is there any way to create and configure dynamic groups via powershell script? I don't see any cmdlets in the management shell that address dynamic groups.
Want to comment on some of your thoughts above for the benefit of the community...
[LA] My last attempt seems to show the Quest tools are a bit buggy when managing the Exchange attributes as it corrupted the email configuration completely.
[JS] Is it buggy or does it just do exactly what you told it to do? :) i.e. no safety net
[LA] I'd previously found about a year or so ago that Quest does not always follow the exchange rules and can in fact create invalid configurations by adding duplicate SMTP addresses and I got them to build in new functionality to allow me to break the link between the mail attribute and the PrimarySMTP address in a similar way to ADU&C has no link.
[JS] Well, I mentioned to you the AR VA flag for following Exchange policy. Has this not always been there? This is supposed to force AR to observe the Exchange org's rules.
[LA] What I found was that if you set the mail attribute to a value the PrimarySMTP address is updated too...
[JS] Really? This is bad because ADUC doesn't work like that...and isn't supposed to. That may be one of the default AR policies at play...I agree, not a good design.
[LA] ...but they don't check if the email address you type in the mail attribute ( on the general tab ) is already in the directory.
[JS] Well, no. It makes sense though because 'mail' is not authoritative for the e-mail address. And indeed scary as it sounds, I have seen customers put other e-mail style values in here that have nothing to do with e-mail.
[LA] If you try to do the same on the email addresses tab then it won't let you add the duplicate proxyAddress. Strangely enough Exchange doesn't seem to like two objects in AD to have the same PrimarySMTP address :-)
[JS] And this is how I would expect it to work as the e-mail addresses tab is representing the Exchange side of things which is supposed to be authoritative for all things mail.
Want to comment on some of your thoughts above for the benefit of the community...
[LA] My last attempt seems to show the Quest tools are a bit buggy when managing the Exchange attributes as it corrupted the email configuration completely.
[JS] Is it buggy or does it just do exactly what you told it to do? :) i.e. no safety net
[LA] I'd previously found about a year or so ago that Quest does not always follow the exchange rules and can in fact create invalid configurations by adding duplicate SMTP addresses and I got them to build in new functionality to allow me to break the link between the mail attribute and the PrimarySMTP address in a similar way to ADU&C has no link.
[JS] Well, I mentioned to you the AR VA flag for following Exchange policy. Has this not always been there? This is supposed to force AR to observe the Exchange org's rules.
[LA] What I found was that if you set the mail attribute to a value the PrimarySMTP address is updated too...
[JS] Really? This is bad because ADUC doesn't work like that...and isn't supposed to. That may be one of the default AR policies at play...I agree, not a good design.
[LA] ...but they don't check if the email address you type in the mail attribute ( on the general tab ) is already in the directory.
[JS] Well, no. It makes sense though because 'mail' is not authoritative for the e-mail address. And indeed scary as it sounds, I have seen customers put other e-mail style values in here that have nothing to do with e-mail.
[LA] If you try to do the same on the email addresses tab then it won't let you add the duplicate proxyAddress. Strangely enough Exchange doesn't seem to like two objects in AD to have the same PrimarySMTP address :-)
[JS] And this is how I would expect it to work as the e-mail addresses tab is representing the Exchange side of things which is supposed to be authoritative for all things mail.
