Page 1 of 2

365 EWS Impersonation

Posted: Fri Jul 13, 2018 6:09 am
by Shelltastic
When trying to create code for EWS Impersonation, I am running into an issue with the -RecipientRestrictionFilter parameter.

Using the following code in my program;

$ScopeName = $textbox5.Text
$GroupDN = $textbox6.Text
New-ManagementScope -Name:$ScopeName -RecipientRestrictionFilter:{memberofgroup -eq $GroupDN}

This code executes successfully, however when I go check the management scope in 365 the RecipientFilter is not set, which is the $GroupDN variable above.

When I run the code manually from a shell, it works as expected. The following code is what I use for the manual method;

New-ManagementScope -Name "NameOfScope" -RecipientRestrictionFilter:{memberofgroup -eq "CN=TestGroup,OU=TestOU1,OU=US,OU=GIT,DC=domain,DC=com"}

It appears there is something about the $GroupDN variable it does not like. Any help is greatly appreciated.

Re: 365 EWS Impersonation

Posted: Fri Jul 13, 2018 6:22 am
by jvierra
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter "memberofgroup -eq $GroupDN"

Forget the colons and use quotes not {}. Only quotes will cause variable substitution.

Re: 365 EWS Impersonation

Posted: Fri Jul 13, 2018 6:38 am
by Shelltastic
Thanks for the response jvierra.

The syntax requires those characters, the command cannot be run without them. I did try your suggestion just so I could show you the error, I have attached a screenshot of the error for your reference.

Re: 365 EWS Impersonation

Posted: Fri Jul 13, 2018 6:45 am
by jvierra
Then it requires the following:

New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter "memberofgroup -eq '$GroupDN'"
or
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter {memberofgroup -eq '$GroupDN'}

MS implementation of filter clauses can be screwy at times.

Re: 365 EWS Impersonation

Posted: Fri Jul 13, 2018 7:15 am
by Shelltastic
Yea, they definitely are tricky at times. So the top option you mentioned above won't work because we need the brackets, however I tried the 2nd option, which yields something slightly different. It looks like it tried to read it, but only took part of it. I have attached a screen shot of the output.

The "RecipientRestrictionFilter" attribute should be set to the DN of the group as I posted in my above comments, looks like it only took a part of it for some reason. It's now setting it to 'DC=$groupdn'.

Re: 365 EWS Impersonation

Posted: Fri Jul 13, 2018 9:50 am
by jvierra
Your quotes cannot be like that. Think about it. You must use double quotes to expand the variable.
Read the following very carefully. https://blogs.technet.microsoft.com/eva ... entfilter/

Re: 365 EWS Impersonation

Posted: Fri Jul 13, 2018 10:57 am
by Shelltastic
I was using your suggestion from your previous post, think about how I am asking for help. So if you recommend something within reason, I am going to try it. Go back and look at your previous post where you literally typed the following line yourself;

New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter {memberofgroup -eq '$GroupDN'}

See how you used single quotes? That is why I tried it that way. I know the usage of double quotes, I was just being open to someone else's suggestion.

FYI, even when using double quotes it still yields the same result as I posted in my screen shot above. It only takes 'DC=$groupdn'.

Re: 365 EWS Impersonation

Posted: Fri Jul 13, 2018 11:56 am
by jvierra
The following is the required format:
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter "memberofgroup -eq '$GroupDN'"

Notice double quotes and NOT {}. Single quotes on the inside. Please read the link I posted above.

Re: 365 EWS Impersonation

Posted: Fri Jul 13, 2018 12:22 pm
by jvierra
I just ran your code with my modifications. It works as intended.

PS D:\scripts> $x='jsmith'
PS D:\scripts> New-ManagementScope -Name TestScope -RecipientRestrictionFilter "memberofgroup -eq '$x'"

Name ScopeRestrictionType Exclusive RecipientRoot RecipientFilter ServerFilter
---- -------------------- --------- ------------- --------------- ------------
TestScope RecipientScope False MemberOfGroup -eq 'DC=jsmith'

Re: 365 EWS Impersonation

Posted: Fri Jul 13, 2018 12:39 pm
by Shelltastic
If that is the output, then it is not working correctly. Sure the command is executing successfully, but that is not a correct recipient filter. I am not sure your experience with EWS Impersonation, but the output of the "RecipientFilter" command should not just be "DC=$groupdn", it should reflect the group distinguished name, as I have entered it above, something like this;

CN=Object1,OU=EmailList,OU=US,OU=GIT,DC=domain,DC=com

Not just DC=$groupdn. It is only taking that part of the code for some reason.

If I were to run the command manually, from a powershell console, then go back and run the Get-ManagementScope command, it would reflect the entire group DN, or else the membership will not work.

I have attached a screen shot of a working setup for your reference. That is what it needs to look like for a working scenario. Notice how the RecipientFilter attribute is reflecting correctly.