The difference between a good Microsoft Exchange administrator and a great one is the attention he or she pays to mailbox administration. Mailboxes are private storage places for sending and receiving mail, and they are created as part of private mailbox stores in Exchange. When you create user accounts, including those for InetOrgPersons, you have the option of creating mailboxes for those accounts. You can also add mailboxes to existing user accounts as necessary.
Mailboxes have many properties that control mail delivery, permissions, and storage limits. You can configure most mailbox settings on a per-mailbox basis. However, some settings cannot be changed without moving mailboxes to a different mailbox store or changing the settings of the mailbox store itself. For example, the storage location on the Exchange file system, the default public folder store for the mailbox, and the default offline address book are set on a per-mailbox-store basis. Keep this in mind when performing capacity planning and when deciding which storage group and mailbox store to use for a particular mailbox.
You often need to manage mailboxes the way you do user accounts. Some of the management tasks are fairly intuitive and others aren’t. If you have questions, be sure to read the sections that follow.
Tip
For all of the procedures in this section, you can select multiple users for whom you want to manage mailboxes. To select multiple users individually, hold down the Ctrl key and then click each user account that you want to select. To select a sequence of accounts, hold down the Shift key, select the first user account, and then click the last user account.
You don’t have to create an Exchange mailbox when you create a user account. If a user needs a mailbox later, you can create the mailbox by completing the following steps:
In Active Directory Users And Computers, right-click the user’s name, and then select Exchange Tasks to start the Exchange Task Wizard. You can select multiple user accounts as well; if you do this, the Exchange alias for each user will be set to that user’s logon name and cannot be changed.
If a Welcome page is displayed, click Next. You can skip the Welcome page in the future by selecting Do Not Show This Welcome Page Again.
Under Available Tasks, select Create Mailbox, and then click Next.
The Create Mailbox wizard page, shown in Figure 6-1, is displayed.
The Exchange alias is set to the logon name by default. You can change this value by entering a new alias as long as you do not have multiple accounts selected.
If multiple Exchange servers are configured with an Information Store, use the Server drop-down list to specify the server on which the mailbox should be stored.
Caution
In Exchange mixed-mode operations, mailboxes can’t be moved from a server in one administrative group to a server in another administrative group. In addition, although you can move mailboxes to different Exchange servers, these servers must be in the same routing group. You can’t move mailboxes among routing groups (regardless of the Exchange operations mode).
If multiple mailbox stores are configured, use the Mailbox Store drop-down list to specify the mailbox store that should be used.
Click Next and then click Finish.
You can use Exchange System Manager to view the current mailbox size and message count by completing these steps:
In Exchange System Manager, access the Servers node within the administrative or routing group you want to manage. Typically, you would expand Administrative Groups, First Administrative Group, and then the Servers node.
In the left pane (the console tree), select the Exchange server you want to manage. You should now see a list of storage groups that are available on the server.
Mailboxes are stored in the mailbox store associated with a storage group. Expand the storage groups and mailbox stores until you see the Mailboxes node you want to work with. For example, you could expand First Storage Group and Technology Mailbox Store, and then select the Mailboxes node.
The right pane should now display a summary list of mailboxes that are stored in the selected mailbox store.
To balance the server load or manage drive space, you can move mailboxes to another server or storage group. When you move mailboxes from one server to another or even to a different storage group on the same sever, keep in mind that the Exchange policies of the new mailbox store may be different from the old one. Because of this, consider the following issues before you move mailboxes to a new server or storage group:
General policy. Changes to watch out for include those for the default public folder store, the offline address book, and message settings. As a result, the users whose mailboxes you move could lose or gain access to public folders. They might have a different offline address book, which might have different entries and that will also have to be downloaded in its entirety the first time the user’s mail client connects to Exchange after the move. Message settings for mailbox stores control message archiving, support for Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures, and the font used to display plaintext messages.
