Another issue with Query-based Distribution Groups (QBDGs): when admins create these, typically using the GUI, there is no obvious way to exclude disabled user accounts. Even if you enter the LDAP filter manually using Custom Search, it's easy to forget to exclude disabled users.
End result: users sending mail to QBDGs complain about getting NDRs from disabled users.
To prevent this, you need to change the LDAP filter of the QBDG and insert a bit-wise filter (MS KBA 269181) on the userAccountControl attribute, which indicates, amongst other things, whether a user account is enabled or disabled (bit 0x2, ACCOUNTDISABLE). Here's how you do it.
If you used Custom Search to manually enter the ldap filter when creating the QBDG:
1. Start AD Users & Computers console, locate the group | Properties | click Customize | go to the Advanced tab.
2. Insert this in your filter:
(!userAccountControl:1.2.840.113556.1.4.803:=2)
So if your earlier filter looked something like:
(&(objectClass=user)(homeMDB=*)(department=Finance))
the modified filter looks like this:
(&(objectClass=user)(homeMDB=*)(department=Finance)(!userAccountControl:1.2.840.113556.1.4.803:=2))
If you used the GUI to create the filter, you will need to make this change using ADSIEdit.
1. Start ADSIEdit and locate the QBDG | Properties
2. Modify the msExchDynamicDLFilter attribute as shown in the above example.
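To see what the bitwise clause actually does before pasting it into ADSIEdit, here is an added Python example (not code from the original post or from Exchange) that parses the filters shown above and evaluates them against a handful of constructed user entries. It implements both matching rules from KB 269181, LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) and LDAP_MATCHING_RULE_BIT_OR (1.2.840.113556.1.4.804), so it goes a little beyond the single rule used in the post. The sample entries, their attribute values and the names are made up for the demonstration; bit 0x2 of userAccountControl being ACCOUNTDISABLE is the documented meaning.

```python
"""Evaluate the subset of LDAP filter syntax used in QBDG filters, including
the AD bitwise matching rules from KB 269181.  Added example, not from the post."""
from __future__ import annotations

from typing import Any

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # every bit of the mask set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any bit of the mask set
ACCOUNTDISABLE = 0x0002  # userAccountControl flag: account is disabled


def _skip_ws(s: str, i: int) -> int:
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _parse_item(s: str, i: int) -> tuple[tuple, int]:
    """Parse one 'attr=value' item; returns the node and the index of its ')'."""
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    if attr.endswith(":"):                       # extensible match: attr:ruleOID:=value
        attr, rule = attr[:-1].split(":", 1)
        return ("ext", attr, rule, value), end
    if value == "*":                             # presence test: attr=*
        return ("present", attr), end
    return ("eq", attr, value), end


def _parse(s: str, i: int) -> tuple[tuple, int]:
    i = _skip_ws(s, i)
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    if s[i] in "&|":
        op, children, i = s[i], [], _skip_ws(s, i + 1)
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
            i = _skip_ws(s, i)
        node = (op, children)
    elif s[i] == "!":
        i = _skip_ws(s, i + 1)
        # RFC 4515 writes (!(attr=val)); AD also accepts the (!attr=val)
        # shorthand used in the post and in KB 269181, so accept both.
        if i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
        else:
            child, i = _parse_item(s, i)
        node = ("!", child)
    else:
        node, i = _parse_item(s, i)
    i = _skip_ws(s, i)
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def parse_filter(text: str) -> tuple:
    node, i = _parse(text, 0)
    if _skip_ws(text, i) != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _values(entry: dict[str, Any], attr: str) -> list[Any]:
    """Attribute lookup; LDAP attribute names are case-insensitive."""
    for name, val in entry.items():
        if name.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(node: tuple, entry: dict[str, Any]) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    if kind == "present":
        return bool(_values(entry, node[1]))
    if kind == "eq":
        return any(str(v).lower() == node[2].lower() for v in _values(entry, node[1]))
    if kind == "ext":
        _, attr, rule, value = node
        mask, vals = int(value), [int(v) for v in _values(entry, attr)]
        if rule == LDAP_MATCHING_RULE_BIT_AND:
            return any(v & mask == mask for v in vals)
        if rule == LDAP_MATCHING_RULE_BIT_OR:
            return any(v & mask for v in vals)
        raise ValueError(f"unsupported matching rule {rule}")
    raise ValueError(f"unknown node type {kind}")


def members(filter_text: str, entries: list[dict[str, Any]]) -> list[str]:
    """Names (cn) of the entries the QBDG filter would expand to."""
    node = parse_filter(filter_text)
    return [e["cn"] for e in entries if matches(node, e)]


# Constructed sample entries standing in for AD user objects (not real data).
_MDB = "CN=Mailbox Store,CN=SRV1,DC=example,DC=com"   # made-up homeMDB value
SAMPLE_USERS = [
    {"cn": "Alice", "objectClass": ["top", "person", "user"], "homeMDB": _MDB,
     "department": "Finance", "userAccountControl": 512},            # normal account
    {"cn": "Bob", "objectClass": ["top", "person", "user"], "homeMDB": _MDB,
     "department": "Finance", "userAccountControl": 512 | ACCOUNTDISABLE},  # disabled
    {"cn": "Carol", "objectClass": ["top", "person", "user"], "homeMDB": _MDB,
     "department": "Sales", "userAccountControl": 512},              # wrong department
    {"cn": "Dave", "objectClass": ["top", "person", "user"],
     "department": "Finance", "userAccountControl": 512 | 0x10000},  # no mailbox, DONT_EXPIRE_PASSWD
]

ORIGINAL_FILTER = "(&(objectClass=user)(homeMDB=*)(department=Finance))"
FIXED_FILTER = ("(&(objectClass=user)(homeMDB=*)(department=Finance)"
                "(!userAccountControl:1.2.840.113556.1.4.803:=2))")

if __name__ == "__main__":
    print("original filter expands to:", members(ORIGINAL_FILTER, SAMPLE_USERS))
    print("fixed filter expands to:   ", members(FIXED_FILTER, SAMPLE_USERS))
```

The evaluator treats a missing attribute as not matching, so a negated clause such as `(!userAccountControl:...:=2)` on its own would match objects that carry no userAccountControl at all (contacts, for instance); that is why the rest of the filter keeps `(objectClass=user)` in front of it. Whitespace between clauses is ignored, so a filter pasted with a line break, as in the post, parses the same as the single-line form.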
Labels: AD/LDAP, Administration
4 Comments:
Seen this article: http://technet.microsoft.com/en-us/library/aa996205.aspx
Where they used this: (msExchUserAccountControl=2) to exclude disabled users as well. It also works.
Anyone understand what the difference is?
Thanks. - Matt
@Matt,
UserAccountControl is an AD attribute which provides a lot of information (that is, it can have many values such as account disabled, locked out, password not required...). It's a bitmask, hence the weird-looking filter format. More details about UserAccountControl.
msExchUserAccountControl is a simpler attribute used by Exchange to determine whether to use the objectSID (if account enabled) or the msExchMasterAccountSID (when account is disabled). It has only 2 values:
0 = enabled
2 = disabled
More info in KB 296479: XADM: Requirements for Disabling the Recipient Update Service
This does not work for Exchange 2003. You cannot directly modify the filter that I can tell. Only select fields from pull down.
@Mark: As noted in the post, if you used Custom Search to manually type the filter, you can edit it. If you used the GUI and selected fields from the drop-down, you'll have to use ADSIEdit to edit the filter.
Sorry, don't have a box with Exchange 2003 around to provide more details.