June 29, 2009
Do you know which attributes control who can and can't send to a Distribution List in Exchange 2003 and Exchange 2007? Or does it use a DACL?
Knowing this is key if you are going to automate distribution list management through .NET programs, MIIS/ILM/FIM, Quest ARS or any other tool that talks to LDAP attributes. For PowerShell you need a separate list, since the parameter names differ from the attribute names.
Seeing as how a picture is worth a thousand words I’ll include some after a brief explanation:
At first I was afraid that it used the Send To permission on the DACL, but fortunately that is not what the Exchange GUI tools change. This is fortunate since ILM does not have an out-of-the-box MA that modifies DACLs on AD objects, and also because programming against DACLs is somewhat complicated. I must give thanks to my friend Joe Kaplan and his co-author Ryan Dunn for the help in their book (see page 302, listing 8.2, which lists the DACL) and their forum http://directoryprogramming.net/default.aspx
The .NET Developer’s Guide to Directory Services Programming
With the help of their book I was able to rule out DACLs, since comparing dumps taken before and after the change showed the darn things never changed. FC (the Windows file-compare tool) never lies.
Open the Exchange Management Console, navigate to the Distribution Groups, open the properties of a group, go to the Mail Flow Settings tab, select Message Delivery Restrictions and then click the blue check mark next to Properties:
So what I found was five attributes that control the fate of who can and who can't send to a particular recipient (in this case a distribution list): authOrig, dLMemSubmitPerms, unauthOrig, dLMemRejectPerms and msExchRequireAuthToSendTo. For each one, here is the name in the GUI, an explanation, and, just as an FYI, the matching Set-DistributionGroup PowerShell parameter:

authOrig
  Name in GUI: Accept messages from / Only senders in the following list:
  Explanation: If this attribute and dLMemSubmitPerms are both empty, that is the equivalent of All Senders. If either is populated, only the recipients listed here and the members of the distribution lists enumerated in dLMemSubmitPerms can send to this distribution list, minus anyone listed in unauthOrig and anyone who is a member of a distribution list enumerated in dLMemRejectPerms.
  PowerShell: -AcceptMessagesOnlyFrom

dLMemSubmitPerms
  Name in GUI: same as above (the distribution lists selected in that box land here)
  Explanation: see above
  PowerShell: -AcceptMessagesOnlyFromDLMembers

unauthOrig
  Name in GUI: Reject messages from / Senders in the following list:
  Explanation: Prevents the recipients listed here from sending to this distribution list.
  PowerShell: -RejectMessagesFrom

dLMemRejectPerms
  Name in GUI: same as above (the distribution lists selected in that box land here)
  Explanation: Prevents recipients who are members of the distribution lists listed here from sending to this distribution list.
  PowerShell: -RejectMessagesFromDLMembers

msExchRequireAuthToSendTo
  Name in GUI: Require that all senders are authenticated
  Explanation: When set to True, only authenticated users can send mail to this distribution list; anonymous (external) senders are rejected.
  PowerShell: -RequireAllSendersAreAuthenticated
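As an added example (not code from the original post), here is how the same five attributes can be read over LDAP from PowerShell or a .NET program, together with a small model of the accept/reject rules in the table above that runs offline on constructed data. The function names, the DNs and the sender's group-membership input are assumptions for illustration; in production the Exchange transport categorizer does the membership expansion (nested groups included), so the model only shows the rule ordering and is not a replacement for it.

```powershell
# Added example, not code from the original post: read the five send-restriction
# attributes of a distribution list straight from AD over LDAP, and model offline
# the accept/reject rules summarised in the table above.
# All DNs and names below are made up for illustration.

Add-Type -AssemblyName System.DirectoryServices

# AD attribute name -> Set-DistributionGroup parameter that manages it (from the table).
$SendRestrictionAttrs = @{
    'authOrig'                  = 'AcceptMessagesOnlyFrom'
    'dLMemSubmitPerms'          = 'AcceptMessagesOnlyFromDLMembers'
    'unauthOrig'                = 'RejectMessagesFrom'
    'dLMemRejectPerms'          = 'RejectMessagesFromDLMembers'
    'msExchRequireAuthToSendTo' = 'RequireAllSendersAreAuthenticated'
}

function Get-DLSendRestrictions {
    # Reads the five attributes of one distribution list by DN. The four list
    # attributes are DN-valued and multi-valued, so they come back as arrays
    # (empty when the attribute is not set); the flag comes back as a boolean.
    # -IncludeSddl also returns the DACL as SDDL, so a before/after dump can be
    # compared the way the DACL was ruled out above.
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [switch]$IncludeSddl
    )
    $de = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    $de.RefreshCache([string[]]$SendRestrictionAttrs.Keys)

    $result = @{}
    foreach ($attr in $SendRestrictionAttrs.Keys) {
        $values = @($de.Properties[$attr] | ForEach-Object { $_ })
        if ($attr -eq 'msExchRequireAuthToSendTo') {
            # ADSI returns this one as a Boolean; unset means not required.
            $result[$attr] = ($values.Count -gt 0 -and [bool]$values[0])
        } else {
            $result[$attr] = $values
        }
    }
    if ($IncludeSddl) {
        $result['DACL'] = $de.ObjectSecurity.GetSecurityDescriptorSddlForm('Access')
    }
    return $result
}

function Test-DLSender {
    # Applies the rules from the table, in this order: the auth requirement,
    # then the accept lists (empty authOrig + dLMemSubmitPerms means everyone may
    # submit), then the reject lists. $SenderGroups is the assumed, pre-expanded
    # list of DL DNs the sender belongs to.
    param(
        [Parameter(Mandatory = $true)][hashtable]$Restrictions,
        [Parameter(Mandatory = $true)][string]$SenderDN,
        [string[]]$SenderGroups = @(),
        [switch]$Authenticated
    )
    # Where-Object { $_ } drops $null so an unset attribute counts as empty.
    $accept   = @($Restrictions['authOrig']         | Where-Object { $_ })
    $acceptDL = @($Restrictions['dLMemSubmitPerms'] | Where-Object { $_ })
    $reject   = @($Restrictions['unauthOrig']       | Where-Object { $_ })
    $rejectDL = @($Restrictions['dLMemRejectPerms'] | Where-Object { $_ })

    if ($Restrictions['msExchRequireAuthToSendTo'] -and -not $Authenticated) { return $false }

    if (($accept.Count + $acceptDL.Count) -gt 0) {
        $inAccept   = $accept -contains $SenderDN
        $inAcceptDL = @($acceptDL | Where-Object { $SenderGroups -contains $_ }).Count -gt 0
        if (-not ($inAccept -or $inAcceptDL)) { return $false }
    }

    if ($reject -contains $SenderDN) { return $false }
    if (@($rejectDL | Where-Object { $SenderGroups -contains $_ }).Count -gt 0) { return $false }
    return $true
}

# Constructed offline sample. It is what the attributes would hold after:
#   Set-DistributionGroup 'Finance' -AcceptMessagesOnlyFromDLMembers 'Finance Staff' `
#       -RejectMessagesFrom 'Contractor Bob' -RequireAllSendersAreAuthenticated $true
$sample = @{
    authOrig                  = @()
    dLMemSubmitPerms          = @('CN=Finance Staff,OU=Groups,DC=example,DC=com')
    unauthOrig                = @('CN=Contractor Bob,OU=Users,DC=example,DC=com')
    dLMemRejectPerms          = @()
    msExchRequireAuthToSendTo = $true
}
$staff = 'CN=Finance Staff,OU=Groups,DC=example,DC=com'
$alice = 'CN=Alice,OU=Users,DC=example,DC=com'
$bob   = 'CN=Contractor Bob,OU=Users,DC=example,DC=com'
$carol = 'CN=Carol,OU=Users,DC=example,DC=com'

Test-DLSender $sample $alice -SenderGroups $staff -Authenticated   # member of an accept DL, authenticated
Test-DLSender $sample $bob   -SenderGroups $staff -Authenticated   # member of an accept DL, but in unauthOrig
Test-DLSender $sample $alice -SenderGroups $staff                  # accepted list, but not authenticated
Test-DLSender $sample $carol -Authenticated                        # not on any accept list

# Against a real directory (needs domain connectivity, DN is made up):
# Get-DLSendRestrictions 'CN=Finance,OU=Groups,DC=example,DC=com' -IncludeSddl
```

Set-DistributionGroup writes these same attributes, so if you take a -IncludeSddl dump before and after a change made in the console or in PowerShell, the list attributes are what differ while the DACL line stays the same.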
For more info on attribute-to-PowerShell parameter name conversions see
http://blogs.technet.com/evand/archive/2007/02/19/filterable-properties-in-exchange-2007-rtm.aspx
For more on the PowerShell commands, with some examples, see
http://technet.microsoft.com/en-us/library/bb397214.aspx
What would be really nice is if FIM 2010 already had the schema and OVC extended for this, since this is the very next thing people at a big company ask for after finding out they can automate distribution list maintenance.
As promised, some pretty pictures to help explain (on the left you see the screenshot from ADSI Edit and on the right the snapshot of the Exchange Console):
On this one I reversed the order:
By now you get the idea: if you select a distribution list in the Senders in the following list box, it gets put here:
So we see that the Exchange Console cleverly sorts the DLs from the individuals and puts them into their separate attributes.