Cloud Services Thread, Office 365: prevent pupils sending to groups in Technical; Is there a way to stop members of certain groups sending to distribution groups?
Pupils are bulk emailing whole year ...
4th June 2014, 04:49 PM #1
Office 365: prevent pupils sending to groups
Is there a way to stop members of certain groups sending to distribution groups?
Pupils are bulk emailing whole year groups with junk. Pupils are members of distribution groups Year7, year8 etc...
I'm experimenting with mail flow rules. I've created a rule that says "If the sender is a member of... and the recipient is this person ... then reject the message". This only blocks the message if the recipient is an individual person. It does not trigger if I specify the group name. It also doesn't trigger if I specify the recipient containing certain text or matching text patterns (the group email address) with wildcards.
Does anyone have a solution to this? I can't be the only person.
Last edited by OverWorked; 4th June 2014 at 04:50 PM.
4th June 2014, 05:42 PM #2
Replying to my own threads again...
I've got the solution. In the group properties, delivery management, add the groups allowed to send to that group. Tis works for group and individuals.
I still don't understand why mail flow rules didn't work, but anyway the solution is delivery management, not mail flow rules.
4th June 2014, 05:46 PM #3
Why not approach it from the other way (If sender <> staff member, reject message) - in Exchange we'd use:
Distribution Group Name > Properties > Mail Flow Settings > Message Delivery Restrictions > Properties > Accept messages from > Only Senders in the following List > Staff*
4th June 2014, 05:52 PM #4
pete, Thanks. I've had a look but I don't think that applies to Office 365.
I'm not familiar with Exchange, but I guess it's a lot more flexible and powerful in that way.
4th June 2014, 10:36 PM #5
Are these groups sync'd from ad? If so do you change the properties in the local ad or in the cloud?
5th June 2014, 07:26 AM #6
If the group is ad synced then you can't change that property on office 365 you are supposed to do it locally in ad, however I have not been able to find the ad field that needs setting. Anyone know?
5th June 2014, 07:31 AM #7
Have you extended your schema to include the exchange attributes? I'll check when I get in... I found the option on office 365 but didn't try to set it.
5th June 2014, 07:34 AM #8
No, as we have never had exchange installed, not found any microsoft documentation on what to update as yet.
5th June 2014, 08:27 AM #9
I've just checked my environment.
I can confirm as you thought you cannot edit in the cloud if it's AD sync'd.
I have found a way to edit the local properties but it's not an easy thing and i'm not sure if you need to have extended you schema first.
If you do need to extend you schema you can do that by starting the installation process from exchange, the schema extension happens very early on and then you can just cancel it. I was nervous about doing it but it was quite easy and i didn't have any issues. I would of course advise having full backups etc and take care.
The attributes you need to edit are of a type DN-Binary which cannot be edited in either ADCU or using ADSI edit. so for this you have to use LDP.exe
The attributes that are relevant are:
authOrig: List of senders (users, not groups) that are allowed to send to the DL
unAuthOrig: List of senders (users, not groups) to BLOCK from sending to the DL
dlMemRejectPerms: Used in place of unAuthOrig when using security groups
dlMemSubmitPerms: Used in place of authOrig when using using security groups to approve senders
msExchRequireAuthToSendTo: Used to limit senders to only Authenticated users (internal) to be able to send to this D (TRUE/FALSE)
There are some instructions here.
I have not followed this procedure myself but there does seem to be links to it from quite a few different places, so hopefully it's what you're looking for.
5th June 2014, 08:35 AM #10
5th June 2014, 08:50 AM #11
Thanks Ben, I should've dug that out too.
5th June 2014, 09:25 AM #12
Just tried this on one of our DirSync'd mail groups and it seems to work quite nicely.
For testing purposes, I used the CN value for the synced mail group. Once it had uploaded and I logged in as a user that does not have permission, as soon as I had entered the e-mail address into the TO field, it popup up with the mail tip notification that I did not have permission to send to that address and if I wanted the recipient removed.
Now to roll it out to the rest of the group when we update them in the Summer.
5th June 2014, 11:07 AM #13
I'm considering using Dynamic Distribution groups. within Office 365 Environment as I know you can prevent the sending to the groups via rules.
One reason if I'm not mistaken is that any group changes if an AD Security Group (i.e. Members added) are not updated until a DirSync.
Although Setting up mail enabled security groups within AD does have it's advantages i.e. you can much more easily manage permissions on the Group if you have a Hybrid Setup in place.
Last edited by Davit2005; 5th June 2014 at 11:32 AM.
5th June 2014, 11:48 AM #14
It depends how often you have DirSync running.
We have it set to the default 3 hours, but if we make any major changes, we run the manual sync command which takes a minutes.
I tried a DDG, but it got a little bit complex for us and they were not appearing in the address books. Managing list membership via AD is a bit easier and we can also delegate the responsibility for keeping them up to date to another member of admin staff.
By col214 in forum Cloud Services
Last Post: 21st March 2014, 08:38 AM
By pknet in forum Cloud Services
Last Post: 25th May 2013, 07:51 PM
By steele_uk in forum Windows
Last Post: 23rd September 2008, 05:23 PM
By Millsy79 in forum Office Software
Last Post: 29th August 2008, 08:29 PM
By frontal in forum Windows
Last Post: 9th March 2007, 09:10 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Tags for this Thread