$&#@!

Users of Outlook Live ask about how they can block bad words.  We have changed how we do this in R3 with supervision policies... and this is described well here:

http://help.outlook.com/en-us/140/dd451086.aspx 

I can also supply a list of typical bad words if anyone wants it... just drop me a note!

Enjoy!

Jonny

Customers ask me about this all of the time, so I wanted to share here what I have been telling them.  There is often confusion over what it can and cannot do, what the alternatives are.  Thanks to Richard Wakeman from our MS Services group and Erik DesBois from our Exchange team for consulting with me in preparing this post!

So here we go...note that some of my recommendations are my opinions, yours may of course vary as I do not pretend that I can guess what will work best for any given institution :)

Microsoft Identity Lifecycle Manager (ILM) 2007 provides an integrated solution for managing the entire lifecycle of user identities and their associated credentials. It provides identity synchronization from schools directory, and user provisioning into Live@edu.  It is a product that a lot of education institutions have had great success with in synchronizing their Active Directory user accounts with Live@Edu Hotmail LiveIDs, and it is a solution that Microsoft is introducing to our Live@Edu Exchange Labs customers with an early adopter version of our Exchange Labs Management Agent (ELMA) for ILM over the next 2 months or so.

This is not to say you cannot use ILM today, one of our partners, the Oxford Computer Group has rolled out ILM in a way that provides a csv file to, and then drives, the CSV Import tool, it just cannot do password synchronization.  This actually may or may not be an issue for colleges depending on what their approach is for SSO...remember we offer support there too.

The ELMA provides synchronization of a number of mailbox attributes including Display Name, contact details and extended attributes such as department which is useful for identifying school affinity.  ILM is an advanced solution for provisioning Exchange Labs accounts.  We typically only suggest adoption of ILM by our most technologically savvy customers.  Of those, most are initially deployed by one of our capable partners.  Our partners do have programs in place for quick starts onto ILM.  These usually last about three days onsite.

Besides ELMA, we are delighted to be able to provide a number of other, powerful yet simple to set up alternatives to support Exchange Labs mailbox provisioning:

• A comprehensive Web UI that allows an administrator to manage their Mailboxes and Distribution Groups on an individual basis.
• A Remote PowerShell interface, an extensible command-line shell and scripting language which supports granular interaction with the Exchange Labs service on a bulk mailbox basis if required.
• A dedicated CSV Import tool that can be used for the bulk creation, updating and deleting of mailboxes.

There are pros and cons to all of these approaches, and with some effort, they can be interchangeable, happy to discuss any of them with you in some more detail.

I hope that makes sense and helps in your planning

Jonny

Dynamic Distribution Groups serve a purpose, but they are not for everyone.  They tend to be used more for communicating with bigger groups of people in an organization or sometimes when you do not want people to be able to browse group membership...because that is the challenge with them, a user browsing the Exchange Global Address List cannot expand the group membership; membership only gets expanded by Exchange when it needs to work out who is in the group based on a filter calculation.

So that leaves us with regular Distribution Groups where of course membership can be viewed/expanded if permitted, but presents its own unique challenge in that adding uses to a regular Distribution Group can take a long time if there are many users to add.  This is where our friend PowerShell comes in :)  It is really straight forward to manage groups memberships with a basic few lines of code and a csv file.

The PowerShell command to add a mailbox/contact/mailuser (e.g. John Doe) to a group (e.g. AllStudents) is:

Add-DistributionGroupMember -Identity AllStudents -Member 'John Doe'

...and to remove a mailbox/contact/mailuser (e.g. John Doe) from a group (e.g. AllStudents) is:

Remove-DistributionGroupMember -Identity AllStudents -Member 'John Doe'

As Technet shows, you can actually use a variety of ways to identify the user and group to add or remove them.  So for example

Add-DistributionGroupMember -Identity AllStudents@contoiso.edu -Member john.doe@contoso.edu

...will also work.

"But I have 50,000 users." I hear you say...what can PowerShell do to help me?  Well that is where basic scripting skills come in...and I have just spent 15 minutes knocking up sample (use at your own risk) scripts that takes a simple csv file that I created in Excel, and uses the information in it to add users to groups and remove users from groups.  There are only 2 columns...

