Exchange Distribution Groups: Your How-To Ultimate Guide

Published:13 April 2021 - 10 min. read

Remove Exchange on-premises without compromising ease of management: Replace AD Users & Computers with EasyEntra – Lightning Fast! Easy to Use! 100% Free!

Exchange distribution groups are collections of recipient email addresses in your organization’s address book. And a topic you should know in and out as an Exchange admin. Do you know how to manage distribution groups using both the Exchange Admin Center (EAC) and PowerShell? If not, you will!

Not a reader? Watch this related video tutorial!

Remove Exchange on-premises without compromising ease of management. Use EasyEntra instead of AD Users & Computers – Completely Free!





Not seeing the video? Make sure your ad blocker is disabled.

In this tutorial, you’ll learn how to create, modify, and delete different Exchange distribution group types using both the GUI approach and using PowerShell step by step.

The first half of the tutorial will focus on using the EAC while the second half will be all PowerShell. Happy learning!

# Add members to the group
@('[email protected]','[email protected]') | Add-DistributionGroupMember -Identity [email protected]

# Remove members from the group and skip confirmation
@('[email protected]','[email protected]') | Remove-DistributionGroupMember -Identity [email protected] -Confirm:$false

If you have many members to add, manually adding them to an array is impractical. Instead, create a text file that contains the list of members’ identities and use the Get-Content cmdlet to import the list of members into your PowerShell session.

# Add members to the group
get-content .\members.txt | Add-DistributionGroupMember -Identity [email protected]

# Remove members from the group and skip confirmation
get-content .\members.txt | Remove-DistributionGroupMember -Identity [email protected] -Confirm:$false

Adding and Removing Distribution Group Owners

There are times when a group’s ownership must change. Perhaps a change in leadership initiates a change of ownership for a team’s distribution group. To do so, invoke the Set-DistributionGroup cmdlet with the ManagedBy parameter.

To assign a new owner for a distribution group, run the code below in PowerShell. Make sure to change the ManagedBy value to the identity of the new owner first. The command below assigns a distribution group owner [email protected] to the distribution group UDG2.

# Replace the current distribution group owner(s) with only one owner
Set-DistributionGroup -Identity UDG2 -ManagedBy [email protected]

Distribution groups may have more than one owner. To assign multiple owners, change the ManagedBy values to an array or owner identities (eg. -ManagedBy 'owner1','owner2') like the code below.

# Replace the current distribution group owner(s) with only one owner
Set-DistributionGroup -Identity UDG2 -ManagedBy "[email protected]","[email protected]"

On the other hand, you may not want to replace all of the current owners. To add or remove owners without affecting the current owners’ list, create a PowerShell hashtable with a key of either add or remove indicating the action you’d like to take and a value of the recipient’s address ([email protected]).

The below code snippet is adding an owner of [email protected] to the UDG2 distribution group and removing the owner [email protected] from the distribution group.

# Add a new owner
Set-DistributionGroup -Identity UDG2 -ManagedBy @{add="[email protected]"}

# Remove an owner
Set-DistributionGroup -Identity UDG2 -ManagedBy @{remove="[email protected]"}

Creating Dynamic Exchange Distribution Groups with PowerShell

Admittedly, creating DDLs in EAC is convenient. But the membership filters are limited to a specific set of attributes.

There is a limited set of attributes for membership filtering to choose from when creating a DDL in EAC. The only attributes available are Company, Department, State or province, and Custom Attribute (1-15). To learn more about all available filterable attributes, visit Filterable properties for the RecipientFilter parameter on Exchange cmdlets.

When you need to create a DDL with a filter that includes an attribute not available in EAC, that’s where PowerShell comes in. For example, to create a DDL that includes members based on title, you can only do so in PowerShell because the title attribute is not available in EAC.

To create a dynamic distribution group with PowerShell, invoke the New-DynamicDistributionGroup cmdlet as shown below. This code creates a new DDL whose members are those with the title of director or manager.

