• 1. London, UK
  • 2. New York, NY
  • 3. Sydney, Australia
  • 4. Melbourne, Australia
  • 5. Moscow, Russia
  • 6. Singapore
  • 7. Paris, France
  • 8. Chicago, IL
  • 9. Hong Kong
  • 10. Houston, TX

Thursday, December 14, 2006


Exchange Server 2007: Bulk mailbox-enabling users using Exchange Shell

Posted by Bharat Suneja at 8:49 AM
I’d written about how to bulk create mailboxes (including user accounts) from a CSV file [read previous post: Exchange Server 2007: Bulk creation of mailboxes using Exchange Management Shell]. This is in response to the reader who posted a comment asking for a way to mailbox-enable existing user accounts.

Bulk mailbox-enabling users using the Exchange console

In Exchange Server 2007 SP1, the Exchange console (EMC) allows you to create mailboxes for existing users. When selecting an existing user in the New Mailbox wizard, you can select multiple users by using the regular SHIFT-Click (to select a continuous list of users) and CTRL-click (to pick the users you want).

First we need to find the users without mailboxes. The get-user command will list all users. The RecipientType property of the user is either User or UserMailbox. As the name clearly suggests, those with UserMailbox as RecipientType are already mailbox-enabled – leaving those with RecipientType User.

You can enable all users with RecipientType User:

get-user | where-object{$_.RecipientType –eq “User”}

Yes, that may not be a great idea! So let’s filter these users. If these users reside in a particular Organizational Unit, we can restrict our search to that OU. In this case, we’ll look for users in the OU called “People”:

get-user –organizationalUnit people | where-object{$_.RecipientType –eq “User”}

Now we get a list of all users (who are not mailbox-enabled) from that OU. We can further restrict this list to all users who are members of a particular department. Since Sales is our favorite department, let’s pick Sales:

get-user –organizationalUnit people | where-object{$_.RecipientType –eq “User” -and $_.department –eq “Sales”}

Now we’ve got a smaller list of folks – those residing in the People OU belonging to Sales dept. and aren’t mailbox-enabled yet. Let’s go ahead and mailbox-enable these users:

get-user –organizationalUnit people | where-object {$_.RecipientType –eq “User” -and $_.department –eq “Sales”} | Enable-Mailbox –Database “EXCHANGE1\Mailbox Database” | get-mailbox | select name,windowsemailaddress,database

The above command mailbox-enables these users and outputs a list of their names, default email address, and the mailbox Store on which their mailbox(es) reside.

Similarly, you can also use other user attributes of user accounts like city, state, country, etc. to selectively mailbox-enable users.

The WOW! factor and what really makes it a fun process is the fact that once you get a hang of the syntax and know what you're looking for, the entire process happens really quickly.

PowerShell / Exchange shell does to VBS scripts what scripting did to repetitive GUI tasks.

Labels: , ,


January 30, 2007 7:35 AM
Anonymous tizedboy said...

This is simply fantastic !

February 23, 2007 11:01 AM
Anonymous Anonymous said...

Are the variables and syntax the same for adding resources? I've got an OU full of conference rooms I'd like to auto-provision email accts for to use in Outlook calendaring. If the AD accts are disabled (which they are), will Power/ExchangeShell know to create a room mailbox instead of a user mailbox?

February 26, 2007 6:28 AM
Anonymous Anonymous said...

It would seem I found my own answer (gotta love that feeling!). Here's the command if you want to take an entire OU in AD and turn it into room mailboxes in Exchange 2007: (I ran it from the mailbox server but it shouldn't matter)

get-user -organizationalUnit "OUNameHere" | where-object{$_.RecipientType -eq "User"} | Enable-Mailbox -Database "MBXservernameHERE\mailbox database" -Room

Actually quite simple when I compare the new cmdlet to the old ;)

This doesn't set many switches or parameters on the mailbox but when you look at it in the Exchange Mgmt Console you'll see it listed as a "Room Mailbox". Man, PowerShell KIX (no pun intended)! Also remember - for this to work, the user acct in AD must be disabled (essentially any user accts you want to use for resource mailboxes need to be disabled prior to trying to create a mailbox for the acct). If it isn't, you'll get a nice red error meesage in PowerShell saying "Doh!". On the upside, the errors in PowerShell are much more informative than any I've seen to date where scripting is concerned!

Also, if you have other accts in the OU you're "harvesting" that already have mailboxes created for them, don't worry, it won't create additional mailboxes for rooms. The above cmdlet specifically looks for "user" object types; if you've already got a mailbox assigned to a user acct, the object type becomes "UserMailbox" and is skipped by the cmdlet. One of the nice things about the script is that when it finishes it lists all the users that had mailboxes created for them.

Hopefully this helps someone else out there...

June 1, 2007 7:50 AM
Anonymous Boso said...

