Microsoft Exchange and Blackberry Server Specialists

Groups - Hide the Group or Membership From All Users

By default, all distribution groups that you create are visible to all users through the global address list.
In some cases you may want to create a list that is maintained through Exchange, but restrict its visibility. You cannot control the visibility from the server, so you must use a workaround.

There are two workarounds, depending on whether you want to hide the existence of the group or just the membership.

Hide the Existence of the Group

  1. Create the group as normal.
    If the membership of the group is sensitive, don't populate it with members just yet.
  2. Check that the group is visible in the Global Address List (GAL). If you are using Outlook 2003 or higher in cached mode, then you may find that it cannot be seen on the client machines. Force the Offline Address Book (OAB) to update (see here) or check through Outlook Web Access.
  3. Go to each user who needs to see the address list and open up the GAL (Tools, Address Book).
    If you cannot see the new list, and you are using Outlook 2003 or higher in cached mode and have updated the OAB, then force it to download using Tools, Send/Receive, Download Address Book.
  4. Right click on the new list and choose "Add to Contacts".
  5. Repeat on the other clients that need to use the list.
    Remember to tell the users where the list is held.
  6. Hide the list from the address book. In Exchange 2003, use ADUC to find the group, right click on the list, choose Properties and then "Exchange Advanced". Enable the option "Hide from Exchange Address Lists". In Exchange 2007 use the Exchange Management Console, where the setting is on the Advanced tab of the properties of the group. 
  7. Populate the list with the recipients of the list.
  8. Force the OAB to update again, so that the list disappears from the GAL.
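The server-side steps above (2, 6, 7 and 8) for Exchange 2007, as an added Exchange Management Shell example that is not part of the original page. The group name "Project Falcon" and the member "jsmith" are hypothetical placeholders.

```powershell
# Added example for Exchange 2007 (Exchange Management Shell).
# Hypothetical names: group "Project Falcon", member "jsmith".
$group = "Project Falcon"

# Step 2: confirm the group exists and is still listed.
# HiddenFromAddressListsEnabled should read False at this point.
Get-DistributionGroup -Identity $group |
    Format-List Name, PrimarySmtpAddress, HiddenFromAddressListsEnabled

# Steps 3-5 happen in Outlook on each client ("Add to Contacts").
# Finish them before running anything below this line.

# Step 6: hide the group from all address lists.
Set-DistributionGroup -Identity $group -HiddenFromAddressListsEnabled $true

# Step 7: populate the group only once it is hidden.
Add-DistributionGroupMember -Identity $group -Member "jsmith"

# Step 8: regenerate every Offline Address Book so that cached-mode
# clients drop the entry at their next OAB download.
Get-OfflineAddressBook | Update-OfflineAddressBook

# Check: the flag should now read True.
Get-DistributionGroup -Identity $group |
    Format-List Name, HiddenFromAddressListsEnabled

# Inventory of every hidden distribution group, useful when reviewing
# which lists rely on this workaround.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.HiddenFromAddressListsEnabled } |
    Sort-Object Name |
    Format-Table Name, PrimarySmtpAddress -AutoSize
```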

Hide the Membership of the Group

There are two ways of hiding the group members.

Method 1 - Exchange 2003 ONLY.

You can change the group properties to hide the membership of the group

  1. Open ADUC and find the group.
  2. Right click on the group and choose Exchange Tasks.
  3. Select "Hide Membership" from the list.

The drawback with this system is that once the changes have been made you cannot make any further changes to the security permissions of the group. If you need to be able to change the security permissions of the group, then you will have to use the second option.

However, this is not foolproof: someone can bring up the Properties of a user through Outlook and view the membership list.

Hiding the group membership is not available on Exchange 2007. However a work around is available. http://blogs.msdn.com/dgoldman/archive/2007/12/14/why-hiding-distribution-memberships-in-exchange-2007-is-not-supported.aspx

Membership can still be seen

It can take a while for the membership to disappear, so do not expect immediate results. However if the membership continues to be seen then you should review this article at the MS KB: http://support.microsoft.com/kb/812841

Method 2

It isn't possible to directly hide the membership of a group, but by using a workaround you can make it less obvious.

  1. Create the group as normal.
    If the membership of the group is sensitive, don't populate it with members just yet.
  2. Create a public folder with the name that you want to appear in the GAL using Outlook. You can also use one name for the group and then change the display name on the Properties of the group using Exchange System Manager (ESM) on the "Exchange General" tab. Change the option to "Use this name" and enter the name that you want the folder to appear under in the GAL.
    Tip: Put a space in front of the name and the folder will appear at the top of the GAL - example (Exchange 2000/2003 only).
  3. In ESM, mail enable the group and give it an email address
    For Exchange 2007, you will need to mail enable the folder using Exchange Management Shell:

    Enable-MailPublicFolder -Identity "\test\group folder"

    Note the \ at the start, and that the identity is the full path to the folder enclosed in quotes.

    To confirm that it was mail enabled correctly, run:

    Get-PublicFolder -Identity "\test\group folder" | fl
     
  4. Ensure that "Hide from Address lists" is not enabled. This can be found on the "Exchange Advanced" tab. The public folder is what will be seen in the Global Address List.
  5. Click on the tab "Exchange General", then the "Delivery Options" button and put the group in the "Forward to".
    It is optional whether you keep a copy of each message in the folder as well.
  6. Set the client permissions on the public folder. For Exchange 2007, use Outlook. For Exchange 2003 you can use ESM - click on the tab "Permissions" then "Client Permissions". The permissions that you set will depend on who needs to use the group.
    1. Right click on the folder and choose Properties. Click on the tab "Permissions".
    2. Set "Default" to None.
    3. The remaining permissions depend on who is sending to the group.
      In all cases, those who are sending to the group need to have contributor rights.
      For example, if everyone needs to be able to send to this group, then give "All Staff" the "Contributor" permission.
    4. Ensure that someone is the folder owner. Use the "Email Admins Group" if appropriate. Other permissions can be set as required.
  7. Finally, hide the group from the GAL using the option on the Properties of the folder in Exchange System Manager.

The public folder will be visible to users on OWA and live Outlook users on Outlook 2002 (XP) or older immediately. Users on Outlook 2003 or higher in cached mode will need to wait until the next update of the Offline Address Book.

By adjusting the forwarding options you can use this method to keep a copy of messages sent to the group.
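Method 2 on Exchange 2007, as an added Exchange Management Shell example that is not part of the original page. The folder path is the one used above; the group name "Project Falcon" is a hypothetical placeholder, and step 7 is read here as hiding the group itself, since step 4 requires the folder to stay listed. Client permissions are only read back, because the page sets them through Outlook on Exchange 2007.

```powershell
# Added example for Exchange 2007 (Exchange Management Shell).
# Folder path is taken from the page; the group name is hypothetical.
$folder = "\test\group folder"
$group  = "Project Falcon"

# Step 3: mail enable the public folder.
Enable-MailPublicFolder -Identity $folder

# Steps 4-5: keep the folder listed in the GAL and forward its mail
# to the group. Set DeliverToMailboxAndForward to $true to also keep
# a copy of each message in the folder.
Set-MailPublicFolder -Identity $folder `
    -HiddenFromAddressListsEnabled $false `
    -ForwardingAddress $group `
    -DeliverToMailboxAndForward $false

# Step 7: hide the group so that only the folder appears in the GAL.
Set-DistributionGroup -Identity $group -HiddenFromAddressListsEnabled $true

# Verify the folder side: listed, forwarding to the group.
Get-MailPublicFolder -Identity $folder |
    Format-List Name, PrimarySmtpAddress, HiddenFromAddressListsEnabled,
                ForwardingAddress, DeliverToMailboxAndForward

# Verify the group side: hidden from address lists.
Get-DistributionGroup -Identity $group |
    Format-List Name, HiddenFromAddressListsEnabled

# Step 6 check: review the client permissions set through Outlook.
# "Default" should show None, senders should show Contributor, and
# at least one entry should show Owner.
Get-PublicFolderClientPermission -Identity $folder |
    Format-Table User, AccessRights -AutoSize
```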