One-liner to export mailbox size, quotas and more to a CSV file

I got a question form a friend if I could help and sort out a command that exported mailbox size and quotas to a CSV file  for him. This should work for both Exchange Server 2007 and 2010, here is how we did it:

First run a get mailbox command:

Get-Mailbox -ResultSize Unlimited

Then we add a pipe and a number of attributes we want to get:

Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName, IssueWarningQuota, ProhibitSendQuota

We continue with adding two that performs Get-MailboxStatistics to receive attributes from the mailbox that the Get-Mailbox Cmdlet does not give us:

@{label=”TotalItemSize(MB)”;expression={(Get-MailboxStatistics $_).TotalItemSize.Value.ToMB()}} and @{label=”ItemCount”;expression={(Get-MailboxStatistics $_).ItemCount}}

Then we add another attribute that Get-Mailbox gives us:


And to finish it off we export the results to a CSV file after another pipe:

| Export-Csv “UserMailboxSizes.csv” –NoTypeInformation

And the complete command again with all parts combined together:

Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName, IssueWarningQuota, ProhibitSendQuota, @{label="TotalItemSize(MB)";expression={(Get-MailboxStatistics $_).TotalItemSize.Value.ToMB()}}, @{label="ItemCount";expression={(Get-MailboxStatistics $_).ItemCount}}, Database | Export-Csv "C:\Scripts\UserMailboxSizes.csv" -NoTypeInformation

This command can of course be modified and you can add other attributes or functions. In the following example I use where to get only the mailboxes that does not use the database default quota.

Where {$_.UseDatabaseQuotaDefaults -eq $false

And the complete command:

Get-Mailbox -ResultSize Unlimited | Where {$_.UseDatabaseQuotaDefaults -eq $false} | Select-Object DisplayName, IssueWarningQuota, ProhibitSendQuota, @{label="TotalItemSize(MB)";expression={(Get-MailboxStatistics $_).TotalItemSize.Value.ToMB()}}, @{label="ItemCount";expression={(Get-MailboxStatistics $_).ItemCount}}, Database | Export-Csv "C:\Scripts\UserMailboxSizes.csv" -NoTypeInformation

There you go, enjoy and do not hesitate to let me know if you have any questions!


A fix for the “Close all dialogs” issue with EMC in combination with IE9 has been released!

I usually do not write about news or hotfix releases on my blog, mostly because I find it a bit unnecessary since you all probably follow the Microsoft Exchange Team Blog. But for this one I will make an exception.

Microsoft just released a fix for the problem with interoperability between Exchange Management Console and Internet Explorer 9 that many has seen since the release of IE9. When IE9 is installed and you try to close the EMC you will receive the following error message:

You must close all dialog boxes before you can close Exchange Management Console.


Neither the hotfix or the KB article is available to the public yet, but it can be requested from Microsoft support. The hotfix that you need to request is for the KB 2624899, more information on how to contact Microsoft Support follows…


How do I call support? Will I need to pay for this?

In order to reach Microsoft support, you can find the correct support contact for your location here. Microsoft does not charge for hotfixes or support cases related to product bugs. Both IE and Exchange support teams should be able to get this patch for you. 


More information regarding this can be found here!

Script to configure Exchange Server 2010 for SSLOffloading

When using a hardware load balancer you sometimes come across the need of configuring Exchange Server to support SSLOffloading. In my case I use a Citrix Netscaler to publish Exchange Server in a scenario where I have enabled SSLOffloading in the Citrix Netscaler. So, in order for this to work configuration changes needs to be done in Exchange Server 2010.

The script below configures both Exchange 2010 RTM and SP1, it also configures basic authentication in IIS for ECP, EWS and OWA.

