Restoring Exchange 2013 Distribution Group Members With No Backups

Had a small issue this Monday morning trying to restore almost 100 membership entries to a Distribution Group that was accidentally removed by our help-desk.

Initially I thought I would just check the AD security logs for a list of members that were deleted, but it turns out we don’t have logs going back before the weekend when the deed was done. Something I need to look into separately!

Before going down the route of restores just to view a Distribution Group, I thought I’d see if I could piece together the recipients from the Exchange logs. I thought that if I could find a trace of an email sent to the Distribution Group before the deletions, it might also contain a list of the recipients within the Distribution Group itself. It did, and it worked out pretty well, if a little long winded (but still quicker than the restore option!).

So first, we need to get the MessageID of an email that was sent to the Distribution Group a few days before the deletion. Below is the final command I used in the Exchange Management Shell, which is just a bit of gradual filtering to find a particular mail, specifying a date range and subject string:

Get-MessageTrackingLog -Recipients <DistributionGroupEmail> -Start "10/12/2019" -End "12/12/2019" -MessageSubject "<SubjectLine>" | select MessageID

With the MessageID we can see the recipients as originally selected by the sender. Ideally you’ll have found a mail that was sent to the Distribution Group only, no other recipients. In my case that wasn’t possible, so I took a record of all the additional individual email recipients so I could filter them out later:

Get-MessageTrackingLog -MessageId 1575643784989.41331@domain.com

Once you’ve made a record of that (if necessary), you can get a full list of all recipients with the below, which expands the Distribution Group to reveal the individual recipients within:

$all_recipients = Get-MessageTrackingLog -MessageId 1575643784989.41331@domain.com | select -ExpandProperty recipients

My results contained a number of duplicate users. We can create a new list of only unique names with the following:

$unique_recipients = $all_recipients | sort | Get-Unique

The final step is to import all these users into the target Distribution Group, which you can do with the following:

$unique_recipients | ForEach {Add-DistributionGroupMember -Identity "<Name of Distribution List>" -Member $_}

In my case, I needed to remove a few duplicates, which I did manually since there were so few.

Did I do this the hard way? Potentially! If there is a quicker way, please let me know, but it was a useful exercise anyway, and highlighted a few issues in our environment along the way in terms of logging and backups.