Archive for February 2011

Exchange 2010 dynamic distribution lists using non-standard Active Directory attributes.

Update 01/02/2017:

Just a quick note to point out that this still works with Exchange Server 2013 and 2016.


Hi again,

This is a very brief post about a topic I’d often thought about but only acted upon recently, and it’s to do with the creation of dynamic distribution lists in Exchange 2010 where the attributes you want to base the query on are not part of those made available through the OPath syntax. This often comes up where you already have useful data stored in Active Directory and do not wish to store redundant copies of it in the CustomAttribute attributes (data redundancy peeves me!).

Firstly, it’s important to note that you cannot manage dynamic distribution lists created in this manner through the EMC – they won’t even appear. You can’t truly manage them from the PowerShell console either, as the property in question – LdapRecipientFilter – is deemed read-only. What you’re left with is having to manage this kind of dynamic distribution list directly from something like Users and Computers, AdsiEdit, LDP – or something of that nature where you can edit Active Directory attributes directly.

Speaking of Active Directory attributes, these custom queries primarily revolve around two:

  • msExchQueryFilter: Holds the OPath syntax query;
  • msExchDynamicDLFilter: Holds the LDAP syntax query.

The first step in this process is straightforward enough. Use either the EMC or PowerShell environments to create your dynamic distribution list. From my perspective, I don’t worry about what the user query component involves, as I’ll be changing this straight afterwards anyway. Just make sure things like your recipientContainer and organizationalUnit values are what you’d like them to be and leave it at that.

Next, open up the group in Adsiedit – or whatever your tool of choice is, so that you can see real Active Directory attributes (as opposed to the OPath aliases). Here, you want to clear the value from msExchQueryFilter so that it is null.

Next, edit the msExchDynamicDLFilter attribute, placing the LDAP syntax query you wish to run inside. Again, make sure you understand LDAP queries and put the correct value in here, as you’re not going to get any user-friendly feedback as you might from either the EMC or PowerShell environments.

Quick tip: LDP and Users and Computers are nice for the above phase, as with both of these you can construct your query and test it before you get to the point of pasting it into msExchDynamicDLFilter, saving you from using trial and error (which you shouldn’t be doing anyway) to get your distribution list working!

Technically, that’s all you need to do most of the time. I say most of the time because there’s one factor you need to remember, and it may lead to you having a few more steps to do.

As you no doubt remember, Exchange queries are executed against the global catalog (listening on port 3268) rather than LDAP (port 389). And as you no doubt also remember, the global catalog holds only a partial set of the data stored in Active Directory for a given object. What this means is that you may have to enable additional attributes to be stored in the global catalog before you can utilise your desired dynamic distribution list. Don’t take this decision lightly, as one of the considerations to keep in mind when working with the global catalog is to keep it lightweight.

If you do find that you pick an attribute to filter on – such as employeeType – that isn’t included in the global catalog by default, you can register schmmgmt.dll from the command line with:

regsvr32 schmmgmt.dll

After which you can add the Active Directory Schema MMC snap-in into a new MMC, navigate to the attribute you want to enable, and do so.
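The steps above can also be scripted. The following is an added example, not part of the original post: it checks that every attribute used in the LDAP filter is replicated to the global catalog, previews the filter against port 3268, and only then writes the two attributes. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the group DN and the filter are constructed placeholder values.

```powershell
# Added example; assumes the ActiveDirectory module and rights to edit the group object.
Import-Module ActiveDirectory

# Constructed sample values: replace with your own.
$ddlDn  = 'CN=Contractors DDL,OU=Groups,DC=example,DC=com'   # placeholder DN
$filter = '(&(objectCategory=person)(objectClass=user)(mailNickname=*)(employeeType=Contractor))'

# 1. Pull the attribute names out of the filter, e.g. "(employeeType=" -> employeeType.
#    (Simple comparisons only; extensible-match rules such as attr:oid:= are not parsed.)
$attrs = [regex]::Matches($filter, '\(([A-Za-z][A-Za-z0-9-]*)[~<>]?=') |
    ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique

# 2. Look each attribute up in the schema and check whether it is in the
#    global catalog's partial attribute set.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$missing = foreach ($a in $attrs) {
    $s = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$a)" `
        -Properties isMemberOfPartialAttributeSet
    if (-not $s) { Write-Warning "Attribute '$a' not found in the schema"; $a }
    elseif (-not $s.isMemberOfPartialAttributeSet) { $a }
}
if ($missing) {
    throw "Not replicated to the global catalog: $($missing -join ', ')"
}

# 3. Preview the filter against a global catalog on port 3268.
#    This searches the server's default naming context, not the list's recipientContainer.
$gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0] + ':3268'
$preview = @(Get-ADObject -Server $gc -LDAPFilter $filter -Properties mail)
"{0} objects match on {1}" -f $preview.Count, $gc
$preview | Select-Object -First 10 Name, mail

# 4. After reviewing the preview: clear the OPath filter and store the LDAP filter.
#    -WhatIf only shows the change; remove it to apply.
Set-ADObject -Identity $ddlDn -Clear msExchQueryFilter `
    -Replace @{ msExchDynamicDLFilter = $filter } -WhatIf
```

With the sample filter, step 2 stops at employeeType until that attribute has been enabled for the global catalog as described above.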

And now, the only thing left to do is make use of your new dynamic distribution list!

As I mentioned at the start, you won’t be able to manage it from the EMC at all; however, you can manage all facets other than the query itself from PowerShell. For the query itself, you are restricted to whatever Active Directory editing tool you prefer to maintain it.