Thursday, October 16, 2014

How To: Limiting Inbound/Outbound Mail By Group. #MSExchange

Introduction

As a consultant, I have the opportunity to meet a lot of great people and amazing customers. Curious administrators that may not have the same sort of exposure to Exchange week in and week out always have loads of questions to ask! I always look forward to sharing my knowledge and helping to spread the great story that Exchange has to tell. Typically, these questions are asked around the lunch table or right after a meeting has ended. It’s funny though; the administrator usually starts out with a low key “sooo…I have a question.”

One of the more popular questions that I am asked is how to restrict inbound/outbound mail for a select group of on-premise users. A lot of times the customer is looking to restrict email functionality for call center, temporary or seasonal workers. There are numerous ways to tackle this question depending on the customer environment and if any other set of business criteria exists. I’m going to explain a very easy method to restrict inbound or outbound mail that is both repeatable and based on group membership.

Transport rules can do more than just create disclaimers in outbound email! In this case, the use of transport rules and a couple of strategic distribution groups will quickly solve our problem.

Limiting Outbound Mail by Group

Let’s begin by creating distribution groups.

  1. The first distribution list should contain all the users that should be restricted from sending external email.
  2. The second distribution list is optional. It is required only if you want to create exceptions for specific users that may be part of the first distribution group. If you do not need an exception, then you can skip creating the second distribution list.

Next, let’s open up the Exchange admin center (EAC) and select mail flow | rules. Once there, let’s then select the + to create a new transport rule.

The new rule dialog box will open and let’s type in a name for this transport rule. In this example, I used “Deny Outbound Email for Call Center.” In the “Apply this rule if…” drop down box choose “The sender is a member of” option. A new dialog box will open allowing you to choose the first distribution list created above.


At this point, let’s select the option to “reject the message with the explanation.” This option will provide a free-form field where we can provide an end-user friendly explanation as to why this email has been rejected. In this example, I typed in “This mail account has been provisioned for demo purposes only. The ability to send outbound email has been restricted.”

Click on More options and select the add exception button. 

We should apply this exception using the option if the recipient is a member of this group. For this group, we would select the second distribution list we created earlier.

Now, when users that are members of the first distribution list try to send email, they will be presented with a customized non-deliverable report. This report will contain the custom verbiage we specified during the creation of our transport rule.

Limiting Inbound Mail by Group

Some customers would like to have the ability for employees to send email but not have the ability to receive email. The ability to limit inbound email is very similar to the procedures to limit outbound email.

Let’s begin by creating a distribution group. The first distribution list should contain all the users that should be restricted from receiving external email.

Next, let’s open up the Exchange admin center (EAC) and select mail flow | rules. Once there, let’s then select the + to create a new transport rule.

The new rule dialog box will open and let’s type in a name for this transport rule. In this example I used “Deny Inbound Email.” In the “Apply this rule if…” drop down box choose “The recipient is a member of” option. A new dialog box will open allowing you to choose the first distribution list created above.

Next, we will select the option to “reject the message with the explanation.” This option will provide a free-form field where we can provide an end-user friendly explanation as to why this email has been rejected. In this example, I typed in “This mail account has been provisioned for demo purposes only. The ability to receive inbound email has been restricted.”

Now, when someone tries to send email to members of the first distribution list they will be presented with a customized non-deliverable report. This report will contain the custom verbiage we specified during the creation of our transport rule.
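
The outbound and inbound rules described above can also be created from the Exchange Management Shell with New-TransportRule. This is an added example, not part of the original post: the three group names are hypothetical, and the Audit mode and the commented-out scope lines are additions that the EAC steps do not include.

```powershell
# Added example. Run in the Exchange Management Shell on an on-premises server.
$ErrorActionPreference = 'Stop'

# Hypothetical group names; substitute your own distribution lists.
$noOutbound = 'CallCenter-NoOutbound'    # first list: senders to restrict
$exceptions = 'CallCenter-Exceptions'    # optional second list used by the exception
$noInbound  = 'CallCenter-NoInbound'     # list of recipients to restrict

# Fail before creating anything if a group name does not resolve.
$noOutbound, $exceptions, $noInbound |
    ForEach-Object { Get-DistributionGroup -Identity $_ | Out-Null }

# Outbound rule with the same condition, action and exception as the EAC dialog.
$outbound = @{
    Name                    = 'Deny Outbound Email for Call Center'
    FromMemberOf            = $noOutbound
    ExceptIfSentToMemberOf  = $exceptions
    RejectMessageReasonText = 'This mail account has been provisioned for demo purposes only. The ability to send outbound email has been restricted.'
    Mode                    = 'Audit'    # record matches only; nothing is rejected yet
}
# With only FromMemberOf, the rule matches every message these senders submit.
# Optional addition: match only recipients outside the organization.
# $outbound['SentToScope'] = 'NotInOrganization'
New-TransportRule @outbound

# Inbound rule: the condition moves from the sender to the recipient.
$inbound = @{
    Name                    = 'Deny Inbound Email'
    SentToMemberOf          = $noInbound
    RejectMessageReasonText = 'This mail account has been provisioned for demo purposes only. The ability to receive inbound email has been restricted.'
    Mode                    = 'Audit'
}
# Optional addition: match only senders outside the organization.
# $inbound['FromScope'] = 'NotInOrganization'
New-TransportRule @inbound

# Review what was created before it starts rejecting mail.
Get-TransportRule |
    Format-List Name, State, Mode, Priority, FromMemberOf, SentToMemberOf, ExceptIfSentToMemberOf

# After checking the audit results in message tracking, enforce both rules.
$outbound.Name, $inbound.Name |
    ForEach-Object { Set-TransportRule -Identity $_ -Mode Enforce }
```
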

Conclusion

Microsoft Exchange (and Active Directory) is an amazing product that presents many different ways to solve complex business problems. Sometimes, using the built-in functions of the product can solve problems very quickly. Here’s to hoping the next time that I hear a low key “sooo…I have a question” the subject of public folder coexistence does not come up!