Chapter 8. Implementing Directory Security and Microsoft Exchange Server 2003 Policies

In this chapter, you’ll learn how to implement directory security and Microsoft Exchange Server 2003 policies. In Active Directory, you manage security by using permissions. Users, contacts, and groups all have permissions assigned to them. These permissions control the resources that users, contacts, and groups can access. They also control the actions that users, contacts, and groups can perform.

Exchange policies are useful administration tools as well. With policies, you can specify management rules for Exchange systems and Exchange recipients. System policies help you manage servers and information stores. Recipient policies help you manage e-mail addressing and mailbox messages.

Controlling Exchange Server Administration and Usage

Users, contacts, and groups are represented in Active Directory as objects. These objects have many attributes that determine how the objects are used. The most important attributes are the permissions assigned to the object. Permissions grant or deny access to objects and resources. For example, you can grant a user the right to create public folders but deny that same user the right to view the status of the information store.

Permissions assigned to an object can be applied directly to the object or they can be inherited from another object. Generally, objects inherit permissions from parent objects. A parent object is an object that is above an object in the object hierarchy. In Exchange Server 2003, permissions are inherited through the organizational hierarchy. The root of the hierarchy is the Organization node. All other nodes in the tree inherit the Exchange permissions of this node. For example, the permissions on an administrative group folder are inherited from the Organization node.

You can override inheritance. One way to do this is to assign permissions directly to the object. Another way is to specify that the object shouldn’t inherit permissions.

Assigning Exchange Server Permissions to Users and Groups

Several security groups have access to and can work with Exchange Server. These groups are Domain Admins, Enterprise Admins, Exchange Domain Servers, Exchange Enterprise Servers, and Everyone.

Domain Admins

Domain Admins are the designated administrators of a domain. Members of this global group can manage user accounts, contacts, groups, mailboxes, and computers. They can also manage messaging features, delivery restrictions, and storage limits. Nevertheless, they are subject to some restrictions in Exchange Server and don't have full control over it. If a user needs to administer a domain and manage Exchange Server, make that user a member of the Domain Admins group. By default, this group is a member of the local Administrators group on every computer in the domain, including the Exchange servers, and its only member is the domain's built-in Administrator account.

Enterprise Admins

Enterprise Admins are the designated administrators of the enterprise. Members of this group, which exists only in the forest root domain, can manage objects in any domain in the forest. They have full control over Exchange Server and aren't subject to any restrictions. This means that unlike Domain Admins, Enterprise Admins can delete child objects and entire trees in Exchange Server. If a user needs full access to the enterprise and to Exchange Server, make that user a member of the Enterprise Admins group. Because the group controls the entire forest, keep its membership as small as possible and use the delegated roles described later in this chapter for routine Exchange administration. By default, this group is a member of the Administrators group in every domain of the forest, and its only member is the forest root domain's built-in Administrator account.

Exchange Domain Servers

The Exchange Domain Servers group also has a special purpose. Members of this group can manage mail interchange and queues. By default, all computers running Exchange Server 2003 are members of this group, and you shouldn’t change this setup. This domain global group is in turn a member of the domain local group Exchange Enterprise Servers.

Exchange Enterprise Servers

Exchange Enterprise Servers is a domain local group that you can use to grant special permissions to all Exchange servers throughout the domain forest. By default, the group has Exchange Domain Servers as its only member.

Everyone

The final group that has Exchange permissions is Everyone. Everyone is a special group whose members are implicitly assigned. Its members include all interactive, network, dial-up, and authenticated users (on Windows Server 2003, anonymous users are no longer included by default). By default, members of this group can create top-level public folders, subfolders within public folders, and named properties in the information store. If you don't want every authenticated user to be able to create top-level public folders, this is the entry to change, as described in "Setting Exchange Server Permissions" later in this chapter.
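As an added check that is not from the book, the following Windows PowerShell script lists the members of the two server groups and flags anything that is not a computer account in Exchange Domain Servers, or anything other than an Exchange Domain Servers group in Exchange Enterprise Servers. It assumes the groups keep their default names and that it runs as a domain user on a domain-joined computer with Windows PowerShell 2.0 or later; the group and attribute names are Active Directory's, everything else is illustrative.

```powershell
# Added example (not from the book): list the members of the two Exchange
# server groups and flag anything that is not a computer account (in Exchange
# Domain Servers) or an Exchange Domain Servers group (in Exchange Enterprise
# Servers). Assumes the groups keep their default names and that this runs as a
# domain user on a domain-joined computer with Windows PowerShell 2.0 or later.

function Get-GroupMemberSummary {
    param([string]$GroupName)

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + [string]$rootDse.defaultNamingContext)
    $searcher.Filter = "(&(objectCategory=group)(cn=$GroupName))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Group '$GroupName' not found in this domain" }

    $group = $result.GetDirectoryEntry()
    foreach ($memberDn in $group.member) {
        $member = [ADSI]"LDAP://$memberDn"
        New-Object PSObject -Property @{
            Group  = $GroupName
            Member = [string]$member.cn
            Class  = [string]$member.psbase.SchemaClassName   # computer, group, user, ...
            Dn     = [string]$memberDn
        }
    }
}

$domainServers     = @(Get-GroupMemberSummary "Exchange Domain Servers")
$enterpriseServers = @(Get-GroupMemberSummary "Exchange Enterprise Servers")

# The defaults the chapter describes: only computer objects in Exchange Domain
# Servers, and only Exchange Domain Servers groups (one per prepared domain) in
# Exchange Enterprise Servers. Anything else was added by hand and now holds the
# server groups' Exchange permissions, such as Open Mail Send Queue.
$unexpected = @($domainServers | Where-Object { $_.Class -ne "computer" }) +
              @($enterpriseServers | Where-Object { $_.Class -ne "group" -or $_.Member -ne "Exchange Domain Servers" })

if ($unexpected.Count -eq 0) {
    "Both groups have only their default membership."
} else {
    "Unexpected members; review each one:"
    $unexpected | Format-Table Group, Member, Class, Dn -AutoSize
}
```

Run it from any domain-joined computer; no Exchange tools are needed because both groups are ordinary Active Directory groups. In a multi-domain forest, Exchange Enterprise Servers legitimately contains one Exchange Domain Servers group per domain in which Exchange setup has been run, which is why the check tests the member's name and class rather than counting members.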

Understanding Exchange Server Permissions

Active Directory objects are assigned a set of permissions. These permissions are standard Microsoft Windows permissions, object-specific permissions, and extended permissions.

Table 8-1 summarizes the most common object permissions. Keep in mind that some permissions are generalized. For example, with Read Property and Write Property, Property is a placeholder for the actual property name. Two of these permissions deserve special attention in an Exchange organization: Send As and Receive As. Because they let the holder send mail as another recipient or open another recipient's mail, the Exchange Administration Delegation Wizard excludes them from every role it assigns (see Tables 8-3 and 8-4), and you should review who holds them whenever you check the permissions on a server, storage group, or store.

Table 8-1. Common Permissions for Active Directory Objects

Permission                 Description
-------------------------  ------------------------------------------------------------------------
Full Control               Permits reading, writing, modifying, and deleting
List Object                Permits listing the object
List Contents              Permits viewing object contents
Read Property              Permits reading a particular property of an object
Write Property             Permits writing to a particular property of an object
Read Properties            Permits reading properties of an object
Write Properties           Permits writing to properties of an object
Read Permissions           Permits reading object permissions
Change Permissions         Permits changing object permissions
Create Children            Permits creating child objects
Delete Children            Permits deleting child objects
Delete Tree                Permits deleting the object and its child objects
Take Ownership             Permits taking ownership of the object
Validate Write To ...      Permits a particular type of validated write
Extended Write To ...      Permits a particular type of extended write
All Validated Writes       Permits all types of validated writes
All Extended Writes        Permits all extended writes
Create Object              Permits creating a specific object type
Delete Object              Permits deleting a specific object type
Create All Child Objects   Permits creating all child objects
Delete All Child Objects   Permits deleting all child objects
Change Password            Permits changing the object's password when the current password is known
Delete                     Permits deleting an object
Receive As                 Permits opening the object's mailbox; granted on a store or server, it opens every mailbox beneath it
Reset Password             Permits resetting the object's password without knowing the current one
Send As                    Permits sending mail as the object
Add/Remove Self            Permits adding and removing the object as a member

Table 8-2 summarizes Exchange-specific permissions. You use these extended permissions to control Exchange administration and use. If you want to learn more about other types of permissions, I recommend that you read Chapter 14 of Microsoft Windows Server 2003 Administrator’s Pocket Consultant (Microsoft Press, 2003).

Table 8-2. Extended Permissions for Exchange Server

Permission                                         Description
-------------------------------------------------  -------------------------------------------------------------------------
Administer Information Store                       Permits administration of the Information Store.
Create Named Properties In The Information Store   Permits creation of named properties in the Information Store.
Create Public Folder                               Permits creation of a public folder under a top-level folder.
Create Top-Level Public Folder                     Permits creation of a top-level public folder.
Full Store Access                                  Permits full access to the Information Store.
Mail-Enable Public Folder                          Permits mail-enabling a public folder.
Modify Public Folder ACL                           Permits modification of the access control list (ACL) on a public folder.
Modify Public Folder Admin ACL                     Permits modification of the admin ACL on a public folder.
Modify Public Folder Deleted Item Retention        Permits modification of the deleted item retention period.
Modify Public Folder Expiry                        Permits modification of a public folder's expiration date.
Modify Public Folder Quotas                        Permits modification of a quota on a public folder.
Modify Public Folder Replica List                  Permits modification of the replica list for a public folder.
Open Mail Send Queue                               Permits opening the Mail Send queue and message queuing. The Exchange Domain Servers group must retain this permission.
Read Metabase Properties                           Permits reading the properties of the IIS metabase.
View Information Store Status                      Permits viewing the status of the Information Store.

Viewing Exchange Server Permissions

Permissions are inherited from the Organization node by default. You can change this behavior when you set server permissions. To view security permissions for Exchange Server, complete the following steps:

  1. Start System Manager, and then right-click the root or leaf-level node you want to work with.

  2. Select Properties from the shortcut menu, and then in the Properties dialog box, click the Security tab, shown in Figure 8-1.

    Figure 8-1. Use the Security tab to configure object permissions.

    Note

    If the Properties option isn’t available, you’re trying to work with a nonroot or nonleaf node, such as the Recipients, Administrative Groups, or Servers nodes. Expand the node by clicking the plus sign (+), and then select a lower-level node. Note also that for some nodes, you view and assign permissions through the Exchange Administration Delegation Wizard. For details, see the section of this chapter entitled "Delegating Exchange Server Permissions."

  3. In the Group Or User Names list box, select the object for which you want to view permissions. The permissions for the object are then displayed in the Permissions list box. If the permissions are shaded, it means they are inherited from a parent object.

Setting Exchange Server Permissions

You can control the administration and use of Exchange Server in several ways:

  • Globally for an entire organization. Set the permissions at the organization level. Through inheritance, these permissions are then applied to all objects in the Exchange organization.

  • For each server. Set the permissions individually for each server in the Exchange organization. Through inheritance, these permissions are then applied to all child nodes on the applicable server.

  • For each storage group. Set the permissions at the storage group level. Through inheritance, these permissions are then applied to all mailbox and public folder stores within the storage group.

  • For an individual node. Set the permissions on an individual node. If those settings must not be overridden by entries propagated from the parent, also stop the node from inheriting permissions, as described in "Overriding and Restoring Object Inheritance" later in this chapter.

To set permissions for Exchange Server, follow these steps:

  1. Start System Manager, and then right-click the root or leaf-level node you want to work with.

  2. Select Properties from the shortcut menu, and then click the Security tab in the Properties dialog box, shown previously in Figure 8-1.

  3. Users or groups that already have access to the Exchange node are listed in the Group Or User Names list box. You can change permissions for these users and groups by selecting the user or group you want to change, and then using the Permissions list box to grant or deny access permissions.

    Note

    Inherited permissions are shown in gray and can't be cleared directly. To override one, select the opposite permission on the object itself: an explicit Deny overrides an inherited Allow, and an explicit Allow overrides an inherited Deny, because entries set directly on an object are evaluated before entries inherited from its parent.

  4. To set access permissions for additional users, computers, or groups, click Add. This displays the Select Users, Computers, Or Groups dialog box, shown in Figure 8-2.

    Figure 8-2. Use the Select Users, Computers, Or Groups dialog box to select users, computers, or groups that should be granted or denied access.

  5. Use the Select Users, Computers, Or Groups dialog box to select the users, computers, or groups for which you want to set access permissions. To access account names from other domains, click Locations. You should see a list that shows the current domain, trusted domains, and other resources that you can access. Select Entire Directory to search all the domains in the forest.

  6. In the Group Or User Names list box, select the user, computer, or group you want to configure, and then use the fields in the Permissions area to allow or deny permissions. Repeat for other users, computers, or groups.

  7. Click OK when you’re finished.

Overriding and Restoring Object Inheritance

To override or stop inheriting permissions from a parent object, follow these steps:

  1. Start System Manager, and then right-click the root or leaf-level node you want to work with.

  2. Select Properties from the shortcut menu, and then click the Security tab in the Properties dialog box.

  3. Click Advanced to display the Advanced Security Settings dialog box.

  4. To stop inheriting, clear the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects check box. You're then asked whether to Copy the inherited entries onto the object as explicit entries (the object keeps its current access but no longer follows changes made at the parent) or to Remove them (only the entries defined directly on the object remain, so confirm that an administrator still has access before you continue). To restore inheritance, select the check box again; the parent's entries are reapplied alongside any explicit entries.

  5. Click OK twice.
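The same information the Security tab shows, read programmatically, as an added example that is not from the book: the script lists every access control entry on an Exchange configuration object, resolves extended-right GUIDs (Send As, Receive As, and the Exchange rights in Table 8-2) to their display names, and marks each entry as inherited or explicit, so you can see what a node would lose if you stopped inheritance. The distinguished name at the top is a hypothetical example built from Exchange's default organization name; replace it with your organization, server, storage group or store. It needs Windows PowerShell 2.0 or later and Read Permissions on the object.

```powershell
# Added example (not from the book): list the access control entries on an
# Exchange configuration object, translate extended-right GUIDs to names so
# Send As and Receive As stand out, and show whether each entry is inherited
# from a parent or set directly on the object.
# Assumptions: Windows PowerShell 2.0 or later, Read Permissions on the object,
# and the hypothetical DN below ("First Organization" is Exchange's default
# organization name; replace it with your organization, server, storage group
# or store).

param(
    [string]$ObjectDn = "CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com"
)

# Build a lookup of rightsGuid -> displayName from CN=Extended-Rights, so an
# ACE's ObjectType GUID can be shown as "Receive As" rather than as a GUID.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$rightNames = @{}
foreach ($right in ([ADSI]"LDAP://CN=Extended-Rights,$configNc").psbase.Children) {
    $guid = [string]$right.rightsGuid
    if ($guid -ne "") { $rightNames[$guid.ToLower()] = [string]$right.displayName }
}

$entry = [ADSI]"LDAP://$ObjectDn"
$rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$report = foreach ($ace in $rules) {
    $rightName = [string]$ace.ActiveDirectoryRights              # e.g. GenericAll, ExtendedRight
    if ($ace.ObjectType -ne [Guid]::Empty) {
        $name = $rightNames[$ace.ObjectType.ToString().ToLower()]
        if ($name) { $rightName = $name }                           # a named extended right or property set
        else       { $rightName = "$rightName on $($ace.ObjectType)" }   # a specific attribute or class
    }
    New-Object PSObject -Property @{
        Identity  = $ace.IdentityReference.Value
        Access    = [string]$ace.AccessControlType                 # Allow or Deny
        Right     = $rightName
        Inherited = $ace.IsInherited                               # $true: came from a parent node
        AppliesTo = [string]$ace.InheritanceType                   # None, All, Descendents, ...
    }
}

$report | Sort-Object Identity, Access | Format-Table Identity, Access, Right, Inherited, AppliesTo -AutoSize

# The entries to look at first: Allows of Send As or Receive As, explicit or
# inherited, which let the holder send as, or open the mailboxes of, everything
# beneath this object. Explicit entries override inherited ones.
"Send As / Receive As grants:"
$report | Where-Object { $_.Right -match "^(Send|Receive)[ -]As$" -and $_.Access -eq "Allow" } |
    Format-Table Identity, Right, Inherited -AutoSize
```

Point the script at a mailbox store to answer the question the Security tab makes tedious: which principals, through which inherited entries, can open every mailbox in that store. Run before and after you break inheritance on a node to confirm that only the entries you intended to keep survived.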

Delegating Exchange Server Permissions

At times, you might need to delegate control of Exchange Server without making a user a member of the Domain Admins or Enterprise Admins groups. For example, you might want a technical manager to be able to manage Exchange mailboxes, or you might want your boss to be able to view Exchange settings but not be able to modify settings. The tool you use to delegate control of Exchange Server is the Exchange Administration Delegation Wizard.

Working With the Exchange Administration Delegation Wizard

You use the Exchange Administration Delegation Wizard to delegate administrative permissions at the organization level or the administrative group level. The level of permissions you set is determined by where you start the wizard. If you start the wizard from the organization level, the groups or users that you specify will have administrative permissions throughout the organization. If you start the wizard from the administrative group level, the groups or users that you specify will have administrative permissions for that specific administrative group.

To simplify administration, you should always assign permissions to a group rather than to individual users. In this way, you grant permissions to additional users simply by making them members of the appropriate group, and you revoke permissions by removing the users from the group.

The Exchange Administration Delegation Wizard lets you assign any of the following administrative permissions to users and groups:

  • Exchange Full Administrator. Allows users or groups to fully administer Exchange system information and modify permissions. Grant this role to users who need to configure and control access to Exchange Server.

  • Exchange Administrator. Allows users or groups to fully administer Exchange system information but not to control access or modify permissions. Grant this role to users or groups who are responsible for the day-to-day administration of Exchange Server.

  • Exchange View Only Administrator. Allows users or groups to view Exchange configuration information. Grant this role to users or groups that need to view Exchange configuration settings but are not authorized to make changes.

Note

The Exchange Administration Delegation Wizard controls access to the Exchange Server 2003 configuration in Active Directory. It doesn't give a user administrative access to the local machine. If Exchange administrators need to manage services or access the registry or file system on the server itself, you will need to make them local machine administrators on each Exchange server they need to manage. For example, Exchange Full Administrators are typically members of the local machine's Administrators group on the servers they run; Exchange View Only Administrators should not be, or the view-only restriction means little.

When setting permissions at the organization level, users and groups you delegate control to have the permissions shown in Table 8-3.

Table 8-3. Delegating Permissions at the Organization Level

Permission Type          Object              Permissions Granted                Applies to Subcontainers?
-----------------------  ------------------  ---------------------------------  -------------------------
Full Administrator       Organization        All except Send As and Receive As  Yes
Full Administrator       Exchange Container  Full Control                       Yes
Administrator            Organization        All except Send As and Receive As  Yes
Administrator            Exchange Container  All except Change Permissions      Yes
View Only Administrator  Organization        View Information Store Status      Yes
View Only Administrator  Exchange Container  Read, List Object, List Contents   Yes

When setting permissions at the administrative group level, users and groups you delegate control to have the permissions shown in Table 8-4.

Table 8-4. Delegating Permissions at the Administrative Group Level

Permission Type          Object                 Permissions Granted                                              Applies to Subcontainers?
-----------------------  ---------------------  ---------------------------------------------------------------  -------------------------
Full Administrator       Organization           Read, List Object, List Contents                                 Yes
Full Administrator       Administrative Group   All except Send As and Receive As                                Yes
Full Administrator       Exchange Container     Read, List Object, List Contents                                 No
Full Administrator       Connectors             All except Change Permissions                                    Yes
Full Administrator       Offline Address Lists  Write                                                            Yes
Administrator            Organization           Read, List Object, List Contents                                 Yes
Administrator            Administrative Group   All except Change Permissions, Send As, and Receive As           Yes
Administrator            Exchange Container     Read, List Object, List Contents                                 No
Administrator            Offline Address Lists  Write                                                            Yes
View Only Administrator  Organization           Read, List Object, List Contents                                 No
View Only Administrator  Administrative Group   Read, List Object, List Contents, View Information Store Status  Yes
View Only Administrator  Exchange Containers    Read, List Object, List Contents                                 Yes (limited)

Using the Exchange Administration Delegation Wizard

You use the Exchange Administration Delegation Wizard to set permissions by completing the following steps:

  1. After starting System Manager, right-click the organization or administrative group for which you want to delegate administrative permissions, and then click Delegate Control. This starts the Exchange Administration Delegation Wizard.

  2. Click Next.

  3. In Users Or Groups, click Add to grant a new user or group administrative permissions. The Delegate Control dialog box is displayed.

  4. Click Browse. Select the group or user to which you want to grant administrative permissions, and then click OK.

  5. In the Delegate Control dialog box, use Role to choose the administrative role. The options are as follows:

    • Exchange Full Administrator

    • Exchange Administrator

    • Exchange View Only Administrator

  6. Click OK. Repeat Steps 3 through 5 to delegate control to other users or groups.

  7. Click Next, and then click Finish to complete the procedure.

Auditing Exchange Server Usage

Auditing lets you track what's happening with Exchange Server. You can use auditing to collect information related to information store usage, creation of public folders, and much more. Any time an action that you've configured for auditing occurs, an event is written to a security log, where it's stored for your review. You can access the security log from Event Viewer.

Before you can configure auditing for Exchange, you must enable auditing in the domain through Group Policy. Once you enable auditing, you can configure auditing entries on individual Exchange objects to collect the information you want to track. Keep in mind where the events end up: the Exchange objects you configure in System Manager are Active Directory configuration objects, so access to them is recorded under the Audit Directory Service Access category in the security log of the domain controller that handled the access, not in the Exchange server's own log. You'll need to be logged on using an account that's a member of the Administrators group, or one that has been granted the Manage Auditing And Security Log right in Group Policy.

Enabling Auditing in the Domain

You enable auditing in the domain through Group Policy. You can think of group policies as sets of rules that help you manage resources. You can apply group policies to domains, organizational units within domains, and individual systems. Policies that apply to individual systems are referred to as local group policies and are stored only on the local system. Other group policies are linked as objects in Active Directory.

You can enable Exchange auditing by completing the following steps:

  1. Start Active Directory Users And Computers. In the console root, right-click the domain node, and then select Properties from the shortcut menu.

    Note

    The following steps explain how to enable auditing for an Active Directory domain. If you want a more detailed explanation of group policies and how they work, read Chapter 4 of Microsoft Windows Server 2003 Administrator’s Pocket Consultant (Microsoft Press, 2003).

  2. In the Properties dialog box, click the Group Policy tab. Edit the default policy by selecting Default Domain Policy and then clicking Edit. Keep in mind that a Group Policy Object linked to an organizational unit overrides a domain-linked one for any setting both define; on domain controllers, where directory service access is audited, an audit category defined in Default Domain Controllers Policy takes precedence over the same category in Default Domain Policy.

  3. As shown in Figure 8-3, access the Audit Policy node by working your way down through the console tree. Expand Computer Configuration, Windows Settings, Security Settings, and Local Policies. Then select Audit Policy.

    Figure 8-3. Use the Audit Policy node in Group Policy to enable auditing.

  4. You should now see the following auditing options:

    • Audit Account Logon Events. Tracks credential validation: a domain controller logs these events when it authenticates a domain account (by Kerberos or NTLM), whichever computer the user is logging on to.

    • Audit Account Management. Tracks account management by means of Active Directory Users And Computers. Events are generated any time user, computer, or group accounts are created, modified, or deleted.

    • Audit Directory Service Access. Tracks access to Active Directory objects that have auditing entries defined. Because Exchange configuration objects live in the directory, this is the category that records the auditing entries you set on them in System Manager.

    • Audit Logon Events. Tracks events related to user logon, user logoff, and remote connections to network systems.

    • Audit Object Access. Tracks access to non-directory objects that have auditing entries defined, such as files, folders, and registry keys on the Exchange server.

    • Audit Policy Change. Tracks changes to user rights, auditing, and trust relationships.

    • Audit Privilege Use. Tracks the use of user rights and privileges, such as backing up files and directories or changing the system time.

    • Audit Process Tracking. Tracks system processes and the resources they use.

    • Audit System Events. Tracks system startup, shutdown, and restart, as well as actions that affect system security or the security log.

  5. To configure an auditing policy, double-click its entry, or right-click the entry, and then select Security. This opens a Properties dialog box for the policy.

  6. Select Define These Policy Settings, and then select either the Success or Failure check box, or both. Success logs successful events, such as successful logon attempts. Failure logs failed events, such as failed logon attempts.

  7. Repeat Steps 5 and 6 to enable other auditing policies. The changes take effect when Group Policy next refreshes on the affected computers (by default every 90 minutes on member servers and every 5 minutes on domain controllers) or when you run gpupdate /force on a computer to refresh it immediately.

Starting to Log Auditable Events

To ensure the security and integrity of Exchange Server, you should set auditing policies. Auditing policies specify the actions that should be recorded in the security log. As with permissions, the auditing policies you apply are inherited by child objects in Exchange Server. Knowing this, you can configure auditing at several levels:

  • Globally. To apply auditing policies for all of Exchange Server, set the policies at the organization level. Through object inheritance, these policies are then applied globally. Be careful, though; too many global policies cause excessive logging, which fills the security log on the domain controllers and buries the events you actually care about.

  • Per server. To apply auditing policies on a per-server basis, set the policies individually on each server in the Exchange organization. Through inheritance, these policies are then applied to all subnodes on the applicable server. Again, limit the types of actions that you audit to those you will actually review.

  • Per storage group. To apply auditing policies to a particular storage group, set the policies at the storage group level. Through inheritance, these policies are then applied to all mailbox and public folder stores within the storage group.

  • Per object. To apply auditing settings to a single node or object, set the policies on a specific node. Disallow auditing inheritance for child nodes as necessary.

With this in mind, you can start logging for Exchange server by completing the following steps:

  1. In System Manager, right-click the node you want to work with, and then select Properties from the shortcut menu. Click the Security tab, and then click Advanced.

  2. In the Advanced Security Settings dialog box, click the Auditing tab. To inherit auditing settings from a parent object, make sure that the Allow Inheritable Auditing Entries From The Parent To Propagate To This Object And All Child Objects check box is selected.

  3. Use the Auditing Entries list box to select the users, groups, or computers for which you want to audit actions. To remove an account, select the account in the list box, and then click Remove.

  4. To add specific objects, click Add, and then use the Select User, Computer, Or Group dialog box to select an object name to add. When you click OK, you’ll see the Auditing Entry For dialog box (see Figure 8-4).

    Figure 8-4. Use the Auditing Entry For dialog box to set auditing entries for users, computers, and groups.

  5. Use the Apply Onto drop-down list to specify where objects are audited.

  6. Select either the Successful or Failed check box, or both, for each of the events you want to audit. Successful logs successful events, such as successful file reads. Failed logs failed events, such as failed file deletions. The events you can audit are the same as the permissions listed in Table 8-1 and Table 8-2.

  7. Click OK when you’re finished. Repeat this process to audit other users, groups, or computers.
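An auditing entry produces nothing unless the matching audit category is enabled where the object lives, so the two halves of this procedure are worth checking together. The following Windows PowerShell script is an added example, not from the book: it reads the auditing entries (the SACL) on an Exchange configuration object and parses the computer's effective audit policy as exported by secedit. Run it on a domain controller, because that is where access to directory objects is audited; reading a SACL requires the Manage Auditing And Security Log right. The distinguished name is a hypothetical example to replace with your own node.

```powershell
# Added example (not from the book): show the auditing entries (the SACL) on an
# Exchange configuration object and confirm that this computer's effective
# audit policy actually records directory service access, since auditing
# entries produce no events unless the category is on. Run it on a domain
# controller, which is where access to directory objects is audited; reading a
# SACL requires the Manage Auditing And Security Log right. Windows PowerShell
# 2.0 or later. The DN is a hypothetical example; replace it with your own.

param(
    [string]$ObjectDn = "CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com"
)

function Get-AuditEntries {
    param([string]$Dn)
    $entry = [ADSI]"LDAP://$Dn"
    # By default only the owner, group and DACL are fetched; ask for the SACL too.
    $masks = [System.DirectoryServices.SecurityMasks]
    $entry.psbase.Options.SecurityMasks = $masks::Owner -bor $masks::Group -bor $masks::Dacl -bor $masks::Sacl
    $entry.psbase.RefreshCache()
    $rules = $entry.psbase.ObjectSecurity.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        New-Object PSObject -Property @{
            Identity  = $rule.IdentityReference.Value
            Audit     = [string]$rule.AuditFlags                 # Success, Failure, or both
            Rights    = [string]$rule.ActiveDirectoryRights
            Inherited = $rule.IsInherited
            AppliesTo = [string]$rule.InheritanceType
        }
    }
}

function Get-LocalAuditPolicy {
    # secedit exports the effective local security policy as a Unicode INF file.
    # Its [Event Audit] section has one line per category; the value is
    # 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
    $inf = Join-Path $env:TEMP "audit-policy.inf"
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'Event Audit'); continue }
        if ($inSection -and $line -match '^(Audit\w+)\s*=\s*(\d)') { $policy[$matches[1]] = [int]$matches[2] }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    $policy
}

$levels = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success and Failure' }
$policy = Get-LocalAuditPolicy
$dsAccess = 0
if ($policy.ContainsKey('AuditDSAccess')) { $dsAccess = $policy['AuditDSAccess'] }
"Audit Directory Service Access on this computer: " + $levels[$dsAccess]

$entries = @(Get-AuditEntries $ObjectDn)
if ($entries.Count -eq 0) {
    "No auditing entries on $ObjectDn; access to it is not recorded."
} else {
    $entries | Format-Table Identity, Audit, Rights, Inherited, AppliesTo -AutoSize
    if ($dsAccess -eq 0) {
        "Warning: auditing entries are set, but directory service access auditing is off, so they generate no events."
    }
}
```

The SecurityMasks line matters: DirectoryEntry fetches only the owner, group and DACL unless told to include the SACL, so without it GetAuditRules returns nothing even when entries exist. The secedit export reflects the policy actually in force on the computer where it runs, after Default Domain Policy and Default Domain Controllers Policy have been combined, which is what you want to verify rather than the setting in either GPO alone.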

Exchange Server Recipient Policies

Auditing policies are only one type of policy that you can apply directly to Exchange Server. Another type of policy is a recipient policy. E-mail address recipient policies control e-mail address generation in the organization, and you also use them to establish new default e-mail addresses on a global basis. Mailbox Manager recipient policies help you track and control mailbox usage.

Understanding E-mail Address Recipient Policies

You can apply e-mail address recipient policies to all mail-enabled objects, including users, groups, contacts, and public folders. The first e-mail address recipient policy created in the organization is set as the default.

The default policy establishes how default e-mail addresses are generated for X.400, Simple Mail Transfer Protocol (SMTP), and whatever other gateways might be installed in your Exchange organization. The default policy applies to all mail-enabled objects in the organization. By modifying the default policy, you can update the default e-mail addressing throughout the organization. Your updates can either override the existing e-mail addresses or be added as the primary addresses (with the current defaults set as secondary addresses).

You can create additional e-mail address recipient policies as well. Through filters, you can apply these additional policies to specific types of objects and to objects matching specific filter parameters. Here are some examples:

  • By filtering for specific objects, you could create different recipient policies for users, groups, and contacts. Here, you might have user, group, and contact policies.

  • By filtering objects based on the department or division field, you could create recipient policies for each business unit in your organization. Here, you might have marketing, administration, and business development policies.

  • By filtering objects based on the city and state, you could create recipient policies for each office in your organization. Here, you might have Seattle, New York, and San Francisco policies.

In an organization in which many e-mail address recipient policies are in effect, only one policy is applied to a particular object. To determine which, Exchange Server evaluates the policies in priority order and applies the first one whose filter the object matches; a higher-priority policy is always considered before a lower-priority one.

The default recipient policy is set to the lowest priority. This means that the default policy is applied only when no other policy is available for a particular object.

When you create a new e-mail address recipient policy, the policy is applied based on the update interval of the Recipient Update Service running under the System Attendant. By default, the update interval is set to Always Run, which means that new policies are applied immediately. In a busy organization, however, continuous updating of e-mail addresses could degrade Exchange performance. That’s why you can set the update interval to a different value. To determine or change the update interval, see the section of this chapter entitled "Scheduling E-mail Address Recipient Policy Updates."

Creating E-mail Address Recipient Policies

You use recipient policies to generate e-mail addresses for users, groups, contacts, and other mail-enabled objects in the organization. If your organization doesn’t have a default recipient policy, the first policy you create is set as the default. You can’t change some parameters of default policies. For example, you can’t set filters on the default policy.

The default policy applies to all mail-enabled objects, and you can’t change this behavior. Each additional policy that you create is fully customizable. You can set a name for the policy and add one or more filters.

You create an e-mail address recipient policy by completing the following steps:

  1. In System Manager, expand the Recipients node, and then select Recipient Policies. In the right pane, you should see a list of current policies.

  2. Right-click Recipient Policies, point to New, and then click Recipient Policy.

  3. In the New Policy dialog box, select the E-Mail Addresses check box and then click OK.

  4. In the Name field, type a name for the recipient policy. Use a descriptive name that makes it easy to determine how the policy is used and to which objects the policy applies.

  5. Click Modify to display the Find Exchange Recipient dialog box. You can now select the recipient types that you want the new policy to apply to by selecting Show Only These Recipients, and then selecting the Users, Groups, and Contacts check boxes as appropriate.

  6. As shown in Figure 8-5, use the options on the Advanced tab to set filters for the policy. These filters are based on object type. For example, if you wanted to filter users by division, you would click Field, point to User, and then select Division. Next, you would select a condition. The available conditions are Starts With, Ends With, Is (Exactly), Is Not, Present, and Not Present. You would then create the filter by clicking Add. To specify additional filters, you would repeat this process.

    Figure 8-5. Use the Advanced tab to set filters on individual objects.

  7. Click OK when you finish defining filters. The filter should now be displayed in the Filter Rules field of the General tab. If you made a mistake, you can edit the filter by clicking Modify again.

  8. Click OK to create the policy. The policy is applied according to the schedule for the applicable Recipient Update Service. To determine or change the update interval, see the section of this chapter entitled "Scheduling E-mail Address Recipient Policy Updates."

  9. As necessary, modify the default e-mail addresses assigned, as described in "Modifying E-mail Address Recipient Policies and Generating New E-mail Addresses" next.

Modifying E-mail Address Recipient Policies and Generating New E-mail Addresses

Once you create e-mail address recipient policies, they aren’t etched in stone. You can change their properties at any time. The changes you make might cause Exchange Server to generate new e-mail addresses for recipients.

To modify a recipient policy, complete the following steps:

  1. In System Manager, expand the Recipients node, and then select Recipient Policies.

  2. In the right pane, you should see a list of current policies. Double-click the policy you want to modify.

  3. If you want to rename the policy, type a new name for the policy in the Name field.

  4. If you want to modify the way the policy is applied, click Modify, and then follow Steps 4 through 6 in the section of this chapter entitled "Creating E-mail Address Recipient Policies."

  5. Click the E-Mail Addresses (Policy) tab, as shown in Figure 8-6. You can now reconfigure the default e-mail address generation rules for the members of the recipient policy. Current rules are displayed in the Generation Rules list. You can now do the following:

    • Create a new rule. Click New. In the New E-Mail Address dialog box, select the type of e-mail address, and then click OK. Complete the Properties dialog box, and then click OK again.

    • Change an existing rule. Double-click the e-mail address entry, and then modify the settings in the Properties dialog box. Click OK.

    • Delete a rule. Select a rule, and then click Remove. Click Yes when prompted to confirm the deletion.

    • Set a primary e-mail address. When several e-mail addresses are defined for a particular gateway, you can specify a primary e-mail address. Simply select the address you want to use as the primary one, and then click Set As Primary Address.

      Figure 8-6. Use the E-Mail Addresses (Policy) tab to specify how e-mail addresses should be generated.

  6. If you want the new e-mail addresses defined in the policy to become the primary addresses, and the current primary addresses to become alternative addresses, choose each new address in turn, and then select Set As Primary.

  7. Click OK to apply the changes. If you modified the recipient membership or changed e-mail address settings, you’ll see a prompt asking if you want to update all the corresponding recipient e-mail addresses. Click Yes to allow Exchange Server to generate new e-mail addresses based on the policy you’ve set.

Creating Exceptions to E-mail Address Recipient Policies

The Recipient Update Service is responsible for applying recipient policies. When you create new policies, the Recipient Update Service running under the System Attendant applies these policies. A policy is applied only once—unless you modify a policy and cause Exchange Server to generate new e-mail addresses.

If you want to create exceptions to recipient policies, wait until the Recipient Update Service has applied the policies. Then complete the following steps:

  1. Start Active Directory Users And Computers, and then access the node that contains the recipients you want to work with.

  2. Double-click the recipient object you want to exclude from the recipient policy, and then, in the Properties dialog box, click the E-Mail Address tab. Now modify the e-mail address settings for the object that you selected:

    • Add a new e-mail address. Click New. In the New E-Mail Address dialog box, select the type of e-mail address, and then click OK. Complete the Properties dialog box, and then click OK again.

    • Change an existing e-mail address. Double-click the address entry, and then modify the settings in the Properties dialog box. Click OK.

    • Delete an e-mail address. Select the address you want to delete, and then click Remove. Click Yes when prompted to confirm the deletion.

  3. Click OK when you’re finished, and then repeat this procedure for other recipients for whom you want to create policy exceptions.

Scheduling E-mail Address Recipient Policy Updates

The Recipient Update Service is responsible for making updates to e-mail addresses, and it does this based on recipient policy changes. These updates are made at a specific interval that is defined for the service. You can view the update interval and modify it as necessary by completing the following steps:

  1. Start System Manager, and then in the left pane (the console tree), click the plus sign (+) next to the Recipients node. Then select Recipient Update Services.

  2. You should now see the available Recipient Update Services in the right pane. You’ll have an enterprise configuration service and one or more additional services for additional domains in the domain forest.

  3. Right-click the service you want to work with, select Properties, and then use the Properties dialog box to view the service’s configuration settings.

  4. Use Update Interval to choose a new update interval. The following options are available:

    • Always Run

    • Run Every Hour

    • Run Every 2 Hours

    • Run Every 4 Hours

    • Never Run

    • Use Custom Schedule

    Tip

    If you want to set a custom schedule, choose Use Custom Schedule, and then click Customize. You can then set times when the service should make updates using the Schedule dialog box shown in Figure 8-7. In this dialog box, you can set the detail of the view to be hourly or every 15 minutes. Each hour or 15-minute interval of the day or night is a field that you can turn on and off. Intervals where updates should occur are filled in with a dark bar—you can think of these intervals as being turned on. Intervals where updates shouldn’t occur are blank—you can think of these intervals as being turned off. To change the setting for an interval, click it to toggle its mode (either on or off).

    Figure 8-7. In a busy Exchange organization, you might want to set a specific schedule for updates. If so, use the Schedule dialog box to define the update schedule.

  5. Click OK to apply the changes.

Forcing E-mail Address Recipient Policy Updates

Normally, the Recipient Update Service updates e-mail addresses at a specific interval. If necessary, you can manually start an update by completing the following steps:

  1. Start System Manager and then, in the left pane (the console tree), click the plus sign (+) next to the Recipients node, and then select Recipient Update Services.

  2. You should now see the available Recipient Update Services in the right pane. You’ll have an enterprise configuration service and one or more additional services for additional domains in the domain forest.

  3. Right-click the service you want to work with, and then select Update Now.

Rebuilding the Default E-mail Addresses

In some rare circumstances, the changes you’ve made to recipient policies might not be applied properly. If you think there’s a problem, you can rebuild the default e-mail addresses for recipients. To do that, follow these steps:

  1. Start System Manager and then, in the left pane (the console tree), click the plus sign (+) next to the Recipients node and then select Recipient Update Services.

  2. You should now see the available Recipient Update Services in the right pane. You will have an enterprise configuration service and one or more additional services for additional domains in the domain forest.

  3. Right-click the service you want to work with, and then select Rebuild. When prompted to confirm the action, click Yes.

Caution

The process of rebuilding e-mail addresses can take several hours. If you cancel the process before it’s completed by either stopping the service or rebooting the Exchange server, you’ll need to rebuild the addresses again.

Understanding Mailbox Manager Recipient Policies

Mailbox Manager is designed to help manage user mailboxes so that users experience fewer problems. Mailbox Manager does this by helping you as an administrator keep track of mailbox usage. You can also notify users when their mailboxes have messages that should be cleaned up or you can take action to clean up mailboxes by moving or deleting messages.

When activated, Mailbox Manager processes messages according to which folder the messages are stored in, and you can configure different settings for each type of folder. By default, items in folders older than 30 days and larger than 1 MB (1024 KB) are processed by Mailbox Manager and you have the following message processing options:

  • Generate Report Only. Generates a report that is delivered to designated administrators. You can send either a summary report or a detailed report.

  • Move To Deleted Items Folder. Moves items that exceed the age and size limits to the Deleted Items folder. The items will be purged from this folder based on the deletion settings for the mailbox store in which the mailbox is located or the individual settings for the user’s mailbox.

  • Move To System Cleanup Folders. Moves items that exceed the age and size limits to the System Cleanup folders. Items in the folder are marked for cleanup at the next cleanup interval, which can happen automatically or when the user chooses.

  • Delete Immediately. Deletes the items permanently. The items are not copied to the Deleted Items folder.

Caution

You’ll rarely, if ever, want to delete items immediately, and I don’t recommend using this option unless you’ve planned carefully. For example, one scenario in which you might want to delete items immediately is if you are using Mailbox Manager only to process items in the Deleted Items and System Cleanup folders. The caution here, however, is that another administrator might not understand how you’ve configured mailbox management and they might add other folders to the processing list without understanding the implications of the Delete Immediately setting.

You can apply Mailbox Manager recipient policies to all mailbox-enabled objects. Unlike e-mail address recipient policies, Exchange doesn’t create a default Mailbox Manager recipient policy, and mailbox management isn’t activated until you set it up. Activating Mailbox Manager is a two-part process:

  1. Create and configure a Mailbox Manager recipient policy.

  2. Specify when and how mailbox management occurs.

As with an e-mail address recipient policy, you can create multiple Mailbox Manager policies and you can use filters to custom tailor the list of mailboxes that are affected by the various policies. For example, you could create different Mailbox Manager policies for executives, managers, and users. Or you could create policies for each business unit in your organization, such as Customer Service, Marketing, Administration, and Engineering. Keep in mind that regardless of whether a mailbox matches multiple filter criteria, only one Mailbox Manager policy is applied to a particular object, as determined by the priority of the policy.

Creating Mailbox Manager Recipient Policies

Mailbox Manager can be a great tool. Not only can you notify administrators of mailboxes that need cleaning up, but you can also take action by notifying users about messages that they should clean up, and moving or removing messages automatically. However, you should manage this feature carefully.

Remember, the key reasons for cleaning up mailboxes are to reduce mailbox size, reduce mailbox clutter, and eliminate potential problems. By reducing the size of the mailbox, you save disk space either on the server or on the user’s computer (and sometimes in both locations). By reducing mailbox clutter, you make it easier for users to find current information and reduce distraction. Less size and clutter also mean that the mailbox is easier to manage and that it is less likely for the mailbox to get corrupted.

You create a Mailbox Manager recipient policy by completing the following steps:

  1. In System Manager, expand the Recipients node, and then select Recipient Policies. In the right pane, you should see a list of current policies.

  2. Right-click Recipient Policies, point to New, and then click Recipient Policy.

  3. In the New Policy dialog box, select the Mailbox Manager Settings check box and then click OK.

  4. In the Name field, type a name for the recipient policy. Use a descriptive name that makes it easy to determine how the policy is used and to which objects the policy applies.

  5. Display the Find Exchange Recipient dialog box by clicking Modify. You can now select the recipient types that you want the new policy to apply to. Do this by selecting Show Only These Recipients, and then selecting the Users, Groups, and Contacts check boxes as appropriate.

  6. Use the options on the Advanced tab to set filters for the policy.

  7. Click OK when you finish defining filters. The filter should now be displayed on the General tab in the Filter Rules field. If you made a mistake, you can edit the filter by clicking Modify again.

  8. Click the Mailbox Manager Settings (Policy) tab shown in Figure 8-8.

    Figure 8-8. Use the Mailbox Manager Settings (Policy) tab to specify when and how mailboxes are managed.

  9. Use When Processing A Mailbox to specify when processing should occur. The options are as follows:

    • Generate Report Only

    • Move To Deleted Items Folder

    • Move To System Cleanup Folders

    • Delete Immediately

  10. By default, items in folders older than 30 days and larger than 1 MB (1024 KB) are processed by Mailbox Manager. By clearing or selecting the following folders, you can enable or disable their processing:

    • Inbox. The primary mailbox folder for users. In most cases, you’ll want to ensure that 3 or more months of incoming mail messages are saved regardless of message size. With this in mind, you might want to use an age restriction of 90 days or more.

    • Sent Items. Used to save copies of outgoing mail messages. In most cases, you’ll want to ensure that 2 to 3 months of outgoing mail are saved regardless of message size. With this in mind, you might want to use an age restriction of 60 to 90 days.

    • Calendar. Used to schedule and track appointments, events, and meetings. Many users, especially managers and executives, like to keep 6 months or more of calendar information. Most calendar items don’t have large attachments, and I don’t recommend using Mailbox Manager to clear out calendar items.

    • Tasks. Used to create and track to-do items. Most task items are very small in size.

    • Journal. Used to create and track journal entries.

    • Contacts. Used to create and track personal and business contacts. Because contacts are essential to business, I don’t recommend using Mailbox Manager to clear out contacts.

    • Notes. Used to create and track notes, including sticky notes.

    • Deleted Items. Used to save temporary copies of messages that have been deleted from the Inbox or other folders.

    • System Cleanup. A system folder used by the operating system.

    • All Other Mail Folders. The catch-all option that allows you to specify what happens to other types of mail folders.

  11. Age and message size limits are set on a per-folder basis. If you want to change the settings, double-click the folder entry in the Folder list to display the Folder Retention Settings dialog box shown in Figure 8-9. You can then do the following:

    • Use the Age Limit (Days) field to specify the age that must be exceeded to potentially trigger processing. If you set the age limit to zero or clear the Age Limit check box, you eliminate the age limit for processing.

    • Use the Message Size (KB) field to specify the message size that must be exceeded to potentially trigger processing. If you set the message size limit to zero or clear the Message Size check box, you eliminate the message size requirement for processing.

      Figure 8-9. You can change the age and message size limits for each folder as necessary.

  12. If you want to send e-mail to users about processing of their mailbox, choose Send Notification Mail To User After Processing and then click Message. After you use the Notification Message dialog box to specify the text of the message to send, click OK.

  13. Click OK to create the policy. The policy is applied according to the mailbox management settings of the Exchange server. To determine or change the processing interval, see the next section, "Configuring Mailbox Management and Reporting."
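The per-folder age and size rules from step 11, worked through in code. This is an added example, not code from the book or from Exchange Server; the folder names, the 30-day / 1024 KB defaults, the four processing actions and the "zero or cleared means no limit" rule come from the text, while the sample mailbox contents and the assumptions noted in the comments are mine.

```python
# Added example (not from the book): evaluates a Mailbox Manager recipient policy
# against a mailbox. Folder names, the 30-day / 1024 KB defaults, the four
# processing actions and the rule that a zero or cleared limit removes that
# requirement all come from the text. Assumptions: an item is processed only when
# it exceeds BOTH limits that are in force for its folder, and a folder not listed
# is treated as "All Other Mail Folders". Mailbox contents below are constructed.
from dataclasses import dataclass
from typing import Optional

DEFAULT_AGE_DAYS = 30
DEFAULT_SIZE_KB = 1024
ACTIONS = ("Generate Report Only", "Move To Deleted Items Folder",
           "Move To System Cleanup Folders", "Delete Immediately")
DESTINATION = {"Move To Deleted Items Folder": "Deleted Items",
               "Move To System Cleanup Folders": "System Cleanup"}


@dataclass
class FolderRetention:
    enabled: bool = True
    age_limit_days: Optional[int] = DEFAULT_AGE_DAYS   # 0 or None: no age limit
    message_size_kb: Optional[int] = DEFAULT_SIZE_KB   # 0 or None: no size limit

    def exceeded_by(self, age_days: int, size_kb: int) -> bool:
        too_old = not self.age_limit_days or age_days > self.age_limit_days
        too_big = not self.message_size_kb or size_kb > self.message_size_kb
        return too_old and too_big


@dataclass
class Item:
    folder: str
    subject: str
    age_days: int
    size_kb: int


def default_settings():
    """Per-folder settings following the text's recommendations: longer
    retention for Inbox and Sent Items, Calendar and Contacts left alone."""
    settings = {name: FolderRetention() for name in (
        "Inbox", "Sent Items", "Calendar", "Tasks", "Journal", "Contacts",
        "Notes", "Deleted Items", "System Cleanup", "All Other Mail Folders")}
    settings["Inbox"] = FolderRetention(age_limit_days=90)
    settings["Sent Items"] = FolderRetention(age_limit_days=60)
    settings["Calendar"] = FolderRetention(enabled=False)
    settings["Contacts"] = FolderRetention(enabled=False)
    # Deleted Items: age limit only, size limit cleared (0 = no size requirement)
    settings["Deleted Items"] = FolderRetention(message_size_kb=0)
    return settings


def process_mailbox(items, settings, action):
    """Return what Mailbox Manager would do for each item under 'action'.

    Only items exceeding their folder's limits appear; each entry records the
    folder it came from and, for the two move actions, where it would go."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    catch_all = settings["All Other Mail Folders"]
    processed = []
    for item in items:
        retention = settings.get(item.folder, catch_all)
        if not retention.enabled:
            continue                      # folder not selected for processing
        if retention.exceeded_by(item.age_days, item.size_kb):
            processed.append({
                "folder": item.folder,
                "subject": item.subject,
                "moved_to": DESTINATION.get(action),   # None: report only / deleted
            })
    return processed


SAMPLE_MAILBOX = [  # constructed sample data
    Item("Inbox", "Q3 budget spreadsheet", age_days=120, size_kb=2048),
    Item("Inbox", "Old but small", age_days=120, size_kb=500),
    Item("Inbox", "Recent large attachment", age_days=45, size_kb=3000),
    Item("Sent Items", "Proposal draft", age_days=75, size_kb=1500),
    Item("Calendar", "Annual review", age_days=400, size_kb=5000),
    Item("Deleted Items", "Tiny deleted note", age_days=40, size_kb=2),
    Item("Projects", "Archived design docs", age_days=31, size_kb=1025),
]


def affected_subjects(action="Generate Report Only"):
    """Subjects of the sample items the policy would process under 'action'."""
    return [p["subject"]
            for p in process_mailbox(SAMPLE_MAILBOX, default_settings(), action)]
```

Running `affected_subjects()` shows why the per-folder settings matter: the old-but-small Inbox item and the recent large one both survive, the Calendar item is skipped because its folder is not selected, and the tiny Deleted Items note is processed because its size limit was cleared.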

Configuring Mailbox Management and Reporting

After you create Mailbox Manager policies, you can configure the mailbox management process by specifying the run schedule, the type of reporting to use (if any), and the administrator who should receive reports. You configure mailbox management and reporting by completing the following steps:

  1. Start System Manager. Under the Administrative Group node, click the plus sign (+) next to the administrative group you want to work with and then click the plus sign (+) for the Servers node.

  2. Right-click the server you want to configure for mailbox management and then select Properties.

  3. Select the Mailbox Management tab, as shown in Figure 8-10.

    Figure 8-10. After you configure Mailbox Manager policies, specify how mailbox management should be handled on a per-server basis.

  4. Use Start Mailbox Management Process to set the mailbox management schedule. The following are the available options:

    • Never Run

    • Run Friday At Midnight

    • Run Saturday At Midnight

    • Run Sunday At Midnight

    • Use Custom Schedule

    Note

    If you want to set a custom schedule, choose Use Custom Schedule, and then click Customize. You can now set times when mailbox management should occur.

  5. Use Reporting to specify the type of reports that should be sent to administrators. The options are as follows:

    • None

    • Send Summary Report To Administrator

    • Send Detail Report To Administrator

  6. Click Browse. Use the Select Recipient dialog box to specify the administrator that should receive mailbox management reports. Only one user account can be specified.

  7. Click OK.

Running Mailbox Manager Manually

You can run the Mailbox Manager process manually at any time by right-clicking the server you want to work with and selecting Start Mailbox Management Process. In most cases, you’ll only want to do this when the server workload is low, such as before or after normal business hours.

Setting the Priority of Recipient Policies

As stated previously, only one recipient policy is applied to a recipient. This policy is the highest priority policy with filter conditions that match the properties of the recipient.

Priorities are assigned to recipient policies according to their position in the Recipient Policies list. In System Manager, you can view the current position and priority of a policy by expanding the Recipients node and then selecting Recipient Policies.

The default recipient policy has the lowest priority, and you can’t change this priority. You can, however, change the priority of other policies by right-clicking the policy in the Recipient Policies node, pointing to All Tasks, and then selecting Move Up or Move Down as appropriate. Changing the priority of policies might cause the Recipient Update Service to generate new e-mail addresses.
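How the filter conditions from the Advanced tab combine with policy priority to select exactly one policy per recipient, as an added example (not code from the book or from Exchange Server). It assumes that several rules in one policy are ANDed, that string matching is case-insensitive as in Active Directory, and that Is Not also matches an object lacking the attribute; the recipient records are constructed.

```python
# Added example (not from the book): models how Exchange Server 2003 chooses the
# single recipient policy that applies to a recipient. Policies sit in priority
# order (highest first); the default policy is last, has no filter and matches
# everything. The filter conditions are the ones offered on the Advanced tab.
# Assumptions: multiple rules in one policy are ANDed, string comparisons are
# case-insensitive (as in Active Directory), and "Is Not" also matches an object
# that lacks the attribute. Recipient records below are constructed sample data.
from dataclasses import dataclass, field

CONDITIONS = ("Starts With", "Ends With", "Is (Exactly)", "Is Not",
              "Present", "Not Present")


@dataclass
class FilterRule:
    attribute: str          # Active Directory attribute, e.g. "division"
    condition: str          # one of CONDITIONS
    value: str = ""         # ignored for Present / Not Present

    def matches(self, recipient: dict) -> bool:
        if self.condition not in CONDITIONS:
            raise ValueError(f"unknown condition: {self.condition}")
        actual = recipient.get(self.attribute)
        present = actual not in (None, "")
        if self.condition == "Present":
            return present
        if self.condition == "Not Present":
            return not present
        if not present:
            return self.condition == "Is Not"   # assumption noted above
        actual, wanted = actual.lower(), self.value.lower()
        if self.condition == "Starts With":
            return actual.startswith(wanted)
        if self.condition == "Ends With":
            return actual.endswith(wanted)
        if self.condition == "Is (Exactly)":
            return actual == wanted
        return actual != wanted                  # "Is Not"


@dataclass
class RecipientPolicy:
    name: str
    rules: list = field(default_factory=list)   # empty list matches everything
    is_default: bool = False

    def applies_to(self, recipient: dict) -> bool:
        return all(rule.matches(recipient) for rule in self.rules)


def applied_policy(policies, recipient):
    """Return the highest-priority policy whose filter matches the recipient.

    'policies' must be in priority order with the default policy last, so
    exactly one policy is returned, as in System Manager."""
    for policy in policies:
        if policy.applies_to(recipient):
            return policy
    raise LookupError("no default policy at the bottom of the list")


def move_up(policies, name):
    """Raise a policy's priority by one position (System Manager's Move Up).

    The default policy keeps the lowest priority: it cannot be moved, and
    because it is always last no other policy can end up below it."""
    index = next(i for i, p in enumerate(policies) if p.name == name)
    if index == 0 or policies[index].is_default:
        return policies
    policies[index - 1], policies[index] = policies[index], policies[index - 1]
    return policies


def demo():
    """Resolve three constructed recipients against a constructed policy list."""
    policies = [
        RecipientPolicy("No Division Set", [FilterRule("division", "Not Present")]),
        RecipientPolicy("Engineering Users",
                        [FilterRule("division", "Starts With", "eng"),
                         FilterRule("department", "Is Not", "Contractors")]),
        RecipientPolicy("Default Policy", is_default=True),
    ]
    recipients = [
        {"alias": "asmith", "division": "Engineering", "department": "R&D"},
        {"alias": "bjones", "division": "Engineering", "department": "Contractors"},
        {"alias": "clee"},
    ]
    return {r["alias"]: applied_policy(policies, r).name for r in recipients}
```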

Deleting Recipient Policies

You can delete any recipient policies that you create by right-clicking the policy, selecting Delete, and then confirming the action when prompted.

For e-mail address recipient policies, the Address List service updates the e-mail addresses for the affected recipients as necessary. If for some reason these updates don’t occur, you can manually start an update as described in the section of this chapter entitled "Forcing E-mail Address Recipient Policy Updates."

Note

You can’t delete the default e-mail address recipient policy. This policy is mandatory.

Exchange Server System Policies

Exchange Server supports three types of system policies: server, mailbox store, and public folder store. These policies control settings for Exchange servers and information stores.

Using System Policies

You configure system policies through a set of property pages. With mailbox store policies, you can use the General, Database, and Limits property pages to configure a policy. With public store policies, you can use the General, Database, Replication, and Limits property pages to configure a policy. With server policies, you can use only the General property page to configure a policy.

The properties pages are used as follows:

  • General. Sets general-purpose options for the policy

  • Database. Sets storage group membership, Exchange database names, and maintenance schedules

  • Replication. Sets the replication interval and message size limits

  • Limits. Sets the deleted item retention interval and storage limits

When you create a policy, you don’t have to use all of the available property pages. Instead, you select only the property pages you want to use. Later, if you want to add or remove property pages, you can do so by changing the property page availability. The property pages are displayed in the Properties dialog box for the policy as tabs.

You don’t manage system policies in the same way that you manage recipient policies. Instead of creating a policy and relying on a service to implement it, you must take charge of each step of the creation and implementation process. For most system policies, the creation and implementation process works like this:

  1. You create a server, mailbox store, or public store policy.

  2. You specify the servers or stores to which the policy should apply by adding items to the policy.

  3. You enforce the policy by applying it.

You can create multiple policies of a particular type, and you can apply all of these policies to the same objects. For example, you could create separate mailbox store policies to apply database, replication, and messaging controls. You could then apply these policies to the same mailbox store.

If two policies conflict, you’ll be notified of the conflict when you create the policy, and you’ll have the opportunity to remove the item from the conflicting policy. If you don’t rectify the conflict, you won’t be able to add the item to the policy. To see how this would work, consider the following scenario.

You create a policy that sets a storage limit on all mailbox stores in the Exchange organization, and then create a new policy that removes the storage limit on the Technology mailbox store. You’re notified that a conflict exists and you’re given the opportunity to remove the Technology mailbox store from the first policy.
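The scenario above, worked through as an added example (not code from the book or from Exchange Server). It assumes that two system policies conflict only when they configure the same property page for the same item, which is what lets separate database, replication and messaging policies share one store; the policy and store names are constructed.

```python
# Added example (not from the book): models the conflict check System Manager
# performs when you add a store to a system policy, using the scenario from the
# text. Assumption: two policies conflict only when they configure the same
# property page for the same item; policies covering different pages can share
# an item. Policy and store names are constructed.


class PolicyConflict(Exception):
    """Raised when the item is already governed by a policy on the same page."""


class SystemPolicy:
    def __init__(self, name, pages, items=()):
        self.name = name
        self.pages = frozenset(pages)      # e.g. {"General", "Database", "Limits"}
        self.items = set(items)            # servers or stores the policy applies to


def conflicting_policies(policies, policy, item):
    """Other policies that already contain 'item' and overlap in property pages."""
    return [p for p in policies
            if p is not policy and item in p.items and p.pages & policy.pages]


def add_item(policies, policy, item, remove_from_conflicting=False):
    """Add 'item' to 'policy'. On a conflict, either refuse (the default) or
    remove the item from the conflicting policies first, as the dialog offers.
    Returns the names of the policies the item was removed from."""
    conflicts = conflicting_policies(policies, policy, item)
    if conflicts and not remove_from_conflicting:
        raise PolicyConflict(
            f"{item!r} already in {[p.name for p in conflicts]} for pages "
            f"{sorted(policy.pages & conflicts[0].pages)}")
    for other in conflicts:
        other.items.discard(item)
    policy.items.add(item)
    return [p.name for p in conflicts]


def scenario():
    """The text's scenario: an org-wide storage limit, then a Technology
    exception on the same Limits page, plus a maintenance policy that does
    not conflict because it uses a different page."""
    org_limits = SystemPolicy("Org Storage Limits", ["Limits"],
                              items=["Sales", "Technology"])
    tech_no_limits = SystemPolicy("Technology No Limits", ["Limits"])
    tech_maint = SystemPolicy("Technology Maintenance", ["Database"])
    policies = [org_limits, tech_no_limits, tech_maint]

    add_item(policies, tech_maint, "Technology")         # different page: fine
    try:
        add_item(policies, tech_no_limits, "Technology")  # same page: refused
        refused = False
    except PolicyConflict:
        refused = True
    removed = add_item(policies, tech_no_limits, "Technology",
                       remove_from_conflicting=True)
    return {
        "refused_first": refused,
        "removed_from": removed,
        "org_limits_items": sorted(org_limits.items),
        "tech_no_limits_items": sorted(tech_no_limits.items),
        "tech_maint_items": sorted(tech_maint.items),
    }
```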

As you work with these policies, you’ll note that you could use other techniques to set some of the options. For example, you can set deleted item retention these ways:

  • Through the properties of individual mailboxes

  • Through the Mailbox Store Properties dialog box

  • Through mailbox store policies

The differences among these techniques are ones of scope and manageability. With mailbox properties, you’re setting per-mailbox limits that affect a single mailbox. With mailbox store properties, you’re setting limits on individual mailbox stores, which can affect multiple mailboxes. With mailbox store policies, you’re setting limits on one or more mailbox stores and all of the related mailboxes.

Policy settings also take precedence, and in some cases they disallow configuring options at other levels. For example, if you set a deleted item retention period in a mailbox store policy, you can’t edit the deleted item retention period in an affected mailbox store. You can override the policy settings only on individual mailboxes.

Creating Server Policies

Server policies set message tracking and logging rules for Exchange servers in an organization. Message tracking allows you to track messages sent within the organization, messages received from external mail servers, and messages coming from or going to foreign mail systems. With message tracking enabled, you can track system messages, e-mail messages, and public folder postings.

There are many reasons for using message tracking. You can use message tracking to do the following:

  • Track a message’s path from originator to recipient.

  • Search for messages sent by specific users.

  • Search for messages received by specific users.

  • Confirm receipt of messages.

  • Monitor the organization for inappropriate messages.

To create a server policy, complete the following steps:

  1. Start System Manager. Under the Administrative Group node, click the plus sign (+) next to the administrative group you want to edit. Right-click the System Policies node, and point to New. Then click Server Policy.

    Tip

    If no System Policies node is listed, right-click the administrative group in which you want to create the policy, point to New, and then select System Policy Container.

  2. In the New Policy dialog box, select the General check box, and then click OK. You’ll see a Properties dialog box.

  3. Type a descriptive name for the policy.

  4. As shown in Figure 8-11, you configure the server policy options using the General (Policy) tab. Policies you can set include these:

    • Enable Subject Logging And Display. Logs all subject fields for messages processed by the server.

    • Enable Message Tracking. Tracks all messages processed by Exchange Server.

    • Remove Log Files. Removes all log files older than the value set in the Remove Files That Are Older Than (Days) field. The valid range is from 1 to 99 days.

    Figure 8-11. Configure server policy options using the General (Policy) tab.

  5. Click OK to create the policy. Keep in mind that you can’t modify settings that are inherited from server policies, and they appear disabled in the Server Properties dialog box.

  6. Add items to the policy and then apply the policy, as discussed in the sections of this chapter entitled "Adding Items to a System Policy" and "Applying a System Policy."

Creating Mailbox Store Policies

Mailbox store policies set storage limits, deleted-item retention intervals, and maintenance rules for mailbox stores in the Exchange organization. You can’t modify settings that are inherited from mailbox store policies, and they appear disabled in the Mailbox Store Properties dialog box.

You create a mailbox store policy by completing the following steps:

  1. Start System Manager. Under the Administrative Group node, click the plus sign (+) next to the administrative group you want to edit. Right-click the System Policies node, point to New, and then click Mailbox Store Policy. If no System Policies node is listed, right-click the administrative group in which you want to create the policy, point to New, and then select System Policy Container.

  2. In the New Policy dialog box, select the property pages you want to use in the policy. The available options are General, Database, Limits, and Full-Text Indexing.

  3. When you click OK, you’ll see a Properties dialog box.

  4. Type a descriptive name for the policy.

  5. As shown in Figure 8-12, use the General (Policy) tab to set default messaging options. The only mandatory setting is the default public store. All other settings are optional. The available options are as follows:

    • Default Public Store. Shows the default public store for the mailbox store. To set this value, click the corresponding Browse button, select a public store to use, and then click OK.

    • Offline Address List. Shows the default offline address list for the mailbox store. To set this value, click the corresponding Browse button, select an offline address list to use, and then click OK.

    • Archive All Messages Sent Or Received By Mailboxes On This Store. Select this check box if you wish to enable archiving for messages sent or received on this store.

    • Clients Support S/MIME Signatures. Select this check box if mail clients use Secure/Multipurpose Internet Mail Extensions (S/MIME).

    • Display Plain Text Messages In A Fixed-Sized Font. Select this check box to convert the text of incoming Internet messages to a fixed-width font such as Courier.

    Figure 8-12. For mailbox store policies, set general messaging options using the General (Policy) tab.

  6. In the Database (Policy) tab, use Run Maintenance During This Time to select a maintenance schedule for the affected mailbox stores. The available options are as follows:

    • Run Daily From 11:00 P.M. To 3:00 A.M.

    • Run Daily From Midnight To 4:00 A.M.

    • Run Daily From 1:00 A.M. To 5:00 A.M.

    • Run Daily From 2:00 A.M. To 6:00 A.M.

    • Use Custom Schedule

    Note

    If you want to set a custom schedule, choose Use Custom Schedule, and then click Customize. You can then set times when maintenance should occur.

  7. As shown in Figure 8-13, you use the Limits (Policy) tab to set deleted item retention and storage limits. These settings are then enforced through the policy. The available options are as follows:

    • Issue Warning At (KB). Sets the size, in kilobytes, that a mailbox can reach before a warning is issued to the user. The warning tells the user to clean out the mailbox.

    • Prohibit Send At (KB). Sets the size, in kilobytes, that a mailbox can reach before the user is prohibited from sending any new mail. The restriction ends when the user clears out the mailbox and the total mailbox size is under the limit.

    • Prohibit Send And Receive At (KB). Sets the size, in kilobytes, that a mailbox can reach before the user is prohibited from sending and receiving mail. The restriction ends when the user clears out the mailbox and the total mailbox size is under the limit. Use this option sparingly because users over this quota won’t be able to receive new mail; messages intended for them will be returned to the sender.

    • Warning Message Interval. Determines the time interval at which warning messages are sent. Select a specific time (Daily At Midnight, Daily At 1:00 A.M., or Daily At 2:00 A.M.) or use a custom schedule.

    • Keep Deleted Items For (Days). Enter the number of days to retain deleted items. If you set the retention period to 0, messages aren’t retained and can’t be recovered.

    • Do Not Permanently Delete Mailboxes And Items Until The Store Has Been Backed Up. Select this check box to ensure that deleted items are archived into at least one backup set.

      Figure 8-13. Set deleted item retention and storage limits using the Limits (Policy) tab.

    Tip

    You should set deleted mailbox retention through the properties of individual mailbox stores. This feature is invaluable to Exchange administrators because it enables users to recover deleted items without requiring an administrator to restore the Exchange database from tape. Because the restore and extraction process of Exchange data can be arduous, this is a setting that you should enable across the enterprise, based on your service-level agreement with the user community. In most cases, users will quickly realize it if they click Delete too soon on a piece of e-mail. Therefore, it’s common to set this interval to 2 weeks.

  8. Click OK to create the policy.

  9. Add items to the policy and then apply the policy, as discussed in the sections of this chapter entitled "Adding Items to a System Policy" and "Applying a System Policy."

Creating Public Store Policies

Public store policies set rules for storage limits, deleted item retention, replication, and maintenance of public stores in an Exchange organization. You can’t modify settings that are inherited from public store policies, and they appear disabled in the Public Store Properties dialog box.

You can create a public store policy by completing the following steps:

  1. Start System Manager. Under the Administrative Group node, click the plus sign (+) next to the administrative group you want to edit. Right-click the System Policies node, point to New, and then click Public Store Policy. If no System Policies node is listed, right-click the administrative group in which you want to create the policy, point to New, and then select System Policy Container.

  2. In the Policy Manager dialog box, select the property pages you want to use in the policy. The available options are General, Database, Replication, Limits, and Full-Text Indexing.

  3. When you click OK, you’ll see a Properties dialog box.

  4. Type a descriptive name for the policy.

  5. Use the General (Policy) tab to set default messaging options. The available options are as follows:

    • Clients Support S/MIME Signatures. Select this check box if mail clients use S/MIME.

    • Display Plain Text Messages In A Fixed-Sized Font. Select this option to convert the text of incoming Internet messages to a fixed-width font such as Courier.

  6. On the Database (Policy) tab, use Run Maintenance During This Time to select a maintenance schedule for the affected public stores. The available options are as follows:

    • Run Daily From 11:00 P.M. To 3:00 A.M.

    • Run Daily From Midnight To 4:00 A.M.

    • Run Daily From 1:00 A.M. To 5:00 A.M.

    • Run Daily From 2:00 A.M. To 6:00 A.M.

    • Use Custom Schedule

    Note

    If you want to set a custom schedule, choose Use Custom Schedule, and then click Customize. You can now set times when maintenance should occur.

  7. As shown in Figure 8-14, use the Limits (Policy) tab to set deleted item retention, storage limits, and folder aging. These settings are then enforced through the policy. The available options are the following:

    • Issue Warning At (KB). Sets the size, in kilobytes, of the data that a user can store in the public store before a warning is issued to the user. The warning tells the user to clean out the public store.

    • Prohibit Post At (KB). Sets the size, in kilobytes, that a folder can reach before no more posts can be added to it.

    • Maximum Item Size (KB). Sets the size, in kilobytes, of the largest message that can be posted to the folder.

    • Warning Message Interval. Determines when over-limit messages are sent. Select a specific time (Daily At Midnight, Daily At 1:00 A.M., or Daily At 2:00 A.M.) or use a custom schedule.

    • Keep Deleted Items For (Days). Enter the number of days to retain deleted items. If you set the retention period to 0, messages and files aren’t retained and can’t be recovered.

    • Do Not Permanently Delete Items Until The Store Has Been Backed Up. Select this check box to ensure that deleted items are archived into at least one backup set.

    • Age Limit For All Folders In This Store (Days). Sets the number of days items can remain in the public store. Items over the age limit are deleted.

      Figure 8-14. With public stores, you can manage deleted items, storage limits, and folder aging by using policies.

  8. As Figure 8-15 shows, you use the Replication (Policy) tab to set replication intervals and limits for public stores. The available options are as follows:

    • Replication Interval. Determines when changes to public folders are replicated. Select a specific time (Always Run, Run Every Hour, Run Every 2 Hours, Run Every 4 Hours, or Never Run) or use a custom schedule.

    • Replication Interval For Always (Minutes). Sets the interval, in minutes, used when you select Always Run as the replication option.

    • Replication Message Size Limit (KB). Sets the size limit, in kilobytes, for messages that are replicated. Messages over the size limit aren’t replicated.

      Figure 8-15. Set replication options using the Replication (Policy) tab.

  9. Click OK to create the policy.

  10. Add items to the policy and then apply the policy, as discussed in the sections of this chapter entitled "Adding Items to a System Policy" and "Applying a System Policy."
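The Limits (Policy) settings for mailbox stores (step 7 of the mailbox store procedure) and for public stores (step 7 above) interact: a warning threshold set at or above the prohibit threshold never fires first, a retention period of 0 makes deleted items unrecoverable, and a hard quota returns inbound mail to the sender. The following script is an added example, not code from the book or from Microsoft, that models those tab fields and flags such combinations before a policy is applied. The policy names, the sample values, and the 14-day retention floor (taken from the tip about a 2-week interval) are all constructed assumptions.

```python
"""Added example (not from the book): an audit of Limits (Policy) settings
for Exchange Server 2003 mailbox store and public store policies.

Field names mirror the dialog labels from the chapter; the policies below
are constructed sample values, not settings exported from a real server.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed retention floor, taken from the chapter's tip that two weeks is
# a common deleted-item retention interval.
MIN_RETENTION_DAYS = 14

Finding = Tuple[str, str]  # (code, human-readable message)


@dataclass
class StoreLimitsPolicy:
    """One system policy as entered on the Limits (Policy) tab."""
    name: str
    kind: str                                        # "mailbox" or "public"
    issue_warning_kb: Optional[int] = None           # Issue Warning At (KB)
    prohibit_kb: Optional[int] = None                # Prohibit Send At / Prohibit Post At (KB)
    prohibit_send_receive_kb: Optional[int] = None   # mailbox stores only
    max_item_size_kb: Optional[int] = None           # public stores only
    keep_deleted_days: int = 0                       # Keep Deleted Items For (Days)
    delete_only_after_backup: bool = False           # Do Not Permanently Delete ... Until Backed Up
    age_limit_days: Optional[int] = None             # public stores only


def audit_policy(p: StoreLimitsPolicy) -> List[Finding]:
    """Return findings that undercut recoverability or that never take effect."""
    findings: List[Finding] = []

    # Recoverability: retention of 0 makes deleted items unrecoverable without
    # a database restore; a short window defeats the point of the feature.
    if p.keep_deleted_days == 0:
        findings.append(("RETENTION_ZERO",
                         "Keep Deleted Items For is 0: deleted items cannot be recovered"))
    elif p.keep_deleted_days < MIN_RETENTION_DAYS:
        findings.append(("RETENTION_SHORT",
                         f"retention of {p.keep_deleted_days} days is below the "
                         f"{MIN_RETENTION_DAYS}-day floor"))
    if not p.delete_only_after_backup:
        findings.append(("NO_BACKUP_GUARD",
                         "items may be purged before they reach any backup set"))

    # Threshold ordering: warning < prohibit < prohibit send/receive. A stage
    # set at or above the next one never triggers first, so users are
    # blocked without ever being warned.
    stages = [("Issue Warning At", p.issue_warning_kb),
              ("Prohibit Send/Post At", p.prohibit_kb),
              ("Prohibit Send And Receive At", p.prohibit_send_receive_kb)]
    configured = [(label, kb) for label, kb in stages if kb is not None]
    for (lo_label, lo), (hi_label, hi) in zip(configured, configured[1:]):
        if lo >= hi:
            findings.append(("THRESHOLD_ORDER",
                             f"{lo_label} ({lo} KB) is not below {hi_label} ({hi} KB)"))

    # The hard quota bounces inbound mail; the chapter says to use it sparingly.
    if p.kind == "mailbox" and p.prohibit_send_receive_kb is not None:
        findings.append(("HARD_QUOTA_SET",
                         "Prohibit Send And Receive is set: mail to users over quota "
                         "is returned to sender, confirm this matches the SLA"))

    # Folder aging deletes items; with no retention they are gone for good.
    if p.kind == "public" and p.age_limit_days is not None and p.keep_deleted_days == 0:
        findings.append(("AGING_UNRECOVERABLE",
                         f"age limit of {p.age_limit_days} days purges items that "
                         "cannot be recovered because retention is 0"))
    return findings


# Constructed sample policies (hypothetical names and values).
SAMPLE_POLICIES = [
    StoreLimitsPolicy("Standard Mailbox Limits", "mailbox",
                      issue_warning_kb=50_000, prohibit_kb=60_000,
                      keep_deleted_days=14, delete_only_after_backup=True),
    StoreLimitsPolicy("Executive Mailbox Limits", "mailbox",
                      issue_warning_kb=100_000, prohibit_kb=90_000,
                      prohibit_send_receive_kb=120_000,
                      keep_deleted_days=0, delete_only_after_backup=False),
    StoreLimitsPolicy("Departmental Public Folders", "public",
                      issue_warning_kb=200_000, prohibit_kb=250_000,
                      max_item_size_kb=10_240, keep_deleted_days=7,
                      delete_only_after_backup=True, age_limit_days=90),
]


def audit_all(policies=SAMPLE_POLICIES) -> Dict[str, List[Finding]]:
    """Audit every policy and key the findings by policy name."""
    return {p.name: audit_policy(p) for p in policies}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

Run it as a script to see the findings per policy; the first sample policy passes cleanly, the second trips every mailbox-store check, and the public store policy is flagged only for its short retention window. The same checks can be run against values read out of System Manager before you click Apply Now.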

Implementing System Policies

Once you create system policies, you’ll need to add items and apply the policy to the Exchange organization. The following sections explain these procedures.

Adding Items to a System Policy

You can add items to a system policy by completing these steps:

  1. In System Manager, access the System Policies node under the organization or administrative group node.

  2. Right-click the policy you want to work with, and then choose Add Server, Add Public Store, or Add Mailbox Store as appropriate. This displays the Select Item To Place Under The Control Of This Policy dialog box.

  3. Select an item in the Name list box and then click Add. Repeat this step for each item you want to place under the control of the selected policy.

  4. Click OK. You’ll see a prompt asking you to confirm that you want to add the items to the policy. Click Yes.

  5. If one or more of the items are under the control of another policy, you’ll see individual prompts asking if you want to remove the object from the control of the other policy. Answer Yes to each prompt.

Removing Items from a System Policy

To remove items from a system policy, follow these steps:

  1. In System Manager, access the System Policies node under the organization or administrative group node, and then double-click the policy you want to work with.

  2. In the right pane, you should see a list of items under the control of the policy. Right-click the item you want to remove, point to All Tasks, and then choose Remove From Policy.

Applying a System Policy

You normally apply system policies during the maintenance cycle for a server or information store. However, you can apply policies immediately by completing the following steps:

  1. In System Manager, access the System Policies node under the specific administrative group node where you want to apply this policy.

  2. Right-click the policy you want to apply, and then choose Apply Now.

Modifying System Policies

When you make changes to system policies, you normally want these changes to be applied immediately. With this in mind, you should modify system policies by completing the following steps:

  1. In System Manager, access the System Policies node under the specific administrative group node where you want to edit this policy.

  2. Right-click the policy you want to work with and then choose Properties. Use the Properties dialog box to make changes to the policy.

  3. When you’re finished, click OK to close the dialog box.

  4. Right-click the policy, and then choose Apply Now to implement the changes.

Deleting System Policies

You can delete system policies by completing the following steps:

  1. In System Manager, access the System Policies node under the specific administrative group node from which you want to remove this policy.

  2. Right-click the policy you want to work with, and then choose Delete. Confirm the deletion by clicking Yes.

Instead of deleting a system policy, you might want to disable it by removing all the items that are under its control. If you ever need to reapply the policy, you can simply add items instead of re-creating the entire policy.
