SendAs from a distribution group Exchange 2010

I received a request today from one of our users who wanted to send and email from their departmental distribution group. Now this task can be easily performed if a user wanted to do a send as from a public folder however with Exchange 2010 you are unable to grant a user the correct access via the EMC.

In order to grant a user this access you have to do it via the Exchange management shell “EMS” aka PowerShell. My first question was did the user really meant to say Public folder or was it an actual DG? To answer this question I ran the following command:

get-recipient -results unlimited | where {$_.emailaddresses -match “accounting@domain.com”} | select name,emailaddresses,recipienttype

Once I realized that I was working with a distribution group I then ran  this command to grant the user “send as ” permission:

Get-DistributionGroup “accounting” | Add-ADPermission -ExtendedRights Send-As -User “Jane Doe” -AccessRights ExtendedRight | fl

And just like that I had another satisfied user :). If you know of another way to accomplish this task do share in the comments.

Advertisements

Retention policy with a twist of MRM Exchange 2010

I was recently working on a project that involved creating some Retention policies for our Exchange 2010 sp1 environment. The project got a bit scary in the testing phase when we realized that the Inbox deletion policies were also deleting emails in the user’s sub-folder.  The came as a surprise to us since we were able to use the same type of policy in Exchange 2003 prior to upgrading.

To solve this issue we had to create retention policies to manage our deleted items, sent items, and drafts but use message record management to handle our inbox. Since MRM was being phased out of 2010 this solution needed to be implemented via the Exchange management shell (Powershell).

Implementing MRM:

Messaging records management (MRM) is the records management technology in Microsoft Exchange Server 2010 that helps organizations reduce the legal risks associated with e-mail. MRM makes it easier to keep the messages needed to comply with company policy, government regulations, or legal needs, and to remove content that has no legal or business value.

Prior to implementing this its best to check to see if any additional policies were created and if you don’t play on using them going forward delete them. You can do so with the below commands:

Review commands:

ManagedFolderMailboxPolicy

 [PS] C:Windowssystem32>Get-ManagedFolderMailboxPolicy

Name                      ManagedFolderLinks

—-                              ——————

Test Policy1            {Inbox}


ManagedContentSettings

 [PS] C:Windowssystem32>Get-ManagedContentSettings

 Name                      MessageClass              ManagedFolderName

—-                            ————- ————              —————–

Inbox Content               *                                           Inbox1


ManagedFolder

 [PS] C:Windowssystem32>Get-ManagedFolder

 Name                      FolderName                Description

—-                              ———-                ———–

Inbox1                    Inbox                     ManagedDefaultFolder

After retrieving this information you can now issue the following commands to remove any old or test policy:

Remove Policy from users

Set-Mailbox username -ManagedFolderMailboxPolicy $null

Removed ManagedFolder Mailbox Policy

[PS] C:Windowssystem32>Remove-ManagedFolderMailboxPolicy “Test Inbox Policy”

Remove Manage Content Setting

 [PS] C:Windowssystem32>Remove-ManagedContentSettings “Inbox Content”
Creating and Implementing MRM:

  1. Create your managed folder
  2. Create your managed folder content setting
  3. Create your manage mailbox folder policy
  4. Apply your policy to a user or to an exchange data store.
  5. Start the managed folder assistant service or wait for it process on schedule

The below policy will delete all emails from the user mailbox that are 60 days old without touching any sub folders in the user’s Inbox.

Managed Folder Creation

 New-ManagedFolder -Name “Test Inbox” -DefaultFolderType Inbox -BaseFolderOnly $true -Comment “Items would be moved to deleted items for 60 days” -MustDisplayCommentEnabled  $true

Managed Folder Content Settings

New-ManagedContentSettings -Name “Test Content” -FolderName “Test Inbox” -MessageClass * -AgeLimitForRetention 60 -RetentionAction MoveToDeletedItems -RetentionEnabled $true -TriggerForRetention WhenDelivered

 Managed Mailbox Folder Policy

New-ManagedFolderMailboxPolicy -Name “TestPolicy” -ManagedFolderLinks “Test Inbox”


Verify settings

[PS] C:Windowssystem32>Get-ManagedFolderMailboxPolicy “TestPolicy” |fl

[PS] C:Windowssystem32>Get-ManagedContentSettings “Test Content”|fl

[PS] C:Windowssystem32>Get-ManagedFolder “Test Inbox” |fl

 

Start the Managed Folder Assistant to process the mailbox.

Apply to single user:

 Set-Mailbox -Identity testuser -ManagedFolderMailboxPolicy “TestPolicy”

Start-ManagedFolderAssistant -ID  testuser

Apply to a database level:

Get-Mailbox –database “Database Name” | Set-Mailbox –ManagedFolderMailboxPolicy “Name of the Policy”

Tip:

If you run into issues wait about 30 mins for the folders to replicate after created them. You can also stop and restart the “Managed Folder Assistant” service.

 

Would love to know how others handled this issue.

References:

http://technet.microsoft.com/en-us/library/bb508901%28EXCHG.80%29.aspx
http://technet.microsoft.com/en-us/library/dd335093.aspx

Exchange 2010 and AD user provisioning script

Hello all, so  I know its been a while since my last post and I have not really posted anything Infosec related recently but to be honest I have been so busy at work I have not had any time for anything else.

Today I wanted to share with you a script that I originally got from  http://www.myexchangeworld.com , I have been working on tweaking this script as part of our migration to 2010. We normally get a list csv file with (Firstname, Lastname, StudentID) from our registra department and we have to create AD, and Exchange user account for these users.

The script would have worked as it is but instead of adding the following fields in the csv file I wanted to have the script input these vaules on the fly:

  •  User principal name
  • Alias
  • Database
  • OU
  • Display Name
  • Retention policy
Also we currently have three Exchange database for our Students (Student Store A-F, G-M and N-Z). So if a user last name matches any of those the script needed to automatically sort the user in the correct store.
This part of the script handled that:
Function ReadCSV
 {
 Param([string]$fileName)
 $users = Import-Csv $fileName
 foreach ($user in $users){
 $flln = $user.'last name'.ToUpper().Substring(0)
 $db = ""
 if(($flln.CompareTo("A") -ge 0) -and ($flln.CompareTo("F") -le 0)){
 $db = "Student Store A-F"
 }
 elseif($flln.CompareTo("G") -ge 0 -and $flln.CompareTo("M") -le 0){
 $db = "Student Store G-M"
 }
 else{
 $db = "Student Store N-Z"
 }
And here is the entire script –>http://pastebin.com/Lwcd4t4Y
I still have a few issues and maybe someone can help me with them:
  • According to a posting over at  technet social  I am unable to use the New-Mailbox cmdlest to add the user ID number to the Office field of the AD user properties.
  • I am also trying to add a portion after the user create portion to add group memberships and user profile path
I must also give a big shutout to byte_bucket over at the pauldotcom IRC room for helping me tweak this script, enjoy and leave your comments.