The most basic aspect of administering any messaging and collaboration is configuring the vast and varied settings that relate to recipients. First, the user account must be “mailbox enabled,” which means we need to create a mailbox on the mailbox database for the user account. To do this, we need to use the Enable-Mailbox cmdlet. This is illustrated here:
Enable-Mailbox -Identity nwtraders\MyNewUser -Database "mailbox database"
When this command is run, you will get a prompt back that is shown here. It tells you the name of the user account, the alias assigned, the server name on which the mailbox database resides, and any quota restrictions applied to the account.
Name Alias ServerName ProhibitSendQuota ---- ----- ---------- ----------------- MyNewUser myNewUser smbex01 unlimited
Tip | You cannot mailbox-enable a user account that is disabled. Although this may seem to make sense, keep in mind that often network administrators will create a group of user accounts, and then leave them all disabled for security reasons. Then, when the user calls into the Help desk, the accounts are enabled. In this case, use a single script that logonenables the user account and at the same time mailbox-enables the user. |
If you want to create the user and the mailbox at the same time, then you can use the New-Mailbox cmdlet. This cmdlet, as you might expect, has a large number of parameters owing to the need to supply values for first name, last name, display name, mailbox name, user principal name (UPN) name, and many other optional parameters. An example of using this cmdlet to create a user named MyTestUser2 is shown here:
New-Mailbox -Alias myTestUser2 -Database "mailbox database" ` -Name MyTestUser2 -OrganizationalUnit myTestOU -FirstName My ` -LastName TestUser2 -DisplayName "My TestUser2" ` -UserPrincipalName MyTestUser2@nwtraders.com
After you run the cmdlet, you will notice that it prompts for the password. It does this because the password parameter is defined as a secureString datatype. If you try to force the password in the command by hard-coding the password as an argument, such as: -password “P@ssword1”, you will get an error that says “cannot convert type string to type secureString.” This error is shown in Figure 9-1.
Figure 9-1: You cannot convert a string into a secure string
The solution to the above error is to not supply the password argument. In which case, the command will pause, and Windows PowerShell will prompt for the password for the user account. This behavior is shown here in Figure 9-2.
Figure 9-2: The New-Mailbox cmdlet prompts for the password
If we put the command in a script, then it will be easier to create the user, the mailbox, and the password. To do this, we use the ConvertTo-SecureString cmdlet to convert a plain text string into an encrypted password that will be acceptable to Exchange 2007. ConvertTo-SecureString has two arguments that will enable us to do this; the first argument is the asPlainText argument. This tells the ConvertTo-SecureString cmdlet we are supplying a plain text string for it to convert. Because this is not a normal operation, we must also supply the force argument. After we have a secureString for the password, we can supply it to the password argument. This is illustrated in the NewMailboxAndUser.ps1 script.
NewMailboxAndUser.ps1
$password = ConvertTo-SecureString "P@ssW0rD!" -asplaintext -force New-Mailbox -Alias myTestUser2 -Database "mailbox database" ` -Name MyTestUser2 -OrganizationalUnit myTestOU -FirstName My ` -LastName TestUser2 -DisplayName "My TestUser2" ` -UserPrincipalName MyTestUser2@nwtraders.com -password $password
Open Notepad or your favorite Windows PowerShell script editor.
Create a variable called $password and use the ConvertTo-SecureString cmdlet to create a secure string from the plaintext string “P@ssw0rd1”. To ensure this command completes properly, use the force parameter. The code to do this is shown here:
$password = ConvertTo-SecureString "P@ssW0rD!" -asplaintext -force
Create a variable called $strDatabase. This variable will be used to hold a string that is used to tell the New-Mailbox cmdlet on which database to create the new mail-enabled user account. This line of code is shown here:
$strDatabase = "Mailbox Database"
On the next line, create a variable called $strOU. This variable is used to hold the name of the organizational unit that will hold the new user account. This line of code is shown here:
$strOU = "myTestOU"
Create a new variable called $strDomain. This variable will hold a string that will be used for the domain portion of the user name to be created. This line of code is shown here:
$strDomain = "Nwtraders.msft"
Create a variable called $strFname, which will be used to hold the user’s first name. This line of code is shown here:
$strFname = "My"
Create a variable called $strLname, which will be used to hold the user’s last name. This line of code is shown here:
$strLname = "TestUser"
Use a for statement to create a loop that will increment 11 times. Use the variable $i as the counter-variable. Start the loop from 0 and continue until it is less than or equal to 10. Use the double plus sign (++) operator to automatically increment the variable $i. This code is shown here:
for($i=0;$i -le 10;$i++)
Type the opening and closing curly brackets as shown here:
{ }
Between the two curly brackets, use the New-Mailbox cmdlet. Use the $strFname, $strLname, and $i variables to create the user’s Alias. Use the $strDatabase variable to supply the name for the database argument. Use the $strFname, $strLname, and $i variables to create name of the account. Use the $strOU variable to supply the value for the organizationalunit argument. Use the $strFname variable to supply the value for the firstname argument. Use the $strLname variable to supply the value for the lastname argument. Use the $strFname, $strLname, and $i variables to create the value for the displayname argument. To create the userprincipalname argument, use $strFname, $strLname, and $i, and supply the commercial at sign in parentheses (“@”) and the $strdomain variable. The last argument that should be supplied is the password contained in the $password variable. This line of code is shown here. Note: you can use the grave accent character (`) to break up the line of code for readability purposes, as is done here:
New-Mailbox -Alias $strFname$strLname$i -Database $strDatabase ` -Name $strFname$strLname$i -OrganizationalUnit $strOU -FirstName ` $strFname -LastName $strLname -DisplayName $strFname$strLname$i ` -UserPrincipalName $strFname$strLname$i"@"$strDomain ` -password $password
Save your script as yourname CreateMultipleUsersAndMailboxes.ps1. Run your script. Go to the Exchange Management Console and click on the Mailbox node. Select Refresh from the Action menu. The new users should appear within a minute or so. If this is not the case, compare your script with the CreateMultipleUsersAndMailboxes.ps1 script.