I created 2 separate scripts just for cleanliness...you will see that they are identical apart from one key line (and some comments).   I have also provided a csv file for you to use.

Usage is simple:

1. Start PowerShell CTP
2. enter:
   $LiveCred = Get-Credential
3. enter:
   your admin username and password to the popup dialog
4. to add group members enter, with the right drive paths:
   c:\add_to_dg.ps1 -LiveCredential $LiveCred -RemoteURL https://ps.exchangelabs.com/powershell/ -UsersFile "c:\groups.csv"
5. to remove group members enter, with the right drive paths:
   c:\remove_from_dg.ps1 -LiveCredential $LiveCred -RemoteURL https://ps.exchangelabs.com/powershell/ -UsersFile "c:\groups.csv"

The script creates and deletes a runspace for you...but if you terminate the script (DON'T CLOSE PowerShell) remember to do 'Get-RunSpace | Remove-RunSpace' to kill of any unwanted runspaces.

I did not include any advanced error handling or logging in my script just for the sake of time.  If you want to do this, there are some best practices in the CSV_Parser.ps1 file that you can get from the connect site, or here.

I have not yet covered how to bulk create Distribution Groups with PowerShell, and I wasn't planning to.  It is pretty straight-forward...and the scripts I provided in this post can be modified quite easily...commands you need are here.

Enjoy!

Jonny

This was an event that we ran for customers that were prepared to make the trip to Redmond, WA a few weeks back.  It was good to be able to meet some of you there.

I have just uploaded the presentations from the event to my SkyDrive...you can download them from here.

Enjoy!

Jonny

Hi folks,

For those of you that are in the test phase right now in Exchange Labs, one word of caution.  Do not use your real user data in testing.  There is a restriction in the Live service that controls the number of times an account can be created, deleted, and then recreated again.  This is currently set to 4 times...try and recreate a 5th time, and the action will be blocked.  You can get these accounts evicted so that the counter resets to zero, but this takes time...perhaps more than some of you have!

Use the samples I provided, and only use your real data when you are ready for real.

Jonny

Exchange mailboxes can have multiple attributes set against them...Department, State, Address, Phone Number, etc, but what if you need more than that?  Typical questions I have been asked are:

• How do I tag a mailbox as an Alumni
• How do I tag a mailbox as a male/female user
• How do I tag a mailbox as ...?

Using PowerShell, if you run the Get-Mailbox command against a mailbox (e.g. 'Get-Mailbox Jonny') you will produce a rather large list of complete set of attributes, and right in the middle of the list, you will see CustomAttribute1 thru CustomAttribute15, which if you have not used them until now, will be blank.  These attributes can be used to store more or less any data you want.  You can then tie things like Dynamic Distribution Groups, applications, or something else to them.  The only thing an admin cannot do is rename the attribute itself, nor can you create new attributes, so you will need to keep a note of what each custom attribute is for.

These attributes can be updated quite easily...here is an example of how:

Lets say you wanted to use CustomAttribute1 to tag Jonny's mailbox as an Alumni:

Set-Mailbox jonny -CustomAttribute1 'Alumni'

That's it.  You can also make reference to these attributes when doing bulk mailbox creation.

Jonny

I have had a few customers that are having trouble getting PowerShell up and running on their desktops.  The primary reason for this has been trying to run the incorrect version.  What you will need is the Windows PowerShell V2 Community Technology Preview (CTP) release and the WinRM 2.0 transport CTP release installed on your client computer.  Full instructions on how to get this are here. 

I hope this helps clarify things.

Jonny

A few days ago, a customer told me that the educational institution they support consists of multiple campuses, and that each of these campuses has its own brand identity; something that carries through to the DNS domains that have been set up to support them.  As far as student email is concerned, for the last number of years, they have provided two email addresses for each student: one that is associated with the parent institution, and one that is associated with the campus they are attending.  While there are two addresses, the campus email is just a proxy or alias for a mailbox that this actually on the parent institution's mail domain.  So for example:

Student name: Jack Jones
Institutional email address: jack.jones@contoso.edu (this is the actual mailbox)
Campus email address: jack.jones@ny.contoso.edu (this is an alias)

Ultimately, when a mail is sent to Jack Jones at his campus email address, the default reply will come from the parent address, so the branding will be lost unless Jack sets his "Have replies sent to" option for each mail he sends to his campus email.  Currently it is not possible in Exchange Labs to change the Primary SMTP address as it must match up with the Windows Live ID.

