Not too long ago, I got a support ticket to exclude a user account from a Dynamic Distribution Group. I thought it would be a very straightforward task, but I was wrong. Edit the "Rule syntax". To only include users of type Member, enter the following query: (user.objectId -ne null) and (user.userType -eq "Member") This rule adds any user with a proxy address that contains "contoso" to the group. Go to Groups. You can also perform null checks, using null as a value, for example. Now, before we configure this new feature, let's grab 3 different groups which we want to include in the memberOf statement in this example. It requires an Azure AD P1 license for each unique user who is a member of one or more dynamic groups. I suspected that may be the case when I spotted Work done till now: The DDG was initially created using the Exchange Management Shell. Hello, please help. This brings in a serious advantage for cloud features which don't support the use of nested groups (which I would never encourage you to use anyway). I quickly remembered that one of my friends once asked for my assistance on a related ticket while we were working as Support Engineers for Microsoft 365. I did some googling and found a few guides and documentation; most of the guides I saw were not explanatory enough, and it seems they are all some sort of copy-paste. @Danylo Novohatskyi: You can edit/update the attribute of the user from the source directory. The following status messages can be shown for Last membership change status: If an error occurs while processing the membership rule for a specific group, an alert is shown at the top of the Overview page for the group.
Sorry for the simple question, but how would I exclude a user called "test"? Where would I put that filter? Cow and Chicken within the All Dutch Users group. The rule builder doesn't change the supported syntax, validation, or processing of dynamic group rules in any way. What you'll want to do is find an attribute that either the user accounts have and the service accounts don't, or an attribute the service accounts have but the user accounts don't. Then you base your filter on this. In case anyone else comes across this thread: I had in my DDGExclude group a list of a couple of users I wanted excluded, as well as a group containing people I wanted excluded, that I hoped not to have to add individually. This is an overall count though; the P1 license doesn't have to be assigned to the people you want to be included in dynamic groups, but the total member count of . David evaluates to true, Da evaluates to false. Azure AD - Group membership - Dynamic - Exclusion rule Hi all, I am trying to list devices in a group that have PC as management type and except a list of device names: (device.managementType -eq "PC") -and (device.displayName -notin ["DeviceA","DeviceF"]) When devices are added or removed from the organization in the future, the group's membership is adjusted automatically. You can create attribute-based rules to enable dynamic membership for a group in Azure Active Directory (Azure AD), part of Microsoft Entra. You can use the -any and -all operators to apply a condition to one or all of the items in the collection, respectively. Is there a way I can do that? Please help. Another question I usually get is how to remove or exclude a device from an Azure Active Directory Dynamic Device Group. The following table lists all the supported operators and their syntax for a single expression. Select All groups, and select New group.
You can only include one group for system-preferred MFA, which can be a dynamic or nested group. You can ignore anything after the "-and (-not(Name -like 'SystemMailbox{*'))" part; this will be added automatically. In this case, you would add the word "Exclude" to all the mailboxes you want to. A membership rule that automatically populates a group with users or devices is a binary expression that results in a true or false outcome. Just one other question: we have a Mail Contact we want to add; do you know the command for adding that in? You can see the dynamic rule processing status and the last membership change date on the Overview page for the group. Is it done in PowerShell? The following are examples of properly constructed membership rules with multiple expressions: All operators are listed below in order of precedence from highest to lowest. -notContains with a list of values ["",""] does not work: "cannot apply to operator '-notContains'". Single quotes should be escaped by using two single quotes instead of one each time. I think there should be a way to accomplish the first criterion, but I am a bit unsure about the second. If a user or device satisfies a rule on a group, they're added as a member of that group.
With the above in mind, all you need is a simple: -or (PrimarySmtpAddress -eq "mail@external.com") @Pn1995 This PowerShell did not work for me: C:\Windows\system32> Get-DynamicDistributionGroup | fl Freedom,RecipientFilter RecipientFilter : ((((RecipientType -eq 'UserMailbox') -or (RecipientType -eq 'MailUser'))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'GuestMailUser'))) I inputted the user I want to exclude and it gave an error; is this intended? you cannot create a rule which states memberOf group A can't be in Dynamic group B). In Azure AD's navigation menu, click on Groups. I am trying to list devices in a group that have PC as management type and except a list of device names: Can I exclude a group of devices also or instead? The -not operator can't be used as a comparative operator for null. Nov 22nd, 2016 at 9:32 AM. The rule builder supports the construction of up to five expressions. Requirement: Exclude external/guest users from the dynamic distribution list, as we don't want external users to receive confidential/internal emails. The last step in the flow is to add the user to the group. As you can see, Salem, Pradeep and Jessica have been excluded from the DDG. I'm excited to be here, and hope to be able to contribute. A security group is a Group Type within AAD, while a Dynamic User is a Membership Type (see screenshot below).
