0 votes

Can you assist with a script to create non-user mailboxes, such as Resource Mailboxes or Shared Mailboxes?

by (350 points)
0

Michael,

Our script guy is already working on the required scripts. I'll update this topic as soon as he comes up with something.

1 Answer

0 votes
by (216k points)

Hello Michael,

Find the required scripts below.

Note that Resource Mailboxes and Shared Mailboxes are also represented as disabled user accounts in Active Directory. So, if you want to create Resource and Shared Mailboxes with Adaxes, you can create a customized Create User Home Page Actions for your Adaxes Web Interface. In those Home Page actions you can set a certain property of that user account to a certain predefined value. Then, you can create a Business Rule that will be triggered After Creating a User and check the value of the property that you chose, and if it equals to the predefined value, launch the required script that will create a user or resource mailbox. For this purpose you can use one of the Adaxes virtual properties, for example, CustomAttributeText1. Adaxes virtual properties are not stored in Active Directory, but you may use them as any other property of directory objects.

To create such a Home Page Action:

  1. On the computer, where your Web Interface is installed, start the Web Interface Customization tool.
  2. In the Interface type drop-down list, select the Web Interface you want to configure.
  3. Activate the General tab, select the Actions pane option, and click Configure Home Page Actions.
  4. In the dialog box that appears, click Add...
  5. On the 1st step of the Add Home Page Action wizard that appears, select Create and choose User from the associated drop-down list.
  6. On the 4th step of the wizard, click Add in the Predefined Fields section.
  7. In the Add Default Property Value dialog box that appears, select Show all properties and choose an Adaxes virtual property in the Property name field, for example, CustomAttributeText1.
  8. Type the text that will trigger execution of the script in your Business Rule (for example, Create Resource Mailbox or Create Shared Mailbox) and then click OK.
  9. Also, you may want to use a different form for creating resource and shared mailboxes than the one that you use for creating normal users. See Step 4 in the Create New Object section of the Configure Home Page Actions Tutorial for instructions on how to do this.

To create the Business Rule that will create the mailboxes:

  1. Create a new Business Rule.
  2. On the 2nd step of the Create Business Rule wizard, select After Creating a User.
  3. On the 3rd step, add the Run a program or PowerShell script and paste the required script. For scripts, see Provision shared and room mailboxes in our Script Repository.
  4. Type a short description for the script and click OK.
  5. Click the Add Action button.
  6. In the dialog box that appears, select the Update User action and click Add...
  7. Open the drop-down list of the Property to modify field and select Show all properties.
  8. Select the property that serves as the trigger for the script and that you chose on the 7th step of creating the Home Page Action.
  9. Switch the radio button to Remove property.
  10. Click OK. This will remove the property as we no longer need it.
  11. Click the Add Condition button.
  12. In the dialog box that appears, select the If <property> <relation> <value> condition.
  13. In the <property> drop-down list, select Show all properties and select the virtual property that you chose as the trigger for the script and that you chose on the 7th step of creating the Home Page Action.
  14. Select equals and type the trigger text that you typed on the 8th step of creating the Home Page Action.
0

I received the following error when attemtping to execute the Shared Mailbox script

'Create Shared Mailbox': Run PowerShell script 'Create Shared Mailbox' for the user

Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found. Possible causes are: -The user name or password specified are invalid. -Kerberos is used when no authentication method and no user name are specified. -Kerberos accepts domain user names, but not local user names. -The Service Principal Name (SPN) for the remote computer name and port does not exist. -The client and remote computers are in different domains and there is no trust between the two domains. After checking for the above issues, try the following: -Check the Event Viewer for events related to authentication. -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated. -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic. <output truncated>

'Create Shared Mailbox': Modify the user: clear adm-CustomAttributeText5

0

I updated $exchangeServer = "ExchangeServer.domain.com" to reflect the actual server name. Now I'm recieving the following error.

'Create Shared Mailbox': Run PowerShell script 'Create Shared Mailbox' for the user

The operation couldn't be performed because object 'stltestsharedmb@mydomain.local' couldn't be found on 'DC1.mydomain.local'. The operation couldn't be performed because object 'stltestsharedmb@mydomain.local' couldn't be found on 'DC1.mydomain.local'. Cannot bind argument to parameter 'Identity' because it is null. The term 'Add-ADPermission' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. Cannot bind argument to parameter 'Identity' because it is null. The term 'Add-ADPermission' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

0

Michael,

There are two issues that cause the errors that you posted.

