Managing Exchange 2013 Groups
Simplified System
In a simplified logical system, there are the following:
-user: a single individual.
-group: more than one user.
In addition, groups are universal in the company. A group is a group. There are no group types. A group can access resources and receive email.
Windows Server
In the MS world, there are more options for fine-grained control. There is a security-group to access resources and a distribution-group to receive email.
(For the curious, these are the only two types of groups; there are no others.)
Let's begin, shall we?
GET-DISTRIBUTIONGROUP
To see all the distribution groups:
Get-DistributionGroup |select PrimarySMTPAddress
To see all the distribution groups that receive email from the outside world (sender authentication is not required):
Get-DistributionGroup | ? {$_.RequireSenderAuthenticationEnabled -eq $false} | select PrimarySMTPAddress
To see all the distribution groups that receive email only from within the company (senders must be authenticated):
Get-DistributionGroup | ? {$_.RequireSenderAuthenticationEnabled -eq $true} | select PrimarySMTPAddress
Great! Let's move on to the AD side of the system.
GET-ADGROUP
But before we do, note that with most commands, piping to "|fl" lets you see all the info. With the get-adgroup command that doesn't work, because it returns only a default set of properties; you have to ask for the rest with "-prop *".
To see all of the AD group properties:
Get-ADGroup -identity "foo-group" -prop *
Also note that the get-adgroup command uses the SAMACCOUNTNAME (it does not use the NAME or DISPLAYNAME as other commands do). So if you have an AD group with the name FOO-GROUP-NAME but the SAMACCOUNTNAME is FOO-GROUP-SAMACCOUNTNAME, you have to use the SAMACCOUNTNAME:
Get-ADGroup -identity "foo-group-samaccountname" -prop *
To see all the groups (both AD and distribution as all distribution groups are AD groups):
Get-ADGroup -Filter * -Prop * |select name,samaccountname,mailnickname
To see AD security-groups (groups without email addresses):
Get-ADGroup -filter {GroupCategory -eq "Security"} |select name,samaccountname
To see AD distribution-groups:
Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' -prop * |select name,samaccountname,mailnickname
ISSUES
Theoretically, this list should match the get-distributiongroup list from above. But you might notice that some distribution-groups do not have email addresses. That's kinda strange. What gives?
Sometimes the AD distribution-group does not have the necessary info in the database. A group that has this info is called mail-enabled. There's even a command just to handle this.
To mail-enable a distribution group that needs it:
Enable-DistributionGroup -Identity "foo-group"
(NOTE: This will even work on security-groups.)
Also, there are some items in the get-distributiongroup list from above that are not in the output of the get-adgroup command above. What gives?
Well, because groups can be mail-enabled, it is possible for a security-group to be mail-enabled as well.
To see which AD security-groups are mail-enabled (the ones with a mailnickname):
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -prop * |select name,mailnickname
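Both mismatches described in this section can be found in one pass by joining the get-adgroup and get-distributiongroup output on SAMACCOUNTNAME. The following is an added example, not part of the original article; the function name Compare-GroupView and the foo-* sample rows are made up for illustration. It also flags mail-enabled security-groups that accept mail from the outside world, since those groups both grant access to resources and can be reached by external senders.

```powershell
# Added example (not from the original article): join the AD and Exchange views
# of groups on SamAccountName. Compare-GroupView is a hypothetical name.
function Compare-GroupView {
    param(
        [object[]]$AdGroups,       # rows from Get-ADGroup
        [object[]]$ExchangeGroups  # rows from Get-DistributionGroup
    )
    # Index the Exchange (mail-enabled) groups by SamAccountName.
    $exBySam = @{}
    foreach ($g in $ExchangeGroups) { $exBySam[$g.SamAccountName] = $g }

    foreach ($ad in $AdGroups) {
        $ex = $exBySam[$ad.SamAccountName]   # $null when the group is not mail-enabled
        $finding = if ($ad.GroupCategory -eq 'Distribution' -and -not $ex) {
            'distribution-group is not mail-enabled'
        } elseif ($ad.GroupCategory -eq 'Security' -and $ex -and
                  -not $ex.RequireSenderAuthenticationEnabled) {
            'mail-enabled security-group accepts mail from the outside world'
        } elseif ($ad.GroupCategory -eq 'Security' -and $ex) {
            'mail-enabled security-group, internal senders only'
        }
        if ($finding) {
            [pscustomobject]@{
                SamAccountName = $ad.SamAccountName
                GroupCategory  = $ad.GroupCategory
                PrimarySmtp    = if ($ex) { $ex.PrimarySmtpAddress }
                Finding        = $finding
            }
        }
    }
}

# Constructed sample rows so the function can be tried without a domain.
$sampleAd = @(
    [pscustomobject]@{ SamAccountName = 'foo-group';   GroupCategory = 'Distribution' }
    [pscustomobject]@{ SamAccountName = 'foo-staff';   GroupCategory = 'Distribution' }
    [pscustomobject]@{ SamAccountName = 'foo-admins';  GroupCategory = 'Security' }
    [pscustomobject]@{ SamAccountName = 'foo-readers'; GroupCategory = 'Security' }
)
$sampleEx = @(
    [pscustomobject]@{ SamAccountName = 'foo-staff';  PrimarySmtpAddress = 'foo-staff@example.com';  RequireSenderAuthenticationEnabled = $true }
    [pscustomobject]@{ SamAccountName = 'foo-admins'; PrimarySmtpAddress = 'foo-admins@example.com'; RequireSenderAuthenticationEnabled = $false }
)
Compare-GroupView -AdGroups $sampleAd -ExchangeGroups $sampleEx | Format-Table -AutoSize

# Against a live environment (Exchange Management Shell plus the ActiveDirectory module):
# Compare-GroupView -AdGroups (Get-ADGroup -Filter *) `
#                   -ExchangeGroups (Get-DistributionGroup -ResultSize Unlimited)
```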
As a last question, if both group-types (distribution and security) can be mail-enabled, what's the point of having group types? Good question. There isn't one. It is the way the world works.