+1 - we have some locked-down OUs like this for computer groups whose membership we control for licensed software installations. You would need to make sure they don't have permission on the Exchange side to add to them as well, or they could just do it that way after it fails on the AD side.
From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Thursday, July 30, 2015 6:57 PM
To: [email protected]
Subject: [Exchange] RE: PS Script to see if specific DL has had members added recently to offset admins adding wrong people

Assuming that the Help Desk should never be allowed to make changes to these sensitive groups (and not just when copying users), you could consider moving the DLs to an OU in which the Help Desk is not allowed to make changes; this will prevent the Help Desk from adding the new user to that sensitive group.

If you have a known-good list of users, that could be compared to the DL. You could also check the date modified to see if the DL has been modified in the past xx days, but that will also flag legitimate adds.

-Aakash Shah

From: [email protected] [mailto:[email protected]] On Behalf Of Alice Goodman
Sent: Thursday, July 30, 2015 6:28 PM
To: Exchange List <[email protected]>
Subject: [Exchange] PS Script to see if specific DL has had members added recently to offset admins adding wrong people

New hires are inadvertently getting added to distribution lists when profiles are copied. Is there a way to stop this from happening on more strictly controlled lists? (I know, stop hitting head against the wall...) This is becoming a BIG problem here.

Does anyone know of some PowerShell that we can run nightly or weekly against maybe 20 key DLs to see if anyone has been added to them in the past xx time? Or some other solution?

The issue is that the Admins in Help Desk create new users by copying other users that "resemble" the new hire. I know that using Templates would be the best way, but that has never been implemented here. I realize that I am looking for a solution to a bad practice.

I looked at Owner Approval, but an Admin updating a DL does not cause that to be triggered. Only end-users, using OWA.

Thanks,
Alice
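The nightly check Alice asks for, combining Aakash's two suggestions (a known-good membership list compared against the DL, plus the AD modification timestamp as a secondary signal), as an added example that is not code from anyone in the thread. It assumes an Exchange Management Shell session (Get-DistributionGroup, Get-DistributionGroupMember) and the ActiveDirectory module (Get-ADGroup); the DL names, baseline path and lookback window are hypothetical placeholders.

```powershell
# Added example (not from the thread). Assumes Exchange Management Shell cmdlets and the
# ActiveDirectory module are available. DL names, baseline path and lookback are hypothetical.
param(
    [string[]] $SensitiveDLs  = @('Executive-Team', 'Payroll-Approvers'),   # hypothetical DL names
    [string]   $BaselinePath  = 'C:\Scripts\SensitiveDL-Baseline.json',     # hypothetical path
    [int]      $LookbackDays  = 7,
    [switch]   $UpdateBaseline   # only rewrite the known-good list when an admin says so
)

Import-Module ActiveDirectory -ErrorAction Stop

# Known-good membership: DL name -> sorted list of member distinguished names.
# A curated baseline (not "whatever was there last night") is what makes an unauthorized
# add keep showing up until someone consciously accepts it.
$baseline = @{}
if (Test-Path -Path $BaselinePath) {
    $json = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($prop in $json.PSObject.Properties) { $baseline[$prop.Name] = @($prop.Value) }
}

$cutoff   = (Get-Date).AddDays(-$LookbackDays)
$snapshot = @{}

$findings = foreach ($dl in $SensitiveDLs) {
    $group = Get-DistributionGroup -Identity $dl -ErrorAction Stop

    # Distinguished names exist for every member type (mailbox, contact, nested group),
    # unlike PrimarySmtpAddress. Note: this is direct membership only, not nested expansion.
    $current = @(Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited |
                 Select-Object -ExpandProperty DistinguishedName | Sort-Object)
    $snapshot[$dl] = $current

    # whenChanged is coarse: it also moves on legitimate edits, so it is only a hint.
    $adGroup = Get-ADGroup -Identity $group.DistinguishedName -Properties whenChanged

    $known   = @($baseline[$dl])
    $added   = @($current | Where-Object { $known   -notcontains $_ })
    $removed = @($known   | Where-Object { $current -notcontains $_ })

    [pscustomobject]@{
        DL               = $dl
        HasBaseline      = $baseline.ContainsKey($dl)
        WhenChanged      = $adGroup.whenChanged
        RecentlyModified = ($adGroup.whenChanged -gt $cutoff)
        Added            = $added
        Removed          = $removed
    }
}

# Report only groups that drifted from the baseline or were touched inside the window.
# A DL with no baseline yet is reported so the operator knows it is unmonitored.
$findings |
    Where-Object { -not $_.HasBaseline -or $_.Added.Count -gt 0 -or $_.Removed.Count -gt 0 -or $_.RecentlyModified } |
    Format-List DL, HasBaseline, WhenChanged, RecentlyModified, Added, Removed

# First run, or an explicit approval, writes the current membership as the new known-good list.
if ($UpdateBaseline -or -not (Test-Path -Path $BaselinePath)) {
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
}
```

Run it once interactively to seed the baseline, review the membership by hand, then schedule it nightly without `-UpdateBaseline`; pass the switch again only after an add has been verified as legitimate. As Aakash notes, the timestamp check alone flags every legitimate edit, so the membership diff is the signal to act on, and as the first reply points out, detection does not replace locking the OU down on both the AD and Exchange sides.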