I've been a real cynic of Powershell, but this cmdlet has converted me !!

June 9, 2007 12:17 AM
Blogger Ibrahim said...

Hi ,
I have installed excahnge 2007 on a new server ,current email server is exch . 2000 pls some one tell me how to migrate the mail boxex from 2000 to 2007 ,my new server exch organization is identical to existing server.


July 26, 2007 4:16 PM
Blogger Tom said...

Thanks for your insight! But one thing I'm stumped on... how can I add an alias as the users [email protected]? Not just [email protected]?
Is there a way?

July 26, 2007 4:35 PM
Blogger Bharat Suneja said...


If you installed the new server in the same Exchange Organization, you should be able to move mailboxes from the 2000 server to the 2007.


July 26, 2007 4:44 PM
Blogger Bharat Suneja said...

Hi Tom,

If you mean email addresses - the default set of email addresses are controlled by the Email Address Policy (EAP). You will need to modify it to add a similar alias address (known as proxyAddress) to all recipients covered by that EAP.

If you want to do this for a single user/mailbox/recipient, you can go to the mailbox/recipient's properties in the Exchange console and add it from the E-Mail Addresses tab.

If you want to change the default email address (this is what is used to send and reply to messages, regardless of any number of proxyAddresses a recipient may have), you will need to uncheck "Automatically update e-mail addresses based on email address policy".

To do this using the Exchange shell, refer to previous post: "HOW TO: Add additional email addresses to a recipient".

To do this for Public Folders, refer to previous post: "HOW TO: Add Email Addresses To Public Folders"

August 6, 2007 12:46 AM
Anonymous Andrew said...

It`s really fantastic. I`m search a week over Internet, try csv and and from console. But it`s method much more simplest and faster. Thank very much to autor.

August 19, 2007 9:01 AM
Anonymous gitenberg said...

How can I sort/filter users by group before enabling mailbox?

March 24, 2008 11:22 PM
Anonymous Anonymous said...

A bit late, but for others that follow... to answer gitenberg you need to use the -filter option, e.g.

get-user -filter {memberofgroup -eq "cn=group,ou=orgunit,dc=network,dc=lan"}

hope that helps others.

April 7, 2008 1:43 PM
Blogger damianini said...

Your instructions work great. But how do you spread the mailboxes created over several storage groups

May 11, 2008 11:59 AM
Blogger Bharat Suneja said...


That would require a script to get all mailbox databases in the Org or one server or have the database names fed manually.

Alternatively, you can filter users based on OU/department or some other common attribute and place those on one mailbox database.

June 5, 2008 9:32 AM
Anonymous Rob said...

This is really superb! it saved lot of work for me! Thanks for the good post.

August 6, 2008 7:28 AM
Anonymous Wolle said...

Does someone know how to do this in an c#-Application from an external Windows-XP-client?

I allways get the error "No Windows PowerShell Snap-ins are available for version 1"

when I execute:

"PSSnapInInfo info = rsConfig.AddPSSnapIn("Microsoft.Exchange.Management.PowerShell.Admin", out snapInException);"

August 11, 2008 9:23 AM
Anonymous Anonymous said...

Yes, so much better tahn simple selecting a group of users in ADUC and selecting Exchange Tasks, what a huge adavancement....everyone thank Microsoft....

August 11, 2008 10:02 AM
Blogger Bharat Suneja said...

@Anonymous: The option to select multiple users is available in Exchange 2007 SP1. Since this post is titled "...using Exchange Shell", it did not include details on how to do this using the Exchange console.

The post has been updated to include the SP1 change.

August 25, 2008 6:35 AM
Anonymous Anonymous said...

I have to apply a mailbox management policy to all users in a particular database. There must be a command I can use in PowerShell to get this done? I am not having any luck.


August 26, 2008 7:56 AM
Blogger David said...

I would like to know how to create in bulk, mailbox enabled users and create them in a certain mailbox databases according to their last initial

October 13, 2008 4:29 AM
Anonymous Anonymous said...

great script. i think i can use it for my needs but how do you feed the script with values from, say, a text file?

October 13, 2008 7:46 AM
Blogger damianini said...

For Becky: To set the mailbox policy you can use the following switch in your powershell script: -ManagedFolderMailboxPolicy 'PolicyName'. This will set the mailbox policy for the users.

For txt file guy: Set up a csv/text file using a header row so your file would look like:

jdoe,"Doe, John",John,Doe

Then call the file in your powershell script import-csv C:\filename.csv | foreach {new-mailbox -Name $_.SamAccount -DisplayName $_.Display -FirstName $_.First -LastName $_.Last}

Depending on what you are trying to do the from the pipe, the text file would follow similar parameters. you would just change the powershell command Get- remove- add- ,etc.

October 21, 2008 12:55 PM
Blogger pejy said...

Instead of searching for AD accounts within a specific OU or department, can you search for accounts within a security group?

October 21, 2008 1:25 PM
Blogger Bharat Suneja said...

@Pejy: If the Security Group is also mail-enabled (that is, it's a Distribution Group as well. Exchange 2007's definition of Distribution Groups = mail-enabled Distribution or Security Groups), you can use the Get-DistributionGroupMember cmdlet to get group members:
Get-DistributionGroupMember "Group Name" | Do-Blah

If the Security Group is not mail-enable, it's not as easy. There's no built-in Exchange shell/PowerShell task like Get-SecurityGroupMember. However, you can use the ADSI provider to get Security group members. Take a look at a previous post Script: Listing Distribution Groups a recipient is a member of for some pointers on the ADSI provider.

November 20, 2008 6:04 PM
Anonymous Anonymous said...

This solves one of my problems.

Is there a way to create a new user using a template/script from 2007 (AD 2003 environ) that gives group security permissions and other AD settings eg. remote desktop profile, settings etc.

February 26, 2009 12:05 PM
Blogger HikingStick said...

Great post! Thanks for sharing the information.

How would one modify the OrganizationalUnit parameter to search only a specific OU container that is on a nested branch if its name matches a higher level OU?

For example, in MyDomain.com, I have the deafault Users container. To help with internal administration, a child OU was created (let's call it "MD"--short for MyDomain), and I have a Users OU under MD. I'd like to pull users only from the Users.MD.Mydomain.com OU.

February 26, 2009 12:39 PM
Blogger Bharat Suneja said...

@HikingStick: One of the benefits of using unique names for things like Organizational Units/Containers, Exchange Databases/Storage Groups, etc. is that in a lot of cmdlets you can simply use the name of the object.

If the object is not unique, as in this case, you try to specify the *fully-qualified name* or path— a distinguishedName for AD objects.

February 26, 2009 4:30 PM
Blogger damianini said...

Another set of cmdlets is available using the free utility from Quest. It's ActiveRoles Management Shell for Active Directory. You can use these cmdlets to query any group regardless of security or distribution using Get-qadgroup or get-qadgroupmember. If you want exchange functionality also you can start powershell. Run the command Add-PSSnapin Microsoft.exchange* and then run Add-PSSnapin quest.ActiveRoles* . This will add both sets of cmdlets to powershell. This way you can query a security group and/or distribution group. Run queries against any active directory object/attribute or any exchange command.

For a particular OU all you would do is get-cmdlet -organizationalunit "mydomain.com/users/md" .

March 7, 2009 6:41 AM
Anonymous Anonymous said...

I have used scripts like this, but is there a way to list mailboxes without a mailbox policy, can I use -eq "no" or something like that? Thanks for your help.

March 7, 2009 10:59 AM
Blogger Bharat Suneja said...

@Anonymous from March 7: "Mailboxes without a policy"? Do you mean mailboxes set to not have email addresses generated by policy?

Get-Mailbox -Filter {EmailAddressPolicyEnabled -eq $false}

March 24, 2009 1:34 PM
OpenID aallien said...

Is there a way to do the same thing but instead use enable-mailuser. I've tried several things to make it do so and all I get are errors. I have 926 accounts to mail enable with external email addresses. The email field is populated in AD. I've been using a script that spawns a gui that populates fields and you click a button which is great, but it would be even better if I could just have it do the whole OU. I can't believe MS took that functionality out of ADUC. I am running exchange 2007 SP1 with the latest rollup (at this time) and I cannot select multiple users at once btw.

March 24, 2009 1:52 PM
Blogger Bharat Suneja said...

@aallien: Can you paste the exact command you're using (mask the real details)? For Enable-MailUser, the only required parameters are identity (which gets piped from Get-User) and ExternalEmailAddress.

Are you populating the ExternalEmailAddress property?

March 24, 2009 1:54 PM
Blogger damianini said...

depending on whether these accounts are mailcontacts or regular users what you can do is this:

Get-user -organizationalunit "domain/subfolder/subfolder" -resultsize unlimited | foreach {enable-mailuser $_ -ExternalEmailAddress "[email protected]"}

You can add any switch you like.

March 24, 2009 2:20 PM
Blogger Bharat Suneja said...

@damianini: For 926 user accounts, typing the -externalemailaddress isn't practical, and it already exists in the WindowsEmailAddress attribute.

@aallien: Sorry, not enough time to test the type conversion, but posting answer in a separate blog post soon... :)

January 27, 2010 3:17 PM
Blogger Eugene Rosenfeld [former MOSS MVP] said...

Thanks for the post. Is there a way to mail-enable a user through some remote API, i.e. something that doesn't have to run on the Exchange Server?


Post a Comment

Links to this post:

Create a Link

<< Home