The operation couldn't be performed because object 'stltestsharedmb@mydomain.local' couldn't be found on 'DC1.mydomain.local' error occurs because your Exchange Server works on a domain controller other than the one, where Adaxes creates the new user account. There is not enough time between user creation and the time when Adaxes launches the script for replication to occur between the domain controllers. The same issue also causes the Cannot bind argument to parameter 'Identity' because it is null error. This requires modified scripts. I've updated the scripts in Need to create non-user mailboxes above.

Another issue is that the account of Adaxes default service administrator is not allowed to add permissions in Exchange, which causes the The term 'Add-ADPermission' is not recognized as the name of a cmdlet, function, script file, or operable program error to appear. You will need to grant Adaxes default service administrator sufficient privileges in Exchange to be able to use the scripts. By default, members of the Organization Management role group have sufficient privileges.

0

Thanks for your help! The updated script seems to be working. Is there a way to make it prompt for which users need to have Full Access and Send As permissions? I'm now getting this error:

User or group "user1" wasn't found. Please make sure you've typed it correctly. User or group "user1" wasn't found. Please make sure you've typed it correctly. User or group "user2" wasn't found. Please make sure you've typed it correctly. User or group "user2" wasn't found. Please make sure you've typed it correctly.

0

Hello Michael,

You need to specify the users whom you grant the Full Access and Send As permissions in the $usersIdentity variable in the script. The format is $usersIdentity = @("user1", "user2"), where user1 and user2 specify the users whom you grant the permissions. You can specify a user by his SamAccountName, SID, GUID or DN. You may specify as many users as you need. Each user should be in double quotes and separated by a comma.

0

I understand that the script can be modified each time it's run with the users that need access, but in the case that a Help Desk person is creating the shared mailbox from the web interface this won't work. There would need to be a way to input which users need Full Access & Send As permissions from the web portal. In this case there will not be any access to the BR to modify the script.

0

Michael,

There is a workaround for that, but it's a bit clumsy. The thing is that we can modify the script and the Home Page Action so that it will be possible to specify users who will be granted the permissions, but your Help Desk persons will have to input them manually, that is they will not be able to click a button, then locate and a user. They will have to manually specify the users by typing/pasting their SamAccountNames, SIDs, GUIDs or DNs. If this option is OK with you, then we can modify the script and the Home Page Action to your requirements.

0

I think that would be acceptable. Thank you for your assistance!

0

Michael,

OK, I gave our script guy the task to modify the script.

0

Hello Michael,

Find the modified script below. It uses the CustomAttributeText2 Adaxes virtual property of the newly created user account to specify users who will be granted the Send As and Full Access permissions to the mailbox.

To be able to use the script, you need to slightly modify the Home Page Action that you configured for creating Shared Mailboxes. In this action, you need to add the CustomAttributeText2 property to the form used for Shared Mailbox creation. Using this property users will be able to specify a list of users who will be granted the Send As and Full Access permissions to the mailbox. Each user should be specified by entering his/her SamAccountName. The users in the list should be separated by commas. For example:
user1,user2,user3

The modified script will read the list of users stored in this property and grant the permissions. To modify the Home Page Action:

  1. On the computer, where your Web Interface is installed, start the Web Interface Customization tool.
  2. In the Interface type drop-down list, select the Web Interface you want to configure.
  3. Activate the General tab and click Configure Home Page Actions.
  4. Double-click the Home Page Action that you configured for creating Shared Mailboxes.
  5. Activate the Form Customization tab and switch the radio button to Use customized form.
  6. Click Customize Form...
  7. Select the section that you would like to add the property to and then click Add... in the Section fields section.
  8. In the dialog that appears, select Show all properties.
  9. Select CustomAttributeText2.
  10. Click OK four times.

As a name like CustomAttributeText2 will not tell much to your users about the function of this field, you can give this field your own name as described in Customizing Display Names for AD Properties.

