David Szpunar: Owner, Servant 42 and Servant Voice

David's Church Information Technology

November 11th, 2009 at 1:03 pm

Exchange 2010: Moderation and Nested Bypass

A new feature of Microsoft Exchange 2010 (yes it’s out, yes we’re using it now, and yes I’m jumping ahead with this post rather than talking about implementing it :-) is called Moderation. It’s pretty slick: you can take a mailbox or Distribution Group and make it moderated, so emails sent to it are held and any number of moderators are notified that there is a message they should approve or reject. They can do that easily (from Outlook or OWA), and the system takes care of it from there. The official Exchange blog has a great post with the basics of Moderation (UPDATE: thanks to E.J. Dyksen, Microsoft Exchange Program Manager and the author of the linked post, the linked article has been corrected, per his comment on this post; I verified it was changed), so I won’t go into more detail. Suffice it to say that we’re already using it and it works!

However, there is a flag you can set on a moderated object that lets a moderator for a “parent” group moderate an email once, regardless of whether subgroups also require moderation. Think of a moderated all-staff list that contains a moderated group for a specific department; by default both the all-staff moderator and the department list moderator would have to approve a message to all-staff before the department recipients would receive it. If you’d rather have some groups like all-staff set so that whoever moderates a message to that group auto-approves any subgroups as well (this is precisely why I wanted it, although we don’t have moderated subgroups yet), that’s what the flag called “BypassNestedModerationEnabled” is for; you can set it to true with PowerShell.

The problem is, the few places that talk about that flag online call it a completely different name! Sure you can do “get-help Set-DistributionGroup -full” to see all the options (there are many) or you can find the same help online, but it’s not easy to track down if you’re looking for the wrong setting name! The correct syntax to enable this moderation bypass on a group (from within the Exchange PowerShell console) is:

Set-DistributionGroup -Identity "[group name]" -BypassNestedModerationEnabled $true

However, the Exchange Team’s official blog says in its moderation post, in the FAQ section where it mentions nested approvals (near the end of the post), “If you set the BypassModerationEnabled flag to $true on the parent group, any messages sent to that group will bypass moderation by child groups.” Close, but it’s actually the BypassNestedModerationEnabled flag. If you do some searching, you’ll find a TechNet article called Understanding Moderated Transport which, again near the end in the Handling Multiple Moderated Recipients section, says, “To do this, you set the AutoApproveNestedDLEnabled parameter of the moderated distribution group to $true.” That is an even farther-off version of the same thing! At least with the correct name, you can more easily look it up in the TechNet Set-DistributionGroup topic, where it is correct!

It’s likely the incorrect articles were both correct at the time they were written, during beta and release candidate cycles of Exchange 2010, with the final flag name being changed in the generally available version that came out this past Monday. I don’t know for sure as the GA version is all I’ve run, but it seems a likely explanation given that the articles are almost a month (the TechNet one) and five months (the Exchange Team blog) old. But apparently I’m the first person to write about it outside of them (that Google knows about).
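
An audit of where this flag matters, added here as an example and not taken from the original post or from Microsoft's documentation: it lists each moderated parent group together with its directly nested moderated groups and shows whether BypassNestedModerationEnabled is set on the parent. It assumes the Exchange Management Shell and looks at direct members only; the variable names and report columns are illustrative.

```powershell
# Added example, not part of the original post. Run from the Exchange Management Shell.
# Report columns and variable names are illustrative; only direct members are checked.
$report = foreach ($parent in Get-DistributionGroup -ResultSize Unlimited) {
    # Only a moderated parent has a moderator whose approval could carry downward.
    if (-not $parent.ModerationEnabled) { continue }

    # Direct members that are themselves static distribution or mail-enabled security groups.
    $nested = Get-DistributionGroupMember -Identity $parent.Identity.ToString() -ResultSize Unlimited |
        Where-Object { $_.RecipientType -like 'Mail*Group' }

    foreach ($member in $nested) {
        $child = Get-DistributionGroup -Identity $member.Identity.ToString() -ErrorAction SilentlyContinue
        if (-not $child -or -not $child.ModerationEnabled) { continue }

        # New-Object keeps this compatible with the PowerShell 2.0 that Exchange 2010 uses.
        New-Object PSObject -Property @{
            ParentGroup            = $parent.Name
            ParentModerators       = ($parent.ModeratedBy -join '; ')
            BypassNestedModeration = $parent.BypassNestedModerationEnabled
            ChildGroup             = $child.Name
            ChildModerators        = ($child.ModeratedBy -join '; ')
        }
    }
}

# Rows with BypassNestedModeration = True: the child's moderators are not asked
# once the parent's moderator approves a message sent to the parent group.
$report |
    Sort-Object ParentGroup, ChildGroup |
    Format-Table ParentGroup, BypassNestedModeration, ChildGroup, ChildModerators -AutoSize
```

Each row with the flag set to True is a child group whose own moderators have no say over mail addressed to the parent, so it is worth confirming that the parent's moderators are the people who should hold that approval.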

  • 2

    Hi David,

    I’m the Program Manager in Exchange for the moderation feature (among others), and the author of the blog post cited.

    Thanks for the heads up on the typos and confusion. As you know, PowerShell parameters tend to be verbose, and we wrestled with the best name for this one. We did have a couple of names for this before settling on BypassNestedModerationEnabled, and docs/blog post seem to reflect that churn.

    I’ll make sure the original post is updated for accuracy, as well as the docs.

    Thanks for the great post about this piece of moderation!


    E.J. Dyksen on December 1st, 2009
  • 3

    Thanks for the comment E.J., I see the original article has been updated already! Thanks for being proactive and for taking the time to let me know. I’m enjoying the Moderation feature immensely! The only issue I’ve run into seems to be that as a Domain Admin/Exchange Admin, even if I remove myself as the list Manager and Moderator of an all-staff group we have, it’s not holding my emails for approval. Not sure what else to do but it’s not terribly hard to work around–and it works for everyone else at least :-)

    David Szpunar on December 3rd, 2009
  • 4

    I support a company with 30-40 employees, some off site and some on site. Just wondering if I should set up an Exchange server?

    I am just having trouble seeing the benefits and how it can make some of my administration tasks easier or non-existent.

    Paul Borgen on December 4th, 2009
  • 5

    I run an Exchange server with a similar employee count. I find it to be cost-effective, especially since we can get charity pricing on Exchange from Microsoft. If you have a virtualized environment, your actual hardware costs for running Exchange are much lower (or at least, are spread out across multiple servers). However, there are a lot of churches looking at using Google Apps as an alternative since it’s free for non-profits. There are certainly arguments for both. We’ve been running Exchange since long before Google Apps was an option.

    You may find some useful information at the Church IT Roundtable Google Apps vs. Exchange discussion page. Another option is to use Google Apps in “dual delivery” mode so email goes both to Exchange and Google Apps; this can be used as a backup if your Exchange server is down (although depending on the setup, incoming email won’t work while Exchange is down since it’s pointed at your Exchange server), or you can have some users on Exchange and some using Google Apps. This of course requires you to license and set up/maintain Exchange as well so it’s not as much of a cost saver as it is a backup (business continuity/disaster recovery) strategy or nice setup for people who like the Gmail interface more than they like Exchange.

    What are you using for email now? Once you get past the learning curve of Exchange 2010 (or 2007) or you have someone set it up for you, it really doesn’t require that much maintenance, especially if you put an antispam/antivirus filtering company (MXlogic, Postini, ExchangeDefender or Reflexion are all good examples) in front of them (note that I sell ExchangeDefender on the side and it can provide a web interface to your email when your server is down much like Google Apps can, in addition to the spam filtering–I like it a lot).

    David Szpunar on December 12th, 2009
  • 6

    So this needs to be set on the parent or the child?

    Rich on August 14th, 2012
  • 7

    Rich, it would be set on the parent I believe, though it’s been a while since I’ve looked at this…

    David Szpunar on August 18th, 2012