Check who can send email to a group

Today I wanted to get a list of people who had rights to send messages to a few distribution lists in our company. This information is not readily available in Outlook, but it turned out to be very easy to retrieve using PowerShell: it is literally just a few attributes to read from your Active Directory.

Here’s a sample output of my script:

PS:\> Get-DLRestriction "Worldwide Everyone"
Checking restrictions for Worldwide Everyone

The following users can send messages to this list:

Anne Smith
John Able

Members of this group can send messages to this list: Domain\Communicators:

Susan Gallings
Terry Adams

Only authenticated users can send messages to this list.
External senders get blocked.

I’ve uploaded the script to PoshCode, but for your convenience I am also posting it here:

function Get-DLRestriction {
  param([System.String]  $DLName  )

  "Checking restrictions for $DLName"

  $DL = Get-QADGroup $DLName `
      -IncludedProperties AuthOrig, UnauthOrig, dLMemRejectPerms,`
                      dLMemSubmitPerms, msExchRequireAuthToSendTo

  # we'll set this to true if we see a restriction
  $restricted = $false

  # if the group with such a name is found
  if ( $DL -ne $null ) { 
    
    if ( $DL.AuthOrig -ne $null ) { 
      $restricted = $true
      "`nThe following users can send messages to this list:"
      $DL.AuthOrig | Get-QADUser
    }
    
    if ( $DL.UnauthOrig -ne $null ) { 
      $restricted = $true
      "`nAnyone BUT the following users can send messages to this list:"
      $DL.UnauthOrig | Get-QADUser
    }
    
    if ( $DL.dLMemSubmitPerms -ne $null ) { 
      $restricted = $true
      "`nMembers of this group can send messages to this list: $($DL.dLMemSubmitPerms | Get-QADGroup):"
      Get-QADGroupMember $DL.dLMemSubmitPerms
    }
    
    if ( $DL.dLMemRejectPerms -ne $null ) { 
      $restricted = $true
      "`nAnyone BUT members of this group can send messages to this list: $($DL.dLMemRejectPerms | Get-QADGroup):"
      Get-QADGroupMember $DL.dLMemRejectPerms
    }
    
    if ( $DL.msExchRequireAuthToSendTo ) { 
      $restricted = $true
      "`nOnly authenticated users can send messages to this list.`nExternal senders get blocked."
    }
    
    if ( -not $restricted ) {
      "`nThis list is not restricted. Anyone can email it."
    }
  } else {
    "`nDL $DLName not found."
  }
}
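
The same five attributes can be used to review many lists at once and surface the ones with no sender restriction at all. The following is an added example, not part of the original script: the function name Get-DLSenderPosture, the sample objects and the example.com DNs are constructed for illustration, and the Get-ADGroup call in the comment assumes the ActiveDirectory module is available.

```powershell
function Get-DLSenderPosture {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Group)
    process {
        # Multi-valued attributes arrive as $null, one DN or an array of DNs.
        # Flatten them and drop empty values so .Count is always meaningful.
        $allow = @($Group.AuthOrig, $Group.dLMemSubmitPerms |
                   ForEach-Object { $_ } | Where-Object { $_ })
        $deny  = @($Group.UnauthOrig, $Group.dLMemRejectPerms |
                   ForEach-Object { $_ } | Where-Object { $_ })

        # Compare as text so a real boolean and the LDAP string 'TRUE' both work.
        $authOnly = "$($Group.msExchRequireAuthToSendTo)" -eq 'True'

        [pscustomobject]@{
            Name         = $Group.Name
            # Same rule as the script above: no attribute set means anyone can email it.
            Unrestricted = (($allow.Count + $deny.Count) -eq 0) -and (-not $authOnly)
            RequireAuth  = $authOnly
            AllowEntries = $allow.Count
            DenyEntries  = $deny.Count
            AllowedDNs   = $allow -join '; '
        }
    }
}

# Constructed sample objects standing in for directory results.
$sample = @(
    [pscustomobject]@{
        Name     = 'Worldwide Everyone'
        AuthOrig = 'CN=Anne Smith,OU=Staff,DC=example,DC=com',
                   'CN=John Able,OU=Staff,DC=example,DC=com'
        dLMemSubmitPerms          = 'CN=Communicators,OU=Groups,DC=example,DC=com'
        msExchRequireAuthToSendTo = $true
    }
    [pscustomobject]@{
        Name       = 'Sales Team'
        UnauthOrig = 'CN=Terry Adams,OU=Staff,DC=example,DC=com'
    }
    [pscustomobject]@{ Name = 'Helpdesk Intake' }   # nothing set: unrestricted
)

# Unrestricted lists sort to the top of the report.
$sample | Get-DLSenderPosture | Sort-Object Unrestricted -Descending | Format-Table -AutoSize

# Live input (assumption: ActiveDirectory module installed):
# Get-ADGroup -LDAPFilter '(mail=*)' -Properties authOrig,unauthOrig,dLMemSubmitPerms,
#     dLMemRejectPerms,msExchRequireAuthToSendTo | Get-DLSenderPosture
```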

3 Responses to “Check who can send email to a group”


  1. 1 Anonymous March 27, 2012 at 11:39 am

    Hi there

    The only problem is that we can retrieve members, not groups.
    Is there any possibility to retrieve groups, not users?

    Thanks

    • 2 Dmitry Sotnikov March 28, 2012 at 1:02 am

      You mean, when it reports who has access? It reports users, because I had “Get-QADUser” in the script. Change it to Get-QADObject and it will show all objects: both users and groups.


  1. 1 Dew Drop – May 28, 2010 | Alvin Ashcraft's Morning Dew Trackback on May 28, 2010 at 12:23 pm


© 2007-2014 Dmitry Sotnikov