# This script will configure the Exchange 2010 RTM and SP1 Client Access Servers for SSLOffload
# It applies when using Hardware loadBalancer with SSLOffloading enabled
# Created by Martin Sundström 2011-09-26
Write-Host -f DarkGray "This script will configure the Exchange 2010 RTM and SP1 Client Access Servers for SSLOffload"

# Set SSLOffload registry key for OWA 
Write-Host -f DarkGray -f DarkGray "Setting SSLOffload registry key for OWA..."

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD 

Write-Host -f DarkGray -f DarkGray "Done!"
Write-Host -f DarkGray -f DarkGray ""

# Assign Static Ports"
Write-Host -f DarkGray "Assigning static ports..."

# Assign Static Port for MSExchangeAB 
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB -Name Parameters -Type Directory
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters -Name RpcTcpPort -Value 60000 -PropertyType String 

# Assign Static Port for MSExchangeRPC 
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC -Name ParametersSystem -Type Directory
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem -Name "TCP/IP Port" -PropertyType DWORD -Value 59532

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""

# Disable RequireSSL on websites
Write-Host -f DarkGray "Disabling RequireSSL on websites..."

."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site" -commitPath:APPHOST -section:access -sslFlags:None -section:basicAuthentication -enabled:true
."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/Autodiscover" -commitPath:APPHOST -section:access -sslFlags:None 
."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/ecp" -commitPath:APPHOST -section:access -sslFlags:None -section:basicAuthentication -enabled:true
."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/EWS" -commitPath:APPHOST -section:access -sslFlags:None -section:basicAuthentication -enabled:true
."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/Microsoft-Server-ActiveSync" -commitPath:APPHOST -section:access -sslFlags:None 
."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/owa" -commitPath:APPHOST -section:access -sslFlags:None -section:basicAuthentication -enabled:true
."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/rpc" -commitPath:APPHOST -section:access -sslFlags:None 

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""

# Configure Outlook Anywhere
Write-Host -f DarkGray "Configure Outlook Anywhere"

$enabled = Get-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC*" 
If ($enabled) 
	Set-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC*" -SSLOffloading $true
	Write-Host -f DarkGray "Configure Outlook Anywhere and remember to check the box to enable SSL Offloading"

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""

# This part of the script only applies to Exchange Server 2010 RTM, a version check will be made:
$VersionCheck = ((get-exchangeserver -identity ($env:COMPUTERNAME)).AdminDisplayVersion | Out-String ).StartsWith("Version 14.1")

If ($VersionCheck = $False)
	# Configure web.config files
	Write-Host -f DarkGray "Configuring web.config files for RTM..."

	$path = (Get-AutodiscoverVirtualDirectory -Server ($env:COMPUTERNAME)).Path
	(Get-Content $path\web.config) | Foreach-Object {$_ -replace "httpsTransport", "httpTransport"}  | Set-Content $path\web.config
	$path = (Get-WebServicesVirtualDirectory -Server ($env:COMPUTERNAME)).Path 
	(Get-Content $path\web.config) | Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config  

	Write-Host -f DarkGray "Done!"
	Write-Host -f DarkGray ""

# Run IISReset
Write-Host -f DarkGray "Running `"iisreset`" to complete the process..."


Write-Host -f DarkGray ""

Feel free to use and edit as you need and don’t hesitate to drop a comment if you find any errors or have any questions!

Configure Lync 2010 voice using a SIP gateway and an uncertified SIP trunk, step-by-step – Part 1

I got an idea the other day, I want to set up a Lync Server 2010 server and implement voice capabilities using a ordinary uncertified SIP trunk. this will hopefully give some of you out there an idea of what needs to be done for this to work without the need of an expensive certified trunk.

For the test I will use a ordinary consumer grade SIP trunk from the Swedish provider Cellip. Since the point is not to use a Lync certified enterprise SIP trunk I need something to handle the incoming trunk and then transfer it to Lync Server 2010.

I got a tip from Cellip that an Intertex IX78 is what I need. This product was actually something that I had never heard of, but I contacted Intertex and they where kind enough to provide me with a unit that I could use for my test.

