Block users from creating global distribution lists in Exchange 2010

Hello all, so once more I have another Exchange 2010 related post; why, you ask? Because with so much to learn about Exchange you can never stop talking about it. The issue I was faced with a few weeks ago was figuring out how to stop the students at the university I worked for from creating their own personal groups and publishing them to the GAL (Global Address List) for everyone to see.

Just picture the president of the college searching for a contact and seeing something like "HackerContacts" offered as an option; that might trigger a few calls to the IT department.

I realised that by default the Exchange 2010 "Default Role Assignment Policy" allows every user to log in to Outlook Web App, go to Options -> See All Options, click Groups and, on the right under "Public Groups I Own", create a new group, which is then published in the GAL.

After doing some research I realised that to block this you need to edit the "Default Role Assignment Policy" and uncheck the options under "Distribution groups" and "Distribution group membership".

  • On your Exchange server open the Toolbox and launch the Role Based Access Control (RBAC) User Editor. This opens Internet Explorer and tries to load the permissions area of the Exchange Control Panel. If it does not open or errors out, first double-check that the account you are logged in with has a mailbox on an Exchange 2010 server and is a member of a role group that is allowed to manage RBAC (Organization Management).
  • You should see two menu items, "Users & Groups" and "Reporting". Choose "Users & Groups" and switch to the "User Roles" tab. Edit the "Default Role Assignment Policy", which opens in a new window, and clear the checkboxes as required. "Distribution groups" (the MyDistributionGroups role) is what lets users create groups and have them appear in the GAL; "Distribution group membership" (the MyDistributionGroupMembership role) only lets users join or leave existing groups, so clear that one only if you also want to remove self-service membership. Once saved, the "Public Groups I Own" option disappears from OWA for everyone the policy applies to.
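The same change from the Exchange Management Shell, as an added example that is not part of the original post. It removes the role behind the "Distribution groups" checkbox and then, optionally, hands back everything except group creation through a child role so students can still manage groups they already own. The child role name "MyDistributionGroups-NoCreate" is an assumption, and the commands must be run by an account that can manage RBAC (Organization Management).

```powershell
# Added example (not the original post's steps): shell equivalent of the ECP change above.
# Run from the Exchange 2010 Management Shell as a member of Organization Management.

# 1. See which end-user roles the default policy currently hands out to every mailbox.
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" |
    Format-Table Name, Role, Enabled -AutoSize

# 2. Same effect as clearing the "Distribution groups" checkbox: drop the MyDistributionGroups
#    assignment. MyDistributionGroupMembership (the other checkbox) only covers joining and
#    leaving existing groups, so it is left in place here.
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" |
    Where-Object { $_.Role -eq "MyDistributionGroups" } |
    Remove-ManagementRoleAssignment -Confirm:$false

# 3. Optional, narrower variant: let users keep managing groups they already own but not
#    create new ones. Derive a child role from MyDistributionGroups, strip the creation
#    cmdlet from it, and assign the child role to the policy instead.
#    Role name "MyDistributionGroups-NoCreate" is an assumption; pick your own.
New-ManagementRole -Name "MyDistributionGroups-NoCreate" -Parent "MyDistributionGroups"
Remove-ManagementRoleEntry "MyDistributionGroups-NoCreate\New-DistributionGroup" -Confirm:$false
New-ManagementRoleAssignment -Role "MyDistributionGroups-NoCreate" -Policy "Default Role Assignment Policy"

# 4. Verify: none of the roles the policy now assigns should still expose New-DistributionGroup.
#    Nothing returned means the cmdlet is gone for policy members.
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\New-DistributionGroup" -ErrorAction SilentlyContinue }
```

Step 3 only works because step 2 removed the parent role first: RBAC unions all assigned roles, so leaving MyDistributionGroups assigned alongside the child role would still grant New-DistributionGroup. Step 2 alone blocks creation and is the shell equivalent of the checkbox; step 3 is the version that keeps existing owners able to edit their groups. Add -WhatIf to the Remove and New cmdlets to preview before committing.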


Hope you found this useful. Leave a comment if you have a better way of doing this or if these steps did not solve the issue for you. Thanks for reading!



Exchange 2010 and AD user provisioning script

Hello all, so I know it's been a while since my last post and I have not really posted anything infosec related recently, but to be honest I have been so busy at work I have not had any time for anything else.

Today I wanted to share with you a script that I originally got from , which I have been tweaking as part of our migration to 2010. We normally get a CSV file with (Firstname, Lastname, StudentID) from our registrar's department and have to create AD and Exchange user accounts for these users.

The script would have worked as is, but instead of adding the following fields to the CSV file I wanted the script to fill these values in on the fly:

  • User principal name
  • Alias
  • Database
  • OU
  • Display Name
  • Retention policy
We also currently have three Exchange databases for our students (Student Store A-F, G-M and N-Z), so the script needed to sort each user into the correct store automatically based on the first letter of their last name.
This part of the script handled that:
Function ReadCSV($fileName) {
    $users = Import-Csv $fileName
    foreach ($user in $users) {
        # First letter of the last name, upper-cased (Substring(0) would return the whole name)
        $flln = $user.'last name'.ToUpper().Substring(0, 1)
        $db = ""
        if (($flln.CompareTo("A") -ge 0) -and ($flln.CompareTo("F") -le 0)) {
            $db = "Student Store A-F"
        }
        elseif (($flln.CompareTo("G") -ge 0) -and ($flln.CompareTo("M") -le 0)) {
            $db = "Student Store G-M"
        }
        else {
            $db = "Student Store N-Z"
        }
        # $db is then passed to New-Mailbox -Database for this user
    }
}
And here is the entire script –>
I still have a few issues and maybe someone can help me with them:
  • According to a posting over at TechNet Social I am unable to use the New-Mailbox cmdlet to add the user ID number to the Office field of the AD user properties.
  • I am also trying to add a portion after the user creation portion to add group memberships and the user profile path.
I must also give a big shout-out to byte_bucket over at the pauldotcom IRC room for helping me tweak this script. Enjoy, and leave your comments.
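A complete provisioning pass of the kind this post describes, as an added example that is not the author's script. It reads the registrar CSV (Firstname, Lastname, StudentID, as named above), derives UPN, alias, display name, OU, database and retention policy on the fly, picks the store by last-name initial, and also covers the two open items from the list: the Office field is set with Set-User (New-Mailbox has no -Office parameter), and group membership and profile path are added afterwards. Every value in the param block (UPN suffix, OU, retention policy name, group name, profile share) is an assumed placeholder for your environment, and Set-ADUser assumes the ActiveDirectory module is installed where the script runs.

```powershell
# Added example, not the post's script. Assumptions: CSV columns Firstname, Lastname, StudentID;
# all param defaults below are placeholders; the ActiveDirectory module is available.
param(
    [Parameter(Mandatory = $true)] [string] $CsvPath,
    [string] $UpnSuffix       = 'students.example.edu',       # assumed UPN / mail domain
    [string] $StudentOu       = 'example.edu/Students',       # assumed OU, canonical name form
    [string] $RetentionPolicy = 'Student Retention Policy',   # assumed retention policy name
    [string] $StudentGroup    = 'AllStudents',                # assumed distribution group
    [string] $ProfileShare    = '\\fileserver\profiles$',     # assumed roaming-profile share
    [switch] $WhatIf
)
Import-Module ActiveDirectory

# Route a user to one of the three student databases by the first letter of the last name.
function Get-StudentDatabase([string] $LastName) {
    $name = $LastName.Trim().ToUpper()
    if ($name.Length -eq 0) { throw "Empty last name" }
    switch -Regex ($name.Substring(0, 1)) {
        '[A-F]' { return 'Student Store A-F' }
        '[G-M]' { return 'Student Store G-M' }
        '[N-Z]' { return 'Student Store N-Z' }
        default { return 'Student Store N-Z' }   # names starting with a digit or symbol land in the last store
    }
}

# Random initial password; the account is forced to change it at first logon.
function New-InitialPassword([int] $Length = 14) {
    $chars = [char[]] 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+-=?'
    -join (1..$Length | ForEach-Object { Get-Random -InputObject $chars })
}

foreach ($row in Import-Csv $CsvPath) {
    $first = $row.Firstname.Trim()
    $last  = $row.Lastname.Trim()
    $id    = $row.StudentID.Trim()

    # Registrar data is still untrusted input: refuse rows that would produce odd accounts.
    if ($first -eq '' -or $last -eq '' -or $id -notmatch '^\d{4,10}$') {
        Write-Warning "Skipping malformed row: '$first' '$last' '$id'"
        continue
    }

    # Values the post wanted derived instead of supplied in the CSV.
    $alias = (($first.Substring(0, 1) + $last) -replace '[^A-Za-z0-9]', '').ToLower()
    if (Get-Recipient -Identity $alias -ErrorAction SilentlyContinue) {
        $alias = $alias + $id            # second "jsmith" becomes jsmith<StudentID> instead of failing
    }
    $sam     = if ($alias.Length -gt 20) { $alias.Substring(0, 20) } else { $alias }  # sAMAccountName limit
    $upn     = $alias + '@' + $UpnSuffix
    $display = "$last, $first"
    $db      = Get-StudentDatabase $last

    if ($WhatIf) {
        Write-Host ("Would create {0} ({1}) in '{2}' under {3}" -f $upn, $display, $db, $StudentOu)
        continue
    }

    $password = ConvertTo-SecureString (New-InitialPassword) -AsPlainText -Force
    New-Mailbox -Name $display -DisplayName $display -FirstName $first -LastName $last `
        -Alias $alias -SamAccountName $sam -UserPrincipalName $upn `
        -OrganizationalUnit $StudentOu -Database $db `
        -Password $password -ResetPasswordOnNextLogon $true | Out-Null

    # New-Mailbox cannot set the Office attribute; Set-User can, so the student ID goes on afterwards.
    Set-User    -Identity $upn -Office $id
    Set-Mailbox -Identity $upn -RetentionPolicy $RetentionPolicy

    # Group membership and roaming profile path (the latter via the ActiveDirectory module).
    Add-DistributionGroupMember -Identity $StudentGroup -Member $upn
    Set-ADUser -Identity $sam -ProfilePath ($ProfileShare + '\' + $sam)
}
```

Run it once with -WhatIf against the real CSV to see the derived UPNs and database placement before anything is created. The alias collision check and the 20-character sAMAccountName cap are the two things most likely to bite on a real registrar export; the random initial password with ResetPasswordOnNextLogon avoids shipping every new account with the same known password.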



Allow full mailbox access

We have recently upgraded from Exchange 2003 to Exchange 2010, and with that upgrade come new ways of dealing with old recurring tasks. Over the next few blog posts I will try to outline how to accomplish these tasks. If you are asked to grant or remove someone's access to a user's mailbox, below is the recommended approach.

You can do this two ways: via the Exchange Management Console (EMC) or via the Exchange Management Shell (PowerShell):

EMC approach:

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the “Permissions and delegation” entry in the Mailbox Permissions topic.

  1. In the console tree, navigate to Recipient Configuration > Mailbox.
  2. In the result pane, select the mailbox for which you want to grant Full Access permission.
  3. In the action pane, under the mailbox name, click Manage Full Access Permission. The Manage Full Access Permission wizard opens.
  4. On the Manage Full Access Permission page, click Add.
  5. In Select User or Group, select the user to which you want to grant Full Access permission, and then click OK.
  6. Click Manage.
  7. On the Completion page, the Summary states whether Full Access permission was successfully granted. The summary also displays the Shell command used to grant Full Access permission.
  8. Click Finish.

PowerShell approach:

First verify who currently has access to the user's mailbox with the Get-MailboxPermission cmdlet. You will notice several default system and inherited entries (NT AUTHORITY\SELF, the Exchange server and management role groups); you are only concerned with the explicit user accounts.

Get-MailboxPermission "John Doe"

If you want to remove Jane Doe's Full Access to John's mailbox you can do the following:

Remove-MailboxPermission “John Doe” -AccessRights FullAccess -User “Jane Doe”

If you are asked to grant the user Mary Full Access permission to Frank's mailbox, do the following:

Add-MailboxPermission “Frank Loew” -User “Mary May” -AccessRights FullAccess

Once you have finished granting access, add the mailbox in Outlook, then close and reopen Outlook and it should be accessible. On Exchange 2010 SP1 and later, Full Access granted with Add-MailboxPermission is also auto-mapped into the grantee's Outlook profile through Autodiscover (pass -AutoMapping $false if you do not want that). Note that Full Access lets the user open and manage the mailbox but does not let them send mail as its owner; that requires a separate Send As or Send on Behalf permission.
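Because the Get-MailboxPermission output is mostly inherited system entries, a review of "who can read whose mail" needs a filter. The function below is an added example, not from the original post: it lists only explicit, non-denied Full Access grants on one mailbox or across the organisation, and flags entries whose user resolves to a bare SID, which is what a deleted account looks like when it was never removed from the ACL. The mailbox name and output path are placeholders.

```powershell
# Added example (not from the original post): explicit Full Access grants for review.
function Get-ExplicitFullAccess {
    param(
        [string] $Mailbox = '*'   # display name, alias or SMTP address; '*' = every mailbox
    )

    # Self/system principals that appear on every mailbox and carry no review value.
    $systemPrincipals = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\NETWORK SERVICE')

    $mailboxes = if ($Mailbox -eq '*') { Get-Mailbox -ResultSize Unlimited } else { Get-Mailbox -Identity $Mailbox }

    foreach ($mbx in $mailboxes) {
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                ($_.AccessRights -contains 'FullAccess') -and
                (-not $_.IsInherited) -and                 # drops Exchange Servers, Org Management etc.
                (-not $_.Deny) -and
                ($systemPrincipals -notcontains $_.User.ToString())
            } |
            Select-Object `
                @{ n = 'Mailbox';  e = { $mbx.PrimarySmtpAddress } },
                @{ n = 'User';     e = { $_.User.ToString() } },
                @{ n = 'Orphaned'; e = { $_.User.ToString() -like 'S-1-5-*' } }   # deleted account left on the ACL
    }
}

# Usage: check one mailbox, or export the whole organisation for a periodic access review.
Get-ExplicitFullAccess -Mailbox 'John Doe' | Format-Table -AutoSize
Get-ExplicitFullAccess | Export-Csv -NoTypeInformation -Path .\fullaccess-review.csv
```

Rows with Orphaned set to True are stale grants from accounts that no longer exist and should be removed with Remove-MailboxPermission as shown above; the remaining rows are the people and service accounts whose access someone should still be able to justify.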