cancel
Showing results for 
Search instead for 
Did you mean: 

AD Distribution groups

David_Lee
Level 3
EV 5 SP5, Exchange 2003 SP1

In the journaling functionality of exchange / kvs it seems as though kvs does not store the meta data for members of the distribution list. You can only review the distribution group membership when viewing the whole e-mail in outlook but at that time the distribution group resolves itself to the current membership... As a compliance issue this is not good as the distribution group may have changed...

Can anyone confirm / deny this for me please?
1 ACCEPTED SOLUTION

Accepted Solutions

David_Messeng1
Level 6
Drache - just spotted your last post. Isn't it the best typo yet? :) In EV if something misbehaves and I find a reg key for it I always set it even if it's just reiterating the (supposed) default behaviour. I think it was IncludeInheritedPermissions in CP2 that turned me on to this way of working with EV. Sad but true :-(.

David - you are getting there. Fantastic stuff dude.

Dino - oh no. A bug d'you think? The good news is that you ARE compliant for SOX et al at the data level. Your problem is not "this is the email, tell us who knew about it" - you can do that... it's the "tell us all the email xxx recieved" you can't do right? If it's a bug to fix or a hack to the indexes then it can all be made right can't it?!? I know nothing about CA. Have you tried DA instead? (I know nothing about DA either by the way!)

Suggest you put the call into Symantec and let us know how is goes? Unless Ghost, Dodo, Drache, etc know?



David
http://www.UDStech.com

View solution in original post

13 REPLIES 13

Tremaine
Level 6
Employee Certified
At the time that the message is archived the recipients in the DL are enumerated and stored in the saveset on disk. These are then added to the index for compliance searches. However if you retrieve the message then, yes it would use exchange to enumerate the current members of the DL and not EV.

This will not affect your compliance searches though as it will use EV's historical representation and not the current exchange membership.

Hope that helps.

Cheers

David_Lee
Level 3
This is a great help and makes it very clear.....

However.... If I search my journal for a particular mail within the browser results it only shows me the distribution list name in the recipient field, if I open the mail fully it consolidates the distribution list against the current members, not the members at the time the e-mail was sent. How can I find out who was a member of the group at the time the mail was sent?

Thanks for your valuable help

David_Messeng1
Level 6
Hi David,

Do you have the regitry key set?

ExpandDistributionLists
Location
HKEY_LOCAL_MACHINE
\SOFTWARE
\KVS
\Enterprise Vault
\Agents
Content
DWORD

0 - (Default) The Journaling Service does not expand distribution lists.

1 - The Journaling Service does expand distribution lists.

Description
By default a Journaling Service always expands distribution lists. ExpandDistributionLists enables you to turn off the expansion.

Introduced
4.0

Cheers

David
http://ww.UDStech.com

Tremaine
Level 6
Employee Certified
I don't think there is any way currently within EV that you can actually view the historical representation for the DL at the point the message was archived.

I mean you would think you should be able to seeing as you can search on it.
Sounds like one of those nasty words---- 'Requirement'!

Although to be honest, can't say that I have had the same need for this in the past. Could see it's uses though :) Especially if someone blew the DL away and I needed to rebuild it without AD restores.

David_Lee
Level 3
David,

I have set the registry as instructed by it seems to have no affect at all.....

From a compliance point of view we or a legal person would need to know who was a member of the distribution list at the time the e-mail was sent.... Is this at all possible?

Thanks for helping me on this one

__Drache__
Level 3
> I don't think there is any way currently within EV
> that you can actually view the historical
> representation for the DL at the point the message
> was archived.

How about when opening the item in HTML view instead of Outlook format? Does the HTML version still reconcile against Exchange, or does it pull the names directly from the archived item?

David_Messeng1
Level 6
Guys,

we don't do compliance but I agree with David, you have to have this information. As I say, I know zip about this but my understanding is that envelope journalling on Exchange took care of it (which is why you have to have 2000+ for compliance).

David
http://www.UDStech.com

__Drache__
Level 3
You shouldn't have to set that registry key, by the way.

Notice how it first tells you in the Content section that '0' is the default, indicating that by default it doesn't expand the lists? However, in the Description section, it tells you that, by default, the journaling service DOES expand the list.

Ya gotta love those persistant typos...

Anyway, the Description section is correct. The journaling service does expand Distribution lists by default, so that reg key is only necessary if you want to disable expansion.

David_Lee
Level 3
Gents,

I've kinda lost the plot a bit in this discussion!!! (not hard!)

We rightly or wrongly assumed that KVS journaling would be able to record the all of the details in all of the mail transactions that occurred on our Exchange 2003 system which in principle it does.

What I am finding is that if an e-mail is sent to a distribution list KVS will only record the e-mail address of the distribution list. You cannot then expand that list to see who was a member at that time (all though the HTML search engine) If you open the mail fully in Outlook from KVS Outlook reconciles the group to whoever is a member at the present time.

Should I be able to do this? What does the registry key mentioned above actually do becuase in my eyes it is not working correctly or I am reading it wrong?

As for compliance we were sold the product on the fact that journal will allow us to do compliance (i.e. keep a copy of every mail transaction in our environment for 10 years or more) If journaling isn't a form of compliance what's the point?

David_Messeng1
Level 6
David,

you are absolutely right.

Have you read this:

http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3Journal/11270098-88d8-44ef-b492-6b42e413caf6.mspx

It is a subset of this:

http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/journaling.mspx

which I seem to remember as being a very good article (it's been a while since I read it through).


David

David_Lee
Level 3
Ahhh.... It's like a light has been switched on!!!!

Envelope journaling is what I need.... I am now off to turn it on!!!!

Thanks for your patience gents.. You are all very freindly and helpfull... I hope I can return the favour to someone else in this forum...

Regards

Dave

Dino_Caputo
Not applicable
We are presently using envelope journaling however, are finding that expansion of distribution lists (especially as undisclosed recipients) is not being displayed in CA. Forget viewing this info in EV using the web interface - its not shown at all. It may be stored in the index but there is no way to see it in the EV search pages which is extremely disappointing to say the least. You can see *some* of the recipient info in CA if you click the Comment and Audit History button, however we are finding that this list is almost always incomplete - we can validate this as we capture the raw enveloped journaled message or even the source message in outlook and compare the results in CA - guess what - they don't match...
We plan to open a call about this and will post if we can resolve.

David_Messeng1
Level 6
Drache - just spotted your last post. Isn't it the best typo yet? :) In EV if something misbehaves and I find a reg key for it I always set it even if it's just reiterating the (supposed) default behaviour. I think it was IncludeInheritedPermissions in CP2 that turned me on to this way of working with EV. Sad but true :-(.

David - you are getting there. Fantastic stuff dude.

Dino - oh no. A bug d'you think? The good news is that you ARE compliant for SOX et al at the data level. Your problem is not "this is the email, tell us who knew about it" - you can do that... it's the "tell us all the email xxx recieved" you can't do right? If it's a bug to fix or a hack to the indexes then it can all be made right can't it?!? I know nothing about CA. Have you tried DA instead? (I know nothing about DA either by the way!)

Suggest you put the call into Symantec and let us know how is goes? Unless Ghost, Dodo, Drache, etc know?



David
http://www.UDStech.com