Database policy. Changes to watch out for pertain to the maintenance interval and automatic mounting. If Exchange performs maintenance when these users are accessing their mail, they might have slower response times. If the mailbox store is configured so that it isn’t mounted at startup, restarting the Exchange services could result in the users not being able to access their mailboxes.
Limits. Changes to watch out for pertain to storage limits and deletion settings. Users might be prohibited from sending and receiving mail if the user’s mailbox exceeds the storage limits of the new mailbox store. Users might notice that deleted items stay in their Deleted Items folder longer or are deleted sooner than expected if the Keep Deleted Items setting is different.
You move mailboxes by completing these steps:
Right-click the user name in Active Directory Users And Computers, and then select Exchange Tasks to start the Exchange Task Wizard. You can select multiple user accounts as well.
If a Welcome wizard page is displayed, click Next.
Under Available Tasks, select Move Mailbox, and then click Next.
Use the Server drop-down list to specify the server on which the mailbox should be stored. Use the Mailbox Store drop-down list to specify the mailbox store that should be used.
Click Next, and then click Finish. Exchange Server attempts to move the mailbox. If a problem occurs, you’ll see an Error dialog box that lets you retry or cancel the operation.
Note
In Exchange mixed-mode operations, you can’t move mailboxes from a server in one administrative group to a server in another administrative group. You can’t move mailboxes among routing groups regardless of operations mode. To move mailboxes among servers, the servers must be in the same routing group.
Removing a mailbox from a user account deletes any e-mail addresses associated with the account and marks the primary mailbox for deletion. The mailbox is then deleted according to the retention period set on the account or on the mailbox store. For more information on deleted item retention, see the section of this chapter entitled, "Setting Deleted Item Retention Time on Individual Mailboxes."
You can remove a mailbox from a user account by completing the following steps:
Right-click the user name in Active Directory Users And Computers, and then select Exchange Tasks to start the Exchange Task Wizard. You can select multiple user accounts as well.
If a Welcome wizard page is displayed, click Next.
Under Available Tasks, select Delete Mailbox, and then click Next.
Click Next, and then click Finish.
Mailbox properties are used to set delivery restrictions, permissions, and storage limits. To change these configuration settings for mailboxes, follow the techniques discussed in this section.
You can set delivery restrictions on mailboxes using two techniques:
Globally. By creating default delivery restrictions for all mailboxes. Global restrictions are applied when the user account is created and they are updated when you define new global delivery restrictions.
Individually. By setting per-user delivery restrictions. You set per-user delivery restrictions individually for each user account, and they override the global default settings.
You’ll learn how to set global delivery restrictions in Chapter 13. See the section of that chapter entitled "Setting Default Delivery Restrictions for the Organization."
You set individual delivery restrictions by completing the following steps:
Open the Properties dialog box for the mailbox-enabled user account by double-clicking the user name in Active Directory Users And Computers.
On the Exchange General tab, click Delivery Restrictions. As shown in Figure 6-2, you can now set the following send and receive restrictions:
Sending Message Size. Sets a limit on the size of messages the user can send. If an outgoing message exceeds the limit, the message isn’t sent and the user receives a nondelivery report (NDR).
Receiving Message Size. Sets a limit on the size of messages the user can receive. If an incoming message exceeds the limit, the message isn’t delivered and the sender receives an NDR.
Click OK. The restrictions that you set override the global default settings.
You set message send and receive restrictions for contacts in the same way that you set these restrictions for users. Follow the steps listed in the section of this chapter entitled "Setting Message Acceptance Restrictions on Individual Mailboxes."
By default, user mailboxes are configured to accept messages from anyone. To override this behavior, you can specify that only messages from the listed users, contacts, or groups should be accepted, or that messages from all e-mail addresses except the users, contacts, or groups listed should be accepted.
You can also specify that only authenticated users, meaning users who have logged on to the Exchange system or the domain, can be accepted.