Yes, in PowerShell, via the Set-DynamicDistributionGroup cmdlet. Scroll down a little bit and create a group. Get the filter first: Get-DynamicDistributionGroup | fl Name,RecipientFilter. That didn't work, and I had to add the users individually to the DDGExclude group after all for them to be excluded. On the profile page for the group, select Dynamic membership rules. Search for and select Groups. Please advise. On-premises security identifier (SID) for users who were synchronized from on-premises to the cloud. The formatting can be validated with the Get-MgDevice PowerShell cmdlet: The following device attributes can be used. When a string value contains double quotes, both quotes should be escaped using the ` character; for example, user.department -eq `"Sales`" is the proper syntax when "Sales" is the value. You could then apply a set of policies to the group. Choose a membership type for users or devices, then select Add dynamic query. With this new functionality any group type is supported (Security & Microsoft 365); there are, however, currently a few limitations: Now that we know the limitations, let's check how this feature works! For example, can I make a rule that says 'Include all users but NOT members of examplegroupname'?
In the group, the filter now shows as ((((RecipientType -eq 'UserMailbox') -and (-not(MemberOfGroup -eq 'DC=DDGExclude')))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox'))). The outcome of all of this being that the email still goes to everyone with a mailbox. Any help as to what I have done wrong here is greatly appreciated. This is especially helpful when it comes to features which don't support the use of nested groups. So currently, our dynamic membership rules look like this for each of the groups that corresponds with each of the values that could exist in ExtensionAttribute3: Is there some kind of rule or way to exclude membership based on the user having membership in another group? However, this can be achieved by adding some conditions to the advanced membership rule query in AAD dynamic groups. If you want to add these members as well, include these nested groups in your memberOf statement as well. Group owners without the correct roles do not have the rights needed to edit this setting. You can use rules to determine group membership based on user or device properties in Azure Active Directory (Azure AD), part of Microsoft Entra. You won't be able to exclude based on security group membership. Logical operators can also be used in combination. Adding Exclusions to a Dynamic Distribution Group in Office 365 and Exchange (June 19, 2015, stevenwatsonuk): It does not currently seem possible to add exclusions via the Office 365 portal; however, it is straightforward to do via PowerShell.
This string is set by Intune in specific cases but is not recognized by Azure AD, so no devices are added to groups based on this attribute. You can't have both users and devices as group members. How do I edit an attribute and how do I add a value to an organization user? Extension attributes and custom extension properties must be from applications in your tenant. The_Exchange_Team: As far as Azure AD is concerned, those are simply "user" objects and there's nothing that distinguishes them from a regular Joe. Sign in to the Azure AD admin center with an account that is in the Global administrator, Intune administrator, or User administrator role in the Azure AD organization. The total length of the body of your membership rule can't exceed 3072 characters. Change Membership type to Dynamic User. To start, log in to Azure as a Global Admin. How about if you need to exclude more than 6 devices? Examples: Da, Dav, David evaluate to true, aDa evaluates to false. Can you do the reverse of this? Can you make sure the single quotes aren't copied over with incorrect grammar? Copying and pasting could make it ugly. Click Add. Users who are added then also receive the welcome notification. In the Rule Syntax editor, please fill in the following 'Rule Syntax': Exchange Online; On-Prem Active Directory; Most mailboxes are associated with an on-prem AD user. For details on permissions, see Set permissions for managing members and content. memberOf when Country equals Netherlands).
Here are some examples of advanced rules or syntax for which we recommend that you construct using the text box: The rule builder might not be able to display some rules constructed in the text box. They can be used to create membership rules using the -any and -all logical operators. AAD dynamic membership advanced rules are based on binary expressions. Thanks Pim, it must have been that, because I tried again earlier in the week and it worked fine! Operators on the same line are of equal precedence: The following example illustrates operator precedence where two expressions are being evaluated for the user: Parentheses are needed only when precedence doesn't meet your requirements. The correct way to reference the null value is as follows: A group membership rule can consist of more than one single expression connected by the -and, -or, and -not logical operators. You can create a group containing all users within an organization using a membership rule. Select All groups and choose New group. Creating the new Azure AD Dynamic Group with memberOf statement. The rule builder supports up to five expressions. includeTarget: featureTarget: A single entity that is included in this feature. In the text you have a wrong GUID in the All UK Users group that doesn't match the screenshots. I am doing this with PowerShell. NOTE: As mentioned earlier, only direct members of the included groups are included, so members of nested groups aren't added. Users and devices are added or removed if they meet the conditions for a group. The group I want excluded is called DDGExclude, and I applied the following filter.
