Forcing External Out of Office Replies to ‘My Contacts Only’
My current organization is somewhat of a service provider. As a financial co-op, we provide many services to the banks that actually own us — one of which is IT infrastructure services. This means that we design, implement and support everything from Active Directory, to Exchange, to AD FS and everything in between. As such, we often get requests that come out of left field, such as this one.
Before I landed in this position, they were not allowing Out of Office (OOF) messages to go out to external senders. When dealing with the public, I feel that external OOF replies are a very important part of customer relations.
They asked if this function could be ‘scoped’ to where our associations could choose whether or not they wanted this function. The answer is yes, and it’s really quite simple. A very simple Powershell script can accomplish this and was talked about below:
The next ask was whether or not we could ‘force’ Outlook to only let them pick the option to send those OOF replies to people in their contacts list. They felt this would be more secure. Initially, I did not think this was an option as there’s seemingly no way to control it with GPO or registry hack. That’s when I stumbled across a post from way back in 2012:
Disable "Anyone outside my organization" in Outlook/Exchange 2010
We had a requirement in our organization recently to disallow sending auto replies (formerly know as out-of-office…
There, he explained how to go about doing this. I tried it in my dev environment and sure enough, it worked. When I went to do this in production, though, I found a few issues that prevented this from working when dealing with a larger set of mailboxes. First, I ran into a Powershell MaxEnvelopeSize error. This fix was simple, just issue the following command where the remote Powershell command is run:
Set-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb -Value 2048
This allowed the command to run, but another problem cropped up. The error was “Pipelines cannot be executed concurrently”.
I did some fiddling with the script and instead of trying to run it as-is from the site above, I did a query for the mailboxes that met the criteria and stored them into a variable, then ran a foreach loop against those to set the appropriate value, thereby scoping their external OOF replies only to deliver if the sender was in their contacts.
This is the final script that works for me:
I run this script via task scheduler at noon and 5pm every day, hoping to catch people that may try to change the external audience during the day. It can be run more often, but in large environments, this may be an expensive query.
I do the first query by OU, since my AD is broken up that way. You can use any way you like that will grab the mailboxes you are looking to process.