You set message acceptance restrictions by completing the following steps:
Open the Properties dialog box for the mailbox-enabled user account by double-clicking the user name in Active Directory Users And Computers.
On the Exchange General tab, click Delivery Restrictions to display the Delivery Restrictions dialog box shown previously in Figure 6-2.
If you want to ensure that messages are accepted only from authenticated users, select the From Authenticated Users Only check box.
To specify that only messages from the listed users, contacts, or groups should be accepted, select the Only From option.
To specify that messages from all e-mail addresses except the users, contacts, or groups listed should be accepted, select the From Everyone Except option.
Click Add to add recipients to the inclusion or exclusion list. This displays the Select Recipient dialog box shown in Figure 6-3. Type the object names that you want to select, making sure to separate each name with a semicolon.
Click Check Names. If a name is not found, correct the object name you provided and then click OK. If multiple names are found, select the name or names that you want to use and then click OK.
When you click OK to close the Select Recipient dialog box, the recipients you’ve selected are added to the inclusion or exclusion list. Click OK twice to complete the task.
You set message size and receive restrictions for contacts in the same way that you set these restrictions for users. Follow the steps listed in the section of this chapter entitled "Setting Message Acceptance Restrictions on Individual Mailboxes."
Occasionally, users will need to access someone else’s mailbox, and in certain situations you should allow them to. For example, if John is Susan’s manager and Susan is going on vacation, John might need access to her mailbox while she’s away. Another situation in which someone might need access to another mailbox is when you’ve set up special-purpose mailboxes, such as a mailbox for <[email protected]> or a mailbox for <[email protected]>.
Granting someone the right to access a mailbox also gives that person the right to view the mailbox and send messages on behalf of the mailbox owner. You can grant or revoke access by completing the following steps:
Open the Properties dialog box for the mailbox-enabled user account by double-clicking the user name in Active Directory Users And Computers.
On the Exchange General tab, click Delivery Options. The Grant This Permission To list box shows any users that currently have access permissions. You can now do the following:
Grant access. To grant the authority to access the mailbox, click Add and then use the Select Recipient dialog box to choose the user or users who should have access to the mailbox.
Revoke access. To revoke the authority to access the mailbox, select an existing user name in the Grant This Permission To list box, and then click Remove.
Click OK.
Note
Another way to grant access permissions to mailboxes is to do so through Outlook. Using Outlook, you have more granular control over permissions. You can allow a user to log on as the mailbox owner, delegate mailbox access, and grant various levels of access. For more information on this issue, see the sections of Chapter 2 entitled, "Accessing Multiple Exchange Server Mailboxes" and "Granting Permission to Access Folders Without Delegating Access."
Any messages sent to a user’s mailbox can be forwarded to another recipient. This recipient could be another user or a mail-enabled contact. You can also specify that messages should be delivered to both the forwarding address and the current mailbox.
To configure mail forwarding, follow these steps:
Open the Properties dialog box for the mailbox-enabled user account by double-clicking the user name in Active Directory Users And Computers.
On the Exchange General tab, click Delivery Options. To remove forwarding, in the Forwarding Address panel, choose None.
To add forwarding, choose Forward To, and then click Modify. Use the Select Recipient dialog box to choose the alternate recipient. If the mail should go to both the alternate recipient and the current mailbox owner, select the Deliver Messages To Both Forwarding Address And Mailbox check box (see Figure 6-4).
Click OK.
You can set storage restrictions on multiple mailboxes using global settings for each mailbox store or on individual mailboxes using per-user restrictions. Global restrictions are applied when you create the user account and are reapplied when you define new global storage restrictions. Per-user storage restrictions are set individually for each user account and override the global default settings.
Note
Storage restrictions apply only to mailboxes stored on the server. Storage restrictions don’t apply to personal folders. Personal folders are stored on the user’s computer.
You’ll learn how to set global storage restrictions in Chapter 10, See the section of that chapter entitled "Setting Mailbox Store Limits."
