From: Mike F on
How do I properly configure a filter rule for an Exchange (2003) recipient
policy so that it only applies to a specific OU? I want users created
within 1 OU to have a recipient policy applied to it. That policy will only
apply to users in that OU so it will have a higher priority than the default
recipient policy.



I've created such a policy and the syntax looked like this, where OU is
Tampa but the policy never applied to users in the OU.

(&(ou>="")(name=Tampa*))



I found this http://msdn.itags.org/exchange-server/157858/ which says you
can't do what I'm trying to do so I created a security group in that OU,
added the users to it, then configured the policy to apply to that security
group. I don't have the syntax handy, but what I did didn't work.





I may be able to find further answer here
http://msexchangeteam.com/archive/2005/04/20/403953.aspx, but if anyone has
a good suggestion here I'd really appreciate it.



Thanks!

From: Rich Matheisen [MVP] on
On Thu, 17 Jun 2010 09:43:41 -0500, "Mike F" <m(a)m.com> wrote:

>How do I properly configure a filter rule for an Exchange (2003) recipient
>policy so that it only applies to a specific OU?

You don't.

>I want users created
>within 1 OU to have a recipient policy applied to it. That policy will only
>apply to users in that OU so it will have a higher priority than the default
>recipient policy.

The OU isn't a property of the user.

>I've created such a policy and the syntax looked like this, where OU is
>Tampa but the policy never applied to users in the OU.
>
>(&(ou>="")(name=Tampa*))

And where did you find the "ou" property value in a user's set of
properties?

>I found this http://msdn.itags.org/exchange-server/157858/ which says you
>can't do what I'm trying to do so I created a security group in that OU,
>added the users to it, then configured the policy to apply to that security
>group. I don't have the syntax handy, but what I did didn't work.
>
>I may be able to find further answer here
>http://msexchangeteam.com/archive/2005/04/20/403953.aspx, but if anyone has
>a good suggestion here I'd really appreciate it.

Pick a property that's common to all mail-enabled objects and populate
it with a unique value that you can use in an LDAP query. There are 15
"Custom Attribute" properties (extensionAttribute1 -
extensionAttribute15) that you can use for this.
---
Rich Matheisen
MCSE+I, Exchange MVP
From: Mike F on
Can you give a sample of an attribute and how I may write an LDAP query to
pick only the user of 1 OU? I would think that attribute is set after the
user is created which would mean the recipient policy doesn't apply when the
user is created - is that correct? Would I have to reapply the policy once
the user attribute is set?

From: Rich Matheisen [MVP] on
On Thu, 17 Jun 2010 19:58:16 -0500, "Mike F" <m(a)m.com> wrote:

>Can you give a sample of an attribute

Sure. How about "extensionattribute1"?

>and how I may write an LDAP query to
>pick only the user of 1 OU?

If you put, say, "XX1" into extensionAttribute1 then the query would
be: extensionattribute1=xx1

>I would think that attribute is set after the
>user is created

That's not necessarily true. You can create the user without creating
the mailbox. Then you can populate the property and afterwards create
the mailbox.

>which would mean the recipient policy doesn't apply when the
>user is created - is that correct?

Depends. See above.

>Would I have to reapply the policy once
>the user attribute is set?

If you populate the attribute after you create the mailbox, yes. But
how would using the OU work if you moved the user to a different OU
after creating the mailbox?
---
Rich Matheisen
MCSE+I, Exchange MVP
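
The two filters from this thread, evaluated against a small directory model (an added example, not part of the original posts and not Exchange code). The entries, the `example.com` DNs and the helper names `parse`, `matches` and `search` are assumptions made for illustration; only `&`, `|`, `=`, `>=` and `*` wildcards are modelled.

```python
import re

# Constructed sample entries (not from the thread); attribute names lower-cased.
ENTRIES = [
    {"dn": "CN=Jane Doe,OU=Tampa,DC=example,DC=com", "name": "Jane Doe",
     "extensionattribute1": "XX1"},
    {"dn": "CN=Raj Patel,OU=Tampa,DC=example,DC=com", "name": "Raj Patel"},
    {"dn": "CN=Ann Lee,OU=Miami,DC=example,DC=com", "name": "Ann Lee",
     "extensionattribute1": "XX2"},
]

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|":                      # boolean node with child filters
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    end = f.index(")", i)                 # simple item: attr OP value
    attr, _, value = f[i:end].partition("=")
    op = "="
    if attr.endswith(">"):                # '>=' comparison
        op, attr = ">=", attr[:-1]
    return (op, attr.strip().lower(), value.lower()), end + 1

def matches(node, entry):
    if node[0] in "&|":
        results = [matches(kid, entry) for kid in node[1]]
        return all(results) if node[0] == "&" else any(results)
    op, attr, value = node
    have = entry.get(attr)
    if have is None:                      # attribute not set: item cannot match
        return False
    have = have.lower()                   # assumption: case-insensitive compare
    if op == ">=":
        return have >= value
    # '=' with optional '*' wildcards; everything else is literal
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return re.fullmatch(pattern, have) is not None

def search(filter_text):
    if not filter_text.startswith("("):   # the thread writes the bare item
        filter_text = "(" + filter_text + ")"
    node, _ = parse(filter_text)
    return [e["dn"] for e in ENTRIES if matches(node, e)]
```

In this model the original filter selects nobody, because the containing OU appears only in the DN and `name` holds the user's own name, while `extensionattribute1=xx1` selects only the tagged user and skips the untagged one in the same OU.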
From: Mike F on
The goal of having the correct recipient policy apply at the time the user
is created is to reduce steps and errors when creating a user.

There are 3 different sister companies that have users in different
countries, not joined to the domain, that will be using Outlook Anywhere
(RPC over HTTPS) to gain access to their mailboxes. Their email address
domains for each of the companies are all different and this is what I'm
trying to control when the user is setup. I can go back into the user
account and modify the email addresses to make them what they need to be
manually, but I fear either a recipient policy being reapplied or an admin
making an error when editing the email addresses manually (or forgetting to
do that).

Given this extra info, do you have a recommended way to create the user,
having the correct recipient policy apply to them based on something done
when creating the user (if not what OU they're in or group membership since
those don't apparently work)?

Thanks!