In almost every organization running Microsoft Exchange, distribution groups play an important role in the communication architecture. Although these can be created and managed in the Exchange Admin Center (ECP), this article shows how to use PowerShell as a more efficient alternative.

Distribution groups exist in Exchange on Prem as well as in Exchange Online and behave in the same way in both environments. Before you start creating distribution groups, you should clearly define their purpose and subsequent maintenance.

A basic distinction is made between static distribution groups, security groups, and dynamic distribution groups:

  • Distribution group: Generally a static group; that is, the members are assigned manually.
  • Security group: For managing distribution lists, security groups in Active Directory can be email-enabled. Like a distribution group, it is also static, but can also be used for other purposes, such as permissions on mailboxes or in the file system.
  • Dynamic distribution group: Unlike the normal distribution group, it is, as the name suggests, not static. Rather, it uses rules and filters to automatically assign members to the group. For example, membership can depend on attributes. Dynamic distribution groups are generally very low-maintenance, because here a set of rules is responsible for the maintenance of the memberships. They are particularly suitable for departmental or complete company distribution lists.

If you want to get an overview of all existing distribution groups in your environment, you can use the command Get-DistributionGroup. It shows both the normal distribution groups and the security groups.

Displaying distribution groups with PowerShell

Displaying distribution groups with PowerShell

Of course, the members of a distribution group can also be displayed; this is done by Get-DistributionGroupMember:

Get-DistributionGroupMember -Identity "Contoso static"
Listing members of a distribution group using Get DistributionGroupMember

Listing members of a distribution group using Get DistributionGroupMember

Create a distribution group by using PowerShell ^

This task is performed by the New-DistributionGroup cmdlet. A command might look like this:

New-DistributionGroup -Name "Contoso static" -Alias ContSta -MemberJoinRestriction open
Creating new distribution group with New DistributionGroup

Creating new distribution group with New DistributionGroup

The MemberJoinRestriction open parameter allows the owner of the group to add members. In practice, however, this is rarely used.

If you want to create a security group, add the Type parameter with the Security value to the above command:

New-DistributionGroup -Name 'Windowspro Sec' -Alias 'WproSec' -Type 'Security'
Create a new distribution group of the type Security

Create a new distribution group of the type Security

You can use the Members parameter to add the first members when you create the distribution group. After that, you can use Add-DistributionGroupMember to add more members to the group; pass the names to the cmdlet via the Member parameter.

Adding members to a distribution group with Add DistributionGroupMember

Adding members to a distribution group with Add DistributionGroupMember

Deleting distribution groups and removing members ^

Removing groups or users from them is also a part of maintaining distribution groups. The former can be done with Remove-DistributionGroup. The example below deletes the group Contoso Sec:

Remove-DistributionGroup -Identity "Contoso Sec"
Delete a distribution group with PowerShell

Delete a distribution group with PowerShell

If you only want to remove members from a distribution group, then proceed as follows:

Remove-DistributionGroupMember -Identity "contoso static" -Member Ernie.Meier@smartsocke.com
Removing a user from a distribution group with Remove DistributionGroupMember

Removing a user from a distribution group with Remove DistributionGroupMember

We have thus far demonstrated the creation and administration of static distribution groups as well as security groups.

Existing security group as distribution group ^

Another common requirement in practice is to email enable a security group in Active Directory that already exists. This has to be a universal security group; otherwise, it will not work.

This can also be done quite easily via PowerShell with Enable-DistributionGroup or Disable-DistributionGroup. A command could look like this:

Enable-DistributionGroup -Identity "contoso sec"
Activating existing security group for email in Active Directory

Activating existing security group for email in Active Directory

Creating dynamic distribution group ^

Creating a dynamic distribution group is somewhat more complex because the rule for automatic membership must take several criteria into account, depending on the requirements. This post on Microsoft Docs shows all properties that can be used for the RecipientFilter parameter in the New-DynamicDistributionGroup.

The following example creates a dynamic distribution group whose members comprise all user mailboxes that have the value Contoso in the Company attribute.

New-DynamicDistributionGroup -Name "Contoso dyn" `
-RecipientFilter "(RecipientTypeDetails -eq 'UserMailbox') -and (Company -eq 'Contoso')"
Creating a new dynamic distribution group

Creating a new dynamic distribution group

Subsequently, the members of the group are not visible for the time being, not even in the ECP. Before that happens, you need to execute another PowerShell command:

Get-Recipient -RecipientPreviewFilter (Get-DynamicDistributionGroup "Contoso dyn").RecipientFilter

If a user still does not appear as a member, it is either excluded by the rules or because the necessary attributes have not been correctly maintained in Active Directory.

If you want to extend the filter or change it completely, you don't have to create the distribution group again; rather, you can update it using Set-DynamicDistributionGroup.

Like the other distribution groups, the dynamic distribution group can also be deleted via PowerShell:

Subscribe to 4sysops newsletter!

Remove-DynamicDistributionGroup -Identity "Contoso dyn"
Delete dynamic distribution group

Delete dynamic distribution group

There is, of course, no cmdlet to remove members as in static groups, because the filter is responsible for the membership of users in dynamic distribution groups.

0 Comments

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account