# Compose the new DDL properties such as name, email address, and recipient filter.
$ddl_splat = @{
	Name = "DDL_Directors and Managers"
	PrimarySMTPAddress = "[email protected]"
	RecipientFilter = "(RecipientType -eq 'UserMailbox') -and (Title -eq 'Director' -or Title -eq 'Manager')"
}
# Create the new DDL
New-DynamicDistributionGroup @ddl_splat

Listing Group Members with PowerShell

Viewing distribution group members in the EAC is possible, but there’s no way to export the list. And viewing dynamic distribution list members is not even possible in the EAC.

What if you need to export the list of members? Maybe for reporting or audit purposes, or perhaps to confirm that your dynamic distribution groups do have members. To do these, you’ll need to use PowerShell.

Static Exchange Distribution Group Members

Using the Get-DistributionGroupMember cmdlet, you can easily find all members of a static distribution group. Whether the group is a UDG or a USG, the command to run is the same. For example, to list the members of the distribution group UDG2, run the command below in PowerShell.

The example below is using the Select-Object cmdlet to limit the properties shown. This command is optional.

# Get the members of UDG2 | List only their name and email address
Get-DistributionGroupMember -Identity UDG2 | Select-Object Name,PrimarySMTPAddress

As you can see below, the command completes and lists the members of the UDG2 distribution group.

Listing distribution group members
Listing distribution group members

Dynamic Exchange Distribution Group Members

To find current members of a dynamic distribution group is a bit more involved. To do so, you must first find the DDL’s RecipientFilter string. This is a string that represents the filter Exchange applies to popular the dynamic distribution group. With this string, you can then find the distribution group members.

Find the Recipient Filter

To get the filter string, use the Get-DynamicDistributionGroup cmdlet. One of the properties this cmdlet returns is RecipientFilter. To discover the string, run the command below which only returns the value of the RecipientFilter property for DDL_Directors and Managers group and assigns it to the variable $filter.

# Get the DDL's RecipientFilter string
$filter = (Get-DynamicDistributionGroup -Identity "DDL_Directors and Managers").RecipientFilter

Find the Recipients

Once you know the filter string, pass that string to the RecipientPreviewFilter parameter on the Get-Recipient cmdlet. You can also optionally return certain properties using the Select-Object cmdlet as the code shows below.

# Get recipients that match the DDL's RecipientFilter string | Show the name, title, and email address
Get-Recipient -RecipientPreviewFilter $filter | Select-Object Name,Title,PrimarySMTPAddress

The screenshot below shows the extracted dynamic distribution group members based on the recipient filter.

Listing dynamic distribution group members
Listing dynamic distribution group members

Exporting Distribution Group Members

Now that you know how to list group members, you can export the member list to a file. To do so, pipe the result to the Export-Csv cmdlet, which lets you export PowerShell objects to CSV files.

# Get the members of UDG2 | List only their name and email address | Export to a CSV file
Get-DistributionGroupMember -Identity UDG2 | Select-Object Name,PrimarySMTPAddress | Export-Csv -Path .\udg_members.csv -NoTypeInformation

# Get recipients that match the DDL's RecipientFilter string | Show the name, title, and email address | Export to a CSV file
Get-Recipient -RecipientPreviewFilter $filter | Select-Object Name,Title,PrimarySMTPAddress | Export-Csv -Path .\DDL_members.csv -NoTypeInformation

Configuring Address Book Visibility with PowerShell

Like with the EAC, you can also hide or unhide distribution groups from the global address book with PowerShell.

Hiding Static Distribution Groups

To hide and unhide static distribution groups, invoke the Set-DistributionGroup cmdlet providing the name of the distribution group and using the HiddenFromAddressListsEnabled as shown below.

# Hide the UDG in the address book
Set-DistributionGroup -Identity UDG1 -HiddenFromAddressListsEnabled $true

# Unhide the UDG in the address book
Set-DistributionGroup -Identity UDG1 -HiddenFromAddressListsEnabled $false

Exchange Online updates the offline address book once every 24 to 48 hours, which means that any address book changes may not reflect in Outlook’s offline address book until then.

