Split Permissions Model Reference
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
This topic is designed to help you plan your split permissions model. It provides details about Microsoft Exchange Server 2007 permissions in the following sections:
Recipient Management
User-Related Tasks
Contact-Related Tasks
Group-Related Tasks
Dynamic Distribution List-Related Tasks
The tables in this topic list attributes by their Lightweight Directory Access Protocol (LDAP) display name and the name of their Exchange Management Shell property or the name of their location in the Exchange Management Console. If an attribute name is followed by text in parentheses, that text indicates the name as seen in Active Directory directory service interfaces, such as Active Directory Service Interfaces (ADSI) Edit. All references to user objects also apply to the inetOrgPerson object. However, the inetOrgPerson object is not specified because it is rarely used.
Note
To create the corresponding objects in the domain partition, you must be either a member of a privileged security group such as Account Operators or be granted the appropriate security permissions. For more information, see Best Practices for Delegating Active Directory Administration.
Recipient Management
In Exchange 2007, you can use the following administrative interfaces to manage recipients:
Exchange Management Console
Exchange Management Shell
The Exchange Management Console supports the following:
Enabling and disabling recipients
Managing several recipient-related properties
The Exchange Management Shell supports managing all aspects of a recipient.
Exchange-Related Attributes on User, Group, and Contact Objects Managed from the Exchange Management Shell
The Exchange-related attributes are associated with user, inetOrgPerson, group, and contact class objects.
By granting an Exchange Administrator Read and Write access to the attributes that are associated with the tasks listed in this section, the administrator can perform a particular function, such as manage e-mail addresses.
You can be more specific in granting permissions. For example, the Exchange Administrator may be granted the ability to modify only the attributes that are associated with a particular function. For more information, see Planning and Implementing a Split Permissions Model.
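One way to apply such a narrower grant, shown as an added example that is not part of the original topic: it resolves the delivery-restriction settings to their Active Directory attributes using the Set-Mailbox mappings listed in this topic, then grants Read and Write on only those attributes. The OU, the group name, the `$ReviewFirst` list and the helper `Resolve-DelegatedAttribute` are assumptions made for illustration.

```powershell
# Added example: delegate only the attributes behind one recipient function.
# Run in the Exchange Management Shell. Hypothetical values are marked as such.

$TargetOU = 'OU=Recipients,DC=contoso,DC=com'         # hypothetical OU holding the recipients
$Delegate = 'CONTOSO\Exchange Delivery Restrictions'  # hypothetical security group

# Shell property -> Active Directory attribute(s), copied from the Set-Mailbox table.
$PropertyMap = @{
    'AcceptMessagesOnlyFrom'             = 'authOrig'
    'AcceptMessagesOnlyFromDLMembers'    = 'dLMemSubmitPerms'
    'RejectMessagesFrom'                 = 'unauthOrig'
    'RejectMessagesFromDLMembers'        = 'dLMemRejectPerms'
    'RequireSenderAuthenticationEnabled' = 'msExchRequireAuthToSendTo'
    'MaxReceiveSize'                     = 'delivContLength'
    'MaxSendSize'                        = 'submissionContLength'
    'HiddenFromAddressListsEnabled'      = 'msExchHideFromAddressLists; showInAddressBook'
    'Type'                               = 'nTSecurityDescriptor; userAccountControl; msExchMailboxSecurityDescriptor; msExchUserAccountControl; msExchRecipientDisplayType; msExchRecipientTypeDetails; msExchResourceDisplay; msExchResourceSearchProperties; msExchResourceMetaData; msExchMasterAccountSid; showInAddressBook'
}

# Attributes this example will not delegate without a separate decision.
# The list is a local policy assumption, not something the topic prescribes.
$ReviewFirst = 'nTSecurityDescriptor', 'userAccountControl', 'msExchMasterAccountSid'

function Resolve-DelegatedAttribute {
    param([string[]] $ShellProperty)

    $attributes = @()
    foreach ($property in $ShellProperty) {
        if (-not $PropertyMap.ContainsKey($property)) {
            throw "No attribute mapping recorded for '$property'."
        }
        # One shell property can map to several attributes ("a; b; c").
        foreach ($name in $PropertyMap[$property].Split(';')) {
            $name = $name.Trim()
            if ($ReviewFirst -contains $name) {
                throw "'$property' requires '$name'; review that grant separately."
            }
            if ($attributes -notcontains $name) { $attributes += $name }
        }
    }
    return $attributes
}

# The settings that make up the delivery-restriction function.
$deliveryRestrictions = 'AcceptMessagesOnlyFrom',
                        'AcceptMessagesOnlyFromDLMembers',
                        'RejectMessagesFrom',
                        'RejectMessagesFromDLMembers',
                        'RequireSenderAuthenticationEnabled'

$attributes = Resolve-DelegatedAttribute $deliveryRestrictions
# Resolves to: authOrig, dLMemSubmitPerms, unauthOrig, dLMemRejectPerms,
# msExchRequireAuthToSendTo

# Grant Read and Write on those attributes only, inherited by user objects
# below the OU. Repeat with group or contact as the inherited object type
# if those recipients are in scope. -WhatIf previews the change; remove it
# once the attribute list has been reviewed.
Add-ADPermission -Identity $TargetOU -User $Delegate `
    -AccessRights ReadProperty, WriteProperty `
    -Properties $attributes `
    -InheritanceType Descendents -InheritedObjectType user -WhatIf

# List the entries held by the delegate so the grant can be compared
# with the resolved attribute list.
Get-ADPermission -Identity $TargetOU -User $Delegate |
    Format-List User, AccessRights, Properties, InheritedObjectType, Deny
```

Passing `'Type'` to `Resolve-DelegatedAttribute` stops with an error, because that setting maps to attributes on the `$ReviewFirst` list.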
User-Related Properties
The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-User cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.
Set-User properties
Exchange Management Shell property | Active Directory attribute |
---|---|
AssistantName | msExchAssistantName |
City | l |
Company | company |
CountryOrRegion | countryCode; co; c |
Department | department |
DirectReports | directReports |
DisplayName | displayName (Display Name) |
Fax | facsimileTelephoneNumber |
FirstName | givenName |
HomePhone | homePhone |
Initials | initials |
LastName | sn |
Manager | manager |
MobilePhone | mobile |
Name | name; cn |
Notes | info |
Office | physicalDeliveryOfficeName |
OtherFax | otherFacsimileTelephoneNumber |
OtherHomePhone | otherHomePhone |
OtherTelephone | otherTelephone |
Pager | pager |
Phone | telephoneNumber |
PhoneticDisplayName | msDS-PhoneticDisplayName |
PostalCode | postalCode |
PostOfficeBox | postOfficeBox |
SimpleDisplayName | displayNamePrintable |
StateOrProvince | st |
StreetAddress | streetAddress |
Title | title |
TelephoneAssistant | telephoneAssistant |
Mail-Enabled User-Related Properties
The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-MailUser cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.
Set-MailUser properties
Exchange Management Shell property | Active Directory attribute |
---|---|
AcceptMessagesOnlyFrom | authOrig |
AcceptMessagesOnlyFromDLMembers | dLMemSubmitPerms |
Alias | mailNickname (Alias) |
CustomAttribute1 | extensionAttribute1 (Custom Attribute 1) |
CustomAttribute10 | extensionAttribute10 (Custom Attribute 10) |
CustomAttribute11 | extensionAttribute11 (Custom Attribute 11) |
CustomAttribute12 | extensionAttribute12 (Custom Attribute 12) |
CustomAttribute13 | extensionAttribute13 (Custom Attribute 13) |
CustomAttribute14 | extensionAttribute14 (Custom Attribute 14) |
CustomAttribute15 | extensionAttribute15 (Custom Attribute 15) |
CustomAttribute2 | extensionAttribute2 (Custom Attribute 2) |
CustomAttribute3 | extensionAttribute3 (Custom Attribute 3) |
CustomAttribute4 | extensionAttribute4 (Custom Attribute 4) |
CustomAttribute5 | extensionAttribute5 (Custom Attribute 5) |
CustomAttribute6 | extensionAttribute6 (Custom Attribute 6) |
CustomAttribute7 | extensionAttribute7 (Custom Attribute 7) |
CustomAttribute8 | extensionAttribute8 (Custom Attribute 8) |
CustomAttribute9 | extensionAttribute9 (Custom Attribute 9) |
DisplayName | displayName (Display Name) |
EmailAddresses | proxyAddresses (Proxy Addresses) |
EmailAddressPolicyEnabled | msExchPoliciesIncluded; msExchPoliciesExcluded |
Extensions | proxyAddresses (Proxy Addresses) |
ExternalEmailAddress | targetAddress |
GrantSendOnBehalfTo | publicDelegates |
HiddenFromAddressListsEnabled | showInAddressBook; msExchHideFromAddressLists |
MacAttachmentFormat | internetEncoding |
MaxReceiveSize | delivContLength |
MaxSendSize | submissionContLength |
MessageBodyFormat | internetEncoding |
MessageFormat | internetEncoding |
Name | name; cn |
PrimarySmtpAddress | mail (E-Mail Address) |
RecipientLimits | msExchRecipLimit |
RejectMessagesFrom | unauthOrig |
RejectMessagesFromDLMembers | dLMemRejectPerms |
RequireSenderAuthenticationEnabled | msExchRequireAuthToSendTo |
SecondaryAddress | proxyAddresses (Proxy Addresses) |
SecondaryDialPlan | proxyAddresses (Proxy Addresses) |
SimpleDisplayName | displayNamePrintable |
UMDTMFMap | msExchUMDtmfMap |
UseMapiRichTextFormat | mAPIRecipient |
UsePreferMessageFormat | internetEncoding |
Mailbox-Enabled User-Related Properties
The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-Mailbox cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.
Set-Mailbox properties
Exchange Management Shell property | Active Directory attribute |
---|---|
AcceptMessagesOnlyFrom | authOrig |
AcceptMessagesOnlyFromDLMembers | dLMemSubmitPerms |
Alias | mailNickname (Alias) |
AntispamBypassEnabled | msExchMessageHygieneFlags |
ApplyMandatoryProperties | msExchVersion; msExchRecipientDisplayType; msExchRecipientTypeDetails |
CustomAttribute1 | extensionAttribute1 (Custom Attribute 1) |
CustomAttribute10 | extensionAttribute10 (Custom Attribute 10) |
CustomAttribute11 | extensionAttribute11 (Custom Attribute 11) |
CustomAttribute12 | extensionAttribute12 (Custom Attribute 12) |
CustomAttribute13 | extensionAttribute13 (Custom Attribute 13) |
CustomAttribute14 | extensionAttribute14 (Custom Attribute 14) |
CustomAttribute15 | extensionAttribute15 (Custom Attribute 15) |
CustomAttribute2 | extensionAttribute2 (Custom Attribute 2) |
CustomAttribute3 | extensionAttribute3 (Custom Attribute 3) |
CustomAttribute4 | extensionAttribute4 (Custom Attribute 4) |
CustomAttribute5 | extensionAttribute5 (Custom Attribute 5) |
CustomAttribute6 | extensionAttribute6 (Custom Attribute 6) |
CustomAttribute7 | extensionAttribute7 (Custom Attribute 7) |
CustomAttribute8 | extensionAttribute8 (Custom Attribute 8) |
CustomAttribute9 | extensionAttribute9 (Custom Attribute 9) |
DeliverToMailboxAndForward | deliverAndRedirect |
DisplayName | displayName (Display Name) |
EmailAddresses | proxyAddresses (Proxy Addresses) |
EmailAddressPolicyEnabled | msExchPoliciesIncluded; msExchPoliciesExcluded |
EndDateForRetentionHold | msExchELCExpirySuspensionEnd |
Extensions | proxyAddresses (Proxy Addresses) |
ExternalOofOptions | msExchExternalOOFOptions |
ForwardingAddress | altRecipient |
GrantSendOnBehalfTo | publicDelegates |
HiddenFromAddressListsEnabled | msExchHideFromAddressLists; showInAddressBook |
IssueWarningQuota | mDBStorageQuota |
Languages | msExchUserCulture |
LinkedMasterAccount | msExchMasterAccountSid |
ManagedFolderMailboxPolicy | msExchMailboxTemplateLink |
MaxBlockedSenders | msExchMaxBlockedSenders |
MaxReceiveSize | delivContLength |
MaxSafeSenders | msExchMaxSafeSenders |
MaxSendSize | submissionContLength |
Name | name; cn |
Office | physicalDeliveryOfficeName |
OfflineAddressBook | msExchUseOAB |
PrimarySmtpAddress | mail (E-Mail Address) |
ProhibitSendQuota | mDBOverQuotaLimit |
ProhibitSendReceiveQuota | mDBOverHardQuotaLimit |
RecipientLimits | msExchRecipLimit |
RejectMessagesFrom | unauthOrig |
RejectMessagesFromDLMembers | dLMemRejectPerms |
RequireSenderAuthenticationEnabled | msExchRequireAuthToSendTo |
ResourceCapacity | msExchResourceCapacity |
ResourceCustom | msExchResourceSearchProperties; msExchResourceDisplay |
RetainDeletedItemsFor | garbageCollPeriod |
RetainDeletedItemsUntilBackup | deletedItemFlags |
RetentionHoldEnabled | msExchELCMailboxFlags |
RulesQuota | msExchMDBRulesQuota |
SCLDeleteEnabled | msExchMessageHygieneSCLDeleteThreshold |
SCLDeleteThreshold | msExchMessageHygieneSCLDeleteThreshold |
SCLJunkEnabled | msExchMessageHygieneSCLJunkThreshold |
SCLJunkThreshold | msExchMessageHygieneSCLJunkThreshold |
SCLQuarantineEnabled | msExchMessageHygieneSCLQuarantineThreshold |
SCLQuarantineThreshold | msExchMessageHygieneSCLQuarantineThreshold |
SCLRejectEnabled | msExchMessageHygieneSCLRejectThreshold |
SCLRejectThreshold | msExchMessageHygieneSCLRejectThreshold |
SimpleDisplayName | displayNamePrintable |
StartDateForRetentionHold | msExchELCExpirySuspensionStart |
Type | nTSecurityDescriptor; userAccountControl; msExchMailboxSecurityDescriptor; msExchUserAccountControl; msExchRecipientDisplayType; msExchRecipientTypeDetails; msExchResourceDisplay; msExchResourceSearchProperties; msExchResourceMetaData; msExchMasterAccountSid; showInAddressBook |
UMDtmfMap | msExchUMDtmfMap |
UseDatabaseQuotaDefaults | mDBUseDefaults |
UseDatabaseRetentionDefaults | deletedItemFlags |
Client Access Features: Mailbox-Enabled User-Related Properties
The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-CASMailbox cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.
Set-CASMailbox properties
Exchange Management Shell property | Active Directory attribute |
---|---|
ActiveSyncAllowedDeviceIDs | msExchMobileAllowedDeviceIDs |
ActiveSyncDebugLogging | msExchMobileDebugLogging |
ActiveSyncMailboxPolicy | msExchMobileMailboxPolicyLink |
ActiveSyncEnabled | msExchOmaAdminWirelessEnable |
DisplayName | displayName (Display Name) |
EmailAddresses | proxyAddresses (Proxy Addresses) |
HasActiveSyncDevicePartnership | msExchMobileMailboxFlags |
ImapEnabled | protocolSettings |
ImapMessagesRetrievalMimeFormat | protocolSettings |
ImapUseProtocolDefaults | protocolSettings |
MAPIBlockOutlookNonCachedMode | protocolSettings |
MAPIBlockOutlookRpcHttp | protocolSettings |
MAPIBlockOutlookVersions | protocolSettings |
MAPIEnabled | protocolSettings |
Name | name; cn |
OWAActiveSyncIntegrationEnabled | msExchMailboxFolderSet |
OWAAllAddressListsEnabled | msExchMailboxFolderSet |
OWACalendarEnabled | msExchMailboxFolderSet |
OWAChangePasswordEnabled | msExchMailboxFolderSet |
OWAContactsEnabled | msExchMailboxFolderSet |
OWAEnabled | protocolSettings |
OWAJournalEnabled | msExchMailboxFolderSet |
OWAJunkEmailEnabled | msExchMailboxFolderSet |
OWANotesEnabled | msExchMailboxFolderSet |
OWAPremiumClientEnabled | msExchMailboxFolderSet |
OWARemindersAndNotificationsEnabled | msExchMailboxFolderSet |
OWASearchFoldersEnabled | msExchMailboxFolderSet |
OWASignaturesEnabled | msExchMailboxFolderSet |
OWASpellCheckerEnabled | msExchMailboxFolderSet |
OWATasksEnabled | msExchMailboxFolderSet |
OWAThemeSelectionEnabled | msExchMailboxFolderSet |
OWAUMIntegrationEnabled | msExchMailboxFolderSet |
OWAUNCAccessOnPrivateComputersEnabled | msExchMailboxFolderSet |
OWAUNCAccessOnPublicComputersEnabled | msExchMailboxFolderSet |
OWAWSSAccessOnPrivateComputersEnabled | msExchMailboxFolderSet |
OWAWSSAccessOnPublicComputersEnabled | msExchMailboxFolderSet |
PopEnabled | protocolSettings |
PopMessagesRetrievalMimeFormat | protocolSettings |
PopUseProtocolDefaults | protocolSettings |
PrimarySmtpAddress | mail (E-Mail Address) |
ProtocolSettings | protocolSettings |
Unified Messaging Features: Mailbox-Enabled User-Related Properties
The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-UMMailbox cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.
Set-UMMailbox properties
Exchange Management Shell property | Active Directory attribute |
---|---|
AllowUMCallsFromNonUsers | msExchUMListInDirectorySearch |
AnonymousCallersCanLeaveMessages | msExchUMEnabledFlags |
AutomaticSpeechRecognitionEnabled | msExchUMEnabledFlags |
CallAnsweringAudioCodec | msExchUMAudioCodec |
Extensions | proxyAddresses |
FaxEnabled | msExchUMEnabledFlags |
MissedCallNotificationEnabled | msExchUMServerWritableFlags |
OperatorNumber | msExchUMOperatorNumber |
SubscriberAccessEnabled | msExchUMEnabledFlags |
TUIAccessToAddressBookEnabled | msExchUMEnabledFlags |
TUIAccessToCalendarEnabled | msExchUMEnabledFlags |
TUIAccessToEmailEnabled | msExchUMEnabledFlags |
UMDialPlan | msExchUMRecipientDialPlanLink |
UMDtmfMap | msExchUMDtmfMap |
UMMailboxPolicy | msExchUMTemplateLink |
Contact-Related Properties
The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-Contact cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.
Set-Contact properties
Exchange Management Shell property | Active Directory attribute |
---|---|
AssistantName | msExchAssistantName |
City | l |
Company | company |
CountryOrRegion | countryCode; co; c |
Department | department |
DisplayName | displayName (Display Name) |
Fax | facsimileTelephoneNumber |
FirstName | givenName |
HomePhone | homePhone |
Initials | initials |
LastName | sn |
Manager | manager |
MobilePhone | mobile |
Name | name; cn |
Notes | info |
Office | physicalDeliveryOfficeName |
OtherFax | otherFacsimileTelephoneNumber |
OtherHomePhone | otherHomePhone |
OtherTelephone | otherTelephone |
Pager | pager |
Phone | telephoneNumber |
PhoneticDisplayName | msDS-PhoneticDisplayName |
PostalCode | postalCode |
PostOfficeBox | postOfficeBox |
SimpleDisplayName | displayNamePrintable |
StateOrProvince | st |
StreetAddress | streetAddress |
TelephoneAssistant | telephoneAssistant |
Title | title |
Mail-Enabled Contact-Related Properties
The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-MailContact cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.
Set-MailContact properties
Exchange Management Shell property | Active Directory attribute |
---|---|
AcceptMessagesOnlyFrom | authOrig |
AcceptMessagesOnlyFromDLMembers | dLMemSubmitPerms |
Alias | mailNickname (Alias) |
CustomAttribute1 | extensionAttribute1 (Custom Attribute 1) |
CustomAttribute10 | extensionAttribute10 (Custom Attribute 10) |
CustomAttribute11 | extensionAttribute11 (Custom Attribute 11) |
CustomAttribute12 | extensionAttribute12 (Custom Attribute 12) |
CustomAttribute13 | extensionAttribute13 (Custom Attribute 13) |
CustomAttribute14 | extensionAttribute14 (Custom Attribute 14) |
CustomAttribute15 | extensionAttribute15 (Custom Attribute 15) |
CustomAttribute2 | extensionAttribute2 (Custom Attribute 2) |
CustomAttribute3 | extensionAttribute3 (Custom Attribute 3) |
CustomAttribute4 | extensionAttribute4 (Custom Attribute 4) |
CustomAttribute5 | extensionAttribute5 (Custom Attribute 5) |
CustomAttribute6 | extensionAttribute6 (Custom Attribute 6) |
CustomAttribute7 | extensionAttribute7 (Custom Attribute 7) |
CustomAttribute8 | extensionAttribute8 (Custom Attribute 8) |
CustomAttribute9 | extensionAttribute9 (Custom Attribute 9) |
DisplayName | displayName (Display Name) |
EmailAddresses | proxyAddresses (Proxy Addresses) |
EmailAddressPolicyEnabled | msExchPoliciesIncluded; msExchPoliciesExcluded |
Extensions | proxyAddresses (Proxy Addresses) |
ExternalEmailAddress | targetAddress |
GrantSendOnBehalfTo | publicDelegates |
HiddenFromAddressListsEnabled | showInAddressBook; msExchHideFromAddressLists |
MacAttachmentFormat | internetEncoding |
MaxReceiveSize | delivContLength |
MaxRecipientPerMessage | msExchRecipLimit |
MaxSendSize | submissionContLength |
MessageBodyFormat | internetEncoding |
MessageFormat | internetEncoding |
Name | name; cn |
PrimarySmtpAddress | mail (E-Mail Address) |
RejectMessagesFrom | unauthOrig |
RejectMessagesFromDLMembers | dLMemRejectPerms |
RequireSenderAuthenticationEnabled | msExchRequireAuthToSendTo |
SecondaryAddress | proxyAddresses (Proxy Addresses) |
SecondaryDialPlan | proxyAddresses (Proxy Addresses) |
SimpleDisplayName | displayNamePrintable |
UMDTMFMap | msExchUMDtmfMap |
UseMapiRichTextFormat | mAPIRecipient |
UsePreferMessageFormat | internetEncoding |
Group-Related Properties
The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-Group cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.
Set-Group properties
Exchange Management Shell property | Active Directory attribute |
---|---|
DisplayName | displayName (Display Name) |
ManagedBy | managedBy |
Name | name; cn |
Notes | info |
PhoneticDisplayName | msDS-PhoneticDisplayName |
SimpleDisplayName | displayNamePrintable |
Universal | groupType |
Distribution Group-Related Properties
The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-DistributionGroup cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.
Set-DistributionGroup properties
Exchange Management Shell property | Active Directory attribute |
---|---|
AcceptMessagesOnlyFrom | authOrig |
AcceptMessagesOnlyFromDLMembers | dLMemSubmitPerms |
Alias | mailNickname (Alias) |
CustomAttribute1 | extensionAttribute1 (Custom Attribute 1) |
CustomAttribute10 | extensionAttribute10 (Custom Attribute 10) |
CustomAttribute11 | extensionAttribute11 (Custom Attribute 11) |
CustomAttribute12 | extensionAttribute12 (Custom Attribute 12) |
CustomAttribute13 | extensionAttribute13 (Custom Attribute 13) |
CustomAttribute14 | extensionAttribute14 (Custom Attribute 14) |
CustomAttribute15 | extensionAttribute15 (Custom Attribute 15) |
CustomAttribute2 | extensionAttribute2 (Custom Attribute 2) |
CustomAttribute3 | extensionAttribute3 (Custom Attribute 3) |
CustomAttribute4 | extensionAttribute4 (Custom Attribute 4) |
CustomAttribute5 | extensionAttribute5 (Custom Attribute 5) |
CustomAttribute6 | extensionAttribute6 (Custom Attribute 6) |
CustomAttribute7 | extensionAttribute7 (Custom Attribute 7) |
CustomAttribute8 | extensionAttribute8 (Custom Attribute 8) |
CustomAttribute9 | extensionAttribute9 (Custom Attribute 9) |
DisplayName | displayName (Display Name) |
EmailAddresses | proxyAddresses (Proxy Addresses) |
EmailAddressPolicyEnabled | msExchPoliciesIncluded; msExchPoliciesExcluded |
ExpansionServer | msExchExpansionServerName; homeMTA |
GrantSendOnBehalfTo | publicDelegates |
HiddenFromAddressListsEnabled | showInAddressBook; msExchHideFromAddressLists |
MaxReceiveSize | delivContLength |
MaxSendSize | submissionContLength |
Name | name; cn |
PrimarySmtpAddress | mail (E-Mail Address) |
RejectMessagesFrom | unauthOrig |
RejectMessagesFromDLMembers | dLMemRejectPerms |
ReportToManagerEnabled | reportToOwner |
ReportToOriginatorEnabled | reportToOriginator |
RequireSenderAuthenticationEnabled | msExchRequireAuthToSendTo |
SendOofMessageToOriginatorEnabled | oOFReplyToOriginator |
SimpleDisplayName | displayNamePrintable |
UMDtmfMap | msExchUMDtmfMap |
Dynamic Distribution Group-Related Properties
The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-DynamicDistributionGroup cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.
Set-DynamicDistributionGroup properties
Exchange Management Shell property | Active Directory attribute |
---|---|
AcceptMessagesOnlyFrom | authOrig |
AcceptMessagesOnlyFromDLMembers | dLMemSubmitPerms |
Alias | mailNickname (Alias) |
ConditionalCompany | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute1 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute10 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute11 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute12 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute13 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute14 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute15 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute2 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute3 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute4 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute5 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute6 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute7 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute8 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalCustomAttribute9 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalDepartment | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ConditionalStateOrProvince | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
CustomAttribute1 | extensionAttribute1 (Custom Attribute 1) |
CustomAttribute10 | extensionAttribute10 (Custom Attribute 10) |
CustomAttribute11 | extensionAttribute11 (Custom Attribute 11) |
CustomAttribute12 | extensionAttribute12 (Custom Attribute 12) |
CustomAttribute13 | extensionAttribute13 (Custom Attribute 13) |
CustomAttribute14 | extensionAttribute14 (Custom Attribute 14) |
CustomAttribute15 | extensionAttribute15 (Custom Attribute 15) |
CustomAttribute2 | extensionAttribute2 (Custom Attribute 2) |
CustomAttribute3 | extensionAttribute3 (Custom Attribute 3) |
CustomAttribute4 | extensionAttribute4 (Custom Attribute 4) |
CustomAttribute5 | extensionAttribute5 (Custom Attribute 5) |
CustomAttribute6 | extensionAttribute6 (Custom Attribute 6) |
CustomAttribute7 | extensionAttribute7 (Custom Attribute 7) |
CustomAttribute8 | extensionAttribute8 (Custom Attribute 8) |
CustomAttribute9 | extensionAttribute9 (Custom Attribute 9) |
DisplayName | displayName (Display Name) |
EmailAddresses | proxyAddresses (Proxy Addresses) |
EmailAddressPolicyEnabled | msExchPoliciesIncluded; msExchPoliciesExcluded |
ExpansionServer | msExchExpansionServerName; homeMTA |
ForceUpgrade | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata; proxyAddresses; msExchRecipientDisplayType |
GrantSendOnBehalfTo | publicDelegates |
HiddenFromAddressListsEnabled | showInAddressBook; msExchHideFromAddressLists |
IncludedRecipients | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
ManagedBy | managedBy |
MaxReceiveSize | delivContLength |
MaxSendSize | submissionContLength |
Name | name; cn |
Notes | info |
PhoneticDisplayName | msDS-PhoneticDisplayName |
PrimarySmtpAddress | mail (E-Mail Address) |
RecipientContainer | msExchDynamicDLBaseDN |
RecipientFilter | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata |
RejectMessagesFrom | unauthOrig |
RejectMessagesFromDLMembers | dLMemRejectPerms |
ReportToManagerEnabled | reportToOwner |
ReportToOriginatorEnabled | reportToOriginator |
RequireSenderAuthenticationEnabled | msExchRequireAuthToSendTo |
SendOofMessageToOriginatorEnabled | oOFReplyToOriginator |
SimpleDisplayName | displayNamePrintable |
UMDtmfMap | msExchUMDtmfMap |
Public Folder-Related Properties
New in Exchange 2007 Service Pack 1 (SP1)
The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-MailPublicFolder cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.
Set-MailPublicFolder properties
Exchange Management Shell property | Active Directory attribute |
---|---|
AcceptMessagesOnlyFrom | authOrig |
AcceptMessagesOnlyFromDLMembers | dLMemSubmitPerms |
Alias | mailNickname (Alias) |
Contacts | pFContacts |
CustomAttribute1 | extensionAttribute1 (Custom Attribute 1) |
CustomAttribute10 | extensionAttribute10 (Custom Attribute 10) |
CustomAttribute11 | extensionAttribute11 (Custom Attribute 11) |
CustomAttribute12 | extensionAttribute12 (Custom Attribute 12) |
CustomAttribute13 | extensionAttribute13 (Custom Attribute 13) |
CustomAttribute14 | extensionAttribute14 (Custom Attribute 14) |
CustomAttribute15 | extensionAttribute15 (Custom Attribute 15) |
CustomAttribute2 | extensionAttribute2 (Custom Attribute 2) |
CustomAttribute3 | extensionAttribute3 (Custom Attribute 3) |
CustomAttribute4 | extensionAttribute4 (Custom Attribute 4) |
CustomAttribute5 | extensionAttribute5 (Custom Attribute 5) |
CustomAttribute6 | extensionAttribute6 (Custom Attribute 6) |
CustomAttribute7 | extensionAttribute7 (Custom Attribute 7) |
CustomAttribute8 | extensionAttribute8 (Custom Attribute 8) |
CustomAttribute9 | extensionAttribute9 (Custom Attribute 9) |
DeliverToMailboxAndForward | deliverAndRedirect |
DisplayName | displayName (Display Name) |
EmailAddresses | proxyAddresses (Proxy Addresses) |
EmailAddressPolicyEnabled | msExchPoliciesIncluded; msExchPoliciesExcluded |
GrantSendOnBehalfTo | publicDelegates |
HiddenFromAddressListsEnabled | showInAddressBook; msExchHideFromAddressLists |
MaxReceiveSize | delivContLength |
MaxSendSize | submissionContLength |
Name | name; cn |
PhoneticDisplayName | msDS-PhoneticDisplayName |
PrimarySmtpAddress | mail (E-Mail Address) |
PublicFolderType | msExchPFTreeType |
RejectMessagesFrom | unauthOrig |
RejectMessagesFromDLMembers | dLMemRejectPerms |
RequireSenderAuthenticationEnabled | msExchRequireAuthToSendTo |
SimpleDisplayName | displayNamePrintable |
UMDTMFMap | msExchUMDtmfMap |
UseMapiRichTextFormat | mAPIRecipient |
UsePreferMessageFormat | internetEncoding |
Exchange-Related Attributes on User, Group, and Contact Objects Managed from the Exchange Management Console
The Exchange-related attributes are associated with user, inetOrgPerson, group, and contact class objects. In this section, these attributes are listed according to each tab in the Exchange Management Console.
By granting an Exchange Administrator Read and Write access to the attributes that are associated with the tabs documented in this section, the administrator can perform a particular function, such as manage e-mail addresses.
You can be more specific in granting permissions. For example, you can grant the Exchange Administrator the ability to modify only the attributes that are associated with a particular function on the tab, such as Delivery Restrictions. For more information, see Permission Considerations.
General Tab: Mailbox
The following table lists the attributes that can be viewed on the General tab of mailbox-enabled user objects when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
General tab | displayName (Display Name) | Display name |
General tab | mailNickname (Alias) | Alias |
General tab | msExchHideFromAddressLists | Hide from Address Book |
Custom Attributes button | extensionAttribute1 (Custom Attribute 1) | Custom Attribute |
Custom Attributes button | extensionAttribute10 (Custom Attribute 10) | Custom Attribute |
Custom Attributes button | extensionAttribute11 (Custom Attribute 11) | Custom Attribute |
Custom Attributes button | extensionAttribute12 (Custom Attribute 12) | Custom Attribute |
Custom Attributes button | extensionAttribute13 (Custom Attribute 13) | Custom Attribute |
Custom Attributes button | extensionAttribute14 (Custom Attribute 14) | Custom Attribute |
Custom Attributes button | extensionAttribute15 (Custom Attribute 15) | Custom Attribute |
Custom Attributes button | extensionAttribute2 (Custom Attribute 2) | Custom Attribute |
Custom Attributes button | extensionAttribute3 (Custom Attribute 3) | Custom Attribute |
Custom Attributes button | extensionAttribute4 (Custom Attribute 4) | Custom Attribute |
Custom Attributes button | extensionAttribute5 (Custom Attribute 5) | Custom Attribute |
Custom Attributes button | extensionAttribute6 (Custom Attribute 6) | Custom Attribute |
Custom Attributes button | extensionAttribute7 (Custom Attribute 7) | Custom Attribute |
Custom Attributes button | extensionAttribute8 (Custom Attribute 8) | Custom Attribute |
Custom Attributes button | extensionAttribute9 (Custom Attribute 9) | Custom Attribute |
General Tab: Mail-Enabled User or Mail-Enabled Contact Objects
The following table lists the attributes that can be viewed on the General tab of mail-enabled user or mail-enabled inetOrgPerson or mail-enabled contact objects when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
General tab | displayName (Display Name) | Display name |
General tab | mailNickname (Alias) | Alias |
General tab | msExchHideFromAddressLists | Hide from Address Book |
General tab | mAPIRecipient | Use MAPI Rich Text Format (RTF) |
Custom Attributes button | extensionAttribute1 (Custom Attribute 1) | Custom Attribute |
Custom Attributes button | extensionAttribute10 (Custom Attribute 10) | Custom Attribute |
Custom Attributes button | extensionAttribute11 (Custom Attribute 11) | Custom Attribute |
Custom Attributes button | extensionAttribute12 (Custom Attribute 12) | Custom Attribute |
Custom Attributes button | extensionAttribute13 (Custom Attribute 13) | Custom Attribute |
Custom Attributes button | extensionAttribute14 (Custom Attribute 14) | Custom Attribute |
Custom Attributes button | extensionAttribute15 (Custom Attribute 15) | Custom Attribute |
Custom Attributes button | extensionAttribute2 (Custom Attribute 2) | Custom Attribute |
Custom Attributes button | extensionAttribute3 (Custom Attribute 3) | Custom Attribute |
Custom Attributes button | extensionAttribute4 (Custom Attribute 4) | Custom Attribute |
Custom Attributes button | extensionAttribute5 (Custom Attribute 5) | Custom Attribute |
Custom Attributes button | extensionAttribute6 (Custom Attribute 6) | Custom Attribute |
Custom Attributes button | extensionAttribute7 (Custom Attribute 7) | Custom Attribute |
Custom Attributes button | extensionAttribute8 (Custom Attribute 8) | Custom Attribute |
Custom Attributes button | extensionAttribute9 (Custom Attribute 9) | Custom Attribute |
General Tab: Mail-Enabled Group and Dynamic Distribution Group Objects
The following table lists the attributes that can be viewed on the General tab of mail-enabled group and dynamic distribution group objects when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
General tab | displayName (Display Name) | Display name |
General tab | mailNickname (Alias) | Alias |
Custom Attributes button | extensionAttribute1 (Custom Attribute 1) | Custom Attribute |
Custom Attributes button | extensionAttribute10 (Custom Attribute 10) | Custom Attribute |
Custom Attributes button | extensionAttribute11 (Custom Attribute 11) | Custom Attribute |
Custom Attributes button | extensionAttribute12 (Custom Attribute 12) | Custom Attribute |
Custom Attributes button | extensionAttribute13 (Custom Attribute 13) | Custom Attribute |
Custom Attributes button | extensionAttribute14 (Custom Attribute 14) | Custom Attribute |
Custom Attributes button | extensionAttribute15 (Custom Attribute 15) | Custom Attribute |
Custom Attributes button | extensionAttribute2 (Custom Attribute 2) | Custom Attribute |
Custom Attributes button | extensionAttribute3 (Custom Attribute 3) | Custom Attribute |
Custom Attributes button | extensionAttribute4 (Custom Attribute 4) | Custom Attribute |
Custom Attributes button | extensionAttribute5 (Custom Attribute 5) | Custom Attribute |
Custom Attributes button | extensionAttribute6 (Custom Attribute 6) | Custom Attribute |
Custom Attributes button | extensionAttribute7 (Custom Attribute 7) | Custom Attribute |
Custom Attributes button | extensionAttribute8 (Custom Attribute 8) | Custom Attribute |
Custom Attributes button | extensionAttribute9 (Custom Attribute 9) | Custom Attribute |
User Information Tab: User Objects
The following table lists the attributes that can be viewed on the User Information tab of user or inetOrgPerson objects when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
User Information tab | givenName | First Name |
User Information tab | initials | Initials |
User Information tab | sn | Last Name |
User Information tab | cn | Name |
User Information tab | displayNamePrintable | Simple Display Name |
User Information tab | info | Notes |
Contact Information Tab: Contact Objects
The following table lists the attributes that can be viewed on the User Information tab of contact objects when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
User Information tab | givenName | First Name |
User Information tab | initials | Initials |
User Information tab | sn | Last Name |
User Information tab | cn | Name |
User Information tab | displayNamePrintable | Simple Display Name |
User Information tab | info | Notes |
Address and Phone Tab: User and Contact Objects
The following table lists the attributes that can be viewed on the Address and Phone tab of user, inetOrgPerson, and contact objects when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
Address and Phone tab | streetAddress | Street Address |
Address and Phone tab | l | City |
Address and Phone tab | st | State/Province |
Address and Phone tab | postalCode | ZIP/Postal Code |
Address and Phone tab | c; co; countryCode | Country/region |
Address and Phone tab | telephoneNumber | Business Phone |
Address and Phone tab | pager | Pager |
Address and Phone tab | homePhone | Home Phone |
Address and Phone tab | facsimileTelephoneNumber | Fax Number |
Address and Phone tab | mobile | Mobile Number |
Organization Tab: User and Contact Objects
The following table lists the attributes that can be viewed on the Organization tab of user, inetOrgPerson, and contact objects when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
Organization tab | title | Title |
Organization tab | company | Company |
Organization tab | department | Department |
Organization tab | physicalDeliveryOfficeName | Office |
Organization tab | manager | Manager |
Organization tab | directReports | Direct Reports |
Group Information Tab: Group Objects
The following table lists the attributes that can be viewed on the Group Information tab of group and dynamic group objects when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
Group Information tab | cn; name | Name |
Group Information tab | managedBy | Managed By |
Group Information tab | info | Notes |
E-Mail Addresses Tab
The following table lists the attributes that can be viewed on the E-Mail Addresses tab of a user, inetOrgPerson, group, dynamic distribution group, contact, or public folder object when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
E-Mail Addresses tab | proxyAddresses (Proxy Addresses) | All proxy addresses |
E-Mail Addresses tab | msExchPoliciesExcluded; msExchPoliciesIncluded | Controlled by recipient policy? |
E-Mail Addresses tab | mail (E-Mail Address) | Primary e-mail address |
E-Mail Addresses tab | textEncodedORAddress | Primary X.400 address |
Mailbox Settings Tab: Mailbox
The following table lists the attributes that can be viewed on the Mailbox Settings tab of a mailbox-enabled user or inetOrgPerson object when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
Messaging Records Management dialog box | msExchMailboxTemplateLink | Records Management Folder Policy |
Messaging Records Management dialog box | msExchELCMailboxFlags | Suspension Flag |
Messaging Records Management dialog box | msExchELCExpirySuspensionStart | Suspension Start Date/Time |
Messaging Records Management dialog box | msExchELCExpirySuspensionEnd | Suspension End Date/Time |
Storage Quotas dialog box | mDBOverHardQuotaLimit | Prohibit send/receive |
Storage Quotas dialog box | mDBOverQuotaLimit | Prohibit send |
Storage Quotas dialog box | mDBStorageQuota | Warning size |
Storage Quotas dialog box | mDBUseDefaults | Use store defaults |
Storage Quotas dialog box | garbageCollPeriod | Deleted item retention |
Storage Quotas dialog box | deletedItemFlags | Deleted item retention |
Mail Flow Settings Tab: Mailbox
The following table lists the attributes that can be viewed on the Mail Flow Settings tab of a mailbox-enabled user or inetOrgPerson object when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
Delivery Options dialog box | deliverAndRedirect | Store and forward message |
Delivery Options dialog box | publicDelegates | Send on behalf |
Delivery Options dialog box | altRecipient | Forwarding address |
Delivery Options dialog box | msExchRecipLimit | Maximum recipient limits |
Message Size Restrictions dialog box | delivContLength | Prohibit receive size |
Message Size Restrictions dialog box | submissionContLength | Prohibit send size |
Message Delivery Restrictions dialog box | unauthOrig | Messages rejected from (for mailboxes) |
Message Delivery Restrictions dialog box | authOrig | Messages accepted from (for mailboxes) |
Message Delivery Restrictions dialog box | dLMemRejectPerms | Messages rejected from (for distribution groups) |
Message Delivery Restrictions dialog box | dLMemSubmitPerms | Messages accepted from (for distribution groups) |
Message Delivery Restrictions dialog box | msExchRequireAuthToSendTo | Restrict messages from authenticated users only |
Mail Flow Settings Tab: Mail-Enabled Objects
The following table lists the attributes that can be viewed on the Mail Flow Settings tab of a mail-enabled user, mail-enabled inetOrgPerson, mail-enabled contact, or distribution group object when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
Message Size Restrictions dialog box | delivContLength | Prohibit receive |
Message Delivery Restrictions dialog box | unauthOrig | Messages rejected from (for mailboxes) |
Message Delivery Restrictions dialog box | authOrig | Messages accepted from (for mailboxes) |
Message Delivery Restrictions dialog box | dLMemRejectPerms | Messages rejected from (for distribution groups) |
Message Delivery Restrictions dialog box | dLMemSubmitPerms | Messages accepted from (for distribution groups) |
Message Delivery Restrictions dialog box | msExchRequireAuthToSendTo (Applies only to Exchange Server 2003) | Restrict messages from authenticated users only |
Mail Flow Settings Tab: Public Folders
New in Exchange 2007 SP1
The following table lists the attributes that can be viewed on the Mail Flow Settings tab of a mail-enabled public folder object when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
Delivery Options dialog box | deliverAndRedirect | Store and forward message |
Delivery Options dialog box | publicDelegates | Send on behalf |
Delivery Options dialog box | altRecipient | Forwarding address |
Message Size Restrictions dialog box | delivContLength | Prohibit receive size |
Message Size Restrictions dialog box | submissionContLength | Prohibit send size |
Message Delivery Restrictions dialog box | unauthOrig | Messages rejected from (for mailboxes) |
Message Delivery Restrictions dialog box | authOrig | Messages accepted from (for mailboxes) |
Message Delivery Restrictions dialog box | dLMemRejectPerms | Messages rejected from (for distribution groups) |
Message Delivery Restrictions dialog box | dLMemSubmitPerms | Messages accepted from (for distribution groups) |
Message Delivery Restrictions dialog box | msExchRequireAuthToSendTo | Restrict messages from authenticated users only |
Mailbox Features Tab: Mailboxes
The following table lists the attributes that can be viewed on the Mailbox Features tab of a mailbox-enabled user or inetOrgPerson object when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
Mailbox Features tab | protocolSettings | Allows use of Internet Protocols |
Mailbox Features tab | protocolSettings | Allows use of MAPI Clients |
Mailbox Features tab | msExchOmaAdminWirelessEnable | Allows use of ActiveSync |
Exchange ActiveSync properties | msExchMobileMailboxPolicyLink | ActiveSync Device Security Policy |
Advanced Tab: Mail-Enabled Group and Dynamic Distribution Group Objects
The following table lists the attributes that can be viewed on the Advanced tab of mail-enabled group and dynamic distribution group objects when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
Advanced tab | msExchHideFromAddressLists | Hide object from GAL |
Advanced tab | showInAddressBook | Address Book object for which object is a member |
Advanced tab | displayNamePrintable (Simple Display Name) | Legacy display name format for down-level mail systems |
Advanced tab | msExchExpansionServerName; homeMTA | Group expansion Server |
Advanced tab | oOFReplyToOriginator | Send OOF messages to message originator |
Advanced tab | reportToOwner | Send delivery report to owner |
Advanced tab | reportToOriginator | Send delivery report to originator |
Resource Information Tab: Resource Mailboxes
The following table lists the attributes that can be viewed on the Resource Information tab of equipment or room mailbox-enabled user or inetOrgPerson objects when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
Resource Information tab | msExchResourceCapacity | Resource Capacity |
Resource Information tab | msExchResourceSearchProperties | Resource Custom Properties |
Filter and Conditions Tabs: Dynamic Distribution Group Objects
The following table lists the attributes that can be viewed on the Filter and Conditions tabs of a dynamic distribution group object when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
Filter tab; Conditions tab | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata | LDAP filter |
Filter tab | msExchDynamicDLBaseDN | LDAP filter base distinguished name |
Exchange General Tab: Public Folders
New in Exchange 2007 SP1
The following table lists the attributes that can be viewed on the Exchange General tab of mail-enabled public folder objects when you use the Exchange Management Console.
Location | Attribute name | Description |
---|---|---|
Exchange General tab | displayName (Display Name) | Display name |
Exchange General tab | mailNickname (Alias) | Alias |
Exchange General tab | msExchHideFromAddressLists | Hide from Address Book |
Exchange General tab | displayNamePrintable (Simple Display Name) | Legacy display name format for down-level mail systems |
Custom Attributes button | extensionAttribute1 (Custom Attribute 1) | Custom Attribute |
Custom Attributes button | extensionAttribute10 (Custom Attribute 10) | Custom Attribute |
Custom Attributes button | extensionAttribute11 (Custom Attribute 11) | Custom Attribute |
Custom Attributes button | extensionAttribute12 (Custom Attribute 12) | Custom Attribute |
Custom Attributes button | extensionAttribute13 (Custom Attribute 13) | Custom Attribute |
Custom Attributes button | extensionAttribute14 (Custom Attribute 14) | Custom Attribute |
Custom Attributes button | extensionAttribute15 (Custom Attribute 15) | Custom Attribute |
Custom Attributes button | extensionAttribute2 (Custom Attribute 2) | Custom Attribute |
Custom Attributes button | extensionAttribute3 (Custom Attribute 3) | Custom Attribute |
Custom Attributes button | extensionAttribute4 (Custom Attribute 4) | Custom Attribute |
Custom Attributes button | extensionAttribute5 (Custom Attribute 5) | Custom Attribute |
Custom Attributes button | extensionAttribute6 (Custom Attribute 6) | Custom Attribute |
Custom Attributes button | extensionAttribute7 (Custom Attribute 7) | Custom Attribute |
Custom Attributes button | extensionAttribute8 (Custom Attribute 8) | Custom Attribute |
Custom Attributes button | extensionAttribute9 (Custom Attribute 9) | Custom Attribute |
User-Related Tasks
Each organization defines what it expects from an Exchange administrator. However, Exchange administrators must perform certain common tasks with regard to user and inetOrgPerson objects, such as the following:
Mailbox-enabling user or inetOrgPerson objects
Moving mailboxes
Mailbox-disabling user or inetOrgPerson objects
Changing properties on mailbox-enabled user or inetOrgPerson objects
Mail-enabling user or inetOrgPerson objects
Mail-disabling user or inetOrgPerson objects
Changing properties on mail-enabled user or inetOrgPerson objects
Administrators can perform these tasks by using the Exchange Management Console or the Exchange Management Shell.
Note
This section does not discuss the rights that are needed to run the New-Mailbox, New-MailUser, Remove-Mailbox, and Remove-MailUser cmdlets. In addition to the rights listed in the "Mail-Enabling User Objects" and "Mail-Disabling User Objects" sections here, an administrator must also be able to create and delete user or inetOrgPerson objects. For more information about what rights are required to create user or inetOrgPerson objects, see Best Practices for Delegating Active Directory Administration.
Mailbox-Enabling User Objects
To run the Enable-Mailbox cmdlet, the account you use must be delegated the Exchange View-Only Administrator role.
The Exchange administrator must have Read and Write access to the following user or inetOrgPerson object attributes.
authOrig
dlMemSubmitPerms
homeMDB
homeMTA
legacyExchangeDN
mailNickname
mDBUseDefaults
msExchHomeServerName
msExchMailboxGuid
msExchMailboxSecurityDescriptor
msExchMailboxTemplateLink
msExchMasterAccountSid
msExchMobileMailboxPolicyLink
msExchPoliciesExcluded
msExchPoliciesIncluded
msExchRecipientDisplayType
msExchRecipientTypeDetails
msExchResourceDisplay
msExchResourceMetaData
msExchResourceSearchProperties
msExchUserAccountControl
msExchVersion
protocolSettings
proxyAddresses
publicDelegates
securityProtocol
showInAddressBook
textEncodedORAddress
unauthOrig
The administrator requires the Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to apply the appropriate address information to the object.
The administrator must also have write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet. The administrator must also have write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.
In addition, the administrator must be able to read and modify the security permissions on the user or inetOrgPerson objects so that the task can apply the appropriate permissions for resource, shared, and linked mailboxes.
You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions. For example, to grant the ability to mailbox-enable existing user objects, the following steps must be performed:
Run the following command to grant the OU1AdminGroup security group the ability to manage Exchange-related attributes on the user objects in the organizational unit (OU).
Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties authOrig,dlMemRejectPerms,dlMemSubmitPerms,homeMDB,homeMTA,legacyExchangeDN,mail,mailNickname,mDBUseDefaults,msExchHomeServerName,msExchMailboxGuid,msExchMailboxSecurityDescriptor,msExchMailboxTemplateLink,msExchMasterAccountSid,msExchMobileMailboxPolicyLink,msExchPoliciesExcluded,msExchPoliciesIncluded,msExchRecipientDisplayType,msExchRecipientTypeDetails,msExchResourceDisplay,msExchResourceMetaData,msExchResourceSearchProperties,msExchUserAccountControl,msExchVersion,protocolSettings,proxyAddresses,publicDelegates,securityProtocol,showInAddressBook,textEncodedORAddress,unauthOrig -InheritedObjectType User -InheritanceType Descendents
Run the following command to grant the Admin account the ability to change the discretionary access control list of the user objects in the OU.
Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights WriteDACL,ReadControl -InheritedObjectType User -InheritanceType Descendents
Run the following command to grant the Admin account the extended right to access the Recipient Update Service.
Add-ADPermission -Identity "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -InheritedObjectType ms-Exch-Exchange-Server -ExtendedRights ms-Exch-Recipient-Update-Access -InheritanceType Descendents
Run the following commands to grant the Admin account the ability to update the address lists and e-mail address policies.
Add-ADPermission -Identity "CN=Address Lists Container,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
Add-ADPermission -Identity "CN=Recipient Policies,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
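The following review check is an added example, not part of the original topic or of any Microsoft tooling. It parses the first Add-ADPermission command from the steps above and compares its -Properties list, case-insensitively, with the attributes this section documents for Enable-Mailbox; the function names are assumptions of this example, and the same check applies to the other Add-ADPermission commands in this topic.

```python
import re

# Attributes this section lists as needing Read and Write access for Enable-Mailbox.
DOCUMENTED = """
authOrig dlMemSubmitPerms homeMDB homeMTA legacyExchangeDN mailNickname
mDBUseDefaults msExchHomeServerName msExchMailboxGuid
msExchMailboxSecurityDescriptor msExchMailboxTemplateLink
msExchMasterAccountSid msExchMobileMailboxPolicyLink msExchPoliciesExcluded
msExchPoliciesIncluded msExchRecipientDisplayType msExchRecipientTypeDetails
msExchResourceDisplay msExchResourceMetaData msExchResourceSearchProperties
msExchUserAccountControl msExchVersion protocolSettings proxyAddresses
publicDelegates securityProtocol showInAddressBook textEncodedORAddress
unauthOrig
""".split()

# The first Add-ADPermission command from the steps in this section.
COMMAND = (
    'Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\\Admin '
    '-AccessRights ReadProperty,WriteProperty -Properties '
    'authOrig,dlMemRejectPerms,dlMemSubmitPerms,homeMDB,homeMTA,legacyExchangeDN,'
    'mail,mailNickname,mDBUseDefaults,msExchHomeServerName,msExchMailboxGuid,'
    'msExchMailboxSecurityDescriptor,msExchMailboxTemplateLink,'
    'msExchMasterAccountSid,msExchMobileMailboxPolicyLink,msExchPoliciesExcluded,'
    'msExchPoliciesIncluded,msExchRecipientDisplayType,msExchRecipientTypeDetails,'
    'msExchResourceDisplay,msExchResourceMetaData,msExchResourceSearchProperties,'
    'msExchUserAccountControl,msExchVersion,protocolSettings,proxyAddresses,'
    'publicDelegates,securityProtocol,showInAddressBook,textEncodedORAddress,'
    'unauthOrig -InheritedObjectType User -InheritanceType Descendents'
)

TOKEN = re.compile(r'"[^"]*"|\S+')      # a double-quoted string or a bare word
PARAMETER = re.compile(r"^-[A-Za-z]")   # -User, -Properties, ...


def parse_add_adpermission(command):
    """Return {parameter name (lower case): [values]} for one command line.

    Quoted values (distinguished names) are kept whole; bare values are split
    on commas, so "a, b" and "a,b" both yield two items. An unquoted
    distinguished name is not supported.
    """
    tokens = TOKEN.findall(command)
    if not tokens or tokens[0].lower() != "add-adpermission":
        raise ValueError("not an Add-ADPermission command")
    params = {}
    current = "identity"  # the first positional argument is the target object
    for token in tokens[1:]:
        if PARAMETER.match(token):
            current = token[1:].lower()
            params.setdefault(current, [])
        elif token.startswith('"'):
            params.setdefault(current, []).append(token.strip('"'))
        else:
            params.setdefault(current, []).extend(v for v in token.split(",") if v)
    return params


def review_grant(command, documented):
    """Compare the attributes a command grants with a documented attribute list."""
    params = parse_add_adpermission(command)
    granted = params.get("properties", [])
    rights = {r.lower() for r in params.get("accessrights", [])}
    documented_names = {a.lower() for a in documented}
    granted_names = {a.lower() for a in granted}
    return {
        "target": (params.get("identity") or [""])[0],
        "trustee": (params.get("user") or [""])[0],
        # Granted by the command but absent from the documented list.
        "surplus": sorted((a for a in granted if a.lower() not in documented_names),
                          key=str.lower),
        # Documented as required but not granted by the command.
        "missing": sorted((a for a in documented if a.lower() not in granted_names),
                          key=str.lower),
        # WriteProperty with no -Properties list is not limited to named attributes.
        "unscoped_write": "writeproperty" in rights and not granted,
    }


if __name__ == "__main__":
    for key, value in review_grant(COMMAND, DOCUMENTED).items():
        print(f"{key}: {value}")
```

For the command above, the check reports dlMemRejectPerms and mail as granted but absent from the documented list, and no documented attribute as missing.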
Moving Mailboxes
To run the Move-Mailbox cmdlet between servers that are running Exchange Server in the organization, the Exchange administrator must have the appropriate rights in the configuration partition. For more information about how to delegate the role, see How to Delegate Server Administration.
You must be a local administrator and have the following role on the source Exchange server:
If the source Exchange server is running Exchange 2007, the account you use must be delegated the Exchange Server Administrator role.
If the source Exchange server is running Microsoft Exchange Server 2003, the account you use must be delegated the Exchange Administrator role on the administrative group where the Exchange 2003 server resides.
You must be a local administrator and have the following permission on the target Exchange server:
If the target Exchange server is running Exchange 2007, the account you use must be delegated the Exchange Server Administrator role.
If the target Exchange server is running Exchange 2003, the account you use must be delegated the Exchange Administrator role on the administrative group where the Exchange 2003 server resides.
The administrator must be a member of the Administrators group on the local workstation or server to create a dynamic MAPI profile.
In addition, the Exchange administrator must have Read and Write access to the following user or inetOrgPerson object attributes:
homeMDB
homeMTA
msExchHomeServerName
targetAddress
protocolSettings
proxyAddresses
The following attributes may be modified or removed when you move a mailbox between a server that runs Exchange 2007 and a server that runs a legacy version of Exchange Server (Exchange 2000 Server or Exchange Server 2003).
mDBOverHardQuotaLimit
mDBOverQuotaLimit
mDBStorageQuota
msExchELCExpirySuspensionEnd
msExchELCExpirySuspensionStart
msExchELCMailboxFlags
msExchMailboxTemplateLink
msExchMDBRulesQuota
msExchMessageHygieneFlags
msExchMessageHygieneSCLDeleteThreshold
msExchMessageHygieneSCLJunkThreshold
msExchMessageHygieneSCLQuarantineThreshold
msExchMessageHygieneSCLRejectThreshold
msExchMobileAllowedDeviceIDs
msExchMobileDebugLogging
msExchMobileMailboxFlags
msExchMobileMailboxPolicyLink
msExchOmaAdminExtendedSettings
msExchOmaAdminWirelessEnable
msExchRecipientDisplayType
msExchRecipientTypeDetails
msExchResourceCapacity
msExchResourceDisplay
msExchResourceMetaData
msExchResourceSearchProperties
msExchUMAudioCodec
msExchUMEnabledFlags
msExchUMOperatorNumber
msExchUMPinChecksum
msExchUMRecipientDialPlanLink
msExchUMServerWritableFlags
msExchUMSpokenName
msExchUMTemplateLink
msExchUserCulture
msExchVersion
You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain partition. For example, to update the attributes necessary to move the mailboxes, run the following command to grant the Admin account the ability to manage Exchange-related attributes on the user objects in the OU.
Add-ADPermission "OU=OUContainer1,DC=company,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties homeMDB,homeMTA,mDBOverHardQuotaLimit,mDBOverQuotaLimit,mDBStorageQuota,msExchELCExpirySuspensionEnd,msExchELCExpirySuspensionStart,msExchELCMailboxFlags,msExchHomeServerName,msExchMailboxTemplateLink,msExchMDBRulesQuota,msExchMessageHygieneFlags,msExchMessageHygieneSCLDeleteThreshold,msExchMessageHygieneSCLJunkThreshold,msExchMessageHygieneSCLQuarantineThreshold,msExchMessageHygieneSCLRejectThreshold,msExchMobileAllowedDeviceIDs,msExchMobileDebugLogging,msExchMobileMailboxFlags,msExchMobileMailboxPolicyLink,msExchOmaAdminExtendedSettings,msExchOmaAdminWirelessEnable,msExchRecipientDisplayType,msExchRecipientTypeDetails,msExchResourceCapacity,msExchResourceDisplay,msExchResourceMetaData,msExchResourceSearchProperties,msExchUMAudioCodec,msExchUMEnabledFlags,msExchUMOperatorNumber,msExchUMPinChecksum,msExchUMRecipientDialPlanLink,msExchUMServerWritableFlags,msExchUMSpokenName,msExchUMTemplateLink,msExchUserCulture,msExchVersion,protocolSettings,proxyAddresses,targetAddress -InheritedObjectType User -InheritanceType Descendents
Mailbox-Disabling User Objects
To run the Disable-Mailbox cmdlet against a user or inetOrgPerson object, the Exchange administrator must have the appropriate rights in the configuration partition. For more information about how to delegate the role, see How to Delegate Server Administration.
You must be a local administrator and have the following role on the Exchange server where the mailbox resides:
If the Exchange server is running Exchange 2007, the account does not require any role; you only need to have the permissions defined below. However, when executing Disable-Mailbox, you will receive a warning, "Failed to commit the change on object "<Mailbox GUID>" because access is denied". This warning means that an attempt was made to immediately disable the mailbox but the action failed for some reason. Therefore, you have to wait until online maintenance does this in batch for the store in which the mailbox resides.
If the Exchange server is running Exchange 2003, the account you use must be delegated the Exchange Administrator role on the administrative group where the Exchange 2003 server resides.
The Exchange administrator must also have the Administer Information Store permission on the Exchange organization container. In addition, the Exchange administrator must have Read and Write access to the following user or inetOrgPerson object attributes.
altRecipient
authOrig
deletedItemFlags
delivContLength
deliverAndRedirect
displayNamePrintable
dlMemRejectPerms
dlMemSubmitPerms
extensionAttribute1
extensionAttribute10
extensionAttribute11
extensionAttribute12
extensionAttribute13
extensionAttribute14
extensionAttribute15
extensionAttribute2
extensionAttribute3
extensionAttribute4
extensionAttribute5
extensionAttribute6
extensionAttribute7
extensionAttribute8
extensionAttribute9
garbageCollPeriod
homeMDB
homeMTA
legacyExchangeDN
mailNickname
mDBOverHardQuotaLimit
mDBOverQuotaLimit
mDBStorageQuota
mDBUseDefaults
msExchELCExpirySuspensionEnd
msExchELCExpirySuspensionStart
msExchELCMailboxFlags
msExchExternalOOFOptions
msExchHideFromAddressLists
msExchHomeServerName
msExchMailboxGuid
msExchMailboxSecurityDescriptor
msExchMailboxTemplateLink
msExchMasterAccountSid
msExchMDBRulesQuota
msExchPoliciesExcluded
msExchPoliciesIncluded
msExchRecipientDisplayType
msExchRecipientTypeDetails
msExchRecipLimit
msExchRequireAuthToSendTo
msExchResourceCapacity
msExchResourceMetaData
msExchResourceSearchProperties
msExchResourceDisplay
msExchUMAudioCodec
msExchUMEnabledFlags
msExchUMOperatorNumber
msExchUMPinChecksum
msExchUMRecipientDialPlanLink
msExchUMTemplateLink
msExchUseOAB
msExchUserAccountControl
msExchUserCulture
msExchVersion
protocolSettings
proxyAddresses
publicDelegates
securityProtocol
showInAddressBook
submissionContLength
textEncodedORAddress
unauthOrig
You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions.
For example, to disable mailboxes, you must follow these steps:
Run the following command to grant the Admin account the ability to manage Exchange-related attributes on the user objects in the OU.
Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties altRecipient,authOrig,deletedItemFlags,delivContLength,deliverAndRedirect,displayNamePrintable,dlMemRejectPerms,dlMemSubmitPerms,extensionAttribute1,extensionAttribute10,extensionAttribute11,extensionAttribute12,extensionAttribute13,extensionAttribute14,extensionAttribute15,extensionAttribute2,extensionAttribute3,extensionAttribute4,extensionAttribute5,extensionAttribute6,extensionAttribute7,extensionAttribute8,extensionAttribute9,garbageCollPeriod,homeMDB,homeMTA,legacyExchangeDN,mailNickName,mDBOverHardQuotaLimit,mDBOverQuotaLimit,mDBStorageQuota,mDBUseDefaults,msExchELCExpirySuspensionEnd,msExchELCExpirySuspensionStart,msExchELCMailboxFlags,msExchExternalOOFOptions,msExchHideFromAddressLists,msExchHomeServerName,msExchMailboxGuid,msExchMailboxSecurityDescriptor,msExchMailboxTemplateLink,msExchMasterAccountSid,msExchMDBRulesQuota,msExchPoliciesExcluded,msExchPoliciesIncluded,msExchRecipientDisplayType,msExchRecipientTypeDetails,msExchRecipLimit,msExchRequireAuthToSendTo,msExchResourceCapacity,msExchResourceMetaData,msExchResourceSearchProperties,msExchResourceDisplay,msExchUMAudioCodec,msExchUMEnabledFlags,msExchUMOperatorNumber,msExchUMPinChecksum,msExchUMRecipientDialPlanLink,msExchUMTemplateLink,msExchUseOAB,msExchUserAccountControl,msExchUserCulture,msExchVersion,protocolSettings,proxyAddresses,publicDelegates,securityProtocol,showInAddressBook,submissionContLength,textEncodedORAddress,unauthOrig -InheritedObjectType User -InheritanceType Descendents
To avoid receiving the store warning mentioned above, run the following command to grant the Admin account the Administer Information Store extended right.
Add-ADPermission -Identity "CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -ExtendedRights ms-Exch-Store-Admin -InheritanceType All
Changing Mailbox-Enabled User Object Properties
To run the Set-Mailbox, Set-UMMailbox or Set-CASMailbox cmdlet against a user or inetOrgPerson object:
The account you use must be delegated the Exchange View-Only Administrator role.
The Exchange administrator must have Read and Write access to the desired user or inetOrgPerson object attributes. For more information about how the Set-Mailbox, Set-UMMailbox, or Set-CASMailbox task properties map to the Active Directory attributes, see the "Mailbox-Enabled User-Related Properties" section earlier in this article.
In addition, because the Set-Mailbox, Set-UMMailbox, or Set-CASMailbox cmdlets are used to make sure that the object is assigned to the appropriate e-mail address policy, the Exchange Administrator also requires the following permissions:
The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.
Read and Write access to the following attributes:
proxyAddresses
msExchPoliciesIncluded
msExchPoliciesExcluded
mail
textEncodedORAddress
Mail-Enabling User Objects
To run the Enable-MailUser cmdlet against a user or inetOrgPerson object, the account you use must be delegated the Exchange View-Only Administrator role.
The Exchange administrator must have Read and Write access to the following user or inetOrgPerson object attributes.
authOrig
dlMemRejectPerms
dLMemSubmitPerms
internetEncoding
legacyExchangeDN
mailNickname
msExchPoliciesExcluded
msExchPoliciesIncluded
msExchRecipientDisplayType
msExchVersion
protocolSettings
proxyAddresses
publicDelegates
showInAddressBook
targetAddress
textEncodedORAddress
unauthOrig
In addition, the administrator requires the Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information. The administrator must also have write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet. The administrator must also have write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.
You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions.
For example, to grant the ability to mail-enable existing user objects, the following steps must be performed.
Run the following command to grant the Admin account the ability to manage Exchange-related attributes on the user objects in the OU:
Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties textEncodedORAddress,mail,msExchRecipientDisplayType,msExchVersion,authOrig,dLMemSubmitPerms,showInAddressBook,mailNickName,proxyAddresses,targetAddress,publicDelegates,internetEncoding,legacyExchangeDN,msExchPoliciesIncluded,msExchPoliciesExcluded,protocolSettings,unAuthOrig,dlMemRejectPerms -InheritedObjectType User -InheritanceType Descendents
Run the following command to grant the Admin account the extended right to access the Recipient Update Service.
Add-ADPermission -Identity "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -InheritedObjectType ms-Exch-Exchange-Server -ExtendedRights ms-Exch-Recipient-Update-Access -InheritanceType Descendents
Run the following commands to grant the Admin account the ability to update the address lists and e-mail address policies.
Add-ADPermission -Identity "CN=Address Lists Container,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
Add-ADPermission -Identity "CN=Recipient Policies,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
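A read-only check to run after the OU grant above, added here as an illustration and not part of the original topic: it reads the OU's ACL through System.DirectoryServices and compares the delegate's WriteProperty ACEs with the attribute list the task needs, reporting missing attributes and grants that are broader than the list. Get-SchemaGuid and Test-AttributeDelegation are hypothetical helper names, the OU, account and attribute values are the topic's own samples, and the script assumes a session on a domain-joined computer with read access to the schema; the same function covers the contact and group delegations by changing -ObjectClass and the attribute list.

```powershell
# Added example, not part of the original topic. Read-only: it changes no permissions.
# Get-SchemaGuid and Test-AttributeDelegation are hypothetical helper names.

function Get-SchemaGuid([string]$LdapName) {
    # ACEs identify attributes and classes by schemaIDGUID, not by name.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schemaNc)
    $searcher.Filter = "(lDAPDisplayName=$LdapName)"
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "Not found in schema: $LdapName" }
    $bytes = [byte[]]$hit.Properties['schemaidguid'][0]
    return (New-Object Guid (,$bytes)).ToString()
}

function Test-AttributeDelegation {
    param(
        [string]$OuDn,          # OU that received the Add-ADPermission grant
        [string]$Delegate,      # account in DOMAIN\name form
        [string]$ObjectClass,   # class the grant should be limited to (user, contact, group)
        [string[]]$Attributes   # LDAP display names the task requires
    )
    $empty = [Guid]::Empty.ToString()

    # Map schema GUID (as string) -> attribute name for every expected attribute.
    $nameByGuid = @{}
    foreach ($a in $Attributes) { $nameByGuid[(Get-SchemaGuid $a)] = $a }
    $classGuid = Get-SchemaGuid $ObjectClass

    # Explicit and inherited ACEs, with trustees translated to DOMAIN\name.
    $ou    = [ADSI]"LDAP://$OuDn"
    $rules = $ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $write = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $granted  = @{}
    $findings = @()
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $Delegate) { continue }
        if ($r.AccessControlType -ne 'Allow') { continue }
        if (([int]$r.ActiveDirectoryRights -band $write) -eq 0) { continue }

        $attrGuid  = $r.ObjectType.ToString()
        $scopeGuid = $r.InheritedObjectType.ToString()

        # An ACE scoped to a different class belongs to another delegation.
        if ($scopeGuid -ne $classGuid -and $scopeGuid -ne $empty) { continue }
        if ($scopeGuid -eq $empty) {
            $findings += "Not limited to class '$ObjectClass': ACE for $attrGuid"
        }

        if ($attrGuid -eq $empty) {
            # No object type means the write applies to every attribute.
            $findings += "Broad grant: WriteProperty on all attributes (rights: $($r.ActiveDirectoryRights))"
        } elseif ($nameByGuid.ContainsKey($attrGuid)) {
            $granted[$nameByGuid[$attrGuid]] = $true
        } else {
            $findings += "Unlisted attribute or property set: $attrGuid"
        }
    }

    # A broad grant is reported above; it does not count as satisfying the list.
    foreach ($a in $Attributes) {
        if (-not $granted.ContainsKey($a)) { $findings += "Missing WriteProperty: $a" }
    }
    return $findings
}

# Attribute list copied from the mail-enable command in this topic.
$mailEnableUserAttrs = 'textEncodedORAddress','mail','msExchRecipientDisplayType','msExchVersion',
    'authOrig','dLMemSubmitPerms','showInAddressBook','mailNickName','proxyAddresses',
    'targetAddress','publicDelegates','internetEncoding','legacyExchangeDN',
    'msExchPoliciesIncluded','msExchPoliciesExcluded','protocolSettings','unAuthOrig',
    'dlMemRejectPerms'

$report = @(Test-AttributeDelegation -OuDn 'OU=OUContainer1,DC=Contoso,DC=com' `
    -Delegate 'company\Admin' -ObjectClass 'user' -Attributes $mailEnableUserAttrs)

if ($report.Count -eq 0) {
    'Delegation matches the expected attribute list.'
} else {
    $report
}
```

The check covers only the WriteProperty side of the OU grant; the extended right on the administrative group and the two container grants in the configuration partition are not examined.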
Mail-Disabling User Objects
To run the Disable-MailUser cmdlet against a user or inetOrgPerson object, the account you use must be delegated the Exchange View-Only Administrator role.
The Exchange administrator must have Read and Write access to the following user or inetOrgPerson object attributes.
authOrig
delivContLength
displayNamePrintable
dlMemRejectPerms
dlMemSubmitPerms
extensionAttribute1
extensionAttribute2
extensionAttribute3
extensionAttribute4
extensionAttribute5
extensionAttribute6
extensionAttribute7
extensionAttribute8
extensionAttribute9
extensionAttribute10
extensionAttribute11
extensionAttribute12
extensionAttribute13
extensionAttribute14
extensionAttribute15
internetEncoding
legacyExchangeDN
mailNickname
mAPIRecipient
msExchHideFromAddressLists
msExchPoliciesExcluded
msExchPoliciesIncluded
msExchRecipientDisplayType
msExchRecipLimit
msExchRequireAuthToSendTo
msExchVersion
protocolSettings
proxyAddresses
publicDelegates
showInAddressBook
submissionContLength
targetAddress
textEncodedORAddress
unauthOrig
You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions.
For example, to grant the ability to mail-disable user objects, run the following command to grant the Admin account the ability to manage Exchange-related attributes on the user objects in the OU.
Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties authOrig,delivContLength,displayNamePrintable,dlMemRejectPerms,dlMemSubmitPerms,extensionAttribute1,extensionAttribute10,extensionAttribute11,extensionAttribute12,extensionAttribute13,extensionAttribute14,extensionAttribute15,extensionAttribute2,extensionAttribute3,extensionAttribute4,extensionAttribute5,extensionAttribute6,extensionAttribute7,extensionAttribute8,extensionAttribute9,internetEncoding,legacyExchangeDN,mailNickname,mAPIRecipient,msExchHideFromAddressLists,msExchPoliciesExcluded,msExchPoliciesIncluded,msExchRecipientDisplayType,msExchRecipLimit,msExchRequireAuthToSendTo,msExchVersion,protocolSettings,proxyAddresses,publicDelegates,showInAddressBook,submissionContLength,targetAddress,textEncodedORAddress,unauthOrig -InheritedObjectType User -InheritanceType Descendents
Changing Mail-Enabled User Object Properties
To run the Set-MailUser cmdlet against a user or inetOrgPerson object, the following permissions are required:
The account you use must be delegated the Exchange View-Only Administrator role.
The Exchange administrator must have Read and Write access to the desired user or inetOrgPerson object attributes. For more information about how the Set-MailUser properties map to the Active Directory attributes, see the "Mailbox-Enabled User-Related Properties" section earlier in this topic.
In addition, because you must use the Set-MailUser cmdlet to make sure that the object is assigned to the appropriate e-mail address policy, the Exchange Administrator also requires the following:
The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.
Read and Write access to the following attributes:
proxyAddresses
msExchPoliciesIncluded
msExchPoliciesExcluded
mail
textEncodedORAddress
Contact-Related Tasks
Each organization defines what it expects from an Exchange administrator. However, Exchange administrators have to perform certain common tasks with regard to contact objects, such as the following:
Mail-enabling contact objects
Mail-disabling contact objects
Changing properties on mail-enabled contact objects
Administrators can perform these tasks by using the Exchange Management Console or the Exchange Management Shell.
Note
This section does not discuss the rights that are needed to run the New-MailContact and Remove-MailContact cmdlets. In addition to the rights listed in the Mail-Enabling and Mail-Disabling sections, an administrator must also be able to create and delete contact objects. For more information about what rights are required to create contact objects, see Best Practices for Delegating Active Directory Administration.
Mail-Enabling Contact Objects
To run the Enable-MailContact cmdlet on a contact object, the account you use must be delegated the Exchange View-Only Administrator role.
The Exchange administrator must have Read and Write access to the following contact object attributes:
authOrig
displayName
dlMemRejectPerms
dLMemSubmitPerms
internetEncoding
legacyExchangeDN
mailNickname
msExchPoliciesExcluded
msExchPoliciesIncluded
msExchRecipientDisplayType
msExchVersion
protocolSettings
proxyAddresses
publicDelegates
showInAddressBook
targetAddress
textEncodedORAddress
unauthOrig
In addition, the administrator requires the Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information. The administrator must also have write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet. The administrator must also have write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.
You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions.
For example, to grant the ability to mail-enable existing contact objects, the following steps must be performed:
Run the following command to grant the Admin account the ability to manage Exchange-related attributes on the contact objects in the OU.
Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties displayName,textEncodedORAddress,mail,msExchRecipientDisplayType,msExchVersion,authOrig,dLMemSubmitPerms,showInAddressBook,mailNickName,proxyAddresses,targetAddress,publicDelegates,internetEncoding,legacyExchangeDN,msExchPoliciesIncluded,msExchPoliciesExcluded,protocolSettings,unAuthOrig,dlMemRejectPerms -InheritedObjectType Contact -InheritanceType Descendents
Run the following command to grant the Admin account the extended right to access the Recipient Update Service.
Add-ADPermission -Identity "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -InheritedObjectType ms-Exch-Exchange-Server -ExtendedRights ms-Exch-Recipient-Update-Access -InheritanceType Descendents
Run the following commands to grant the Admin account the ability to update the address lists and e-mail address policies.
Add-ADPermission -Identity "CN=Address Lists Container,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
Add-ADPermission -Identity "CN=Recipient Policies,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
Mail-Disabling Contact Objects
To run the Disable-MailContact cmdlet against a contact object, the account you use must be delegated the Exchange View-Only Administrator role.
The Exchange administrator must have Read and Write access to the following contact object attributes:
authOrig
delivContLength
displayNamePrintable
dlMemRejectPerms
dlMemSubmitPerms
extensionAttribute1
extensionAttribute2
extensionAttribute3
extensionAttribute4
extensionAttribute5
extensionAttribute6
extensionAttribute7
extensionAttribute8
extensionAttribute9
extensionAttribute10
extensionAttribute11
extensionAttribute12
extensionAttribute13
extensionAttribute14
extensionAttribute15
internetEncoding
legacyExchangeDN
mailNickname
mAPIRecipient
msExchHideFromAddressLists
msExchPoliciesExcluded
msExchPoliciesIncluded
msExchRecipientDisplayType
msExchRecipLimit
msExchRequireAuthToSendTo
msExchVersion
protocolSettings
proxyAddresses
publicDelegates
showInAddressBook
submissionContLength
targetAddress
textEncodedORAddress
unauthOrig
You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions. For example, to grant the ability to mail-disable contact objects, run the following command to grant the Admin account the ability to manage Exchange-related attributes on the contact objects in the OU.
Add-ADPermission "OU=OUContainer1,DC=company,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties authOrig,delivContLength,displayNamePrintable,dlMemRejectPerms,dlMemSubmitPerms,extensionAttribute1,extensionAttribute10,extensionAttribute11,extensionAttribute12,extensionAttribute13,extensionAttribute14,extensionAttribute15,extensionAttribute2,extensionAttribute3,extensionAttribute4,extensionAttribute5,extensionAttribute6,extensionAttribute7,extensionAttribute8,extensionAttribute9,internetEncoding,legacyExchangeDN,mailNickname,mAPIRecipient,msExchHideFromAddressLists,msExchPoliciesExcluded,msExchPoliciesIncluded,msExchRecipientDisplayType,msExchRecipLimit,msExchRequireAuthToSendTo,msExchVersion,protocolSettings,proxyAddresses,publicDelegates,showInAddressBook,submissionContLength,targetAddress,textEncodedORAddress,unauthOrig -InheritedObjectType Contact -InheritanceType Descendents
Changing Mail-Enabled Contact Object Properties
To run the Set-MailContact cmdlet against a contact object, the following permissions must be granted:
The account you use must be delegated the Exchange View-Only Administrator role.
The Exchange administrator must have Read and Write access to the desired contact object attributes. For more information about how the Set-MailContact cmdlet properties map to the Active Directory attributes, see the "Mailbox-Enabled Contact-Related Properties" section earlier in this topic.
In addition, because the Set-MailContact task is used to make sure that the object is assigned to the appropriate e-mail address policy, the Exchange Administrator also requires the following permissions:
The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.
Read and Write access to the following attributes:
proxyAddresses
msExchPoliciesIncluded
msExchPoliciesExcluded
mail
textEncodedORAddress
Group-Related Tasks
Each organization defines what it expects from an Exchange administrator. However, Exchange administrators have to perform certain common tasks with regard to group objects, such as the following:
Mail-enabling group objects
Mail-disabling group objects
Changing properties on mail-enabled group objects
Administrators can perform these tasks by using the Exchange Management Console or the Exchange Management Shell.
Note
This section does not discuss the rights that are needed to run the New-DistributionGroup and Remove-DistributionGroup cmdlets. In addition to the rights listed in the "Mail-Enabling Group Objects" and "Mail-Disabling Group Objects" sections here, an administrator must also be able to create and delete group objects. For more information about what rights are required to create group objects, see Best Practices for Delegating Active Directory Administration.
Mail-Enabling Group Objects
To run the Enable-DistributionGroup cmdlet against a group object, the account you use must be delegated the Exchange View-Only Administrator role.
The Exchange administrator must have Read and Write access to the following group object attributes.
authOrig
displayName
dlMemRejectPerms
dLMemSubmitPerms
legacyExchangeDN
mailNickname
msExchPoliciesExcluded
msExchPoliciesIncluded
msExchRecipientDisplayType
msExchRequireAuthToSendTo
msExchVersion
proxyAddresses
publicDelegates
reportToOriginator
showInAddressBook
textEncodedORAddress
unauthOrig
In addition, the administrator requires the Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to update the object with the appropriate address information. The administrator must also have write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet. The administrator must also have write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.
You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions.
For example, to grant the ability to mail-enable group objects, you must follow these steps:
Run the following command to grant the Admin account the ability to manage Exchange-related attributes on the group objects in the OU.
Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties authOrig,displayName,dlMemRejectPerms,dlMemSubmitPerms,legacyExchangeDN,mail,mailNickName,msExchPoliciesExcluded,msExchPoliciesIncluded,msExchRecipientDisplayType,msExchRequireAuthToSendTo,msExchVersion,proxyAddresses,publicDelegates,reportToOriginator,showInAddressBook,textEncodedORAddress,unauthOrig -InheritedObjectType Group -InheritanceType Descendents
Run the following command to grant the Admin account the extended right to access the Recipient Update Service.
Add-ADPermission -Identity "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -InheritedObjectType ms-Exch-Exchange-Server -ExtendedRights ms-Exch-Recipient-Update-Access -InheritanceType Descendents
Run the following commands to grant the Admin account the ability to update the address lists and e-mail address policies.
Add-ADPermission -Identity "CN=Address Lists Container,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
Add-ADPermission -Identity "CN=Recipient Policies,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
Mail-Disabling Group Objects
To run the Disable-DistributionGroup cmdlet against a group object, the account you use must be delegated the Exchange View-Only Administrator role.
The Exchange administrator must have Read and Write access to the following group attributes:
authOrig
delivContLength
displayNamePrintable
dlMemRejectPerms
dlMemSubmitPerms
extensionAttribute1
extensionAttribute2
extensionAttribute3
extensionAttribute4
extensionAttribute5
extensionAttribute6
extensionAttribute7
extensionAttribute8
extensionAttribute9
extensionAttribute10
extensionAttribute11
extensionAttribute12
extensionAttribute13
extensionAttribute14
extensionAttribute15
homeMTA
internetEncoding
legacyExchangeDN
mailNickname
mAPIRecipient
msExchHideFromAddressLists
msExchExpansionServerName
msExchPoliciesExcluded
msExchPoliciesIncluded
msExchRecipientDisplayType
msExchRecipLimit
msExchRequireAuthToSendTo
msExchVersion
oOFReplyToOriginator
protocolSettings
proxyAddresses
publicDelegates
reportToOriginator
reportToOwner
showInAddressBook
submissionContLength
targetAddress
textEncodedORAddress
unauthOrig
You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions. For example, to grant the ability to mail-disable group objects, run the following command to grant the Admin account the ability to manage Exchange-related attributes on the group objects in the OU.
Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties authOrig,delivContLength,displayNamePrintable,dlMemRejectPerms,dlMemSubmitPerms,extensionAttribute1,extensionAttribute10,extensionAttribute11,extensionAttribute12,extensionAttribute13,extensionAttribute14,extensionAttribute15,extensionAttribute2,extensionAttribute3,extensionAttribute4,extensionAttribute5,extensionAttribute6,extensionAttribute7,extensionAttribute8,extensionAttribute9,homeMTA,internetEncoding,legacyExchangeDN,mailNickname,mAPIRecipient,msExchHideFromAddressLists,msExchExpansionServerName,msExchPoliciesExcluded,msExchPoliciesIncluded,msExchRecipientDisplayType,msExchRecipLimit,msExchRequireAuthToSendTo,msExchVersion,oOFReplyToOriginator,protocolSettings,proxyAddresses,publicDelegates,reportToOriginator,reportToOwner,showInAddressBook,submissionContLength,targetAddress,textEncodedORAddress,unauthOrig -InheritedObjectType Group -InheritanceType Descendents
Changing Mail-Enabled Group Object Properties
To run the Set-DistributionGroup cmdlet against a group object, the following permissions must be granted:
The account you use must be delegated the Exchange View-Only Administrator role.
The Exchange administrator must have Read and Write access to the desired group object attributes. For more information about how the Set-DistributionGroup properties map to the Active Directory attributes, see the "Distribution Group-Related Properties" section earlier in this topic.
In addition, because you can use the Set-DistributionGroup cmdlet to make sure that the object is assigned to the appropriate e-mail address policy, the Exchange Administrator also requires the following:
The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.
Read and Write access to the following attributes:
proxyAddresses
msExchPoliciesIncluded
msExchPoliciesExcluded
mail
textEncodedORAddress
Dynamic Distribution Group-Related Tasks
Each organization defines what it expects from an Exchange administrator. However, Exchange administrators have to perform certain common tasks with regard to dynamic distribution group objects, such as the following:
Mail-enabling group objects
Mail-disabling group objects
Changing properties on mail-enabled group objects
Administrators can perform these tasks by using the Exchange Management Console or the Exchange Management Shell.
Creating and Deleting Dynamic Distribution Group Objects
To run the New-DynamicDistributionGroup and Remove-DynamicDistributionGroup cmdlets against a dynamic distribution group object, the account you use must be delegated the Exchange View-Only Administrator role.
In addition, the administrator must have the following:
Create msExchDynamicDistributionList objects permission
Delete msExchDynamicDistributionList objects user right
Full Control over msExchDynamicDistributionList objects
The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.
You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions.
For example, to grant the ability to create/delete dynamic distribution group objects, the following steps must be performed:
Run the following command to grant the Admin account the appropriate permission to manage dynamic distribution groups in the OU.
Add-ADPermission "ou=Container1,dc=Contoso,dc=com" -User company\Admin -AccessRights GenericAll -InheritanceType Descendents -InheritedObjectType msExchDynamicDistributionList
To run the preceding command in Exchange 2007 SP1:
Add-ADPermission -Identity "ou=Container1,dc=Contoso,dc=com" -User "Contoso\OU1AdminGroup" -AccessRights GenericAll -ChildObjectTypes msExchDynamicDistributionList
Run the following command to grant the Admin account the appropriate permission to create and delete dynamic distribution groups in the OU.
Add-ADPermission "ou=Container1,dc=Contoso,dc=com" -User company\Admin -AccessRights CreateChild, DeleteChild -ChildObjectTypes msExchDynamicDistributionList
Run the following command to grant the Admin account the extended right to access the Recipient Update Service.
Add-ADPermission -Identity "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\OU1AdminGroup" -InheritedObjectType ms-Exch-Exchange-Server -ExtendedRights ms-Exch-Recipient-Update-Access -InheritanceType Descendents
Run the following commands to grant the Admin account the ability to update the address lists and e-mail address policies.
Add-ADPermission -Identity "CN=Address Lists Container,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
Add-ADPermission -Identity "CN=Recipient Policies,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
Changing Dynamic Distribution Group Object Properties
To run the Set-DynamicDistributionGroup cmdlet against a dynamic distribution group object, the following permissions must be granted:
The account you use must be delegated the Exchange View-Only Administrator role.
The Exchange administrator must have Read and Write access to the desired group object attributes. For more information about how the Set-DynamicDistributionGroup properties map to the Active Directory attributes, see the "Dynamic Distribution Group-Related Properties" section earlier in this topic.
In addition, because the Set-DynamicDistributionGroup cmdlet is used to make sure that the object is assigned to the appropriate e-mail address policy, the Exchange Administrator also requires the following permissions:
The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.
Read and Write access to the following attributes:
proxyAddresses
msExchPoliciesIncluded
msExchPoliciesExcluded
mail
textEncodedORAddress
Public Folder-Related Tasks
New in Exchange 2007 SP1
Each organization defines what it expects from an Exchange administrator. However, Exchange administrators have to perform certain common tasks with regard to public folder objects, such as the following:
Mail-enabling public folder objects
Mail-disabling public folder objects
Changing properties on mail-enabled public folder objects
Mail-Enabling Public Folder Objects
To run the Enable-MailPublicFolder cmdlet against a public folder object, the account you use must be delegated the Exchange Public Folder Administrator role.
Mail-Disabling Public Folder Objects
To run the Disable-MailPublicFolder cmdlet against a public folder object, the account you use must be delegated the Exchange Public Folder Administrator role.
Changing Mail-Enabled Public Folder Object Properties
To run the Set-MailPublicFolder cmdlet against a public folder object, the following permissions must be granted:
The account you use must be delegated the Exchange Public Folder Administrator role.
The Exchange administrator must have Read and Write access to the desired group object attributes. For more information about how the Set-MailPublicFolder properties map to the Active Directory Attributes, see the "Public Folder-Related Properties" section earlier in this topic.
In addition, because you can use the Set-MailPublicFolder cmdlet to make sure that the object is assigned to the appropriate e-mail address policy, the Exchange Administrator also requires the following:
The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.
Read and Write access to the following attributes:
proxyAddresses
msExchPoliciesIncluded
msExchPoliciesExcluded
mail
textEncodedORAddress