Active Directory and Distribution Groups with Office 365

active-directorygroupsmicrosoft-office-365powershellscripting

I have a O365 with Exchange, and a local AD.

I want to manage distribution groups and distribution groups members via PS scripts (that will run by scheduled task), that look users' AD attributes (don't know which attributes right now).

The script will be hosted in the local AD.

So If I want to manage distribution groups (DG), I can use PS to connect to my O365, and then manage DG. But I don't know If i'll be able to check AD users' attributes from a PS Session on O365 ?

So I'm wondering what is the best way to handle this.

Can I just manage DG from the AD without the need to connect to O365 Exchange ?

This means that I create AD Group, enable mail, and put users I want, in. Then, the replication will synchronize AD Group with O365 (with DirSync if I'm right).

Do these groups will be see as "Distribution Group" in O365 Exchange view ? And people will be able to email these DG ?
Or Do I have to do some stuff in O365 Exchange side ?

To be clear, question is : Can I create a DG from local AD server in PS (Create-Group), by setting the mail address (and others attributes I dont now yet), and then Exchange will see it as a good DG and I'll be able to send email to it ?

Feel free to ask for more details if needed. hope I'm clear enough.

Best Answer

This means that I create AD Group, enable mail, and put users I want, in. Then, the replication will synchronize AD Group with O365 (with DirSync if I'm right).

That's pretty much it, yes. There's plenty of resources out there covering the installation and setup of DirSync, and you may refer to this table of attributes that are synced from on-premises AD to Office 365. You can manually trigger a sync of dirsync by opening DirSyncConfigShell and running Start-OnlineCoexistenceSync

So you can create a DG on-premises, set the Mail and ProxyAddresses attributes and then DirSync will create a synchronised DG in O365. This group will show up in the ECP > Groups, the same as a group which is created online. However, since the group was created on-premises it must be managed on-premises (as the sync is one-way). Trying to alter the attributes online will give you:

The action 'Set-DistributionGroup', 'PrimarySmtpAddress', can't be performed on the object 'IT-team' because the object is being synchronized from your on-premises organization.

There is no need to mail-enable the DG, as DGs are mail-enabled by default at creation.

To be clear, question is : Can I create a DG from local AD server in PS (Create-Group), by setting the mail address (and others attributes I dont now yet), and then Exchange will see it as a good DG and I'll be able to send email to it ?

Broadly yes. You'll have to use a PS cmdlet that actually exists though, ie New-ADGroup and specify -GroupCategory Distribution

Related Solutions

Windows Active Directory – Command Line to List Users in a Group

try

dsget group "CN=GroupName,DC=domain,DC=name,DC=com" -members

Dynamic Distribution Lists per-group

I will tell you the way i have done this on my Exchange 2010, hoping it will also work for your Exchange 2013.

You absolutely need Powershell (Exchange Management Shell) to create the DDL :

New-DynamicDistributionGroup -Name "group1_DDL" -RecipientFilter {MemberOfGroup -eq "CN=Group1,OU=myOU,DC=domain,DC=local"} -RecipientContainer "OU=Users,OU=Account,DC=domain,DC=local"

Main points here are :

You need to use the OPATH filter attribute MemberOfGroup :

For this value you need to put the full DN of your AD Group.

You need to specify the RecipientContainer parameter :

This is the full DN where your AD users are stored.

Some explanations :

You need to use OPATH Filters for the RecipientFilter so that you can use the MemberOfGroup attribute. The standard memberOf attribute exposed by Exchange will not work because you need a calculated back-link property from AD :

MemberOfGroup filtering requires that you supply the full AD distinguished name of the group you're trying to filter against. This is an AD limitation, and it happens because you're really filtering this calculated back-link property from AD, not the simple concept of "memberOf" that we expose in Exchange.

OPATH Filters are supported for the RecipientFilter parameter :

https://technet.microsoft.com/en-us/library/bb125127(v=exchg.150).aspx

RecipientFilter : The RecipientFilter parameter filters the mail-enabled recipients used to build the dynamic distribution group. [...] The RecipientFilter parameter uses OPath syntax to query Active Directory and filter recipients.

http://exchangepedia.com/blog/2007/02/memberof-attribute-can-now-be-used-in.html :

Unlike LDAP filters, the actual attribute name - memberOf is not used in OPATH filters. The filterable property name for OPATH filters is MemberOfGroup.

By default (means not specified), the RecipientContainer will be the standard Users DN : CN=Users,DC=domain,DC=local. So when Exchange performs its query to determine membership, it can only see members that are in this OU. This is the reason why you need to specify the OU where your AD Users are actually stored.

Finally, here is the link to the ressource that makes me able to make this work, and from i get most of the reference above : https://exchangemaster.wordpress.com/tag/recipientcontainer

Best Answer

Related Solutions

Windows Active Directory – Command Line to List Users in a Group

Dynamic Distribution Lists per-group

Related Topic