1

I'm running Exchange 2013 and would like to accept email on an additional .com domain, but only for users of a specific Security Group on the Windows Domain. I've added the email domain as an Accepted Domain on the Exchange server, but I don't want it to apply to everyone.

Is there a way to configure an accepted domain to apply only to users of a specific security group?

The reason I don't just apply a mail policy to a Department or Company in AD is that there are a few users that will be in multiple groups and will need to have multiple mail domains accepted. Unless I'm coming at this all wrong?

Thanks!

2 Answers

2

https://technet.microsoft.com/en-us/library/aa996314(v=exchg.150).aspx

Basically, you want a filtered Email address policy at this point.

Use the EAC to replace the existing primary email address for a filtered set of recipients

To create additional email addresses that will be used as the primary email address for a filtered set of recipients, follow these steps.

  • In the EAC, navigate to Mail flow > Email address policies, and then click Add.
  • On the Email Address Policy page, complete the following fields:
    • Policy name: Enter a unique, descriptive name.
    • Email address format: Click Add. On the Email Address Format page that appears, make the following selections:
      • Select an accepted domain: Click the drop-down list, and select the new authoritative domain.
      • Email address format: Select the appropriate email address format for your organization.
      • Select Make this format the reply email address. When you are finished, click Save.
    • Run this policy in this sequence with other policies: Typically, policies that apply to specific users should have a higher priority (indicated by a lower integer value) than other email address policies, including the default policy.
    • Specify the types of recipients this email address will apply to: Select the recipient types to which you want the email address policy applied.
    • Create rules to further define the recipients that this email address policy applies to: Click Add a rule to restrict the recipients that this policy will apply to. This creates a Boolean And statement. Repeat this step as many times as necessary. Caution: If you apply too many rules, it's possible to restrict the email address policy to the point that it doesn't contain any users.
  • Click Preview recipients the policy applies to to view the recipients that policy will apply to.
  • Click Save to save your changes and create the policy. You'll get a warning that the email address policy won't be applied until you update it.
  • After it's created, select it, and then, in the details pane, click Apply.

TheCleaner
  • I've seen this. But it's not clear to me how I can apply it to a specific security group. When I add the email address policy and try to add a rule defining who this policy should apply to, I can only select things like Company, Department, etc. – Nelson Hoover Aug 04 '17 at 20:55
  • `RecipientFilter {((MemberOfGroup -eq "CN=groupname,OU=Groups,DC=domain,DC=com"))}` – TheCleaner Aug 08 '17 at 17:58
  • Nice! I'll give this a try. – Nelson Hoover Aug 08 '17 at 19:40
  • I'm using the ECP administrative interface in the web browser. I can only select Recipient Container, Company Name, Department, State/Province, or Custom Attribute 1 through 15. How do I apply a Recipient Filter to a Mail Address Policy? – Nelson Hoover Aug 11 '17 at 17:05
  • After a bit of research, I see it should be possible using the Exchange Management Shell - I'll try that next. – Nelson Hoover Aug 11 '17 at 18:01
  • That is what my comment is stating. You'll need to use the Shell. – TheCleaner Aug 14 '17 at 12:37
  • Your comment didn't explicitly state that it can only be done in the Shell - your original answer obviously being about doing it in the web-based Admin Interface, but yes, after some additional research, it becomes obvious that it must be done in Shell. Thanks for pointing me in the right direction. It's all working nicely for me now. – Nelson Hoover Aug 14 '17 at 13:29
  • Good deal...sorry for the confusion. I tend to hit SF while working and might be too brief to fully walk through it with folks. – TheCleaner Aug 14 '17 at 15:42
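The Shell route the comments above arrive at, written out as an added example (not code from the answer or from Microsoft's documentation), and extended to the "users in multiple groups" case from the question. The second group, all three domains and the policy names are placeholders assumed for illustration.

```powershell
# Added example for the Exchange Management Shell. Group DNs, domains and
# policy names are placeholders, not values from the thread.
$groupA  = 'CN=groupname,OU=Groups,DC=domain,DC=com'    # DN format from the comment above
$groupB  = 'CN=othergroup,OU=Groups,DC=domain,DC=com'   # hypothetical second group
$primary = 'domain.com'     # placeholder: existing primary mail domain
$domainA = 'example.com'    # placeholder: extra domain for group A
$domainB = 'example.net'    # placeholder: extra domain for group B

# Every domain used in an address template must already be an accepted domain.
$accepted = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }
foreach ($d in $primary, $domainA, $domainB) {
    if ($accepted -notcontains $d) { throw "Not an accepted domain: $d" }
}

# MemberOfGroup takes the group's distinguished name and matches direct
# members only; nested group membership is not expanded.
$filterA    = "MemberOfGroup -eq '$groupA'"
$filterB    = "MemberOfGroup -eq '$groupB'"
$filterBoth = "(MemberOfGroup -eq '$groupA') -and (MemberOfGroup -eq '$groupB')"

# Preview who each filter selects before creating anything.
foreach ($f in $filterA, $filterB, $filterBoth) {
    Write-Host "Recipients matching: $f"
    Get-Recipient -RecipientPreviewFilter $f -ResultSize Unlimited |
        Format-Table Name, PrimarySmtpAddress
}

# A recipient is stamped by a single policy: the highest-priority one whose
# filter matches. Users in both groups therefore get their own policy,
# ranked above the single-group policies and carrying both extra domains.
# Uppercase SMTP: marks the primary (reply) address, lowercase smtp: a proxy.
New-EmailAddressPolicy -Name 'Groups A and B' -RecipientFilter $filterBoth -Priority 1 `
    -EnabledEmailAddressTemplates "SMTP:%m@$primary", "smtp:%m@$domainA", "smtp:%m@$domainB"
New-EmailAddressPolicy -Name 'Group A' -RecipientFilter $filterA -Priority 2 `
    -EnabledEmailAddressTemplates "SMTP:%m@$primary", "smtp:%m@$domainA"
New-EmailAddressPolicy -Name 'Group B' -RecipientFilter $filterB -Priority 3 `
    -EnabledEmailAddressTemplates "SMTP:%m@$primary", "smtp:%m@$domainB"

# New policies are not applied to recipients until they are updated.
'Groups A and B', 'Group A', 'Group B' |
    ForEach-Object { Update-EmailAddressPolicy -Identity $_ }

# Confirm ordering and that each policy has been applied.
Get-EmailAddressPolicy | Sort-Object Priority |
    Format-Table Name, Priority, RecipientFilter, RecipientFilterApplied
```

With this in place, who receives mail on each extra domain is decided by membership of those security groups, so changes to them are worth including in whatever group-change auditing the domain already has.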
1

Add a CustomAttribute to every Account belonging to the desired security group and set the address policy filter to match this.

done
  • But what about the "users in multiple groups" scenario I mentioned? If I add a custom attribute and try to match it, I can see a custom attribute working ok if the user is a member of a single group (even if it's a bit cumbersome and not very obvious to the next admin that has to deal with it), but some users will be members of two or more groups. – Nelson Hoover Aug 07 '17 at 13:48