TechShizz | All posts tagged 'Exchange 2010'

Mailbox Auto Mapping

Auto mapping happens when a user has full access to a mailbox. This can be disabled by using the following EMS command:


Add-MailboxPermission -Identity -User -AccessRights FullAccess -AutoMapping:$false

It can also be edited from the MsExchDelegateListLinked attribute in ADSI Edit which contains the CN of the users to assign it to:


Receive Connectors in Exchange 2010

A receive connecter acts as a logical gateway used to listen for inbound connections of certain specifications to receive mail.


You could set up a receive connector for just one Protocol, or from a range of IP addresses and therefore we can have multiple receive connectors that receive mail of different origins.

Hub Transport Node

  • Client connector is used to receive from non MAPI clients
  • Default is used for connections from other Hub Transport servers.


In the properties of these receive connectors we can specify the following:


The FQDN that the connector will listen on

Turn on/off Protocol logging (for troubleshooting)

Maximum message receive size

Protocol Logging Level


Specify IP addresses the connector listens on IPv4/v6

Specify IP addresses the connector listens on IPv4/v6

The authentication method when a connection is made. If this is not secured/configured properly, it may be possible for email to  be relayed from our server without permission. (Open Relay).

Authentication Tab

Permission Groups - Which groups of users or computers can connect to this connector.


Client Connector Permissions

Permission Groups


Default Connector Permissions


Permission Groups

Role Based Access in Exchange



Role groups or Management  Role groups are the groups that we see in the Active Directory "Microsoft Exchange Security groups" OU.

To see a list of Management Roles:




This lists all management roles, which are collections of commands. For example:


Let's look at Databases: To look at what commands makes up the Databases Managemet role we can run:


Get-ManagementRoleEntry "Databases\*"


Create a custom role from an existing role by using the following:


New-ManagementRole -name "Distribution G Admins" -Parent "Distribution Groups"


This command creates a new Management role called "Distribution G Admins" and populates it with the ability to use all the powershell commands that the "Distribution Groups" 


To remove a management role entry, we can do this to strip the existing temple down to what access we want to give. You would use:


Remove-ManagementRoleEntry "Distribution G Admins\Remove-Distributiongroup"


If for some reason this group needs a permission from another Management role we first need to create a Role Group, which contains both ManagementRoleEntry's that we need. 

Because we created this Management role from the Distribution Groups Role, we cant immediately add the role entries from other roles.


So to create a New Role Group which in this example will contain Distribution group and Transport Rule group role entries:


New-RoleGroup "Distros and Transports" -Roles "Distribution G Admins","Transport Rules" -members rbulloc


This creates a group visible in AD with the other Role Groups


To remove a role group


Remove-RoleGroup "Distros and Transports"


If we want to Create a role group, and scope it so that the users in that group can only administer users/mailboxes in a specific OU (in this example this will be the "Liverpool" OU) we can use the following command:


New-RoleGroup "Liverpool Distros and Transports" -Roles "Distribution G Admins","Transport Rules" -RecipientOrganizationalUnitScope "contoso.local/Liverpool"




To see which Management Roles make up a management group and also to see it's scope you need to query using this command:


Get-ManagementRoleAssignmet | Select Name


Find the roles you're looking for:


Then run:


Get-ManagementRoleAssignment "MANAGEMENTROLENAME" | fl



This shows the Scope.

Transport Rules

We can create a transport rule to do many different actions to the scoped mail type.


For example we can add a disclaimer to all email that leaves the organization.


Transport Rule Actions are applied when the messages match the conditions but no exceptions.


For a full list of actions type


Get-TransportRuleAction | FL


The output may be different depending on if this is run on the Hub Transport or the Edge Transport Server.



The following command creates the transport rule TransportRuleExample, which adds Kim Akers to the

recipients of any email messages sent to Mark Harrington except for messages that are sent by the external user


New-TransportRule –Name TransportRuleExample –SentTo "Mark Harrington" –AddToRecipients

"Kim Akers" –ExceptIfFrom



Active Directory stores transport rules that are configured on Hub Transport servers so

that these transport rules are accessible to all Hub Transport servers in the organization

through Active Directory replication.


Transport rules that are configured on Edge Transport servers are stored in Active Directory Lightweight Directory Services (AD LDS) - Rules configured on one Edge Transport server do not automatically replicate to other Edge Transport servers in an Exchange organization.

Edge server transport rules apply to all types of message, cannot expand distribution group membership, cannot access Active Directory attributes, and cannot inspect or modify IRM-protected message content.

Installation of Edge Transport Role


Edge transport usually sits in the DMZ

Is NOT a member of the Domain.

Has an IP address and the DNS suffix is specified.

Has AD LDS Installed (and working)

Has .NET Framework 3.5 Installed

Tcp Port Sharing service set to Automatic Startup

Open port 50636 Bothways between the Hub Transport and Edge Transport servers.




To Configure the prerequisites run the following PowerShell command:


Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS, -Restart




Run the Exchange DVD and select to run the