Action plan

I already have a Lync Server 2010 deployed in my environment without phone configuration so I will exclude the Lync Server 2010 installation from this guide, more information on this in a step-by-step format can be found here.

  1. SIP enable users
  2. Configure the Intertex IX78 to handle the incoming SIP trunk and forward it to Lync Server 2010
  3. Configure Lync Server 2010 to receive incoming and outgoing calls

The Intertex IX78

First, I will start by giving you some information about the Intertex IX78 which I have found is a very useful piece of equipment. I have never had the privilege to work with it before but while performing this test I have got the opportunity to test it. The IX78 can actually do a lot of things and much more then what I have used it for, for example, it has a built-in advanced ADSL modem, supports wireless 802.11b/g, and provides back-up PSTN connectivity for emergency call handling. It is also the only firewalls in their market segment that I have heard of that fully addresses real-time, SIP-based Multimedia applications on the LAN.

But I will focus a bit more on the SIP functions of the IX78. One of the best functions that I have tested is the LAN SIParator module. This module enables one to add the IX78 while keeping an existing firewall that is thereby made SIP capable. This is great in production environment since it requires minimal changes in the existing firewall configuration. Let me explain this a bit more by showing you the setup I am using for this lab.

To start with, I am using a ADLS internet connection provided by Telia Sonera AB, one of Sweden’s largest ISPs. To connect to this I use a standard Zyxel ADSL modem, and it is quite old to be honest. Then, I have the Intertex IX78 running as a LAN SIParator with one leg on the internal network for connection to the Lync 2010 server and one leg connected to a Microsoft Threat Management Gateway (TMG) 2010 that I use as the primary firewall.


When using the LAN SIParator module I do not have to make any changes to my TMG which is very good. You might think that running this setup could cause disruption to the traffic passing through the IX78, but so far I have hade no trouble at all and have seen no loss in bandwidth or quality. It is absolutely doing its job and doing it great.

I am not going to make this a review of the IX78 but I would absolutely recommend it to anyone who thinks about implementing a solution similar to this. More information regarding the Intertex IX78 can be found on the Intertex homepage here.



To be able to perform this test I needed someone to provide me with a trunk. Because they where recommended to me from at least two friends the choice fell on Cellip. Cellip is one of Sweden’s largest providers of communications solutions based on both mobile and PSTN to both companies and private persons.

I contacted Cellip as well and they set me up with an account with plenty of credit, a big thank you to Cellip for making the effort of helping me with this project. I am not going to walk you through the process of setting up a Cellip account since that is very easily done. If you need any assistance the excellent support will guide you through it. I have contacted them a couple of times during this project and they have been most helpful. You can find more information regarding Cellip on their homepage here.


SIP Enable a User

First I will start with SIP enabling a user that we will use for this test. I have created the user Test User1 for this test with the following configuration:

First name: Test
Last name: User1
User name: test.user1
SIP address: test.user1@sundis.local
Telephone number: 335

To SIP enable a user you need to open the Lync Server 2010 Control Panel. And then navigate to the Voice tab.


Click on Enable User to open the New Lync Server User window.


Click on Add to find the user you want to enable.


Enter the name of the user and click Find, or simply click Find to list all available users. Select the user you want to add and then click OK.


You will see that the user we selected now is listed in the Users box. Choose to assign your user to a pool, in my case I have only got one. You also need to make sure that the correct SIP URI is selected, I use an internal address for my SIP URI and specify it accordingly. Under Telephony, choose Enterprise Voice in the dropdown menu and enter the internal extension number that you want to use, make sure that you prefix the number with TEL:. We will keep the rest of the settings as default, click Enable to finish.


The user we just enabled now shows up in the list.


That is all we have to do to enable our user for voice, now we will take a look a the Intertex IX78.

