Another AcceptMessagesOnlyFrom issue

    Question

  • Let me start by saying that I have already spent most of the day reading articles on issues similar to mine but not exactly, so here goes the backstory for my situation.  In my organization, we have automatic processes that create and terminate user accounts and mailboxes.  When someone leaves, the mailbox is disabled and the user account is moved to a terminated OU.  If the user was added to the AcceptMessagesOnlyFrom permission on Distribution Groups, it still shows up in PowerShell but not in the EMC.  The DL has to be edited with PowerShell to remove the terminated accounts.  There are several thousand DL's in the organization so searching them individually would be a huge task.  I have tried to search based on the -ExpandProperty AcceptMessagesOnlyFrom, but the result I get is an entry for each of the accounts assigned to this property.  

    The query I was using is "Get-DistributionGroup -Resultsize unlimited | select samaccountname -ExpandProperty AcceptMessagesOnlyFrom | Out-File -FilePath c:\acceptmail.txt -encoding ascii"

    The repeating output is in this format:

    AcceptMessagesOnlyFrom : {Domain.local/_Terminations/UserName}
    IsDeleted              : False
    Rdn                    : CN=DistributionGroupName
    Parent                 : Domain.local/_Terminations/
    Depth                  : 5
    DistinguishedName      : CN=UserName,OU=_Terminations,DC=Domain,DC=local
    IsRelativeDn           : False
    DomainId               : Domain.local
    ObjectGuid             : 00000000-0000-0000-0000-000000000000
    Name                   : UserName

    How can I search for any account listed in the AcceptMessagesOnlyFrom field that resides in the _terminations OU and subsequently remove that account while leaving the active accounts in the list?


    Tuesday, April 18, 2017 9:49 PM

All replies

  • Hi,

    If the users are in that OU, then it's quite simple to use a script to remove users in the Terminations OU from AcceptMessagesOnlyFrom for all distribution groups. Here is that script:

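    # For every user in the _Terminations OU, remove that user from
    # AcceptMessagesOnlyFrom on all distribution groups.
    $Users = Get-User -OrganizationalUnit _Terminations
    Foreach ($User in $Users){
        $Identity = $User.Identity
        Get-DistributionGroup | Set-DistributionGroup -AcceptMessagesOnlyFrom @{remove="$Identity"}
    }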

    Since those users are mail disabled, use this script instead.

    # Same loop, but mail enable each user before the removal and
    # disable the mailbox again afterwards.
    $Users = Get-User -OrganizationalUnit _Terminations
    Foreach ($User in $Users){
        Enable-Mailbox $User.name
        $Identity = $User.Identity
        Get-DistributionGroup | Set-DistributionGroup -AcceptMessagesOnlyFrom @{remove="$Identity"}
        Disable-Mailbox $User.name -Confirm:$false
    }

    Note: It's better to schedule this script during non-working hours. If there are too many users in that OU, it might run for some time.


    Best Regards,

    Lynn-Li
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 19, 2017 9:38 AM
    Moderator
  • I never thought of approaching it from that angle since there are close to 100,000 objects in the terminations OU.  It seemed that searching the distribution groups for terminated users was the way to go.  Also, I don't believe you have to mail enable the terminated account to remove it from the property.  I have been removing the deleted ones individually by putting the good accounts in a .txt file and storing it as a variable, then setting the property from that list.  I'll try it out and let you know how it goes.
    Wednesday, April 19, 2017 1:37 PM
  • Ok, waiting for good news.

    Actually, I tried to remove a mail-disabled user account from AcceptMessagesOnlyFrom, but it failed with this error. I must mail enable this user account, then remove this user mailbox from AcceptMessagesOnlyFrom.

    By the way, the following command will help you to find the distribution groups for terminated users quickly.

    Get-DistributionGroup | ?{$_.AcceptMessagesOnlyFrom -like "Domain.local/_Terminations*"} | Fl Name,AcceptMessagesOnlyFrom


    Best Regards,

    Lynn-Li
    TechNet Community Support



    Thursday, April 20, 2017 2:03 AM
    Moderator
  • Ok, from your first reply, I wanted to see how many there were without taking action so I modified your query to:  

    $Users = Get-User -OrganizationalUnit _Terminations
    Foreach ($User in $Users){
        $Identity = $User.Identity
        Get-DistributionGroup -resultsize unlimited -OrganizationalUnit "Domain.local/Groups/Distribution Groups" |?{$_.AcceptMessagesOnlyFrom -like "$Identity"}
    }

    I ran it about 9am yesterday.  It's still running...  This may not be uncommon because our AD engineer says he has scripts that take 4 days to run.

    There's no way I'll get approval to mail enable each of those accounts just to remove them from this property on the DL.  There is a possibility we continue to address them on a case by case basis.

    Thursday, April 20, 2017 2:23 PM
  • This query at least gave me a good list of DL's with terminated users.

    Get-DistributionGroup -resultsize unlimited | ?{$_.AcceptMessagesOnlyFrom -like "domain.local/_Terminations*"} | Ft -auto Name,AcceptMessagesOnlyFrom >> c:\terms.txt

    • Edited by Aridaen Thursday, April 20, 2017 2:28 PM
    Thursday, April 20, 2017 2:27 PM

  • There's no way I'll get approval to mail enable each of those accounts just to remove them from this property on the DL.  There is a possibility we continue to address them on a case by case basis.

    If there's no way, then you need to go to ADUC, find each distribution group that is listed in terms.txt, and edit the 'authOrig' attribute for each of them.

    The 'authOrig' attribute restricts which senders can send messages to the specified distribution group.

    If you need help using a script to remove terminated users from AcceptMessagesOnlyFrom, please share the results in terms.txt, and I will try to create a script.


    Best Regards,

    Lynn-Li
    TechNet Community Support



    Friday, April 21, 2017 2:21 AM
    Moderator
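
A single pass over the groups, instead of one group query per terminated user, as an added example that is not part of any reply in this thread. It rewrites the property from the senders to keep, which is what the original poster describes doing by hand; `Split-SenderList` and `Remove-TerminatedSender` are hypothetical names, and the code assumes each AcceptMessagesOnlyFrom entry exposes `DistinguishedName` as in the output shown in the question.

```powershell
# Added example, not from the thread. The OU DN comes from the sample output
# in the question; both function names are hypothetical.
$TermOuDn = 'OU=_Terminations,DC=Domain,DC=local'

function Split-SenderList {
    # Partition sender DNs into those under $StaleOuDn (at any depth) and the rest.
    # EndsWith is used instead of -like so characters such as [ ] in a DN are literal.
    param([string[]]$SenderDn, [string]$StaleOuDn)
    $suffix = ",$StaleOuDn"
    $cmp = [StringComparison]::OrdinalIgnoreCase
    New-Object PSObject -Property @{
        Stale = @($SenderDn | Where-Object { $_.EndsWith($suffix, $cmp) })
        Keep  = @($SenderDn | Where-Object { -not $_.EndsWith($suffix, $cmp) })
    }
}

function Remove-TerminatedSender {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$StaleOuDn = $TermOuDn)

    # Collect the groups first: calling Set-* while Get-* is still streaming
    # can fail in a remote Exchange Management Shell session.
    $groups = @(Get-DistributionGroup -ResultSize Unlimited)

    foreach ($g in $groups) {
        $dns = @($g.AcceptMessagesOnlyFrom |
                 ForEach-Object { $_.DistinguishedName } | Where-Object { $_ })
        if ($dns.Count -eq 0) { continue }      # group has no sender restriction

        $split = Split-SenderList -SenderDn $dns -StaleOuDn $StaleOuDn
        if ($split.Stale.Count -eq 0) { continue }  # nothing terminated on this group

        # $null clears the restriction entirely, so the report below flags the
        # groups where no active sender is left; review those before committing.
        $newValue = if ($split.Keep.Count -gt 0) { $split.Keep } else { $null }
        if ($PSCmdlet.ShouldProcess($g.Name, "remove $($split.Stale.Count) terminated sender(s)")) {
            Set-DistributionGroup -Identity $g.DistinguishedName -AcceptMessagesOnlyFrom $newValue
        }
        New-Object PSObject -Property @{
            Group        = $g.Name
            Removed      = $split.Stale -join '; '
            RemainingCnt = $split.Keep.Count
        }
    }
}

# Preview only; drop -WhatIf to apply the changes.
# Remove-TerminatedSender -WhatIf | Export-Csv c:\terms-removed.csv -NoTypeInformation
```

A group whose `RemainingCnt` is 0 would end up accepting mail from any sender once the property is cleared, so those rows deserve a manual decision.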