Recipe5.2.Creating a Mailbox for an Existing User

Recipe 5.2. Creating a Mailbox for an Existing User

Problem

You have an existing account that isn't mailbox-enabled; you need to create a mailbox for it.

Solution

Using a graphical user interface

1. Log on to any machine in your domain that has the Exchange management tools installed.

2. Open the ADUC snap-in (Users and Computers.msc).

3. Locate the account for which you want to create a mailbox.

4. Right-click the target account and choose the Exchange Tasks command.

5. The Exchange Task Wizard will appear. (You may see a welcome page first; if so, click Next to move past it.)

6. From the Available Tasks window, choose Create Mailbox and click Next.

7. On the Create Mailbox page (see Figure 5-1), fill in the alias you want the mailbox to have, then select a server and mailbox store from the drop-down listings. Note that you may not be able to easily move the user's mailbox later, depending on your organization and site configuration, so choose carefully. Click Next.

8. The Task in Progress window will briefly appear, then you'll see a completion page that indicates whether the mailbox creation succeeded or not. Click Finish.

Figure 5-1. The Create Mailbox page

Using a command-line interface

Use exchmbx with the -cr switch to specify the server, storage group, and mailbox database where you want the user's mailbox to be created:

> exchmbx -b <userDN> -cr <server>:<storageGroup>:<mailboxDatabase>

Using VBScript

' This code adds a mailbox in the first MDB on the server to an  ' existing user object ' ------ SCRIPT CONFIGURATION ------ strDCName = "<DC>"    '  e.g., "batman" strUserName = "CN=<userCN>"        ' e.g., "Random User" ' ------ END CONFIGURATION ------ ' get the default and config NC names Set oIADS = GetObject("LDAP://RootDSE") strDefaultNC = oIADS.Get("defaultnamingcontext") strConfigNC = oIADS.Get("configurationNamingContext")  strContainer= "/CN=Users," & strDefaultNC Set objContainer = GetObject("LDAP://" & strDCName & strContainer) ' find the target user Set oIADSUser = GetObject("LDAP://" & strUserName & ",CN=Users," & strDefaultNC) Set oMailBox = oIADSUser ' Open the Connection. Set oConnection = CreateObject("ADODB.Connection") set oCommand = CreateObject("ADODB.Command") Set oRecordSet = CreateObject("ADODB.Recordset") oConnection.Provider = "ADsDSOObject" oConnection.Open "ADs Provider" ' Build the query to find the private MDBs. Use the first one if any are found. strQuery = "<LDAP://" & strConfigNC & _     ">;(objectCategory=msExchPrivateMDB);name,adspath;subtree" oCommand.ActiveConnection = oConnection oCommand.CommandText = strQuery Set oRecordSet = oCommand.Execute If Not oRecordSet.EOF Then     oRecordSet.MoveFirst     firstMDB = CStr(oRecordSet.Fields("ADsPath").Value) Else     firstMDB = "" End If ' create the mailbox oMailbox.CreateMailbox firstMDB oIADSUser.SetInfo WScript.Echo "Created mailbox for " & strUserName

Discussion

Creating a mailbox for an account that already exists is relatively straightforward; actually, Microsoft only supports using ADSI or the CDOEXM CreateMailbox method to create the mailbox. That's because mailbox creation actually has four distinct phases:

1. The user account is created and enabled. You can do this manually or with an ADSI script. At this point, the user can log on and work, but he doesn't have access to his own mailbox because it doesn't exist yet.

2. An administrator mailbox-enables the account. The two methods shown above are logically equivalent; the most important aspect of these methods is that both of them ensure that the msExchMailboxSecurityDescriptor attribute on the account is correctly filled in. This attribute contains a partial copy of the security descriptor that's stored as part of the mailbox data in the Exchange mailbox database. If the descriptor isn't set properly, the user won't be able to access mail and public folder data. (A side effect of this relationship is that you can only change ACEs on the mailbox by changing them in the store; any changes you make to the AD attribute will be overwritten by the store's copy of the ACL.)

3. When the Recipient Update Service runs, it stamps several additional properties on the user object. At this point, the user is completely mailbox-enabled, but there's not actually a mailbox in the database yet.

4. When a user logs on to the mailbox, or when someone sends mail to that mailbox, Exchange will create it.

The reason you need to understand this process is timing. Until step 4, the user can't log on to the mailbox because it hasn't been created. For that reason, many organizations want to automate their mailbox provisioning by setting the security descriptor and other attributes manually; that way, instead of waiting for steps 3 and 4 to finish, users can log on and use their mailboxes immediately after creation. (Actually, these scripts normally send mail to the users as part of the setup process, so step 4 really does occur.) MS KB 304935 describes the somewhat involved process required to set mailbox rights on a newly created mailbox; it's far simpler and safer to let the RUS and store do the work instead, so that's the approach we present here.

See Also

Recipe 5.1 for creating a user and mailbox together, MS KB 313420 (How To Add a Mailbox to an Existing User Account in Exchange 2000 Server), MS KB 275636 (Creating Exchange Mailbox-Enabled and Mail-Enabled Objects in Active Directory), MS KB 327079 (How to programmatically create a mailbox for an existing user in the Active Directory by using CDOEXM), MS KB 304935 (How to set Exchange 2000 mailbox rights at the time of mailbox creation), and MSDN: IMailboxStore::CreateMailbox; exchmbx documentation at joeware.net