Prevent user "click-expansion" of Exchange distribution group?

Question

I am a Unix guy who recently picked up powershell to help my Exchange admin coworkers implement a challenging project in Exchange 2010. (The requirements we've been given are challenging if not impossible to meet.)

I'll try to keep this simple. Here's my first question.

We have been given the requirement that certain DLs must be restricted so that only certain internal AD users can send to the DL. Additionally, these DLs must remain visible in the address book. Setting the 'HiddenFromAddressBookEnabled' property to $true is unacceptable. Leadership has stated that "The only people who should be allowed to see who's in the group are the people that can send to the group. Furthermore, the only people who should even be able to SEE the DL entries in the address book are the people who are allowed to send to the DL." I don't think that's doable, because:

• I can get around sender-security restrictions by calling up the (visible) entry in the address book, plopping it in the To: field, and then clicking the '+' in Outlook to expand it to individual people, which then bypasses group security. (I've confirmed this.)
• I do not believe it's possible to selectively hide address book entries only from certain users, but not others.

So here are my questions:

• Does my understanding seem mostly correct? If not, feel free to offer corrections
• Is there any way to hide DLs in address books from only a specific set of users?
• Is there a way to prevent users from clicking the '+' sign in Outlook to get around security restrictions that limit who can send to a group? Technically, you're not sending to a group anymore - just the exact set of individuals that are in that group.

Please - any additional enlightenment or comments encouraged. I think we have to go back to the business and tell them their requirements are not achievable. (And I have two other nasty requirements that I'll start separate questions for.)

Thanks everyone!

Answer 1

Your understanding is dead on. You could potentially maintain a number of different default address lists based on a user's access level (only letting them have a given group in their list if they're authorized), but that's incredibly ugly and would be nearly impossible to maintain.

One way to get rid of the expandability would be to use Dynamic Distribution Groups - they expand based on a query during transport, and thus cannot be expanded in Outlook.

This prevents access to the curious, but not the determined/knowledgeable - keep in mind that without some nasty permissions changes, a lot of the user and group attributes in question are readable to any domain user with the tools and knowledge needed to view them.

Answer 2

If you go in ADUC and right click, properties, attribut editor, hideDLMembership (set that to true) they will be able to see the group but will not be able to expand it's members.

Answer 3

If you enable Moderation on the DL, users will not be able to click the "+" sign to expand the group. Attempting to do so in Outlook will result in the following message:

Of course, this means someone (or a group of people, if desired) will then have to moderate all messages that are sent to that DL. In our case, we wanted moderation anyway, so this worked well for our needs.

(This worked for me on Exchange 2010 SP3)

Answer 4

I know this is old but for anyone searching for a way to do this, there is a registry key that you can add that will disable expansions of a distribution list. A GPO is the best means to enforce to all computers in your organization.

Outlook 2007 - HKCU\Software\Microsoft\Office\12.0\Outlook\Options\Mail\DisableDLExpansion=1 Outlook 2010 - HKCU\Software\Microsoft\Office\14.0\Outlook\Options\Mail\DisableDLExpansion=1 Outlook 2013 - HKCU\Software\Microsoft\Office\15.0\Outlook\Options\Mail\DisableDLExpansion=1 Outlook 2016 - HKCU\Software\Microsoft\Office\16.0\Outlook\Options\Mail\DisableDLExpansion=1

The key DisableDLExpansion is DWORD (32-bit) and you set the value to 1.