The point of all of this is that this is a scenario that is supported in Exchange Labs that you can build by using Accepted Domains.  An accepted domain is any SMTP namespace for which an Exchange Organization sends and receives email.  I will cover different things you can do with accepted domains in more detail as time passes because there are a number of clever things you can do with them...but in this case, and in the screencast I recorded, I want to look at the scenario described above.  Instructions are also on Technet here.

Double click to view the video in full screen

download

Jonny

What better way to start a blog entry than to use someone else's fine words:

"Unlike regular Exchange Labs distribution groups that contain a defined set of members, the membership list for a dynamic distribution group is calculated every time that a message is sent to the group. This calculation is based on the filters and conditions that you define. When an e-mail message is sent to a dynamic distribution group, it is delivered to all recipients in the organization that match the criteria defined for that dynamic distribution group."
http://technet.microsoft.com/en-us/exchangelabshelp/cc546291.aspx 

I just did a screencast of me creating a Dynamic Distribution Group ion my Exchange Labs service in PowerShell.  Dynamic Distribution groups can save a lot of time for administrators in that in certain scenarios, and with smart use of mailbox attributes to store information about users and base your group membership on, you can have 'set it and forget it' groups that manage themselves.

double click to watch in full screen

download

Jonny

• I record the videos using Camtasia Studio - a simple to use, yet fantastic product for doing all sort of video related work.  I use it to create a WMV file from my screen captures.
• I set the resolution of my screen to 800x600 during the recording...although Camtasia can do a resize afterwards if you have done something larger.
• I use a ZOOM Handy Recorder H2 plugged into my laptop - another brilliant piece of kit.  It sits about 20 inches from me on my desk, but you can still hear me breathing :)
• I upload all of my videos to my account on http://silverlight.live.com, which in turn provides me with a download URL and an iFrame statement that I embed into the HTML of my blog. Best of all the SilverLight site allows me to stream so you all get a better experience.
• I use Windows Live Writer to keep my blog going...which of course is running on http://spaces.live.com.
• I use a public folder on my Skydrive, to share out files and so on.

At some point, I am going to have a fiddle around with Expression Encoder, which will allow me to do more funky video overlays and controls...some day I'll get round to it...

So I hope that helps

Jonny

...and vice versa?  This is a question that I have been asked a lot now that many of my customers are now at that all-important mailbox provisioning stage.

Currently if you host your student mailboxes on Exchange Labs and keep your faculty and staff mailboxes on, say, an on-campus Exchange mail solution, the two systems cannot 'see' each other and are unaware of each other's existence.  So for example, when a student looks at their Global Address List in Outlook, all they see is other student contact details; there is however a way in which you can provide contact details for faculty and staff right into the student GAL.

Exchange Labs Contacts contain the e-mail addresses and other information for users who exist outside of an Exchange mail domain.

The way this works is a mail administrator takes a snapshot of the faculty/staff contact information they would like students to see in their GAL; this is created as a CSV file.  This CSV file is then laid out in such a way that it can be used by the CSV Import tool supplied for use with Exchange Labs, or with PowerShell.  The administrator then creates a collection of contacts in the student Exchange Labs mail domain.  These contacts do not have mailboxes or anything like that in the student domain, think of them just as you would contacts you may have stored for your own personal use in your own mail client, except they are visible to everyone.  Once you have created these contacts, you can keep them up to date on a scheduled basis using the Update or Delete actions in conjunction with CSV Import or PowerShell.

So what about the 'vice versa'?  What if you want students to appear as contacts in your faculty/staff mail system.  This is achieved in much the same way.  Many email solutions such as Exchange allow you to create shared contacts for those accounts that do not have mailboxes locally.  The same file that you use to create student mailboxes on Exchange Labs can be re-purposed to create contacts on whatever system you are running on-campus.

