You Cannot Hide Distribution Group Membership in Exchange 2007
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Microsoft Exchange Server 2007 does not support hiding distribution group membership. This behavior differs from the functionality in Exchange Server 2003.
When you use the Active Directory Users and Computers snap-in to update a distribution group, Active Directory uses the canonical name of the object to set Access Control List (ACL) entries. However, to hide distribution group membership, Exchange requires setting non-canonical ACLs. In Exchange 2003, the Recipient Update Service (RUS) is available to stamp ACLs on hidden distribution lists. However, because Exchange 2007 does not include the RUS, Exchange 2007 cannot verify that the distribution group membership remains hidden.
Because of this limitation in Exchange 2007 and in Active Directory, we do not support hiding distribution group membership in Exchange 2007. For more information about how to work around this issue, see the "For More Information" section.
For More Information
You can work around the issue that is described in this topic by using dynamic distribution groups in Exchange.
An Exchange 2007 dynamic distribution group is functionally equivalent to an Exchange 2003 query-based distribution group. Between the two versions of Exchange, only the friendly name of the object has been changed. Therefore, when you create a dynamic distribution group in Exchange 2007, the group appears as a query-based distribution group in Exchange 2003. Also, when you create a query-based distribution group in Exchange 2003, the group appears as a dynamic distribution group in Exchange 2007.
In Exchange 2007, the transport component expands dynamic distribution groups to include any recipient who has attributes in Active Directory that match the group's filter. Because of this, you must make sure that a recipient who is not intended to be part of the group is not unintentionally included in the group membership filter. For example, if a recipient's attributes are modified, the recipient may match the filter criteria of the dynamic distribution group. In this scenario, the recipient would become a member of the group and would receive messages that are sent to the dynamic distribution group. To help prevent this situation, it is best to develop a well-defined and consistent account provisioning process.
One method to reduce the possibility that a recipient will unintentionally match the filter criteria is to stamp the appropriate user accounts with a particular characteristic for which they may be filtered. For example, you can configure the recipients account by using one of the Exchange custom attributes. Then, create a dynamic distribution group that has a filter for the particular custom attribute. When the Exchange transport component handles e-mail messages for the group, the transport component uses the filter to determine which users receive the e-mail messages.
To use the Active Directory Users and Computers snap-in to set a custom attribute in Exchange 2003
On a computer that is running Exchange 2003, start the Active Directory Users and Computers MMC snap-in.
Locate the user account that you want to modify, right-click the account, and then click Properties.
Click the Exchange Advanced tab, and then click Custom Attributes.
Click an attribute such as extensionAttribute1, and then click Edit.
In the Custom Attributes dialog box, type a value for the attribute, such as HiddenDG-1, and then click OK three times.
To use the Exchange Management Console to set a custom attribute in Exchange 2007
Start the Exchange Management Console.
Expand Recipient Configuration, and then click Mailbox.
Click a recipient, and then click Properties.
Click the General tab, and then click Custom Attributes.
In the Custom Attributes dialog box, type a value into the appropriate custom attribute box. For example, type HiddenDG-1 in the Custom attribute 1 box.
Click OK two times.
To create a dynamic distribution group filter that is based on a custom attribute in Exchange 2007
Start the Exchange Management Console.
Click Recipient Configuration, and then click New Dynamic Distribution Group in the Actions pane.
On the Introduction page, complete all the following fields:
Organizational unit By default, the Organizational unit displays the organizational unit that is set as the recipient scope. Click Browse to select the appropriate organizational unit, and then click OK.
Name In this box, type a name for the dynamic distribution group. The name cannot exceed 64 characters.
Alias In this box, type an alias for the dynamic distribution group. The alias cannot exceed 64 characters and must be unique in the forest.
On the Filter Settings page, define the recipient filter for the new dynamic distribution group:
Click Browse to select the organizational unit from which to select recipients. A dynamic distribution group contains all the recipients that are in the particular organizational unit together with any organizational units that are under the selected organizational unit.
Select the recipient types that you want to include in the dynamic distribution group. You can select All recipient types or The following specific types. If you select The following specific types, you must click to select at least one recipient type check box.
On the Conditions page, click to select the check box that corresponds to the custom attribute that you configured earlier. For example, click to select the Custom Attribute 1 equals Value check box.
In the Step 2 box, click the specified link to modify the custom attribute filter.
In the Specify Custom Attribute 1 box, type the custom attribute value that you configured earlier. For example, type HiddenDG-1. Click Add, and then click OK.
Click Next, click New, and then click Finish.
By default, dynamic distribution groups require senders to be authenticated. This behavior prevents external senders from sending messages to dynamic distribution groups. This default setting differs from earlier versions of Exchange. By default, in Exchange 2003, query-based distribution groups accept messages from all senders. To configure an Exchange 2007 dynamic distribution group to accept messages from all senders, you must modify the message delivery restriction settings for the dynamic distribution group. For more information about how to configure message delivery restrictions, see How to Configure Message Delivery Restrictions.
Be cautious about creating or modifying dynamic distribution groups within search scopes. Also, avoid creating multiple levels of distribution group membership (also known as nested groups). Creating nested groups may cause a high level of LDAP requests and slow LDAP responses.
For more information about how to create a dynamic distribution group, see How to Create a New Dynamic Distribution Group.