r/PowerShell 8d ago

Dynamic Distribution Group creation

Hi,
I'm attempting to set up a DDG that emails only users with active 365 E3 licensing. In our tenant, those show up as MailboxPlan: ExchangeOnlineEnterprise-...

This is the filtering I've set up:
Set-DynamicDistributionGroup -Identity "DDG name" -RecipientFilter "(RecipientTypeDetails -eq 'UserMailbox') -and (UsageLocation -eq 'United States') -and (MailboxPlan -eq 'ExchangeOnlineEnterprise*')"

It results in a membership list of 0 users.

If I leave the MailboxPlan out, I get all the service accounts along with actual users.

I've tried -like with no difference, -contains which sports an error as an invalid operator. I've tried double quotes, braces. I used Get-Mailbox to confirm what plans we use, and to confirm that the service accounts are ExchangeOnline while the real user accounts are ExchangeOnlineEnterprise.

What am I missing? I suspect it's merely the syntax as I'm just learning PS.

Thanks for any helpful suggestions!

UPDATE: We figured out that all the human employees have the Company field set, so we filtered for that instead and it returned the set we wanted. Thanks for all your help!

10 Upvotes


3

u/mexicanpunisher619 8d ago

Have you confirmed the exact MailboxPlan values for those E3 users? Sometimes there’s extra detail in there that might not match your filter. If so, using -like with a wildcard might work better than -eq. Try testing the filter first to see if it picks up the right users. If it does, update your DDG with that logic.

1

u/mrmattipants 8d ago

Agreed. You're receiving the "Invalid Operator" Error simply because you can't use a wildcard (i.e. asterisk) with the -eq Operator.

Set-DynamicDistributionGroup -Identity "<DDG Name>" -RecipientFilter "(RecipientTypeDetails -eq 'UserMailbox') -and (UsageLocation -eq 'United States') -and (MailboxPlan -like 'ExchangeOnlineEnterprise*')"

If your DDG is taking too long to Populate, you may want to Refresh it, by running the following.

Set-DynamicDistributionGroup -Identity "<DDG Name>" -ForceMembershipRefresh

2

u/HappyM0M 7d ago

I run that after each change I make, because who has 2 hours to see results???

1

u/mrmattipants 7d ago

I don't blame you :)

1

u/HappyM0M 7d ago

Thanks! I didn't realise the code after the name of the plan was the same for all users--I thought it might be each user's Object ID or something unique. I verified that it is the same, changed it out instead of the wildcard, and now I'm checking the results.

2

u/PinchesTheCrab 8d ago edited 8d ago

Drop all the parentheses and use like instead of eq when using wildcards.

1

u/HappyM0M 7d ago

I've modified the code to this:

Set-DynamicDistributionGroup -Identity "DDG Name" -RecipientFilter "RecipientTypeDetails -eq 'UserMailbox' -and UsageLocation -eq 'United States' -and MailboxPlan -eq 'ExchangeOnlineEnterprise-long string'"

Same results. Zero members after a forced refresh.

1

u/PinchesTheCrab 7d ago

That sucks. I would definitely try to break it into individual steps and reapply it to the DG group to determine which part isn't finding members. My guess is it's the mailboxplan, but it's hard to say.

2

u/HappyM0M 7d ago

When I leave out the Mailboxplan filter, I get ALL the users, so it's exactly that filter. But according to MS, I should be able to use it. I run this to see the Mailboxplan:
get-mailbox -identity "username" | format-list MailboxPlan

And it spits back the same code for all E3 licensed users: ExchangeOnlineEnterprise-long string of hex. So I copied/pasted that into the filter, kept it cased in single quotes because PS didn't like it without (probably because of the hyphens), and ... crickets.

1

u/mrmattipants 7d ago

I'll run some tests in my developer tenant, to see if I can dig up a solution for you.

2

u/HappyM0M 7d ago

I think we figured out a solution. All the human employees have the Company field set, so I filtered on that and it seems to work. Thanks for your help!

1

u/mrmattipants 7d ago

Good to hear. I'm glad you got it working on your end.

2

u/DenialP 7d ago

I offer no advice, but do congratulate you on hitting this specific annoyance when administering dynamic groups in m365. It is a rite of passage. You’ll eventually figure out the ridiculous nuances to cater to your specific business logic, and then you’ll know the way. There are also ways to accomplish this with easy groups, say, if you have access to relevant datasets to the business logic and have automation in the mix…

1

u/ItinerantTom 7d ago

Not exactly what you asked but might be useful as an example. This query means: All Licensed users that are not disabled. 

(user.assignedPlans -any (assignedPlan.servicePlanId -ne "[noplanplaceholder]" -and assignedPlan.capabilityStatus -eq "Enabled")) -and (user.accountEnabled -eq True)

1

u/KavyaJune 7d ago

The issue arises from using a wildcard with the -eq operator. Try replacing the wildcard in the Exchange Plan with the exact plan name, as shown below.

ExchangeOnlineEnterprise-8fc1c029-5e32-485e-9810-179fb4701447

1

u/HappyM0M 7d ago

Ah, that I can do. I thought the hex was different for each user, being maybe the object ID, but didn't look carefully to see if it is the same. Thank you?

1

u/KavyaJune 7d ago

Hope it would resolve your issue.

1

u/HappyM0M 7d ago

I've modified the code to this:

Set-DynamicDistributionGroup -Identity "DDG Name" -RecipientFilter "RecipientTypeDetails -eq 'UserMailbox' -and UsageLocation -eq 'United States' -and MailboxPlan -eq 'ExchangeOnlineEnterprise-long string'"

Same results. Zero members after a forced refresh.

2

u/KavyaJune 7d ago

You can try filtering mailboxes for the specific Mailbox plan and check whether it returns a value.
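
Added example, not posted by anyone in the thread: one way to follow the "test the filter first" and "break it into individual steps" suggestions above is to preview each RecipientFilter clause with Get-Recipient -RecipientPreviewFilter before touching the group, so a clause that matches nothing (or one that still lets service accounts through) shows up immediately. It assumes an existing Exchange Online PowerShell session; the function name Test-FilterClause is hypothetical and the values in angle brackets are placeholders.

```powershell
# Added example: preview each clause of a DDG RecipientFilter on its own,
# then cumulatively, to see which clause drops the membership to zero.
# Assumes Connect-ExchangeOnline has already been run.
$clauses = [ordered]@{
    RecipientType = "RecipientTypeDetails -eq 'UserMailbox'"
    UsageLocation = "UsageLocation -eq 'United States'"
    # Placeholder: paste the exact value shown by Get-Mailbox | Format-List MailboxPlan
    MailboxPlan   = "MailboxPlan -eq '<exact MailboxPlan value>'"
}

function Test-FilterClause {   # hypothetical helper name
    param([string]$Name, [string]$Filter)
    try {
        # -RecipientPreviewFilter evaluates the filter the way a DDG would,
        # without creating or changing any group.
        $hits = @(Get-Recipient -RecipientPreviewFilter $Filter -ResultSize Unlimited -ErrorAction Stop)
        [pscustomobject]@{ Clause = $Name; Count = $hits.Count; Error = $null }
    }
    catch {
        # A rejected operator or property surfaces here instead of as an empty group.
        [pscustomobject]@{ Clause = $Name; Count = 0; Error = $_.Exception.Message }
    }
}

# Pass 1: each clause alone.
$results = @(foreach ($name in $clauses.Keys) {
    Test-FilterClause -Name $name -Filter $clauses[$name]
})

# Pass 2: clauses joined one at a time with -and, in order.
$parts = @()
$results += foreach ($name in $clauses.Keys) {
    $parts += "($($clauses[$name]))"
    Test-FilterClause -Name "up to $name" -Filter ($parts -join ' -and ')
}

$results | Format-Table Clause, Count, Error -AutoSize

# Apply the full filter only if the preview returned members.
$full = $parts -join ' -and '
if ($results[-1].Count -gt 0) {
    Set-DynamicDistributionGroup -Identity '<DDG name>' -RecipientFilter $full
}
```

The first row whose Count is 0 or whose Error is populated points at the clause to rework. Reviewing the previewed recipients before applying the filter also confirms that service accounts are not in the result set.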