Distribution groups exist in on-premises Exchange as well as in Exchange Online and behave in the same way in both environments. Before you start creating distribution groups, you should clearly define their purpose and subsequent maintenance.
A basic distinction is made between static distribution groups, security groups, and dynamic distribution groups:
- Distribution group: Generally a static group; that is, the members are assigned manually.
- Security group: Security groups in Active Directory can be mail-enabled so that they also serve as distribution lists. Like a distribution group, such a group is static, but it can also be used for other purposes, such as permissions on mailboxes or in the file system.
- Dynamic distribution group: Unlike the normal distribution group, it is, as the name suggests, not static. Rather, it uses rules and filters to automatically assign members to the group. For example, membership can depend on attributes. Dynamic distribution groups are generally very low-maintenance, because here a set of rules is responsible for the maintenance of the memberships. They are particularly suitable for departmental or complete company distribution lists.
If you want to get an overview of all existing distribution groups in your environment, you can use the command Get-DistributionGroup. It shows both the normal distribution groups and the security groups.
Of course, the members of a distribution group can also be displayed; this is done by Get-DistributionGroupMember:
Get-DistributionGroupMember -Identity "Contoso static"
Create a distribution group by using PowerShell
This task is performed by the New-DistributionGroup cmdlet. A command might look like this:
New-DistributionGroup -Name "Contoso static" -Alias ContSta -MemberJoinRestriction open
The MemberJoinRestriction open parameter allows the owner of the group to add members. In practice, however, this is rarely used.
If you want to create a security group, add the Type parameter with the Security value to the above command:
New-DistributionGroup -Name 'Windowspro Sec' -Alias 'WproSec' -Type 'Security'
You can use the Members parameter to add the first members when you create the distribution group. After that, you can use Add-DistributionGroupMember to add more members to the group; pass the names to the cmdlet via the Member parameter.
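The two steps described above, as an added example that is not from the original article: the group is created with its first members, and later additions skip addresses that already belong to the group, so the script can be re-run. The alias is the article's sample; all addresses are constructed placeholders.

```powershell
# Constructed sample values; replace with real recipients.
$groupName = 'Contoso static'
$initial   = 'anna.example@contoso.com', 'ben.example@contoso.com'
$toAdd     = 'ben.example@contoso.com', 'cara.example@contoso.com'

# Create the group with its first members only if it does not exist yet.
if (-not (Get-DistributionGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $groupName -Alias 'ContSta' -Members $initial
}

# Read the current membership once and compare on the primary SMTP address.
$current = @(Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited |
    ForEach-Object { $_.PrimarySmtpAddress.ToString() })

foreach ($address in $toAdd) {
    if ($current -contains $address) {
        Write-Host "Already a member: $address"
        continue
    }
    Add-DistributionGroupMember -Identity $groupName -Member $address
    Write-Host "Added: $address"
}

# Final membership for review.
Get-DistributionGroupMember -Identity $groupName |
    Select-Object Name, PrimarySmtpAddress, RecipientType
```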
Deleting distribution groups and removing members
Removing groups or users from them is also a part of maintaining distribution groups. The former can be done with Remove-DistributionGroup. The example below deletes the group Contoso Sec:
Remove-DistributionGroup -Identity "Contoso Sec"
If you only want to remove members from a distribution group, then proceed as follows:
Remove-DistributionGroupMember -Identity "contoso static" -Member Ernie.Meier@smartsocke.com
We have thus far demonstrated the creation and administration of static distribution groups as well as security groups.
Existing security group as distribution group
Another common requirement in practice is to mail-enable a security group that already exists in Active Directory. This has to be a universal security group; otherwise, it will not work.
This can also be done quite easily via PowerShell with Enable-DistributionGroup or Disable-DistributionGroup. A command could look like this:
Enable-DistributionGroup -Identity "contoso sec"
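A pre-check for the universal-group requirement above, as an added example that is not from the original article: it reads the group's scope from Active Directory and mail-enables the group only if the scope is universal. It assumes the ActiveDirectory module is available in the same session as the Exchange cmdlets; the group name is the article's sample.

```powershell
Import-Module ActiveDirectory

$name    = 'contoso sec'
$adGroup = Get-ADGroup -Filter "Name -eq '$name'"

if (-not $adGroup) {
    Write-Warning "Group '$name' was not found in Active Directory."
}
elseif ($adGroup.GroupScope -ne 'Universal') {
    # Global and domain local groups are rejected by Enable-DistributionGroup.
    Write-Warning "'$name' has scope $($adGroup.GroupScope); change it to Universal before mail-enabling."
}
else {
    # Record what the group is before it becomes addressable by mail.
    Write-Host "Mail-enabling $($adGroup.GroupCategory) group $($adGroup.DistinguishedName)"
    Enable-DistributionGroup -Identity $adGroup.DistinguishedName

    # Confirm the result and the address that was assigned.
    Get-DistributionGroup -Identity $adGroup.DistinguishedName |
        Select-Object Name, GroupType, PrimarySmtpAddress
}
```

Because the group keeps any permissions it already grants, review its membership before making it addressable by mail.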
Creating a dynamic distribution group
Creating a dynamic distribution group is somewhat more complex because the rule for automatic membership must take several criteria into account, depending on the requirements. Microsoft Docs lists all properties that can be used for the RecipientFilter parameter of the New-DynamicDistributionGroup cmdlet.
The following example creates a dynamic distribution group whose members comprise all user mailboxes that have the value Contoso in the Company attribute.
New-DynamicDistributionGroup -Name "Contoso dyn" -RecipientFilter "(RecipientTypeDetails -eq 'UserMailbox') -and (Company -eq 'Contoso')"
After creation, the members of the group are not visible at first, not even in the ECP. To display them, you need to run another PowerShell command:
Get-Recipient -RecipientPreviewFilter (Get-DynamicDistributionGroup "Contoso dyn").RecipientFilter
If a user still does not appear as a member, either the user is excluded by the rules or the necessary attributes have not been correctly maintained in Active Directory.
If you want to extend the filter or change it completely, you don't have to create the distribution group again; rather, you can update it using Set-DynamicDistributionGroup.
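One way to make such a filter change with a check first, as an added example that is not from the original article: preview which recipients the new filter would match, compare that with the current membership, and only then apply it with Set-DynamicDistributionGroup. The added Department condition is a constructed sample value.

```powershell
$group = Get-DynamicDistributionGroup -Identity 'Contoso dyn'
# Constructed sample: the article's rule narrowed to one department.
$newFilter = "(RecipientTypeDetails -eq 'UserMailbox') -and (Company -eq 'Contoso') -and (Department -eq 'Sales')"

# Resolve current and proposed membership without touching the group.
# RecipientContainer limits the preview to the OU the group evaluates.
$scope  = @{ OrganizationalUnit = $group.RecipientContainer; ResultSize = 'Unlimited' }
$before = @(Get-Recipient -RecipientPreviewFilter $group.RecipientFilter @scope |
            ForEach-Object { $_.PrimarySmtpAddress.ToString() })
$after  = @(Get-Recipient -RecipientPreviewFilter $newFilter @scope |
            ForEach-Object { $_.PrimarySmtpAddress.ToString() })

# Who would stop receiving mail, and who would start receiving it.
$removed = @($before | Where-Object { $after  -notcontains $_ })
$added   = @($after  | Where-Object { $before -notcontains $_ })

Write-Host "Would be removed: $($removed.Count)"
$removed
Write-Host "Would be added: $($added.Count)"
$added

if ($after.Count -eq 0) {
    # An empty result usually points to a typo in the filter.
    Write-Warning 'The new filter matches no recipients; the group was left unchanged.'
}
else {
    # -Confirm asks for approval after the differences have been shown.
    Set-DynamicDistributionGroup -Identity $group.Identity -RecipientFilter $newFilter -Confirm
}
```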
Like the other distribution groups, the dynamic distribution group can also be deleted via PowerShell:
Remove-DynamicDistributionGroup -Identity "Contoso dyn"
There is, of course, no cmdlet to remove members as in static groups, because the filter is responsible for the membership of users in dynamic distribution groups.