This is one of the posts from the PowerShellIT series, in which we take common (and sometimes not so common) use cases and try to simplify or automate them using PowerShell.
Today’s Use Case
The business needs to restrict who can send email to specific distribution lists, e.g. Board Members, All Employees, etc.
The on-premises Active Directory is the ultimate source of truth: all administration of mail-enabled objects is performed in AD and then synced to Office 365.
If you try to change any property of such an object in the cloud you get an error saying that the object is outside the write scope:
The action 'Set-DistributionGroup', 'AcceptMessagesOnlyFromSendersOrMembers', can't be performed on the object 'DistributionGroupName' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.
Disclaimer: we are not considering a long-term solution such as redesigning the Identity and Access Management infrastructure and implementing ADFS or Azure AD. We are concentrating on the short-term goal of automating and simplifying the use case outlined above.
In order to complete this task one prerequisite must be met:
- Extend the AD schema with the Exchange attributes
Note: best practice is to do this before implementing Office 365.
This adds the Exchange-related objects, classes and attributes to the AD schema.
For detailed documentation please go here.
Once this has been done, each mail-enabled group has two attributes that control who can send email to the group. Those attributes are:
- authOrig
- dlMemSubmitPerms
To allow a user to send email to the distribution group we add the distinguished name of the user to both attributes.
Distinguished name (DN)
A DN is a sequence of relative distinguished names (RDN) connected by commas. An RDN is an attribute with an associated value in the form attribute=value; normally expressed in a UTF-8 string format.
We can get it from the user object's properties. Doing this by hand involves the following:
- Get the distinguished name of the user.
- To assign or manage permissions on who can send email to the distribution group, admins need to adjust attributes on the DL object in AD. This is usually done in the ADSI Edit tool and requires knowing exactly which attributes to modify; precision is essential, because an AD object can easily be corrupted by an improper attribute value.
- If the group contains nested groups, the user must also be added to the authOrig and dlMemSubmitPerms attributes of every child group, which involves a lot of manual effort.
A simple and elegant PowerShell function that accepts a username and a distribution group name and sets both attributes on the parent group and on the nested groups looks like this:
- Get the user object and its distinguished name
- Get the distribution group object
- Get all distribution group members
- Set the attributes on the parent group
- For each member:
  - If the member is a group, set the attributes on that group recursively
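The following is an added example that implements the outline above; it is not the code of the PowerShellIT module and assumes the ActiveDirectory RSAT module, an Exchange-extended schema, and that the DL can be found by its Name attribute. It differs from the plain outline in two ways a practitioner will want: it only touches nested groups that are already restricted (writing authOrig to an open group would silently close it to everyone except the named user), and it tracks visited groups so circular nesting cannot recurse forever.

```powershell
# Added example, not the PowerShellIT module's own code. Requires the ActiveDirectory
# module and an Exchange-extended schema (authOrig / dlMemSubmitPerms must exist).
#Requires -Modules ActiveDirectory

function Set-GroupSenderAttributes {
    # Internal helper: add or remove $UserDn on one group, then descend into member groups.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$GroupDn, [string]$UserDn,
        [ValidateSet('Add','Remove')][string]$Action,
        [System.Collections.Generic.HashSet[string]]$Visited,
        [switch]$IsRoot
    )
    if (-not $Visited.Add($GroupDn)) { return }      # already handled: breaks nesting cycles
    $g = Get-ADObject -Identity $GroupDn -Properties member, authOrig, dlMemSubmitPerms
    $restricted = (@($g.authOrig).Count -gt 0) -or (@($g.dlMemSubmitPerms).Count -gt 0)

    # The target DL is always changed; a nested group only if it already has a restriction.
    if ($IsRoot -or $restricted) {
        $change = @{}
        foreach ($attr in 'authOrig', 'dlMemSubmitPerms') {
            $present = @($g.$attr) -contains $UserDn     # avoid LDAP "value exists" / "no such value" errors
            if ($Action -eq 'Add'    -and -not $present) { $change[$attr] = $UserDn }
            if ($Action -eq 'Remove' -and $present)      { $change[$attr] = $UserDn }
        }
        if ($change.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupDn, "$Action $UserDn")) {
            if ($Action -eq 'Add') { Set-ADObject -Identity $GroupDn -Add    $change }
            else                   { Set-ADObject -Identity $GroupDn -Remove $change }
        }
    }

    # Read the member attribute directly instead of Get-ADGroupMember, which stops at
    # the ADWS result-size limit on large groups.
    foreach ($memberDn in @($g.member)) {
        $m = Get-ADObject -Identity $memberDn
        if ($m.ObjectClass -eq 'group') {
            Set-GroupSenderAttributes -GroupDn $memberDn -UserDn $UserDn -Action $Action -Visited $Visited
        }
    }
}

function Set-DLSenderRestriction {
    # Grant (-Action Add) or revoke (-Action Remove) a user's right to send to a DL.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DLName,
        [Parameter(Mandatory)][string]$User,
        [ValidateSet('Add','Remove')][string]$Action = 'Add'
    )
    $userDn = (Get-ADUser -Identity $User).DistinguishedName
    $safeName = $DLName.Replace("'", "''")             # escape quotes inside the LDAP-style filter
    $group = Get-ADGroup -Filter "Name -eq '$safeName'"
    if (-not $group) { throw "Distribution group '$DLName' not found" }
    $visited = [System.Collections.Generic.HashSet[string]]::new()
    Set-GroupSenderAttributes -GroupDn $group.DistinguishedName -UserDn $userDn `
        -Action $Action -Visited $visited -IsRoot
}

function Get-DLSenderRestriction {
    # List the DNs currently allowed to send to the DL, per attribute.
    param([Parameter(Mandatory)][string]$DLName)
    $safeName = $DLName.Replace("'", "''")
    $g = Get-ADGroup -Filter "Name -eq '$safeName'" -Properties authOrig, dlMemSubmitPerms
    if (-not $g) { throw "Distribution group '$DLName' not found" }
    foreach ($attr in 'authOrig', 'dlMemSubmitPerms') {
        foreach ($dn in @($g.$attr)) {
            [pscustomobject]@{ Group = $g.Name; Attribute = $attr; Sender = $dn }
        }
    }
}

# Usage: dry run first with -WhatIf, then apply, then verify.
# Set-DLSenderRestriction -DLName 'Project management' -User andrew.svintsitsky -WhatIf
# Set-DLSenderRestriction -DLName 'Project management' -User andrew.svintsitsky
# Set-DLSenderRestriction -DLName 'Project management' -User andrew.svintsitsky -Action Remove
# Get-DLSenderRestriction -DLName 'Project management'
```

Because both functions declare SupportsShouldProcess, running the top-level call with -WhatIf propagates to the recursive helper and to Set-ADObject, so you can see every group that would be touched before writing anything. The change becomes visible in Office 365 only after the next directory synchronization cycle.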
It has been wrapped into a PowerShell module called DLSentPermission.
The module contains three pretty self-explanatory functions:
Grant a user permission to send email to the specified distribution group using AD attributes. If any group member is itself a group with a "ReceiveEmailOnlyFrom" restriction, the specified user is added to that group as well.
Add-DLSentPermission -DLName "Project management" -User andrew.svintsitsky
Remove a user's permission to send email to the specified distribution group using AD attributes. If any group member is itself a group with a "ReceiveEmailOnlyFrom" restriction, the specified user's permission is removed from that group as well.
Remove-DLSentPermission -DLName "Project management" -User andrew.svintsitsky
List who has permission to send email to the specified distribution group, as recorded in the AD attributes.
Get-DLSentPermission -DLName "Project management"
All of the source code is available in the PowerShellIT repository on GitHub.
Thanks a lot for reading.