daknetworks.com

You are here: Blog Managing Exchange 2013 Groups

Managing Exchange 2013 Groups

Managing Exchange 2013 Groups

Simplified System

In a simplified logical system, there are the following:
-user: a single individual.
-group: more than one user.

In addition, groups are universal in the company. A group is a group. There are no group types. A group can access resources and receive email.

Windows Server

In MS world, there are more options for fine-grain control. There is a security-group to access resources and a distribution-group to receive email.
(For the curious, these are the only two types of groups, there are no other types of groups.)

Let's begin, shall we.

GET-DISTRIBUTIONGROUP

To see all the distribution groups:
Get-DistributionGroup |select PrimarySMTPAddress

To see all the distribution groups that receive email from the outside world:
Get-DistributionGroup | ? {$_.RequireSenderAuthenticationEnabled -eq $true} | select PrimarySMTPAddress

To see all the distribution groups that receive email only from within the company:
Get-DistributionGroup | ? {$_.RequireSenderAuthenticationEnabled -eq $false} | select PrimarySMTPAddress

Great! Let's move on to the AD side of the system

GET-ADGROUP

But before we do, note that typically, using a command and "|fl" will let you see all the info. On get-adgroup command, it doesn't work. You have to use:

To see all of the AD group properties:
Get-ADGroup -identity "foo-group" -prop *

Also note that the get-adgroup command uses the SAMACCOUNTNAME (it does not use the NAME or DISPLAYNAME as other commands). So if you have an ad-group with the name FOO-GROUP-NAME but the SAMACCOUNTNAME is FOO-GROUP-SAMACCOUNTNAME, you have to use the SAMACCOUNTNAME:
Get-ADGroup -identity "foo-group-samaccountname" -prop *

To see all the groups (both AD and distribution as all distribution groups are AD groups):
Get-ADGroup -Filter * -Prop * |select name,samaccountname,mailnickname

To see AD security-groups (groups without email addresses):
Get-ADGroup -filter {GroupCategory -eq "Security"} |select name,samaccountname

To see AD distribution-groups:
Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' -prop * |select name,samaccountname,mailnickname

ISSUES

Theoretically, this list should match the get-distributiongroup list from above. But you might notice that some distribution-groups that do not have email addresses. That's kinda strange. What gives?

Sometimes the AD distribution-group does not have the necessary info in the database. Having this info is called mail-enabled. There's even a command just to handle this.

To mail-enable a distribution group that needs it:
Enable-DistributionGroup -Identity "foo-group"
(NOTE: This will even work on security-groups.)

Also, there are some items in the get-distributiongroup list from above that are not in the get-adgroup command above. What gives?

Well because groups can be mail-enabled, it is possible for a security-group to be mail-enabled as well.

To see AD security-groups with mail-enabled:
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -prop * |select name,mailnickname

Finally as a last question, if both group-types (distribution and security) can be mail-enabled, what's the point of having group types? Good question. There isn't. It is the way the world works.

Contact Dak Networks

Please contact us at the following.