Hiding Dynamic Distribution Groups

To hide and unhide dynamic distribution groups from the global address book, you’ll use two cmdlets, one to hide and another to unhide.

To hide a dynamic distribution group, invoke the Set-DynamicDistributionGroup cmdlet. This cmdlet allows you to change a dynamic distribution group’s properties, including the group’s address book visibility.

To unhide a dynamic distribution group, the PowerShell command is the same as a static distribution group.

# Hide the DDL in the address book
Set-DynamicDistributionGroup -Identity DDL_Accounts -HiddenFromAddressListsEnabled $true

# Unhide the DDL in the address book
Set-DistributionGroup -Identity DDL_Accounts -HiddenFromAddressListsEnabled $false

Configuring Delegate Permissions with PowerShell

Like the EAC, PowerShell can also configure delegate permissions for Exchange distribution groups both for Send As and Send on Behalf of permission.

Send As Distribution Group Permission

To add Send As distribution group (static or dynamic) permission, use the Add-RecipientPermission PowerShell cmdlet. This cmdlet allows you to add Send As distribution group permission to a trustee.

A valid trustee can be a mailbox user or a mail-enabled security group.

To add the Send As distribution group permission, run the command below in PowerShell. This command gives the recipient [email protected] rights to send as the distribution group UDG2. The AccessRights parameter only accepts SendAs as its value.

Add-RecipientPermission -Identity UDG2 -Trustee [email protected] -AccessRights SendAs

Suppose the trustee no longer needs the Send As distribution group permission, run the Remove-RecipientPermission to remove the trustee.

Remove-RecipientPermission -Identity UDG2 -Trustee [email protected] -AccessRights SendAs

Send on Behalf of Distribution Group Permission

To configure Send on behalf of distribution group permission, run the Set-DistributionGroup for a UDG or USG and Set-DynamicDistributionGroup for a DDL. Both cmdlets have a parameter called GrantSendOnBehalfTo, which accepts the identity of the delegate.

For example, the code below gives [email protected] Send on behalf permission (GrantSendOnBehalfTo) to a distribution group (UDG2).

# Add Send on behalf permission for a distribution group (USG or UDG).
Set-DistributionGroup -Identity UDG2 -GrantSendOnBehalfTo @{add="[email protected]"}
# Remove Send on behalf permission for a distribution group (USG or UDG).
Set-DistributionGroup -Identity UDG2 -GrantSendOnBehalfTo @{remove="[email protected]"}

# Add Send on behalf permission for a dynamic distribution group.
Set-DynamicDistributionGroup -Identity DDL_Accounts -GrantSendOnBehalfTo @{add="[email protected]"}
# Remove Send on behalf permission for a dynamic distribution group.
Set-DynamicDistributionGroup -Identity DDL_Accounts -GrantSendOnBehalfTo @{remove="[email protected]"}

Configuring Sender Restrictions with PowerShell

Let’s now use PowerShell to configure sender restrictions. Like in the previous sections, because you’ll be changing the settings of distribution groups, you’ll be using Set-DistributionGroup and Set-DynamicDistributionGroup to do so.

Restricting Senders to a Distribution Group

A distribution group’s RequireSenderAuthenticationEnabled value determines whether the group allows external emails or internal emails only. If the value is $false, the group accepts emails from external senders. If the value is $true, the group only accepts internal messages.

To allow external and internal senders to the static distribution groups and dynamic distribution groups, run the code below in PowerShell. Make sure to change the Identity values to your groups’ identities.

# Allow the distribution group to receive emails from external and internal senders
Set-DistributionGroup -Identity USG2 -RequireSenderAuthenticationEnabled $false

# Allow the dynamic distribution group to receive emails from external and internal senders
Set-DynamicDistributionGroup -Identity DDL_Accounts -RequireSenderAuthenticationEnabled $false

To allow internal senders only, change the RequireSenderAuthenticationEnabled to $true by running the code below.

