memberOf Attribute can now be used in OPATH filters!

by Bharat Suneja

I’ve blogged about OPATH filters before [read previous post “Adventures with OPATH: some annoyances if you’re used to LDAP“], and one of the annoyances was the the fact that it wasn’t possible to use the memberOf attribute to pick up (or exclude) members of certain groups from all the stuff that uses OPATH filters such as EmailAddressPolicies, Address Lists, and Dynamic Distribution Groups.

Evan Dodds has some good news today – it seems this did get included in RTM!

Things to know before you start using memberOf attribute in filters
Before you set out to use it in your OPATH filters, consider the following:

1 It’s generally not advisable to use the memberOf attribute to filter stuff, because it’s a back-linked attribute. (Nevertheless, in many situations, the use of this attribute to filter recipients is inevitable). Using back-linked attributes is not very efficient from an AD perspective, and thus best avoided if possible. So what are back-linked attributes? If you answered “an attribute that’s not a forward-linked attribute” you wouldn’t be too off the mark :)

Jokes aside, back-linked attributes like memberOf only get generated when they are accessed. In other words, they are not stored in the AD object you’re accessing. For instance, the memberOf attribute of a user/contact/group is generated from the member attribute of groups. Does the low-performance part make more sense now?

2 Unlike LDAP filters, the actual attribute name – memberOf is not used in OPATH filters. The filterable property name for OPATH filters is MemberOfGroup.

3 Like LDAP filters, you need to specify the distinguishedName of the group you want to use. For example:

“MemberOfGroup -eq ‘CN=Sales,OU=Distribution Groups,DC=e12labs, DC=com'”

Evan just blogged about this – read more about it on his blog, including his example that shows you how to get the distinguishedName of a group in a variable, and uses the variable in the recipient filter.

This is great news, and a big help for folks who need to use group memberships in a recipient filter.

{ 3 comments… read them below or add one }

Ammo September 5, 2007 at 11:17 am

I am trying to creat a new EAP but I keeps on failing. What am I doing wrong?

[PS] C:\>new-emailaddresspolicy -name “Pilot E12 Corporate” -enabledprimarysmtpt
emplate smtp:%1g%[email protected] -RecipientFilter “MemberOfGroup -eq ‘CN=E12 User
s,OU=Groups,OU=000,OU=Campuses,DC=cec,DC=root,DC=careered,DC=com'” -Priority 110

I get the error:
New-EmailAddressPolicy : Parameter set cannot be resolved using the specified n
amed parameters.
At line:1 char:23
+ new-emailaddresspolicy <<<< -name "Pilot E12 Corporate" -enabledprimarysmtpt
emplate smtp:%1g%[email protected] -RecipientFilter “MemberOfGroup -eq ‘CN=E12 Use
rs,OU=Groups,OU=000,OU=Campuses,DC=cec,DC=root,DC=careered,DC=com'” -Priority 1
10

Please help,
Ammo

Reply

Bharat Suneja September 5, 2007 at 1:37 pm

Worked for me (with group DN, AcceptedDomain and EAP name substituted for mine). What’s the highest priority EAP in your Org? Try changing priority to something higher than that (e.g. if existing EAP is 1, make this 2).

Reply

Anonymous December 29, 2009 at 5:46 am

try "smtp:%1g%[email protected]"

Reply

Leave a Comment

Previous post:

Next post: