Managing User Accounts and Mail Features


With Exchange Server 2007, Exchange Management Console and Exchange Management Shell are the only administration tools you need to manage mailboxes, distribution groups, and mail contacts. You can use these tools to create and manage mail-enabled user accounts, mailbox-enabled user accounts, and mail-enabled contacts. The sections that follow examine techniques that you can employ to manage user accounts and the Exchange features of those accounts.

Domain administrators can create user accounts and contacts using Active Directory Users And Computers. If any existing user accounts need to be mail-enabled or mailbox-enabled, you perform these tasks using the Exchange management tools. If existing contacts need to be mail-enabled, you also perform this task using the Exchange management tools.

Finding Existing Mailboxes, Contacts, and Groups

In Exchange Management Console, you can view current mailboxes, contacts, and groups by following these steps:

  1. Start Exchange Management Console by clicking Start, pointing to All Programs, selecting Microsoft Exchange Server 2007, and clicking Exchange Management Console.

  2. As shown in Figure 7-1, expand the Recipient Configuration node by double-clicking it.

  3. Select the related Mailbox, Distribution Group, or Mail Contact node, as appropriate for the type of recipient with which you want to work.

  4. By default, the Exchange Management Console displays only the recipients in the current domain or organizational units. To view recipients in other domains or organizational units, right-click the Recipient Configuration node, and then select Modify Recipient Scope. Use the options provided to configure the scope to use, and then click OK.

  5. By default, the maximum number of Exchange recipients you can view at any time is limited to 1,000. You can change the maximum number of recipients to display by right-clicking the Recipient Configuration node or the subnode you want to work with, and then selecting Modify The Maximum Number Of Recipients To Display. Type the number of recipients to display, and then click OK.

Figure 7-1: Access the Recipient Configuration node to work with mailboxes, distribution groups, and mail contacts.

Creating Mailbox-Enabled and Mail-Enabled User Accounts

You need to create a user account for each user who wants to use network resources. The following sections explain how to create domain user accounts that are either mailbox-enabled or mail-enabled and how to add a mailbox to an existing user account. If a user needs to send and receive e-mail, you'll need to create a new mailbox-enabled account for the user or add a mailbox to the user's existing account. Otherwise, you can create a mail-enabled account.

Understanding Logon Names and Passwords

Before you create a domain user account, you should think for a moment about the new account's logon name and password. You identify all domain user accounts with a logon name. This logon name can be (but doesn't have to be) the same as the user's e-mail address. In Windows domains, logon names have two parts:

  • User name: The account's text label

  • User domain: The domain where the user account exists

For the user williams whose account is created in adatum.com, the full logon name for Windows is williams@adatum.com.

User accounts can also have passwords and public certificates associated with them. Passwords are authentication strings for an account. Public certificates combine a public and private key to identify a user. You log on with a password interactively. You log on with a public certificate using a smart card and a smart card reader.

Although Windows displays user names to describe privileges and permissions, the key identifiers for accounts are security identifiers (SIDs). SIDs are unique identifiers that Windows generates when you create accounts. SIDs consist of the domain's security ID prefix and a unique relative ID. Windows uses these identifiers to track accounts independently from user names. SIDs serve many purposes; the two most important are to allow you to easily change user names and to allow you to delete accounts without worrying that someone could gain access to resources simply by recreating an account with the same user name.

When you change a user name, you tell Windows to map a particular SID to a new name. When you delete an account, you tell Windows that a particular SID is no longer valid. Afterward, even if you create an account with the same user name, the new account won't have the same privileges and permissions as the previous one because the new account will have a new SID.
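The SID behavior described above, as an added example that is not part of the original book: it splits two SIDs into domain prefix and relative ID and shows that rights granted to a deleted account's SID do not carry over to a recreated account with the same name. All SIDs, names, rights, and the helper function names are constructed for illustration; Find-OrphanedAce additionally assumes a file system path you supply.

```powershell
# Added example; every SID, account name and right below is constructed.

function Split-Sid {
    param([string]$SidString)
    # SecurityIdentifier validates the string and exposes the domain prefix.
    $sid = New-Object System.Security.Principal.SecurityIdentifier $SidString
    $value = $sid.Value
    New-Object PSObject -Property @{
        Sid       = $value
        DomainSid = $sid.AccountDomainSid.Value
        Rid       = [uint32]$value.Substring($value.LastIndexOf('-') + 1)
    }
}

function Get-GrantedRights {
    param($Acl, [string]$Sid)
    # Access checks compare SIDs, never user names.
    @($Acl | Where-Object { $_.Sid -eq $Sid } | ForEach-Object { $_.Rights })
}

function Find-OrphanedAce {
    param([string]$Path)
    # Get-Acl shows a raw SID string when the SID no longer maps to an account
    # (a deleted account, or a domain that cannot be reached right now).
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -match '^S-1-5-21-' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# williams before deletion, and williams recreated later (constructed SIDs).
$old = Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1105'
$new = Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-2217'

# Constructed access list for a shared folder, keyed by SID as Windows stores it.
$folderAcl = @(
    @{ Sid = $old.Sid; Rights = 'Modify' },
    @{ Sid = 'S-1-5-21-1004336348-1177238915-682003330-512'; Rights = 'FullControl' }
)

"Same domain prefix : $($old.DomainSid -eq $new.DomainSid)"
"RIDs               : $($old.Rid) vs $($new.Rid)"
"Rights via old SID : $(@(Get-GrantedRights $folderAcl $old.Sid) -join ', ')"
"Rights via new SID : $(@(Get-GrantedRights $folderAcl $new.Sid).Count) entries"

# On a real server, list access entries left behind by deleted accounts:
# Find-OrphanedAce -Path 'D:\Shares\Engineering'   # hypothetical path
```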

Creating and Managing Mail-Enabled User Accounts

Mail-enabled users are defined as custom recipients in Exchange Server. They have an Exchange alias and an external e-mail address, but do not have an Exchange mailbox. All e-mail messages sent to a mail-enabled user are forwarded to the remote e-mail address associated with the account.

Mail-enabled users are not listed as such in the Recipient Configuration node of Exchange Management Console. The only way to manage mail-enabled users is through Exchange Management Shell. You can list all mail-enabled users by typing get-mailuser at the Exchange Management Shell prompt.

You can create a new mail-enabled user account using the New-MailUser cmdlet. Sample 7-1 shows the syntax and usage. When prompted, provide a secure password for the user account.

Sample 7-1: New-MailUser cmdlet syntax and usage

  Syntax

    New-MailUser -Name 'DisplayName' -Alias 'ExchangeAlias'
      -ExternalEmailAddress 'EmailAddress'
      -UserPrincipalName 'logonName@domain'
      -OrganizationalUnit 'OrganizationalUnit'

  Usage

    New-MailUser -Name 'Frank Miller' -Alias 'frankm'
      -ExternalEmailAddress 'frankm@hotmail.com'
      -UserPrincipalName 'frankm@cpandl.com'
      -OrganizationalUnit 'cpandl.com'

The syntax and usage are entered on multiple lines for ease of reference. You must enter the command-line values for a cmdlet on a single line.

You can mail-enable an existing user account using the Enable-MailUser cmdlet. Sample 7-2 shows the syntax and usage. For the identity parameter, you can use the user's display name, logon name, or user principal name.

Sample 7-2: Enable-MailUser cmdlet syntax and usage

  Syntax

    Enable-MailUser -Identity 'Identity' -ExternalEmailAddress 'EmailAddress'

  Usage

    Enable-MailUser -Identity 'Frank Miller'
      -ExternalEmailAddress 'frankm@hotmail.com'

You can manage mail-enabled users in several ways. You can add mailboxes to mail-enabled user accounts as you would with any other account. If a user account should no longer be mail-enabled, you can disable mail forwarding using the Disable-MailUser cmdlet, as shown in Sample 7-3. If you no longer need a mail-enabled user account, you can permanently remove it from Active Directory using the Remove-MailUser cmdlet, as shown in Sample 7-4.

Sample 7-3: Disable-MailUser cmdlet syntax and usage

  Syntax

    Disable-MailUser -Identity 'Identity'

  Usage

    Disable-MailUser -Identity 'Frank Miller'

Sample 7-4: Remove-MailUser cmdlet syntax and usage

  Syntax

    Remove-MailUser -Identity 'Identity'

  Usage

    Remove-MailUser -Identity 'Frank Miller'
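
Because every message sent to a mail-enabled user leaves the organization for the external address on the account, it is worth reviewing those addresses regularly. The following is an added example, not code from the book: it reports mail-enabled users whose external address is in a domain that is not on an approved list. The approved domain, the second sample user, the dates, and the helper function names are constructed; the script uses Get-MailUser when run in Exchange Management Shell and falls back to the constructed sample otherwise.

```powershell
# Added example. Approved domains are an assumption; replace with your own list.
$approvedDomains = @('partner.example')

function Get-SmtpDomain {
    param([string]$ProxyAddress)
    # ExternalEmailAddress renders as 'SMTP:user@domain'; drop the type prefix.
    $address = $ProxyAddress -replace '^[^:@]+:', ''
    if ($address -match '@([^@\s]+)$') { $Matches[1].ToLower() } else { $null }
}

function Find-UnapprovedForwarding {
    param($MailUser, [string[]]$ApprovedDomain)
    foreach ($user in $MailUser) {
        $domain = Get-SmtpDomain ([string]$user.ExternalEmailAddress)
        # An unparsable address ($null domain) is reported as well.
        if ($ApprovedDomain -notcontains $domain) {
            $user | Select-Object Name, Alias,
                @{ n = 'ExternalEmailAddress'; e = { [string]$_.ExternalEmailAddress } },
                @{ n = 'Domain'; e = { $domain } },
                WhenChanged
        }
    }
}

# Constructed sample with the same property names Get-MailUser returns.
$sample = @(
    (New-Object PSObject -Property @{
        Name = 'Frank Miller'; Alias = 'frankm'
        ExternalEmailAddress = 'SMTP:frankm@hotmail.com'
        WhenChanged = [datetime]'2008-03-02' }),
    (New-Object PSObject -Property @{
        Name = 'Contract Auditor'; Alias = 'auditor1'
        ExternalEmailAddress = 'SMTP:auditor1@partner.example'
        WhenChanged = [datetime]'2008-01-15' })
)

if (Get-Command Get-MailUser -ErrorAction SilentlyContinue) {
    $mailUsers = Get-MailUser -ResultSize Unlimited
} else {
    $mailUsers = $sample
}

# Most recently changed accounts first, so new forwarding targets stand out.
Find-UnapprovedForwarding -MailUser $mailUsers -ApprovedDomain $approvedDomains |
    Sort-Object WhenChanged -Descending |
    Format-Table Name, Alias, Domain, WhenChanged -AutoSize
```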

Creating New Domain User Accounts with Mailboxes

In Exchange Management Console, you can create a new user account with a mailbox by completing the following steps:

  1. In Exchange Management Console, expand the Recipient Configuration and then select the related Mailbox node.

    Note 

    If you want to create the user account in a domain other than the current one, you'll first need to set the scope for the Mailbox node, as discussed previously in "Finding Existing Mailboxes, Contacts, and Groups."

  2. Right-click the Mailbox node, and then select New Mailbox. This starts the New Mailbox wizard.

  3. Click Next twice to accept the default selections on the Introduction page (to create a user mailbox) and the User Type page (to create a new user account).

  4. On the Mailbox Information page, shown in Figure 7-2, the Organizational Unit text box shows where in Active Directory the user account will be created. By default, this is the Users container in the current domain. As you'll usually need to create new user accounts in a specific organizational unit rather than the Users container, click Browse. Use the Select Organizational Unit dialog box to choose the location in which to store the account, and then click OK.

  5. Type the user's first name, middle initial, and last name in the text boxes provided. These values are used to create the Name entry, which is the user's display name.

  6. As necessary, make changes to the Name text box. For example, you might want to type the name in LastName FirstName MiddleInitial format or in FirstName MiddleInitial LastName format. The full name must be no more than 64 characters.

  7. In the User Logon Name text box, type the user's logon name. Use the drop-down list to select the domain with which you want to associate the account. This sets the fully qualified logon name.

  8. The first 20 characters of the logon name are used to set the pre-Windows 2000 logon name, which must be unique in the domain. If necessary, change the pre-Windows 2000 logon name.

  9. Type and then confirm the password for the account. This password must follow the conventions of your organization's password policy. Typically, this means that the password must be at least six characters in length and must use three of the four available character types: lowercase letters, uppercase letters, numbers, and symbols.

  10. If you want to ensure that the user changes the password at next logon, select the User Must Change Password At Next Logon check box. Click Next.

  11. As shown in Figure 7-3, the Exchange alias is set to the user's logon name by default. You can change this value by entering a new alias. The Exchange Management Console uses the alias to set the user's e-mail address.

    Note 

    Technically, the default value for the Exchange alias is set to the pre-Windows 2000 logon name, which is normally the same as the user logon name. However, if you change the pre-Windows 2000 logon name, the default Exchange alias will be set to the value you enter.

  12. If you have configured multiple Mailbox servers with an information store, use the Server drop-down list to specify the server on which you want to store the mailbox.

  13. If you have configured several storage groups, use the Storage Group drop-down list to specify the storage group that should be used.

  14. If you have configured several mailbox databases, use the Mailbox Database drop-down list to specify the mailbox database that should be used.

  15. Click Next, and then click New to create the account and the related mailbox. If an error occurs during account or mailbox creation, the Exchange Management Console will create neither the account nor the related mailbox. You will need to correct the problem and repeat this procedure.

  16. Click Finish. For all mailbox-enabled accounts, an SMTP e-mail address is configured automatically. You can also add additional addresses of the same type. For example, if Brian Johnson is the company's human resources administrator, he might have the primary SMTP address of brianj@adatum.com and an alternate SMTP address of resumes@adatum.com.

  17. Creating the user account and mailbox isn't the final step. Next, you might want to do the following:

    • Add detailed contact information for the user, such as business phone number and title.

    • Add the user to security and distribution groups.

    • Associate additional e-mail addresses with the account.

    • Enable or disable Exchange features for the account.

    • Modify the user's default delivery options, storage limits, and restrictions on the account.

Figure 7-2: Configure the user's domain settings.

Figure 7-3: Configure the user's Exchange mailbox.

In Exchange Management Shell, you can create a user account with a mailbox using the New-Mailbox cmdlet. Sample 7-5 provides the syntax and usage. When prompted, enter a secure password for the new user account.

Sample 7-5: New-Mailbox cmdlet syntax and usage

  Syntax

    New-Mailbox -Name 'DisplayName' -Alias 'ExchangeAlias'
      -OrganizationalUnit 'OrganizationalUnit' -Database 'Database'
      -UserPrincipalName 'LogonName' -SamAccountName 'prewin2000logon'
      -FirstName 'FirstName' -Initials 'Initial' -LastName 'LastName'
      -ResetPasswordOnNextLogon <$false|$true>

  Usage

    New-Mailbox -Name 'Shane S. Kim' -Alias 'shanek'
      -OrganizationalUnit 'cpandl.com/Engineering'
      -Database 'Corpsvr127\First Storage Group\Engineering'
      -UserPrincipalName 'shanek@cpandl.com' -SamAccountName 'shanek'
      -FirstName 'Shane' -Initials 'S' -LastName 'Kim'
      -ResetPasswordOnNextLogon $true

Adding Mailboxes to Existing Domain User Accounts

You don't have to create an Exchange mailbox when you create a user account. If a user needs a mailbox later, you can create the mailbox by completing the following steps:

  1. In Exchange Management Console, expand the Recipient Configuration node and then select the related Mailbox node.

    Note 

    If you want to create the user account in a domain other than the current one, you'll first need to set the scope for the Mailbox node, as discussed previously in "Finding Existing Mailboxes, Contacts, and Groups."

  2. Right-click the Mailbox node, and then select New Mailbox. This starts the New Mailbox wizard. Click Next on the New Mailbox page to accept the default action to create a user mailbox.

  3. On the User Type page, select Existing User, and then click Browse. This displays the Select User dialog box.

  4. In the Select User dialog box, shown in Figure 7-4, select the user account you want to mailbox-enable, and then click OK. User accounts for the current domain are listed by name, organizational unit, and recipient type. An account listed as Mailbox user already has an Exchange mailbox.

    An account listed as User or Mail-Enabled doesn't yet have an Exchange mailbox. You'll need to change the scope, as discussed previously, if you don't see the contact you want to use.

  5. Click Next. On the Mailbox Settings page, the Exchange alias is set to the logon name by default. You can change this value by entering a new alias. The Exchange alias is used to set the user's e-mail address.

  6. If multiple Mailbox servers are configured with an information store, use the Server drop-down list to specify the server on which the mailbox should be stored.

  7. If several storage groups are configured, use the Storage Group drop-down list to specify the storage group that should be used.

  8. If several mailbox databases are configured, use the Mailbox Databases drop-down list to specify the mailbox database that should be used.

  9. Click Next, and then click New to create the mailbox for the selected user account. If an error occurs during mailbox creation, the mailbox is not created. You will need to correct the problem and repeat this procedure.

  10. Click Finish.

Figure 7-4: Find the user account you want to mailbox-enable.

In Exchange Management Shell, you can add a mailbox to a user account using the Enable-Mailbox cmdlet. Sample 7-6 provides the syntax and usage.

Sample 7-6: Enable-Mailbox cmdlet syntax and usage

  Syntax

    Enable-Mailbox -Identity 'UserIdentity'
      -Alias 'ExchangeAlias'
      -Database 'Database'

  Usage

    Enable-Mailbox -Identity 'cpandl.com/Engineering/Frank Lee'
      -Alias 'frankl'
      -Database 'Corpsvr127\First Storage Group\Engineering'

Setting or Changing the Display Name and Logon Name for User Accounts

All user accounts have a display name, a logon name, and a pre-Windows 2000 logon name. These names can be different from the mailbox name and mailbox alias used by Exchange Server.

You can set or change the display name and logon name for a user account by completing the following steps:

  1. In Exchange Management Console, expand the Recipient Configuration node and then select the related Mailbox node.

  2. Double-click the mailbox entry for the user with which you want to work.

  3. On the User Information tab, use the following text boxes to set the user's display name and logon name:

    • First Name, Initials, Last Name: Sets the user's full name.

    • Name: Sets the user's display name as seen in logon sessions and in Active Directory.

      Note 

      The Simple Display Name text box sets the display name used by systems that cannot interpret all the characters in the regular display name. As the Simple Display Name text box only accepts ASCII characters, this ensures the name is displayed correctly in all versions of the Exchange management interfaces.

  4. Click OK to save your changes.

Setting or Changing Contact Information for User Accounts

You can set contact information for a user account by completing the following steps:

  1. In Exchange Management Console, expand the Recipient Configuration node and then select the related Mailbox node.

  2. Double-click the mailbox entry for the user with which you want to work.

  3. On the User Information tab, use the Web Page text box to set the URL of the user's home page, which can be on the Internet or the company intranet.

  4. Click the Address And Phone tab. Use the text boxes provided to set the user's business address or home address. Normally, you'll want to enter the user's business address. This way, you can track the business locations and mailing addresses of users at various offices.

    Use the Phone Numbers text boxes to set the user's primary business telephone, pager, fax, home telephone, and mobile telephone numbers.

    Note 

    You need to consider privacy issues before entering private information, such as home addresses and home phone numbers, for users. Discuss the matter with your human resources and legal departments. You might also want to get user consent before releasing home addresses.

  5. Click the Organization tab. As appropriate, type the user's title, company, department, and office.

  6. To specify the user's manager, select the Manager check box, and then click Browse. In the Select Recipient User Or Contact dialog box, select the user's manager and then click OK. When you specify a manager, the user shows up as a direct report in the manager's account. Click Apply or OK to apply the changes.

Changing a User's Exchange Server Alias and Display Name

Each mailbox has an Exchange alias and display name associated with it. The Exchange alias is used with address lists as an alternative way of specifying the user in the To, Cc, or Bcc text boxes of an e-mail message. The alias also sets the primary SMTP address associated with the account.

Tip 

Whenever you change the Exchange alias, a new e-mail address can be generated and set as the default address for SMTP. The previous e-mail addresses for the account aren't deleted. Instead, these remain as alternatives to the defaults. To learn how to change or delete these additional e-mail addresses, see the section of this chapter entitled "Adding, Changing, and Removing E-mail Addresses."

To change the Exchange alias and mailbox name on a user account, complete the following steps:

  1. In Exchange Management Console, expand the Recipient Configuration node and then select the related Mailbox node.

  2. Double-click the mailbox entry for the user with which you want to work.

  3. On the General tab, the first text box sets the mailbox name. Change this text box if you'd like the mailbox to have a different display name.

  4. The Alias text box sets the Exchange alias. If you'd like to assign a new alias, enter the new Exchange alias in this text box. Click OK.

Adding, Changing, and Removing E-mail Addresses

When you create a mailbox-enabled user account, default e-mail addresses are created. Any time you update the user's Exchange alias, a new default e-mail address can be created. However, the old addresses aren't deleted. They remain as alternative e-mail addresses for the account.

To add, change, or remove an e-mail address, follow these steps:

  1. In Exchange Management Console, expand the Recipient Configuration node and then select the related Mailbox node.

  2. Double-click the mailbox entry for the user with which you want to work.

  3. On the E-mail Addresses tab, shown in Figure 7-5, you can use the following techniques to manage the user's e-mail addresses:

    • Create a new SMTP address: Click Add. Enter the SMTP e-mail address, and then click OK.

    • Create a custom address: Click the small arrow to the right of the Add button, and then select Custom Address. Enter the e-mail address, and then enter the e-mail address type. Click OK.

      Tip 

      Use SMTP as the address type for standard Internet e-mail addresses. For custom address types, such as X.400, you must manually enter the address in the proper format.

    • Edit an existing address: Double-click the address entry. Modify the settings in the Address dialog box, and then click OK.

    • Delete an existing address: Select the address, and then click the Remove button.

Figure 7-5: Configure the e-mail addresses for the user account.

You can't delete the primary SMTP address without first promoting another e-mail address to the primary position. Exchange Server uses the primary SMTP address to send and receive messages.

Setting a Default Reply-To Address for a User Account

Each e-mail address type has one default reply address. This e-mail address sets the value of the Reply To text box. To change the default reply address, follow these steps:

  1. In Exchange Management Console, expand the Recipient Configuration node and then select the related Mailbox node.

  2. Double-click the mailbox entry for the user with which you want to work.

  3. Click the E-mail Addresses tab. Current default e-mail addresses are highlighted with bold text. E-mail addresses that aren't highlighted are used only as alternative addresses for delivering messages to the current mailbox.

  4. To change the current default settings, select an e-mail address that isn't highlighted, and then click Set As Reply.

Changing a User's Web, Wireless Service, and Protocol Options

When you create user accounts with mailboxes, global settings determine the Web, wireless services, and protocols that are available. You can change these settings for individual users at any time by completing the following steps:

  1. In Exchange Management Console, expand the Recipient Configuration node and then select the related Mailbox node.

  2. Double-click the mailbox entry for the user with which you want to work.

  3. Click the Mailbox Features tab. As shown in Figure 7-6, configure the following Web, wireless services, and protocols for the user:

    • Outlook Web Access: Permits the user to access the mailbox with a Web browser.

    • Exchange ActiveSync: Allows the user to synchronize the mailbox and to browse wireless devices.

    • Unified Messaging: Allows the user to access unified messaging features, such as the voice browser.

    • MAPI: Permits the user to access the mailbox with a Messaging Application Programming Interface (MAPI) e-mail client.

  4. Select an option, and then click Enable or Disable, as appropriate, to change the status. If an option has configurable properties and you want to change the properties, select the option, and then click Properties. Click OK.

Figure 7-6: You change wireless service and protocol options for users in the Properties dialog box for each user.
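
Checking these per-user settings one Properties dialog box at a time does not scale, so the following added example (not code from the book) compares each mailbox's enabled client access features against a written baseline and prints the change that would bring it back in line. It relies on the Get-CASMailbox and Set-CASMailbox cmdlets of Exchange Management Shell; the 'svc-' naming convention, the baseline rules, the sample mailboxes, and the helper function name are assumptions made for illustration.

```powershell
# Added example. Rules are checked in order; the first matching pattern wins.
# The 'svc-*' convention and the allowed sets are assumptions, not Exchange defaults.
$rules = @(
    @{ Pattern = 'svc-*'; Allowed = @('MAPIEnabled') },
    @{ Pattern = '*';     Allowed = @('OWAEnabled', 'MAPIEnabled') }
)

# Properties returned by Get-CASMailbox for the features on the Mailbox Features tab.
$features = @('OWAEnabled', 'ActiveSyncEnabled', 'MAPIEnabled')

function Find-FeatureDrift {
    param($CasMailbox, $Rule)
    foreach ($mbx in $CasMailbox) {
        $match = $Rule | Where-Object { $mbx.Name -like $_.Pattern } |
            Select-Object -First 1
        foreach ($feature in $features) {
            # Report only features that are on but not permitted by the rule.
            if ($mbx.$feature -and ($match.Allowed -notcontains $feature)) {
                $fix = "Set-CASMailbox -Identity '$($mbx.Name)' -$feature `$false"
                $mbx | Select-Object Name,
                    @{ n = 'Feature'; e = { $feature } },
                    @{ n = 'Rule';    e = { $match.Pattern } },
                    @{ n = 'Fix';     e = { $fix } }
            }
        }
    }
}

# Constructed sample with the same property names Get-CASMailbox returns.
$sample = @(
    (New-Object PSObject -Property @{
        Name = 'svc-backup'; OWAEnabled = $true
        ActiveSyncEnabled = $true; MAPIEnabled = $true }),
    (New-Object PSObject -Property @{
        Name = 'Frank Lee'; OWAEnabled = $true
        ActiveSyncEnabled = $false; MAPIEnabled = $true })
)

if (Get-Command Get-CASMailbox -ErrorAction SilentlyContinue) {
    $casMailboxes = Get-CASMailbox -ResultSize Unlimited
} else {
    $casMailboxes = $sample
}

# The Fix column is text for review; nothing is changed by this script.
Find-FeatureDrift -CasMailbox $casMailboxes -Rule $rules |
    Format-Table Name, Feature, Rule, Fix -AutoSize
```

With the constructed sample, svc-backup is reported twice (Outlook Web Access and Exchange ActiveSync), and Frank Lee is not reported.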

Requiring User Accounts to Change Passwords

Group Policy settings typically require users to periodically change their passwords. Sometimes, you may have to ensure a user changes his or her password the next time he or she logs on. For example, if you have to reset a user's password and you give him or her the password over the phone, you may want the user to change the password the next time he or she logs on.

You can set a user account to require the password to be changed on next logon by completing the following steps:

  1. In Exchange Management Console, expand the Recipient Configuration node and then select the related Mailbox node.

  2. Double-click the mailbox entry for the user with which you want to work.

  3. On the Account tab, select the User Must Change Password At Next Logon check box. Click OK.

You can use the Set-User cmdlet to perform the same task, following the syntax shown in Sample 7-7.

Sample 7-7: Requiring user password change

  Syntax

    Set-User -Identity 'UserIdentity' -ResetPasswordOnNextLogon <$false|$true>

  Usage

    Set-User -Identity 'Frank Lee' -ResetPasswordOnNextLogon $true

Deleting Mailboxes from User Accounts

When you disable a mailbox for a user account using the Exchange management tools, you permanently remove all Exchange attributes from the user object in Active Directory and mark the primary mailbox for deletion. Exchange Server then deletes the mailbox according to the retention period you set on the account or on the mailbox database. Because you only removed the user account's Exchange attributes, the user account still exists in Active Directory.

In Exchange Management Console, you can delete a mailbox from a user account and all related Exchange attributes by right-clicking the mailbox and selecting Disable. When prompted to confirm this action, click Yes.

You can use the Disable-Mailbox cmdlet to delete mailboxes while retaining the user accounts as well. Sample 7-8 shows the syntax and usage.

Sample 7-8: Disable-Mailbox cmdlet syntax and usage

  Syntax

    Disable-Mailbox -Identity 'UserIdentity'

  Usage

    Disable-Mailbox -Identity 'Frank Lee'

Deleting User Accounts and Their Mailboxes

When you delete a user account and its mailbox using the Exchange management tools, you permanently remove the account from Active Directory and mark the primary mailbox for deletion. Exchange Server then deletes the mailbox according to the retention period you set on the account or on the mailbox database.

After you delete an account, you can't create an account with the same name and have the account automatically retain the same permissions as the original account. This is because the SID for the new account won't match the SID for the old account. However, that doesn't mean that after you delete an account, you can never again create an account with that same name. For example, a person might leave the company only to return a short while later. You can create an account using the same naming convention as before, but you'll have to redefine the permissions for that account.

Because deleting built-in accounts could have far-reaching effects on the domain, Windows doesn't let you delete built-in user accounts. In Exchange Management Console, you can remove other types of accounts and the mailboxes associated with those accounts by right-clicking the mailboxes and selecting Remove. When prompted to confirm this action, click Yes.

Because Exchange security is based on domain authentication, you can't have a mailbox without an account. If you still need the mailbox for an account you want to delete, you can disable the account using Active Directory Users And Computers. Disabling the account in Active Directory prevents the user from logging on, but you can still access the mailbox if you need to. To disable an account, right-click the account in Active Directory Users And Computers, and then select Disable Account. If you don't have permissions to use Active Directory Users And Computers, ask a domain administrator to disable the account for you.

You can use the Remove-Mailbox cmdlet to delete user accounts as well. Sample 7-9 shows the syntax. By default, the -Permanent flag is set to $false and mailboxes are retained in a disconnected state according to the mailbox retention policy. If you set the -Permanent flag to $true, the mailbox is removed from Exchange.

Sample 7-9: Remove-Mailbox cmdlet syntax and usage

  Syntax

    Remove-Mailbox -Identity 'UserIdentity' [-Permanent <$false|$true>]

  Usage

    Remove-Mailbox -Identity 'Frank Lee'
    Remove-Mailbox -Identity 'Frank Lee' -Permanent $true




Microsoft Exchange Server 2007 Administrator's Pocket Consultant
Microsoft Exchange Server 2007 Administrators Pocket Consultant Second Edition
ISBN: 0735625867
EAN: 2147483647
Year: 2007
Pages: 119
