Dynamic distribution group based on security group membership - part 2

I extended the recipient filter for a dynamic distribution group described in an earlier article.

As a short recap, the distribution group should have two kinds of members:

  1. Users where the Company field has a specific value
  2. Users that are members of a specific security group

But there was now a kind of user, where the Company field has this specific value, but the user must not be a member of the distribution group. It was not possible to put the user in its own organizational unit, because the distribution group includes all organizational unit.

So I extended the recipient filter to exclude users being member of an other security group:

            (MemberOfGroup -ne 'CN=my-other-group,OU=groups,DC=mycompany,DC=local')
                (Company -eq 'My company')
                (MemberOfGroup -eq 'CN=my-group,OU=groups,DC=mycompany,DC=local')

                    (RecipientType -eq 'UserMailbox')
                    (RecipientType -eq 'MailUser')

    -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox'))-and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox'))

The important (and new) part is (MemberOfGroup -ne 'CN=my-other-group,OU=groups,DC=mycompany,DC=local') -and …. It excludes users that are members of the security group named my-other-group. Again you have to address the group by its distinguished name and users must be direct members of the group.

Published on 2022-11-27, 13:13 +0000

Backup user for MySQL / MariaDB

Since I don't like the fact to use a superuser for that, I wanted to create a user for MySQL / MariaDB, that will be able just to read all databases and to back them up using AutoMySQLBackup or my own PowerShell script.

It works when the user has the following global privileges:


You can assign these privileges using the following SQL statement (assuming your user is called backup):


Published on 2022-11-06, 11:08 +0000

Joining a Synology DiskStation to a Windows domain

I tried to join a Synology DiskStation running DSM 6.2 to a Windows domain. But after entering the domain settings, I received the following error message:

Connection failed. Please check your network settings.

(In german: Verbindung fehlgeschlagen. Bitte überprüfen Sie Ihre Netzwerkeinstellungen.)

The strange thing was that I wasn't able to access the SMB settings in the Synology's control panel (found under File Sharing). The SMB checkbox wasn't ticked and I received the error message mentioned above.

The solution was to upgrade to DSM 7. This fixed all the problems and I could successfully join the DiskStation to the Windows domain. Thanks to the guys at serv-u Franzke for helping me to find the solution.

Published on 2022-10-26, 19:33 +0000

Cannot remove internal transport certificate in Exchange

I wanted to remove an old TLS certificate from our Exchange server. The old certificate was previously used for IIS and SMTP. I replaced the certificate with a new one, but I was not able to remove the expired one. I got the following error message:

A special Rpc error occurs on server [...]: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.

(In german: Ein spezieller RPC-Fehler ist auf dem Server [...] aufgetreten. Das interne Transportzertifikat kann nicht entfernt werden, weil dies das Beenden des Microsoft Exchange Transportdiensts bewirken würde. Erstellen Sie ein neues Zertifikat, um das interne Transportzertifikat zu ersetzen. Das neue Zertifikat wird automatisch als internes Zertifkat eingesetzt. Anschließend können Sie das vorhandene Zertifikat entfernen.)

After doing some research, I found out I had to use the PowerShell cmdlet Enable-ExchangeCertificate, to make the new certificate become the new internal transport certificate.

Use the Exchange Admin Center or Get-ExchangeCertificate to get the new certificates thumbprint.

Now use Enable-ExchangeCertificate to replace the internal transport certificate (assuming the thumbprint is 98e0f19b89264facd8fb5dfed8ac60c7dd7fc859):

Enable-ExchangeCertificate -Thumbprint 98e0f19b89264facd8fb5dfed8ac60c7dd7fc859 -Services SMTP,IIS

Now you can remove the expired certificate.

Published on 2022-10-02, 16:44 +0000

Outlook cache mode and calendar items

Wanted to transfer some calendar items into the calendar of another Exchange mailbox. I thought I transferred everything until a user noticed that some items were missing. The user saw more items in the mailbox than me. The solution was to turn off the cache mode of Outlook. With cache mode disabled, I saw all items in the calendar.

Published on 2022-09-05, 19:26 +0000