When done with the Home Page Action, you need to update the Business Rule that is used for creating Shared Mailboxes with the new script:

  1. Launch Adaxes Administration Console.

  2. Open your Business Rule that is used for creating Shared Mailboxes.

  3. Double-click the Run a program or PowerShell script action that launches the script for creating Shared Mailboxes.

  4. Replace the existing script with the following one:

     $exchangeServer = "exchangeserver.domain.com" # TODO: Modify me
    
     try
     {
         $usersIdentity = ($Context.TargetObject.Get("adm-CustomAttributeText2")).Split(',')
     }
     catch
     {
         $Context.LogMessage("No users to grant the 'Send As' and 'Full Access' permissions to", "Error") # TODO: modify me
         $usersIdentity = $NULL
     }
    
     # Disable the Target User
     $targetUser = $Context.BindToObject($Context.TargetObject.AdsPath)
     $targetUser.AccountDisabled = $True
     $targetUser.SetInfo()
    
     $domainName = $Context.GetObjectDomain("%distinguishedName%")
     $rootDSE = $Context.BindToObject("Adaxes://$domainName/rootDSE")
     $domainControllerFQDN = $rootDSE.Get("dnsHostName")
    
     $session = new-pssession -connectionURI "http://$exchangeServer/powershell" -ConfigurationName Microsoft.Exchange
     Import-PSSession -session $session
    
     Enable-Mailbox -Identity '%userPrincipalName%' -DomainController $domainControllerFQDN -Shared
    
     $sharedMailBox = Get-MailBox -Identity '%userPrincipalName%' -DomainController $domainControllerFQDN | Select-Object DistinguishedName
     if ($usersIdentity -ne $NULL)
     {
         foreach ($userIdentity in $usersIdentity)
             {
                 Add-MailboxPermission -Identity $sharedMailBox.DistinguishedName -User $userIdentity.Trim() -DomainController $domainControllerFQDN `
                     -AccessRight FullAccess -InheritanceType All
                 Add-ADPermission -Identity $sharedMailBox.DistinguishedName -User $userIdentity.Trim() -DomainController $domainControllerFQDN `
                     -Extendedrights "Send As"
             }
     }
     Remove-PSSession -Session $session
    
0

This is the error being returned now.

Run PowerShell script 'Create Shared Mailbox' for the user

This task does not support recipients of this type. The specified recipient mydomain.local/Adaxes/USA-Dallas/SharedMBDallas is of type UserMailbox. Please make sure that this recipient matches the required recipient type for this task. The term 'Add-ADPermission' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

The script does create the mailbox with a disabled user account as it should, but when I pull up the mailbox details in EMS it shows as a user mailbox and not a shared mailbox (get-mailbox sharedmbdallas | fl)

RecipientType : UserMailbox
RecipientTypeDetails : UserMailbox

0

I cleared the error "The term 'Add-ADPermission' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again." by replacing

$session = new-pssession -connectionURI "http://$exchangeServer/powershell" -ConfigurationName Microsoft.Exchange
Import-PSSession -session $session

with

add-pssnapin Microsoft.Exchange.Management.PowerShell.E2010

However I'm still receiving the following error message:

'Create Shared Mailbox': Run PowerShell script 'Create Shared Mailbox' for the user

This task does not support recipients of this type. The specified recipient mydomaint.local/Adaxes/USA-Dallas/dallassharetest is of type UserMailbox. Please make sure that this recipient matches the required recipient type for this task.

The script does create the mailbox with a disabled user account as it should, but when I pull up the mailbox details in EMS it shows as a user mailbox and not a shared mailbox (get-mailbox dallassharetest | fl)

RecipientType : UserMailbox
RecipientTypeDetails : UserMailbox

The Full Access & Send As Permissions are getting aplied properly.

0

Hello Michael,

The most probable reason for the error to appear is that, when the script tries to create a Shared Mailbox for the user, the user already has an Exchange mailbox. Probably, you have some other Business Rules or actions that create a mailbox for the user before the script launches.

To check this, try to create another Shared Mailbox and have a look at the Execution Log of the operation to see, which Business Rules were triggered and which actions were performed.

0

You were correct. I have both the Shared Mailbox and Resource Mailbox scripts working now. Thank you!

0

Hi,

I understand that the script can be modified each time it's run with the users that need access, but in the case that a Help Desk person is creating the shared mailbox from the web interface this won't work. There would need to be a way to input which users need Full Access & Send As permissions from the web portal. In this case there will not be any access to the BR to modify the script.

