Query-based Distribution Groups and Disabled Users

Another issue with Query-based Distribution Groups - when admins create these, typically using a GUI - there's no obivious way of excluding disabled user accounts. Even if you enter the ldap filter manually using Custom Search, it's easy to forget about excluding disabled users.

End result: users sending mail to QBDGs complain about getting NDRs from disabled users.

To prevent this, you need to change the ldap filter of the QBDG and insert a bit-wise filter (MS KBA 269181) for the userAccountControl attribute, which indicates, amongst other things, whether a user account is enabled or disabled. Here's how you do it.

If you used Custom Search to manually enter the ldap filter when creating the QBDG:
1. Start AD Users & Computers console, locate the group | Properties | click Customize | go to the Advanced tab.
2. insert this in your filter:

(!userAccountControl:1.2.840.113556.1.4.803:=2)

So if your earlier filter looked something like:

(&(objectClass=user)(homeMDB=*)(department=Finance))

The modified filter looks like this:

(&(objectClass=user)(homeMDB=*)(department=Finance)
(!userAccountControl:1.2.840.113556.1.4.803:=2))

If you used the GUI to create the filter, you will need to make this change using ADSIEdit.
1. Start ADSIEdit and locate the QBDG | Properties
2. Modify the msExchDynamicDLFilter attribute as shown in the above example.