Exchange 2010 Dynamic Distribution Group - RecipientContainer ignored
Maybe someone will be able to help me with this... I am trying to create DDGs for my organization but it seems the "RecipientContainer" is being ignored. I have reorganized AD to include a top level OU called "Active Employees"
and within that are sub-OUs for each department. I also have a top level OU for "Disabled Accounts" and users in those OUs are ending up on my DDG. Is this a known issue with Exchange 2010?
First I had created the DDG in EMC and everything looked good. I set the Recipient Container on the Filter tab by using the browse button and selecting mydomain.local\Active Employees, and then selected "Users with Exchange Mailboxes".
On the Conditions tab I left everything blank and when I clicked on Preview it returned the list of users I expected to see. After sending a test email and receiving an NDR from an email contact (not on the preview list) I realized something was
wrong.
At this point I found out how to query the group members using the shell and saw that all users in the entire domain were being put into the group. To resolve this I added a Condition for Company name and then tediously updated the field for each user
in AD. After querying the group from the shell again the results looked a little better - it was actually only pulling users with the correct "Company" in AD. The problem is it still seems to be ignoring the RecipientContainer parameter
and querying the entire domain instead of my Active Employees OU.
I have reproduced the same results whether creating the DDG from EMC or from the Shell. When I try to use the Set-DynamicDistributionGroup cmdlet to update the recipient container it warns me that the commad was successful but nothing has been modified.
This was supposed to be a simple solution for keeping our distribution groups up to date - maybe I should've known better...
November 18th, 2013 9:25pm
Hi
DaveB3786,
Thank you for your post.
This is a quick note to let you know that we are performing research on this issue.
Thanks,
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
tnsfl@microsoft.com
November 20th, 2013 5:48am
Dave thanks for posting the request on the Forum.
Can you check the get-dynamicdistributiongroup | fl and check do you see the recipient container.
Also make sure that recipient container shows some thing like "ou=active employees,dc=domain,dc=local
How many domain controllers do you have ?
Please make sure that all the Domain controllers are replicated with the changes.
November 20th, 2013 6:56am
There are 3 domain controllers and all have replicated the AD changes I have made. I have been struggling with this on and off for a few weeks so it has been quite a while since I reorganized AD. Dcdiag looks good on all 3.
I did run Get-DynamicDistributionGroup | fl and I see the RecipientContainer in the results. It is not formatted as you suggest and instead displays as "mydomain.local/Active Employees". I tried to run Set-DynamicDistributionGroup "My Group"
-RecipientContainer "OU=Active Employees,DC=mydomain,DC=local" but again received the warning "the command completed successfully but no settings of
My Group have been modified.
When I run Get-DynamicDistributionGroup | fl it shows the same results, RecipientContainer = mydomain.local/Active Employees". I still can't figure out why users in "mydomain.local/Disabled Accounts" are being added to the group.
I decided to try and create a test group from the shell. This is supposed to be a simple group. After creating this group I tested the recipient list via the shell and am back to square one, where all mailbox users in the entire domain is being
added to the group, not just users withing the "Active Employees" OU. I can once again include the "Company" filter in the group to cut down the number of recipients but this still pulls users from other OUs if they have a matching Company.
[PS] C:\Windows\system32>New-DynamicDistributionGroup -Name "Dynamic Test Group" -RecipientContainer "mydomain.local/Active Employees" -IncludedRecipients "MailboxUsers" -OrganizationalUnit "mydomain.local/Distribution Groups and Mailboxes/Dynamic" -Alias
"testdynamicgroup"
Is there no way to make dynamic groups that only require a user have a mailbox and be in an OU? Could the fact that no users are directly in the "Active Employees" OU be the problem? There are sub-OUs within Active Employees and those contain
all the users I want in my group. But this wouldn't explain why users in mydomain.local/Disabled are being added...
Thanks for the help.
November 20th, 2013 3:21pm
Hello Dave,
Thanks for the reply of my post. I did some testing in my lab and I was also able to repro it.
I was able to find out why this is happening
I would request you to run the following command and create another test group
New-DynamicDistributionGroup -Name "Dynamic Test Group1" -RecipientContainer "Active Employees" -IncludedRecipients "MailboxUsers" -OrganizationalUnit "mydomain.local/Distribution Groups and Mailboxes/Dynamic" -Alias "testdynamicgroup1"
I had the same issue the reason it was going was because of the domain name in my lab.
