Using MemberOf with -RecipientFilter

In the "Do I Really Need to Upgrade my Filters" blog post, several folks posted a question/comment asking about MemberOf. In Exchange 2003, it was possible to build an EAP/AL/GAL/DDG filter that took group membership into account as a criterion for inclusion in the filter. My initial response was that it's not possible in Exchange 2007, but it turns out that's not true.

Quick step back to make sure we're all thinking of the same scenario here... I'm talking about this scenario:

  1. Create a group... let's call it "testgroup"
  2. Create some mailboxes/mailcontacts, etc... add them to the group.
  3. Create an address list... let's call it "testAL"
  4. Now, make the membership of this AL (i.e., its 'RecipientFilter') conditional on the recipient objects being part of ("memberOf") the group "testgroup".

Hmm, you probably get an error on step 4. Or, even more likely, you can't figure out how to specify the filter.

What makes this a little hard is two things:

First, if you do "Get-Mailbox" or "Get-User" you don't see MemberOf as an exposed property on these presentation objects. This is by design, as doing the lookups on an AD back-link (MemberOf is an AD back-link) is very low performance and not really required for anything I'm aware of (since you can just get this info from the forward direction). That said, checking the list of properties on the output presentation object is generally a good way to learn which properties are filterable. In this case, such an assumption will let you down.

Note: Based on the number of requests we've received on this point, we're putting together the list of filterable properties right now for a future UE update. I'll plan to blog them here shortly so that you can have more info on what properties are filterable. - Done! Here's the blog post: https://blogs.technet.com/evand/archive/2007/02/19/filterable-properties-in-exchange-2007-rtm.aspx

Second, even though MemberOf *IS* filterable, if you try to use "MemberOf" as the name of the filterOnly property that represents the AD MemberOf schema entry, it fails. This is because the filterable property name is actually a little more verbose: MemberOfGroup. If you specify MemberOfGroup in the filter, it'll work great.

So, let's bring this all back together on MemberOfGroup and give an example:

[PS] D:\>$groupidentity = $(Get-DistributionGroup testgroup).Identity.DistinguishedName

[PS] D:\>$groupidentity

CN=testgroup,CN=Users,DC=domain,DC=com

[PS] D:\>Set-AddressList testAL -RecipientFilter "MemberOfGroup -eq '$groupidentity'"

[PS] D:\>Get-AddressList testAL

Name      DisplayName    RecipientFilter
----      -----------    ---------------
testAL    testAL         MemberOfGroup -eq 'domain.com/Users/testgroup'

Updated 2/14 - Talking with some folks after this post went live, it wasn't totally clear what I was doing just above with the $groupidentity variable. Excellent observation. Let's explain it:

MemberOfGroup filtering requires that you supply the full AD distinguished name of the group you're trying to filter against. This is an AD limitation, and it happens because you're really filtering this calculated back-link property from AD, not the simple concept of "memberOf" that we expose in Exchange.

So, rather than typing in the whole darn long DN, I just extracted it from the group object and dropped it into a variable that I could reuse in the RecipientFilter. Bravo PowerShell!
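
The same steps wrapped in a function, as an added example that is not from the original post: it refuses to build the filter unless the group name resolves to exactly one group, escapes apostrophes in the DN, and previews the matching recipients before changing the address list. The function name, its parameters and the preview via Get-Recipient -Filter are assumptions made for this sketch, as is the doubling of single quotes as the escape inside a quoted filter value.

```powershell
# Added example (not from the original post). The function name and the
# parameter names are hypothetical.
function Set-GroupBackedAddressList {
    param(
        [string]$AddressList,   # e.g. 'testAL'
        [string]$Group,         # e.g. 'testgroup'
        [switch]$Apply          # without -Apply the function only previews
    )

    # Require exactly one group. An empty DN would yield a filter that
    # silently matches nothing; an ambiguous name could bind the address
    # list to a different group than intended.
    $groups = @(Get-DistributionGroup -Identity $Group -ErrorAction SilentlyContinue)
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group for '$Group', found $($groups.Count)."
    }
    $dn = $groups[0].Identity.DistinguishedName

    # The DN is placed inside single quotes in the filter string.
    # Assumption: a literal apostrophe in the DN is escaped by doubling it.
    $escapedDn = $dn -replace "'", "''"
    $filter = "MemberOfGroup -eq '$escapedDn'"

    # Preview which recipients the filter selects before applying it.
    $preview = @(Get-Recipient -Filter $filter -ResultSize Unlimited)
    Write-Host "Filter : $filter"
    Write-Host "Matches: $($preview.Count) recipient(s)"
    $preview | ForEach-Object { Write-Host "  $($_.Name)" }

    if ($Apply) {
        Set-AddressList -Identity $AddressList -RecipientFilter $filter
    }

    # Return the filter string so the caller can log or reuse it.
    $filter
}

# Preview only:
#   Set-GroupBackedAddressList -AddressList testAL -Group testgroup
# Preview, then update the address list:
#   Set-GroupBackedAddressList -AddressList testAL -Group testgroup -Apply
```

Because the filter is bound to the group's distinguished name, re-run the function if the group is later renamed or moved to another container.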