A note on Distribution Groups.  DG's also have SMTP addressed, for example AllPsychologyStudents@contoso.edu.  A DG will exist on one side of the overall Exchange Solution described above, but similarly, a contact can be created for this group on the other side of the solution in the same way as you would create a contact for a remote mailbox.  The other thing to note is that Distribution Groups can contain both users with mailboxes in the same mail domain, and contacts from another domain, so if you wanted to created a group for say a research project that contained both Faculty and Students, this is entirely possible.

Jonny

Just a quick one, that I don't think would trouble anyone to do...I just created a very short screencast on how you can create and manage a Distribution Group in Exchange Labs.  This is done though the Outlook Web Access UI.  I will follow up this screencast on a slightly more involved look at distribution groups when I look at Dynamic Distribution Groups.

doubleclick to view in full screen

download

Jonny  

There has been some confusion over this...admittedly even from my end.

The question that some customers have been asking is: Can a mailbox that has never been logged on to still receive email?  The concern is that newly enrolled students that have been supplied an email account by a college will miss out on communication from their college if they don't activate/log on to their account.  If you are testing out mailbox creation, and then straight away attempt to send a mail to a new mailbox, you may in fact get an NDR...but wait a few minutes, and it will work ok.  So when the student does finally pull themselves away from their summer vacation activities and gets around to access their new Exchange Labs email service for the first time, schools and colleges can rest assured that all communications sent to date will be in fresh inboxes waiting to be read.

Jonny

Customers that I speak with in Education sometimes manage many tens of thousands of student accounts, and from time to time want to make programmatic changes to some of the mailbox attributes either individually or in bulk.  These changes can spring from a number of needs, for example assigning a bunch of students to a class as they make their module elections, changing classes during a year, name changes do to changes in life circumstance, and so on...  Thinking about how these changes are actually effected, again it can vary.  Administrative staff may wish to work directly against the Exchange Labs mailboxes with a script they kick off manually, or they may create a script that is driven by some automated processes they set up in support of identity synchronization between a student records system, or LMS, or Active Directory and other connected systems where a student identity is maintained.

In the demo associated with this blog entry, I have a look at how PowerShell can be employed to make changes against mailbox attributes in bulk...the scenario I use is modifying the class that a bunch of students have been assigned to.  I use the 'Department' attribute to store this information, you might choose to use some other attribute that is available for you to write into.  The demo is based on info you can find here.

double click video to use full screen

download

Jonny

A topic that comes up fairly consistently when I speak with customers is the aim of providing an institutional email address for life. Something that will forever relate an individual to a school...first of all as students, then as alumni, and sometimes even as students again if they are a bona-fide lifelong learner, loyal to their alma mater to a fault :)

Anyone that works in education that has tried to deal with this knows the challenge of large numbers and an ever changing student population only too well...there can be sometimes be upwards of many tens of thousands of students enrolled at any given time, a new intake of several thousand each year, and a similar number graduating at the other end of the production line and leaving.  Names are not unique, so you can always expect repetition, if not in the same enrollment, almost certainly over time.

I have talked to colleges that deal with this in a number of ways, and I wanted to share these with you here for your consideration.  There is no one 'best way' but there are certainly some ideas here you may want to consider.

Some schools that do not have a strategy around an email address for life have asked me about simply reusing email addresses as they become free...so for example the John Smith that is currently using john.smith@my.contoso.edu graduates, freeing the name up for a future John Smith.  This is fine, but there are some considerations that need to be made here.  First of all, the LiveID service does not allow the deactivation and reactivation of an account more than 4 times...try to do more, and you will get blocked.  You can reset this counter back to zero, but to do this, you need to go further and actually evict the account which can sometimes be an extended process.

So I hope this all helps...your comments are invited if any of you have ideas that are not implied here and that work for you.

Jonny

Some customers I have spoke to recently wanted a little more guidance on how PowerShell can be used to remove Exchange Labs mailboxes from LiveIDs.  The technique that is used is very similar to the one used to create mailboxes, except of course you do not need to provide so much information in the CSV file.  I have provided the file I used as a sample on my SkyDrive.

I basically run the following commands, and leverage the CSV_Parser file that we provide to assist you with manipulating date from csv files.

