

March 31

Assigning the Password Reset capability to a group of users

Yesterday I met with a school district that has many tens of thousands of students in it across a lot of schools.  The district HQ manages IT for all of those schools with a primarily centralized staff, and several mobile personnel who do break/fix on-site.  A common issue in schools is also a very fundamental one: users forgetting their passwords.  So we had a discussion about how to delegate password reset permissions to nominated individuals in the schools… specifically the librarians in this case.

If you have not already looked at Role Based Access Controls in Outlook Live, you should do… you will find that there is a lot to learn and a lot you can do… enough for more than a few posts on the topic.  On the topic of delegating the password reset functionality, we deal with this here.  I went over this guidance yesterday with the customer, and the response was “great, but we have 50 librarians to delegate this permission to, how can we do this in bulk?”

There are 2 ways to do this… I will let you decide which one you like best.

OPTION #1: Assign a role to a security enabled group

Normally when you create a group on Outlook Live, in the background it is created as a Universal Group.  There are two types of distribution groups: mail-enabled universal distribution groups and mail-enabled universal security groups. Mail-enabled universal distribution groups can be used only to distribute messages. Mail-enabled universal security groups can be used to grant access permissions to resources in Active Directory, and they can also be used to distribute messages.  If you use the Admin interface in the Exchange Control Panel (ECP), you can only create the former group type; you will need the latter to assign a role to it.  You can however manage membership of the group in the ECP.

To create a mail-enabled universal security group, you will need to do this in PowerShell:

New-DistributionGroup -Name librarians -Alias librarians -DisplayName "Librarians" -Type Security

You can then follow the directions we provide in the guidance, and in step 3 use the Librarians alias to assign the role.  The –user parameter accepts a mailbox or a Universal Security Group.

OPTION #2: Assign individual roles to a bunch of individuals

I used to be a systems admin many moons ago, and scripting was always a friend to me…. so I decided to look once again at how working with csv files could help out.  First of all however, I laid the groundwork by creating the custom role… this is a one off thing… simply follow steps 1 and 2 in the guidance.

Then I created a simple csv file that contained the aliases of the users I wanted to assign the new custom role to; for example:

Alias
jonnyc
jacks
jennyj

…the key elements you will need to build into the script are as follows:

Read the fields pertaining to the users you want to assign the permission to into an array ($Records).  I use import-csv for this:

$records = import-csv -Path $UsersFile -OutVariable string

Build a For…Each Loop to process each row in the array and run it through the New-ManagementRoleAssignment cmdlet.  PowerShell is a fairly  flexible environment to work with, and you can create and work with array rows on the fly (e.g. $User)

foreach ($user in $records)
{
    $this_alias = $user.Alias

    # assign the role to the user - assigning result to variable to avoid listing the new object
    $results = Invoke-Command -Session $Session1 -ScriptBlock {param ($this_alias) New-ManagementRoleAssignment -Name "$this_alias Password Reset" -Role PasswordManagement_Custom -User $this_alias} -ArgumentList $this_alias
}

You will see that I have created a unique role assignment name for every user… this is because the process demands this.

So, I hope this helps!  Don’t forget get-help is your friend here.  To write a script that removes the assignment, there is another cmdlet you can use: Remove-ManagementRoleAssignment

Jonny
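
A stricter version of the Option #2 loop, as an added example rather than the author's script: it validates each alias, skips assignments that already exist, and supports -WhatIf so the grants can be previewed. It assumes $Session1 is the open remote session used in the post; the function name and the alias pattern are this example's own.

```powershell
# Added example, not the author's script. Assumes $Session1 is an open remote
# PowerShell session to Outlook Live and that PasswordManagement_Custom exists.
function Add-PasswordResetAssignment {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] $Session,
        [Parameter(Mandatory = $true)] [object[]] $Records,
        [string] $Role = 'PasswordManagement_Custom'
    )

    # Names of assignments that already exist for this role, so a re-run skips them.
    $existing = @(Invoke-Command -Session $Session -ArgumentList $Role -ScriptBlock {
        param($role) Get-ManagementRoleAssignment -Role $role
    } | ForEach-Object { $_.Name })

    foreach ($row in $Records) {
        $alias = "$($row.Alias)".Trim()

        # Conservative alias pattern (an assumption of this example): blank rows and
        # stray characters from a hand-edited CSV never reach the cmdlet.
        if ($alias -notmatch '^[A-Za-z0-9._-]{1,64}$') {
            Write-Warning "Skipping invalid alias '$alias'"
            continue
        }

        $name = "$alias Password Reset"   # unique assignment name per user, as in the post
        if ($existing -contains $name) {
            Write-Warning "Skipping '$alias': assignment '$name' already exists"
            continue
        }

        # -WhatIf previews the grants without making them.
        if ($PSCmdlet.ShouldProcess($alias, "Assign role $Role")) {
            $null = Invoke-Command -Session $Session -ArgumentList $name, $Role, $alias -ScriptBlock {
                param($name, $role, $user)
                New-ManagementRoleAssignment -Name $name -Role $role -User $user
            }
            # One line per grant for the change record.
            '{0:u} granted {1} to {2}' -f (Get-Date), $Role, $alias
        }
    }
}

# Constructed sample input in the same shape as the CSV in the post.
$records = @"
Alias
jonnyc
jacks
jennyj
"@ | ConvertFrom-Csv

Add-PasswordResetAssignment -Session $Session1 -Records $records -WhatIf
```

Drop -WhatIf to make the grants; the lines the function returns can be appended to a file as the record of who was given the role and when.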

March 30

A PowerShell walkthrough of the Standard Distribution Group Properties Outlook Live UI

I had a long conversation with a customer the other day during a workshop I was doing.  The topic of conversation got around to managing distribution groups programmatically through PowerShell – not just creating them (something I have dealt with separately) but also setting group properties.

We went through the Standard Distribution Group properties interface, and looked at how these settings could be set through PowerShell instead.  See the UI for this below…

[Image: the Standard Distribution Group properties UI]

Here is the list we came up with… I am using a group called Chess as an example, and some random names:

General
    Display Name: Set-DistributionGroup -identity chess -DisplayName "Chess Club"
    Alias: Set-DistributionGroup -identity chess -Alias "chessclub"
    Description: Set-Group -identity chess -Notes "For chess lovers!"

Ownership
    Owners: Set-DistributionGroup -identity chess -ManagedBy jimmyk, jennya, jonnyc

Membership
    Add Member: Add-DistributionGroupMember -identity chess -member jennya
    Remove Member: Remove-DistributionGroupMember -identity chess -member jennya

Membership Approval
    Open Join: Set-DistributionGroup chess -MemberJoinRestriction Open
    Closed Join: Set-DistributionGroup chess -MemberJoinRestriction Closed
    Approved Join: Set-DistributionGroup chess -MemberJoinRestriction ApprovalRequired
    Open Leave: Set-DistributionGroup chess -MemberDepartRestriction open
    Closed Leave: Set-DistributionGroup chess -MemberDepartRestriction closed

Delivery Management
    Restrict to senders: Set-DistributionGroup -identity chess -AcceptMessagesOnlyFrom "John"
    Restrict to groups: Set-DistributionGroup -identity chess -AcceptMessagesOnlyFromDLMembers "Teachers"
    No Restrictions: Set-DistributionGroup "Chess" -RequireSenderAuthenticationEnabled $false

Message Approval
    Moderation On: Set-DistributionGroup "Chess" -ModerationEnabled $true
    Moderation Off: Set-DistributionGroup "Chess" -ModerationEnabled $false
    Moderated By: Set-DistributionGroup "Chess" -ModeratedBy Jim, Jack, John
    Mailboxes that are not moderated: Set-DistributionGroup "Chess" -BypassModerationFrom jennya
    Groups that are not moderated: Set-DistributionGroup "Chess" -BypassModerationFromDLMembers "AllTeachers"

E-Mail Options
    Add email address: Set-DistributionGroup chess -EmailAddresses chess@contososchool.info,chessclub@contososchool.info
    Set Primary SMTP Address: Set-DistributionGroup chess -PrimarySMTPAddress chessclub@contososchool.info

…all of these settings can be viewed in some more detail by entering get-help set-distributiongroup in PowerShell.  You will also find that we have not yet updated our TechNet site with some of this stuff… this is because the underlying technology (Exchange 14) is still in beta… more documentation to come of course…

Happy scripting!

Jonny
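
The same settings can be read back as well as set. This added example (not from the original post) reports groups that accept unauthenticated senders, are open to join, have neither sender restrictions nor moderation, or have no owner. The function name and sample objects are constructed; the property names are those returned by Get-DistributionGroup.

```powershell
# Added example, not from the original post. Works on any objects that carry the
# Get-DistributionGroup properties, so it can be tried on the sample data below.
function Get-GroupExposure {
    param([Parameter(Mandatory = $true)] [object[]] $Groups)

    foreach ($g in $Groups) {
        # Count only real entries; a missing or empty property counts as zero.
        $senders = @($g.AcceptMessagesOnlyFrom | Where-Object { $_ }).Count +
                   @($g.AcceptMessagesOnlyFromDLMembers | Where-Object { $_ }).Count
        $owners  = @($g.ManagedBy | Where-Object { $_ }).Count

        $findings = @()
        if (-not $g.RequireSenderAuthenticationEnabled) {
            $findings += 'accepts mail from unauthenticated senders'
        }
        if ("$($g.MemberJoinRestriction)" -eq 'Open') {
            $findings += 'anyone can join without approval'
        }
        if (-not $g.ModerationEnabled -and $senders -eq 0) {
            $findings += 'no sender restriction and no moderation'
        }
        if ($owners -eq 0) {
            $findings += 'no owner set'
        }
        if ($findings.Count -gt 0) {
            New-Object PSObject -Property @{ Group = $g.Name; Findings = ($findings -join '; ') }
        }
    }
}

# Constructed sample objects; live data would come from Get-DistributionGroup.
$sample = @(
    New-Object PSObject -Property @{ Name = 'Chess'; RequireSenderAuthenticationEnabled = $false
        MemberJoinRestriction = 'Open'; ModerationEnabled = $false; ManagedBy = @('jonnyc')
        AcceptMessagesOnlyFrom = @(); AcceptMessagesOnlyFromDLMembers = @() }
    New-Object PSObject -Property @{ Name = 'AllTeachers'; RequireSenderAuthenticationEnabled = $true
        MemberJoinRestriction = 'Closed'; ModerationEnabled = $true; ManagedBy = @('jimmyk')
        AcceptMessagesOnlyFrom = @(); AcceptMessagesOnlyFromDLMembers = @() }
)

Get-GroupExposure -Groups $sample | Format-Table Group, Findings -AutoSize -Wrap
```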

March 26

High School Student discusses Office Live Workspaces

While browsing the Office Live team blog, I came across a post by David Alexander detailing a video recorded by a high-school student called Maurice.

Given that the commentary had an educational scenario bias, I thought it would be relevant to repost this content here… Maurice does a nice job and provides us with some good food for thought.

   

 

Jonny

New features in Office Live Workspaces

For those customers that are using Office Live Workspaces, you should know that we have recently updated the service to contain some new key features.  I lifted the description of these from the Office Live Team blog.

Folders –To simplify organization, now you can use folders to manage files within workspaces. We know many of you were creating new workspaces whenever you needed to group related documents, so we’re really happy about this feature.

Cut/Copy/Paste–Want to copy a document or file to another workspace? We’ve replaced the File/Move feature with Cut/Copy/Paste to make it even easier to manage your files.

More storage–We are increasing your storage capacity to 5GB. You keep telling us you need more so… ask no more!

Eight new languages – We are expanding to Eastern Europe with the addition of Hungarian, Romanian, Lithuanian, Serbian Latin, Ukrainian, Slovak, Latvian, and Slovenian. That brings our total to 28 languages in 52 countries! Be sure to tell your friends, family, and colleagues around the globe to check out Office Live Workspace.

There is also a nice video here that you can watch to find out some more, and specifically on how we have now started building in Silverlight support.

 

Jonny

March 23

Powershell cmdlet for creating a new mailbox in Outlook Live

I am working with a customer who is building a self-service web application that allows users to register their own LiveID/Mailbox on Live@edu; something I hope to be able to share more about at some point soon.  A question came up today about the PowerShell cmdlet that is needed to create the account on our end.

The functioning of this cmdlet has changed a little since we first shipped Exchange Labs (now Outlook Live).  It now requires that the password be passed as a secure string, converted from plain text… so now the complete action is a 2-liner at a minimum.  An example is below for your reading pleasure.

$Password = ConvertTo-SecureString '<string>' -AsPlainText -Force

new-mailbox -Name <string> -Password $Password -WindowsLiveID <string> -ResetPasswordOnNextLogon <number> -FirstName <string> -LastName <string> -DisplayName <string>

Thus:

$Password = ConvertTo-SecureString 'MyPassword' -AsPlainText -Force

new-mailbox -Name JonnyC -Password $Password -WindowsLiveID jonnyc@contososchool.info -ResetPasswordOnNextLogon 0 -FirstName Jonny -LastName Chambers -DisplayName "Jonny Chambers"

More to come, as I say.

Jonny
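
For accounts an administrator creates on a user's behalf, the same two-liner can take a random one-time password instead of a literal typed into the script. This is an added example, not the author's code; New-InitialPassword is a hypothetical helper, and passing 1 to -ResetPasswordOnNextLogon is assumed to force a change at first sign-in, following the 0 used in the post.

```powershell
# Added example, not the author's code.
function New-InitialPassword {
    param([int] $Length = 16)

    # Unambiguous characters only (no 0/O, 1/l/I), so it can be read out or printed.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789'.ToCharArray()
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] 1
    $chars = New-Object System.Collections.ArrayList

    # Rejection sampling: discard bytes that would bias the modulo.
    $limit = 256 - (256 % $alphabet.Length)
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($bytes)
        if ($bytes[0] -lt $limit) {
            $null = $chars.Add($alphabet[$bytes[0] % $alphabet.Length])
        }
    }
    -join $chars
}

$plain    = New-InitialPassword
$Password = ConvertTo-SecureString $plain -AsPlainText -Force

# 1 is assumed to force a password change at first sign-in (the post's example passes 0).
New-Mailbox -Name JonnyC -Password $Password -WindowsLiveID jonnyc@contososchool.info `
    -ResetPasswordOnNextLogon 1 -FirstName Jonny -LastName Chambers -DisplayName "Jonny Chambers"

# Hand $plain to the user once, out of band, then drop it from the session.
Remove-Variable plain
```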

Where have my Tasks gone in Outlook Live?

Some customers may have noticed in Outlook Web Access for Outlook Live that the Tasks folder has disappeared.  This is in fact the case, but Tasks in OWA will return sun-tanned and ready for action again in our next service iteration, R4, several months from now.  In the meantime however, Tasks is/are (?) still completely accessible and usable through MAPI and ActiveSync.

The reason for this is because of the major over-haul we gave the web interface during the recent service upgrade to get Firefox and Safari working at a par with Internet Explorer.  We had to make some hard choices here given the resource constraints that affect any software project, including our own… hopefully you will agree we made the right priority choice?

Thanks!

Jonny

March 22

Populate a Standard Distribution Group with members using a CSV file

Related to my previous post on creating groups from a csv file, I thought I would take this one stage further and also think about how you can populate the group with members.

In this case, I am keeping the csv file simple… a simple pairing of a group alias with a user alias:

Group,Name
Chess,JSmith
Chess,JJones
Computer,JSmith

…just like the last post…the key elements you will need to build into the script are as follows:

Read the pairs pertaining to the groups and members you want to create into an array ($Memsfile).  I use import-csv for this:

$Memsfile = import-csv -Path c:\mems.csv -OutVariable string

Build a ForEach Loop to process each row in the array and run it through the Add-DistributionGroupMember cmdlet. 

foreach ($Mem in $MemsFile)
{
    $this_name              = $Mem.Name
    $this_DistributionGroup = $Mem.Group   # the column is named Group in the csv file above

    # add mailbox to distribution group - assigning result to variable to avoid listing the new object
    $results = Invoke-Command -Session $Session1 -ScriptBlock {param ($this_name,$this_DistributionGroup) Add-DistributionGroupMember -Identity $this_DistributionGroup -Member $this_name} -ArgumentList $this_name,$this_DistributionGroup
}

I hope this helps! Of course you can also use the same techniques and even csv file to remove distribution group members… just change Add-DistributionGroupMember to Remove-DistributionGroupMember.

Jonny

Create a bunch of Standard Distribution Groups from a CSV file

Some customers make extensive use of standard distribution groups in Outlook Live to organize and communicate with users.  Just like it is possible to create and manage mailboxes with CSV files… the same is true of groups, and you can write a script to do this.  You should use CSV Parser as a guide here.

Assuming a csv file that looks like this…

Name,Alias,DisplayName,Type
Chess,Chess,Chess Club,Security
Computer,Computer,Computer Club,Security

…the key elements you will need to build into the script are as follows:

Read the fields pertaining to the groups you want to create into an array ($Records).  I use import-csv for this:

$records = import-csv -Path c:\groups.csv -OutVariable string

Build a For…Each Loop to process each row in the array and run it through the New-DistributionGroup cmdlet.  PowerShell is a fairly  flexible environment to work with, and you can create and work with array rows on the fly (e.g. $Group)

foreach ($group in $records)
{
    $this_name        = $group.Name
    $this_alias       = $group.Alias
    $this_displayname = $group.DisplayName
    $this_type        = $group.Type

    # create distribution group - assigning result to variable to avoid listing the new object
    $results = Invoke-Command -Session $Session1 -ScriptBlock {param ($this_name,$this_alias,$this_displayname,$this_type) New-DistributionGroup -Name $this_name -Alias $this_alias -DisplayName $this_displayname -Type $this_type} -ArgumentList $this_name,$this_alias,$this_displayname,$this_type
}

I hope this helps!

Jonny

Setting a DisplayName of Lastname, Firstname using CSV Parser

Several customers I have spoken with recently want to use the CSV Parser PowerShell script with a CSV file to set the DisplayName attribute for user mailboxes to LastName, FirstName… for example: Smith, John.

To do this, you basically need to put double quotes around the field data… for example, you might end up with a csv file that looks like this:

Action,Type,Name,EmailAddress,FirstName,LastName,DisplayName,Password,ForceChangePassword
Add,Mailbox,JohnSmith,jsmith@contososchool.info,John,Smith,"Smith, John",111111,0
Add,Mailbox,JackJones,jjones@contososchool.info,jack,Jones,"Jones, Jack",111111,0

The trick, if you are working on the csv file in Excel, is that you should NOT include the quotes.  Excel will add these when you save the file as a CSV file.


You can then run CSV Parser as normal.  It pays to check the final format of the CSV file before you use it to run an upload... get the format the wrong way, and CSV Parser might fail, or you might get unwanted quotation marks in the Display Name.

Jonny
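
One way to check the final format before an upload, as an added example that is not part of CSV Parser: it catches both failure modes described above, a DisplayName whose comma was left unquoted and one that ended up with literal quotation marks. The function name is hypothetical, the sample rows are constructed, and one record per line is assumed.

```powershell
# Added example, not part of CSV Parser.
function Test-DisplayNameCsv {
    param([Parameter(Mandatory = $true)] [string[]] $Lines)

    $header   = $Lines[0] -split ','
    $expected = $header.Count
    # Spare columns so an overflowing field is counted instead of silently dropped.
    $wide     = 1..($expected + 5) | ForEach-Object { "c$_" }

    for ($n = 1; $n -lt $Lines.Count; $n++) {
        # Parse each data line on its own, once for the field count and once by name.
        $fields = $Lines[$n] | ConvertFrom-Csv -Header $wide
        $count  = @($fields.PSObject.Properties | Where-Object { $null -ne $_.Value }).Count
        $row    = $Lines[$n] | ConvertFrom-Csv -Header $header

        $problem = $null
        if ($count -ne $expected) {
            $problem = "has $count fields, expected $expected (unquoted comma in DisplayName?)"
        } elseif ($row.DisplayName -match '"') {
            $problem = 'DisplayName contains literal quotation marks'
        } elseif ($row.DisplayName -ne "$($row.LastName), $($row.FirstName)") {
            $problem = 'DisplayName is not "LastName, FirstName"'
        }
        if ($problem) { "Line $($n + 1): $problem" }
    }
}

# Constructed sample: line 3 lost its quotes, line 4 had quotes typed into the Excel cell.
$lines = @'
Action,Type,Name,EmailAddress,FirstName,LastName,DisplayName,Password,ForceChangePassword
Add,Mailbox,JohnSmith,jsmith@contososchool.info,John,Smith,"Smith, John",111111,0
Add,Mailbox,JackJones,jjones@contososchool.info,jack,Jones,Jones, Jack,111111,0
Add,Mailbox,JennyJ,jennyj@contososchool.info,Jenny,James,"""James, Jenny""",111111,0
'@ -split "`r?`n"

Test-DisplayNameCsv -Lines $lines
```

For a real file, pass the output of Get-Content on the CSV as -Lines.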


March 10

Exchange Server in the cloud

A topic that comes up in conversations I have with customers from time to time has to do with all of the different ways Exchange can be consumed as a service.  Well… m’colleague, Mark Garcia has just blogged on this here: http://blogs.technet.com/ucedsg/archive/2009/03/10/what-are-my-choices-for-exchange-server-in-the-cloud.aspx.

… and does an effective job of it I think!

I would add a few things in connection with what Mark has said:

An additional ‘cloud’ option: you can also consume Exchange through a partner/outsourcer-hosted service.  This has been available for a while… and I guess that in this shiny ‘new’ cloudy world you can easily see how service providers in this game could re-label what they are already doing :)

An additional consideration when comparing Outlook Live with other offerings: One thing that institutions that enroll with Live@edu/Outlook Live benefit from is that Mailbox and MailUser objects are associated with a corresponding and hard-linked LiveID.  With this LiveID, users can use services, aside from Outlook Live, that employ LiveID as an authentication mechanism; services such as SkyDrive and Office Live Workspaces.  This is not to say that you cannot create LiveIDs for Exchange users on other services; you can.  Simply create MailUsers for external contacts on another service in Outlook Live using an Accepted Domain.

I would be interested in hearing from you on any questions you might have, either here, or in response to Mark’s post.  As you can see, we offer a lot of flexibility in our deployment options, and as we are really only at the genesis of offering Exchange in the cloud, you can expect to see a lot more from us in the future that simplifies decision making.  The best thing to do is have a conversation with us, or your chosen trusted Microsoft partner, so that you can build out a solution that exceeds your expectations :)

Jonny

March 9

Quickly update your mailboxes with a single attribute

A customer asked me today if there is a quick way to modify an attribute across all of their mailboxes with the same value.  The attribute in question was PostalCode.

There are several different ways to do this… probably the best way is to use the CSV Parser script with a csv file containing the updates… that way you will have a record of what was done.

But… having said that, it is possible to quickly fire through all of your users with a simple piped cmdlet.

example:

get-user | set-user -PostalCode "92345"

This will get all users, and one at a time pipe them through the set-user cmdlet, setting whatever you specify.

Use get-help to see what the available options are for the cmdlets.

Don’t forget that not all attributes are available for a user through set-user.  There is also set-CASMailbox and set-mailbox to explore and try.

Jonny

March 4

Restricting a mailbox so that it can only receive mail from certain people/groups

A customer asked me about the Conference Room post I made a few days back… and wondered if it is possible to restrict who can book a resource like this.

It is…

Having a look at the set-mailbox documentation on TechNet here: http://technet.microsoft.com/en-us/library/bb123981.aspx, you will see, embedded in there amongst a load of optional parameters, one called ‘-AcceptMessagesOnlyFromDLMembers’.

This is how you use it, when logged onto PowerShell server-side:

set-mailbox confroom -AcceptMessagesOnlyFromDLMembers allstaff

where in my case, confroom is the mailbox name for the resource I want to set permissions for, and allstaff is the name of the Distribution Group I want to grant access to.

If instead you wanted to just manage permissions for individual mailboxes, you would use AcceptMessagesOnlyFrom:

set-mailbox confroom -AcceptMessagesOnlyFrom jonnyc

Jonny