In Exchange 2003, Active Directory Users and Computers (ADUC) was the place to go for recipient management. This was frustrating to some, as it was a management environment totally separate from the Exchange system management console. In Exchange 2007, this recipient management functionality has been integrated back into the Exchange management tools, both in Exchange management shell and in Exchange management console.

So, without further delay, the top 5 ADUC activities:

1. Creating a new mailbox

The most common activity by Exchange administrators in Exchange 2003 ADUC was to create a new mailbox (new user with mailbox properties). Note that included in this scope is taking an existing non-mailbox-enabled user and adding mailbox properties to it.

This administrator action is very easily accomplished in Exchange 2007 using the new Exchange management console or the Exchange management shell. We'll focus here on both the new and the enable case for Mailbox only, although the pattern is nearly identical for the other recipient objects (DistributionGroup, MailContact, etc.).

In the image above, you can see that the new Exchange 2007 recipient management GUI is integrated directly into the Exchange 2007 management console.

Step 1: The red arrow in the image above indicates the action in the action pane to create a new mailbox.

Step 2: The second page of the New Mailbox wizard allows you to create a new user or select an existing user. In order to create a "New User", you must have the appropriate AD permissions to create a user object (such as Windows Account Operator). Creating a mailbox on an "Existing User" requires only that you be granted Exchange Recipient Administrator permissions, which facilitates split-permissions scenarios where one group is responsible for creating users and another for creating mailboxes.

If you choose to mailbox-enable an "Existing User", you will then be able to select the user to enable from a GUI picker like the one below:

Note that only users that are not already configured for mail or mailbox properties will be shown in this picker. Also, if you are creating a User Mailbox, only AD-enabled users will be shown (likewise, if you are creating a Resource mailbox or Linked Mailbox, only disabled user accounts will be shown).

In Exchange 2007 management shell, the new and enable cases were covered in Jared's "Recipient Management One-liners" post the other day, so I won't revisit them here.

2. Modifying properties on a mailbox

Once you've created a new mailbox, it is likely you will want to manage some properties on this recipient object. Exchange 2007 recipient management tools allow you to manage both the Exchange property set and some portions of the Windows/AD property set, as permissions granted to your user account allow (Exchange Recipient Administrator role for the Exchange property sets and Windows Account Operator for the AD property set - see Ross' Property Sets post for more details on these property sets).

This administrator action is very easily accomplished in Exchange 2007 using the new Exchange management console or the Exchange management shell. We'll focus here on the "properties" case for Mailbox only, although the pattern is nearly identical for the other recipient objects (DistributionGroup, MailContact, etc.).

In the image above, the red arrow points to the "Properties" action in the action pane. With the mailbox you wish to edit selected, you can click on "Properties" to review and change the properties on a mailbox object.

From these property pages you can review or modify various user or mailbox-related properties such as name, displayname, mailbox quotas, etc.

In Exchange 2007 management shell, various "set" cases were covered in Jared's "Recipient Management One-liners" post the other day, so I won't revisit them here.

3. Configuring "Exchange Features" on a mailbox

Once you've created a new mailbox, it is likely you will want to manage the status and settings of some Exchange Mailbox features. In Exchange 2003 these were called "Exchange Features" and include configuring the various mobile services and protocols available to access a mailbox.

This administrator action is very easily accomplished in Exchange 2007 using the new Exchange management console or the Exchange management shell. We'll focus here on the "Exchange ActiveSync" case only, although the pattern is similar for the other mailbox features.

After opening up mailbox properties, as above, and switching to the Mailbox Features tab in the GUI, various mailbox features are listed. Some features allow access to feature-specific properties, while some features allow an enable/disable action.

In the case of the "Exchange ActiveSync" feature, the option is available to enable/disable the feature for this mailbox, as well as to review or modify the properties of the feature for this mailbox.

Within the properties dialog, you can configure this mailbox to have an ActiveSync policy applied:

In Exchange 2007 management shell, various "set" cases (including configuring mailbox features) were covered in Jared's "Recipient Management One-liners" post the other day, so I won't revisit them here.

4. Moving mailboxes

Moving mailboxes between mailbox databases or servers is a common activity using Exchange 2003 ADUC. In Exchange 2003, it could be challenging to select the correct set of users to move, particularly if the criteria were complex (for instance, all mailboxes in a certain distribution group, or all mailboxes with a particular custom attribute set).

This administrator action is very easily accomplished in Exchange 2007 using the Exchange management console or the Exchange management shell.

In the image above, the red arrow points to the "Move Mailbox..." action in the action pane. You can select multiple mailboxes to be moved in one action, and you can use the "Create Filter" feature of the recipient workcenter to help you select the correct mailbox or mailboxes to move.

At the Exchange management shell, even more extensive filtering is possible. The Move-Mailbox cmdlet will directly take a pipelined input of mailbox objects to be moved, so any filtered output from Get-Mailbox can be used to feed a Move-Mailbox action as a simple one-liner.

For example, if I wanted to move all mailboxes with CustomAttribute1 set to "Executive", I could run the following one-liner:

Get-Mailbox -Filter { CustomAttribute1 -eq 'Executive' } | Move-Mailbox -TargetDatabase MyTargetMDB
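
The same bulk move with the selection reviewed and validated before anything changes. This is an added example, not code from the original post; it assumes the Exchange 2007 management shell, reuses the article's sample values 'Executive' and 'MyTargetMDB', and the distribution group name in the commented alternative is hypothetical.

```powershell
# Added example. Run in the Exchange 2007 management shell.
# 'Executive' and 'MyTargetMDB' are the article's sample values.
$targetName = 'MyTargetMDB'

# Resolve the target first: a bare database name can exist on more than one server.
$target = @(Get-MailboxDatabase -Identity $targetName)
if ($target.Count -ne 1) {
    throw "Expected exactly one database named '$targetName', found $($target.Count)."
}

# Capture the selection once, so the set you review is the set you move.
$selected = @(Get-Mailbox -ResultSize Unlimited -Filter { CustomAttribute1 -eq 'Executive' })

# Alternative selection for the distribution-group case mentioned earlier
# (the group name 'Executive Staff' is hypothetical):
# $selected = @(Get-DistributionGroupMember 'Executive Staff' |
#     Where-Object { $_.RecipientType -eq 'UserMailbox' } | Get-Mailbox)

# Drop mailboxes that already live on the target database.
$toMove = @($selected | Where-Object {
    $_.Database.DistinguishedName -ne $target[0].DistinguishedName
})

# Review before acting: which mailboxes matched, and where they are now.
$toMove | Sort-Object Name | Format-Table Name, Alias, Database -AutoSize
Write-Host ("{0} matched the filter, {1} to move" -f $selected.Count, $toMove.Count)

# Pre-flight: -ValidateOnly evaluates each move and reports the result
# without changing anything.
$toMove | Move-Mailbox -TargetDatabase $target[0].Identity -ValidateOnly

# Real move. -Confirm prompts before each mailbox is moved.
$toMove | Move-Mailbox -TargetDatabase $target[0].Identity -Confirm
```

Run the script up to the -ValidateOnly line first and read its output; run the final line only once the list and the validation results are what you expect.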

5. Checking for or changing email addresses on a mailbox/mail-enabled object

Another common task for ADUC is to check for email addresses or change them on a particular recipient object. In Exchange 2003, this was commonly done immediately after creating a mailbox or mail-enabled object, to see if the Recipient Update Service (RUS) had processed the object yet. Since Exchange 2007 eliminates the RUS (will be covered separately) in favor of immediate email address provisioning, this check may not be as necessary in Exchange 2007.

Even so, there may be times where it is useful to inspect the email addresses stamped onto a mailbox or mail-enabled recipient. And, of course, there may be times where you need to change the application of Email Address Policy for a particular mailbox/mail-enabled recipient and control their email addresses directly.

After opening up mailbox properties, as above, and switching to the Mailbox Features tab in the GUI, the current email addresses are listed.

The red arrow in the image above indicates the checkbox where you can enable or disable Email Address Policy for this mailbox. If the checkbox is checked (the default state), the mailbox will fall under Email Address Policy control and some options are disabled. If unchecked, you will be able to control all aspects of the mailbox email address assignment.

Removing the legacy ADUC extensions

You may have noticed from my examples above or while using the Exchange 2007 Beta2 console that there are no longer any legacy ADUC extensions installed on Exchange 2007 servers or admin-only consoles. These extensions have been deprecated for Exchange 2007 to consolidate recipient management into a single, updated management interface.

This was done for a number of reasons:

- Attack the cost of managing users (add/delete/modify) by introducing automation. Since the Exchange 2007 recipient management tools are built on top of PowerShell cmdlets, we were able to introduce automation and a powerful bulk management solution. In a Radicati study of Exchange 2003, the second highest administrative labor cost was managing users (second only to managing rich clients!)

- Truly support the split-permissions model where an Exchange Administrator can do everything relevant to Exchange within one console.

- Simplify the management of the GAL and recipient types from the Exchange console - only the objects and attributes that pertain to Exchange are shown.

- Make recipient types explicit, rather than implicit. Exchange 2007 has 13 different explicit recipient types and having these types differentiated makes it easier to manage recipients, lowering labor costs.

The downside is that customers who today use ADUC to do non-Exchange-related user management along with their mailbox management may need to use two tools. This may equate to a retraining cost. To help mitigate training costs, a custom Exchange 2007 console snap-in can be created to only show the recipient configuration node and its children (none of the organizational or server management nodes) - see below for details!

For many customers who today use ADUC for recipient management, two tools will not be necessary as the most common recipient management activities are available in the new management toolset (as shown above).

Creating a Recipient Management only console

As mentioned above, it is possible to create a custom console snap-in which has only the Recipient node of the console available, in a few easy steps. This custom console can be used to hide the additional management capabilities of the Exchange 2007 management console from administrators or helpdesk staff who are focused on recipient management.

Step 1: Open MMC.exe directly (no snap-ins added)

Step 2: Add the Exchange Snap-in to this empty MMC console

Step 3: Select the Recipient Configuration node. Right click and choose "New Window from Here"

Step 4: Under File->Options, configure the Console mode and options to "lock it down", as desired.

Step 5: Save this custom MMC to an MSC file. This MSC file can be used to launch your new "Recipient Management Only" console!

- Evan Dodds