Can you please create the above and check. Also it is a good practice to add additional filter like company or customattribute.
http://technet.microsoft.com/en-us/library/bb125127(v=exchg.150).aspx
For the parameters you can check the above TechNet article.
Waiting to hear from you.
November 21st, 2013 5:29am
Thanks for the suggestion but unfortunately using only the OU name gives me the exact same results. At this point I have determined that it just will not work for what I am trying to do. I have been able to reproduce every single step on another
Exchange 2010 server in a different domain. Even if I specify a condition such as Company the RecipientContainer gets ignored.
Either I'm doing something wrong or this simply does not work as it should. I'd appreciate any other suggestions you may have but I think I might just have to build all my groups statically and call it a day. I can't believe how difficult it
is to make such a simple group (Are you in xyz OU? Do you have a mailbox? Join the group!).
November 21st, 2013 8:25pm
Hello Dave,
Thanks for the post. Let me tell you how I was able to go ahead and resolve the issue in my lab.
I had created a OU called Enabled users
Then I created Two different Child Ou's : Disabledusersou1 and DisabledUsersou2
So if I open the ADUC my OU would look something like this
EnabledUsers
Disbaledusersou1
Disbaledusersou2
Now I Had created users on all the above Ou's. When I created a Dynamicdistributiongroup with the recipientcontainer as EnabledUsers, it picked up users even from Disabledusersou1 and Disabledusersou2. Then I set the
customattribute1 to test in the DynamicDistributiongroup.
Then I went ahead and ran the following command
Get-mailbox | {$_.Organizationalunit -like "domain.local\EnabledUsers"}
The above command listed only the users from the enabledusers Ou. Now the next step was to go ahead and add the customattribute1 to test on the Users in the EnabledUsers OU. So I ran the following command
Get-mailbox | {$_.Organizationalunit -like "domain.local\EnabledUsers"} | set-mailbox -customattribute1 test
After I ran the above command. I waited for the AD replication. Once the Ad was replicated, I went ahead and did a Preview in the DynamicDistributiongroup and only found users from the EnabledUsers.
I even confirmed by sending an email to the dynamicdistributiongroup with a delivery receipt. I got the receipt for all the users in the EnabledUsers OU.
Waiting to hear from you
November 22nd, 2013 3:34am
Thanks. That is not quite how AD is structured in my situation. It is more like this:
mydomain.local
Active Employees
- Department A
- Department B
Disabled Accounts
- Department A
- Department B
And even when I put "Active Employees" as the RecipientContainer users within Disabled Accounts OUs are added to the group too. If I use EMC, open the Dynamic Group properties, go to the Conditions tab, and click the Preview button the recipient
list looks correct. No one in "Disabled Accounts" is in the list. I have found based on numerous forum posts about problems with DDGs that the true way to see the recipients is to use the shell and the following commands:
$TEST = Get-DynamicDistributionGroup "Test Dynamic Group"
Get-Recipient -RecipientPreviewFilter $TEST.RecipientFilter > TestResults.txt
In the text file you have the list of users that would've been included if I had sent a message, including users in the "Disabled Accounts" and other top level OUs other than "Active Employees". Maybe that helps clarify the problem.
It does only select mailbox users, which is a start, but it is pulling from the whole domain instead of the OU specified for RecipientContainer.
-
Edited by
DaveB3786
Friday, November 22, 2013 4:06 AM
November 22nd, 2013 4:03am
Thanks. That is not quite how AD is structured in my situation. It is more like this:
mydomain.local
Active Employees
- Department A
- Department B
Disabled Accounts
- Department A
- Department B
And even when I put "Active Employees" as the RecipientContainer users within Disabled Accounts OUs are added to the group too. If I use EMC, open the Dynamic Group properties, go to the Conditions tab, and click the Preview button the recipient
list looks correct. No one in "Disabled Accounts" is in the list. I have found based on numerous forum posts about problems with DDGs that the true way to see the recipients is to use the shell and the following commands:
$TEST = Get-DynamicDistributionGroup "Test Dynamic Group"
Get-Recipient -RecipientPreviewFilter $TEST.RecipientFilter > TestResults.txt
In the text file you have the list of users that would've been included if I had sent a message, including users in the "Disabled Accounts" and other top level OUs other than "Active Employees". Maybe that helps clarify the problem.