You might think of adding a security group to AD that is managed via Adaxes in addition to the shared mailbox itself. Attach a business rule "after modify group" to that group which runs a script that will sync the group members to the shared mailbox permissions and access rights.
Permissions and access rights of the shared mailbox can then be managed by Help Desk staff via the AD group.

I think the drawback of an additional group in AD is worth the improvment in help desk's all day business. And, you can even put the member change task into the Self Service Portal so that users can register themselves for the shared mailbox (perhaps add approval to the business rule in that case).

Hope, this is of any help. (Maybe the Adaxes scripting guys can provide a detailed HowTo?)

Greetings

Edit:

Here is, what I implemented so far (most parts can be found in this forum - thanks for such a good source of great ideas by the way).
Please be lenient as I am not an experienced PowerShell programmer...

Script CreateSharedMailbox
Will be run by a business rule after creating a user (the shared mailbox) in a certain LDAP-Context.
I mainly wanted to manage the rights for the calendar of that mailbox. You might change the approriate parts of the scripts to change this.

The logical connection between the shared mailbox and the AD group to manage permissions on the shared mailbox is done via the CN of the shared calendar which has to be identical to the CN of the group. Therefore the shared mailbox and the group have to reside in different OUs. If this is a problem, you might use some CustomAttribute to interconnect the both objects.

Import-Module ActiveDirectory

$domainControllerFQDN = "ADserver.your.dom" # TODO: modify me 
$exchangeServer = "mailserver.your.dom"  # TODO: modify me
$database = "Mailbox Database NAME" # TODO: modify me

#Destination for the AD group that manages the permission holders
$GroupDN="OU=...,OU=...,DC=...,DC=..." # TODO: modify me  

$usersIdentity = @("%manager%") # TODO: you may add static calendar managers as additional array items

$MBoxAlias=%cn%
$MBoxFolderName=$MboxAlias + ":\Calendar"

$targetUser = $Context.BindToObject($Context.TargetObject.AdsPath)
$targetUser.AccountDisabled = $True
$targetUser.SetInfo()

$Context.LogMessage("Enable Mailbox: %userPrincipalName%", "Information")

$session = new-pssession -connectionURI "http://$exchangeServer/powershell" -ConfigurationName Microsoft.Exchange
Import-PSSession -session $session

Enable-Mailbox -Identity '%userPrincipalName%' -Shared -Database $database -Alias $MBoxAlias

$sharedMailBox = Get-MailBox -Identity '%userPrincipalName%' -DomainController $domainControllerFQDN | Select-Object DistinguishedName

Set-CASMailbox -Identity $MBoxAlias -ActiveSyncEnabled $false -ImapEnabled $false -PopEnabled $false -OWAEnabled $false # TODO: modify me to your needs
Set-CalendarProcessing -Identity $MBoxAlias -RemoveOldMeetingMessages $false # TODO: modify me to your needs

# Manager of the group and static added members get FullAccessRights to the mailbox  and 'Owner' permission on the calendar
foreach($userIdentity in $usersIdentity)
{
    Add-MailboxFolderPermission -Identity $MBoxFolderName -User '%adm-ManagerEmail%' -AccessRights Owner
    Add-MailboxPermission -Identity $MBoxAlias  -User $userIdentity -AccessRights 'FullAccess'
}
Remove-PSSession -Session $session

# Create a group to manage permissions for the shared calendar via Adaxes
New-ADGroup -Server $domainControllerFQDN "$MBoxAlias" -SamAccountName "$MBoxAlias" -GroupCategory Security -GroupScope DomainLocal -DisplayName "$MBoxAlias" -Path "$GroupDN" -Description "Members get access to shared Calendar $MBoxAlias" -ManagedBy "%manager%" -Confirm:$False

Script SyncCalendarRights
Implemented as a custom command.
Will be run by a business rule after adding/removing members to/from the group created by the script above. Can also be run manually on the corresponding AD group that manages the permissions of a shared calendar.

