TechShizz | All posts tagged 'Exchange 2010'

Transport Rules

We can create a transport rule to do many different actions to the scoped mail type.


For example we can add a disclaimer to all email that leaves the organization.


Transport Rule Actions are applied when the messages match the conditions but no exceptions.


For a full list of actions type


Get-TransportRuleAction | FL


The output may be different depending on if this is run on the Hub Transport or the Edge Transport Server.



The following command creates the transport rule TransportRuleExample, which adds Kim Akers to the

recipients of any email messages sent to Mark Harrington except for messages that are sent by the external user


New-TransportRule –Name TransportRuleExample –SentTo "Mark Harrington" –AddToRecipients

"Kim Akers" –ExceptIfFrom



Active Directory stores transport rules that are configured on Hub Transport servers so

that these transport rules are accessible to all Hub Transport servers in the organization

through Active Directory replication.


Transport rules that are configured on Edge Transport servers are stored in Active Directory Lightweight Directory Services (AD LDS) - Rules configured on one Edge Transport server do not automatically replicate to other Edge Transport servers in an Exchange organization.

Edge server transport rules apply to all types of message, cannot expand distribution group membership, cannot access Active Directory attributes, and cannot inspect or modify IRM-protected message content.

Role Based Access in Exchange



Role groups or Management  Role groups are the groups that we see in the Active Directory "Microsoft Exchange Security groups" OU.

To see a list of Management Roles:




This lists all management roles, which are collections of commands. For example:


Let's look at Databases: To look at what commands makes up the Databases Managemet role we can run:


Get-ManagementRoleEntry "Databases\*"


Create a custom role from an existing role by using the following:


New-ManagementRole -name "Distribution G Admins" -Parent "Distribution Groups"


This command creates a new Management role called "Distribution G Admins" and populates it with the ability to use all the powershell commands that the "Distribution Groups" 


To remove a management role entry, we can do this to strip the existing temple down to what access we want to give. You would use:


Remove-ManagementRoleEntry "Distribution G Admins\Remove-Distributiongroup"


If for some reason this group needs a permission from another Management role we first need to create a Role Group, which contains both ManagementRoleEntry's that we need. 

Because we created this Management role from the Distribution Groups Role, we cant immediately add the role entries from other roles.


So to create a New Role Group which in this example will contain Distribution group and Transport Rule group role entries:


New-RoleGroup "Distros and Transports" -Roles "Distribution G Admins","Transport Rules" -members rbulloc


This creates a group visible in AD with the other Role Groups


To remove a role group


Remove-RoleGroup "Distros and Transports"


If we want to Create a role group, and scope it so that the users in that group can only administer users/mailboxes in a specific OU (in this example this will be the "Liverpool" OU) we can use the following command:


New-RoleGroup "Liverpool Distros and Transports" -Roles "Distribution G Admins","Transport Rules" -RecipientOrganizationalUnitScope "contoso.local/Liverpool"




To see which Management Roles make up a management group and also to see it's scope you need to query using this command:


Get-ManagementRoleAssignmet | Select Name


Find the roles you're looking for:


Then run:


Get-ManagementRoleAssignment "MANAGEMENTROLENAME" | fl



This shows the Scope.

Mailbox Auto Mapping

Auto mapping happens when a user has full access to a mailbox. This can be disabled by using the following EMS command:


Add-MailboxPermission -Identity -User -AccessRights FullAccess -AutoMapping:$false

It can also be edited from the MsExchDelegateListLinked attribute in ADSI Edit which contains the CN of the users to assign it to:


Create an Edge Subscription

  1. Ensure DNS resolution between the Hub > Edge and Edge >Hub.
  2. On the Edge server run: New-EdgeSubscription -FileName "C:\Edge.xml"
  3. Transfer the file created to the Hub Transport server
  4. On the Hub t, Go to Organization Config > Hub Transport > Edge Subscriptions(tab) > New Edge Subscription.
  5. Specify the location of the file transferred in step 3.
  6. Click new to create the subscription and click finish. 

Configure POP and IMAP

To enable IMAP and POP3, the services need to be configured on the exchange server.

Enable IMAP and POP3 Service></p>

<p style=

They need to be started and set to start up automatically. 


Once this is done you cant go to the Server Configuration\Client Access node to configure. 


You can configure all the settings on these properties dialog boxes for each service

from the EMS by using the Set-POPSettings or Set-IMAPSettings cmdlets


You can test that these services are working correctly by using these EMS commands: