advserver

Powershell script for setting msExchQueryBaseDN attribute for all users in an OU.

I am in need of a Powershell script which can set the msExchQueryBaseDN attribute for all users inside of an Organizational Unit.

 I am aware of Admodify but in this instance I need a Powershell script.

 I found Dgoldman's site (link pasted below) which provides the syntax but I have been unable to get it to work.  

The script is using the "Get-mailbox" command which implies it must be run in Exchange Management Shell.  If I run it in Exchange Management Shell "userName*" is not recognized.  I have tried "-identity" but it still did not work.  

Others seem to have had success with his script, so it must be something I am doing.

http://blogs.msdn.com/dgoldman/archive/2009/01/08/how-to-set-the-msexchquerybasedn-via-powershell.aspx

get-mailbox userName* -resultsize unlimited | Foreach { $dn = "LDAP://" + $_.distinguishedname;$obj = [ADSI]$dn;$obj.msExchQueryBaseDN = "OU=YourOU,DC=company,DC=com";$obj.setinfo()}
Alan Hardisty

You can use the following to set the msExchQueryBaseDN attribute, or use Admodify
$user = ([ADSI]"LDAP://server:389/CN=Username,OU=OU_NAME,DC=internaldomain,DC=local").psbase; $user.Properties["msExchQueryBaseDN"].Value="OU=OU_NAME,DC=internaldomain,DC=local"; $user.CommitChanges();
Change the placeholder names (server, Username, OU_NAME and internaldomain) to reflect your environment and job done.
Admodify download - http://www.computerperformance.co.uk/ScriptsGuy/ADModify_2.1.zip

advserver (ASKER)

Thank you very much.  I had used that previously but that is only for a specific user and not an entire organizational unit.
I need it to edit all users in a specific OU.
I would use ADmodify but the requirement is for this to take place in a script so that it is an automated process after users are created.

I'm not aware that you can do this on all users in a given OU.  What is stopping you doing this after creating a single user?
The link pasted in the post has been referenced by multiple sites and it provides the syntax for doing so.  I have just been unable to get it to work properly.

The request is for this process to be automated so that manual changing of the attributes for each user created does not have to take place.

Every user in the OU which this script will apply to will need the attribute so instead of having to call from CSV the script will just run against the OU each time a user is created.

What error do you get when you try to run the command, because username does not appear to be a valid parameter on Exchange 2007?

Username does not work.

All usernames in the OU start the same.  If I use the first portion of the username followed by * or if I don't have a username in there at all I receive the following errors:

The following exception occurred while retrieving member "msExchQueryBaseDN": "Unknown error (0x80005000)"
The following exception occurred while retrieving member "setinfo": "Unknown error (0x80005000)"
Tried and tested and working happily:
get-mailbox -OrganizationalUnit "OU=OU_Name,DC=InternalDomain,DC=local" | Foreach { $dn = "LDAP://" + $_.distinguishedname;$obj = [ADSI]$dn;$obj.msExchQueryBaseDN = "OU=OU_Name,DC=InternalDomain,DC=local";$obj.setinfo()}
 
I am still receiving the same errors.  

For the LDAP command I have tried what is pasted below and using "LDAP://DC:389/OU...." and still received the same errors from my previous post.

Do you see anything wrong below?

get-mailbox -organizationalunit "OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local" | Foreach { $dn = "LDAP://OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local" + $_.distinguishedname;$obj = [ADSI]$dn;$obj.msExchQueryBaseDN = "CN=Stores,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=domain,DC=local";$obj.setinfo()}
Alan Hardisty (asker-certified solution)

I would probably put this, as I don't think your msExchQueryBaseDN attribute is correct, as you are not restricting to an address list but to an OU in ADSI:
get-mailbox -organizationalunit "OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local" | Foreach { $dn = "LDAP://" + $_.distinguishedname;$obj = [ADSI]$dn;$obj.msExchQueryBaseDN = "OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local";$obj.setinfo()}

Your code there is a bit confused.

Take this bit:

  $dn = "LDAP://OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local" + $_.distinguishedname;

You're concatenating a distinguishedName with another distinguishedName, that road won't lead anywhere good :)

It always helps to break it up a bit. It will fit on one line if you must, but white space makes it a lot easier to see what's going on.

Perhaps this is what you're after (although I haven't tested it).

Chris

$OU = "OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local"
$QueryBase = "CN=Stores,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=domain,DC=local"

Get-Mailbox -Organizationalunit  $OU | Foreach {
  # Fetch the user associated with this mailbox
  $User = [ADSI]"LDAP://$($_.DistinguishedName)"  
  $User.Put("msExchQueryBaseDN", $QueryBase)
  $User.SetInfo()
}


QueryBase in the snippet above should be altered according to Alan's directions. I never bother playing with it and have nothing to check against here, I'm sure Alan knows better.

Chris
The msExchQueryBaseDN attribute is correct, as it is the DN of the address list to which I want to restrict the user.

I tried your post before where you have the LDAP blank and that worked!  
I apologize Chris as I did not refresh to see your post(s).

Alan's post with the code pasted below worked for me without error.

get-mailbox -organizationalunit "OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local" | Foreach { $dn = "LDAP://" + $_.distinguishedname;$obj = [ADSI]$dn;$obj.msExchQueryBaseDN = "CN=Stores,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=domain,DC=local";$obj.setinfo()}

Thank you very much!
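A hardened version of the per-OU loop that Alan and Chris posted above, added here as an example; it is not code from the thread or from Dgoldman's post. Before touching any mailbox it binds to the intended msExchQueryBaseDN target (a malformed ADSI path fails with 0x80005000, E_ADS_BAD_PATHNAME, which is the error that appears when two DNs are concatenated into one LDAP:// path), it skips users that already carry the value, supports -WhatIf for a rehearsal run, logs every write, and includes a report function for auditing the OU afterwards. The function names, the log path and the "Get-BoundEntry" helper are my own placeholders; the OU and address-list DNs are the ones used in the thread. It needs the Exchange Management Shell for Get-Mailbox and PowerShell 2.0 or later.

```powershell
# Added example (not from the thread). Requires the Exchange Management Shell
# (for Get-Mailbox) and PowerShell 2.0+ (try/catch, SupportsShouldProcess).
# Function names, $LogPath and the DNs in the usage lines are placeholders.

function Get-BoundEntry {
    # Bind to a DN and force the bind now, so a bad path surfaces here with
    # 0x80005000 (E_ADS_BAD_PATHNAME) rather than on the first attribute write.
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $entry = [ADSI]("LDAP://" + $DistinguishedName)
    $entry.psbase.RefreshCache()
    return $entry
}

function Set-OUQueryBaseDN {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$OU,         # OU whose mailboxes get the attribute
        [Parameter(Mandatory = $true)][string]$QueryBase,  # DN of the OU or address list to scope to
        [string]$LogPath = "C:\Logs\msExchQueryBaseDN.log"
    )

    # Pre-flight: refuse to stamp a DN that cannot be bound, otherwise every
    # user ends up with a dangling value and OWA "Find names" returns nothing.
    try { [void](Get-BoundEntry $QueryBase) }
    catch { throw "Cannot bind msExchQueryBaseDN target '$QueryBase': $_" }

    $logDir = Split-Path -Parent $LogPath
    if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

    $summary = New-Object PSObject -Property @{ Set = 0; Skipped = 0; Failed = 0 }

    Get-Mailbox -OrganizationalUnit $OU -ResultSize Unlimited | ForEach-Object {
        $dn = $_.DistinguishedName
        try {
            $user    = Get-BoundEntry $dn
            $current = $user.psbase.Properties["msExchQueryBaseDN"].Value
            if ($current -eq $QueryBase) {
                $summary.Skipped++
                return   # in a ForEach-Object block, return moves on to the next mailbox
            }
            # -WhatIf on the function makes ShouldProcess report instead of write
            if ($PSCmdlet.ShouldProcess($dn, "Set msExchQueryBaseDN to '$QueryBase'")) {
                $user.psbase.Properties["msExchQueryBaseDN"].Value = $QueryBase
                $user.psbase.CommitChanges()
                $summary.Set++
                Add-Content -Path $LogPath -Value "$(Get-Date -Format s) SET  $dn (was '$current')"
            }
        }
        catch {
            $summary.Failed++
            Add-Content -Path $LogPath -Value "$(Get-Date -Format s) FAIL $dn : $_"
            Write-Warning "Failed on ${dn}: $_"
        }
    }
    return $summary
}

function Get-OUQueryBaseDNReport {
    # Audit after the fact: one row per mailbox with its current value and
    # whether it matches the intended scope.
    param(
        [Parameter(Mandatory = $true)][string]$OU,
        [Parameter(Mandatory = $true)][string]$QueryBase
    )
    Get-Mailbox -OrganizationalUnit $OU -ResultSize Unlimited | ForEach-Object {
        $value = ([ADSI]("LDAP://" + $_.DistinguishedName)).psbase.Properties["msExchQueryBaseDN"].Value
        New-Object PSObject -Property @{
            Alias     = $_.Alias
            Value     = $value
            Compliant = ($value -eq $QueryBase)
        }
    }
}

# Usage (placeholder DNs taken from the thread):
$OU        = "OU=Store Users,OU=QAStores,DC=test,DC=domain,DC=local"
$QueryBase = "CN=Stores,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=domain,DC=local"

Set-OUQueryBaseDN -OU $OU -QueryBase $QueryBase -WhatIf      # rehearse: prints what would change
Set-OUQueryBaseDN -OU $OU -QueryBase $QueryBase              # apply, returns Set/Skipped/Failed counts
Get-OUQueryBaseDNReport -OU $OU -QueryBase $QueryBase | Where-Object { -not $_.Compliant }
```

Two caveats for running this on a schedule after user creation, as the asker intends. First, the account the task runs as only needs write access to msExchQueryBaseDN on the user objects in that OU; delegate that single attribute rather than running it as an Exchange or domain administrator. Second, msExchQueryBaseDN narrows what the OWA address-book search and ambiguous-name-resolution queries return for that user; it is not an ACL on the directory, so it is a data-minimisation control for the OWA client, not an authorisation boundary, and an account that can bind to LDAP directly still sees whatever the directory permissions allow.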

Good :)

Chris
The msexchquerybasedn attribute is set to restrict queries on a DN value so that it only returns the users in that DN.

Trying to set the attribute to point to an address list is completely incorrect.

Run the admodify and use the check box to verify you are using the correct attribute - I guarantee that if you point to the address list it will fail.

@chris-dent - Thanks
I may have to eat my words regarding the address list:

http://support.microsoft.com/kb/817218

Never seen it set that way before ; )
Actually it is completely correct and it works perfectly.  

http://technet.microsoft.com/en-us/library/bb936719(EXCHG.80).aspx#msExchQBDNConfig
msExchQueryBaseDN Configuration
Microsoft Outlook Web Access (OWA) users may use the Find names feature to view users, including those who are not located in the same organizational unit. To limit the scope of a directory service search available to Outlook Web Access users, you must set the msExchQueryBaseDN attribute on each user object. The value that is specified for the msExchQueryBaseDN attribute limits the searches and the ambiguous name resolution queries that a user can perform. This can be set to the distinguishedname (DN) of the OU or an address list containing the correct group of users.
Well you have your answer and I learned that you can set the attribute to an address list, so we are both winners!

Glad you are sorted and thanks for the points.

Alan
Sounds good!  Thanks for the help!