Bitwise OR Operator for RecipientFilter
Is there a way to apply a bitwise OR to an OPATH Recipient Filter? I would like to be able to filter disabled accounts out of some dynamic distribution lists that I have, and as far as I know, the only way to do this is to bitwise OR the value of the object's userAccountControl attribute with the ACCOUNTDISABLE constant (0x0002). According to http://technet.microsoft.com/en-us/library/bb738157%28EXCHG.80%29.aspx this attribute is filterable with OPATH, but it does no good without bitwise operators. I tried

    [PS] C:\Windows\system32>New-DynamicDistributionGroup -Name Test -RecipientFilter {((UserAccountControl -bor 2) -eq 0)}

but PowerShell says:

    New-DynamicDistributionGroup : Cannot bind parameter 'RecipientFilter' to the target. Exception setting "RecipientFilter": ""-bor" is not a valid operator. For a list of supported operators see the command help.
    "((UserAccountControl -bor 2) -eq 0)" at position 22."
    At line:1 char:57
    + New-DynamicDistributionGroup -Name Test -RecipientFilter <<<< {((UserAccountControl -bor 2) -eq 0)}
        + CategoryInfo : WriteError: (:) [New-DynamicDistributionGroup], ParameterBindingException
        + FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.Exchange.Management.RecipientTasks.NewDynamicDistributionGroup
January 5th, 2010 5:55pm

Unfortunately the RecipientFilter only supports logical operators and not binary operators. So, what you are trying to do is unfortunately not very easy. No function calls either so you can't do something like UserAccountControl.ToString().Contains("AccountDisabled") -ne 0. I think the only way to get the desired effect is to use logical operators with all permutations of flags that do not contain account disabled. e.g. RecipientFilter { (UserAccountControl -eq "NormalAccount" ) -or (UserAccountControl -eq "NormalAccount, DoNotExpirePassword") -or (UserAccountControl -eq "DoNotExpirePassword, CannotChangePassword") etc. } Hopefully I am wrong though and there is a better solution.
January 6th, 2010 12:29am

Maybe you could explore some workarounds. For example, if your user accounts are disabled because they are resource mailboxes you could use IsResource to filter them out. Alternatively, if you have standard mailboxes associated with disabled accounts, perhaps they are hidden from address lists (HiddenFromAddressListsEnabled), or perhaps have the description attribute stamped with something? Tony
January 6th, 2010 3:30am

Actually, this is exactly what I was trying to avoid. The mailboxes are disabled because the associated users are no longer allowed to log in; however, they still occasionally receive mail from third parties that someone will still need access to. Removing the users from address lists prevents other users from opening those mailboxes in Outlook, so that won't work either. I had thought of using one of the "Custom Attributes," but it seems like a crappy way of doing things. I'd rather simply disable the account and have it no longer receive mail from these groups.
January 6th, 2010 5:20pm

Yeah, using a custom attribute field is what I thought of as well. The real problem here is that UserAccountControlFlags is just an enum and not a more sophisticated type, and there is no logical operator to do what we need here. It would be nice to just say (UserAccountControl -contains AccountDisabled). As is, some of the filterable properties aren't very useful because of similar limitations. Anyway, to do what you want to do I think you will have to wind up tagging the accounts that are disabled and shouldn't be on dynamic groups but still need to receive email. Either a custom attribute or display name or something else.
January 6th, 2010 7:53pm

Ok, a couple of further thoughts. I think you can still open mailboxes in Outlook if they are hidden from address lists by entering the legacyExchangeDN value of the desired mailbox-enabled user. Or at least this used to work. Mind you, it's a bit of a kludge as users are not going to be able to find this value for themselves. Another workaround would be to use a standard (i.e. non-dynamic) distribution group and manage the membership through a script that runs according to a schedule. That way you're free from the OPATH limitations and can use the bitwise control to filter out the disabled accounts. Tony
January 6th, 2010 10:13pm

I will check into opening a mailbox by legacy DN; I didn't know that was a possibility. If that is possible, that would be sufficient. I really would rather use HiddenFromAddressListsEnabled anyway, that way people can't accidentally send mail to a disabled account by selecting it from the GAL. The second option really defeats the purpose of dynamic distribution lists. If that's the way we have to perform "advanced" tasks like this, then DDLs might as well be removed from the enormity that is the Exchange codebase. I'll try opening mailboxes by legacy DN; and if that doesn't work, I suppose I could have a script update a Custom Attribute based on the UserAccountControl flags and change the OPATH query to exclude boxes based on that. I'll post back with the solution.
January 8th, 2010 12:34am
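
The script-driven workarounds raised in the replies above (a scheduled script doing the bitwise test, and tagging a Custom Attribute that the OPATH filter can exclude), sketched as an added example that is not code from any poster in this thread. It assumes the local Exchange 2007 Management Shell, that CustomAttribute15 is otherwise unused, that the group is the `Test` group from the question, and a constructed tag value; the function names are hypothetical.

```powershell
# Added example, not code from the thread. Assumes the local Exchange 2007
# Management Shell, where Get-User returns UserAccountControl as a flags enum.
$ACCOUNTDISABLE = 0x0002              # flag value quoted in the question
$MarkerValue    = 'AccountDisabled'   # constructed tag written to CustomAttribute15

function Test-AccountDisabled {
    param([int]$UserAccountControl)
    # Bitwise AND isolates the single flag; a nonzero result means it is set.
    return (($UserAccountControl -band $ACCOUNTDISABLE) -ne 0)
}

function Sync-DisabledMarker {
    param([switch]$Preview)   # -Preview passes -WhatIf so nothing is written
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $user = Get-User -Identity $mbx.Identity
        $want = $null
        if (Test-AccountDisabled ([int]$user.UserAccountControl)) {
            $want = $MarkerValue
        }

        # Only touch mailboxes whose tag is out of date, so a re-enabled
        # account loses the tag and rejoins the group on the next run.
        if ([string]$mbx.CustomAttribute15 -ne [string]$want) {
            Set-Mailbox -Identity $mbx.Identity -CustomAttribute15 $want -WhatIf:$Preview
        }
    }
}

# One-time change: exclude tagged mailboxes from the dynamic group.
# The RecipientType clause is an assumed base filter, not one from the thread.
$filter = "((RecipientType -eq 'UserMailbox') -and (CustomAttribute15 -ne '$MarkerValue'))"
Set-DynamicDistributionGroup -Identity Test -RecipientFilter $filter -WhatIf

# Scheduled task: refresh the tags. Drop -Preview (and -WhatIf above) to apply.
Sync-DisabledMarker -Preview
```

Because the tag is recomputed from userAccountControl on every run, group membership lags a disable or re-enable by at most one scheduling interval.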

Opening mailboxes by legacy DN still works in Outlook 2007/Exchange 2007. I will mark Tony's post as the answer, since it technically solved my problem. Neil, thank you so much for your input, I have voted your responses as helpful. Thanks for your help. It would be nice to see a feature like this in a future release of Exchange. That or give us back the ability to use regular LDAP queries.
January 8th, 2010 7:30pm

This topic is archived. No further replies will be accepted.