Import-Module Adaxes

[array] $Group
[array] $Box
[array] $Remove
[array] $Add

$domainControllerFQDN = "ADserver.your.dom" # TODO: Modify me
$exchangeServer = "mailserver.your.dom" # TODO: Modify me

$MBoxName='%fullname%' 
$MBoxAlias=$MBoxName
$MBoxFolderName=$MboxAlias + ":\Calendar"

$mgrObj=$Context.BindToObjectByDN("%managedBy%") 
$Manager=$mgrObj.Get("cn")

$targetGrp = $Context.BindToObject($Context.TargetObject.AdsPath)
# catch error in case of no members in that group
try {
    $Members=$targetGrp.GetEx("member")    
    foreach ($MemberDN in $Members){
       $Member = $Context.BindToObjectByDN($MemberDN)  
       $Group += ,($Member.Get("cn"))
    }
}
catch {
    # do nothing special because $Group stays empty which should work
}

$session = new-pssession -connectionURI "http://$exchangeServer/powershell" -ConfigurationName Microsoft.Exchange
Import-PSSession -session $session

#Get currently assigend rights of the shared mailbox
$Rights=Get-MailboxFolderPermission -Identity $MBoxFolderName -DomainController $domainControllerFQDN | Select User

foreach ($Right in $Rights){
    $Box += ,$Right.User
}

foreach ($Has in $Box){
    #Skip the users 'Default' and 'Anonymous' and preserve the manager's permissions in the calendar by never putting manager to $Remove
    if (($Has -ne "Default") -and ($Has -ne "Anonymous") -and ($Has -ne $Manager)){    
            if ($Group -notcontains $Has){
                $Remove += ,$Has
            }    
    }     
}

foreach ($Should in $Group){
       if ($Box -notcontains $Should){
           $Add += ,$Should
       }
}
# Ensure to have owner permissions for the manager
if ($Box -notcontains $Manager){
   $context.LogMessage("Add owner permissions for $Manager", "Information") 
   Add-MailboxFolderPermission -Identity $MBoxFolderName -User "$Manager" -DomainController $domainControllerFQDN -AccessRights Owner
}
foreach ($A in $Add){
    if ($A){
        $context.LogMessage("Add rights for $A", "Information")
        Add-MailboxFolderPermission -Identity $MBoxFolderName -User "$A" -DomainController $domainControllerFQDN -AccessRights Editor # TODO: Modify me to the wanted rights     
    }
}

foreach ($Rem in $Remove){
    if ($Rem){
        $context.LogMessage("Remove rights for $Rem", "Information")
        Remove-MailboxFolderPermission -Identity $MBoxFolderName -User "$Rem" -DomainController $domainControllerFQDN -Confirm:$False     
    }
}

Remove-PSSession -Session $session

Attention: Changes in permissions via outlook wil be dropped by this script because in my usecase the AD group is defined to be the leading object.

0

Hello,

Thank you very much for your contribution, we really appreciate it.

If you want, we can help you with implementing the solution that you suggested.

0

I'm attempting to move the orginal script provided by support previously in this post to our production environment. Although it worked well in the test lab evnironment I'm now receiving the error below in production. I've attempted inserting Start-Sleep commands in a couple spots in the script but that seems to cause other issues. Do you have any recommendations on how this can be rectified?

The operation couldn't be performed because object 'testresourcemb@mydomain.com' couldn't be found on 'DC5.mydomain.com'. The operation couldn't be performed because object 'testresourcemb@mydomain.com' couldn't be found on 'DC5.mydomain.com'. Cannot bind argument to parameter 'Identity' because it is null.

0

Hello Michael,

Can you send the version of the script that you are currently using to our support email (adaxes[at]softerra.com) so that we can get around with the issue?

0

I sent the script to the address. It is the same script that Supported originally posted in this thread.

0

Hello,

Well, it is not exactly the script that we posted in this topic, actually. It is the above script to create resource mailboxes extended with the functionality to specify resource mailbox delegates.

The first issue with your version of the script is that you set the resource mailbox delegates one-by-one in a foreach loop. This shouldn't be done like this. All resource mailbox delegates should be set in a one-time operation, otherwise each new delegate will just replace the existing delegate. We've modified the script to set resource mailbox delegates in a one-time operation.

