Master Exchange 2007

powershell, automation & more…

Exchange 2007 and Windows 2008 R2

Posted by shauncroucher on November 5, 2009

Yesterday, Microsoft revealed that they are planning to release an update in the future to support Windows 2008 R2 as a platform to install Exchange 2007.

This is great news for many. Read the blog posting by the Exchange team here:



Posted in Global\General | Leave a Comment »

Exchange 2007 Physical edb database size too large reduce size move mailbox offline defrag

Posted by shauncroucher on November 3, 2009


There is a myth that the only way to deal with an oversized *PHYSICAL* edb file in Exchange 2007 is to run an online and then offline defrag.

This is not true. You can use the Move-Mailbox method on a new database to effectively reduce the size of the database holding your mailboxes. The great thing about this method is that neither an online OR an offline defrag is required, so you can achieve the desired effect on the spot, perhaps after deleting (or Disable-Mailbox’ing) a whole bunch of mailbox enabled users.

Whilst it is true that you will never change the physical size of a database without doing an offline defrag, you can deal with an oversized database by deleting it. Stay with me.

The method is as follows:

1) If you have deleted item retention configured on your Exchange 2007 server, inform your users to check their ‘Recover Deleted Items’ using OWA or Outlook. This is the message dumpster location where deleted items get sent when they have been emptied. The items will remain accessible until the retention period has passed. The next step will make the Dumpster unavailable.

2) Create a new Storage Group and Database (you can just create a new database if you prefer, but it’s generally good practice to try keeping 1 database to 1 Storage Group).

3) Use the Move-Mailbox cmdlet, or the Move Mailbox management shell facility to move ALL the mailboxes from the original oversized database to the new database.

4) If you are dropping the original database, once all mailboxes have been moved, restart the Microsoft Exchange System Attendant service to ensure the system mailboxes get recreated.

5) Remove the original database files and log files.

Voila. You now have a mailbox database that does not include the white space (mailboxes and deleted items in the dumpster) and you will be left with a mailbox database that is smaller than the original.

Note that this process also involves no downtime for the users and no risky offline defrag. Granted, offline defrag will normally run without causing a problem, but because it operates on the database page by page, there is a chance that data loss will occur. It is far, far better to use this Move-Mailbox approach.

Move-Mailbox command syntax would be as follows (Get-Mailbox -Database enumerates the mailboxes held in the source database, which is what Move-Mailbox expects on the pipeline, rather than the database object itself):

Get-Mailbox -Database "Name of Mailbox Database" -ResultSize Unlimited | Move-Mailbox -TargetDatabase "Name of Target Database" -Confirm:$false
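The five steps above as one script, added here as an example and not code from the original post. It assumes PowerShell 2.0 or later in the Exchange 2007 Management Shell; the server, storage group and database names are placeholders for your own. The part worth copying is the check between steps 3 and 5: nothing is dismounted or deleted until the source database is verifiably empty, because step 5 destroys whatever is still in it.

```powershell
# Added example, not code from the original post: steps 2 to 5 as one script.
# Assumes PowerShell 2.0+ in the Exchange 2007 Management Shell.
$Server      = "MAILSERVER"                                      # placeholder
$OldDatabase = "MAILSERVER\First Storage Group\Mailbox Database" # placeholder
$NewSgName   = "Second Storage Group"                            # placeholder
$NewDbName   = "Mailbox Database 2"                              # placeholder

# Step 2: one new storage group holding one new database, mounted and ready.
$sg = New-StorageGroup -Server $Server -Name $NewSgName
$db = New-MailboxDatabase -StorageGroup $sg.Identity -Name $NewDbName
Mount-Database -Identity $db.Identity

# Step 3: move ALL mailboxes. -ResultSize Unlimited matters: Get-Mailbox otherwise
# stops at 1000 results, and any stragglers would be destroyed with the old
# database in step 5.
Get-Mailbox -Database $OldDatabase -ResultSize Unlimited |
    Move-Mailbox -TargetDatabase $db.Identity -BadItemLimit 10 -Confirm:$false

# Safety check before anything destructive: the source must be empty.
$left = @(Get-Mailbox -Database $OldDatabase -ResultSize Unlimited)
if ($left.Count -gt 0) {
    Write-Warning ("{0} mailbox(es) are still in {1}; fix these moves before removing it:" -f $left.Count, $OldDatabase)
    $left | ForEach-Object { Write-Warning ("    " + $_.DisplayName) }
    exit 1
}

# Step 4: recreate the system mailboxes by restarting the System Attendant.
Restart-Service MSExchangeSA

# Step 5: dismount and remove the database object, then delete the .edb file,
# which Remove-MailboxDatabase deliberately leaves on disk.
$old   = Get-MailboxDatabase -Identity $OldDatabase
$oldSg = Get-StorageGroup -Identity $old.StorageGroup
Dismount-Database -Identity $old.Identity -Confirm:$false
Remove-MailboxDatabase -Identity $old.Identity -Confirm:$false
Remove-Item -Path $old.EdbFilePath -Force

# Only drop the storage group (and its transaction logs) when nothing else lives in it.
if (@(Get-MailboxDatabase -StorageGroup $oldSg.Identity).Count -eq 0 -and
    @(Get-PublicFolderDatabase -StorageGroup $oldSg.Identity).Count -eq 0) {
    Remove-StorageGroup -Identity $oldSg.Identity -Confirm:$false
    Remove-Item -Path (Join-Path $oldSg.LogFolderPath "*.log") -Force
}
```

Run it from a copy you have edited with your own names; the -BadItemLimit value is a judgement call (the move skips that many corrupt items per mailbox rather than failing), so keep it low and look at the move report for any mailbox that hit it.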


Posted in Mailbox\Recipient | 2 Comments »

Microsoft support Exchange products

Posted by shauncroucher on November 2, 2009

Always worth keeping abreast of Microsoft support and product lifecycles.

This is where to find Microsoft product lifecycle information for Exchange 2007:


Posted in Miscellaneous | Leave a Comment »

Exchange 2007 allow relay authenticated users or printers or scanners or other device

Posted by shauncroucher on October 29, 2009

The Microsoft Exchange development team have documented the procedure for allowing an internal server to relay through Exchange. I won’t be covering this in any more detail as I believe the article is complete and I wouldn’t be able to add any extra value.

However, I would like to include a couple of useful cmdlets that I have used a few times to add specific relay rights for users who authenticate to the receive connector from outside the organisation.

First of all, you need to make sure that the external users have a way of authenticating to the appropriate receive connector. In the ‘Permissions’ tab, ensure Exchange Users is selected, and also ensure that the Authentication tab has an authentication mechanism they can use (such as Basic Authentication).

Allow authenticated users to send from your authoritative domains (the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender right) using

Get-ReceiveConnector "RECEIVECONNECTORID" | Add-ADPermission -User "NT AUTHORITY\Authenticated Users" -ExtendedRights "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

Allow authenticated users to relay using

Get-ReceiveConnector “RECEIVECONNECTORID” | Add-ADPermission -User ‘NT
AUTHORITY\Authenticated Users’ -ExtendedRights “ms-Exch-SMTP-Accept-Any-

CAUTION: Make sure you only do this for Authenticated Users and not Anonymous Logon, because you can easily turn your server into an Open Relay using these commands with the wrong group.

As always, make sure you have a good, complex password policy if you are allowing authentication to your Exchange server.
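An added example (not code from the original post) that does the grant above and then audits for the mistake the CAUTION warns about. The connector name is a placeholder and it assumes PowerShell 2.0 or later; the second extended right is written out in full (ms-Exch-SMTP-Accept-Any-Recipient) where the post's wrapped command line cuts it short. The audit function walks every receive connector in the organisation and reports any on which an unauthenticated principal holds Accept-Any-Recipient, along with the connector's bindings and remote IP ranges, since that combination is what makes a relay "open".

```powershell
# Added example, not code from the original post. Assumes PowerShell 2.0+.
$ConnectorId = "MAILSERVER\Client MAILSERVER"    # placeholder

# Grant relay to authenticated users only, as the post describes.
$trustee     = "NT AUTHORITY\Authenticated Users"
$relayRights = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender",
               "ms-Exch-SMTP-Accept-Any-Recipient"
foreach ($right in $relayRights) {
    Get-ReceiveConnector $ConnectorId |
        Add-ADPermission -User $trustee -ExtendedRights $right | Out-Null
}

# Audit: every receive connector where an unauthenticated principal can relay
# to any recipient. An empty result is the answer you want.
function Get-OpenRelayGrant {
    $unauthenticated = "NT AUTHORITY\ANONYMOUS LOGON", "Everyone"
    Get-ReceiveConnector | ForEach-Object {
        $rc = $_
        Get-ADPermission -Identity $rc.Identity | Where-Object {
            -not $_.Deny -and
            ($_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient") -and
            ($unauthenticated -contains $_.User.ToString())
        } | ForEach-Object {
            New-Object PSObject -Property @{
                Connector = $rc.Identity.ToString()
                Trustee   = $_.User.ToString()
                Bindings  = ($rc.Bindings      | ForEach-Object { $_.ToString() }) -join ", "
                RemoteIPs = ($rc.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ", "
                # AnonymousUsers in PermissionGroups is what lets such a grant be exercised
                Anonymous = ($rc.PermissionGroups.ToString() -like "*AnonymousUsers*")
            }
        }
    }
}

Get-OpenRelayGrant | Format-Table Connector, Trustee, RemoteIPs, Anonymous -AutoSize
```

A deliberate internal relay connector (the scenario in the Exchange team article the post links to) will show up here too; what distinguishes it from an open relay is a tight RemoteIPs list rather than 0.0.0.0-255.255.255.255, so read that column rather than just counting rows.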


Posted in Transport | 3 Comments »

How to bulk add Send-As and FullAccess permissions using exchange 2007 powershell using add-adpermission and add-mailboxpermission

Posted by shauncroucher on October 28, 2009

Some email administrators have been asking how to add the Send-As and FullAccess permission to many users at once for a particular user account.

It’s quite a straightforward command to achieve this, but it should be noted that it is not Add-MailboxPermission you use for the Send-As rights, it is Add-ADPermission.

You can easily amend this for adding FullAccess rights in bulk.

So, to add Send-As rights for user JoeBloggs to ALL Mailboxes in your organisation:

Get-Mailbox -ResultSize Unlimited | ForEach-Object { $mbDN = $_.DistinguishedName; Add-ADPermission -Identity $mbDN -User "DOMAIN\JoeBloggs" -ExtendedRights "Send-As" }

(-ResultSize Unlimited is needed because Get-Mailbox returns at most 1000 mailboxes by default, so without it larger organisations would silently miss some.)

The CSV Approach

And if you have a list of users\mailboxes OR both you wish to process:

Create a CSV with 2 columns: TheMailbox and TheUser.

For instance, let’s say the CSV looks like this:


This will give user emp66 Send-As rights to user emp70’s mailbox, user emp67 to user emp71’s mailbox, and so on.

$theList = Import-Csv "C:\thelist.csv"

ForEach ($theObject in $theList) { $theMBDN = (Get-Mailbox $theObject.TheMailbox).DistinguishedName; Add-ADPermission -Identity $theMBDN -ExtendedRights "Send-As" -User $theObject.TheUser }

To Add Mailbox ‘FullAccess’ permissions using the CSV approach…

Just a few small changes needed…

ForEach ($theObject in $theList) { $theMBDN = (Get-Mailbox $theObject.TheMailbox).DistinguishedName; Add-MailboxPermission -Identity $theMBDN -AccessRights "FullAccess" -User $theObject.TheUser }
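The CSV approach with the two things the one-liners leave out: a check that each mailbox actually resolves before anything is granted, and a review afterwards of who now holds Send-As and FullAccess on each touched mailbox (both rights let the delegate act as the owner, so they are worth listing). This is an added example, not code from the original post; the CSV rows are constructed sample data standing in for C:\thelist.csv, the names are placeholders, and it assumes PowerShell 2.0 or later.

```powershell
# Added example, not code from the original post. Assumes PowerShell 2.0+.
# Constructed sample data in place of C:\thelist.csv; names are placeholders.
$sampleCsv = @"
TheMailbox,TheUser
emp70,DOMAIN\emp66
emp71,DOMAIN\emp67
"@
$theList = $sampleCsv | ConvertFrom-Csv      # real run: Import-Csv "C:\thelist.csv"

function Grant-MailboxRight {
    # Grants one user one right on one mailbox; skips rows whose mailbox does
    # not resolve instead of failing part way through the list.
    param([string]$MailboxId, [string]$UserId, [string]$Right)   # Right: SendAs or FullAccess
    $mbx = Get-Mailbox -Identity $MailboxId -ErrorAction SilentlyContinue
    if ($mbx -eq $null) { Write-Warning "Mailbox '$MailboxId' not found, skipping"; return }
    switch ($Right) {
        "SendAs" {
            # Send-As is an AD extended right on the user object, hence Add-ADPermission
            Add-ADPermission -Identity $mbx.DistinguishedName -User $UserId `
                -ExtendedRights "Send-As" | Out-Null
        }
        "FullAccess" {
            # FullAccess is a mailbox right, hence Add-MailboxPermission
            Add-MailboxPermission -Identity $mbx.Identity -User $UserId `
                -AccessRights FullAccess -InheritanceType All | Out-Null
        }
        default { throw "Unknown right '$Right'" }
    }
}

foreach ($row in $theList) {
    Grant-MailboxRight -MailboxId $row.TheMailbox -UserId $row.TheUser -Right SendAs
    Grant-MailboxRight -MailboxId $row.TheMailbox -UserId $row.TheUser -Right FullAccess
}

# Review: explicit (non-inherited) Send-As and FullAccess holders per mailbox.
function Get-MailboxDelegate([string]$MailboxId) {
    $mbx = Get-Mailbox -Identity $MailboxId
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.Deny -and -not $_.IsInherited -and ($_.ExtendedRights -like "Send-As") } |
        ForEach-Object { New-Object PSObject -Property @{ Mailbox = $MailboxId; User = $_.User.ToString(); Right = "Send-As" } }
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.Deny -and -not $_.IsInherited -and ($_.AccessRights -like "*FullAccess*") -and
                       $_.User.ToString() -ne "NT AUTHORITY\SELF" } |
        ForEach-Object { New-Object PSObject -Property @{ Mailbox = $MailboxId; User = $_.User.ToString(); Right = "FullAccess" } }
}

$theList | ForEach-Object { Get-MailboxDelegate $_.TheMailbox } | Format-Table Mailbox, User, Right -AutoSize
```

Keeping the review output from each run gives you a simple before/after record of delegation changes, which is the first thing you will want when someone asks why a user could send as a colleague.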


Posted in Mailbox\Recipient | 12 Comments »

Basic SMTP Telnet test exchange 2007 send connector send port 25

Posted by shauncroucher on October 26, 2009

This test is designed to TEST ‘outbound’ mail. That is, mail that you are trying to send to external recipients from your organisation. It is important to run this test from the Exchange server if possible, to mimic the steps your Exchange server goes through as accurately as possible.

Note: you cannot use backspace or delete when using telnet; if you make a spelling mistake, start the command again after the error is generated.

Note: you should use < > around email addresses, as some email servers will not accept email addresses unless they are enclosed in < >.
Step 1

Use to find the MX record of the mail server you wish to test.

So to find the mailserver accepting email  for, type in the MX Lookup box.
Make a note of the hostname (or one of the multiple hostnames) returned, as we need this for Step 2.
Step 2

Note: If you are using Vista or Windows 2008, telnet is not enabled by default. See this excellent article on Petri for details on how to enable Telnet on Vista or Windows 2008.

Log onto your Exchange server and open up a command prompt.

Type the following:
[Wait for 220 response]
[Wait for 250 response]
[Wait for 250 response]
[Wait for 250 response]

[Wait for 354 response]
This is a test message
(note the dot on its own to end the session)
You should now get a message that the email has been queued for delivery.

Screenshot of how this conversation should look:

[Screenshot: telnet session to a server submitting an SMTP message]
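The same conversation as a script, added here as an example (not code from the original post), for when you want the test repeatable or want to keep the transcript. It checks every reply code the steps above tell you to wait for, wraps addresses in < > as the note says, falls back from EHLO to HELO for old servers, and returns the two-sided exchange. It needs network access from your Exchange server to the MX host you are testing, so unlike the other examples it cannot run in isolation; the host and addresses are placeholders, and it assumes PowerShell 2.0 or later.

```powershell
# Added example, not code from the original post. Assumes PowerShell 2.0+.
function Send-SmtpTestMessage {
    param(
        [string]$MxHost,                 # hostname from the MX lookup in Step 1
        [string]$From,                   # a mailbox in your own domain
        [string]$To,                     # a mailbox at the domain you are testing
        [int]$Port = 25,
        [string]$HeloName = [System.Net.Dns]::GetHostName()
    )
    $transcript = New-Object System.Collections.ArrayList
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 30000
    $client.Connect($MxHost, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"             # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # Reads one complete reply ('250-' lines are continuations of a multi-line
    # reply, '250 ' is the last line) and returns the three-digit code.
    function Read-Reply {
        do {
            $line = $reader.ReadLine()
            if ($line -eq $null) { throw "Connection closed by $MxHost" }
            [void]$transcript.Add("S: $line")
        } while ($line.Length -ge 4 -and $line[3] -eq "-")
        return [int]$line.Substring(0, 3)
    }
    function Send-Command([string]$Command, [int]$Expected) {
        [void]$transcript.Add("C: $Command")
        $writer.WriteLine($Command)
        $code = Read-Reply
        if ($code -ne $Expected) { throw "Expected $Expected after '$Command' but got $code" }
    }

    try {
        if ((Read-Reply) -ne 220) { throw "No 220 banner from $MxHost" }
        [void]$transcript.Add("C: EHLO $HeloName")
        $writer.WriteLine("EHLO $HeloName")
        if ((Read-Reply) -ne 250) { Send-Command "HELO $HeloName" 250 }   # pre-ESMTP fallback
        Send-Command "MAIL FROM:<$From>" 250     # angle brackets, as the note above says
        Send-Command "RCPT TO:<$To>" 250
        Send-Command "DATA" 354
        $writer.WriteLine("Subject: SMTP connectivity test")
        $writer.WriteLine("")                    # blank line separates headers from body
        $writer.WriteLine("This is a test message")
        Send-Command "." 250                     # a lone dot ends the message
        Send-Command "QUIT" 221
        $ok = $true; $err = $null
    } catch {
        $ok = $false; $err = $_.Exception.Message
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{ Success = $ok; Error = $err; Transcript = $transcript }
}

# $result = Send-SmtpTestMessage -MxHost "mx.example.com" -From "you@yourdomain.com" -To "someone@example.com"
# $result.Transcript   # the same exchange the screenshot shows, prefixed C:/S:
```

When Success is false, the Error text names the step and the code the remote server returned, which is usually enough to tell a blocked port 25 (no banner at all) from a policy rejection (a 5xx after RCPT TO) without re-typing the session.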

Posted in Transport | Leave a Comment »

Exchange 2007 Internal and External URL \ URL’s – Autodiscover Availability IMAP POP3 OOF OAB

Posted by shauncroucher on October 17, 2009

Exchange 2007 stores quite a few URLs for the new Autodiscover feature and for other services such as the Availability service, IMAP, POP3, OOF and OAB.

In total there are at least 7 PowerShell commands that can be used to display the URLs for Exchange.

If you are aware of any I have missed off the list, please leave me feedback and I will update this post.

This article is designed to show you which commands you will need to find all the URLs in your organisation. The commands will run for ALL servers in your organisation where appropriate.


Get-WebServicesVirtualDirectory | fl Id*,*url*

Get-OwaVirtualDirectory | fl Id*,*url*

Get-ClientAccessServer | fl Id*,*uri*

Get-OabvirtualDirectory | fl Id*,*url*

Get-ImapSettings | fl Id*,*509*,*url*

Get-POPSettings | fl Id*,*509*,*url*

Get-UMVirtualDirectory | fl Id*,*url*

The vast majority of these are self explanatory. The ones that are often forgotten are the POP and IMAP URLs, used for the additional CAS calendaring services that become available when the ‘OwaServerUrl’ value is set.

References: Security warning when you start Outlook 2007… – How to configure the Web Services URLs that are used by Outlook 2007 – More on Exchange 2007 and certificates – with real world scenario

Posted in Client Access | Leave a Comment »

Managing message size limits in Exchange 2007 using powershell

Posted by shauncroucher on October 11, 2009

The lists I have given below show the most common message size limits; however, there are some attachment and header limits that the commands may not show you, so follow the links at the bottom of this article for further information if you still have problems.

NOTE: Always include the qualifier ‘MB’ when using the management shell to specify message size restrictions.

NOTE: is the MASTER reference article for size restrictions for Exchange 2007 and most of the information below is plucked from there. The idea of this article is to extract and simplify some of the commands to get and set the settings.

Global Settings

Scope: RTM Only. Transport setting will change this automatically in SP1

Note: If the values found here differ from the values found using ‘get-transportconfig | fl M*ze’, the lowest value takes precedence.

Global Settings stored in Active Directory (access using ADSIEdit):
Configuration –> Services –> Microsoft Exchange –> [DOMAINNAME] –> Global Settings –> right-click Message Delivery –> check the settings below (the values are in KB):
msExchRecipLimit (default 5000)
submissionContLength (default 10240) (MaxSendSize)
delivContLength (default 10240) (MaxReceiveSize)

Transport Setting

Scope: Organisational limits for ALL EX2003 / EX2007 servers in the entire organisation.

To show current settings:
get-transportconfig | fl M*ze

To Alter:
Set-TransportConfig -MaxRecipientEnvelopeLimit <count> -MaxReceiveSize <size>MB -MaxSendSize <size>MB

Also check there are no transport rules that restrict the attachment size of messages.

Connector Limits

Scope: Will affect all messages using the specified connector, whether Send, Receive or Foreign.

To retrieve current settings:

get-ReceiveConnector | ft Id*,M*ze
Get-SendConnector | ft Id*, M*ze
Get-ForeignConnector | ft Id*, M*ze

To Alter:

Set-ReceiveConnector "<receive connector name>" -MaxMessageSize <size>MB
Set-SendConnector "<send connector name>" -MaxMessageSize <size>MB
Set-ForeignConnector "<foreign connector name>" -MaxMessageSize <size>MB

‘Server Specific’ Limits and Outlook Web Access (OWA) limits

Scope: Hub/Edge servers with Transport Rule AND Client Access Servers for the OWA restrictions.

Check there are no transport rules that impose ‘server specific’ attachment size restrictions.

CAS servers provide OWA for users to access mail using a web browser. The underlying engine is ASP.NET.

ASP.NET uses the maxRequestLength setting to determine the maximum amount of data that the web browser can submit to the Client Access server. The setting can be found in the web.config file.

See for instructions on changes needed here.

‘Multiple Sites’ and ‘E2000 \ E2003 Co-Existence’ Settings

Scope: Will affect messages using the site links and the routing group connectors for delivery. The settings themselves DO NOT affect least-cost routing decisions.

* Note that Exchange 2007 RTM does not support site link or routing group connector size limits, and routing loops may occur if they are set. SP1 and above does support size limits though.

Active Directory site links:

Get-AdSiteLink | ft Name,M*ze
Set-AdSiteLink “Site link name” -MaxMessageSize MB

Routing Group connectors:

Get-RoutingGroupConnector | ft Name,M*ze
Set-RoutingGroupConnector “Name of routing group connector” -MaxMessageSize MB

‘Users and Groups’ Settings

Scope: All the above is for Transport level restrictions, but you need to check the MaxMessageSize setting for the user mailbox/contact and also the groups they may belong to.

Get-Mailbox “name of mailbox user” | fl M*ze
Get-MailUser “name of user” | fl M*ze
Get-MailContact “name of contact” | fl M*ze
Get-DynamicDistributionGroup “name of dynamic dist” | fl M*ze
Get-DistributionGroup “name of dist” | fl M*ze
Get-MailPublicFolder “name of public folder” | fl M*ze

Manually SET a limit (if ‘unlimited’)

Some Exchange administrators have reported that the limits indicate ‘unlimited’ in one or more of these locations, and once they change it to a value (such as 100MB), the problems disappear. If you are unsure, I would recommend setting a limit rather than leaving it as ‘unlimited’.
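Because the limits live in so many places and the lowest one wins, it helps to pull them into one table. The following is an added example (not code from the original post) that gathers the send-path scopes listed above for one mailbox, converts Exchange's Unlimited<ByteQuantifiedSize> values to MB, reports which scope actually caps the user, and lists every scope still at ‘unlimited’ (the ones the paragraph above suggests setting explicitly). The mailbox name is a placeholder and it assumes PowerShell 2.0 or later. All send connectors, site links and routing group connectors are included; only the ones on a given message's route apply to it, so treat the table as the set of candidates.

```powershell
# Added example, not code from the original post. Assumes PowerShell 2.0+.
function ConvertTo-LimitMB($Limit) {
    # Returns MB as a number, or $null when the value is 'unlimited' (or absent).
    if ($Limit -eq $null) { return $null }
    if ($Limit.IsUnlimited) { return $null }
    return [math]::Round($Limit.Value.ToBytes() / 1MB, 2)
}

function Get-SendSizeLimitReport([string]$MailboxId) {
    $rows = New-Object System.Collections.ArrayList
    function Add-Row([string]$Scope, $Limit) {
        [void]$rows.Add((New-Object PSObject -Property @{ Scope = $Scope; MB = (ConvertTo-LimitMB $Limit) }))
    }

    # Organisation-wide
    Add-Row "TransportConfig MaxSendSize" (Get-TransportConfig).MaxSendSize
    # Connectors and links on the outbound path (candidates, see lead-in)
    Get-SendConnector          | ForEach-Object { Add-Row ("SendConnector '" + $_.Name + "'") $_.MaxMessageSize }
    Get-AdSiteLink             | ForEach-Object { Add-Row ("ADSiteLink '" + $_.Name + "'") $_.MaxMessageSize }
    Get-RoutingGroupConnector  | ForEach-Object { Add-Row ("RoutingGroupConnector '" + $_.Name + "'") $_.MaxMessageSize }
    # The sender's own object
    $mbx = Get-Mailbox -Identity $MailboxId
    Add-Row ("Mailbox '" + $mbx.Name + "'") $mbx.MaxSendSize

    $capped    = @($rows | Where-Object { $_.MB -ne $null } | Sort-Object MB)
    $unlimited = @($rows | Where-Object { $_.MB -eq $null } | ForEach-Object { $_.Scope })
    $effectiveMB = $null
    $limitedBy   = "nothing: every scope is unlimited"
    if ($capped.Count -gt 0) { $effectiveMB = $capped[0].MB; $limitedBy = $capped[0].Scope }

    New-Object PSObject -Property @{
        Mailbox     = $MailboxId
        EffectiveMB = $effectiveMB      # the lowest configured limit
        LimitedBy   = $limitedBy
        UnlimitedAt = $unlimited        # candidates for an explicit limit
        AllLimits   = $rows
    }
}

$report = Get-SendSizeLimitReport -MailboxId "JoeBloggs"      # placeholder mailbox
$report | Format-List Mailbox, EffectiveMB, LimitedBy, UnlimitedAt
$report.AllLimits | Sort-Object Scope | Format-Table Scope, MB -AutoSize
```

The inbound side is the mirror image (MaxReceiveSize on the transport config and mailbox, MaxMessageSize on receive connectors, and MaxReceiveSize on any group the message is addressed to), and the same ConvertTo-LimitMB helper handles those values unchanged.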

References: – Exchange 2007 Message Size Limits – Managing Message Size Limits – How to Modify Exchange 2003 Global Message Size Limits in Exchange 2007 RTM – Message Routing in a Coexistence Environment – How to Configure Message Size Limits for Internal Routing – How to Manage Maximum Message Size in Outlook Web Access

Posted in Mailbox\Recipient, Transport | 8 Comments »

Create UC SAN Private CA issued certificate to replace self signed certificate Exchange 2007

Posted by shauncroucher on September 20, 2009

This guide is intended to help you set up your own Certification Authority and issue a UC certificate for Exchange 2007 testing purposes \ lab environments.

It also uses powershell cmdlets wherever possible, rather than using the Windows 2008 or Exchange 2007 GUI interfaces.

When and why you shouldn’t use this guide

The reason I say this should be used for lab environments is because you really should use a commercial and trusted third party supplier of SSL certificates with Exchange 2007; it will save you a lot of time and aggravation over using a ‘Private CA’ certificate process. The problem with self signed certificates and Private CA issued certificates is that they are NOT TRUSTED by client devices, and so for the devices to use SSL successfully you have to import the SSL certificate or add the CA to the list of ‘trusted root certificates’. This can be achieved using a GPO for domain joined PCs (this is outside the scope of this document) or you have to manually install the certificate on non-domain devices – PCs and mobile devices alike.

Environment:

Windows 2008 Standard

Exchange 2007 (tested to work with SP1 and SP2)

Step 1 – Install the root certification authority role:

You will need to install the server role called ‘Active Directory Certificate Services’.

Go to ‘Server Manager’ –> ‘Add Roles’ wizard –> Choose ‘Active Directory Certificate Services’ –> Next –> Choose ‘Certification Authority’ only (don’t need the other role services) –> Enterprise –> Next –> Root CA –> Next –> Create a new private key –> Keep all defaults here (2048 length / RSA Sha1 key) –> Keep Common Name as default –> Next –> Valid for 5 years should be fine as this is just for testing, change if you wish –> Next, Finish

You should now have a Certification Authority from which you can process certificate requests. Next is on to creating the certificate request for exchange 2007.

Step 2 – Create the UC \ SAN certificate request

I would highly recommend navigating to the Digicert website and making use of their ‘free to use’ tool for creating an Exchange 2007 UCC cmdlet. (At the time of writing this could be found at

All in all you will need to include the ‘fully qualified domain name’ as specified for external access. The server NetBIOS name and distinguished name for internal access PLUS the autodiscover reference (autodiscover is a tool used for automating the configuration of Outlook 2007 clients and providing the URLs necessary for the availability service etc, this is outside the scope of this document).

So, if you wish your external users to access the service using and your internal domain name is domain.local with a server name of ‘server’ then you would want the following as SAN names:



Note: Make sure you include the common name of the certificate as a ‘Subject Alternative Name’ as well. In the example this is

Alternatively you can use the New-ExchangeCertificate cmdlet as below:

New-ExchangeCertificate -GenerateRequest -Path c:\domain.csr -KeySize 2048 -SubjectName “c=GB, s=TheState, l=TheCity, o=TheOrgName, ou=TheDeptName,” -DomainName, server.domain.local, server, -PrivateKeyExportable $True

Note that we are using the -GenerateRequest here which basically tells exchange to create a ‘request’ for a CA to process rather than creating a self-signed certificate. This is an important distinction.

Then we use the ‘certreq’ command to import the request file and generate us a certificate. (Note that you could try this by using the ‘Certification Authority’ directly but will be prompted with an error, because standalone CAs do not use certificate templates – see the ‘The request contains no certificate template information’ article in the references below.) For this reason, we can bypass the problem by using either the web enrollment OR the certreq.exe command as below.

certreq.exe -submit -attrib "CertificateTemplate:WebServer" c:\domain.csr

This will generate a .cer file for us to import into Exchange.

Step 3 – Process the certificate request file

Using the generated .cer, go into Certificate Authority MMC (Start –> Search –> type ‘Certification Authority’) –> Go to issued –> Go to certificate -> Open –> Details –> Copy to file –> Cryptographic message syntax standard -PKCS #7 Include all certificates in the path –> Export –> Export as C:\domain.p7b.

Now with the .p7b you can use this with the Import-ExchangeCertificate and Enable-ExchangeCertificate commands.

Step 4 – Importing the certificate and attaching the relevant services

Open up Exchange management shell and type:

Get-ExchangeCertificate

This will show you all the certificates on the system with their associated thumbprint. The thumbprint of the certificate uniquely identifies it. Each certificate will have a unique thumbprint even if all other details are the same.


Import-ExchangeCertificate -Path C:\domain.p7b

Once the certificate has been imported, you can attach the certificate to the relevant services.

The services are as follows:

IMAP – For secure IMAP services

POP – For secure POP services

UM – For Unified messaging

IIS – For autodiscover \ owa \ oab and other web related services

SMTP – For TLS communication

None – To set a certificate to have no associated services.

Use the Get-ExchangeCertificate command and record the thumbprint for the new certificate. You can right-click the shell window –> Mark –> highlight the thumbprint –> hit Enter to place the thumbprint in the clipboard.

Enable-ExchangeCertificate -Thumbprint <your thumbprint> -Services IIS, POP, IMAP, SMTP, UM

That is all that is required on the server side. You should now be able to run Get-Exchangecertificate and see all services attached.
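Before moving on to the clients, it is worth checking that the certificate you just enabled actually covers everything Exchange advertises. The following is an added example (not code from the original post or the Exchange cmdlets themselves) that ties this post to the earlier "Internal and External URL" post: it collects the Autodiscover, OWA, Web Services and OAB URLs from the cmdlets listed there, extracts each host name, and reports whether it matches a CertificateDomains entry on a certificate bound to a service, whether the URL is https, and whether any bound certificate is self-signed or expires within 30 days. No names are hard-coded; it assumes PowerShell 2.0 or later.

```powershell
# Added example, not code from the original post. Assumes PowerShell 2.0+.
function Get-ExchangeClientUrl {
    # One object per configured URL: source cmdlet/object, host name, https or not.
    $sources = @()
    Get-ClientAccessServer | ForEach-Object {
        $sources += New-Object PSObject -Property @{ Source = "Autodiscover " + $_.Name; Uri = $_.AutoDiscoverServiceInternalUri }
    }
    $vdirs = @(Get-OwaVirtualDirectory) + @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory)
    foreach ($v in $vdirs) {
        $sources += New-Object PSObject -Property @{ Source = $v.Identity.ToString() + " InternalUrl"; Uri = $v.InternalUrl }
        $sources += New-Object PSObject -Property @{ Source = $v.Identity.ToString() + " ExternalUrl"; Uri = $v.ExternalUrl }
    }
    $sources | Where-Object { $_.Uri -ne $null } | ForEach-Object {
        $u = [System.Uri]$_.Uri
        New-Object PSObject -Property @{ Source = $_.Source; Url = $u.AbsoluteUri; Host = $u.Host; Https = ($u.Scheme -eq "https") }
    }
}

function Test-HostCovered([string]$HostName, $CertificateDomains) {
    # -like treats a '*.domain.com' SAN as a wildcard. That is looser than TLS
    # (which matches a single label), so a match here is necessary, not sufficient.
    foreach ($d in $CertificateDomains) { if ($HostName -like $d) { return $true } }
    return $false
}

function Test-ExchangeCertificateCoverage {
    $active = @(Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -ne "None" })
    foreach ($c in $active) {
        if ($c.IsSelfSigned) {
            Write-Warning ("Self-signed certificate {0} is still bound to {1}" -f $c.Thumbprint, $c.Services)
        }
        if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning ("Certificate {0} expires on {1}" -f $c.Thumbprint, $c.NotAfter)
        }
    }
    foreach ($url in Get-ExchangeClientUrl) {
        $match = $active | Where-Object { Test-HostCovered $url.Host $_.CertificateDomains } | Select-Object -First 1
        $thumb = $null
        if ($match -ne $null) { $thumb = $match.Thumbprint }
        New-Object PSObject -Property @{
            Source     = $url.Source
            Url        = $url.Url
            Https      = $url.Https
            Covered    = ($match -ne $null)
            Thumbprint = $thumb
        }
    }
}

# Show only the rows that need attention; an empty table means every advertised
# host name is on an enabled certificate and served over https.
Test-ExchangeCertificateCoverage |
    Where-Object { -not $_.Covered -or -not $_.Https } |
    Format-Table Source, Url, Https, Covered -AutoSize
```

Any uncovered host here is a certificate warning waiting to happen on a client, and it is cheaper to add the name to the request (the -DomainName list in Step 2) and reissue than to chase the warning on each device later. An http OAB InternalUrl is the one row you may decide to accept, since Exchange 2007 does not require SSL on that directory by default; the rest should be https.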

Step 5 – Importing the ‘certificate authority’ to client devices

There are a number of ways to install the certificate to devices. The method described below works for me and should work for you.

On the server –> Go to IE –> Internet Options –> Content –> Certificates –> Go to Trusted Root Certification Authorities –> Export –> Cryptographic Message Syntax Standard (.P7B) + Include all certificates in the path –> Export.

Then on the computers that need to TRUST the ‘certificate authority’ certificate, simply IMPORT this certificate into Trusted Root Certification Authorities using the Internet Explorer Import command (make sure it is imported into Trusted Root Certification Authorities when prompted by the Import routine).

For mobile devices, copy the file to the Windows Mobile device, and then using the phone, select the certificate file and allow this to import.


After this you should be able to go to the URL for OWA and not get ANY certificate warnings.

You should be able to use Outlook Anywhere without any certificate warnings, and Activesync with SSL should work fine too.

As long as you have created the public DNS record, autodiscover will work too when it returns the https:// URL’s.

Feedback always welcome. Hope you found the article useful.

Based on information found in the following articles: – Active Directory Certificate Services Step-by-Step Guide – Understanding the Self-Signed Certificate in Exchange 2007 – Replacing the Exchange 2007 Self-Signed Certificate – You may receive a “The request contains no certificate template information” error message when you submit a CSR to an enterprise CA”– Enable-ExchangeCertificate

Posted in Client Access, Transport | 6 Comments »

Managing Public Folder Client Access Permissions – Exchange 2007 MSH / EMC (Exchange Management Shell)

Posted by shauncroucher on September 6, 2009

There are a number of ways to add permissions to public folders using the MSH (Exchange Management Shell).

Some of the common and useful commands for client permissions are as follows:

Add-PublicFolderClientPermission -Identity <PublicFolder> -User "Username" -AccessRights <Right>

The rights for public folders can be explicit rights such as “ReadItems” or “CreateItems” or ‘roles’ such as Owner, Contributor etc, which have a set of rights.

Add-PublicFolderClientPermission -Identity “Company Contacts” -AccessRights PublishingEditor -User Steve

This will add the PublishingEditor ‘role’ to Steve, so he is able to create and delete all items that he creates, and can delete all content items regardless of ownership (but cannot delete folders he does not own). He cannot change permissions on folders that he has not created.

There is also a Remove-PublicFolderClientPermission cmdlet that will remove any permissions you wish in the same manner as above.

This is fine on a folder by folder basis but what if we want to give permissions to All users or permissions for a specific user but recursively for a whole bunch of public folders. Well, that is where the AddUsersToPFRecursive.ps1 script comes in!

So, with this we specify the -TopPublicFolder and the username, and we can add the specified rights recursively to all public folders beneath it. Useful if you want the same permission structure on all public folders.

**    Note, if the Top level PF has a space, you must place the name in ‘ ‘ inside the ” “. So -TopPublicFolder “‘\My Computer'”    **

**    Note, that you need to put the \ at the beginning of the path to represent the beginning of the public folder structure     **

AddUsersToPFRecursive.ps1 -TopPublicFolder “MyCompany” -User “Steve” -Permission “PublishingEditor”

AddUsersToPFRecursive.ps1 -TopPublicFolder “MyCompany” -User “Default” -Permission “PublishingEditor” (the Default user permissions apply to all users that are not explicitly defined)

AddUsersToPFRecursive.ps1 -TopPublicFolder “MyCompany” -User “Default” -Permission “None” (the Default user permissions apply to all users that are not explicitly defined)

AddUsersToPFRecursive.ps1 -TopPublicFolder “MyCompany” -User “Mr.ManagingDirector” -Permission “Owner”
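The reverse of the recursive scripts above, added here as an example (not code from the original post or from the Exchange scripts): before you run a recursive -User "Default" change, and again afterwards, walk the tree and list every folder where Default or Anonymous (that is, everyone) holds rights that let them change or delete other people's items or alter the folder itself. The top folder is a placeholder and it assumes PowerShell 2.0 or later. The rights are compared by name, so both explicit rights (EditAllItems) and roles (PublishingEditor) are caught whichever way Get-PublicFolderClientPermission reports them.

```powershell
# Added example, not code from the original post. Assumes PowerShell 2.0+.
function Get-WideOpenPublicFolder {
    param([string]$TopPublicFolder = "\")
    # Rights and roles that let everyone change/delete others' items or the folder.
    $risky = "Owner", "PublishingEditor", "Editor", "PublishingAuthor",
             "EditAllItems", "DeleteAllItems", "FolderOwner", "FolderContact", "CreateSubfolders"

    Get-PublicFolder -Identity $TopPublicFolder -Recurse -ResultSize Unlimited | ForEach-Object {
        $pf = $_
        Get-PublicFolderClientPermission -Identity $pf.Identity | ForEach-Object {
            $perm = $_
            $who  = $perm.User.ToString()
            # Named users are reviewed separately; this is about the catch-all entries.
            if ($who -ne "Default" -and $who -ne "Anonymous") { return }
            $rights = @($perm.AccessRights | ForEach-Object { $_.ToString() })
            $hits   = @($rights | Where-Object { $risky -contains $_ })
            if ($hits.Count -gt 0) {
                New-Object PSObject -Property @{
                    Folder = $pf.Identity.ToString()
                    User   = $who
                    Rights = ($rights -join ", ")
                    Risky  = ($hits -join ", ")
                }
            }
        }
    }
}

Get-WideOpenPublicFolder -TopPublicFolder "\MyCompany" | Format-Table Folder, User, Risky -AutoSize   # placeholder folder
```

Run it against "\" to cover the whole hierarchy; on a large tree it is slow, since it is one Get-PublicFolderClientPermission call per folder, so pipe the output to Export-Csv and review it offline rather than re-running it.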

There are a number of other scripts with similar recursive powers, the names are pretty self explanatory, but review in more detail by following links below.

RemoveUserFromPFRecursive.ps1 – Configuring Public Folder Permissions – How to Add Permissions for Client Users to Access Public Folder Content – Scripts for Managing Public Folders in the Exchange Management Shell


Posted in Miscellaneous, Public Folder | 3 Comments »