This concludes the creating multiple new users and mailboxes procedure.
After users are created in Exchange Server 2007, the next step in the user life cycle is to report on their configuration settings. To do this, we can use the Get-Mailbox cmdlet. This is shown here:
Get-Mailbox
When this command is run, it produces a table of output that lists the user name, alias, server name, and other information. A sample of this output is shown here:
Name Alias ServerName ProhibitSendQuota ---- ----- ---------- ----------------- Administrator Administrator smbex01 unlimited Claire O'Donnell claire smbex01 unlimited Frank Miller frank smbex01 unlimited Holly Holt holly smbex01 unlimited
If you are interested in more detailed information, or different information, then you will need to modify the default Get-Mailbox command. If you already know the server, and you are only interested in the alias and when the ProhibitSendQuota kicks in, you can use the following command:
Get-Mailbox | Format-Table alias, prohibitsendquota –AutoSize
This command uses the Get-Mailbox cmdlet and pipelines the resulting object into the Format-Table cmdlet. It then chooses the alias column and the ProhibitSendQuota column and uses the autosize argument to format the output. A sample of the resulting output is shown here:
Alias ProhibitSendQuota ----- ----------------- Administrator unlimited claire unlimited frank unlimited holly unlimited
If you use the Get-Mailbox cmdlet and supply the alias for a specific user, you will return the same four default columns we obtained earlier. This command is shown here:
get-mailbox mytestuser1
In reality, you are supplying the string mytestuser1 as the value for the identity argument of the Get-Mailbox cmdlet. The command shown here produces the same result:
get-mailbox -identity mytestuser1
Why is it important to know we are supplying a value for the identity argument of the Get-Mailbox cmdlet? There are two reasons: The first is that when you see the identity argument of this cmdlet, you will know what it does; but the second is that there is actually confusion in Exchange Server 2007 about what the identity attribute is and when to use it. For example, technically, the identity of a User object in Exchange Server 2007 would look something like this:
nwtraders.com/MyTestOU/MyTestUser1
What is interesting is the way I obtained the identity value. Take a look at the syntax of the Get-Mailbox cmdlet.
get-mailbox -identity mytestuser1 | Format-List identity
Remember, this command returned the identity attribute of the User object, so there is confusion between the identity argument of the Get-Mailbox cmdlet and the identity attribute used by Exchange Server 2007. But wait, it gets even stranger. When we supply the value for the identity argument and retrieve both the alias and the identity, we have a command that is shown here:
get-mailbox -identity mytestuser1 | Format-List alias, identity
The data returned from this command are shown here:
Alias : MyTestUser1 Identity : nwtraders.com/MyTestOU/MyTestUser1
We could move the commands around a little bit, and create a script that would be very useful from an audit perspective. The FindUnrestrictedMailboxes.ps1 script uses the Get-Mailbox cmdlet to retrieve a listing of all user mailboxes. It then uses the Where-Object cmdlet to filter out the amount of returned data. It looks for objects that have the ProhibitSendQuota property set to unlimited. It then pipelines the resulting objects to return only the alias of each User object.
FindUnrestrictedMailboxes.ps1
"Retrieving users with unrestricted mailbox limits " "This may take a few minutes ..." $a = get-mailbox| where-object {$_.prohibitSendQuota -eq "unlimited"} "There are " + $a.length + " users without restrictions." "They are listed below. `r" $a | Format-List alias
If you were interested in the status of all the quota settings on the Exchange Server, you could revise the script to use the following command:
Get-Mailbox | Format-Table alias, *quota