How to do your top Exchange Server 2003 recipient tasks in Exchange Server 2007


In Exchange 2003, Active Directory Users and Computers (ADUC) was the place to go for recipient management. This was frustrating to some, as it was a management environment totally separate from the Exchange system management console. In Exchange 2007, this recipient management functionality has been integrated back into the Exchange management tools, both in Exchange management shell and in Exchange management console.

So, without further delay, the top 5 ADUC activities:

1. Creating a new mailbox

The most common activity by Exchange administrators in Exchange 2003 ADUC was to create a new mailbox (new user with mailbox properties). Note that included in this scope is taking an existing non-mailbox-enabled user and adding mailbox properties to it.

This administrator action is very easily accomplished in Exchange 2007 using the new Exchange management console or the Exchange management shell. We'll focus here on both the new and the enable case for Mailbox only, although the pattern is nearly identical for the other recipient objects (DistributionGroup, MailContact, etc.).

In the image above, you can see that the new Exchange 2007 recipient management GUI is integrated directly into the Exchange 2007 management console.

Step 1: The red arrow in the image above indicates the action in the action pane to create a new mailbox.

Step 2: The second page of the New Mailbox wizard allows you to create a new user or select an existing user. In order to create a "New User", you must have the appropriate AD permissions to create a user object (such as Windows Account Operator). Creating a mailbox on an "Existing User" requires only that you be granted Exchange Recipient Administrator permissions, facilitating split-permissions scenarios where one group is responsible for creating users and another for creating mailboxes.

If you choose to mailbox-enable an "Existing User", you will then be able to select the user to enable from a GUI picker like the below:

Note that only users that are not already configured for mail or mailbox properties will be shown in this picker. Also, if you are creating a User Mailbox, only AD-enabled users will be shown (likewise, if you are creating a Resource mailbox or Linked Mailbox, only disabled user accounts will be shown).

In Exchange 2007 management shell, the new and enable cases were covered in Jared's "Recipient Management One-liners" post the other day, so I won't revisit them here.
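The split-permissions arrangement from Step 2, expressed in the Exchange 2007 management shell. This is an added example, not code from the original post; the group, account and database names are placeholders.

```powershell
# Added example for the Exchange 2007 management shell. All names are placeholders.
$delegate = 'CONTOSO\MailboxProvisioners'                  # hypothetical group of mailbox admins
$database = 'MBX01\First Storage Group\Mailbox Database'   # hypothetical mailbox database
$newUser  = 'CONTOSO\jsmith'                               # account already created by the AD team

# Run once by an Exchange Organization Administrator: delegate recipient
# management only, with no server-level or organization-level rights.
Add-ExchangeAdministrator -Identity $delegate -Role RecipientAdmin

# Review who holds which Exchange role after the change.
Get-ExchangeAdministrator | Format-Table Identity, Role, Scope -AutoSize

# Run by a member of the delegated group: list the same candidates the GUI
# picker shows, i.e. users with no mail or mailbox properties yet.
Get-User -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'User' } |
    Format-Table Name, SamAccountName, OrganizationalUnit -AutoSize

# Mailbox-enable the existing account. No right to create AD user objects is needed.
Enable-Mailbox -Identity $newUser -Database $database
```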

2. Modifying properties on a mailbox

Once you've created a new mailbox, it is likely you will want to manage some properties on this recipient object. Exchange 2007 recipient management tools allow you to manage both the Exchange property set and some portions of the Windows/AD property set, as permissions granted to your user account allow (Exchange Recipient Administrator role for the Exchange property sets and Windows Account Operator for the AD property set - see Ross' Property Sets post for more details on these property sets).

This administrator action is very easily accomplished in Exchange 2007 using the new Exchange management console or the Exchange management shell. We'll focus here on the "properties" case for Mailbox only, although the pattern is nearly identical for the other recipient objects (DistributionGroup, MailContact, etc.).

In the image above, the red arrow points to the "Properties" action in the action pane. With the mailbox you wish to edit selected, you can click on "Properties" to review and change the properties on a mailbox object.

From these property pages you can review or modify various user or mailbox-related properties such as name, displayname, mailbox quotas, etc.

In Exchange 2007 management shell, various "set" cases were covered in Jared's "Recipient Management One-liners" post the other day, so I won't revisit them here.

3. Configuring "Exchange Features" on a mailbox

Once you've created a new mailbox, it is likely you will want to manage the status and settings of some Exchange Mailbox features. In Exchange 2003 these were called "Exchange Features" and include configuring the various mobile services and protocols available to access a mailbox.

This administrator action is very easily accomplished in Exchange 2007 using the new Exchange management console or the Exchange management shell. We'll focus here on the "Exchange ActiveSync" case only, although the pattern is similar for the other mailbox features.

After opening up mailbox properties, as above, and switching to the Mailbox Features tab in the GUI, various mailbox features are listed. Some features allow access to feature-specific properties, while some features allow an enable/disable action.

In the case of "Exchange ActiveSync" feature, the option is available to enable/disable the feature for this mailbox, as well as to review or modify the properties of the feature for this mailbox.

Within the properties dialog, you can configure this mailbox to have an ActiveSync policy applied:

In Exchange 2007 management shell, various "set" cases (including configuring mailbox features) were covered in Jared's "Recipient Management One-liners" post the other day, so I won't revisit them here.
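The Mailbox Features settings described above can also be reviewed across all mailboxes at once. The following is an added example, not from the original post, that reports the enabled access features and finds mailboxes that have Exchange ActiveSync enabled but no ActiveSync policy applied; the policy name is a placeholder.

```powershell
# Added example for the Exchange 2007 management shell.
# 'Default Mobile Policy' is a hypothetical policy name; substitute your own.
$policyName = 'Default Mobile Policy'

# 1. Report which access features are enabled on each mailbox.
$cas = Get-CASMailbox -ResultSize Unlimited
$cas | Sort-Object Name |
    Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy, OWAEnabled, PopEnabled, ImapEnabled -AutoSize

# 2. Mailboxes that can sync to mobile devices but have no ActiveSync
#    policy assigned (an unset policy evaluates as $null, hence -not).
$unmanaged = $cas | Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy }
$unmanaged | Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy -AutoSize

# 3. Preview the assignment with -WhatIf, then apply it.
$unmanaged | Set-CASMailbox -ActiveSyncMailboxPolicy $policyName -WhatIf
$unmanaged | Set-CASMailbox -ActiveSyncMailboxPolicy $policyName

# To switch the feature off for a single mailbox instead:
# Set-CASMailbox 'MyMailbox' -ActiveSyncEnabled:$false
```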

4. Moving mailboxes

Moving mailboxes between mailbox databases or servers is a common activity using Exchange 2003 ADUC. In Exchange 2003, it could be challenging to select the correct set of users to move, particularly if the criteria were complex (for instance, all mailboxes in a certain distribution group, or all mailboxes with a particular custom attribute set).

This administrator action is very easily accomplished in Exchange 2007 using the Exchange management console or the Exchange management shell.

In the image above, the red arrow points to the "Move Mailbox..." action in the action pane. You can select multiple mailboxes to be moved in one action, and you can use the "Create Filter" feature of the recipient workcenter to help you select the correct mailbox or mailboxes to move.

At the Exchange management shell, even more extensive filtering is possible. The Move-Mailbox cmdlet will directly take a pipelined input of mailbox objects to be moved, so any filtered output from Get-Mailbox can be used to feed a Move-Mailbox action as a simple one-liner.

For example, if I wanted to move all mailboxes with CustomAttribute1 set to "Executive", I could run the following one-liner:

Get-Mailbox -Filter { CustomAttribute1 -eq 'Executive' } | Move-Mailbox -TargetDatabase MyTargetMDB
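The other selection case mentioned above, all mailboxes in a certain distribution group, follows the same pipeline pattern. The following is an added example, not from the original post, that also reviews and validates the selection before any mailbox is moved; 'Sales Team' is a placeholder group name.

```powershell
# Added example for the Exchange 2007 management shell.
# 'Sales Team' is a hypothetical distribution group; MyTargetMDB is the
# placeholder database name used in the one-liner above.
$targetDb = 'MyTargetMDB'

# Select by group membership, keeping only the members that are mailboxes
# (groups can also contain contacts, mail users and other groups).
$toMove = Get-DistributionGroupMember 'Sales Team' |
    Where-Object { $_.RecipientType -eq 'UserMailbox' } |
    Get-Mailbox

# 1. Review the selection before anything changes.
$toMove | Format-Table Name, Database, CustomAttribute1 -AutoSize

# 2. Dry runs: -WhatIf lists the intended moves, -ValidateOnly runs the
#    pre-move checks. Neither moves any data.
$toMove | Move-Mailbox -TargetDatabase $targetDb -WhatIf
$toMove | Move-Mailbox -TargetDatabase $targetDb -ValidateOnly

# 3. The real move. The confirmation prompt is left on deliberately.
$toMove | Move-Mailbox -TargetDatabase $targetDb
```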

5. Checking for or changing email addresses on a mailbox/mail-enabled object

Another common task for ADUC is to check for email addresses or change them on a particular recipient object. In Exchange 2003, this was commonly done immediately after creating a mailbox or mail-enabled object, to see if the Recipient Update Service (RUS) had processed the object yet. Since Exchange 2007 eliminates the RUS (will be covered separately) in favor of immediate email address provisioning, it may not be as necessary in Exchange 2007.

Even so, there may be times where it is useful to inspect the email addresses stamped onto a mailbox or mail-enabled recipient. And, of course, there may be times where you need to change the application of Email Address Policy for a particular mailbox/mail-enabled recipient and control their email addresses directly.

After opening up mailbox properties, as above, and switching to the Mailbox Features tab in the GUI, the current email addresses are listed.

The red arrow in the image above indicates the checkbox where you can enable or disable Email Address Policy for this mailbox. If the checkbox is checked (the default state), the mailbox will fall under Email Address Policy control and some options are disabled. If unchecked, you will be able to control all aspects of the mailbox email address assignment.
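The same inspection can be done from the Exchange management shell. The following is an added example, not from the original post, that lists the addresses stamped on one mailbox and then finds every mailbox that has been taken out of Email Address Policy control; 'MyMailbox' is a placeholder identity.

```powershell
# Added example for the Exchange 2007 management shell. 'MyMailbox' is a placeholder.

# One mailbox: the policy flag and every address stamped on it.
$mbx = Get-Mailbox 'MyMailbox'
$mbx | Format-List Name, PrimarySmtpAddress, EmailAddressPolicyEnabled
$mbx.EmailAddresses | Format-Table ProxyAddressString, IsPrimaryAddress -AutoSize

# All mailboxes whose addresses are managed by hand (checkbox unchecked),
# with their full address list flattened into one column for review.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.EmailAddressPolicyEnabled } |
    Select-Object Name, PrimarySmtpAddress, @{
        Name       = 'Addresses'
        Expression = {
            [string]::Join('; ', [string[]]@($_.EmailAddresses |
                ForEach-Object { $_.ProxyAddressString }))
        }
    }

# Return a mailbox to policy control: preview first, then apply.
Set-Mailbox 'MyMailbox' -EmailAddressPolicyEnabled:$true -WhatIf
Set-Mailbox 'MyMailbox' -EmailAddressPolicyEnabled:$true
```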

Removing the legacy ADUC extensions

You may have noticed from my examples above or while using the Exchange 2007 Beta2 console that there are no longer any legacy ADUC extensions installed on Exchange 2007 servers or admin-only consoles. These extensions have been deprecated for Exchange 2007 to consolidate recipient management into a single, updated management interface.

This was done for a number of reasons:

- Attack the cost of managing users (add/delete/modify) by introducing automation. Since the Exchange 2007 recipient management tools are built on top of PowerShell cmdlets, we were able to introduce automation and a powerful bulk management solution. In a Radicati study of Exchange 2003, the second highest administrative labor cost was managing users (second only to managing rich clients!).

- Truly support the split-permissions model where an Exchange Administrator can do everything relevant to Exchange within one console.

- Simplify the management of the GAL and recipient types from the Exchange console - only the objects and attributes that pertain to Exchange are shown.

- Make recipient types explicit, rather than implicit. Exchange 2007 has 13 different explicit recipient types and having these types differentiated makes it easier to manage recipients, lowering labor costs.

The downside is that customers who today use ADUC to do non-Exchange-related user management along with their mailbox management may need to use two tools. This may equate to a retraining cost. To help mitigate training costs, a custom Exchange 2007 console snap-in can be created to only show the recipient configuration node and its children (none of the organizational or server management nodes) - see below for details!

For many customers who today use ADUC for recipient management, two tools will not be necessary as the most common recipient management activities are available in the new management toolset (as shown above).

Creating a Recipient Management only console

As mentioned above, it is possible to create a custom console snap-in which has only the Recipient node of the console available in a few easy steps. This custom console can be used to isolate visibility of the additional management capabilities of the Exchange 2007 management console from recipient management focused administrators or helpdesk.

Step 1: Open MMC.exe directly (no snap-ins added)

Step 2: Add the Exchange Snap-in to this empty MMC console

Step 3: Select the Recipient Configuration node. Right click and choose "New Window from Here"

Step 4: Under File->Options, configure the Console mode and options to "lock it down", as desired.

Step 5: Save this custom MMC to an MSC file. This MSC file can be used to launch your new "Recipient Management Only" console!

- Evan Dodds

Comments (12)
  1. Matt Lathrum says:

    Is there a way to programmatically check or uncheck the "Automatically update e-mail addresses based on email address policy" box?

  2. Evan Dodds says:

    You can set or unset this checkbox programmatically by toggling the boolean like: "Set-Mailbox MyMailbox -EmailAddressPolicyEnabled:$true" (or $false to uncheck it).

  3. Kevin says:

    I would like to ask about one of the big headaches with Exchange/Active Directory 2003 and how it is handled in Exchange 2007. The "Disable user account/master account SID" situation.

    We have a split permission model where most user management is dispersed through the organisation at the local IT level. The Exchange management is only handled by a single central group.

    Accounts are disabled by the local IT areas for one reason or another, and then reenabled in some cases the next day. When the account is disabled by the local IT the mailbox stops working and whenever an email is sent to the mailbox our logs fill with error 9548 "Disabled user /O=BLAH/OU=BLAH/CN=RECIPIENTS/CN=SMITHB does not have a master account SID".

    We have a tool called NOMAS.exe that "fixes" these problems but I wish we could just go back to the 5.5 model of the mailbox continuing to function even if the account is disabled. Or at least an option to choose which way we would be affected [mail stops when account disabled vs. mail continues even if account disabled]!

    How is this recipient task performed in Exchange Server 2007?

  4. leelo7 says:

    Kevin, Have you had a look at 916783 to fix your issue in Exch 2003 SP2?

  5. Timothy says:

    That KB is a great headache saver, but the question remains.  What is the behavior in 2007?  Will we need a hotfix to get email while a user is disabled or will it work out of the box?

  6. Exchange says:

    Timothy,

    This will work out of the box with Exchange Server 2007.

  7. Brian says:

    We just expire accounts when we need the mailbox to continue to function, then disable them when we don’t need the mailbox anymore.  

    I do have a question about the recipient policies though.  Of course, we can receive mail for multiple domains with policies applied to the appropriate users… and we can set one of the other domains to primary so the users can send as that domain.  However, there is no simple way to allow the users to choose which domain they are sending from on a particular email (e.g. in Outlook).  Is there going to be any functionality in Ex2k7/Outlook 2007 to handle this without having to kluge something?  My company has been on an acquisition spree and this is becoming more of an issue every day – would be a *really* useful thing to be able to do when necessary.

  8. Exchange says:

    Brian,

    The "From" addressing is a client (Outlook for example) function, not server function… so it is not something that would be implemented on the server side on a per email basis in the way that you describe. I am not aware of it being present in OL 2007 from what I have seen though.

  9. Petri says:

    Is this really the final decision? Currently our user administrators have multiple tools for managing our users (which is sad, yes). And now, you are asking us to implement ONE tool more for them?

    Do you have authority fight between AD team; who is managing the users in AD? ;-)

  10. manuel says:

    How do you handle multiple users with the GUI? In Exchange 2003 it was possible to choose multiple users – and email enable all of them. How will this be done in the Ex2007 GUI?

  11. Anonymous says:

    I have previously listed the progress we’ve been making in posting ITPro focused Systems Management blog

  12. Anonymous says:

    Microsoft Exchange Server 2007 is bound to shake up the Active Directory world as we know it. After my
