[Exchange 2003] enabling "CheckConnectorRestrictions" - performance hit?
On our Exchange 2003 SP2 (Enterprise Edition) server we want to prevent specific users from sending mail to external. I believe the best way to do this on Exchange 2003 is to use the delivery restrictions (Reject messages from) on the server's SMTP connector and add the disallowed users to it. To use this functionality it must be enabled via the registry (CheckConnectorRestrictions) and there is understandably a performance hit to using this feature as every outbound message must then be checked to see if it is restricted.

My question is, how much of a performance hit can be expected from this? Is it safe to use this or will our messaging grind to a halt? We are roughly 1500 users and are planning to restrict 50~100 users from sending mail to external. Mail server spec is: Dell PowerEdge 2950 (Quad Xeon 2GHz, 4GB RAM with EMC SAN for storage).

Also, am I correct in thinking that there would be less of a performance hit by adding the restricted users individually to the "reject messages from" form instead of using a mail-enabled distribution list and adding said users to it? My thinking is that by using a DL it adds an extra step (looking up the DL membership) for the server to perform when checking the restriction list.

Appreciate any advice or feedback on this matter. Thank you.
January 17th, 2011 1:43am

I only use a group for this and have never seen a performance hit. The last site I did this on restricted over 2000 users without issue. The reason to use a group is that Exchange caches permissions. If you use individual entries it can take 2 hours for Exchange to recognise the change. However if you use a group then the change is almost immediate because the group lookup is done live. It is also easier to manage, as you can see in the user's group membership that they are restricted.

Simon.
Simon Butler, Exchange MVP
January 17th, 2011 4:07am

Thank you for your reply Sembee. If I may ask, does the number of users you place in the restricted group have any effect on the overhead at all? Also, when you add users to the restricted DL is there any requirement to restart the services on the Exchange server or is this only required when you first "CheckConnectorRestrictions"? Thanks.
January 18th, 2011 8:42pm

Once the setting is applied, no further changes are required because Exchange knows to do the lookup. The number of users in the group shouldn't be a performance hit on the Exchange server, because it is a regular group expansion.

Simon.
Simon Butler, Exchange MVP
January 21st, 2011 12:11pm
