Restrict view access to a distribution group

Similar Messages

• How to view members of Dynamic Distribution Group via Outlook client?

  Hello,
  Is it possible to view the members of a DDG via the outlook cliënt (exchange 2010 SP1 + Outlook 2010)? For a normal Distribution Group I can see who are the members by viewing it's properties but not for a Dynamic Distribution Group....
  Thnx Remco

  The members of a DDG are calculated when someone sends a message to it and might not be the same eight seconds before the message of three seconds after it. Simply trying to look at the membership from
  Outlook does not enumerate the potential membership and anyway, even if you could there's every chance that the membership could change in the period of time between looking at the membership and actually crafting the message.
  "Remco Tiel" wrote in message
  news:39415e3a-af02-4dde-bcc4-cc7334233e55...
  Hello,
  Is it possible to view the members of a DDG via the outlook cliënt (exchange 2010 SP1 + Outlook 2010)? For a normal Distribution Group I can see who are the members by viewing it's properties but not for a Dynamic Distribution Group....
  Thnx Remco
  Mark Arnold, Exchange MVP.
  If I open a new email in outlook 2010, and I click on the TO: button, it brings up the Global Address List.  If I use the Drop Down under "Address Book" I can select the Dynamic Distribution List and the members are show in the main window.
  That being said, I notice that two of the three that I'm using didn't get updated until I went in and edited it, and walked through the wizard without making any changes.  Then they got updated.  One of the three was up to date without me doing
  anything, which is what I thought the whole point of Dynamic Distribution Lists was?
  Was this in a Exchange 2010 server environment?

• Restricted/View Access Only - User

  Hi,
  I have a need to create a user account on our ASA (8.x code) device but only allow them read access; particularly, view the overall config and interface statistics.
  I have tested with an account, but my attempts at setting the privilege level seem to be ineffective at restricting accesss. How might I accomplish this task?
  thanks,
  Jim

  Jim, you should get it working after reference this thread.
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=true&CommCmd=MB?cmd=display_location&location=.2cc2c575/4
  If still have issues let us know.
  B.regards

• Restricted view access to other schemas 'showstopper' problem

  I'm tasked with the potential roll-out of SQL Developer across a large number of users (doing away with equivalent software in the process).
  The feedback has been very positive. However, the only real issue stopping the replacement from progressing is that we cannot view certain objects in other schemas (package bodies, triggers etc) ... i.e. we need to connect as the schema owner to view these. This is essential, otherwise everyone would need to know the application schemas password.
  Our current software has the same issue unless the following option in the Options/Startup window is activated: 'Check for access to DBA views. Otherwise, SYS.ALL_xx views will be used when listing objects'. Thereafter the issue is resolved.
  Is there any workaround (e.g. like the above) in SQL Developer?
  Many Thanks.

  Sue, thanks for your reply although I already have access to Package code via tools like SQL*Plus.
  I guess the problem being discussed here is similar to the following thread (for which you have already logged a bug). See:
  How do I view package bodies in another schema ?
  Re: How do I view package bodies in another schema ?
  On a similar issue, I note that there is a possibility that a fix will indeed be implemented in release 1.1. See:
  Package body not visible
  Re: Package body not visible
  Please advise what the current status is relating to a fix?
  Many thanks for any clarification.

• Restricting Wireless Access using ACS 3.3

  We are currently running ACS 3.3 and I am trying to figure out how to restrict Wireless access to specific user groups. Our current setting is using PEAP and ACS as the Radius. Our user database is mapped to Windows 2003 AD. I've got the PEAP working and the radius authentication is also working but I cannot seem to figure out how to restrict the wireless access to specific Windows/ACS groups.
  Erik

  Hi,
  On ACS 3.3.x You can certinly achive this, al you have to do is configure NAR( Network Access Restriction) Here is the link which should provide you further informatio on it.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
  -Parm

