  • Status: Solved
  • Priority: Medium
  • Security: Public

Old recipient policy works. Getting LDAP error with new ones.

We currently have a recipient policy that gives any new accounts a
"username@company.com" address.

We are also in the process of setting up Exchange accounts for
each of our remote sites, each of which has a separate OU according
to location.

What I'm trying to do is set up a recipient policy for each location / OU, so that
when accounts are created within an OU, they get given a  "username@location1.company.com"
email address.  Location1, location2 etc correspond to the name of each OU.

This is failing to occur- each account within an OU is receiving an email address- but in the
original format i.e. without the "location".  It looks like the only recipient policy being applied is the
original.

I have tried moving the new recipient policies up the priority list but this doesn't fix
the problem.

The only event of note in the exchange server's Application log is the following:

=========================
Source: MSExchangeAL
Category: LDAP Operations
Event ID: 8270

Description:

LDAP returned the error [41] Object Class Violation when importing the transaction
dn: <GUID=D5C596F7E29149489074A3C6F8293984>
changetype: Modify
mail:s517280@location1.company.com
textEncodedORAddress:c=US;a= ;p=XXXXXXX;o=YYYYYYYY;s=x517280;
proxyAddresses:X400:c=US;a= ;p=XXXXXXX; o=YYYYYYYY;s=x517280;
: SMTP:s517280@location1.company.com
msExchPoliciesIncluded:add:{2FCA45D0-BE49-4D02-B781-E2F1DD7BF14C},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
objectGUID:D5C596F7E29149489074A3C6F8293984
-
 DC=ZZZZZZ,DC=ZZZZZZ

=========================

...the addresses provided in the error i.e. "@location1..." correspond to what I'm trying to set in the
recipient policies that aren't working.  Note: Selecting "Apply this policy now" for whatever policy doesn't
work.

Our environment is:
      - Windows server 2003
      - Exchange server 2003 SP1.

I have searched on this error without too much luck.  Any help appreciated.
Asked by: farfo

1 Solution
 
aa230002 Commented:
Recipient policies don't work on OU or group membership. You need an alternative here, like an attribute which will identify all users from one particular location.

Please have a look at this KB from MS ->
Cannot use an organizational unit or the location of an account for recipient policy
http://support.microsoft.com/kb/296112/en-us

Thanks,
Amit Aggarwal.
 
farfo (Author) Commented:
Thanks Amit- you were spot on.  It really surprises me though that you can't create recipient policies based
on the OU in which an account is created- I thought OUs would have been a prime candidate for this sort of thing.

What I'll most likely do now is create a template within each OU that has the name of the town in the
Office attribute, and work the recipient policies around that.  It won't be saving me too much work though-
as I could probably add @townname.company.com to the template to get a similar result.  

Ah well- if you've got any other suggestions I'd be happy to hear them.

Thanks again.
 
aa230002 Commented:
You have a good plan. You can also use tools like Ldifde or ADmodify or some scripts to update one particular attribute like Office, as you said, and populate it with the location; then you can use this attribute to identify all users from a particular location and apply recipient policies.

Similarly, recipient policies don't work on group membership or any other attribute that the RUS is responsible for. Just for your info, here is the related KB ->

The address list or the recipient policy filter is not applied when it is based on group membership or an attribute that the Recipient Update Service is responsible for.
http://support.microsoft.com/kb/304516

Thanks,
Amit Aggarwal.
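
The attribute-based approach suggested above, sketched as an added example that is not part of the original thread: it builds an LDIF change file (for import with Ldifde) that stamps each user's Office attribute with the name of the OU holding the account, plus the matching recipient policy filter. It assumes the Office field is the `physicalDeliveryOfficeName` attribute and that a filter of the form shown suits the policy; the sample DNs are constructed and the function names are hypothetical.

```python
import base64

# Constructed sample DNs (not from the thread).
SAMPLE_DNS = [
    "CN=s517280,OU=location1,DC=example,DC=com",
    "CN=Smith\\, Jane,OU=location2,DC=example,DC=com",
    "CN=svc-backup,CN=Users,DC=example,DC=com",  # no OU in path: skipped
]

def split_dn(dn):
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc or ch != ",":
            cur += ch
            esc = (ch == "\\") and not esc
        else:
            parts.append(cur.strip())
            cur = ""
    parts.append(cur.strip())
    return parts

def nearest_ou(dn):
    """Name of the closest OU above the object, or None if it sits in no OU."""
    for rdn in split_dn(dn)[1:]:
        if rdn.upper().startswith("OU="):
            return rdn[3:]
    return None

def ldif_line(attr, value):
    """Emit 'attr: value', or base64 'attr:: ...' when RFC 2849 requires it."""
    unsafe = (not value.isascii() or not value.isprintable()
              or value[:1] in (" ", ":", "<") or value.endswith(" "))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode()}"
    return f"{attr}: {value}"

def build_ldif(dns):
    """One modify record per user that lives in an OU; others are left alone."""
    records = []
    for dn in dns:
        ou = nearest_ou(dn)
        if ou is not None:
            records.append("\n".join([
                ldif_line("dn", dn), "changetype: modify",
                "replace: physicalDeliveryOfficeName",
                ldif_line("physicalDeliveryOfficeName", ou), "-", ""]))
    return "\n".join(records)

def policy_filter(location):
    """LDAP filter for the location's recipient policy (RFC 4515 escaping)."""
    esc = "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in location)
    return f"(&(mailNickname=*)(physicalDeliveryOfficeName={esc}))"
```

Write the output of `build_ldif` to a file and import it with `ldifde -i -f <file>` against a test OU first, then check that the Recipient Update Service stamps the expected addresses.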