It does only select mailbox users, which is a start, but it is pulling from the whole domain instead of the OU specified for RecipientContainer.
-
Edited by
DaveB3786
Friday, November 22, 2013 4:06 AM
November 22nd, 2013 4:03am
Thanks. That is not quite how AD is structured in my situation. It is more like this:
mydomain.local
Active Employees
- Department A
- Department B
Disabled Accounts
- Department A
- Department B
And even when I put "Active Employees" as the RecipientContainer users within Disabled Accounts OUs are added to the group too. If I use EMC, open the Dynamic Group properties, go to the Conditions tab, and click the Preview button the recipient
list looks correct. No one in "Disabled Accounts" is in the list. I have found based on numerous forum posts about problems with DDGs that the true way to see the recipients is to use the shell and the following commands:
$TEST = Get-DynamicDistributionGroup "Test Dynamic Group"
Get-Recipient -RecipientPreviewFilter $TEST.RecipientFilter > TestResults.txt
In the text file you have the list of users that would've been included if I had sent a message, including users in the "Disabled Accounts" and other top level OUs other than "Active Employees". Maybe that helps clarify the problem.
It does only select mailbox users, which is a start, but it is pulling from the whole domain instead of the OU specified for RecipientContainer.
-
Edited by
DaveB3786
Friday, November 22, 2013 4:06 AM
November 22nd, 2013 4:03am
Thanks for the reply Dave. Can you also run the second command which I had given you ?
Get-mailbox | {$_.Organizationalunit -like "domain.local\Active Employess\Department1"} | set-mailbox -customattribute1 test
Get-mailbox | {$_.Organizationalunit -like "domain.local\Active Employess\Department2"} | set-mailbox -customattribute1 test
and also add the condition customattribute1 to test on the dynamicdistributiongroup "test distribution group".
Thanks in advance.
November 23rd, 2013 4:20am
Doing that would not change the fact that the RecipientContainer is ignored. I have already proven that using one of these attributes results in only users with that attribute being added to the group, but they can be from any OU in the entire domain
so long as the attribute matches. I tried this with Company already. In fact I have read that the RecipientContainer field not working is a known issue when using a custom attribute, but it is supposed to work for the "precanned" ones, such as
Company, but it doesn't.
In your example I would be changing one of these attributes for all user mailboxes within the OU I specified - although that may be the only way to end up making this work, it does not mean that the RecipientContainer value ever works... Thank you
for the suggestion and hopefully you see my point.
November 23rd, 2013 7:00pm
I am having the same Issue!
August 7th, 2014 4:49pm
Same issue here... With Exchange 2013 CU7
Would appreciate further Microsoft input on this one
April 21st, 2015 10:51am
Hello,
This seems to be a problem in Exchange 2013 as well. I'm running the following command
New-DynamicDistributionGroup -Name "Office Staff - WI" -Alias "Office_Staff_WI" -RecipientContainer "company.private/Employees/Midwest/Wisconsin" -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (Title -eq 'Front
Office Coordinator'))}
The last OU of the -recipientcontainer flag is being ignored (Wisconsin), and it is instead using Midwest as the last container.
The behavior is replicated when I use East/Delaware, and the -recipientcontainer ignores Delaware, and just uses East.
Any help would be greatly appreciated.
June 4th, 2015 10:45am
This could be down to the maximum number of OUs:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/7401392f-a822-4a97-8a8b-a17adf16549e/ecp-not-retrieving-all-my-ous-when-creating-new-mailboxes?forum=exchangesvradmin
June 5th, 2015 7:41am
The problem I am having is with inconsistency and determining what recipients are members of the Dynamic Distribution Group.
Example.
I created a new DynamicDistributionGroup called DDGTest2.
The Filter tab on its properties is set to container domain.com/company, and the following specific types are selected:
"Users with Exchange mailboxes"
"Users with external e-mail addresses".
If I click Conditions tab, nothing is checked.
When I click "Preview" at the bottom of the Conditions tab, all the intended mailboxes appear accordingly, no issues here.
Now if I run the Powershell commands:
$ddg2 = Get-DynamicDistributionGroup "DDGTest2"
Get-Recipient -RecipientPreviewFilter $ddg2.RecipientFilter | select Name,OrganizationalUnit > DDG2_Recipients.txt
and open the text file output, there are mailboxes from all over AD, not just inside the specified filter container "domain.com/company" but shows recipients from all different OUs within the "domain.com".
