Exchange 2010 - emails to "All Staff"
Hi
Just migrated to Exchange 2010 from 2003. We have a mail-enabled security group called "All Staff"; this has a restriction that only IT department can send emails to "All Staff". We have today noticed an email sent by a user to "All Staff" even though that user is not a member of the IT department. How is this user able to send???? Is it something to do with Exchange 2010 and the effects on security groups that are also mail enabled?
Thanks.
February 24th, 2011 11:48am
On Thu, 24 Feb 2011 16:43:15 +0000, Fizzmo wrote:
>Just migrated to Exchange 2010 from 2003. We have a mail-enabled security group called "All Staff"; this has a restriction that only IT department can send emails to "All Staff". We have today noticed an email sent by a user to "All Staff" even though that user is not a member of the IT department. How is this user able to send???? Is it something to do with Exchange 2010 and the effects on security groups that are also mail enabled?
Is the group also restricted to accepting e-mail only from
authenticated users? If it isn't, it should be. That restriction
prevents anonymous SMTP sessions from sending e-mail to the group.
---
Rich Matheisen
MCSE+I, Exchange MVP
February 24th, 2011 8:57pm
Hi,
Thanks for the suggestion. I have implemented it and now users of OWA and Outlook 2010 will be given a warning "you do not have permissions to send to this group". I have made the same change in a test lab, but notice the user is still able to send despite the warning appearing. Why does it do that?
Also the "All Staff" email is a universal, security, mail-enabled nested group that has 20 other similar groups as members. Under Exchange 2003 the restriction worked, but has obviously changed now we are on Exchange 2010. But what changed?
At this point I am considering hiding the "All Staff" group [needed at present for SharePoint access] and creating a new group "all_staff" universal, distribution group populated with 20 nested universal, distribution groups.
Please advise.
March 3rd, 2011 6:39am
On Thu, 3 Mar 2011 11:28:46 +0000, Fizzmo wrote:
>Thanks for the suggestion. I have implemented it and now users of OWA and Outlook 2010 will be given a warning "you do not have permissions to send to this group". I have made the same change in a test lab, but notice the user is still able to send despite the warning appearing. Why does it do that?
Most likely because you have some sort of problem with the way the
group is protected.
Have you restricted the group by using another group as the control
(maybe a group named "IT department"), or by adding individual users
to the "allowed senders" list?
Does this reveal anything unexpected?
Get-DistributionGroup "all staff" | fl acceptmess*,*authent*
>Also the "All Staff" email is a universal, security, mail-enabled nested group that has 20 other similar groups as members. Under Exchange 2003 the restriction worked, but has obviously changed now we are on Exchange 2010. But what changed?
>
>At this point I am considering hiding the "All Staff" group [needed at present for SharePoint access] and creating a new group "all_staff" universal, distribution group populated with 20 nested universal, distribution groups.
>
>Please advise.
---
Rich Matheisen
MCSE+I, Exchange MVP
March 3rd, 2011 8:53pm
Hi,
I have run the PowerShell command, results below. This seems correct, so "should" prevent anyone not in the 3 groups from sending to the distribution group?
[PS] C:\Windows\system32>Get-DistributionGroup "all staff" | fl acceptmess*,*authent*
AcceptMessagesOnlyFrom : {}
AcceptMessagesOnlyFromDLMembers : {
A.local/Security Groups/Service Departments/Information Technology/IT All Staff Senders,
A.local/Security Groups/Service Departments/Human Resources/HR_Human Resources Staff,
A.local/Security Groups/Board Groups/DIR Divisional Directors}
AcceptMessagesOnlyFromSendersOrMembers : {
A.local/Security Groups/Service Departments/Information Technology/IT All Staff Senders,
A.local/Security Groups/Service Departments/Human Resources/HR_Human Resources Staff,
A.local/Security Groups/Board Groups/DIR Divisional Directors}
RequireSenderAuthenticationEnabled : True
March 4th, 2011 5:26am
On Fri, 4 Mar 2011 10:17:45 +0000, Fizzmo wrote:
>I have run the PowerShell command, results below. This seems correct, so "should" prevent anyone not in the 3 groups from sending to the distribution group?
>
>[PS] C:\Windows\system32>Get-DistributionGroup "all staff" | fl acceptmess*,*authent*
>
>AcceptMessagesOnlyFrom : {}
>AcceptMessagesOnlyFromDLMembers : {
>A.local/Security Groups/Service Departments/Information Technology/IT All Staff Senders,
>A.local/Security Groups/Service Departments/Human Resources/HR_Human Resources Staff,
>A.local/Security Groups/Board Groups/DIR Divisional Directors}
>AcceptMessagesOnlyFromSendersOrMembers : {
>A.local/Security Groups/Service Departments/Information Technology/IT All Staff Senders,
>A.local/Security Groups/Service Departments/Human Resources/HR_Human Resources Staff,
>A.local/Security Groups/Board Groups/DIR Divisional Directors}
>RequireSenderAuthenticationEnabled : True
That sure looks correct.
Do all three of the groups in the list have a "universal" scope? Are
the Exchange servers all in the same AD Domain?
---
Rich Matheisen
MCSE+I, Exchange MVP
March 4th, 2011 8:33pm
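The scope check asked about in the reply above, as an added example that is not part of the original thread: it reads the allowed-senders list from the "all staff" group named in the thread and reports the type and scope of each group on it. It assumes it is run in the Exchange Management Shell and that each list entry converts to a string that Get-Group accepts as an identity.

```powershell
# Added example (not from the thread): audit the delivery restriction on the
# "all staff" group and the scope of every group allowed to send to it.
# Written for PowerShell 2.0, as shipped with Exchange 2010.
$target = Get-DistributionGroup -Identity "all staff"

# The same settings the thread inspects with: fl acceptmess*,*authent*
$target | Format-List Name, GroupType, RequireSenderAuthenticationEnabled,
    AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers

# Without this setting, anonymous SMTP sessions can send to the group.
if (-not $target.RequireSenderAuthenticationEnabled) {
    Write-Warning "'$($target.Name)' accepts mail from unauthenticated senders."
}

# No allowed senders at all means the group is not restricted.
$allowedGroups = @($target.AcceptMessagesOnlyFromDLMembers)
if ($allowedGroups.Count -eq 0 -and @($target.AcceptMessagesOnlyFrom).Count -eq 0) {
    Write-Warning "'$($target.Name)' has no allowed-senders restriction configured."
}

# Report scope for each group on the allowed-senders list.
# Assumption: "$id" (the canonical name shown in the output above) resolves
# as a Get-Group identity.
foreach ($id in $allowedGroups) {
    $g = Get-Group -Identity "$id" -ErrorAction SilentlyContinue
    if ($g -eq $null) {
        Write-Warning "Could not resolve allowed-senders entry: $id"
        continue
    }
    $isUniversal = "$($g.GroupType)" -match 'Universal'
    if (-not $isUniversal) {
        Write-Warning "'$($g.Name)' is not a universal group."
    }
    $g | Select-Object Name, GroupType, RecipientTypeDetails,
        @{ Name = 'Universal'; Expression = { $isUniversal } }
}
```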
Hi
Thanks for the reply. All Exchange servers are in the same AD domain. Will check on the group[s] scope and advise.
Fizzmo
March 7th, 2011 12:01pm