About it being a universal group, what exactly does this do to the query?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 23, 2006 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL

A couple of items to look at for all issues like this:

Is the group a universal group[1]?
Are the users direct members of the group or in the group via nesting?

Specifically here I would look at the filter in a cleaner format such as what adfind will give you with the -stats+ and -stats+only switches. Here is your query below against one of my test domains with the guests group specified.

(&
  (mailNickname=*)
  (|
    (&
      (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com)
      (!
        (memberOf=CN=Guests,CN=Builtin,DC=domain,DC=com)
      )
      (objectClass=user)
      (!
        (homeMDB=*)
      )
      (!
        (msExchHomeServerName=*)
      )
    )
    (&
      (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
      (objectClass=user)
      (|
        (homeMDB=*)
        (msExchHomeServerName=*)
      )
    )
    (&
      (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
      (objectClass=contact)
    )
    (objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com)
    (objectCategory=CN=ms-Exch-Public-Folder,CN=Schema,CN=Configuration,DC=joe,DC=com)
    (objectCategory=CN=ms-Exch-Dynamic-Distribution-List,CN=Schema,CN=Configuration,DC=joe,DC=com)
  )
)

The filter is kind of messy. Under the OR (|) block you have 6 main components. The last four (easy ones)

3. Any Contacts
4. Any Dynamic DLs
5. Any Public Folders
6. Any groups

All of those tied with the initial mailnickname mean Exchange enabled versions of each.

Then the first one says give only user objects that aren't in the group specified and don't have homeMDB and msExchHomeServerName populated. This would be mail enabled users that are NOT in the group you are concerned about.

Then the second one says give all users with homeMDB or msExchHomeServerName populated. This would be all mailbox enabled users period.

If you want to set it so that if something is in that group, despite the object type, it won't be in the GAL you would want to pull the memberOf check out to the top level along with mailnickname. Maybe something like

(&
  (mailNickname=*)
  (!
    (memberOf=CN=Guests,CN=Builtin,DC=domain,DC=com)
  )
  (|
    (&
      (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com)
      (objectClass=user)
      (!
        (homeMDB=*)
      )
      (!
        (msExchHomeServerName=*)
      )
    )
    (&
      (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
      (objectClass=user)
      (|
        (homeMDB=*)
        (msExchHomeServerName=*)
      )
    )
    (&
      (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
      (objectClass=contact)
    )
    (objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com)
    (objectCategory=CN=ms-Exch-Public-Folder,CN=Schema,CN=Configuration,DC=joe,DC=com)
    (objectCategory=CN=ms-Exch-Dynamic-Distribution-List,CN=Schema,CN=Configuration,DC=joe,DC=com)
  )
)

joe

[1] Not important if a single domain forest.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Wednesday, December 20, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL

Thanks, this got me closer to the correct query. It sure saved me a lot of tries, trying to get the query right using "(!attr=val)", instead of using (!(attr=val)).

I however did not manage to get it working completely. Even with the (!(attr=val)) the query outputs exactly the same.

The query below does perhaps look more complex than it in fact is. It is in fact the Default GAL from Exchange as it comes out of the box. I have been trying to filter out a certain group from appearing in this GAL.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, December 19, 2006 8:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL

I didn't look it over completely to see what you are doing but noticed the (!attr=val) and wanted to comment on that specific piece...

When making AL filters, Exchange is picky and if you put in a ! you need to use the long form of (!(attr=val)) and not (!attr=val). While AD will not have a problem with the filter, AD isn't interpreting that filter, Exchange is pulling everything from AD and doing the filtering itself. That is why ESM will show you one result and what you really get could be something completely different.

I once got a crap answer from an Alliance Exchange PSS that someone made up about the RFC standards etc. but that "reason" was, as I said, crap. It is just something you have to be aware of when working with those filters.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 19, 2006 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Filter out a certain group of users from the GAL

I have been trying to filter out a certain group of users from the GAL, these users should not appear in the GAL. I have used the "!" sign but it looks simpler than it in fact is.

This is the Default GAL:

(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!
(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)
(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&
(objectCategory=person)(objectClass=contact))(objectCategory=group)
(objectCategory=publicFolder)
(objectCategory=msExchDynamicDistributionList) ))

I want to exclude people who are a member of a group called "XYZ Users" and thought about doing it with:

(!memberOf=CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl)

The complete query is now:

(& (mailnickname=*) (| (&(objectCategory=person)(!memberOf=CN=XYZ
Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl)(objectClass=user)(!
(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)
(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&
(objectCategory=person)(objectClass=contact))(objectCategory=group)
(objectCategory=publicFolder)
(objectCategory=msExchDynamicDistributionList) ))

The above query outputs exactly the same objects as the first query, the one of the Default GAL. So somehow the group is not being filtered out. Probably just me overlooking something.

Cheers,
Victor

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
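
Added example, not part of the thread: a small Python check for the two things joe's replies raise, a negation written in the short form (!attr=val) and a memberOf exclusion that sits inside one branch of the OR instead of at the top level. parse and lint are names made up for this sketch, and the sample filters are constructed, shortened from the ones quoted above.

```python
def parse(s, i=0):
    """Parse the filter that starts at s[i] == '('; return (node, next index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] not in "&|!":                      # plain item: (attr=val)
        j = s.index(")", i)
        return ("item", s[i:j].strip(), False), j + 1
    op, kids, i = s[i], [], i + 1
    while True:
        while s[i].isspace():
            i += 1
        if s[i] == ")":
            return (op, kids), i + 1
        if s[i] == "(":
            kid, i = parse(s, i)
        else:                                  # short form: (!attr=val)
            j = s.index(")", i)
            kid, i = ("item", s[i:j].strip(), True), j
        kids.append(kid)

def lint(filter_text):
    """List every negated memberOf test with the two properties discussed above."""
    tree, _ = parse(filter_text.strip())
    findings = []
    def walk(node, under_or):
        if node[0] == "item":
            return
        op, kids = node
        for kid in kids:
            if op == "!" and kid[0] == "item" and kid[1].lower().startswith("memberof="):
                findings.append({"short_form": kid[2], "inside_or_branch": under_or})
            walk(kid, under_or or op == "|")
    walk(tree, False)
    return findings

# Constructed samples, shortened from the two shapes of filter in the thread.
ORIGINAL = ("(&(mailnickname=*)(|(&(objectCategory=person)"
            "(!memberOf=CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl)"
            "(objectClass=user)(! (homeMDB=*)))"
            "(&(objectCategory=person)(objectClass=user)(homeMDB=*))"
            "(objectCategory=group)))")
HOISTED = ("(&(mailnickname=*)"
           "(!(memberOf=CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl))"
           "(|(&(objectCategory=person)(objectClass=user))(objectCategory=group)))")

if __name__ == "__main__":
    for name, f in (("original", ORIGINAL), ("hoisted", HOISTED)):
        print(name, lint(f))
```

A finding with inside_or_branch set means the exclusion only constrains that one branch, so group members matched by any other branch of the OR still land in the address list.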