So why does the "Preview" button show, say, about 250 recipients, while the powershell cmdlet reveals nearly 1,000 recipients.
-
Edited by
JGQ85
5 hours 2 minutes ago
July 14th, 2015 10:25pm
The problem I am having is with inconsistency and determining what recipients are members of the Dynamic Distribution Group.
Example.
I created a new DynamicDistributionGroup called DDGTest2.
The Filter tab on its properties is set to container domain.com/company, and the following specific types are selected:
"Users with Exchange mailboxes"
"Users with external e-mail addresses".
If I click Conditions tab, nothing is checked.
When I click "Preview" at the bottom of the Conditions tab, all the intended mailboxes appear accordingly, no issues here.
Now if I run the Powershell commands:
$ddg2 = Get-DynamicDistributionGroup "DDGTest2"
Get-Recipient -RecipientPreviewFilter $ddg2.RecipientFilter | select Name,OrganizationalUnit > DDG2_Recipients.txt
and open the text file output, there are mailboxes from all over AD, not just inside the specified filter container "domain.com/company" but shows recipients from all different OUs within the "domain.com".
So why does the "Preview" button show, say, about 250 recipients, while the powershell cmdlet reveals nearly 1,000 recipients.
-
Edited by
JGQ85
Wednesday, July 15, 2015 2:25 AM
July 15th, 2015 2:24am
I'm not sure I follow. I think you may be missing the point (or maybe I am). Regardless of how you are previewing the user list, sending an email to a DDG configured this way results in the email being delivered to basically the whole domain,
not a single OU. The recipients that get the email message addressed to the DDG is a much bigger list than when you preview the group members using the GUI.
July 15th, 2015 9:58am
I'm not sure I follow. I think you may be missing the point (or maybe I am). Regardless of how you are previewing the user list, sending an email to a DDG configured this way results in the email being delivered to basically the whole
domain, not a single OU. The recipients that get the email message addressed to the DDG is a much bigger list than when you preview the group members using the GUI.
From what I understand, the recipients that get the e-mail sent to a Distribution Group should be the recipients that exist within the OU that the "Recipient container" option is set to.
While it is blank in the screenshot, I have it set to a particular OU I browsed to on my domain.
If I click one tab over to "Conditions" and click "Preview" at the bottom, it will show me about 200 recipients.
If I then go into Powershell and run the aforementioned commands for get-recipient against the DDG, without specifying an OU, it will return mailboxes from all over the domain.
If I append the -OrganizationalUnit to the Get-recipient cmdlet accordingly, as to match the OU specified for the "recipient container" on the DDG properties, then it will return the same 200 recipients we see in the "Preview" GUI.
If that is intended, that is fine, due to the nature of powershell. Just thought it is slightly confusing compared to getting "members" of a "normal" distribution group.
-
Edited by
JGQ85
17 hours 23 minutes ago
July 15th, 2015 10:05am
Right, but if you actually send an email to the DDG who is the email sent to? All over the domain, based on my experience.
July 15th, 2015 10:07am
Right, but if you actually send an email to the DDG who is the email sent to? All over the domain, based on my experience.
So are you saying a Dynamic Distribution Group, no matter how it's configured, whenever you send an e-mail to it, everyone in the Exchange environment will receive the e-mail?
What exactly is the point of a Dynamic Distribution Group, then? Are you saying you can't specify a select group of users according to the OU they're in to only receive the e-mail?
-
Edited by
JGQ85
17 hours 10 minutes ago
July 15th, 2015 10:18am
The only way I got it to work the correct way was when specifying a "Condition", such as Company, Job Title, etc. When I tried to make what I thought would be the simplest DDG ever, "users with mailboxes in X OU", the frustration
started and led to me creating this original post. Because I would've manually had to go and set the Company, or Job Title attribute, or other on every user I decided creating a traditional static DG was the easiest solution for us.
-
Edited by
DaveB3786
16 hours 50 minutes ago
July 15th, 2015 10:32am
The only way I got it to work the correct way was when specifying a "Condition", such as Company, Job Title, etc. When I tried to make what I thought would be the simplest DDG ever, "users with mailboxes in X OU", the frustration
started and led to me creating this additional post. Because I would've manually had to go and set the Company, or Job Title attribute, or other on every user I decided creating a traditional static DG was the easiest solution for us.
