Exchange 2007 - Exchange Management Shell - Exchange Management Console

Software Restriction through Group Policies

Posted by Nausherwan under Active Directory

If we want to restrict any software for usage through group policy.

1. Go to particular OU and right click on it and go into the Group policy properties.

2. Go to user configuration and click on Windows Settings —> Security Settings —->Software Restrictions.

3. In enforcement tab, we have to check all software files and All users except Local Administrator.

4. We have to define new path rule based policy.

5. Path will include that software installation path which you want to block. For e.g C:\Program Files\Microsoft Office. (What ever the software you want to block).

6. Close the Group policy console.

Exchange Server Remote Connectivity Analyzer

Posted by Usman under Uncategorized

Hey Guys,

Now You can test your exchange server online using the following website.

https://www.testexchangeconnectivity.com/

You can run the following tests.

Microsoft Exchange Server 2010 Beta Released

Posted by Usman under Exchange 2010

Microsoft Exchange Server 2010 Overview

http://www.microsoft.com/exchange/2010/en/us/overview.aspx

Microsoft Exchange Server 2010 Trial Software

http://www.microsoft.com/exchange/2010/en/us/trial-software.aspx

Hide all drives except Z drive using group policy

Posted by under Active Directory

By Default You can hide drives with following combination Using GPO !

• Restrict A, B, C and D drives only
• Restrict A, B and C drives only
• Restrict A and B drives only
• Restrict all drives
• Restrict C drive only
• Restrict D drive only
• Do not restrict drives

Now if you will setup home drive (Z:) for a user , that drive will be hide like others. To resolve this issue we can create custom ADM template to show only home drive.

Craete a Note Pad file and  rename it to  HideDrives.adm , Paste the following code into

CLASS USER

CATEGORY !!CustomizedSettings
CATEGORY !!WindowsExplorer
KEYNAME “Software\Microsoft\Windows\CurrentVersion\Policies\Explorer”
POLICY !!NoDrives
EXPLAIN !!NoDrives_Help
PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
VALUENAME “NoDrives”
ITEMLIST
NAME !!ABOnly VALUE NUMERIC 3
NAME !!COnly VALUE NUMERIC 4
NAME !!DOnly VALUE NUMERIC 8
NAME !!CDOnly VALUE NUMERIC 12
NAME !!ABConly VALUE NUMERIC 7
NAME !!ABCDOnly VALUE NUMERIC 15
NAME !!AllExceptZ VALUE NUMERIC 33554431
NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
; low 26 bits on (1 bit per drive)
NAME !!RestNoDrives VALUE NUMERIC 0
END ITEMLIST
END PART
END POLICY

POLICY !!NoViewOnDrive
EXPLAIN !!NoViewOnDrive_Help
PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
VALUENAME “NoViewOnDrive”
ITEMLIST
NAME !!ABOnly VALUE NUMERIC 3
NAME !!COnly VALUE NUMERIC 4
NAME !!DOnly VALUE NUMERIC 8
NAME !!CDOnly VALUE NUMERIC 12
NAME !!ABConly VALUE NUMERIC 7
NAME !!ABCDOnly VALUE NUMERIC 15
NAME !!AllExceptZ VALUE NUMERIC 33554431
NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
; low 26 bits on (1 bit per drive)
NAME !!RestNoDrives VALUE NUMERIC 0
END ITEMLIST
END PART
END POLICY

END CATEGORY ; !!WindowsExplorer

END CATEGORY ; !!CustomizedSettings

[STRINGS]
ABCDOnly=”Restrict drives A, B, C and D only”
ABConly=”Restrict drives A, B and C only”
ABOnly=”Restrict drives A and B only”
AllExceptZ=”Restrict all drives except Z”
ALLDrives=”Restrict all drives”
COnly=”Restrict drive C only”
DOnly=”Restrict drive D only”
CDOnly=”Restrict drives C and D only”
NoDrives=”Hide these drives in Explorer”
NoDrivesDropdown=”Choose one of the following combinations:”
NoDrives_Help=”*** Copy and paste this entry from %SYSTEMROOT%\inf\system.adm! ***”
NoViewOnDrive=”Restrict access to these drives”
NoViewOnDrive_Help=”*** Copy and paste this entry from %SYSTEMROOT%\inf\system.adm! ***”
RestNoDrives=”Do not restrict any drives”

CustomizedSettings=”Customized Settings”
WindowsExplorer=”Windows Explorer”

; Pattern to hide drives; convert the binary to decimal:
; zyxwvutsrqponmlkjihgfedcba
; 00000000000000000000001100

Now place this file to on your DC in following location.

