Recipient objects in Exchange 2000 and Exchange Server 2003 fall into some fairly basic categories, most of which are based on underlying Active Directory concepts. The first, and arguably most important, distinction is between objects that can be used to log on and those that cannot. The former are known as security principals because they contain a security identifier (or SID) and a few other attributes necessary for authenticating the principal's credentials against Active Directory. User accounts are security principals; contacts and distribution groups are not.

The next important distinction to draw is between objects that are mail-enabled and those that are mailbox-enabled. Mail-enabled objects have at least one email address associated with them. A contact (what old Exchange 5.5 hands would call a "custom recipient") is a great example: it exists in the directory, and it has an email address, but it doesn't have a mailbox associated with it. Several classes of object can be mail-enabled. However, only user and InetOrgPerson objects can generally be mailbox-enabled; whenever you see that term applied, it means that the object has an Exchange mailbox associated with it. (There are a few other object types, including recipient policies, public folders, and site replication service objects, that can be mailbox-enabled by Exchange, but we won't be treating them as recipients in this chapter.)

For objects that represent people, we have three general classes to think about:
Of course, people aren't the only things we can represent: we can aggregate lots of people into group objects. Microsoft has long advocated using groups for permission assignment, and Windows 2000 and Windows 2003 support a variety of group scopes that we'll mostly ignore here (including local, global, and universal groups). However, there are two group types that have a direct bearing on Exchange: security groups and distribution groups. In Exchange 5.5, you could assign permissions to objects using a distribution list (DL). In Exchange 2000 and later, you can't exactly do this, because distribution groups aren't security principals. Security groups are principals, so they can be used for access control. Both of these group types may be mail-enabled, so you can duplicate the distribution behavior of an ordinary Exchange 5.5 DL by creating a mail-enabled distribution group, or you can create a security group and mail-enable it to provide both access control and ease of mailing to all the group members from a single address. Exchange will convert distribution groups to security groups under some circumstances, as described in Chapter 10 of the Exchange 2000 Resource Kit.

Because of these distinctions, it can be confusing to talk about objects without using the correct set of adjectives: if we say "We created a user account for Joe," it's not clear whether we also meant that we created a mailbox for him unless we say so. The recipes in this chapter cover creating and removing mailboxes and email addresses for mail- and mailbox-enabled objects, as well as creating, removing, and modifying various object types.

The ExchMbx Tool

Joe Richards, one of the technical reviewers for this book, has written a terrific command-line tool called ExchMbx, available from JoeWare.net (http://www.joeware.net/win/free/tools/exchmbx.htm).
This tool allows you to mail-enable users, groups, and contacts, remove Exchange attributes from selected objects, and do a number of other interesting and useful things. Best of all, it can be used with the JoeWare adfind utility so that you never have to type another long user DN on a command line: feed adfind your search criteria, then pipe its results to exchmbx and you're golden.
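
The distinctions drawn in this introduction (security principal or not, mail-enabled versus mailbox-enabled), shown as an added example that is not from the book: a Python classifier for directory entries that also lists security groups which are mail-enabled, since those combine access control with a mailing address. The attribute names (objectClass, groupType, homeMDB, proxyAddresses, mail) are standard Active Directory and Exchange schema attributes that the text itself does not name, and all sample entries are constructed.

```python
# Added example. Attribute names are the usual Active Directory / Exchange
# schema attributes; every entry in SAMPLE is constructed for illustration.
SECURITY_ENABLED = 0x80000000  # groupType flag carried by security groups


def object_classes(entry):
    return {c.lower() for c in entry.get("objectClass", [])}


def classify(entry):
    """Return (is_security_principal, mail_state) for one directory entry."""
    classes = object_classes(entry)
    if "group" in classes:
        # groupType is a signed 32-bit value in LDAP output; mask it first.
        group_type = int(entry.get("groupType", 0)) & 0xFFFFFFFF
        principal = bool(group_type & SECURITY_ENABLED)
    else:
        # Users and inetOrgPersons can log on; contacts cannot.
        principal = bool(classes & {"user", "inetorgperson"})
    if entry.get("homeMDB"):
        state = "mailbox-enabled"   # references a mailbox store
    elif entry.get("proxyAddresses") or entry.get("mail"):
        state = "mail-enabled"      # has an address but no mailbox
    else:
        state = "none"
    return principal, state


def mailable_security_groups(entries):
    """Names of groups that both grant access and accept mail."""
    return [e["cn"] for e in entries
            if "group" in object_classes(e)
            and classify(e)[0] and classify(e)[1] != "none"]


SAMPLE = [  # constructed entries
    {"cn": "Joe", "objectClass": ["top", "person", "user"]},
    {"cn": "Ann", "objectClass": ["top", "person", "user"],
     "mail": "ann@example.com",
     "homeMDB": "CN=Mailbox Store (EX01),DC=example,DC=com"},
    {"cn": "Vendor", "objectClass": ["top", "person", "contact"],
     "proxyAddresses": ["SMTP:vendor@example.net"]},
    {"cn": "All Staff", "objectClass": ["top", "group"],
     "groupType": "8", "mail": "staff@example.com"},
    {"cn": "Finance Admins", "objectClass": ["top", "group"],
     "groupType": "-2147483640", "mail": "finadmins@example.com"},
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(e["cn"], classify(e))
    print("Mail-enabled security groups:", mailable_security_groups(SAMPLE))
```

The "Joe" entry is the ambiguous case the text warns about: a user account that is a security principal but has neither an address nor a mailbox.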