# Allow the distribution group to receive emails from internal senders only
Set-DistributionGroup -Identity USG2 -RequireSenderAuthenticationEnabled $true

# Allow the distribution group to receive emails from internal senders only
Set-DynamicDistributionGroup -Identity DDL_Accounts -RequireSenderAuthenticationEnabled $false

Adding Allowed Senders

Suppose you want more granular control as to who can send emails to the group. You can do so by adding allowed senders.

To allow individual senders, specify the senders’ identities to add using the AcceptMessagesOnlyFrom parameter. The example below assigns one user as the only sender allowed.

Valid AcceptMessagesOnlyFrom individual sender types are mailbox, mail users, and mail contacts.

# Set allowed-sender to a distribution group
Set-DistributionGroup -Identity USG2 -AcceptMessagesOnlyFrom [email protected]

# Set allowed-sender to a dynamic distribution group
Set-DynamicDistributionGroup -Identity DDL_Accounts -AcceptMessagesOnlyFrom [email protected]

To add more than one sender, specify an array of sender identities in the AcceptMessagesOnlyFrom.

# Set allowed-sender to a distribution group
Set-DistributionGroup -Identity USG2 -AcceptMessagesOnlyFrom [email protected],[email protected]

# Set allowed-sender to a dynamic distribution group
Set-DynamicDistributionGroup -Identity DDL_Accounts -AcceptMessagesOnlyFrom [email protected],[email protected]

To add or remove allowed senders without affecting the existing entries, apply this syntax to the AcceptMessagesOnlyFrom parameter instead.

  • @{add="sender1","sender2"} to add sender groups
  • @{remove="sender1","sender2"} to remove sender groups.

Apart from allowing individual senders, you can also allow members of different groups. To do so, specify the group’s identity to the AcceptMessagesOnlyFromDLMembers parameter, as shown in the code below.

Valid AcceptMessagesOnlyFromDLMembers group sender types are distribution groups, mail-enabled security groups, and dynamic distribution groups.

# Set allowed-sender group to a distribution group
Set-DistributionGroup -Identity USG2 -AcceptMessagesOnlyFromDLMembers UDG2

# Set allowed-sender group to a dynamic distribution group
Set-DynamicDistributionGroup -Identity DDL_Accounts -AcceptMessagesOnlyFromDLMembers "DDL_Directors and Managers"

To add or remove allowed group senders without affecting all existing entries, apply the following syntax with AcceptMessagesOnlyFromDLMembers

  • @{add="group1","group2"} to add sender groups
  • @{remove="group1","group2"} to remove sender groups.

Deleting Exchange Distribution Groups with PowerShell

Finally, it’s time to clean up and deleting some distribution groups using PowerShell. To do so, invoke the Remove-DistributionGroup cmdlet to remove a static group and the Remove-DynamicDistributionGroup to delete dynamic distribution groups.

The commands below removes the USG2 static group and the DDL_Accounts dynamic group.

# Deleting a static distribution group
Remove-DistributionGroup -Identity USG2

# Deleting a dynamic distribution group
Remove-DynamicDistributionGroup -Identity DDL_Accounts

At the confirmation prompt, press Enter to select the default answer (Yes) to confirm the group’s deletion.

Confirming a static distribution group deletion
Confirming a static distribution group deletion

Manage and Report Active Directory, Exchange and Microsoft 365 with ManageEngine ADManager Plus. Download Free Trial!

With EasyEntra, first-level support teams can focus on what instead of where! Manage AD, Entra ID, and Exchange Online from a consolidated, intuitive console.

Conclusion

In this article, you’ve learned the most common tasks that an admin can perform on static and dynamic distribution groups. You learned that the tasks you can do in EAC have counterpart steps using PowerShell.

But there are a lot more you can do with PowerShell that are not possible in EAC. You can learn more about working with distribution groups in PowerShell by reading the official Exchange Online PowerShell documentation.

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!