Email Address Policy and OPATH filters

The other day, someone asked me a question. (get used to that sort of intro; I’m mining a lot of great blog post topics from questions running through my mailbox!)

This time, the question was something along the lines of “I’ve got an Exchange 2003 Recipient Policy where I created a custom LDAP filter to define the set of recipients. How do I ‘translate’ that into Exchange 2007 Email Address Policy so I can ‘upgrade’ the policy to be managed by Exchange 2007 directly?”.

Great question! I’m writing up a more detailed (and simultaneously more generic) explanation of the new recipient OPATH filtering behavior in Exchange 2007 for a blog post in the next few weeks. And, of course, there’s an OPATH filtering primer posted on the Wiki which demonstrates that the same OPATH concepts apply to Email Address Policy, Address List, Global Address List, and Dynamic Distribution Group RecipientFilter.

But back to the question at hand… they provided an LDAP filter and said… “now what”? Well, the exercise has two parts: 1) figure out what the filter is actually filtering, and then 2) reconstruct the filter in OPATH syntax and set it on the object.

Basically the filter they provided was like this:

(&(&(|(&(&(objectCategory=user)(msExchHomeServerName=/o=ORG/ou=SITE/cn=Configuration/cn=Servers/cn=*)))(&(|(objectCategory=group)(objectCategory=msExchDynamicDistributionList))(displayname=IT*)))))

On to step 1 — figuring out what this actually filters!

There are a couple of things you can do at this stage to help yourself out. You can copy and paste this filter into a “search” action in LDP (subtree, starting at the root) and see what it returns. At a high level, this will at least help you to know what sort of objects you’re looking for in your OPATH translation (so you can tell if you’re way off after you’ve finished).

The more practical way of doing this is to paste it into notepad and break it out into indented lines so you can see the logical flow:

(&
  (&
    (|
      (&
        (&
          (objectCategory=user)(msExchHomeServerName=/o=ORG/ou=SITE/cn=Configuration/cn=Servers/cn=*)
        )
      )
      (&
        (|
          (objectCategory=group)(objectCategory=msExchDynamicDistributionList)
        )
        (displayname=IT*)
      )
    )
  )
)

Alright, that seems fairly easy... give or take.

Translated to English, it looks something like this:

    • All user-category objects that have home server in a particular admin group (this would only be mailbox objects in that AG)
  • AND
    • All (Groups OR Dynamic Distribution Groups) whose displayname matches a particular wildcard

Great! So that’s a start. Now we at least know what we should expect to find if we do issue the LDAP search in LDP.

Next, on to part two… translating the logical filter we’ve just determined into OPATH syntax:

First, let’s diagram it loosely like above. Then we can go into the actual cmdlet syntax…

    • (ServerLegacyDN -like "/o=ORG/ou=SITE/cn=Configuration/cn=Servers/cn=*")
  • -and
    • ( (RecipientType -eq "<one of several group recipient-types>" -or RecipientType -eq "DynamicDL")
      • -and
    • ( DisplayName -like "IT*" ) )

Not so bad, really. Just swapping some filtering keywords and the LDAP style of syntax for the OPATH style.

So let’s say you want to set this new OPATH filter on an existing EAP, what cmdlet syntax do you use? Note that if you are setting this on an Exchange 2003 created EAP you will also be prompted to confirm that you want to upgrade the version of the object to Exchange 2007. You can suppress the confirmation (if you're doing it in a script, for instance) by using the -ForceUpgrade switch. This is optional, however, and is also not required for EAPs created by Exchange 2007 tools. More importantly, note that the -ForceUpgrade switch does not automatically create the new filter for you. If you say "Set-EmailAddressPolicy MyE2k3Policy -ForceUpgrade", it will not do anything at all since you haven't supplied a filter (you've just told it not to prompt, and there was no prompt anyway).

This will be a “custom filter” created from the shell, since it doesn’t fall under the “precanned” filter options. This means you will create it using the “RecipientFilter” parameter and you’d end up with a long, but manageable, one-liner something like this:

Set-EmailAddressPolicy eap1 -RecipientFilter { (ServerLegacyDN -like "/o=ORG/ou=SITE/cn=Configuration/cn=Servers/cn=*" ) -or ( ( RecipientType -eq "MailEnabledUniversalDistributionGroup" -or RecipientType -eq "MailEnabledUniversalSecurityGroup" -or RecipientType -eq "MailEnabledNonUniversalGroup" -or RecipientType -eq "DynamicDL") -and ( DisplayName -like "IT*" ) ) }
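As an added example (my code, not from the post or from Exchange), here is a small Python script that automates both steps for the filter above: it parses the LDAP filter into a tree, prints it with one paren per line the way the notepad layout does, and translates it to OPATH using the attribute mapping the post walks through. The mapping table, the collapsing of single-child wrappers, and dropping objectCategory=user are assumptions that hold for this filter only; LDAP escapes and operators other than & and | are not handled.

```python
# Added example, not from the post: parse the LDAP filter above into a tree, print it
# indented the way the notepad layout does, and emit OPATH using the post's mapping.
FILTER = ("(&(&(|(&(&(objectCategory=user)(msExchHomeServerName=/o=ORG/ou=SITE/cn=Configuration/cn=Servers/cn=*)))"
          "(&(|(objectCategory=group)(objectCategory=msExchDynamicDistributionList))(displayname=IT*)))))")
GROUP_TYPES = ("MailEnabledUniversalDistributionGroup", "MailEnabledUniversalSecurityGroup", "MailEnabledNonUniversalGroup")
# Fixed renderings for (attribute, value) pairs (assumed table, limited to this filter); None drops
# the term, since ServerLegacyDN already restricts the match to mailboxes, as the post notes.
FIXED = {
    ("objectcategory", "user"): None,
    ("objectcategory", "group"): "(" + " -or ".join(f'RecipientType -eq "{t}"' for t in GROUP_TYPES) + ")",
    ("objectcategory", "msexchdynamicdistributionlist"): '(RecipientType -eq "DynamicDL")',
}
RENAME = {"msexchhomeservername": "ServerLegacyDN", "displayname": "DisplayName"}

def parse(s, i=0):
    """Return (node, next_index): node is ('&'|'|', [children]) or ('=', attr, value); no escapes handled."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"unbalanced filter at offset {i}")
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)  # the value may itself contain '=' (the legacy DN does)
    return ("=", attr, value), j + 1

def indent(node, depth=0):
    """One paren per line, two spaces per nesting level: the 'break it out in notepad' step."""
    pad = "  " * depth
    if node[0] == "=":
        return f"{pad}({node[1]}={node[2]})"
    return "\n".join([f"{pad}({node[0]}", *(indent(k, depth + 1) for k in node[1]), f"{pad})"])

def to_opath(node):
    """Translate a node; single-child wrappers collapse, so the (| under the two outer (& is the top-level -or."""
    if node[0] == "=":
        key = (node[1].lower(), node[2].lower())
        if key in FIXED:
            return FIXED[key]
        op = "-like" if "*" in node[2] else "-eq"
        return f'({RENAME.get(node[1].lower(), node[1])} {op} "{node[2]}")'
    parts = [p for p in map(to_opath, node[1]) if p]
    if len(parts) <= 1:
        return parts[0] if parts else None
    return "(" + (" -and " if node[0] == "&" else " -or ").join(parts) + ")"
```

Calling `indent(parse(FILTER)[0])` gives the nineteen-line layout from step 1, and `to_opath(parse(FILTER)[0])` yields the -or-joined OPATH string that the final cmdlet uses.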