Chapter 8. Working with distribution groups and address lists

Distribution groups and address lists are extremely important in Microsoft Exchange Server and Exchange Online administration. Careful planning of your organization’s groups and address lists can save you countless hours in the long run. Unfortunately, most administrators don’t have a solid understanding of these subjects, and the few who do spend most of their time on other duties. To save yourself time and frustration, study the concepts discussed in this chapter and then use the step-by-step procedures to implement the groups and lists for your organization.

Using security and distribution groups

You use groups to grant permissions to similar types of users, to simplify account administration, and to make it easier to contact multiple users. For example, you can send a message addressed to a group, and the message will go to all the users in that group. Thus, instead of having to enter 20 different email addresses in the message header, you enter one email address for all of the group members.

Group types, scope, and identifiers

Windows defines several different types of groups, and each of these groups can have a unique scope. In Active Directory domains, you use three group types:

  • Security. You use security groups to control access to network resources. You can also use user-defined security groups to distribute email.

  • Standard distribution. Standard distribution groups have fixed membership, and you use them only as email distribution lists. You can’t use these groups to control access to network resources.

  • Dynamic distribution. Membership for dynamic distribution groups is determined based on a Lightweight Directory Access Protocol (LDAP) query; you use these groups only as email distribution lists. The LDAP query is used to build the list of members whenever messages are sent to the group.

Note

Dynamic distribution groups created for Exchange Server 2007 and Exchange Server 2010 are compatible with Exchange Server 2013. However, dynamic distribution groups created for Exchange Server 2003 are not compatible with Exchange Server 2013 and aren’t displayed in Exchange Admin Center. You can resolve this by forcing an upgrade. See “Modifying dynamic distribution groups using cmdlets” later in this chapter for details.

Security groups can have different scopes—domain local, global, and universal—so that they are valid in different areas of your Active Directory forest. With Exchange Server 2003, you could also create distribution groups with different scopes. To simplify group management, Exchange Server 2007 and later support only groups with universal scope. You can mail-enable security groups with universal scope, and you can create new distribution groups with universal scope.

Real World

If your organization has existing mail-enabled security groups or distribution groups with global scope, you will not be able to use those groups with Exchange Server 2007 and later editions of Exchange. You will either need to create a new architecture for your groups or convert those groups to universal groups. Using Active Directory Users And Computers, domain administrators can easily convert global groups to universal groups. They simply need to double-tap or double-click the group entry, select Universal under Group Scope, and then tap or click OK. However, some conversion restrictions apply. For example, you can convert a global group only if it isn’t a member of another global group. In addition, pre-planning is recommended to determine the impact on Active Directory. You also can use Set-Group to convert groups.

In Exchange Admin Center, you select Recipients in the feature pane and then select Groups to work with groups (see Figure 8-1). Only mail-enabled groups with universal scope are displayed.

Figure 8-1. Viewing the configured groups in Exchange Admin Center.

Groups with universal scope can do the following:

  • Contain users and groups from any domain in the forest

  • Be put into other groups and assigned permissions in any domain in the forest

When you work with dynamic distribution groups, keep in mind that the membership can include only members of the local domain, or it can include users and groups from other domains, domain trees, or forests. Scope is determined by the default apply-filter container you associate with the group when you create it. More specifically, the default apply-filter container defines the root of the search hierarchy, and the LDAP query filters to recipients in and below the specified container. For example, if the apply-filter container you associate with the group is pocket-consultant.com, the query filter is applied to all recipients in this domain. If the apply-filter container you associate with the group is the Engineering organizational unit, the query filter is applied to all recipients in or below this container.

As with user accounts, Windows uses unique security identifiers (SIDs) to track groups. This means that you can’t delete a group, re-create it with the same name, and then expect all the permissions and privileges to remain the same. The new group will have a new SID, and all the permissions and privileges of the old group will be lost.

When to use security and standard distribution groups

Exchange Server 2007 and later changed the earlier rules about how you can use groups. Previously, you could use groups with different scopes, but now you can use only groups with universal scope. As a result, you might need to rethink how and when you use groups.

You must change the scope of any global group to universal before you can mail-enable it. Rather than duplicating your existing security group structure with distribution groups that have the same purpose, you might want to selectively mail-enable your universal security groups, which converts them to distribution groups. For example, if you have a universal security group called Marketing, you don’t need to create a MarketingDistList distribution group. Instead, you could enable Exchange mail on the original universal security group, which would then become a distribution group.

You might also want to mail-enable universal security groups that you previously defined. Then, if existing distribution groups serve the same purpose, you can delete the distribution groups.

To reduce the time administrators spend managing groups, Exchange defines several additional control settings, including:

  • Group ownership. Mail-enabled security groups, standard distribution groups, and dynamic distribution groups can have one or more owners. A group’s owners are the users assigned as its managers, and they can control membership in the group. A group’s managers are listed when users view the properties of the group in Microsoft Office Outlook. Additionally, managers can receive delivery reports for groups if you select the Send Delivery Reports To Group Manager option when configuring group settings.

  • Membership approval. Mail-enabled security groups and standard distribution groups can have open or closed membership. There are separate settings for joining and leaving a group. For joining, the group can be open to allow users to join without requiring permission, be closed to allow only group owners and administrators to add members, or require owner approval to allow users to request membership in a group. Membership requests must be approved by a group owner. For leaving, a group can either be open to allow users to leave a group without requiring owner approval or closed to allow only group owners and administrators to remove members.

Your management tool of choice will determine your options for configuring group ownership and membership approval. When you create groups in Exchange Admin Center, you can specify ownership, membership, and approval settings when you create the group and can edit these settings at any time by editing the group’s properties. When you create groups in Exchange Management Shell, you can configure additional advanced options that you’d otherwise have to manage after creating the group in Exchange Admin Center.

When to use dynamic distribution groups

It’s a fact of life that over time users will move to different departments, leave the company, or accept different responsibilities. With standard distribution groups, you’ll spend a lot of time managing group membership when these types of changes occur—and that’s where dynamic distribution groups come into the picture. With dynamic distribution groups, there isn’t a fixed group membership and you don’t have to add or remove users from groups. Instead, group membership is determined by the results of an LDAP query sent to your organization’s Global Catalog.

Dynamic distribution groups can be used with or without a dedicated expansion server. You’ll get the most benefit from dynamic distribution without a dedicated expansion server when the member list returned in the results is relatively small (fewer than 25 members). In the case of potentially hundreds or thousands of members, however, dynamic distribution is inefficient and could require a great deal of processing to complete. Exchange 2013 shifts the processing requirements from the Global Catalog server to a dedicated expansion server (a server whose only task is to expand the LDAP queries). By default, Exchange 2013 uses the closest Exchange server that has the Mailbox server role installed as the dedicated expansion server. For more information on expansion servers, see “Designating an expansion server” later in this chapter.

One other thing to note about dynamic distribution is that you can associate only one specific query with each distribution group. For example, you could create separate groups for each department in the organization. You could have groups called QD-Accounting, QD-BizDev, QD-Engineering, QD-Marketing, QD-Operations, QD-Sales, and QD-Support. You could, in turn, create a standard distribution group or a dynamic distribution group called AllEmployees that contains these groups as members—thereby establishing a distribution group hierarchy.

When using multiple parameters with dynamic distribution, keep in mind that multiple parameters typically work as logical AND operations. For example, if you create a query with a parameter that matches all employees in the state of Washington with all employees in the Marketing department, the query results do not contain a list of all employees in Washington or all Marketing employees. Rather, the results contain a list of recipients who are in Washington and are members of the Marketing group. In this case, you get the expected results by creating a dynamic distribution group for all Washington State employees, another dynamic distribution group for all Marketing employees, and a final group that has as members the other two distribution groups.

Working with security and standard distribution groups

As you set out to work with groups, you’ll find that some tasks are specific to each type of group and some tasks can be performed with any type of group. Because of this, I’ve divided the group management discussion into three sections. In this section, you’ll learn about the typical tasks you perform with security and standard distribution groups. The next section discusses tasks you’ll perform only with dynamic distribution groups. The third section discusses general management tasks.

You can use Exchange Admin Center or Exchange Management Shell to work with groups.

Group naming policy

Whether you work at a small company with 50 employees or a large enterprise with 5,000 employees, you should consider establishing a group naming policy that ensures a consistent naming strategy is used for group names. For administrators, your naming policy should be implemented through written policies within your IT department and could be applied to both security groups and distribution groups.

Exchange 2013 and Exchange Online also allow you to establish an official naming policy for standard distribution groups. Group naming policy is:

  • Applied to non-administrators whenever they create or rename distribution groups.

  • Applied to administrators only when they create or rename distribution groups using the shell (and omit the -IgnoreNamingPolicy parameter).

Important

Group naming policy doesn’t apply to security groups or dynamic distribution groups. Each Exchange organization can have one and only one naming policy. Any naming policy you define is applied throughout the Exchange organization.

Understanding group naming policy

You use group naming policy to format group names according to a defined standard. The rules for naming policy allow for one or more prefixes, a group name, and one or more suffixes, giving an expanded syntax of:

<Prefix1><Prefix2>…<PrefixN><GroupName><Suffix1><Suffix2>…<SuffixN>

You can use any Exchange attribute as the prefix or suffix. You also can use a text string as a prefix or suffix. The prefix, group name, and suffix are combined without spacing. To improve readability, you can separate the prefix, name, and suffix with a placeholder character, such as a space ( ), a period (.) or a dash (-).

Group naming policy works like this:

  • A user creates a standard distribution group and specifies a display name for the group. After creating the group, Exchange applies the group naming policy by adding any prefixes or suffixes defined in the group naming policy to the display name.

  • The display name is displayed in the distribution groups list in Exchange Admin Center, the shared address book, and the To:, Cc:, and From: fields in email messages.

You can create a naming policy with only a prefix and a group name or with only a suffix and a group name. Common attributes that you might want to use as prefixes or suffixes include city, country code, department, office, and state. For example, you might want all distribution groups to have the following syntax:

State_GroupName

To do this, you would create a naming policy with two prefixes. As shown in Figure 8-2, the first prefix would be the <State> attribute. The second prefix would be the text value _ (an underscore). Thus, if a user in the state of New York (NY) creates a standard distribution group called Sales, Exchange adds the defined prefixes according to the naming policy and the display name becomes NY_Sales.

Figure 8-2. Creating a naming policy with two prefixes.

Group naming policy also allows you to specify blocked words. Users who try to use a word that you’ve blocked see an error message when they try to create the new group and are asked to remove the blocked word and create the group again.

Defining group naming policy for your organization

Group naming policy formats display names so that they follow a defined standard. When setting the naming format, keep in mind that users enter the desired display name when they create the group and Exchange transforms the format according to the defined policy. Because the display name is limited to 64 characters, you must consider this limit when defining the prefixes and suffixes in your naming policy.

You can create the group naming policy for the Exchange organization by completing the following steps:

  1. In Exchange Admin Center, select Recipients in the feature pane and then select Groups.

  2. Tap or click the More button (this button shows three dots) and then select Configure Group Naming Policy. This displays the Group Naming Policy dialog box.

  3. If you want the naming policy to have a prefix, do one of the following and then optionally tap or click Add to add additional prefixes using the same technique:

    • Use the selection list to choose Attribute as the prefix. In the Select The Attribute dialog box, select the attribute to use and then tap or click OK.

    • Use the selection list to choose Text as the prefix. In the Enter Text dialog box, select the text string to use and then tap or click OK.

  4. If you want the naming policy to have a suffix, do one of the following and then optionally tap or click Add to add additional suffixes using the same technique:

    • Use the selection list to choose Attribute as the suffix. In the Select The Attribute dialog box, select the attribute to use and then tap or click OK.

    • Use the selection list to choose Text as the suffix. In the Enter Text dialog box, select the text string to use and then tap or click OK.

  5. As you define the naming policy, the Preview Of Policy area shows the naming format. When you are satisfied with the naming format, tap or click Save.

Defining blocked words in group naming policy

Blocked words allow you to specify words that users can’t use in the names of standard distribution groups they create. You can define or manage the blocked words list by completing the following steps:

  1. In Exchange Admin Center, select Recipients in the feature pane and then select Groups.

  2. Tap or click the More button (this button shows three dots) and then select Configure Group Naming Policy. This displays the Group Naming Policy dialog box.

  3. On the Blocked Words page, any currently blocked words are displayed. Use the following techniques to manage the blocked word list:

    • To add a blocked word, type the word in the text box provided and then tap or click Add. Alternatively, type the word to block in the text box provided and then press Enter.

    • To modify a blocked word, select the word in the blocked word list and then tap or click Edit. Modify the word and then tap or click outside the text box provided for editing. Alternatively, press Enter to apply the edits.

    • To remove a blocked word, tap or click the word to remove and then tap or click Remove.

  4. Tap or click Save.
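
The following added example (not code from the book) previews what a naming policy and blocked words list would do to a requested display name before you save them, covering both "Understanding group naming policy" and the two procedures above. Resolve-GroupDisplayName is a hypothetical local helper, the sample attributes and blocked words are constructed, and whole-word, case-insensitive matching of blocked words is an assumption of the model.

```powershell
# Added example. Resolve-GroupDisplayName is a hypothetical local helper, not an
# Exchange cmdlet; it models the naming rules described in this section offline.
function Resolve-GroupDisplayName {
    [CmdletBinding()]
    param(
        # Policy in <Prefix...><GroupName><Suffix...> form, e.g. '<State>_<GroupName>'.
        [Parameter(Mandatory = $true)] [string] $Policy,
        # Display name the user typed when creating the group.
        [Parameter(Mandatory = $true)] [string] $RequestedName,
        # Attribute values of the user who creates the group.
        [hashtable] $CreatorAttributes = @{},
        [string[]]  $BlockedWords = @(),
        # Display names are limited to 64 characters.
        [int]       $MaxLength = 64
    )

    if ($Policy -notmatch '<GroupName>') {
        throw "The policy must contain the <GroupName> placeholder."
    }

    # Blocked words are checked against the name the user entered.
    # Assumption: whole-word, case-insensitive match.
    foreach ($word in $BlockedWords) {
        if ($RequestedName -match "\b$([regex]::Escape($word))\b") {
            throw "'$RequestedName' contains the blocked word '$word'."
        }
    }

    # Walk the policy left to right: literal text is copied, <GroupName> becomes
    # the requested name, and any other <Token> is read from the creator's attributes.
    $builder  = New-Object System.Text.StringBuilder
    $position = 0
    foreach ($match in [regex]::Matches($Policy, '<([^<>]+)>')) {
        [void]$builder.Append($Policy.Substring($position, $match.Index - $position))
        $token = $match.Groups[1].Value
        if ($token -eq 'GroupName') {
            [void]$builder.Append($RequestedName)
        }
        elseif ($CreatorAttributes.ContainsKey($token)) {
            [void]$builder.Append([string]$CreatorAttributes[$token])
        }
        else {
            throw "The creator has no value for the attribute <$token>."
        }
        $position = $match.Index + $match.Length
    }
    [void]$builder.Append($Policy.Substring($position))
    $displayName = $builder.ToString()

    # Prefixes and suffixes count toward the display name limit.
    if ($displayName.Length -gt $MaxLength) {
        throw "'$displayName' is $($displayName.Length) characters; the limit is $MaxLength."
    }
    $displayName
}

# Constructed sample input: a creator in New York and two blocked words.
$creator = @{ State = 'NY' }
$blocked = 'Payroll', 'Executive'

# The State_GroupName policy from the text applied to a group called Sales.
Resolve-GroupDisplayName -Policy '<State>_<GroupName>' -RequestedName 'Sales' `
    -CreatorAttributes $creator -BlockedWords $blocked

# A name that uses a blocked word is rejected before any prefix is added.
try {
    Resolve-GroupDisplayName -Policy '<State>_<GroupName>' -RequestedName 'Payroll Team' `
        -CreatorAttributes $creator -BlockedWords $blocked
}
catch { Write-Warning $_.Exception.Message }

# To apply the policy organization-wide from Exchange Management Shell
# (the shell names the State attribute <StateOrProvince>):
#   Set-OrganizationConfig -DistributionGroupNamingPolicy '<StateOrProvince>_<GroupName>'
#   Set-OrganizationConfig -DistributionGroupNameBlockedWordsList $blocked
```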

Creating security and standard distribution groups

Security groups and distribution groups are available whether you are working with online or on-premises Exchange organizations. You use groups to manage permissions and to distribute email. As you set out to create groups, remember that you create groups for similar types of users. Consequently, you might want to create the following types of groups:

  • Groups for departments within the organization. Generally, users who work in the same department need access to similar resources and should be a part of the same email distribution lists.

  • Groups for roles within the organization. You can also organize groups according to the users’ roles within the organization. For example, you could use a group called Executives to send email to all the members of the executive team and a group called Managers to send email to all managers and executives in the organization.

  • Groups for users of specific projects. Often, users working on a major project need a way to send email to all the members of the team. To address this need, you can create a group specifically for the project.

You can create groups in several ways. You can create a new distribution group, you can create a mail-enabled universal security group, or you can mail-enable an existing universal security group.

Creating a new group

You can create a new distribution group or a new mail-enabled security group by completing the following steps:

  1. In Exchange Admin Center, select Recipients in the feature pane and then select Groups.

  2. Tap or click New and then do one of the following:

    • Select Distribution Group to create a new Distribution Group. This opens the New Distribution Group dialog box. Figure 8-3 shows on-premises Exchange options on the left and Exchange Online options on the right.

      Figure 8-3. Configuring the group’s settings.

    • Select Security Group to create a new mail-enabled Security Group. This opens the New Security Group dialog box, and the options are the same as those for new distribution groups.

  3. In the Display Name text box, type a display name for the group. Group names aren’t case-sensitive and can be up to 64 characters long. Keep in mind that group naming policy doesn’t apply to administrators creating distribution groups in Exchange Admin Center (or to mail-enabled security groups in any way).

  4. Like users, groups have Exchange aliases. Enter an alias. The Exchange alias is used to set the group’s SMTP email address. Exchange Server uses the SMTP address for receiving messages.

  5. For Exchange Online, the name and domain components of the default email address are displayed in the Email Address text boxes. As appropriate, change the default name and use the drop-down list to select the domain with which you want to associate the group. This sets the fully qualified email address, such as .

  6. With on-premises Exchange, the group account is created in the default user container, which typically is the Users container. To create the group in a specific organizational unit instead, tap or click Browse to the right of the Organizational Unit text box. In the Select Organizational Unit dialog box, choose the location where you want to store the account and then tap or click OK.

  7. Group owners are responsible for managing a group. To add owners, under Owners, tap or click Add. In the Select Owner dialog box, select users, groups, or both that should have management responsibility for the group. Select multiple users and groups using the Shift or Ctrl key.

    Important

    While dynamic distribution groups don’t have to have owners, every mail-enabled security group and standard distribution group must have at least one owner. By default, the account you are using is set as the group owner.

  8. Members of a group receive messages sent to the group. By default, the group owners are set as members of the group. If you don’t want the currently listed owners to be members of the group, clear the Add Group Owners As Members checkbox.

  9. To add members, under Members, tap or click Add. In the Select Members dialog box, select users, groups, or both that should be members of the group. Select multiple users and groups using the Shift or Ctrl key.

  10. Choose settings for joining the group. The options are:

    • Open. Anyone can join this group without being approved by the group owners.

    • Closed. Members can be added only by the group owners. All requests to join will be rejected automatically.

    • Owner Approval. All requests are approved or rejected by the group owners.

  11. Choose settings for leaving the group. The options are:

    • Open. Anyone can leave this group without being approved by the group owners.

    • Closed. Members can be removed only by the group owners. All requests to leave will be rejected automatically.

  12. Tap or click Save to create the group. If an error occurs during group creation, the related group will not be created. You need to correct the problem before you can complete this procedure.

  13. After creating a group, you might want to do the following:

    • Set message size restrictions for messages mailed to the group.

    • Limit users who can send to the group.

    • Change or remove default email addresses.

    • Add more email addresses.

Note

By default, the new distribution group is open for joining and open for leaving.

In Exchange Management Shell, you can create a new distribution group using the New-DistributionGroup cmdlet. New-DistributionGroup cmdlet syntax and usage provides the syntax and usage. You can set the -Type parameter to Distribution for a distribution group or to Security for a mail-enabled security group.

Mail-enabling universal security groups

You can’t use Exchange Admin Center to mail-enable a security group. In Exchange Management Shell, you can mail-enable a universal security group using the Enable-DistributionGroup cmdlet. Enable-DistributionGroup cmdlet syntax and usage provides the syntax and usage.

Note

Group naming policy applies only to distribution groups.

You can manage mail-enabled security groups in several ways. You can add or remove group members as discussed in the “Assigning and removing membership for individual users, groups, and contacts” section of this chapter. If a group should no longer be mail-enabled, you can use Disable-DistributionGroup to remove the Exchange settings from the group. If you no longer need a mail-enabled security group and it is not a built-in group, you can permanently remove it from Active Directory by selecting it in Exchange Admin Center and tapping or clicking Delete. Alternatively, you can delete a group using Remove-DistributionGroup.

Using Exchange Management Shell, you can disable a group’s Exchange features using the Disable-DistributionGroup cmdlet, as shown in Disable-DistributionGroup cmdlet syntax and usage.

Assigning and removing membership for individual users, groups, and contacts

All users, groups, and contacts can be members of other groups. To configure a group’s membership, follow these steps:

  1. In Exchange Admin Center, double-tap or double-click the group entry. This opens the group’s Properties dialog box.

  2. On the Membership page, you’ll see a list of current members. Tap or click Add to add recipients to the group. In the Select Members dialog box, select users, groups, or both that should be members of the group. Select multiple users and groups using the Shift or Ctrl key.

  3. You can remove members on the Membership page as well. To remove a member from a group, select a recipient, and then tap or click Remove. When you’re finished, tap or click Save.

In Exchange Management Shell, you can view group members using the Get-DistributionGroupMember cmdlet. Get-DistributionGroupMember cmdlet syntax and usage provides the syntax and usage.

You add members to a group using the Add-DistributionGroupMember cmdlet. Add-DistributionGroupMember cmdlet syntax and usage provides the syntax and usage.

You remove members from a group using the Remove-DistributionGroupMember cmdlet. Remove-DistributionGroupMember cmdlet syntax and usage provides the syntax and usage.

Adding and removing managers

Group owners are responsible for managing a group. Every group must have at least one owner. To configure a group’s managers, follow these steps:

  1. In Exchange Admin Center, double-tap or double-click the group entry. This opens the group’s Properties dialog box.

  2. On the Ownership page, you’ll see a list of current owners. Tap or click Add to add recipients to the group. In the Select Owners dialog box, select users, groups, or both that should be owners of the group. Select multiple users and groups using the Shift or Ctrl key.

  3. You can remove owners on the Ownership page as well. To remove an owner from a group, select a recipient, and then tap or click Remove. When you’re finished, tap or click Save.

In Exchange Management Shell, you can add or remove group managers using the -ManagedBy parameter of the Set-DistributionGroup cmdlet. To set this parameter, you must specify the full list of managers for the group by doing the following:

  • Add managers by including existing managers and specifying the additional managers when you set the parameter.

  • Remove managers by specifying only those who should be managers and excluding those who should not be managers.

If you don’t know the current managers of a group, you can list the managers using Get-DistributionGroup. You’ll need to format the output and examine the value of the -ManagedBy property.

Adding and removing group managers provides syntax and usage examples for adding and removing group managers.

Configuring member restrictions and moderation

Membership in distribution groups can be restricted in several ways. Groups can be open or closed for joining or require group owner approval for joining. Groups can be open or closed for leaving. Groups also can be moderated. With moderated groups, messages are sent to designated moderators for approval before being distributed to members of the group. The only exception is for a message sent by a designated moderator. A message from a moderator is delivered immediately because a moderator has the authority to determine what is and isn’t an appropriate message.

To configure member restrictions and moderation, follow these steps:

  1. In Exchange Admin Center, double-tap or double-click the group entry. This opens the group’s Properties dialog box.

  2. On the Membership Approval page, choose settings for joining the group. The options are:

    • Open. Anyone can join this group without being approved by the group owners.

    • Closed. Members can be added only by the group owners. All requests to join will be rejected automatically.

    • Owner Approval. All requests are approved or rejected by the group owner.

  3. Choose settings for leaving the group. The options are:

    • Open. Anyone can leave this group without being approved by the group owners.

    • Closed. Members can be removed only by the group owners. All requests to leave will be rejected automatically.

  4. The Message Approval page displays the moderation options. To disable moderation, clear the Messages Sent To This Group Have To Be Approved By A Moderator check box. To enable moderation, select the Messages Sent To This Group Have To Be Approved By A Moderator check box, and then use the options provided to specify group moderators, specify senders who don’t require message approval, and configure moderation notifications.

  5. Tap or click Save to apply your changes.

In Exchange Management Shell, you manage distribution group settings using Set-DistributionGroup. You configure member restrictions for joining a group using the -MemberJoinRestriction parameter and configure member restrictions for leaving a group using the -MemberDepartRestriction parameter. If you want to check the current restrictions, you can do this using Get-DistributionGroup. You’ll need to format the output and examine the values of the -MemberJoinRestriction property, the -MemberDepartRestriction property, or both.

Configuring member restrictions for groups provides syntax and usage examples for configuring member restrictions.

Set-DistributionGroup parameters for configuring moderation include -ModerationEnabled, -ModeratedBy, -BypassModerationFromSendersOrMembers, and -SendModerationNotifications. You enable or disable moderation by using -ModerationEnabled. If moderation is enabled, you can do the following:

  • Designate moderators using -ModeratedBy.

  • Specify senders who don’t require message approval by using -BypassModerationFromSendersOrMembers.

  • Configure moderation notifications using -SendModerationNotifications.

Configuring moderation for groups provides syntax and usage examples for configuring moderation.
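
Because a mail-enabled security group also controls access to network resources, its join restriction and ownership deserve a periodic review. The following added example (not code from the book) evaluates the properties that Get-DistributionGroup returns and flags groups that are open for joining or have no owner. Test-GroupGovernance is a hypothetical helper, and the sample group objects are constructed so that the script runs without an Exchange connection.

```powershell
# Added example. Test-GroupGovernance is a hypothetical helper, not an Exchange cmdlet.
# It reads the properties that Get-DistributionGroup returns for each group.
function Test-GroupGovernance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Group
    )
    process {
        $type     = [string]$Group.RecipientTypeDetails
        $join     = [string]$Group.MemberJoinRestriction
        $depart   = [string]$Group.MemberDepartRestriction
        # Drop empty entries so a group without owners yields a count of 0.
        $owners   = @($Group.ManagedBy | Where-Object { $_ })
        $findings = @()

        # Security and standard distribution groups must have at least one owner.
        if ($owners.Count -eq 0) {
            $findings += 'No owner assigned'
        }

        if ($join -eq 'Open') {
            if ($type -eq 'MailUniversalSecurityGroup') {
                # Joining a security group also grants the group's permissions.
                $findings += 'Security group is open for joining without owner approval'
            }
            else {
                $findings += 'Anyone can join and receive mail sent to the group'
            }
        }

        [pscustomobject][ordered]@{
            Name       = $Group.Name
            Type       = $type
            Join       = $join
            Depart     = $depart
            OwnerCount = $owners.Count
            Moderated  = [bool]$Group.ModerationEnabled
            Findings   = $findings -join '; '
        }
    }
}

# Constructed sample objects with the same property names Get-DistributionGroup uses.
$sampleGroups = @(
    [pscustomobject]@{
        Name = 'Finance-Share-RW'; RecipientTypeDetails = 'MailUniversalSecurityGroup'
        MemberJoinRestriction = 'Open'; MemberDepartRestriction = 'Open'
        ManagedBy = @('example.com/Users/Owner One'); ModerationEnabled = $false
    },
    [pscustomobject]@{
        Name = 'All-Staff'; RecipientTypeDetails = 'MailUniversalDistributionGroup'
        MemberJoinRestriction = 'Closed'; MemberDepartRestriction = 'Closed'
        ManagedBy = @(); ModerationEnabled = $true
    },
    [pscustomobject]@{
        Name = 'Project-Falcon'; RecipientTypeDetails = 'MailUniversalDistributionGroup'
        MemberJoinRestriction = 'ApprovalRequired'; MemberDepartRestriction = 'Open'
        ManagedBy = @('example.com/Users/Owner Two'); ModerationEnabled = $false
    }
)

# Show only the groups that produced a finding.
$sampleGroups | Test-GroupGovernance | Where-Object { $_.Findings } | Format-List

# Against a live organization, from Exchange Management Shell:
#   Get-DistributionGroup -ResultSize Unlimited | Test-GroupGovernance |
#       Where-Object { $_.Findings }
# Remediate with the parameters covered in this section:
#   Set-DistributionGroup -Identity 'Finance-Share-RW' -MemberJoinRestriction Closed
#   Set-DistributionGroup -Identity 'All-Staff' -ModerationEnabled $true -ModeratedBy 'Owner One'
```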

Working with dynamic distribution groups

Just as there are tasks that apply only to security and standard distribution groups, there are also tasks that apply only to dynamic distribution groups. These tasks are discussed in this section.

Creating dynamic distribution groups

With dynamic distribution groups, group membership is determined by the results of an LDAP query. You can create a dynamic distribution group and define the query parameters by completing the following steps:

  1. In Exchange Admin Center, select Recipients in the feature pane and then select Groups.

  2. Tap or click New and then select Dynamic Distribution Group. This opens the New Dynamic Distribution Group dialog box. Figure 8-4 shows on-premises Exchange options on the left and Exchange Online options on the right.

    Figure 8-4. Configuring the settings for the dynamic distribution group.

  3. In the Display Name text box, type a display name for the group. Group names aren’t case-sensitive and can be up to 64 characters long. Keep in mind that group naming policy doesn’t apply to administrators creating distribution groups in Exchange Admin Center.

  4. Like users, groups have Exchange aliases. Enter an alias. The Exchange alias is used to set the group’s SMTP email address. Exchange Server uses the SMTP address for receiving messages.

  5. With on-premises Exchange, the group account is created in the default user container, which typically is the Users container. To create the group in a specific organizational unit instead, click Browse to the right of the Organizational Unit text box. In the Select Organizational Unit dialog box, choose the location where you want to store the account and then tap or click OK.

    Note

    With Exchange 2013, the organizational unit you specify is simply the storage container. Thus, unlike Exchange 2010, the selection is not used to scope or filter the LDAP query.

  6. Group owners are responsible for managing groups. Unlike standard distribution groups, dynamic distribution groups don’t need to be assigned an owner. If you want to specify an owner, under Owner, tap or click Add. In the Select Owner dialog box, select the user or group that should have management responsibility for the group.

  7. Specify the recipients to include in the group (see Figure 8-5). To allow any recipient type to be a member of the group, select All Recipient Types. Otherwise, choose Only The Following Recipient Types and then choose the types of recipients to include in the dynamic distribution group.

    A screen shot of the New Dynamic Distribution Group page, showing filter conditions.
    Figure 8-5. Setting the filter conditions.
  8. Membership in the group is determined by the rules you define. To define a rule, tap or click Add A Rule and set the filter conditions. The following types of conditions as well as conditions for custom attributes are available:

    • Recipient Container. Filters recipients based on where the related account is stored in Active Directory. Selecting this option displays the Select An Organizational Unit dialog box. Tap or click the container where the recipients are stored, such as Users or an organizational unit, and then tap or click OK.

    • State Or Province. Filters recipients based on the value of the State/Province text box on the Contact Information page in the related Properties dialog box. Selecting this option displays the Specify Words Or Phrases dialog box. Type a state or province identifier to use as a filter condition and then press Enter or tap or click Add. Repeat as necessary, and then tap or click OK.

    • Department. Filters recipients based on the value of the Department text box on the Organization page in the related Properties dialog box. Selecting this option displays the Specify Words Or Phrases dialog box. Type a department name to use as a filter condition and then press Enter or tap or click Add. Repeat as necessary, and then tap or click OK.

    • Company. Filters recipients based on the value of the Company text box on the Organization page in the related Properties dialog box. Selecting this option displays the Specify Words Or Phrases dialog box. Type a company name to use as a filter condition and then press Enter or tap or click Add. Repeat as necessary, and then tap or click OK.

    Important

    Although each rule acts as an OR condition for matches on specified values, the rules are aggregated as AND conditions. This means that a user that matches one of the values in a rule passes that filter but must be a match for all the rules to be included in the group. For example, if you were to define a state rule for Oregon, California, or Washington and a department rule for Technology, only users who are in Oregon, California, or Washington and in the Technology department match the filter and are included as members of the group.

  9. Tap or click Save to create the group. If an error occurs during group creation, the related group will not be created. You need to correct the problem before you can complete this procedure.

  10. Creating the group isn’t the final step. Afterward, you might want to do the following:

    • Set message size restrictions for messages mailed to the group.

    • Limit users who can send to the group.

    • Change or remove default email addresses.

    • Add more email addresses.

In Exchange Management Shell, you can create a dynamic distribution group using the New-DynamicDistributionGroup cmdlet. New-DynamicDistributionGroup cmdlet syntax and usage provides the syntax and usage.

Changing query filters and filter conditions

With dynamic distribution groups, the filter conditions determine the exact criteria that must be met for a recipient to be included in the dynamic distribution group. You can modify the filter conditions by completing the following steps:

  1. In Exchange Admin Center, double-tap or double-click the dynamic distribution group entry. This opens the group’s Properties dialog box.

  2. On the Membership page, use the Specify The Types Of Recipients options to specify the types of recipients to include in the query. Select either All Recipient Types or select Only The Following Recipient Types, and then select the types of recipients.

  3. The Membership page lists the current conditions. The following types of conditions as well as conditions for custom attributes are available:

    • State Or Province. Filters recipients based on the value of the State/Province text box on the Contact Information page in the related Properties dialog box. Tap or click the related Enter Words link. In the Specify Words Or Phrases dialog box, type a state or province identifier to use as a filter condition and then press Enter or tap or click Add. Repeat as necessary, and then tap or click OK.

    • Department. Filters recipients based on the value of the Department text box on the Organization page in the related Properties dialog box. Tap or click the related Enter Words link. In the Specify Words Or Phrases dialog box, type a department name to use as a filter condition and then press Enter or tap or click Add. Repeat as necessary, and then tap or click OK.

    • Company. Filters recipients based on the value of the Company text box on the Organization page in the related Properties dialog box. Tap or click the related Enter Words link. In the Specify Words Or Phrases dialog box, type a company name to use as a filter condition and then press Enter or tap or click Add. Repeat as necessary, and then tap or click OK.

  4. Tap or click Save to apply the changes.

Designating an expansion server

When there are potentially hundreds or thousands of members, dynamic distribution groups are inefficient and can require a great deal of processing to complete. This is why Exchange 2013 shifts the processing requirements from the Global Catalog server to dedicated expansion servers. However, the routing destination is the ultimate destination for a message. A distribution group expansion server is the routing destination when a distribution group has a designated expansion server that’s responsible for expanding the membership list of the group. A distribution group expansion server is always an Exchange 2013 Mailbox server, an Exchange 2010 Hub Transport server, or an Exchange 2007 Hub Transport server.

Each routing destination has a delivery group, which is a collection of one or more transport servers that are responsible for delivering messages to that routing destination. When the routing destination is a distribution group expansion server, the delivery group may contain Exchange 2013 Mailbox servers, Exchange 2010 Hub Transport servers, and Exchange 2007 Hub Transport servers.

How the message is routed depends on the relationship between the source transport server and the destination delivery group. If the source transport server is in the destination delivery group, the routing destination itself is the next hop for the message. The message is delivered by the source transport server to the mailbox database or connector on a transport server in the delivery group.

On the other hand, if the source transport server is outside the destination delivery group, the message is relayed along the least-cost routing path to the destination delivery group. In a complex Exchange organization, a message may be relayed to other transport servers along the least-cost routing path or relayed directly to a transport server in the destination delivery group.

Real World

Keep in mind that when a distribution group expansion server is the routing destination, the distribution group is already expanded when a message reaches the routing stage of categorization on the distribution group expansion server. Therefore, the routing destination from the distribution group expansion server is always a mailbox database or a connector.

By default, Exchange 2013 uses the closest Exchange server that has the Mailbox server role installed as the dedicated expansion server. Because routing destinations and delivery groups can also include Exchange 2010 and Exchange 2007 Hub Transport servers in mixed environments, Exchange 2010 and Exchange 2007 Hub Transport servers could perform distribution group expansion in mixed Exchange organizations.

In some cases, you might want to explicitly specify the dedicated expansion server to handle expansion processing for some or all of your dynamic distribution groups. A key reason for this is to manage where the related processing occurs and in this way shift the processing overhead from other servers to this specified server. You can specify a dedicated expansion server for a dynamic distribution group using the -ExpansionServer parameter of the Set-DynamicDistributionGroup cmdlet.

Modifying dynamic distribution groups using cmdlets

In Exchange Management Shell, you can use the Get-DynamicDistributionGroup cmdlet to get information about dynamic distribution groups and modify their associated filters and conditions using the Set-DynamicDistributionGroup cmdlet.

You also can use the Set-DynamicDistributionGroup cmdlet to upgrade dynamic distribution groups created for Exchange 2003 to allow incompatible dynamic distribution groups to be rewritten to work with Exchange Server 2013. Set -ForceUpgrade to $true, and then modify any incompatible included recipients or recipient filters as necessary.

Get-DynamicDistributionGroup cmdlet syntax and usage provides the syntax and usage for the Get-DynamicDistributionGroup cmdlet.

Set-DynamicDistributionGroup cmdlet syntax and usage provides the syntax and usage for the Set-DynamicDistributionGroup cmdlet.

Previewing dynamic distribution group membership

You can preview a dynamic distribution group to confirm its membership and determine how long it takes to return the query results. The specific actions you take depend on the following factors:

  • In some cases, membership isn’t what you expected. If this happens, you need to change the query filters, as discussed earlier.

  • In other cases, it takes too long to execute the query and return the results. If this happens, you might want to rethink the query parameters and create several query groups.

You can quickly determine how many recipients are in the group by checking how many recipients received the last message sent to the group. One way to do this is to follow these steps:

  1. In Exchange Admin Center, select the dynamic distribution group entry.

  2. In the details pane, look under Membership to see the number of recipients who received the last message sent to the group.

In Exchange Management Shell, you can determine the exact membership of a dynamic distribution group by getting the dynamic group and then using the associated recipient filter to list the members. Consider the following example:

$Members = Get-DynamicDistributionGroup "TechTeam"
Get-Recipient -RecipientPreviewFilter $Members.RecipientFilter

In this example, Get-DynamicDistributionGroup stores the object for the TechTeam group in the $Members variable. Then Get-Recipient lists the recipients that match the recipient filter on this object. Note that the Exchange identifier can be the display name or alias for the group.
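
The preview above, extended as an added example that is not from the original chapter: it creates the group from the Oregon, California, or Washington and Technology rule example given earlier, then previews dynamic distribution groups scoped to their recipient container and reports the member count and query time. It assumes an Exchange Management Shell session; the TechWest group name and the Measure-DynamicGroup function are hypothetical.

```powershell
# Added example. Requires an Exchange Management Shell session.
# "TechWest" and Measure-DynamicGroup are hypothetical names.

# Precanned rules: values inside one rule are ORed, separate rules are ANDed.
New-DynamicDistributionGroup -Name "TechWest" -Alias "TechWest" `
    -IncludedRecipients MailboxUsers `
    -ConditionalStateOrProvince "Oregon", "California", "Washington" `
    -ConditionalDepartment "Technology"

function Measure-DynamicGroup {
    param(
        # Group to preview; omit to check every dynamic distribution group.
        [string]$Identity
    )
    if ($Identity) {
        $groups = @(Get-DynamicDistributionGroup -Identity $Identity)
    }
    else {
        $groups = @(Get-DynamicDistributionGroup -ResultSize Unlimited)
    }

    foreach ($g in $groups) {
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        # Scope the preview to the group's recipient container; the filter
        # alone is evaluated against recipients in the whole organization.
        $members = @(Get-Recipient -RecipientPreviewFilter $g.RecipientFilter `
                         -OrganizationalUnit $g.RecipientContainer `
                         -ResultSize Unlimited)
        $timer.Stop()

        [pscustomobject]@{
            Group     = $g.Name
            Container = "$($g.RecipientContainer)"
            Members   = $members.Count
            Seconds   = [math]::Round($timer.Elapsed.TotalSeconds, 2)
            Filter    = $g.RecipientFilter
        }
    }
}

# The stored filter shows how the two rules were combined.
Measure-DynamicGroup -Identity "TechWest" | Format-List

# Slowest groups first: candidates for a narrower filter, several smaller
# groups, or a dedicated expansion server.
Measure-DynamicGroup | Sort-Object Seconds -Descending |
    Format-Table Group, Members, Seconds -AutoSize
```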

Other essential tasks for managing groups

Previous sections covered tasks that were specific to a type of group. As an Exchange administrator, you’ll need to perform many additional group management tasks. These essential tasks are discussed in this section.

Changing a group’s name information

Each mail-enabled group has a display name, an Exchange alias, and one or more email addresses associated with it. The display name is the name that appears in address lists. The Exchange alias is used to set the email addresses associated with the group.

Whenever you change a group’s naming information, new email addresses can be generated and set as the default addresses for SMTP. These email addresses are used as alternatives to email addresses previously assigned to the group. To learn how to change or delete these additional email addresses, see the Changing, adding, or deleting a group’s email addresses section later in this chapter.

To change the group’s Exchange name details, complete the following steps:

  1. In Exchange Admin Center, double-tap or double-click the group entry. This opens the group’s Properties dialog box.

  2. On the General page, the first text box shows the display name of the group. If necessary, type a new display name.

  3. The Alias text box shows the Exchange alias. If necessary, type a new alias. Tap or click Save.

Note

When you change a group’s display name, you give the group a new label. Changing the display name doesn’t affect the SID, which is used to identify, track, and handle permissions independently from group names.

Changing, adding, or deleting a group’s email addresses

When you create a mail-enabled group, default email addresses are created for SMTP. Any time you update the group’s Exchange alias, new default email addresses can be created. The old addresses aren’t deleted, however; they remain as alternative email addresses for the group.

To change, add, or delete a group’s email addresses, follow these steps:

  1. In Exchange Admin Center, double-tap or double-click the group entry. This opens the group’s Properties dialog box.

  2. On the Email Options page, use the following techniques to manage the group’s email addresses:

    • Create a new SMTP address. Tap or click Add. In the New Email Address dialog box, SMTP is selected as the address type by default. Enter the email address, and then tap or click OK.

    • Create a custom address. Tap or click Add. In the New Email Address dialog box, select Custom Address Type. Enter a prefix that identifies the type of email address, and then enter the associated address. Tap or click OK.

    Tip

    Use SMTP as the address type for standard Internet email addresses. For custom address types, such as X.400, you must manually enter the address in the proper format.

    • Set a new Reply To Address. Double-tap or double-click the address that you want to use as the primary SMTP address. Select Make This The Reply Address, and then tap or click OK (Exchange Online only).

    • Edit an existing address. Double-tap or double-click the address entry. Modify the settings in the Address dialog box, and then tap or click OK.

    • Delete an existing address. Select the address, and then tap or click Remove.

Configuring a group’s primary SMTP email address provides syntax and usage examples for configuring a group’s primary SMTP email address. If email address policy is enabled, you won’t be able to update the email address unless you set -EmailAddressPolicyEnabled to $false.

Hiding groups from Exchange address lists

By default, any mail-enabled security group or other distribution group that you create is shown in Exchange address lists, such as the global address list. If you want to hide a group from the address lists, follow these steps:

  1. In Exchange Admin Center, double-tap or double-click the group entry. This opens the group’s Properties dialog box.

  2. On the General page, select the Hide This Group From Address Lists check box. Tap or click OK.

Note

When you hide a group, it isn’t listed in Exchange address lists. However, if a user knows the name of a group, he or she can still use it in the mail client. To prevent users from sending to a group, you must set message restrictions, as discussed in the next section, Setting usage restrictions on groups.

Tip

Hiding group membership is different from hiding the group itself. In Outlook, users can view the membership of groups. In Exchange Server 2013, you cannot prevent viewing the group membership. In addition, membership of dynamic distribution groups is not displayed in global address lists because it is generated only when mail is sent to the group.

In Exchange Management Shell, you can return a list of groups hidden from address lists using either of the following commands:

Get-DistributionGroup -filter {HiddenFromAddressListsEnabled -eq $true}
Get-DistributionGroup | where {$_.HiddenFromAddressListsEnabled -eq $true}

Setting usage restrictions on groups

Groups are great resources for users in an organization. They let users send mail quickly and easily to other users in their department, business unit, or office. However, if you aren’t careful, people outside the organization could use groups as well. Would your boss like it if spammers sent unsolicited email messages to company employees through your distribution lists? Probably not—and you’d probably be sitting in the hot seat, which would be uncomfortable, to say the least.

To prevent unauthorized use of mail-enabled groups, groups are configured by default to accept mail only from authenticated users so that only senders inside an organization can send messages to groups. An authenticated user is any user accessing the system through a logon process. It does not include anonymous users or guests. If you use the default configuration, any message from a sender outside the organization is rejected. Off-site users will need to log on to Exchange before they can send mail to groups, which might present a problem for users who are at home or travelling.

Real World

If you have users who telecommute or send email from home using a personal account, you might be wondering how these users can send mail with a restriction that allows only senders inside the organization to send messages to the group. What I’ve done in the past is create a group called OffsiteEmailUsers and then added this as a group that can send mail to my mail-enabled groups. The OffsiteEmailUsers group contains separate mail-enabled contacts for each authorized off-site email address. Alternatively, users could simply log on to Outlook Anywhere, Outlook Web App, or Exchange ActiveSync and send mail to the group; this is an approach that doesn’t require any special groups with permissions to be created or maintained.

Alternatively, you can allow senders inside and outside the organization to send email to a group. This setting allows unrestricted access to the group, so anyone can send messages to the group. However, this exposes the group to spam from external mail accounts.

Another way to prevent unauthorized use of mail-enabled groups is to specify that only certain users or members of a particular group can send messages to the group. For example, if you create a group called AllEmployees, of which all company employees are members, you can specify that only the members of AllEmployees can send messages to the group. You do this by specifying that only messages from members of AllEmployees are acceptable.

To prevent mass spamming of other groups, you can set the same restriction. For example, if you have a group called Technology, you could specify that only members of AllEmployees can send messages to that group.

You can set or remove usage restrictions by completing the following steps:

  1. In Exchange Admin Center, double-tap or double-click the group entry. In the Properties dialog box for the group, select the Delivery Management page.

  2. To ensure that messages are accepted only from authenticated users, select Only Senders Inside My Organization.

  3. To accept messages from all email addresses, select Senders Inside And Outside Of My Organization.

  4. To restrict senders, specify that messages only from the listed users, contacts, or groups be accepted. To do this, tap or click Add to display the Select Allowed Senders dialog box. Select a recipient, and then tap or click OK. Repeat as necessary.

    Tip

    You can select multiple recipients at the same time. To select multiple recipients individually, hold down the Ctrl key and then tap or click each recipient that you want to select. To select a continuous sequence of recipients, select the first recipient, hold down the Shift key, and then tap or click the last recipient.

  5. Tap or click Save.

Creating moderated groups

By default, senders don’t require approval for their messages to be sent to all members of a group. Sometimes, though, you’ll want to appoint moderators who must approve messages before they are sent to all members of the group. If you enable moderation but don’t specify a moderator or moderators, the group owner is responsible for reviewing and approving messages. When moderation is enabled, you also can specify users who don’t require approval for their messages to be sent to all members of the group.

To see how moderation could be used, consider the following example. A project team is set up to work on a restricted project. The team leader wants a moderated group for the project team so that she must review and approve all messages sent to the group before they are sent to members of the team. As the moderator, the team leader’s messages don’t require approval and are sent directly to all members of the group.

To configure moderation for a group, complete the following steps:

  1. In Exchange Admin Center, double-tap or double-click the group name to open the Properties dialog box for the group.

  2. On the Message Approval page, do one of the following:

    • To enable moderation, select Messages Sent To This Group Have To Be Approved By A Moderator. Next, use the options provided to specify moderators and senders who don’t require message approval.

    • To disable moderation, clear Messages Sent To This Group Have To Be Approved By A Moderator. Tap or click Save and then skip the rest of the steps.

    If a message addressed to the group isn’t approved, the message isn’t distributed to members of the group, and all users receive a nondelivery report (NDR) by default whether they are inside or outside the organization. Alternatively, you can notify only senders in your organization when their messages aren’t approved or you can disable notification completely.

  3. Tap or click Save.
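
The settings covered in the preceding sections (hiding groups, sender restrictions, moderation, and join restrictions) can be reviewed together in one pass. The function below is an added example, not from the original chapter: Get-GroupExposureFinding is a hypothetical name, the sample objects are constructed, and matching an allowed-sender entry to a group by the last segment of its path is an assumption. The property names are those returned by Get-DistributionGroup.

```powershell
# Added example: reads group objects from the pipeline and emits one row
# per finding. Works on Get-DistributionGroup output or on sample objects.
function Get-GroupExposureFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object[]]$Group
    )
    begin   { $all = New-Object System.Collections.ArrayList }
    process { foreach ($g in $Group) { [void]$all.Add($g) } }
    end {
        # Names of groups that other groups list as allowed senders.
        # Assumption: the text after the last '/' of an entry is the group name.
        $trusted = @{}
        foreach ($g in $all) {
            foreach ($s in @($g.AcceptMessagesOnlyFromSendersOrMembers)) {
                if ($s) { $trusted[("$s" -split '/')[-1]] = $true }
            }
        }

        foreach ($g in $all) {
            $allowList  = @($g.AcceptMessagesOnlyFromSendersOrMembers | Where-Object { $_ })
            $moderators = @($g.ModeratedBy | Where-Object { $_ })
            $findings   = @()

            # "Senders Inside And Outside Of My Organization" is selected.
            if (-not $g.RequireSenderAuthenticationEnabled) {
                $findings += 'Accepts mail from senders outside the organization'
            }
            # Hiding a group does not stop anyone who knows its name.
            if ($g.HiddenFromAddressListsEnabled -and $allowList.Count -eq 0) {
                $findings += 'Hidden from address lists but has no allowed-sender list'
            }
            # Without a named moderator, approval falls to the group owner.
            if ($g.ModerationEnabled -and $moderators.Count -eq 0) {
                $findings += 'Moderated with no moderator; approval falls to the owner'
            }
            # Membership grants send rights elsewhere, yet anyone can join.
            if ($trusted.ContainsKey($g.Name) -and "$($g.MemberJoinRestriction)" -eq 'Open') {
                $findings += 'Listed as an allowed sender elsewhere but open to self-join'
            }

            foreach ($f in $findings) {
                [pscustomobject]@{ Group = $g.Name; Finding = $f }
            }
        }
    }
}

# Constructed sample objects shaped like Get-DistributionGroup output.
$sample = @(
    [pscustomobject]@{ Name = 'AllEmployees'; RequireSenderAuthenticationEnabled = $true
        HiddenFromAddressListsEnabled = $false; AcceptMessagesOnlyFromSendersOrMembers = @()
        ModerationEnabled = $false; ModeratedBy = @(); MemberJoinRestriction = 'Open' }
    [pscustomobject]@{ Name = 'Technology'; RequireSenderAuthenticationEnabled = $true
        HiddenFromAddressListsEnabled = $false
        AcceptMessagesOnlyFromSendersOrMembers = @('contoso.com/Users/AllEmployees')
        ModerationEnabled = $false; ModeratedBy = @(); MemberJoinRestriction = 'Closed' }
    [pscustomobject]@{ Name = 'ExecStaff'; RequireSenderAuthenticationEnabled = $true
        HiddenFromAddressListsEnabled = $true; AcceptMessagesOnlyFromSendersOrMembers = @()
        ModerationEnabled = $true; ModeratedBy = @(); MemberJoinRestriction = 'Closed' }
    [pscustomobject]@{ Name = 'Partners'; RequireSenderAuthenticationEnabled = $false
        HiddenFromAddressListsEnabled = $false; AcceptMessagesOnlyFromSendersOrMembers = @()
        ModerationEnabled = $false; ModeratedBy = @(); MemberJoinRestriction = 'ApprovalRequired' }
)

$sample | Get-GroupExposureFinding | Format-Table -AutoSize

# Against a live organization, from Exchange Management Shell:
# Get-DistributionGroup -ResultSize Unlimited | Get-GroupExposureFinding
```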

Deleting groups

If you are an owner of a group, you can delete it. Deleting a group removes it permanently. After you delete a security group, you can’t create a security group with the same name and automatically restore the permissions that the original group was assigned because the SID for the new group won’t match the SID for the old group. You can reuse group names, but remember that you’ll have to re-create all permissions settings.

You cannot delete built-in groups in Windows. In Exchange Admin Center, you can remove other types of groups by selecting them and clicking Delete. When prompted, tap or click Yes to delete the group. If you tap or click No, Exchange Admin Center will not delete the group.

In Exchange Management Shell, only a group’s manager or other authorized user can remove a group. Use the Remove-DistributionGroup cmdlet to remove distribution groups, as shown in Remove-DistributionGroup cmdlet syntax and usage.

You can use the Remove-DynamicDistributionGroup cmdlet to remove dynamic distribution groups. Remove-DynamicDistributionGroup cmdlet syntax and usage shows the syntax and usage.

Managing online address lists

Address lists are collections of recipients in an Exchange organization that are selectable in the address book of client applications. You can use address lists to organize recipients by department, business unit, location, type, and other criteria. The default address lists that Exchange Server creates, as well as any new address lists that you create, are available to the user community based on their view of the global address list. Users can navigate these address lists to find recipients to whom they want to send messages.

Using default address lists

During setup, Exchange Server creates a number of default address lists that are selectable in the address book of client applications, including the following:

  • Default Global Address List. Lists all mail-enabled users, contacts, and groups in the organization.

  • Default Offline Address Book. Provides an address list for viewing offline that contains information on all mail-enabled users, contacts, and groups in the organization.

  • All Contacts. Lists all mail-enabled contacts in the organization.

  • All Groups. Lists all mail-enabled groups in the organization.

  • All Rooms. Lists all resource mailboxes for rooms.

  • Public Folders. Lists all public folders in the organization.

  • All Users. Lists all mail-enabled users in the organization.

Important

Generally, whenever you specify address list paths in Exchange Management Shell, you must reference their position relative to the root container. The root container is identified as \. If the address list name contains spaces, you also must enclose the address list path in quotes. Thus, you reference the Default Address List as '\Default Address List' and All Rooms as '\All Rooms'.

The most commonly used address lists are the global address list and the offline address book. In Exchange Admin Center for your on-premises organization, you access online address lists and offline address books by selecting Organization in the feature pane and then selecting Address Lists. As Figure 8-6 shows, the main pane shows each address list by name and up-to-date status. If an address list isn’t up-to-date, you can tap or click the Update option to update it.

A screen shot of Exchange Admin Center, showing the configured address lists.
Figure 8-6. Accessing address lists in Exchange Admin Center.

Important

Any address list created using the shell should be managed only with the shell. Address lists created with the GUI can be managed with either the GUI or the shell. That said, Microsoft recommends that you manage address lists from the shell whenever the list contains several thousand or more recipients. The reason for this is that Exchange Admin Center will be locked until the task is completed.

Using address book policies

Most Exchange organizations don’t need address book policies. However, when multiple companies share one Exchange organization, you may want to segment the global address list to provide customized (scoped) views of recipient data to users in each separate company. You segment the global address list using address book policies. Each address book policy contains a global address list, an offline address book, a room list, and one or more address lists.

You use address book policies when you need complete separation of the recipient data. Consider the following example:

Coho Winery merges with Coho Vineyard, resulting in a merged company called Coho Vineyard & Winery. While publicly a single company, internally the winery and vineyard operations are distinct and separate. The only overlap between the operations is in the top-level executive team.

The company has a single Exchange organization and wants those that work in one part of the operation to have access only to recipients and resources in that operation. Employees get scoped views of All Users, All Groups, and All Rooms as well as the default global address list and the default offline address list. These scoped views include only those that work as part of the winery or vineyard operations and not both.

The top-level executives and their direct support staff have access to the original, unscoped address lists. This ensures they can access recipients and resources in both operations areas.

Keep in mind that the need for custom views of recipients doesn’t mean that your organization needs address book policies. You can create new address lists at any time and those address lists can be scoped however you’d like them to be scoped. For example, you could create an address list called All Marketing that includes only employees in the marketing department.

You can assign address book policy to recipients in both on-premises and online Exchange organizations. Before you can use address book policy, you must do the following:

  1. Install and enable the Address Book Policy Routing Agent using these commands:

    Install-TransportAgent -Name "ABP Routing Agent" `
      -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.AddressBookPolicyRoutingAgent.AddressBookPolicyRoutingAgentFactory" `
      -AssemblyPath "C:\Program Files\Microsoft\Exchange\V15\TransportRoles\Agents\AddressBookPolicyRoutingAgent\Microsoft.Exchange.Transport.Agent.AddressBookPolicyRoutingAgent.dll"
    Enable-TransportAgent "ABP Routing Agent"

    Note

    Here, C:\Program Files\Microsoft\Exchange\V15 is the Exchange install path. If you installed Exchange in a different location, revise the path as appropriate.

  2. Next, you must restart the transport service and then enable Address Book Policy routing in the organization using these commands:

    Restart-Service MSExchangeTransport
    Set-TransportConfig -AddressBookPolicyRoutingEnabled $true
  3. Set an attribute on all recipients that can be used to segment the Exchange organization. For example, you could use a custom attribute to do this.

  4. Create one or more address lists that provide the segmented views of the organization-wide global address list. Typically, you’ll want a list for mailbox users, contacts, distribution lists, and rooms. Use New-AddressList with recipient filters that look for the special attribute to create these lists. Here are examples:

    # Every list filters on the same segmentation attribute (CustomAttribute8).
    New-AddressList -Name "B - All Users" `
      -RecipientFilter {(RecipientType -eq 'UserMailbox') -and (CustomAttribute8 -eq "CompanyB")}
    New-AddressList -Name "B - All Contacts" `
      -RecipientFilter {((RecipientType -eq "MailUser") -or (RecipientType -eq "MailContact")) -and (CustomAttribute8 -eq "CompanyB")}
    New-AddressList -Name "B - All Groups" `
      -RecipientFilter {((RecipientType -eq "MailUniversalDistributionGroup") -or (RecipientType -eq "DynamicDistributionGroup") -or (RecipientType -eq "MailUniversalSecurityGroup")) -and (CustomAttribute8 -eq "CompanyB")}
    # The two room types are grouped in parentheses so that the company test
    # applies to both of them.
    New-AddressList -Name "B - All Rooms" `
      -RecipientFilter {(Alias -ne $null) -and (CustomAttribute8 -eq "CompanyB") -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox'))}

    Note

    Address book policy requires a room list. If you don’t use rooms, create an empty list.

  5. Create a segmented global address list and then use this address list to create the segmented offline address book. Here are examples:

    New-GlobalAddressList -Name "B - GAL" `
      -RecipientFilter {(CustomAttribute8 -eq "CompanyB")}
    New-OfflineAddressBook -Name "B - OAB" -AddressLists "B - GAL"

  6. Create an address book policy for the first company within the organization and then assign this policy to the appropriate mailboxes. Here are examples:

    New-AddressBookPolicy -Name "CompanyB ABP" `
      -AddressLists "B - All Users", "B - All Contacts", "B - All Groups" `
      -OfflineAddressBook "B - OAB" -GlobalAddressList "B - GAL" `
      -RoomList "B - All Rooms"
    Get-Mailbox -ResultSize Unlimited |
      where {$_.CustomAttribute8 -eq "CompanyB"} |
      Set-Mailbox -AddressBookPolicy "CompanyB ABP"

  7. As necessary, repeat Steps 4 through 6 to configure address lists and policies for each company within the Exchange organization.
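
After completing these steps, you can check that the segmentation holds. The following script is an added example, not code from this book: it reports mailboxes whose tag and policy disagree, and previews each segmented list for recipients that are not tagged for the company. It assumes the CompanyB names used in the steps above; the variable names are illustrative.

```powershell
# Added example (not from the book): audit the CompanyB segment.
# Assumes Exchange Management Shell and the names used in the steps above.
$segment    = 'CompanyB'        # value stored in CustomAttribute8
$policyName = 'CompanyB ABP'
$listNames  = 'B - All Users', 'B - All Contacts', 'B - All Groups', 'B - All Rooms'
$galName    = 'B - GAL'

$mailboxes = Get-Mailbox -ResultSize Unlimited

# Tagged for the segment but without the policy: these users still browse
# the organization-wide address lists.
# Assumption: the AddressBookPolicy property renders as the policy name.
$missingPolicy = $mailboxes | Where-Object {
    $_.CustomAttribute8 -eq $segment -and "$($_.AddressBookPolicy)" -ne $policyName
}

# Carry the policy but are not tagged: they see CompanyB's lists
# without appearing in them.
$wrongPolicy = $mailboxes | Where-Object {
    "$($_.AddressBookPolicy)" -eq $policyName -and $_.CustomAttribute8 -ne $segment
}

# Preview every filter and keep any recipient that is not tagged for the
# segment. Each hit is a recipient the segmented view would expose.
$filters  = @()
$filters += $listNames | ForEach-Object { Get-AddressList -Identity $_ }
$filters += Get-GlobalAddressList -Identity $galName
$outsiders = foreach ($list in $filters) {
    Get-Recipient -RecipientPreviewFilter $list.RecipientFilter -ResultSize Unlimited |
        Where-Object { $_.CustomAttribute8 -ne $segment } |
        Select-Object @{ Name = 'List'; Expression = { $list.Name } },
                      Name, RecipientTypeDetails, CustomAttribute8
}

"Tagged $segment but not assigned '$policyName': $(@($missingPolicy).Count)"
$missingPolicy | Format-Table Name, AddressBookPolicy -AutoSize

"Assigned '$policyName' but not tagged ${segment}: $(@($wrongPolicy).Count)"
$wrongPolicy | Format-Table Name, CustomAttribute8 -AutoSize

"Recipients matched by a segmented list but not tagged ${segment}: $(@($outsiders).Count)"
$outsiders | Format-Table -AutoSize
```

All three counts should be zero before you repeat the steps for the next company.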

Creating and applying new address lists

You can create new address lists to create customized views of recipient data. For example, if your organization has offices in Seattle, Portland, and San Francisco, you might want to create separate address lists for each office.

To create an address list that users can select in their Outlook clients, follow these steps:

  1. In Exchange Admin Center, select Organization in the feature pane and then select Address Lists.

  2. Tap or click New. This opens the New Address List dialog box.

  3. Type an internal Exchange name and a display name for the address list, as shown in Figure 8-7. The display name should describe the types of recipients that are viewed through the list. For example, if you’re creating a list for recipients in the Boston office, you can call the list Boston Office.

    A screen shot of the New Address List page, showing a name and path for the new address list.
    Figure 8-7. Specifying a name and configuring the address list.
  4. The container on which you base the address list sets the scope of the list. The list will include recipients in address lists in and below the specified container. The default (root) container, , specifies that all address lists are included by default. To specify a different container for limiting the list scope, tap or click Browse, and then use the Address List Picker dialog box to select a container. In most cases, you’ll want to select the default (root) container. The list path is fixed when you create a list, so you won’t be able to specify a different list path later.

  5. Use the Types Of Recipients To Include options to specify the types of recipients to include in the address list. Select All Recipient Types or select Only The Following Recipient Types and then select the types of recipients. You can include mailbox users, mail-enabled contacts, mail-enabled groups, mail-enabled users, and resource mailboxes.

  6. Next, you can create rules that further filter the address list. Each rule acts as a condition that must be met. If you set more than one rule, each condition must be met for there to be a match. To define a rule, tap or click Add A Rule and then set the filter conditions. The following types of conditions are available as well as conditions for custom attributes:

    • Recipient Container. Filters recipients based on where in Active Directory the related account is stored. Selecting this option displays the Select An Organizational Unit dialog box. Tap or click the container where the recipients are stored, such as Users or an organizational unit, and then tap or click OK.

    • State Or Province. Filters recipients based on the value of the State/Province text box on the Contact Information page in the related Properties dialog box. Selecting this option displays the Specify Words Or Phrases dialog box. Type a state or province identifier to use as a filter condition and then press Enter or tap or click Add. Repeat as necessary, and then tap or click OK.

    • Department. Filters recipients based on the value of the Department text box on the Organization page in the related Properties dialog box. Selecting this option displays the Specify Words Or Phrases dialog box. Type a department name to use as a filter condition and then press Enter or tap or click Add. Repeat as necessary, and then tap or click OK.

    • Company. Filters recipients based on the value of the Company text box on the Organization page in the related Properties dialog box. Selecting this option displays the Specify Words Or Phrases dialog box. Type a company name to use as a filter condition and then press Enter or tap or click Add. Repeat as necessary, and then tap or click OK.

  7. Tap or click Save to create the address list. After the address list is created, users will be able to use the new address list the next time they start Outlook. In the details pane, the new list will have a status of Not Up To Date.

Creating and fully populating address lists can be resource intensive, so new address lists aren’t populated. You can populate the address list for the first time by updating it. To do this, tap or click the address list and then tap or click Update.

You’ll see a warning prompt explaining that it could take a long time to update the address list. When you tap or click Yes, Exchange Admin Center begins updating the address list and displays the update progress in a bar graph, as shown in Figure 8-8. If you find the update is taking too long, you can tap or click Stop to halt the update. You can then restart the update process later.

A screen shot of Exchange Admin Center, showing the update progress.
Figure 8-8. Tracking the update progress.

In Exchange Management Shell, creating and applying address lists are two separate tasks. You can create address lists using the New-AddressList cmdlet. You apply address lists using the Update-AddressList cmdlet. “New-AddressList cmdlet syntax and usage” provides the syntax and usage for the New-AddressList cmdlet. “Update-AddressList cmdlet syntax and usage” provides the syntax and usage for the Update-AddressList cmdlet. For -IncludedRecipients, you can include mailbox users, mail-enabled contacts, mail-enabled groups, mail-enabled users, and resource mailboxes.

Tip

Exchange Server 2013 does not support Recipient Update Service (RUS). To replace the functionality of RUS, you can schedule the Update-AddressList and Update-EmailAddressPolicy cmdlets to run periodically using Task Scheduler. Alternatively, you can run the cmdlets manually when you modify addresses.

Configuring clients to use address lists

Address books are available to clients that are configured for corporate or workgroup use. To set the address lists used by the client, complete these steps:

  1. In Office Outlook 2013, on the Home panel, select Address Book. Alternatively, press Ctrl+Shift+B.

  2. In the Address Book dialog box, from the Tools menu, select Options, and then set the following options to configure how address lists are used:

    • When Sending E-Mail, Check Address Lists In This Order. Sets the order in which Outlook searches address books when you send a message or tap or click Check Names. You can start with either the global address list or the contact folders. Or you can choose the Custom option and then use the up and down arrows to change the list order.

    • When Opening The Address Book, Show This Address List First. Sets the address book that the user sees first whenever he or she works with the address book.

  3. Tap or click OK.

Tip

When checking names, you’ll usually want the global address list (GAL) to be listed before the user’s own contacts or other types of address lists. This is important because users often put internal mailboxes in their personal address lists. The danger of doing this without first resolving names against the GAL is that although the display name might be identical, the properties of a mailbox might change. When changes occur, the entry in the user’s address book is no longer valid, and any mail sent bounces back to the sender with a nondelivery report (NDR). To correct this, the user should either remove that mailbox from his or her personal address list and add it based on the current entry in the GAL, or change the check names resolution order to use the GAL before any personal lists.

Updating address list configuration and membership throughout the domain

Exchange Server doesn’t immediately replicate changes to address lists throughout the domain. Instead, changes are replicated during the normal replication cycle, which means that some servers might temporarily have outdated address list information. Rather than waiting for replication, you can manually update address list configuration, availability, and membership throughout the domain. To do this, follow these steps:

  1. In Exchange Admin Center, select Organization in the feature pane and then select Address Lists.

  2. Tap or click the address list you want to work with and then tap or click Update.

  3. You’ll see a warning prompt explaining that it could take a long time to update the address list. Tap or click Yes. Exchange Admin Center begins updating the address list and displays the update progress in a bar graph.

  4. If you find the update is taking too long, you can tap or click Stop to halt the update. You can then restart the update process later.

Alternatively, you can use the Update-AddressList cmdlet to update lists. See “Update-AddressList cmdlet syntax and usage” for syntax and usage.

Previewing and editing address lists

Although you can’t change the properties of default address lists, you can change the properties of address lists that you create using either Exchange Admin Center or Exchange Management Shell. You can edit a list’s settings or preview the recipients in the list by completing the following steps:

  1. In Exchange Admin Center, select Organization in the feature pane and then select Address Lists.

  2. Tap or click the address list you want to work with. If there’s a note in the details pane stating the list was created in Exchange Management Shell, you won’t be able to modify its settings. You can, however, view the list’s settings in the Address List dialog box.

  3. Tap or click Edit. In the Address List dialog box, you’ll see the name, path, and recipient filter associated with the list.

  4. To preview the recipients included in the list, tap or click the link provided.

  5. Modify the name as necessary. Use the Types Of Recipients To Include options to specify the types of recipients to include. Select All Recipient Types or select Only The Following Recipient Types and then select the types of recipients.

  6. Create new rules or modify existing rules to further filter the recipients.

  7. Tap or click Save. In the details pane, the modified list will have a status of Not Up To Date. To update the membership of the address list, tap or click Update and then follow the prompts.

In Exchange Management Shell, you can modify an address list using the Set-AddressList cmdlet. “Set-AddressList cmdlet syntax and usage” provides the syntax and usage. Address lists created for Exchange Server 2003 aren’t compatible with Exchange Server 2013. You can upgrade address lists created for Exchange Server 2003 so that they work with Exchange Server 2013 by using -ForceUpgrade $true and then modifying any incompatible included recipients or recipient filters as necessary. After you update an address list, you can make the changes visible by using the Update-AddressList cmdlet, as shown previously in “Update-AddressList cmdlet syntax and usage.” You don’t need to upgrade address lists created for Exchange Server 2007 or Exchange Server 2010.

Renaming and deleting address lists

You can only rename or delete user-defined address lists.

  • Renaming address lists. To rename an address list, in Exchange Admin Center, select its entry and then select Edit. Type a new name in the Display Name text box. In the details pane, the modified list will have a status of Not Up To Date. To update the membership of the address list, tap or click Update and then follow the prompts.

  • Deleting address lists. To delete an address list, in Exchange Admin Center, select its entry and then select Remove. When prompted to confirm the action, tap or click Yes.

In Exchange Management Shell, you can remove address lists using the Remove-AddressList cmdlet. “Remove-AddressList cmdlet syntax and usage” provides the syntax and usage. If you also want to remove address lists that reference the address list you are removing and match a portion of it (child address lists), you can set the -Recursive parameter to $true. By default, the cmdlet does not remove child address lists of the specified list.

Managing offline address books

Exchange 2013 has a new offline address book generation and distribution architecture. You configure offline address books differently than online address lists. To use an offline address book, the client must be configured to have a local copy of the server mailbox, or you can use personal folders. Clients using Outlook 2007 or later retrieve the offline address book from the designated offline address book (OAB) distribution point.

Note

Although future updates may change this, Exchange Admin Center doesn’t have options for managing offline address books at the time of this writing. This means that you need to use Exchange Management Shell to manage offline address books.

Important

An OAB distribution point is a virtual directory to which Outlook 2007 and later clients can connect to download the offline address book. OAB distribution points are hosted by Client Access servers running Internet Information Services (IIS) as virtual directories. Each distribution point can have two URLs associated with it: one URL for internal (on-site) access and another for external (off-site) access.

Creating offline address books

The default offline address book includes all the addresses in the global address list. It does this by including the default global address list. All other offline address books are created by including the default global address list or a specific online address list as well.

Note

You can create other custom offline address books using Exchange Management Shell. You cannot use Exchange Admin Center to create other offline address books.

In Exchange Management Shell, you can create offline address books using the New-OfflineAddressBook cmdlet. You apply offline address books using the Update-OfflineAddressBook cmdlet. “New-OfflineAddressBook cmdlet syntax and usage” provides the syntax and usage for the New-OfflineAddressBook cmdlet. “Update-OfflineAddressBook cmdlet syntax and usage” provides the syntax and usage for the Update-OfflineAddressBook cmdlet.

Note

Public folder distribution is no longer associated with offline address books. Public folders are now stored in special mailboxes, as discussed in Chapter 7.

When you create an offline address book, you must use the -AddressLists parameter to specify the address lists that are included. If you want the offline address book to include all recipients in the organization, specify that the Default Global Address List is the address list to include as shown in this example:

New-OfflineAddressBook -Name 'Offline – Entire Organization' `
 -Server 'CorpSvr127' `
 -AddressLists 'Default Global Address List' `
 -VirtualDirectories 'CORPSVR127\OAB (Default Web Site)'

You can include multiple address lists using a comma-separated list, as shown in this example:

New-OfflineAddressBook -Name 'Offline – Sales & Marketing' `
 -Server 'CorpSvr127' `
 -AddressLists 'All Marketing', 'All Sales', 'Sales Teams' `
 -VirtualDirectories 'CORPSVR127\OAB (Default Web Site)'

If you want the new offline address book to be the default, use the -IsDefault parameter.

Configuring clients to use an offline address book

Offline address lists are available only when users are working offline. You can configure how clients use offline address books by completing the following steps:

  1. Do one of the following:

    • In Outlook 2007, tap or click Tools, select Send/Receive, and then select Download Address Book. The Offline Address Book dialog box appears.

    • In Outlook 2010, tap or click the Office button. On the Info pane, select Download Address Book. The Offline Address Book dialog box appears.

    • In Outlook 2013, on the File pane, tap or click Info. On the Info page, tap or click Account Settings and then select Download Address Book. The Offline Address Book dialog box appears.

  2. Select the Download Changes Since Last Send/Receive check box to download only items that have changed since the last time you synchronized the address list. Clear this check box to download the entire contents of your address book.

  3. With Outlook 2007 and Outlook 2010, specify the information to download as either of the following two options:

    • Full Details. Select this option to download the address book with all address information details. Full details are necessary if the user needs to encrypt messages when using remote mail.

    • No Details. Select this option to download the address book without address information details. This reduces the download time for the address book.

  4. If multiple address books are available, use the Choose Address Book drop-down list to specify which address book to download. Tap or click OK.

Designating OAB generation servers and schedules

In Exchange 2013, the organization has a dedicated OAB generation server. This server is responsible for generating the offline address books for the entire organization. Although the first Mailbox server you install with Exchange 2013 may be designated as the OAB generation server, this isn’t always the case.

To identify the OAB generation server, you need to locate the arbitration mailbox that handles the offline address book generation. In Exchange 2013, an arbitration mailbox with the persisted capability “OrganizationCapabilityOABGen” handles offline address book generation. You can locate this mailbox and identify the server and database it resides on using the following command:

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like "*oab*"} |
ft name, servername, database

If your Mailbox servers are configured in an availability group, ensure you’ve identified the active copy of the database using the following command:

Get-MailboxDatabaseCopyStatus DatabaseName

where DatabaseName is the database to check. The active copy has the status Mounted.

By default, the OAB generation server rebuilds offline address books once each day. You can confirm the current settings using the following command:

Get-MailboxServer -Identity OABGenerationServer | fl OABGeneratorWorkCycle,
OABGeneratorWorkCycleCheckpoint

where OABGenerationServer is the Mailbox server hosting the OAB generation mailbox. The output of this command is as shown here:

OABGeneratorWorkCycle           : 1.00:00:00
OABGeneratorWorkCycleCheckpoint : 1.00:00:00
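
The three lookups above can be combined into one report. This function is an added example, not code from this book; Get-OabGenerationServer is a hypothetical name, and it uses only the cmdlets shown in this section.

```powershell
# Added example (not from the book): report each OAB generation mailbox, the
# server holding the mounted copy of its database, and that server's work cycle.
function Get-OabGenerationServer {   # hypothetical helper name
    Get-Mailbox -Arbitration |
        Where-Object { $_.PersistedCapabilities -like '*oab*' } |
        ForEach-Object {
            $mbx = $_

            # In an availability group several servers hold a copy of the
            # database; only the copy with status Mounted is the active one.
            $active = @(Get-MailboxDatabaseCopyStatus -Identity "$($mbx.Database)" |
                Where-Object { $_.Status -eq 'Mounted' })

            if ($active.Count -eq 0) {
                # Nothing is mounted, so no server can be named for this mailbox.
                Write-Warning "No mounted copy of database $($mbx.Database) for mailbox $($mbx.Name)."
                return   # continue with the next mailbox
            }

            $server = Get-MailboxServer -Identity $active[0].MailboxServer

            [pscustomobject]@{
                Mailbox                         = $mbx.Name
                Database                        = "$($mbx.Database)"
                ActiveServer                    = $active[0].MailboxServer
                OABGeneratorWorkCycle           = $server.OABGeneratorWorkCycle
                OABGeneratorWorkCycleCheckpoint = $server.OABGeneratorWorkCycleCheckpoint
            }
        }
}

Get-OabGenerationServer | Format-Table -AutoSize
```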

Note

In Exchange 2010, offline address book generation occurs according to a fixed schedule set with the -Schedule parameter of Set-OfflineAddressBook. In Exchange 2013, this schedule is not used.

The Mailbox server uses the default daily schedule and will rebuild the offline address books once each day. The schedule uses the following format:

D.HH:MM:SS

where D is the number of days, HH sets the hours, MM sets the minutes, and SS sets the seconds.

You can configure a different schedule using Set-MailboxServer. Use -OABGeneratorWorkCycle to set the master schedule and -OABGeneratorWorkCycleCheckpoint to set the rebuild interval within this schedule. For example, if you want address books to be rebuilt daily and update every six hours, use the following command:

Set-MailboxServer -Identity OABGenerationServer `
 -OABGeneratorWorkCycle 1.00:00:00 `
 -OABGeneratorWorkCycleCheckpoint 06:00:00

The OAB generation server manages and propagates the offline address books. If the OAB generation server is being overutilized and you want to move the offline address book generation responsibility to a server with more resources, you can do this using several different techniques. When the database and server are part of an availability group, you can move the OAB generation mailbox from one server in the group to another server in the group. However, to do this, you must activate the corresponding mailbox database on the other server (and thereby inactivate the mailbox database on its current server). Consider the following example:

Move-ActiveMailboxDatabase Database42 -ActivateOnServer MailServer18

In this example, MailServer18 hosts an inactive copy of the mailbox database that contains the OAB generation mailbox and this database is activated. When Database42 is activated, MailServer18 becomes the OAB generation server.

When the database and server are not part of an availability group, you can use a standard move request to move the OAB generation mailbox from a database on one server to a database on another server. Consider the following example:

Get-Mailbox -Arbitration -Database Database42 |
 where {$_.PersistedCapabilities -like "*oab*"} |
 New-MoveRequest -TargetDatabase Database14

When the move request is completed and final, the new server becomes the OAB generation server. As may be required for load balancing, fault tolerance, or geographically dispersed Exchange organizations, you can create an additional OAB generation mailbox. To do this, use the following commands:

New-Mailbox -Arbitration -Name "OAB 2" -Database Database42 `
 -UserPrincipalName [email protected] -DisplayName "OAB Mailbox 2"
Set-Mailbox -Arbitration oab2 -OABGen $true

Rebuilding the OAB manually

Although the offline address book is generated automatically according to the generator work cycle, you can force the OAB generator to rebuild offline address books manually. To do this, use the Update-OfflineAddressBook cmdlet as shown in this example:

Update-OfflineAddressBook -Identity 'Default Offline Address Book'

This example initiates an update of the default offline address book. This command initiates an RPC request to each mailbox server hosting an active OAB generation mailbox.

You also can force Exchange to rebuild the offline address book if you restart the Mailbox Assistants service on the server hosting an active OAB generation mailbox.

Setting the default offline address book

Although you can create many offline address books, clients download only one. This address list is called the default offline address book. To specify the default offline address book, use Set-OfflineAddressBook with this basic syntax:

Set-OfflineAddressBook -Identity OABName -IsDefault <$true | $false>
[-DomainController FullyQualifiedName]

In the following example, Offline – All Company is set as the default offline address book:

Set-OfflineAddressBook -Identity 'Offline – All Company' -IsDefault $true

Changing offline address book properties

The offline address book is based on other address lists that you’ve created in the organization. In Exchange Management Shell, you can modify offline address books using the Set-OfflineAddressBook cmdlet. “Set-OfflineAddressBook cmdlet syntax and usage” provides the syntax and usage.

One way to modify an offline address book is to modify the list of included address lists. You can make additional address lists a part of the offline address book. If you no longer want an address list to be a part of the offline address book, you can remove it. To perform either task, use the -AddressLists parameter. This parameter specifies the exact list of address lists to include, and you must always explicitly specify each address list that should be included. Consider the following example:

Get-OfflineAddressBook
Name                          Versions    AddressLists
----                          --------    ------------
Default Offline Address Book  {Version4}  {Default Global Address List}
Temp Employees Address Book   {Version4}  {All Support, All Temps}

In this example, the organization has two offline address books: one for full-time employees and one for temporary employees who provide on-site support. For temporary employees, the offline address book includes recipient data only for members of the support team and other temps on the support team. If the offline address book for temporary employees should also include recipient data for All Help Desk, you could add this address list as shown in this example:

Set-OfflineAddressBook -Identity 'Temp Employees Address Book' `
 -AddressLists 'All Support', 'All Temps', 'All Help Desk'

If you later decided to remove All Help Desk from this offline address book, you could do so by entering the following command:

Set-OfflineAddressBook -Identity 'Temp Employees Address Book' `
 -AddressLists 'All Support', 'All Temps'

Deleting offline address books

If an offline address book is no longer needed, you can delete it as long as it isn’t the default offline address book. Before you can delete the default offline address book, you must set another address book as the default.

In Exchange Management Shell, you can delete an offline address book using the Remove-OfflineAddressBook cmdlet. “Remove-OfflineAddressBook cmdlet syntax and usage” provides the syntax and usage. Set the -Force parameter to $true to force the immediate removal of an offline address book.
