Active Directory search for Groups who can receive emails "Only From"

  • Active Directory search for Groups who can receive emails "Only From"

    Hi all,
    I'm asking for help since I need to find an LDAP script or any other that can help me find all the groups who can receive emails from certain users only. I'm talking about distribution lists: there is a tab called "Exchange General", and a checkbox under Message restrictions, "Only from". I've attached a picture.
    I would like to know if I can run a search for the groups who have this option checked, or the other way around, search for "From everyone"

    Thank you.

  • #2
    Re: Active Directory search for Groups who can receive emails "Only From"

    You can use DSQUERY.exe for this:

    To obtain the right filter for mailEnabled groups, you can use "Saved Queries" in ADUC and copy the query string from it.

    Where 'mailnickname=*' means "MailEnabled".

    Next, you must find out which attribute represents the radio button "Only From".
    This site can help with that:
    • If the radio button "Only from" is ticked then the "input box for mail addresses" will be activated. The content of this box will in this case be written to the attribute "authOrig" (and "unauthOrig" is then emptied automatically when saving the changes).
    • The radio button "From everyone except" also activates this "input box for mailboxes". But the content will now be written to the attribute "unauthOrig" (and "authOrig" is emptied when saving).
    • If the "input box for mail addresses" is empty, then the radio button will be switched back automatically to "From everyone" when saving.

    So, in your case you have to query for non-empty authOrig attributes of every mailEnabled group.

    You can modify the filter a bit: change 'mailnickname=*' to 'authOrig=*'.

    Where 'authOrig=*' means this attribute is not empty; then you know the group is mailEnabled AND has 'receiving restrictions'.

    Next use adsiedit.msc to get the names of the attributes you want to export.
    (Or use the "Active Directory Explorer" to find the names. This tool is basically ADSI Edit on steroids)

    Finally here is the command line
    cmd /c dsquery.exe * -limit 0 -filter "(&(authOrig=*)(objectCategory=group))" -attr name authOrig> c:\RestrictedMailEnabledGroups.txt
    That was the easy way.
    But you can also get the same (or nicer) results using a VBScript:

    ' RestrictedMailEnabledGroups.vbs
    ' Remco Simons [nl] 2007
    Const col1 = 60  '<--- max. characters used in Groupnames
    Const ForAppending = 8
    'on error resume next  'not in use any more
    Set rootDSE = GetObject("LDAP://RootDSE")
    DomainContainer = rootDSE.Get("defaultNamingContext")
    ' Query the domain through ADO for every group with a non-empty authOrig
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADSDSOObject"
    conn.Open "ADs Provider"
    ldapStr = "<LDAP://" & DomainContainer & ">;(&(authOrig=*)(objectCategory=group));adspath;subtree"
    Set rs = conn.Execute(ldapStr)
    While Not rs.EOF
      strItem = Empty
      Set FoundObject = GetObject(rs.Fields(0).Value)
      ObjectName = Trim(Mid(FoundObject.Name,4))  ' Name is "CN=<name>"; drop the "CN="
      intSpaces = col1 - Len(ObjectName)
      If intSpaces < 1 Then intSpaces = 1
      If Not IsEmpty(FoundObject.authOrig) Then
        ' authOrig holds the distinguished names of the allowed senders
        For Each OnlyFromObj In FoundObject.GetEx("authOrig")
          'If Err.number then Exit For  'not in use any more
          Set objItem = GetObject("LDAP://" & OnlyFromObj)
          If Not IsEmpty(Mid(objItem.Name,4)) Then _
            strItem = Mid(objItem.Name,4) & "; " & strItem
        Next
        'If Err.number then   'not in use any more..
        '  Err.Clear
        '  Set objItem = GetObject("LDAP://"& FoundObject.authOrig)
        '  If NOt IsEmpty(Mid(objItem.Name,4)) Then _
        '   strItem = Mid(objItem.Name,4)
        '  If Err.number then msgbox err.description
        'End If
      End If
      sResults = ObjectName & Space(intSpaces) & strItem & vbNewLine & sResults
      rs.MoveNext
    Wend
    conn.Close
    ' Write the report to a temporary file and show it in WordPad
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objShell = CreateObject("Wscript.Shell")
    sOutTmp = objShell.ExpandEnvironmentStrings("%temp%\" & objFSO.GetTempName)
    With objFSO.OpenTextFile(sOutTmp, ForAppending, True)
      .Write("Group Name" & Space(50) & "Accept messages Only From" & vbNewLine & _
        "-----------------------------------------------------------------------------------------------" & _
        vbNewLine & sResults)
      .Close
    End With '***
    objShell.Run "WordPad " & sOutTmp, 3, True
    objFSO.DeleteFile(sOutTmp) 'deletes the temp-file from disk
    Set objShell = Nothing
    Set objFSO = Nothing

    related articles:
    - listing all users and their email address. (using dsquery.exe or csvde.exe)
    - LDAP query - find all mailboxes that has 'forwarding to'
    - LDAP search strings samples
    - Search in :
    Last edited by Rems; 13th November 2007, 18:45. Reason: added "related articles"

    This posting is provided "AS IS" with no warranties, and confers no rights.


    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts
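
The attribute logic from the answer above (authOrig for "Only from", unauthOrig for "From everyone except", both empty for "From everyone"), as an added PowerShell example that is not part of the original thread. It reports all three states so that lists accepting mail from any sender can be reviewed alongside the restricted ones; the function name Get-DeliveryRestriction and the sample groups are constructed for illustration, and the commented live query assumes the ActiveDirectory module's Get-ADGroup.

```powershell
# Added example: classify a group's "Message restrictions" setting from the
# two attributes described in the post. Get-DeliveryRestriction is a
# hypothetical helper name, not an Exchange or AD cmdlet.
function Get-DeliveryRestriction {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group
    )
    process {
        # Both attributes are multi-valued lists of sender DNs; treat a
        # missing attribute and an empty one the same way.
        $allow = @($Group.authOrig   | Where-Object { $_ })
        $deny  = @($Group.unauthOrig | Where-Object { $_ })

        $mode = if ($allow.Count -gt 0) { 'Only from' }
                elseif ($deny.Count -gt 0) { 'From everyone except' }
                else { 'From everyone' }

        [pscustomobject]@{
            Group       = $Group.Name
            Restriction = $mode
            Senders     = @($allow + $deny) -join ' | '
        }
    }
}

# Constructed sample objects standing in for directory results, so the
# classification can be checked without a domain controller.
$sample = @(
    [pscustomobject]@{ Name = 'DL-Finance';  authOrig = @('CN=Alice Example,OU=Staff,DC=example,DC=com'); unauthOrig = @() }
    [pscustomobject]@{ Name = 'DL-AllStaff'; authOrig = @(); unauthOrig = @() }
    [pscustomobject]@{ Name = 'DL-Projects'; authOrig = @(); unauthOrig = @('CN=Bob Example,OU=Staff,DC=example,DC=com') }
)
$sample | Get-DeliveryRestriction | Sort-Object Restriction, Group | Format-Table -AutoSize

# Live query against the domain (needs the ActiveDirectory module from RSAT).
# mailNickname=* selects mail-enabled groups, as in the post.
# Get-ADGroup -LDAPFilter '(&(objectCategory=group)(mailNickname=*))' `
#         -Properties authOrig, unauthOrig |
#     Get-DeliveryRestriction |
#     Export-Csv .\GroupDeliveryRestrictions.csv -NoTypeInformation
```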


    • #3
      Re: Active Directory search for Groups who can receive emails "Only From"

      Thank you, you've helped me greatly!