• Assistance with distribution group behavior

  We have a new Exchange 2013 server.  So far, we are happy with it, except for this one issue with distribution groups.
  On our old, non-Microsoft mail server, we had mailing lists.  When someone sent an email to the list, the members of the list would receive an email that was listed as "From:
  [email protected] on behalf of [email protected]".  We like this behavior because it allows people to easily see who the messages posted on a mailing list came from, but when hitting reply,
  the reply would go back to the mailing list, and ***NOT*** the user that sent the email being replied to.
  In Exchange 2013, distribution groups function differently.  If a user sends an email to
  [email protected], our users see a message that is listed as "From: [email protected]" and "To: [email protected]".  If a user hits reply to this
  message, the reply by default goes to the original send and NOT the entire list.  We do NOT like this behavior and wish to change it.
  Hitting Reply All when viewing emails from a distribution group is not a viable option...our users will not remember to do that and it will create confusion.
  So, to recap, what we want to see when User A send an email to Distribution Group A, then all other users should receive an email that is "From:
  [email protected] on behalf of [email protected]".  When our users hit reply to this message, the reply's To: field should, by default, be filled in with
  [email protected] and not
  [email protected]
  How can we accomplish this?

  You might be able to achieve something using transport rules/agents (if someone sends to the list, re-write the reply address to the list). It would be ugly though... cringing just thinking about it...
  We already attempted this with Transport Rules.  Specifically, we tried to rewrite the Reply-To header.  When attempting to create the rule, Exchange pitches an error message: "Can't set header reply-to with value [email protected]".  Are
  we missing something somewhere, some setting that will allow this?

• Restricting owa 2013 from internet for group users using ARR

  I am trying to restrict owa access from internet for group of users using ARR.
  http://www.msexchange.org/articles-tutorials/exchange-server-2013/mobility-client-access/iis-application-request-routing-part1.html
  please suggest

  Hello,
  Thank you for your question.
  This is a quick note to let you know that I am trying to involve someone familiar with this topic to further look at this issue.
  Regards,
  Winnie Liang
  TechNet Community Support

• Dynamic Distribution Groups - Message Delivery Restrict to Security Group

  Hi,
  I have created a dynamic distribution group and want to restrict mail delivery to only accept messages from members of a security group.  How do I achieve this?
  The idea is the DDG's are set with their criteria and if anyone leaves/joins the relevant SG then they will have permission to send to those DDG's.
  Thanks in advance.

  Hi ,
  In exchange management console it is very simple to provide the access.Please follow steps.
  1.Open the Exchange Management Console (EMC)
  2.Locate the distribution list .
  3.Right-click on it and select Properties
  4.Open the Mail Flow Settings tab
  4.Select Message Delivery Restrictions
  5.Then select the option only senders in the following list and add the DL that you would like to provide access to send email to that group.
  Thanks & Regards S.Nithyanandham

• Anyconnect IKEV2 restricting access via AAA auth Group

  Hi Everyone,
  I have ASA config with 2 connection groups
  Say Group  1 and 2.
  Currently both are assigned to Same Auth AAA group
  One of our external vendor has access to both XM files of connection group 1 and 2..
  If i want Vendor should connect only to  Connection Group 2 should i change the AAA auth group for connection group 2?
  Then even if he tries to connection group 1 it should not work as AAA Auth group will be only assigned to Group 2 right?
  Regards
  Mahesh

  Hi Rick,
  There is info
  Our ASA is configured with two connection groups.Our Vendor has XML files of both the
  Connection groups say                                      1 and 2.
  AAA Authentication group  called ----------------- RSA  ----Two servers are there in RSA group.
  We are using 2 factor Authentication.
  We want vendor to connect to connection group 2 only.
  We have two RSA Authentication  servers they are in HA mode so if one dies other can do the authentication.ASA has only 1 authentication  group called say RSA and both connection groups 1 and 2 are tied to the same Authentication group called RSA.
  If i configure new AAA server group say RSA2 for connection group 2 but it has same 2 servers will
  it restrict the vendors connection to connection group 2 only?
  Also when you say --- authentication server can differentiate between the vendor users and other users and supply a group membership ID in the authentication response?
  Need to know how i can do this?
  Regards
  MAhesh

• Restricting  Access for SQ01 User Group

  Hi ,
  Please let me how to Restrict  Access for a   User Group  to only some of  the specific users?
  Thank you
  Edited by: Vibhor Arora on Apr 12, 2010 7:29 AM

  Hi,
  Can you please clarify what exactly you want to know, your request can be interpreted in a few different ways.
  If you are concerned that people have access to all user groups, then you need to remove access to S_QUERY activity 02 and I think activity 23.  They will lose access to all user groups that they are not assigned to via SQ03.

