An Office 365 administrator had a problem:
We restricted who can send email to a distribution group but users expand it and can send the email to everyone on it. How do we stop this?
You have three options with Exchange Server and Outlook: use the DisableDLExpansion registry value to disable distribution list expansion in Outlook desktop, use a dynamic DL, or set the list to be moderated and add the people who can send to the list to the bypass moderation list.
While users without proper permissions won't be able to send to either a moderated or dynamic group, anyone can view the list of group members in a moderated group. Group members are not shown in a dynamic group (because the members are determined by the server when it's sent).
If you want to prevent everyone from seeing the members, use a dynamic distribution group. However, for small groups you need to have a value to filter on, such as city, office, etc, and may need to add additional attributes to user's account in order for a dynamic group to work.
To create a dynamic group:
- Open the Exchange Admin Center
- Select Recipients in the sidebar
- Click on Groups
- Expand the plus sign and choose Dynamic Distribution Group
- Enter the Display name, Alias, Recipient types who will be members and add rules to filter by attributes.
- Click Save when finished.
When a user opens a dynamic distrubation group, they'll see a simple contact:
In the Address Book, the Dynamic Distribution Group is marked with a gear icon over the group icon.
To change a distribution group to moderated:
- Open the group in the Exchange admin center and select the group (in Office 365, it's under Recipients > Groups)
- Choose Message approval.
- Tick the option for Messages sent to the group have to be approved by a moderator
- Add the people who can send to the group in the Senders who don't require approval section.
- Choose whether to notify senders if their message is rejected.
- When you are finished, click Save.
When a user opens a moderated group, they will be able to see a list of all group members:
Use the DisableDLExpansion registry key
The DisableDLExpansion registry value is supported in Outlook 2007 and up. To use it in Outlook 2016, add the DisableDLExpansion DWORD to the registry at HKCU\Software\Policies\Microsoft\office\16.0\Outlook\Options\Mail\
and set the value to 1. For the other supported versions, change the version number in the registry path. As with moderated groups, users will be able to open the distribution group and view the members but will not be able to expand the list to bypass list controls.
Outlook 2016
HKCU\Software\Microsoft\Office\16.0\Outlook\Options\Mail\
HKCU\Software\Policies\Microsoft\office\16.0\Outlook\Options\Mail\
DWORD: DisableDLExpansion
Value: 1
Outlook 2013
HKCU\Software\Microsoft\Office\15.0\Outlook\Options\Mail\
HKCU\Software\Policies\Microsoft\office\15.0\Outlook\Options\Mail\
DWORD: DisableDLExpansion
Value: 1
Outlook 2010
HKCU\Software\Microsoft\Office\14.0\Outlook\Options\Mail\
HKCU\Software\Policies\Microsoft\office\14.0\Outlook\Options\Mail\
DWORD: DisableDLExpansion
Value: 1
Outlook 2007
HKCU\Software\Microsoft\Office\12.0\Outlook\Options\Mail\
HKCU\Software\Policies\Microsoft\office\12.0\Outlook\Options\Mail\
DWORD: DisableDLExpansion
Value: 1