PowerShell Script to Exclude Group Members from O365 Dynamic Distribution List

Tags: exchange-online, microsoft-office-365, powershell

I am creating an "All" dynamic distribution group in Office 365 Exchange Online. I am doing this with PowerShell. We will call this group AllTestGroup. Here is some information about the setup:

  • Exchange Online
  • On-Prem Active Directory
  • Most mailboxes are associated with an on-prem AD user (AD Sync).
  • A few mailboxes are cloud-only.
  • There are no customAttributes or extensionAttributes on the AD user accounts (inherited the issue). They do have msDS-CloudExtensionAttribute0-20, but when you set one it does not appear on the Office 365 side. Plus, when you try to add one, we receive an Azure Active Directory and Exchange Online error: "Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration. DualWrite (Graph)"

Here is what the client needs/requires:

  • A single group that contains all UserMailbox recipients
  • No MailContacts
  • Exclude anyone in this AD group: "CN=AllExclusion,OU=SG,DC=Example,DC=Local"
  • Exclude anyone in this O365 distribution group: [email protected]
  • No additional costs

Here is the filter I have created for this:

(`
    (RecipientType -eq 'UserMailbox') `
    -and (-not(RecipientType -eq 'MailContact')) `
    -and (-not(MemberOfGroup -eq 'CN=AllExclusion,OU=SG,DC=Example,DC=Local')) `
    -and (-not(MemberOfGroup -eq '[email protected]')) `
    -and (-not(Name -like 'SystemMailbox{*')) `
    -and (-not(Name -like 'CAS_{*')) `
    -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) `
    -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) `
    -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) `
    -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')) `
    -and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox')) `
    -and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox')) `
    -and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox')) `
    -and (-not(RecipientTypeDetailsValue -eq 'GuestMailUser'))`
)

(Code split up using the ` mark to help readability.)

Here is the problem I am facing. When I run Get-DynamicDistributionGroupMember, I am still seeing the users inside the AllExclusion security group. I am also seeing members of [email protected]. For example, Ellan Smith is inside the AllExclusion security group. She shows up on the list. To make sure I am completely synced up, I ran Start-ADSyncSyncCycle -PolicyType Initial and Delta. I waited the 20 recommended minutes and tried again. Same results.

I feel like I am missing something small, but I don't know what that is.

Best Answer

This is a unique situation. I was trying to pull from the local AD when I should have been pulling from Azure AD. In this line:

-and (-not(MemberOfGroup -eq 'CN=AllExclusion,OU=SG,DC=Example,DC=Local')) `

I am targeting the DN of AllExclusion from the local AD. I need to get the DN from Azure AD. The reason for this is that Exchange Online is pointing to Azure AD, not the local AD. If this were a local on-prem Exchange, this would work, but it isn't. To get the DN you will need to run this command:

(Get-DistributionGroup AllExclusion).DistinguishedName

The DN will be much longer. It will look something like this:

CN=AllExclusion,OU=Example.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR##A###,DC=PROD,DC=OUTLOOK,DC=COM

Thus your exclusion will look something like this:

-and (-not(MemberOfGroup -eq 'CN=AllExclusion,OU=Example.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR##A###,DC=PROD,DC=OUTLOOK,DC=COM'))

Here is what the final Recipient Filter looks like:

(
    (RecipientType -eq 'UserMailbox') `
    -and (RecipientType -ne 'MailContact') `
    -and (MemberOfGroup -ne 'CN=AllExclusion,OU=Example.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR##A###,DC=PROD,DC=OUTLOOK,DC=COM') `
    -and (Name -notlike 'SystemMailbox{*') `
    -and (Name -notlike 'CAS_{*') `
    -and (RecipientTypeDetailsValue -ne 'MailboxPlan') `
    -and (RecipientTypeDetailsValue -ne 'DiscoveryMailbox') `
    -and (RecipientTypeDetailsValue -ne 'PublicFolderMailbox') `
    -and (RecipientTypeDetailsValue -ne 'ArbitrationMailbox') `
    -and (RecipientTypeDetailsValue -ne 'AuditLogMailbox') `
    -and (RecipientTypeDetailsValue -ne 'AuxAuditLogMailbox') `
    -and (RecipientTypeDetailsValue -ne 'SupervisoryReviewPolicyMailbox') `
    -and (RecipientTypeDetailsValue -ne 'GuestMailUser')`
)
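The answer above resolves the cloud DN by hand and pastes it into the filter. The script below is an added example, not code from the question or the answer: it resolves every exclusion group to its Exchange Online DistinguishedName with Get-Recipient, builds the same OPATH filter from a list of clauses, previews who would match with Get-Recipient -RecipientPreviewFilter, refuses to apply the filter if any direct member of an exclusion group still matches, and only then calls Set-DynamicDistributionGroup. The group names AllTestGroup, AllExclusion and [email protected] are the placeholders from the post; the script assumes Connect-ExchangeOnline has already been run, that AllTestGroup already exists, and that the exclusion groups are distribution groups or mail-enabled security groups (the only group types MemberOfGroup evaluates). Because both exclusion groups go through the same code path, this also covers the [email protected] requirement from the question, which the final filter in the answer leaves out.

```powershell
# Added example (not from the original question or answer). Assumes an existing
# Connect-ExchangeOnline session; group names below are placeholders from the post.
param(
    [string]   $DynamicGroup  = 'AllTestGroup',
    [string[]] $ExcludeGroups = @('AllExclusion', '[email protected]')
)

# Group types whose membership MemberOfGroup can evaluate. Microsoft 365 Groups and
# dynamic distribution groups are deliberately not in this list.
$groupTypes = 'MailUniversalDistributionGroup', 'MailUniversalSecurityGroup', 'MailNonUniversalGroup'

# Resolve each exclusion group to its Exchange Online DistinguishedName. This is the
# DN under "OU=Microsoft Exchange Hosted Organizations" described in the answer; the
# on-premises DN (DC=Example,DC=Local) never enters the filter.
$excludeDns = foreach ($name in $ExcludeGroups) {
    $r = Get-Recipient -Identity $name -ErrorAction Stop
    if ($r.RecipientTypeDetails -notin $groupTypes) {
        throw "'$name' is a $($r.RecipientTypeDetails); MemberOfGroup needs a distribution group or mail-enabled security group"
    }
    $r.DistinguishedName
}

# Build the OPATH filter as a list of clauses instead of editing one long string.
# A single quote inside a DN is doubled so the value cannot break out of its quotes.
$clauses = @("(RecipientType -eq 'UserMailbox')")
foreach ($dn in $excludeDns) {
    $safeDn = $dn -replace "'", "''"
    $clauses += "(MemberOfGroup -ne '$safeDn')"
}
$clauses += "(Name -notlike 'SystemMailbox{*')", "(Name -notlike 'CAS_{*')"
$systemTypes = 'MailboxPlan', 'DiscoveryMailbox', 'PublicFolderMailbox', 'ArbitrationMailbox',
               'AuditLogMailbox', 'AuxAuditLogMailbox', 'SupervisoryReviewPolicyMailbox', 'GuestMailUser'
$clauses += ($systemTypes | ForEach-Object { "(RecipientTypeDetailsValue -ne '$_')" })
$filter = '(' + ($clauses -join ' -and ') + ')'

# Evaluate the filter right now. In Exchange Online, Get-DynamicDistributionGroupMember
# returns the membership the service last calculated, so it is the wrong tool for
# checking a filter you changed a minute ago; RecipientPreviewFilter runs the filter live.
$preview = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)

# Direct members of every exclusion group (nested groups are not expanded here).
$excluded = @(foreach ($name in $ExcludeGroups) {
    Get-DistributionGroupMember -Identity $name -ResultSize Unlimited
})
$leak = @($preview | Where-Object { $_.DistinguishedName -in $excluded.DistinguishedName })
if ($leak.Count -gt 0) {
    throw "Filter still matches $($leak.Count) excluded recipient(s): $($leak.Name -join ', ')"
}

Write-Host "Filter matches $($preview.Count) mailboxes; applying to $DynamicGroup"
Set-DynamicDistributionGroup -Identity $DynamicGroup -RecipientFilter $filter
$filter
```

Save it as a .ps1 and run it from the Exchange Online session; it prints the filter it applied so the result can be compared against the answer's hand-written version. If the leak check throws, the usual cause is the same one the answer found: the DN used in the filter was not the one Exchange Online knows for that group. The check only expands direct members, so if AllExclusion contains nested groups, expand those first or add them to $ExcludeGroups.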