Configuring the Intertex IX78

We want to configure the IX78 to run in WAN SIParator 1 mode to match the previously described scenario, we also need to configure SIP Trunk settings and network settings. To help us with this configure the IX78, Intertex has implemented a very good wizard in the IX78.

Note: Before proceeding, please contact Intertex and make sure that you have a firmware that fully supports the use of WAN SIParator 1 mode.

After you log on you are met by the home page of the IX78, it gives us the top menu which includes quick links to all topics and you also have a number of different links on the home page.

To get started with the Configuration wizard, navigate back to the home page and click on the Configuration Wizard link.

ix7805On The first page of the Configuration Wizard tells us we need to log in. The user name and password you need is provided by Intertex and is a way of controlling the licenses that you need to be able to use the different functions that the IX78 includes. If you don’t have a username and password please contact Intertex and they will get you settled.

To continue, click on Log In  next to The PBX Wizard.


Enter the username and password you provided to you by Intertex and click on Log In to continue.


In this step you need to choose the PBX you are using, in our case it is Lync 2010. Choose Microsoft OCS 2007/Lync 2010 and click Next to continue.


Under Select your Internet access, select the following settings to configure the Cellip trunk. Change these settings to match the information needed for your provider.

Trunk Service: Service 1 – No accounts need to be registered
SIP Server:

Under Select your firewall configuration, select Use the E-SBC as WAN SIParator® 1, connecting the existing firewall to the ET4 port of the E-SBC and sharing a single WAN IP-address and click Next to continue.


Now you have the option to configure your network settings, if you did not do it before starting the guide change the settings to match you environment. If you already have configured networking for your device like me, check Keep current settings. and then click next to continue.


More network settings, change the IP-address if you need to, click next to continue when ready.ix7811

In the next step it is time to enter the IP-address for your PBX, in other words, your Microsoft Lync 2010 Server. In my case it is, enter the IP-address for your server and then click next  to continue.


In my case I only have one number from Cellip so I do not have to worry about Called-ID. Check the option matching your requirements and then click next to continue.


Since we use internal extensions in Lync we will configure the IX78 to forward calls using internal extensions, choose The PBX uses internal extension numbers on its SIP trunk. then enter your external number assigned to you by your trunk provider and the internal extension matching that number.When finished, click next to continue.


We will not configure any optional phones, click next to continue.


You can skip the next page to, click next to continue.


the last page before completing this wizard is a summary showing you the settings you have made. Take a moment to go through the settings and click Download when finished. This configures the device, if you press Exit you will quit the Wizard discarding all changes.


When the Wizard closes, navigate to the start page of your IX78 and open the SIP Trunk page.


Now we need to go through the SIP Trunk settings. Go through all of these blocks and make sure that your settings matches the ones I have in this example except for phone numbers and IP-addresses.




Now your IX78 should be all set and this concludes part one in this series. In post two we look at the Lync configuration.

Part 1 in this series can be found here!

Part 2 in this series can be found here!

Exchange Server Version Numbers

A list of all versions of Exchange server released so far including version numbers.

