• Shared Mailbox and Archive: Q & A

     

    Had a chat with Rui Silva on Shared Mailboxes, and an interesting question came up…:-)

    Question =

    Can a user who has been given Full Mailbox Access permissions to a Shared Mailbox open that Shared Mailbox's Archive in Exchange 2010 RTM?

    Answer =

    Yes, using Microsoft Office Outlook 2010

    Time to Test :-)

    I have created a new Shared Mailbox, called Info.

    Pic0693

    I have given a mailbox-enabled user called User4, Full Mailbox Access to that shared mailbox. And I have enabled an Online Archive for that Shared Mailbox.

    Pic0696 

    Using OWA, User 4 can open the Shared Mailbox.

    Pic0695

    But User 4 does not see the Archive of the Shared Mailbox!

    Pic0700  

    Using Microsoft Office Outlook 2010, User 4 can open the Shared Mailbox Info as an additional mailbox.

    Pic0697

    And the online Archive is visible…

    Pic0698

    and Accessible!

    Pic0699

     

    Ilse

  • Exchange 2010 Sp1 Beta is available now, let’s have a first look

    As posted by the Exchange team yesterday, it is true: Exchange Server 2010 SP1 Beta Now Available for Download

    Once you have downloaded the files, and deployed them, you are ready to rock the Exchange 2010 Sp1 world.

    Let’s have a short look at some of the new features..

    1. Ability to store a user’s personal archive in a different mailbox database than the one homing its primary mailbox

    Pic0568

     

    Pic0569

     Pic0570

    Pic0571

    2. Theme selection available in Outlook Web App

    Pic0566

     Pic0567

     

     

    3. Possibility to create a new role group using ECP

    Pic0572

     Pic0573

    4. Possibility to create a new role assignment policy using ECP

    Pic0574

     Pic0575

    5. Ability to create transport and journal rules using ECP

    Pic0576

     Pic0577

     Pic0578

     Pic0579

    6. Ability to create Retention Policy Tags and Retention Policies using the EMC

     Pic0580

     Pic0581

    Just a few first impressions…more to follow :-)

    Ilse

  • Support for multi-tenancy in Exchange 2010?

     

    Yes there is…:-) For more information, you can download the document that will help you to plan, deploy, and manage Exchange Server 2010 Sp1 (Beta) in a multi-tenant organization.

    Pic0000

    And if you want to know more, and share your thoughts, go to the Exchange 2010 for Hosters forum, available here.

     

    Pic0001

     

    Ilse

  • Don’t forget to update your LDAP filters to OPATH filters when transitioning from Exchange 2003 to Exchange 2010

    The Microsoft Exchange Team has published a number of posts documenting why and how to convert any LDAP filter used in your Exchange 2003 environment to an OPATH filter.

    For more info have a look here:

    Last month I was in Luxembourg, talking about Exchange 2010, and one of the attendees wanted to know if the script provided by Bill Long to convert LDAP to OPATH was still valid for converting any LDAP filter to OPATH in an Exchange 2003-Exchange 2010 environment. I promised to blog the answer, which is, luckily enough: YES :-)

    Environment

    In my demo environment, I have an Exchange 2003 SP2 server, and I have just finished installing an Exchange 2010 RTM (Mailbox, CAS, HUB) server in that organization. As can be seen in the picture below:

    Pic0649

    I have the following address lists defined in my Exchange organization:

    Pic0650

    All Rooms is a new address list, included with Exchange 2010, that contains all resources that have been designated as a room in your organization. In this setup it is the only address list that can be managed using the Exchange 2010 management tools.

    Why do we need to convert from LDAP to OPATH?

    As taken from the MsExchangeTeam blog, here it is:

    OPATH is the basis for the filtering syntax used by PowerShell, and is therefore the filtering syntax used by Exchange 2007. It replaces the complicated syntax of LDAP used in Exchange 2003, and will allow for filters which are easier to create and interpret.

    When using the Exchange Management Console 2010 to edit any of the existing address lists (besides All Rooms), the following error message will pop up:

    Pic0651

    Using the Exchange System Manager, no error pops up…except for the newly built-in address list All Rooms, which generates the following error when trying to edit it using the Exchange System Manager:

     

     Pic0657

     Pic0658

    Convert from LDAP to OPATH

    The conversion can be done using the Exchange Management Shell, and its cmdlet Set-AddressList, which will enable you to populate a value for the parameter RecipientFilter:

    Pic0669

    Converting the default address lists is not that complicated; you just need to run the following lines:

    Set-AddressList "All Users" -IncludedRecipients MailboxUsers

    Set-AddressList "All Groups" -IncludedRecipients MailGroups

    Set-AddressList "All Contacts" -IncludedRecipients MailContacts

    Set-AddressList "Public Folders" -RecipientFilter { RecipientType -eq 'PublicFolder' }

    The Default Global Address List is a bit more complicated…

    Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}

    Converting a custom-built LDAP filter is less easy, and that’s where the script can be a tremendous help!

    Using the script

    To download the script, click here!

    Pic0683

    Rename the file to .ps1, and you are ready to go.

    In this example I will use the script to convert the LDAP filter used for my custom address list that includes all users that have customattribute1 set to a value of “mechelen”, by populating the attribute RecipientFilter.

    Pic0669

    To convert I enter:

    Set-AddressList "All users in Mechelen" -RecipientFilter (.\ConvertFrom-LdapFilter (Get-AddressList "All users in Mechelen").LdapRecipientFilter)

    Pic0674

    After running the script, I can manage the Address List, using the Exchange 2010 Management Console:

    Pic0676
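
    An added example, not part of the original post or of Bill Long's script: it goes beyond the single address list above and inventories every address list and GAL that still carries a legacy LDAP filter, showing the old filter next to the proposed OPATH filter before anything is changed. It assumes the Exchange 2010 Management Shell with the ConvertFrom-LdapFilter script in the current directory; the function name `Convert-LegacyAddressLists` is hypothetical.

    ```powershell
    function Convert-LegacyAddressLists {      # hypothetical helper name
        param([switch]$Apply)                  # report only unless -Apply is given

        # Cmdlet pairs for the two object types converted in the post.
        $pairs = @(
            @{ Get = 'Get-AddressList';       Set = 'Set-AddressList' },
            @{ Get = 'Get-GlobalAddressList'; Set = 'Set-GlobalAddressList' }
        )
        foreach ($pair in $pairs) {
            # 'Legacy' marks a filter that is still stored as Exchange 2003 LDAP.
            # @() keeps the loop from running once on $null in PowerShell 2.0.
            $legacy = @(& $pair.Get |
                Where-Object { $_.RecipientFilterType -eq 'Legacy' })
            foreach ($list in $legacy) {
                $opath = .\ConvertFrom-LdapFilter $list.LdapRecipientFilter
                if ($Apply) {
                    & $pair.Set -Identity $list.Identity -RecipientFilter $opath
                }
                # Emit old and new filter side by side for review.
                New-Object PSObject -Property @{
                    Name    = $list.Name
                    Cmdlet  = $pair.Set
                    Ldap    = $list.LdapRecipientFilter
                    Opath   = $opath
                    Applied = [bool]$Apply
                }
            }
        }
    }

    # Dry run first: review every proposed OPATH filter, then re-run with -Apply.
    Convert-LegacyAddressLists | Format-List Name, Cmdlet, Ldap, Opath, Applied
    ```

    Reviewing the dry-run output matters because an address list filter decides which recipients are visible in that list; a filter that converts to something broader than intended changes what users can see.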

     

    Ilse

  • RBAC-Exchange 2010 Sp1 Beta – Scopes = EMC, EMS, and ECP (!)

    As described in the TechNet forums (link http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/92925f7c-97ba-4a96-a4c4-33c193a7b201), I had the same problem when delegating permissions using RBAC, and setting a scope to a subset of users in my Exchange 2010 RTM organization.

    For example, when delegating the “Mail Recipients” role to a user and adding the parameter RecipientOrganizationalUnitScope to make sure the user could only manage mail recipients located in one particular Organizational Unit, the user was able to manage only the intended recipients using both the Exchange Management Console, and using the Exchange Management Shell, but when using the Exchange Control Panel, all recipients would be marked as read-only.

    Let’s see if this is different in an Exchange 2010 organization deployed with Sp1 Beta, available for download here.

    Step 1. Creating the WHERE = Creating a Management SCOPE

    I want my user “Admin1” to be able to manage all mailbox-enabled users that have customattribute6 set to a value of “Sunshine”.

    In my environment, I have a total of 44 mailbox-enabled users, of which 11 have been given a value of “Sunshine” for customattribute6.

    Pic0619

    To create the scope, I use the EMS cmdlet New-ManagementScope, name the scope “CA6 = Sunshine”, and define two criteria:

    - only mailbox-enabled users

    - that have a value set to “Sunshine” for CustomAttribute6.

    Pic0621

    Using the cmdlet Get-Recipient, it is easy to see which objects fall within the defined scope:

    Pic0622

    Step 2. Define the WHAT = Creating or customizing a Management ROLE

    I want my Admin1 to be able to manage all mail recipients, EXCEPT for changing the value of CustomAttribute6.

    Therefore I will create a new management role, by copying the existing Mail Recipients role, and remove the parameter CustomAttribute6 from the list of parameters that can be changed. In addition, I do not want my Admin1 to be able to change the phone number, since these numbers are linked to my CS14 environment!

    First, copy the existing management role of Mail Recipients:

    Pic0623

    Second, remove the parameters of Phone and CustomAttribute6!

     Pic0624

     

    Pic0625

    Step 3. Define the WHO = Creating a ROLE GROUP

    In Exchange 2010 Sp1 Beta, it is possible to create a new role group using the Exchange Control Panel.

    Logging into OWA as Administrator, I go to Options, and there I select to manage My Organization.

    Pic0626

    In the left pane I select to manage Roles & Auditing

    Pic0627 

    And click New…and give the new role group a name, a description, select the just created scope and role, and add Admin1 to the new group!

    Pic0628

     Pic0629

    After clicking Save, it is time to test :-)

    Step 4. Test using EMC

    When launching EMC, logged on as Admin1, I can see the necessary information is retrieved..

    Pic0630

     Pic0631

    When trying to change a setting for user1, I get an access denied:

    Pic0632

    When a mailbox-enabled user falls into my management scope, I can change anything, except for the value of CustomAttribute6.

    Pic0633

    Step 5. Test using the EMS

    Same results…

    Pic0637

    Step 6. Test using ECP

    And yes…it works :-)

    All settings for users outside the management scope are greyed out; I can change any permitted setting for a user in my management scope.

    Pic0634

     Pic0635

     Pic0636
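
    Steps 1 to 3 above, followed by the checks a reviewer would run, as an added Exchange Management Shell example that is not the commands from the original screenshots. The scope name, Admin1 and user1 come from the post; the role name and role group name are hypothetical.

    ```powershell
    # Added example; run in the Exchange Management Shell.
    $scope     = 'CA6 = Sunshine'               # scope name used in the post
    $role      = 'Mail Recipients - Sunshine'   # hypothetical role name
    $roleGroup = 'Sunshine Recipient Admins'    # hypothetical role group name

    # Step 1 (WHERE): only mailbox-enabled users with CustomAttribute6 = Sunshine.
    New-ManagementScope -Name $scope -RecipientRestrictionFilter {
        RecipientType -eq 'UserMailbox' -and CustomAttribute6 -eq 'Sunshine'
    }

    # Preview who falls inside the scope before granting anything.
    Get-Recipient -Filter {
        RecipientType -eq 'UserMailbox' -and CustomAttribute6 -eq 'Sunshine'
    } | Format-Table Name, CustomAttribute6 -AutoSize

    # Step 2 (WHAT): child role of Mail Recipients, then strip the two
    # parameters from every role entry that exposes them.
    New-ManagementRole -Name $role -Parent 'Mail Recipients'
    foreach ($param in 'CustomAttribute6', 'Phone') {
        Get-ManagementRoleEntry "$role\*" -Parameters $param | ForEach-Object {
            Set-ManagementRoleEntry "$role\$($_.Name)" -Parameters $param -RemoveParameter
        }
    }

    # Step 3 (WHO): role group that ties role, scope and member together.
    New-RoleGroup -Name $roleGroup -Roles $role `
        -CustomRecipientWriteScope $scope -Members 'Admin1'

    # Check 1: the assignment carries the custom write scope.
    Get-ManagementRoleAssignment -Role $role |
        Format-List Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope

    # Check 2: no entry in the role still exposes the removed parameters
    # (both commands should return nothing).
    Get-ManagementRoleEntry "$role\*" -Parameters CustomAttribute6
    Get-ManagementRoleEntry "$role\*" -Parameters Phone

    # Check 3: Admin1 has no write access to user1, who is outside the scope
    # (should return nothing; EffectiveUserName holds the user's display name).
    Get-ManagementRoleAssignment -WritableRecipient 'user1' -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq 'Admin1' }
    ```

    Removing CustomAttribute6 from the role is what keeps the delegation contained: the scope is defined on that attribute, so an admin who could edit it would be able to move recipients in or out of their own scope.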

    Lots of fun coming our way with Exchange 2010 Sp1 :-)

    Ilse