Why hiding distribution memberships in Exchange 2007 is no longer supported.
In exchange 2007 there is no more RUS (Recipient Update Service). Because the RUS is not around to stamp acls on hidden distribution lists, we can no longer ensure the distribution list will still be hidden. When ADUC changes or updates a distribution list it will set canonical acls, and to hide the membership we need to set non-canonical acls.
Due to these limitations with Exchange 2007 and the Active Directory we no longer support hiding Distribution List Memberships. There is a new workaround that can be used which is explained later on in this blog.
With regards to the names of the groups, a QBDG (Query Based Distribution Group) is exactly the same as DDG (Dynamic Distribution Group). DDG does not “replace” QBDG. If you create a DDG in E2k7, it will show as QBDG in E2k3. If you create a QBDG in E2k3, it will show as DDG in E2k7. We just renamed the friendly name of the existing object :)
Truth be known hiding (static) Distribution Group membership never really worked to begin with due to limitations of Active Directory. If you were part of a distribution list that was hidden it was very easy for someone to pull up your account in the global address list via outlook and see what groups you are in!! As a part of a security audit by the product group, it was decided to remove this insecure feature from the product in favor of using the QBDG/DDG feature, which serves as reasonable (if awkward) mitigation”.
With Exchange 2007 dynamic distribution groups are expanded by the transport service to include any recipient(s) in the Active Directory service with attributes that match its filter.Note that a side effect of this dynamic membership means that a recipient that is not expected to be part of a dynamic distribution group could inadvertently become a member and start receiving messages sent to the dynamic distribution group if the recipient's properties are modified to match the filter. This could result in a recipient receiving messages that the recipient is not supposed to receive. Well-defined, consistent account provisioning processes will reduce the chances of this happening.
New Workaround!!
The work around in Exchange 2007 is now to create a DDG. Let me elaborate on this. To get this to work you need to do the following:
- Stamp your users with a custom attribute or some other distinguishing, filterable characteristic. You can use custom attributes 1 - 15 for this.
- Create a Dynamic Distribution Group which has a filter for the custom attribute (or characteristic/property) that you stamped on your user(s).
- Send an email to your Dynamic Distribution Group.
- If you want to truly hide this membership in the DDG, you also need to ACL the property that you're using to define the DDG filter. (Example: if you use CustomAttribute1 = "Org 1" as the filter criteria, you need to make sure you ACL down the CustomAttribute1 property in Active Directory Schema so that it's not readable by anyone but admins and the Exchange Servers (so transport can still do DDG expansions).
By default, all new dynamic distribution groups require that all senders be authenticated. This prevents external senders from sending messages to dynamic distribution groups. This default setting is different from previous versions of Exchange where, by default, new query-based distribution groups accepted messages from all senders.
To configure a dynamic distribution group to accept messages from all senders in Exchange 2007, you must modify the message delivery restriction settings for that dynamic distribution group. For more information about configuring message delivery restrictions, see How to Configure Message Delivery Restrictions.
For more information on how to create Dynamic Distribution Lists please refer to: https://technet.microsoft.com/en-us/library/aa996561.aspx
Thanks to Evan Dodds for his review!!
Dave