Managing Exchange 2013 Groups

Simplified System

In a simplified logical system, there are the following:
-user: a single individual.
-group: more than one user.

In addition, groups are universal in the company. A group is a group. There are no group types. A group can access resources and receive email.

Windows Server

In the Microsoft world, there are more options for fine-grained control. There is a security-group to access resources and a distribution-group to receive email.
(For the curious, these are the only two types of groups; there are no others.)

Let's begin, shall we?


To see all the distribution groups:
Get-DistributionGroup | select PrimarySMTPAddress

To see all the distribution groups that receive email from the outside world:
Get-DistributionGroup | ? {$_.RequireSenderAuthenticationEnabled -eq $false} | select PrimarySMTPAddress

To see all the distribution groups that receive email only from within the company:
Get-DistributionGroup | ? {$_.RequireSenderAuthenticationEnabled -eq $true} | select PrimarySMTPAddress
(When RequireSenderAuthenticationEnabled is $true, the group rejects mail from unauthenticated senders, which in practice means anything from outside the organization.)

Great! Let's move on to the AD side of the system.


But before we do, note that typically, piping a command to "| fl" will let you see all the info. With the Get-ADGroup command, it doesn't work: you only get a default set of properties. You have to ask for the rest with -Properties (-prop for short):

To see all of the AD group properties:
Get-ADGroup -identity "foo-group" -prop *

Also note that the get-adgroup command uses the SAMACCOUNTNAME (it does not use the NAME or DISPLAYNAME as other commands). So if you have an ad-group with the name FOO-GROUP-NAME but the SAMACCOUNTNAME is FOO-GROUP-SAMACCOUNTNAME, you have to use the SAMACCOUNTNAME:
Get-ADGroup -identity "foo-group-samaccountname" -prop *

To see all the groups (both AD and distribution as all distribution groups are AD groups):
Get-ADGroup -Filter * -Prop * | select name,samaccountname,mailnickname

To see AD security-groups (groups without email addresses):
Get-ADGroup -filter {GroupCategory -eq "Security"} | select name,samaccountname

To see AD distribution-groups:
Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' -prop * | select name,samaccountname,mailnickname


Theoretically, this list should match the Get-DistributionGroup list from above. But you might notice some distribution-groups that do not have email addresses. That's kinda strange. What gives?

Sometimes the AD distribution-group does not have the necessary info in the database. A group that has this info is called mail-enabled. There's even a command just to handle this.

To mail-enable a distribution group that needs it:
Enable-DistributionGroup -Identity "foo-group"
(NOTE: This will even work on security-groups.)

Also, there are some items in the get-distributiongroup list from above that are not in the get-adgroup command above. What gives?

Well, because groups can be mail-enabled, it is possible for a security-group to be mail-enabled as well.

To see AD security-groups that are mail-enabled (the filter keeps only groups with a mailnickname set):
Get-ADGroup -Filter 'GroupCategory -eq "Security" -and mailNickname -like "*"' -prop * | select name,mailnickname
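
The two mismatches described above (distribution-groups that are not mail-enabled, and security-groups that are) can be reported in one pass. This is an added example, not part of the original post: Compare-GroupInventory is a hypothetical helper name, and the sample groups and addresses are constructed so it runs without AD or Exchange.

```powershell
function Compare-GroupInventory {
    param(
        [Parameter(Mandatory = $true)] [object[]] $AdGroups,       # output of Get-ADGroup
        [Parameter(Mandatory = $true)] [object[]] $ExchangeGroups  # output of Get-DistributionGroup
    )
    # Index the mail-enabled groups by SamAccountName (hashtable keys are case-insensitive).
    $mailEnabled = @{}
    foreach ($g in $ExchangeGroups) { $mailEnabled[$g.SamAccountName] = $g }

    foreach ($ad in $AdGroups) {
        $ex = $mailEnabled[$ad.SamAccountName]
        $finding = $null
        if (-not $ex -and $ad.GroupCategory -eq 'Distribution') {
            $finding = 'Distribution group is not mail-enabled'
        } elseif ($ex -and $ad.GroupCategory -eq 'Security') {
            $finding = 'Security group is mail-enabled'
        }
        if ($finding) {
            [pscustomobject]@{
                SamAccountName     = $ad.SamAccountName
                Finding            = $finding
                PrimarySmtpAddress = $(if ($ex) { $ex.PrimarySmtpAddress })
                # $false on RequireSenderAuthenticationEnabled means unauthenticated senders are accepted.
                AcceptsUnauthenticatedSenders = [bool]($ex -and -not $ex.RequireSenderAuthenticationEnabled)
            }
        }
    }
}

# Constructed sample data (not real groups).
$adSample = @(
    [pscustomobject]@{ SamAccountName = 'sales-dl';     GroupCategory = 'Distribution' }
    [pscustomobject]@{ SamAccountName = 'old-dl';       GroupCategory = 'Distribution' }
    [pscustomobject]@{ SamAccountName = 'fileshare-rw'; GroupCategory = 'Security' }
    [pscustomobject]@{ SamAccountName = 'helpdesk-sg';  GroupCategory = 'Security' }
)
$exSample = @(
    [pscustomobject]@{ SamAccountName = 'sales-dl';    PrimarySmtpAddress = 'sales@example.com';    RequireSenderAuthenticationEnabled = $true }
    [pscustomobject]@{ SamAccountName = 'helpdesk-sg'; PrimarySmtpAddress = 'helpdesk@example.com'; RequireSenderAuthenticationEnabled = $false }
)
Compare-GroupInventory -AdGroups $adSample -ExchangeGroups $exSample | Format-Table -AutoSize

# Against live data, from the Exchange Management Shell with the ActiveDirectory module loaded:
# Compare-GroupInventory -AdGroups (Get-ADGroup -Filter *) -ExchangeGroups (Get-DistributionGroup -ResultSize Unlimited)
```

A security-group that is both mail-enabled and accepting unauthenticated senders is the row to review first, since the same group also grants access to resources.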

Finally, as a last question: if both group-types (distribution and security) can be mail-enabled, what's the point of having group types? Good question. There isn't. It is the way the world works.