You set individual storage restrictions by completing the following steps:
Open the Properties dialog box for the mailbox-enabled user account by double-clicking the user name in Active Directory Users And Computers.
On the Exchange General tab, click Storage Limits. This displays the Storage Limits dialog box shown in Figure 6-5.
To set mailbox storage limits, in the Storage Limits panel, clear the Use Mailbox Store Defaults check box. Then set one or more of the following storage limits:
Issue Warning At (KB). This limit specifies the size, in kilobytes, that a mailbox can reach before a warning is issued to the user. The warning tells the user to clean out the mailbox.
Prohibit Send At (KB). This limit specifies the size, in kilobytes, that a mailbox can reach before the user is prohibited from sending any new mail. The restriction ends when the user clears out the mailbox and the mailbox size is under the limit.
Prohibit Send And Receive At (KB). This limit specifies the size, in kilobytes, that a mailbox can reach before the user is prohibited from sending and receiving mail. The restriction ends when the user clears out the mailbox and the mailbox size is under the limit.
Caution
Prohibiting send and receive might cause the user to lose e-mail. When a user sends a message to a user who is prohibited from receiving messages, an NDR is generated and delivered to the sender. The original recipient never sees the e-mail. Because of this, you should rarely prohibit send and receive.
Click OK.
When a user deletes a message in Microsoft Office Outlook 2003, the message is placed in the Deleted Items folder. The message remains in the Deleted Items folder until the user deletes it manually or allows Outlook to clear out the Deleted Items folder. With personal folders, the message is then permanently deleted and you can’t restore it. With server-based mailboxes, the message isn’t actually deleted from the Exchange Information Store. Instead, the message is marked as hidden and kept for a specified period of time called the deleted item retention period.
Default retention settings are configured for each mailbox store in the organization. You can change these settings, as described in the section of Chapter 10, entitled "Setting Deleted Item Retention," or override the settings on a per-user basis by completing these steps:
Open the Properties dialog box for the mailbox-enabled user account by double-clicking the user name in Active Directory Users And Computers.
On the Exchange General tab, click Storage Limits. This displays the Storage Limits dialog box shown previously in Figure 6-5.
In the Deleted Item Retention panel, clear the Use Mailbox Store Defaults check box.
In the Keep Deleted Items For (Days) text field, enter the number of days to retain deleted items. An average retention period is 14 days. If you set the retention period to 0, messages aren’t retained and can’t be recovered.
You can also specify that deleted messages should not be permanently removed until the mailbox store has been backed up. This option ensures that the deleted items are archived into at least one backup set.
Click OK.
Real World
Deleted item retention is very convenient because it allows the administrator the chance to salvage accidentally deleted e-mail without restoring a user’s mailbox from backup. I strongly recommend that you enable this setting either in the mailbox store or for individual mailboxes, and configure the retention period accordingly.
Several key properties of mailboxes are considered to be advanced settings that should only be set as necessary. These settings include mailbox rights, Internet Locator Service (ILS) settings, and custom attributes. To view or work with these and other advanced settings, you use the Exchange Advanced tab shown in Figure 6-6.
Note
With Exchange 2003, the Exchange Advanced tab and its settings are available regardless of whether Advanced Features is enabled. If future security settings change this, however, you may have to select View, Advanced Features to access the Exchange Advanced tab.
In some cases the full display name for a mailbox won’t be available for display. This can happen when multiple language versions of the Exchange snap-in are installed on the network or when multiple language packs are installed on a system. Here, the system cannot interpret some or all of the characters in the display name, and as a result doesn’t show the display name. To correct this problem, you can set an alternate display name using a different character set. For example, you could use Cyrillic or Kanji characters instead of standard ANSI characters.
