How to filter disabled accounts out of Dynamic Distribution Groups/Lists?
As far as I understand it, OPATH does not support bitwise and/or flags, so excluding disabled accounts from dynamic distribution lists is impossible, unless I am missing something super simple.
Many have found what they believe to be a valid solution by using -not(UserAccountControl -eq 'AccountDisabled, NormalAccount') in their filter, but this only equates to "anything NOT with a UserAccountControl value of 514 (integer)". Simply adding the "password does not expire" option on the account breaks that filter even if the account is disabled.
Further, it appears anytime you create an OPATH filter, Exchange does create an LDAP equivalent filter that can be read, however it seems you cannot directly edit the LDAPRecipientFilter. If I could, I could put in the necessary bitwise operation needed for this, e.g. (!UserAccountControl:1.2.840.113556.1.4.803:=2), but it doesn't seem possible.
Unfortunately I cannot rely on the ExchangeUserAccountControl flag as that relates to just hiding from Address Lists, and I have disabled accounts that need to be in the GAL. Further I have active mailboxes for disabled AD accounts so I cannot use IsMailboxDisabled.
Is this by design? If so I don't understand why. Are there any options (even with Exchange 2013)?
Hi Simon. Thanks for your response.
I'm not sure what additional information I can provide that I have not already regarding my suggestion/requirement, short of re-stating my original query.
With Exchange 2003, we could simply exclude disabled accounts from dynamic distribution lists via the use of an LDAP filter that used bitwise logic against the UserAccountControl attribute, e.g.
(!UserAccountControl:1.2.840.113556.1.4.803:=2)
With Exchange 2007, direct LDAP queries were deprecated in favor of OPATH. Unfortunately as a result, we can no longer filter out disabled accounts because OPATH does not support bitwise logic -xor -xand, etc. Because of this we can no longer effectively use the UserAccountControl flags to exclude disabled accounts. We can use this attribute by specifying explicit combinations of flags, e.g.
UserAccountControl -ne 'AccountDisabled, NormalAccount'
But because this attribute is a culmination of bits representing many different account options, there are a large number of combinations of values that could include Disabled Accounts whereby a filter such as above would NOT work. E.g. simply adding an option to not expire the password on the account renders the filter above invalid.
Currently our only option is to use workarounds which are not very effective (e.g. using a different attribute to store information about disabled accounts and filter on that instead). As accounts can be disabled simply with a right-click in ADUC, enforcing the use of an additional attribute is not effective.
I would like to understand why OPATH excludes this functionality, e.g. is it a design decision? Or is it simply an oversight? Further I'd like to see this functionality added.
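An added illustration, not part of the original posts: a stand-alone PowerShell model of why the equality clause lets disabled accounts through while a bit test does not. The helper names Test-KeptByEquality and Test-KeptByBitwise and the sample accounts are constructed for this example; it runs without Exchange or Active Directory.

```powershell
# Added example: models the two filters outside Exchange. Sample data is constructed.
# userAccountControl bit values as documented for Active Directory.
$Uac = [ordered]@{
    ACCOUNTDISABLE       = 0x2
    PASSWD_NOTREQD       = 0x20
    NORMAL_ACCOUNT       = 0x200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED   = 0x40000
}

# Hypothetical helper: the equality clause, i.e. "anything NOT with a
# UserAccountControl value of 514" (AccountDisabled + NormalAccount).
function Test-KeptByEquality([int]$Value) {
    $Value -ne ($Uac.ACCOUNTDISABLE -bor $Uac.NORMAL_ACCOUNT)
}

# Hypothetical helper: the LDAP bitwise-AND rule
# (!UserAccountControl:1.2.840.113556.1.4.803:=2) keeps an object only
# when the ACCOUNTDISABLE bit is clear, whatever else is set.
function Test-KeptByBitwise([int]$Value) {
    ($Value -band $Uac.ACCOUNTDISABLE) -eq 0
}

# Constructed sample accounts.
$accounts = @(
    [pscustomobject]@{ Name = 'enabled-plain';     Value = 512   }
    [pscustomobject]@{ Name = 'disabled-plain';    Value = 514   }
    [pscustomobject]@{ Name = 'enabled-noexpire';  Value = 66048 }
    [pscustomobject]@{ Name = 'disabled-noexpire'; Value = 66050 }
    [pscustomobject]@{ Name = 'disabled-pwnotreq'; Value = 546   }
)

$report = foreach ($a in $accounts) {
    $disabled = ($a.Value -band $Uac.ACCOUNTDISABLE) -ne 0
    $byEquality = Test-KeptByEquality $a.Value
    [pscustomobject]@{
        Name           = $a.Name
        Value          = $a.Value
        Disabled       = $disabled
        KeptByEquality = $byEquality
        KeptByBitwise  = Test-KeptByBitwise $a.Value
        # A disabled account that still lands in the list.
        Leaks          = $disabled -and $byEquality
    }
}
$report | Format-Table -AutoSize

# Every optional bit doubles the number of distinct "disabled" values an
# equality-only filter would have to list one by one.
$optional = @($Uac.Keys | Where-Object { $_ -notin 'ACCOUNTDISABLE', 'NORMAL_ACCOUNT' })
$base = $Uac.ACCOUNTDISABLE -bor $Uac.NORMAL_ACCOUNT
$disabledValues = foreach ($mask in 0..((1 -shl $optional.Count) - 1)) {
    $v = $base
    for ($i = 0; $i -lt $optional.Count; $i++) {
        if ($mask -band (1 -shl $i)) { $v = $v -bor $Uac[$optional[$i]] }
    }
    $v
}
'{0} optional bits -> {1} disabled values: {2}' -f $optional.Count, $disabledValues.Count, ($disabledValues -join ', ')
```

Of the three constructed disabled accounts, only the one with value 514 is dropped by the equality clause; the bit test drops all three.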
Similar Messages
-
Dynamic Distribution Group via csv file and Recipient Filter
Hello,
I am trying to create powershell command that will read a CSV file for "Name" and "Dept" and create a Dynamic Distribution Group based on the following Recipient Filter.
Import-CSV Dist.csv | ForEach-Object {New-DynamicDistributionGroup -Name $_.Name -RecipientFilter {((((((Department -like $_.Dept) -and (RecipientType -eq 'UserMailbox'))) -and (UserAccountControl -ne 'AccountDisabled, NormalAccount'))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')))}
I keep getting an error that "Missing closing '}" in statement block Char:314. I added a "}" at the end of the command but then the command fails to read the .csv file.
Assistance would be greatly appreciated to determine what I am missing. I have over 100 Dynamic Distribution list to create.
Cheers
You're definitely missing a closing curly bracket.
You have a lot of superfluous parentheses in that expression. You could certainly simplify it.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
-
Create new dynamic distribution group as filter office location
Hi
I want to create new dynamic distribution group as filter office location. So I would like to request you please suggest the script through Power shell or graphical interface.
In case you need more clarification please revert back.
Regards
Md Ehteshamuddin khan
If you don't use OUs to separate your users and use the 'Office' field in Active Directory you can create Dynamic lists for this property as well.
The Office field, which stores its information in the physicalDeliveryOfficeName attribute of the object, can be referenced to create a list by using this PowerShell command:
New-DynamicDistributionGroup -Name <LIST NAME> -RecipientFilter {office -eq '<OFFICE NAME OR LOCATION>'} -RecipientContainer '<LOCATION OF USERS ALLOWED IN THE LIST>' -OrganizationalUnit '<LOCATION OF WHERE LIST WILL BE STORED IN ACTIVE DIRECTORY>' -Alias 'LIST ALIAS'
Tested and verified with Exchange 2010
-
How to view members of Dynamic Distribution Group via Outlook client?
Hello,
Is it possible to view the members of a DDG via the Outlook client (Exchange 2010 SP1 + Outlook 2010)? For a normal Distribution Group I can see who are the members by viewing its properties but not for a Dynamic Distribution Group....
Thnx Remco
The members of a DDG are calculated when someone sends a message to it and might not be the same eight seconds before the message or three seconds after it. Simply trying to look at the membership from Outlook does not enumerate the potential membership and anyway, even if you could there's every chance that the membership could change in the period of time between looking at the membership and actually crafting the message.
Mark Arnold, Exchange MVP.
If I open a new email in Outlook 2010, and I click on the TO: button, it brings up the Global Address List. If I use the Drop Down under "Address Book" I can select the Dynamic Distribution List and the members are shown in the main window.
That being said, I notice that two of the three that I'm using didn't get updated until I went in and edited it, and walked through the wizard without making any changes. Then they got updated. One of the three was up to date without me doing anything, which is what I thought the whole point of Dynamic Distribution Lists was?
Was this in an Exchange 2010 server environment?
-
Regarding Dynamic distribution Group filtering! - URGENT HELP
Hello Friends,
We have some employees in our company having primary SMTP address as [email protected] as well as [email protected] as alias name.
I want to create Dynamic distribution group using recipient filter option.. I have tried various option.. nothing is worked out. can you please someone help on how to do this?
NOTE: I can able to filter using EMC filter : using "emailadresses" + "contains" @company2.com.......
Karthick
Your requirement is unclear. Reply back with what you are actually looking for!
If you want to use -RecipientFilter to create/manage Dynamic Distribution Groups, then below are a few links which have the information about the values that you may use for -RecipientFilter:
Filterable properties for the -RecipientFilter parameter
Filters in recipient Shell commands
Using PowerShell to Manage Dynamic Distribution Groups and Recipient Filters in Exchange Server
Create Dynamic Distribution Groups Using Customised Filters
M.P.K ~ ( Exchange | 2003/2007/2010/E15(2013)) ~~ Please remember to click "Vote As Helpful" if it really helps and "Mark as Answer" if it answers your question, "Unmark as Answer" if a marked post does not actually answer your question. ~~ This information is provided "AS IS" and confers NO Rights!!
-
Edit existing Dynamic Distribution Group
I'm running Exchange 2007 RTM
I have an existing Dynamic Distribution Group "All Staff" - here's the filter taken from 'Properties'
(&(!cn=SystemMailbox{*})(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) )))))
My question is it possible to EDIT the group to exclude a user? If so how?
You can edit the dynamic distribution list in EMS and add to the recipient an exclusion based on a value of an attribute (for example a CustomAttribute).
First get your current recipient filter with
Get-DynamicDistributionGroup dl_dyn_test | fl recipientfilter
in this example the filter is set to include everything with a CustomAttribute11 value of "plop":
((((((((CustomAttribute11 -eq 'plop') -and (Alias -ne $null))) -and (-not(Name -like 'SystemMailbox{*')))) -and (-not(Name -like 'CAS_{*')))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')))
Let's say we want to exclude the recipients with a CustomAttribute12 value "flop"; we would have to add "-and (-not(CustomAttribute12 -eq 'flop'))" to our filter, making it:
((((((((((((((CustomAttribute11 -eq 'plop') -and (-not(CustomAttribute12 -eq 'flop')))) -and (Alias -ne $null))) -and (-not(Name -like 'SystemMailbox{*')))) -and (-not(Name -like 'CAS_{*')))) -and (-not(Name -like 'SystemMailbox{*')))) -and (-not(Name -like 'CAS_{*')))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')))
We can write this back to our existing DynDL with the following command:
Get-DynamicDistributionGroup dl_dyn_test | Set-DynamicDistributionGroup -recipientfilter {<recipientfilter>}
!!! do not forget the "{}" around the filter value !!!
So our command becomes:
Get-DynamicDistributionGroup dl_dyn_test | Set-DynamicDistributionGroup -recipientfilter {((((((((CustomAttribute11 -eq 'plop') -and (-not(CustomAttribute12 -eq 'flop')) -and (Alias -ne $null))) -and (-not(Name -like 'SystemMailbox{*')))) -and (-not(Name -like 'CAS_{*')))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')))}
After this executes you can use the previous command again to read the value of recipientFilter attribute and verify the change. You can check that the DynDL is working properly by clicking on the Preview button on the Filter tab in the DynDL properties window in EMC, and verifying that the excluded recipients are not present in the list.
-
Exchange 2007 - Edit Dynamic Distribution Group
Hello everyone,
I would like to edit a dynamic distribution group, the only way possible it seems is through the command shell. In the EMC on the properties of the dynamic distribution group on the Filter tab, I copied the data in the Recipients Filter box and edited it to what I needed.
But how do I now apply it to the dynamic distribution group?
Thanks!
If you are editing the filter directly, I would recommend using the Exchange Management Shell. You can also fall back to editing the group using ADSIEDIT.MSC as this information is stored on the AD object properties.
Once you have the edits completed, be sure to test your changes. If done improperly, it could cause issues.
http://blogs.technet.com/b/dblanch/archive/2010/10/12/there-s-something-about-2007-dynamic-distribution-groups.aspx
-
Dynamic Distribution Group - RecipientContainer ignored
When I set the container in PowerShell and confirm that the setting took, I then run the preview filter. It is for sure pulling from outside the OU that I set in the container parm.
Any help on this issue?
Proactive security not reactive, let's make it happen.
Hi,
From your description, you set the RecipientContainer when you create the dynamic distribution group, but actually it doesn't work. If I have misunderstood your concern, please let me know. In your case, I recommend you take your time to post the cmdlet you use for my further research.
Best regards,
Amy Wang
TechNet Community Support
-
Create Dynamic Distribution Groups Using Customized Filters
I am looking to create a new Dynamic Distribution List.
Example:
DL - United States Users ([email protected])
In AD we have the 'Office' field filled accordingly, which contains the attribute USCA___ or USIL (US,California,etc or US, Illinois,etc).
I was wanting to try creating these using this command/script;
New-DynamicDistributionGroup -Name "DL - United States Users" -RecipientFilter {(RecipientType -eq 'UserMailbox') -and (Office -eq 'USCA*')(Office -eq 'USIL*')}
Assistance here please:
1. What needs to be added in that line so that only certain users can email to it, rejecting all others (i.e. The Helpdesk or Corporate Communications)
2. Is there a way to specify the SMTP address you want it to use?
3. Is there a way to have it only add mailboxes that are enabled in AD so disabled mailbox user accounts wont be added?
Thanks in advance everyone.
Hi,
We can use the following command to create a Dynamic distribution group:
New-DynamicDistributionGroup -Name "DL - United States Users" -RecipientFilter {(RecipientType -eq 'UserMailbox') -and (Office -like 'US, California' -or (Office -like 'US, Illinois')) -and (UserAccountControl -ne 'AccountDisabled, NormalAccount')}
Then as what ED says, we can use the Set-DynamicDistributionGroup cmdlet with AcceptMessagesOnlyFrom or AcceptMessagesOnlyFromDLMembers parameter to specify certain users who can send email messages to this dynamic distribution group. And use PrimarySMTPAddress parameter to specify the primary return SMTP email address for the distribution group.
Hope it helps.
Thanks,
Winnie Liang
TechNet Community Support
-
Upgrading Dynamic Distribution Groups
We're nearing our upgrade/migration from 2007 to 2013 and am at the stage where all users have moved off 2007. We wanted to unplug 2007 for a couple of weeks to see what would happen and within 24 hours noticed that email sent to a dynamic distribution group was not being sent, but not received. After a day of scratching our heads we plugged 2007 back in and a few minutes later the emails came booming in.
We did create a DDG on 2013 and notice it is not manageable from 2007 so there is something that gets upgraded.....just what though?
So my question is how do I upgrade the existing dynamic distribution groups from 2007 to 2013?
Hi,
From your description, I recommend you check if your dynamic distribution group has the Exchange 2007 Server configured as ExpansionServer.
Get-DynamicDistributionGroup -Filter {Expansionserver -ne $null} | ft Name,Expansionserver -AutoSize
If yes, I recommend you clear that setting using the following cmdlet:
Get-DynamicDistributionGroup -Filter {Expansionserver -ne $null} | Set-DynamicDistributionGroup -ExpansionServer $null
Hope it helps.
Best regards,
Amy Wang
TechNet Community Support
-
Help with dynamic distribution group exclusion
Hi all,
Having a strange trouble with a dynamic distribution group filtering on the user being a member of a particular group
Recipient Filter is:
((((((((RecipientType -eq 'UserMailbox') -and (-not(Title -like '[]*')))) -and (MemberOfGroup -ne 'CN =ExcludeFromMoitorigList,OU=Mail Redirect,OU=System Accounts,OU=New Objects,DC=test,DC=local'))) -and (-not(UserAccountControl -eq 'AccountDisabled, NormalAccount, DoNotExpirePassword')))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')))
If I make a preview of this distribution list I get expected result. Users included in ExcludeFromMoitorigList group don't appear. But they continue to receive emails sent to dynamic distribution group.
Any help is much appreciated
I'm not sure what all of the settings you are adding are for, but operating under the assumption that they are necessary, try this:
((((RecipientType -eq 'UserMailbox') -and (-not(Title -like '[]*')) -and (-not(MemberOfGroup -eq 'CN =ExcludeFromMoitorigList,OU=Mail Redirect,OU=System Accounts,OU=New Objects,DC=test,DC=local')))) -and (-not(UserAccountControl -eq 'AccountDisabled, NormalAccount, DoNotExpirePassword')))
If that doesn't work, try this:
((RecipientType -eq 'UserMailbox') -and (-not(Title -like '[]*')) -and (-not(MemberOfGroup -eq 'CN =ExcludeFromMoitorigList,OU=Mail Redirect,OU=System Accounts,OU=New Objects,DC=test,DC=local')) -and (-not(UserAccountControl -eq 'AccountDisabled, NormalAccount, DoNotExpirePassword')))
FYI, the reason for those suggestions is because I got this working on Exchange 2013 running on Server 2012 Datacenter by taking the existing RecipientFilter and adding the -not MemberOfGroup section, but noticed that all of this was then duplicated:
-and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox'))
As such, I re-created it without that, and that's what I've done with your string. I also changed the -ne to a -not(-eq) and in the second example, got rid of some extra parentheses that I'm not sure you need.
Also, note that in my working scenario, I used this command and put the filter I was setting where I have indicated <filter> (I left the double quotes in the command):
Set-DynamicDistributionGroup -Identity <Group> -RecipientFilter "<filter>"
-
Dynamic Distribution Group set conditions by importing text file?
Exchange 2010 SP2.
I created a dynamic distribution group via the EMC. We have populated AD with ExtensionAttribute1 and ExtensionAttribute2. I have created the ddg with custom attribute1 value = employee. What I need to do now is populate custom attribute 2 = 00-0001, 00-0002, and so on. There are about 300 of these numbers I need to add. I have them in a text file or csv file. Instead of adding them one by one in the EMC, is there a way to import them via powershell to the existing ddg?
The ddg is called All Management Employees.
If they go from 00-0001 to 00-0300, you could just add them as follows:
Set-DynamicDistributionGroup <group name> -RecipientFilter "(CustomAttribute1 -eq 'employee') -and (CustomAttribute2 -like '00-0*')"
However, if you have additional items like this (such as 00-0350, etc), you may need to use the following:
Set-DynamicDistributionGroup <group name> -RecipientFilter "(CustomAttribute1 -eq 'employee') -and ((CustomAttribute2 -like '00-00*') -or (CustomAttribute2 -like '00-01*') -or (CustomAttribute2 -like '00-02*') -or (CustomAttribute2 -eq '00-0300'))"
Now, if your numbering isn't sequential and it can't be, you would need to add them individually - which may make your search filter unusable, in which case, you may need to create several dynamic groups and add them to a parent group.
-
Create/Edit "Custom Attributes" in Dynamic Distribution Groups
Hi,
I wanna create a Dynamic Distribution Group based on the users "title" and "company".
I've noticed that there are 15 "Custom Attributes" that I can edit in someway, I guess via PowerShell?
So what is the easiest way to accomplish this?
Hi,
Agree with the above suggestion, you can also bulk change the custom attributes:
Get-Mailbox -ResultSize Unlimited -Database Execs | Set-Mailbox -CustomAttribute1 "title"
http://dougg.co.nz/2012/05/01/bulk-setting-exchange-2010-custom-attributes/
To edit Custom Attributes:
get-mailbox -filter {customattribute1 -eq ""} | set-mailbox -customattribute1 "<value>"
And here is a reference about Create/Edit "Custom Attributes" in Dynamic Distribution Groups:
http://windowsitpro.com/exchange-server-2010/exchange-2010-sp2-value-custom-attributes
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Best regards,
Angela Shi
TechNet Community Support
-
Dynamic Distribution Groups - Message Delivery Restrict to Security Group
Hi,
I have created a dynamic distribution group and want to restrict mail delivery to only accept messages from members of a security group. How do I achieve this?
The idea is the DDG's are set with their criteria and if anyone leaves/joins the relevant SG then they will have permission to send to those DDG's.
Thanks in advance.
Hi,
In Exchange Management Console it is very simple to provide the access. Please follow the steps.
1. Open the Exchange Management Console (EMC)
2. Locate the distribution list.
3. Right-click on it and select Properties
4. Open the Mail Flow Settings tab
5. Select Message Delivery Restrictions
6. Then select the option only senders in the following list and add the DL that you would like to provide access to send email to that group.
Thanks & Regards S.Nithyanandham
-
Create dynamic distribution group from 2 or more OU ?
How I can create Dynamic distribution group from 2 or more OU ?
I tried modified solution from this post:
http://social.technet.microsoft.com/Forums/office/en-US/11a338b9-dbca-4378-9cda-4590a5b8d0f7/exclude-specific-ou-or-user-from-dynamic-distribution-groups?forum=exchangesvrgenerallegacy
but I'm not sure will this work.
Hi,
I have some tests in my environment using Exchange 2013. I use the following cmdlet to create a dynamic distribution group through multiple OUs, but it can't work as I expect.
New-DynamicDistributionGroup -Name "Users with mobile phones" -Alias "usermobile" -RecipientFilter {(((recipienttype -eq 'usermailbox') -and (MobilePhone -ne $null) -and ((RecipientContainer -eq 'contoso.com/users') -or (RecipientContainer -eq 'contoso.com/test OU'))) )}
Actually, we have a dedicated support team regarding the Microsoft Scripts. I recommend you ask your question on our Microsoft Scripts forum which is staffed by more experts specializing in this kind of problems. Thanks for your understanding.
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?category=scripting
Hope it helps.
Best regards,
Amy Wang
TechNet Community Support