UF Exchange Tier-2 Operations Guide
This guide documents the daily tasks that Tier-2 Administrators may need to perform in support of their departmental Exchange users.
UF Exchange utilizes the Roles Based Access Control (RBAC) model to delegate permissions to unit administrators. Administrators are granted rights over their respective People and Department OU’s to perform management tasks. Exchange management is performed via the Exchange Admin Center (EAC) and the Exchange Management Shell (EMS). The Exchange Admin Center is a web-based administrative portal; this has changed from 2010 which used the EMC – an MMC based console. The Exchange Management Shell remains unchanged.
Departmental administrators need to download the Exchange 2013 media from the Microsoft Download Site and install the client tools. These tools should be run on Windows 7+ x64.
Your installed Exchange management tools must match the exact service pack and cumulative update levels on the UF Exchange servers.
When installing the Exchange 2013 management tools you should use to use the default options. Following the installation you will have a programs group that contains the following:
- Exchange Administrative Center - Shortcut to the EAC on the local computer. Will not work on management workstations.
- Exchange Management Shell - Exchange Powershell
- Exchange Server Help - Link to Exchange Server 2013 documentation on Technet.
- Exchange Toolbox - MMC interface to Queue Viewer
For UF Exchange (not, UF Health) Tier-2 there is an extra step that needs to be done following the installation of the Exchange Management tools. Exchange 2013 in now deployed across two different Active Directory Sites. Because of this, the default installation of the Exchange Management Shell will try to connect to an Legacy Exchange server in the Default AD site. We recommend that you modify the EMS shortcut to connect to a specific Exchange server.
In Windows Explorer - Navigate to the following folder.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Exchange Server 2013
Right Click the Exchange Management Shell Shortcut and select Properties.
Modify the Target value to read the following.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -ServerFqdn exmbxprd01.ad.ufl.edu -ClientApplication:ManagementShell "
Exchange Admin Center (EAC):
The EAC is a web interface which allows you to manage your Exchange users and resources. You access the EAC by pointing a browser at: https://mail.ufl.edu/ecp using your ADM username and password.
Tier-2 will be primarily interested in the Recipients and Permission sections of the web interface.
Recipient management is split out into 5 types:
• Mailboxes – Primary User Mailboxes
• Groups – Distribution and Mail Enabled Security Groups
• Resources – Resource Mailboxes
By default only 500 objects are returned in a paged view with 50 results per-page. While you can modify the Maximum number of recipients to view it’s a better practice to filter your results. You can use the “Advanced Search” feature to scope your query using a number of attributes. For instance you can select only user mailboxes associated with your department by click the ellipses – Advanced Search selecting Department, entering a department identifier such as CNS-OSG, and clicking OK.
Optionally you could specify this search directly as:
To modify a recipient you can double-click on their entry in the results.
For mailboxes located in the People OU you will be able to edit a smaller number of attributes than Departments OU (service mailboxes). Attributes that you cannot edit will typically be grayed our otherwise inaccessible.
E-mail Addresses can be edited by selecting “email address” and using the add, remove and edit icons to manage SMTP addresses.
For People OU mailboxes the following addresses are always present
with the @ufl.edu set as primary. If your College / Unit does not use third-level domains there is no reason to edit these addresses; in fact; doing so can interfere with processes that manage SMTP addresses following events such as renames.
For Colleges / Units that use third-level domains UFIT recommends that you use e-mail address policies. These are rules in Exchange that automatically add SMTP addresses based on criteria such as OU location or typically group membership. E-mail Address Policies are the preferred method for assigning SMTP addresses in Exchange and are the _only_ supported method for assigning third-level domains to Office 365 mailboxes.
Exchange Management Shell (EMS)
The EMS is a command-line Powershell interface used to manage Exchange. You can use the EMS to modify any configuration that you would in the EAC. You can actually perform more actions within the EMS than you can within the EAC. When you use the EAC you are actually calling Powershell under the hood.
Mailboxes are created by a back-end script at a 15 minute interval. To enable a mailbox add the AD user to the following groups.
ad.ufl.edu/UF/Groups/Exchange User Groups/DEPT-Exchange-Users
ad.ufl.edu/UF/Groups/Exchange User Groups/UFX-Enable-Mailbox-2013
The mailbox provisioning process has 2 requirements.
1) The user exists in a DEPT-Exchange-Users group
2) The user is not located in the “Other” or “Disabled” People OU.
a. Service Account mailboxes (eg. Department OU) do not have this requirement.
*Please remember to set the UF Business Email Address.
This means that your users must have a valid Network Managed By. It is important to keep the NMB up to date, since RBAC roles and permissions are assigned based on OU location, you cannot manage a user until he or she is in your departments “People” OU.
Disabling mailboxes is a similar process to enabling them and also runs on a 15 minute interval. To disable a mailbox you must first remove the user from your Exchange users group at:
ad.ufl.edu/UF/Groups/Exchange User Groups/DEPT-Exchange-Users
You then add their Gatorlink to the following group.
ad.ufl.edu/UF/Groups/Exchange User Groups/UFX-Disable-Mailbox-2013
The process will remove all Exchange attributes on the user object, disconnect the mailbox and set an External SMTP address of firstname.lastname@example.org.
Please note: If you wish to export a user mailbox to PST, this must be performed before the NMB change. Once the NMB change is made the user will be moved out of your OU and your RBAC write scopes will not apply.
Creating a Distribution Group (List)
- Create a Universal Security group in UFAD and add your intended recipients.
- Using Exchange Management Shell, execute Enable-DistributionGroup "Name of Group".
- In EAC, navigate to recipients > groups and search for your UFAD object. Double-click to manage e.g. SMTP addresses and distribution list options.
Recipients – Mailboxes – Search – double-click mailbox – mailbox delegation
From here you can manage Send-As, Send-On-Behalf, and Full Mailbox permissions by choosing the add or remove icons and searching for a recipient.
Managing Full Access:
Grant Josh Full Access over James’ mailboxes.
Add-MailboxPermission -Identity James -User Josh -AccessRights FullAccess -Inheritancetype all
Granting SendAs permission:
The following command would grant Josh Rights to SendAs James.
Add-ADPermission –Identify James –User UFAD\Josh –ExtendedRights “Send As”
Import and Export (PST) operations:
In 2013 administrators two cmdlets, New-MailboxImportRequest and New-MailboxExportRequest are used to import and export mailboxes respectively. As part of the command syntax you can direct Exchange to read or write against a fileshare hosted in your department. There are two requirements for this share.
1) It must be accessible by all Exchange systems. Be mindful of ACL’s. [see subnet info below]
2) Access must be granted to the “Exchange Trusted Subsystem” group.
The following snippet from Microsoft Technet details the -filepath requirements:
“The FilePath parameter specifies the network share path of the .pst file from which data is imported, for example,
You need to grant read/write permission to the group Exchange Trusted Subsystem to the network share where you'll export or import mailboxes. If you don't grant this permission, you'll receive an error message stating that Exchange is unable to establish a connection to the target mailbox. “
New-MailboxImportRequest -Mailbox User –FilePath \\SRV\PST$\Gatorlink.pst
Note: There are other options that direct where in the mailbox hierarchy the imported mail is placed (Target Root Folder). Please consult the Technet documentation: http://technet.microsoft.com/en-us/library/ff607310.aspx
New-MailboxExportRequest -Mailbox User –FilePath \\SRV\PST$\Gatorlink.pst
UF Exchange currently uses the following subnets: