Applying Managed Folder Policy to more than one user

by Bharat Suneja on May 16, 2007

Scenario: You have a Managed Folder Mailbox Policy called Policy-DeletedItems90Days. The policy has Managed Content Settings to permanently delete items in the Deleted Items folder after 90 days.

You can easily apply this Managed Folder Mailbox Policy to a single user using the Exchange console, as shown in Figure 1.

[Screenshot] Figure 1: Applying a Managed Folder Mailbox Policy to a user using the Exchange Management Console

A Managed Folder Mailbox Policy can also be applied to a mailbox using the following shell command:

Set-Mailbox "Foo User" -ManagedFolderMailboxPolicy "Policy-DeletedItems90Days"

How do we apply this to more than one user? By using the Get-Mailbox command to fetch a bunch of mailboxes — either all mailboxes in the Organization, or all mailboxes in a particular Organizational Unit (OU), or all (mailbox-enabled) users who are members of a particular distribution group, or by filtering mailboxes based on other user parameters. The mailboxes returned can then be piped to the Set-Mailbox command.

To apply a Managed Folder Mailbox Policy to all (mailbox-enabled) users, we need to get a list of all mailboxes, and pipe it to the Set-Mailbox command:

Get-Mailbox -ResultSize unlimited | Set-Mailbox -ManagedFolderMailboxPolicy "Policy-DeletedItems90Days"

To apply the policy to all mailboxes in a particular OU, e.g. an OU called Sales, we restrict our Get-Mailbox query to the Sales OU:

Get-Mailbox -OrganizationalUnit "Sales" -ResultSize unlimited | Set-Mailbox -ManagedFolderMailboxPolicy "Policy-DeletedItems90Days"

Apply a Managed Folder policy to members of a Distribution Group

When applying the policy to members of a Distribution Group, remember that Distribution Group members can include recipient types other than mailbox-enabled users (e.g. mail-enabled users, Contacts, other Distribution Groups, Public Folders, etc.) which can't have a Managed Folder Mailbox Policy applied. To apply the policy to all mailbox users who are members of a Distribution Group called DL-Sales, we will need to get the members of the Distribution Group using the Get-DistributionGroupMember command, filter the result to get only mailbox-enabled users, and pipe it to the Set-Mailbox command:

Get-DistributionGroupMember "DL-Sales" -ResultSize unlimited | where {$_.RecipientType -eq "UserMailbox"} | Set-Mailbox -ManagedFolderMailboxPolicy "Policy-DeletedItems90Days"

One logical question after the last example — can I do this with Security Groups (that are not mail-enabled) instead? You cannot get the group membership of a Security Group as easily as you can get the members of a Distribution Group. Unfortunately, Exchange Shell does not have any equivalent of the ADSI provider. (You can search the web for shell scripts to enumerate security group members – Bharat)
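One way to do it, as an added example that is not part of the original post: query Active Directory directly with the .NET DirectorySearcher that PowerShell exposes through the [ADSI] type accelerator, then hand each member to Get-Mailbox so that only mailbox-enabled users reach Set-Mailbox. The group DN, search root and policy name are placeholders, and only direct members are returned (nested groups are not expanded).

```powershell
# Added example (not from the original post): apply a Managed Folder Mailbox
# Policy to the mailbox-enabled members of a security group that is not
# mail-enabled, so Get-DistributionGroupMember cannot be used.
# Assumptions: $groupDN and the search root are placeholders for your forest;
# only direct members are returned (nested groups are not expanded).
$groupDN    = "CN=SG-Sales,OU=Groups,DC=example,DC=com"   # placeholder
$policyName = "Policy-DeletedItems90Days"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://DC=example,DC=com"   # placeholder
# Only user objects that list the group in memberOf
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(memberOf=$groupDN))"
$searcher.PageSize = 1000   # paged search, so large groups are not truncated
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

foreach ($result in $searcher.FindAll()) {
    $dn = $result.Properties["distinguishedname"][0]

    # Get-Mailbox returns nothing for members that are not mailbox-enabled
    # (mail-enabled users, plain AD accounts), which is the filtering step
    # the Distribution Group example did with RecipientType.
    $mbx = Get-Mailbox -Identity $dn -ErrorAction SilentlyContinue
    if ($mbx -eq $null) {
        Write-Host "Skipping (no mailbox): $dn"
        continue
    }

    # Same switches as the bulk examples: suppress both confirmation prompts
    $mbx | Set-Mailbox -ManagedFolderMailboxPolicy $policyName `
        -ManagedFolderMailboxPolicyAllowed -Confirm:$false
    Write-Host "Applied $policyName to $($mbx.Alias)"
}
```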

Avoid the confirmation prompts when applying a Managed Folder policy

When applying a Managed Folder Mailbox Policy, you run into two prompts. The first one is the default confirmation prompt produced by Set-Mailbox. This is the cmdlet saying, "Hey, something changed! Are you sure you want to do this?", and prompting you for a confirmation as shown below:

Confirm
Are you sure you want to perform this action?
Setting mailbox "exchangepedia.com/People/foo user1".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):

You can avoid it by simply using -Confirm:$false in the command.

Next, you will run into the confirmation prompt produced when applying a Managed Folder Mailbox Policy. This is the cmdlet realizing, “Hey, this one’s a serious change — you’re applying a MF policy! Are you really, really sure? And btw, it’d be a good idea to block legacy Outlook clients!”. The resulting prompt is shown below:

Confirm
When assigning a managed folder mailbox policy with managed custom folders to the mailbox "exchangepedia.com/People/foo user1", Outlook clients older than Outlook 2007 do not have all available client features and clients older than Outlook 2003 SP2 are not supported. You may use the "Set-CASMailbox" task to enable client version blocking. Are you sure you want to assign a managed folder mailbox policy to this mailbox?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):

To override this prompt, you’ll need to use the ManagedFolderMailboxPolicyAllowed switch. The command from the above example will thus look like this:

Get-Mailbox -ResultSize unlimited | Set-Mailbox -ManagedFolderMailboxPolicy "Policy-DeletedItems90Days" -ManagedFolderMailboxPolicyAllowed -Confirm:$false

A default Managed Folder policy for new users

A related frequently asked question — Can you have a default Managed Folder Mailbox Policy that’s applied to new mailboxes automatically? There’s no built-in way to specify a policy as the default policy for all users or new users at the time of account creation. However, you can use the Windows Scheduler to schedule a script or command to run on a schedule and apply the required policy to users. For example:

Get-Mailbox -ResultSize Unlimited -Filter {ManagedFolderMailboxPolicy -eq $null} | Set-Mailbox -ManagedFolderMailboxPolicy MyPolicyName -ManagedFolderMailboxPolicyAllowed -Confirm:$false
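A script body for that scheduled task, as an added example that is not part of the original post: it loads the Exchange 2007 snap-in (a scheduled task starts plain PowerShell, not the Exchange Management Shell), refuses to run if the policy name is wrong, applies the policy only to mailboxes that have none, and logs each change to a CSV file so the assignment stays reportable. The policy name and log path are placeholders; the -WhatIf switch is passed through to Set-Mailbox for a dry run.

```powershell
# Added example (not from the original post): unattended script that applies a
# default Managed Folder Mailbox Policy to every mailbox that has none.
# Assumptions: $PolicyName and $LogPath are placeholders; written for the
# PowerShell 1.0 shell that Exchange 2007 ships with.
param(
    [string]$PolicyName = "Policy-DeletedItems90Days",          # placeholder
    [string]$LogPath    = "C:\Scripts\Logs\ApplyMFPolicy.csv",  # placeholder
    [switch]$WhatIf
)

# Task Scheduler launches powershell.exe, so load the Exchange snap-in ourselves.
$snapin = "Microsoft.Exchange.Management.PowerShell.Admin"
if ((Get-PSSnapin -Name $snapin -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin $snapin
}

# Fail before touching any mailbox if the policy does not exist (typo guard).
$policy = Get-ManagedFolderMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if ($policy -eq $null) { throw "Managed Folder Mailbox Policy '$PolicyName' not found" }

# Only mailboxes with no policy yet; mailboxes that were deliberately given a
# different policy are left alone.
$unassigned = Get-Mailbox -ResultSize Unlimited -Filter { ManagedFolderMailboxPolicy -eq $null }

foreach ($mbx in $unassigned) {
    # -ManagedFolderMailboxPolicyAllowed suppresses the legacy-Outlook prompt and
    # -Confirm:$false the generic one; either would hang an unattended run.
    $mbx | Set-Mailbox -ManagedFolderMailboxPolicy $PolicyName `
        -ManagedFolderMailboxPolicyAllowed -Confirm:$false -WhatIf:$WhatIf

    if (-not $WhatIf) {
        # One CSV line per change: timestamp, mailbox alias, policy applied
        $line = '"{0}","{1}","{2}"' -f (Get-Date).ToString("s"), $mbx.Alias, $PolicyName
        Add-Content -Path $LogPath -Value $line
    }
}
```

Run it first with -WhatIf to see which mailboxes would be changed; schedule it with a command such as powershell.exe -Command "& 'C:\Scripts\Apply-DefaultMFPolicy.ps1'" under an account that holds Exchange Recipient Administrator rights.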

Why not use LDAP filters?

That’s fine, you say, but you really liked the Exchange 2003 way of applying a Recipient Policy, using LDAP filters. It allowed you to use pretty much any attribute you chose to filter on. In Exchange 2007, there’s no built-in way of using LDAP filters to apply a policy.

Having said that, it’s not such a great idea to apply message retention policies based on an LDAP filter, or at least not in a manner similar to Exchange 2003. For instance, if you’re using a particular attribute to filter on, such as department, or group membership, simply changing the attribute or group membership could change when and how a mailbox user’s messages are retained or purged. If you have multiple overlapping Recipient Policies, at times it’s difficult to determine which policy is applicable to a user.

Exchange 2007 offers a simpler and deterministic behavior by making the policy a user attribute. A policy explicitly associated with a user allows you to instantly determine which policy applies, with no ambiguity. It's also auditable and reportable.

The automation is provided by PowerShell. Of course, you can simulate Exchange 2003’s Recipient Policy behavior by using an OPATH filter with the Get-Mailbox cmdlet. (However, if you still need to use an LDAP filter, Nick Smith shows you how in Applying Managed Folder Mailbox Policies via LDAP Filters).