Ok so sounds like we had two slight different issues.
Did you have an OU specified in the Filter, and any checkboxes checked?
For mine, I haven't specified any conditions. One one DDG I specified an exclusion per this article (http://benddiscount.com/2012/10/25/exchange-2010-excluding-mailboxes-from-dynamic-distro-groups/).
Where I went to one recipient and put the word "exclude" in their CustomAttribute10 field.
Then for the test DDG, I issued the command:
Set-DynamicDistributionGroup -Identity "DDGTest" -RecipientFilter { ((RecipientType -eq 'UserMailbox') -and (CustomAttribute10 -ne 'exclude')) }
This indeed excluded the person's mailbox that had "exclude" in their CustomAttribute10, but as you've read, my confusion started when I was getting far more recipients in the powershell query than I was showing in the "Preview" button.
From what I understand at this point, the "Preview" button is what shows the accurate recipient list. Specifying the "-OrganizationalUnit" with the Get-Recipient cmdlet is needed for the powershell query to match the preview list.
As for whether it works in reality, the best thing to do is send a test e-mail. Have test mailboxes outside of the OU and see if they get the e-mail sent to the DDG, and if your test mailboxes
inside the specified OU do get the email sent to the DDG.
July 15th, 2015 10:42am
I think the powershell command results are who the email to the DDG will actually be sent to. This was my entire frustration because the preview button in the GUI looked perfect, but then when sending a test message it went to everyone in the
domain with a mailbox, instead of the one OU I specified. If you use a custom attribute in your filter then it does actually look at RecipientContainer too, and the custom attribute, but if you only try to filter the group by saying users with mailboxes
in X RecipientContainer, that container filter seems to be totally ignored. This is why I gave up on this. After 1.5 years and an Exchange 2013 release where the problem still exists it looks to me like MS will never fix it.
July 15th, 2015 10:47am
I think the powershell command results are who the email to the DDG will actually be sent to. This was my entire frustration because the preview button in the GUI looked perfect, but then when sending a test message it went to everyone
in the domain with a mailbox, instead of the one OU I specified. If you use a custom attribute in your filter then it does actually look at RecipientContainer too, and the custom attribute, but if you only try to filter the group by saying users
with mailboxes in X RecipientContainer, that container filter seems to be totally ignored. This is why I gave up on this. After 1.5 years and an Exchange 2013 release where the problem still exists it looks to me like MS will never fix it.
If you run an export of it like so:
$DDG = Get-DynamicDistributionGroup -Identity "Your DDG Name"
Get-Recipient -OrganizationalUnit "domain.com/OU" -RecipientPreviewFilter $DDG.Recipient Filter | Select Name,OrganizationalUnit | Export-Csv DDG_Recipients.csv
And open the .csv file output, does it show the same users that are shown when you click "Preview" button in the GUI?
July 15th, 2015 11:17am
I deleted my test group a year ago so I can't try it again now, but as I recall the CSV exports I tried (your cmdlets look the same) would pull users from any OU regardless of my RecipientContainer filter. I came to the conclusion that it is simply
broken and I wasn't about to wait for MS to fix it, so I moved back to traditional DGs.
July 15th, 2015 11:38am
I deleted my test group a year ago so I can't try it again now, but as I recall the CSV exports I tried (your cmdlets look the same) would pull users from any OU regardless of my RecipientContainer filter. I came to the conclusion that it
is simply broken and I wasn't about to wait for MS to fix it, so I moved back to traditional DGs.
I'd give it another try. Just create a new Dynamic Distribution Group. Leave default settings and just go to Filter and chose a specified OU.
Check the same check boxes as shown here, then try it again.
July 15th, 2015 12:27pm
Hi Dave,
"I think the powershell command results are who the email to the DDG will actually be sent to. "
I would say this is not entirely correct if you use OU based filterting in the DDG.
If you use -RecipientContainer with some OU. Then PowerShell and Preview might give separate results, that's what I tried to explain and JGQ85Serenity explained nicely with an example.
Now, if you think, the 'preview' is showing correct results, but when you send a test email to DDG it doesn't respect the 'previewed list' instead sends it all over to the domain.
Please share the DDG details here, so that I can test and confirm the results.
As per my experience DDG works very well including limiting the users based on OUs.
Updating the list might sometimes take
July 16th, 2015 12:40am