Exchange 2007 Administration : Users, Groups and Mailboxes

$db="SERVER\Mailbox Database"
$upndom="mydomain.com"
$users=import-csv $args[0]

function SecurePassword([string]$plainPassword)
{
$secPassword=new-object System.Security.SecureString
Foreach($char in $plainPassword.ToCharArray())
{
$secPassword.AppendChar($char)
}
$secpassword
}

foreach ($i in $users)
{ 

$sp = SecurePassword $i.password
$upn = $i.Firstname + "@" + $upndom
$display = $i.FirstName + " " + $i.LastName
New-Mailbox –Password $sp –Database $db -UserPrincipalName $upn –Name $i.FirstName 

   –FirstName $i.FirstName –LastName $i.LastName –OrganizationalUnit $i.OU 

}

set-mailbox -id $upn -PrimarySmtpAddress $upn –ProhibitSendQuota 150MB 

   –IssueWarningQuota 120MB –ProhibitSendReceiveQuota unlimited 

   -domaincontroller firstdc.mydomain.com

set-user -id $upn -Company "My Company" -Department $i.Department 

   -domaincontroller firstdc.mydomain.com

Add-MailboxPermission -Identity $upn -AccessRights FullAccess 

   -User "Peter Van Eeckhoutte" -domaincontroller firstdc.mydomain.com

Add-ADPermission -Identity $i.FirstName 

   -User "Peter Van Eeckhoutte" -ExtendedRights Receive-As -domaincontroller firstdc.mydomain.com

$alias = $(read-host alias)

Next, run the statistics :

Get-MailboxFolderStatistics $alias | FT FolderPath,ItemsInFolder,@{label="FolderSize (KB)";

   expression={$_.FolderSize.ToKB()} }

Get-MailboxStatistics $alias | FT ItemCount,StorageLimitStatus,@{label="TotalItemSize (KB)";

  expression={$_.TotalItemSize.Value.ToKB()} },@{label="TotalItemSize (MB)";

  expression={$_.TotalItemSize.Value.ToMB()} },LastLogonTime

The script requires one parameter : the mailbox user name.

You can modify the script to show a list of top 10 mailboxes (size in MB, sort by size descending):

Get-Mailbox | Get-MailboxStatistics | sort-object -descending TotalItemSize | 

   Select-Object -first 10| FT DisplayName,@{label="TotalItemSize (MB)";

   expression={$_.TotalItemSize.Value.ToMB()}}

If you want to see all mailboxes that are larger than 100MB, use

Get-Mailbox | Get-MailboxStatistics | where {$_.TotalItemSize –gt 100000000} | sort-object 

  -descending TotalItemSize | FT DisplayName,@{label="TotalItemSize (MB)";

   expression={$_.TotalItemSize.Value.ToMB()}}

See if you can access a database or mailbox over MAPI, test mail flow

You can use the Test-MAPIConnectivity cmdlet to test connectivity to either a database or mailbox :

Test-MAPIConnectivity (will connect to all of the databases)

Test-MAPIConnectivity “Peter Van Eeckhoutte” (will connect to that user’s mailbox)

This cmdlet will show latency and error level as wel.

If you want to test message latency, you can run a mail test by using the Test-MailFlow cmdlet. By default, without parameters, it will connect to the local server. If you want to use additional test parameters, you can use the following command : Test-MailFlow ThisServer –TargetMailboxServer TargetServer (only works between Exchange 2007 servers). You can also use the same cmdlet to test mailflow to an email address by using the –TargetEmailAddress parameter

Using AD groups and creating dynamic groups

You can use existing AD security groups as Exchange distribution lists by mail-enabling a group. This allows you to keep management of the group in AD and use the updated group as distribution list at the same time. The only requirement is that you use Universal groups. Since you can use Universal groups for setting permissions, it is advised to use Universal groups and add users and/or Global/Local groups to the Universal group. The enable-DistributionGroup cmdlet allows you to mail-enable that group : enable-DistributionGroup -id “AD Group” -DisplayName “Your Group” –Alias “Alias” and Set-DistributionGroup –id “Your Group” –PrimarySmtpAddress group@domain.com to further configure the group.