Friendly name Version number
Microsoft Exchange Server  4.0 4.0.837
Microsoft Exchange Server  4.0 (a) 4.0.993
Microsoft Exchange Server  4.0 SP1 4.0.838
Microsoft Exchange Server  4.0 SP2 4.0.993
Microsoft Exchange Server 4.0 SP3 4.0.994
Microsoft Exchange Server 4.0 SP4 4.0.995
Microsoft Exchange Server 4.0 SP5 4.0.996
Microsoft Exchange Server 5.0 5.0.1457
Microsoft Exchange Server 5.0 SP1 5.0.1458
Microsoft Exchange Server 5.0 SP2 5.0.1460
Microsoft Exchange Server 5.5 5.5.1960
Microsoft Exchange Server 5.5 SP1 5.5.2232
Microsoft Exchange Server 5.5 SP2 5.5.2448
Microsoft Exchange Server 5.5 SP3 5.5.2650
Microsoft Exchange Server 5.5 SP4 5.5.2653
Microsoft Exchange 2000 Server 6.0.4417
Microsoft Exchange 2000 Server (a) 6.0.4417
Microsoft Exchange 2000 Server SP1 6.0.4712
Microsoft Exchange 2000 Server SP2 6.0.5762
Microsoft Exchange 2000 Server SP3 6.0.6249
Microsoft Exchange 2000 Server post-SP3 6.0.6487
Microsoft Exchange 2000 Server post-SP3 6.0.6556
Microsoft Exchange 2000 Server post-SP3 6.0.6603
Microsoft Exchange 2000 Server post-SP3 6.0.6620.5
Microsoft Exchange 2000 Server post-SP3 6.0.6620.7
Microsoft Exchange Server 2003 6.5.6944
Microsoft Exchange Server 2003 SP1 6.5.7226
Microsoft Exchange Server 2003 SP2 6.5.7638
Microsoft Exchange Server 2003 post-SP2 6.5.7653.33
Microsoft Exchange Server 2003 post-SP2 6.5.7654.4
Microsoft Exchange Server 2007 8.0.685.24 or 8.0.685.25
Microsoft Exchange Server 2007 SP1 8.1.0240.006
Microsoft Exchange Server 2007 SP2 8.2.0176.002
Microsoft Exchange Server 2007 SP3 8.3.0083.006
Microsoft Exchange Server 2010 14.00.0639.021
Microsoft Exchange Server 2010 SP1 14.01.0218.015

Manage full access permissions on mailboxes in Exchange 2010

This is the updated version with a few additions and corrections based on both comments and new features added by Microsoft since my first post.

Grant permissions on a single mailbox

Use the following command to grant access to just one mailbox:

Add-MailboxPermission -Identity "" -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Note: the User parameter can in fact be either users or groups, the parameter name “User” is a bit misleading!


Add-MailboxPermission -Identity "Test" -User Administrator -AccessRights Fullaccess -InheritanceType all


Or If I want to add the security Group Group2:

Add-MailboxPermission -Identity "Test" -User Group2 -AccessRights Fullaccess -InheritanceType all


Grant permissions on all mailboxes

Use the following command to grant access to all mailboxes:

Get-Mailbox | Add-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all


Get-Mailbox | Add-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all

Note: In the screenshot below I received a message saying that Administrator already have access to the mailbox Test (Yellow text message).


Grant permissions on mailboxes using Where

We might as well add a where to the command while we are at it. With this command we grant access to all mailboxes in a specific OU:

Get-Mailbox | Where { $_.OrganizationalUnit -eq “” } | Add-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all


Get-Mailbox | Where { $_.OrganizationalUnit -eq “sundis.local/Test/Users” } | Add-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all



Remove permissions on a single mailbox

Quite simple, just change Add to Remove:

Remove-MailboxPermission -Identity "" -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all


Remove-MailboxPermission -Identity "Test" -User Administrator -AccessRights Fullaccess -InheritanceType all


Remove permissions on all mailboxes

Well you have probably figured this one out already, but I will show it to you anyway:

Get-Mailbox | Remove-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all


Get-Mailbox | Remove-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all

Note: As you can se below, using this command will remove the users full access to its own mailbox. That is not good, this command should be used with care…


How to configure the rights assignment to apply on new mailboxes automatically

This can be done using one of three methods, you can add permissions using EMS or ADSIEdit.

