Score:0

PowerShell to exclude Group Members from Dynamic Distribution List O365


I am creating an All Dynamic Distribution Group in Office 365 Exchange Online. I am doing this with PowerShell. We will call this group AllTestGroup. Here is some information about the setup.

  • Exchange Online
  • On-Prem Active Directory
  • Most mailboxes are associated with an on-prem ad user. (ADSync)
  • A few mailboxes are cloud-only.
  • There are no customattributes or extensionattributes found inside the AD users' accounts (inherited the issue). It does, however, have msDS-CloudExtensionAttribute0-20. When you set one, it does not appear on the Office 365 side. Plus, when you try to add one, we receive an Azure Active Directory and Exchange Online error: "Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration. DualWrite (Graph)"

Here is what the client needs/requires:

  • A single group that contains all UserMailbox
  • No MailContacts
  • Exclude Anyone inside this AD group "CN=AllExclusion,OU=SG,DC=Example,DC=Local"
  • Exclude Anyone in this O365 Distribution Group: [email protected]
  • No Additional Costs

Here is the filter I have created for this:

(`
    (RecipientType -eq 'UserMailbox') `
    -and (-not(RecipientType -eq 'MailContact')) `
    -and (-not(MemberOfGroup -eq 'CN=AllExclusion,OU=SG,DC=Example,DC=Local')) `
    -and (-not(MemberOfGroup -eq '[email protected]')) `
    -and (-not(Name -like 'SystemMailbox{*')) `
    -and (-not(Name -like 'CAS_{*')) `
    -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) `
    -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) `
    -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) `
    -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')) `
    -and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox')) `
    -and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox')) `
    -and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox')) `
    -and (-not(RecipientTypeDetailsValue -eq 'GuestMailUser'))`
)

(Code split up using the ` mark to help readability.) Here is the problem I am facing. When I run Get-DynamicDistributionGroupMember, I am still seeing the users inside the AllExclusion security group. I am also seeing members of the [email protected]. For example, Ellan Smith is inside the AllExclusion security group. She shows up on the list. To make sure I am completely synced up, I ran Start-ADSyncSyncCycle -PolicyType Initial and Delta. I waited the 20 recommended minutes and tried again. Same results.

I feel like I am missing something small, but I don't know what that is.

Score:1

This is a unique situation. I was trying to pull from the local AD when I should have been pulling from the Azure AD. In this line:

-and (-not(MemberOfGroup -eq 'CN=AllExclusion,OU=SG,DC=Example,DC=Local')) `

I am targeting the DN for AllExclusion from the local AD. I need to get the DN for Azure AD. The reason for this is that Exchange Online is pointing to Azure, not the local AD. If this were a local on-prem Exchange, this would work, but it isn't. To get the DN you will need to run this command:

(Get-DistributionGroup AllExclusion).DistinguishedName

The DN will be much larger. It will look something like this:

CN=AllExclusion,OU=Example.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR##A###,DC=PROD,DC=OUTLOOK,DC=COM

Thus your exclusion will look something like this:

-and (-not(MemberOfGroup -eq 'CN=AllExclusion,OU=Example.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR##A###,DC=PROD,DC=OUTLOOK,DC=COM'))

Here is what the final Recipient Filter looks like:

(
    (RecipientType -eq 'UserMailbox') `
    -and (RecipientType -ne 'MailContact') `
    -and (MemberOfGroup -ne 'CN=AllExclusion,OU=Example.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR##A###,DC=PROD,DC=OUTLOOK,DC=COM') `
    -and (Name -notlike 'SystemMailbox{*') `
    -and (Name -notlike 'CAS_{*') `
    -and (RecipientTypeDetailsValue -ne 'MailboxPlan') `
    -and (RecipientTypeDetailsValue -ne 'DiscoveryMailbox') `
    -and (RecipientTypeDetailsValue -ne 'PublicFolderMailbox') `
    -and (RecipientTypeDetailsValue -ne 'ArbitrationMailbox') `
    -and (RecipientTypeDetailsValue -ne 'AuditLogMailbox') `
    -and (RecipientTypeDetailsValue -ne 'AuxAuditLogMailbox') `
    -and (RecipientTypeDetailsValue -ne 'SupervisoryReviewPolicyMailbox') `
    -and (RecipientTypeDetailsValue -ne 'GuestMailUser')`
)

Joy Zhang
Thanks for sharing :) You could mark the final solution as the best answer; if someone encounters the same issue, they could find the solution quickly.
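
The answer's approach (use the Exchange Online DN, not the on-prem DN, in MemberOfGroup) can be checked before the filter is applied. The following is an added example, not code from the original posts: it resolves the cloud DNs, previews the filter, and applies it only if no direct member of an exclusion group still matches. It assumes an existing Connect-ExchangeOnline session; `ExcludedDL` is a placeholder for the second exclusion group, whose address is obscured on the page.

```powershell
# Added example. 'AllTestGroup' and 'AllExclusion' come from the question;
# 'ExcludedDL' is a placeholder name for the second exclusion group.
$ddgName        = 'AllTestGroup'
$exclusionNames = @('AllExclusion', 'ExcludedDL')

# Resolve each exclusion group to its Exchange Online DN (not the on-prem DN).
$exclusionGroups = foreach ($name in $exclusionNames) {
    Get-DistributionGroup -Identity $name -ErrorAction Stop
}

# One MemberOfGroup clause per exclusion group, built from the cloud DN.
$clauses = $exclusionGroups | ForEach-Object {
    "(-not(MemberOfGroup -eq '$($_.DistinguishedName)'))"
}
$filter = "((RecipientType -eq 'UserMailbox') -and " + ($clauses -join ' -and ') + ")"

# Evaluate the filter without touching the dynamic group yet.
$preview = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)

# Index the direct members of every exclusion group by primary SMTP address.
# PowerShell hashtable keys are case-insensitive, which suits SMTP addresses.
$excluded = @{}
foreach ($group in $exclusionGroups) {
    Get-DistributionGroupMember -Identity $group.DistinguishedName -ResultSize Unlimited |
        ForEach-Object { $excluded[[string]$_.PrimarySmtpAddress] = $group.Name }
}

# Any previewed recipient that is also an exclusion-group member is a leak.
$leaks = @($preview | Where-Object { $excluded.ContainsKey([string]$_.PrimarySmtpAddress) })

if ($leaks.Count -gt 0) {
    $leaks | Select-Object DisplayName, PrimarySmtpAddress,
        @{ Name = 'ExcludedBy'; Expression = { $excluded[[string]$_.PrimarySmtpAddress] } }
    Write-Warning "Filter still matches $($leaks.Count) excluded recipient(s); not applied."
}
else {
    Set-DynamicDistributionGroup -Identity $ddgName -RecipientFilter $filter
    Write-Output "Applied filter to $ddgName ($($preview.Count) recipients in preview)."
}
```

Get-Recipient -RecipientPreviewFilter evaluates the filter directly, so the check does not depend on the dynamic group's membership having been recalculated.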