2. Managing Contacts
Mail contacts are mail-enabled Active Directory contacts that contain information about recipients that exist outside your Exchange Server organization. Mail contacts
are visible in the GAL, and can be added as members to distribution
groups. Each contact has an internal e-mail alias and an external
e-mail address. All e-mail messages to a contact are automatically
forwarded to the external e-mail address.
If multiple people within
your organization regularly communicate with a trusted external person,
you can create a mail contact with the person's e-mail address. This
way the contact will show up in the GAL and allow people to send the
person e-mail without first having to look up contact information. Mail
contacts are
often used when contract employees frequently communicate with
full-time employees but the contract employee has a separate e-mail
system. The contact will allow the company's users to send e-mail to
the contract employee using the GAL and the contractor will continue to
receive e-mail messages in his primary mailbox.
Mail users are similar to mail contacts
because both have external e-mail addresses and can contain information
about people outside your Exchange Server organization. You can also
display them in the GAL and other address lists. However, unlike a mail
contact, mail users have Active Directory logon credentials and can be
assigned access to resources. If a contract employee or other external
person requires access to network resources and will continue to use
her primary e-mail system, you should create a mail user instead of a
mail contact.
Another situation in which mail users and mail contacts
can be valuable is during migrations or long-term coexistence between
Exchange organizations or between mail systems. This allows you to
provide a consolidated GAL by creating contacts in both Exchange
organizations that forward e-mail to users in the other organization.
For example, Litware, Inc., acquired Proseware, Inc., a smaller niche
publishing company. Both companies will be working closely together but
don't have plans to establish network connectivity between the
companies and migrate all users and mailboxes into the same Active
Directory forest until the end of the next fiscal year. In the interim
they created Mail Users for employees that will require access to the
other company's information through a client VPN connection. They
created Mail Contacts for all other users, which allows them to use the
GAL to look up contact information as well as send e-mail to people in
the other company.
Creating a new mail contact is straightforward in both the EMC and the EMS. For example, to create a contact using the EMS, run the following cmdlet:
New-MailContact -Name "Kamil Amireh" -ExternalEmailAddress [email protected] -OrganizationalUnit ProsewareContacts
To mail-enable an existing contact using the EMS, you could run a cmdlet like this:
Enable-MailContact -Identity "Terry Adams" -ExternalEmailAddress [email protected]
At times you will need to remove a mail contact from Active Directory. You can do this in the EMS by running Remove-MailContact -Identity "Terry Adams".
3. Managing Groups
Mail-enabled groups
are used to send e-mail to multiple recipients and to assign
permissions to multiple users for Exchange objects. These Exchange
objects include private mailboxes and public folders. In Exchange 2010,
mail-enabled groups belong to one of the following four categories:
Distribution groups
These mail-enabled groups can only be assigned Exchange object permissions for things such as Public Folders. Distribution groups can be either static or dynamic. The membership of a static distribution
group is defined with a list of members, whereas the membership of a
dynamic group is defined by an OPATH filter that provides Exchange with
the search criteria to locate the members of the group when e-mail
messages are sent to the group. Distribution groups can be used to
assign Exchange client permissions for objects such as public folders
and mailbox folders; however, they cannot be used to assign permissions
outside of Exchange for files or Active Directory.
Public groups
A new feature of Exchange 2010 that allows end users to manage the
distribution groups that they own through the ECP. Within the ECP, the
end user can add or remove group members, moderate the group, or even
request access to other public groups.
Moderated groups
These allow the distribution group manager to moderate messages sent to
the group. This includes approving and rejecting all messages sent to
the group or from specific users. Moderated groups can be used to
restrict the conversations that occur between group members. These
restrictions should be used for large groups or groups that deal with
sensitive information that needs to be controlled.
Universal Security groups
Security groups are used to assign permissions to groups of users;
however, they can also be mail-enabled and used as distribution groups.
These security groups can be used to assign permissions both for
Exchange and non-Exchange objects.
When creating distribution
groups it is important to consider following a naming convention. Doing
so allows users to more easily identify distribution groups with their
e-mail client. Some organizations like to prepend text or information
about who owns the distribution group to the name of the distribution
group. For example, the Contoso IT department decided that all
distribution groups should be prepended with the ^ character. This
helps arrange all distribution lists to the top of the GAL, allowing
users to quickly find the groups. Fabrikam chose to prepend all groups
with the name of the department—for example, Sales Engineers and Marketing Events.
Exchange 2010 SP1 adds the
ability to require groups to follow a specified naming convention. The
naming convention can require a specific suffix or prefix to the group
name. The required text could be a specific text string, such as the ^
character that Contoso uses. This required text could also include
information included in the following attributes of the group:
The policy can also include a combination of these rules. This policy can be set using the Set-OrganizationConfig cmdlet or by using the ECP, as shown in Figure 2. This feature can also block specific words from being used in group names as well as set the default OU that all distribution groups should be created in.
3.1. Moderated Groups
Moderated groups are a new feature in Exchange 2010 that requires
messages sent to a mail-enabled group to be approved before they are
delivered to the recipients of the group. A moderator of the group
is designated and given rights to approve or deny messages. This
feature helps to detain or remove any messages that might be
inappropriate for the group. You can see the Message Moderation properties of a moderated group in Figure 3.
These properties provide you with the ability to assign multiple
administrators, exempt users from moderation, and adjust how unapproved
messages are handled.
3.2. Public Groups
Public groups
are a new feature in Exchange 2010 that allows users to join
and leave groups as needed without having to call the help desk. Users
can use the functionality in the ECP to do this. Administrators can
also configure a group to allow open membership from within the ECP,
EMS, and EMC. Although administrators can use Active
Directory Users And Computers to manage membership of these groups,
they do not have access to any of the Exchange-specific settings. You
should always use the Exchange management tools to manage public groups.
A public group by
definition is a distribution group that has been configured to allow
users to join the group by using the ECP. To set a mail-enabled group
to be a public group using the EMS you can run Set-DistributionGroup GroupName -MemberJoinRestriction Open -MemberDepartRestriction Open.
Using the ECP, EMS, or EMC the public group can be configured to
require owner approval to join the group. If the group is set to be
Open, users can join this distribution group without the approval of
the distribution group owners. If the group
is configured as Closed, only distribution group owners can add members
to the group and any requests to join the distribution group will be
rejected automatically. If the group
is set for owner approval, users can request membership on this
distribution group, and the distribution group owner must approve or
reject the request.
A public group can also be configured to require approval for leaving the group. If the MemberDepartRestriction
property of the group is set to Open, users can leave the distribution
group without the approval of the distribution group owners. If the
group is set to Closed, only distribution group owners can remove
members from this distribution group and any requests to leave this
distribution group will be rejected automatically.
A user can view the list of the groups he is currently a member of as well as look for other groups to join within ECP, as shown in Figure 4. The Public
Groups management section in the ECP is also where a user who is the
administrator for a group can modify membership, hide the group from
the GAL, modify the MailTip, and make other changes.
3.3. Dynamic Groups
One of the first decisions that you need to make when it comes to distribution groups is deciding whether they will be static or dynamic distribution groups. Static
groups are just that, static; you must manually remove or add members.
Dynamic groups can be automatically maintained based on user attributes
of Active Directory. Wherever possible, it's best practice to use
dynamic distribution groups because of the reduced administrative effort required to maintain the group membership over time. Using static groups can lead to distribution
groups with no defined purpose and can result in members being in a
group that they no longer qualify for or users being left out of
essential distribution groups.
Dynamic distribution groups were introduced along with Exchange 2003 and provide an easy way to automatically create groups
without manually adding users. To create a dynamic distribution group
for a list of all users in the Sales OU, you can run New-DynamicDistributionGroup -Name "SalesGroup" -IncludedRecipients MailboxUsers -OrganizationalUnit Sales.
Dynamic groups have
drawbacks also. Membership in a dynamic distribution group can be
controlled by the user if you base the criteria on a user attribute
that the user can modify using the ECP, such as city or state. A user
may be able to gain membership to a group by changing a user attribute.
The filter that controls a dynamic group should be based on user
attributes that are secured if sensitive information is being sent to
that distribution group. Auditing these groups on a regular basis is
recommended to ensure the integrity of the Exchange organization's distribution
groups. It's important to determine ahead of time whether you need a
dynamic or a static group—you can't convert a static group to a dynamic
group or vice versa. You can, however, re-create the group and manually
configure it as needed.
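The audit recommended above can be partly automated. The following is an added example, not code from the original text: it flags dynamic distribution groups whose recipient filter depends on attributes a user may be able to change through the ECP. The helper name Find-SelfServiceFilteredGroup, the attribute list, and the sample group objects are assumptions constructed for illustration.

```powershell
# Added example; not from the original text. Runs in PowerShell 2.0 or later.
# ASSUMPTION: attributes users can edit themselves in the ECP. Adjust to match
# what your role assignment policy actually lets users change.
$SelfServiceAttributes = 'City', 'StateOrProvince', 'PostalCode',
                         'CountryOrRegion', 'Office', 'Phone', 'MobilePhone'

function Find-SelfServiceFilteredGroup {   # hypothetical helper name
    param(
        [Parameter(ValueFromPipeline = $true)] $Group,
        [string[]] $Attributes = $SelfServiceAttributes
    )
    process {
        # Flag each listed attribute that appears as the left side of an
        # OPATH comparison in the group's RecipientFilter.
        $hits = @(foreach ($a in $Attributes) {
            $pattern = '\b' + [regex]::Escape($a) + '\s+-(eq|ne|like|notlike)\b'
            if ($Group.RecipientFilter -match $pattern) { $a }
        })
        if ($hits.Count -gt 0) {
            New-Object PSObject -Property @{
                Name            = $Group.Name
                Attributes      = ($hits -join ', ')
                RecipientFilter = $Group.RecipientFilter
            }
        }
    }
}

# Constructed sample objects standing in for Get-DynamicDistributionGroup output.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'SalesGroup'
        RecipientFilter = "(RecipientType -eq 'UserMailbox')" }),
    (New-Object PSObject -Property @{ Name = 'Seattle-Facilities'
        RecipientFilter = "((RecipientType -eq 'UserMailbox') -and (City -eq 'Seattle'))" }),
    (New-Object PSObject -Property @{ Name = 'WA-Payroll-Notices'
        RecipientFilter = "((StateOrProvince -eq 'WA') -and (Department -like 'Fin*'))" })
)
$sample | Find-SelfServiceFilteredGroup | Format-List Name, Attributes, RecipientFilter

# In the EMS, audit the live organization and preview who a flagged group resolves to:
#   Get-DynamicDistributionGroup -ResultSize Unlimited | Find-SelfServiceFilteredGroup
#   $g = Get-DynamicDistributionGroup "WA-Payroll-Notices"
#   Get-Recipient -RecipientPreviewFilter $g.RecipientFilter -OrganizationalUnit $g.RecipientContainer
```

With the sample data, the second and third groups are reported (for City and StateOrProvince respectively), while SalesGroup, which filters only on recipient type, is not.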