Also, we've modified the script to pass the Distinguished Name (DN) of the user account for the resource mailbox instead of its SAM Account Name when invoking Exchange management cmdlets. This should resolve the issue.

try
{
    $usersIdentity = ($Context.TargetObject.Get("adm-CustomAttributeText8")).Split(',')
}
catch
{
    $Context.LogMessage("No users to grant Delegates permissions to", "Error") # TODO: modify me
    $usersIdentity = $NULL
}

# Disable the Target User
$targetUser = $Context.BindToObject($Context.TargetObject.AdsPath)
$targetUser.AccountDisabled = $True
$targetUser.SetInfo()

$domainName = $Context.GetObjectDomain("%distinguishedName%")
$rootDSE = $Context.BindToObject("Adaxes://$domainName/rootDSE")
$domainControllerFQDN = $rootDSE.Get("dnsHostName")

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010

Enable-Mailbox -Identity '%distinguishedName%' -DomainController $domainControllerFQDN -Room

if ($usersIdentity -ne $NULL)
{
    $resourceDelegates = @()
    foreach ($userIdentity in $usersIdentity)
    {
        $resourceDelegates += Get-MailBox -Identity $userIdentity.Trim()
    }

    Set-CalendarProcessing -Identity '%distinguishedName%' -ResourceDelegates $resourceDelegates -DomainController $domainControllerFQDN
}

If this doesn't help, try to revert to PowerShell remoting as this is done in the original script posted in this topic instead of just loading the Exchange management PowerShell snapin.

0

I'm still receiving the following error message.

Load balancing failed to find a valid mailbox database. The operation couldn't be performed because object 'mydomain.com/Corp/Service Accounts/adaxes resource mb2' couldn't be found on 'DC5.mydomain.com'.

0

Hello,

The most probable reason for such an error is that all mailbox storage databases that are available in your Exchange organization are not considered by the provisioning load balancer. A mailbox storage database is not considered by the provisioning load balancer if it has its IsExcludedFromProvisioning parameter set to true. If the IsExcludedFromProvisioning parameter is enabled for a mailbox database, new mailboxes aren't added automatically to this database, and the provisioning balancer ignores it.

We can suggest two options how you can remedy the issue. The first one is to enable some or all of your mailbox storage databases for automatic mailbox creation by setting their IsExcludedFromProvisioning parameter to false. To do this, you need to execute the following command in the Exchange Management Shell:
Set-MailboxDatabase -Identity "Mailbox Database Name" -IsExcludedFromProvisioning $false
where Mailbox Database Name is the name of the storage database that you want to be considered by the provisioning load balancer.

Another option is to use a modified version of the script, in which the mailbox storage database is specified explicitly. Here's the modified version of the script:

$dataBaseName = "db01" #TODO: modify me

try
{
    $usersIdentity = ($Context.TargetObject.Get("adm-CustomAttributeText8")).Split(',')
}
catch
{
    $Context.LogMessage("No users to grant Delegates permissions to", "Error") # TODO: modify me
    $usersIdentity = $NULL
}

# Disable the Target User
$targetUser = $Context.BindToObject($Context.TargetObject.AdsPath)
$targetUser.AccountDisabled = $True
$targetUser.SetInfo()

$domainName = $Context.GetObjectDomain("%distinguishedName%")
$rootDSE = $Context.BindToObject("Adaxes://$domainName/rootDSE")
$domainControllerFQDN = $rootDSE.Get("dnsHostName")

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010

Enable-Mailbox -Identity '%distinguishedName%' -DomainController $domainControllerFQDN -Database $dataBaseName -Room

if ($usersIdentity -ne $NULL)
{
    $resourceDelegates = @()
    foreach ($userIdentity in $usersIdentity)
    {
        $resourceDelegates += Get-MailBox -Identity $userIdentity.Trim()
    }

    Set-CalendarProcessing -Identity '%distinguishedName%' -ResourceDelegates $resourceDelegates -DomainController $domainControllerFQDN
}

In the script, $dataBaseName specifies the mailbox storage database to be used for creating resource mailboxes.

0

The IsExcludedFromProvisioning is set to false on all Databases, so that is not the issue. We need the mailbox creation to be distributed, preferable to the Database that contains the least amount of mailboxes. Do you have any other ideas or suggestions how we can rectify the error message?

0

Hello,

What Exchange service Pack are you running?

Also, to help us troubleshoot the issue, can you create a new resource mailbox from your Exchange Management Console without specifying a specific mailbox storage database? To do this:

  1. Launch Exchange Management Console.
  2. Create a new room mailbox.
  3. On the 4th step of the New Mailbox wizard, unselect the Specify a mailbox database rather than using a database automatically selected option.
  4. Finish the New Mailbox wizard.

Is the new resource mailbox created successfully?

0

We are running Exchange 2010 SP2 and, yes I can successfully create a resource mailbox (and any other type of MB) from EMC & EMS without specifying the database.