Using EMS method 1 (recommended)

With this method we grant permissions on the databases container in the configuration Naming context using the following PowerShell command:

Add-AdPermission -Identity “CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DomainName>,DC=<TopDomain>” -User <UserorGroupIdentity> -InheritedObjectType msExchPrivateMDB -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As -inheritanceType Descendents

If we brake this up a bit we can se that the Identity is in fact the Distinguished Name of the Databases container:

“CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DomainName>,DC=<TopDomain>”

The InheritedObjectType parameter specifies what kind of object inherits this access control entry, in this case it is only Exchange Mailbox Databases:

-InheritedObjectType msExchPrivateMDB

Then we grant Receive-As permissions. Granting Receive As and  Send As permission to a mailbox database, the user can log on to all mailboxes within that database, and send mail from those mailboxes:

-AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

And finally we set the inheritance type to Descendents:

-inheritanceType Descendents


Add-AdPermission -Identity “CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=sundis,DC=local” -User test8 -InheritedObjectType msExchPrivateMDB -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As
 -inheritanceType Descendents



Using EMS method 2

With method two we use a pipe to set the permission on each mailbox database with the following command:

Get-Mailboxdatabase | Add-ADPermission -User <UserorGroupIdentity> -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As


Get-Mailboxdatabase | Add-ADPermission -User test3 -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As


Granting Receive As and Send As permission to a mailbox database, the user can log on to all mailboxes within that database, and send mail from those mailboxes.

Using ADSIEdit

There are also the ADSIEdit way of addressing the problem. I will give you a description on what you need to do but I STRONGLY recommend you to have a look at Michaels post instead. That said, here you go…

Open ADSIEdit, Right click ADSIEdit and choose Connect to.


Select the Configuration Naming Context and click Ok

Navigate to Configuration/Services/Microsoft Exchange/<OrganisationName>/Administrative Groups/Exchange Administrative Group (FYDIBOHF23SPDLT).


Right Click the Databases folder and choose Properties.


Click on the Security tab and click Add.


Enter the users or groups that you want to add and then click Ok.


Make sure that the added users or groups is selected, check the Allow box for Full control for each user or group, then click Ok to close the window and now we are finished with ADSIEdit.


This adds permissions to all databases. If you want to edit the permissions for a specific database you can open the Databases folder and open Properties for the database you want to configure.

A final note: Full Access or Receive As permissions are granted next time the Microsoft Exchange Information Store service caches the permissions and updates the cache. To grant the permissions immediately, stop and then restart the Microsoft Exchange Information Store service.

Thanks for reading, I hope that you found it useful and please let me know if you have any questions!

What’s this RBAC in Exchange Server 2010 anyway? – Part 3

I am sorry to realize that It has been ages since my last post. There has just been a lot of other things that needed my attention. But now I am back and I will start with this last post in my series of posts about Role Based Access Control. In this post I will focus on different examples. If you have another example you would presented here please let me know. And if you find an error of any sort or have any questions or thoughts about it please do not hesitate to drop a comment or contact me.


Scenario 1 – Adding users to role groups

We will start with a simple scenario where we want to add two users to different role groups, Help Desk and Organization Management. We will use both ECP and EMS and we will start with EMS.

Example 1 – Adding the user Test8 to the Help Desk role group using EMS

This is done using a simple one-liner:
Add-RoleGroupMember <role group name> -Member <member>

Add-RoleGroupMember “Help Desk” -Member Test8


To list all members of the Help Desk group use the following command:
Get-RoleGroupMember “Help Desk”


Example 2 – Adding the user Test8 to the Help Desk role group using ECP

Using the ECP involves several more steps then using the EMS one-liner. I will start with showing you where you can find the Organizational settings in ECP. In Outlook Web App choose Options and then See All Options.


In ECP, click on Manage Myself and choose My Organization.


To view the Role Groups click on Roles & Auditing.


In the work pane you will see a list of all Role Groups including Help Desk that we are looking for. Double-click Help Desk or select Help Desk and click Details to open the details window.


To add a new member to the Role Group, click Add in the Members section.


Select the users, USGs, or other role groups you want to add to the role group, and then click OK.


Click Save to save the changes to the role group.


It is strongly recommended to use the built-in Role Groups as far as possible and only add own Role Groups if it is absolutely necessary.


