Exchange 2010

Exchange Online Mail Enabled Security Groups

One of the things I’ve found out while migrating to Exchange Online was around access to shared mailboxes, and having to alter my methods slightly.

For Exchange On-Prem (Exchange 2010), whenever I created a shared mailbox I would control access with a security group. If the mailbox was called “Finance”, then I’d have an Active Directory Security Group called “Finance Mailbox Full Access” and give that group full access to the mailbox. Then, I’d add the staff that needed access to that group – meaning it was easier to track and manage who had access to what, particularly with nested group support so I could add a whole department in.

The extra win on this approach was around applying logic to the groups. When someone joined or left Finance, the user management process would ensure the user was added to a group for Finance. That would then feed into all the access that Finance were granted through the groups that single group was inside – and it works great. 

The good news is that this is still possible going to Exchange Online, my nested and automated systems can continue to work. However, some changes were required to make this work.

Firstly, any security group that is going to be added to an Exchange Online mailbox for access must be mail enabled. This goes against my personal best practice as I liked complete seperation of security groups and email groups, because I didn’t want to deal with scenarios where ‘All Finance need this resource, but I don’t want them to get the emails about the same resource’. Still, having a descriptive security group name should avoid that happening. 

This leads to another catch – to mail enable a security group, it has to be ‘universal’. In turn, that means every other group that those groups are inside also need to be universal.

For me this was easy, since all my security groups were cleanly in a single OU, and there was no impact to me on changing them to universal (check this for yourself though!)

Get-ADGroup -Filter * -SearchBase "ou=Security Groups,ou=ABC,dc=com" | Set-ADGroup -GroupScope Universal

After that, mail enabling an existing security group is easy with the PowerShell command:

Enable-DistributionGroup

I was actually able to mail enable all my Security Groups that granted mailbox access at once, by getting all the groups and filtering them down to only the ones that contained the word ‘Mailbox’:

Get-Group -ResultSize Unlimited | Where-Object {$_.Name -like "*mailbox*"} | Enable-DistributionGroup

You’ll also need to mail enable any groups inside the groups, and you should be able to work this out based on the above commands.
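The post leaves the nested groups as an exercise, so here is an added example (my own, not from the original post) that does the whole job in one pass: it starts from every group whose name contains ‘Mailbox’, walks down through any groups nested inside them, and for each one reports or fixes the scope and the mail-enablement, hiding newly enabled groups from the address book as the post recommends. It assumes the Active Directory module and the Exchange 2010 Management Shell are both loaded, and the OU path and the ‘Mailbox’ naming convention are taken from the post. Run it with -WhatIf first; the parents are processed before their children because a Global group cannot be converted to Universal while it is still a member of another Global group.

```powershell
# Added example, not from the original post. Assumes: ActiveDirectory module +
# Exchange 2010 Management Shell loaded, groups live under $searchBase and the
# mailbox-access groups are named "*Mailbox*" as in the post.
Import-Module ActiveDirectory

$searchBase = "ou=Security Groups,ou=ABC,dc=com"   # assumed, copied from the post

function Get-NestedGroupClosure {
    # Returns the starting groups plus every group nested inside them, each once,
    # parents before children (breadth-first), which is the order conversion needs.
    param([Parameter(Mandatory=$true)] [object[]] $Groups)
    $seen  = @{}
    $order = @()
    $queue = New-Object System.Collections.Queue
    foreach ($g in $Groups) { $queue.Enqueue($g.DistinguishedName) }
    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if ($seen.ContainsKey($dn)) { continue }
        $group = Get-ADGroup -Identity $dn -Properties mail, member
        $seen[$dn] = $true
        $order += $group
        foreach ($memberDn in $group.member) {
            # Only nested groups need scope/mail changes; user members are left alone.
            $child = Get-ADObject -Identity $memberDn
            if ($child.ObjectClass -eq 'group') { $queue.Enqueue($memberDn) }
        }
    }
    $order
}

function Invoke-MailboxGroupPrep {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    $roots = Get-ADGroup -Filter 'Name -like "*Mailbox*"' -SearchBase $searchBase
    foreach ($g in (Get-NestedGroupClosure -Groups $roots)) {
        if ($g.GroupScope -ne 'Universal') {
            if ($PSCmdlet.ShouldProcess($g.Name, "Set-ADGroup -GroupScope Universal")) {
                Set-ADGroup -Identity $g.DistinguishedName -GroupScope Universal
            }
        }
        if (-not $g.mail) {
            if ($PSCmdlet.ShouldProcess($g.Name, "Enable-DistributionGroup + hide from GAL")) {
                Enable-DistributionGroup -Identity $g.DistinguishedName | Out-Null
                Set-DistributionGroup -Identity $g.DistinguishedName -HiddenFromAddressListsEnabled $true
            }
        }
    }
}

Invoke-MailboxGroupPrep -WhatIf   # review the plan, then run without -WhatIf
```

Because the Set-ADGroup change is a directory write that has to replicate, a group you convert and mail enable in the same run can occasionally fail on the Enable-DistributionGroup step; simply re-run the function and it will pick up only what is still outstanding.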

Keep in mind you’ll probably want to hide all these groups from the address book so users can’t see them – in Exchange 2010 the GUI lets you mass select and change this option, but it’s also easy to do from PowerShell (but you’d need to

Get-Group -ResultSize Unlimited | Where-Object {$_.Name -like "*mailbox*"} | Set-DistributionGroup -HiddenFromAddressListsEnabled:$true

Note that if you use PowerShell to give a non mail-enabled Security Group access to a mailbox, it will appear in the Exchange admin center, but it won’t work. As far as EAC knows, it has no members because it’s not mail enabled. I found this out the hard way!
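That last catch is easy to audit for, so here is an added example (my own, not from the original post) that lists every explicit Full Access entry on shared mailboxes whose trustee is a plain Active Directory group that Exchange does not recognise as a recipient. Those are exactly the grants that show up in the EAC but give nobody access. It assumes the Exchange 2010 Management Shell and the Active Directory module are loaded; the ‘SharedMailbox’ scope is an assumption and can be widened.

```powershell
# Added example, not from the original post. Assumes the Exchange Management
# Shell plus the ActiveDirectory module. Scope (SharedMailbox) is an assumption.
Import-Module ActiveDirectory

function Find-NonMailEnabledGroupGrants {
    [CmdletBinding()]
    param([string] $RecipientTypeDetails = 'SharedMailbox')
    $mailboxes = Get-Mailbox -RecipientTypeDetails $RecipientTypeDetails -ResultSize Unlimited
    foreach ($mbx in $mailboxes) {
        # Explicit, non-deny FullAccess entries only; skip the built-in SELF/SYSTEM rows.
        $grants = Get-MailboxPermission -Identity $mbx.Identity | Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            ($_.AccessRights -contains 'FullAccess') -and
            ($_.User -notlike 'NT AUTHORITY\*') -and ($_.User -notlike 'S-1-5-*')
        }
        foreach ($grant in $grants) {
            $trustee = $grant.User.ToString()          # DOMAIN\sAMAccountName
            $sam     = $trustee.Split('\')[-1]
            # If Exchange can resolve it as a recipient (user or mail-enabled group), it works.
            if (Get-Recipient -Identity $trustee -ErrorAction SilentlyContinue) { continue }
            $adObj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties mail
            if ($adObj -and $adObj.ObjectClass -eq 'group' -and -not $adObj.mail) {
                New-Object PSObject -Property @{
                    Mailbox = $mbx.Alias
                    Trustee = $trustee
                    Problem = 'Group is not mail-enabled; grant is ineffective'
                }
            }
        }
    }
}

Find-NonMailEnabledGroupGrants | Format-Table Mailbox, Trustee, Problem -AutoSize
```

Anything this returns is a group you either forgot to mail enable or one that was granted access by a script after it was converted; fixing it is the Enable-DistributionGroup step from above.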

Coping with Infinite Email

Automatic Deletion of Deleted Items with Retention Policies

Exchange 2010 and 2013 have an option called “Retention Policies”. I’ll base the below on what I see for Exchange 2010, but most if not all of it should apply to 2013 also.

Retention Policies are useful if you need to keep your user’s mailboxes clean, as well as trying to avoid a Deleted Items folder with every single email the employee has received in their time with the company. You can work out what the company agrees with for what can and can’t be auto deleted, and save a lot of money on space for both live information and backups.

Retention Policies are made up of “Retention Policy Tags”, and these tags “control the lifespan of messages in the mailbox”, as quoted by one of the wizards you configure this in. The Retention Policy is then targeted at the mailboxes you want to apply these settings to.

[Image: Gandalf (Ian McKellen), “You shall not pass”] Maybe not this wizard.

It’s worth noting that a mailbox can only have one Retention Policy linked to it, so you need to plan overlapping settings accordingly.

So, what can a Retention Policy Tag do? You give it a ‘Tag Type’ which is either a folder in someone’s mailbox (e.g. Deleted Items) or every other folder that isn’t an inbuilt folder. From that definition of what folder the tag is on, you can either set an age limit for all items in that folder, or set the items to never age.

[Image: deleted items – Retention Policy Tag settings]

The Age limit is a number in days. This number actually means something different depending on what Tag Type was targeted. For an email in the Deleted Items folder, it’s based on the date the item was deleted, which is stamped on the item at the time of deletion. There are some caveats around that, so refer to this chart on TechNet which lays out how the Retention Age is calculated.

There’s also a Default Archive and Retention Policy (called MRM Policy in Exchange 2013) that is applied to all mailboxes that have no other policy applied, if archiving is enabled (remember a mailbox can only have one policy). So if you have simple requirements, use this policy. For more complex requirements, you’ll need multiple policies and either manual management of mailboxes to apply the right policy, or a script that’s run at regular intervals.

Once you’re set up, the policies are enforced by the Managed Folder Assistant. This runs on an Exchange server and is controlled by the service Microsoft Exchange Mailbox Assistants. This used to be schedule based (Exchange 2010 pre-SP1), but from SP1 onward and in Exchange 2013 it is an always running, throttled process. It processes a mailbox when it’s the ‘right time’ based on several criteria and checks. If you want to know the specifics, read this from TechNet.

To check that the policy has applied, you can go to the properties of the folder of the mailbox in question (for me it’s Deleted Items) and you’ll see the policy listed:

[Image: deleted items 2 – folder properties showing the applied policy]

You can also look at the individual emails to see both the retention policy applied, and when the email will expire. This is what I see from Outlook 2010:

[Image: deleted items 3 – Outlook 2010 item view showing policy and expiry]

If you want to process a particular mailbox right now because you’ve just configured something, you can use the PowerShell command:

Start-ManagedFolderAssistant -Identity "guyinaccounts"

If you want to do more than a single mailbox, you’ll need to pipe it. Again, more details here on TechNet. The Event Viewer on your Exchange server should tell you how it went, but from some of the information I’ve read, a Retention Policy that’s only just been targeted to a mailbox can take up to 48 hours to actually recognise and start processing. For me it took more than a few hours before I could see the policies on my emails.

One last point: when you first create and apply a policy is when Exchange will start tagging emails. For my example, I set it to 60 days Delete and Allow Recovery on the Deleted Items folder. This caused all existing deleted items going back a few years to get marked for deletion 60 days from when I applied the policy. It won’t go back and instantly delete your older items.
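Pulling the whole thing together, here is an added example (my own, not from the original post) of the “script run at regular intervals” mentioned above: it creates the 60-day Delete and Allow Recovery tag for Deleted Items that the post describes, wraps it in a policy, applies that policy to mailboxes matching a filter, kicks the Managed Folder Assistant for each one so you don’t wait for the throttled pass, and then reports what is applied. The tag and policy names and the Department filter are assumptions; it is safe to re-run because it only creates what is missing and only touches mailboxes that carry a different policy.

```powershell
# Added example, not from the original post. Assumes the Exchange 2010 Management
# Shell. Tag/policy names and the mailbox filter below are assumptions.
$tagName    = 'Deleted Items - 60 days'      # assumed name
$policyName = 'Standard Users Retention'      # assumed name
$scope      = "Department -eq 'Finance'"      # assumed OPATH filter for Get-Mailbox

function New-DeletedItemsPolicy {
    # Creates the tag and policy if they do not exist yet; returns the policy.
    param([string] $TagName, [string] $PolicyName, [int] $Days = 60)
    $tag = Get-RetentionPolicyTag -Identity $TagName -ErrorAction SilentlyContinue
    if (-not $tag) {
        # DeletedItems type: age is counted from the deletion stamp, as the post explains.
        $tag = New-RetentionPolicyTag -Name $TagName -Type DeletedItems `
            -AgeLimitForRetention $Days -RetentionAction DeleteAndAllowRecovery `
            -Comment "Deleted Items are recoverable for $Days days, then purged by MRM"
    }
    $policy = Get-RetentionPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
    if (-not $policy) {
        $policy = New-RetentionPolicy -Name $PolicyName -RetentionPolicyTagLinks $TagName
    }
    $policy
}

function Set-RetentionPolicyForScope {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([string] $PolicyName, [string] $Filter)
    # Only mailboxes not already on this policy (a mailbox can hold just one).
    $targets = Get-Mailbox -Filter $Filter -ResultSize Unlimited |
        Where-Object { "$($_.RetentionPolicy)" -ne $PolicyName }
    foreach ($mbx in $targets) {
        if ($PSCmdlet.ShouldProcess($mbx.Alias, "Set-Mailbox -RetentionPolicy $PolicyName")) {
            Set-Mailbox -Identity $mbx.Identity -RetentionPolicy $PolicyName
            # Process it now rather than waiting for the assistant's next throttled pass.
            Start-ManagedFolderAssistant -Identity $mbx.Identity
        }
    }
    $targets
}

function Get-RetentionStatus {
    param([string] $Filter)
    Get-Mailbox -Filter $Filter -ResultSize Unlimited |
        Select-Object Alias, RetentionPolicy, RetentionHoldEnabled
}

New-DeletedItemsPolicy -TagName $tagName -PolicyName $policyName -Days 60 | Out-Null
Set-RetentionPolicyForScope -PolicyName $policyName -Filter $scope -WhatIf   # drop -WhatIf to apply
Get-RetentionStatus -Filter $scope | Format-Table -AutoSize
```

Even after Start-ManagedFolderAssistant, remember the point above: expect a delay before the tags show on individual items, and all pre-existing Deleted Items will be stamped from the day the policy lands, not from their original deletion date.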

PowerShell for Resource Information in Exchange 2010

Hi,

I came up against an issue today, where the person looking after calendar bookings for some newly created rooms (which were resources) in Exchange 2010 could not see a lot of the information on the appointments. The subject had changed from whatever the person booking had written to their own name, and the comments were missing. Coming from Exchange 2007 I hadn’t seen this before, but delved into the ‘Resource Information’ tab on one of the rooms. Rather quickly I realised this was happening by design, from the default options in Exchange:

[Image: Resource Information tab with the default options]


So, for my scenario I wanted to remove most of these options, as we wanted the people with full access to the calendar to be able to see these things. I can understand having this disabled by default, as it’s really a business decision to make on who should see what. For me, I wanted to have the appointment unaltered which means removing “Delete attachments”, “Delete comments”, “Delete subject”, “Delete non-calendar items” and “Add the organizer’s name to the subject” (this one is just for less confusion, and you can still see the organiser from the attendees on the appointment itself). “Remove the private flag on an accepted meeting” I’d rather keep, if someone’s actually marking the meeting as private there’s hopefully a good reason.

Anyway, changing these options works perfectly, but doing it on a mass scale isn’t fun via the GUI. PowerShell time!

I want to change this for all my Room Resources. First, you can get your list of Room Resources with this command:

Get-Mailbox -RecipientTypeDetails RoomMailbox

After confirming you see the results that you expect, you can pipe that into a command to turn off the required options. As a single command it would be this:

Set-CalendarProcessing -Identity "Roomname" -DeleteAttachments $false -DeleteSubject $false -DeleteComments $false -DeleteNonCalendarItems $false -AddOrganizerToSubject $false

And merging the two together will be (dropping the -identity):

Get-Mailbox -RecipientTypeDetails RoomMailbox | Set-CalendarProcessing -DeleteAttachments $false -DeleteSubject $false -DeleteComments $false -DeleteNonCalendarItems $false -AddOrganizerToSubject $false
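If you want to see what you are changing before you change it, here is an added example (my own, not from the original post) that reads the current calendar processing settings of every room, reports only the rooms and options that differ from the desired set, and then fixes just those rooms, supporting -WhatIf. It leaves RemovePrivateProperty alone, as the post recommends, and assumes the Exchange 2010 Management Shell.

```powershell
# Added example, not from the original post. Assumes the Exchange 2010 Management Shell.
# The desired values mirror the post's Set-CalendarProcessing command.
$desired = @{
    DeleteAttachments      = $false
    DeleteSubject          = $false
    DeleteComments         = $false
    DeleteNonCalendarItems = $false
    AddOrganizerToSubject  = $false
}

function Get-RoomDrift {
    # One object per room whose settings differ from $desired, listing which ones.
    Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | ForEach-Object {
        $room = $_
        $cp = Get-CalendarProcessing -Identity $room.Identity
        $drift = $desired.Keys | Where-Object { $cp.$_ -ne $desired[$_] }
        if ($drift) {
            New-Object PSObject -Property @{ Room = $room.Alias; Drift = ($drift -join ', ') }
        }
    }
}

function Repair-RoomSettings {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    foreach ($entry in Get-RoomDrift) {
        if ($PSCmdlet.ShouldProcess($entry.Room, "Set-CalendarProcessing ($($entry.Drift))")) {
            # Splat the whole desired set; re-applying an already-correct value is harmless.
            Set-CalendarProcessing -Identity $entry.Room @desired
        }
    }
}

Get-RoomDrift | Format-Table Room, Drift -AutoSize   # what would change
Repair-RoomSettings -WhatIf                          # drop -WhatIf to apply
```

Running Get-RoomDrift again afterwards should return nothing, which is a quick way to confirm the change took on every room rather than trusting that the pipeline ran without error.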

That’s it. All your rooms will now have the options you want. There’s a great article on MSExchange that covers this and a lot more: http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/resource-mailboxes-exchange-2010-part4.html and also has a table of the options on this screen and the relevant powershell parameter.

Good luck!