Solved

How to set up a recipient policy using group membership

Posted on 2010-09-10
Last Modified: 2012-05-10
My goal is to set up a recipient policy (mailbox mgr) to delete emails from certain accts based on group membership - However when creating the filter, filtering group membership never works - I can get filter and recipient policy to work using OU and single users - AD is structured in a way where I don't want to move accts to a specific OU and I don't want to create multiple policies to achieve (1) goal -

Can someone please inform me the correct steps to achieve this goal

I read something about "memberof" was not an attribute and is only discovered "on the fly" when queried which if true would be a reason but there has to be a way -



0
Question by:SHAX
13 Comments
 
LVL 5

Expert Comment

by:michael_b_smith
ID: 33649522
This issue, the problems, and solutions are discussed here: http://support.microsoft.com/kb/304516

This is a feature of Exchange 2007/2010, by the way. It's easy to do there.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33649553
ok - what version of exchange are you using ?
0
 

Author Comment

by:SHAX
ID: 33649836
Exchange 2003
0

 

Author Comment

by:SHAX
ID: 33649951
Yes, Michael B - that is the same link I referenced in my original post - It appears the only way to have this work is to query the GC - I am not sure how to query GC - Any help is greatly appreciated -
0
 
LVL 5

Expert Comment

by:michael_b_smith
ID: 33650977
Sorry, your original post must be a different question. Your question above doesn't reference the KB article I listed.

I think the KB article is very clear. If you are going to use a group in your filter, then every time that the group membership changes, you must force a rebuild of that Recipient Policy.

I suspect you may be misinterpreting the statement "you must query against a group catalog". It doesn't alter my statement above. The "you must query against a group catalog" means that the server hosting the Recipient Update Service for a particular Active Directory domain must be a GC server. And, of course, if you only have a single Active Directory domain in your forest (like 99%+ of the world), then it doesn't matter whether you query a regular DC or a GC.
0
 

Author Comment

by:SHAX
ID: 33663680
I think we are saying the same thing - but you're right, I did not list the KB but was referring to the same article when I spoke of "memberof was not an attribute and is only discovered "on the fly" when queried" in original post -

At this point I'll need to research on how one goes about querying the GC in order to achieve goal -
0
 
LVL 5

Expert Comment

by:michael_b_smith
ID: 33664190
As I said above: The "you must query against a group catalog" means that the server hosting the Recipient Update Service for a particular Active Directory domain must be a GC server.
0
 

Author Comment

by:SHAX
ID: 33666846
Can you offer any help where to find help on how I can query against the group??
0
 
LVL 5

Accepted Solution

by:
michael_b_smith earned 250 total points
ID: 33667205
As the KB says:

[1]  set your Recipient Update Service for the active directory to point to a group catalog server.

[2] build a recipient policy from the Advanced tab and specify the full distinguishedName of the group

[3] each time you update the group rebuild the recipient policy.

That's really it.
0
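The filter from step [2], as an added example that is not part of the original answer or the KB article: a small Python helper that builds the LDAP filter to paste into the policy's Advanced tab from a group's full distinguishedName, escaping characters that would otherwise break or alter the filter. The group DN, the function names and the mail-enabled-user conditions (`mailNickname`, `objectCategory`, `objectClass`) are assumptions of this example.

```python
# Added example: build a memberOf filter for a recipient policy.
# All DNs below are constructed sample values, not taken from the thread.

# RFC 4515 requires these characters to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def looks_like_full_dn(dn: str) -> bool:
    """Cheap sanity check: memberOf only matches a complete group DN,
    so reject bare names such as 'Purge Group'."""
    upper = dn.strip().upper()
    return upper.startswith("CN=") and ",DC=" in upper


def group_member_filter(group_dn: str) -> str:
    """Return a filter selecting mail-enabled users that are direct
    members of the group. memberOf is compared as an exact DN, so
    members of nested groups are not matched by this filter."""
    if not looks_like_full_dn(group_dn):
        raise ValueError("expected a full distinguishedName, got %r" % group_dn)
    return (
        "(&(mailNickname=*)(objectCategory=person)(objectClass=user)"
        "(memberOf=%s))" % escape_filter_value(group_dn.strip())
    )


if __name__ == "__main__":
    # Parentheses in the group name would unbalance the filter if unescaped.
    print(group_member_filter("CN=Purge (Temp),OU=Groups,DC=example,DC=com"))
```
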
 

Author Comment

by:SHAX
ID: 33674746
Thank you Michael b smith

Question 1 - recipient update services are already in place pointed to a group catalog server (our PDC), if I rebuild, do I rebuild both and does a rebuild cause issues if done during business hours?

Question 2 - attached is a screenshot of the recipient policy using the advanced tab, my question is how or what is the easiest way to write an LDAP query to show members of the security group users are a part of? -

Sorry for the confusion
Ldap.doc
0
 

Author Comment

by:SHAX
ID: 33701054
I got the LDAP query to work w/ nested OU's but even after altering the group it does appear a rebuild of the recipient policy is needed - although running the query returns new members, the report generated from the system attendant does not reflect the newest member's mailbox - I even ran "update now" on the recipient update service w/ no luck -

I am somewhat hesitant about "rebuilding" the RUS not knowing which of the (2) to run or what the implications are when doing this like exchange performance, etc
0
 

Author Comment

by:SHAX
ID: 33701310
I have recipient policy set to update constantly - a little slow but avoids the rebuild -
0
 

Author Closing Comment

by:SHAX
ID: 33701329
Rebuild is not necessary and found LDAP query myself -
0
