Skip Ribbon Commands
Skip to main content
Navigate Up
Sign In



PowerShell for Tier-2 Exchange Administrators

Using PowerShell and the Exchange Management Shell (EMS), the following commands can assist Exchange Tier-2 Administrators. (Yes, you still have a GUI, too - the Exchange Control Panel - )
It is assumed you are running these commands from the EMS or you can use Remote PowerShell to load the Exchange PowerShell module directly from one of the Exchange servers:

(NOTE: Use a regular PowerShell console for remote PowerShell to Exchange 2013 - don't load other Exchange PowerShell modules)

$srv = "exmbxprd" + (Get-Random -Minimum 1 -Maximum 20).ToString().PadLeft(2,'0')
= Get-Credential
= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$ -Authentication Kerberos -Credential $UserCredential

Mail Enable a Universal Security Group

Enable-DistributionGroup -Identity "<Descriptive Name of Group>" 
-Alias "<alias-for-DL-(no-spaces)>"

Ex: [PS] C:\>Enable-DistributionGroup -Identity ". My-Dept SP - GBAS training readers" 
-Alias "My-Dept-SP-GBAS-training-readers" 
  • Identity: Title of the DL as seen in the Address Book
  • Alias: Must remove periods, commas, and spaces

NOTE: The DL's Alias my not contain spaces, commas, or periods, keep to just hypens and/or CamelCase.
NOTE: First create a Universal Security Group to mail enable - must be Universal in Exchange 2010. Create a Security group for greater use potential for other uses like for UF Connect SharePoint permissions (you can give staff permissions to modify the DL). 

Create Distribution Group
New-DistributionGroup -Name "Descriptive Name of Group" -Alias "alias-for-DistributionGroup-(no-spaces)" -OrganizationalUnit "OU Path to where to create Distribution Group"
Here is an example / definitions that might help...
Ex: New-DistributionGroup -Name ". BA-FA Accounting - Core Manager" -Alias "BA-FA-Accounting-Core-Manager" -OrganizationalUnit ""
Name: Title of the DL as seen in the Address Book
Alias: Must remove periods, commas, and spaces
OrganizationalUnit: OU where to create the DL
Create Dynamic Distribution List Based On Group Membership

New-DynamicDistributionGroup -Name "<Descriptive Name of Group>" 
-Alias "<alias-for-DL-(no-spaces)>" -OrganizationalUnit "<OU Path to where create DL>" 
-RecipientContainer "<Base OU to begin search>" -RecipientFilter <LDAP query>

Ex: [PS] C:\>New-DynamicDistributionGroup -Name ". My Dept Accounting - Core Manager" 
-Alias "My-Dept-Accounting-Core-Manager" 
-OrganizationalUnit "" 
-RecipientContainer "" 
-RecipientFilter {(MemberOfGroup 
-eq "cn=MyCoolGroup,ou=MyGroupOU,ou=Groups,ou=UF,dc=ad,dc=ufl,dc=edu")}" 
-RecipientContainer "" 
-RecipientFilter {(MemberOfGroup 
-eq "cn=MyCoolGroup,ou=MyGroupOU,ou=Groups,ou=UF,dc=ad,dc=ufl,dc=edu")}
  • Name: Title of the DL as seen in the Address Book
  • Alias: Must remove periods, commas, and spaces
  • OrganizationalUnit: OU where to create the DL
  • RecipientContainer: Top OU below which to look for members to include in the group
  • RecipientFilter: Selects the accounts to populate the DL

NOTE: If using EMS to modify a dynamic DL, you must include the full RecipientFilter value in the "set-" command if modifying the existing filter - it will include the automatically added filters to remove System Accounts, etc. - it will be just an overwrite.

Add Secondary User to a Mailbox with Full Control

Add-MailboxPermission -Identity <AliasAddingTo> -User <UserNameOrGroupGettingAdded> -AccessRights Fullaccess -InheritanceType all

Ex: [PS] C:\>Add-MailboxPermission -Identity fa-webmaster -User gasperj -AccessRights Fullaccess -InheritanceType all
  • Identity: Alias of mailbox to which you are adding a secondary user
  • User: Alias of secondary user/group

Grant a User SendAs Rights to Another User's Mailbox (this does not work on distribution groups)

Add-AdPermission -Identity <AD AliasAddingTo> -User <UserNameOrGroupGettingAdded> -ExtendedRights Send-As

Ex: [PS] C:\>Add-AdPermission -Identity dept-webmaster -User GatorWeb -ExtendedRights Send-As
  • Identity: AD Alias of mailbox to which you are allowing Send As permissions
  • User: Alias of user/group granted SendAs rights

***To grant SendAs permissions on a distribution group, you must apply the permission directly on the object in Active Directory.

