This is part deux of the “Configuring Hosted Exchange 2007 using PowerShell” series. Part 1, which you can find here, covered deploying a new hosted domain. That new domain is fully segregated on the Exchange server with its own Address Lists, and its users log in with AD accounts under their own UPN. Part 2 covers creating a new mailbox after the hosted domain infrastructure has been created. This article builds somewhat on Part 1, so you may want to browse through that first. Let’s get started!
Our first line of code, like in Part 1, is our param() command. This captures input from the command line and passes that input into the script for configuring the new user. There are many, many configuration options for a new user in Exchange; the parameters listed here are just some of the ones I felt would be applicable in most scenarios and provide the ability to up-sell features. The parameters include:

```powershell
# $quota and $retention are numbers of megabytes and days; the four switches turn client features on
param($client, $domain, $user, $password, [int]$quota, [int]$retention, [switch]$OWA, [switch]$ActiveSync, [switch]$POP, [switch]$IMAP)
```
Once again, we will be using the Quest ActiveRoles Management Shell for Active Directory. This makes Active Directory manipulation much easier. This next line of code is where we load those cmdlets.

```powershell
Add-PSSnapin Quest.ActiveRoles.ADManagement
```
The next script block, once again, is string formation for the Canonical Name, the Distinguished Name, and the active Mailbox Server and CAS (Client Access Server). In addition to many of the strings formed in the Part 1 script, we are also building the SAM (Security Account Manager) string for the new Active Directory user account, building the quota string, calculating the quota warning, and building the warning string.

```powershell
# Backslash is not an escape character in PowerShell, so this is the address list "\<domain>" from Part 1
$AL = "\$domain"
$CN = "Home.com/Hosting/$client/$domain"
$UPN = $user + "@" + $domain
$USERCN = $CN + "/" + $UPN
$CLIENTDN = "OU=$domain,OU=$client,OU=HOSTING,DC=HOME,DC=COM"
$USERDN = "CN=" + $UPN + "," + $CLIENTDN
$GROUPDN = "CN=$domain" + "_Exchange_Group" + "," + $CLIENTDN
$MBSERVER = (Get-MailboxServer).Name
# Assumes a single mailbox database; with several, Get-MailboxDatabase returns an array
$database = (Get-MailboxDatabase).ServerName + "\" + (Get-MailboxDatabase).StorageGroupName + "\" + (Get-MailboxDatabase).Name
$SAM = $domain + $user
$quotainMB = "$quota" + "MB"
# 5% of the quota. IssueWarningQuota is an absolute size, so this warns once 5% of the
# quota is used; to warn when 5% remains, multiply by .95 instead
$warning = $quota * .05
$warninginMB = "$warning" + "MB"
```
The user’s SAM string has to be unique. A good check to put in at this point would be to query the domain and make sure that the SAM string does not already exist (if it does, the script will not be able to create the user). I didn’t take the time to put this failsafe in, but for a large environment it would be a good idea.

The SAM string has a 15 character limitation in length (this is an Active Directory limitation), so this next block uses the Remove method in PowerShell to trim down a SAM that is larger than 15 characters. This uses the logic that, if a SAM is larger than 15 characters, the last 15 characters SHOULD be unique since all usernames for a domain will be unique.

For instance, if your domain is ilovetoeatbacon.com and your user is Chuck, the SAM defined above will be ilovetoeatbacon.comChuck. Since the domain name itself is longer than 15 characters, if we simply limited the length of the SAM and cut off the end, the SAM would be ilovetoeatbacon (which would conflict with the next user created for that domain, as its SAM would be the same).

Instead we trim from the FRONT and keep the END: we remove characters 1 through 9, the count being the untrimmed SAM length, 24 characters, minus the last 15 characters that we want to keep (24 - 15 = 9). Therefore, the SAM after trimming changes from ilovetoeatbacon.comChuck to tbacon.comChuck (which doesn’t mean anything to the end user, but it satisfies our AD requirements).

```powershell
# Keep only the last 15 characters so the SAM fits the length limit described above
if ($SAM.Length -gt 15) { $SAM = $SAM.Remove(0, ($SAM.Length - 15)) }
```
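The uniqueness check described above, written out as an added example rather than code from the original script: it builds and trims the SAM the same way, then asks Active Directory (through the Quest cmdlets the script already loads) whether that sAMAccountName is taken. Because sAMAccountName must be unique across the one AD domain that hosts every customer, not just within a hosted mail domain, two long domain names with the same tail can collide after trimming, which is exactly what this check catches. The function name `New-HostedSam` and the 15 character limit are taken as assumptions, matching the article.

```powershell
# Added example: derive the SAM as the article's script does, trim it, and refuse to
# go on if that sAMAccountName already exists anywhere in Active Directory.
function New-HostedSam {
    param([string]$domain, [string]$user, [int]$maxLength = 15)

    $sam = $domain + $user
    if ($sam.Length -gt $maxLength) {
        # Keep the last $maxLength characters, as the article's script does
        $sam = $sam.Remove(0, $sam.Length - $maxLength)
    }

    # Get-QADUser returns nothing when no account matches; -SizeLimit 1 keeps the query cheap
    $existing = Get-QADUser -SamAccountName $sam -SizeLimit 1 -ErrorAction SilentlyContinue
    if ($existing) {
        throw "sAMAccountName '$sam' is already used by $($existing.DN); refusing to create $user@$domain"
    }
    return $sam
}

# Constructed illustration of the collision trimming can produce between two customers:
#   'ilovetoeatbacon.com' + 'Chuck' -> 'tbacon.comChuck'
#   'ihatetoeatbacon.com' + 'Chuck' -> 'tbacon.comChuck'   (same SAM, different hosted domain)
# Once the first account exists, the second call throws instead of letting New-QADUser fail later.
$SAM = New-HostedSam -domain $domain -user $user
```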
Next, we set some boolean values based on our input switches for the various mailbox features.

```powershell
if ($OWA)        { [Boolean]$OWA = $true }        else { [Boolean]$OWA = $false }
if ($ActiveSync) { [Boolean]$ActiveSync = $true } else { [Boolean]$ActiveSync = $false }
if ($POP)        { [Boolean]$POP = $true }        else { [Boolean]$POP = $false }
if ($IMAP)       { [Boolean]$IMAP = $true }       else { [Boolean]$IMAP = $false }
```
Now that all of the string formation, logic, and math has been done (we haven’t really done anything at this point), it’s time to make things happen. This next line of code uses the Quest ActiveRoles shell to create the actual user account. We pass in the name of the account, the UPN (which allows the user to log in with their hosted domain, zerodirection.com, instead of the host domain, 0direction.local), the parent container (the distinguished name of the customer’s OU), the user’s password, and the SAM name. We also add an attribute called mail that is set to the UPN.

```powershell
New-QADUser -Name $UPN -UserPrincipalName $UPN -ParentContainer $CLIENTDN -UserPassword $password -SamAccountName $SAM -DisplayName $user -ObjectAttributes @{mail=$UPN}
```
Now we add that user to the default Exchange group for the hosted domain.

```powershell
Add-QADGroupMember -Identity $GROUPDN -Member $USERDN
```
Now that the user has been created, added to the default group, and had the correct policies applied to it, we need to create the mailbox. We pass in the canonical name for the user, the alias (which we just define as the username), and the database (which was defined up top).

```powershell
# The alias must be unique across the whole Exchange organisation, not just this hosted domain
Enable-Mailbox -Identity $USERCN -Alias $user -Database $database
```
Now that the mailbox is created, we initiate an update for the email address policy, the address list, and the global address list (all of which we created in Part 1, and which “watch” the group that we just put this new user into). This is where the new user is actually put in the Address List and Global Address List and assigned an SMTP address.

```powershell
Update-EmailAddressPolicy -Identity $domain
Update-AddressList -Identity $AL
Update-GlobalAddressList -Identity $domain
```
At this point, we have a fully functional mailbox. However, the mailbox hasn’t been assigned to an Offline Address Book (so other users in that domain, when they download the OAB, will not see this user). Let’s set this user up on this hosted domain’s OAB.

```powershell
Get-User -Filter { UserPrincipalName -eq $UPN } | Set-Mailbox -OfflineAddressBook $domain
```
The user, as it sits right now, will be able to query the ENTIRE Exchange server for objects, which we don’t want, so we need to set this user’s base query location to the domain’s OU (so they only see other users and Address Lists in their domain).

```powershell
# msExchQueryBaseDN confines the user's address book lookups to the customer's OU
Set-QADObject $USERDN -ObjectAttributes @{msExchQueryBaseDN=$CLIENTDN}
```
This next script block has to do entirely with quotas, alerts, and retaining deleted items. In the first two lines, we disable the default settings, as we want to apply our own custom settings. Then, we set the prohibit limits (do not let the user send or receive mail if they have reached their quota). In the string formation block, we set our warning limit at .05 (5%) of the quota. We tell Exchange here to issue a warning when a user has reached 5% remaining of their quota. Lastly, we set the retention for deleted items (how long Exchange will hang on to deleted items before removing them).

```powershell
# Each line enumerates every mailbox to find this one; Set-Mailbox -Identity $UPN would address it directly
Get-Mailbox | Where-Object { $_.Name -eq $UPN } | Set-Mailbox -UseDatabaseQuotaDefaults $false
Get-Mailbox | Where-Object { $_.Name -eq $UPN } | Set-Mailbox -UseDatabaseRetentionDefaults $false
Get-Mailbox | Where-Object { $_.Name -eq $UPN } | Set-Mailbox -ProhibitSendQuota $quotainMB
Get-Mailbox | Where-Object { $_.Name -eq $UPN } | Set-Mailbox -ProhibitSendReceiveQuota $quotainMB
Get-Mailbox | Where-Object { $_.Name -eq $UPN } | Set-Mailbox -IssueWarningQuota $warninginMB
Get-Mailbox | Where-Object { $_.Name -eq $UPN } | Set-Mailbox -RetainDeletedItemsFor $retention   # days
```
In the last part of the script, we set mailbox features that were defined through switches in the input parameters. Here, we set whether the mailbox can use OWA, ActiveSync, POP, or IMAP. There are a few other options that are configurable; however, in my experience these are the options that could be labeled as premium options and hence would need to be enabled/disabled.

```powershell
Set-CASMailbox -Identity $UPN -OWAEnabled $OWA
Set-CASMailbox -Identity $UPN -ActiveSyncEnabled $ActiveSync
Set-CASMailbox -Identity $UPN -PopEnabled $POP
Set-CASMailbox -Identity $UPN -ImapEnabled $IMAP
```
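A read-back check to run once the script finishes, added here as an example and not part of the original post: it re-reads the mailbox, its CAS settings and the AD object, and lists every value that differs from what was requested, which is how you confirm the quotas took effect, the user is on the right OAB, lookups are confined to the customer OU, and no client feature is enabled that wasn’t paid for. The name `Test-HostedMailbox` is mine; it assumes the variables the script defines ($UPN, $USERDN, $CLIENTDN, $domain, $quota, $warning and the four switches), the Quest snap-in, and the Exchange 2007 property names shown.

```powershell
# Added example: read the provisioned mailbox back and return every setting that does
# not match what the script was asked for. An empty result means the mailbox is as intended.
function Test-HostedMailbox {
    param($UPN, $USERDN, $CLIENTDN, $domain, [int]$quota, [double]$warning,
          [bool]$OWA, [bool]$ActiveSync, [bool]$POP, [bool]$IMAP)

    $problems = @()
    $mbx = Get-Mailbox -Identity $UPN
    $cas = Get-CASMailbox -Identity $UPN
    $obj = Get-QADObject -Identity $USERDN -IncludedProperties msExchQueryBaseDN

    # Custom quotas only apply when the database defaults are switched off
    if ($mbx.UseDatabaseQuotaDefaults) { $problems += "UseDatabaseQuotaDefaults is still true" }

    # Quota properties are Unlimited<ByteQuantifiedSize>; compare them in megabytes
    foreach ($pair in @(@("ProhibitSendQuota", $quota), @("ProhibitSendReceiveQuota", $quota),
                        @("IssueWarningQuota", $warning))) {
        $name, $wantMB = $pair
        $actual = $mbx.$name
        if ($actual.IsUnlimited) { $problems += "$name is unlimited"; continue }
        if ($actual.Value.ToMB() -ne $wantMB) { $problems += "$name is $($actual.Value), wanted ${wantMB}MB" }
    }

    # Address-book scoping: this domain's OAB, and LDAP queries confined to the customer OU
    if ($mbx.OfflineAddressBook.Name -ne $domain) { $problems += "OfflineAddressBook is $($mbx.OfflineAddressBook)" }
    if ("$($obj.msExchQueryBaseDN)" -ne $CLIENTDN) { $problems += "msExchQueryBaseDN is not $CLIENTDN" }

    # Client features should be exactly the switches passed in, nothing extra
    $features = @{ OWAEnabled = $OWA; ActiveSyncEnabled = $ActiveSync; PopEnabled = $POP; ImapEnabled = $IMAP }
    foreach ($f in $features.Keys) {
        if ([bool]$cas.$f -ne $features[$f]) { $problems += "$f is $($cas.$f), wanted $($features[$f])" }
    }
    return $problems
}

# Usage with the variables the article's script defines
$issues = Test-HostedMailbox -UPN $UPN -USERDN $USERDN -CLIENTDN $CLIENTDN -domain $domain `
    -quota $quota -warning $warning -OWA $OWA -ActiveSync $ActiveSync -POP $POP -IMAP $IMAP
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { "Mailbox $UPN matches the requested configuration" }
```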
And BAM…you’ve got a mailbox with defined restrictions in place and a defined set of Exchange features. This user, as with the base hosted domain covered in Part 1, should be entirely secluded from the rest of the domains and users on the Exchange environment.
Tags: exchange, Hosting, powershell