You can easily apply this Managed Folder Mailbox Policy to a single user using the Exchange console.
A Managed Folder Mailbox Policy can also be applied to a mailbox using the following shell command:
Set-Mailbox "Foo User" -ManagedFolderMailboxPolicy "Policy-DeletedItems90Days"
How do we apply this to more than one user? By using the Get-Mailbox command to fetch a set of mailboxes: all mailboxes in the Org, all mailboxes in a particular Organizational Unit (OU), all (mailbox-enabled) users who are members of a particular distribution group, or mailboxes selected by other user parameters. The result can then be piped into the Set-Mailbox command.
To apply a Managed Folder Mailbox Policy to all (mailbox-enabled) users, we need to get a list of all mailboxes, and pipe it to the Set-Mailbox command:
Get-Mailbox -ResultSize unlimited | Set-Mailbox -ManagedFolderMailboxPolicy "Policy-DeletedItems90Days"
To apply the policy to all mailboxes in a particular OU, e.g. an OU called Sales, we restrict our Get-Mailbox query to that OU:
Get-Mailbox -OrganizationalUnit "Sales" -ResultSize unlimited | Set-Mailbox -ManagedFolderMailboxPolicy "Policy-DeletedItems90Days"
When applying the policy to members of a Distribution Group, remember that Distribution Group members can include recipients other than mailbox-enabled users (e.g. mail-enabled users, Contacts, other Distribution Groups, Public Folders, etc.). To apply the policy to all (mailbox-enabled) users who are members of a Distribution Group called DL-Sales, we will need to get members of the Distribution Group using the Get-DistributionGroupMember command, filter the result to get mailbox-enabled users, and pipe it to the Set-Mailbox command:
Get-DistributionGroupMember "DL-Sales" -ResultSize unlimited | where {$_.RecipientType -eq "UserMailbox"} | Set-Mailbox -ManagedFolderMailboxPolicy "Policy-DeletedItems90Days"
One logical question after the last example - can I do this with Security Groups instead? You cannot get the group membership of a Security Group as easily as you can get the members of a Distribution Group. Unfortunately, the Exchange shell does not have any equivalent of Get-DistributionGroupMember command that will work for Security Groups. (You can search the web for shell scripts to enumerate security group members - Bharat)
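The pipelines above change only the mailboxes that exist when they run, so mailboxes created in or moved to the OU later are left without a policy. The following sketch is an added example, not part of the original post: it finds mailboxes in the Sales OU that have no Managed Folder Mailbox Policy, applies the policy to them, and writes a record of what it touched. The `$preview` switch and the report path are hypothetical names chosen for the example.

```powershell
# Added example: run from the Exchange Management Shell, e.g. as a scheduled task.
$policyName = "Policy-DeletedItems90Days"   # policy name used in the article
$ou         = "Sales"                       # OU used in the article
$preview    = $true                         # assumption: $true only reports, $false applies
$reportPath = ".\mrm-policy-changes.csv"    # hypothetical report file

# Resolve the policy first so a mistyped name stops the run
# before any mailbox is touched.
$policy = Get-ManagedFolderMailboxPolicy $policyName -ErrorAction Stop

# Select only mailboxes that have no policy at all. Mailboxes that already
# carry a policy (this one or a deliberately different one) are left alone.
# Each selected mailbox is updated and then recorded in the CSV report.
Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
    Where-Object { -not $_.ManagedFolderMailboxPolicy } |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity `
            -ManagedFolderMailboxPolicy $policy.Identity `
            -Confirm:$false -WhatIf:$preview

        $_ | Select-Object Name, PrimarySmtpAddress, OrganizationalUnit,
            @{ Name = "PolicyApplied"; Expression = { $policyName } },
            @{ Name = "PreviewOnly";   Expression = { $preview } }
    } |
    Export-Csv -Path $reportPath -NoTypeInformation
```

With `$preview` left at `$true`, Set-Mailbox runs with -WhatIf and changes nothing, so the CSV lists the mailboxes that would be updated.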
Related posts:
- Managed Folders: How to apply different Managed Content Settings to Default Folders
- Exchange Server 2007: Why aren't Managed Content Settings applied?
- Restricting Messaging Records Management to a particular message type
Labels: Administration, Exchange Server 2007, Exchange Shell, Mailbox


11 Comments:
Let's suppose we apply the mailbox policy to an OU. What happens when I create a new mailbox-user in that OU? Is the policy applied to the new user? Should I apply the policy to the OU every time I create a new mailbox-user there?
The policy is not applied to an OU - we're simply getting all users in an OU or container and applying the policy to them.
When you create new users in that OU (or move existing users to it), you will need to use the command again to apply it to them.
That's a horrible step backwards. Here's another question: can I create MULTIPLE policies for, say, the Inbox folder? I have a student population whose Inbox should be cleared out semi-regularly, and a Staff population whose Inbox should be cleared out more often. How would I accomplish this in 2007? It was trivial in 2003.
Trying to automate the task, I can't get rid of the yes, no, all prompt.
I've tried:-
$ConfirmPreference = "None"
get-mailbox | set-mailbox -Confirm:$False -ManagedFolderMailboxPolicy "Mailbox Policy"
But it always stops at a confirm prompt at the first mailbox that needs the policy applied?
Peter,
Seems like that's fixed in SP1.
I'm in the same boat as tom davidson,
> That's a horrible step backwards. Here's another question:
> can I create MULTIPLE policies for, say, the Inbox folder?
>
> I have a student population whose Inbox should be cleared
> out semi-regularly, and a Staff population whose Inbox
> should be cleared out more often. How would I accomplish
> this in 2007? It was trivial in 2003.
Need separate policies for different groups of people, on the same folder.
I have not tested this yet, but it looks like it can be done according to Bharat Suneja. http://www.eggheadcafe.com/software/aspnet/30837517/mrm-in-exchange-2007-ques.aspx
Bharat Suneja [MVP]
28-Sep-07 12:55:12
Absolutely - as shown in this screenshot (multiple instances of Deleted
Items):
http://exchangepedia.com/blog/images/ManagedDefaultFolders-mi.jpg
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
----------------------------------------------
Hi Jon,
Look at the recent post: Managed Folders: How to apply different Managed Content Settings to Default Folders.
Tom and xavier:
With Exchange management no longer having AD integration, as well as the inability to create new user accounts from templates in the Exchange Management Console, we have actually moved to using interactive Powershell scripts for account creation.
We will be moving to actually taking input from a PHP forms page and just exec'ing the appropriate cmdlets that way, but for now we use Read-Host to gather info from the tech creating the account:
$firstname = Read-Host "Enter the new user's first name"
$lastname = Read-Host "Enter the new user's last name"
How you fetch the name of the template account to use totally depends on you, but I made use of the Powershell Community Extensions (http://www.codeplex.com/PowerShellCX) to search through AD for template accounts matching the need.
With this, it's simple enough to add something like:
Set-Mailbox "$firstname $lastname" -ManagedFolderMailboxPolicy [Policy Name]
If you want to get fancy, you can also grab the template account's OU using something like:
$ou = $template.OrganizationalUnit
...where $template is your chosen template account's mailbox.
From this you can set up a switch statement in your script that matches the user's OU to the appropriate mailbox management policy:
switch ($ou)
{
    "[path to first ou name]" { $mailboxpolicy = $mailboxpolicy1 }
    "[path to second ou name]" { $mailboxpolicy = $mailboxpolicy2 }
    # etc.
}
...and then modify your set-mailbox command to use that:
Set-Mailbox "$firstname $lastname" -ManagedFolderMailboxPolicy $mailboxpolicy
To be honest, our user creation script is just shy of 300+ lines of Powershell code in order to suit our needs in a fairly complex hosted Exchange environment, but it can be done, and it's a lot faster for us now to provision a new user than it was in Exchange 2003.
Is it more work than RUS and recipient policies? Upfront, yes.
Is it more flexible? Yes.
Which way is better? That answer depends on you...
Hugo, I want to implement something similar to what you are talking about. I am having some difficulty transferring the group membership of the template to the new user. Can you help please. Thanks.
Hi Nitin,
My apologies for the slow response; I have not been monitoring this thread.
The Exchange snap-in for Powershell unfortunately does not carry over group memberships. The Exchange Team's answer for this is that the Exchange tools are concerned with Exchange attributes and not regular user attributes. Still, you could copy a template mailbox in Exchange 2003 ADUC and get group memberships, so not being able to do that with Exchange 2007 counts as a reduction in functionality in my mind.
Anyway, copying group memberships is a bit tricky, but do-able. Something like this ought to do:
##################################
# Assumes $templaccn (the template account), $newuserdn (the new user's
# distinguished name), $firstname and $lastname were set earlier in the script.
# Get the template account's group membership.
$filterid = ( Get-User $templaccn.name ).identity
$groups = Get-Group -filter { Members -eq $filterid }
# Run through all of the groups of which the template account is a member,
# and add the new account to them.
$groups | foreach-Object {
    $groupdn = $_.DistinguishedName
    $adobjgroup = [ADSI]("LDAP://$groupdn")
    # The member attribute holds distinguished names, so compare against the new user's DN.
    $membercheck = ($adobjgroup.member | where-Object { $_ -eq $newuserdn })
    if ( $membercheck.length -ge 1)
    {
        # Build the message as one string; "+" does not concatenate in Write-Host arguments.
        Write-Host "$firstname $lastname is already a member of $($_.name). No group addition made. `n"
    }
    else
    {
        $adobjgroup.member.add("$newuserdn")
        $adobjgroup.setinfo()
    }
}
##################################
I have a full post on this on my tech blog at http://justanothersysadmin.wordpress.com/2008/01/19/modifying-group-memberships-with-powershell-part-1/. The post offers some more info and explanations of what's being done. I also monitor it more actively for comments.