Create a Resource (Room) Mailbox and Set Permissions 

  1. Create a service account in ADUC that will be the mailbox owner.
  2. Add the account to your unit's Exchange Users group and to UFX-Enable-Mailbox group. When the account is nolonger a member of the UFX-Enable-Mailbox group, the automatic process will have run and the account will have a mailbox (it should take less than 15 minutes).
  3. Change the mailbox to a Room resource: 
    Set-Mailbox -Identity "AliasBeingModifed" -Type Room
  4. Enable automatic processing of meeting requests: 
    Set-CalendarProcessing -Identity "AliasBeingModifed" -AutomateProcessing AutoAccept -AllBookInPolicy $true -AddAdditionalResponse $true -AdditionalResponse "Your meeting request has been accepted, but it may take 5 minutes before the meeting appears in the free/busy display for the room."
  5. Set default permissions on the mailbox calendar to Reviewer (enables viewing as a shared calendar): 
    Set-MailboxFolderPermission -Identity "AliasBeingModifed:\Calendar" -user "Default" -AccessRights Reviewer
  6. Add permissions on the mailbox calendar for a group to edit their own entries:
    Add-MailboxFolderPermission -Identity "AliasBeingModifed:\Calendar" -user "My Group" -AccessRights Author
[PS] C:\>Set-Mailbox -Identity "fa-mbx-tigert2-36" -Type Room

[PS] C:\>Set-CalendarProcessing -Identity "fa-mbx-tigert2-36" -AutomateProcessing AutoAccept -AllBookInPolicy $true -AddAdditionalResponse $true -AdditionalResponse "Your meeting request has been accepted, but it may take 5 minutes before the meeting appears in the free/busy display for the room."

[PS] C:\>Set-MailboxFolderPermission -Identity "fa-mbx-tigert2-36:\Calendar" -user "Default" -AccessRights Reviewer 
To restrict who can request the room resource, you can use the standard message delivery restrictions:
Ex: Set-Mailbox -Identity "AliasBeingModifed" -AcceptMessagesOnlyFrom "Albert Gator","Alberta Gator" -AcceptMessagesOnlyFromDLMembers "Gator Mascot Distribution Group"

Adding an Additional Email Address to a Recipient

You can add an additional email address (proxy, secondary) to a recipient by using a one-line command:
Set-Mailbox albertag -EmailAddresses @{Add=''}
Similarly, to remove an e-mail address in Exchange 2010:
Set-Mailbox albertg -EmailAddresses @{Remove=''}

Enable and Manage Internet Calendar Publishing

You can query the publishing status, detail levels and URLs using the Get-MailboxCalendarFolder cmdlet.
[PS] G:\>Get-MailboxCalendarFolder -Identity my-dept-cal:\Calendar

PublishEnabled       : False
PublishDateRangeFrom : ThreeMonths
PublishDateRangeTo   : ThreeMonths
DetailLevel          : AvailabilityOnly
SearchableUrlEnabled : False
PublishedCalendarUrl :
PublishedICalUrl     :
IsValid              : True
You can enable Internet Calendar Sharing using the Set-MailboxCalendarFolder cmdlet.
[PS] G:\>Set-MailboxCalendarFolder -Identity my-dept-cal:\Calendar -PublishEnabled $true -DetailLevel "LimitedDetails"
[PS] G:\>Get-MailboxCalendarFolder -Identity my-dept-cal:\Calendar | fl Search*,Published*
SearchableUrlEnabled : False
PublishedCalendarUrl :
PublishedICalUrl     :
Note that by default the Urls are obfuscated with random characters. You can enable a much user friendly and easily searchable url by setting the SearchableUrlEnabled value to $true.
[PS] G:\>Set-MailboxCalendarFolder -Identity my-dept-cal:\Calendar -SearchableUrlEnabled:$true
[PS] G:\>Get-MailboxCalendarFolder -Identity my-dept-cal:\Calendar | fl Search*,Published*
SearchableUrlEnabled : True
PublishedCalendarUrl :
PublishedICalUrl     :

Migrate User Mailbox to SVC Account

This procedure can be used when you need to preserve mail and/or mail delivery for a user departing UF.

