Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
Automatic mailbox distribution is a feature in Microsoft Exchange Server 2010 that randomly selects a mailbox database to store a new or moved mailbox when you don't specify a database explicitly. This feature can be helpful when you want to allow junior administrators or help desk staff to create mailboxes without needing to know which mailbox databases mailboxes should be created on.
You can use database management scopes to control which mailbox databases can be selected by automatic mailbox distribution. When you apply database scopes to an administrator, only the databases that match the defined database scope are available to the administrator. Because automatic mailbox distribution uses the context of the current user, it's also constrained by the database scopes applied to the administrator.
For more information about automatic mailbox distribution, database scopes, and role assignments, see the following topics:
- Understanding Automatic
Mailbox Distribution
- Understanding Management
Role Scopes
- Understanding Management
Role Assignments
Looking for other management tasks related to scopes? Check out Managing Advanced Permissions.
Step 1: Create a database scope
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management scopes" entry in the Role Management Permissions topic.
Note: |
---|
You can't use the EMC to create a database scope. |
In this step, decide which databases you want to include in the database scope. Also, decide whether you want to specify a static list of databases, or whether you want to create a database filter that includes only the databases that match the criteria you specify.
Important: |
---|
Role assignments associated with database scopes are applied only to users who connect to servers running Exchange 2010 Service Pack 1 (SP1). If a user assigned a role assignment associated with a database scope connects to a release to manufacturing (RTM) version of Exchange 2010, the role assignment isn't applied to the user, and the user won't be granted any permissions provided by the role assignment. |
Use a database list scope
Use a database list if you want to define a static list of mailbox databases that should be included in this scope. Use the following syntax to create a database list scope.
Copy Code | |
---|---|
New-ManagementScope -Name <scope name> -DatabaseList <database 1>, <database 2...> |
This example creates a scope that applies only to the databases Database 1, Database 2, and Database 3.
Copy Code | |
---|---|
New-ManagementScope -Name "Accounting databases" -DatabaseList "Database 1", "Database 2", "Database 3" |
For detailed syntax and parameter information, see New-ManagementScope.
Use a database filter scope
Use a database filter if you want to create a dynamic database scope that includes only the databases that match the criteria you specify. This can be useful if you don't want to manage the database scope after it's created and you've defined standard values for your organization that can identify specific sets of mailbox databases.
For a list of filterable database properties, see Understanding Management Role Scope Filters.
Use the following syntax to create a database filter scope.
Copy Code | |
---|---|
New-ManagementScope -Name <scope name> -DatabaseRestrictionFilter <filter query> |
This example creates a scope that includes all the databases that contain the string "ACCT" in the Name property of the database.
Copy Code | |
---|---|
New-ManagementScope -Name "Accounting Databases" -DatabaseRestrictionFilter { Name -Like '*ACCT*' } |
For detailed syntax and parameter information, see New-ManagementScope.
Step 2: Add the database scope to a management role assignment
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management roles" entry in the Role Management Permissions topic.
Note: |
---|
You can't use the EMC to add the database scope to a management role assignment. |
After you create the scope, you must add it to a new or existing management role assignment. We recommend that you use management role groups to control administrative permissions, so the examples in this step use an example role group called Accounting Administrators. For more information about how to create a role group, see Create a Role Group.
After you assign the role to a role group with the database scope, the members of the role group will only be able to create mailboxes on, and move mailboxes to, the databases included in the scope.
For a list of built-in roles that you can assign to role groups, see Built-in Management Roles.
Add a new role assignment
Use this procedure if you've just created a role group and you need to add roles to it.
Use the following syntax to create a role assignment between the management role you want to assign and the new role group, with the new database scope.
Copy Code | |
---|---|
New-ManagementRoleAssignment -SecurityGroup <role group name> -Role <role name> -CustomConfigWriteScope <database scope name> |
This example creates a role assignment between the Mail Recipients and Mail Recipient Creation roles and the Accounting Administrators role group, using the Accounting Databases database scope.
Copy Code | |
---|---|
New-ManagementRoleAssignment -SecurityGroup "Accounting Administrators" -Role "Mail Recipients" -CustomConfigWriteScope "Accounting Databases" New-ManagementRoleAssignment -SecurityGroup "Accounting Administrators" -Role "Mail Recipient Creation" -CustomConfigWriteScope "Accounting Databases" |
For detailed syntax and parameter information, see New-ManagementRoleAssignment.
Modify an existing role assignment
Use this procedure if you have an existing role group that already has role assignments between it and the roles you want to apply the new database scope to.
This procedure uses pipelining. For more information, see Pipelining.
Use the following syntax to modify a role assignment between the management role that you want to apply the database scope to, and an existing role group.
Copy Code | |
---|---|
Get-ManagementRoleAssignment -RoleAssignee <role group name> -Role <role name> | Set-ManagementRoleAssignment -CustomConfigWriteScope <database scope name> |
This example adds the Accounting Databases database scope to the Mail Recipients and Mail Recipient Creation roles assigned to the Accounting Administrators role group.
Copy Code | |
---|---|
Get-ManagementRoleAssignment -RoleAssignee "Accounting Administrators" -Role "Mail Recipients" | Set-ManagementRoleAssignment -CustomConfigWriteScope "Accounting Databases" Get-ManagementRoleAssignment -RoleAssignee "Accounting Administrators" -Role "Mail Recipient Creation" | Set-ManagementRoleAssignment -CustomConfigWriteScope "Accounting Databases" |
For detailed syntax and parameter information, see Get-ManagementRoleAssignment or Set-ManagementRoleAssignment.
Step 3: Add members to a role group (if applicable)
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management roles" entry in the Role Management Permissions topic.
Note: |
---|
You can't use the EMC to add members to a role group. |
If you want to add members to a role group, see Add Members to a Role Group.
Important: |
---|
If you add members to this role group to restrict what databases they can create users on, or move mailboxes to, make sure they aren't members of other role groups that could grant extra permissions. |
Step 4: Remove members from a role group (if applicable)
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Management roles" entry in the Role Management Permissions topic.
Note: |
---|
You can't use the EMC to remove members from a role group. |
If you've added members to a new role group that restricts what databases they can create mailbox on, or move mailboxes to, and they're members of another role group that has additional permissions, remove them from the old role group. For more information, see Remove Members from a Role Group.