A common task in an Exchange environment is setting up shared mailboxes for multiple users to access. A specific “shared mailbox” recipient type was introduced with Exchange 2007 and continues through to Exchange 2013. A notable feature of the shared mailbox is that the associated AD account is disabled. This is unlike a traditional mailbox that was set up as an active user (with a password that had to be maintained) and then shared. Users who need to access the mailbox are granted the appropriate rights on the mailbox object, so the AD account itself is essentially irrelevant (and, being disabled, cannot be used to log on).
I wrote this script to create a shared mailbox for AD accounts that had been previously created by our account management team. These poor buggers use a tool written by a Unix guy in the early 00s … yes, creating accounts for the AD domain. It has awesome “features” like being able to create identical email addresses and nest groups into themselves. But I digress. We follow typical Microsoft best practice and assign access to the mailbox by way of a domain group.
The most typical use case is that specified users require full access to the mailbox, and should be able to “Send As” that mailbox. The mailbox access group is also already created by our accounts team. If it’s an ad hoc request and the group does not already exist, I generally find it’s quicker to create the group in ADUC and create the mailbox via the script.
If you received the group membership information in a nicely-formatted way (we don’t), then scripting that too would be better.
This script is not rocket science, but it essentially fills a gap and eliminates manual handling on our side. It’s not much, but when you run into hundreds of account creations over the course of time, it adds up. The script assumes that:
- the AD account to be associated with the mailbox has been created, and we have its sAMAccountName
- the AD account’s First Name, Last Name and/or Display Name fields are populated, and you have an Exchange address policy that will create addresses of the correct format for your organisation
- a domain group has been created to be granted the Send As and Full Access rights to the mailbox, and is named with the format FASA_[MBXName]
- user accounts that require access to the mailbox have been added to the FASA group (this can actually be done at any time)
Of course, the biggest assumption is that most of this wouldn’t be necessary if the tool the accounts team uses worked properly!
The script assumes that you are working in an Exchange PowerShell environment (e.g. the EMS) and have the appropriate rights to create new mailboxes in the Exchange org, and that your working directory is where the script is located.

To execute the script, run the following in the Exchange PS console:

```
.\bus-mbx.ps1 -mbx [MBX_NAME] -db [EX-MBX-01]
```
That is, run the script bus-mbx.ps1, specifying the mailbox name (the AD account name) and the destination Exchange database. If you only have one Exchange database, the database doesn’t need to be specified (and the parameter should be removed from the script).
The script will then carry out the following tasks:
- disable the AD account (must be done for the Shared mailbox type)
- create the mailbox in the specified database as type “Shared”
- grant the associated FASA group “Full access” and “Send As” permissions
The script itself is very short and sweet.
```powershell
param (
    [string]$mbx = $(throw "-mbx is required for mailbox name."),
    [string]$db  = $(throw "-db is required for destination DB.")
)

Import-Module ActiveDirectory

# Disable existing AD account for shared MBX creation
Disable-ADAccount $mbx

# Enable the mailbox as type "Shared" in the requested database
Enable-Mailbox $mbx -Database $db -Shared

# Grant the FASA_<mbx> group Full Access and Send As on the new mailbox
Add-MailboxPermission -Identity $mbx -User FASA_$mbx -AccessRights 'FullAccess'
Add-ADPermission $mbx -User FASA_$mbx -ExtendedRights "Send As"
```
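Because the script hands a mailbox to whatever group happens to be called FASA_[MBXName], it is worth checking the inputs before touching anything and confirming the result afterwards. The following is an added example, not the original bus-mbx.ps1: it wraps the same four steps with pre-flight checks (account, group and database exist, no mailbox yet) and a post-creation verification that the account is disabled, the recipient type is SharedMailbox, and the FASA group holds the two rights. It assumes the same EMS session with the ActiveDirectory module available.

```powershell
param (
    [Parameter(Mandatory = $true)][string]$mbx,
    [Parameter(Mandatory = $true)][string]$db
)
Import-Module ActiveDirectory

$group = "FASA_$mbx"   # naming convention from the post; assumed to exist

# Pre-flight: fail before any change is made if an assumption does not hold
$null = Get-ADUser -Identity $mbx -ErrorAction Stop
if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$group'")) {
    throw "Access group $group does not exist; create it first."
}
if (Get-Mailbox -Identity $mbx -ErrorAction SilentlyContinue) {
    throw "$mbx already has a mailbox; refusing to re-provision."
}
if (-not (Get-MailboxDatabase -Identity $db -ErrorAction SilentlyContinue)) {
    throw "Mailbox database $db was not found."
}

# Same steps as bus-mbx.ps1
Disable-ADAccount -Identity $mbx
Enable-Mailbox -Identity $mbx -Database $db -Shared
Add-MailboxPermission -Identity $mbx -User $group -AccessRights FullAccess
Add-ADPermission -Identity $mbx -User $group -ExtendedRights "Send As"

# Post-creation verification: report anything that did not end up as intended
$problems = @()
if ((Get-ADUser -Identity $mbx).Enabled) {
    $problems += "AD account $mbx is still enabled"
}
$m = Get-Mailbox -Identity $mbx
if ($m.RecipientTypeDetails -ne 'SharedMailbox') {
    $problems += "Recipient type is $($m.RecipientTypeDetails), not SharedMailbox"
}
$fa = Get-MailboxPermission -Identity $mbx |
      Where-Object { $_.User -like "*\$group" -and $_.AccessRights -contains 'FullAccess' }
if (-not $fa) { $problems += "$group does not hold FullAccess on $mbx" }
$sa = Get-ADPermission -Identity $mbx |
      Where-Object { $_.User -like "*\$group" -and $_.ExtendedRights -like '*Send-As*' }
if (-not $sa) { $problems += "$group does not hold Send As on $mbx" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output "Shared mailbox $mbx created in $db and delegated to $group" }
```

The verification block is also useful on its own for auditing existing shared mailboxes, since an enabled AD account on a shared mailbox or an unexpected principal in Get-MailboxPermission is exactly what you want to catch.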