0 votes

Hi there.
I'm trying to work out the best way to create a shared mailbox, which will automatically create a group based on the shared mailbox name, and then add this group to the delegation of the shared mailbox.
Any advice/scripts etc will be much appreciated.
Thanks

by (180 points)
0

Hello,

Yes, that can be done with the help of a script. We've asked our script guys to do it for you. As soon as it is ready, we'll update this topic.

0

Superb. Thanks for this :)

0

Here's one that I've made with some help from other posts in the forum. It may work for you.

Import-Module Adaxes
$exchangeServer = "exchange.domain.local"

#Get the full name of the resource user
$displayname = '%fullname%'

#Set the name of the Access group, based on username, removing commas
$MAGroupName = "MAIL - " + $displayname.replace(',','')

#Get list of users that should be added to the MA group, split and trim them.
$UsersWithPermission = ($Context.TargetObject.Get("adm-CustomAttributeText5")).Split(",")
for ($i = 0; $i -lt $UsersWithPermission.Length; $i++)
{
    $UsersWithPermission[$i] = $UsersWithPermission[$i].Trim()
}

# Disable the MB User Object
$targetUser = $Context.BindToObject($Context.TargetObject.AdsPath)
$targetUser.AccountDisabled = $True
$targetUser.SetInfo()

#Get the name of a DC to use for everything from now on
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$rootDSE = $Context.BindToObject("Adaxes://$domainName/rootDSE")
$domainControllerFQDN = $rootDSE.Get("dnsHostName")

#Create and import PSSession with Exchange for mailbox creation
$session = new-pssession -connectionURI "http://$exchangeServer/powershell" -ConfigurationName Microsoft.Exchange
Import-PSSession -session $session

#Create the mailbox
Enable-Mailbox -Identity '%userPrincipalName%' -DomainController $domainControllerFQDN -Shared -Database DB01

#Set some custom stuff
Set-Mailbox -Identity '%userPrincipalName%' -DomainController $domainControllerFQDN -IssueWarningQuota 200MB -ProhibitSendQuota 250MB -ProhibitSendReceiveQuota 300MB -UseDatabaseQuotaDefaults $false

#Create the Access group
if ((Get-AdmGroup $MAGroupName -ErrorAction SilentlyContinue) -eq $NULL) {
  $Context.LogMessage("Creating MA Group","Information")

  $MAGroupProperties = New-AdmGroup -Name $MAGroupName -SamAccountName $MAGroupName -GroupScope Global -Server $domainControllerFQDN -Path "OU=Groups,DC=Domain,DC=Local" -PassThru    

  #Get Mailbox DN
  $sharedMailBox = Get-MailBox -Identity '%userPrincipalName%' -DomainController $domainControllerFQDN | Select-Object DistinguishedName

  #Add Full Access Perms
  $Context.LogMessage("Adding FullAccess Permissions for $($MAGroupProperties.DistinguishedName)","Information")
  Add-MailboxPermission -Identity $sharedMailBox.DistinguishedName -User $MAGroupProperties.DistinguishedName -DomainController $domainControllerFQDN -AccessRights 'FullAccess'

  #Add SendAs Perms
  $Context.LogMessage("Adding SendAs Permissions for $($MAGroupProperties.DistinguishedName)","Information")
  Add-ADPermission -Identity $sharedMailBox.DistinguishedName -User $MAGroupProperties.DistinguishedName -DomainController $domainControllerFQDN -Extendedrights 'Send As'
  $Context.LogMessage("Done Mailbox Stuff","Information")

  #Add users to Access Group
  foreach ($User in $UsersWithPermission) {
      if ((Get-AdmUser $User -ErrorAction SilentlyContinue) -ne $NULL) {
          $Context.LogMessage("Adding $User to MA Group","Information")
          Add-AdmGroupMember $MAGroupProperties.DistinguishedName $User
      } else {
          $Context.LogMessage("User $User not found. Please add manually.","Warning")
      }
  }
} else {
    $Context.LogMessage("MA Group Already Exists. Not creating group, or setting mailbox permissions.", "Warning")
}
Remove-PSSession -Session $session

#$Context.LogMessage("Done Everything","Information")

We have an OU specifically for shared mailboxes, so we created a business rule that kicks in when a user is created there. We also used a custom attribute on the web interface to allow a list of users to be entered that should be added to the mail access group.

Hope it works for you!

1 Answer

0 votes
by (216k points)

Hello,

Since shared mailboxes are represented as disabled user accounts in Active Directory, you can use a customized Create User Home Page Action in your Adaxes Web Interface to create such mailboxes. When creating a shared mailbox with such a Home Page Action, you can also set a certain property of that user account to a certain predefined value that will indicate that a user created via the Home Page Action will be a shared mailbox. Then, you can create a Business Rule that will be triggered after creating a user and check the value of the property that you chose. If it equals the predefined value, the Business Rule will create a shared mailbox, a group and perform all the other necessary actions. For this purpose you can use one of the Adaxes virtual properties, for example, CustomAttributeBoolean1 and set it to True. Adaxes virtual properties are not stored in Active Directory, but you can use them the same as any other property of directory objects.

I. Create Home Page Action
For information on how to create a Home Page Action described above, see section Create New Object in the Configure Home Page Actions tutorial.

To automatically set the CustomAttributeBoolean1 property to True, you need to add a predefined field for the property. For information on how to add it, see Step 4 of the Create New Object section.

II. Create Business Rule
To create a Business Rule that will actually set up a new shared mailbox and a group that will be added to the delegation of the created shared mailbox:

  1. Create a new Business Rule.

  2. On the 2nd step of the Create Business Rule wizard, select User and After Creating a User.

  3. On the 3rd step, add the Run a program or PowerShell script action and paste the following script in the Script field.

     $exchangeServer = "ExchangeServer.domain.com" # TODO: Modify me
     $groupName = "SG_%name%" # TODO: Modify me
     $ouDN = "OU=Groups,DC=domain,DC=com" # TODO: Modify me
     [Softerra.Adaxes.Interop.Adsi.ADS_GROUP_TYPE_ENUM]$groupType =
         "ADS_GROUP_TYPE_GLOBAL_GROUP, ADS_GROUP_TYPE_SECURITY_ENABLED" # TODO: Modify me
    
     # Disable the Target User
     $targetUser = $Context.BindToObject($Context.TargetObject.AdsPath)
     $targetUser.AccountDisabled = $True
     $targetUser.SetInfo()
    
     $domainName = $Context.GetObjectDomain("%distinguishedName%")
     $rootDSE = $Context.BindToObject("Adaxes://$domainName/rootDSE")
     $domainControllerFQDN = $rootDSE.Get("dnsHostName")
    
     $session = new-pssession -connectionURI "http://$exchangeServer/powershell" -ConfigurationName Microsoft.Exchange
     Import-PSSession -session $session
    
     # Create shared mailbox
     Enable-Mailbox -Identity '%userPrincipalName%' -DomainController $domainControllerFQDN -Shared
     $sharedMailBox = Get-MailBox -Identity '%userPrincipalName%' -DomainController $domainControllerFQDN | Select-Object DistinguishedName
    
     # Create group
     $ou = $Context.BindToObjectByDN($ouDN)
     $group = $ou.Create("group", "CN=$groupName")
     $group.Put("groupType", [Int32]$groupType)
     $group.Put("sAMAccountName", $groupName)
     $group.SetInfo()
    
     # Grant FullAccess permission for the shared mailbox to the group
     Add-MailboxPermission -Identity $sharedMailBox.DistinguishedName -User $groupName -DomainController $domainControllerFQDN `
         -AccessRight FullAccess -InheritanceType All
     # Grant SendAs permission for the shared mailbox to the group
     Add-ADPermission -Identity $sharedMailBox.DistinguishedName -User $groupName -DomainController $domainControllerFQDN `
         -Extendedrights "Send As"
    
     # Remove remote PowerShell session and free up resources
     Remove-PSSession -Session $session
    
  4. In the script, modify the following to match your requirements:

    • $exchangeServer - specifies the fully qualified domain name (FQDN) of your Exchange Server.
    • $groupName - specifies the template for the group name. In the template, you can use the %name% value reference that will be replaced with the name of user account for which the rule is executed.
    • $ouDN - specifies the Distinguished Name (DN) of the OU where the group will be created. If you need to create groups in the same OU where the account of the shared mailbox resides, use the %adm-ParentDN% value reference.
    • $groupType - specifies the group type and scope. For a complete list of possible values, see ADS_GROUP_TYPE_ENUM.
  5. Enter a short description for the script and click OK.

  6. Now, you need to add a condition when the script will be executed. Right-click the action that you've just added and select Add Condition.

  7. Select the If <property> <relation> <value> condition type.

  8. In the <property> drop-down list, select Show all properties and select the virtual property that you chose as a trigger for the script, e.g. CustomAttributeBoolean1.

  9. Select equals and True.

  10. Click OK.

  11. Finish creation of the Business Rule.
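
A post-provisioning check for the rule above, as an added example that is not part of the original answer or of Adaxes: it flags explicit FullAccess or Send As grants on the shared mailbox that go to anyone other than the delegation group. The function name `Find-UnexpectedDelegate`, the `EXAMPLE` domain and the sample entries are constructed for illustration.

```powershell
# Added example (not from the thread). Flags explicit, non-inherited allow
# entries granting FullAccess or Send As to anyone except the delegation group.
function Find-UnexpectedDelegate {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,        # permission entries to review
        [Parameter(Mandatory)] [string]   $ExpectedGroup,  # e.g. 'EXAMPLE\SG_SalesShared'
        [string[]] $Ignore = @('NT AUTHORITY\SELF')        # the mailbox's own account
    )
    foreach ($e in $Entries) {
        # Inherited and deny entries are not delegations made by the script.
        if ($e.IsInherited -or $e.Deny) { continue }

        # Mailbox permissions carry AccessRights, AD permissions carry ExtendedRights.
        $rights = @($e.AccessRights) + @($e.ExtendedRights) | Where-Object { $_ }
        $sensitive = $rights | Where-Object { "$_" -match '^(FullAccess|Send[ -]As)$' }
        if (-not $sensitive) { continue }

        $user = "$($e.User)"
        if ($user -eq $ExpectedGroup -or $Ignore -contains $user) { continue }

        [pscustomobject]@{
            Mailbox = "$($e.Identity)"
            User    = $user
            Rights  = ($sensitive -join ',')
        }
    }
}

# Constructed sample entries, shaped like Get-MailboxPermission / Get-ADPermission output.
$sample = @(
    [pscustomobject]@{ Identity = 'SalesShared'; User = 'NT AUTHORITY\SELF'
                       AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'SalesShared'; User = 'EXAMPLE\SG_SalesShared'
                       AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'SalesShared'; User = 'EXAMPLE\SG_SalesShared'
                       ExtendedRights = @('Send-As'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'SalesShared'; User = 'EXAMPLE\jdoe'
                       AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'SalesShared'; User = 'EXAMPLE\Organization Management'
                       AccessRights = @('FullAccess'); IsInherited = $true; Deny = $false }
)

# Only the direct grant to EXAMPLE\jdoe is reported for the sample data.
Find-UnexpectedDelegate -Entries $sample -ExpectedGroup 'EXAMPLE\SG_SalesShared'

# Live use inside the imported Exchange session:
#   $entries = @(Get-MailboxPermission -Identity $dn) + @(Get-ADPermission -Identity $dn)
#   Find-UnexpectedDelegate -Entries $entries -ExpectedGroup 'DOMAIN\SG_<mailbox name>'
```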

0

Superb. Thanks very much for both replies. I'll start working on it today. :)

0

This works like a charm for our company as well, thanks Support!

Right now we are in the process of moving to Office 365 and I was wondering if your scripting gurus can come up with something to create shared mailboxes within O365 through Adaxes, if possible.

Thanks in advance

0

"...Office 365 and I was wondering if your scripting gurus can come up with something to create shared mailboxes within O365 through Adaxes, if possible."

I second that. Have been trying to find a script that allows a Tech to create an O365 Shared Mailbox from the Home screen.

Thanks!

0

Hello,

There is a small difficulty with creating shared mailboxes in Office 365, because you cannot actually 'create' it. You need to create a regular user mailbox first, and then convert it to shared type. Another issue is that creation of user mailboxes in Office 365 is not immediate. Sometimes, it can take several minutes.

Thus, to create an Office 365 shared mailbox, we suggest the following:

i. Home Page Action
You need to create an action on the Web Interface home page that will create a regular user account in your AD. The account will contain a certain flag that indicates that an online shared mailbox needs to be created.

ii. Business Rule
You need to create a Business Rule triggered after creating a new user. If the online shared mailbox flag is set, it will create a new user in Office 365 and assign them a license with Exchange Online so that a regular user mailbox is created.

iii. Scheduled Task
You need to create a Scheduled Task that will convert a user mailbox in Office 365 to shared type provided that the mailbox has already been created and the online shared mailbox flag is set. Also, it will remove the flag so as to avoid an attempt to convert the same mailbox again.

As a flag, you can use one of Adaxes virtual properties, for example, CustomAttributeBoolean1 and set it to True. Adaxes virtual properties are not stored in Active Directory, but you can use them the same as any other property of directory objects.

To implement our suggestion:

i. Home Page Action

For information on how to create a Home Page Action described above, see section Create New Object in the Configure Home Page Actions tutorial.

To automatically set the CustomAttributeBoolean1 property to True, you need to add a predefined field for the property. For information on how to add it, see Step 4 of the Create New Object section.

ii. Business Rule
To create a Business Rule that will create an account in Office 365 and assign an Exchange Online license:

  1. Create a new Business Rule.
  2. On the 2nd step of the Create Business Rule Wizard, select User and After Creating a User.
  3. On the 3rd step, add the Activate or modify Office 365 account action.
  4. Select Activate.
  5. Enable a license with access to the Exchange Online service. For example, that can be one of the Enterprise E licenses.
  6. Click OK.
  7. Now, you need to add a condition when the script will be executed. Right-click the action that you've just added and select Add Condition.
  8. Select the If <property> <relation> <value> condition type.
  9. In the <property> drop-down list, select Show all properties and select the virtual property that you chose as a trigger for shared mailbox creation, e.g. CustomAttributeBoolean1.
  10. Select equals and True.
  11. Click OK.
  12. Finish creation of the Business Rule.

iii. Scheduled Task
To create a Scheduled Task that converts mailboxes to shared type:

  1. Create a new Scheduled Task.
  2. On the 3rd step of the Create Scheduled Task Wizard, select User.
  3. On the 4th step, add the Run a program or PowerShell script action.
  4. Add the following script from our Script Repository: http://www.adaxes.com/script-repository ... e-s160.htm.
  5. Enter a short description and click OK.
  6. Now, you need to redeem the license assigned to the user. Right-click the action and click Add New Action.
  7. Select the Activate or modify Office 365 account action.
  8. Select Deactivate and click OK.
  9. Now, you need to remove the flag. Right-click the action and click Add New Action.
  10. Select the Update the User action and click Add.
  11. In the Property to modify drop-down list, select the virtual property that you chose as a trigger for shared mailbox creation, e.g. CustomAttributeBoolean1.
  12. Select Remove property.
  13. Click OK 2 times.
  14. Now, you need to add a condition when actions will be executed. Double-click Always.
  15. Select the If <property> <relation> <value> condition type.
  16. In the <property> drop-down list, select Show all properties and select the virtual property that you chose as a trigger for shared mailbox creation, e.g. CustomAttributeBoolean1.
  17. Select equals and True.
  18. Click OK. You should receive something like this:
  19. Finish creation of the Scheduled Task.

0

Thank you for this good tutorial.
A few side questions:
1. How long does Office 365 need to create the mailbox for the user created initially, is that overall within 15 minutes or within an hour?
Has somebody had experience here?
2. What happens when the scheduled task runs but the mailbox hasn't been created in O365 yet? Will it work when the task runs again at the next schedule?
3. I can add a task "send notification email", but how can I set it to send the mail only if the task was run successfully, or with an error message if not?

Appreciate any feedback,
thanks in advance
Patrick

0

Hello Patrick,

How long does Office 365 need to create the mailbox for the user created initially, is that overall within 15 minutes or within an hour?
Has somebody had experience here?

According to our experience, creating a new mailbox in Office 365 can take from a few minutes to a few hours.

What happens when the scheduled task runs but the mailbox hasn't been created in O365 yet? Will it work when the task runs again at the next schedule?

Sorry for the confusion. The solution described previously contains a weakness. The scheduled task should have an additional condition – If the User has an Exchange mailbox. Thus, the actions in the task will be executed only when the user mailbox exists and the flag is set. If at least one condition is not met, the mailbox conversion will be postponed to the next run of the task. To add the condition:

  1. Right-click an action and then click Add Condition.
  2. Select If the User has an Exchange mailbox and then click OK.
  3. Save the changes. The task should look like the following:

I can add a task "send notification email", but how can I set it to send the mail only if the task was run successfully, or with an error message if not?

If you want to create a task to send a notification with the results of execution of another task, you should save the results in a custom attribute during the first task run and then use the attribute in the notification.

0

Great, thank you for your sharing :D
