Adventures with OPATH filters in Exchange 2007 and some annoyances if you’re used to LDAP

by Bharat Suneja

If you’ve deployed or have been testing Exchange Server 2007, you have certainly crossed paths with OPATH. OPATH is a query language, somewhat similar to SQL. It is used to filter objects in PowerShell. OPATH filters replace the LDAP filters for EmailAddressPolicies (equivalent of Recipient Policies), Address Lists/GAL, and Dynamic Distribution Groups (aka “Query-Based Distribution Groups”) in Exchange Server 2007.

There are some good posts about OPATH on the Exchange team blog, including the introductory post “OPATH recipient filtering for Exchange Server 2007” by Evan Dodds. (Evan has more on his blog.)

If you achieved some degree of expertise, or familiarity, with LDAP filters in Exchange Server 2003/2000 and Active Directory, it’s going to be difficult to fall in love with OPATH. It is meant to make things easier for administrators, and it certainly will for many. However, it still feels like a version 1.0 product that has its limitations.

I will mention a scenario here that illustrates this limitation. It is very common for Exchange 2003/2000 users to use group membership as a basis to apply Recipient Policies, or filter Address Lists/GAL. Some admins also use group memberships to create consolidated Query-based Distribution Groups. OPATH filters cannot use the memberOf attribute, so group membership cannot be used in any filters!

In fact, OPATH filters do not expose all recipient attributes that can be used in LDAP filters, making the transition from LDAP filters in previous versions to OPATH not as straightforward as one would have liked.

There are other inconsistencies as well. For instance, though Exchange shell commands will understand which Store you’re referring to by using the syntax ServerName\Storage Group Name\Store Name (or simply Store Name if it’s a unique Store, or Storage Group Name\Store Name if it’s a unique Storage Group name), OPATH filters will not. They still require the distinguishedName of the Store.

In this scenario, a user’s trying to apply Journaling to a particular Store, but the requirement is to locate the journaling mailbox on the same Store, and exclude that mailbox from journaling. The good news – Exchange Server 2007 has enhanced journaling that will let you meet such requirements. You can journal based on group memberships. The solution seems to be an easy one: create a Dynamic Distribution Group that picks up all mailboxes on that Store, except the journaling mailbox.

Using LDAP filters, this would look like:

(&(objectClass=user)(mailNickname=*)(homeMDB=distinguishedName of Store)(!(name=JournalMailbox)))

– where JournalMailbox is the name of the journaling mailbox. The filter picks up all users whose homeMDB attribute (the distinguishedName of a mailbox Store) points to a particular mailbox Store, and excludes the user called JournalMailbox.

Using a PowerShell command with an OPATH filter to create this Dynamic Distribution Group:

New-DynamicDistributionGroup "Group Name" -OrganizationalUnit "ou=Distribution Groups, DC=E12Labs, DC=com" -RecipientContainer "dc=e12labs,dc=com" -RecipientFilter {(RecipientType -eq 'UserMailbox' -and database -eq "CN=Mailbox Database, CN=First Storage Group, CN=InformationStore, CN=E12Postcard, CN=Servers, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Administrative Groups, CN=E12Labs, DC=com" -and -not (name -like 'JournalMailbox'))}

For a while, I kept feeding the identity of the mailbox database – “E12POSTCARD\First Storage Group\Mailbox Database” – but couldn’t get any combination thereof to work. This format is commonly used in Exchange shell commands, e.g. to list all mailboxes on that mailbox Store:

Get-MailboxDatabase "E12Postcard\First Storage Group\Mailbox Database" | Get-Mailbox

What I liked about using OPATH filters in the shell: it automatically modifies your filter to exclude System Mailbox and CAS_ mailbox.

Next, how do you preview which users are being picked up by this filter? Exchange Server 2003/2000, and AD Users & Computers (in Windows Server 2003) let you preview which recipients are picked up when you create an LDAP filter. There’s no equivalent of the preview feature in Exchange shell. Not a problem, let’s head over to the Exchange console to preview, you say.

In the console | Dynamic Distribution Group properties | Filter tab shows you the filter used, and the fact that it was a custom filter created using PowerShell. No Preview button here. On the Conditions tab – which is used to select from the “precanned” filter conditions – the Preview button is grayed out, possibly because this is a custom filter.

What are the ways to test whether the group picks up the right users/mailboxes, and more importantly in this case – since we’re going to use this group to apply enhanced journaling, whether it excludes the JournalMailbox?

Perhaps using the Saved Queries feature in AD Users & Computers console would be a good idea! Dynamic Distribution Groups save the filter in two attributes – 1) msExchQueryFilter attribute holds the OPATH filter that you may have entered in the shell when creating the group, and 2) msExchDynamicDLFilter attribute holds the LDAP filter. The shell converts your OPATH filter to the familiar LDAP filter syntax that we’re used to and stores it in this attribute. Previewing the group is now as simple as copying the group’s msExchDynamicDLFilter attribute, and pasting it into Saved Queries in ADUC, you think.

However, this may not work in some conditions. Here’s the particular one that I came across. Exchange Server 2007 does create one Administrative Group called Administrative Group (FYDIBOHF23SPDLT). (In case you’re wondering, the latter string in the brackets can be decoded to Exchange12Rocks – read “The Secret Decoder Ring – The Hidden Truth in the Exchange 2007 Admin and Routing Group Names” on the team blog for more details.) All Exchange Server 2007 servers reside in this single Administrative Group.

When converting the filter, the shell actually changed the brackets ( and ) to what look like their ASCII codes – \28 and \29, so it looks like Exchange Administrative Group \28FYDIBOHF23SPDLT\29. It took me a little while to figure this out, and make the necessary change in Saved Queries. Once this was done, I could preview the recipients picked up by the Dynamic Distribution Group.
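The \28 and \29 sequences are the escaped forms that RFC 4515 defines for ( and ) inside an LDAP filter value: a backslash followed by the character’s two hex digits. The following is an added example, not code from the original post, that escapes and unescapes such a value so a distinguishedName containing brackets can be placed in a filter without changing the filter’s structure. The function names are hypothetical, and the distinguishedName is the one quoted in the command above.

```powershell
# Added example: RFC 4515 escaping of a value placed inside an LDAP filter.
# Function names are hypothetical; the DN is copied from the post as written.

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape \ * ( ) and NUL as a backslash followed by two hex digits.
    $out = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($c) -ge 0 -or [int]$c -eq 0) {
            [void]$out.AppendFormat('\{0:x2}', [int]$c)
        } else {
            [void]$out.Append($c)
        }
    }
    $out.ToString()
}

function ConvertFrom-LdapFilterValue([string]$Value) {
    # Turn every \XX hex pair back into the character it stands for.
    [regex]::Replace($Value, '\\([0-9a-fA-F]{2})', {
        param($m)
        [string][char][Convert]::ToInt32($m.Groups[1].Value, 16)
    })
}

$storeDn = 'CN=Mailbox Database, CN=First Storage Group, CN=InformationStore, ' +
           'CN=E12Postcard, CN=Servers, ' +
           'CN=Exchange Administrative Group (FYDIBOHF23SPDLT), ' +
           'CN=Administrative Groups, CN=E12Labs, DC=com'

$escaped = ConvertTo-LdapFilterValue $storeDn

# The brackets in the DN are now \28 and \29, so they can no longer be
# mistaken for the brackets that delimit the filter's own clauses.
$filter = "(&(objectClass=user)(mailNickname=*)(homeMDB=$escaped)(!(name=JournalMailbox)))"
$filter

# Round trip: unescaping must return the original DN exactly (case-sensitive).
if ((ConvertFrom-LdapFilterValue $escaped) -cne $storeDn) {
    throw 'Round trip failed: unescaped value differs from the original DN'
}
```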

That’s a good workaround, albeit a little painful one if you weren’t aware of some of these quirks. Making the Preview feature in Exchange console work with custom queries would have made things a lot easier, and that’s on my wishlist for SP1. Additionally, a shell equivalent (of Preview) will be quite welcome since custom queries can only be used from the shell.

Another value-add would be ability to use LDAP filters and have the shell convert these to OPATH filters, just as it does the OPATH to LDAP filter conversion. This would make things a lot easier for folks used to or familiar with LDAP filters.

Meanwhile, it would be great to have these quirks and workarounds documented. Something like a Guide to OPATH Filters if you’re used to LDAP.

Update 5/30/2007: After the post was published, I found that the ability to view Dynamic Distribution Group “membership” (or rather, the recipients returned by its query) using the shell is included in the product documentation: “How to View Members of a Dynamic Distribution Group”.
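A shell preview along those lines, as an added example that is not taken from the original post or quoted from the product documentation: it resolves the group’s stored filter with Get-Recipient and checks that the journaling mailbox is not among the results before the group is used for journaling. It assumes the Exchange Management Shell and the names “Group Name” and “JournalMailbox” used earlier in the post.

```powershell
# Added example; run in the Exchange Management Shell.
# 'Group Name' and 'JournalMailbox' are the names used earlier in the post.
$groupName   = 'Group Name'
$journalName = 'JournalMailbox'

$ddg = Get-DynamicDistributionGroup -Identity $groupName

# Show the OPATH filter and the LDAP filter the shell generated from it.
$ddg | Format-List Name, RecipientContainer, RecipientFilter, LdapRecipientFilter

# Resolve the filter the same way the group would, scoped to its container.
$members = @(Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
    -OrganizationalUnit $ddg.RecipientContainer -ResultSize Unlimited)

'{0} recipient(s) returned by the filter of "{1}"' -f $members.Count, $ddg.Name
$members | Sort-Object Name |
    Format-Table Name, RecipientType, PrimarySmtpAddress -AutoSize

# The journaling mailbox must not be a member of the group it journals for.
$leak = @($members | Where-Object { $_.Name -eq $journalName })
if ($leak.Count -gt 0) {
    Write-Warning ('{0} is still returned by the filter; fix the exclusion before enabling journaling.' -f $journalName)
} else {
    '{0} is excluded from the group.' -f $journalName
}
```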


cheap computers October 18, 2009 at 2:08 am

This would make things a lot easier for folks used to or familiar with LDAP filters.


Anonymous January 18, 2014 at 12:16 am

Do you know of a way to create an Exchange 2010 dynamic distribution list that will query the AD attribute: division?

division seems to be a non queryable attribute in AD. (by exchange 2010)

