Distribution groups within exchange - multi tenanted

I have created a multi-tenant Exchange server and the users are in the correct OU/GALs etc.

I am having an issue with tenant distribution groups - I use the following command to create the group:

New-DistributionGroup -Name 'test' -OrganizationalUnit 'test.co.uk/exchange tenant/tenant1'

Then I use:

Set-DistributionGroup -Identity 'test' -CustomAttribute test1

This changes the email to @test.co.uk and also ensures it is in the GAL for the tenant1.

The problem is, when I use the EMC at the top level I see the group, and when I want to add a new user it lists everyone in the organisation and all tenants.
Is there any way I can set the distribution group to only allow me to see users who have the test1 attribute set (instead of seeing every person listed)?
Todd Nelson (Systems Engineer) commented:
You will need to create a dynamic distribution group to set conditions based on attributes.

New-DynamicDistributionGroup -Name "Test DG" -IncludedRecipients "AllRecipients" -ConditionalCustomAttribute1 "Test" -OrganizationalUnit "contoso.com/My OU" -Alias "Test DG" -RecipientContainer "contoso.com"


Member_2_7970364 (Author) commented:
I don't want a dynamic one. I want a normal distribution group that, when I select members and add them, only lists members within that specific OU.
Todd Nelson (Systems Engineer) commented:
Don't believe you can do what you want with a "normal" DG because they cannot be condition-based. And based on what you described your need is, you need a DG that is condition-based, which can only be accomplished with dynamic DGs.

If I am understanding your need differently than what you are intending, please provide further clarification (maybe a screenshot or a textual example).

Adam Brown (Sr Solutions Architect) commented:
I'm assuming you're using Exchange 2010, since you mention EMC, otherwise let me know. In the EMC, you should be able to change the Scope of results to just the OU you want. https://technet.microsoft.com/en-us/library/bb124527(v=exchg.141).aspx has instructions. I don't know if that setting applies to the Group Member selection UI, though. You can try doing that, though.

When working with a multi-tenant environment, though, it's usually best to use the Management Shell to do things. That's the main reason the Exchange 2010 Hosted installation doesn't even include the EMC. In EMS, you would basically just limit your get-mailbox cmdlet with the -organizationalunit switch to sift through the mailboxes in just one OU instead of the whole environment.
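Adam's EMS approach, as an added example that is not code from the thread: an OU-limited recipient list in place of the EMC picker, plus a membership helper that refuses any group or member outside the tenant OU. The OU and group names are the ones the question uses; the function names are invented for the example.

```powershell
# Added example, not code from the thread. Assumes an Exchange 2010 Management Shell
# and the tenant OU / group names from the question; the function names are invented.
$TenantOU = 'company.co.uk/ExchangeTenants/avonvets'
$Group    = 'Avonvale Test1'

function Test-InTenantOU {
    # True when a recipient's canonical OU is the tenant OU or a child OU beneath it.
    param([string]$RecipientOU, [string]$TenantOU)
    return ($RecipientOU -eq $TenantOU) -or ($RecipientOU -like "$TenantOU/*")
}

function Get-TenantRecipient {
    # The OU-limited recipient list that the EMC member picker does not give you.
    param([string]$OU)
    Get-Recipient -OrganizationalUnit $OU -ResultSize Unlimited | Sort-Object DisplayName
}

function Add-TenantGroupMember {
    # Adds members to a tenant group, refusing a group or member outside the tenant OU.
    param([string]$GroupIdentity, [string[]]$Members, [string]$OU)

    $g = Get-DistributionGroup -Identity $GroupIdentity
    if (-not (Test-InTenantOU $g.OrganizationalUnit $OU)) {
        throw "Group '$GroupIdentity' is in '$($g.OrganizationalUnit)', not under '$OU'"
    }

    foreach ($m in $Members) {
        $r = Get-Recipient -Identity $m -ErrorAction Stop
        if (-not (Test-InTenantOU $r.OrganizationalUnit $OU)) {
            Write-Warning "Skipping '$m': it lives in '$($r.OrganizationalUnit)', outside the tenant OU"
            continue
        }
        Add-DistributionGroupMember -Identity $GroupIdentity -Member $r.Identity
        Write-Host "Added $($r.PrimarySmtpAddress) to '$GroupIdentity'"
    }
}

# Usage: list who is eligible, add one user, then confirm the membership stays tenant-only.
Get-TenantRecipient -OU $TenantOU | Format-Table Name, RecipientTypeDetails, PrimarySmtpAddress
Add-TenantGroupMember -GroupIdentity $Group -Members 'bob.smith@avonvets.co.uk' -OU $TenantOU
Get-DistributionGroupMember -Identity $Group | Format-Table Name, OrganizationalUnit
```

The check compares the canonical `OrganizationalUnit` property that Exchange returns on recipient and group objects, so a user created in a sub-OU of the tenant still passes while anyone from another tenant or the top-level OU is skipped with a warning rather than added.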
Todd Nelson (Systems Engineer) commented:
If you need to create a DG with a filter targeting a specific OU, then you have to use a dynamic DG.

New-DistributionGroup does not have the ability to do filtering.

Your first command...

New-DistributionGroup -Name 'test' -OrganizationalUnit 'test.co.uk/exchange tenant/tenant1'

...basically creates a DG named "test" in an OU named "tenant1".

Your second command...

Set-DistributionGroup -Identity 'test' -CustomAttribute test1

Shouldn't work because you don't specify which custom attribute you are setting. You will need to state which custom attribute by using the correct parameter ... CustomAttribute1-CustomAttribute15.

Giving you the benefit of the doubt that you defined a valid parameter, then the "test" DG is assigned a custom attribute of "test1".

What then are you planning to do with it?  IMO, it does nothing and will only do something if you manually add group members.

Just because the DG is created in the "tenant1" OU with a custom attribute of "test1" doesn't mean that any users are assigned as members of the group.  And that's because a "normal" DG does not have the ability to filter.

If you want to filter based on OU, try this command to create a dynamic DG in the "tenant1" OU that has a filter set to look at all recipient types in the "tenant1" OU and dynamically assign them as members of the DG because they reside in the OU specified by the filter...

New-DynamicDistributionGroup -Name "Test" -IncludedRecipients "AllRecipients" -RecipientContainer "test.co.uk/exchange tenant/tenant1" -OrganizationalUnit "test.co.uk/exchange tenant/tenant1"


Let me know.

P.S.  If you are running a multi-tenant Exchange environment, don't you have support or some sort of partnership with Microsoft specific for your organization that would allow you to call at any time for assistance?
Member_2_7970364 (Author) commented:

I may have explained this badly (sorry) ... so I will attempt with pictures:

On our Exchange server we have the top level - orglevel attached.

When I create a user in the avonvale OU I enter the following command:

New-Mailbox -Name 'Dawn Gilroy' -Alias 'dawn.gilroy' -OrganizationalUnit 'company.co.uk/ExchangeTenants/avonvets' -UserPrincipalName 'bob.smith@avonvets.co.uk' -SamAccountName 'bob.smith' -FirstName 'Bob' -LastName 'Smith' -AddressBookPolicy 'Avonvets'

Then I run:

Set-Mailbox bob.smith@avonvets.co.uk -CustomAttribute1 "Avonvets"

This works perfectly - Bob is in the correct OU and within the Avonvets users and can only see users within Avonvets

I then want to create a group called "Avonvale Test1", so I run the command:

New-DistributionGroup -Name 'Avonvale test1' -OrganizationalUnit 'company.co.uk/ExchangeTenants/avonvets'
Set-DistributionGroup -Identity 'Avonvale Test1' -CustomAttribute1 Avonvets

And this works perfectly ... creates a group that is in the right OU and that only members of the Avonvets can see - attached pic.

If I then go into the EMC and into groups, I see everything within the org, which is OK (see attached group layout).

My problem is, from within the MMC when I want to add users to that group I see everyone within the WHOLE of the organisation/OUs etc., whereas I only want to be able to select users that are in the avonvale OU - see attached issue.

I hope this has now made sense.

When I run the command as suggested to create a dynamic group:

New-DynamicDistributionGroup -Name "Test11" -IncludedRecipients "AllRecipients" -RecipientContainer "company.co.uk/ExchangeTenants/avonvets" -OrganizationalUnit "company.co.uk/ExchangeTenants/avonvets"

the group does not even show in the users' list of groups (avonvets - All Groups) .. see attached missing group

I know I have replaced the co.uk with the word company !!
Todd Nelson (Systems Engineer) commented:
Let me ask this...

You are needing to restrict the avonvets.co.uk users to only see other users within avonvets.co.uk?

So you need to restrict what they see in their address lists?
Member_2_7970364 (Author) commented:
Yes avonvets can only see people within its own GAL ... and this works perfectly.
We have created users in the other companies and they can only see their own companies etc..

The top level company can see everyone - this is fine also

It is just the groups from an administrative point of view ... at the moment the groups I create people can only see them within their own company ...  but ideally the administrator when adding people into the groups should only see the people within that OU
Jason Crawford (Transport Ninja) commented:
So what you're talking about is the local helpdesk for the tenant in question, correct? They should have the ability to perform common administrative tasks, like modifying group membership, but no permissions that extend outside their own tenant, correct?

Assuming this is what you're referring to it sounds like a typical multi-tenant setup, and I've had this exact request myself from one of my tenants.  Just let me know if all this is correct and I'll provide the steps for accomplishing what you're requesting.

On a side note, Dynamic Distribution Groups are great for dynamically adding users to groups based on one or more conditions, but it does nothing to maintain tenant separation.
Member_2_7970364 (Author) commented:
Hi Jason

This is correct ... it is merely for the administration.
Jason Crawford (Transport Ninja) commented:
Right I gotcha...basically allowing end-users to manage DGs which they can't do out of the box.  It's actually a lot more involved than I initially thought and involves RBAC roles and managing DGs out of the EAC, not MMC.  If an end-user logs in to the EAC and has the appropriate RBAC roles assigned they will be able to manage DG membership and will only have a view of their own tenant to work with.  
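The RBAC delegation Jason describes, as an added example that is not code from the thread: a recipient write scope rooted at the tenant OU, a role group that carries the built-in "Distribution Groups" role confined to that scope, and a check that no assignment fell back to the organization-wide default. The OU is the question's; the scope name, role group name and the helpdesk account `avonvets-helpdesk` are assumptions.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell as an
# organization administrator. The scope name, role group name and the account
# 'avonvets-helpdesk' are assumptions; the OU is the one from the question.
$TenantOU  = 'company.co.uk/ExchangeTenants/avonvets'
$ScopeName = 'Avonvets Recipients'
$RoleGroup = 'Avonvets Helpdesk'
$Helpdesk  = 'avonvets-helpdesk'

# 1. A recipient write scope rooted at the tenant OU. RecipientRoot must be paired with
#    a restriction filter; matching every name keeps all recipient types in scope.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRoot $TenantOU `
        -RecipientRestrictionFilter { Name -like '*' }
}

# 2. A role group holding only the built-in "Distribution Groups" role, with the role's
#    default (organization-wide) recipient write scope replaced by the tenant scope.
if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroup -Roles 'Distribution Groups' `
        -CustomRecipientWriteScope $ScopeName -Members $Helpdesk
}

# 3. Verify: every assignment for the role group should report the custom scope.
#    An assignment still reading 'Organization' would let the helpdesk touch every tenant.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $RoleGroup
$assignments | Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope
$unscoped = $assignments | Where-Object { $_.RecipientWriteScope -ne 'CustomRecipientScope' }
if ($unscoped) {
    Write-Warning "Unscoped assignments found: $($unscoped.Name -join ', ')"
}
```

Two caveats a practitioner would want. Custom management scopes are write scopes only; Exchange has no custom read scope, so a helpdesk member may still see recipients from other tenants in lists and pickers, but any change to a group outside the tenant OU is rejected server-side regardless of which console issued it. And the scope governs which objects can be modified, so if out-of-tenant users must also be kept out of in-tenant groups, pair it with an explicit check on the OU of each member being added.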

Jason Crawford (Transport Ninja) commented:
On a side note, do you use any kind of front-end application like Hosting Controller to handle the tenant separation configuration, or are you doing everything manually? I've done it both ways, and I found the additional cost of Hosting Controller well worth it.
Member_2_7970364 (Author) commented:
Doing everything manually.
In fairness I didn't know anything about Hosting Controller, so will look into that.
Jason Crawford (Transport Ninja) commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Todd Nelson (https:#a41833713)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer
Jason Crawford (Transport Ninja) commented:
A dynamic distribution group would not be the solution in a multi-tenant Exchange environment, and I'm not sure how my contribution was ignored as the solution.
Todd Nelson (Systems Engineer) commented:
I agree with Jason.