If you don’t have the proper groups set up, or want to select members of a distribution list based on specific AD attributes as opposed to using an existing group, you can create a dynamic group. This basically allows you to create a group that will dynamically populate the members based upon certain criteria. Once the group is created, its contents are kept up to date automatically. You just need to make sure to keep the AD object attributes updated. Suppose you have properly filled out the “Department” field in AD, and you want to create a distribution group for all people in the Marketing department that will stay up to date, and store the group under the “Mailgroups” OU, you can use the following command : New-DynamicDistributionGroup -Name “Marketing Users” -ConditionalDepartment “Marketing” –OrganizationalUnit “domain.com/Mailgroups” -IncludedRecipients AllRecipients If you want to create a Dynamic DistributionGroup based on OU membership, you’ll have to use Powershell (because you cannot select that option via the GUI). Suppose you want to put all users from the Sales OU into a Group and store that group under “Mailgroups”, you should use the following command : New-DynamicDistributionGroup -Name “Sales Users” -RecipientContainer “domain.com/Sales” -IncludedRecipients AllRecipients -OrganizationalUnit “domain.com/Mailgroups”

Keep in mind : in order to become part of a Dynamic Group, the object must be either a user with Exchange mailbox, a user with an external email-address, a resource mailbox, a contact with external e-mail address or a mail-enabled group. Regular AD objects without mailbox, but with an email address set will NOT become part of the group.

Note : Dynamic Distribution Groups will show up as “Query-based Distribution Groups” in AD. See http://technet.microsoft.com/en-us/library/bb125256.aspx and http://technet.microsoft.com/en-us/library/aa996561.aspx for more info on Dynamic Distribution Groups.

To view the members of a Dynamic Distribution Group, you’ll need to use these 2 cmdlets :

$MarketingDepartment = Get-DynamicDistributionGroup -Identity “Marketing Department”

Get-Recipient -Filter $MarketingDepartment.RecipientFilter (or Get-Recipient -RecipientFilter $MarketingDepartment.RecipientFilter in 2007 SP1)

Set a mailbox quota for certain users :

Suppose you want to set a mailbox quota for all users in the Sales OU : Get-Mailbox –OrganizationalUnit “domain.com/Sales” | Set-Mailbox -ProhibitSendQuota 100Mb

If you want to set a quota for all members of the “Marketing” Active Directory group, you’ll need Quest’s Free “Quest Active Roles Management Shell for AD” Powershell cmd-lets. Download the free cmd-lets from http://www.quest.com/powershell/ .

Make the cmd-lets available through the Add-PSSnapin Quest.ActiveRoles.ADManagement powershell command and use the following command : get-qadgroupmember -Identity “Marketing” | Set-Mailbox –Identity {$_.Name} -ProhibitSendQuota 100Mb

Access to other mailboxes

If a user tries to open the Inbox of another mailbox, he (or she) will get “Cannot display the folder. The inbox folder cannot be found”

This means that the user does not have access to the Inbox. By default, nobody has access to a mailbox except the owner of that mailbox. (Not even Exchange Organization Admins have access to individual mailboxes). If you want to get/grant access to a mailbox, a folder in a mailbox, … you have multiple options :

– Ask the user to right click the folder in Outlook and use “Change sharing permissions” to grant access.

– Second option is to grant access to the entire mailbox via Powershell. You need to have Exchange Organization Administrator rights to be able to perform this task .

In the following example, I want try to grant “Peter Van Eeckhoutte” Full Access to the mailbox of “Administrator” :

(If you want to do this on all mailboxes, you need to use this command :

Possible AccessRights options are : FullAccess, SendAs, ExternalAccount, DeleteItem, ReadPermission, ChangePermission, ChangeOwner. You can specify multiple permissions by separating them with a comma. Additionally, you can review the permissions using the get-MailboxPermission cmdlet. (See http://technet.microsoft.com/en-us/library/bb124097.aspx )

Result of the cmdlet : still no access ! Why ? Because you really need other permissions as well. Keep in mind : FullAccess does not include “SendAs” or “ReceiveAs”.

By the way : Although the “SendAs” option is available under “Add-MailboxPermission”, you cannot use it here to grant real SendAs access. You need to use the Add-ADPermission cmdlet instead. (See http://technet.microsoft.com/en-us/library/aa998291.aspx) add-adpermission “mailbox” -user “domain\user” -ExtendedRights “Send As”. If you want to allow a user to be able to Send emails “on behalf”, use the Set-Mailbox cmdlet :

Does this solve our access problem ? No. You need to have “ReceiveAs” access in order to be able to open the mailbox in the first place.

