LiquidObject

Hiding Distribution Group memberships

Under Exchange 2010 the need arose to create some distribution groups whose membership is hidden. The most commonly published method actually uses two groups: the first is a non-mail-enabled group and the second is a dynamic distribution group. While these do have their place in many organizations, I wanted to maintain the same functionality without needing the second group.

To keep my life simple, here is the PowerShell method for this problem.

Let's define some variables

# Set-ADGroup comes from the ActiveDirectory module; the other cmdlets are from the Exchange Management Shell
Import-Module ActiveDirectory
$listname = "allemployees"
$orgunit = "liquidobject.com/Exchange/Distribution Groups"
$managedby = "MyDummyAdmin"
# Build the group
New-DistributionGroup -Name $listname -SamAccountName $listname -OrganizationalUnit $orgunit -Type "Distribution" -ManagedBy $managedby -MaxReceiveSize "5120 KB"
# Pause before modifying the newly created group
Start-Sleep -Seconds 4
# Deny the regular employee group read access to the Member attribute,
# so membership cannot be listed from the command line (net group)
Add-ADPermission -Identity $listname -User "Normal_Employee_Group" -Deny -AccessRights ReadProperty -Properties Member
# Hide the membership from Outlook and OWA
Set-ADGroup -Identity $listname -Replace @{HideDLMembership=$true}

This method has been used in the past via ADSI Edit, but I was looking for a native PowerShell approach so that group creation could be automated.

The only drawback is that HideDLMembership applies organization-wide, so regular managers cannot see the group's membership either. Administrators can still see the membership via the EMS, the EMC, or the old net group method.
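To confirm that both controls are actually in place after an automated run, a check like the following can be used. This is an added example, not part of the original script; the function name Test-HiddenDLMembership is hypothetical, and it assumes the User and Properties values returned by Get-ADPermission render as strings such as "DOMAIN\Normal_Employee_Group" and "Member".

```powershell
# Added example: audits the two controls the script above applies.
# Run from the Exchange Management Shell with the ActiveDirectory module available.
Import-Module ActiveDirectory

function Test-HiddenDLMembership {
    param(
        [Parameter(Mandatory = $true)][string]$ListName,
        [Parameter(Mandatory = $true)][string]$DeniedGroup
    )

    # Control 1: the hideDLMembership attribute (Outlook and OWA view).
    $group  = Get-ADGroup -Identity $ListName -Properties hideDLMembership
    $hidden = ($group.hideDLMembership -eq $true)

    # Control 2: an explicit deny ACE on ReadProperty for the Member attribute.
    # Assumption: User and Properties convert to strings like
    # "DOMAIN\Normal_Employee_Group" and "Member" via ToString().
    $denyAce = @(Get-ADPermission -Identity $ListName | Where-Object {
        $_.Deny -and
        (-not $_.IsInherited) -and
        ($_.User.ToString() -like "*\$DeniedGroup") -and
        (($_.AccessRights -join ',') -match 'ReadProperty') -and
        (@($_.Properties | ForEach-Object { $_.ToString() }) -contains 'Member')
    })
    $denied = ($denyAce.Count -gt 0)

    # New-Object is used instead of [pscustomobject] so this also runs on
    # the PowerShell 2.0 shell that ships with Exchange 2010.
    New-Object PSObject -Property @{
        Group             = $ListName
        HideDLMembership  = $hidden
        DenyReadMemberAce = $denied
        Compliant         = ($hidden -and $denied)
    } | Select-Object Group, HideDLMembership, DenyReadMemberAce, Compliant
}

# Usage with the values from the script above
Test-HiddenDLMembership -ListName "allemployees" -DeniedGroup "Normal_Employee_Group"
```

A result with Compliant set to False means one of the two settings is missing, for example when the group was modified before it had finished being created.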

August 12, 2012 at 9:00 am