Friday, January 13, 2006


Query-based Distribution Groups and Disabled Users

Posted by Bharat Suneja at 6:33 PM
Another issue with Query-based Distribution Groups: when admins create these, typically using a GUI, there's no obvious way of excluding disabled user accounts. Even if you enter the LDAP filter manually using Custom Search, it's easy to forget about excluding disabled users.

End result: users sending mail to QBDGs complain about getting NDRs from disabled users.

To prevent this, you need to change the LDAP filter of the QBDG and insert a bitwise filter (MS KBA 269181) for the userAccountControl attribute, which indicates, amongst other things, whether a user account is enabled or disabled. Here's how you do it.

If you used Custom Search to manually enter the LDAP filter when creating the QBDG:
1. Start AD Users & Computers console, locate the group | Properties | click Customize | go to the Advanced tab.
2. Insert this in your filter:


So if your earlier filter looked something like:


The modified filter looks like this:


If you used the GUI to create the filter, you will need to make this change using ADSIEdit.
1. Start ADSIEdit and locate the QBDG | Properties
2. Modify the msExchDynamicDLFilter attribute as shown in the above example.
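
As an added example (not code from the original post), the Python sketch below wraps an existing QBDG filter with a disabled-account exclusion and models what the bitwise AND matching rule (OID 1.2.840.113556.1.4.803) evaluates against userAccountControl. The sample filter, user names and values are constructed, and the function names are hypothetical.

```python
# Added example: sample filter and accounts are constructed, not from the post.
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x2                # userAccountControl bit set on disabled accounts
EXCLUDE_DISABLED = f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE}))"


def balanced(ldap_filter):
    """True when the text is exactly one parenthesised filter expression."""
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # Closing before opening, or closing the outer pair early, is invalid.
            if depth < 0 or (depth == 0 and i != len(ldap_filter) - 1):
                return False
    return depth == 0 and ldap_filter.startswith("(")


def exclude_disabled(ldap_filter):
    """AND the existing filter with the 'not disabled' clause (idempotent)."""
    f = ldap_filter.strip()
    if not balanced(f):
        raise ValueError("not a single parenthesised LDAP filter")
    if EXCLUDE_DISABLED.lower() in f.lower():
        return f  # clause already present, do not nest it again
    return f"(&{f}{EXCLUDE_DISABLED})"


def bit_and_match(uac, mask=ACCOUNTDISABLE):
    """What the BIT_AND rule tests: every bit of mask is set in the attribute."""
    return uac & mask == mask


def members(users):
    """Names a filter with the exclusion clause would still return."""
    return sorted(name for name, uac in users.items() if not bit_and_match(uac))


# Constructed sample data: 512 = normal account, 66048 = normal + password
# never expires; 514 and 66050 are the same two accounts types when disabled.
SAMPLE_FILTER = "(&(objectCategory=person)(objectClass=user)(mailNickname=*))"
SAMPLE_USERS = {"alice": 512, "bob": 514, "carol": 66048, "dave": 66050}

if __name__ == "__main__":
    print(exclude_disabled(SAMPLE_FILTER))
    print(members(SAMPLE_USERS))
```

A plain equality test such as `(userAccountControl=514)` would miss the constructed account `dave` (66050), which is why the bitwise rule is used instead.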



December 7, 2007 1:52 PM
Blogger - Matt said...

Seen this article: http://technet.microsoft.com/en-us/library/aa996205.aspx

Where they used this: (msExchUserAccountControl=2) to exclude disabled users as well. It also works.

Anyone understand what the difference is?

Thanks. - Matt

August 5, 2008 1:53 PM
Blogger Bharat Suneja said...


UserAccountControl is an AD attribute which provides a lot of information (that is, can have many values such as account disabled, locked out, password not required...). It's a bitmask, hence the weird-looking format. More details about UserAccountControl.

msExchUserAccountControl is a simpler attribute used by Exchange to determine whether to use the objectSID (if account enabled) or the msExchMasterAccountSID (when account is disabled). It has only 2 values:
0 = enabled
2 = disabled

More info in KB 296479: XADM: Requirements for Disabling the Recipient Update Service

August 12, 2009 11:11 AM
Blogger Mark said...

This does not work for Exchange 2003. You cannot directly modify the filter that I can tell. Only select fields from pull down.

August 12, 2009 11:16 AM
Blogger Bharat Suneja said...

@Mark: As noted in the post, if you used Custom Search to manually type the filter, you can edit it. If you used the GUI and selected fields from the drop-down, you'll have to use ADSIEdit to edit the filter.

Sorry, don't have a box with Exchange 2003 around to provide more details.

