Published: 19.Mar 2020
Categories:

How to filter out disabled user accounts in DDL recipient filter

I did create a few Dynamic Distribution Lists (DDLs) for a customer today. His request was to filter out disabled accounts.

If you google it, you will find something like this everywhere:

-not(userAccountControl -eq 'AccountDisabled, NormalAccount')
Code language: JavaScript (javascript)

For some reason this was not working for me, even if I tried a few variations of this "switch".

So I took a look on Microsoft documentation about DDLs (I was looking for -RecipientFilter option).

It's explained what it is on a Microsoft website, but in this case the important part is:

Property is a filterable property. For filterable properties, see Filterable properties for the RecipientFilter parameter.

So, on that "Filterable properties.." website I searched for: UserAccountControl,
where the value of this property is:

For valid values, see the Remarks section in User-Account-Control attribute. You need to convert the hexadecimal values to decimal. Most of the text values won't work as described (even if you remove ADS_UF and all underscores).

So, in order to get this working, I need to use a decimal value of UserAccountControl attribute from AD ... right ? Right !

You can check the value in AD in Attributes of AD object (on some user account).

Active Directory - User Access Control attributes

Possible values are:

Property FlagHex valueDecimal value
NORMAL_ACCOUNT0x0200512
Disabled Account0x0202514
Enabled, Password Not Required0x0220544
Disabled, Password Not Required0x0222546
Enabled, Password Doesn’t Expire0x1020066048
Disabled, Password Doesn’t Expire0x1020266050
Disabled, Password Doesn’t Expire & Not Required0x1022266082

All possible values for UserAccountControl:

Property FlagHex valueDecimal value
SCRIPT0x00011
ACCOUNTDISABLE0x00022
HOMEDIR_REQUIRED0x00088
LOCKOUT0x001016
PASSWD_NOTREQD0x002032
PASSWD_CANT_CHANGE0x004064
ENCRYPTED_TEXT_PWD_ALLOWED0x0080128
TEMP_DUPLICATE_ACCOUNT0x0100256
NORMAL_ACCOUNT0x0200512
Disabled Account0x0202514
Enabled, Password Not Required0x0220544
Disabled, Password Not Required0x0222546
INTERDOMAIN_TRUST_ACCOUNT0x08002048
WORKSTATION_TRUST_ACCOUNT0x10004096
SERVER_TRUST_ACCOUNT0x20008192
DONT_EXPIRE_PASSWORD0x1000065536
Enabled, Password Doesn’t Expire0x1020066048
Disabled, Password Doesn’t Expire0x1020266050
Disabled, Password Doesn’t Expire & Not Required0x1022266082
MNS_LOGON_ACCOUNT0x20000131072
SMARTCARD_REQUIRED0x40000262144
Enabled, Smartcard Required0x40200262656
Disabled, Smartcard Required0x40202262658
Disabled, Smartcard Required, Password Not Required0x40222262690
Disabled, Smartcard Required, Password Doesn’t Expire0x50202328194
Disabled, Smartcard Required, Password Doesn’t Expire & Not Required0x50222328226
TRUSTED_FOR_DELEGATION0x80000524288
Domain controller0x82000532480
NOT_DELEGATED0x1000001048576
USE_DES_KEY_ONLY0x2000002097152
DONT_REQ_PREAUTH0x4000004194304
PASSWORD_EXPIRED0x8000008388608
TRUSTED_TO_AUTH_FOR_DELEGATION0x100000016777216
PARTIAL_SECRETS_ACCOUNT0x0400000067108864

Property flag descriptions

  • SCRIPT – The logon script will be run.
  • ACCOUNTDISABLE – The user account is disabled.
  • HOMEDIR_REQUIRED – The home folder is required.
  • PASSWD_NOTREQD – No password is required.
  • PASSWD_CANT_CHANGE – The user cannot change the password. This is a permission on the user’s object. For information about how to programmatically set this permission, visit the following Web site:http://msdn2.microsoft.com/en-us/library/aa746398.aspx
  • ENCRYPTED_TEXT_PASSWORD_ALLOWED – The user can send an encrypted password.
  • TEMP_DUPLICATE_ACCOUNT – This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
  • NORMAL_ACCOUNT – This is a default account type that represents a typical user.
  • INTERDOMAIN_TRUST_ACCOUNT – This is a permit to trust an account for a system domain that trusts other domains.
  • WORKSTATION_TRUST_ACCOUNT – This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
  • SERVER_TRUST_ACCOUNT – This is a computer account for a domain controller that is a member of this domain.
  • DONT_EXPIRE_PASSWD – Represents the password, which should never expire on the account.
  • MNS_LOGON_ACCOUNT – This is an MNS logon account.
  • SMARTCARD_REQUIRED – When this flag is set, it forces the user to log on by using a smart card.
  • TRUSTED_FOR_DELEGATION – When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
  • NOT_DELEGATED – When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
  • USE_DES_KEY_ONLY – (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
  • DONT_REQUIRE_PREAUTH – (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on.
  • PASSWORD_EXPIRED – (Windows 2000/Windows Server 2003) The user’s password has expired.
  • TRUSTED_TO_AUTH_FOR_DELEGATION – (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client’s identity and authenticate as that user to other remote servers on the network.
  • PARTIAL_SECRETS_ACCOUNT – (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server.

So as we have that information, the final "switch" will looks like this:

(UserAccountControl -eq '512') -or (UserAccountControl -eq '544') -or (UserAccountControl -eq '66048')
Code language: JavaScript (javascript)
Microsoft Exchange Shell - Set-DynamicDistributionList

And whole basic cmdlet:

Set-DynamicDistributionGroup -identity "<Group Name>" -RecipientFilter {((Company -eq 'NAME') -and (RecipientType -eq 'UserMailbox') -and ((UserAccountControl -eq '512') -or (UserAccountControl -eq '544') -or (UserAccountControl -eq '66048')))}

Note:
I include only enabled account in this "switch". I do not exclude disabled accounts with " -not " switch, that's because I tried that and it wasn't working for me.

4.7 3 votes
Article Rating
Subscribe
Notify of
guest
1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
J B
J B
2 hours ago

Thank you so much!

PowerAddict.net - Lubomir Goban  ---  Find me on - 
LinkedIn
1
0
Would love your thoughts, please comment.x
()
x