Archives 2007

New Article on PST import and export with Exchange 2007 SP1

Hi,

Whilst investigating an issue with PST import in Exchange 2007 on a forum I moderate I took the opportunity to write the article linked below:

http://www.mmmug.co.uk/files/10/doc/entry1885.aspx

It covers the prerequisites for importing and exporting data from Exchange mailboxes using the new Import-Mailbox and Export-Mailbox PST commands.

It also looks at the commands themselves and gives some examples of use.

Hope it is of interest.

Cheers

Nathan


Upcoming MMMUG Events

Hi,

This post is just an overview of the MMMUG events in January and February 2008.

?

Here are the details of the January MMMUG meeting.

This event will be held in London at the MS offices near Victoria.?

Ben Appleby from MCS will be back to talk us through all things backup and recovery.

The session will take a detailed look at the System Center Data Protection Manager platform in relation to Exchange and will delve into the concept of VSS backups be that software or hardware snapshots.

The meeting will be held on Wednesday 23rd January.

?

To sign up see the thread here:

http://www.mmmug.co.uk/forums/thread/1862.aspx

?

?

Here are the details of our February MMMUG meeting.

This event will be held in London at the MS offices near Victoria.

This month we have our most popular speaker back! Yes; Jason Langridge will be with us this time talking all about Window Mobile device management. Jason will cover the recently announced System Center Mobile Device Manager 2008 and enhancements to Exchange 2007 Service Pack 1.?? Jason will run through all the options and let us know what is the best route for management.

Jason will also share the roadmap for Windows Mobile.

The meeting will be held on Wednesday 27th February.

?

To sign up see the thread here:

http://www.mmmug.co.uk/forums/thread/1863.aspx

?

?

I look forward to seeing you there!

Cheers

Nathan


Upcoming Windows IT Pro Exchange seminars

Hi,

?

I guess some of you may already know about this, but I think it is worth posting.

I good friend of mine, Mark Arnold will be presenting the first of a series of Exchange focused online seminars by Penton Media (Windows IT Pro)

Here is some more info:

“Mark Arnold, the presenter of our first eLearning event on Exchange 2007, coming up January 28,2008. It is taking place at 12:00 pm EST – a little late at night your time, but definitely a good reason to stay up! 🙂

This is the first event of the new Mastery series just launched by Windows IT Pro. Mark Arnold is the speaker for this launching event and it is going to be full of very useful information on Exchange 2007, more particularly on storage issues. Mark will also be available for questions the day of the event and after by email. We’ll also have archived versions of the sessions.

The URL for the event is: http://www.windowsitpro.com/go/elearning/masteringexchange2007

?

So if you are interested, take a look at the URL above.

?

Cheers

Nathan


November meeting slides and Exchange HealthChecks

Hi,

As promised I have uploaded the slides from the November session where we discussed best practice and configuration required after Exchange 2007 deployment.

http://www.mmmug.co.uk/files/14/november_2007_slides/entry1844.aspx

?

For more information on Exchange Health Checks see Doug Gowans blog post here:

http://blogs.msdn.com/douggowans/archive/2007/06/06/run-your-own-exchange-server-health-check.aspx

?

Hope they are useful.

Cheers

Nathan


Finally another Unified Comms (SAN) Certificate Provider

As any of you will know who have played with Exchange or OCS 2007 you need to get your certificates right when you start!

This invariably means the use of a certificate with Subject Alternative Names (SAN). Until recently there have been on three places to purchase these online, and whilst you could create your own that caused the usual trusted root problems.

So you will be pleased to know that GoDaddy, one of the better cheap certificate providers has now started providing these certs!

Take a look here for more info:

https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=9039

?

Cheers

Nathan


December MMMUG Meeting

Hi,

Here are the details of our December MMMUG meeting.

This event will be held in London at the new MS offices near Victoria.?This month?Russ Kirk (Grey Convergence), Neil Johnson and Keith Hanna (both from Microsoft) will lead the session.

The session will give a detailed introduction to the concept of Unified Messaging in Exchange 2007. We will then show how to set this up and discuss pros and cons of Exchange UM verses other UM solutions.

The meeting will be held on Thursday 13th December. Directions to the venue can be found below.

The meeting will be a mixture of PowerPoint and Discussions so there will be plenty of time to run through your questions.

The agenda for the meeting will be as follows: (although I may tweak the timings slightly)

18:15 – 18:40????????????Arrival

18:40 – 18:45 ???????????Introduction to speakers and?the aims of the group

18:45 – 19:30????????????1st session; Russ, Neil and Keith, Introducing Exchange UM

19:30 – 19:50????????????Food!

