How do I restrict permissions to send to a Distribution List in an AD-synchronized Exchange Online environment?


This is actually not terribly simple - that is to say, it's more complicated than one might think. In a non-AD-sync scenario, you simply edit the DL properties and specify which group should have permission to send to the selected DL (or use PowerShell to accomplish the same). However, in an AD-sync scenario you can't modify DL properties in Exchange Online because they are copied from the local AD.

Pre-requisites

The security group (to which you are restricting permission to send to the given distribution list) must:

  1. Have an email address
  2. Be a universal security group
  3. Have its displayName attribute set

...otherwise the group won't be available to Exchange Online. If these properties weren't set, set them now and then either wait for the changes to sync up to Exchange Online or force the sync. You also need to look up the distinguished name (distinguishedName attribute) of the security group, which will be used in a later step.

Instructions

In the local AD you have to modify the dlMemSubmitPerms attribute on the object to which you wish to restrict access. Trouble is, the dlMemSubmitPerms attribute is of type DN-binary, which can't be edited in ADSI Edit or ADUC if it's not already populated, which means you have to use LDP.EXE, which is about as user-friendly as command-line DNS management in Linux (hint: not very).

When using LDP.exe, you first connect to your domain controller, then you bind to the connection, then you show the AD tree. Once you navigate to the object you wish to modify, you right-click on it, select Modify, and now you chain commands together to execute on the object, which you then execute by clicking the Run button.

The operation you need to execute is Add on dlMemSubmitPerms, and the value you add is the distinguishedName of the group which you wish to have permission to send to the DL. Once you specify the Add operation, the attribute name (dlMemSubmitPerms) and the value (CN=[security group],CN=... etc.) that you recorded in Pre-requisites, and click the Run button, LDP.exe will do what you've asked. As noted in the comments below, press Enter after typing the value so that it is added to the entry list before you click Run; otherwise LDP.exe returns "Error 0x57 The parameter is incorrect". Hopefully, there won't be any other error messages. Now you can switch to ADUC or ADSI Edit and verify that the dlMemSubmitPerms attribute contains the distinguished name of the group which you wish to have permission to send to the DL.

Once verified, the properties need to be propagated to Exchange Online via an automated or manual directory synchronization, after which you can sign in to the portal and view DL properties to make sure your changes synced up.
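The same procedure, pre-requisite checks included, can be scripted with the ActiveDirectory PowerShell module instead of LDP.exe. This is an added example, not part of the original article; the group names are placeholders, and it assumes dLMemSubmitPerms accepts a plain distinguishedName value, which is what the Set-QADUser command in the comments below relies on.

```powershell
# Added example (not from the article): restrict a DL in local AD via the
# ActiveDirectory module. Group names are placeholders for your environment.
Import-Module ActiveDirectory

$dlName     = 'HK All'          # distribution list being restricted (placeholder)
$senderName = 'HK All Senders'  # universal security group allowed to send (placeholder)

# --- Pre-requisites: the sender group must be mail-enabled, universal,
#     security-enabled and have a displayName, or Exchange Online never sees it
$sender   = Get-ADGroup -Identity $senderName -Properties mail, displayName
$problems = @()
if (-not $sender.mail)                    { $problems += 'missing mail attribute' }
if ($sender.GroupScope -ne 'Universal')   { $problems += "scope is $($sender.GroupScope), not Universal" }
if ($sender.GroupCategory -ne 'Security') { $problems += 'not a security group' }
if (-not $sender.displayName)             { $problems += 'missing displayName' }
if ($problems) {
    throw "Group '$senderName' will not sync to Exchange Online: $($problems -join '; ')"
}

# --- Instructions: add the sender group's distinguishedName to dLMemSubmitPerms on the DL
$dl = Get-ADGroup -Identity $dlName -Properties dLMemSubmitPerms
if ($dl.dLMemSubmitPerms -contains $sender.DistinguishedName) {
    Write-Host "'$dlName' is already restricted to '$senderName'."
} else {
    # -Add appends to the multi-valued attribute; -Replace would wipe existing entries
    Set-ADObject -Identity $dl.DistinguishedName `
                 -Add @{ dLMemSubmitPerms = $sender.DistinguishedName }
}

# --- Verify locally (same check as ADUC / ADSI Edit), then let directory sync
#     push it to Exchange Online; uncomment the last line to force a delta sync
#     if Azure AD Connect's ADSync module is installed on this machine.
(Get-ADGroup -Identity $dlName -Properties dLMemSubmitPerms).dLMemSubmitPerms
# Start-ADSyncSyncCycle -PolicyType Delta
```

After the sync completes, check the DL properties in the Exchange Online portal as described above to confirm the restriction arrived.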


Comments

  • Daniel Millbank

    Wow, that should be enough of an answer to anyone asking if Office365 is difficult to manage... :)

  • Ilya Lehrman

    Ha ha - well, some things are easier than others! Do you have to perform this kind of DL management frequently in your environment?

  • Carl R.

    Thanks for the article. I used it as a guide but ended up modifying dlMemSubmitPerms using ps.

  • Ilya Lehrman

    That's great, Carl! Do you mind sharing the script here?

  • Cody VanDeusen

    Hey, I had the same issue, googled the article, posting a Quest ActiveRoles script to hopefully save other people from the same headache (make sure to copy and paste everything below, update with your domain/mailbox/etc... and remove word wrap from Notepad):

    Set-QADUser 'mailboxUPN' -objectAttributes @{dLMemSubmitPerms='CN=mailboxUPN,OU=ExchangeMailboxes,OU=Other,DC=company,DC=NotCom'}

  • mahmoud shoaala

    Even this isn't working with me.

  • Ilya Lehrman

    Mahmoud - can you provide more detail about what's not working for you?

  • Dustin Fry

    How would you allow an Office365-created resource calendar access to a restricted distribution list? I've PowerShelled into my Office365 tenant and retrieved the distinguished name of the resource calendar. When I add the DN to the distribution group in my local directory I receive an "operation failed" error. I have several resource calendars that need to be able to send to groups with restricted senders.

  • Luis Marrero

    Regards;

    The email address of the security group, as you stated, must be a different one than the one used by the DL, or can it be the same?

    Thanks (I should point out that I am a novice at working with servers).

  • Mike Mason

    OK, I need further help. I have a distribution group labeled "hk all".

    So in Modify I have DN: hk all
    and in Attribute I have dlMemSubmitPerms
    Values: you say to use cn=hk all?

  • Gary Judycki

    Thanks, this worked as described and was, yes, easy to follow :-)

  • Richard

    Mike I have the same issue and same setup. Here's what I tried.

    DN: the full DN path of the group I'm trying to modify
    Attribute: dlMemSubmitPerms
    Values: the full DN path of the group I'm trying to allow send-to capabilities.

    Did you get the same thing? Were you able to find the solution? I get a vague error, "Error 0x57 The parameter is incorrect"

  • Scott Abel

    I have the same problem as the above poster. I also get

    Server error: 00000057: LdapErr: DSID-0C090B91, comment: Error in attribute conversion operation, data 0, v1db1
    Error 0x57 The parameter is incorrect.

  • Scott Abel

    Ok... figured it out. After entering the values, hit the "Enter" button first. That adds the value to the entry list. Then hit Run.
