Exchange 2007
Introducing: Log Parser Studio
To download the Log Parser Studio, please see the attachment on this blog post.

Anyone who regularly uses Log Parser 2.2 knows just how useful and powerful it can be for obtaining valuable information from IIS (Internet Information Server) and other logs. In addition, adding the power of SQL allows explicit searching of gigabytes of logs returning only the data that is needed while filtering out the noise. The only thing missing is a great graphical user interface (GUI) to function as a front-end to Log Parser and a ‘Query Library’ in order to manage all those great queries and scripts that one builds up over time.

Log Parser Studio was created to fulfill this need by allowing those who use Log Parser 2.2 (and even those who don’t due to lack of an interface) to work faster and more efficiently to get to the data they need with less “fiddling” with scripts and folders full of queries.

With Log Parser Studio (LPS for short) we can house all of our queries in a central location. We can edit and create new queries in the ‘Query Editor’ and save them for later. We can search for queries using free text search as well as export and import both libraries and queries in different formats, allowing for easy collaboration as well as storing multiple types of separate libraries for different protocols.

Processing Logs for Exchange Protocols

We all know this very well: processing logs for different Exchange protocols is a time-consuming task. In the absence of special purpose tools, it becomes a tedious task for an Exchange Administrator to sift through those logs and process them using Log Parser (or some other tool), if output format is important. You also need expertise in writing those SQL queries. You can also use special purpose scripts that one can find on the web and then analyze the output to make some sense out of those lengthy logs. Log Parser Studio is mainly designed for quick and easy processing of different logs for Exchange protocols.
Once you launch it, you’ll notice tabs for different Exchange protocols, i.e. Microsoft Exchange ActiveSync (MAS), Exchange Web Services (EWS), Outlook Web App (OWA/HTTP) and others. Under those tabs there are tens of SQL queries written for specific purposes (description and other particulars of a query are also available in the main UI), which can be run by just one click!

Let’s get into the specifics of some of the cool features of Log Parser Studio …

Query Library and Management

Upon launching LPS, the first thing you will see is the Query Library preloaded with queries. This is where we manage all of our queries. The library is always available by clicking on the Library tab. You can load a query for review or execution using several methods. The easiest method is to simply select the query in the list and double-click it. Upon doing so the query will auto-open in its own Query tab. The Query Library is home base for queries. All queries maintained by LPS are stored in this library. There are easy controls to quickly locate desired queries & mark them as favorites for quick access later.

Library Recovery

The initial library that ships with LPS is embedded in the application and created upon install. If you ever delete, corrupt or lose the library you can easily reset back to the original by using the recover library feature (Options | Recover Library). When recovering the library all existing queries will be deleted. If you have custom/modified queries that you do not want to lose, you should export those first, then after recovering the default set of queries, you can merge them back into LPS.

Import/Export

Depending on your need, the entire library or subsets of the library can be imported and exported either as the default LPS XML format or as SQL queries. For example, if you have a folder full of Log Parser SQL queries, you can import some or all of them into LPS’s library.
Usually, the only thing you will need to do after the import is make a few adjustments. All LPS needs is the base SQL query and to swap out the filename references with ‘[LOGFILEPATH]’ and/or ‘[OUTFILEPATH]’ as discussed in detail in the PDF manual included with the tool (you can access it via LPS | Help | Documentation).

Queries

Remember that a well-written structured query makes all the difference between a successful query that returns the concise information you need vs. a subpar query which taxes your system, returns much more information than you actually need and in some cases crashes the application. The art of creating great SQL/Log Parser queries is outside the scope of this post; however, all of the queries included with LPS have been written to achieve the most concise results while returning the fewest records. Knowing what you want and how to get it with the least number of rows returned is the key!

Batch Jobs and Multithreading

You’ll find that LPS in combination with Log Parser 2.2 is a very powerful tool. However, if all you could do was run a single query at a time and wait for the results, you probably wouldn’t be making nearly as much progress as you could be. For this reason, LPS contains both batch jobs and multithreaded queries.

A batch job is simply a collection of predefined queries that can all be executed with the press of a single button. From within the Batch Manager you can remove any single or all queries as well as execute them. You can also execute them by clicking the Run Multiple Queries button or the Execute button in the Batch Manager. Upon execution, LPS will prepare and execute each query in the batch. By default LPS will send ALL queries to Log Parser 2.2 as soon as each is prepared. This is where multithreading works in our favor.
For example, if we have 50 queries set up as a batch job and execute the job, we’ll have 50 threads in the background all working with Log Parser simultaneously, leaving the user free to work with other queries. As each job finishes, the results are passed back to the grid or the CSV output based on the query type. Even in this scenario you can continue to work with other queries, search, modify and execute. As each query completes, its thread is retired and its resources freed. These threads are managed very efficiently in the background so there should be no issue running multiple queries at once.

Now what if we did want the queries in the batch to run sequentially, one after another, for performance or other reasons? This functionality is already built into LPS’s options. Just make the change in LPS | Options | Preferences by checking the ‘Process Batch Queries in Sequence’ checkbox. When checked, the first query in the batch is executed and the next query will not begin until the first one is complete. This process will continue until the last query in the batch has been executed.

Automation

In conjunction with batch jobs, automation allows unattended scheduled execution of batch jobs. For example, we can create a scheduled task that will automatically run a chosen batch job which also operates on a separate set of custom folders. This process requires two components, a folder list file (.FLD) and a batch list file (.XML). We create these ahead of time from within LPS. For more details on how to do that, please refer to the manual.

Charts

Many queries that return data to the Result Grid can be charted using the built-in charting feature. The basic requirements for charts are the same as Log Parser 2.2, i.e.

1. The first column in the grid may be any data type (string, number etc.)
2. The second column must be some type of number (Integer, Double, Decimal). Strings are not allowed.

Keep the above requirements in mind when creating your own queries so that you will consciously write the query to include a number for column two. To generate a chart, click the chart button after a query has completed. For #2 above, even if you forgot to do so, you can drag any numbered column and drop it in the second column after the fact. This way, if you have multiple numbered columns, you can simply drag the one that you’re interested in into the second column and generate different charts from the same data. Again, for more details on the charting feature, please refer to the manual.

Keyboard Shortcuts/Commands

There are multiple keyboard shortcuts built into LPS. You can view the list anytime while using LPS by clicking LPS | Help | Keyboard Shortcuts. The currently included shortcuts are as follows:

Shortcut      What it does
CTRL+N        Start a new query.
CTRL+S        Save active query in library or query tab depending on which has focus.
CTRL+Q        Open library window.
CTRL+B        Add selected query in library to batch.
ALT+B         Open Batch Manager.
CTRL+B        Add the selected queries to batch.
CTRL+D        Duplicates the current active query to a new tab.
CTRL+ALT+E    Open the error log if one exists.
CTRL+E        Export current selected query results to CSV.
ALT+F         Add selected query in library to the favorites list.
CTRL+ALT+L    Open the raw Library in the first available text editor.
CTRL+F5       Reload the Library from disk.
F5            Execute active query.
F2            Edit name/description of currently selected query in the Library.
F3            Display the list of IIS fields.

Supported Input and Output types

Log Parser 2.2 has the ability to query multiple types of logs. Since LPS is a work in progress, only the most used types are currently available. Additional input and output types will be added when possible in upcoming versions or updates.
Supported Input Types

Full support for W3SVC/IIS, CSV, HTTP Error and basic support for all built-in Log Parser 2.2 input formats. In addition, there are some custom-written LPS formats, such as Microsoft Exchange specific formats, that are not available with the default Log Parser 2.2 install.

Supported Output Types

CSV and TXT are the currently supported output file types.

Log Parser Studio - Quick Start Guide

Want to skip all the details & just run some queries right now? Start here …

The very first thing Log Parser Studio needs to know is where the log files are, and the default location where you would like any queries that export their results as CSV files to be saved.

1. Set up your default CSV output path:
   a. Go to LPS | Options | Preferences | Default Output Path.
   b. Browse to and select the folder you would like to use for exported results.
   c. Click Apply.
   d. Any queries that export CSV files will now be saved in this folder.

NOTE: If you forget to set this path before you start, the CSV files will be saved in %AppData%\Microsoft\Log Parser Studio by default, but it is recommended that you move this to another location.

2. Tell LPS where the log files are by opening the Log File Manager. If you try to run a query before completing this step, LPS will prompt and ask you to set the log path. Upon clicking OK on that prompt, you are presented with the Log File Manager. Click Add Folder to add a folder or Add File to add a single or multiple files. When adding a folder you still must select at least one file so LPS will know which type of log we are working with. When doing so, LPS will automatically turn this into a wildcard (*.xxx), indicating that all matching logs in the folder will be searched.

You can easily tell which folder or files are currently being searched by examining the status bar at the bottom-right of Log Parser Studio. To see the full path, roll your mouse over the status bar.
NOTE: LPS and Log Parser handle multiple types of logs and objects that can be queried. It is important to remember that the type of log you are querying must match the query you are performing. In other words, when running a query that expects IIS logs, only IIS logs should be selected in the File Manager. Failure to do this (it’s easy to forget) will result in errors or unexpected behavior when running the query.

3. Choose a query from the library and run it:
   a. Click the Library tab if it isn’t already selected.
   b. Choose a query in the list and double-click it. This will open the query in its own tab.
   c. Click the Run Single Query button to execute the query.

The query execution will begin in the background. Once the query has completed there are two possible output targets: the result grid in the top half of the query tab or a CSV file. Some queries return to the grid while other more memory-intensive queries are saved to CSV.

As a general rule, queries that may return very large result sets are probably best served going to a CSV file for further processing in Excel. Once you have the results there are many features for working with those results. For more details, please refer to the manual.

Have fun with Log Parser Studio! & always remember – There’s a query for that!

Kary Wall
Escalation Engineer
Microsoft Exchange Support

How to Export and Import mailboxes to PST files in Exchange 2007 SP1
There might be times when an Exchange Administrator will need to export the contents of individual mailboxes to offline files in order to present specific users with a format that is easily portable and ready to consume using Outlook clients. To fulfill this need Exchange 2007 SP1 will have a new set of features to export and import mailboxes to and from PST files. As I know you will ask - yes, those PST files can be bigger than 2 GB, which was a limitation of the Exmerge tool used for this purpose in previous versions of Exchange.

Export/Import to PST Requirements

In order to export or import mailboxes to PST files the following requirements must be met:

- Export/Import to PST must be run from a 32-bit client machine with Exchange Management Tools installed (Version Exchange 2007 SP1 or later). The 32-bit requirement comes from a dependency on the Outlook client.
- Either Outlook 2003 or Outlook 2007 must be installed on the client machine.
- The user running the task must be an Exchange Organization Admin or an Exchange Server Admin on the server where the mailbox to export/import lives.

Exporting mailboxes to PST files

The most basic cmdlet to export a mailbox to a PST file is as follows:

    Export-Mailbox -Identity <mailboxUser> -PSTFolderPath <pathToSavePST>

PSTFolderPath must be a full path pointing either to a directory or to a (.pst) file. If a directory is specified, a PST file named after the mailbox alias will be used as the target of the export. Note that if the PST file already exists the contents of the mailbox will be merged into it.

Example:

After the cmdlet finishes execution, the .pst file will be ready in the specified location:

To export multiple mailboxes to their respective .pst files at once you can pipe in the identities of those mailboxes to the export task. Notice that when bulk exporting, the PSTFolderPath parameter must point to a directory since one .pst file will be created for each mailbox.
Example:

    Get-Mailbox -Database 'MDB' | Export-Mailbox -PSTFolderPath D:\PSTs

Importing mailboxes from PST files

The process for importing mailbox contents from a PST file is quite similar:

    Import-Mailbox -Identity <mailboxUser> -PSTFolderPath <PSTFileLocation>

Again, PSTFolderPath must be the full path to the directory where the .pst file lives or to the (.pst) file itself. In the case where PSTFolderPath points to a directory, the cmdlet will try to match the mailbox alias with the name of an existing .pst file in the specified directory and import the content of that file.

Example:

Just as with the export to PST scenario, when bulk importing mailboxes the PSTFolderPath must point to a directory and the task logic will try to match each mailbox alias with the .pst file names under that location. If no match is found for a particular mailbox, that mailbox will be skipped.

Example:

    Get-Mailbox -Database 'MDB' | Import-Mailbox -PSTFolderPath D:\PSTs

Filtering content in Export/Import to PST

When only specific content is desired in the PST file (or back into the mailbox) a common set of filters can be used to leave out the rest of the messages. Export/Import to PST support the following filters: Locale, StartDate, EndDate, ContentKeywords, SubjectKeywords, AttachmentFileNames, AllContentKeywords, SenderKeywords, and RecipientKeywords.

Example: Import only those messages that were created between 1/1/06 and 12/1/06 and contain the word "review" in the subject and any of the words {"project","alpha"} in the body.

    Import-Mailbox -Identity ricardr -PSTFolderPath D:\PSTs -StartDate 1/1/06 -EndDate 12/1/06 -SubjectKeywords:'review' -ContentKeywords:'project','alpha'

Now, we realize that you would like to try this today, but please be patient!

- Ricardo Rosales Guerrero

Allowing application servers to relay off Exchange Server 2007
From time to time, you need to allow an application server to relay off of your Exchange server. You might need to do this if you have a SharePoint server, a CRM application like Dynamics, or a web site that sends emails to your employees or customers. You might need to do this if you are getting the SMTP error message "550 5.7.1 Unable to relay".

The top rule is that you want to keep relay restricted as tightly as possible, even on servers that are not connected to the Internet. Usually this is done with authentication and/or restricting by IP address. Exchange 2003 provides the following relay restrictions on the SMTP VS:

Here are the equivalent options for how to configure this in Exchange 2007.

Allow all computers which successfully authenticate to relay, regardless of the list above

Like its predecessor, Exchange 2007 is configured to accept and relay email from hosts that authenticate by default. Both the "Default" and "Client" receive connectors are configured this way out of the box. Authenticating is the simplest method to submit messages, and preferred in many cases.

The Permissions Group that allows authenticated users to submit and relay is the "ExchangeUsers" group. The permissions that are granted with this permissions group are:

    NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Submit}
    NT AUTHORITY\Authenticated Users {ms-Exch-Accept-Headers-Routing}
    NT AUTHORITY\Authenticated Users {ms-Exch-Bypass-Anti-Spam}
    NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Accept-Any-Recipient}

The specific ACL that controls relay is the ms-Exch-SMTP-Accept-Any-Recipient.

Only the list below (specify IP address)

This option is for those who cannot authenticate with Exchange. The most common example of this is an application server that needs to be able to relay messages through Exchange.

First, start with a new custom receive connector. You can think of receive connectors as protocol listeners. The closest equivalent to Exchange 2003 is an SMTP Virtual Server.
You must create a new one because you will want to scope the remote IP address(es) that you will allow.

The next screen you must pay particular attention to is the "Remote Network settings". This is where you will specify the IP ranges of servers that will be allowed to submit mail. You definitely want to restrict this range down as much as you can. In this case, I want my two web servers, 192.168.2.55 & 192.168.2.56, to be allowed to relay.

The next step is to create the connector, and open the properties. Now you have two options, which I will present. The first option will probably be the most common.

Option 1: Make your new scoped connector an Externally Secured connector

This option is the most common option, and preferred in most situations where the application that is submitting will be submitting email to your internal users as well as relaying to the outside world.

Before you can perform this step, it is required that you enable the Exchange Servers permission group. Once in the properties, go to the Permissions Groups tab and select Exchange servers.

Next, continue to the authentication mechanisms page and add the "Externally secured" mechanism. This means that you are declaring complete trust in the previously designated IP addresses on behalf of your organization.

Caveat: If you do not perform these two steps in order, the GUI blocks you from continuing.

Do not use this setting lightly. You will be granting several rights including the ability to send on behalf of users in your organization, the ability to ResolveP2 (that is, make it so that the messages appear to be sent from within the organization rather than anonymously), bypass anti-spam, and bypass size limits.
The default "Externally Secured" permissions are as follows:

    MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authoritative-Domain}
    MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Anti-Spam}
    MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Message-Size-Limit}
    MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Exch50}
    MS Exchange\Externally Secured Servers {ms-Exch-Accept-Headers-Routing}
    MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Submit}
    MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Recipient}
    MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authentication-Flag}
    MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Sender}

Basically you are telling Exchange to ignore internal security checks because you trust these servers. The nice thing about this option is that it is simple and grants the common rights that most people probably want.

Option 2: Grant the relay permission to Anonymous on your new scoped connector

This option grants the minimum amount of required privileges to the submitting application.

Taking the new scoped connector that you created, you have another option. You can simply grant the ms-Exch-SMTP-Accept-Any-Recipient permission to the anonymous account. Do this by first adding the Anonymous Permissions Group to the connector. This grants the most common permissions to the anonymous account, but it does not grant the relay permission. This step must be done through the Exchange shell:

    Get-ReceiveConnector "CRM Application" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

In addition to being more difficult to complete, this step does not allow the anonymous account to bypass anti-spam, or ResolveP2.

Although it is completely different from the Exchange 2003 way of doing things, hopefully you find the new SMTP permissions model to be sensible.
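An audit check for the two relay options described above, as an added example that is not part of the original post. Get-RelayFinding, New-Finding, New-Ace and the sample connectors are hypothetical names and constructed data; the example assumes PowerShell 2.0 or later and that ranges and rights appear as the strings shown on this page.

```powershell
# Added example: flag receive connectors whose relay rights are broader than intended.
# Runs offline on the constructed sample data at the bottom.

function New-Finding($Connector, $Severity, $Detail) {
    New-Object PSObject -Property @{ Connector = $Connector; Severity = $Severity; Detail = $Detail }
}

function Get-RelayFinding {
    param(
        [string]   $Name,            # receive connector name
        [string[]] $RemoteIPRanges,  # ranges as strings, e.g. '192.168.2.55'
        [string]   $AuthMechanism,   # e.g. 'Tls, ExternalAuthoritative'
        [object[]] $Aces             # objects with User, ExtendedRights, Deny
    )

    # A connector that accepts the whole IPv4 space is not scoped at all.
    $unscoped = @($RemoteIPRanges |
        Where-Object { $_ -eq '0.0.0.0-255.255.255.255' }).Count -gt 0

    # Option 2 on the page: the relay right granted to the anonymous account.
    $anonRelay = @($Aces | Where-Object {
        -not $_.Deny -and
        "$($_.User)" -eq 'NT AUTHORITY\ANONYMOUS LOGON' -and
        ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient')
    }).Count -gt 0

    # Option 1 on the page: the Externally Secured authentication mechanism.
    $externallySecured = $AuthMechanism -match 'ExternalAuthoritative'

    $scope = $RemoteIPRanges -join ', '

    if ($anonRelay -and $unscoped) {
        New-Finding $Name 'HIGH' 'Anonymous relay allowed from any address (open relay)'
    } elseif ($anonRelay) {
        New-Finding $Name 'INFO' "Anonymous relay allowed, scoped to: $scope"
    }

    if ($externallySecured -and $unscoped) {
        New-Finding $Name 'HIGH' 'Externally Secured trust extended to any address'
    } elseif ($externallySecured) {
        New-Finding $Name 'REVIEW' "Externally Secured (any sender, anti-spam and size limits bypassed) for: $scope"
    }
}

# --- Constructed sample data (not taken from a real server) ---
function New-Ace($User, $Rights, $Deny = $false) {
    New-Object PSObject -Property @{ User = $User; ExtendedRights = $Rights; Deny = $Deny }
}

$anon = 'NT AUTHORITY\ANONYMOUS LOGON'
$samples = @(
    # Option 2 as configured on this page: two web servers, anonymous relay right.
    @{ Name = 'CRM Application'
       RemoteIPRanges = '192.168.2.55', '192.168.2.56'
       AuthMechanism = 'Tls'
       Aces = @((New-Ace $anon @('ms-Exch-SMTP-Submit')),
                (New-Ace $anon @('ms-Exch-SMTP-Accept-Any-Recipient'))) },
    # Misconfiguration: Externally Secured without narrowing the remote range.
    @{ Name = 'Legacy Relay'
       RemoteIPRanges = @('0.0.0.0-255.255.255.255')
       AuthMechanism = 'Tls, ExternalAuthoritative'
       Aces = @() },
    # Misconfiguration: anonymous relay right on an unscoped connector.
    @{ Name = 'Internet Inbound'
       RemoteIPRanges = @('0.0.0.0-255.255.255.255')
       AuthMechanism = 'Tls'
       Aces = @((New-Ace $anon @('ms-Exch-SMTP-Accept-Any-Recipient'))) },
    # Authenticated-only connector: produces no finding.
    @{ Name = 'Client'
       RemoteIPRanges = @('0.0.0.0-255.255.255.255')
       AuthMechanism = 'Tls, Integrated, BasicAuth'
       Aces = @((New-Ace 'NT AUTHORITY\Authenticated Users' @('ms-Exch-SMTP-Accept-Any-Recipient'))) }
)

$samples | ForEach-Object { $c = $_; Get-RelayFinding @c } |
    Select-Object Severity, Connector, Detail

# Against a live organization (Exchange Management Shell), feed real objects instead:
# Get-ReceiveConnector | ForEach-Object {
#     Get-RelayFinding -Name $_.Name `
#         -RemoteIPRanges ($_.RemoteIPRanges | ForEach-Object { "$_" }) `
#         -AuthMechanism "$($_.AuthMechanism)" -Aces ($_ | Get-ADPermission)
# }
```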
More information

See the following for more information:

- Receive Connectors
- Exchange 2007 Transport Permissions Model

- Scott Landry

Released: March 2016 Quarterly Exchange Updates
The Exchange team is happy to announce our spring quarterly updates for Exchange Server are now available on the Microsoft Download Center. Exchange Server 2016 receives its first Cumulative Update, and Exchange Server 2013 Cumulative Update 12 is also released. Exchange Server 2007 and Exchange Server 2010 Update Rollups provide an updated OWA S/MIME control signed with a SHA-2 certificate. More information and highlights of all these releases can be found below.

Updated OWA S/MIME control

All of the packages released today include an update to the OWA S/MIME control. The control itself has not changed, but has now been signed with a SHA-2 compliant certificate. All of the updates released will install the updated control onto the Exchange Server. Users who have installed the control into their browser will need to re-install it on devices where the previous version was installed. Installing the control is straightforward and can be done quickly using OWA Options, Exchange Control Panel or Exchange Admin Center depending upon the release of Exchange you are using.

New distribution package for Exchange Server 2016 updates

With the introduction of Cumulative Updates for Exchange Server 2016, we are making a change to the update package type for this product version. Previous versions of Exchange used self-extracting packages to deliver service packs and cumulative updates. We have heard requests to release these updates as .ISO’s. With the capability to mount .ISO’s directly in Windows Server 2012 and later, we think it makes sense to ship Cumulative Updates as .ISO’s. At this time, we are not planning to do this for Exchange Server 2013 Cumulative Updates but could be persuaded to do so if enough people ask for it. One downside to this approach is that the package is much larger. However, copying a single .ISO vs. the ever growing number of files and folders over the network is much more efficient and faster. We hope you like this change.
Change to Mailbox Anchoring for Remote PowerShell

We heard your feedback on the changes to load balancing Remote PowerShell introduced into Exchange Server 2013 and 2016. As announced by Ross here, we have reverted this behavior in the Cumulative Updates being released today.

Additional languages for Outlook on the Web

Exchange Server 2016 Cumulative Update 1 adds support for 17 additional languages in Outlook on the Web. These languages will appear automatically in the language selection drop down after a server is updated to Cumulative Update 1.

.Net 4.6.1 Support

We know that many of you have been asking about .Net 4.6.1 and Exchange. Rest assured we are working closely with the .Net Framework team to resolve issues preventing us from supporting .Net 4.6.1 with Exchange Server. While we are not there yet, we hope to be very soon. Support for .Net 4.6.1 is planned for future Cumulative Updates for Exchange Server 2013 and 2016.

Slow installations on Windows Server 2012 R2

For customers who are running Exchange on Windows Server 2012 R2, we want to make certain you are aware of a condition which can substantially increase the amount of time it takes to install Exchange Updates on this OS. Working with the .Net team, we have discovered that systems which have applied Windows Update KB3097966 can take 50% more time to install Exchange. The .Net team is working on a resolution to this and will include a fix in a future product update. In the meantime, customers who have deployed this Windows update can take a one-time action on their server before installing Exchange or a Cumulative Update to bring installation time back to normal. This procedure needs to be done once on every Exchange server running Windows Server 2012 R2. The command to execute is:

    %windir%\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update

Errors and warnings encountered running this command can be safely ignored provided the final exit status code of 0 is reported in the output.
Support for Standalone Hybrid Configuration Wizard in Exchange Server 2010

Customers using Exchange Server 2010 in Hybrid mode with Office 365 will notice a new link in the EMC to use the Updated Standalone Hybrid Configuration Wizard. We encourage all customers to use this updated version of the Hybrid Configuration Wizard.

Release Details

KB articles which contain greater depth on what each release includes are available as follows:

- Exchange Server 2016 Cumulative Update 1 (KB3134844), Download, UM Lang Packs
- Exchange Server 2013 Cumulative Update 12 (KB3108023), Download, UM Lang Packs
- Exchange Server 2010 Service Pack 3 Update Rollup 13 (KB3141339), Download
- Exchange Server 2007 Service Pack 3 Update Rollup 19 (KB3141352), Download

Note: Documentation may not be fully available at the time this post was published.

Exchange Server 2016 Cumulative Update 1 does include updates to Active Directory Schema. These updates will apply automatically during setup if the permissions and AD requirements are met during installation. If the Exchange Administrator lacks permissions to update Active Directory Schema, a Schema Admin should execute SETUP /PrepareSchema before installing Cumulative Update 1 on your first server. The Exchange Administrator should also execute SETUP /PrepareAD to ensure RBAC roles are updated correctly.

Exchange Server 2013 Cumulative Update 12 does not include updates to Active Directory or additional RBAC changes. However, depending on the version you are upgrading from, it may be required. PrepareAD will run automatically during the first server upgrade if Setup detects this is required and the logged on user has sufficient permission, otherwise, setup will require you to re-run setup with sufficient permissions.

Additional Information

Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment.
For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation.

Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.

Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., CU12) or the prior (e.g., CU11) Cumulative Update release.

For the latest information on Exchange Server and product announcements please see What's New in Exchange Server 2016 and Exchange Server 2016 Release Notes. You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.

The Exchange Team

How to Create and configure a meeting room mailbox with Exchange Server 2007
On a recent project I had to consider how to implement meeting rooms in Exchange 2007 SP1. I read all of the available TechNet articles and posts and then I realized that it was not necessarily easy to set up meeting rooms with correct policies on the first try. So, I made a synthesis on how to quickly create the meeting room of your dreams, in hopes that this can help you.

Resource Mailbox Overview

Resource mailboxes are specific types of mailboxes that can represent meeting rooms or shared equipment and can be included as resources in meeting requests. The Active Directory user that is associated with a resource mailbox is a disabled account. The different types of resource mailboxes in Microsoft Exchange Server 2007 are:

- Room mailbox: a resource mailbox that is assigned to a meeting location, such as a conference room, auditorium, or training room. Room mailboxes can be included as resources in meeting requests.
- Equipment mailbox: a resource mailbox that is assigned to a non-location specific resource, such as a portable computer projector, microphone, or a company car. Equipment mailboxes can be included as resources in meeting requests.
- Shared mailbox: a mailbox that is not primarily associated with a single user and is generally configured to allow logon access for multiple users. After a shared mailbox is created (by using the Exchange Management Shell), you must grant permissions to all users that require access to the shared mailbox. Even if this is not a resource mailbox, I mention it here because companies commonly use that kind of mailbox for collaboration or business needs.
Example 1: How to create a resource mailbox

Create a Room mailbox:

    New-Mailbox -database "Storage Group 1\Mailbox Database 1" -Name ConfRoom1 -OrganizationalUnit "Conference Rooms" -DisplayName "ConfRoom1" -UserPrincipalName ConfRoom1@contoso.com -Room

Create an Equipment mailbox:

    New-Mailbox -database "First Storage Group\Mailbox Database" -Name VCR1 -OrganizationalUnit Equipment -DisplayName "VCR1" -UserPrincipalName VCR1@contoso.com -Equipment

Create a Shared mailbox:

    New-Mailbox -database "Storage Group 1\Mailbox Database 1" -Name SharedMailbox01 -OrganizationalUnit "Resource Mailboxes" -DisplayName "SharedMailbox01" -UserPrincipalName SharedMailbox01@contoso.com -Shared

(from http://technet.microsoft.com/en-us/library/bb201680.aspx)

Resource Mailbox Properties

You can configure resource mailbox properties for resource mailboxes. For example, you can use the ResourceCapacity, Office, and ResourceCustom parameters with the Set-Mailbox cmdlet to configure some of these settings.

Custom resource properties can help users select the most appropriate room or equipment by providing additional information about the resource. For example, you can create a custom property for room mailboxes called AV. You can add this property to all rooms that have audio-visual equipment. This allows users to identify which conference rooms have audio-visual equipment available.

A custom resource cannot contain a value; it's only a flag that can be added to a resource mailbox. Flags are defined globally for the Exchange organization.

Before you can assign custom resource properties to a room or equipment mailbox, you must first create these properties by modifying the resource configuration of your Exchange organization. Custom resources can be added with the Set-ResourceConfig cmdlet.

Note: All entries provided to the Set-ResourceConfig cmdlet must start with either Room/ or Equipment/.
Setting a new entry using the Set-ResourceConfig cmdlet will overwrite all existing entries, and not add a new entry to the list. Use the Get-ResourceConfig cmdlet to query the existing entries, and then append to the list.

For every custom resource property you create in your organization, you must specify to which resource mailbox type it applies (room or equipment). When you are managing a resource mailbox, you can assign only those custom resource properties that apply to that specific resource mailbox type. For example, if you are configuring a room mailbox, you can assign only the custom resource properties that apply to room mailboxes.

In Microsoft Exchange Server 2003 and earlier versions, LDAP filtering syntax is used to create custom address lists, global address lists (GALs), e-mail address policies, and distribution groups. In Exchange Server 2007, the new OPATH filtering syntax replaces the LDAP filtering syntax. For example, new address lists can only be based on properties filterable by the -RecipientFilter parameter (complete list: http://technet.microsoft.com/en-us/library/bb738157.aspx ). Other properties, including any customer schema extensions, cannot be used in the -RecipientFilter parameter. So LDAP attributes defined to search for rooms or create Address Book views must be included in OPATH properties to allow for a wide use within Exchange 2007.

Example 2: Create Custom Properties for Resource Mailbox

    Set-ResourceConfig -ResourcePropertySchema ("Room/TV", "Room/VCR", "Equipment/Auto")

Example 3: Configure Resource Mailbox Properties

    Set-Mailbox -Identity "ResourceMailbox01" -ResourceCustom ("TV","VCR") -ResourceCapacity 50

(from http://technet.microsoft.com/en-us/library/aa996915.aspx)

Room Mailbox Settings

Before explaining how to create the different types of room mailbox, we must focus on the settings that can be configured with Set-MailboxCalendarSettings.
With this cmdlet you can configure many parameters on the resource mailbox (maximum meeting duration allowed, default reminder time, etc.). A complete list with descriptions is available at http://technet.microsoft.com/en-us/library/aa996340.aspx.

The main parameter that interests us is AutomateProcessing, which enables or disables calendar management on the resource mailbox. The three possible values are:

- None: Both resource booking and Calendar Attendant will be disabled on the mailbox. (Meeting requests will not be processed and will be stacked in the Inbox of the room mailbox.)
- AutoUpdate: This is the default value. The Calendar Attendant will process meeting requests, which will sit in the calendar of the room in a "tentative state" awaiting delegate approval. (The meeting organizer will receive only the decision of the delegate.)
- AutoAccept: Resource booking will be enabled on the room mailbox. This means that the room will take into account the policies for the incoming requests (such as who can schedule). (With automatic booking configuration, the organizer will receive the decision of the room. Otherwise the organizer will first receive an acknowledgement message pending delegate approval.)

Note: Calendar Attendant automatically places new meetings on the calendar as tentative appointments, updates existing meetings with new information, and deletes out-of-date meeting requests without any client interaction. The Calendar Attendant also processes meeting forward notifications by sending a notification when a meeting request is forwarded and adding meeting attendees to the calendar when a meeting notification is received. Resource Booking Attendant automates acceptance and declination of resource booking requests. Policies can be set up for each resource based upon by whom, when, and for how long a resource can be booked.

The AutoAccept value enables the resource booking policies to manage who can book the room and under what conditions.
For each room mailbox, each user can be a member of different policies:

- BookInPolicy: List of users who are allowed to submit in-policy meeting requests. In-policy requests from these users will automatically be approved.
- RequestInPolicy: List of users who are allowed to submit in-policy meeting requests. In-policy requests from these users will be subject to approval by a delegate.
- RequestOutOfPolicy: List of users who are allowed to submit out-of-policy meeting requests. Out-of-policy requests from these users will be subject to approval by a delegate.

In the context of resource mailboxes, InPolicy and OutOfPolicy simply mean whether or not the meeting invitation matches any restrictions enabled on the resource mailbox. There are also policies to specify permissions for all users (AllBookInPolicy, AllRequestInPolicy, AllRequestOutOfPolicy).

For example, if the MaximumDurationInMinutes value for the resource mailbox is 30 minutes, any meeting invitation longer than 30 minutes would be OutOfPolicy. Using the RequestOutOfPolicy field, you can manually add users that are allowed to request meetings that are not within the policy.

Figure 1: Booking Policy - Who can schedule a resource for an Auto-Accept resource mailbox

Room Mailbox Main Scenarios

Now that we know how to create a meeting room and have a clearer idea of the policies, let's look at the main room mailbox scenarios that we can implement:

- Room with automatic booking;
- Room with meeting requests forwarded to a delegate;
- Room requiring the logon of a delegate to manage the meeting requests.

Room with automatic booking

To set automatic booking, set AutomateProcessing to AutoAccept to enable resource booking policies. With the default configuration of room policies, all users will then be allowed to send in-policy meeting requests. These requests will be processed automatically by the room.
Example 4: How to enable automatic booking on a Resource Mailbox

    Set-MailboxCalendarSettings -Identity "Conference Room" -AutomateProcessing AutoAccept

(from http://technet.microsoft.com/en-us/library/bb123495.aspx)

Room with meeting requests forwarded to a delegate

To make the room forward incoming meeting requests to a delegate for approval, you must enable and configure policies, and define a delegate:

- Enable policies: set AutomateProcessing to AutoAccept;
- All incoming meeting requests must be approved by a delegate: set AllRequestInPolicy to True and AllBookInPolicy to False;
- Define a delegate under the ResourceDelegates parameter.

A resource delegate will have the following permissions:

- Editor on the Calendar folder of the resource mailbox;
- Editor on the "FreeBusy Data" system folder of the resource mailbox;
- Ability to "Send on behalf" of the resource mailbox.

Example 5: How to set a Room to forward requests to a delegate

    Set-MailboxCalendarSettings -Identity "Training Room" -AutomateProcessing AutoAccept -ResourceDelegates "Isabelle Dupont" -AllBookInPolicy:$false -AllRequestInPolicy:$true

The delegate can now manage meeting requests forwarded by the room mailboxes from his own mailbox by accepting or rejecting them. He can also access the calendar folder of the room mailbox (by the "Open other user's folder" feature of the Outlook client). It should be noted that the responses received by the organizers will be from the delegate on behalf of the room mailbox.

Note: When the Set-MailboxCalendarSettings cmdlet is re-run to modify any settings, the original delegate's permissions are removed. The delegate is still displayed when running the 'Get-MailboxCalendarSettings' cmdlet; however, if you look at the permissions on the resource calendar, the delegate's permissions have been removed. To re-grant permissions on the resource calendar you must run a "Set-MailboxCalendarSettings resource_alias -ResourceDelegates:$null" command.
Afterwards you can re-grant permissions to the intended user. Until this problem is fixed, we would recommend running this command before making any changes to resource delegates.

Room whose management is done directly by the delegate

This is the default for a newly created room, with the AutomateProcessing parameter set to AutoUpdate. The Calendar Attendant will process meeting requests, which will sit in the calendar of the room in a "tentative state" awaiting delegate approval.

The delegate needs permissions to connect to the resource mailbox and manage the meeting requests: "Full Mailbox Access" to access the resource mailbox and, for example, "Send-As" to respond to requests in a transparent manner.

Example 6: The delegate manages the requests from the resource mailbox

    Set-MailboxCalendarSettings -Identity "Conference Room" -AutomateProcessing AutoUpdate
    Add-MailboxPermission -AccessRights FullAccess -Identity "Conference Room" -User "Isabelle Dupont"
    Add-ADPermission -Identity "Conference Room" -User "Isabelle Dupont" -ExtendedRights Send-As

Note: "Send As" versus "Send on Behalf"

Send As permission will allow a user to send as another user. Send on Behalf permission will allow a user to send on behalf of another user. This means that the recipient knows who really sent the message because it is clearly stated in the message.
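A review query for the permissions these scenarios grant, as an added example that is not part of the original post: it lists each room and equipment mailbox with its AutomateProcessing mode, its resource delegates, and the accounts holding explicit FullAccess or Send-As. It assumes the Exchange 2007 Management Shell; the CSV file name and the wording of the Review column are illustrative.

```powershell
# Added example (not from the original post). Run in the Exchange 2007 Management
# Shell with rights to read mailbox and Active Directory permissions.

$report = Get-Mailbox -RecipientTypeDetails RoomMailbox,EquipmentMailbox -ResultSize Unlimited |
    ForEach-Object {
        $mbx = $_
        $cal = Get-MailboxCalendarSettings -Identity $mbx.Identity

        # Explicit (non-inherited) allow entries only. NT AUTHORITY\SELF is skipped
        # because every mailbox carries it.
        $fullAccess = @(Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                ($_.AccessRights -like '*FullAccess*') -and
                (-not $_.IsInherited) -and (-not $_.Deny) -and
                ($_.User.ToString() -ne 'NT AUTHORITY\SELF')
            } | ForEach-Object { $_.User.ToString() })

        $sendAs = @(Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object {
                ($_.ExtendedRights -like '*Send-As*') -and
                (-not $_.IsInherited) -and (-not $_.Deny) -and
                ($_.User.ToString() -ne 'NT AUTHORITY\SELF')
            } | ForEach-Object { $_.User.ToString() })

        $delegates = @($cal.ResourceDelegates | Where-Object { $_ } |
            ForEach-Object { $_.ToString() })

        # Points worth a second look, based on the behaviour described in the post.
        $notes = @()
        if ($sendAs.Count -gt 0) {
            # Send As replies do not state who really sent them; Send on Behalf does.
            $notes += 'Send-As granted'
        }
        if (($cal.AutomateProcessing -eq 'AutoUpdate') -and ($fullAccess.Count -eq 0)) {
            # In AutoUpdate mode requests stay tentative until someone with
            # Full Mailbox Access answers them from the resource mailbox.
            $notes += 'AutoUpdate with no FullAccess holder'
        }

        $row = '' | Select-Object Mailbox, Type, AutomateProcessing, ResourceDelegates, FullAccess, SendAs, Review
        $row.Mailbox            = $mbx.Name
        $row.Type               = $mbx.RecipientTypeDetails
        $row.AutomateProcessing = $cal.AutomateProcessing
        $row.ResourceDelegates  = [string]::Join('; ', $delegates)
        $row.FullAccess         = [string]::Join('; ', $fullAccess)
        $row.SendAs             = [string]::Join('; ', $sendAs)
        $row.Review             = [string]::Join('; ', $notes)
        $row
    }

$report | Sort-Object Mailbox | Format-Table -AutoSize -Wrap

# Keep a dated copy so later runs can be compared (file name is illustrative).
$report | Export-Csv -Path .\resource-mailbox-permissions.csv -NoTypeInformation
```

Comparing the exported file between runs shows when a delegate gained or lost FullAccess or Send-As on a resource mailbox.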
Synthesis

Based on the previously detailed main scenarios, the minimum parameters to set are the following:

Resource Calendar Settings (set-mailboxcalendarsettings)

| Scenario | Automate Processing | All Book In Policy | All Request In Policy | Resource Delegate |
| Room Mailbox, Automatic Booking | AutoAccept | True (default value) | False (default value) | None (default value) |
| Room Mailbox, Manual Approval, Request forwarded to delegates | AutoAccept | False | True | List of Delegates |
| Room Mailbox, Manual Approval, Delegates approve from room mailbox | AutoUpdate (default value) | True (default value) | False (default value) | None (default value) |

Whatever the scenario, a delegate can modify the resource booking parameter (except the delegate's part) by accessing the resource mailbox with Outlook Web Access (https://mail.contonso.com/room@contoso.com). To do this, the delegate needs the "Full Mailbox Access" permission to the resource mailbox.

Figure 2: Resource Mailbox Settings with Outlook Web Access

For further reading and the most up-to-date information:

- Understanding Recipients: http://technet.microsoft.com/en-us/library/bb201680.aspx
- Managing Resource Mailboxes: http://technet.microsoft.com/en-us/library/bb124374.aspx
- How to Set Resource Booking Policies: http://technet.microsoft.com/en-us/library/bb124987.aspx
- Set-MailboxCalendarSettings: http://technet.microsoft.com/en-us/library/aa996340.aspx
- Resource scheduling in Exchange Server 2007: http://msexchangeteam.com/archive/2007/05/14/438944.aspx
- French version of this post: http://blogs.technet.com/frmcsuc/pages/exchange-2007-room-mailbox.aspx

-- Murat Gunyar

Need help converting your LDAP filters to OPATH?
After installing Exchange 2007 into your existing Exchange organization, the address lists and recipient policies must have OPATH filters specified in order to administer them from the Exchange 2007 tools. As discussed in the earlier blog post, OPATH is the basis for the filtering syntax used by PowerShell, and is therefore the filtering syntax used by Exchange Server 2007.

Reading up on OPATH syntax can be a considerable time sink for an administrator who just wants to get his policies upgraded. I've written a PowerShell script that will perform these conversions for you, allowing you to save the OPATH documentation for the next time you're having trouble getting to sleep.

To use the script, just drop it somewhere on the Exchange 2007 server, change the extension to ps1, and change to that folder at the PowerShell prompt. The top of the script shows some various syntax examples, ranging from the simple conversion of a manually entered filter to the automatic upgrading of every existing legacy filter.

Of course, before you just automatically upgrade every filter and call it a day, you should consider testing the script in your lab and saving your existing filters, just in case. One of the syntax examples shows how to write out the name, legacy LDAP filter, and suggested OPATH filter for each legacy object to a tab-delimited file, which you could then open in Excel for viewing. This is one of several ways you could save out your old filters before upgrading.

Some notes about the script:

- All syntax examples assume you've changed into the folder where the script is, and that it's not in the path. If you drop the script in Exchange Server\bin you can eliminate the .\ that precedes the script name in the examples.
- Some LDAP attributes are not available in OPATH. If the script encounters such an attribute in one of your filters it will report, "Could not convert LDAP attribute 'blah' to OPATH", and will fail out.
- The script does very direct conversions from LDAP to OPATH. For instance, it typically will not use the 'RecipientType' property in OPATH since there is no LDAP equivalent. There is one exception where it looks for a specific string and produces 'RecipientType -eq UserMailbox' in response.
- The script looks for filters matching the default address list filters and, if it finds one, it skips the normal conversion routine and produces the filter suggested in Evan's earlier post (http://msexchangeteam.com/archive/2007/01/11/432158.aspx).

Hopefully this will save you some time during your Exchange 2007 upgrade!

The link to the script is below (ConvertFrom-LdapFilter.txt - download and rename to .ps1 to run):

LDAP to OPATH filter conversion script - attached to this blog post.

- Bill Long

Exchange releases: December 2014
Editor's Note: Updates added below for important information related to Exchange Server 2010 SP3 Update Rollup 8.

The Exchange team is announcing today a number of releases. Today’s releases include updates for Exchange Server 2013, 2010, and 2007. The following packages are now available on the Microsoft download center.

- Exchange Server 2013 Cumulative Update 7
- UM Language Packs for Cumulative Update 7
- Exchange Server 2010 SP3 Update Rollup 8
- Exchange Server 2007 SP3 Update Rollup 15

These releases represent the latest set of fixes available for each of their respective products. The releases include fixes for customer reported issues and minor feature improvements. The cumulative updates and rollup updates for each product version contain important updates for recently introduced Russian time zones, as well as fixes for the security issues identified in MS14-075. Also available for release today are MS14-075 Security Updates for Exchange Server 2013 Service Pack 1 and Exchange Server 2013 Cumulative Update 6.

Exchange Server 2013 Cumulative Update 7 includes updates which make migrating to Exchange Server 2013 easier. These include:

- Support for Public Folder Hierarchies in Exchange Server 2013 which contain 250,000 public folders
- Improved support for OAB distribution in large Exchange Server 2013 environments

Customers with Public Folders deployed in an environment where multiple Exchange versions co-exist will want to read Brian Day’s post for additional information.

Cumulative Update 7 includes minor improvements in the area of backup. We encourage all customers who back up their Exchange databases to upgrade to Cumulative Update 7 as soon as possible and complete a full backup once the upgrade has been completed. These improvements remove potential challenges restoring a previously backed up database.
For the latest information and product announcements about Exchange 2013, please read What's New in Exchange 2013, Release Notes and Exchange 2013 documentation on TechNet.

Cumulative Update 7 includes Exchange-related updates to Active Directory schema and configuration. For information on extending schema and configuring Active Directory, please review Prepare Active Directory and Domains in Exchange 2013 documentation.

Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., CU7) or the prior (e.g., CU6) Cumulative Update release.

Update 12/12/2014: Exchange Server 2010 SP3 Update Rollup 8 has been re-released to the Microsoft download center, resolving a regression discovered in the initial release. The updated RU8 package corrects the issue which impacted users connecting to Exchange from Outlook. The issue was confined to the MAPI RPC layer and could be isolated quickly, which allowed the updated RU8 package to be delivered. The updated RU8 package is version number 14.03.0224.002 if you need to confirm you have the updated package. The updates for Exchange Server 2013 and 2007 were not impacted by this regression and have not been updated.

Update 12/10/2014: An issue has been identified in the Exchange Server 2010 SP3 Update Rollup 8. The update has been recalled and is no longer available on the download center pending a new RU8 release. Customers should not proceed with deployments of this update until the new RU8 version is made available. Customers who have already started deployment of RU8 should roll back this update. The issue impacts the ability of Outlook to connect to Exchange, thus we are taking the action to recall the RU8 to resolve this problem. We will deliver a revised RU8 package as soon as the issue can be isolated, corrected, and validated.
We will publish further updates to this blog post regarding RU8. This issue only impacts the Exchange Server 2010 SP3 RU8 update; the other updates remain valid and customers can continue with deployment of these packages.

The Exchange Team

Resource scheduling in Exchange Server 2007
Update 4/16/2009: We have corrected an incorrect permissions entry in this blog post.

Heard of the term calendar concierge? Look up http://msexchangeteam.com/archive/2006/07/24/428390.aspx. In this post I'm going to talk about what happened to the Auto Accept Agent in Exchange Server 2007 and how you can define, schedule and manage resources easily and reliably.

Booking resources (e.g. a conference room) in conjunction with a meeting frequently leads to multiple meeting updates, general confusion and lost productivity for both organizers and attendees. The system should enable organizers to reliably find and book an available resource in one attempt and later confirm the reservation while minimizing attendee confusion. This is accomplished in Exchange Server 2007.

Exchange Server 2007 helps the Information Worker quickly find a room at the right time and schedule it. It helps minimize the effort that resource managers must undertake to manage a resource schedule. It helps resource administrators control who can schedule resources.

Resource booking in Exchange 2003

In Exchange 2003 there are two ways for customers to automate resource booking using Outlook and Exchange:

- Exchange 2003 Auto Accept Agent
- Outlook direct booking

The Auto Accept Agent (AAA) is a server-side store event sink available in the Exchange 2003 SP1 timeframe. It provides automatic server-side processing of meeting requests sent to resource mailboxes that have been registered with the agent. The agent handles both requests and cancellations and sends responses to the meeting organizer. AAA uses EXOLEDB and CDOEX for notification of incoming messages and calendar item processing, respectively.

Direct booking is an Outlook-specific feature that uses the organizer's Outlook client (Outlook 2000 or later) to book an appointment directly into a resource mailbox schedule.
The Outlook client of the person organizing the meeting performs all the necessary tasks, such as conflict checking and placing the reservation on the resource calendar. The resource mailbox must be manually configured with Outlook to support direct booking. It can be set up to automatically accept non-conflicting meeting requests and to allow/deny recurring bookings.

What's new in resource booking in Exchange 2007?

Exchange 2007 provides a reliable resource management solution that maps to information worker goals and increases organizational productivity. Exchange Server 2007 introduces changes to the resource booking architecture that address many of the concerns. Resource management improvements have been made in the following areas.

- Booking and search services
  - Up-to-date Free/busy
  - Integration with Office Outlook 2007 meeting request process
- Schedule management services
  - Ability to delegate management of resource policy to users using Outlook Web Access
  - Policies and rules to control who can schedule and when they can schedule
  - Support for both manual and automatic approval
- Enterprise-wide resource management services
  - Ability to create and manage resource schema

Resource Booking Attendant

Exchange 2007 identifies meeting resources as either a room or equipment and includes special attributes for each of these types of resources. For example, a room resource includes a capacity attribute. Custom attributes, such as audio-visual capabilities, can also be defined.

The Resource Booking attendant provides the following features:

- Enforces maximum meeting duration
- Schedules meetings only during working hours
- Forwards out-of-policy requests to delegates for approval
- Provides conflict information for declined meetings

Feature Comparison

The following table shows a comparison of the features available for direct booking in Outlook, using the Auto Accept Agent, and resource scheduling in Exchange Server 2007.
Feature Outlook Direct Booking Auto Accept Agent Resource Scheduling

Booking Process
- Directly books without sending mail x
- Resource can be designated as any type of attendee x x
- Does not require permissions to calendar folder of resource x x

Resource schema
- Distinguish between user and resource mailboxes in GAL/OAB x
- Find resources based on resource criteria (location, custom property) x
- Add additional, custom resource properties x

Resource administration
- Integration with Exchange Management Console and Shell x

Scheduling Logic
- Return information on conflicts in recurring meetings x x
- Prevent double booking x x x
- Partially book recurring meeting x x
- Strips sensitive information from request, calendar item x x

Scheduling Policy
- Define list of users who can book directly x x
- Control how far requests are booked in the future x x
- Define list of users who can book with approval, book outside policy x
- Set available hours, max duration x
- Custom meeting response text* x x

*It's per server in AAA and per mailbox in Exchange Server 2007

Steps to set up Resource booking in Exchange 2007

Before going further I want to explain a few points one should be aware of while working with a resource mailbox in Exchange Server 2007.

A resource mailbox has the same structure as a user mailbox - it is composed of an Active Directory mailbox-enabled user object and an Exchange mailbox. The major difference between a user and resource mailbox is that the resource mailbox:

- Always has special resource-specific properties set on the Active Directory user object.
- Typically has a disabled user account and grants logon privileges to one or more "resource managers".
- May have a scheduling policy automatically enforced by the Resource Booking mailbox assistant.
I will talk more about Exchange Server 2007/Exchange Server 2003 environments and how legacy resource mailboxes can be converted to Exchange Server 2007 resources without interrupting the ability of legacy clients to send meeting requests to them later on. In this post I'm going to concentrate on a pure Exchange Server 2007 environment.

Resource mailbox scheduling and administration in Exchange Server 2007 is primarily handled by the Resource Booking Attendant. The calendar and Resource Assistant interact with each other. The Resource Assistant provides a call that determines if a mailbox is a resource or not.

1. Create a new mailbox.

This can be done either from the Shell (PowerShell/Exchange Management Shell) or by using the EMC.

Create a new mailbox using the EMC: Expand Recipient Configuration > select Mailbox, and then click New Mailbox in the Mailbox section of the Actions task pane.

Figure 1: Click New Mailbox to start the New Mailbox Wizard

Note: In Exchange 2007, only disabled accounts can be used as resource mailboxes. When you create a new resource mailbox, the user account is disabled by default. If you click Existing User and then Browse, only disabled accounts are presented. Enabling the user account for a resource mailbox is NOT a supported configuration.

Use the Shell to create a new mailbox:

    New-Mailbox -Name:"Resource1" -Alias:Resource1 -OrganizationalUnit:Users -Database:"Database Name" -UserPrincipalName:"Resource1@domain.com" -DisplayName:"Resource Mailbox" -Room

If you use the EMC, the end result is the same. In the final page of the wizard, the EMC actually shows you the Shell command that it uses.

Figure 2: The final page of the New Mailbox Wizard shows the Shell command used

This will create a new resource mailbox. At the command prompt type:

    Get-Mailbox Resource1 | fl *resource*

The output:

    IsResource : True
    ResourceType : Room

Notice the ResourceType is Room. At this point, the resource mailbox is not completely configured.
If you attempt to book the resource it will not automatically accept the meeting. After creating a resource mailbox, you'll need to configure it to auto-accept meetings to which the resource mailbox has been invited. Otherwise, the resource mailbox does not automatically accept meetings sent to it and meetings sent to it will sit in the calendar of the resource in a "tentative state".

Note: To learn more about the Format-List cmdlet (the short form or alias fl is used here), please see this. Additionally, piping the output to fl *resource* will display all the attributes (of that mailbox) where the attribute name contains the string resource.

Let's check calendar settings for the mailbox:

    Get-MailboxCalendarSettings Resource1 | fl

The output shows that AutomateProcessing is set to AutoUpdate by default:

    AutomateProcessing : AutoUpdate

If AutomateProcessing is set to AutoUpdate (the property that controls the automatic acceptance of meeting requests), then the meeting organizer receives no response from the resource. In order to accept a meeting, one would have to log into the resource mailbox (using an account that has permissions to access the resource mailbox) and accept it.

2. Enable Auto-Accept for a resource and configure resource mailbox settings

Using OWA or the Shell, you can configure a mailbox to automatically process meeting requests and cancellations.

Using the Shell:

    Set-MailboxCalendarSettings Resource1 -AutomateProcessing:Autoaccept
    Get-MailboxCalendarSettings Resource1 | fl

The output:

    AutomateProcessing: AutoAccept

Using Outlook Web Access

You can log on to the resource mailbox using OWA and configure the resource account to automatically process meeting requests and cancellations from the Options page.

What account do you use to log into OWA?
Because the account for a resource mailbox is disabled, you can use either of the following methods to log into the resource mailbox using OWA:

- Explicit OWA logon to the resource mailbox with credentials for an account that has FullAccess permissions to the mailbox. Use this command to grant FullAccess permissions to User1 for the Conference Room1 resource mailbox.

      Add-MailboxPermission -Identity:Resource1 -AccessRights:fullaccess -User:user1

  After User1 has been given FullAccess rights, in your browser, enter the explicit URL for the resource mailbox: http://servername/owa/Resource1@domain.com. When prompted for credentials, enter the username and password for an account that has FullAccess permission to the resource mailbox - in this case User1.

- Log into OWA using an account that has FullAccess permissions to the resource mailbox and select Open Other Mailbox. Enter the normal URL for OWA: http://servername/owa. When prompted for credentials, enter the username and password for an account that has FullAccess permissions to the resource mailbox. In the upper right corner of the OWA page, click the dropdown next to the logged on username, select Open Other Mailbox and then enter the name of the resource mailbox.

Figure 3: Select Open Other Mailbox to open another mailbox in OWA

When you log into a resource mailbox, click on Options and notice Resource Settings on the left pane as an available option just for resource mailboxes. You can set the following options on this page. Every single option available via the Shell is available on this page.

- Resource Scheduling Options
- Resource Scheduling Permissions
- Resource Privacy Options and Response Message

Scheduling a Room Resource

Exchange 2007 creates an All Rooms address list as seen in the following screenshot:

Figure 4: Exchange 2007 creates an All Rooms address list by default

In Outlook 2007, the All Rooms search feature appears as shown below.
Instead of clicking the "To" button, which is everything in the GAL, you can now click on Rooms and we come up with the All Rooms address list. If you select a room, it automatically adds it in the Resources well. This should work if the resource is added to the "Required" field.

Figure 5: Selecting Rooms when scheduling a meeting, Outlook 2007 displays all rooms from the Rooms address list

Managing Resource Scheduling

If you want to lock down the resource booking options, you have the option to do so. Let's take a look at a few of the options available to lock down resource mailboxes. Open up the shell prompt and type:

    Get-MailboxCalendarSettings Resource1 | fl

Take a look at the different parameters that can be set for a resource mailbox. Most of the parameters are self-explanatory. Let's focus instead on some of the policy-based settings, such as RequestInPolicy, BookInPolicy, RequestOutOfPolicy, AllBookInPolicy, AllRequestOutOfPolicy, etc.

- BookInPolicy: List of users/groups that can submit an in-policy request for automatic approval - Value is a String: SMTP address; series of SMTP addresses
- RequestInPolicy: List of users/groups that can submit an in-policy request that is subject to approval by a resource mailbox delegate. - Value is a String: SMTP address
- RequestOutOfPolicy: List of users/groups that can submit an in-policy request for automatic approval; Out-of-policy requests are subject to approval by a resource mailbox delegate. The RequestOutOfPolicy setting is good for situations where certain users (the CEO, for example) should never receive an automatic meeting decline. - Value is a String: SMTP address

The default options allow all users to book resources if they are within the set policies (i.e. up to 180 days in the future, up to 1440 minutes in duration, etc.), and will reject all other meetings.
In the context of resource mailboxes, InPolicy and OutOfPolicy simply mean whether or not the meeting invitation matches any restrictions enabled on the resource mailbox. For example, if the MaximumDurationInMinutes value for the resource mailbox is 30 minutes, any meeting invitation longer than 30 minutes would be considered OutOfPolicy.

Using the RequestOutOfPolicy parameter, you can manually add users that are allowed to request meetings that are not within the policy. If you really want to lock things down, you can set the AllBookInPolicy value to False, and then manually add users to the BookInPolicy field, or, more restrictively, to the RequestInPolicy field.

By default, the BookInPolicy parameter is configured for Everyone. If you leave BookInPolicy with the default setting and you configure the RequestInPolicy parameter with one or more SMTP addresses, the BookInPolicy setting overrides RequestInPolicy. The meeting is automatically accepted if it is within policy.

Compared to the options that were available with Auto Accept Agent, these settings allow you a lot of control to lock down and customize resource booking permissions.

You can't use the EMC to set resource booking policies. To run the Set-MailboxCalendarSettings cmdlet, the account you use must be delegated the Exchange Organization Administrator role.
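A consistency check for the policy interactions described above (booking policies apply only with AutoAccept, the Everyone default on book-in overrides RequestInPolicy, and approval needs someone to answer), as an added example that is not part of the original post. The function names and the sample rooms are hypothetical; the input is assumed to be shaped like Get-MailboxCalendarSettings output.

```powershell
# Added example (not from the original post). The sample rooms are constructed so the
# check runs without an Exchange server.

function Test-HasEntries($value) {
    # True when a list-valued setting holds at least one entry.
    if ($null -eq $value) { return $false }
    return (@($value).Count -gt 0)
}

function Get-BookingPolicyFinding {
    # Reads calendar-settings objects from the pipeline and emits one row per finding.
    process {
        $s = $_
        $findings = @()
        $hasBookIn     = Test-HasEntries $s.BookInPolicy
        $hasRequestIn  = Test-HasEntries $s.RequestInPolicy
        $hasRequestOut = Test-HasEntries $s.RequestOutOfPolicy

        if ($s.AutomateProcessing -ne 'AutoAccept') {
            if ($hasBookIn -or $hasRequestIn -or $hasRequestOut) {
                $findings += 'Policy lists are set but AutomateProcessing is not AutoAccept, so booking policies are not applied.'
            }
        }
        else {
            if ($s.AllBookInPolicy -and $hasRequestIn) {
                $findings += 'RequestInPolicy is overridden: AllBookInPolicy is True, so in-policy requests are accepted without approval.'
            }
            if ((-not $s.AllBookInPolicy) -and (-not $s.AllRequestInPolicy) -and
                (-not $hasBookIn) -and (-not $hasRequestIn)) {
                $findings += 'Nobody can submit an in-policy request: both All* switches are False and both lists are empty.'
            }
            # Approval is only reached when book-in for everyone is off (in policy)
            # or when out-of-policy requests are allowed.
            $inPolicyApproval  = (-not $s.AllBookInPolicy) -and ($s.AllRequestInPolicy -or $hasRequestIn)
            $outPolicyApproval = $s.AllRequestOutOfPolicy -or $hasRequestOut
            if (($inPolicyApproval -or $outPolicyApproval) -and -not (Test-HasEntries $s.ResourceDelegates)) {
                $findings += 'Requests need approval but ResourceDelegates is empty; a FullAccess user must answer from the resource Inbox.'
            }
        }

        foreach ($f in $findings) {
            $row = '' | Select-Object Identity, Finding
            $row.Identity = $s.Identity
            $row.Finding  = $f
            $row
        }
    }
}

function New-SampleSettings([hashtable]$values) {
    # Builds a constructed stand-in for one Get-MailboxCalendarSettings result.
    $o = New-Object PSObject
    foreach ($k in $values.Keys) {
        Add-Member -InputObject $o -MemberType NoteProperty -Name $k -Value $values[$k]
    }
    $o
}

$samples = @(
    # Default AutoAccept room: no findings expected.
    (New-SampleSettings @{ Identity = 'ConfRoom1'; AutomateProcessing = 'AutoAccept'
        AllBookInPolicy = $true; AllRequestInPolicy = $false; AllRequestOutOfPolicy = $false }),
    # RequestInPolicy filled in while everyone can still book in policy.
    (New-SampleSettings @{ Identity = 'Boardroom'; AutomateProcessing = 'AutoAccept'
        AllBookInPolicy = $true; AllRequestInPolicy = $false; AllRequestOutOfPolicy = $false
        RequestInPolicy = @('user1@contoso.com'); ResourceDelegates = @('Delegate1') }),
    # Approval required for everyone, but no delegate defined.
    (New-SampleSettings @{ Identity = 'Training Room'; AutomateProcessing = 'AutoAccept'
        AllBookInPolicy = $false; AllRequestInPolicy = $true; AllRequestOutOfPolicy = $false
        ResourceDelegates = @() }),
    # Policy list set on a room still in the default AutoUpdate mode.
    (New-SampleSettings @{ Identity = 'Lab'; AutomateProcessing = 'AutoUpdate'
        AllBookInPolicy = $true; AllRequestInPolicy = $false; AllRequestOutOfPolicy = $false
        BookInPolicy = @('user2@contoso.com') })
)

$samples | Get-BookingPolicyFinding | Format-Table -AutoSize -Wrap

# Against a live organization (Exchange 2007 Management Shell):
# Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited |
#     ForEach-Object { Get-MailboxCalendarSettings -Identity $_.Identity } |
#     Get-BookingPolicyFinding
```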
How to Set Resource Booking Policies

To control who can schedule a resource, use the following parameters in conjunction with the Set-MailboxCalendarSettings command:
AllBookInPolicy, AllRequestInPolicy, AllRequestOutOfPolicy, BookInPolicy, RequestInPolicy, RequestOutOfPolicy, ForwardRequestsToDelegates, TentativePendingApproval, ResourceDelegates

To control when a resource can be scheduled, use the following parameters in conjunction with the Set-MailboxCalendarSettings command:
AllowConflicts, BookingWindowInDays, EnforceSchedulingHorizon, MaximumDurationInMinutes, AllowRecurringMeetings, ScheduleOnlyDuringWorkingHours, ConflictPercentageAllowed, MaximumConflictInstances

To control what meeting information will be visible on the resource's calendar, use the following parameters in conjunction with the Set-MailboxCalendarSettings command:
DeleteAttachments, DeleteComments, RemovePrivateProperty, DeleteSubject, DisableReminders, AddOrganizerToSubject, DeleteNonCalendarItems, OrganizerInfo

To customize the response message that meeting organizers will receive, you can use the following parameters in the Set-MailboxCalendarSettings command:
AddAdditionalResponse, AdditionalResponse

Here's what "Restricting who can book" looks like:

More information regarding booking policies can be found in the Set-MailboxCalendarSettings cmdlet help.

How to Customize the Response Message for Resource Scheduling

To use the Exchange Management Shell to customize the response message for resource scheduling, run the following command:

Set-MailboxCalendarSettings -Id ResourceMailbox01 -AddAdditionalResponse:$true -AdditionalResponse:<text>

As an example:

Set-MailboxCalendarSettings -Identity "ResourceMailbox01" -AddAdditionalResponse:$true -AdditionalResponse "Add your response text here"

You can also set a custom response through OWA as mentioned previously.
Figure 6: Creating a custom response message using Outlook Web Access

How to Set a Delegate on a Resource Mailbox

In the context of resource mailboxes, the term delegate is used very loosely. You do not use the Delegates tab in the Outlook Tools > Options dialog box to configure the delegate, even though the user(s) managing the resource mailbox might appear on the Delegates tab. These users appear on the Delegates tab because they have Send-on-behalf permissions to the resource mailbox.

In scenarios where you are using the AllRequestOutOfPolicy, RequestOutOfPolicy, AllRequestInPolicy, or RequestInPolicy parameters, you need to use a delegate to respond to meetings that are not automatically accepted or declined by the resource mailbox.

Note: If you don't want to forward requests to a delegate (ForwardRequestsToDelegates = false), you can get away with granting FullAccess permissions for the resource mailbox to a regular user. This user can respond to meeting invites from the Inbox of the resource mailbox.

Because resource mailboxes use disabled accounts in Exchange 2007, the steps to create a delegate for a resource mailbox are a little different than in earlier versions of Exchange. To configure a delegate for an Exchange 2007 resource mailbox, use the following steps.

Run a command similar to the following to specify the delegate for the resource mailbox:

Set-MailboxCalendarSettings Resource1 -ResourceDelegates Delegate1

Note: Because of a bug in ResourceDelegates, the complete permissions for the delegate are not added to the resource mailbox. This is fixed in Exchange 2007 SP1. Therefore, you must also perform one of the following methods to provide the necessary permissions to the delegate.
Use either of the following methods to provide adequate permissions on the resource mailbox to the delegate:

Method 1: Provide Full Access permissions to the delegate

Assign FullAccess mailbox permission for the resource mailbox to a delegate:

Add-MailboxPermission Resource1 -AccessRights FullAccess -User Delegate1

Method 2: Modify the Free/Busy Permissions for the resource mailbox

To modify just the free/busy permissions on the resource mailbox, use the following steps:

1. Assign FullAccess mailbox permission for the resource mailbox to an administrator:

Add-MailboxPermission Resource1 -AccessRights FullAccess -User Admin1

2. Create an Outlook 2007 profile for the resource mailbox.
3. Start Outlook with this new profile and provide the credentials of the Admin1 user when prompted.

Note: Granting an administrator user Full Access permission instead of the delegate is a technique you can use for central administration of resource mailboxes. This allows the administrator to gain access to the resource mailbox while also allowing the delegate to process meetings for the resource.

4. Right-click the Calendar folder and click Properties.
5. On the Permissions page, make sure the delegate (a user other than the administrator Admin1) has at least Editor permissions to the Calendar folder. Click OK.
6. Exit Outlook.

Now check the delegates on the resource mailbox using this command:

Get-MailboxCalendarSettings Resource1 | fl

It should now show:

ResourceDelegates : {Delegate1}

The default setting for the ForwardRequestsToDelegates parameter is true. Therefore, meetings are forwarded to the delegates (listed under ResourceDelegates). If this is set to false, the delegate will not receive the forwarded invite.

Happy resource booking in Exchange Server 2007.

Nagesh Mahadev

The Autodiscover Service and Outlook Providers - how does this stuff work?
To allow Autodiscover to function completely there is an important component in Exchange 2007 Server named Providers. Providers are components that are specifically related to the type of client that is trying to connect and be configured. When the Client Access Server role is installed, three providers are created by default: EXCH, EXPR and WEB. We will discuss each one here. In the second part of this blog post, we will talk about when and if those should be modified.

The Autodiscover Service and Outlook Providers

The diagram below explains the role of the Outlook Provider in the Autodiscover process. When creating or refreshing an Outlook 2007 profile, a request is placed to the Autodiscover service; the service determines which provider needs to handle the request. The XML request contains the necessary information for this to happen, such as the SMTP address and which client (MAPI client or Outlook Anywhere) made the request, so the Autodiscover service can easily identify the provider the request needs to be forwarded to.

How does the Autodiscover service know which Outlook client is making the request?

1. The client posts an HTTP(S) request to the Autodiscover service including an XML request.

2. The Autodiscover service parses and validates the request so it knows which provider the request is targeted for. The XML request contains a reference to a schema as the first part of the opening <Autodiscover> XML tag. As you can see in the example below, the portion "outlook" in the path of the "xmlns=" indicates that a request was made from an Outlook (MAPI) client.

xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006a"

3. If an Outlook Provider cannot be found, the requesting client is notified and the Autodiscover retrieval fails.

4. Once the Autodiscover service has identified the correct provider, it will pass the request to it.
By default, three Outlook Providers are used to configure settings individually for Exchange RPC protocol or internal clients (EXCH), Outlook Anywhere (EXPR) and WEB.

The EXCH setting references the Exchange RPC protocol that is used internally. This setting includes port settings and the internal URLs for the Exchange services that you have enabled.

The EXPR setting references the Exchange HTTP protocol that is used by Outlook Anywhere. This setting includes the external URLs for the Exchange services that you have enabled, which are used by clients that access Exchange from the Internet.

The WEB setting contains the best URL for Outlook Web Access for the user to use. This setting is not in use.

Note: The EXCH and EXPR settings are vital for the proper configuration of Outlook. If not configured correctly, initial connections and configurations for your Exchange Server 2007 mailbox and server services may not function as expected.

5. The provider relies on the Services Discovery service (a set of XSO API calls) to retrieve the stored URL settings from Active Directory. Services Discovery also determines which setting is the best to return, using the e-mail name passed along with the request. Services Discovery will decide which entry to return based on proximity.

6. The provider then processes the request and uses Services Discovery to compile all information configured for the requesting user, and returns that to the Autodiscover service, which then forwards the response to the requesting client.

a. If the request is made by an Outlook Exchange RPC client, the EXCH provider will return the InternalUrl configured on the best CAS server for the following services: Availability Service, OAB virtual directory and Unified Messaging virtual directory. http://technet.microsoft.com/en-us/library/bb332063.aspx

b. If the request is made by an Outlook Anywhere Exchange HTTP client, the EXPR provider will return the ExternalUrl configured on the best CAS server for the same services (Availability Service, OAB virtual directory and Unified Messaging virtual directory) and the ExternalHostName for Outlook Anywhere.

Note: If the ExternalUrl is not set, the CAS will fall back to returning the InternalUrl.

Note: The Internal and External URL for EWS, OAB and UM can be configured through the following cmdlets: Set-WebServicesVirtualDirectory, Set-OABVirtualDirectory and Set-UMVirtualDirectory respectively.

Outlook Providers are global settings in Active Directory

The Outlook Providers are global settings in the Active Directory forest, so there is no need to create an Outlook Provider; however, depending on your environment you might have to tweak their configuration. The Outlook Provider settings are in Active Directory, in the following location:

DC=<domain>, CN=Configuration, CN=Services, CN=Microsoft Exchange, CN=<Organization Name>, CN=Client Access, CN=Autodiscover, CN=Outlook, CN=EXCH or CN=EXPR

In a few days, I'll cover when and if you should make modifications to those providers. Stay tuned!

- Vandy Rodrigues

Released: Update Rollup 5 for Exchange 2010 Service Pack 3 and Update Rollup 13 for Exchange 2007 Service Pack 3
The Exchange team is announcing the availability of the following updates:

- Update Rollup 5 for Exchange Server 2010 Service Pack 3
- Update Rollup 13 for Exchange Server 2007 Service Pack 3

Exchange Server 2010 Service Pack 3 Update Rollup 5 resolves customer reported issues and includes previously released security bulletins for Exchange Server 2010 Service Pack 3. A complete list of the issues resolved in this rollup is available in KB2917508.

Exchange Server 2007 Service Pack 3 Update Rollup 13 provides recent DST changes and adds the ability to publish a 2007 Edge Server from Exchange Server 2013. Update Rollup 13 also contains all previously released security bulletins and fixes and updates for Exchange Server 2007 Service Pack 3. More information on this rollup is available in KB2917522.

Neither release is classified as a security release but customers are encouraged to deploy these updates to their environment once proper validation has been completed.

Note: KB articles may not be fully available at the time of publishing of this post.

The Exchange Team