PowerShellIT #1 – Distribution Groups Restrictions

This is one of the posts from the PowerShellIT series, in which we take common (and sometimes not so common) use cases and try to simplify or automate them using PowerShell.

Today’s Use Case

The business needs to restrict who can send email to specific distribution lists, e.g. Board Members, All Employees, etc.

Infrastructure overview

The local Active Directory is the authoritative source of truth: all administration of mail-enabled objects is performed in AD and then synced to Office 365.
When you try to change any property of such an object in the cloud you receive an error saying that the object is out of write scope:

The action 'Set-DistributionGroup', 'AcceptMessagesOnlyFromSenderOrMembers' cant be performed on the object 'DistributionGroupName' because the object is being synchronized from your on premises organization. This action should be performed on the object in your on-premises organization.

Disclaimer: we are not considering a long-term solution such as redesigning the Identity and Access Management infrastructure and implementing ADFS or Azure AD. We are concentrating on the short-term goal of automating/simplifying the outlined use case.

Context

In order to complete this task one prerequisite must be met:

  • Extend AD schema with Exchange attributes

Note: Best practice is to do it prior to implementing Office365.

This adds the Exchange-related object classes and attributes to the AD schema.
For detailed documentation please go here.

Once this has been done, each mail-enabled group has two attributes that control who can send email to the group. Those attributes are:

  • authOrig
  • dlMemSubmitPerms

To allow a user to send email to the distribution group, we need to add the distinguished name of the user to both attributes.

Distinguished name (DN)

A DN is a sequence of relative distinguished names (RDNs) separated by commas. An RDN is an attribute with an associated value in the form attribute=value, normally expressed as a UTF-8 string.

For example:

 CN=John Smith,OU=Managers,OU=Marketing,DC=Company,DC=Local

We can get this from the user object properties.

Challenges

  • Get the distinguished name of the user.
  • To assign or manage who can send email to a distribution group, admins need to adjust attributes on the DL object in AD. This is usually done in the ADSI Edit tool and requires knowing exactly which attributes to modify and entering the values precisely; an AD object can easily be corrupted by an improper attribute value.
  • If the group contains nested groups, the user must be added to the authOrig and dlMemSubmitPerms attributes of every child group as well, which involves a lot of manual effort.

Proposed solution

A simple and elegant PowerShell function that accepts a username and a distribution group name and sets both attributes on the parent group and on its nested groups.

Pseudo code

Get the user object and its distinguished name
Get the distribution group object
Get all distribution group members
Set attributes on the parent group
For each member:
    If the member is a group:
        Set attributes on that group recursively

It has been wrapped into a PowerShell module called DLSentPermission.

The module contains three fairly self-explanatory functions:

  • Add-DLSentPermission
  • Remove-DLSentPermission
  • Get-DLSentPermission

Add-DLSentPermission

Grants the user permission to send email to the specified distribution group using the AD attributes. If any member of the group is itself a group with a "ReceiveEmailOnlyFrom" restriction, the specified user is added to that group as well.

EXAMPLE
Add-DLSentPermission -DLName "Project management" -User andrew.svintsitsky

Remove-DLSentPermission

Removes the user's permission to send email to the specified distribution group using the AD attributes. If any member of the group is itself a group with a "ReceiveEmailOnlyFrom" restriction, the specified user's permission is removed from that group as well.

EXAMPLE
Remove-DLSentPermission -DLName "Project management" -User andrew.svintsitsky

Get-DLSentPermission

Gets the permissions to send email to the specified distribution group, as recorded in the AD attributes.

EXAMPLE
Get-DLSentPermission -DLName "Project management"

All of the source code is available in the PowerShellIT repository on GitHub.

Thanks a lot for reading.
