Error when you try to restrict which senders can send messages to a specified distribution group in an on-premises organization that has no Exchange server

Symptom

Consider the following scenario:

  • You have activated Active Directory synchronization in Office 365 and installed the Directory Synchronization tool in your on-premises organization.
  • There is no Exchange server in your on-premises organization.
  • You try to configure a distribution group so that only specified senders can send messages to it.

In this scenario, you receive the following error:

The action 'Set-DistributionGroup', 'ModerationEnabled', can’t be performed on the object 'Office365' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.


Cause

The issue occurs because the Exchange schema extension is required on the on-premises AD forest when the DirSync service is activated and no Exchange server is installed in your on-premises organization. Without it, the on-premises group object has no sender-restriction attributes to synchronize, and because the object is mastered on-premises, the setting cannot be changed from Exchange Online either.

Resolution

To resolve the issue, install the Exchange schema extension on the on-premises AD forest, and then edit and synchronize the "authOrig" attribute, which is the list of senders that are allowed to send to the distribution group. To do this, follow the steps below:

1)      Obtain the Exchange Server 2010 DVD.

2)      Copy the DVD contents to, or place the DVD in, the Schema Master or a member server of the forest root domain.

3)      Log in with an account that has the appropriate rights (see the Permission column in the table below).

4)      Run the following schema update commands in the forest root domain.

a.      It is highly recommended that this be run directly on the Schema Master DC.

b.      Using the Exchange 2010 DVD, run the following commands in the order specified in the following table. Force replication in between each command.

Command     Permission                    Domain Membership   Domain Controller   Runtime
---------   ---------------------------   -----------------   -----------------   -------
setup /ps   Schema and Enterprise Admin   Forest Root         Schema Master       5 mins

c.     Check the following log to verify there were no errors.

%systemdrive%\ExchangeSetupLogs\ExchangeSetup.log

d.   Force replication, and verify updates are successful.


5)      Create the DL in the local Active Directory.

6)      If you have Exchange installed, assign the permissions to the DL.

7)      If you do not have Exchange installed but do have the schema extensions, you will need the following attributes configured (all visible via ADSIEdit):

a.  authOrig: List of senders that are allowed to send to the DL (this attribute is your requirement).

b.  unAuthOrig: List of senders to BLOCK from sending to the DL.

c.  dlMemRejectPerms: Used in place of unAuthOrig when using security groups to indicate senders to reject.

d.  dlMemSubmitPerms: Used in place of authOrig when using security groups to indicate senders to approve.

e.  msExchRequireAuthToSendTo: Used to limit senders to authenticated (internal) users only.

NOTE: You will need to specify the DN of the objects added to these fields.

8)      You should be able to use contact objects to allow external senders to send to the DL, but they will be blocked if msExchRequireAuthToSendTo is set to True.

9)      Force a directory synchronization.
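The attribute configuration in steps 5 to 9 can be done from the ActiveDirectory PowerShell module instead of ADSIEdit. The script below is an added example, not part of the original article: it first checks that the Exchange schema extension from step 4 is present, resolves sender names to the DNs the attributes require, writes authOrig, unAuthOrig, dlMemSubmitPerms and msExchRequireAuthToSendTo on the group, and reads the result back. The group and account names are hypothetical placeholders.

```powershell
Import-Module ActiveDirectory

# Hypothetical names; replace with your own objects.
$GroupName     = 'Finance-Announcements'   # the DL created in step 5
$AllowedUsers  = @('jdoe', 'asmith')       # individual senders  -> authOrig
$AllowedGroups = @('Finance-Senders')      # mail-enabled SGs    -> dlMemSubmitPerms
$BlockedUsers  = @('contractor1')          # blocked senders     -> unAuthOrig
$RequireAuth   = $true                     # msExchRequireAuthToSendTo (authenticated senders only)

# Step 4 check: these attributes exist only after the Exchange schema extension is applied.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($attr in 'authOrig', 'unAuthOrig', 'dlMemSubmitPerms', 'dlMemRejectPerms', 'msExchRequireAuthToSendTo') {
    if (-not (Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)")) {
        throw "Schema attribute '$attr' is missing: run 'setup /ps' from the Exchange DVD first."
    }
}

# The attributes store distinguishedNames, not names; fail closed if any name does not resolve,
# so a typo never silently produces a shorter allow list or block list than intended.
function Resolve-Dn {
    param([string[]]$Names, [string]$Class)
    foreach ($n in $Names) {
        $obj = Get-ADObject -LDAPFilter "(&(objectClass=$Class)(sAMAccountName=$n))"
        if (-not $obj) { throw "$Class '$n' not found; not writing a partial sender list." }
        $obj.DistinguishedName
    }
}

$dl       = Get-ADGroup -Identity $GroupName
$userDns  = @(Resolve-Dn $AllowedUsers  'user')
$groupDns = @(Resolve-Dn $AllowedGroups 'group')
$blockDns = @(Resolve-Dn $BlockedUsers  'user')

$replace = @{ msExchRequireAuthToSendTo = $RequireAuth }
if ($userDns)  { $replace['authOrig']         = $userDns }
if ($groupDns) { $replace['dlMemSubmitPerms'] = $groupDns }  # groups go here, not in authOrig
if ($blockDns) { $replace['unAuthOrig']       = $blockDns }

# -Replace overwrites each multi-valued attribute, so re-running gives the same end state.
Set-ADObject -Identity $dl.DistinguishedName -Replace $replace

# Read back what DirSync will push to Exchange Online on the next synchronization (step 9).
Get-ADGroup -Identity $GroupName -Properties authOrig, unAuthOrig, dlMemSubmitPerms, msExchRequireAuthToSendTo |
    Select-Object Name, authOrig, unAuthOrig, dlMemSubmitPerms, msExchRequireAuthToSendTo |
    Format-List
```

Run it as an account that can write the group object, then force a sync and confirm the Delivery Management settings appear on the group in Exchange Online.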


More Information

Set-DistributionGroup

https://technet.microsoft.com/en-us/library/bb124955.aspx


Synchronize your directories

https://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspx


Applies To

Office 365 Exchange Online post deployment

Comments

  • Anonymous
    September 01, 2014
    Does it mean that I need to purchase Exchange Server in order to extend the AD schema?
    Or can I use a trial version?
    By default now, when I create a distribution group in AD, it allows external users to send email to that group.
  • Anonymous
    October 15, 2014
    This solution doesn't really work. An error is presented stating "There is no editor registered to handle this attribute type" when you try and edit the attributes mentioned.
  • Anonymous
    October 23, 2014
    You can use PowerShell to edit the authOrig field. Once the field has been updated via PowerShell you can open it using ADSI edit.

    Set-ADObject "DN" -replace @{authorig="DN"}
  • Anonymous
    May 08, 2015
    Are there any alternatives to adding the Exchange schema?
  • Anonymous
    May 25, 2015
    Office 365 and Dirsync: Why should you have at least one Exchange Server on-premises
    For those of
  • Anonymous
    June 10, 2015
    Just to clarify/validate Joe's comment, you do NOT need to install Exchange, as this article describes and you CAN just use the ActiveDirectory snap-in for PowerShell:
    Import-Module activedirectory
    DN in his example refers to the distinguishedName attribute. I would recommend using a mail-enabled Security Group for use with assigning the authorig, rather than listing each and every user that is permitted to send to that DG.

    Set-ADObject "your Large DG's DN" -replace @{authorig="DN of mail-enabled SG"}
  • Anonymous
    August 24, 2015
    Yes, it's working.
  • Anonymous
    October 14, 2015
    Kenneth H, what do you mean with "your Large DG's DN", I'm facing the same problem here.
    Thanks!
  • Anonymous
    October 19, 2015
    I have added the DN of a group (mail-enabled security group) to authOrig; unfortunately it does not sync to "Delivery Management" on O365. By the way, adding the DN of users works fine. So I'm not sure whether authOrig works only for individual users or contacts, or whether something went wrong?
  • Anonymous
    February 04, 2016
    Boworn - correct, authOrig and unAuthOrig only work for individual users. For groups, use dlMemSubmitPerms or dlMemRejectPerms instead to authorise or block.