I am creating an All Dynamic Distribution Group in Office 365 Exchange Online. I am doing this with PowerShell. We will call this group AllTestGroup. Here is some information about the setup.
- Exchange Online
- On-Prem Active Directory
- Most mailboxes are associated with an on-prem AD user. (ADSync)
- A few mailboxes are cloud-only.
- There are no customattributes or extensionattributes found inside the AD users' accounts (inherited the issue). They do, however, have msDS-CloudExtensionAttribute0-20. When you set one, it does not appear on the Office 365 side. Plus, when you try to add one, we receive an Azure Active Directory and Exchange Online error: "Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration. DualWrite (Graph)"
Here is what the client needs/requires:
- A single group that contains all UserMailbox
- No MailContacts
- Exclude Anyone inside this AD group "CN=AllExclusion,OU=SG,DC=Example,DC=Local"
- Exclude Anyone in this O365 Distribution Group: AllPRN@Example.org
- No Additional Costs
Here is the filter I have created for this:
```powershell
(`
(RecipientType -eq 'UserMailbox') `
-and (-not(RecipientType -eq 'MailContact')) `
-and (-not(MemberOfGroup -eq 'CN=AllExclusion,OU=SG,DC=Example,DC=Local')) `
-and (-not(MemberOfGroup -eq 'AllPRN@Example.org')) `
-and (-not(Name -like 'SystemMailbox{*')) `
-and (-not(Name -like 'CAS_{*')) `
-and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) `
-and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) `
-and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) `
-and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')) `
-and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox')) `
-and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox')) `
-and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox')) `
-and (-not(RecipientTypeDetailsValue -eq 'GuestMailUser'))`
)
```
(Code split up using the ` mark to help readability.)

Here is the problem I am facing. When I run Get-DynamicDistributionGroupMember, I am still seeing the users inside the AllExclusion security group. I am also seeing members of AllPRN@example.org. For example, Ellan Smith is inside the AllExclusion security group. She shows up on the list. To make sure I am completely synced up, I ran Start-ADSyncSyncCycle -PolicyType Initial and Delta. I waited the 20 recommended minutes and tried again. Same results.
I feel like I am missing something small, but I don't know what that is.
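
An added diagnostic, not part of the original post: it prints the distinguished name Exchange Online holds for each exclusion group, checks whether that exact string appears in the group's stored filter, and lists excluded members the filter still matches. It assumes an active Connect-ExchangeOnline session; the variable names are illustrative.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
$ddgName    = 'AllTestGroup'                          # group name from the post
$exclusions = 'AllExclusion', 'AllPRN@Example.org'    # exclusion groups from the post

$ddg = Get-DynamicDistributionGroup -Identity $ddgName
"Stored filter:`n$($ddg.RecipientFilter)`n"

# Evaluate the stored filter now instead of relying on cached membership.
$matched = Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -ResultSize Unlimited
$matchedSmtp = @($matched | ForEach-Object { [string]$_.PrimarySmtpAddress })

foreach ($name in $exclusions) {
    # Does Exchange Online have a group object for this name at all?
    $group = Get-Group -Identity $name -ErrorAction SilentlyContinue
    if (-not $group) {
        "[$name] no group object found in Exchange Online"
        continue
    }

    # The DN as Exchange Online stores it, to compare with the string in the filter.
    $dn = [string]$group.DistinguishedName
    $inFilter = $ddg.RecipientFilter.IndexOf(
        $dn, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    "[$name] DN in Exchange Online: $dn"
    "[$name] that DN appears in the stored filter: $inFilter"

    # Members of the exclusion group that the filter still returns.
    # Get-DistributionGroupMember only works for mail-enabled groups.
    $excluded = Get-DistributionGroupMember -Identity $name `
        -ResultSize Unlimited -ErrorAction SilentlyContinue
    $leaks = @($excluded | Where-Object {
        $matchedSmtp -contains [string]$_.PrimarySmtpAddress
    })

    "[$name] excluded members still matched by the filter: $($leaks.Count)"
    $leaks | Select-Object DisplayName, PrimarySmtpAddress | Format-Table -AutoSize
}
```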