• Status: Solved
Powershell script for setting msExchQueryBaseDN attribute for all users in an OU.

I am in need of a Powershell script which can set the msExchQueryBaseDN attribute for all users inside of an Organizational Unit.

 I am aware of Admodify but in this instance I need a Powershell script.

I found Dgoldman's site (link pasted below), which provides the syntax, but I have been unable to get it to work.

The script is using the "Get-mailbox" command which implies it must be run in Exchange Management Shell.  If I run it in Exchange Management Shell "userName*" is not recognized.  I have tried "-identity" but it still did not work.  

Others seem to have had success with his script, so it must be something I am doing.

http://blogs.msdn.com/dgoldman/archive/2009/01/08/how-to-set-the-msexchquerybasedn-via-powershell.aspx

get-mailbox userName* -resultsize unlimited | Foreach { $dn = "LDAP://" + $_.distinguishedname;$obj = [ADSI]$dn;$obj.msExchQueryBaseDN = "OU=YourOU,DC=company,DC=com";$obj.setinfo()}
Asked by advserver
1 Solution
 
Alan Hardisty (Co-Owner) commented:
You can use the following to set the msExchQueryBaseDN attribute, or use Admodify
$user = ([ADSI]"LDAP://server:389/CN=Username,OU=OU_NAME,DC=internaldomain,DC=local").psbase; $user.Properties["msExchQueryBaseDN"].Value="OU=OU_NAME,DC=internaldomain,DC=local"; $user.CommitChanges();
Change the items in italics to reflect your environment and job done.
Admodify download - http://www.computerperformance.co.uk/ScriptsGuy/ADModify_2.1.zip

advserver (Author) commented:
Thank you very much.  I had used that previously but that is only for a specific user and not an entire organizational unit.
I need it to edit all users in a specific OU.
 I would use ADmodify but the requirement is for this to take place in a script so that it is an automated process after users are created.  

Alan Hardisty (Co-Owner) commented:
I'm not aware that you can do this on all users in a given OU.  What is stopping you doing this after creating a single user?
advserver (Author) commented:
The link pasted in the post has been referenced by multiple sites and it provides the syntax for doing so.  I have just been unable to get it to work properly.

The request is for this process to be automated so that manual changing of the attributes for each user created does not have to take place.

Every user in the OU that this script will apply to will need the attribute, so instead of having to call from a CSV, the script will just run against the OU each time a user is created.


Alan Hardisty (Co-Owner) commented:
What error do you get when you try to run the command because username does not appear to be a valid parameter on Exchange 2007?

advserver (Author) commented:
Username does not work.  

All usernames in the OU start the same.  If I use the first portion of the username followed by * or if I don't have a username in there at all I receive the following errors:

 The following exception occurred while retrieving member "msExchQueryBaseDN": "
Unknown error (0x80005000)"
The following exception occurred while retrieving member "setinfo": "
Unknown error (0x80005000)"

Alan Hardisty (Co-Owner) commented:
Tried and tested and working happily:
get-mailbox -OrganizationalUnit "OU=OU_Name,DC=InternalDomain,DC=local" | Foreach { $dn = "LDAP://" + $_.distinguishedname;$obj = [ADSI]$dn;$obj.msExchQueryBaseDN = "OU=OU_Name,DC=InternalDomain,DC=local";$obj.setinfo()}

advserver (Author) commented:
I am still receiving the same errors.  

For the LDAP command I have tried what is pasted below and using "LDAP://DC:389/OU...." and still received the same errors from my previous post.

Do you see anything wrong below?

get-mailbox -organizationalunit "OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local" | Foreach { $dn = "LDAP://OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local" + $_.distinguishedname;$obj = [ADSI]$dn;$obj.msExchQueryBaseDN = "CN=Stores,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=domain,DC=local";$obj.setinfo()}

Alan Hardisty (Co-Owner) commented:
Try this instead:
get-mailbox -organizationalunit "OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local" | Foreach { $dn = "LDAP://" + $_.distinguishedname;$obj = [ADSI]$dn;$obj.msExchQueryBaseDN = "CN=Stores,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=domain,DC=local";$obj.setinfo()}
Are you sure about the path for the MSExchQueryBaseDN attribute?

Alan Hardisty (Co-Owner) commented:
I would probably put this, as I don't think your MSExchQueryBaseDN attribute is correct: you are not restricting to an address list, but to an OU in ADSI.
get-mailbox -organizationalunit "OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local" | Foreach { $dn = "LDAP://" + $_.distinguishedname;$obj = [ADSI]$dn;$obj.msExchQueryBaseDN = "OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local";$obj.setinfo()}

Chris Dent (PowerShell Developer) commented:

Your code there is a bit confused.

Take this bit:

  $dn = "LDAP://OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local" + $_.distinguishedname;

You're concatenating a distinguishedName with another distinguishedName, that road won't lead anywhere good :)

It always helps to break it up a bit. It will fit on one line if you must, but white space makes it a lot easier to see what's going on.

Perhaps this is what you're after (although I haven't tested it).

Chris

$OU = "OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local"
$QueryBase = "CN=Stores,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=domain,DC=local"

Get-Mailbox -Organizationalunit  $OU | Foreach {
  # Fetch the user associated with this mailbox
  $User = [ADSI]"LDAP://$($_.DistinguishedName)"  
  $User.Put("msExchQueryBaseDN", $QueryBase)
  $User.SetInfo()
}

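As an added example (not code from this thread or from either poster), the same per-mailbox loop as Chris's snippet, wrapped in a function that checks both distinguished names exist before touching any user, skips users already carrying the value, supports -WhatIf, and reads the attribute back after SetInfo. Binding to a path that does not exist is what raises "Unknown error (0x80005000)" (E_ADS_BAD_PATHNAME), the error reported earlier in the thread; the function name and parameter names are assumptions.

```powershell
# Added example, not from the thread. Assumes it runs in Exchange Management Shell
# (for Get-Mailbox) with rights to write msExchQueryBaseDN on the target users.
function Set-OuQueryBaseDN {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$OrganizationalUnit,  # OU whose mailboxes are updated
        [Parameter(Mandatory = $true)][string]$QueryBaseDN          # OU or address-list DN to restrict searches to
    )

    # Fail early on a bad target: binding to a non-existent ADsPath is what
    # produces "Unknown error (0x80005000)" (E_ADS_BAD_PATHNAME) further down.
    foreach ($dn in @($OrganizationalUnit, $QueryBaseDN)) {
        if (-not [ADSI]::Exists("LDAP://$dn")) {
            throw "Distinguished name not found in the directory: $dn"
        }
    }

    Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited | ForEach-Object {
        # The DN is appended to the LDAP:// prefix exactly once (the mistake in the
        # thread was prefixing it with the OU DN). A '/' inside a DN must be escaped
        # as '\/' in an ADsPath or the bind fails.
        $user = [ADSI]("LDAP://" + ($_.DistinguishedName -replace '/', '\/'))

        $current = $user.psbase.Properties["msExchQueryBaseDN"].Value
        if ($current -eq $QueryBaseDN) {
            Write-Verbose "$($_.Alias): already set, skipping"
            return   # inside ForEach-Object, 'return' moves on to the next mailbox
        }

        if ($PSCmdlet.ShouldProcess($_.DistinguishedName, "Set msExchQueryBaseDN to $QueryBaseDN")) {
            $user.Put("msExchQueryBaseDN", $QueryBaseDN)
            $user.SetInfo()
            # Re-read from the directory so the report shows what was actually stored.
            $user.psbase.RefreshCache()
            [pscustomobject]@{
                Mailbox     = $_.Alias
                QueryBaseDN = $user.psbase.Properties["msExchQueryBaseDN"].Value
            }
        }
    }
}

# Dry run against the OU and address list used in this thread; drop -WhatIf to apply.
Set-OuQueryBaseDN -WhatIf `
    -OrganizationalUnit "OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local" `
    -QueryBaseDN "CN=Stores,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=domain,DC=local"
```

Run with -Verbose to see which mailboxes were skipped because the attribute already matched.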
 
Chris Dent (PowerShell Developer) commented:

QueryBase in the snippet above should be altered according to Alan's directions. I never bother playing with it and have nothing to check against here, I'm sure Alan knows better.

Chris

advserver (Author) commented:
The MSExchQueryBaseDN attribute is correct, as it is the DN of the address list to which I want to restrict the user.

I tried your post before where you have the LDAP blank and that worked!  

advserver (Author) commented:
I apologize Chris as I did not refresh to see your post(s).

Alan's post with the code pasted below worked for me without error.

get-mailbox -organizationalunit "OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local" | Foreach { $dn = "LDAP://" + $_.distinguishedname;$obj = [ADSI]$dn;$obj.msExchQueryBaseDN = "CN=Stores,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=domain,DC=local";$obj.setinfo()}

Thank you very much!

Chris Dent (PowerShell Developer) commented:

Good :)

Chris

Alan Hardisty (Co-Owner) commented:
The msexchquerybasedn attribute is set to restrict queries on a DN value so that it only returns the users in that DN.

Trying to set the attribute to point to an address list is completely incorrect.

Run the admodify and use the check box to verify you are using the correct attribute - I guarantee that if you point to the address list it will fail.

@chris-dent - Thanks

Alan Hardisty (Co-Owner) commented:
I may have to eat my words regarding the address list:

http://support.microsoft.com/kb/817218

Never seen it set that way before ; )

advserver (Author) commented:
Actually it is completely correct and it works perfectly.  

http://technet.microsoft.com/en-us/library/bb936719(EXCHG.80).aspx#msExchQBDNConfig
msExchQueryBasedDN Configuration
Microsoft Outlook Web Access (OWA) users may use the Find names feature to view users, including those who are not located in the same organizational unit. To limit the scope of a directory service search available to Outlook Web Access users, you must set the msExchQueryBaseDN attribute on each user object. The value that is specified for the msExchQueryBaseDN attribute limits the searches and the ambiguous name resolution queries that a user can perform. This can be set to the distinguishedname (DN) of the OU or an address list containing the correct group of users.

Alan Hardisty (Co-Owner) commented:
Well you have your answer and I learned that you can set the attribute to an address list, so we are both winners!

Glad you are sorted and thanks for the points.

Alan

advserver (Author) commented:
Sounds good!  Thanks for the help!