19:50?- 20:45????????????2nd session; Russ, Neil and Keith, Demonstrating the configuration of UM and Discussion of Competitors.

20:45 – 21:00????????????Q and A; Summing up and suggestions?for future meetings.

21:00????????????????????????The End!

If you?are interested in attending the December MMMUG meeting please sign up by posting in the?thread here.

?

http://www.mmmug.co.uk/forums/thread/1700.aspx

?

For Directions to the London location please see the link below:

http://www.microsoft.com/uk/about/map-london.mspx

Thanks and looking forward to meeting you all!

Nathan


November MMMUG Meeting

Hi,

Here are the details of the November MMMUG meeting.

This event will be held in London at the new MS offices near Victoria.?This month?Doug Gowans?from MCS and I will be leading the session.

We will be discussing what steps must be undertaken after installing Exchange to get to a fully serviceable install. We will then show how this can be automated from the command line.

The meeting will be held on Wednesday 28th November. Directions to the venue can be found below.

The meeting will be a mixture of PowerPoint and Discussions so there will be plenty of time to run through your questions.

The agenda for the meeting will be as follows: (although I may tweak the timings slightly)

18:15 – 18:40????????????Arrival

18:40 – 18:45 ???????????Introduction to speakers and?the aims of the group

18:45 – 19:30????????????1st session; Nathan Winters, Dimension Data?and Doug Gowans, MCS; Exchange 2007 from the Commands Line.

19:30 – 19:50????????????Food!

19:50?- 20:45????????????2nd session; Nathan Winters, Dimension Data?and Doug Gowans, MCS; Chalk and Talk discussion about what make a good Exchange 2007 install.

20:45 – 21:00????????????Q and A; Summing up and suggestions?for future meetings.

21:00????????????????????????The End!

If you?are interested in attending the November MMMUG meeting please sign up by posting in the thread here.

For Directions to the London location please see the link below:

http://www.microsoft.com/uk/about/map-london.mspx

Thanks and looking forward to meeting you all!

Nathan


Making sense of Mailbox Access in Exchange 2003

Delegates, shared folders, and sending mail as somebody else.

?

I?m currently working on an Exchange 2003 deployment that has 1800 staff and 50,000 student mailboxes.

?

We have had so many generic requests for what has come to be known simply as ?Delegate Access? that I?ve put a guide together for the project, and hopefully it will be of some use to other people so I thought I?d share it.

?

Let me start by taking a step backwards.??

?

Outlook 2003 and Exchange 2003 are only 30% of the solution.

?

People, Process, Technology. I know it?s a clich?, but it?s very true. Out of the box Outlook and Exchange can do some very clever things, but unless you put a bit of thought into what you are trying to achieve, then no amount of ticked boxes or level of granular permission is guaranteed to work for you.

?

The Internet is full of custom guides on how to set up delegate access to mailboxes, and various ways to open other user?s folders, or open additional mailboxes.

?

What we have struggled to find for this project is less technical and more business oriented guidance on when each of the various options is best used, and what the main differences between them are.

In the Beginning

?

Everything in a Microsoft world depends on principle based security. A security principle is an Active Directory object with a security identifier or SiD. Microsoft recognises three security principles, the user, the computer and the security enabled group. These are the only three Active Directory objects that have SiD?s, and these are the only objects that can be assigned security tokens. A security token is used to allow or restrict access to resources based on Access Control Entries (ACE?s) stored in Access Control Lists (ACL?s)

?

Way back in 1993 Microsoft decided that a username and password uniquely identified an individual, and today with Active Directory a mailbox is simply an extension of a user object. It?s owned by the uniquely identified individual.

?

I digress a little bit here but it becomes relevant in the whole delegate access mailbox conversation because many requests for delegate access evolve from an attempt to implement role based security. For example, on Monday the helpdesk support function is performed by Joe, on Tuesday it?s performed by Fred, on Wednesdays it?s either Joe or Fred, and John actually does the role all week.

?

So we have multiple people, multiple unique usernames, but with a desired public perception of a function, not an individual. There are countless examples, admissions, enquiries, complaints etc.

?

Now this can be achieved in some cases by creating a ?Helpdesk? username and a ?Helpdesk? mailbox and simply having the helpdesk staff log into this mailbox, but more often than not people turn to shared folder access or delegated permissions as a solution.

?

Anything we can do with Exchange and Outlook to solve this problem or address this need is a principle based security approach to a role based security requirement, and as such it usually requires a little thought from the user in question as to exactly what they are trying to achieve, and what the best way to do that would be.

?