You can set an alternate display name for a mailbox by following these steps:
Occasionally you might want to hide a mailbox so that it doesn’t appear in the global address list or other address lists. One reason for doing this is if you have administrative mailboxes that are only used for special purposes. To hide a mailbox from the address lists, follow these steps:
Address lists, like the global address list, make it easier for users and administrators to find Exchange resources, including users, contacts, distribution groups, and public folders that are available. The fields available for Exchange resources are based on the type of resource. If you want to add additional values that should be displayed or searchable in address lists, such as an employee identification number, you can assign these values as custom attributes.
Exchange provides 15 custom attributes, labeled extensionAttribute1, extensionAttribute2, and so on, through extensionAttribute15. You can assign a value to a custom attribute by completing the following steps:
Open the Properties dialog box for the mailbox-enabled user account by double-clicking the user name in Active Directory Users And Computers.
On the Exchange Advanced tab, click Custom Attributes. This displays the Exchange Custom Attributes dialog box.
Double-click the attribute you want to define. This displays the Custom Attributes dialog box shown in Figure 6-7.
Enter the attribute value in the field provided and then click OK. Define the custom attribute as a string of standard characters. If you want, you can include the name of the attribute you are defining as well as the value. However, that might make it more difficult to perform searches based on the field value.
Click OK twice.
Microsoft NetMeeting allows users to collaborate during meetings using audio, video, and a shared whiteboard. If your organization uses NetMeeting, you might want users to be able to contact each other and set up meetings through Exchange. To make this possible, you’ll need to configure the ILS for user and contact mailboxes, specifying the ILS server and account that is to be used for NetMeeting.
You can specify the ILS settings by completing the following steps:
Open the Properties dialog box for the mailbox-enabled user account by double-clicking the user name in Active Directory Users And Computers.
On the Exchange Advanced tab, click ILS Settings. This displays the Exchange Internet Locator Service dialog box as shown in Figure 6-8.
In the ILS Server field, enter the fully qualified domain name (FQDN) or Internet Protocol (IP) address of the ILS server to which the user or contact connects, such as logon.netmeeting.microsoft.com.
In the ILS Account field, enter the ILS account for the user, such as <[email protected]>.
Click OK twice.
In Chapter 2, in the sections "Accessing Multiple Exchange Server Mailboxes" and "Granting Permission to Access Folders Without Delegating Access," I discussed how you could configure access to mailboxes through Outlook. Access to mailboxes can also be configured through mailbox rights in Active Directory Users And Computers.
Mailbox rights let you assign various access rights on a per-mailbox basis. By default, the user account associated with a particular mailbox, through the special identity SELF, has full mailbox access and read permission. These access rights allow the user to access his or her mailbox, and to read, send, change, and delete mail. The Administrator user and the Administrators group are listed as the owners of mailboxes, which allows administrators to manage mailbox settings, view mailbox summary information, and delete mailboxes.
Mailbox rights that you can assign include the following:
Delete Mailbox Storage. Allows a user to delete the mailbox from the information store. This mailbox right is given only to administrators by default.
Read Permissions. Allows a user to read mail in the mailbox. If you assigned only this right to a user, the user could read another user’s mail but not send, change, or delete messages.
Change Permissions. Allows a user to delete or modify items in the mailbox.
Take Ownership. Allows a user to take ownership of a mailbox. By default, the Administrator user and the Administrators group are the owners of mailboxes.
Full Mailbox Access. Allows a user to access a mailbox; to create, read, and delete items in the mailbox; and to send messages from the mailbox.
To add or remove mailbox access rights, follow these steps:
Open the Properties dialog box for the mailbox-enabled user account by double-clicking the user name in Active Directory Users And Computers.
On the Exchange Advanced tab, click Mailbox Rights. This displays the Permissions For dialog box shown in Figure 6-9.
Users or groups with access rights are listed in the Group Or User Names list box. You can change permissions for these users or groups by doing the following:
To set access rights for additional users or groups, click Add. Then use Select Users, Computers, Or Groups to add users or groups. Afterward, use the Permissions area to allow or deny permissions. Repeat for other users or groups.
Click OK twice when you are finished.