C:\windows\inf

Open Group Policy Editor.

Administrative Templates->Right Clik->Add/Remove Templates.
Click add and select HideDrives.adm file

User Configuration –> Administrative Templates –> Customized Settings –> Windows Explorer
Hide these drives in explorer - Properties - Select Enable and Restrict all drives except Z from Combo box

How to change the default location of new user accounts and computers

Posted by under Active Directory

When you create a new user in active directory , new user account and computer put in predefined Active Directory OUs “Users” and “Computers”. DCPROMO put all newly user accounts in  “Users” AD container and all computers in “Computers” AD container.

The Users and Computers containers aren’t AD organizational units (OUs), so you can’t link OU-level Group Policy Objects (GPOs) to them. If you want to apply GPO on OUs level You must create new OUs for users and computer objects, it will make easier management of Active Directory. Its a good practise to change the default location of newly created users and computer objects. You can change the default when creating users using scripts, You can use Redirusr and Redircmp command-line utilities

Example:

Organizational Unit: usersou

Domain                  : Contoso.com

redirusr ou=usersou,dc=contoso,dc=com

Before executing this command , please make sure that “usersou” must exist in active directory.This command is only compatible with windows 2003 server , you cant execute in windows 2000 server and NT 4.0.

How to get Mailbox Size in Exchange 2007

Posted by under Exchange Management Shell

In Exchange 2007 , You can get mailbox size using different Exchange cmdlets ,

To get mailbox size for individual user. You can use following command

Get-MailboxStatistics -Identity UserSamAccountName

Here is Output.

AssociatedItemCount     : 71
DeletedItemCount          : 29
DisconnectDate             :
DisplayName                 : xxxxxxxxxxxx
ItemCount                     : 5485
LastLoggedOnUserAccount : Domain\UserName
LastLogoffTime          :
LastLogonTime           : 2/4/2009 9:23:02 AM
LegacyDN                : /O=xxxxx/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIB
3SPDLT)/CN=RECIPIENTS/CN=xxxx
MailboxGuid             : f291a2e9-e123-4f2a-be4d-ec0349c54a10
ObjectClass             : Mailbox
StorageLimitStatus      : BelowLimit
TotalDeletedItemSize    : 2205239B
TotalItemSize           : 463667583B
Database                : xxxxx\xxxxx\xxxxxx
ServerName              : xxxxxx
StorageGroupName        : xxxxxx
DatabaseName            : xxxxxxx
Identity                : f291a2e9-e123-4f2a-be4d-ec0349c54a10
IsValid                 : True
OriginatingServer       : xxxxxx.xxx.xxx

You can see the size of mailbox in bytes , You can convert in Megabytes or Gbs

To Get Mailbox size for multiple mailboxes , You can use the following Powershell cmdlet.

Get-MailboxStatistics |where {$_.TotalItemSize -gt 100MB} | sort $_.TotalItemSize |FT DisplayName,ItemCount,TotalItemSize >c:\size.txt

The above command will create a file with output containing all users accounts having mailbox size greater than 100MB.

How to assign Domain Joining rights to a normal user

Posted by under Active Directory

In active directory by default “Account Operators” have domain joining  rights to workstation but if you dont want to add a user in “Account Operator” group then you can assign domain joinging rights to a normal user with following procedure.

1. Click Start, click Run, type dsa.msc, and then click OK.
2. In the task pane, expand the domain node.
3. Locate and right-click the OU that you want to modify, and then click
Delegate Control.
4. In the Delegation of Control Wizard, click Next.
5. Click Add to add a specific user or a specific group to the Selected users
and groups list, and then click Next.
6. In the Tasks to Delegate page, click Create a custom task to delegate,
and then click Next.
7. Click Only the following objects in the folder, and then from the list,
click to select the following check boxes: . Computer objects
. Create selected objects in this folder
. Delete selected objects in this folder

8. Click Next.
9. In the Permissions list, click to select the following check boxes:. Reset
Password
. Validated write to DNS host name
. Read and write Account Restrictions
. Validated write to service principal name

10. Click Next, and then click Finish.
11. Close the “Active Directory Users and Computers” MMC snap-in.

How to find out current Schema Version of Active Directory

Posted by under Active Directory

We can find out current schema version of active directory using following two methods

1- AdsiEdit.Msc

Navigate to:

“CN=Schema,CN=Configuration,DC=domain,DC=local“

and you can find current “objectVersion” attribute.

