AcceptMessagesOnlyFromDLMembers|
|unauthOrig||Reject messages from |
Senders in the following list:
|Prevents recipients listed here from sending to this Distribution list|| |
|dLMemRejectPerms||same as above||Prevents recipients who are members of the Distribution lists mentioned from sending email to this Distribution list|| |
|msExchRequireAuthToSendTo||Require that all senders are authenticated||When set to True only authenticated users (no external users) can send mail to this Distribution list|| |
For more info on attribute to Powershell attribute name conversions see
For more on the Powershell commands with some examples see
What would be really nice would be if FIM 2010 already had the schema and OVC extended for this. Since this is the very next thing people at a big company ask for after finding out they can automate distribution list maintenance.
As promised some pretty pictures to help explain (on the left you see the screenshot from ADSI edit and on the right the snapshot of the Exchange Console
On this one I reverse the order
By now you get the idea, that if you select a distribution listt in the Senders in the following list they get put here:
So we see that the Exchange Console clever sorts the DLs from the individuals and puts them into their separate attributes.