• Effective Permissions to send email to distribution group having "only senders in the following list"

  Our environment is a mixed Exchange 2007 and Exchange 2010 server environment, still in transition (after 4 years). Users have Exchange 2007 mailboxes. A recent problem has been reported in a distribution group access model that has been working without
  complaint for several years.
  [email protected] has member John Doe ([email protected]), Jane Doe ([email protected]), "only senders in the following list" is set to GroupA
  [email protected] has member Rob Smith ([email protected]), Diane Smith ([email protected]), "only senders in the following list" is set to GroupB
  [email protected] has members GroupA, GroupB, "only senders in the following list" is set to GroupC
  When designed, we thought that when [email protected] sends an email to [email protected] it would be resolved to the user members of GroupC and delivered to everyone ([email protected], [email protected], [email protected], [email protected]). (While
  it seems unlikely, that this model has functioned for several years without experiencing this problem, it is conceivable that until recently [email protected] and [email protected] have with few exceptions always had the same membership. Recent changes in
  our organizational model have caused this to have some exceptions, and may be the root cause of this problem.)
  What we are experiencing is that users [email protected] and [email protected] receive the original email. Users [email protected], [email protected] do not receive the email. [email protected] receives an email "Undeliverable: test
  Delivery has failed to these recipients or distribution lists:
  [email protected]
  Your message wasn't delivered because of security policies. Microsoft will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator. Sent by Microsoft Exchange Server 2007.
  Diagnostic information for administrators
  Generating server: mail3.domain.com
  [email protected]
  #550 5.7.1 RESOLVER.RST.NotAuthorized; not authorized ##
  Original message headers:
  Received: from MAIL7.domain.com ([::1]) by mail3.domain.com ([::1]) with
  mapi; Mon 9 Mar 2015 07:00:30 -500
  Content-Type: application/ms-tnef;name="winmail.dat"
  Content-Transfer-Encoding: binary
  From: Jane Doe <[email protected]>
  To: GroupC <[email protected]>
  Date: Mon 9 Mar 2015 07:00:29 -500
  Subject: test
  What is the expected behavior?
  Does Exchange resolve the "To" distribution group to member mailboxes for delivery purposes, or does it walk the subordinate child groups and check security at each level?
  Is this a configurable behavior that may have recently changed as we have a "new" Exchange Admin poking around?
  Might this be related to the mixed Exchange 2007 / 2010 environment?
  Is there a way to obtain "effective permissions" for delivery restrictions?
  emc2

  Hi,
  From your description, I would like to verify if you have done some changes for GroupB distribution group. Ensure that "[email protected]" is added to the "accept list" in GroupB's message delivery
  restrictions.
  What's more, are GroupA GroupB and GroupC Exchange 2010 distribution groups?
  Best regards,
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Amy Wang
  TechNet Community Support

• Custom Distribution Group management role (manager excpeiton)