2-  DsQuery Command Line

“dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion“

Here is ObjectVersion of Active Directory Schema.

13 -> Windows 2000 Server
30 -> Windows Server 2003 RTM, Windows 2003 With Service Pack 1, Windows 2003 With Service Pack 2
31 -> Windows Server 2003 R2
44 -> Windows Server 2008 RTM

How to Create a Room Mailbox for Manual Approval.

Posted by under Exchange Management Shell

1- Create a Room Mailbox Using Exchange Management Console

When you create a Room Mailbox , You will find that associated user will disable in Active directory , so   you will not able to access OWA for Room Mailbox , You have to assign permissions to an account to manage

2- To assign permissions on a Room Mailbox to owner , You can use the following cmdlet.

Add-MailboxPermission -Identity “Meeting Room Name” -User UserSamAccount -AccessRights FullAccess -InheritanceType All

3- Logon to Room Mailbox owner’s OWA  and Open Room Mailbox OWA , Click Option and then Resource Settings .select  the following Options.

Selected:  Automatically process meeting requests and cancellations
These users can schedule automatically if the resource is available:
Everyone
Selected:  Select Users and Groups:

These users can submit a request for manual approval if the resource is available:
Selected:  Everyone
Select Users and Groups:

These users can schedule automatically if the resource is available and can submit a request for    manual approval if the resource is unavailable:
Everyone
Selected:  Select Users and Groups:

For requests requiring approval:
Selected:  Always forward to delegates
Selected:  Always tentatively accept these requests

4- After these steps , Run the following command.

Set-MailboxCalendarSettings -Identity <MailboxIdParameter> [-AllRequestInPolicy <$true | $false>]  [-RequestInPolicy <RecipientIdParameter[]>]

Example :

Set-MailboxCalendarSettings -Identity “Meeting Room Name” -AllRequestInPolicy $true -RequestInPolicy UserSamAccount

5- Last and Final step to view output using Exchange Management Shell.

[PS] D:\>get-mailboxcalendarsettings -identity MeetingRoomName | fl

AutomateProcessing                           : AutoAccept
AllowConflicts                                    : False
BookingWindowInDays                       : 180
MaximumDurationInMinutes              : 1440
AllowRecurringMeetings                     : True
EnforceSchedulingHorizon                 : True
ScheduleOnlyDuringWorkHours         : False
ConflictPercentageAllowed                 : 0
MaximumConflictInstances                : 0
ForwardRequestsToDelegates             : True
DeleteAttachments                             : True
DeleteComments                                : True
RemovePrivateProperty                       : True
DeleteSubject                                     : True
DisableReminders                              : True
AddOrganizerToSubject                     : True
DeleteNonCalendarItems                   : True
TentativePendingApproval                 : True
EnableResponseDetails                      : True
OrganizerInfo                                     : True
ResourceDelegates                            : {User UserSamAccount}
RequestOutOfPolicy                           :
AllRequestOutOfPolicy                       : False
BookInPolicy                                      :
AllBookInPolicy                                  : False
RequestInPolicy                                 : {User UserSamAccount}
AllRequestInPolicy                             : True
AddAdditionalResponse                    : False
AdditionalResponse                          : <DIV><FONT size=2 face=Tahoma></FONT></DI
V>
RemoveOldMeetingMessages            : True
AddNewRequestsTentatively             : True
ProcessExternalMeetingMessages      : False
DefaultReminderTime                        : 15
RemoveForwardedMeetingNotifications : False
Identity                                                  : Domain/Users/Test Room

Note: UserSamAccount is a NT Login ID of  Room Mailbox Owner

Meeting Room Name is NT Login ID of Room Mailbox

How to assign ownership rights on Distribution Group

Posted by Usman under Exchange Management Shell

You can use following cmdlet to assign ownership rights on distribution groups.

Add-AdPermission -identity “Group Name” -User “User’s SamAccountname” -AccessRights WriteProperty -Properties “Member”

-identity : Group display name instead of email id of group
-User : User’s samaccount name

Example :

Add-AdPermission -identity “New Group” -User “Ali” -AccessRights WriteProperty -Properties “Member”

In above example , User Ali will get full rights to add/remove members from distribution through Global Address Book.