Dynamic Distribution List - exclude disabled accounts

  • Question

  • Hi,

     

    I've used the script below to create a dynamic distribution list. However, when one of my users sends to this list, it includes disabled accounts. All my disabled accounts are in their own OU "domain.local/users/disabled". I thought UserAccountControl -ne '2' would exclude disabled accounts but it isn't excluding all of them; my user got a failed delivery receipt for about 7 users. I checked all of these and they are disabled and in the disabled OU. An easy workaround would be to exclude that OU. Is this possible without moving the OU out of the Users OU? Or is there anything else I can check?

     

    New-DynamicDistributionGroup -name "New List " -OrganizationalUnit "domain.local/users " -RecipientContainer "domain.local/lists " -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (Office -eq " 4th floor PLL") -and (UserAccountControl -ne '2'))}

    Tuesday, June 22, 2010 3:53 PM

Answers

  • This filter worked for me:

     

    New-DynamicDistributionGroup -name "New List " -OrganizationalUnit "domain.local/users " -RecipientContainer "domain.local/lists " -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (Office -eq " 4th floor PLL") -and -not(UserAccountControl -like 'AccountDisabled') )}


     


    Shay Levy [MVP]
    http://blogs.microsoft.co.il/blogs/ScriptFanatic
    PowerShell Toolbar
    • Edited by Shay Levi Thursday, June 24, 2010 8:55 AM typo
    • Marked as answer by Mervyn Zhang Friday, June 25, 2010 7:27 AM
    Wednesday, June 23, 2010 8:02 AM

All replies

  • A quick workaround would be to change the disabled user's office ;)

    Let me see if I can find any information on the recipientfilter.....

    Karl


    http://unlockpowershell.wordpress.com
    -join("6B61726C6D69747363686B65406D742E6E6574"-split"(?<=\G.{2})",19|%{[char][int]"0x$_"})
    Tuesday, June 22, 2010 7:17 PM
  • Check out "ExchangeUserAccountControl"

    -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (Office -eq " 4th floor PLL") -and (ExchangeUserAccountControl -ne 'AccountDisabled'))}

    Not sure if that will help?

    Karl


    http://unlockpowershell.wordpress.com
    -join("6B61726C6D69747363686B65406D742E6E6574"-split"(?<=\G.{2})",19|%{[char][int]"0x$_"})
    Tuesday, June 22, 2010 7:32 PM
  • I can't test this right now, but UserAccountControl is a bitmask of ADS_USER_ENUM values, so you wouldn't be able to use -eq.  You'll probably want something like

     

    (-not (UserAccountControl -band 2))

     

    Which does a bitwise AND to see if the ADS_UF_ACCOUNTDISABLE bit is set.

    Wednesday, June 23, 2010 1:49 AM
  • Thanks for the suggestions, I'll give those a try.
    Thursday, June 24, 2010 3:49 PM
  • I managed to work it out. The user account control property has to be like the following. This will exclude disabled accounts:

     

    -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (Office -like "*PLL") -and (UserAccountControl -ne 'AccountDisabled, NormalAccount'))}

    • Proposed as answer by Stugg Friday, May 31, 2013 6:26 PM
    Tuesday, June 29, 2010 8:15 AM
  • I managed to work it out. The user account control property has to be like the following. This will exclude disabled accounts:

     

    -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (Office -like "*PLL") -and (UserAccountControl -ne 'AccountDisabled, NormalAccount'))}

    What happens when you have accounts that have other properties that affect UserAccountControl, such as DoNotExpirePassword option?  In these cases this filter would fail because the UserAccountControl would read something like "AccountDisabled, NormalAccount, DoNotExpirePassword"  

    In these cases, I believe UserAccountControl -notlike '*AccountDisabled*' would be more appropriate.  With that said, I can't get any variation of this filter to work in my Exchange 2007 SP3 environment at all.  It's as if I cannot use the UserAccountControl to filter anything.  At least I have no means of previewing the recipients if such a filter is applied.

    Friday, May 23, 2014 9:01 PM
  • This filter worked for me:

     

    New-DynamicDistributionGroup -name "New List " -OrganizationalUnit "domain.local/users " -RecipientContainer "domain.local/lists " -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (Office -eq " 4th floor PLL") -and -not(UserAccountControl -like 'AccountDisabled') )}


     


    Shay Levy [MVP]
    http://blogs.microsoft.co.il/blogs/ScriptFanatic
    PowerShell Toolbar

    Are you sure this works?  Given many accounts have multiple UserAccountControl flags, wouldn't you have to use wildcards with the -like operator??

    At any rate I've tried this and it does not seem to work for me in my 2007 SP3 environment.  I've even tried with wildcards.

    Friday, May 23, 2014 9:03 PM
  • I have done more testing with this and have confirmed the proposed solution does not work.

    In order to use -like, you must use wildcards. Unfortunately, when using -like with OPATH filters, EMS actually tries to convert what you have typed into an actual UserAccountControl flag, which is an integer/bit value. As such you cannot use -like at all.

    You could use -not (UserAccountControl -eq 'AccountDisabled, NormalAccount'), which will translate to any useraccountcontrol flag that is NOT 514, but this completely ignores any other possible combinations of UserAccountControl flags.

    Unfortunately it seems OPATH does not support bitwise and/or operations so this will be impossible to query for UserAccountControl in the filter without specifying any and all possible combinations of "AccountDisabled" with all other possible UserAccountControl flags (e.g. password never expires).

    Why would MS exclude something like this?!

    Friday, October 24, 2014 8:31 PM
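
Added example, not part of any post in this thread: a self-contained PowerShell comparison of the equality tests discussed above (`-ne 2`, `-ne 514`) against a bit test on the raw userAccountControl integer. The account names and values are constructed sample data, and `Test-AccountDisabled` is a hypothetical helper name; the flag constants are the documented ADS_USER_FLAG_ENUM values.

```powershell
# Added example: runs offline, no Exchange or AD connection needed.
# Documented userAccountControl flag values (ADS_USER_FLAG_ENUM).
$ADS_UF_ACCOUNTDISABLE     = 0x0002
$ADS_UF_PASSWD_NOTREQD     = 0x0020
$ADS_UF_NORMAL_ACCOUNT     = 0x0200
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

# Hypothetical helper: true when the ACCOUNTDISABLE bit is set,
# regardless of which other flags accompany it.
function Test-AccountDisabled {
    param([Parameter(Mandatory)][int]$UserAccountControl)
    return (($UserAccountControl -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
}

# Constructed sample accounts covering common flag combinations.
$accounts = @(
    [pscustomobject]@{ Name = 'enabled-user'
                       UAC  = $ADS_UF_NORMAL_ACCOUNT }                                # 512
    [pscustomobject]@{ Name = 'disabled-plain'
                       UAC  = $ADS_UF_NORMAL_ACCOUNT -bor $ADS_UF_ACCOUNTDISABLE }    # 514
    [pscustomobject]@{ Name = 'disabled-pwd-never-expires'
                       UAC  = $ADS_UF_NORMAL_ACCOUNT -bor $ADS_UF_ACCOUNTDISABLE -bor
                              $ADS_UF_DONT_EXPIRE_PASSWD }                            # 66050
    [pscustomobject]@{ Name = 'disabled-pwd-not-required'
                       UAC  = $ADS_UF_NORMAL_ACCOUNT -bor $ADS_UF_ACCOUNTDISABLE -bor
                              $ADS_UF_PASSWD_NOTREQD }                                # 546
    [pscustomobject]@{ Name = 'enabled-pwd-never-expires'
                       UAC  = $ADS_UF_NORMAL_ACCOUNT -bor $ADS_UF_DONT_EXPIRE_PASSWD } # 66048
)

# For each account, show whether each style of test would keep it in the list.
# A disabled account with "True" in a column slips past that test.
$accounts | ForEach-Object {
    [pscustomobject]@{
        Name           = $_.Name
        UAC            = $_.UAC
        Disabled       = Test-AccountDisabled $_.UAC
        KeptBy_ne2     = ($_.UAC -ne 2)
        KeptBy_ne514   = ($_.UAC -ne 514)
        KeptBy_BitTest = -not (Test-AccountDisabled $_.UAC)
    }
} | Format-Table -AutoSize
```

Only the bit test drops every disabled account; the equality tests keep any disabled account whose combined value is not exactly the number compared against. Outside OPATH, an Active Directory LDAP filter can express the same bit test with the bitwise-AND matching rule, `(!(userAccountControl:1.2.840.113556.1.4.803:=2))`.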
  • I had some DDLs set up this way, but the problem I found with it is that when you try to view the membership using
    Get-Recipient -filter $DDL.recipientfilter

    I get an error:
    Cannot bind parameter 'Filter' to the target. Exception setting "Filter": ""ExchangeUserAccountControl" is not a recognized filterable property. For a complete list of filterable properties see the command help

    Looks like the 'ExchangeUserAccountControl' parameter works for DDL filters, but not for the Get-Recipient cmdlet.

    Now I'm looking for either an alternative way to check membership, or an alternative way to exclude disabled accounts.

    Wednesday, March 7, 2018 11:09 AM