Scenario 2 – Create a new role group

Next we will create two new role groups, on with a custom scope and one with a OU scope.

Example 1 – New role group with custom scope

For this example we will use the ECP to create the new role group. I will not explain the initial steps for ECP, you can find more information on that under Scenario 1 – Example 2.

Before we can create the group we will have to create the custom scope. This can only be done using EMS. In the following example we will create a scope with a filter to include all users in the department Sales.

New-ManagementScope -Name "Mailboxes in department IT" -RecipientRestrictionFilter {Department -Eq "IT"}


More information about management role scope filters syntax can be found here:

When we have the management scope in place we can move on to create the role group. Navigate to the Administrator Roles tab, Role Groups, click New.


Enter a name and description for the new role group and for Write Scope choose our newly created management scope Mailboxes in department Sales.


To add a management role for the role group click Add under Roles. In the new window add the roles by selecting them ad click add, click Ok when finished.


To add members to this role group click Add under Members. In the new windows add the groups and mailboxes by selecting them and click add, click Ok when finished.


Review the settings and click Ok when finished.


In this example we created a new role group that affects all mailboxes in the department Sales. We added the user Test and the management roles Mailbox Recipients which enables the user to manage existing mailboxes, mail users, and mail contacts.

Example 2 – New role group with OU scope

For this example we will use the EMS to create the new role group based on an OU scope. Start by opening Exchange Management Shell, and then have a look at the following command:

New-RoleGroup -Name <role group name> -Roles <roles to assign> -RecipientOrganizationalUnitScope <OU name>

Let us create a new group and add the role Mail Recipients Role for the OU IT Support:

New-RoleGroup -Name "Mailboxes in OU IT Support" -Roles "Mail Recipients" -RecipientOrganizationalUnitScope "IT Support"




Scenario 3 – Remove a role group

There will probably be a time where you would want to remove a role group for some reason.

Example 1 – Remove a role group using EMS

I will show you how to do this using Exchange Management Shell. Use the following command:

Remove-RoleGroup –Identity <RoleGroupIdentity>

In the example we remove the role group we created in Scenario 2 – Example 2:

Remove-RoleGroup "Mailboxes in OU IT Support"




Scenario 4 – Working with assignment policies to enable users to manage their own mailboxes and properties

In this scenario we will create a new assignment policy and add a role to the policy to enable users to manage information related to their own mailboxes.

Example 1 – New assignment policy using ECP

First we will create a new assignment policy, in Outlook Web App choose Options and then See All Options.


In ECP, click on Manage Myself and choose My Organization.


To view the Assignment Policies click on Roles & Auditing and then User Roles. Click on New to start creating a new policy.


Start with entering a name for the assignment policy, Profile information for my example.


We are going to add roles to control Profile information for the user. Check MyProfileInformation, this will also check the roles MyDisplayName and MyName.


Also make sure that you check MyBaseOptions, this enables the users to use ECP.


More information on built in management roles can be found here:

Click on Save to create the assignment policy.


Example 2 – Change the Assignment Policy on a Mailbox

The next step in this scenario is to change the assignment policy on a mailbox. Open EMC and navigate to Recipient Configuration and Mailbox. Right click on the mailbox you want to change and choose properties.

Click on the tab Mailbox Settings, select Role Assignment Policy and click properties.


Click on Browse, this opens a new dialog window.


Select the Assignment Policy you want to change to and then click Ok.


Check that the correct Assignment Policy is listed and then click Ok.


Click Ok to close the mailbox properties window. You now have the correct Assignment Policy applied on the mailbox and this should have immediate effect on the mailbox.

That is all for this time, I hope that you find the examples useful and if you have any ideas on other examples you would like me to include in this post just let me know. And as usual, if you find any errors or have any further questions do not hesitate to post a comment. Thanks for reading!

Part 1 in this series can be found here!

Part 2 in this series can be found here!

Part 3 in this series can be found here!