That will be a bit more complicated, as you already have a clause in there that only includes User mailboxes. This rule can't be combined with any other membership rules. I would like to exclude Jessica and Pradeep from this Dynamic Distribution Group, using Set-DynamicDistributionGroup. Read it carefully to understand how to fix the rule. If you want to compare the value of a user attribute against multiple values, you can use the -in or -notIn operators. I promise they will be worth waiting for! Here, the three IDs mentioned are the ObjectIDs of the groups which you want to include as members in this dynamic security group. Azure AD Dynamic Groups are populated with users or devices based on specific criteria defined in attribute-based rules. You can see these groups in the EAC or EMS. I had to remove the machine from the domain before doing that. For examples of syntax, supported properties, operators, and values for a membership rule, see Dynamic membership rules for groups in Azure Active Directory. If you want to change the conditions of a DDG, there are no "Exclude" buttons. You can use any other attribute accordingly. We have a dynamic distribution list set up on Office 365 that includes everyone with Exchange mailboxes. We want to EXCLUDE a couple of people from this list. Thanks a lot for your help, Yop. We probably shouldn't expect these functionalities to support the use of nested groups, as the memberOf functionality in dynamic groups solves this issue for you. Once finished, hit 'Add dynamic query'. Hi, you might see a message when the rule builder is not able to display the rule.
Then either create a new team from this group (after giving Azure AD time to update). Sorry for my late reply, and thank you for your message. For that, I will use three groups. Each group contains one member in my example, which is: 1. and not exclude. Create a new group by entering a name and description on the Group page. There are three types of properties that can be used to construct a membership rule. There are two ways to do this using the Exchange Online PowerShell modules. In Microsoft Intune, create a dynamic device group called WhiteGlove Computers with a query for a WhiteGlove Group Tag. Or add a new custom attribute to the user's card. On the Group page, enter a name and description for the new group. Here is some information about the setup. You can also create a rule that selects device objects for membership in a group. This rule adds B2B guest users and member users to the group. Groups in Azure AD, but I cannot see my Dynamic All_Staff Dist. Hey guys, I have all of my O365 licenses allocated via ExtensionAttribute3 that is synced from Active Directory to Azure AD. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal, https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping, https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions, https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized.
Hey mate, not sure what the goal is here, but there are some limitations: Exclude members of specific group from dynamic group. However, just like other groups, Groups admins always have all permissions to manage dynamic groups and change membership queries. Examples for Office 365 are shown below. Nothing in the RLS documentation mentions a restriction in terms of Membership Type, so AAD Security Groups with Dynamic Users should work for RLS. Doesn't mean it's not possible; you simply need to add another group, but be careful not to interfere with the existing filter. As you can see above, Salem has been excluded, hence we have an existing rule, and now we want to exclude Pradeep and Jessica. Exclude a Device from Azure AD Dynamic Device Group: It's impossible to remove a single device directly from the AAD Dynamic device group. Get the filter first: Get-DynamicDistributionGroup | fl Name,RecipientFilter Then append the additional inclusion/exclusion criteria as needed. You can ignore anything after the "-and (-not (Name -like 'SystemMailbox {*'))" part; this will be added automatically. Here's an example of a rule that uses an extension attribute as a property: Custom extension properties can be synced from on-premises Windows Server Active Directory, from a connected SaaS application, or created using Microsoft Graph, and are of the format user.extension_[GUID]_[Attribute], where: An example of a rule that uses a custom extension property is: Custom extension properties are also called directory or Azure AD extension properties.
Set-DynamicDistributionGroup -Identity all_staff -RecipientFilter { ( (RecipientType -eq 'UserMailbox') -and -not (MemberOfGroup -eq 'DDGExclude'))} In the group, the filter now shows as . I don't know the result and whether this will work effectively when we deploy a configuration policy via Intune to this AAD device group. On Intune the device ownership is represented instead as Corporate. Seems to break at that point. Spot on; got my DN, entered that in my rule, and it looks like we have a winner. This feature requires an Azure AD Premium P1 license or Intune for Education for each unique user that is a member of one or more dynamic groups. Azure AD provides a rule builder to create and update your important rules more quickly. It works; I'm just not able to find any documentation on this. My advice for you would be to use this functionality for these circumstances, and once Microsoft has reduced the maximum update window for Dynamic Groups to a lower amount than 2.5 hours, I would even advise you to get rid of your nested groups and instead use the memberOf functionality in Azure AD Dynamic groups. There doesn't seem to be an option in the GUI; do we need to run some kind of PowerShell? When using extensionAttribute1-15 to create Dynamic Groups for devices, you need to set the value for extensionAttribute1-15 on the device. The "If Yes" section can stay empty. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized. I've got a dynamic group to auto-add new devices to a profile, which works. Let's say I want to exclude my second user; bear in mind I have an existing rule now. Do you still remember the name? If the rule builder doesn't support the rule you want to create, you can use the text box. user.memberof -any (group.objectId -notin [my-group-object-id]).
