Using MemberOf with -RecipientFilter
In the "Do I Really Need to Upgrade my Filters" blog post, several folks posted a question/comment asking about MemberOf. In Exchange 2003, it was possible to build an EAP/AL/GAL/DDG filter that took group membership into account as a criterion for inclusion in the filter. My initial response was that it's not possible in Exchange 2007, but it turns out that's not true.
Quick step back to make sure we're all thinking of the same scenario here... I'm talking about this scenario:
- Create a group... let's call it "testgroup"
- Create some mailboxes/mailcontacts, etc... add them to the group.
- Create an addresslist... let's call it "testAL"
- Now, make the membership of this AL (ie, its 'RecipientFilter') conditional on the recipient objects being part of ("memberOf") the group "testgroup".
Hmm, you probably get an error on step 4. Or, even more likely, you can't figure out how to specify the filter.
What makes this a little hard is two things:
First, if you do "Get-Mailbox" or "Get-User" you don't see MemberOf as an exposed property on these presentation objects. This is by design, as doing the lookups on an AD back-link (MemberOf is an AD back-link) is very low performance and not really required for anything I'm aware of (since you can just get this info from the forward direction). That said, checking the list of properties on the output presentation object is generally a good way to find out which properties are filterable. In this case, such an assumption will let you down.
Note: Based on the number of requests we've received on this point, we're putting together the list of filterable properties right now for a future UE update. I'll plan to blog them here shortly so that you can have more info on what properties are filterable. - Done! Here's the blog post: https://blogs.technet.com/evand/archive/2007/02/19/filterable-properties-in-exchange-2007-rtm.aspx
Second, even though MemberOf *IS* filterable, if you try to use "MemberOf" as the name of the filter-only property that represents the AD MemberOf schema entry, it fails. This is because the filterable property name is actually a little more verbose: MemberOfGroup. If you specify MemberOfGroup in the filter, it'll work great.
So, let's bring this all back together on MemberOfGroup and give an example:
[PS] D:\>$groupidentity = $(Get-DistributionGroup testgroup).Identity.DistinguishedName
[PS] D:\>$groupidentity
CN=testgroup,CN=Users,DC=domain,DC=com
[PS] D:\>Set-AddressList testAL -RecipientFilter "MemberOfGroup -eq '$groupidentity'"
[PS] D:\>Get-AddressList testAL
Name     DisplayName   RecipientFilter
----     -----------   ---------------
testAL   testAL        MemberOfGroup -eq 'domain.com/Users/testgroup'
Updated 2/14 - Talking with some folks after this post went live, it wasn't totally clear what I was doing just above with the $groupidentity variable. Excellent observation. Let's explain it:
MemberOfGroup filtering requires that you supply the full AD distinguished name of the group you're trying to filter against. This is an AD limitation, and it happens because you're really filtering this calculated back-link property from AD, not the simple concept of "memberOf" that we expose in Exchange.
So, rather than typing in the whole darn long DN, I just extracted it from the group object and dropped it into a variable that I could reuse in the RecipientFilter. Bravo PowerShell!
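The same steps with a check before the filter is committed, as an added example that is not part of the original post: it resolves the group DN, previews what the MemberOfGroup filter matches, and compares that with the group's direct members. It assumes the Exchange Management Shell; Set-GroupBasedAddressList is a hypothetical helper name, and testgroup/testAL are the names used above.

```powershell
# Added example (not from the original post). Set-GroupBasedAddressList is a
# hypothetical helper; run it in the Exchange Management Shell.
function Set-GroupBasedAddressList {
    param([string]$GroupName, [string]$AddressListName, [switch]$Apply)

    # Resolve exactly one group. A missing or ambiguous name must not end up
    # as a filter that silently matches nothing or the wrong group.
    $groups = @(Get-DistributionGroup -Identity $GroupName -ErrorAction Stop)
    if ($groups.Count -ne 1) {
        throw "Expected one group for '$GroupName', found $($groups.Count)."
    }
    $dn = $groups[0].DistinguishedName

    # The DN is spliced into a single-quoted OPATH value. Refuse a DN that
    # contains a single quote instead of building a malformed filter.
    if ($dn.Contains("'")) { throw "Group DN contains a single quote: $dn" }
    $filter = "MemberOfGroup -eq '$dn'"

    # Preview the recipients the filter selects, without changing anything.
    $matched = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited |
        ForEach-Object { $_.DistinguishedName })
    $members = @(Get-DistributionGroupMember -Identity $dn -ResultSize Unlimited |
        ForEach-Object { $_.DistinguishedName })

    # Differences in either direction are listed for the operator to review.
    $onlyInGroup  = @($members | Where-Object { $matched -notcontains $_ })
    $onlyInFilter = @($matched | Where-Object { $members -notcontains $_ })
    Write-Host "Filter: $filter"
    Write-Host "Matched by filter: $($matched.Count); group members: $($members.Count)"
    $onlyInGroup  | ForEach-Object { Write-Warning "In group, not matched: $_" }
    $onlyInFilter | ForEach-Object { Write-Warning "Matched, not in group: $_" }

    if ($Apply) {
        Set-AddressList -Identity $AddressListName -RecipientFilter $filter
        # Update-AddressList applies the list to the existing recipients.
        Update-AddressList -Identity $AddressListName
    }
}

# Preview only:
#   Set-GroupBasedAddressList -GroupName testgroup -AddressListName testAL
# Commit after reviewing the output:
#   Set-GroupBasedAddressList -GroupName testgroup -AddressListName testAL -Apply
```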
Comments
Anonymous
January 01, 2003
Ryan - sorry you had this experience of struggling with MemberOfGroup and EAP! Although this filtering works fine with DDG and GAL/AL, it's true that using MemberOf filters with Email Address Policies does not work in all cases with Exchange 2007 RTM. This is a bug that will be fixed in SP1. Sorry for the hassle! Evan
Anonymous
January 01, 2003
Evan Dodds posted a very good reference kind of post on his blog - talking about what the filterable...
Anonymous
February 13, 2007
Thanks much for including memberOf attribute in OPATH filters - this will take care of a lot of folks who do use group memberships to apply policies. Cheers! Bharat
Anonymous
February 14, 2007
Another handy tip! Can't wait for that list of filterable properties - but will it also list the search methods for those (e.g. some don't allow a wildcard search).
Anonymous
March 12, 2007
Evan, thanks for this information. I've been waiting anxiously to see if Address Lists can be based on AD group membership and it's great to see that they can. Having seen it in action now, I do have one query. When are the address lists "generated"? I can force them to "Apply" manually at any time obviously - but how is this taken care of automatically? I've only just added some address lists based on the MemberOf attribute, but since changing a few users from one group to another the address lists are not changing based on the new group membership (not yet anyway). If I force an "Apply", they work fine. Will this ever happen automatically? I haven't left it for hours so maybe it will. If so what service is doing it, and what schedule does it run on? If they aren't updated automatically, does that mean every address list doesn't automatically update, regardless of the filter it is based on?
Anonymous
April 04, 2007
After several hours with Microsoft support, this does not appear to be supported or possible. In our Exchange 2007 environment, everything appears to be set up correctly, but the Email Policies never actually get applied to our users. Looks like we have to use Custom Attributes or some other solution instead of group memberships. Maybe Microsoft can correct this in future service packs, but as of right now, even Microsoft Support could not get it to work.