I found this out through a few hours of testing, the %USERNAME% variable is not available in LDAP queries. Now if you test out the setting you put in place, whether it is a registry key or file, will not be made. This will ensure the %USERNAME% variable used is actually that of the logged on user. Now that the LDAP targeting object is set, be sure to set the GPP option “Run in logged-in user’s security context” to “Enabled”. The binding value is autmatically set to the default LDAP: and the Attribute value can be left blank. The Username addition limits the query to the currently logged on user. Ensuring the username value is part of the query is important, otherwise, the query will return all mailboxes on 2010 and will always have a result. I also put in the %USERNAME% so that the query will return a value IF the mailbox is on 2010 and the current username returns as a value. Notice the filter will apply only if the LDAP query “returns a value”. Below is a screen shot of the first settings that I implemented into the filter. Now let’s edit our GPP targeting settings. Afterwards save and close the query.Īfterwards you should be able to Refresh (“F5”) the newly created Search Query and see if you have any user accounts in the right hand screen.
If you edit the Search Query you can paste in the modified Query in the Advanced window. This will look for user account, with Exchange 2010 mailboxes, and the SAM account with my username. (&(objectCategory=user)(objectClass=user)(msExchVersion=44220983382016)(sAMAccountName=DMaloney*)) Now let’s modify the query with the values we want to use. (&(objectCategory=user)(objectClass=user)(distinguishedName=TEMP)(userPrincipalName=TEMPUSER*)) The filter is limited to User objects with the distinguishedName ‘TEMP’ and the userPrincipalName ‘TEMPUSER*’ Looking at this LDAP filter, we can see what is happening. Copy out the query and paste it into Notepad. This is the filter we will use, with slight modification, in the GPP targeting configuration. Now you should have a query displayed in the “New Search” window. I also filled in temporary “VALUES” that I replaced later. Either way works, you’ll have to decide what is best for your environment. Eventually, I switched to the sAMAccountName value. I also select LogonName, for the time being to be added to the query as well, to limit the query to certain usernames. For the time being I selected DistinguishedName. Unfortunately the MsExchVersion is not displayed so we will have to select another value and manually change the query down the road. Now we can pick from most of the attributes the Active Directory Users and Computers snap-in is aware of. Select the Fields dropdown and then select User options. Now we need to select some fields for our query. Click the Find drop down menu and select Custom Search. This will give us a clean LDAP filter to use. In the New Query window, type in the name and description and then click on the Define Query button.
Open Active Directory Users and Computers and Right Click on the “Saved Queries” node, Select New, and Select Query as shown below. I found some handy posts about using “Search Folders” in the Active Directory Users & Computer Snap-in to build a query.
Below are the steps I followed:īuilding the LDAP query wasn’t as bad as I thought it would be. Building a valid LDAP query and getting it to work with GPP was difficult because I am not an LDAP guru. Using an LDAP query I should be able to target specific group policy settings only to users with mailboxes on Exchange 2010. The value of an Exchange 2010 mailbox is “44220983382016” which correlates to “0.10 (14.0.100.0)” as the ExchangeVersion value from the “get-mailbox USERNAME | Select Name,ExchangeVersion” Exchange powershell command. Microsoft increments this value with every version of Exchange. It turns out the easiest way to determine if a user is on Exchange 2010, without using powershell, is by an LDAP query against the “msExchVersion” attribute on the user object in Active Directory. Group Policy Preferences (“GPP”) targeting does not support powershell queries so I had to come up with another method of selecting only users with mailboxes on 2010 using the tools available in GPP targeting. Hopefully the techniques I used will be helpful to others looking to do the same.Ī client needed to apply Current User registry keys only to users with mailboxes running on Exchange 2010 as part of their Exchange 2003 to Exchange 2010 migration. Microsoft’s own documentation on the topic is rather lacking, you can find it here. A lack of information on the web about actually implementing LDAP filters led to this post. I recently had to assist a client with GPO development for applying various registry keys using LDAP filters for Group Policy Preferences targeting.
0 kommentar(er)