0

OK, our QA team will be further investigating the issue. I'll update this topic as soon as they come up with something.

0

Hello,

Here's the version of the script that uses PowerShell Remoting instead of simply loading the Exchange management snapin. This should remedy the issue.

$exchangeServer = "exchangeServer.domain.com" # TODO: Modify me

try
{
    $usersIdentity = ($Context.TargetObject.Get("adm-CustomAttributeText8")).Split(',')
}
catch
{
    $Context.LogMessage("No users to grant Delegates permissions to", "Error") # TODO: modify me
    $usersIdentity = $NULL
}

# Disable the Target User
$targetUser = $Context.BindToObject($Context.TargetObject.AdsPath)
$targetUser.AccountDisabled = $True
$targetUser.SetInfo()

$domainName = $Context.GetObjectDomain("%distinguishedName%")
$rootDSE = $Context.BindToObject("Adaxes://$domainName/rootDSE")
$domainControllerFQDN = $rootDSE.Get("dnsHostName")

$session = new-pssession -connectionURI "http://$exchangeServer/powershell" -ConfigurationName Microsoft.Exchange
Import-PSSession -session $session

Enable-Mailbox -Identity '%distinguishedName%' -DomainController $domainControllerFQDN -Room

if ($usersIdentity -ne $NULL)
{
    $resourceDelegates = @()
    foreach ($userIdentity in $usersIdentity)
    {
        $resourceDelegates += Get-MailBox -Identity $userIdentity.Trim()
    }

    Set-CalendarProcessing -Identity '%distinguishedName%' -ResourceDelegates $resourceDelegates -DomainController $domainControllerFQDN
}
Remove-PSSession -Session $session
0

Still receiving the following error message.

The operation couldn't be performed because object 'mydomain.com/Adaxes/adaxes resource mb3' couldn't be found on 'DC5.mydomain.com'. Cannot process argument transformation on parameter 'ResourceDelegates'. Cannot convert value "System.Collections.ArrayList" to type "Microsoft.Exchange.Configuration.Tasks.RecipientIdParameter[]". Error: "Cannot convert the "adaxes testuser2" value of type "Deserialized.Microsoft.Exchange.Data.Directory.Management.Mailbox" to type "Microsoft.Exchange.Configuration.Tasks.RecipientIdParameter"."

0

Hello,

To help us troubleshoot the issue, can you answer, is DC5.mydomain.com a global catalog?

0

It is a global catalog. I ended up getting past the previous error message with some slight script modification and by inserting a Start-Sleep command to deley the script by 60 seconds. Now the resource mailbox is getting created successfully, however I am still receiving the following error and resource delegates fail to get assigned.

Cannot open mailbox /o=my org/ou=Exchange Administrative Group (FYDIB0LF23SPDLT)/cn=Configuration/cn=Servers/cn=MBX1/cn=Microsoft System Attendant.

Here is an updated copy of my script:

$exchangeServer = "myexchangeserver.com" # TODO: Modify me

try
{
    $usersIdentity = ($Context.TargetObject.Get("adm-CustomAttributeText8")).Split(',')
}
catch
{
    $Context.LogMessage("No users to grant Delegates permissions to", "Error") # TODO: modify me
    $usersIdentity = $NULL
}

# Disable the Target User
$targetUser = $Context.BindToObject($Context.TargetObject.AdsPath)
$targetUser.AccountDisabled = $True
$targetUser.SetInfo()

$domainName = $Context.GetObjectDomain("%distinguishedName%")
$rootDSE = $Context.BindToObject("Adaxes://$domainName/rootDSE")
$domainControllerFQDN = $rootDSE.Get("dnsHostName")

$session = new-pssession -connectionURI "http://$exchangeServer/powershell" -ConfigurationName Microsoft.Exchange
Import-PSSession -session $session

Start-Sleep -s 60

Enable-Mailbox -Identity '%userPrincipalName%' -DomainController $domainControllerFQDN -Room

$resourceMailBox = Get-MailBox -Identity '%userPrincipalName%' -DomainController $domainControllerFQDN | Select-Object DistinguishedName
if ($usersIdentity -ne $NULL)
{
   foreach ($userIdentity in $usersIdentity)
    { 
        Set-CalendarProcessing -Identity $resourceMailBox.DistinguishedName -ResourceDelegates $usersIdentity -DomainController $domainControllerFQDN
    }
}
Remove-PSSession -Session $session
0

Hello,

The error The operation couldn't be performed because object 'mydomain.com/Adaxes/adaxes resource mb3' couldn't be found on 'DC5.mydomain.com'. is caused by delays in replication, and inserting Start-Sleep commands that give some time for replication to complete is a good choice in this case. However the time interval that you chose, 60 seconds, is, probably, too much. We reduced it to 10 seconds, which should be quite enough.

