[Note: These needs are external demands from the client and can/will not change. Please keep that in mind when answering]
We have a small overworked 2.5 man Windows admin team (2 vets, 1 junior). As an I.T. infrastructure group, we have been asked to implement the following:
- We must set up mailing lists (dist. groups) for use in Outlook.
- All mailing lists will include internal AD Users and external mail contacts
- For all dist. groups, Reply-All for both internal users and external contacts should always fail, no exceptions. (A bounce is acceptable)
- SECURITY: If a person is not allowed to send to a distribution group, then:
  - It must be 100.000% guaranteed they are NEVER, IN ANY CONCEIVABLE WAY, allowed to discover the existence of the group, even if they are an internal AD user.
  - It must be 100.000% guaranteed they are NEVER, IN ANY CONCEIVABLE WAY, able to dig and determine what individual members are in a group, even if they are an internal AD user.
- SECURITY: If a person IS allowed to send to a security-enabled dist. group, then:
  - They must be able to see that group in a specific address book (we've done that already)
  - They must easily be able to determine who is in the group
IN NO WAY, SHAPE, OR FORM, IS "USER-TRAINING" ALLOWED. People sending to these lists are extremely non-tech-savvy, extremely powerful within the organization politically, and will not change their habits in any way. This means we can't suggest they use the 'Bcc:' field. It also means we can't suggest "Don't click the '+' button to expand the group or you lose security."
Reminder - you can't change the facts above.
On a scale of 1 to 10, with 1 being 'Trivial' and 10 being 'A factual impossibility', where does this project rate? We have a manager that is cracking the whip, not understanding that the requirements, as stated precisely above, are pretty conflicting. Even given a reasonable amount of time, I don't think this can be done without a substantial inconvenience and risk to the overall AD infrastructure. (Extreme security permissions so users can't go digging through objects.)
I'm not so concerned with the guts and tech. details of how you'd implement such a thing, but feel free to share them. I'm more curious about the feasibility of the above and how long it would take, IF it's even doable.
As you consider your answer, please keep the strict requirements in mind. We have triple-confirmed they cannot bend, by even one word. For example, "You could use a custom mail client." Wrong. Outlook is the required client. "You could just hide the groups." Wrong. Someone in AD can still go digging and find them. Etc. etc.
THANK YOU!!! I'm a Unix guy who's heavily involved because I've gotten pretty decent with PowerShell and have about 1,000 lines of code to help build and maintain these (thousands of) contacts and groups.
EDIT: I know there are a lot of good answers on this topic, but please keep your thoughts coming. I need as much ammunition as possible to take back to the business. Five people saying this is next to impossible is great. Ten people saying it is even better. Thanks everyone.