Using "authOrig" attribute to restrict who can send mail to E-Mail account
-
Wednesday, January 25, 2012 10:35 PM
First, we are a State agency that has just moved to a Cloud Exchange 2010 service. (We are using Outlook 2007 in a Windows 2008 AD environment. We have a mix of Windows XP and 7 PCs fully patched.)
We have "Very" limited access to maintenance of the Exchange environment provided through a WEB Portal. We do manage our own AD and would like to use the "authOrig" attribute (or other if needed/better) to accomplish the following:
1. We have several E-Mail Accounts (I'll identify as "Restricted") that we only want specific users to mail to the "Restricted" accounts.
I tried using ADModify to set the "authOrig" attribute value to the distinguishedName of:
a. A "Security Group - Global " object. The object had an "E-Mail" address set.
b. A "Distribution List" object. This object had an "E-Mail" address set and is used for normal E-Mail distribution to its "Members".
c. A "User" object.
Each step was done separately (waited up to an hour to test each by sending an E-Mail message). Neither A nor B worked. It wasn't until I added the "User" object distinguishedName that the authorized user was able to E-Mail the "Restricted" account.
Any suggestions????
2. We would also like to find out how to limit the "Restricted" account to only being able to E-Mail to a specified Distribution List or Group of User accounts.
Chris Premo
All Replies
-
Wednesday, January 25, 2012 11:32 PM
That seems like a normal request. Who is providing your hosted service? You, if not, they should be able to set restrictions on a mailbox.
Sukh -
Monday, January 30, 2012 2:50 AM Moderator
Hi,
From your description, you want to limit restricted users to send emails to specific distribution group, which you can configure Mail Flow Settings to achieve it. You can refer to the following article, though it is from the third-party website, I think it is helpful for you:
http://exchangeserverpro.com/restrict-distribution-group-exchange-server-2010
Hope it helps.
Thanks
Sophia Xu
TechNet Community Support
-
Thursday, February 02, 2012 10:20 PM
No, let me explain it a little better:
First, here are the different accounts that will be in play
1. Several "Board Member"
2. Internal "Organization Members"
3. Internal "Distribution Lists"
This is what we want:
1. Set an attribute (which I guess would be on the "Board Members" object) that will limit who can send messages to the "Board Member".
2. Set an attribute (don't know where or which one(s)) that will prohibit the "Board Member" from E-Mailing outside of our Domain. Or possibly even to limit them to only E-Mailing to a specified Distribution List.
Again, we are using a "Cloud" Exchange 2010 system hosted by Microsoft and managed by a Third party contractor. According to them, we should be able to use ADModify to set parameters on the following attributes, but I'm totally confused as to which one does what.
AuthOrig (Authorized Originators: Only these Users can send to the DL) – The way I read this, this value can only be a User object not a DL or Security Group. Although this seems to work, I'd rather use a DL or Security Group (those being easier to manage).
UnauthOrig (Unauthorized Originators: Anyone BUT these users can send to the DL) – The way I read this, this value can only be a User object not a DL or Security Group. Although this seems to work, I'd rather use a DL or Security Group (those being easier to manage).
dLMemRejectPerms (Unauthorized DLs: Anyone but members of these DLs can send to this DL) - Not sure if this is helpful for my purposes. Also, what "Value" would I set in this attribute????
dLMemSubmitPerms (Authorized DLs: No one but members of these DLs can send to this DL) - Not sure if this is helpful for my purposes. Also, what "Value" would I set in this attribute????
msExchRequireAuthToSendTo (Only Authenticated Senders can send to the DL, blocks External senders) - Not sure if this is helpful for my purposes. Also, what "Value" would I set in this attribute????
For Example, we want to set a block on the Board Members Object and limit who can send to that member.
Board Member    Authorized E-Mailers    Members of DL 1
Jane Doe        Distribution List 1     Bill Smith
                                        Mary Jane
                                        Carl Malton
So if James Lear tried to E-Mail Jane Doe, he would receive a rejection notification that he isn’t authorized to mail to Jane Doe. Yet if Bill Smith E-mailed Jane Doe, the message would be delivered.
Chris Premo
- Edited by Chris Premo Thursday, February 02, 2012 10:35 PM
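An added example, not part of the original thread or any poster's code: a small Python model of how the five attributes listed in the post above gate delivery, using the names from its example table. The DNs, the `may_send` function and the matching rules are assumptions for illustration (sender DN compared directly for `authOrig`/`unauthOrig`, direct group membership for the `dLMem*` attributes), consistent with the behaviour reported in the first post.

```python
# Added illustration: a simplified model, not Exchange's actual implementation.
# All DNs below are constructed sample values using names from the post.
def dn(name, ou):
    return f"CN={name},OU={ou},DC=example,DC=local"

DL1 = dn("Distribution List 1", "Groups")
BILL, MARY, CARL, JAMES = (dn(n, "Staff") for n in
                           ("Bill Smith", "Mary Jane", "Carl Malton", "James Lear"))
GROUP_MEMBERS = {DL1: {BILL, MARY, CARL}}  # direct members only (simplification)


def in_any_group(sender_dn, group_dns):
    return any(sender_dn in GROUP_MEMBERS.get(g, ()) for g in group_dns)


def may_send(sender_dn, recipient, authenticated=True):
    """Return (allowed, reason) for one sender against one recipient's attributes."""
    if recipient.get("msExchRequireAuthToSendTo") and not authenticated:
        return False, "msExchRequireAuthToSendTo: sender not authenticated"
    if sender_dn in recipient.get("unauthOrig", ()):
        return False, "unauthOrig: sender listed"
    if in_any_group(sender_dn, recipient.get("dLMemRejectPerms", ())):
        return False, "dLMemRejectPerms: sender is a member"
    users = recipient.get("authOrig", ())
    groups = recipient.get("dLMemSubmitPerms", ())
    if users or groups:
        # An accept list exists: the sender must match one of its entries.
        if sender_dn in users:
            return True, "authOrig: sender listed"
        if in_any_group(sender_dn, groups):
            return True, "dLMemSubmitPerms: sender is a member"
        return False, "not in authOrig or dLMemSubmitPerms"
    return True, "no restriction set"


# Attempt (b) from the first post: the DL's DN placed in authOrig.
jane_authorig_dl = {"authOrig": [DL1]}
# The same DL placed in dLMemSubmitPerms instead.
jane_submit_dl = {"dLMemSubmitPerms": [DL1]}

if __name__ == "__main__":
    for label, jane in (("authOrig=DL1", jane_authorig_dl),
                        ("dLMemSubmitPerms=DL1", jane_submit_dl)):
        for who, sender in (("Bill Smith", BILL), ("James Lear", JAMES)):
            print(label, who, may_send(sender, jane))
```
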
-
Thursday, February 02, 2012 10:41 PM
Can you not set restrictions on the mailbox and setup a transport rule?
Sukh -
Thursday, February 02, 2012 11:07 PM
Sure, but how? I'm totally new to Exchange/Outlook (previously on GroupWise). Instructions on how to set up this kind of parameters is slim to non-existent. (Really poor for such a well used and supposedly Superior product.)
Chris Premo -
Thursday, February 02, 2012 11:08 PM
This 3rd party contractor should be able to do this for you; you shouldn't have to mess around with these attributes. If he manages your service then he should really do it.
Sukh -
Friday, February 03, 2012 4:32 PM
I appreciate your help, but this seems very cumbersome. One would think that I as the administrator of my AD and user objects would be able to set some parameter that could/would accomplish what we want to do.
1. Set a “block” on several “Board Member” objects that would limit who can send an E-Mail to the member. For example, we would like to use a Distribution List to define who can E-Mail the member.
Board Member    Authorized E-Mailers    Members of DL 1
Jane Doe        Distribution List 1     Bill Smith
                                        Mary Jane
                                        Carl Maldon
So if James Lear tried to E-Mail Jane Doe, he would receive a rejection notification that he isn’t authorized to mail to Jane Doe. Yet if Bill Smith E-mailed Jane Doe, the message would be delivered.
2. Set a “block” on several “Board Member” objects that would disable their ability to E-Mail outside of our Domain.
Is this something that only the Exchange administrator can accomplish? If not, what attributes or object settings do we use? What values do we set in the attributes? One would think that MS would have had this process requested before and that they would have procedures on how to accomplish these tasks!!!
Chris Premo -
Saturday, February 04, 2012 12:07 AM
What Cloud service do you have? BPOS? O365?
If yes, then I'd post in the cloud forum.
Sukh -
Saturday, February 04, 2012 12:16 AM
BPOS
Chris Premo -
Saturday, February 04, 2012 12:25 AM
-
Monday, March 12, 2012 4:07 PM
Answer is in this thread
Chris Premo
- Marked As Answer by Chris Premo Monday, March 12, 2012 4:07 PM