I haven?t mentioned resource mailboxes where the mailbox calendar is used to establish free/busy information for meeting rooms or equipment. These are a bit more mainstream once you get your head around the fact that you now need a user object called ?Meeting Room 1? that never actually log?s in, but that does have a shared calendar.

?

So, history lesson out of the way, what options do we have.

Granting Access to Shared Folders

?

Each mailbox contains a set of folders. Out of the box these include Calendar, Contacts, Drafts, Inbox, Junk Mail, Notes, Sent Items, Tasks and a few others, and obviously any folders that have been created by the mailbox owner or any plug-in or add-on components such as AV, Archive, or Anti-Spam software.

?

Each one of these folders is an object, owned by the mailbox owner. You can verify this by opening DSA.MSC, and selecting a user object with a mailbox. Right click and select Properties, go to the Exchange Advanced tab and select Mailbox Rights…

?

The mailbox rights include the SELF object, which is allowed full mailbox access

?

As the owner of the mailbox, you have the rights to share any of your folders, exactly the same way you would folders on your local hard disk.

?

You simply right click, Properties and use the Permissions tab to assign granular permissions to the folder.

?

There are several levels of pre-defined permissions you can set most of which are pretty self explanatory, but just note for the minute the following, Reviewer, Author, Editor. I?ll come back to these in a second.

?

What you are doing here is modified the ACE?s on your folder ACL?s to grant or deny users granular access to your mailbox folders based on their Security Identifiers.

Gaining Access to Shared Folders

?

There are two ways to gain access to folders once permissions have been granted to you. You either use File, Open, Other User?s Folder… if you want temporary access one of the six default folders which are Calendar, Contacts, Inbox, Journal, Notes, or Tasks.

?

Or you Open these additional mailboxes: from the Advanced tab, of the mailbox properties. You either get to this by right clicking on the mailbox root and selecting Properties for ?Mailbox ? Declan Conroy?, or you go thru the more long winded Tools, Account Settings…, Change…, More Settings…, Advanced

?

In order to be able to open an additional mailbox, you must have a minimum of reviewer access to the top level mailbox folder itself. This differs from File, Open, Other User?s Folder… where you are opening a folder within the mailbox to which you have been granted specific access.

?

What have we got so far.

?

For varying levels of granular permission, ranging from Reviewer thru to Owner, we can grant access to any folder within any mailbox, and have other users either temporarily open these individual folders (File, Open, Other User?s Folder…) or automatically open all of the shared folders to which they have permissions each time they open outlook using Open these additional mailboxes:

Delegate Access, Send-on-Behalf-of

?

So what is delegate access all about then?

?

Well, like it says on the Delegate Access tab from the Tools, Options… menu delegate access goes a step further than shared access, in that it grants send on behalf rights to the mailbox delegate. To be more accurate, it populates the publicDelegates attribute of the AD user object for the user who is delegating access to his/her mailbox.

?

You can verify this by looking up your user object in ADSIEDIT.MSC under the domain partition and right clicking it to get Properties. Tick the box to Show only attributes that have values and scroll down till you see publicDelegates.

?

This attribute is a multi-valued attribute that will contain the DN of every object you have assigned delegate access to.

?

Interesting point to note, the following attribute called publicDelegatesBL is a list of the DN?s of all the user objects who have delegated access to you.

?

You can use the following AD search to list all of the users?in a domain who have delegated mailbox access and the mailboxes they have delegated access to: (The line has been word wrapped for readability)

LDIFDE.EXE -F DELEGATES.TXT -D “DC=DOMAIN,DC=COM”
-L NAME,PUBLICDELEGATES,PUBLICDELEGATESBL
-R “(|(PUBLICDELEGATES=*)(PUBLICDELEGATESBL))”

?

The publicDeleagetes attribute values can been seen in AD users and computers. Open DSA.MSC and find your user object. Right click and select Properties. Clicking on the Exchange General tab and open Delivery Options… Your delegates are listed under Grant this permission to: in the send of behalf box

?

A blog for another day, but don?t modify the user attribute properties using ADSIEDIT.MSC, bad things will happen….

?

OK, so back to Outlook. There are a couple of things here. There are only six folders listed by the delegate access wizard when you click Tools, Options …, Delegates, Add. These are the same six folders you can gain access to using File, Open, Other User?s Folder…

?

There are only three levels of permissions you can grant directly via the delegate access wizard, Reviewer, Author and Editor. You will find many references to shared folder permissions on the Internet and Microsoft documentation that list and describe the various granular permissions that can be assigned, and most of these descriptions are accompanied by the rather vague references that this permission (Does not apply to delegates.) All this simply means is that you can only assign one of the three levels of permissions above via the delegate access wizard.

