ActiveRoles 7.3 Exchange Resource Forest Management Administration Guide
One Identity Active Roles 7.3
Exchange Resource Forest
Management Administration Guide
Copyright 2018 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide
is furnished under a software license or nondisclosure agreement. This software may be used or copied
only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced
or transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser’s personal use without the written permission of
One Identity LLC .
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-
INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity make no
representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity do not make any commitment to update the information contained
in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at www.OneIdentity.com/legal. All other trademarks are the property of their
respective owners.
Legend
IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting
information.
Active Roles Exchange Resource Forest Management Administration Guide
Updated - June 2018
Version - 7.3
Contents
Solution Overview
Understanding the problem
Understanding the solution
AutoProvision
Synchronize
Synchronized properties
Substituted properties
Back-synchronized properties
Deprovision
AutoProvision of distribution list manager
Mailbox type conversion
Technical description
Policy Object
Policy settings
Container for new shadow accounts
Default description for new shadow accounts
Attribute to store a reference to shadow account
Synchronized properties
Substituted properties
Back-synchronized properties
Policy actions
Scheduled Task
Examples of Use
About us
Contacting us
Technical support resources
Solution Overview
• Understanding the problem
• Understanding the solution
• Technical description
AutoProvision
The AutoProvision process creates a shadow account in the Exchange forest upon:
Then, the AutoProvision process creates a linked mailbox associated with that shadow
account, designating the user from the accounts forest as the linked master account for
that mailbox.
To maintain a link between the master account and shadow account, Exchange Resource
Forest Management assigns the globally unique identifier (GUID) of the shadow account to
a certain attribute of the master account (the adminDescription attribute by default).
Normally, the AutoProvision process creates a shadow account with the same name as the
name of the user from the accounts forest. In case of a name conflict, a different name is
used to ensure the uniqueness of the shadow account’s name.
Synchronize
The Synchronize process includes the following functions:
• Updating certain properties of shadow accounts based on changes to master accounts
• Substituting certain properties of master accounts with properties of shadow accounts
• Updating certain properties of master accounts based on changes to shadow accounts
Synchronized properties
When you update certain properties of a master account, Exchange Resource Forest
Management updates those properties in both the master account and shadow account.
These properties are referred to as synchronized properties.
Exchange Resource Forest Management performs synchronization of properties upon:
• Creation of shadow accounts
• Modification of master accounts
Thus, modifying personal or organization-related properties of a master account also
results in updating those properties of the shadow account. This function ensures that
changes to master accounts are properly reflected in the directory used by the Exchange
messaging system. For the default list of synchronized properties, see Synchronized
properties later in this document. You can configure Exchange Resource Forest
Management to synchronize additional properties or remove individual properties from
synchronization.
• When retrieving property values for a master account, Active Roles returns the property values of the shadow account linked to the master account.
• When modifying properties for a master account, Active Roles actually updates the properties of the shadow account linked to the master account.
For the default list of substituted properties, see Substituted properties later in this
document. You can configure Exchange Resource Forest Management to extend that list.
Back-synchronized properties
When you change certain properties of a shadow account, Exchange Resource Forest
Management changes those properties in both the shadow account and master account.
These properties are referred to as back-synchronized properties. By default, the list of
back-synchronized properties consists of a single property—mail (E-mail Address), and
can be modified.
When a back-synchronized property of the shadow account has changed, Exchange
Resource Forest Management replicates the change to the master account. The ability to
replicate property changes from the shadow account to the master account is helpful in a
situation where certain properties are administered on the shadow account rather than the
master account.
Deprovision
The Deprovision process performs the deprovision operation on the shadow account once
the master account is deprovisioned. This causes Active Roles to execute the
deprovisioning policies that are in effect on the shadow account to deprovision the linked
mailbox of the master account. Note that the mailbox deprovisioning policies must be
applied to the container that holds shadow accounts rather than master accounts.
In Active Roles, you can undeprovision the deprovisioned master account. However, this
may not undeprovision the shadow account (and, therefore, undeprovision the linked
mailbox). For undeprovisioning master accounts to have an effect on shadow accounts, the
Technical description
Exchange Resource Forest Management extends the mailbox management capabilities
of Active Roles in the case of resource forest topology. This topology option assumes
that you have:
• At least one Active Directory forest containing logon-enabled user accounts for your organization, referred to as an accounts forest. The accounts forest does not have Exchange Server installed, nor does it need to have the Active Directory schema extended with the Exchange Server attributes.
• An Active Directory forest with Exchange Server, referred to as the Exchange forest, to hold mailboxes for user accounts from the accounts forest.
• Trust relationships configured so that the Exchange forest trusts the accounts forest.
With Exchange Resource Forest Management, you can use Active Roles to:
• Create a mailbox for a user account from the accounts forest.
You can create a mailbox when creating a user account in the accounts forest. It is also possible to create a mailbox for a user account that already exists in the accounts forest. As a result, Active Roles creates a disabled user account (shadow account) with a linked mailbox in the Exchange forest, and associates the shadow account and the mailbox with the user account (master account) held in the accounts forest.
• View or change mailbox properties, and perform Exchange tasks, on a user account from the accounts forest (master account) that has a linked mailbox in the Exchange forest.
The pages for managing the master account include all Exchange properties and
tasks that are normally available when the mailbox resides in the same forest as the
managed user account. With Exchange Resource Forest Management, Active Roles
synchronizes the Exchange properties displayed or changed on the pages for
managing the master account with the properties of the linked mailbox.
• View or change the personal or organization-related properties of the master account while having them synchronized to the respective properties of the shadow account.
When you use Active Roles to change the personal or organization-related properties
• Deprovision a master account while having Active Roles deprovision the master account’s mailbox in the Exchange forest.
When you deprovision a master account, Exchange Resource Forest Management
causes Active Roles to apply the deprovisioning policies to both the master account
and shadow account. As a result, Active Roles makes all the necessary changes to
deprovision the mailbox. You can revert these changes by undeprovisioning the
master account.
• Delegate Exchange mailbox management tasks by applying Access Templates to containers that hold master accounts.
For example, you can apply the “Exchange - Recipients Full Control” Access Template
to a container in the accounts forest, which enables the delegated administrator to
create, view or change linked mailboxes in the Exchange forest by managing master
accounts held in that container.
• Enable a master account to update the membership list of a distribution group held in the Exchange forest.
When you make a shadow account the manager or a secondary owner of a distribution group and allow the manager or secondary owners to update the membership list, Exchange Resource Forest Management ensures that the corresponding master account has sufficient rights to add or remove members of that group using Exchange clients such as Microsoft Outlook or Outlook Web App.
Exchange Resource Forest Management also enables Active Roles to provide all these administrative capabilities for linked mailboxes created by Active Roles with an earlier version of Exchange Resource Forest Management or without Exchange Resource Forest Management, or created by tools other than Active Roles. Exchange Resource Forest Management schedules Active Roles to search the managed domains for linked mailboxes whose master account:
• Is in the scope of the Exchange Resource Forest Management policy for mailbox management
• Does not have a reference to the shadow account expected by Exchange Resource Forest Management
For each master account that meets these conditions, Active Roles updates the master
account with a reference to the shadow account, thereby extending the capabilities of
Exchange Resource Forest Management to that master account and its linked mailbox. As a
result, the linked mailbox falls under the control of Exchange Resource Forest
Management.
Policy settings
The topics in this section cover the mailbox management policy settings.
Synchronized properties
The policy defines a list of properties to copy from the master account to the shadow
account. These properties are referred to as synchronized properties. When you use Active
Roles to set or change a synchronized property of a master account, the policy causes
Active Roles to set or change the value of that property on both the master account and
shadow account.
In addition, Exchange Resource Forest Management provides a scheduled task that copies
synchronized properties from every managed master account to the corresponding shadow
account. The task runs on a scheduled basis to ensure that each of the synchronized
properties of the shadow account has the same value as the corresponding property of the
master account. If a synchronized property of the shadow account has changed for
whatever reason, Active Roles changes that property back to the value found on the master
account. For further details, see Scheduled Task later in this document.
The following table provides the default list of synchronized properties. You can configure
the policy to synchronize additional properties or remove individual properties from
synchronization.
c (Country Abbreviation)
co (Country)
company (Company)
countryCode (Country-Code)
department (Department)
displayName (Display Name)
givenName (First Name)
homePhone (Home Phone)
initials (Initials)
l (City)
mobile (Mobile Number)
otherTelephone (Phone Number (Others))
physicalDeliveryOfficeName (Office Location)
postalCode (ZIP/Postal Code)
postOfficeBox (Post Office Box)
sAMAccountName (Logon Name (pre-Windows 2000))
sn (Last Name)
st (State/Province)
streetAddress (Street Address)
telephoneNumber (Telephone Number)
title (Job Title)
url (Web Page Address (Others))
Substituted properties
The policy defines a list of properties that appear on the master account but reflect the
properties of the linked mailbox or shadow account. These properties are referred to as
substituted properties. When you use Active Roles to view properties of a master account,
the policy causes Active Roles to retrieve the values of the master account’s substituted
properties from the shadow account. When you use Active Roles to set or change a
substituted property of a master account, the policy causes Active Roles to set or change
the value of that property on the shadow account.
The policy adds all the Exchange recipient properties to the default list of substituted
properties, which causes Active Roles to operate as if master accounts have those
properties although the accounts forest does not have Exchange Server installed (and,
therefore, does not have the Active Directory schema extended with Exchange recipient
properties).
The policy does not allow you to narrow down the list of substituted properties. However,
you can specify your custom list of substituted properties in addition to the default list. If
you do so, the resulting list of substituted properties includes all properties from both the
default list and your custom list.
adminDisplayName
altRecipient
altRecipientBL
authOrig
authOrigBL
autoReply
autoReplyMessage
deletedItemFlags
delivContLength
deliverAndRedirect
deliveryMechanism
delivExtContTypes
displayNamePrintable
dLMemDefault
dLMemRejectPerms
edsva-MsExch-AllowRecurringMeetings
edsva-MsExch-AllRequestInPolicy
edsva-MsExch-AllRequestOutOfPolicy
edsva-MsExch-ApplyEmailAddressPolicy
edsva-MsExch-ArchiveMailboxDatabase
edsva-MsExch-ArchiveMailboxEnabled
edsva-MsExch-ArchiveMailboxName
edsva-MsExch-ArchiveMailboxQuota
edsva-MsExch-ArchiveMailboxWarningQuota
edsva-MsExch-AutoReplyExternalAudience
edsva-MsExch-AutoReplyExternalMessage
edsva-MsExch-AutoReplyInternalMessage
edsva-MsExch-AutoReplyState
edsva-MsExch-BookingWindowInDays
edsva-MsExch-BookInPolicy-DN
edsva-MsExch-ProtocolSettings-IMAP4-Enable
edsva-MsExch-ProtocolSettings-MAPI-Enable
edsva-MsExch-ProtocolSettings-OMA-Enable
edsva-MsExch-ProtocolSettings-UpToDateNotifications-Enable
edsva-MsExch-RejectMessagesFrom
edsva-MsExch-RemoveForwardedMeetingNotifications
edsva-MsExch-RemoveMoveRequest
edsva-MsExch-RemoveOldMeetingMessages
edsva-MsExch-RemovePrivateProperty
edsva-MsExch-RequestInPolicy-DN
edsva-MsExch-RequestOutOfPolicy-DN
edsva-MsExch-RequireSenderAuthentication
edsva-MsExch-ResourceCapacity
edsva-MsExch-ResourceCustomProperties
edsva-MsExch-ResourceDelegates-DN
edsva-MsExch-RetentionComment
edsva-MsExch-RetentionHoldEnabled
edsva-MsExch-RetentionPolicy-DN
edsva-MsExch-RetentionUrl
edsva-MsExch-RoleAssignmentPolicyDN
edsva-MsExch-ScheduleOnlyDuringWorkHours
edsva-MsExch-SharedMailboxUsers
edsva-MsExch-SharingPolicyDN
edsva-MsExch-StartDateForRetentionHold
edsva-MsExch-TentativePendingApproval
edsva-MsExch-UMAnonymousCallersCanLeaveMessages
edsva-MsExch-UM-DialPlanDN
edsva-MsExch-UM-ExtensionNumbers
edsva-MsExch-UM-FaxEnabled
edsva-MsExch-UM-IsEnabled
edsva-MsExch-UM-LockedOut
edsva-MsExch-UM-MailboxPolicyDN
edsva-MsExch-UM-OperatorExtensionNumber
edsva-MsExch-UM-PIN
edsva-MsExch-UM-PINResetOnFirstLogon
edsva-MsExch-UM-SIPAddress
edsvaSendAsTrustees
msExchHideFromAddressLists
msExchHomeServerName
msExchIMACL
msExchIMAddress
msExchIMAPOWAURLPrefixOverride
msExchIMMetaPhysicalURL
msExchIMPhysicalURL
msExchIMVirtualServer
msExchInconsistentState
msExchMailboxFolderSet
msExchMailboxGuid
msExchMailboxSecurityDescriptor
msExchMailboxUrl
msExchMasterAccountSid
msExchMobileMailboxPolicyLink
msExchOmaAdminExtendedSettings
edsva-MsExch-ProtocolSettings-ActiveSync-Enable
edsva-MsExch-ProtocolSettings-ActiveSync-PolicyDN
edsva-MsExch-ProtocolSettings-IMAP4-Config
extensionAttribute15
extensionAttribute2
extensionAttribute3
extensionAttribute4
extensionAttribute5
extensionAttribute6
extensionAttribute7
extensionAttribute8
extensionAttribute9
extensionData
folderPathname
formData
forwardingAddress
garbageCollPeriod
heuristics
homeMDB
homeMTA
importedFrom
internetEncoding
language
languageCode
legacyExchangeDN
mail
mailNickname
mAPIRecipient
mDBOverHardQuotaLimit
mDBOverQuotaLimit
mDBStorageQuota
mDBUseDefaults
msExchExpansionServerName
msExchFBURL
msExchTUIPassword
msExchTUISpeed
msExchTUIVolume
msExchUnmergedAttsPt
msExchUseOAB
msExchUserAccountControl
msExchVoiceMailboxID
oOFReplyToOriginator
pOPCharacterSet
pOPContentFormat
preferredDeliveryMethod
protocolSettings
proxyAddresses
publicDelegates
publicDelegatesBL
queryPolicyBL
replicatedObjectVersion
replicationSensitivity
replicationSignature
reportToOriginator
reportToOwner
securityProtocol
serverReferenceBL
showInAddressBook
submissionContLength
targetAddress
textEncodedORAddress
Back-synchronized properties
The policy defines a list of properties to copy from the shadow account to the master account. By default, the list contains a single property, E-Mail Address (mail). When the e-mail address has changed on the shadow account (which is normally the case when Exchange Server creates a linked mailbox), the policy ensures that the e-mail address is correctly set on the master account by copying the e-mail address from the shadow account.
Policy actions
The mailbox management policy causes Active Roles to perform the following actions
depending on the change request submitted to the Active Roles Administration Service.
Request: Create a new user with mailbox
Actions: Active Roles creates the new user (in the accounts forest), and then performs the following actions:
• Create a shadow account (in the Exchange forest), and populate its properties with the data found in the request
• Create a linked mailbox using that shadow account, with the new user (from the accounts forest) specified as the linked master account
• Create a reference to the shadow account on the master account
• Update the master account with the e-mail address of the linked mailbox
When creating the shadow account or mailbox, Active Roles executes all policies that are applied to the container that holds the shadow account, including the mailbox auto-provisioning policies (if any). To have an effect, mailbox auto-provisioning policies must be applied to the container that holds shadow accounts (rather than master accounts).

Request: Create a mailbox for an existing user
Actions: Active Roles retrieves the properties of the existing user (in the accounts forest), and then performs the following actions:
• Create a shadow account (in the Exchange forest), and populate its properties with the properties of the existing user
• Create a linked mailbox using that shadow account, with the existing user (from the accounts forest) specified as the linked master account
• Create a reference to the shadow account on the master account
• Update the master account with the e-mail address of the linked mailbox
When creating the shadow account or mailbox, Active Roles executes all policies that are applied to the container that holds the shadow account, including the mailbox auto-provisioning policies (if any). To have an effect, mailbox auto-provisioning policies must be applied to the container that holds shadow accounts (rather than master accounts).

Request: Modify properties of a master account
Actions: If the change request includes any changes to substituted properties, Active Roles makes the requested changes to the substituted properties of the shadow account. Next, Active Roles makes the requested changes to the properties of the master account, and then updates the synchronized properties of the shadow account with the new property values found on the master account.

Request: Perform an Exchange task on a master account
Actions: Active Roles applies the Exchange task to the shadow account of that master account.

Request: Deprovision a master account
Actions: Active Roles deprovisions the master account, and then deprovisions the shadow account. When deprovisioning the shadow account, Active Roles executes all deprovisioning policies that are applied to the container that holds the shadow account, including the mailbox deprovisioning policies. To have an effect, mailbox deprovisioning policies must be applied to the container that holds shadow accounts (rather than master accounts).

Request: Undeprovision a deprovisioned master account
Actions: Active Roles undeprovisions the master account and then undeprovisions the shadow account. Once the shadow account has been undeprovisioned, the master account’s mailbox reverts to the state it was in before the master account was deprovisioned.
For undeprovisioning master accounts to have an effect on shadow accounts, the container that holds deprovisioned master accounts must be in the scope of the Built-in Policy - ERFM - Mailbox Management Policy Object (or a copy of that Policy Object).

Request: Delete a master account
Actions: Active Roles deletes the master account, and then performs the “Disable mailbox” task on the shadow account.
Scheduled Task
Exchange Resource Forest Management includes an Active Roles scheduled task that
complements the mailbox management policy to enforce synchronization of master and
shadow account properties, and to capture existing linked mailboxes whose master account
is put under the control of that policy. The scheduled task object is in the
Configuration/Server Configuration/Scheduled Tasks/Builtin container. The name
of the object is ERFM - Mailbox Management. The task is scheduled to run on a daily
basis. Normally, you do not need to modify that scheduled task.
The operation of the task affects only the user accounts that are in the scope of the Built-
in Policy - ERFM - Mailbox Management Policy Object (or a copy of that Policy
Object). When run, the task performs the following actions on each of those user accounts:
• If the user account does not have a linked mailbox, then skip over that user account.
• If the user account has a linked mailbox but does not store a reference to the shadow account of that mailbox, then create the reference to the shadow account on that user account.
This action enables Exchange Resource Forest Management to administer existing linked mailboxes, possibly created using an earlier version of Exchange Resource Forest Management or without the use of Exchange Resource Forest Management. This action ensures that the shadow account properties are updated with the latest changes to the master account properties and vice versa.
• If the shadow account is the manager (or a secondary owner) who can update the membership list of a particular group, then the task checks that group to see if the master account can update the membership list as well, and, if necessary, gives the master account the right to update the membership list.
This action synchronizes the group manager rights of the master account with the group manager rights of the shadow account, thereby enabling the mailbox logon account (which is the master account) to add or remove members of distribution lists by using Outlook or Outlook Web App.
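As an added illustration (not Active Roles code), the following Python model plays through the policy actions listed under Policy actions and the per-account checks of the scheduled task: substituted properties are routed to the shadow account, synchronized properties are pushed from master to shadow, mail is back-synchronized, and the task adopts a linked mailbox that lacks a reference and resets drifted synchronized values. It assumes a small subset of the default synchronized list, a numeric suffix for name conflicts, and a constructed example.com address; the product derives these from its policy settings and from Exchange address policies.

```python
"""Toy model of the ERFM mailbox management policy and its scheduled task.

Constructed for illustration only: it is not Active Roles code and uses
in-memory dicts in place of the accounts forest and the Exchange forest."""
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: a subset of the guide's default synchronized list (master -> shadow).
SYNCHRONIZED = {"givenName", "sn", "displayName", "department", "title", "company"}
BACK_SYNCHRONIZED = {"mail"}          # the default shadow -> master list
REFERENCE_ATTR = "adminDescription"   # master attribute that stores the shadow GUID


def is_substituted(attr: str) -> bool:
    """Substituted properties are read from and written to the shadow account only.
    The default list covers every Exchange recipient property; only a few are spelled out here."""
    return attr.startswith(("msExch", "edsva-MsExch")) or attr in {"mail", "mailNickname", "proxyAddresses"}


@dataclass
class Account:
    name: str
    attrs: Dict[str, object] = field(default_factory=dict)
    guid: str = field(default_factory=lambda: uuid.uuid4().hex)
    linked_master: Optional[str] = None   # on a shadow: GUID of its master (stands in for msExchMasterAccountSid)


def unique_name(base: str, forest: Dict[str, Account]) -> str:
    """Assumption: on a name conflict append a number; the guide only promises a unique name."""
    name, n = base, 1
    while name in forest:
        n += 1
        name = f"{base}{n}"
    return name


def find_shadow(master: Account, exchange: Dict[str, Account]) -> Optional[Account]:
    """Resolve the shadow account through the reference stored on the master."""
    ref = master.attrs.get(REFERENCE_ATTR)
    return next((a for a in exchange.values() if a.guid == ref), None)


def back_sync(shadow: Account, master: Account) -> None:
    """Replicate back-synchronized properties from the shadow to the master."""
    for k in BACK_SYNCHRONIZED:
        if k in shadow.attrs:
            master.attrs[k] = shadow.attrs[k]


def create_mailbox(master: Account, exchange: Dict[str, Account], domain: str = "example.com") -> Account:
    """AutoProvision: create the shadow account and linked mailbox, then link both sides."""
    shadow = Account(unique_name(master.name, exchange), linked_master=master.guid)
    shadow.attrs.update({k: v for k, v in master.attrs.items() if k in SYNCHRONIZED})
    # Constructed stand-in for the address Exchange assigns when it creates the linked mailbox.
    shadow.attrs["mail"] = f"{master.name}@{domain}"
    exchange[shadow.name] = shadow
    master.attrs[REFERENCE_ATTR] = shadow.guid   # reference to the shadow account
    back_sync(shadow, master)                    # master picks up the mailbox's e-mail address
    return shadow


def modify_master(master: Account, changes: Dict[str, object], exchange: Dict[str, Account]) -> None:
    """Policy action for 'Modify properties of a master account'."""
    shadow = find_shadow(master, exchange)
    for k, v in changes.items():
        if shadow is not None and is_substituted(k):
            shadow.attrs[k] = v       # substituted: written to the shadow only
        else:
            master.attrs[k] = v       # everything else lands on the master
    if shadow is not None:
        for k in SYNCHRONIZED.intersection(master.attrs):
            shadow.attrs[k] = master.attrs[k]   # synchronized values are then pushed to the shadow
        back_sync(shadow, master)               # a changed mail address on the shadow flows back


def read_master(master: Account, attr: str, exchange: Dict[str, Account]):
    """Reads of substituted properties are answered from the shadow account."""
    shadow = find_shadow(master, exchange)
    if shadow is not None and is_substituted(attr):
        return shadow.attrs.get(attr)
    return master.attrs.get(attr)


def scheduled_task(accounts: Dict[str, Account], exchange: Dict[str, Account]) -> List[Tuple[str, str, str]]:
    """ERFM - Mailbox Management: adopt unreferenced linked mailboxes and re-enforce synchronization."""
    actions: List[Tuple[str, str, str]] = []
    for master in accounts.values():
        shadow = next((s for s in exchange.values() if s.linked_master == master.guid), None)
        if shadow is None:
            continue                                     # no linked mailbox: skip this account
        if master.attrs.get(REFERENCE_ATTR) != shadow.guid:
            master.attrs[REFERENCE_ATTR] = shadow.guid   # capture a pre-existing linked mailbox
            actions.append(("reference", master.name, shadow.name))
        for k in SYNCHRONIZED.intersection(master.attrs):
            if shadow.attrs.get(k) != master.attrs[k]:
                shadow.attrs[k] = master.attrs[k]        # drift on the shadow is reset to the master's value
                actions.append(("resync", shadow.name, k))
    return actions


if __name__ == "__main__":
    accounts: Dict[str, Account] = {}
    exchange: Dict[str, Account] = {"jdoe": Account("jdoe")}   # unrelated account forcing a name conflict
    jdoe = accounts.setdefault("jdoe", Account("jdoe", {"givenName": "John", "sn": "Doe"}))
    shadow = create_mailbox(jdoe, exchange)
    modify_master(jdoe, {"sn": "Smith", "msExchHideFromAddressLists": True}, exchange)
    shadow.attrs["sn"] = "tampered"                               # drift that the task repairs
    print(shadow.name, read_master(jdoe, "msExchHideFromAddressLists", exchange), scheduled_task(accounts, exchange))
```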
• Prerequisite conditions
• Applying the Policy Object
• Upgrade from an earlier version
Prerequisite conditions
This section summarizes the prerequisite conditions that must be met before you deploy
Exchange Resource Forest Management.
• Administration Service
• Web Interface
• Active Roles console
You can install these components on member servers in an accounts forest or in the
Exchange forest. For installation instructions, see the Active Roles Quick Start Guide.
• In the Exchange forest, a domain that holds computers running the Mailbox server role
• In each accounts forest, the domains that hold the users you want to administer with Active Roles
When registering a domain, you are prompted to choose which account you want the
Administration Service to use to access the domain. You can either specify a so-called
override account or let the Administration Service use its service account. With either
option, the account must have sufficient rights in the domain you are registering. At a
minimum, the account must have the following rights:
• Member of the Account Operators domain security group
• In case of Exchange 2010 or 2013, member of the Recipient Management role group in the Exchange forest (see “Access to Exchange Server/Exchange 2010” or “Access to Exchange Server/Exchange 2013” in the Active Roles Quick Start Guide), and enabled for remote Exchange Management Shell (see “Support for remote Exchange Management Shell” in the Active Roles Quick Start Guide)
• In the Exchange forest, read access to Exchange configuration data (see “Permission to read Exchange configuration data” in the Active Roles Quick Start Guide).
Out of the box, the Policy Object has all policy settings configured. You can use the Active
Roles console to view or change policy settings as needed.
For detailed description of the policy settings, see Policy settings earlier in this document.
1. Inspect your current configuration of Quick Connect for Exchange Resource Forests,
and note down the existing policy settings such as:
• The container for new shadow accounts, identified by the Default Mailbox OU policy parameter.
• The default description for new shadow accounts, identified by the Shadow account description policy parameter.
• The attribute to store a reference to shadow account, identified by the Attribute to store back link policy parameter.
• The list of synchronized properties, identified by the Synchronized Attributes List policy parameter.
• The custom list of substituted properties (if any), identified by the Substituted Attributes List policy parameter.
• The list of back-synchronized properties, identified by the Back-synchronized attributes list policy parameter.
For instructions on how to access policy parameters, see the “Set Up and Apply the
Policy Objects” topic in the Quick Connect for Exchange Resource Forests
Administrator Guide.
2. Uninstall the earlier version of the ERFM add-on from the system.
NOTE: If ERFM (Exchange Resource Forest Management) is installed on the Active Roles 6.x version, it must be uninstalled before installing Active Roles 7.3, as ERFM is now part of the product. Failure to uninstall ERFM may result in conflicts and issues.
3. Upgrade to Active Roles version 7.3. For upgrade instructions, see the Active Roles
7.3 Quick Start Guide.
4. Adjust the policy settings in the Exchange Resource Forest Management Policy Object
to match the settings you noted down in Step 1, and then link that Policy Object to the
containers that hold the master accounts you managed using Quick Connect for
Exchange Resource Forests. For instructions on how to configure and link that Policy
Object, see Applying the Policy Object earlier in this document.
After you have performed these steps, Exchange Resource Forest Management recognizes
the existing master accounts, enabling Active Roles to manage their linked mailboxes in
the same way as when using Quick Connect for Exchange Resource Forests.
To expedite the recognition of the existing master accounts, you might execute the
Exchange Resource Forest Management scheduled task without waiting for its scheduled
run: In the Active Roles console, navigate to the Configuration/Server
Configuration/Scheduled Tasks/Builtin container, right-click the task ERFM -
Mailbox Management in that container, point to All Tasks, and then click Execute.
Examples of Use
• Configuration
• Mailbox creation
• Account modification
• Account deprovisioning
• Membership management delegation
• Mailbox type conversion
Configuration
The examples in this chapter assume the following configuration of Exchange Resource
Forest Management:
• Accounts is the name of an organizational unit in a managed domain of an accounts forest.
• Mailboxes is the name of an organizational unit in a managed domain of the Exchange forest.
• The Built-in Policy - ERFM - Mailbox Management Policy Object is linked to the Accounts OU.
• In the policy settings, the Mailboxes OU is selected as the container for new shadow accounts. Other policy settings are not modified, so they have the default values.
In other words, the Accounts OU holds user accounts that are under the control of
Exchange Resource Forest Management; the Mailboxes OU is intended to hold new
shadow user accounts. Once a user account in the Accounts OU is mailbox-enabled, a
shadow account along with a linked mailbox is created in the Mailboxes OU and
associated with the user account from the Accounts OU, to provide access to the mailbox.
Under these assumptions, the following examples are considered:
• Creating a user account in the Accounts OU, with the option to create a mailbox for that user
• Creating a mailbox for an existing account from the Accounts OU
Mailbox creation
This section demonstrates how Exchange Resource Forest Management automates creation
of mailboxes in the Exchange forest for user accounts held in an accounts forest. The
following examples are considered:
• Creating a new user account with a mailbox
• Creating a mailbox for an existing user account
1. In the Web Interface, select the Accounts OU, and then choose the New
User command.
2. Fill in the fields on the pages for creating a user account.
3. Select the Create an Exchange mailbox check box, modify the alias if necessary,
and click Browse to select the appropriate mailbox database.
4. Complete the pages for creating the user account.
As a result, a new shadow account with a linked mailbox is created in the Mailboxes OU.
The user account you have created in the Accounts OU is specified as the linked master
account for that mailbox.
1. In the Web Interface, select the user account in the Accounts OU, and then choose
the Create User Mailbox command.
2. On the Mailbox Settings page, modify the alias if necessary, and click Browse to
select the appropriate mailbox database.
3. Click Finish.
As a result, a new shadow account with a linked mailbox is created in the Mailboxes OU.
The user account you selected in the Accounts OU is specified as the linked master
account for that mailbox.
Account modification
This section demonstrates how Exchange Resource Forest Management handles the
changes you make to a master account. Making changes to certain properties results in
updating data in both the master account and shadow account, whereas modification of
some other properties only updates data in the shadow account. Therefore, two examples
are considered:
• Making changes to synchronized properties
• Making changes to substituted properties
1. In the Web Interface, select a mailbox-enabled user account held in the Accounts
OU, and then choose the General Properties command.
2. On the General tab, make changes to the First name or Last name field.
3. Go to the Organization tab and make changes to the Title, Department, or
Company field.
4. Click Save to apply your changes.
5. Locate the shadow account in the Mailboxes OU—the name of the shadow account is
identical to the name of the master account you have modified in the Accounts OU.
6. Choose the Properties command for the shadow account.
7. Examine data on the General and Organization tabs to verify that the changes you
have made to the master account are also applied to the shadow account.
You can review the updates to the account properties by using the Change History
command on the master account and on the shadow account—the Change History results
provide information on which properties were updated, what changes were made to the
properties, who performed the update, and when.
1. In the Web Interface, select a mailbox-enabled user account held in the Accounts
OU, and then choose the Exchange Properties command.
2. View or change the settings on the following tabs:
• General
• E-mail Addresses
Once you have completed these steps, your changes are applied to the shadow account
associated with the master account you were administering. You can verify this by using
the Change History command on the shadow account. The Change History results
indicate that the changes were actually made to the properties of the shadow account, in
the Mailboxes OU.
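The master/shadow synchronization described in this section can be audited outside the Web Interface. The following script is an added example, not code from the One Identity guide: it lists every linked mailbox in the Exchange forest, resolves its master account from LinkedMasterAccount, and reports any drift in the synchronized properties (First name, Last name, Title, Department, Company) between the two accounts. It assumes an Exchange Management Shell with the ActiveDirectory module, and that the accounts forest domain is reachable by the NetBIOS name stored in LinkedMasterAccount (for example ACCOUNTS\jsmith, a constructed value).

```powershell
# Added example (not from the One Identity guide): compare the synchronized
# attributes of each shadow account with its master account.
# Assumptions: Exchange Management Shell; ActiveDirectory module installed;
# the accounts forest is resolvable by the NetBIOS name in LinkedMasterAccount.
Import-Module ActiveDirectory

# Properties the guide describes as synchronized from master to shadow account.
$syncedAttrs = 'GivenName', 'Surname', 'Title', 'Department', 'Company'

function Test-ShadowAccountSync {
    param(
        [Parameter(Mandatory)] $Mailbox   # one Get-Mailbox result of type LinkedMailbox
    )
    # Shadow account: the user object in the Exchange forest that owns the mailbox.
    $shadow = Get-ADUser -Identity $Mailbox.DistinguishedName -Properties ($syncedAttrs + 'Enabled')

    # Master account: "DOMAIN\sAMAccountName" from the accounts forest.
    $domain, $sam = $Mailbox.LinkedMasterAccount -split '\\', 2
    $master = Get-ADUser -Server $domain -Identity $sam -Properties $syncedAttrs

    # Collect every synchronized attribute whose value differs between the two accounts.
    $drift = foreach ($a in $syncedAttrs) {
        if ($shadow.$a -ne $master.$a) {
            [pscustomobject]@{ Attribute = $a; Master = $master.$a; Shadow = $shadow.$a }
        }
    }
    [pscustomobject]@{
        Mailbox       = $Mailbox.Alias
        MasterAccount = $Mailbox.LinkedMasterAccount
        ShadowEnabled = $shadow.Enabled   # a shadow account is expected to be disabled
        Drift         = $drift
    }
}

# Report only mailboxes whose shadow account is enabled or out of sync with its master.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails LinkedMailbox |
    Where-Object { $_.LinkedMasterAccount -and $_.LinkedMasterAccount -notlike 'NT AUTHORITY\*' } |
    ForEach-Object { Test-ShadowAccountSync -Mailbox $_ } |
    Where-Object { $_.Drift -or $_.ShadowEnabled } |
    Format-List
```

Substituted properties (those on the Exchange Properties page) live only on the shadow account, so they are deliberately not compared here.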
Account deprovisioning
When you use Active Roles to deprovision a master account, Exchange Resource Forest
Management causes Active Roles to deprovision the shadow accounts as well. In this way,
Active Roles deprovisions the master account’s mailbox. You can verify this behavior by
using the Active Roles Web Interface.
• In the Web Interface, select a mailbox-enabled user account held in the Accounts
OU, and then choose the Deprovision command.
Once you have completed these steps, the Deprovision command is performed not only
on the master account but also on the shadow account. You can verify this by using the
Deprovisioning Results command on the shadow account in the Mailboxes OU.
• Exchange Resource Forest Management configured as described in the Configuration
section earlier in this document.
• A mailbox-enabled user account named John Smith created by Active Roles in the
Accounts OU, so the shadow account for that user account exists in the
Mailboxes OU.
• For the user account John Smith, on a computer in the accounts forest, Microsoft
Outlook configured to connect to the mailbox of that user account.
• A mail-enabled group named DL, representing a certain distribution list, created in
the Mailboxes OU.
1. In the Active Roles Web Interface for Administrators, open the Exchange
Properties page for the user account John Smith:
• Locate and select the Accounts OU.
• Select the user account John Smith in the list of objects held in that OU.
• Click the Exchange Properties command.
2. On the Exchange Properties page, go to the Shadow Account tab, and click the
Properties button on that tab.
This opens the General Properties page for the shadow account.
This opens the Select Object dialog box allowing you to specify the manager
account.
Although you have specified the shadow account as the manager of the group, Active Roles
updates security settings on the group so that the master account is authorized to add or
remove members from the group by using conventional tools such as Microsoft Outlook.
If you clear the Manager can update membership list check box, or change the
manager of the group, Active Roles updates the security settings to revoke the former
manager’s right to modify the membership list of the group.
After you have specified the shadow account as the manager of the DL group with the
Manager can update membership list option, force Active Roles to give the manager
rights to the master account by executing the scheduled task ERFM - Mailbox
Management held in the Configuration/Server Configuration/Scheduled
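The right that Active Roles grants to the master account when Manager can update membership list is set is an Allow ACE for write access to the group's member attribute. The following script is an added example, not code from the One Identity guide, that checks a group's security descriptor for that ACE, so you can confirm the grant exists for the master account (and that it was revoked after a manager change). It assumes the ActiveDirectory module, the AD: drive it provides, and that the master account name (ACCOUNTS\jsmith is a constructed placeholder) can be translated to a SID from the Exchange forest through the trust.

```powershell
# Added example (not from the One Identity guide): verify that the master account
# holds write access to the "member" attribute of a group whose manager is the
# shadow account.
# Assumptions: ActiveDirectory module; AD: drive; cross-forest name translation works.
Import-Module ActiveDirectory

# schemaIDGUID of the "member" attribute (well-known constant).
$memberAttrGuid = [guid]'bf9679c0-0de6-11d1-a285-00aa003049e2'

function Test-GroupManagerWriteMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,   # e.g. 'DL'
        [Parameter(Mandatory)] [string] $MasterAccount    # e.g. 'ACCOUNTS\jsmith' (constructed)
    )
    $group = Get-ADGroup -Identity $GroupIdentity -Properties managedBy
    $acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"
    $masterSid = (New-Object System.Security.Principal.NTAccount($MasterAccount)).
        Translate([System.Security.Principal.SecurityIdentifier])

    # An Allow ACE granting WriteProperty either on the member attribute specifically
    # or on all properties (empty ObjectType, e.g. GenericAll) to the master account.
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq $memberAttrGuid -or $_.ObjectType -eq [guid]::Empty) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $masterSid
    }
    [pscustomobject]@{
        Group            = $group.Name
        ManagedBy        = $group.managedBy   # expected: DN of the shadow account
        MasterAccount    = $MasterAccount
        CanUpdateMembers = [bool]$ace
    }
}

Test-GroupManagerWriteMembers -GroupIdentity 'DL' -MasterAccount 'ACCOUNTS\jsmith'
```

Run the check again after clearing Manager can update membership list or changing the manager; CanUpdateMembers should then report False for the former master account.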
• Converting a linked mailbox to a user mailbox
• Converting a user mailbox to a linked mailbox
1. Open the Active Roles Web Interface for Administrators, and select the mailbox user
account in the Exchange forest (shadow account).
2. Click the Convert to User Mailbox command.
3. Click OK in the confirmation message box that appears.
After mailbox conversion, the mailbox user account remains disabled. To enable the user
account, set the user password by using the Reset Password command, and then click
the Enable Account command.
• The mailbox type changes to the linked mailbox type.
• The user from the accounts forest becomes the master account for the mailbox.
• The user associated with the mailbox in the Exchange forest becomes the
shadow account.
The domain of the user from the accounts forest must be registered with Active Roles
(managed domain).
1. Open the Active Roles Web Interface for Administrators, and select the user mailbox
in the Exchange forest.
2. Click the Convert to Linked Mailbox command.
3. Click Change under the Linked master account field, and select the user from an
accounts forest.
4. Click Finish.
As a result of these steps, the master account is assigned to the mailbox and the mailbox
user in the Exchange forest becomes the shadow account, linked with the master account.
If the master account is in the scope of the Exchange Resource Forest Management policy,
the properties of the master account and shadow account are synchronized in the same
way as when you configure a mailbox-enabled user in an accounts forest by using the
Exchange Resource Forest Management solution.
About us
Contacting us
For sales or other inquiries, visit https://www.oneidentity.com/company/contact-us.aspx
or call +1-800-306-9329.
• Submit and manage a Service Request
• View Knowledge Base articles
• Sign up for product notifications
• Download software and technical documentation
• View how-to videos
• Engage in community discussions
• Chat with support engineers online
• View services to assist you with your product