  My organization is medium size with multiple support groups (15+) that each support a subset of users (350+). I want to create a management role that is scoped so each support group can manage the distribution groups in their respective OU space.
  By manage I mean edit the group membership. I realize I can achieve this with AD permissions but I’d like to achieve this in a way that leverages RBAC so the support groups can use OWA. I also want to leverage RBAC\OWA because not all my support groups are
  technical, some are office admins. Anyways, below is what I’ve tried in my lab scoped to one of my support groups.
  Using the cmdlets below I’ve created a custom management scope, role and group. However, this does not work. While it lets my sales support group view and edit some random attributes on the group, it fails when they try to edit the group membership. In other
  words, they can logon to OWA, click options\see all options\manage your organization\distribution groups\open the group\edit description etc. but when they select “Add…” under membership then select the user and hit ok\save they get the error “you don’t have
  sufficient permissions. this operation can only be performed by a manger of the group”.
  New-ManagementScope -Name “Sales Support DG MScope” -RecipientRestrictionFilter {RecipientType -eq "MailUniversalSecurityGroup"} -RecipientRoot “lab.com/sales”
  New-ManagementRole -name “Sales Support DG MRole” -Parent "Distribution Groups"
  New-RoleGroup -name “Sales “Sales Support DG MGroup” -Roles "Sales Support DG MRole" -CustomRecipientWriteScope "Sales Support DG MScope"
  When I do as the error asks (i.e. add my support user as a manager of the group via the EMC), then my support user is able to edit the group's membership in OWA. The problem with this solution is that it would require me to add my support users to my role
  group “Sales Support DG MGroup” AND as a manager of the DG and every DG that is created down the line. Not ideal. Any ideas, some RBAC magic I’m missing?
  Below confirms by scope.
  Get-Group -OrganizationalUnit “lab.com/sales” | ?{$_.RecipientType -eq "MailUniversalSecurityGroup"}
  Name DisplayName SamAccountName GroupType
  distro1 distro1 distro1 Universal, SecurityEnabled
  distro2 distro2 distro2 Universal, SecurityEnabled
  distro3 distro3 distro3 Universal, SecurityEnabled
  On a side note, I realize by sourcing my management role off of distribution groups gives me more cmdlets\access than my support group needs (see below). I’m first just trying to get it to work :).
  Get-ManagementRole “Sales Support DG MRole” | Get-ManagementRoleEntry | select name
  Name
  Add-DistributionGroupMember
  Disable-DistributionGroup
  Enable-DistributionGroup
  Get-ADServerSettings
  Get-AcceptedDomain
  Get-DistributionGroup
  Get-DistributionGroupMember
  Get-DomainController
  Get-DynamicDistributionGroup
  Get-Group
  Get-MailUser
  Get-Mailbox
  Get-OrganizationalUnit
  Get-Recipient
  Get-ResourceConfig
  Get-User
  New-DistributionGroup
  New-DynamicDistributionGroup
  Remove-DistributionGroup
  Remove-DistributionGroupMember
  Remove-DynamicDistributionGroup
  Set-ADServerSettings
  Set-DistributionGroup
  Set-DynamicDistributionGroup
  Set-Group
  Set-OrganizationConfig
  Update-DistributionGroupMember
  Write-AdminAuditLog

  Hello,
  I understand that you have create custom management scope for each group and assigned a custom role to it.
  But whenever user try to edit (add/remove membership ) ,it shows errors "you dont have sufficient permissions". I face similar problem when we move from 2007 to 2010, 2010 by default disabled editing options for Dl membership.
  You can enable it by Graphic mode or powershell. Would suggest that you have created custom role, you follow powershell mode. I had written a blog on that.
  Check below link. http://exchange2010cmd.blogspot.de/
  You have created new management role “Sales Support DG MRole”, but you need to assign this role to users/administrators in your case through role assignment policy.
  You can either use existing default policy or create new policy and assign this management role to it.
  Use below cmd: New-ManagementRoleAssignment -Role “Sales Support DG MRole” –Policy “Default Role Assignment Policy”
  NOTE: If you are creating new policy , place that name instead of default policy name".
  I recommend you continue with defalut policy. After this check with any admin, he should have rights to edit membership.
  Now, regarding your second concern, that your custon role has to many role entries.
  You can remove unwanted role entries.
  Use this cmd: Get-ManagemenRoleEntry “Sales Support DG MRole\*” | where{ $_.name –like “Set-distributionGroup” } | remove-managementroleentry
  Before linking management role to email policy, remove unwanted role entry from role.
  I tried to explain it in easy way, but still it is not understood, write back to me. I am new to technet forum, I started few days back replying to questions. If you get your answer,dont forget to propose it as answer.

• Cannot Send Mail to Distribution Group

  We are running Exchange 2013 and have a problem where users are getting NDR reports when trying to send mail with a small attachment a Universal Distribution Group. The message received back is:
  Delivery has failed to these recipients or groups:
  _Group ([email protected])
  The recipient won't be able to receive this message because it's too large.
  The maximum message size that's allowed is 2 MB. This message is 3 MB
  Why are messages to distribution groups capped at 2MB and how can I increase it to at least 10?

