Experience Exchange Sever

December 12, 2016


Filed under: Uncategorized — vijayarelangovan @ 11:51 am

I have been going through a lot of changes in my career for the past few years. I have promised myself to start writing blogs again. I'll start posting very soon.


January 2, 2013

Script to help assign permission to folders and subfolders

Filed under: Admin, E14 — vijayarelangovan @ 9:44 am

I thought that was easy when you have just 2 or 3 folders. How about 100 folders? It is still easy if you know the script.

Get-MailboxFolderStatistics Mailboxname | where { $_.FolderPath -eq "/Foldername" } | Add-MailboxFolderPermission Mailbox -User Username -AccessRights "Level of access"

Unfortunately the above command won't work. I found a script in a blog:

  1. Get-MailboxFolderStatistics Username – this gives the list of folders.
  2. Filter the specific folder and its subfolders which need access: where { $_.FolderPath.Contains("/Foldername") }
  3. Assign the permission: Add-MailboxFolderPermission Mailbox -User Username -AccessRights "Level of access"

Putting it all together:

foreach ($Folder in (Get-MailboxFolderStatistics Username | where { $_.FolderPath.Contains("/Foldername") -eq $true })) {
    # Build the folder identity in the form "Mailbox Name:\Foldername\Subfolder"
    $FPath = "Mailbox Name:" + $Folder.FolderPath.Replace("/", "\")
    # Grant the delegate the chosen access level on this folder
    Add-MailboxFolderPermission -Identity $FPath -User Username -AccessRights "Level of access"
}

  • foreach is to help choose each folder and assign the permission.
  • $FPath = "Mailbox Name:" + $Folder.FolderPath.Replace("/", "\") – this builds the complete path of the subfolder, which is passed to Add-MailboxFolderPermission as the -Identity.
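As an added example (not code from the original post), here is a fuller version of the same approach: it takes the mailbox, delegate, folder and access level as parameters, matches the folder and its subfolders by path prefix so that "/Foldername2" is not caught by accident, updates an existing entry instead of failing on Add-MailboxFolderPermission, and then lists what the delegate ended up with so the change can be reviewed. The values Mailbox Name, Username, /Foldername and Reviewer are placeholders.

```powershell
# Added example, not from the original post. All four values are placeholders.
param(
    [string]$Mailbox     = "Mailbox Name",
    [string]$Delegate    = "Username",
    [string]$FolderRoot  = "/Foldername",
    [string]$AccessLevel = "Reviewer"
)

# Select the folder and everything beneath it. Matching on the root path, or on the
# root plus the "/" separator, avoids catching sibling folders with a longer name.
$folders = Get-MailboxFolderStatistics -Identity $Mailbox |
    Where-Object { $_.FolderPath -eq $FolderRoot -or $_.FolderPath.StartsWith("$FolderRoot/") }

# Identity format the *-MailboxFolderPermission cmdlets expect: "Mailbox:\Folder\Subfolder"
function Get-FolderIdentity($folder) {
    return $Mailbox + ":" + $folder.FolderPath.Replace("/", "\")
}

foreach ($folder in $folders) {
    $identity = Get-FolderIdentity $folder

    # Does the delegate already have an entry on this folder?
    $existing = Get-MailboxFolderPermission -Identity $identity -ErrorAction SilentlyContinue |
        Where-Object { $_.User.DisplayName -eq $Delegate }

    if ($existing) {
        # Entry exists: change its level rather than erroring out on a duplicate add
        Set-MailboxFolderPermission -Identity $identity -User $Delegate -AccessRights $AccessLevel
    } else {
        Add-MailboxFolderPermission -Identity $identity -User $Delegate -AccessRights $AccessLevel
    }
}

# Report the resulting entries for the delegate on every folder that was touched
foreach ($folder in $folders) {
    Get-MailboxFolderPermission -Identity (Get-FolderIdentity $folder) |
        Where-Object { $_.User.DisplayName -eq $Delegate } |
        Select-Object FolderName, User, AccessRights
}
```

Run it from the Exchange Management Shell as a .ps1 file and pass the real mailbox, delegate and folder on the command line; the final listing is the part to keep for the change record.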


May 10, 2012

Shared Mailbox Permission – Bug

Filed under: Admin, E14 — vijayarelangovan @ 5:04 pm

Recently I got into a situation where I had to streamline the permissions that are given to a shared mailbox. So I decided to do that in the following way:

1. Create a Shared mailbox
2. Create a group for the shared mailbox
3. Add the users to the Group who needs permission
4. Give permission to the Group on the shared mailbox

Everything went fine. Permissions were set. But users inside the group started reporting that they cannot see the folders in the shared mailbox. So I started to check all the permissions, and nothing seemed to give a clue.


I gave permission to a user on the shared mailbox – cool, the folders show up. Seems so weird: how can a user object work but not the group? I just thought I could try adding the group from Outlook – perfect, the folders show up.


When you give permission to the shared mailbox through PowerShell, you will experience this issue. Instead, either give the permission to the user object or add the group from Outlook.

Hope this was informative.


March 22, 2012

Deleting a particular email in Exchange 2010

Filed under: Admin, E14 — vijayarelangovan @ 12:46 pm

Recently I've encountered a scenario where I had to delete a particular message with a certain subject, which is no big deal:

Export-Mailbox -TargetMailbox "Mailbox to which you want to copy the mails" -TargetFolder "To Delete" -SenderKeywords "Sender id" -SubjectKeywords "Subject of the mail that you want to delete" -DeleteContent

The above command will search for the mail which matches the "Sender id" and "Subject".

But the above command applies only to Exchange 2007. So what if you want to delete an email in Exchange 2010? I googled around and came across a lot of things, but couldn't get to the bottom of it.

After an hour I zeroed in on the following command:

Get-Mailbox | Search-Mailbox -DeleteContent -SearchQuery 'subject:"Subject of the message" AND from:"Sender email address"'

This will search all the mailboxes in the organisation [you can use -ResultSize Unlimited on Get-Mailbox to include more than 1000 users] for the mail that matches the subject and the sender email address. -DeleteContent will delete those emails.

Along with this, using -TargetMailbox "Mailbox" will copy the mails and a summary of the deletion to that mailbox.
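As an added example, not from the original post, the following runs the same Search-Mailbox query twice: first with -LogOnly, which writes a report of what would be hit to the target mailbox and deletes nothing, and then with -DeleteContent once that report has been reviewed. The subject, the sender address and the discovery mailbox name are placeholders.

```powershell
# Added example, not from the original post. Placeholder values:
$subject    = "Subject of the message"
$sender     = "sender@example.com"
$logMailbox = "Discovery Search Mailbox"   # mailbox that receives the log and the copies

# Both criteria in one AQS string; AND limits the hits to messages matching both.
$query = 'subject:"' + $subject + '" AND from:"' + $sender + '"'

# Mailboxes in scope. -ResultSize Unlimited lifts the default cap of 1000.
$scope = Get-Mailbox -ResultSize Unlimited

# Pass 1: dry run. -LogOnly only produces the search log (hit counts per mailbox)
# in the target folder; nothing is copied or deleted. Read it before pass 2.
$scope | Search-Mailbox -SearchQuery $query -TargetMailbox $logMailbox `
    -TargetFolder "Purge-Preview" -LogOnly -LogLevel Full

# Pass 2: delete, keeping a copy of every removed message and the summary in the
# target folder so the action can be audited afterwards. The cmdlet prompts for
# confirmation on each mailbox unless you add -Confirm:$false deliberately.
# Requires the Mailbox Search role; -DeleteContent also needs Mailbox Import Export.
$scope | Search-Mailbox -SearchQuery $query -TargetMailbox $logMailbox `
    -TargetFolder "Purged" -DeleteContent
```

If the preview log shows hits in mailboxes you did not expect, tighten the query (for example with a received: date range) before running the second pass.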


February 2, 2012

Exchange Administrators Tools

Filed under: E14, Tools — Tags: — imkottees @ 6:21 pm

Below are some tools which every Exchange administrator has to know:

  • The Exchange Pre-Deployment Analyzer
  • The Exchange Best Practices Analyzer
  • The Mailflow Troubleshooter
  • Remote Connectivity Analyzer
  • Message Tracking
  • Queue Viewer
  • Performance Troubleshooter
  • The Exchange Management tools
  • Network Monitor
  • Microsoft SPF Record Wizard
  • ExFolders (PFDavAdmin in Exchange 2010)

You can also find this article here.

February 1, 2012

Exchange Server version numbers and Schema upgrades

Filed under: Others — Tags: , — imkottees @ 3:51 am

Exchange Server version numbers and Schema upgrades:

Exchange Server             Version Numbers            Schema Upgrades
Exchange Server 2010 SP2    14.02.0247.005
Exchange Server 2010 SP1    14.01.0218.015
Exchange Server 2010 RTM    14.00.0639.021
Exchange Server 2007 SP3    8.3.0083.006
Exchange Server 2007 SP2    8.2.0176.002
Exchange Server 2007 SP1    8.1.0240.006
Exchange Server 2007 RTM    8.0.685.24 or 8.0.685.25
Exchange Server 2003 SP2    6.5.7638
Exchange Server 2003 SP1    6.5.7226
Exchange Server 2003 RTM    6.5.6944



Use this command to get the version number in Exchange Server 2007 and Exchange Server 2010:

Get-ExchangeServer | Format-Table Name, *Version*

For more details about the Schema Upgrades click here

You can also find this same post here.

January 26, 2012

Roll Up 6 for Exchange Server 2007 SP3

Filed under: Exchange 2007 — Tags: — imkottees @ 7:39 pm

Earlier today Microsoft released Update Rollup 6 for Exchange Server 2007 SP3.

For the Exchange Server 2007 RU6 download click here

For the description of Rollup 6 click here

Important issues which are resolved here are:

Note: Those who are running Forefront Security for Exchange should make sure to disable Forefront before installing the rollup and enable it again once the installation is done.

You could also see this article here.

December 7, 2011

GAL Segregation in Exchange 2007

Note: This complete article was written with reference to http://technet.microsoft.com/en-us/exchange/bb936719.aspx; please visit that page if you need more detailed information.

This article provides the information that you need to configure Microsoft Exchange Server 2007 with multiple address lists so different groups of users can have their own address list and secure those address lists so that groups of users can see only their specific address list.

Note: This is officially not supported in Exchange 2007, but it is supported by Microsoft in Exchange 2010 SP2, which was released yesterday. Before going with Exchange 2010 I would like to try it with Exchange 2007 in my lab, and I finally did it.

Note: Please do not try this on Exchange Server 2010. If you try to apply these steps in an Exchange 2010 environment, significant issues may occur, and it may not be possible to resolve these issues.

My Setup:

Existing domain:

Domain Name: Exmailservice.com

DC : Exch-dc-01

Exchange server 2007: Exch32-Srv-01 (all three roles installed)

New Domain:

Domain Name: Lab01.com

We consider here that the Exmailservice.com domain has acquired Lab01.com. In Lab01.com there is no Exchange server, whereas Exmailservice.com already has Exchange Server 2007 installed. So we are going to use the linked mailbox concept here and then segregate the GAL for security reasons.

I've created a forest trust between the two domains and I'm able to create linked mailboxes, but when I logged in as a Lab01.com user I was also able to see the address list of the Exmailservice.com domain, as you can see here:

Before GAL segregation

Here I logged in using the Lab01 domain user (first user), who is also able to see the Exmailservice.com address lists, which is not recommended by our security team.

To achieve this we are going to follow the steps below:

  1. Configuring a Segregated Organization
  2. Adding a Segregated Company to the Environment
  3. Adding a New User to the Environment
  4. Post User Creation Steps


1. Configuring a Segregated Organization:

By default the users in Exchange Server 2007 can see all the address lists. You must create different address lists, GALs and offline address lists, and use filters to separate them for the appropriate users.

Preparing Your Environment for Segregated Exchange:

  • Set the dsHeuristics value
  • Create an Organizational Unit to contain all segregated virtual organization OUs
  • Modify permissions on the All Address Lists container
  • Delete the default Address Lists
  • Restrict Access to the Default Global Address List
  • Restrict Access to the Offline Address Lists container
  • Create a Security Group for all Hosted Groups

Set dsHeuristics Value:

  1. Open ADSIEdit.
  2. Expand CN=Configuration.
  3. Expand CN=Services.
  4. Expand CN=Windows NT.
  5. Select CN=Directory Service.
  6. Right click CN=Directory Service and click Properties.
  7. Select the attribute dsHeuristics.
  8. Set value to 001

Create an Organizational Unit to contain all segregated virtual organization OUs:

  1. Start Active Directory Users and Computers.
  2. In the left pane, right-click your domain (the very top object).
  3. Click New, and select Organizational Unit.
  4. Type Companies, and click OK.

Modify permissions on the All Address Lists container:

get-adpermission "All Address Lists" | Where {($_.User -like 'NT Authority\Authenticated Users') -and ($_.IsInherited -eq $false)} | Remove-ADPermission

Confirm Yes to apply this setting.

To delete the default address lists, use the commands below:

remove-addresslist “All Contacts”

remove-addresslist “All Groups”

remove-addresslist “All Rooms”

remove-addresslist “All Users”

remove-addresslist “Public Folders”


Restrict Access to the Default Global Address List:

To use the Exchange Management Shell to modify the security permissions on the Default Global Address List for the Authenticated Users group, run the following command:

Get-GlobalAddressList "Default Global Address List" | Add-ADPermission -User "Authenticated Users" -AccessRights GenericRead -ExtendedRights Open-Address-Book -Deny:$True

Restrict Access to the Offline Address Lists Container:

To use the Exchange Management Shell to modify the security permissions on the Offline Address Lists container for the Authenticated Users group, run the commands below one by one:

Step 1:

$container = "CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Exmailservice,DC=com"

Step 2:

remove-adpermission $container -user "NT AUTHORITY\Authenticated Users" -ExtendedRights 'ms-Exch-Download-OAB'

To verify this, run this command against the same container DN:

Get-ADPermission $container -user "authenticated users"

The output should be like this:

Identity             User                 Deny  Rights
Offline Address L... NT AUTHORITY\Auth... False ms-Exch-Download-OAB
Offline Address L... NT AUTHORITY\Auth... False ListChildren
Offline Address L... NT AUTHORITY\Auth... True  ReadProperty

Create a Security Group for all Hosted Groups:

If you have already created this group manually using the GUI, please make sure that it is a Security group.

Please use the command below to create a new security group:

New-DistributionGroup -Name "All Hosted Groups SG" -OrganizationalUnit "Exmailservice.com/Companies" -SamAccountName "AllHostedGroupsSG" -Alias "AllHostedGroupsSG" -Type "Security"

To remove the default permission, run the command below:

Add-ADPermission -Identity "CN=Address Lists Container,CN=Exmailservice,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Exmailservice,DC=com" -User "All Hosted Groups SG" -AccessRights GenericRead -Deny

Then run the command below:

Add-ADPermission -Identity "CN=Address Lists Container,CN=Exmailservice,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Exmailservice,DC=com" -User "All Hosted Groups SG" -AccessRights ReadProperty -Properties "Open Address List" -Deny

Note: You must modify the example DN to reflect the DN of your Address Lists container. Normally only the "DC" entries need to be modified if the Exchange installation was a "default" installation.

2. Adding a Segregated Company to the Environment:

Create an Organizational Unit for the Company

  1. Start Active Directory Users and Computers.
  2. In the left pane, select the Companies OU.
  3. Right-click the Companies OU.
  4. Click New, and select Organizational Unit.
  5. Type Lab01, and click OK.

    Create a new OU called companies

Adding a UPN Suffix:

Adding a new UPN suffix allows users of the new company to log on with a different UPN address than the one used in the domain.

  • Start Active Directory Domains and Trusts.
  • Right-click Active Directory Domains and Trusts (not your domain name) and select Properties.
  • On the Alternative UPN Suffixes tab, type Lab01, click Add, and click OK.


Modify the UPN Suffix attribute:

By modifying the upnSuffix attribute, you limit the domain dropdown list when creating new users in Active Directory. The list will only include the UPN of the original domain and the new suffix added below.

  • Open ADSIEdit.
  • Expand the Domain Naming Context.
  • Right click the OU and select Properties.
  • Select the upnSuffixes attribute and click Edit.
  • Enter the new company UPN suffix and click Add (Example: Lab01.com).
  • Click OK two times to close out of the properties.

Create a Security Group for the Users:


Use PowerShell to create a security group:


New-DistributionGroup -Name "Lab01 SG" -OrganizationalUnit "Exmailservice.com/Companies/Lab01" -SamAccountName "Lab01SG" -Alias "Lab01SG" -Type "Security"

    Create a new security group for Lab01 users

Run the command below to make it a member of All Hosted Groups SG:

Get-DistributionGroup -Name "All Hosted Groups SG" | Add-DistributionGroupMember -Member "Lab01 SG"


Making member of all hosted groups

Create a new accepted domain:


You must configure an accepted domain before that SMTP namespace can be used in an e-mail address policy.

MS recommends: Accepted domains are configured on computers that have the Hub Transport server role installed and on computers that have the Edge Transport server role installed. We recommend that you configure accepted domains only on the Hub Transport server role and then populate that data on the Edge Transport server by using the Edge Subscription process.

Use the command below to create the new accepted domain:

New-AcceptedDomain -Name "Lab01" -DomainName "Lab01.com" -DomainType Authoritative

Create a new accepted domain for Lab01 domain


After you configure the accepted domain, you must verify that a public Domain Name System (DNS) mail exchange (MX) resource record for that SMTP namespace exists and that the MX resource record references a server name and an IP address that is associated with the Exchange organization.

Create a new email address policy:

For a recipient to receive or send e-mail messages, the recipient must have an e-mail address. E-mail address policies generate the primary and secondary e-mail addresses for your recipients (which include users, contacts, and groups) so they can receive and send e-mail.

Use the command below to create a new email address policy:

new-EmailAddressPolicy -Name "Lab01" -IncludedRecipients 'AllRecipients' -ConditionalCompany "Lab01" -Priority '1' -EnabledEmailAddressTemplates "SMTP:%g%s@Lab01.com"

Using company name for filtering the objects

Results of Lab01 domain users email address

Here we are filtering the recipients using their company name. In this scenario, if the user's company name is equal to Lab01 this address policy will apply to them.

As you can see in the figures above, if the company name is set to Lab01 their primary email address will look like the one in the second picture.

Create a new address list:

Run the following command to create the Lab01 address list (filtered on the company name, like the e-mail address policy and the GAL):

New-AddressList -Name "Lab01 AL" -Container '\' -IncludedRecipients 'AllRecipients' -ConditionalCompany "Lab01"

Modify the permissions on the address list:

Important: While failure to perform this step will not allow users from one company to see the users of another company, it will allow them to see the names of the address book entries for every company from within Outlook. This will mean that all segregated users will be aware of the names of the other segregated groups in the organization.


Run the commands below to achieve this:

Get-AddressList "Lab01 AL" | Remove-ADPermission -User "Authenticated Users" -AccessRights GenericRead -ExtendedRights "Open Address List" -Deny:$false

Get-AddressList "Lab01 AL" | Add-ADPermission -User "Lab01 SG" -ExtendedRights "Open Address List"

Create a new Global Address List:


GALs define a set of rules for looking up users in a global address book—for example, by alias name, long name, group name, and so on. Use the following procedure to create a GAL for the organizational unit Lab01.

Run the following command:

New-GlobalAddressList -Name "Lab01 GAL" -RecipientFilter {(alias -ne $null -and company -eq "Lab01")}

Creating new GAL for Lab01 domain

Create a new offline address list:

To create an OAB that uses Web-based distribution for clients running Outlook 2007, run the following command:

New-OfflineAddressBook -Name "Lab01 OAB" -Server exch32-srv-01 -AddressLists "Lab01 AL" -VirtualDirectories "exch32-srv-01\OAB (Default Web Site)"

Create a new offline address list for Lab01 users

Note: If you configure OABs to use public folder distribution, but your organization does not have any public folder infrastructure, you will receive a warning or an error resembling the following: WARNING: Your organization does not have a public folder tree. Only Outlook 2007 or later can access offline address books from a web-based distribution point, if one is configured.

To create an OAB that uses public folder distribution for clients running Outlook 2003 or earlier, run the following command:

New-OfflineAddressBook -Name "Lab01 OAB" -Server exch32-srv-01 -AddressLists "Lab01 AL" -VirtualDirectories "exch32-srv-01\OAB (Default Web Site)" -PublicFolderDistributionEnabled $true

Modifying the offline address list permission:

Use the following procedure to set the appropriate permissions on the Lab01 OAB. After you perform this procedure, only users who are members of the Lab01 security group will be able to access the offline address list.

Get-OfflineAddressBook "Lab01 OAB" | Add-ADPermission -User 'Lab01 SG' -ExtendedRights 'ms-Exch-Download-OAB' -Deny:$false

Modifying the offline address list permission


3. Adding a new user into the environment:

  • Create a mailbox for the new user.

To use the Exchange Management Shell to add a single member to a distribution group, run the following command for a single user:

get-mailbox "second user" | add-distributiongroupmember -identity "Lab01 SG"

Adding single user into the environment

Run the following command for multiple users:

get-mailbox -organizationalunit "Lab01" | add-distributiongroupmember -identity "Lab01 SG"

Modify the msExchUseOAB attribute:

Run the following command for single user:

set-mailbox "second user" -offlineaddressbook "Lab01 OAB"
Modify the msExchUseOAB attribute

Modify the msExchQueryBaseDN attribute:

To use the Exchange Management Shell to modify the msExchQueryBaseDN attribute, run the following command (shown here for a single user; the attribute is set through ADSI):

$user = ([ADSI]"LDAP://DC01:389/CN=second user,ou=Lab01,ou=companies,dc=exmailservice,dc=com").psbase
$user.Properties["msExchQueryBaseDN"].Value = "ou=Lab01,ou=companies,dc=Exmailservice,dc=com"
$user.CommitChanges()

Changing the msExchQueryBaseDN attribute via GUI:

Changing the msExchQueryBaseDN attribute

Modify the specific filter attribute:

Use one of the following procedures to modify the attribute that is used to identify the user(s) of the virtual company (company in this document's examples). Company is an attribute of the user object, so it is set with Set-User.

For a single user:

set-user "seconduser" -company "Lab01"

For multiple users:

get-mailbox -organizationalunit "Lab01" | set-user -company "Lab01"
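As an added example (not from the original article or the TechNet guide it follows), the per-user settings of section 3 can be applied to every mailbox in the Lab01 OU in one pass. The script assumes the names used in this article (the Lab01 OU under Companies, the "Lab01 SG" group, the "Lab01 OAB" offline address book and "Lab01" as the company value that the address list, GAL and e-mail address policy filter on), and it skips settings that are already in place so it can be re-run safely.

```powershell
# Added example, not from the original article. Names below follow the article's lab setup.
$companyOu = "ou=Lab01,ou=Companies,dc=exmailservice,dc=com"
$company   = "Lab01"
$groupName = "Lab01 SG"
$oabName   = "Lab01 OAB"

# Current group membership, so a re-run does not fail on users that are already members
$memberDns = @(Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited |
    ForEach-Object { $_.DistinguishedName })

foreach ($mbx in (Get-Mailbox -OrganizationalUnit $companyOu -ResultSize Unlimited)) {
    $dn = $mbx.DistinguishedName

    # 1. Company is the value the Lab01 EAP, address list and GAL filter on.
    #    It is a user attribute, hence Get-User/Set-User rather than Set-Mailbox.
    if ((Get-User -Identity $dn).Company -ne $company) {
        Set-User -Identity $dn -Company $company
    }

    # 2. msExchUseOAB: the offline address book this mailbox downloads
    if ($mbx.OfflineAddressBook -eq $null -or $mbx.OfflineAddressBook.Name -ne $oabName) {
        Set-Mailbox -Identity $dn -OfflineAddressBook $oabName
    }

    # 3. Membership of the group that holds the allow entries on "Lab01 AL" and "Lab01 OAB"
    if ($memberDns -notcontains $dn) {
        Add-DistributionGroupMember -Identity $groupName -Member $dn
    }

    # 4. msExchQueryBaseDN limits Outlook's address book queries to the company OU.
    #    Set through ADSI as in the article, but addressed by the mailbox's own DN
    #    instead of a hand-typed one.
    $user = ([ADSI]"LDAP://$dn").psbase
    if ("$($user.Properties['msExchQueryBaseDN'].Value)" -ne $companyOu) {
        $user.Properties["msExchQueryBaseDN"].Value = $companyOu
        $user.CommitChanges()
    }
}

# The step 4 updates (Update-AddressList, Update-GlobalAddressList, Update-OfflineAddressBook,
# Update-FileDistributionService) still have to run afterwards for the changes to take effect.
```

Because every branch checks the current value first, the script reports nothing and changes nothing on a second run, which makes it safe to schedule after new Lab01 mailboxes are created.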

4. Post user creation steps:

When the above user creation steps have been taken, the following processes must be run to update the Address List, GAL and OAB, and to redistribute content and re-stamp files with the appropriate permissions:

  • Update Address List
  • Update Global Address List
  • Update Offline Address Book
  • Redistribute content and re-stamp files with the new permissions

Use the commands below to update all the address lists:

Update-AddressList "Lab01 AL"
Update-GlobalAddressList "Lab01 GAL"
Update-OfflineAddressBook "Lab01 OAB"
Update-FileDistributionService "exch32-srv-01" -Type OAB
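As an added example (not from the original article), the check below reads back the permissions on the company address list, GAL and OAB and reports whether Authenticated Users still hold an allow entry for the relevant extended right and whether the company security group holds one; this is what the Outlook login at the end of the article verifies by eye. It assumes the naming pattern "<Company> AL", "<Company> GAL", "<Company> OAB" and "<Company> SG" used in this article. The pattern "Open.Address" is a regular expression, because Get-ADPermission may display that right either by its CN (Open-Address-Book) or by its display name (Open Address List).

```powershell
# Added example, not from the original article. Read-only: nothing is changed.
function Test-CompanyAddressListAcl {
    param([string]$Company = "Lab01")

    $authUsers = "NT AUTHORITY\Authenticated Users"
    $companySg = "$Company SG"

    # Objects to audit and the extended right that gates each one (regex match)
    $targets = @(
        @{ Name = "$Company AL"
           Object = Get-AddressList -Identity "$Company AL"
           Pattern = "Open.Address" },
        @{ Name = "$Company GAL"
           Object = Get-GlobalAddressList -Identity "$Company GAL"
           Pattern = "Open.Address" },
        @{ Name = "$Company OAB"
           Object = Get-OfflineAddressBook -Identity "$Company OAB"
           Pattern = "Download-OAB" }
    )

    foreach ($t in $targets) {
        $authAllowed = $false
        $sgAllowed   = $false

        foreach ($ace in ($t.Object | Get-ADPermission)) {
            if ($ace.Deny) { continue }          # only allow entries grant access

            # Does this ACE carry the extended right we care about?
            $grantsRight = $false
            foreach ($right in $ace.ExtendedRights) {
                if ("$right" -match $t.Pattern) { $grantsRight = $true }
            }
            if (-not $grantsRight) { continue }

            $who = "$($ace.User)"
            if ($who -eq $authUsers)       { $authAllowed = $true }
            if ($who -like "*\$companySg") { $sgAllowed   = $true }
        }

        # Expected end state: the company group can open it, Authenticated Users cannot
        $status = "CHECK"
        if ($sgAllowed -and -not $authAllowed) { $status = "OK" }

        New-Object PSObject -Property @{
            Object                    = $t.Name
            AuthenticatedUsersAllowed = $authAllowed
            CompanyGroupAllowed       = $sgAllowed
            Status                    = $status
        }
    }
}

Test-CompanyAddressListAcl -Company "Lab01" |
    Format-Table Object, Status, AuthenticatedUsersAllowed, CompanyGroupAllowed -AutoSize
```

A row marked CHECK means one of the two conditions failed; the two boolean columns tell you which of the permission steps above to revisit. Running it for every company OU after the post-creation updates gives a quick regression check whenever a new segregated company is added.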

Final result:

Final result

After logging in using the second user, who is part of the Lab01 domain, we can only see the address list of those who are part of the same (Lab01.com) domain.

Comparison between before GAL segregation and after GAL segregation:

Comparison between before GAL segregation and after GAL segregation

As you can see, the upper part of the figure shows the address list of the Exmailservice domain, which is no longer shown after our GAL segregation in the bottom part of the figure.

I hope you enjoyed reading this; please give us your valuable feedback.

December 5, 2011

Exchange server 2010 SP2 is available

Filed under: Uncategorized — vijayarelangovan @ 4:00 pm

Exchange Server 2010 SP2 is available for download – http://www.microsoft.com/download/en/details.aspx?id=28190

It includes the following features:

  • Outlook Web App (OWA) Mini – OWA designed for low bandwidth
  • Cross-Site Silent Redirection for Outlook Web App
  • Hybrid Configuration Wizard – for those who have a combination of on-premises and off-premises Exchange servers
  • Address Book Policies – for those who do hosting for different companies

And other customer-requested fixes.

October 20, 2011

Cannot view the certificate on the server – Resolved

Filed under: Uncategorized — vijayarelangovan @ 9:26 am

A few weeks back I posted about an issue, "Certificate Missing on the Server – BUG?" – http://wp.me/pM6aD-1Q.

I was just googling around without success and finally figured out that it turned out to be a "permission issue". But how?

When we run Get-ExchangeCertificate, it pulls the list of certificates from the location "All Users Profile\Application Data\Microsoft\Crypto\RSA".

So if you manually navigate to that location, you will find all the certificates installed on the server. If you double-click one of them which you don't find while running Get-ExchangeCertificate, it throws an error message saying "You don't have permission".

To make these certificates appear in Get-ExchangeCertificate, you have to do the following:

Under All Users Profile\Application Data\Microsoft\Crypto\RSA\S-1-5-18:

  1. Click on the Advanced tab, then the Owner tab, and select Administrator. It might show "can't display the information"; therefore click on Administrator and then Apply.
  2. Add owner rights to the Administrator account.
  3. Now you can view the Security tab and the Summary tab.
  4. Under the Security tab, click on Advanced and check "allow inheritance".
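As an added example (not from the original post), the following reports the owner, the inheritance state and the explicit access entries of the key container folder mentioned above, so the permission problem can be seen and recorded before anything is changed. The path is an assumption based on the default All Users profile location ($env:ALLUSERSPROFILE); adjust it for your server.

```powershell
# Added example, not from the original post. Read-only report on the key container folder.
function Get-KeyContainerFolderReport {
    param(
        # Assumed default location; pass the real path if your profile folder differs
        [string]$Path = (Join-Path $env:ALLUSERSPROFILE "Microsoft\Crypto\RSA\S-1-5-18")
    )

    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # The "can't display the information" case from the post: the current account
        # cannot even read the DACL. Report that instead of failing.
        return New-Object PSObject -Property @{
            Path = $Path; Readable = $false; Owner = $null
            InheritanceBlocked = $null; ExplicitAccess = $null; KeyFiles = $null
        }
    }

    # Explicit (non-inherited) entries are the ones a manual change would have left behind
    $explicit = $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        "{0}: {1} ({2})" -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType
    }

    New-Object PSObject -Property @{
        Path               = $Path
        Readable           = $true
        Owner              = $acl.Owner
        InheritanceBlocked = $acl.AreAccessRulesProtected   # $true when inheritance is turned off
        ExplicitAccess     = ($explicit -join "; ")
        KeyFiles           = @(Get-ChildItem -Path $Path -Force -ErrorAction SilentlyContinue).Count
    }
}

Get-KeyContainerFolderReport |
    Format-List Path, Readable, Owner, InheritanceBlocked, ExplicitAccess, KeyFiles
```

Run it once before and once after the ownership and inheritance steps above; the two reports show exactly which entries changed, and an Owner other than the expected account or InheritanceBlocked = True on this folder is the symptom described in the post.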

But why it should be a permission issue though im an administrator?….

