Exchange 2010 – AcceptMessagesOnlyFromSendersOrMembers and multivalued property syntax

I would like to show you one experience with multivalued property syntax.

My colleague was not able to modify the Message Delivery Restriction, concretely the Accept Messages From of a MailUniversalSecurityGroup. He added an user, applied settings and faced error below:

11-06-2013 16-26-03









Microsoft Exchange Error
The following error(s) occurred while saving changes:

Couldn't find object "<identity>". Please make sure that it was spelled correctly or specify a different object.

It is known issue which could occur for more mailbox attributes declaring security boundaries regarding users or groups. Basically it means that we cannot extend the Access Control till it contains an invalid object (e.g. mail-disabled group). In our case the invalid object is <identity> from the error above and its removing is necessary. The invalid object is not visible via Exchange Management Console and we has to use Exchange Management Shell. The invalid object is gathered in AcceptMessagesOnlyFrom or AcceptMessagesOnlyFromDLMembers multivalued attributes or certainly in AcceptMessagesOnlyFromSendersOrMembers (because it contains all values from both previous attributes) – more Set-DistributionGroup.

I wanted to remove the invalid object by action @{Remove=”<value1>”, “<value2>”} (remove one or more values from a multivalued property) – more Modifying Multivalued Properties. But as can be seen below the action was not supported for AcceptMessagesOnlyFromSendersOrMembers attribute (possible bug) and it removed all existing values (hopefully only one) without warning (tested Exchange 2010 SP2, SP3)! The modification of multivalued attributes AcceptMessagesOnlyFrom and AcceptMessagesOnlyFromDLMembers seemed to work properly. So be careful to use the multivalued property syntax every time.

11-06-2013 20-28-12I had a few affected MailUniversalSecurityGroups and I wanted to change = remove invalid objects Obj1-2 from AcceptMessagesOnlyFromSendersOrMembers attribute anyway so here is my procedure.

$groups = Get-Distribution MojeSkupiny*
foreach ($group in $groups){ 
 $ValidObjects = $Group | %{$_.AcceptMessagesOnlyFromSendersOrMembers}|?{$ -notlike "*Obj1*" -and $ -notlike "*Obj2*"}
 $Group | Set-DistributionGroup -AcceptMessagesOnlyFromSendersOrMembers $ValidObjects

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s