It doesn?t quite hang together

?

?

I have to be honest I don?t think the various options hang together well. Here?s why.

?

When you use the delegate access wizard, you are limited to six folders, and three permissions. These folders don?t include the top level mailbox, and the permissions don?t include Owner.

?

So your mailbox delegate can gain temporary access to your inbox, and can send mail on your behalf. (Interesting point to note here, if you?grant no access to any of the folders via the delegate access wizard (set them all to None) the publicDelegates attribute is still populated, but the user you have delegated to has no access to your inbox, so even though they are authorised to send mail on your behalf they have no access to your inbox to actually do it. That?s just odd.

?

The answer really is on the tab, if you use the delegate access wizard, you are granting people the authority to send on your behalf!

?

What delegate access doesn?t do is allow your delegates to Open these additional mailboxes: as the top level mailbox folder permissions aren?t modified by the wizard.

?

Now in most cases I?ve come across, if you are granting send on behalf rights to somebody they will usually want to spend a lot of time in your Inbox, and as such temporary access using File, Open, Other User?s Folder… just isn?t the best way to work.

?

So to craft a working solution you have to assign delegate access for everybody that you may want to send mail on your behalf in order to populate the publicDelegates attribute, and then manually, granularly set folder permissions at the top level mailbox folder, and also Sent Items and any other folder that is not one of the default six, so that they can automatically and permanently access your mailbox thru Open these additional mailboxes:

?

Worth pointing out, if you set the top level mailbox folder permissions to Owner for one of your delegates he or she can then Open these additional mailboxes: and once logged in to his/her own mailbox have the option to right click on your mailbox in his/her profile folder list, access the permissions tab and modify folder permissions for other people.

?

Finally, unless you grant a minimum of Reviewer access at the top level ?Mailbox -? to your delegates there is no point in granting any shared access permissions to any mailbox folder other than the default six. Without top level Reviewer permissions the only access to the shared or delegated folders is via File, Open, Other User?s Folder… and File, Open, Other User?s Folder… is hardcoded to only list these six folders.

Making some kind of sense of the options

?

To make some sense of the various options available in shared folder access, delegate mailbox access, open other user?s folder, open additional mailboxes, and send-on-behalf-of, here?s what we came up with.

????????? Resource mailboxes. If you want to use a resource mailbox, either for a meeting room, or a piece of equipment you simply need to create the resource mailbox and change the default permissions on the Calendar to something like Author, which allows people to create and read appointments, and delete their own appointments.

??????Anybody can now use File, Open, Other User?s Folder… or use a Free/Busy search to book an appointment in the diary for the resource mailbox. (There are two other options for shared calendars in Exchange 2003, which are Public Folders and Moderated Public Folders, but if you want to use automatic free/busy searches you need to use the resource mailbox)

You may want to restrict the Author permissions based on security group membership, and the options here are limitless, in terms of granting certain groups Author and other groups Reviewer etc

?

????????? Shared or departmental calendars. If you want to more easily use a resource mailbox as a departmental or shared calendar you then need to add Reviewer permission for the department security group to the top level ?Mailbox –? folder so that department staff can Open these additional mailboxes: and have more permanent access to the calendar. This also applies to any other folder, but I can?t think of any folder apart from Calendar that really requires a mailbox of its own.

?

????????? Delegated mailboxes. There isn?t really any call for shared access to a mailbox unless you need to send mail on behalf of somebody. I?m sure there are situations out there where this is being done, but from a business logic or work flow perspective if you can?t respond to the mail that?s arriving what use is reading it?

In this situation you have to jump thru all the hoops. Delegate the access to the default six, then manually modify the permissions on any remaining folders including the top level ?Mailbox –? so that your delegates can use the Open these additional mailboxes:

Finally

?

It?s worth pointing out that the delegate access wizard doesn?t do any kind of enumeration or checking of permissions.

?

You can get into trouble very fast. In a situation where you remove delegate access using the wizard, users can still File, Open, Other User?s Folder… or even Open these additional mailboxes: because the wizard does not undo any granular permissions that you have set manually on other folders.

?

You also will come across a situation where you reapply permissions via the wizard and they will overwrite any you had manually specified at the folder level.

?

There is a lot you can do, but most of the complexity is in deciding what solution fits what purpose and then maintaining some control over it.

?

I haven?t touched on Send-as, I?ve restricted the options to those at the users fingertips and in my case Send-as violates an e-mail policy that mandates all outbound e-mail must be attributable to the sender, and I?m sure there are dozens of questions about specifics that I haven?t covered but hopefully my many hours of experimentation and Googling will save somebody else some time.

?

?Declan

?