I've blogged about OPATH filters before [read previous post "Adventures with OPATH: some annoyances if you're used to LDAP"], and one of the annoyances was the the fact that it wasn't possible to use the memberOf attribute to pick up (or exclude) members of certain groups from all the stuff that uses OPATH filters such as EmailAddressPolicies, Address Lists, and Dynamic Distribution Groups.
Evan Dodds has some good news today - it seems this did get included in RTM!
Things to know before you start using memberOf attribute in filters
Before you set out to use it in your OPATH filters, consider the following:
It's generally not advisable to use the memberOf attribute to filter stuff, because it's a back-linked attribute. (Nevertheless, in many situations, the use of this attribute to filter recipients is inevitable). Using back-linked attributes is not very efficient from an AD perspective, and thus best avoided if possible. So what are back-linked attributes? If you answered "an attribute that's not a forward-linked attribute" you wouldn't be too off the mark :)
Jokes aside, back-linked attributes like memberOf only get generated when they are accessed. In other words, they are not stored in the AD object you're accessing. For instance, the memberOf attribute of a user/contact/group is generated from the member attribute of groups. Does the low-performance part make more sense now?
Unlike LDAP filters, the actual attribute name - memberOf is not used in OPATH filters. The filterable property name for OPATH filters is MemberOfGroup.
Like LDAP filters, you need to specify the distinguishedName of the group you want to use. For example:
This is great news, and a big help for folks who need to use group memberships in a recipient filter.
Evan Dodds has some good news today - it seems this did get included in RTM!
Things to know before you start using memberOf attribute in filters
Before you set out to use it in your OPATH filters, consider the following:
It's generally not advisable to use the memberOf attribute to filter stuff, because it's a back-linked attribute. (Nevertheless, in many situations, the use of this attribute to filter recipients is inevitable). Using back-linked attributes is not very efficient from an AD perspective, and thus best avoided if possible. So what are back-linked attributes? If you answered "an attribute that's not a forward-linked attribute" you wouldn't be too off the mark :)
Jokes aside, back-linked attributes like memberOf only get generated when they are accessed. In other words, they are not stored in the AD object you're accessing. For instance, the memberOf attribute of a user/contact/group is generated from the member attribute of groups. Does the low-performance part make more sense now?
Unlike LDAP filters, the actual attribute name - memberOf is not used in OPATH filters. The filterable property name for OPATH filters is MemberOfGroup.
Like LDAP filters, you need to specify the distinguishedName of the group you want to use. For example:
"MemberOfGroup -eq 'CN=Sales,OU=Distribution Groups,DC=e12labs, DC=com'"
Evan just blogged about this - read more about it on his blog, including his example that shows you how to get the distinguishedName of a group in a variable, and uses the variable in the recipient filter.This is great news, and a big help for folks who need to use group memberships in a recipient filter.
Labels: AD/LDAP, Administration, Exchange Server 2007, Exchange Shell, GAL/Address Lists
3 Comments:
I am trying to creat a new EAP but I keeps on failing. What am I doing wrong?
[PS] C:\>new-emailaddresspolicy -name "Pilot E12 Corporate" -enabledprimarysmtpt
emplate smtp:%1g%[email protected] -RecipientFilter "MemberOfGroup -eq 'CN=E12 User
s,OU=Groups,OU=000,OU=Campuses,DC=cec,DC=root,DC=careered,DC=com'" -Priority 110
I get the error:
New-EmailAddressPolicy : Parameter set cannot be resolved using the specified n
amed parameters.
At line:1 char:23
+ new-emailaddresspolicy <<<< -name "Pilot E12 Corporate" -enabledprimarysmtpt
emplate smtp:%1g%[email protected] -RecipientFilter "MemberOfGroup -eq 'CN=E12 Use
rs,OU=Groups,OU=000,OU=Campuses,DC=cec,DC=root,DC=careered,DC=com'" -Priority 1
10
Please help,
Ammo
Worked for me (with group DN, AcceptedDomain and EAP name substituted for mine). What's the highest priority EAP in your Org? Try changing priority to something higher than that (e.g. if existing EAP is 1, make this 2).
try "smtp:%1g%[email protected]"
Post a Comment
Links to this post:
Create a Link
<< Home