Managing users

Let's take a look at the most common recipient type in an Exchange organization—Mailbox enabled users. A mailbox in Exchange is associated with an Active Directory user account. The mailbox provides users the capability to store messages, tasks, notes, attachments and send and receive messages.

In this topic, we will cover how to manage mailbox enabled users, and we are going to use the Exchange management shell to perform all the management activities.

Before proceeding further, let's review the permission model briefly here to understand what permissions are required to perform user management tasks. This will be covered in detail in Chapter 4, Exchange Security.

With the release of Exchange 2010 and later, Microsoft introduced Role Based Access Control (RBAC), which is a permission model to manage various aspects of an Exchange organization. You do not need to rely on Active Directory Access Control Lists (ACLs) as you did in the previous versions of Exchange such as Exchange 2007 and earlier. Microsoft tried to fix issues by modifying ACLs and their unintended results such as carrying these modifications through upgrades and troubleshooting permission issues to improve the delegation model in the Exchange management.

With RBAC, administrators and helpdesk staff now have a way to provide granular access based on the task that a group is about to perform. I would like to stop here and pick this up later in Chapter 4, Exchange Security. At this point, if you think you are using the correct cmdlet to manage users in Exchange and it's not returning the result that you expect, review Chapter 4, Exchange Security and come back to this section.

Creating a Mailbox for a new user

Some of the ways you can create mailboxes in Exchange 2013 are listed here:

• Create a new user in Active Directory and a new mailbox for the user
• Enable the mailbox for an existing user in the Active directory

Creating a new user in Active Directory and a new mailbox for the user

The new-mailbox cmdlet in Exchange 2013 and 2016 is used to create a new user in the Active directory and a new mailbox on the Exchange 2013 server. For example, the following command creates a mailbox for Frank Miller:

New-Mailbox -Alias Frankm -Name "Frank Miller" -FirstName Frank -LastName Miller -DisplayName "Frank Miller" -UserPrincipalName frankm@contoso.com -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force)

Most of the parameters of the new-mailbox are self-explanatory, and you can use help to understand the syntax and parameters using Get-help new-mailbox –detailed.

The ConvertTo-SecureString function converts a plain text string called Pa$$w0rd1 into a secure string that will be accepted by Windows PowerShell when creating a new user account in Active Directory. The cmdlet will create the user in the default Organizational Unit (OU). If you want to create the user object in a specific OU, specify that you are using the –OrganizationalUnit parameter. If you notice carefully, the –Database option is not specified, but the cmdlet still succeeds in creating the new mailbox. This is possible due to the introduction of a new feature in the Exchange 2010 Service Pack 2 and later, called Automatic mailbox distribution feature, which will select a mailbox database to store the new or moved mailboxes. If you think this feature can create confusion in your Exchange Organization, it can be controlled using the role-based access control using Database management scopes, which we are going to cover in Chapter 4, Exchange Security.

Enabling mailbox for an existing user in Active directory

If you already have a user account in active directory and would like to create a mailbox for that user, Enable-Mailbox is the cmdlet for you. For example, the following cmdlet will enable the mailbox for Holly Holt on the database called MailboxDatabase01:

Enable-Mailbox holly@contoso.com -Database MailboxDatabase01

If you want to enable mailboxes for all the users, you can use the Get-User cmdlet to list and filter the users based on your requirement and then use pipe (|) to pass the output objects as input for the Enable-Mailbox cmdlet. For example, the following cmdlet will enable mailboxes for all users in the Sales department:

Get-user –Filter {Department -eq "Sales"} | Enable-Mailbox

Once the users are created in Active Directory with their mailbox enabled, you can then change any of the Active Directory properties using the Set-User cmdlet and exchange the related properties with the Set-Mailbox cmdlet.

The following cmdlet changes the department property of the users from sales to marketing and company attribute to Contoso:

Set-User –Identity Holly –Department Marketing –Company Contoso

Let's set the maximum message size that Holly can send to 3 MB:

Set-mailbox –identity holly –MaxSendSize 3145728

You can also run the cmdlets called Set-User and Set-Mailbox on multiple objects using the filtering capabilities of PowerShell and the usage of pipeline. The next example will change the issue Warning Quota, Prohibit Send Quota, and Prohibit Send Receive Quota to 3 GB, 4 GB, and 5 GB respectively to the users in the marketing organization unit. So, it will first warn the user that the mailbox is getting near the Quota at 3 GB but will still allow e-mail to be received and sent. After 4 GB, it will stop the user from sending emails and after 5 GB, both sending and receiving emails to and from these mailboxes will be stopped. Mailbox Quotas can also be applied on the Mailbox database on Exchange. The parameter called –UseDatabaseQuotaDefaults is set to False, so the quota applied on the mailbox database will not be applicable for these users:

Get-Mailbox –OrganizationalUnit "Marketing" | Set-Mailbox –IssueWarningQuota 3GB –ProhibitSendQuota 4GB –ProhibitSendReceiveQuota 5GB –UseDatabaseQuotaDefaults $false