Manually adjust query-based distribution list membership using LDAP

Query-based distribution groups provide a great means by which to automate the membership of groups in Active Directory. Here's one way that you can manually adjust query-based membership.

In a previous column, I outlined how Westminster College automated our Active Directory account creation process. One of the key components in that process is the query-based distribution group.
Unfortunately, our "out of the box" query-based distribution groups did not meet one critical need: including student life staff on the lists.
In order to help keep an ear to the ground, our student life staff watches the e-mail traffic that hits the various distribution lists. For example, it's useful for our residential life office to know when a particular resident assistant (RA) plans to hold a floor meeting.
Since RAs usually send these meeting notices to their building's query-based distribution group, if student life staff (in this case, the residential life office staff) are members of that list, it makes the tracking process that much simpler.
Because of the way we built our query-based distribution groups--each group's membership is based on information we populated into extended attribute fields in Active Directory--the main query cannot pull staff into all of the individual lists, since staff accounts do not carry a building value in that attribute.
Further, it's not possible to directly add members to a query-based distribution list using GUI tools, such as Active Directory Users and Computers. Membership is computed from the LDAP query alone: an account that the query does not return is not a member of the group.
The aforementioned LDAP query is the key. At Westminster, we manually created a distribution list named DL-Staff-Notice and added the members of the student life staff that needed to be included on all of the query-based groups. We then manually modified the LDAP query for each of the query-based distribution groups to include the secondary distribution group that we created.
So, to create a distribution group for our dorm named Scott Hall, our logic went something like this:
"Include all of the AD accounts for which extensionAttribute9 starts with 'Scott Hall' AND include the group named DL-Staff-Notice"
The LDAP query string looks like this (the filter is a single line; it is broken up here for readability):
(&(!cn=SystemMailbox{*})
  (|(&(objectCategory=user)(extensionAttribute9=Scott Hall*))
    (&(objectCategory=group)(cn=DL-Staff-Notice))))
The leading (!cn=SystemMailbox{*}) clause is the exclusion that Exchange puts in front of its query-based group filters. The second branch of the OR returns the DL-Staff-Notice group object itself; that group becomes a member of the query-based group, and its own members receive the mail when the list is expanded.
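The filter above is easy to get subtly wrong, and building it from a building name or group name that comes from outside the directory is an LDAP-injection risk if the value is not escaped. The script below is an added example, not code from the column or from Westminster College: it builds the same filter for an arbitrary building and staff group with RFC 4515 escaping, then evaluates it offline against a few constructed directory entries using a small filter parser (AND, OR, NOT, equality with "*" wildcards). Two deliberate differences from the page's string: the NOT is written in the RFC 4515 form (!(cn=...)) with its own parentheses so generic parsers accept it, and objectCategory is compared as a plain string, whereas real Active Directory stores it as a schema DN and resolves the short class name for you. The entry data, attribute values and the resolve_members helper are all assumptions made for the example.

```python
"""Build a query-based DG filter safely and check its membership offline.

Added example; not part of the original column.  The evaluator is a small
RFC 4515 subset (&, |, !, equality, '*' wildcards), matching values
case-insensitively the way AD string attributes do.
"""
import re


def ldap_escape(value: str) -> str:
    """Escape a value for embedding in an LDAP filter (RFC 4515).

    Without this, a building name such as 'Scott Hall*)(cn=*' would inject
    extra filter components and widen the match.
    """
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(building: str, staff_group: str) -> str:
    """Users whose extensionAttribute9 starts with the building name, plus
    the staff group object (Exchange expands the group on delivery)."""
    return (
        "(&(!(cn=SystemMailbox{*}))"
        "(|(&(objectCategory=user)(extensionAttribute9=%s*))"
        "(&(objectCategory=group)(cn=%s))))"
        % (ldap_escape(building), ldap_escape(staff_group))
    )


def _parse(s: str, i: int):
    """Parse one parenthesised filter component at s[i]; return (node, next_i)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", node), i + 1
    eq = s.index("=", i)
    attr, i, parts = s[i:eq].lower(), eq + 1, []
    while s[i] != ")":
        if s[i] == "\\":                      # \xx hex escape -> literal char
            parts.append(re.escape(chr(int(s[i + 1:i + 3], 16))))
            i += 3
        elif s[i] == "*":                     # unescaped '*' is a wildcard
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(s[i]))
            i += 1
    return ("=", attr, re.compile("^" + "".join(parts) + "$", re.I | re.S)), i + 1


def parse_filter(s: str):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry (attribute -> string value)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, rx = node
    value = {k.lower(): v for k, v in entry.items()}.get(attr)
    return value is not None and rx.match(value) is not None


# Constructed sample entries (assumed, not real directory data).
SAMPLE_ENTRIES = [
    {"cn": "Jane Doe", "objectCategory": "user", "extensionAttribute9": "Scott Hall 2nd Floor"},
    {"cn": "John Roe", "objectCategory": "user", "extensionAttribute9": "Hunter Hall 1st Floor"},
    {"cn": "DL-Staff-Notice", "objectCategory": "group"},
    {"cn": "DL-Helpdesk", "objectCategory": "group"},
    {"cn": "SystemMailbox{00000000-0000-0000-0000-000000000000}", "objectCategory": "user",
     "extensionAttribute9": "Scott Hall"},
]


def resolve_members(building: str, staff_group: str, entries=SAMPLE_ENTRIES):
    """Return the cn of every entry the query-based group would contain."""
    node = parse_filter(build_filter(building, staff_group))
    return sorted(e["cn"] for e in entries if matches(node, e))


if __name__ == "__main__":
    print(build_filter("Scott Hall", "DL-Staff-Notice"))
    print(resolve_members("Scott Hall", "DL-Staff-Notice"))
```

Running it shows the RA in Scott Hall and the DL-Staff-Notice group object as members, while the other hall, the unrelated group and the SystemMailbox entry are left out; feeding an injected building name such as "Scott Hall*)(cn=*" returns only the staff group, because the escaped "*" and parentheses are matched literally rather than reinterpreted as filter syntax.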
Writing an LDAP filter isn't the easiest task in the world, and it pays to test the filter against the directory with an LDAP search tool before relying on the resulting membership. Once you figure it out, though, it's possible to create much more granular and useful query-based distribution groups.