How to change your expired passwords in OWA Exchange 2010 SP3

Exchange Server 2010 Service Pack 1 and Exchange Server 2007 Service Pack 3 (running on Windows Server 2008 or Windows Server 2008 R2) have a new feature that will allow users with expired passwords to change their password. This also works for users who have their accounts configured to change password on next logon (User must change password at next logon in ADUC).

Use this procedure to enable it on Exchange 2007 SP3 and Exchange 2010 SP1 Client Access servers:

Note: If you are using a CAS Array, you must perform these steps on each CAS in the array.

  1. On the Client Access Server (CAS), click Start > Run, type regedit.exe and click OK.
  2. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA.
  3. Right-click the MSExchange OWA key and click New > DWORD (32-bit) Value.
  4. Name the DWORD value ChangeExpiredPasswordEnabled and set it to 1.
     Note: The accepted values are 1 (or any non-zero value) for “Enabled”, and 0 or blank / not present for “Disabled”.
  5. After you configure this DWORD value, you must reset IIS. The recommended method is to run IISReset /noforce from a command prompt.

Important: When changing passwords, users can’t use a UPN (for example, johndoe@contoso.com) in the Domain\user name field in the Change Password window shown below, unless E2010 SP1 RU3 or later has been deployed on the Client Access servers.
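Added here as an example (not part of the original post): a PowerShell script that reads and then applies the ChangeExpiredPasswordEnabled setting on every Client Access server, since the procedure has to be repeated on each CAS in a CAS array. It assumes the Exchange 2010 Management Shell (for Get-ClientAccessServer) and that PowerShell remoting (WinRM) is enabled on the CAS servers; the function names are my own.

```powershell
# Added example, not the original post's code. Assumes the Exchange 2010 Management
# Shell and WinRM remoting to each CAS. Get-OwaExpiredPasswordState is read-only;
# Enable-OwaExpiredPasswordChange writes the DWORD and recycles IIS with /noforce.

$owaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$valueName = 'ChangeExpiredPasswordEnabled'

# Report the current value on each CAS. A missing value or 0 means the feature is off;
# any non-zero value means it is on.
function Get-OwaExpiredPasswordState {
    param([string[]]$Server = (Get-ClientAccessServer | ForEach-Object { $_.Name }))
    foreach ($cas in $Server) {
        $value = Invoke-Command -ComputerName $cas -ArgumentList $owaKey, $valueName -ScriptBlock {
            param($key, $name)
            if (Test-Path $key) { (Get-ItemProperty -Path $key).$name } else { $null }
        }
        New-Object PSObject -Property @{
            Server  = $cas
            Value   = $value
            Enabled = ($value -ne $null -and $value -ne 0)
        }
    }
}

# Set the DWORD to 1 on each CAS (creating the key if it is missing), recycle IIS
# without dropping active connections, and return the verified state afterwards.
function Enable-OwaExpiredPasswordChange {
    param([string[]]$Server = (Get-ClientAccessServer | ForEach-Object { $_.Name }))
    foreach ($cas in $Server) {
        Invoke-Command -ComputerName $cas -ArgumentList $owaKey, $valueName -ScriptBlock {
            param($key, $name)
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # -Force overwrites an existing value; the type must be a 32-bit DWORD.
            New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
            iisreset.exe /noforce | Out-Null
        }
    }
    Get-OwaExpiredPasswordState -Server $Server
}

# Usage: check first, then enable on every CAS and confirm.
Get-OwaExpiredPasswordState | Format-Table Server, Value, Enabled -AutoSize
Enable-OwaExpiredPasswordChange | Format-Table Server, Value, Enabled -AutoSize
```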

Understanding Exchange 2010 server Roles

With Exchange Server Setup, you can deploy servers with specific roles throughout the enterprise. Prior to setup and configuration, you need to decide how you will use Exchange Server 2010, what roles you will deploy, and where you will locate those roles. Afterward, you can plan for your deployment and then roll out Exchange Server.

Exchange Server 2010 implementations have three layers in their architecture: a network layer, a directory layer, and a messaging layer. The messaging layer is where you define and deploy the Exchange Server roles. The Exchange servers at the core of the messaging layer can operate in the following roles:

Mailbox Server This is a back-end server that hosts mailboxes, public folders, and related messaging data, such as address lists, resource scheduling, and meeting items. For high availability of mailbox databases, you can use database availability groups.

Client Access Server This is a middle-tier server that accepts connections to Exchange Server from a variety of clients. This server hosts the protocols used by all clients when checking messages. On the local network, Outlook MAPI clients are connected directly to the Client Access server to check mail. Remote users can check their mail over the Internet by using Outlook Anywhere, Outlook Web App, Exchange ActiveSync, POP3, or IMAP4.

Unified Messaging Server This is a middle-tier server that integrates a private branch exchange (PBX) system with Exchange Server 2010, allowing voice messages and faxes to be stored with e-mail in a user’s mailbox. Unified messaging supports call answering with automated greetings and message recording, fax receiving, and dial-in access. With dial-in access, users can use Outlook Voice Access to check voice mail, e-mail, and calendar information; to review or dial contacts; and to configure preferences and personal options. Note that to receive faxes, you need an integrated solution from a Microsoft partner.

Hub Transport Server This is a mail routing server that handles mail flow, routing, and delivery within the Exchange organization. This server processes all mail that is sent inside the organization before it is delivered to a mailbox in the organization or routed to users outside the organization. Processing ensures that senders and recipients are resolved and filtered as appropriate, content is filtered and has its format converted if necessary, and attachments are screened. To meet any regulatory or organizational compliance requirements, the Hub Transport server can also record, or journal, messages and add disclaimers to them.

Edge Transport Server This serves as an additional mail routing server that routes mail into and out of the Exchange organization. This server is designed to be deployed in an organization’s perimeter network and is used to establish a secure boundary between the organization and the Internet. This server accepts mail coming into the organization from the Internet and from trusted servers in external organizations, processes the mail to protect against some types of spam messages and viruses, and routes all accepted messages to a Hub Transport server inside the organization.

These five roles are the building blocks of an Exchange organization. Note that you can combine all of the roles except for the Edge Transport server role on a single server. One of the most basic Exchange organizations you can create is one that includes a single Exchange server that provides the Mailbox server, Client Access server, and Hub Transport server roles. These three roles are the minimum required for routing and delivering messages to both local and remote messaging clients. For added security, you could deploy the Edge Transport server role in a perimeter network on one or more separate servers.

How to view current mailbox size, message count and last logon

You can use the Exchange Management Console to view who last logged on to a mailbox, the last logon date and time, the mailbox size, and the message count by completing these steps:

1. Expand the Recipient Configuration node and then select the Mailbox node.
2. Double-click the mailbox with which you want to work.
3. On the General tab, the Last Logged On By text box shows who last logged on to the mailbox, and the Modified entry shows the date and time the mailbox was last modified.
4. On the General tab, the Total Items and Size (KB) areas show the number of messages in the mailbox and the current mailbox size in kilobytes, respectively.

If you want to view similar information for all mailboxes on a server, the easiest way is to use the Get-MailboxStatistics cmdlet. Here are some examples of using this cmdlet.

Get-MailboxStatistics -Server 'corpsvr127'
Get-MailboxStatistics -Database 'Engineering Primary'
Get-MailboxStatistics -Identity 'cpandl\williams'

How to grant permissions on another user's mailbox using PowerShell

Sometimes users need to access someone else’s mailbox, and in certain situations this is appropriate and preferable. You can grant permissions for a mailbox in two ways: grant access to the mailbox and its contents, or grant the right to send messages as the mailbox owner.

If you want to grant access to a mailbox and its contents but not grant Send As permissions, you can use the Manage Full Access Permission Wizard. In the Exchange Management Console, right-click the mailbox you want to work with and then select Manage Full Access Permission.

In the Manage Full Access Permission Wizard, click Add, and then use the Select User Or Group dialog box to choose the user or users who should have access to the mailbox. To revoke the authority to access the mailbox, select an existing user name in the Security Principal list box and then click Remove. Click Manage to set the desired access permissions.

In the Exchange Management Shell, you can use the Add-MailboxPermission and Remove-MailboxPermission cmdlets to manage full access permissions.

Adding full access permissions

Add-MailboxPermission -Identity UserWhoseMailboxIsBeingConfigured -User UserBeingGrantedPermission -AccessRights 'FullAccess'


Add-MailboxPermission -Identity 'Manager@hitechcandy.com' -User 'hiotechcandy\premr' -AccessRights 'FullAccess'


Removing full access permissions

Remove-MailboxPermission -Identity 'UserWhoseMailboxIsBeingConfigured' -User 'UserBeingRevokedPermission' -AccessRights 'FullAccess' -InheritanceType 'All'


Remove-MailboxPermission -Identity 'Manager@hitechcandy.com' -User 'hiotechcandy\premr' -AccessRights 'FullAccess' -InheritanceType 'All'

If you want to grant Send As permissions, you can use the Manage Send As Permission Wizard. In the Exchange Management Console, right-click the mailbox you want to work with and then select Manage Send As Permission. In the Manage Send As Permission Wizard, click Add, and then use the Select Recipient dialog box to choose the user or users who should have this permission. To revoke this permission, select an existing user name in the Security Principal list box and then click Remove. Click Manage to set the desired Send As permissions.

In the Exchange Management Shell, you can use the Add-ADPermission and Remove-ADPermission cmdlets to manage Send As permissions.

Adding Send As permissions

Add-ADPermission -Identity UserWhoseMailboxIsBeingConfigured -User UserBeingGrantedPermission -ExtendedRights 'Send-As'


Add-ADPermission -Identity 'Manager@hitechcandy.com' -User 'hiotechcandy\premr' -ExtendedRights 'Send-As'

or, in Exchange Online (this cmdlet is not available on-premises):

Add-RecipientPermission -Identity 'Manager@hitechcandy.com' -Trustee 'hiotechcandy\premr' -AccessRights SendAs

Removing Send As permissions

Remove-ADPermission -Identity UserWhoseMailboxIsBeingConfigured -User UserBeingRevokedPermission -ExtendedRights 'Send-As' -InheritanceType 'All' -ChildObjectTypes $null -InheritedObjectType $null -Properties $null


Remove-ADPermission -Identity 'Manager@hitechcandy.com' -User 'hiotechcandy\premr' -ExtendedRights 'Send-As' -InheritanceType 'All' -ChildObjectTypes $null -InheritedObjectType $null -Properties $null
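Added here as an example (not from the original post): a report of every explicit Full Access and Send As grant on mailboxes, so that delegated access created with the cmdlets above can be reviewed. It uses Get-MailboxPermission and Get-ADPermission, the read-side counterparts of Add-MailboxPermission and Add-ADPermission, and assumes the Exchange 2010 Management Shell; the function name is my own.

```powershell
# Added example, not the original post's code. Lists non-inherited, non-Deny
# Full Access and Send As entries, skipping the owner (NT AUTHORITY\SELF).
# Assumes the Exchange 2010 Management Shell.

function Get-MailboxDelegationReport {
    param([string]$Database)   # optional: limit the report to one mailbox database

    # -ResultSize Unlimited avoids the default 1000-object cap of Get-Mailbox.
    if ($Database) { $mailboxes = Get-Mailbox -Database $Database -ResultSize Unlimited }
    else           { $mailboxes = Get-Mailbox -ResultSize Unlimited }

    foreach ($mbx in $mailboxes) {
        # Full Access is a mailbox right, so it is read with Get-MailboxPermission.
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { ($_.AccessRights -like '*FullAccess*') -and -not $_.IsInherited -and
                           -not $_.Deny -and ($_.User -notlike 'NT AUTHORITY\SELF') } |
            ForEach-Object {
                New-Object PSObject -Property @{ Mailbox = $mbx.PrimarySmtpAddress.ToString()
                                                 Trustee = $_.User.ToString(); Right = 'FullAccess' } }

        # Send As is an extended right on the AD user object, hence Get-ADPermission.
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object { ($_.ExtendedRights -like '*Send-As*') -and -not $_.IsInherited -and
                           -not $_.Deny -and ($_.User -notlike 'NT AUTHORITY\SELF') } |
            ForEach-Object {
                New-Object PSObject -Property @{ Mailbox = $mbx.PrimarySmtpAddress.ToString()
                                                 Trustee = $_.User.ToString(); Right = 'Send-As' } }
    }
}

# Usage: one row per (mailbox, trustee, right), grouped by trustee so that a
# single account holding access to many mailboxes stands out.
Get-MailboxDelegationReport | Sort-Object Trustee, Mailbox | Format-Table Mailbox, Trustee, Right -AutoSize
```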

How to hide a mailbox from the address book in Exchange Server 2010

You might want to hide a mailbox so that it doesn’t appear in the global address list or other address lists. One reason for doing this is if you have administrative mailboxes that you use only for special purposes.

To hide a mailbox from the address lists, follow these steps:

1. Open the Properties dialog box for the mailbox-enabled user account by double-clicking the user name in the Exchange Management Console.

2. On the General tab, select the Hide From Exchange Address Lists check box and then click OK.

How to configure auditing for Exchange Server

Auditing lets you track what’s happening with Exchange Server. You can collect information about logons and logoffs, permission use, and much more. Any time an action that you’ve configured for auditing occurs, it is written to the system’s security log, which you can access from Event Viewer.

You can audit Exchange activity by enabling auditing in a Group Policy object applied to your Exchange servers. This policy object can be a local Group Policy object or an Active Directory Group Policy object. You manage a server’s local Group Policy object using the Local Security Policy tool. You manage Active Directory Group Policy using the Group Policy Management Console (GPMC). GPMC is included as a Windows feature with Windows Vista and later versions of Windows. After you add GPMC as a feature, you can access it on the Administrative Tools menu.

You can enable Exchange auditing by completing the following steps:

1. Start the Group Policy Management Console by clicking Start, All Programs, Administrative Tools, Group Policy Management. You can now navigate through the forest and domains in the organization to view individual Group Policy objects.

2. To specifically audit users’ actions on Exchange Server, you should consider creating an organizational unit (OU) for Exchange servers and then define auditing policy for a Group Policy object applied to the OU. After you’ve created the OU or if you have an existing OU for Exchange servers, right-click the related policy object, and then select Edit to open the policy object for editing in Group Policy Management Editor.

3. You access the Audit Policy node by working your way down through the console tree. Expand Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies. Then select Audit Policy.

4. You should now see the following auditing options:

Audit Account Logon Events Tracks user account authentication during logon. Account logon events are generated on the authenticating computer when a user is authenticated.
Audit Account Management Tracks account management by means of Active Directory Users And Computers. Events are generated any time user, computer, or group accounts are created, modified, or deleted.
Audit Directory Service Access Tracks access to Active Directory. Events are generated any time users or computers access the directory.
Audit Logon Events Tracks local logon events for a server or workstation.
Audit Object Access Tracks system resource usage for mailboxes, information stores, and other types of objects.
Audit Policy Change Tracks changes to user rights, auditing, and trust relationships.
Audit Privilege Use Tracks the use of user rights and privileges, such as the right to create mailboxes.
Audit Process Tracking Tracks system processes and the resources they use.
Audit System Events Tracks system startup, shutdown, and restart, as well as actions that affect system security or the security log.

5. To configure an auditing policy, double-click or right-click its entry, and then select Properties. This opens a Properties dialog box for the policy.

6. Select the Define These Policy Settings check box, and then select the Success check box, the Failure check box, or both. Success logs successful events, such as successful logon attempts. Failure logs failed events, such as failed logon attempts.

7. Repeat steps 5 and 6 to enable other auditing policies. Note that the policy changes won’t be applied until the next time you start the Exchange server.

How to create a user account with a mailbox by using the New-Mailbox cmdlet in Exchange 2010

Use the following command in the Exchange Management Shell to create the user account and the mailbox at the same time (the trailing backticks continue the command on the next line; because -Password is not supplied, the shell prompts for the initial password):

New-Mailbox -Name "Prem Rana" -Alias "premr" -OrganizationalUnit "hitechcandy.com/People" `
  -Database "mbxDatabase1" -UserPrincipalName premr@hitechcandy.com -SamAccountName "shanek" -FirstName "Prem" `
  -Initials "P" -LastName "Rana" -ResetPasswordOnNextLogon $true

How to create a new mailbox in Exchange 2010 using the Management Console

To create a user mailbox, follow these steps:

1. Open the Exchange Management Console (EMC) and expand the Recipient Configuration node.

2. Right-click Mailbox and choose New Mailbox…

You can also create a new mailbox by clicking New Mailbox… in the Actions pane on the right.

3. On the New Mailbox page, the available mailbox types are:

User Mailbox:
Select this button to create a mailbox that is owned by a user to send and receive e-mail messages. User mailboxes can’t be used for resource scheduling.

Room Mailbox:
Select this button to create a mailbox that will be used as a location resource for scheduling meetings. Room mailboxes can be included in meeting requests as resources and can be configured to automatically process incoming requests.
If you create a new user account for the room mailbox in Active Directory, it will be disabled. If you plan to associate the room mailbox with an existing account, you must select a disabled account.

Equipment Mailbox:
Select this button to create a mailbox that will be used as a resource for scheduling meetings. Equipment mailboxes can be included in meeting requests as resources and can be configured to automatically process incoming requests.

Linked Mailbox:
Select this button to create a user mailbox that is accessed by a user in a separate, trusted forest. You must still create a user account in the forest in which Exchange Server resides. This is required to create the necessary Active Directory object for storing the mailbox information.

Choose User Mailbox and then click Next.

4. On the User Type page, you can either create a new mailbox for a new user or a new mailbox for an existing user in Active Directory.
New User: Select this button to simultaneously create a new user in Active Directory and mail-enable the user.
Existing users: Select this button to mail-enable one or more existing users.
If you already have an Active Directory user for whom you wish to create a new mailbox, select Existing User and then click Add to open the Select User dialog box. This dialog box displays a list of user accounts in the forest that aren’t mail-enabled or don’t have Exchange mailboxes. Select the user accounts you want to mail-enable, and then click OK to return to the wizard.
We will be creating a new user, so select New User and then click Next.

5. On the User Information page, fill in the user information and then click Next.
If you want to create the user in a specific OU, select the check box beside Specify the organizational unit rather than using a default one, click Browse, select the appropriate OU and click OK.

6. Type the Alias for the user mailbox, and then specify the mailbox database, retention policy, Exchange ActiveSync mailbox policy and address book policy (if available).
I will only be selecting the mailbox database, as I haven't created any policies yet.
To select a database, select Specify the mailbox database rather than using a database automatically selected, then click Browse. The available databases will be displayed; select the mailbox database and then click OK. The selected database will be displayed; click Next.

7. Choose the archive settings.
You can have a local archive or a remote hosted archive for the user mailbox. Items will be moved automatically from the primary user mailbox to the archive based on the retention settings.

8. Review the configuration settings and then click New.

9. When the wizard completes successfully, click Finish to close it.

10. Finally, you can see the new user in the Mailbox node under Recipient Configuration.

Understanding Autodiscover in Exchange 2007/2010

Autodiscover is a feature that enables automatic client profile configuration and provides the end point of Exchange Web Services (EWS), so that clients can use EWS-related features such as getting free/busy information. The following TechNet article explains more about Autodiscover.

Autodiscover service

https://technet.microsoft.com/en-us/library/bb124251(v=exchg.160).aspx

When the Outlook client runs Autodiscover, it tries the following locations in order:

1) The URL defined in the SCP (Service Connection Point) in on-premises Active Directory.

2) https://<SMTP-address-domain>/autodiscover/autodiscover.xml

3) https://autodiscover.<SMTP-address-domain>/autodiscover/autodiscover.xml

4) <SMTP-address-domain> defined in a local XML file

5) http://autodiscover.<SMTP-address-domain>/autodiscover/autodiscover.xml (redirect check)

6) _autodiscover._tcp.<SMTP-address-domain> (SRV record)

Let me explain some key terms and the detailed behavior.

What is an SCP?

SCP is the abbreviation for Service Connection Point, an Active Directory object that holds the connection end point for an Exchange-related service. An SCP is created for each CAS (in Exchange 2007/2010) or Mailbox server. SCPs can be found in the Active Directory Configuration partition using ADSI Edit, as follows.

[Configuration] – [CN=Configuration,DC=example,DC=local] – [CN=Services] – [CN=Microsoft Exchange] – [CN=<Organization Name>] – [CN=Administrative Groups] – [CN=Exchange Administrative Group (FYDIBOHF23SPDLT)] – [CN=Servers] – [CN=<CAS or Mailbox server name>] – [CN=Protocols] – [CN=Autodiscover] – [CN=<CAS or Mailbox server name>]

Which SCP does Outlook client access?

First, be aware of which AD site the client belongs to.

Outlook looks at the Keyword attribute of each SCP in the SCP list. This attribute contains an AD site name, and Outlook checks whether its own AD site matches the one defined in the Keyword attribute. If Outlook finds an SCP whose Keyword attribute matches its AD site, Outlook sends the Autodiscover request to the URL defined in the ServiceBindingInformation attribute of that SCP.

If there is no SCP whose Keyword matches the client’s AD site, Outlook attempts to connect to each SCP in the order of the SCP list obtained by the LDAP query. There is no sort mechanism for the SCP list, so in general Outlook connects to the SCPs in random order (as a rule of thumb, the order in which the SCPs were created).


In other words, the Autodiscover access point is configurable by changing the Keyword or ServiceBindingInformation attributes. Those attributes are set with the Set-ClientAccessServer cmdlet: the Keyword attribute corresponds to the AutodiscoverSiteScope parameter, and ServiceBindingInformation to the AutodiscoverServiceInternalUri parameter.

There is a TechNet article that explains how to control the target SCP using the AutodiscoverSiteScope parameter.

Configure the Autodiscover Service to Use Site Affinity

https://technet.microsoft.com/en-us/library/aa998575(v=exchg.141).aspx

Non-domain joined Outlook client scenario

Non-domain-joined (workgroup) clients cannot access the SCP, so they start trying to connect from step (2) above. This means you need a DNS A record for autodiscover.<smtp-address-domain>, or a hosts file entry for autodiscover.<smtp-address-domain>.

Resource/Account forest scenario

If you run Exchange in a resource/account forest topology, user accounts and clients reside in the account forest and use “linked mailboxes” to connect to mailboxes in the resource forest. For clients to make a successful Autodiscover connection, you must either have SCPs in the account forest or create DNS records (since the SCP lookup fails).

There is an Exchange PowerShell cmdlet, Export-AutoDiscoverConfig, that creates the SCP in the account forest. You run this command from Exchange in the resource forest as follows:

Export-AutoDiscoverConfig -TargetForestDomainController <DC in account forest> -TargetForestCredential:(Get-Credential)

For more detail on Export-AutoDiscoverConfig, see the following TechNet article.

Export-AutoDiscoverConfig

https://technet.microsoft.com/en-us/library/aa998832(v=exchg.160).aspx

The SCP created in the account forest has a ServiceBindingInformation attribute pointing to the LDAP URL of the resource forest (for example, LDAP://example.com).

The Outlook client connects to a DC in the resource forest based on this LDAP URL and gets the ServiceBindingInformation attribute of the SCP in the resource forest.

How does the Outlook client choose an SCP if there are multiple SCPs in the resource forest?

The behavior is the same as explained previously: Outlook relies on the Keyword attribute (AutodiscoverSiteScope). In other words, if the SCP of a CAS or Mailbox server has AutodiscoverSiteScope set to the AD site “AccountForest01”, all clients in “AccountForest01” always attempt to connect to the AutodiscoverServiceInternalUri of the corresponding Exchange servers.


Hybrid Exchange scenario

If you plan to migrate on-premises Exchange to Exchange Online, you may need to configure hybrid Exchange. I think Autodiscover matters even more in a hybrid scenario, because it lets users connect to a mailbox in Exchange Online without any manual profile changes after migration. You may wonder how Outlook finds the correct target Exchange server even after the mailbox has moved from on-premises Exchange to Exchange Online. The secret is the remote mailbox in on-premises Exchange: when you move a mailbox to Exchange Online in a hybrid environment, the moved mailbox turns into a “remote mailbox”, which is basically a mail-enabled user. This conversion is part of the mailbox migration and happens automatically.

The process of finding the Autodiscover end point does not depend on the mailbox location (on-premises or cloud); it is the same as explained earlier. A domain-joined client first looks up the SCP and attempts to connect to the on-premises Exchange servers defined in the SCP. If the mailbox has moved to Exchange Online (that is, it has become a remote mailbox), the Outlook client makes another Autodiscover request based on the RemoteRoutingAddress parameter of the remote mailbox.

Here is how Outlook makes the Autodiscover requests.

Sample user account:

Primary SMTP address: User1@contoso.com

RemoteRoutingAddress: User1@contoso.mail.onmicrosoft.com

You can check the RemoteRoutingAddress with the following cmdlet:

Get-RemoteMailbox <User name> | FL RemoteRoutingAddress


1) Detect the Autodiscover end point (URL) from the SCP, based on the user’s primary SMTP address

(Example: https://onpremEx01.contoso.com/Autodiscover/Autodiscover.xml)

The client may subsequently make Autodiscover requests based on the contoso.com domain.

2) Detect Autodiscover redirect (User1@contoso.mail.onmicrosoft.com)

3) Autodiscover to https://contoso.mail.onmicrosoft.com/autodiscover/autodiscover.xml

4) Autodiscover to https://autodiscover.contoso.mail.onmicrosoft.com/autodiscover/autodiscover.xml

5) Local autodiscover to contoso.mail.onmicrosoft.com

6) Redirect check to http://autodiscover.contoso.mail.onmicrosoft.com/autodiscover/autodiscover.xml

7) Autodiscover URL redirection to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml

8) Autodiscover to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml

9) Redirect check to http://autodiscover.contoso.mail.onmicrosoft.com/autodiscover/autodiscover.xml

If the client is domain-joined, Step 1 is always performed and the client attempts to connect to the on-premises Exchange servers.

If you set the following registry value on the Outlook client, the client skips the SCP lookup even if it is domain-joined.

HKEY_CURRENT_USER\Software\Microsoft\Office\<Outlook version (see note)>\Outlook\AutoDiscover

Value Name: ExcludeScpLookup

Type: REG_DWORD

Value: 0x00000001 (1)

Note: The Outlook version is 14.0 for Outlook 2010, 15.0 for Outlook 2013 and 16.0 for Outlook 2016.

Troubleshooting Autodiscover

So far, we have covered basic Autodiscover behavior and how the Outlook client makes Autodiscover requests in a few well-known scenarios.

Now I want to walk you through some troubleshooting steps so that you can tell whether Autodiscover is working, and if not, what is going wrong.

Check with Test E-mail AutoConfiguration

Test E-mail AutoConfiguration is your friend. It helps you check whether Autodiscover succeeds, or how far the Autodiscover process gets before it fails.

1) Start Outlook.

2) Log on to an Outlook profile, and then right-click the Outlook icon in the task tray.

3) Click “Test E-mail AutoConfiguration”.

4) Enter the correct email address if needed, and provide credentials if asked.

5) Check only “Use Autodiscover”.

6) Check the “Results” tab if Autodiscover succeeds, and check the “Log” tab to see where Autodiscover fails.

7) If you are familiar with the Autodiscover response (XML), checking the “XML” tab helps you see whether the client received the expected response.

————– Additional tips —————–

You can use Test E-mail AutoConfiguration even if you don’t have an Outlook profile.

Here are the steps.

1) Delete all profiles and start Outlook.

2) Enter an Outlook profile name and click “OK”.

3) Click “Cancel” and then “OK” in the dialog box so that no profile is created.

4) Click “Next” in the profile creation wizard.

5) Click “No” and then click “Next”.

6) Check “Use Outlook without an email account” and click “Finish”.

————————————————


Test with browser access

You can use any browser to access the Autodiscover endpoint. If it fails, you may have a network issue or another cause that prevents you from accessing it.

If the Outlook client is not domain-joined, the Autodiscover endpoint is most likely https://autodiscover.<SMTP-address-domain>/autodiscover/autodiscover.xml.

Open any browser and try accessing that endpoint.

You will be asked for credentials. If you provide correct credentials and see the following response, you can successfully access the endpoint. If not, you should troubleshoot further (it is most likely network-related).

<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="06:32:34.3818286" Id="413347856">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData/>
    </Error>
  </Response>
</Autodiscover>
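Added here as an example (not from the original post): PowerShell that models the client behavior described on this page. It builds the ordered list of endpoints Outlook tries for an SMTP address (steps 2 to 6 in the list above; step 1, the SCP lookup, needs a domain-joined client and is left out), reads an Autodiscover XML response such as the error-600 body from the browser test or the redirectAddr answer that drives the hybrid chain, and reports whether ExcludeScpLookup is set on this client. The function names are my own and the sample responses are constructed, not captured from a server.

```powershell
# Added example, not the original post's code. Assumes Windows PowerShell 2.0 or later;
# no Exchange cmdlets are needed, and the sample XML below is constructed.

function Get-AutodiscoverCandidates {
    param([Parameter(Mandatory = $true)][string]$SmtpAddress)
    # The SMTP domain is everything after the last '@'.
    $domain = $SmtpAddress.Substring($SmtpAddress.LastIndexOf('@') + 1).ToLower()
    $steps = @(
        @{ Step = 2; Method = 'HTTPS POST';          Target = "https://$domain/autodiscover/autodiscover.xml" },
        @{ Step = 3; Method = 'HTTPS POST';          Target = "https://autodiscover.$domain/autodiscover/autodiscover.xml" },
        @{ Step = 4; Method = 'Local XML';           Target = "local Autodiscover XML file mapped to $domain" },
        @{ Step = 5; Method = 'HTTP redirect check'; Target = "http://autodiscover.$domain/autodiscover/autodiscover.xml" },
        @{ Step = 6; Method = 'DNS SRV';             Target = "_autodiscover._tcp.$domain" }
    )
    foreach ($s in $steps) { New-Object PSObject -Property $s }
}

function Read-AutodiscoverResponse {
    param([Parameter(Mandatory = $true)][string]$Xml)
    $resp = ([xml]$Xml).Autodiscover.Response
    # <Error> means the service answered but rejected the request. A plain browser GET
    # legitimately gets 600 "Invalid Request" (Autodiscover expects a POST), so 600 is
    # the "endpoint reachable" signal the browser test relies on.
    if ($resp.Error) {
        return New-Object PSObject -Property @{
            Kind = 'Error'; Detail = "$($resp.Error.ErrorCode) $($resp.Error.Message)"
            EndpointReachable = ($resp.Error.ErrorCode -eq '600') }
    }
    $account = $resp.Account
    $kind = 'Unknown'; $detail = $resp.OuterXml
    switch ($account.Action) {
        'redirectAddr' { $kind = 'RedirectAddr'; $detail = $account.RedirectAddr }   # hybrid: RemoteRoutingAddress
        'redirectUrl'  { $kind = 'RedirectUrl';  $detail = $account.RedirectUrl }
        'settings'     { $kind = 'Settings';     $detail = (@($account.Protocol | ForEach-Object { $_.Type }) -join ', ') }
    }
    New-Object PSObject -Property @{ Kind = $kind; Detail = $detail; EndpointReachable = $true }
}

# Constructed samples: the error-600 body from the browser test, and the redirectAddr
# answer an on-premises CAS returns for a mailbox that has become a remote mailbox.
$errorSample = @'
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response><Error Time="06:32:34.3818286" Id="413347856"><ErrorCode>600</ErrorCode>
  <Message>Invalid Request</Message><DebugData/></Error></Response>
</Autodiscover>
'@
$redirectSample = @'
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account><AccountType>email</AccountType><Action>redirectAddr</Action>
      <RedirectAddr>User1@contoso.mail.onmicrosoft.com</RedirectAddr></Account>
  </Response>
</Autodiscover>
'@

Read-AutodiscoverResponse -Xml $errorSample | Format-List Kind, Detail, EndpointReachable

# Hybrid chain: the on-premises answer for User1@contoso.com is a redirectAddr, so the
# client repeats the whole candidate list for the RemoteRoutingAddress domain.
$answer = Read-AutodiscoverResponse -Xml $redirectSample
if ($answer.Kind -eq 'RedirectAddr') {
    Get-AutodiscoverCandidates -SmtpAddress $answer.Detail | Format-Table Step, Method, Target -AutoSize
}

# Is ExcludeScpLookup set on this client (skips step 1 even when domain-joined)?
function Get-OutlookScpLookupState {
    foreach ($ver in '14.0', '15.0', '16.0') {   # Outlook 2010, 2013, 2016
        $key = "HKCU:\Software\Microsoft\Office\$ver\Outlook\AutoDiscover"
        $val = $null
        if (Test-Path $key) { $val = (Get-ItemProperty -Path $key).ExcludeScpLookup }
        New-Object PSObject -Property @{ OutlookVersion = $ver; ExcludeScpLookup = $val; ScpLookupSkipped = ($val -eq 1) }
    }
}
Get-OutlookScpLookupState | Format-Table OutlookVersion, ExcludeScpLookup, ScpLookupSkipped -AutoSize
```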


Test with ExRCA

The Remote Connectivity Analyzer (ExRCA) helps you diagnose Autodiscover, Outlook connectivity, or EWS-related issues.

Here are the steps:

1) Access the following URL:

https://testconnectivity.microsoft.com/

2) If you want to check Autodiscover connectivity, check “Outlook Autodiscover”.

3) Enter the SMTP address and credentials for the user you want to test, and then click “Perform Test”.

4) If you see “Connectivity Test Successful” as the result, you have no issue. If not, expand each test phase to get detailed error information like the following.