The first part of this document covers only the basics of creating users in AD and their mailboxes in Exchange Server 2007.
The second part deals specifically with bulk creation of users and their mailboxes in Exchange Server 2007.
The third part discusses enabling users with their mailboxes in Exchange Server 2007.
Creating one user in AD and creating its mailbox in Exchange 2007 is a very easy task. One can do this through the Exchange Management Console (EMC) or the Exchange Management Shell (EMS) without deep knowledge of the product.
Below are step-by-step guidelines for creating a user and a mailbox through EMC and EMS.
In the EMC, you get the option to create a new mailbox when you select “Mailbox” under “Recipient Configuration”.
Unlike Exchange 2000/03, Exchange Server 2007 gives you the option to create multiple types of mailboxes.
You can always have mailboxes for users, and for that you get the option to create a “User Mailbox”.
You can have mailboxes for resources such as conference rooms, a projector, a meeting room or any other resource in your company, and for that you get the option to create a “Room Mailbox” or an “Equipment Mailbox”.
You can also create a linked mailbox for users who do not have a user account in the same AD forest as the mailbox.
In the next step you are asked whether to create a new user for the new mailbox or to pick an existing user who does not yet have a mailbox.
We select the existing user if the user already exists in AD and we need to enable his mailbox in Exchange Server 2007.
Once you choose to create a new user, you should see the next screen, something like the one below.
Then you will be prompted for the mailbox information such as the Mailbox server name, the mailbox database, etc.
Then come the summary page and the finishing page, where you can also see the command for creating a new mailbox with a new user account, which you can use in the Exchange Management Shell.
That was all about creating a new mailbox for a new user or an existing user account through the Exchange Management Console.
Now let’s see how to create mailboxes through the Exchange Management Shell.
This is how it goes.
To create a new mailbox for a new user account, the command is New-Mailbox with some switches, as shown below:
[MSH] C:\Documents and Settings\Administrator>New-Mailbox -Name Mohini -FirstName Mohini -LastName Giri -Alias Mohini -UserPrincipalName mohini@universe.net -OrganizationalUnit universe.net/test -Database "mailbox database"
cmdlet New-Mailbox at command pipeline position 1
Supply values for the following parameters:
Password: *******
Name      Alias     Server        ProhibitSendQuota
----      -----     ------        -----------------
Mohini    Mohini    dcexsrvr01    unlimited
The lines above and the screenshot below are explained here:
As said earlier, for a new user and a new mailbox the command is New-Mailbox. We also need to supply all the mandatory information about the new user and his mailbox.
Mandatory user information is “Alias, Name, Organizational Unit, etc”. “First name, Last name” are not really required, but we gave them in this example.
Mandatory mailbox information would be things like “database name where the mailbox will reside, server name, etc”.
In case you need to create a new mailbox for an existing user, your command would be as below:
[MSH] C:\Documents and Settings\Administrator>Enable-Mailbox -Identity: "universe.net/aa/pravin Giri" -Alias pravin -Database "mailbox database"
Name           Alias     Server        ProhibitSendQuota
----           -----     ------        -----------------
Pravin Giri    pravin    dcexsrvr01    unlimited
Now the really tough task is when we need to create multiple user accounts in AD and their mailboxes on the Exchange Mailbox server.
Or when we have multiple user accounts in AD and we need to enable mailboxes for them on the Exchange server in one shot.
How do we do it?
Can we do it through the Exchange Management Console?
Can we just select the user accounts in AD and perform the Exchange task?
These are a few questions which you will come across, and here are the answers.
Well, to be very frank, there is no Exchange task option in AD or in the user’s properties.
There is also no way to do it through the Exchange Management Console.
We can achieve these goals with some scripting knowledge and the help of the Exchange Management Shell.
Let us first have a look at the script for creating mailboxes in bulk for users in AD.
In this example, I have an OU named CanadaUsers with a few accounts in it that do not yet have mailboxes.
Now, let’s see how we do this.
First, we need to find the users in AD without mailboxes.
To do so, we give the command:
[MSH] C:\Documents and Settings\Administrator>Get-User -OrganizationalUnit canadausers | where-object {$_.recipienttype -eq "user"}
Name             RecipientType
----             -------------
david thomas     User
Mike Williams    User
jonathan lile    User
sharon smith     User
richard jose     User
The same command is shown in the screenshot below as well.
Now that the output is available to us, we need to enable mailboxes for these users.
So we pass the output further down the pipe and enable the mailboxes.
This is done as given below.
[MSH] C:\Documents and Settings\Administrator>Get-User -OrganizationalUnit canadausers | where-object {$_.recipienttype -eq "user"} | Enable-Mailbox -Database "mailbox database"
Name             Alias       Server        ProhibitSendQuota
----             -----       ------        -----------------
david thomas     david       dcexsrvr01    unlimited
Mike Williams    mike        dcexsrvr01    unlimited
jonathan lile    jonathan    dcexsrvr01    unlimited
sharon smith     sharon      dcexsrvr01    unlimited
richard jose     richard     dcexsrvr01    unlimited
Sounds a little easy, hmm... But this time we already had the users in AD. We just had to filter them and then enable their mailboxes.
Now we’ll create some users in AD and their mailboxes as well.
Let’s see how we do this.
The first thing I would like to do is ensure that I follow the password policy of my company.
So I set the password in advance for all the users who will be created through EMS.
Here’s how we do it.
[MSH] C:\Documents and Settings\Administrator>$password=read-host "Please Enter the Password" -assecurestring
Please Enter the Password: *******
This keeps the password as a secure string in the EMS session until it is changed or we close the EMS.
The second step is to list the users in a .csv file and import it to create their accounts and mailboxes.
For convenience, we have already created a users.csv file, and this is how it looks.
In the EMS, this is what we give and what the output looks like. In our case, Sachin was already a user account in AD, and no two accounts with the same name can be created, so it gave us an error. For the rest of the users, the command simply ran, and here’s the output.
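The bulk-creation step described above, as an added example (not the author's original command, which was shown only in a screenshot). It assumes a users.csv with the hypothetical column headers Name, FirstName, LastName, Alias and UPN, and the file path is a placeholder; it checks for an existing account first so that a case like Sachin's is skipped with a warning instead of raising an error.

```powershell
# Added example: bulk-create AD users and their mailboxes from a CSV file.
# Run inside the Exchange Management Shell.
#
# Assumed (hypothetical) CSV layout; the data row is a constructed sample:
#   Name,FirstName,LastName,Alias,UPN
#   Sachin,Sachin,Example,sachin,sachin@universe.net

$csvPath  = "C:\users.csv"          # assumed location of the file
$ou       = "universe.net/test"     # OU used earlier on this page
$database = "mailbox database"      # database used earlier on this page

# Same prompt as above: one initial password, held only as a SecureString.
$password = Read-Host "Please Enter the Password" -AsSecureString

Import-Csv $csvPath | ForEach-Object {
    # No two accounts with the same name can be created, so look the user up first.
    $existing = Get-User -Identity $_.UPN -ErrorAction SilentlyContinue

    if ($existing) {
        Write-Warning ("Skipped " + $_.UPN + ": account already exists in AD")
    }
    else {
        # Every account gets the same initial password, so force a change
        # at first logon rather than leaving a shared secret in place.
        New-Mailbox -Name $_.Name `
                    -FirstName $_.FirstName `
                    -LastName $_.LastName `
                    -Alias $_.Alias `
                    -UserPrincipalName $_.UPN `
                    -OrganizationalUnit $ou `
                    -Database $database `
                    -Password $password `
                    -ResetPasswordOnNextLogon $true
    }
}
```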
Of course, there are many different ways to create mailboxes and user accounts in AD, and this is one way I do it.
I hope that after going through this document you will be able to build and test your labs for bulk creation of users in AD and mailboxes in Exchange Server 2007.
Thursday, August 19, 2010
Recipient Management in Exchange 2007
We all know that the Recipient Update Service (RUS) was responsible for stamping Exchange recipients with email addresses in Exchange 2000 and Exchange 2003.
RUS was the only object in Exchange solely responsible for stamping Exchange recipients with the Exchange-specific attributes.
Unlike Exchange 2000/03, Exchange 2007 does not use RUS to stamp recipients with the email address.
No, no... This doesn’t mean that RUS does not exist in Exchange 2007!
RUS is still part of Exchange 2007 and continues to work under the System Attendant service as it always has. However, there are no RUS objects in the directory under the configuration partition.
The role of stamping objects with email addresses is taken over by the Exchange Server 2007 server running the Mailbox server role.
Previously, RUS automatically queried the Active Directory domain controller, got the list of new or modified objects from AD and processed those objects with Exchange-specific attributes.
But now RUS sits idle and works only when triggered. One way to trigger RUS is to run the task “create-mailbox”.
The RUS in Exchange 2007 has been redeveloped and rewritten as an Application Programming Interface (API), termed the RUS API.
The RUS API is broken into two parts, a server and a client:
Server RUS API – Runs on every Exchange Server 2007 Mailbox server.
Client RUS API – Available to any component that uses the AD Provider (i.e. the create-mailbox task goes to the AD Provider to find a DC).
A question here:
In which scenarios is the RUS API used?
The following tasks use the RUS API:
- Move-mailbox
- new-mailbox
- set-mailbox
- reconnect-mailbox
- Enable-CasMailbox
- Set-CasMailbox
- Enable-UMmailbox
- Set-UMMailbox
- new-mailuser
- set-mailuser
- new-mailcontact
- set-mailcontact
- new-DistributionList
- set-DistributionList
- new-DynamicDistributionList
- set-DynamicDistributionList
- new-addresslist
- update-addresslist
- new-globaladdresslist
- update-globaladdresslist
- new-emailaddresspolicy
- update-emailaddresspolicy
How is the Mailbox Server selected for this role?
In Exchange 2003, we had a RUS object created in Active Directory.
This object always held the following information:
1. The name of the Exchange server responsible for stamping users with email addresses.
2. The name of the domain controller which the Exchange server queries for new or modified objects.
3. The domain name for which the RUS is responsible.
But in Exchange 2007 no RUS object is created in Active Directory.
There is no such RUS object in Active Directory unless Exchange 2007 has been installed into an existing organization with Exchange 2000 or Exchange 2003.
So some questions which pop up are:
1. If there is no such RUS object in AD, then how do we set the properties of RUS?
2. Which Mailbox server will be solely responsible for stamping objects with the Exchange attributes?
3. Which domain controller will be queried for the list of objects for further processing?
The answers to the above questions are:
1. Since no RUS object exists in AD, the properties cannot be set.
2. There is no Mailbox server which is predefined and preconfigured to do the activity.
3. There is also no predefined or preconfigured domain controller. The process of selecting the domain controller and the Mailbox server actually starts from the Exchange management interface, that is, the Exchange Management Shell (EMS) or the Exchange Management Console (EMC).
When you trigger a task such as Create-Mailbox with the switch –DomainController “DC Name”, the Mailbox server nearest to that domain controller’s site is selected.
If you run the Create-Mailbox task without the –DomainController switch, the Mailbox server closest to the site from which the task was triggered is selected.
If you have multiple Mailbox servers running in the same site, then whichever Mailbox server is best reachable is selected.
This selection process continues until all the listed Mailbox servers have been contacted without a reply.
Finally, if no Mailbox servers are available, the create-mailbox task fails with the “server is down” or “Access denied” error.
The objects used in the process
Some AD objects are used in the process of stamping objects with the Exchange attributes.
The first object used is the Email Address Policy (EAP).
The EAP in Exchange 2007 is just like the Recipient Policy in Exchange 2000/03.
Active Directory stores the EAP in its database just as it did the Recipient Policies.
Since the Recipient Policies in Exchange 2003 and the Email Address Policy (EAP) in Exchange 2007 are one and the same, they provide the same functionality.
The EAP gives the RUS API a format for stamping users with email addresses. It acts as the skeleton for the mail-enabled and mailbox-enabled objects in AD.
The only difference between the EAP and the Recipient Policy is that the EAP does not work dynamically as the Recipient Policy did in Exchange 2000/03. This is because the RUS in Exchange 2007 does not work dynamically and depends on a task such as Create-Mailbox.
The second object used is the Address List (AL).
An Address List is nothing but a dynamic list of all the Exchange objects in Active Directory.
It can be defined by attributes like description, country, city, street, etc. Since the Address List in Exchange 2000/03 and in Exchange 2007 are one and the same, they provide the same functionality.
The only change to the Address List in Exchange 2007 is that it does not get created or modified dynamically as it did in Exchange 2000/03.
The simple reason is that the RUS in Exchange 2007 does not work dynamically and is triggered by a task such as Create-Mailbox.
The Process of stamping objects with Mail Attributes
In Exchange Server 2007, stamping objects with Exchange attributes happens a little differently.
As mentioned above, Exchange Server 2007 does not proactively schedule any operations. Instead, the RUS API sits idle until a task, such as create-mailbox, has been initiated. The RUS API also has an Internal Filter Evaluator.
This Internal Filter Evaluator existed in Exchange 2003 as well, but it is enhanced in Exchange 2007.
This feature allows filters to be evaluated without querying Active Directory, which reduces the number of queries made to Active Directory.
The Internal Filter Evaluator was also used with the Recipient Policy in Exchange 2003.
It used the MsExchPurportedSearchUI attribute on the Recipient Policy to find the object, and if this attribute had been modified by the administrator, RUS queried Active Directory using the filter in the MsExchPurportedSearchUI attribute.
Now let’s discuss the process by which an object gets its Exchange attributes:
1. The Exchange administrator always uses either EMC or EMS to create a mailbox.
2. Every time a new mailbox is created, the create-mailbox task is triggered in the background.
3. This task, in the background, tries to find an Active Directory domain controller to talk to. This is performed by the client side of the RUS API.
4. Meanwhile, the server side of the RUS API queries the Active Directory domain controller for the new or updated EAP and AL objects stored in AD. The RUS API queries AD every 5 minutes (by default) for this information. This information is cached on the local Exchange Mailbox server.
5. Once the connection is established with the domain controller as mentioned in step 3, the task connects to the server side of the RUS API and gets the list of EAPs and ALs.
6. Based on the EAP and the AL available and the information provided in the create-mailbox task, a virtual user is created by the RUS API.
7. Finally, the uniqueness of the virtual user is checked by the RUS API and a complete user with the mail attributes is created in Active Directory.
I hope this article helped you a little bit in understanding the process of getting mail attributes in Exchange 2007.
Single Item Recovery in Exchange 2010
Until now, single item recovery in Exchange has always been a tedious task for administrators. A user deletes an email item from the mailbox and fails to recover it with the “Recover Deleted Items” option in Outlook or the other options in OWA. The only option left for the administrator was to restore from a valid previous backup and recover the deleted item for the user.
Isn’t it too tedious and complicated for an administrator to restore a single email from the entire database? Especially when it means restoring the entire database for just one email. We were fortunate enough to have the “Recovery Storage Group” in Exchange 2003 and later versions to avoid downtime for the user or the entire database while the restore was in progress.
Single item recovery doesn’t apply only to a user wanting an item back. There can also be cases in an organization where a user deletes a confidential company email from the mailbox and the company’s legal team wants it. Then it becomes a legal matter for the company, and recovering those emails becomes more critical.
But the “Recovery Storage Group” feature alone wasn’t enough for administrators, and hence Exchange 2010 brings in new and improved functionality to help administrators recover such single items from a given user’s mailbox with minimum effort and time.
Let us take a look at how a deleted email can be retrieved from the user’s mailbox using the new and improved features in Exchange 2010.
Given below is the step-by-step guide to recovering a single item in Exchange 2010.
Below is the screenshot of a user mailbox with some email items in it.
We will use the email selected in the above screenshot, which will be deleted and then recovered.
We will use Outlook Web App to delete this email, assuming that the user is a sales user and has access to his email through Outlook Web App only.
In previous versions of Exchange (like Exchange 2000/2003/2007), it was possible for the end user to recover deleted emails from the dumpster using both OWA and Outlook. This feature is now restricted to Outlook ONLY in Exchange 2010.
Since the user is using OWA in this case, it is not possible for him to use the “Recover Deleted Items” feature, and hence the only option left is calling the helpdesk and asking the Exchange administrator to recover it from the database.
The user has just used Shift+Delete to delete the email in the picture below, and the email is not visible in the Deleted Items folder either. The email has bypassed the “Deleted Items” folder and gone into the dumpster of the user’s mailbox.

Now... the real game starts for the administrator. Until Exchange 2007, there was only one option left: restoring from the previous backups and retrieving the deleted email.
But now, the Exchange 2010 Discovery Management feature allows the administrator to search within the user’s mailbox (including the dumpster) and pull out the email item in question. Let’s see how.
NOTE: The administrator who performs the task of recovering this deleted item for the user must be a member of the “Discovery Management” group so that he can perform searches within the user’s mailbox. I have already added the administrator to the group from the Exchange Control Panel, and this is how it looks.
Now, let’s quickly jump into the Exchange Management Shell to perform the recovery steps.
In the shell, we give the command as shown in the screenshot below.
Let me first explain the command we just gave.
Search-Mailbox: as the name suggests, it is used to search within a user’s mailbox.
-Identity: here we give the name of the mailbox which we need to search. In this example, we searched the mailbox of user “hiteg”.
-SearchQuery: here we can give details like the subject of the email, the FROM field, the TO field, etc. You can think of it as a search filter. In this example, we are looking for an email item with the subject “company deal”.
-TargetMailbox: the target mailbox would always be “Discovery Search Mailbox”.
-TargetFolder: the target folder can be any folder or subfolder within the “Discovery Search Mailbox” mailbox to which you want the search results exported. In this example, we want the data exported to the “Hiteg_Data_Recovered” folder within the “Discovery Search Mailbox” mailbox.
Now that we have the results, let us log in to the “Discovery Search Mailbox” mailbox and check the email item that we just recovered.
NOTE: By default, no user or administrator has rights to log in to the “Discovery Search Mailbox” mailbox and access data from it. ONLY users who are members of the “Discovery Management” group have rights to log in to the “Discovery Search Mailbox” mailbox. In this example, the administrator account has those rights, so I will use the administrator’s credentials to log in to the “Discovery Search Mailbox” mailbox.
In the above picture, you can see the “Discovery Search Mailbox” mailbox, a subfolder named “Hiteg_Data_Recovered” and the actual email item which was deleted.
Hey, wait. We are still not done. The email is still not in the actual user’s mailbox. Right now, it is just in the “Discovery Search Mailbox” mailbox. We now need to move this email item from the “Discovery Search Mailbox” mailbox to the “hiteg” mailbox, and there are numerous ways to do so. I will follow the simple way again.
I hope by now you are comfortable with the one command we gave above to recover the email, so I will use the same command. We now search the “Discovery Search Mailbox” mailbox and target the “hiteg” mailbox for any search results.
Here’s how we do it.
We literally gave the same command and just changed the source and destination mailbox locations.
Also, if you check the output of the command, interestingly, you will see that the “ResultItemCount” is “2”. But we actually had just one email to be recovered, right?
Well, when we recover from the “Discovery Search Mailbox” mailbox, a summary email is also created automatically alongside the actual email.
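The two Search-Mailbox commands described above appear on this page only as screenshots; as an added example (not the author's exact commands), this is how the parameters explained above fit together, with a membership check and an estimate-only pass first. The mailbox, subject and first folder name are the ones used in this walkthrough; the target folder in the last command is an assumed name.

```powershell
# Added example for the Exchange 2010 Management Shell.
# hiteg, "company deal" and Hiteg_Data_Recovered are the names used in this post.

$query     = 'Subject:"company deal"'
$discovery = "Discovery Search Mailbox"

# 0. Review who can run discovery searches. Members of this role group can
#    search the content of other users' mailboxes, so keep the list short.
Get-RoleGroupMember "Discovery Management" | Select-Object Name, RecipientType

# 1. Dry run: report how many items match without copying anything.
Search-Mailbox -Identity hiteg -SearchQuery $query -EstimateResultOnly

# 2. Copy the matching items from the user's mailbox into the discovery mailbox.
Search-Mailbox -Identity hiteg `
               -SearchQuery $query `
               -TargetMailbox $discovery `
               -TargetFolder "Hiteg_Data_Recovered"

# 3. Same command with source and destination swapped: copy the item from
#    the discovery mailbox back into the user's mailbox.
$result = Search-Mailbox -Identity $discovery `
                         -SearchQuery $query `
                         -TargetMailbox hiteg `
                         -TargetFolder "Recovered_Items"   # assumed folder name

# The item count in this output includes the automatically created summary
# message, which is why one recovered email is reported as two items.
$result | Format-List
```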
Let’s log in to the mailbox of HITEG and check whether he got the email back.
The above screenshot shows the search result summary, and the email below it is the actual email which was deleted.
Isn’t this wonderful! The administrator had to give just two commands and the email is back in the user’s mailbox.
Note: the above task can be performed through the Exchange Control Panel as well if one is not comfortable using the Exchange Management Shell.
Well... since I am done with recovering a single item in Exchange 2010, I will come up with another blog post and another topic to discuss.
I hope this topic was helpful and you liked it. Please share your feedback and comments to improve future blog posts.
You can also reply to me at hiteg@microsoft.com if you have any queries or doubts.
Isn’t it too tedious and complicated for an administrator to restore a single email from the entire database…? Especially when it comes to restoring the entire database for just one email. We were fortunate enough to have “Recovery Storage Group” in Exchange 2003 server and later versions to avoid the downtime for the user or the entire database while the restore was in progress.
Single item recovery doesn’t just apply to a theory of user wanting to recover it. There could also be possibilities in an organization when a user would delete a company’s confidential email from the mailbox and the legal team of the company would want it. This time it becomes a legal matter of the company and recovering those emails can become more critical.
But just the “Recovery Storage Group” feature wasn’t enough for the administrators and hence Exchange 2010 brings in a new and improved functionality to help administrators recover such single items from the given users mailbox with minimum effort and time to spend.
Let us take a look at how a deleted email from the user mailbox can be retrieved using new and improved features in Exchange 2010.
Given below is the step by step guide on recovering single item in Exchange 2010.
Below is the screenshot of a user mailbox with some email items in it.
We would be using the selected email in the above screenshot which would be deleted and then recovered.
For now, we will use Outlook Web App to delete this email, assuming that the user is a sales user and has access to his email through Outlook Web App only.
In previous versions of Exchange (like Exchange 2000/2003/2007), it was possible for the end user to recover deleted emails from the dumpster using both OWA and Outlook. This feature is now restricted to Outlook ONLY in Exchange 2010.
Since the user is using OWA in this case, it is not possible for him to use the “Recover Deleted Items” feature, and hence the only option left is calling the helpdesk and asking the Exchange administrator to recover it from the database.
The user has just used Shift+Delete to delete the email in the picture below, so the email is not visible in the Deleted Items folder either. The email has bypassed the “Deleted Items” folder and gone into the dumpster of the user mailbox.

Now the real game starts for the administrator. Until Exchange 2007, there was only one option left: restoring from the previous backups and retrieving the deleted email.
But now, the Exchange 2010 Discovery Management feature allows the administrator to search within the user’s mailbox (including the dumpster) and pull the email item in question. Let’s see how.
NOTE: The administrator who will perform the task of recovering this deleted item for the user should be a member of the “Discovery Management” group so that he can perform searches within the user’s mailbox. I have already added the administrator to the group from the Exchange Control Panel and this is how it looks.
Now, let’s quickly jump onto the Exchange Management Shell to perform the recovery steps.
In the shell, we would give the command as shown in the below screenshot.
Let me first explain the command we just gave.
Search-Mailbox: as the name suggests, it is used to search within a user’s mailbox.
-Identity: Here we need to give the name of the mailbox which we need to search. In this example, we searched the mailbox of user “hiteg”.
-SearchQuery: Here, we can give details like the subject of the email, the FROM field, the TO field of the email, etc. You can think of it as a search filter. In this example, we are looking for an email item with the subject “company deal”.
-TargetMailbox: the target mailbox would always be “discovery search mailbox”.
-TargetFolder: the target folder can be any folder/subfolder within the “discovery search mailbox” mailbox where you want the search query results to be exported. In this example, we want the data to be exported to the “Hiteg_Data_Recovered” folder within the “discovery search mailbox” mailbox.
Now that we have got the results, let us log in to the “Discovery search mailbox” mailbox and check the email item that we just recovered.
NOTE: By default, no user/administrator has rights to log in to the “Discovery search mailbox” mailbox and access data from it. ONLY users who are members of the “Discovery management” group have rights to log in to the “Discovery search mailbox” mailbox. In this example, the administrator account has the rights to log in to the “Discovery search mailbox” mailbox. Hence I would use the administrator’s credentials to log in to the “Discovery search mailbox” mailbox.
In the above picture, you can see the “Discovery search mailbox” mailbox and a subfolder with the name “Hiteg_Data_Recovered” and the actual email item which was deleted.
Hey, wait. We are still not done. The email is still not in the actual user’s mailbox. Right now, it is just in the mailbox of “Discovery search mailbox”. We now need to move this email item from the “Discovery search mailbox” mailbox to the “hiteg” mailbox, and there are numerous ways to do so. I would follow the simple way again.
I hope by now you are comfortable with the only command we gave above to recover the email, so I would use the same command. We would now search the “Discovery search mailbox” mailbox and target the “hiteg” mailbox for any search results.
Here’s how we do it.
We literally gave the same command and just changed the source and the destination mailbox locations.
Also, if you check the output of the command, interestingly, you would see that the “ResultItemsCount” is “2”. But we actually had just one email to be recovered, right?
Well, when we recover from the “Discovery Search Mailbox” mailbox, a summary email is also automatically created alongside the actual email.
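The two Search-Mailbox runs described above, written out as an added example; the commands in the original screenshots are not reproduced on this page, so this is not the author's exact input. The mailbox name, subject and first target folder come from the text; the `Recovered_Items` folder name is an assumption, and the first step lists the “Discovery Management” members because that group can search any mailbox.

```powershell
# Added example for Exchange Management Shell (Exchange 2010).
# "hiteg", "company deal" and "Hiteg_Data_Recovered" come from the article;
# "Recovered_Items" is an assumed folder name for the copy back to the user.

$userMailbox = "hiteg"
$query       = 'Subject:"company deal"'

# 1. Review who is allowed to run discovery searches. Membership in this
#    role group gives access to the content of other users' mailboxes,
#    so it should be short and reviewed regularly.
Get-RoleGroupMember -Identity "Discovery Management" |
    Select-Object Name, RecipientType

# 2. Resolve the discovery mailbox instead of typing its display name.
$discovery = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox |
    Select-Object -First 1

# 3. Estimate first: reports how many items match without copying anything.
Search-Mailbox -Identity $userMailbox -SearchQuery $query -EstimateResultOnly

# 4. Copy the matching items (dumpster included) from the user's mailbox
#    into a folder of the discovery mailbox.
$toDiscovery = Search-Mailbox -Identity $userMailbox `
    -SearchQuery $query `
    -TargetMailbox $discovery.Identity `
    -TargetFolder "Hiteg_Data_Recovered"

# 5. Same command with source and target swapped: copy the recovered item
#    from the discovery mailbox back into the user's mailbox.
$toUser = Search-Mailbox -Identity $discovery.Identity `
    -SearchQuery $query `
    -TargetMailbox $userMailbox `
    -TargetFolder "Recovered_Items"

# 6. Compare both runs; the second count can be higher than the number of
#    emails you expected, as discussed above.
$toDiscovery, $toUser |
    Format-List Identity, TargetMailbox, TargetFolder, Success, ResultItemsCount, ResultItemsSize
```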
Let’s log in to the mailbox of HITEG and check whether the email has been recovered.
The above screen shot shows the search result summary and the below email was the actual email which was deleted.
Isn’t this wonderful!!! The administrator had to give just two commands and the email is back in the user’s mailbox.
Note: the above task can be performed through the Exchange Control Panel as well if one is not comfortable using the Exchange Management Shell.
Well…since I am done with recovering single item in exchange 2010, I would come up with another blog and another topic to discuss.
I hope this topic was helpful and you liked it. Please share your feedback and comments on this to improve on future blogs.
You can also reply to me at hiteg@microsoft.com if you have any queries or doubts.