Exchange Server 2007 recipient management one-liners

Published Sep 05 2006 04:17 PM

A few days ago, we posted the blogs "The new Exchange 2007 Management Console overview" and "Recipient Management in Exchange 2007 - Overview", which give an overview of the completely updated GUI management console and of recipient management in Exchange 2007.

This blog post covers common recipient management scenarios in Exchange Server 2007 using the Exchange Management Console ("console") and the one-liners behind the scenes: single-line commands in the Exchange Management Shell ("shell" or "EMS", based on Windows PowerShell) that carry out each task. The console now exposes the one-liner for each wizard after successful completion.

As detailed in the above two blogs, the console organizes the left navigation tree into four work centers. The Recipient Configuration work center node is used for recipient management. Underneath it you will see the recipient type nodes: mailbox, distribution group, mail contact, and disconnected mailbox.

The sections below illustrate the console GUI walk through and the one-liners for common scenarios, which are categorized into provisioning, change management, bulk management and reporting.


Scenario: Create a new mailbox

Mailbox types include MailboxUser, ConferenceRoomMailbox, EquipmentMailbox, SharedMailbox, LinkedMailbox and LegacyMailbox. Except for SharedMailbox, which can be managed only in the shell, and LegacyMailbox, which is for interoperability with Exchange 2000/2003 and has limited management in Exchange 2007, the mailbox types can be managed through both the console GUI and the shell command line.

Administrators can create a new mailbox by creating a new user and mailbox-enabling it in one step, or by mailbox-enabling an existing user. The GUI walk through below illustrates the experience of creating a new mailbox using the "New Mailbox" wizard.

GUI walk through:

Select the "New Mailbox..." option from the context menu or action pane of the Recipient Configuration node to launch the "New Mailbox" wizard.

In the wizard pages, administrators can select to create a new user and mailbox-enable it in one step, or mailbox-enable an existing user, specifying any necessary mailbox information including mailbox type during the process.

Note that in this first example you can see two great tips on using PowerShell:
1) You can enter less than the full parameter name, so long as it's unique (i.e., the "org" parameter is actually used to specify "OrganizationalUnit" in this example).
2) Any parameters you don't enter on the command line, but which are required for the cmdlet to complete, will be prompted for (i.e., "Password" in this example).

Shell one-liners:

# Create a new mailbox-enabled user
New-Mailbox -alias testmbx -name TestMailbox -database "Mailbox Database" -org Users -UserPrincipalName

# Create a new resource mailbox (Conference Room or Equipment)
New-Mailbox -alias testresmbx -name TestResourceMailbox -database "Mailbox Database" -org Users <-Room | -Equipment> -UserPrincipalName

# Create a shared mailbox
New-Mailbox -alias testsharedmbx -name TestSharedMailbox -database "Mailbox Database" -org Users -shared -UserPrincipalName

# Create a new linked mailbox
New-Mailbox -alias testlinkedmbx -name TestLinkedMailbox -database "Mailbox Database" -org Users -LinkedMasterAccount -LinkedDomainController userdomain-dc-01 -UserPrincipalName

# Mail-enable an existing user as a user mailbox
Enable-Mailbox logondisableduser -database "Mailbox Database"

# Mail-enable an existing (AD logon-disabled) user as a resource mailbox (Conference Room or Equipment)
Enable-Mailbox logondisableduser <-Room | -Equipment> -database "Mailbox Database"

# Mail-enable an existing (AD logon-disabled) user as a linked mailbox
Enable-Mailbox logondisableduser -database "Mailbox Database" -LinkedMasterAccount -LinkedDomainController userdomain-dc-01

Note that for both of these linked mailbox examples (new and enable), it is quite likely you will also require the "-LinkedCredential" parameter to specify a credential to be used to do the lookup in the user domain.

Change Management

Administrators can move, enable/disable, remove or change mailbox settings for an existing mailbox through the console or the shell. The section below illustrates the GUI walk through and one-liners for common change management scenarios.

Scenario: Move / Disable / Remove mailboxes

GUI walk through:

There is a context menu for each mailbox to move, disable or remove the mailbox.

Shell one-liner:

# Move an individual mailbox
Move-Mailbox testmbx -targetdatabase "Mailbox Database"
# Move all mailboxes stored on a server to a target mailbox database
Get-Mailbox -server testserver | Move-Mailbox -targetdatabase "Mailbox Database"
# Disable one individual mailbox
Disable-Mailbox testmbx
# Disable all mailboxes stored on a server
Get-Mailbox -server testserver | Disable-Mailbox
# Remove one individual mailbox-enabled user
Remove-Mailbox testmbx
# Remove all mailbox-enabled users stored on a server
Get-Mailbox -server testserver | Remove-Mailbox

Scenario: Set storage quotas on a mailbox

GUI walk through:

Shell one-liner:

# Set storage quotas
Set-Mailbox testmbx -UseDatabaseQuotaDefaults:$False -IssueWarningQuota 90MB -ProhibitSendQuota 95MB -ProhibitSendReceiveQuota 100MB

Scenario: Set delivery options on a mailbox

GUI walk through:

Shell one-liner:

# Set a mailbox to forward mail to another recipient and set its recipient limit
Set-Mailbox testmbx -DeliverToMailboxAndForward:$True -ForwardingAddress -RecipientLimits 10

Scenario: Add a new e-mail address to a mailbox

GUI walk through:

Shell one-liner:

$mbx = get-Mailbox testmbx;
$mbx.EmailAddresses += "";
$mbx | set-Mailbox

Note that since this mailbox in the image above is configured to "Automatically Update" based on E-mail Address Policy (recipient policy), you will not be able to modify the primary SMTP e-mail address or replace all configured e-mail addresses on the object. You can, however, add additional SMTP secondary e-mail addresses.

Scenario: Configure mailbox permissions

Permission settings are advanced use cases that are available only at the shell command line, except for the "Send on behalf" permission, which can also be granted in the console (in the Mail Flow Settings tab of the mailbox property pages).

Shell one-liner:

# Grant "Send on behalf" permission
Set-Mailbox testmbx -GrantSendOnBehalfTo jaredz
# Grant "Send-As" permission
Add-ADPermission testmbx -ExtendedRights Send-As -user jaredz
# Grant full mailbox access permission
Add-MailboxPermission testmbx -AccessRights FullAccess -user jaredz
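
The grants above, the forwarding setting from the delivery options scenario, and the database-level Receive-As right discussed in the comments below all give someone other than the owner access to mailbox mail. The following review script is an added example, not part of the original post; the `$ignore` list, the helper function names and the output file name are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumptions: $ignore, the helper names and the output file name are illustrative.
$ignore = 'NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM'   # built-in trustees to skip

function New-GrantRow($Object, $Right, $Trustee, $Inherited) {
    $row = New-Object PSObject
    $row | Add-Member NoteProperty Object      "$Object"
    $row | Add-Member NoteProperty Right       $Right
    $row | Add-Member NoteProperty Trustee     "$Trustee"
    $row | Add-Member NoteProperty IsInherited $Inherited
    $row
}

# True for an allow entry set directly on the object for a non-built-in trustee.
function Test-ExplicitAllow($Ace) {
    (-not $Ace.Deny) -and (-not $Ace.IsInherited) -and ($ignore -notcontains "$($Ace.User)")
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

$report = & {
    # FullAccess, stored on the mailbox in the store (Add-MailboxPermission)
    $mailboxes | Get-MailboxPermission |
        Where-Object { ($_.AccessRights -match 'FullAccess') -and (Test-ExplicitAllow $_) } |
        ForEach-Object { New-GrantRow $_.Identity 'FullAccess' $_.User $false }

    # Send-As, an extended right on the user's AD object (Add-ADPermission)
    $mailboxes | Get-ADPermission |
        Where-Object { ($_.ExtendedRights -match 'Send-As') -and (Test-ExplicitAllow $_) } |
        ForEach-Object { New-GrantRow $_.Identity 'Send-As' $_.User $false }

    # Send on behalf, a multi-valued property of the mailbox (Set-Mailbox)
    foreach ($mbx in $mailboxes) {
        foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
            New-GrantRow $mbx.Identity 'SendOnBehalf' $delegate $false
        }
    }

    # Forwarding: another recipient receives this mailbox's mail
    $mailboxes | Where-Object { $_.ForwardingAddress } |
        ForEach-Object {
            New-GrantRow $_.Identity 'ForwardingAddress' $_.ForwardingAddress $false }

    # Receive-As on a database opens every mailbox in it. Inherited entries are kept
    # because a grant made higher up (for example on the storage group) flows down.
    Get-MailboxDatabase | Get-ADPermission |
        Where-Object { ($_.ExtendedRights -match 'Receive-As') -and (-not $_.Deny) } |
        ForEach-Object { New-GrantRow $_.Identity 'Receive-As' $_.User $_.IsInherited }
}

if ($report) {
    $report | Sort-Object Trustee, Right | Export-Csv mailbox-access-review.csv -NoTypeInformation
}
```

Built-in Exchange groups may appear in the Receive-As rows; the review is about spotting trustees you did not expect.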

Scenario: Enable ActiveSync, OWA, MAPI, UM, IMAP and POP features on a mailbox

ActiveSync, OWA, MAPI and UM features can be enabled/disabled and configured through the console or the shell. IMAP and POP features can be enabled/disabled only at the shell command line. The GUI below indicates where in the console to enable/disable and configure the ActiveSync, OWA, and MAPI features. Although UM properties are available in this location, enabling or disabling UM for a mailbox is done through a wizard launched from an action in the mailboxes recipient work center.

GUI walk through:

Shell one-liner:

set-CASMailbox testmbx -MobileSyncEnabled:$True -OWAEnabled:$True -MAPIEnabled:$True -PopEnabled:$True -ImapEnabled:$True
Enable-UMMailbox testmbx -UMMailboxPolicy testumpolicy -Extensions 12345

Scenario: Policy support for a mailbox

Policies allow administrators to apply the same settings to all recipients associated with a given policy. There are Unified Messaging, Managed Folder, and ActiveSync mailbox policies. Recipient policies used in Exchange 2003 still exist but are now called E-mail Address Policy (which will be covered in other blog posts rather than here). The GUI below illustrates setting the Managed Folder Mailbox policy for a mailbox.

GUI walk through:

Shell one-liner:

set-Mailbox testmbx -ManagedFolderMailboxPolicy "Inbox JunkEmail Policy" -RetentionHoldEnabled:$True -StartDateForRetentionHold "6/1/2006 2:37:06 AM" -EndDateForRetentionHold "6/2/2006 2:37:06 AM"

Bulk Management

Bulk management includes bulk provisioning, change management and reporting. Though the console is straightforward for individual object management, the shell enables powerful and flexible bulk management using one-liners.

Scenario: Bulk create mailboxes based on a CSV file

Shell one-liner:

The following one-liner creates mailboxes for all team members listed in an Avalanche.csv file, which contains NHL Avalanche team roster information with the following column format:
    Pos,No,Player,Age,Ht,Wt,Born,Exp,Birth City
$password = Read-Host "Enter password" -AsSecureString
import-csv Avalanche.csv | foreach {new-mailbox -alias "avalanche$($_.No)" -Name $_.Player -password $password -database "Mailbox Database" -org Users -UserPrincipalName "avalanche$($_.No)"}

Scenario: Bulk create a number of (nn) storage groups with one message database for each storage group

Shell one-liner:

1..<nn> | foreach {new-StorageGroup SG_$_ -server <server> | new-MailboxDatabase MBDB}

Scenario: Bulk create a number of (nn) mailboxes for a mailbox database

Shell one-liner:

$password = Read-Host "Enter password" -AsSecureString
1..<nn> | foreach { new-Mailbox -alias "user$_" -name "User $_" -password $password -database "Mailbox Database" -org Users -UserPrincipalName "user$" }
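
Both bulk-create one-liners above give every new account the same prompted password. The following variant of the CSV one-liner is an added example, not from the original post: it generates a random initial password per account and forces a change at first logon. `$upnSuffix` (a placeholder domain) and the `New-InitialPassword` helper are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumption: $upnSuffix is a placeholder; replace it with your own UPN suffix.
$upnSuffix = 'example.com'
$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider

# 18 random bytes (144 bits) rendered as 24 Base64 characters.
function New-InitialPassword {
    $bytes = New-Object byte[] 18
    $rng.GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

$created = Import-Csv Avalanche.csv | ForEach-Object {
    $alias  = "avalanche$($_.No)"
    $plain  = New-InitialPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    # -ResetPasswordOnNextLogon makes the generated value a one-time secret.
    $mbx = New-Mailbox -Alias $alias -Name $_.Player -Password $secure `
        -Database "Mailbox Database" -OrganizationalUnit Users `
        -UserPrincipalName "${alias}@${upnSuffix}" -ResetPasswordOnNextLogon $true

    if ($mbx) {
        # Emit the pair only for accounts that were actually created.
        New-Object PSObject |
            Add-Member NoteProperty Alias $alias -PassThru |
            Add-Member NoteProperty InitialPassword $plain -PassThru
    }
}

# Hand each value to its user out of band; nothing is written to disk here.
$created | Format-Table -AutoSize
```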

Scenario: Bulk change mailbox settings

Shell one-liner:

# Change the department name on all mailboxes
Get-Mailbox | Set-User -department "New Dept"

# Change the department name on mailboxes where the user's name contains string "jared"
Get-Mailbox *jared* | Set-User -department "New Dept"

# Change the department name on mailboxes stored on the specified database
Get-Mailbox -database "Mailbox Database" | Set-User -department "New Dept"

# Set storage quota for all mailboxes in an office (using $OfficeName variable)
$OfficeName = "Boston"
get-mailbox -filter {office -eq $OfficeName } | set-Mailbox -UseDatabaseQuotaDefaults:$false -IssueWarningQuota 800MB -ProhibitSendQuota 900MB -ProhibitSendReceiveQuota 1GB


Scenario: Export Get-* cmdlet output to a CSV file

Shell one-liner:

# Export information of all mailboxes to a CSV file
get-mailbox | export-csv export.csv

# Export storage quota of all mailboxes in an office (using $OfficeName variable)
$OfficeName = "Boston"
get-mailbox -filter {Office -eq $OfficeName } | select name,office, *quota | sort name | export-csv export.csv

Scenario: View mailbox statistics for all mailboxes on the current server, including storage size

Shell one-liner:

get-MailboxStatistics | select DisplayName, TotalItemSize, TotalDeletedItemsize, DatabaseName | format-table

- Jared (Ji-Chao) Zhang 

Not applicable
When creating a new mailbox user, you can even specify the password as part of the Powershell command.  This does require you to specify a password beforehand and store it as a secure string.  I blogged about this a couple weeks ago.

MSH rocks!
Not applicable
Thanks Ben for that nice post~. Yes, if any parameter including password is mandatory for the cmdlet but not specified in the cmdline, it will be prompted for. Password can also be specified beforehand to store it as a secure string (variable $password), and then use it in the cmdline:
$password = Read-Host "Enter password" -AsSecureString
Some examples are in the Bulk Management scenarios.
Not applicable
When MAPI access is disabled what happens with the ADMIN access or Extended MAPI access to that mailbox? Is it still disabled? What is the API that services need to use to perform mailbox services on this kind of mailbox? Right now we install Extended MAPI and use a service login,... Is this changing completely?
Not applicable
Is it possible to give one account full rights on all mailboxes similar to exchange service a/c rights in 5.5 ?
Not applicable

Generally, this is how you do it:

get-mailboxdatabase server1db1 | add-adpermission -user someuser -accessRights <rights> -extendedrights <exrights>

To get more details on parameters, please search the E2007 documentation:
Not applicable
confusing add permission one-liner: what's the difference between add-mailboxpermission and add-adpermission? In the Beta 2 doc, "receiveas" permission is allowed to set by add-mailboxpermission but it is not the case when I run the command. add-adpermission seems to work but difficult to tell.

Is there a place that describes what rights are regular and what are extended?

Is there an easy way to set "receiveas" permission for all mailboxes as in Exchange 2003? I need to do this for a Windows service account.

Also the printout of one liner is ugly, how can I expand those "..." due to the space limit such as

exchange2007.loca... EXCHANGE2007Exch... {ReadProperty}

What the hell "..." after EXCHANGE2007Exch is supposed to be?

Thanks for your help
Not applicable
Hshen -

Difference between AD permission and Mailbox permission is where the permission is stored (and, indirectly, on what object you're setting the permission). AD permission cmdlet sets permissions on AD objects. Mailbox permission cmdlet sets permissions on "store mailbox" objects inside the information store. There's a bit of overlap, however, because some of the permissions are AD permissions until the StoreMailbox object is provisioned in the information store, at which point they become read-only in the AD and are managed from the store object at that point forward.

As for extended vs regular rights in AD - the easy way to think of this is that generally the extended rights are the special things that are unique to an object (and are added for that object as part of its schema). So things that are particular to mailbox objects are going to be extended rights, while the common AD permissions for the mailbox object will be regular rights.

I believe you can still set ReceiveAs at the store object like you could in E2k3 to grant rights to all mailboxes in that store. I've not confirmed this, so please correct me (anyone) if this is no longer the case.

You can manage the output formatting of anything in EMS very effectively. The easiest way is to override the default "table" formatting that is causing this truncation with a "list" formatting that will show the whole property with a line wrap. Just "pipe" the output to "format-list" (or "fl") like "Get-AdPermission ADobject | fl" and you'll get a more verbose output that won't truncate.
Not applicable
Thanks for your response. piping to fl is really helpful.

I cannot find a way to grant rights to all mailboxes in Exchange 2007. I am especially interested in granting the "Receive As" right to a Windows Service account for all mailboxes so that the information there can be retrieved and indexed by a search engine.

"add-mailboxpermission myserviceaccount -user A -accessrights receiveas", the way to grant "Receive As" according to Beta 2 help, simply does not work. Also this command can handle only one mailbox per execution.

"add-adpermission myserviceaccount -user A -extendedrights receive-as" seems to work as I get an entry in get-adpermission for the "receive-as". Again, this command can handle only one mailbox per execution. So a more complex script is required to loop all mailboxes and grant the "receive as" right one by one. Is there a tutorial about this new monad scripting stuff?

Thanks again.
Not applicable
Hi hshen,

The Beta 2 help lists the commands incorrectly and this is fixed for RTM.  Here are the commands you may want to use (depends on the situation):

To use the Exchange Management Shell to grant full access permissions for a particular mailbox, run the following command to add the permission directly to the mailbox:
Add-MailboxPermission "Mailbox" -User "Trusted User" -AccessRights FullAccess

To use the Exchange Management Shell to grant receive as permissions for a mailbox database (and thus allow access into all mailboxes within the database), run the following command to add the permission to the mailbox store:
Add-ADPermission -Identity "Mailbox Store" -User "Trusted User" -ExtendedRights Receive-As

I hope this helps.

Not applicable
Thanks! So if the mailbox is in "First Storage Group", I should do
Add-ADPermission -Identity "First Storage Group" -user "myaccount" -ExtendedRights Receive-As, right?

Not applicable
Yes, if your goal is for myaccount to have access to all mailboxes that are contained within the databases that are associated with "first storage group".

Note: you may have to refine the identity value to something like -identity "server-name\first storage group" if the name of the storage group is not unique within the org.

Not applicable
really helps. Thanks
Not applicable
Good afternoon.
I need to configure a forward mailbox of the one user for two different users.

Anybody can help me?
Last update: Jul 01 2019 03:17 PM