Managing Distribution Groups with hidden membership (when hideDLMembership is true)
There are situations in messaging environments where we want to manage distribution groups through the Outlook client and want to ensure that the membership is visible to no one but the distribution group owner. In legacy versions of Exchange this was quite straightforward, but Exchange 2010 presents a little complexity that can be overcome with a workaround.
To recapitulate how it's done and what the final result looks like in legacy versions of Exchange, I am documenting the steps below. After that we'll see what changes in Exchange 2010 and how to deal with it.
It will be easier to convey and absorb the concept with an example, so let's consider the following scenario.
Exchange Server 2003
There is a team of IT experts with members – Antony Edwards, Brendon Frank, Charles Gomes, Douglas Huston and Sherlock Irwin.
Now, the requirement is that there should be a distribution group for the team, with Sherlock as the owner, and the group membership should be visible to only him.
So, the IT Admin performs the following steps.
- Creates a distribution group named Subject Matter Experts [Group type: Security, Scope: Global].
- On the Managed by tab of the group's properties page, sets Sherlock Irwin as the manager.
The above two steps are performed in the Active Directory Users and Computers console on Exchange Server 2003.
Now we create Outlook 2010 profiles in Exchange Online mode for Sherlock and Charles, just to see how the group appears to each of them.
Since the objective is to ensure that the membership is visible only to the owner, we set the hideDLMembership attribute from <Not Set> (the default) to TRUE using the ADSIEdit.msc tool.
Now both Sherlock and Charles close and relaunch their Outlook clients. The distribution group membership page appears as below in their respective profiles.
So we have achieved the desired result: the distribution group owner can see the membership information, but distribution group members can't.
On an existing message, the distribution group owner will be able to expand the distribution group and see its membership, but a member will receive the following error.
That is all from the client perspective.
From the server end as well, the membership appears blank.
Now, what if Sherlock wants to add a new member? Will he be able to do so?
The following error pops up.
Changes to the public group membership cannot be saved. You do not have sufficient permission to perform this operation on this object.
To make it work, we need to select the check box "Manager can update membership list".
As you'll notice, it's grayed out. The reason: the hideDLMembership attribute is set to TRUE.
We need to set it back to <Not Set> in ADSIEdit, then select the check box in Active Directory Users & Computers, and then set the hideDLMembership attribute to TRUE again.
Now, the distribution group owner can modify membership from Outlook 2010 client.
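The un-hide, grant, re-hide sequence above can be scripted instead of clicked through. This is an added example, not part of the original post, and it assumes an Exchange 2007 or 2010 Management Shell with the ActiveDirectory module loaded; the group name follows the post's scenario, and the owner's logon name is an assumption. The "Manager can update membership list" check box is expressed here as what it grants: write access to the group's member attribute.

```powershell
# Added example (not from the original post): script the hidden-membership workaround.
# Assumes Exchange Management Shell (2007/2010) plus the ActiveDirectory module.
Import-Module ActiveDirectory

$GroupName = 'Subject Matter Experts'   # group from the post's scenario
$OwnerSam  = 'sirwin'                   # assumed logon name for Sherlock Irwin

$group = Get-ADGroup -Identity $GroupName -Properties hideDLMembership, managedBy
$owner = Get-ADUser  -Identity $OwnerSam
$dn    = $group.DistinguishedName

# 1. Temporarily un-hide: the ADUC check box is greyed out while hideDLMembership is TRUE.
if ($group.hideDLMembership) {
    Set-ADObject -Identity $dn -Clear hideDLMembership
}

# 2. Make the owner the manager and grant what the check box grants:
#    WriteProperty on the "member" attribute of the group object.
Set-ADGroup -Identity $dn -ManagedBy $owner.DistinguishedName
Add-ADPermission -Identity $dn -User $OwnerSam `
    -AccessRights WriteProperty -Properties Member | Out-Null

# 3. Hide the membership again.
Set-ADObject -Identity $dn -Replace @{ hideDLMembership = $true }

# 4. Verify: attribute is TRUE again and the owner's allow ACE on "member" is present.
$check = Get-ADGroup -Identity $dn -Properties hideDLMembership
$ace = Get-ADPermission -Identity $dn -User $OwnerSam | Where-Object {
    (-not $_.Deny) -and
    ("$($_.AccessRights)" -match 'WriteProperty') -and
    ("$($_.Properties)"   -match '^Member$')
}
if ($check.hideDLMembership -and $ace) {
    "OK: '$GroupName' membership hidden; $OwnerSam can update it from Outlook"
} else {
    "Check failed: hidden=$($check.hideDLMembership) writeMembers=$([bool]$ace)"
}
```

Outlook needs to be restarted on the owner's machine before the change is visible, as in the manual steps.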
Exchange Server 2007
The process remains exactly the same for users with mailboxes on Exchange 2007. The only exception: the mailbox and the distribution group are created through the Exchange Management Console.
Exchange Server 2010
With Exchange Server 2010, things change a little. Two aspects need to be considered: RBAC and the Address Book Service.
Let's go by an example.
We have mailbox-enabled users Jeff Oscar, Kevin Pascal, Laura Quintero, Mike Ruth and Noel Swan on Exchange Server 2010.
We have a distribution group - Escalation Services, Noel Swan being the distribution group owner.
If the distribution group owner's mailbox is on Exchange 2010, then even the owner can't see the membership details when the hideDLMembership attribute is set to TRUE.
It looks something like below.
In addition, if the owner attempts to modify the membership of the distribution group through Outlook, the following message pops up (even though the check box "Manager can update membership list" is selected).
So, for both issues, there are a couple of different workarounds.
In Exchange 2010, with the introduction of RBAC, we have to perform some additional steps to ensure that the owner can modify the membership (even with the check box "Manager can update membership list" selected).
The steps are documented in KB 982349, "'Changes to the distribution list membership cannot be saved' error message when you try to remove members from an Exchange Server 2010 distribution list".
Solution 1: If you just want to enable the owner to modify the distribution group membership (with the membership hidden from the owner as well), then run the following commands to (i) create a new role group, (ii) add Noels as a member, and (iii) verify the membership.
[PS] C:\>New-RoleGroup DistributionGroupManagement -Roles "Distribution Groups"
[PS] C:\>Add-RoleGroupMember DistributionGroupManagement -Member Noels
[PS] C:\>Get-RoleGroupMember DistributionGroupManagement
Now the distribution group membership can be modified by the owner via the Outlook client (obviously only additions, since the owner can't see the existing membership).
Solution 2: If you want to enable the owner (a) to view the distribution group membership and (b) to modify it through the Outlook client, then hard-code the Outlook client to talk to the closest GC by following KB 319206, "How to configure Outlook to a specific global catalog server or to the closest global catalog server".
On the Edit menu, click Add Value, and then add the following registry value:
Value name: DS Server
Data type: REG_SZ (string)
Value data: FQDN of the global catalog server
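The same registry value can be set and removed from PowerShell on the client, which is handy since (as described below) it changes what the owner can do from Outlook and may need to be rolled back. This is an added example, not part of the original post; the key path is the one KB 319206 documents, the ActiveDirectory module is assumed to be available on the client for GC discovery, and the GC name is discovered rather than hard-coded.

```powershell
# Added example (not from the original post): set or clear the "DS Server" value
# from KB 319206 under the current user's Outlook (Exchange Provider) key.
Import-Module ActiveDirectory   # assumed present on the client; used only for discovery

$KeyPath = 'HKCU:\Software\Microsoft\Exchange\Exchange Provider'

function Set-OutlookDsServer {
    param([string]$GcFqdn)
    if (-not $GcFqdn) {
        # Pick a GC in this site (or the next closest) instead of typing an FQDN.
        $gc = Get-ADDomainController -Discover -Service GlobalCatalog -NextClosestSite
        $GcFqdn = [string]$gc.HostName
    }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name 'DS Server' -PropertyType String `
        -Value $GcFqdn -Force | Out-Null
    "DS Server = $GcFqdn (restart Outlook to apply)"
}

function Remove-OutlookDsServer {
    # Roll back to the Address Book Service behaviour.
    Remove-ItemProperty -Path $KeyPath -Name 'DS Server' -ErrorAction SilentlyContinue
    "DS Server removed (restart Outlook to apply)"
}

Set-OutlookDsServer
Get-ItemProperty -Path $KeyPath -Name 'DS Server'
```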
And, one more interesting aspect that I would like to mention.
If the following conditions are true:
- The check box for "Manager can update membership list" in Active Directory Users and Computers is not selected on the Distribution Group property.
- Distribution Group owner has been provided appropriate RoleGroupMembership [ RBAC "Distribution Groups"].
[These are the most likely conditions when the distribution group and its owner are created via the Exchange Management Console in an Exchange Server 2010 environment.]
Then the result, as observed by the distribution group owner via the Outlook client, will be as follows.
Without the "DS Server" registry value:
a. The owner will not be able to see the membership in the Outlook client.
b. But will be able to add members to the distribution group via the Outlook client.
With the "DS Server" registry value:
a. The owner will be able to see the membership in the Outlook client.
b. But will not be able to remove or add members to the distribution group via the Outlook client.
So, the solution: ensure that the check box "Manager can update membership list" is selected if you want the distribution group owner to both see and modify the membership.
I hope this helps.