Active Directory and Exchange offer a great tool for managing communication to distribution lists: message delivery restrictions. The concept is pretty easy to understand: if you have an Exchange distribution list that you want only certain people to be able to email, you include them in the message delivery restriction. Conversely, if you want certain people to not be able to email that distribution group, you exclude them.
There is rarely a case where you want this to apply to specific users; it is much more common to apply the restriction to groups. The most obvious example is the “everyone” list: it is generally a good idea to keep that list email-able only by a certain set of users, such as “marketing communications”. So you simply create an Active Directory group with the MarCom users as members of that group. Simple.
But this is one of those deep-in-the-infrastructure things that you really don’t want to spend a lot of time managing. If a new employee is hired in MarCom, do you really want to have to remember to add them to the group? Can you expect somebody in MarCom to remember *before* it becomes an urgent issue and they need this solved five minutes ago? No and no.
So you have to make that security group dynamic. Of course, there is no such thing as a “native” query-based security group (and based on Exchange’s method of handling QBDGs, you should count yourself lucky). Imanami offers GroupID Automate, which will allow you to dynamically manage the membership of that Active Directory group (security or distribution). You can even have includes and excludes, so that you can statically add or remove users (or groups) from having the delivery restriction apply to them. Heck, that include/exclude group can even be dynamic (maybe MarCom employees on probation shouldn’t be able to email the everyone list).
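To show what is being automated here, the following is an added example in native PowerShell, not GroupID's code or anything from the original post: it reconciles the allowed-senders group against a department attribute, subtracts an exclude group, and then applies the delivery restriction. The group names, the department value, and the assumption that the allowed-senders group is mail-enabled are all hypothetical; it needs the ActiveDirectory module and an Exchange Management Shell session.

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module ActiveDirectory

$List       = 'Everyone'                  # restricted distribution list
$AllowGroup = 'MarCom-Senders'            # mail-enabled group allowed to send
$Exclude    = 'MarCom-Probation'          # members here must NOT be allowed to send
$Department = 'Marketing Communications'  # assumed value of the AD department attribute

# Helper: DNs of a group's direct members (empty array for an empty group).
function Get-MemberDn([string]$Group) {
    @(Get-ADGroupMember -Identity $Group |
        Select-Object -ExpandProperty distinguishedName)
}

# 1. Desired membership: enabled users in the department, minus the exclude group.
$excluded = Get-MemberDn $Exclude
$wanted   = @(Get-ADUser -Filter "Department -eq '$Department' -and Enabled -eq `$true" |
                Select-Object -ExpandProperty DistinguishedName |
                Where-Object { $excluded -notcontains $_ })

# 2. Reconcile: add who is missing, remove who no longer qualifies.
#    This also removes anyone added by hand, so static includes would
#    need their own group merged into $wanted.
$current  = Get-MemberDn $AllowGroup
$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $AllowGroup -Members $toAdd
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $AllowGroup -Members $toRemove -Confirm:$false
}

# 3. Restrict the list to members of the allow group.
#    Passing a plain value overwrites any groups already set on this property.
Set-DistributionGroup -Identity $List -AcceptMessagesOnlyFromDLMembers $AllowGroup

# 4. Read the setting back, and log the change set for audit.
Get-DistributionGroup -Identity $List |
    Format-List Name, AcceptMessagesOnlyFromDLMembers
"{0} added, {1} removed from {2}" -f $toAdd.Count, $toRemove.Count, $AllowGroup
```

Run on a schedule, steps 1 and 2 keep the group current; steps 3 and 4 only need to run once but are safe to repeat.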
This is just one of the little things that you have to think about when managing Active Directory and Exchange. The more you automate, the fewer calls you get!
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.