TechShizz | All posts tagged 'Exchange 2010'

Edge Server Address Rewriting

Address rewriting on an Edge Transport server requires that address rewriting agents be enabled. To enable the inbound and outbound transport agents, run the following EMS


Enable-TransportAgent -Identity "Address Rewriting Inbound agent"

Enable-TransportAgent -Identity "Address Rewriting Outbound agent"

Role Based Access in Exchange



Role groups, or management role groups, are the groups that we see in the Active Directory "Microsoft Exchange Security Groups" OU.

To see a list of Management Roles:




This lists all management roles, which are collections of commands. For example:


Let's look at Databases. To see which commands make up the Databases management role, we can run:


Get-ManagementRoleEntry "Databases\*"


Create a custom role from an existing role by using the following:


New-ManagementRole -name "Distribution G Admins" -Parent "Distribution Groups"


This command creates a new management role called "Distribution G Admins" and populates it with the ability to use all the PowerShell commands that the "Distribution Groups"


We can remove management role entries to strip the existing template down to just the access we want to give. You would use:


Remove-ManagementRoleEntry "Distribution G Admins\Remove-Distributiongroup"


If for some reason this group needs a permission from another management role, we first need to create a role group that contains both sets of management role entries that we need.

Because we created this management role from the Distribution Groups role, we can't immediately add role entries from other roles.


So to create a New Role Group which in this example will contain Distribution group and Transport Rule group role entries:


New-RoleGroup "Distros and Transports" -Roles "Distribution G Admins","Transport Rules" -members rbulloc


This creates a group visible in AD with the other role groups.


To remove a role group:


Remove-RoleGroup "Distros and Transports"


If we want to Create a role group, and scope it so that the users in that group can only administer users/mailboxes in a specific OU (in this example this will be the "Liverpool" OU) we can use the following command:


New-RoleGroup "Liverpool Distros and Transports" -Roles "Distribution G Admins","Transport Rules" -RecipientOrganizationalUnitScope "contoso.local/Liverpool"




To see which management roles make up a management group, and also to see its scope, query using this command:


Get-ManagementRoleAssignment | Select Name


Find the roles you're looking for:


Then run:


Get-ManagementRoleAssignment "MANAGEMENTROLENAME" | fl



This shows the Scope.
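
The same lookup can be run across every role group at once to review who holds which role and at what scope. This is an added example, not part of the original post; it assumes the Exchange Management Shell, and the output path and the "Unscoped" column name are made up for illustration.

```powershell
# Added example: role group audit, run in the Exchange Management Shell.
# $OutFile is an assumed path; change it to suit.
$OutFile = 'C:\RoleGroupAudit.csv'

$report = foreach ($group in Get-RoleGroup) {
    # The members are the accounts that actually receive the permissions.
    $members = @(Get-RoleGroupMember -Identity $group.Name |
                 ForEach-Object { $_.Name }) -join '; '

    # One assignment exists per role linked to the group. Delegating
    # assignments only allow handing a role on, so they are left out.
    Get-ManagementRoleAssignment -RoleAssignee $group.Name -Delegating $false |
        Select-Object @{n='RoleGroup'; e={ $group.Name }},
                      @{n='Members';   e={ $members }},
                      Role,
                      RecipientWriteScope,
                      CustomRecipientWriteScope,
                      ConfigWriteScope,
                      @{n='Unscoped';  e={ $_.RecipientWriteScope -eq 'Organization' }}
}

# Full record for review or for comparison against a later run.
$report | Sort-Object RoleGroup, Role |
    Export-Csv -Path $OutFile -NoTypeInformation

# Assignments that can write to recipients anywhere in the organisation.
# Built-in groups such as Organization Management are expected here; a
# custom group that was meant to be limited to one OU is not.
$report | Where-Object { $_.Unscoped } |
    Sort-Object RoleGroup, Role |
    Format-Table RoleGroup, Role, Members -AutoSize
```

For a group created with -RecipientOrganizationalUnitScope, RecipientWriteScope reads OU and CustomRecipientWriteScope holds the OU path, so a scoped group such as "Liverpool Distros and Transports" should not appear in the final table.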

Email Address Policies - Exchange 2010

We can use Email Address Policies to control how email addresses should be created for given conditions.


For example if users have HR in their department attribute we could make a policy apply to them.

Email address policies - Conditions


The next step allows us to specify what domain to append to their email address, and what format the email address will be created in.


Email address policies - Address Format


We can create new policies that will apply to certain OUs in AD.




To add an SMTP address for an additional domain to users through Exchange, we can create a policy.


We enter this variable in a custom attribute:


%1g - 1 Character of the Given Name

%1s - 1 Character of the Surname




So for John Smith: -

Mailbox Auto Mapping

Auto mapping happens when a user has full access to a mailbox. This can be disabled by using the following EMS command:


Add-MailboxPermission -Identity "<Mailbox>" -User "<User>" -AccessRights FullAccess -AutoMapping:$false

It can also be edited through the msExchDelegateListLink attribute in ADSI Edit, which contains the CN of the users to assign it to:


Get X500 addresses

To get X500 addresses from users in a domain:


Get-ADUser -SearchBase "OU=SBSUsers,OU=Users,OU=MyBusiness,dc=Mydomain,dc=local" -Filter * -Properties SamAccountName,legacyExchangeDN | Select-Object SamAccountName,legacyExchangeDN | Export-CSV C:\UserExport.csv -NoTypeInformation