Chapter 7. Working with Groups, Lists, and Templates

Groups, lists, and templates are extremely important in Microsoft Exchange Server 2003 administration. Careful planning of your organization’s groups, address lists, and address templates can save you countless hours in the long run. Unfortunately, most administrators don’t have a solid understanding of these subjects, and the few who do spend most of their time on other duties. To save yourself time and frustration, study the concepts discussed in this chapter and then use the step-by-step procedures to implement the groups, lists, and templates for your organization.

Using Security and Distribution Groups

You use groups to grant permissions to similar types of users, to simplify account administration, and to make it easier to contact multiple users. For example, you can send a message addressed to a group, and the message will go to all the users in that group. Thus, instead of having to enter 20 different e-mail addresses in the message header, you enter one e-mail address for all of the group members.

Group Types, Scope, and Identifiers

Microsoft Windows defines several different types of groups, and each of these groups can have a unique scope. In Active Directory domains, you use three group types:

  • Security. Groups that you use to control access to network resources. You can also use user-defined security groups to distribute e-mail.

  • Standard Distribution. Groups that have fixed membership and that you use only as e-mail distribution lists. You can’t use them to control access to network resources.

  • Query-Based Distribution. Groups for which membership is determined based on a Lightweight Directory Access Protocol (LDAP) query and that you use only as e-mail distribution lists. The LDAP query is used to build the list of members whenever messages are sent to the group.

Note

Local groups are available only on local computers, and they aren’t discussed here. Additionally, query-based distribution groups are only available when Exchange is running in native mode.

Security and standard distribution groups can have different scopes—domain local, built-in local, global, and universal—so that they are valid in different areas.

  • You use domain local groups to grant permissions within a single domain. Members of domain local groups can include elements only from the domain in which they are defined.

  • Built-in local groups are a special group scope that has domain local permissions. For the sake of simplicity, they are often referred to as domain local groups. Built-in local groups differ from other groups in that you can’t create or delete them.

  • You use global groups to grant permissions to elements in any domain in the domain tree or forest. Members of global groups can include elements only from the domain in which they are defined. You can’t use predefined global groups.

  • You use universal groups to grant permissions on a wide scale throughout a domain tree or forest. Members of universal groups include elements from any domain in the domain tree or forest.

Tip

You can create security groups with universal scope only when Windows is operating in native mode. Note also that the operations mode for Windows is different from the operations mode for Exchange Server 2003. Windows operations mode supports or restricts backward compatibility with pre–Windows 2000 computers. Exchange Server 2003 operations mode supports or restricts backward compatibility with pre–Exchange 2000 servers. For more detailed information on Windows operations and groups, I recommend reading Chapters 6 through 10 of Microsoft Windows Server 2003 Administrator’s Pocket Consultant (Microsoft Press, 2003).

When you work with security and standard distribution groups, there are many things you can and can’t do based on the group’s scope. A summary of these items is shown in Table 7-1. Keep in mind that contacts can be members of groups as well.

Table 7-1. Understanding Group Scope

| Scope | Windows Native-Mode Membership | Windows Mixed-Mode Membership | Group Membership |
| --- | --- | --- | --- |
| Domain Local Scope | Accounts, global groups, and universal groups from any domain; domain local groups from the same domain only. | Accounts and global groups from any domain. | Can be put into other domain local groups and assigned permissions only in the same domain. |
| Global Scope | Only accounts from the same domain and global groups from the same domain. | Only accounts from the same domain. | Can be put into other groups and assigned permissions in any domain. |
| Universal Scope | Accounts from any domain as well as groups from any domain, regardless of scope. | Can’t be created in mixed-mode domains. | Can be put into other groups and assigned permissions in any domain. |

When you work with query-based distribution groups, keep in mind that this feature is only available when Exchange is running in native mode and all Exchange servers in the enterprise are using at least Exchange 2000 with Service Pack 3. Query-based distribution groups do not have a specific local, global, or universal scope. Here, the membership could include only members of the local domain or it could include users and groups from other domains, domain trees or forests, and scope is determined by the container associated with the group when it is created.

More specifically, the associated container defines the root of the search hierarchy, and the LDAP query filters to recipients in and below the specified container. For example, if the container associated with the group is adatum.com, the query filter is applied to all recipients in this domain. If the container associated with the group is the Engineering organizational unit, the query filter is applied to all recipients in or below this container.

As it does with user accounts, Windows uses unique security identifiers (SIDs) to track groups. This means that you can’t delete a group, re-create it, and then expect all the permissions and privileges to remain the same. The new group will have a new SID, and all the permissions and privileges of the old group will be lost.

When to Use Security and Standard Distribution Groups

Exchange Server 2003 changes the rules about how you can use groups. Previously, you could use only distribution groups to distribute e-mail. Now, you can use both security and distribution groups to distribute e-mail and, as a result, you might need to rethink how and when you use groups.

Rather than duplicating your existing security group structure with distribution groups that have the same purpose, you might want to selectively mail-enable your security groups. For example, if you have a security group called Marketing, you don’t need to create a MarketingDistList distribution group. Instead, you could enable Exchange mail on the original security group.

You can mail-enable built-in and predefined groups as well. Some of the groups you might want to consider mail-enabling include the following:

  • Account Operators

  • Backup Operators

  • Domain Admins

  • Domain Users

  • Print Operators

  • Server Operators

You might also want to mail-enable security groups that you previously defined. Then, if existing distribution groups serve the same purpose, you can delete the distribution groups.

When to Use Domain Local, Global, and Universal Groups

Domain local, global, and universal groups give you numerous options for configuring groups. Although these group scopes are designed to simplify administration, poor planning can make these group scopes your worst administration nightmare. Ideally, you’ll use group scopes to help you create group hierarchies that are similar to your organization’s structure and that reflect the responsibilities of particular groups of users.

The best uses for domain local, global, and universal groups are as follows:

  • Groups with domain local scope have the smallest extent. Use groups with domain local scope to distribute mail to users within a specific department or office and to help you manage access to resources such as shared folders and printers. Typically, you add user accounts, global groups, and universal groups as members of domain local groups.

  • Use groups with global scope to help you manage e-mail distribution, user accounts, and computer accounts in a particular domain. Then you can grant access permissions to a resource by making the group with global scope a member of the group with domain local scope.

  • Groups with universal scope have the largest extent. Use groups with universal scope to consolidate groups that span domains. Normally, you do this by adding global groups as members.

Tip

If your organization doesn’t have two or more domains, you don’t really need to use universal groups. Instead, build your group structure with domain local and global groups. If you ever bring another domain into your domain tree or forest, you can easily extend the group hierarchy with universal groups.

When to Use Query-Based Distribution Groups

It’s a fact of life that over time users will move to different departments, leave the company, or accept different responsibilities. With standard distribution groups, you’ll spend a lot of time managing group membership when these types of changes occur—and that’s where query-based distribution groups come into the picture. With query-based distribution groups, there isn’t a fixed group membership and you don’t have to add or remove users from groups. Instead, group membership is determined by the results of an LDAP query sent to your organization’s global catalog (or dedicated expansion) server whenever mail is sent to the distribution group.

When the member list returned in the results is relatively small (fewer than 25 members), you’ll get the most benefit from query-based distribution. If there are potentially hundreds or thousands of members, however, query-based distribution is very inefficient and could require a great deal of processing to complete. You can shift the processing requirements from the global catalog server to a dedicated expansion server (a server whose only task is to expand the LDAP queries). However, it could still take several minutes to resolve and expand large distribution lists.

One other thing to note about query-based distribution is that you can only associate one specific query with each distribution group. For example, you could create separate groups for each department in the organization. You could have groups called QD-Accounting, QD-BizDev, QD-Engineering, QD-Marketing, QD-Operations, QD-Sales, and SQ-Support. You could in turn create a standard distribution group or a query-based distribution group called AllEmployees that contains these groups as members—thereby establishing a distribution group hierarchy.

When using multiple parameters with query-based distribution, keep in mind that multiple parameters typically work as logical AND operations. For example, if you create a query with a parameter that matches all BizDev employees and a parameter that matches all Marketing employees, the query results will not contain a list of all BizDev and Marketing employees. Rather, the results will contain a list only of employees who are members of both BizDev and Marketing. In this case, you get the expected results by creating a query-based distribution group for all BizDev employees, another query-based distribution group for all Marketing employees, and a final group that has as members the other two distribution groups.
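The following added example (not code from the chapter) models how a query-based group expands: the associated container limits the search to recipients in or below it, and multiple parameters combine as a logical AND. The recipients, group DNs, and the helper names parse_filter, expand, and expand_nested are constructed for illustration, and the parser handles only a subset of LDAP filter syntax.

```python
# Added illustration, not code from the chapter. All directory data is constructed.
BIZDEV = "CN=BizDev,OU=Groups,DC=adatum,DC=com"
MARKETING = "CN=Marketing,OU=Groups,DC=adatum,DC=com"
RECIPIENTS = [  # constructed sample recipients
    {"dn": "CN=Ann,OU=Staff,DC=adatum,DC=com", "memberOf": [BIZDEV]},
    {"dn": "CN=Bob,OU=Staff,DC=adatum,DC=com", "memberOf": [MARKETING]},
    {"dn": "CN=Cy,OU=Staff,DC=adatum,DC=com", "memberOf": [BIZDEV, MARKETING]},
    {"dn": "CN=Dee,OU=Engineering,DC=adatum,DC=com", "memberOf": [BIZDEV]},
]


def parse_filter(text):
    """Parse an LDAP filter string (subset: &, |, !, equality, presence)."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i = s[i], i + 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError(f"'{op}' needs at least one sub-filter")
        node = (op, children)
    elif i < len(s) and s[i] == "!":
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    else:
        end = s.find(")", i)
        if end == -1:
            raise ValueError("unterminated filter item")
        attr, sep, value = s[i:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"expected attr=value at offset {i}")
        node = ("=", attr.strip().lower(), value)
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def matches(node, entry):
    """Evaluate a parsed filter against one recipient entry."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    if isinstance(values, str):
        values = [values]
    if value == "*":  # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def in_scope(dn, base_dn):
    """True if dn is the container itself or lies below it (plain string compare)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def common_name(dn):
    return dn.split(",")[0].split("=", 1)[1]


def expand(base_dn, filter_text, directory=RECIPIENTS):
    """Members a query-based group would resolve to for this container and filter."""
    tree = parse_filter(filter_text)
    return [common_name(e["dn"]) for e in directory
            if in_scope(e["dn"], base_dn) and matches(tree, e)]


def expand_nested(queries, directory=RECIPIENTS):
    """Union of several query-based groups, as when a parent group nests them."""
    seen = []
    for base_dn, filter_text in queries:
        for name in expand(base_dn, filter_text, directory):
            if name not in seen:
                seen.append(name)
    return seen


if __name__ == "__main__":
    domain = "DC=adatum,DC=com"
    both = f"(&(memberOf={BIZDEV})(memberOf={MARKETING}))"
    print("AND of both parameters:", expand(domain, both))
    print("Two groups nested in a third:", expand_nested(
        [(domain, f"(memberOf={BIZDEV})"), (domain, f"(memberOf={MARKETING})")]))
    print("Engineering container only:",
          expand("OU=Engineering,DC=adatum,DC=com", f"(memberOf={BIZDEV})"))
```

Running the same comparison against a preview of the real group is the quickest way to catch a filter that silently resolves to far fewer recipients than intended.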

Working with Security and Standard Distribution Groups

As you set out to work with groups, you’ll find that there are tasks specific to each type of group as well as tasks that can be performed with any type of group. Because of this, I’ve divided the group management discussion into three sections. In this section, you’ll learn about the typical tasks you perform with security and standard distribution groups. The next section discusses tasks you’ll perform only with query-based distribution groups. The third section discusses general management tasks.

The tool to use when you want to work with groups is Active Directory Users And Computers. Be sure to start this snap-in from the Microsoft Exchange menu.

Note

If you don’t have a Microsoft Exchange menu on your computer, follow the steps discussed in Chapter 1, in the section "Exchange Server Administration Tools." This ensures you are using the Exchange Server 2003 version of System Manager and Active Directory Users And Computers.

Creating Security and Standard Distribution Groups

You use groups to manage permissions and to distribute e-mail. As you set out to create groups, remember that you create groups for similar types of users. Consequently, the types of groups you might want to create include the following:

  • Groups for departments within the organization. Generally, users who work in the same department need access to similar resources and should be a part of the same e-mail distribution lists.

  • Groups for roles within the organization. You can also organize groups according to the users’ roles within the organization. For example, you could use a group called Executives to send e-mail to all the members of the executive team and a group called Managers to send e-mail to all managers and executives in the organization.

  • Groups for users of specific projects. Often, users working on a major project need a way to send e-mail to all the members of the team. To solve this problem, you can create a group specifically for the project.

You can create a security or distribution group by completing the following steps:

  1. Start Active Directory Users And Computers. Right-click the container in which you want to place the group, point to New, and then select Group. This opens the New Object – Group dialog box shown in Figure 7-1.

    Figure 7-1. Use the New Object – Group dialog box to create security and distribution groups.

  2. Type a name for the group. Group names aren’t case-sensitive and can be up to 64 characters long.

  3. The first 20 characters of the group name are used to set the pre–Windows 2000 group name. This group name must be unique in the domain. If necessary, change the pre–Windows 2000 group name.

  4. Select a group scope—either Domain Local, Global, or Universal. If you are unsure which scope to use, the recommended scope is Universal. You can’t change the group scope when you’re operating in Windows mixed mode. When you’re operating in Windows native mode, keep the following in mind:

    1. You can convert a domain local group to universal scope, provided it doesn’t have as its member another group having domain local scope.

    2. You can convert a global group to universal scope, provided it’s not a member of any other group having global scope.

    3. You can’t convert a universal group to any other group scope.

    Note

    You can create universal security groups only when the Windows operations mode is set to native. The Windows operations mode is different from the Exchange Server 2003 operations mode.

  5. Select a group type—either Security or Distribution.

  6. Click Next. If you’ve properly installed the Exchange extensions on the computer that you’re running, you’ll be able to choose whether the group should have an e-mail address. If the group shouldn’t have an e-mail address, clear the Create An Exchange E-Mail Address check box, and then skip Step 7. Otherwise, ensure Create An Exchange E-Mail Address is selected.

  7. Like users, groups have an Exchange alias. The Exchange alias is set to the group name by default. You can change this value by entering a new alias. The Exchange alias is used to set the group’s e-mail address.

  8. Mail for the group is routed through the specified administrative group. As necessary, use the Associated Administrative Group selection list to change the default setting.

  9. Click Next, and then click Finish to create the group. If you created an Exchange e-mail address for the group, e-mail addresses are configured automatically for Simple Mail Transfer Protocol (SMTP), X.400, and other Exchange connectors you’ve configured. Exchange Server uses the SMTP address for receiving messages.

  10. Creating the group isn’t the final step. Afterward, you might want to do the following:

    1. Add members to the group.

    2. Make the group a member of other groups.

    3. Assign a manager as a point of contact for the group.

    4. Set message size restrictions for messages mailed to the group.

    5. Limit users who can send to the group.

    6. Change or remove default e-mail addresses.

    7. Add additional e-mail addresses.

Assigning and Removing Membership for Individual Users, Groups, and Contacts

All users, groups, and contacts can be members of other groups. You control the membership of these elements at the object level or at the group level. To manage membership at the object level, complete the following steps:

  1. In Active Directory Users And Computers, double-click the user, contact, or group entry. This opens a Properties dialog box.

  2. Click the Member Of tab. To make the object a member of a group, click Add. This opens the Select Groups dialog box. You can now choose groups that the currently selected object should be a member of.

  3. To remove the object from a group, select a group, and then click Remove.

  4. When you’re finished, click OK.

Adding and Removing Group Members

Another way to manage group membership is to use the group’s Properties dialog box to add or remove multiple objects. To do this, follow these steps:

  1. In Active Directory Users And Computers, double-click the group entry. This opens the object’s Properties dialog box.

  2. Click the Members tab. To add objects to the group, click Add. This opens the Select Users, Contacts, Computers, Or Groups dialog box. You can now choose objects that should be members of this currently selected group.

  3. To remove members from a group, select an object, and then click Remove.

  4. When you’re finished, click OK.

Enabling and Disabling a Group’s Exchange Server Mail

You use mail-enabled groups to distribute e-mail to multiple users, contacts, and even to other groups. They have an Exchange alias and one or more e-mail addresses associated with them. You can mail-enable a group by completing the following steps:

  1. In Active Directory Users And Computers, right-click the group name, and then select Exchange Tasks to start the Exchange Task Wizard.

  2. If a Welcome wizard page is displayed, click Next. You can skip the Welcome page in the future by selecting Do Not Show This Welcome Page Again.

  3. Under Available Tasks, select Establish An E-Mail Address, and then click Next.

  4. Type an Exchange alias for the group, and then click Finish.

  5. New e-mail addresses are generated and set as the default addresses for SMTP, X.400, and other Exchange mail connectors you’ve configured.

Later, if you want to delete the Exchange alias and remove any e-mail addresses that might be associated with the group, follow these steps:

  1. In Active Directory Users And Computers, right-click the group name, and then select Exchange Tasks to start the Exchange Task Wizard.

  2. If a Welcome wizard page is displayed, click Next.

  3. Under Available Tasks, select Delete E-Mail Addresses, and then click Next.

  4. Click Finish. All e-mail addresses associated with the group are deleted.

Working with Query-Based Distribution Groups

Just as there are tasks only for security and standard distribution groups, there are also tasks only for query-based distribution groups. These tasks are discussed in this section. As before, the tool to use when you want to work with groups is Active Directory Users And Computers. Be sure to start this snap-in from the Microsoft Exchange menu.

Creating Query-Based Distribution Groups

With query-based distribution groups, group membership is determined by the results of an LDAP query. As long as Exchange is running in native mode, you can create a query-based distribution group and define the query parameters, by completing the following steps:

  1. Start Active Directory Users And Computers. Right-click the container in which you want to place the group, point to New, and then select Query-Based Distribution Group. This opens the New Object – Query-Based Distribution Group dialog box shown in Figure 7-2.

    Figure 7-2. Use the New Object – Query-Based Distribution Group dialog box to create query-based distribution groups.

  2. Type a name for the group. Group names aren’t case-sensitive and can be up to 64 characters long.

  3. Like users, groups have an Exchange alias. The Exchange alias is set to the group name by default. You can change this value by entering a new alias. The Exchange alias is used to set the group’s e-mail address.

  4. The container in which you create the group defines the scope of the query. This means the LDAP query you define for the group filters to recipients in and below the specified container. The default container, displayed in the Apply Filter To list box, is the one you right-clicked to create the group. To specify a different container for limiting the query scope, click Change and then use the Choose A Container dialog box to select a container. In most cases, you’ll want to select the domain container.

  5. Click Customize Filter and then click Customize. This displays the Find Exchange Recipients dialog box shown in Figure 7-3.

    Figure 7-3. Use the Find Exchange Recipients dialog box to customize the LDAP query parameters.

  6. Select Entire Directory in the In drop-down list and then click Browse. Use the Browse For Container dialog box to choose the container you want to work with.

  7. On the General tab, select the specific types of recipients you want to search for. For example, if you want to search only for users with mailboxes, select Users With Exchange Mailbox and clear the other check boxes.

  8. If you want to limit the search to a specific Exchange server or mailbox store, click the Storage tab. Select Mailboxes On This Server or Mailboxes In This Mailbox Store as appropriate and then type the server or mailbox store name in the field provided. Click Browse to search for the resource you want to use.

  9. On the Advanced tab, click Field, point to the type of object you want to work with, such as User, and then select a filter parameter. Next, use the Condition list to specify a match condition, such as Is (Exactly). After you enter an associated condition value, click Add to add the filter parameter to the Condition List. Repeat this step to define other filter parameters.

  10. Click OK to close the Find Exchange Recipients dialog box. Afterward, click Next and then click Finish to create the group. E-mail addresses are configured automatically for SMTP, X.400, and other Exchange connectors you’ve configured. Exchange Server uses the SMTP address for receiving messages.

  11. Creating the group isn’t the final step. Afterward, you might want to do the following:

    1. Preview the group to confirm its membership and determine how long it takes to return the query results.

    2. Assign a manager as a point of contact for the group.

    3. Set message size restrictions for messages mailed to the group.

    4. Limit users who can send to the group.

    5. Change or remove default e-mail addresses.

    6. Add additional e-mail addresses.

Previewing Query-Based Distribution Group Membership

You can preview a query-based distribution group to confirm its membership and determine how long it takes to return the query results.

  • In some cases, you might find that the membership isn’t what you expected. If this happens, you’ll need to change the query filters as discussed in the next section.

  • In other cases, you might find that it takes too long to execute the query and return the results. If this happens, you might want to rethink the query parameters. You might want to create several query groups.

To preview query-based distribution group membership, follow these steps:

  1. Start Active Directory Users And Computers. Double-click the group you want to work with and then click the Preview tab.

  2. As shown in Figure 7-4, the Preview pane shows the group members and the LDAP Filter pane shows the LDAP query.

    Figure 7-4. Preview the group to confirm its membership is as expected and determine how long it takes to run the query.

  3. Click Start to determine how long it takes to execute the query and return results.

  4. Click OK to close the Properties dialog box.

Changing Query Filters

You can change the LDAP query used with a query-based distribution group by completing the following steps:

  1. Start Active Directory Users And Computers. Double-click the group you want to work with to display its Properties dialog box.

  2. On the General tab, the Filter pane is used to set the query parameters. If you created a custom filter, you can click Customize to display the Find Exchange Recipients dialog box and then use the options of the General, Storage, and Advanced tabs to change the existing query parameters or define new ones.

  3. Click OK twice when you are finished and then preview the group membership to confirm that the changes produce the expected results.

Other Essential Tasks for Managing Groups

Previous sections covered tasks that were specific to a type of group. As an Exchange administrator, you’ll find that there are many additional group management tasks that you’ll need to perform. These essential tasks are discussed in this section.

Changing a Group’s Exchange Server Alias

Each mail-enabled group has an Exchange alias and one or more e-mail addresses associated with it. Whenever you change a group’s naming information, new e-mail addresses can be generated and set as the default addresses for SMTP, X.400, and other Exchange mail connectors you’ve configured. These e-mail addresses are used as alternatives to e-mail addresses previously assigned to the group. To learn how to change or delete these additional e-mail addresses, see the section of this chapter entitled "Changing, Adding, or Deleting a Group’s E-Mail Addresses."

To change the group’s Exchange alias, complete the following steps:

  1. In Active Directory Users And Computers, double-click the group name. This opens the group’s Properties dialog box.

  2. Click the Exchange General tab, and then in the Alias field, type a new Exchange alias.

  3. Click OK.

Changing, Adding, or Deleting a Group’s E-Mail Addresses

When you create a mail-enabled group, default e-mail addresses are created for SMTP, X.400, and other Exchange connectors you’ve configured. Any time you update the group’s Exchange alias, new default e-mail addresses can be created. The old addresses aren’t deleted, however; they remain as alternative e-mail addresses for the group.

To change, add or delete a group’s e-mail addresses, follow these steps:

  1. Open the Properties dialog box for the group by double-clicking the group name in Active Directory Users And Computers. Then click the E-Mail Addresses tab.

  2. To create a new e-mail address, click New. In the New E-Mail Address dialog box, select the type of e-mail address, and then click OK. Complete the Properties dialog box, and then click OK again.

  3. To change an existing e-mail address, double-click the address entry, and then modify the settings in the Properties dialog box. Click OK.

  4. To delete an e-mail address, select it, and then click Remove. To confirm the deletion, click Yes when prompted.

Note

Exchange Server uses the SMTP address to send and receive messages. You can’t delete the default SMTP address, but you can rename it.

Hiding Groups from Exchange Address Lists

By default, any mail-enabled security group or other distribution group that you create is shown in Exchange address lists such as the global address list. If you want to hide a group from the address lists, follow these steps:

  1. Start Active Directory Users And Computers.

  2. Double-click the group you want to work with to display its Properties dialog box.

  3. On the Exchange Advanced tab, select Hide Group From Exchange Address Lists.

  4. Click OK.

Note

When you hide a group, it isn’t listed in Exchange address lists. If a user knows the name of a group, he or she can still use it in the mail client. To prevent users from sending to a group, you must set message restrictions as discussed in the section of this chapter entitled "Setting Usage Restrictions on Groups."

Hiding and Displaying Group Membership

Hiding group membership is different from hiding the group itself. By default, users can view the membership of two types of groups: security groups that are mail-enabled and standard distribution groups. You can prevent viewing the group membership if necessary. To do so, follow these steps:

  1. In Active Directory Users And Computers, right-click the group name, and then select Exchange Tasks to start the Exchange Task Wizard.

  2. If a Welcome wizard page is displayed, click Next.

  3. Under Available Tasks, select Hide Membership and then click Next.

  4. Click Next again and then click Finish.

  5. If you later decide that you want users to be able to view group membership, repeat this process but this time select Unhide Membership.

Note

Membership of query-based distribution groups is not displayed in global address lists because it is generated only when mail is sent to the group. Users will be able to view the membership of other types of groups, however, unless a group’s permissions are specifically configured otherwise.

Setting Usage Restrictions on Groups

Groups are great resources for users in an organization. They let users send mail quickly and easily to other users in their department, business unit, or office. However, if you aren’t careful, people outside the organization can use groups as well. Would your boss like it if spammers sent unsolicited e-mail messages to company employees through your distribution lists? Probably not—and you’d probably be sitting in the hot seat, which would be uncomfortable, to say the least.

To prevent unauthorized use of mail-enabled groups, you can specify that only certain users or members of a particular group can send messages to the group. For example, if you created a group called AllEmployees, of which all company employees were members, you could specify that only the members of AllEmployees could send messages to the group. You do this by specifying that only messages from AllEmployees are acceptable.

To prevent mass spamming of other groups, you could set the same restriction. For example, if you have a group called Technology, you could specify that only members of AllEmployees can send messages to that group.

Real World

If you have users who telecommute or send e-mail from home using a personal account, you might be wondering how these users can send mail once a restriction is in place. What I’ve done in the past is create a group called OffsiteEmailUsers, and then added this as a group that can send mail to my mail-enabled groups. The OffsiteEmailUsers group contains separate mail-enabled contacts for each authorized off-site e-mail address.

Another way to prevent unauthorized use of mail-enabled groups is to specify that only mail from authenticated users is accepted. An authenticated user is any user accessing the system through a logon process. It does not include anonymous users or guests and is not used to assign permissions. If you use this option, keep in mind that off-site users will need to log on to Exchange before they can send mail to restricted groups, and this might present a problem for users who are at home or on the road.

You can set or remove usage restrictions by completing the following steps:

  1. Open the Properties dialog box for the mail-enabled group by double-clicking the group name in Active Directory Users And Computers.

  2. Click the Exchange General tab. As shown in Figure 7-5, you can now set the following restrictions:

    • No Limit. Specifies that messages of any size can be sent to the group.

    • Maximum (KB). Sets a limit on the size of messages that can be sent to the group. If a message exceeds the limit, the message isn’t sent and the sender receives a nondelivery report (NDR).

    • From Authenticated Users Only. Specifies that messages are accepted from only authenticated users.

    • From Everyone. The default setting that specifies that messages are accepted from anyone, including Internet addresses external to the organization.

    • Only From. Specifies that only messages from the listed users, contacts, or groups should be accepted. Click Add to add additional users, contacts, and groups to the list. Click Remove to remove users, contacts, and groups from the list.

    • From Everyone Except. Specifies that messages from all senders except the listed users, contacts, or groups should be accepted. Click Add to add additional users, contacts, and groups to the list. Click Remove to remove users, contacts, and groups from the list.

    Figure 7-5. Use the Properties dialog box to set message usage restrictions.

  3. When you’re finished setting or removing restrictions, click OK.

Note

Setting usage restrictions on mail-enabled groups is a good idea in most circumstances.
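
The restrictions described above can be checked in bulk from a directory export rather than one Properties dialog box at a time. The following Python example is added here and is not from the book: it parses an LDIF export of group objects and reports the mail-enabled groups that still accept mail from anyone. It assumes that mailNickname marks a group as mail-enabled and that the Exchange General settings are stored in the attributes authOrig and dLMemSubmitPerms (Only From), unauthOrig and dLMemRejectPerms (From Everyone Except), msExchRequireAuthToSendTo (From Authenticated Users Only), and delivContLength (Maximum (KB)); the sample data and the function names are constructed for illustration.

```python
import base64

# Constructed sample LDIF export of group objects (not real directory data).
SAMPLE_LDIF = """\
dn: CN=AllEmployees,OU=Groups,DC=example,DC=com
objectClass: group
mailNickname: AllEmployees
dLMemSubmitPerms: CN=AllEmployees,OU=Groups,DC=example,DC=com
dLMemSubmitPerms: CN=OffsiteEmailUsers,OU=Groups,DC=example,DC=com

dn: CN=Technology,OU=Groups,DC=example,DC=com
objectClass: group
mailNickname: Technology

dn: CN=Sales,OU=Groups,DC=example,DC=com
objectClass: group
mailNickname: Sales
msExchRequireAuthToSendTo: TRUE
delivContLength: 2048

dn: CN=Partners,OU=Groups,DC=example,DC=com
objectClass: group
mailNickname: Partners
unauthOrig: CN=Former Vendor,OU=Contacts,
 DC=example,DC=com

dn: CN=FileShareAccess,OU=Groups,DC=example,DC=com
objectClass: group
"""

# Assumed attribute mapping for the Exchange General tab (verify in your schema).
ALLOW_ATTRS = ("authorig", "dlmemsubmitperms")    # "Only From"
DENY_ATTRS = ("unauthorig", "dlmemrejectperms")   # "From Everyone Except"


def parse_ldif(text):
    """Return entries as dicts of lowercased attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line (LDIF folding).
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):      # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def classify(entry):
    """Return the effective sender restriction, or None if not a mail-enabled group."""
    classes = [v.lower() for v in entry.get("objectclass", [])]
    if "group" not in classes or not entry.get("mailnickname"):
        return None
    if any(entry.get(a) for a in ALLOW_ATTRS):
        return "only-from"
    if entry.get("msexchrequireauthtosendto", [""])[0].upper() == "TRUE":
        return "authenticated-only"
    if any(entry.get(a) for a in DENY_ATTRS):
        return "everyone-except"
    return "everyone"


def audit(text):
    """List (dn, mode, size limit in KB) for groups that accept external senders."""
    findings = []
    for entry in parse_ldif(text):
        mode = classify(entry)
        # A deny list still accepts every sender that is not on it.
        if mode in ("everyone", "everyone-except"):
            limit = entry.get("delivcontlength", ["none"])[0]
            findings.append((entry["dn"][0], mode, limit))
    return findings


if __name__ == "__main__":
    for dn, mode, limit in audit(SAMPLE_LDIF):
        print(f"{mode:16} max KB: {limit:6} {dn}")
```
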

Setting Out-of-Office and Delivery Report Options for Groups

By default, distribution groups are configured so that delivery reports are sent to the person who sent the mail message. You can change this so that delivery reports are sent to the group owner or not sent at all. You can also specify out-of-office messages that are returned in response to messages from the sender. To set these options, complete the following steps:

  1. Start Active Directory Users And Computers, and then select Advanced Features from the View menu.

  2. Double-click the group you want to work with and then in the properties dialog box, select the Exchange Advanced tab.

  3. If you want out-of-office messages to be delivered to the sender, select Send Out-Of-Office Messages To Originator.

  4. If you want to stop sending delivery reports, select Do Not Send Delivery Reports. You also have the option of sending delivery reports to the group owner and the message originator. Click OK.

Renaming Groups

In Active Directory Users And Computers, you can rename a group by completing the following steps:

  1. Right-click the group name, and then choose Rename. Type the new group name, and then press Enter.

  2. You’ll see the Rename Group dialog box with the new group name highlighted. Press Tab and type a new pre–Windows 2000 group name.

  3. Click OK.

When you rename a group, you give the group a new label. Changing the name doesn’t affect the SID, which is used to identify, track, and handle permissions independently from group names. It also doesn’t affect the Exchange alias or the e-mail addresses that may be associated with the group.

Deleting Groups

Deleting a group removes it permanently. Once you delete a group, you can’t create a group with the same name and automatically restore the permissions that the original group was assigned because the SID for the new group won’t match the SID for the old group. You can reuse group names, but remember that you’ll have to re-create all permissions settings.

Windows doesn’t let you delete built-in groups. You can remove other types of groups by selecting them and pressing the Del key, or by right-clicking and selecting Delete. When prompted, click Yes to delete the group. If you click No, Windows will not delete the group.

Managing Online Address Lists

Address lists help administrators organize and manage Exchange recipients. You can use address lists to organize recipients by department, business unit, location, type, and other criteria. The default address lists that Exchange Server creates and any new address lists that you create are available to the user community. Users can navigate these address lists to find recipients to whom they want to send messages.

Using Default Address Lists

During setup, Exchange Server creates a number of default address lists, including the following:

  • Default Global Address List. Lists all mail-enabled users, contacts, and groups in the organization.

  • Default Offline Address List. Provides an address list for viewing offline that contains information on all mail-enabled users, contacts, and groups in the organization.

  • All Contacts. Lists all mail-enabled contacts in the organization.

  • All Users. Lists all mail-enabled users in the organization.

  • All Groups. Lists all mail-enabled groups in the organization.

  • Public Folders. Lists all public folders in the organization.

The most commonly used address lists are the global address list and the offline address list.

Creating New Address Lists

You can create new address lists to accommodate your organization’s special needs. For example, if your organization has offices in Seattle, Portland, and San Francisco, you might want to create separate address lists for each office.

To create an address list that users can select in their Microsoft Office Outlook 2003 mail client, follow these steps:

  1. Start System Manager, and then in the left pane (console tree), click the plus sign (+) next to the Recipients node. Next, right-click the All Address Lists node.

  2. On the shortcut menu, point to New, and then select Address List.

  3. Type a name for the address list. The name should describe the types of recipients that are viewed through the list. For example, if you’re creating a list for recipients in the Boston office, you could call the list Boston E-Mail Addresses.

  4. Click Filter Rules to select membership criteria. On the General tab, select the check boxes for the users, groups, and contacts that should appear in the address list. If you want to show only users with mailboxes, select Users With Exchange Mailbox.

  5. As shown in Figure 7-6, you use the options on the Advanced tab to limit the address list to users, groups, and contacts that meet the criteria you set. Advanced options let you set very specific criteria for list members. For example, if you wanted to limit the address list to users in Boston, you would click Field, point to User, and then select City. Next, you would select Condition Is (Exactly), and type the value Boston. To complete the process, click Add.

    Figure 7-6. Use the Advanced tab to limit the address list membership based on criteria you set.

  6. To edit an entry after you create it, double-click it, set new values, and then click Add.

  7. Once you’ve set all the filters for the list, click OK. Users will be able to use the new address list the next time they start Outlook.

Configuring Clients to Use Address Lists

Address books are available to clients who are configured for corporate or workgroup use. To set the address lists used by the client, complete these steps:

  1. In Outlook 2003, select Address Book from the Tools menu.

  2. In the Address Book dialog box, select Options from the Tools menu, and then set the following options to configure how address lists are used:

    • Show This Address List First. Sets the address book that the user sees first whenever he or she works with the Address Book.

    • Keep Personal Addresses In. Specifies the default address book for storing new addresses.

    • When Sending Mail, Check Names Using These Address Lists In The Following Order. Sets the order in which address books are searched when you send a message or click Check Names. Use the up and down arrows to change the list order.

  3. Click OK.

Tip

When checking names, you’ll usually want the Global Address List (GAL) to be listed before the user’s own contacts or other types of address lists. This is important because users will often put internal mailboxes in their personal address lists. The danger of doing this without first resolving names against the GAL is that although the display name might be identical, the properties of a mailbox might change. When changes occur, the entry in the user’s address book is no longer valid and any mail sent will bounce back to the sender with an NDR. To correct this, the user should either remove that mailbox from his or her personal address list and add it based on the current entry in the GAL, or change the check names resolution order to use the GAL before any personal lists.

Updating Address List Configuration and Membership Throughout the Domain

Exchange Server doesn’t replicate changes to address lists throughout the domain immediately. Instead, the changes are replicated during the normal replication cycle, which means that some servers might temporarily have outdated address list information. Rather than waiting for replication, you can manually update address list configuration, availability, and membership throughout the domain. To do this, follow these steps:

  1. Start System Manager, and then in the left pane (the console tree), click the plus sign (+) next to the Recipients node. Then select Recipient Update Services.

  2. Current Recipient Update services should now be displayed in the right pane. Typically, you’ll have an enterprise configuration and one or more additional configurations for additional domains in the domain forest.

  3. To update the address list configuration information in the entire domain forest, right-click Recipient Update Service (Enterprise Configuration), and then select Update Now.

  4. To update the address list availability and membership for a specific domain, right-click the related service, and then select Update Now. For example, if you wanted to update address lists in the Technology domain, you’d right-click Recipient Update Service (Technology), and then select Update Now.

Rebuilding Address List Membership and Configuration

In a large enterprise, address list membership and configuration can get out of sync when you make lots of changes. To resynchronize the address list, follow these steps:

  1. Start System Manager, and then in the left pane (the console tree), click the plus sign (+) next to the Recipients node. Then select Recipient Update Services.

  2. Current Recipient Update services should now be displayed in the right pane. Typically, you’ll have an enterprise configuration and one or more additional configurations for additional domains in the domain forest.

  3. Because you want to rebuild address list membership and configuration for a specific domain, right-click the related domain service, and then select Rebuild. When prompted to confirm the action, click Yes.

  4. Rebuilding address lists can take a long time. Be patient. Users will use the updates the next time they start Outlook.

Editing Address Lists

Although you can’t change the properties of default address lists, you can change the properties of address lists that you create. To do this, complete the following steps:

  1. Start System Manager, and then in the left pane (the console tree), click the plus sign (+) next to the Recipients node. Next, click the plus sign (+) next to the All Address Lists node.

  2. Right-click the user-defined address list that you want to modify, and then choose Properties.

  3. In the Properties dialog box click Modify. You can now set a new filter for the address list.

  4. Select the Users, Groups, and Contacts check boxes as appropriate to specify the types of recipients that should appear in the address list. If you want to show only users with mailboxes, select Users With Exchange Mailbox.

  5. Use the options on the Advanced tab to limit the address list to users, groups, and contacts that meet the criteria you set.

  6. To edit an entry after you create it, double-click it, set new values, and then click Add.

  7. Once you’ve set all the filters for the list, click OK. Users can use the modified address list the next time they start Outlook.

Renaming and Deleting Address Lists

Although System Manager will let you rename and delete default address lists, you really shouldn’t do this. Instead, you should rename or delete only user-defined address lists.

  • Renaming address lists. To rename an address list, in System Manager, right-click its entry, and then select Rename. Type in a new name and then press Enter.

  • Deleting address lists. To delete an address list, in System Manager, right-click its entry, and then select Delete. When prompted to confirm the action, click Yes.

Managing Offline Address Lists

You configure offline address lists differently than online address lists. To use an offline address list, the client must be configured to have a local copy of the server mailbox, or use personal folders. Controlling how e-mail is delivered was discussed in Chapter 2, in the section entitled "Managing Delivery and Processing E-Mail Messages."

Configuring Clients to Use an Offline Address List

Offline address lists are available only when users are working offline. You can configure how clients use offline address lists by completing the following steps:

  1. Start Outlook 2003. Click Tools, Send/Receive and then select Download Address Book. This displays the Offline Address Book dialog box.

  2. Select Download Changes Since Last Send/Receive to download only items that have changed since the last time you synchronized the address list. Clear this check box to download the entire contents of your address book.

  3. Specify the information to download:

    • Full Details. Select this option to download the address book with all address information details. Full details are necessary if the user needs to encrypt messages when using remote mail.

    • No Details. Select this option to download the address book without address information details. This reduces the download time for the address book.

  4. If multiple address books are available, use the Choose Address Book drop-down list to specify which address book to download.

  5. Click OK.

Assigning a Time to Rebuild an Offline Address List

By default, offline address lists are rebuilt daily at 10:00 P.M. You can change the time when the rebuild occurs by completing these steps:

  1. Start System Manager, and then in the left pane (the console tree), click the plus sign (+) next to the Recipients node. Next, select the Offline Address Lists node.

  2. Right-click the address list you want to work with, and then select Properties.

  3. Use the Update Interval drop-down list to set the rebuild time. The available options are as follows:

    • Run Daily At 2:00 A.M.

    • Run Daily At 3:00 A.M.

    • Run Daily At 4:00 A.M.

    • Run Daily At 5:00 A.M.

    • Never Run

    • Use Custom Schedule

    Tip

    If you select Use Custom Schedule, click Customize to define your own rebuild schedule.

  4. Select Exchange 4.0 and 5.0 compatibility if you wish to share this address list with users on previous versions of Exchange Server.

  5. Click OK.

Rebuilding Offline Address Lists Manually

Normally, offline address lists are rebuilt at a specified time each day, such as 11:00 P.M. You can also rebuild offline address books manually. To do this, complete the following steps:

  1. Start System Manager, and then in the left pane (the console tree), click the plus sign (+) next to the Recipients node. Next, select the Offline Address Lists node.

  2. Right-click the address list you want to work with, and then select Rebuild. When prompted to confirm the action, click Yes.

  3. Rebuilding address lists can take a long time. Be patient. Users will see the updates the next time they start Outlook.

Setting the Default Offline Address List

Although you can create many offline address lists, clients download only one. This address list is called the default offline address list, and you can set it by completing these steps:

  1. Start System Manager, and then in the left pane (the console tree), click the plus sign (+) next to the Recipients node. Next, select the Offline Address Lists node.

  2. In the right pane, you should see a list of the offline address lists that are currently available. The current default list has the prefix Default in its name.

  3. If there are multiple offline address lists available, you can assign a new default by right-clicking an address list and then selecting Set As New Default.

  4. Users will use the new default offline address list the next time they start Outlook.

Changing Offline Address List Properties

The offline address list is based on other address lists that you’ve created in the organization. You can modify the lists that are used to create the offline address list by completing the following steps:

  1. Start System Manager, and then in the left pane (the console tree), click the plus sign (+) next to the Recipients node. Next, select the Offline Address Lists node.

  2. Right-click the offline address list that you want to modify, and then choose Properties.

  3. To make additional address lists a part of the master offline address list, click Add, and then select the lists you want to use.

  4. If you no longer want an address list to be a part of the offline address list, select the address list, and then click Remove.

  5. Click OK.

Changing the Offline Address List Server

In a large organization in which lots of users are configured to use offline folders, managing and maintaining offline address lists can put a heavy burden on Exchange Server. To balance the load, you might want to designate a server other than the primary Exchange server to manage and propagate offline address lists.

You can change the offline address list server by completing these steps:

  1. Start System Manager, and then in the left pane (the console tree), click the plus sign (+) next to the Recipients node. Next, select the Offline Address Lists node.

  2. Right-click the offline address list that you want to modify, and then choose Properties.

  3. The current offline address book server is listed in the Offline Address List Server field. To use a different server, click Browse, and then in the Select Exchange Server dialog box, choose a different server.

Customizing Address Templates

Have users ever asked you if you could change the fields in the Address Book for users, groups, or contacts? Chances are they have, and you probably said you couldn’t. Well, you can customize the graphical interface for address book recipients, and the way you do it is to modify Exchange Server’s address templates.

Using Address Templates

Address templates specify how recipient information appears in the Address Book. This graphical interface is unique for each type of recipient, including users, contacts, groups, and public folders. There are also templates for the address book Search dialog box and the mailbox agent.

Each template has a predefined set of controls that describe its interface. These controls are as follows:

  • Label. Creates a text label in the template

  • Edit. Creates single-line text fields or multiline text boxes

  • Page Break. Specifies where a tab begins and where to set the text for the tab

  • Group Box. Creates a panel that groups together a set of controls

  • Check Box. Adds a check box with a text label

  • List Box. Adds a list box with optional scroll bars

  • Multi-Valued List Box. Adds a list box that can accept and display multiple values

  • Multi-Valued Drop-Down. Adds a drop-down list with multiple values

Each control has a specific horizontal (X) position and a specific vertical (Y) position in a dialog box. The control also has a specific width and height. The X, Y, width, and height values are set in screen pixels.

By modifying the controls within a template, you can change the way information is presented in the Address Book view. To learn how you can modify templates, see Figure 7-7 and Figure 7-8. Figure 7-7 shows the default Address Book view for users. Figure 7-8 shows a modified Address Book view for users that is streamlined and simplified.

Figure 7-7. The original Address Book view for users.

Figure 7-8. A modified Address Book that combines fields from multiple tabs to create a view with a single tab.

Modifying Address Book Templates

Modifying address book templates creates a custom view of the template that is available to all users in the organization. As you create the view, you’ll have the opportunity to preview it so that you can check for mistakes. If you make a mistake, don’t worry. You can restore the original template at any time.

Modify address book templates by completing these steps:

  1. Start System Manager, and then in the left pane (the console tree), click the plus sign (+) next to the Recipients node. Next, click the plus sign (+) next to the Address Templates node, and then select the template language you want to work with. For example, if you want to modify English language templates, select English.

  2. You should see the available templates in the right pane. Double-click the template you want to modify.

  3. Click the Templates tab. System Manager will read all the values defined in the template and the Active Directory attributes that are available for the related object. When System Manager is finished reading attributes, you’ll see the complete set of controls available for the template (see Figure 7-9).

    Figure 7-9. The Templates tab lists all the controls that are assigned to the template.

  4. Click Test to preview the existing template. Study the template’s configuration before you continue.

  5. To add a new control to the template, click Add, and then choose a control type. Next, set the properties for the control, and then click OK. Click Test to check the modified view.

    Tip

    Use Page Break controls to add new tabs. The value for a particular Page Break control sets the name of the tab. Each control following the Page Break and preceding the next Page Break is on that tab.

  6. To update the settings of an existing control, select the control on the Templates tab, and then click Modify. After you modify the control’s properties, click OK. Click Test to check the modified view.

  7. To remove a control from the address book view, select the control in the Templates tab, and then click Remove.

  8. Repeat Steps 5 through 7 until the template is customized to your liking. If necessary, use the Move Up and Move Down buttons to modify the position of controls in the scrolling list. If you need to restore the original view, click Original and then confirm the action when prompted.

  9. When you’re finished, close the Properties dialog box by clicking OK. Then rebuild the address lists as discussed in the section of this chapter entitled "Rebuilding Address List Membership and Configuration."

Restoring the Original Address Book Templates

When you modify address book templates, the original template files aren’t overwritten and you can restore the original templates if you need to. Simply complete the following steps:

  1. Start System Manager, and then in the left pane (the console tree), click the plus sign (+) next to the Recipients node. Next, click the plus sign (+) next to the Address Templates node, and then select the template language you want to work with.

  2. You should see the available templates in the right pane. Double-click the template you want to restore.

  3. Click the Templates tab. System Manager will read all the values defined in the template and the Active Directory attributes that are available for the related object.

  4. Restore the original view by clicking Original. When prompted, confirm the action by clicking Yes.

  5. Close the Properties dialog box by clicking OK.

  6. Repeat Steps 2 through 5 for other templates that you need to restore. Then rebuild the address lists in the manner described in the section of this chapter entitled "Rebuilding Address List Membership and Configuration."
