Hello, Does anyone know if it is possible to block the creation of query based D-lists? We just had one go horribly wrong (email going to everyone in the org) and would like to prevent it from happening again. This is an Exchange/AD 2003 environment. Thanks in advance, Joe

No, there's no way to block the creation of dynamic distribution groups. Maybe next time the results of DL should be checked before it's used. ;) Missy

You could set a deny ACE in AD to prevent creating the specific object class if you wanted...Active Directory, 4th Edition - www.briandesmond.com/ad4/

Hi, Add something to Brian's reply. You can use Adsiedit.msc to change schema. Please make a system state backup before doing this. DC-> run->adsiedit.msc->Schema->CN=Schema,CN=configuration,DC=domain,DC=com find CN=ms-Exch-Dynamic-Distrubution-List, right click porperties-> security-> add deny permission to your Exchange administrator's accout. Suggest you don't use same account between domain admin and Exchange admin, if you use same account, the domain admin will also be denied. Reopen the ADUC on the Exchange server using Exchange admin account, you will find the option to new query based D-lists disappeared. But I think it's a better choise to set the query based D-lists: Hide from Exchange address lists, thus senders will not find the address in the GAL.Frank Wang

Hi, Add something to Brian's reply. You can use Adsiedit.msc to change schema. Please make a system state backup before doing this. DC-> run->adsiedit.msc->Schema->CN=Schema,CN=configuration,DC=domain,DC=com find CN=ms-Exch-Dynamic-Distrubution-List, right click porperties-> security-> add deny permission to your Exchange administrator's accout. Suggest you don't use same account between domain admin and Exchange admin, if you use same account, the domain admin will also be denied. Reopen the ADUC on the Exchange server using Exchange admin account, you will find the option to new query based D-lists disappeared. Frank Wang While that might work I would really NOT recommend doing that. You're going to end up with all sorts of wierd errors and support issues down the road. Guaranteed this isn't a test scenario and things are going to fail in strange ways. Active Directory, 4th Edition - www.briandesmond.com/ad4/

I think the important thing to remember in cases like this is Ed Crowley's adage, "There are seldom good technological solutions to behavioral problems". If someone's breaking stuff, take away their ability to do so instead of trying to adapt the technology to keep them from mucking it up.

Hi, How about your question? Any updates?Frank Wang