A rule with a single expression looks similar to this example: Property Operator Value, where the syntax for the property is the name of object.property. When trying to create an exclusion rule (i.e., leave out explicit members of a specific security group), I get the following syntax error: Dynamic membership rule validation error: Wrong property applied. Combine the two rules at once. To remove all filters and set the filter to UserMailbox (users with Exchange mailboxes), use the command below. If you have queries or need clarification, please use the comment section or ping me at olusola@exabyte.com.ng. Office 365 Engineer / MCT / IT Enthusiast / Android Developer.
Get-Recipient -Filter (Get-DynamicDistributionGroup exec).RecipientFilter
Set-DynamicDistributionGroup -Identity exec -RecipientFilter "((RecipientType -eq 'UserMailbox') -and (Alias -ne 'Jessica'))"
((((RecipientType -eq 'UserMailbox') -and (Alias -ne 'Jessica'))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox')))
PS C:\WINDOWS\system32> Get-DynamicDistributionGroup -Identity exec | fl Name,RecipientFilter
Set-DynamicDistributionGroup -Identity exec -RecipientFilter (RecipientType -eq UserMailbox) -and (Alias -ne ,
PS C:\WINDOWS\system32> Set-DynamicDistributionGroup -Identity exec -RecipientFilter "(RecipientType -eq 'UserMailbox') -and (Alias -ne 'Pradeep')"
PS C:\WINDOWS\system32> Get-Recipient -Filter (Get-DynamicDistributionGroup exec).RecipientFilter
PS C:\WINDOWS\system32> Set-DynamicDistributionGroup -Identity exec -RecipientFilter "(RecipientType -eq 'UserMailbox') -and (Alias -ne 'Salem')"
((((RecipientType -eq 'UserMailbox') -and (Alias -ne 'Salem'))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox')))
((((RecipientType -eq 'UserMailbox') -and (Alias -ne 'Salem'), Then the complete cmdlet is as follows; take note of the bolded text:
PS C:\WINDOWS\system32> Set-DynamicDistributionGroup -Identity exec -RecipientFilter "((((RecipientType -eq 'UserMailbox') -and (Alias -ne 'Salem') -and (Alias -ne 'Jessica') -and (Alias -ne 'Pradeep'))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox')))"
Set-DynamicDistributionGroup -Identity exec -RecipientFilter "((RecipientType -eq 'UserMailbox'). You need to exclude certain objects explicitly in the include rule, but as for devices, the documented memberOf attribute does not work in the syntax. As described in the limitations (last bullet), this is unfortunately not possible today. Dynamic membership is supported for security groups and Microsoft 365 Groups. Now verify the group has been created successfully.
[GUID] is the stripped version of the unique identifier in Azure AD for the application that created the property. You can edit the dynamic membership rules of the group "All users" to exclude Guest users. As an example, you will be able to create Dynamic-Group-A with the members of Security-Group-X and Security-Group-Y. Next, pick the right values from the dynamic content panel. Every user is given something for ExtensionAttribute3 as the result of onboarding software I have nothing to do with. How to use Exclude and Include Azure AD Groups - Intune Include Excluded Azure AD Group (Anoop C Nair, #SCCM #Intune). 1. I realized I messed up when I went to rejoin the domain. @Vasil Michev thanks, I'm new to PowerShell so I apologize for this, but I haven't seemed to be able to get this to. I also cannot see the dynamic distribution group in my lab. You can filter using custom attributes. Would like to create a dynamic group in Azure AD that has the following criteria: Only include individual user accounts (no service accounts) who are actually employees of our company.
Quick breakdown: we have Set-DynamicDistributionGroup -Identity exec, nothing special here; we are using Set-DynamicDistributionGroup to modify the properties of a Dynamic Distribution Group, and the group identity is exec. -RecipientFilter is a custom filter to specify the conditions. The first condition, (RecipientType -eq 'UserMailbox'), specifies that the recipient type equals UserMailbox, with an -and operator connecting both expressions; (Alias -ne 'Jessica') means Alias not equal to Jessica. You can also use DisplayName, as in (DisplayName -ne 'Jessica Cage'). When the Dynamic Distribution Group (DDG) is viewed from the GUI, we have: Here is the trick: all DDGs have a filter rule; to get the rule via PowerShell, use Get-DynamicDistributionGroup -Identity exec | fl Name,RecipientFilter. If you are patient enough to compare what I got from the PowerShell cmdlet and what I copied from the GUI, it is exactly the same. When the manager's direct reports change in the future, the group's membership is adjusted automatically. Is there a way to exclude users from a group (Group A) from a dynamic Group (Group B)? - Would you/anyone be able to advise of the correct PowerShell query to find out the OU of this group? If so, what is the actual command? I believe this is right; I've copied the ObjectID from the sub-group and pasted it in as required, enclosed by square brackets and single quotes. The "All users" rule is constructed using a single expression with the -ne operator and the null value.