One of the things that has changed drastically with Exchange Server 2007 is the way in which you manage recipients (or user mailboxes as they are called in Exchange 2007). As most of us are aware, recipients were managed via the Active Directory Users and Computers (ADUC) MMC snap-in back in Exchange 2000 and 2003. With Exchange 2007, however, the recipient management tasks have been integrated back into the Exchange Management Console and removed from ADUC! (This means things look like they did prior to Exchange Server 2000.) In addition to performing the recipient tasks using the Exchange Management Console, you of course also have the option of using the Exchange Management Shell, which is perfectly suited for performing bulk user changes, typically using one-liners (single-line commands).
Now that Exchange Server 2007 Service Pack 1 has finally been released, you can do more bulk user management from within the Exchange Management Console than was the case in the Exchange 2007 RTM version. See my previous Exchange 2007 SP1 Management improvements articles here on MSExchange.org for additional information on this topic.
So why did the Exchange Product group move away from extending and using the Active Directory Users and Computers (ADUC) MMC snap-in in order to manage recipients in Exchange 2007? Well, there are a couple of important reasons. The group wanted to attack the cost of managing recipients by introducing automation. This automation has been introduced via PowerShell cmdlets which, as mentioned, really shine when it comes to bulk user changes. They also wanted to truly support the split-permissions model, making it possible for an Exchange Administrator to do any relevant Exchange tasks from within a single console – the Exchange Management Console. But unfortunately this is only true for Exchange-specific tasks. What about all the other things we need to manage when it comes to AD objects? It could be very interesting if all the other product groups followed the same strategy as the Exchange product group. Soon we would end up with loads of consoles. Ahem! Okay enough, let’s get back to the serious tone again, shall we?
Another goal was to simplify the management of the Global Address List (GAL) and recipient types from within the Exchange Management Console. This goal was accomplished as only the objects and attributes that pertain to Exchange are shown in this console. Finally, the Exchange Product group wanted to have explicit recipient types instead of implicit ones. Exchange Server 2007 has a total of 14 different explicit recipient types, all having their own individual icon and recipient type details, lowering the overall administrative burden.
Let me be honest and say there has been a lot of hype on the Internet about whether moving the management of recipients to the Exchange Management Console was a good idea or not. During the Exchange 2007 Technology Adoption Program (TAP) and the Rapid Deployment Program (RDP), many Exchange Administrators, as well as independent consultants, expressed their opinion about this move. The majority of them thought it was a bad decision primarily because it leads to huge retraining costs (for service desk etc.), and means you suddenly have to administer users using two different consoles, the ADUC snap-in and the EMC. I think the overall concern is valid but, at the same time, kind of understand the Exchange Product group’s decision to make the move. Since the group has no intention of changing this anytime soon, we’ll have to live with it for now.
Creating a Basic Exchange 2007 Recipient Management Console for the Service Desk
Depending on the specific Enterprise organization you work for (or work with as an Exchange consultant), there may be times when you’re required to create a custom Exchange 2007 Management Console which, for instance, only shows the Recipient Configuration work center node. This is especially true in situations where you have a service desk that is used to having a customized ADUC console snap-in that provided the respective organizational units (OUs) holding the Exchange user objects they were to administer. After the transition to Exchange 2007, it would be a little too drastic to let the service desk have the full-blown Exchange Management Console at their disposal, right?
To create a custom Exchange Recipient Management Console that exposes only the Recipient Configuration work center node with a scoped-down number of user mailboxes, first click Start, type MMC.exe and hit Enter. This will bring up an empty MMC console as shown in Figure 1 below. Click File in the menu, then Add/Remove Snap-in.
Figure 1: Empty MMC
In the Add/Remove Snap-in window click Add, then scroll down and select the Exchange Server 2007 snap-in as shown in Figure 2. Click Add, again, then Close and finally OK.
Figure 2: Adding the Exchange Server 2007 Snap-in
Expand the Microsoft Exchange tree and right-click on the Recipient Configuration work center node, selecting New Window from Here in the context menu, as shown in Figure 3.
Figure 3: Opening the Recipient Configuration work center node in a new Window
We now have a basic Exchange 2007 Recipient Management snap-in as you can see in Figure 4, but honestly we can’t keep it this simple, right? We need to make it more functional.
Figure 4: Recipient Configuration Console
The first thing you want to do is to enable the Action pane in addition to removing the Standard menus and Standard toolbar, as these aren’t required by Exchange 2007. To do so, click View | Customize and de-select Standard menus (Action and View) and Standard toolbar. Lastly, select Action pane, and click OK (Figure 5).
Figure 5: Customizing the view of the Recipient Management Console
Let’s spiff up the console a little more before we save it. To do so, click File | Options; in the Options window, replace Console1 with the text Exchange 2007 Recipient Management. Now click the Change Icon button and navigate to the Bin directory under the C:\Program Files\Microsoft\Exchange Server folder. Here you can select the ExSetupUI.exe file, click Open, and you have the option of choosing the Exchange 2007 icon shown in Figure 6. Do so and click Apply.
Figure 6: Changing the Console icon
Now select User mode – limited access, single window in the Console mode drop down menu as shown in Figure 7. Lastly, de-select the Allow the user to customize views option, and click OK.
Figure 7: Naming the console and changing the default options
You can now save the console by clicking File > Save As. Save the console as Exchange 2007 Recipient Management Console.msc and answer Yes to the message shown in Figure 8.
Figure 8: MMC Change verification
Now close the console and re-open it from where it was saved. It should now look similar to the one shown in Figure 9.
Figure 9: New Recipient Management Console finished
That looks much better.
You can also create isolated Management Consoles holding the Organization Configuration, Server Configuration or the Toolbox work center node. You can do this by following the same steps, but opening the new console window by right-clicking the respective work center node instead. If you have both the Exchange 2007 Tools and the Windows AdminPak installed on a server or workstation, or have installed the Exchange 2007 Management Tools directly on a Domain Controller, you can even create a single console with access to both the ADUC snap-in and the Exchange 2007 Management Console as shown in Figure 10.
Figure 10: Exchange and Active Directory Management Console
Note that if you have multiple service desks (e.g. one per country) and you only want a service desk to be able to manage User Mailboxes, Mail Users, Mail Contacts and Distribution Groups located beneath a particular organizational unit (OU), you can use Recipient scopes for this purpose. Let’s say the service desk personnel responsible for Exchange user management in Denmark should only be able to manage objects located beneath an OU named DK. We could do so by first selecting the Recipient Configuration work center node and then clicking Modify Recipient Scope in the Action pane. This will open the window shown in Figure 11.
Figure 11: Recipient Scope options
Under View all recipients in specified organizational unit > Organizational Unit, click Browse. We can now select the respective OU (Figure 12), which in this case was DK, and click OK twice.
Figure 12: Selecting the default Organizational Unit
Now only the Exchange objects in the DK OU are listed when managing recipients under the Recipient Configuration work center node. In addition, when creating new Exchange recipients, the respective wizard will, by default, be set to create the object in that OU, as you can see in Figure 13.
Figure 13: Preset Organizational Unit
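Also remember to restrict the permissions on the respective OU by using the Delegate Control option, which can be found on the context menu when right-clicking an OU in the ADUC snap-in. The recipient scope and the limited-access console mode only control what the console displays; what the service desk accounts can actually change is determined by their Active Directory permissions.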
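To check that the delegation really matches the DK recipient scope, the ACL on the OU can be reviewed from the Exchange Management Shell. The script below is an added example, not part of the original article; the domain name and the service desk group name are placeholders you must replace with your own.

```powershell
# Run in the Exchange Management Shell on a machine with the Exchange 2007 tools.
# Placeholders (assumptions, not values from the article):
$domainDN  = 'DC=example,DC=local'        # placeholder domain
$scopedOU  = "OU=DK,$domainDN"            # the DK OU used in the article
$deskGroup = 'EXAMPLE\DK-ServiceDesk'     # hypothetical service desk group

# Return the allow ACEs that name the service desk group on one AD object.
function Get-DeskAce([string]$dn) {
    Get-ADPermission -Identity $dn | Where-Object {
        $_.User.ToString() -eq $deskGroup -and -not $_.Deny
    }
}

# 1. What was delegated on the DK OU itself (explicit, not inherited, ACEs).
$onOu = @(Get-DeskAce $scopedOU | Where-Object { -not $_.IsInherited })
$onOu | Format-Table User, AccessRights, Properties, ChildObjectTypes -AutoSize

# 2. Rights that let the group change security or take ownership of objects
#    are broader than recipient management needs.
$broad = @($onOu | Where-Object {
    "$($_.AccessRights)" -match 'GenericAll|WriteDacl|WriteOwner'
})

# 3. An ACE at the domain root is inherited by every OU, regardless of
#    the recipient scope configured in the console.
$onRoot = @(Get-DeskAce $domainDN)

if ($onOu.Count -eq 0)   { Write-Warning "No explicit delegation found on $scopedOU" }
if ($broad.Count -gt 0)  { Write-Warning "Broad rights on $scopedOU; review the delegation" }
if ($onRoot.Count -gt 0) { Write-Warning "Group holds rights at $domainDN, outside the DK OU" }
```

No warnings and a short list of ACEs on the DK OU means the group's rights are confined to the OU the console is scoped to.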
That was all I had to share with you in this article, but it doesn’t stop here. In the near future, I’ll also do a video showing you how to create the ultimate Exchange Management console for the true Exchange 2007 guru.