In my article about restricting who can send to a distribution list, Liz asked this question in the comments:

Is there a way to view a list of who is authorized to send to a distribution list once you have restricted it?

We have a good number of distribution lists within our company that are restricted and need a way to report on who is authorized to send without having to scroll and make screen shots every time HR wants to review them.

Exchange 2010 makes this easy thanks to the Exchange Management Shell. You can use Get-DistributionGroup to query a group for the message delivery restrictions.

Notice in this example that there are three attributes for AcceptMessagesOnlyFrom…

[PS] C:\>Get-DistributionGroup "All Staff" | fl name,accept*

Name                                   : All Staff
AcceptMessagesOnlyFrom                 : {exchangeserverpro.net/Company/Users/Branch Office/Aisha.Bhari}
AcceptMessagesOnlyFromDLMembers        : {}
AcceptMessagesOnlyFromSendersOrMembers : {exchangeserverpro.net/Company/Users/Branch Office/Aisha.Bhari}

If we look at the same group, but this time configured to accept messages from members of a distribution list, it looks like this.

[PS] C:\>Get-DistributionGroup "All Staff" | fl name,accept*

Name                                   : All Staff
AcceptMessagesOnlyFrom                 : {}
AcceptMessagesOnlyFromDLMembers        : {exchangeserverpro.net/Company/Groups/Administration Team}
AcceptMessagesOnlyFromSendersOrMembers : {exchangeserverpro.net/Company/Groups/Administration Team}

And now again the same group but this time configured to accept messages from both a single user and a distribution list.

[PS] C:\>Get-DistributionGroup "All Staff" | fl name,accept*

Name                                   : All Staff
AcceptMessagesOnlyFrom                 : {exchangeserverpro.net/Company/Users/Branch Office/Aisha.Bhari}
AcceptMessagesOnlyFromDLMembers        : {exchangeserverpro.net/Company/Groups/Administration Team}
AcceptMessagesOnlyFromSendersOrMembers : {exchangeserverpro.net/Company/Users/Branch Office/Aisha.Bhari, exchangeserver
                                         pro.net/Company/Groups/Administration Team}

As you can see, the AcceptMessagesOnlyFrom attribute lists individual authorized senders, the AcceptMessagesOnlyFromDLMembers attribute lists distribution lists whose members are authorized senders, and the AcceptMessagesOnlyFromSendersOrMembers attribute shows both.

So for reporting purposes we can query the AcceptMessagesOnlyFromSendersOrMembers attribute.

[PS] C:\>Get-DistributionGroup "All Staff" | fl name,acceptmessagesonlyfromsendersormembers

Name                                   : All Staff
AcceptMessagesOnlyFromSendersOrMembers : {exchangeserverpro.net/Company/Users/Branch Office/Aisha.Bhari, exchangeserver
                                         pro.net/Company/Groups/Administration Team}

To list all distribution groups in the organization that have restrictions on who can send to them, you can run this command.

[PS] C:\>Get-DistributionGroup | where {$_.AcceptMessagesOnlyFromSendersOrMembers -ne $null} | fl name,acceptmessagesonlyfromsendersormembers

Name                                   : All Staff
AcceptMessagesOnlyFromSendersOrMembers : {exchangeserverpro.net/Company/Users/Branch Office/Aisha.Bhari, exchangeserver
                                         pro.net/Company/Groups/Administration Team}

Name                                   : Executives
AcceptMessagesOnlyFromSendersOrMembers : {exchangeserverpro.net/Company/Groups/Administration Team}
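
For a recurring review, the same query can be written out as a CSV with one row per group and authorized sender, which avoids the wrapped console output shown above. This is an added example, not code from the original article; it assumes each entry's string form resolves through Get-Recipient, and the output path is a placeholder.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# $OutFile is a placeholder path; change it to suit your environment.
$OutFile = 'C:\Reports\RestrictedGroupSenders.csv'

$rows = foreach ($group in Get-DistributionGroup -ResultSize Unlimited) {
    # Drop nulls so an unrestricted group always yields an empty array
    $senders = @($group.AcceptMessagesOnlyFromSendersOrMembers | Where-Object { $_ })
    if ($senders.Count -eq 0) { continue }

    foreach ($sender in $senders) {
        # Assumption: the entry's string form (the canonical name seen in the
        # output above) is accepted by Get-Recipient -Identity.
        $r = Get-Recipient -Identity "$sender" -ErrorAction SilentlyContinue

        if ($r) {
            $name = $r.DisplayName
            $type = $r.RecipientType        # user, contact or group type
            $smtp = $r.PrimarySmtpAddress
        }
        else {
            # Keep entries that no longer resolve so the reviewer can check them by hand
            $name = "$sender"
            $type = 'Unresolved'
            $smtp = ''
        }

        New-Object PSObject -Property @{
            Group                       = $group.Name
            # Included so reviewers can see whether senders must be authenticated
            RequireSenderAuthentication = $group.RequireSenderAuthenticationEnabled
            Sender                      = $name
            SenderType                  = $type
            SenderAddress               = $smtp
        }
    }
}

if ($rows) {
    # Select-Object fixes the column order, which a hashtable does not guarantee
    $rows |
        Select-Object Group, RequireSenderAuthentication, Sender, SenderType, SenderAddress |
        Export-Csv -Path $OutFile -NoTypeInformation
}
```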

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Kavitha

    What is the security threat in allowing external users to send mail to a distribution list?

  2. Melina Stonehouse

    When some one searches for his vital thing, so he/she wishes to be available that in detail, thus that thing
    is maintained over here.

  3. Juan David Toro

    Hi there Paul

    First of all, thanks for your excellent post.

    I have this question:

    1. Do you know if this command works fine with Office365 or further versions of Exchange like 2016?

    I’ll stay aware.

    Kind regards,

    Juan

  4. Ankit

    We have a requirement to get the list of members who are able to send mail to a particular DL. We should be able to distinguish between the Group Mailbox, Distribution list and individual who has permission to send mail to a DL. Can you help with this?

  5. chiranjeevi

    How to copy the send permission list of 1 DL to another DL via shell

  6. Pushparaj

    Hi Paul, I want to match two conditions in a script

    First condition: I want to export the DLs which have above 250 members
    Second condition: I need to export unrestricted DLs from the first condition's result.

  7. David Klein

    Is there a way to get a list of distribution lists that are externally accessible for e-mail delivery?
    We have enabled certain distribution lists to be accessible for delivery from external sources and I’m looking for a way to list the ones where the “require that all senders are authenticated” is not checked.

    1. Paul Cunningham

      Get-DistributionGroup | Where {$_.RequireSenderAuthenticationEnabled -eq $false}

  8. Jason

    Is there a way to use wildcards in the AcceptMessagesOnlyFrom attribute?

    For example, say I want to only allow e-mails from practical365.com and do not want to create a contact for every address.

    GREAT BLOG.

    1. Paul Cunningham

      No but you can do wildcards in some Transport Rule settings so take a look there instead.

  9. Lisa

    I’m trying to use:

    Get-DistributionGroup -organizationalunit “OUName” | Where {$_.AcceptMessagesOnlyFromSendersOrMembers -contains “avayamsg*”} | fl Name,AcceptMessagesOnlyFromSendersOrMembers

    Can a wildcard be used? I think the issue may be the “user” that is contained in the Accept Messages From field is actually a contact for our Voice Mail system … “avayamsg@domain.gov”

    The command runs but returns no results. I’ve tried it with the Alias, full email address and a wildcard as shown above. Any suggestions?

    Thank you so much for helping to this point. I had actually realized my error in using the FL first. I know enough PS to be dangerous … :0/

    1. Paul Cunningham

      Wildcard won’t work with -contains but I just managed to do a quick test and it looks like -match is the operator that will work in your situation.

      For example this returns the expected result for me:

      Get-DistributionGroup | Where {$_.Acceptmessagesonlyfromsendersormembers -match “Alannah”}

      1. Lisa

        That worked like a charm! I’ve never used the -match operator before, but I will definitely use it in the future. Thank you so much for your help. Have a great day!

        1. Paul Cunningham

          No worries, glad it worked. -Match is pretty useful for basic string matches like that, and very powerful because it can also do Regex.

  10. Lisa

    Is there a way to find all distribution groups that have a specific user in the Accept Messages From?

    I tried this using the following command

    Get-DistributionGroup -organizationalunit “” |fl name,acceptmessagesonlyfrom | where {$_.AcceptMessagesOnlyFromSendersOrMembers -eq “”}

    I also tried the wildcard of the user name *username* but that did not work either.

    1. Lisa

      Command was …

      Get-DistributionGroup -organizationalunit “” |fl name,acceptmessagesonlyfrom | where {$_.AcceptMessagesOnlyFromSendersOrMembers -eq “<FQDN of user entered>”}

    2. Paul Cunningham

      You’re trying to use Format-List (fl) and then pipe that to Where-Object (where). That won’t work, Format-* commands should always go last in a pipeline (if you need to use them).

      AcceptMessagesOnlyFromSendersOrMembers is also a multi-value attribute. So you might need to try -Contains instead of -Eq for the condition.

      So perhaps try this (I haven’t tested it yet):

      Get-DistributionGroup | Where {$_.AcceptMessagesOnlyFromSendersOrMembers -contains “user”} | fl Name,AcceptMessagesOnlyFromSendersOrMembers

      1. Siva

        I have a set of users and need to get who has sending access to the DLs and Dynamic DLs, like the command below.

        Get-DistributionGroup | where {$_.AcceptMessagesOnlyFromSendersOrMembers -eq “user name”} | fl name, acceptmessagesonlyfromsendersormembers | format-list

  11. Eric

    I migrated from Exchange 2007 to 2013 and had restricted some users from sending emails to specific distribution lists. How do I find and remove those now in 2013?

    The output I get from:

    Get-DistributionGroup “Group Name” | fl name,accept*

    makes it look as though there are no restrictions:

    Name : Group Name
    AcceptMessagesOnlyFrom : {}
    AcceptMessagesOnlyFromDLMembers : {}
    AcceptMessagesOnlyFromSendersOrMembers : {}

    1. Paul Cunningham

      Are you sure that’s how you restricted them in the first place?

      1. Eric

        Paul,

        Thanks for the reply.

        It was done while we were in Exchange 2007, and the interface was different, so it was done via Exchange Management console but I don’t recall the exact steps, I was not the one that did it.

        I found it in AD users and computers ‘unauthOrig’ on the attributes tab.
        I removed the user from there not sure if that broke anything yet or not.

        1. Eric

          No ill effects from editing with the attributes tab.

  12. welly

    Hi Paul,

    How are you? I have a question about MS Exchange 2013: how to get a list of all distribution groups in Exchange, filtered by delivery management, and export the list to CSV format.

    thanks,
    welly

  13. Rick

    Can you tell me if it’s possible to assign a dynamic distribution group under “message restrictions”, “Only Senders from this list”?

    Thanks

  14. mumin cicek

    hi all,

    Get-QADGroup -SizeLimit 0 | where {($_.CanonicalName -notlike “*MYGAL*”) -and ($_.PrimarySMTPAddress -like “*@*”)} | Select-Object Name,@{n=’MemberCount’;e={$($_.AllMembers.Count)}}

    I can get the group count with the script below; it works fine, and I also need to find which groups have Delivery Restrictions (AcceptMessagesOnlyFromSendersOrMembers) set.

    And I want both of the scripts to work in only one session and export the result like this:

    Group Name | Count | Delivery Restrictions (AcceptMessagesOnlyFromSendersOrMembers)
    muminDL | 1500 | Email Allowed Group;mumincicek etc
    cicekDL | 1000 | Email Allowed Group, bill gates, SendMailSG etc

  15. ravindra pawar

    Hi, is there any way to find and send auto-generated mails to distribution lists where the DL manager name is missing?

  16. Poppy Moreno

    I’m using:

    “get-distributiongroup “DistroName” | fl name,AcceptMessagesOnlyFrom”

    The problem is the result is truncated. Is there some way I can get it to display the full access list, or how would I go about feeding the output to a text file?

    1. Chet

      I have the same issue. I have compared it to the actual list and some members are missing. Did you get the info you needed?

      1. Lars Panzerbjørn

        Personally I would quite like to get these in list format as well -_-

      2. Bruno

        Having the same problem

  17. Jay

    Trying to export the output to a csv file using this command :

    “Get-DistributionGroup | where {$_.AcceptMessagesOnlyFromSendersOrMembers -ne $null} | fl name,acceptmessagesonlyfromsendersormembers | Export-Csv c:maildistrogroup.csv -notype”

    Keep getting what appears to be a list of GUID’s and nothing else.
    Any ideas how I can export this to csv file
    Thanks!

    1. David Taig

      This will help with your export

      Get-DistributionGroup | where {$_.AcceptMessagesOnlyFromSendersOrMembers -ne $null} | Select Name,@{Name=”AcceptMessagesOnlyFromSendersorMembers”;Expression={[string]::join(“;”,($_.AcceptMessagesOnlyFromSendersorMembers | foreach {$_.Name}))}} | Export-Csv C:MailDistrGroupAccept.csv -NoType -Force

      Original source from Shay – http://www.powergui.org/message.jspa?messageID=34099#34099

      1. Jon W

        With the release of SP3 for Exchange 2010, this now returns no results when you try to translate the guids to the regular names. Any Ideas?

  18. Peter McArdle

    Paul

    I can’t get this to work at all. When I run the command below nothing happens, I am just returned to the prompt. I must be doing something wrong.

    Get-DistributionGroup | where {$_.AcceptMessagesOnlyFromSendersOrMembers -ne $null} | fl name,acceptmessagesonlyfromsendersormembers

    I’m using Exchange 2007 and have also tried truncating the attribute both ways as you suggested in answer to route above.

    Please help.

    Peter

  19. Lee Hutchinson

    Now that I have a list of users who can send to this Distribution List, how do I remove one person? The EMC shows the same list, minus one person. I’m hoping they can be removed using the shell.

  20. Tom Cheung

    For the output of AcceptMessagesOnlyFromSendersOrMembers, how can I just get the Display name of the members? IE to filter out those domain.OU field

    Thanks

    1. Lars Panzerbjørn

      I was hoping for exactly the same thing -_-

      1. Clint Swiney

        Me too… Been fighting this for a while…. Manually doing it in Excel is painful.

        1. Jon

          get-distributiongroup “groupname” | select -expandproperty AcceptMessagesOnlyFrom | select name

          1. Lars Panzerbjørn

            Thanks, this doesn’t work for me though, I just get an empty list…

          2. Brian

            Thank you Jon, just what I needed!

  21. route

    How do you make this work in Exchange 2007?

    1. Paul Cunningham

      Hi route, the same attributes exist on distribution groups in Exchange 2007 as well.

      1. route

        Is there something on the end of the command that I am missing? I’m not getting the same results. Nothing appears on screen. It just goes back to the prompt.

        [PS] C:\>Get-DistributionGroup | where {$_.AcceptMessagesOnlyFromSendersOrMembers -ne $null} | fl name,acceptmessagesonlyfromsendersormembers

      2. Paul Cunningham

        Whoops, should have said only these two attributes exist (at least on the groups I’m looking at here):

        AcceptMessagesOnlyFrom
        AcceptMessagesOnlyFromDLMembers

        So you’d need to query those two instead.

  22. Abhi

    We received one query where a user wants a list of all distribution lists which start with a specific name (sul). Is it possible to find all the DLs?

      1. Abhi

        Yes.. Thanks..
