Administering query-based distribution groups
Query-based distribution group is a type of distribution group introduced in Exchange Server. The difference from the usual distribution group is that members of a query-based group are not statically placed into it. Email is propagated among the members of the group, but only among those of them who is currently in the state to comply with the specified LDAP query of this distribution group.
You can create a query-based distribution group as follows: in the console tree, right-click the container where you want to add the group, select New | Query-based Distribution Group, and then follow the instructions in the wizard. The following figure shows the step of the wizard where you can set up a query.
Figure 17: Administering query-based distribution groups
On this page, you can choose between predefined filters and custom filter. If select Custom filter, click Customize to configure the filter. This displays the Custom Search window where you can specify your search criteria.
You can manage a query-based distribution group in much the same way as you do with regular distribution groups: right-click the group and then select a command on the shortcut menu.
Steps for creating a query-based distribution group
To create a query-based distribution group
- In the console tree, right-click the folder in which you want to add the group, and select New | Query-based Distribution Group.
- In Query-based Distribution Group name, type a name for the group, and then click Next.
- The box under Apply filter to recipients in and below displays the folder to search for recipients. Click Change to select the folder that contains the recipients you want the group to include.
The query returns only recipients in the selected folder and its sub-folders. To get the results that you want, you may have to select a parent folder or create multiple queries.
- Under Filter, do one of the following:
- Click Include in this query-based distribution group, and then click each item you want to include in the criteria for membership in the query-based distribution group. The following criteria are pre-defined:
- Users with Exchange mailbox
- Users with external e-mail addresses
- Groups that are mail-enabled
- Contacts with external e-mail addresses
- Public folders that are mail-enabled
- Click Customize filter and then click Customize to create your own criteria for the query.
- Click Next to see a summary of the query-based distribution group you are about to create.
- Click Finish to create the query-based distribution group. The new query-based distribution group is displayed in the details pane.
- Right-click the query-based distribution group you just created and click Properties.
- On the Preview tab, click Start to view the query results and verify that the correct recipients are included in the group.
- A query-based distribution group provides the same functionality as a standard distribution group, but instead of specifying static user memberships, a query-based distribution group allows you to use an LDAP query to dynamically build membership in the distribution group (for example “All full-time employees in my company”).
- When creating a query-based distribution group, it is a good practice to use the Preview option. If the LDAP filter string contains bad formatting or incorrect LDAP syntax, the query-based distribution group does not work as expected: When a user sends mail to such a group, the user receives a non-delivery report (NDR). The Preview tab helps prevent you from constructing an incorrect query. Use the Preview tab to verify the validity and expected results of the query.
- The Preview option is useful not only for query validation, but also to determine how long it takes a query to run. Based on this time, you can decide whether to divide the query into smaller queries for better performance.
Administering dynamic (rule-based) groups
Active Roles provides the capability to automatically keep group membership lists up to date, eliminating the need to add and remove members manually. To automate the maintenance of group membership lists, Active Roles employs the following features:
- Rule-based mechanism that automatically adds and removes objects to groups whenever object attributes change in Active Directory.
- Flexible membership criteria that enable both query-based and static population of groups.
In Active Roles, rules-based groups are referred to as dynamic groups. The groups that have no membership rules specified are referred to as basic groups. Any security or distribution group can be converted to dynamic group by adding membership rules.
You can create a dynamic group by managing a basic group as follows: right-click the group, click Convert to Dynamic Group, select a rule type, and then configure a rule. For details, see “Steps for Adding a Membership Rule to a Group” in the Active Roles Administration Guide.
When you convert a basic group to a dynamic group, the group loses all members that were added to the group when it was basic. This is because the membership list of a dynamic group is entirely under the control of membership rules.
Once membership rules are added to a group, the group only includes the objects that comply with the membership rules. Active Roles overrides any changes made directly to the membership list by any administrative tool.
|NOTE: In the Active Roles console, dynamic groups are marked with this icon: . Also, a special note on the General tab makes it possible to distinguish between dynamic groups and basic groups when using administrative tools other than Active Roles.|
For dynamic groups, the Properties dialog box includes the Membership Rules tab. The Members tab for a dynamic group cannot be used to manage the membership list. It is only used to display a list of group members.
You can return a dynamic group to basic state as follows: right-click the group and click Convert to Basic Group. Then, click Yes to confirm the conversion. This operation removes all membership rules from the group. The group membership list remains intact as of the time of the conversion.
For more information about dynamic groups, refer to the “Dynamic Groups” chapter in the Active Roles Administration Guide or Active Roles Help.
Using temporal group memberships
By using temporal group memberships, you can manage group memberships of objects such as user or computer accounts that need to be members of particular groups for only a certain time period. This feature of Active Roles gives you flexibility in deciding and tracking what objects need group memberships and for how long.
This section guides you through the tasks of managing temporal group memberships in the Active Roles console. If you are authorized to view and modify group membership lists, then you can add, view and remove temporal group members as well as view and modify temporal membership settings on group members.