First steps
  1. Export the user's mailbox to a PST file.  See Export a Mailbox to a PST File
  2. Create a SVC account mailbox.
After your PST is exported and your SVC account mailbox is created.

Back up user's mailbox attributes: [Need Exchange CMDlets]

​# Get user mailbox info​​​
$umbx = Get-Mailbox -Identity emailaddress
# Pull user email addresses into a variable
$addrs = $umbx.EmailAddresses  | ?{$_ -notlike "SIP*"}
# Add user legacyexchangedn to list of email addresses
$addrs += "x500:$($umbx.LegacyExchangeDN)"​

Disable user's mailbox by adding to ufx-disable-mailbox-201# group. Allow 30 mins for the script to run.

Import PST from users mailbox to SVC Acct mailbox.  See Import A PST File into a Mailbox
Once disabled, add Email Addresses to SVC Acct mailbox:

# Add user email addresses to service account mailbox
Set-Mailbox -Identity svcmailbox -EmailAddresses @{Add=$addrs}

Finally, test mail flow to ensure delivery.
Export a Mailbox to a PST File

To export a mailbox or archive, you must first create a network shared folder. You need to grant read/write permission to the group "Exchange Trusted Subsystem" to the network share where you'll export or import mailboxes. You may need to edit share permissions and NTFS permissions. If you have a firewall/ACL you may need to open access to the Exchange servers - their subnets are: and

​​#Create batch request to export mailboxes to PST (recommend the BadItemLimit):
$exportTo = "\\My-Server-fqdn\MyShare\PST"
$batch = "MyDept-YearMonthDay-01"
#When exporting a single mailbox
@("user1") | %{New-MailboxExportRequest -Mailbox $_ -BatchName $batch -FilePath "$exportTo\$_.pst" -BadItemLimit 50}
#When exporting multiple mailboxes
@("user1","user2","user3") | %{New-MailboxExportRequest -Mailbox $_ -BatchName $batch -FilePath "$exportTo\$_.pst" -BadItemLimit 50}

#Getting the status of Export batch request:
Get-MailboxExportRequest -BatchName $batch | ft -AutoSize

#Getting approximate PST size:
@("user1","user2") | %{Get-MailboxStatistics $_ | ft DisplayName,TotalItemSize -AutoSize}

NOTE: If you need to change the BadItemLimit because of failed exports (use status cmdlet above), increase the bad item limit and resume:
Get-MailboxExportRequest -status failed -BatchName $batch | Set-MailboxExportRequest -BadItemLimit -500 -AcceptLargeDataLoss
Get-MailboxExportRequest -status failed -BatchName $batch | Resume-MailboxExportRequest

NOTE: You can use New-MailboxImportRequest to transfer a PST into a mailbox, see: Create a Mailbox Import Request​

Import a PST File into a Mailbox
#Import the PST into the user's maibox
$usergl = 'gatorlinkusername'
$folder = 'RecoveredEmail'
New-MailboxImportRequest -Mailbox $usergl -FilePath "\\my-server-fqdn\share\Fmr-employee-pst\$usergl.pst" -TargetRootFolder $folder -Name "Import_$usergl"
 (Note: share must be accessible by "Exchange Trusted Subsystem" group.
Set Distribution Group Owner
NOTE: In Exchange 2013, you must be an owner of a distribution group to add another owner. The -BypassSecurityGroupManagerCheck switch will allow Exchange Admins to get around this.
Set-DistributionGroup -identity MyDistributionGroup -BypassSecurityGroupManagerCheck -ManagedBy 'glid1','glid2','glid3'   #initial set of user(s)
Set-DistributionGroup -identity MyDistributionGroup -BypassSecurityGroupManagerCheck -ManagedBy @{add= 'glid4'}   #add another user
Set-DistributionGroup -identity MyDistributionGroup -BypassSecurityGroupManagerCheck -ManagedBy @{remove= 'glid3'}  #remove a user

Mail Recovery Options

We don’t provide recovery in Exchange, however this is something you should be able to accomplish yourself as long as the mail items still exist. 

The most common reasons for missing folders/messages in a mailbox is that the user inadvertently deletes or moves them. 

You can use PowerShell to search and recover items or you can try manually searching through the user’s recoverable items with an Outlook client (either directly or via an exported .pst). 

Here’s some documentation on the cmdlets you can use…

And a helpful tutorial that sounds like it could be useful to you…


 Last modified at 12/7/2017 11:45 AM by Gasper, Joe