The error Cannot open mailbox /o=my org/ou=Exchange Administrative Group (FYDIB0LF23SPDLT)/cn=Configuration/cn=Servers/cn=MBX1/cn=Microsoft System Attendant. is also caused by replication. The thing is that the Set-CalendarProcessing cmdlet uses the nearest available DC to write information to Active Directory, and that specific DC may not have enough time to replicate information that a mailbox has already been created for the user.To remedy the issue, we inserted one more Start-Sleep command before calling this cmdlet.

If any of these errors still persist, try increasing the time intervals for the Start-Sleep commands.

Here's our modified version of the script:

$exchangeServer = "ExchangeServer.com" # TODO: Modify me

try
{
    $usersIdentity = ($Context.TargetObject.Get("adm-CustomAttributeText8")).Split(',')
}
catch
{
    $Context.LogMessage("No users to grant Delegates permissions to", "Error") # TODO: modify me
    $usersIdentity = $NULL
}

# Disable the Target User
$targetUser = $Context.BindToObject($Context.TargetObject.AdsPath)
$targetUser.AccountDisabled = $True
$targetUser.SetInfo()

$domainName = $Context.GetObjectDomain("%distinguishedName%")
$rootDSE = $Context.BindToObject("Adaxes://$domainName/rootDSE")
$domainControllerFQDN = $rootDSE.Get("dnsHostName")

Start-Sleep -s 10

$session = new-pssession -connectionURI "http://$exchangeServer/powershell" -ConfigurationName Microsoft.Exchange
Import-PSSession -session $session

Enable-Mailbox -Identity '%distinguishedName%' -DomainController $domainControllerFQDN -Room

Start-Sleep -s 30

if ($usersIdentity -ne $NULL)
{
    for ($i = 0; $i -lt $usersIdentity.Length; $i++)
    {
        $usersIdentity[$i] = $usersIdentity[$i].Trim()
    }

    Set-CalendarProcessing -Identity '%distinguishedName%' -ResourceDelegates $usersIdentity -DomainController $domainControllerFQDN
}
Remove-PSSession -Session $session
0

Thank you. I was able to get it working after my previous post by implementing the additional Start-Sleep command after the "Enable-Mailbox" section of the script.

Related questions

0 votes
1 answer

Hallo Everyone I've seen the Report for Exchange Mailboxes with OU, Send on Behalf, Full Rights and Send As Rights: https://www.adaxes.com/questions/ ... . Example: User: Peter.Steinmann Identity: Which Mailboxes AccessRights: FullAccess Kind regards,

asked Jul 6, 2022 by Sandberg94 (340 points)
0 votes
1 answer

We'll be updating over 14K accounts with data (adding data to a virtual attribute) using a scheduled task but I don't want the updates to trigger Business Rules and flood the Adaxes log with entries. Is there an easy way to prevent this?

asked Apr 12, 2022 by sandramnc (870 points)
0 votes
1 answer

Hi there. I'm trying to work out the best way to create a shared mailbox, which will automatically create a group based on the shared mailbox name, and then add ... the delegation of the shared mailbox. Any advice/scripts etc will be much appreciated. Thanks

asked Aug 27, 2014 by ColinB (180 points)
0 votes
1 answer

I need a specific user, when requesting another user to join a group, to have an approval sent to the AD management team. I tried to create a "Business Rule", but I'm getting an "Access Denied" error. Any idea what this could be?

asked Aug 20 by fgmello (40 points)
0 votes
0 answers

Good Afternoon, I'm looking for some clarification on what security settings I would need to apply to the Self-Service Users to allow them to update both their own ... accounts they have full access to. Please let me know if this requires more clarification.

asked Jul 22, 2021 by jtop (700 points)
3,501 questions
3,193 answers
8,145 comments
547,392 users