1:Provide credentials for runspace
$LiveCred = Get-Credential

2:Provide use account with admin privileges
admin@domain.com

3:Execute Script
C:\csvparser\CSV_Parser.ps1 -LiveCredential $LiveCred -RemoteURL https://ps.exchangelabs.com/powershell/ -UsersFile "s:\csvparser\deletefile.csv"

I also recorded a short podcast of me using these commands for real...enjoy!

double click to view in full screen

download

Jonny

THE FOLLOWING ARTICLE DESCRIBES STEPS THAT DO WORK, BUT ARE UNSUPPORTED BY OUR SUPPORT TEAM,SO TRY THIS AT YOUR OWN RISK AND BE AWARE THAT YOU MAY LOSE YOUR LIVEIDs

now to qualify that... the tricky bit is the time you need to wait between cancelling your Hotmail service and re-enrolling for Exchange Labs.  Enrol for EL too soon, and you may end up with some orphaned accounts that are still associated with Hotmail and that may interfere with your EL activation.  How long should you wait?  Depends on the number of accounts, more than 24 hours is good... more than that?  Hard to say.  If you want to give this a go, and do not mind losing your LiveIDs, this article is for you :)

I have a number of customers that have been using the Hotmail Live@Edu service in their institution, and now would like to move onto Exchange Labs.  At the time of writing, Microsoft does not offer a bulk mailbox migration tool that will move mailboxes between Hotmail and Exchange Labs, a migration can however be carried out by users manually if they want to use PST files to achieve this.  What is possible, is re-associating LiveIDs that were originally created to use Hotmail with the Exchange Labs service; this will mean that users can keep the same username and password, and can retain access to any Office Live Workspaces/ SkyDrives/IM they may be using.  Hotmail mailboxes will be deleted however, so be aware of that.

So here are the steps to disassociate LiveIDs from Hotmail and re-associate with Exchange Labs that I was able to successfully test.  The only issue I had was with accounts that had never logged on. For those users, I had to do a password reset.

• Create a list of the current LiveIDs (email addresses) in a csv file.  This can be obtained in a number of ways...I used to the EduExpress tool to get mine from the existing set of accounts.
• Cancel their existing Hotmail service in domains.live.com by selecting ‘no mail’.  You will be warned that all existing mailboxes will get deleted. 
• Cancel the existing domains service so that it does not conflict with your forthcoming new enrollment with Exchange Labs.
• Enroll in live@edu again, selecting Exchange Labs as the preferred platform, and activate it using the link that is embedded in the invitation email.  You can use the admin account you used previously with your Hotmail service, or create a new account.
• Follow the instructions to configure your DNS for Exchange Labs.
• Use the CSV Import tool to import the existing Live IDs using the following instructions that can be found here.

You can also watch some of the screen captures I made while testing this for myself...not one of my better productions as it was spread across several days given the nature of the process, and I had to re-record some bits that I missed...but it did work :)

double click to view the video in full screen

download

It is always best practice to have more than one Exchange Labs administrator for your organization, and this is for a number of reasons including auditing for account changes, illness, you name it, just like it is usually a good idea to have a spare key for your house or car (I keep mine under the doormat - joking :)).  In Exchange Labs, there are 2 types of administrator, the Windows Live Admin Center admin (who by default is also an Exchange Admin) and the Exchange Admin, of which you can have more than one.  Exchange Admins are not able to modify your domain settings or even log into http://domains.live.com, they can only manage mailboxes and distribution lists, see here for more details.

To create an Exchange Admin, you essentially promote an existing LiveID on your domain into the role.  Doing this in PowerShell is very straight forward and is the approach I would recommend you take for the sake of time-saving...but if you don't feel like it, you can also use the CSV Import tool following the instructions here; if you want a demo of this let me know.

To see the demo in full size, double click the video screen.

download

For your convenience, here are the commands I used in the demo pasted below for you.

Connect to Exchange Labs Runspace
1. $LiveCred = Get-Credential
2. $rs = New-Runspace -Shell Microsoft.Exchange -ConnectionUri https://ps.exchangelabs.com/powershell/ -Credential $LiveCred  -Authentication Basic

:Create the new admin role for an existing LiveID
3. Invoke-Command {New-ManagementRoleAssignment -Name "Student Manager" -Role OrgManagement_Tenant -User admin2@students.exlablive.info} -RunSpace $rs

:Gracefully exit runspace
4. Remove-Runspace $rs

Thanks

Jonny