
Exchange 2007 Administration : Policies and limits

Exchange 2007 offers a set of features that allow for centralized management of policies and limitations. These policies and limitations help you set up and control mail flow, mailbox sizes, compliance (retention) and so on. You’ll need an Enterprise CAL for most of the functionality explained in this post.

Managed Folder Mailbox policies

Every Exchange mailbox has a set of default folders (Inbox, Junk E-Mail, etc). You can centrally manage settings that should be applied to all or some individual mailboxes. Centrally means that you can only create these settings on an organizational level.
Suppose you want to delete all emails in the Junk E-Mail folder that are older than 3 days. Depending on your setup, you’ll need 3 or 4 steps to complete this process.
First of all, you need to create a "managed content settings" definition. Next, you need to combine the managed content setting into a policy. This policy needs to be assigned to a mailbox or database. And finally (if that is not the case yet), you need to activate the Records Management on the server, in order to apply the policies to the mailboxes/databases.

  1. Create Managed Content Settings

    Open the Exchange Management Console and go to "Organization Configuration" – "Mailbox"

    Open the "Managed Default Folders" tabsheet

    Right click the managed default folder and choose "New Managed Content Settings"

    Fill out the name for your managed content setting (e.g. "Remove Junk E-Mails older than 3 days"). Choose the message type (All Mailbox content), enable the "Length of retention period (days)" and set the number of days to 3. Choose when the retention period starts and set the action to take at the end of the retention period.

    Click "Next"

    If you want to enable journaling, then enable journaling and select the mailbox to forward copies to. Click "Next" to continue

    Click "New" to create the content settings.

    Right-click the "Junk E-Mail" folder again, and choose properties. You can fill out a message that will be displayed when the folder is viewed in Outlook/Outlook Web Access.

    You can get a list of all settings by running the Get-ManagedContentSettings cmdlet.

  2. Turn the setting into a policy

    Open the "Managed Folder Mailbox Policy" tabsheet. Right-click and choose "New Managed Folder Mailbox Policy"

    Provide a name for the mailbox policy (e.g. "Junk E-Mail policy").

    Click the "Add" button and select the managed folder that contains the settings definition that was created under step 1. If you have multiple folders with multiple settings, you can combine them into one policy.

    By the way : you can also create custom managed folders, and create a managed content setting for the custom managed folder as well, and then include this folder in the policy. You can create a list of all managed folders by using the Get-ManagedFolder | FT Name, Description cmdlet.

    Just keep in mind that you can only apply one policy to a mailbox, so you need to create a good set of settings and combine those into a policy.

    You can get a list of policies by running Get-ManagedFolderMailboxPolicy

  3. Assign the policy to mailboxes

    Open the "Recipient Configuration", and select the mailbox that needs to get the policy.

    Right-click the mailbox, choose "properties" and go to the "Mailbox Settings" tabsheet.

    Select "Messaging Records Management" and click "Properties".

    Enable "Managed folder mailbox policy" and use the Browse button to browse to your policy. As you can see, you can only specify one policy per user, so you’ll have to combine all settings into one policy.

    If you want to apply the policy to all mailboxes at once, you can use the Get-Mailbox | Set-Mailbox -ManagedFolderMailboxPolicy "Policy Name" cmdlet. This command is interactive and cannot be scripted using –force, so you’ll have to press "Y" (or "A") if you want the policy to be applied.

    You can see all applied policies by running get-mailbox | FT Name,ManagedFolderMailboxPolicy

    You can assign a policy to a mailbox at creation time as well.

  4. Activate Messaging Records Management

    Open the "Server Configuration" tree, select the server that contains the mailboxes with a policy in the "Server Configuration" pane, right-click and choose properties. Go to the "Messaging Records Management" tab and set the Schedule to "Use Custom Schedule". Use the Customize button to specify the times when the engine must run in order to process the policy settings. I would recommend running this 1 to 3 times per day, depending on the number of mailboxes that need to be processed.

    Now wait until the schedule kicks in, or force the application of the policy by running the Start-ManagedFolderAssistant cmdlet on the server that needs to be activated (or specify the name of the server if you want to run it against a remote server). If you want to run the policy on just one mailbox, you can use Start-ManagedFolderAssistant -Mailbox "user"

If you open Outlook or OWA, and go to the folder that has a policy applied to it (and has a comment too), you’ll see the comment that was provided during the configuration of your policy.
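The same four steps can be run from the Exchange Management Shell. The script below is an added example, not part of the original post: the setting, policy and mailbox names come from the walkthrough above, while the retention trigger (WhenDelivered) and action (DeleteAndAllowRecovery) are assumed choices, and the folder name is assumed to match what Get-ManagedFolder returns in your organization.

```powershell
# Added example for the Exchange 2007 Management Shell (not from the original post).
# Names come from the walkthrough; trigger and action are assumed choices.
$folder  = 'Junk E-Mail'   # assumption: must match a Name listed by Get-ManagedFolder
$setting = 'Remove Junk E-Mails older than 3 days'
$policy  = 'Junk E-Mail policy'
$mailbox = 'user'          # placeholder mailbox identity used in the post

# Step 1: create the managed content settings on the managed default folder.
# '*' covers all mailbox content; the age limit is written as days.hh:mm:ss.
New-ManagedContentSettings -Name $setting -FolderName $folder `
    -MessageClass '*' -RetentionEnabled $true `
    -AgeLimitForRetention '3.00:00:00' `
    -TriggerForRetention WhenDelivered `
    -RetentionAction DeleteAndAllowRecovery

# Step 2: combine the managed folder (and its settings) into a policy.
New-ManagedFolderMailboxPolicy -Name $policy -ManagedFolderLinks $folder

# Step 3: assign the policy to one mailbox. This prompts for confirmation,
# as described in the walkthrough.
Set-Mailbox -Identity $mailbox -ManagedFolderMailboxPolicy $policy

# Step 4: process that mailbox now instead of waiting for the schedule.
Start-ManagedFolderAssistant -Mailbox $mailbox

# Check: review what was created, then list mailboxes that still have no
# policy assigned and are therefore not covered by the retention rule.
Get-ManagedContentSettings -Identity $setting | Format-List
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.ManagedFolderMailboxPolicy } |
    Format-Table Name, Database
```

Because a mailbox accepts only one policy, the final query is a quick way to confirm that no mailbox was missed before relying on the retention rule for compliance.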

Note : Managed Default folders : In the process of creating your own Managed Default folder, you have to select the type of folder from a list. You can only specify one default folder per type, so pay attention to selecting the right type, or create and use Managed Custom folders instead.

Managing Custom Folders

As stated above, you can use pretty much the same Managed Folder policy functionality for managed custom folders. One of the nice things about custom folders is that you can set a "Storage Limit" when creating a new custom folder.

© 2007, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.