  Hi Will,
  Check the distributiongroup maxreceivesize parameter. With Powershell.
  Get-DistributionGroup -Name <Name> | FL
  It can be changed using:
  Set-DistributionGroup -Name <Name> -MaxReceiveSize XXXXX
  It can also be changed in the Exchange Administreative Center here:
   Recipients > Mailboxes > EditEdit icon > Mailbox features > Mail flow > Message size restrictions > View details > Received messages
  You can Refer to this link for further Exchange 2013 Message size limits.
  http://technet.microsoft.com/en-us/library/bb124345(v=exchg.150).aspx
  All the best, Jesper Hassing - MCTS SCCM 2012 - MCSA 2012 Server - MCP

• "Active Directory operation failed on DC " when assigning Send As permissions on a distribution group

  I'm trying to give a mailbox user Send As right for a distribution group. But the cmdlet comes back with this:
  Get-DistributionGroup MyGroup | Add-ADPermission -user albert -ExtendedRights Send-As
  Active Directory operation failed on <DC fqdn>. This error is not retriable. Additional information: Access is denied.
  Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
      + CategoryInfo          : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
      + FullyQualifiedErrorId : FE24751F,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
  What could be the problem, considering the items below :
  - inheritance is not broken to the level of the distribution group object
  - the account used to run the cmdlet is a member of the Organization Management group
  - creating a new distribution group in the same OU and running the command works as expected; checking the permission for this group against MyGroup (using Get-DistributionGroup testgroup | Get-ADPermission | Sort-Object User,AccessRights | ft user,accessrights,extendedrights,properties)
  shows no differences.
  - adding the permission using ADUC results in the user being able to Send As the group, however I'm trying to find out the root cause of the Powershell cmdlet execution problem
  - there is no Deny permission on the group's ACL
  - the group didn't have the "Hide Membership" feature of Exchange 2003 applied, so there shouldn't be any non-canonical ACL issues

  Anyone ever come up with a solution to this?  I get something similar when Activesync tries to create objects on user containers.
  Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Test User,OU=Domain Users,DC=domain,DC=com" container under Active Directory user "Active Directory operation failed on DELL7S09.domain.com. This error is not retriable.
  Additional information: Access is denied.
  Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
  Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.
  Details:%3
  So...I get this after I introduced a MS Exchange 2010 SP3 RU8 server into my environment.  You can find LOTS of people suggesting the same fix but I've not found anything that deviates from those fixes:  check the "inherit permissions",
  and give full permis to msExchActiveSync devices for the Exchange Servers security group, blah blah.
  I got to this point by following a Migrate to Exch2010 paper by MS.  I have no Win2k servers, my old Exchange server is Win2003r2SP2 with Exch2003SP2 fully patched.  The Exch server is also a DC.  I installed a new 2012r2 server and then patched
  it.  Installed Exch2010SP3Ru8 and all seems well.  
  The old Exch2003 server is still in production.  My iPhone army connects remotely for mail, and all works great.  I created a new Test User in AD, gave it a mailbox on the 2003 server, and waited a bit.  It eventually shows up in the Server
  Manager on the new 2010 Exch Server.  I send it a bunch of emails, connect to it with an outook client on a Win7 machine, all works.  I go to the SM on the 2010 box and migrate the mailbox to the new server.  It works.  I can connect with
  outlook, send receive mail to other users in the org.  I then try to connect with my iPhone and I get the message in Event Viewer over and over.
  Went so far as to Promo the new 2012 server to a DC.  seems to be fine.  Now am wondering if I Demote the old Exch2003 server will it help...or cause a new crop of issues....

• Import Distribution Group into SharePoint as "Audience"

  I've been searching these threads all day for a solution, and I haven't located one that answers my question...
  We are creating a SharePoint3 site which will have 4 different departments as the audience for it.  Due to the ingress and egress of employees & contractors, both onshore and off, attempting to maintain individual users
  and permissions will be incredibly difficult.
  Is there a way to add the Distribution Group into SharePoint so that all those people on the list can be provided access, with the same permissions, and maintained along with the DG?  There will be little to no emailing from the site itself, we just
  need a way to import the staff without having to do it manually.
  Can this be done? And if so, can you help guide me through the process?
  Thanks in advance.

  Are you sure you want to use an audience? Audiences are for showing/hiding information, but are not to be used as a security boundary (permissions).
  You can instead set up Active Directory Security Groups, then add those Security Groups to a SharePoint Group (or even down to individual lists/items). Add/remove members from the group (using ADUC, etc.) to allow/deny them access to the site.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.