When you grant a user the Full Access permission to a mailbox, that user has full access to only the mailbox for which the permissions are applied. With the Full Access permission, the user can open and read the contents of the mailbox. However, the user cannot send as that mailbox without additional permissions. When you grant a user Receive As permission to a mailbox database, that user can log on to all mailboxes within that database, but is not able to send e-mail messages from those mailboxes. Also, if you grant Receive As permission at the storage group level, the specified user can log on to all mailboxes within all databases in the storage group. For example, you may want to grant access to the mailbox database for mobile access or for legal review. See http://technet.microsoft.com/en-us/library/aa996343.aspx

In short : If you need access, you need to run 2 cmdlets :

Add-MailboxPermission “Mailbox” -User “Trusted User” -AccessRights FullAccess    => on user/mailbox level

Add-ADPermission -Identity “Mailbox Store” -User “Trusted User” -ExtendedRights Receive-As     => on mailbox database level or even on Store level. Suppose you want to grant “Peter Van Eeckhoutte” access to the mailbox database that holds the mailbox of Administrator, run :

[PS] C:\>Get-MailboxDatabase
Name Server StorageGroup Recover
---- ------ ------------ -------
Mailbox Database APOLLO First Storage Group False 

[PS] C:\>Add-ADPermission -Identity "Mailbox Database" -User "Peter" 

   -ExtendedRights Receive-As
Identity User Deny Rights
-------- ---- ---- ------
APOLLO\First Stor... CORELAN\peter False Receive-As

After changing the ACL, you need to wait for the Information Store to pick up the change. If you want the change to become active immediately, you need to restart the Microsoft Exchange Information Store Service : restart-service MSExchangeIS

Alternatively you can run the Add-MailBoxPermission and use adsiedit to change the remaining permissions on the mailbox object (see http://www.webservertalk.com/archive128-2007-4-1876971.html and http://support.microsoft.com/kb/822676)

Allow users to recover items, even when items were removed from “Deleted Items” or removed using a “Hard Delete”

See : http://support.microsoft.com/kb/246153/en-us. Modify the registry on the client computer that is running Outlook : go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Options Add a REG_DWORD value called DumpsterAlwaysOn and set the value to 1

(Re)start Outlook client. Click Deleted Item Recovery on the Tools menu. A list of items that have been hard deleted during the retention time set on the server is displayed

Set deleted item and deleted mailbox retention on the server

(http://technet.microsoft.com/en-us/library/bb125266.aspx) By default, deleted items remain available for recovery for 14 days, mailboxes remain available for 30 days. If you want to specify how long deleted items or deleted mailboxes remain available for recovery or re-assigment (in case of mailboxes) on the server, go to the properties of the Mailbox database and go to the “limits” tabsheet. Additionally, you can use the set-mailboxDatabase cmdlet : set-mailboxDatabase <database_name> -ItemRetention 14.00:00:00 and set-mailboxDatabase <database_name> -MailboxRetention 30.00:00:00

How to manually defrag an Exchange database ?

First, dismount the database. Next, run eseutil /D drive:\path\to\file from a Dos prompt.

Other interesting parameters : /p : reserve the temp database (= do not perform an inplace defrag). /tpath_to_db : set temporary database path (if you don’t want to use the current folder)

Keep in mind, the administrative maintenance task will defrag the databases automatically, so you only need to do this when you think the database is fragmented and the maintenance tasks did not do a good job 🙂

(See KB 328804)

Importing from and exporting to pst files

If you want to export a mailbox to a pst file, you can use the “Get-Mailbox | Export-Mailbox –PSTFolderPath <path to folder where data will be exported>” cmdlet (this example exports all mailboxes, but you can filter and export specific mailboxes as well). Importing a pst into a mailbox is as easy as running Get-Mailbox | Import-Mailbox –PSTFolderPath <path to folder with <alias>.pst files to import>

You can specify a start and end date as parameters to the Import-Mailbox cmdlet.

Importing and exporting requires that you run the cmdlets from a computer that has Outlook installed.

You can still use the exmerge utility as well, but you’ll need to run it from a client that has Outlook installed.

---

Similar/Related posts:

Free tool – Free POP3 Collector Exchange 2007 : Powershell script to select optimal database for a new mailbox Exchange 2007 Administration : Setup and Delegation Outlook 2007 unable to download Offline Address Book – error 0X8004010F and 0X80190194 Dynamic Distribution Lists not working as expected (0 recipients during mail routing)