MCITP Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide, part 9


Email Compliance

concern in the private sector include Sarbanes-Oxley, SEC Rules 17a-3 and 17a-4 (which
require broker-dealers to create and retain certain records), Gramm-Leach-Bliley, and the
Health Insurance Portability and Accountability Act (HIPAA). The public sector is subject
to the Freedom of Information Act and the Federal Information Security Management Act
(FISMA), among others. For public- and private-sector organizations, protection of privacy
information is a primary concern, as well.

Internal. Internal compliance is a means of risk mitigation for an organization; examples
of risks to be mitigated include corporate liability (criminal or civil), financial loss, privacy
breaches, disclosure of intellectual assets, discrimination/harassment, or breach of
client/attorney privilege.
By all estimates, the total cost of compliance is steep—a $25 billion price tag in 2005 for
the securities industry, according to the Securities Industry Association (SIA)—but the
penalties for noncompliance can be much steeper, including stock exchange de-listing,
multimillion-dollar fines, and even prison terms. By some estimates, up to 90 percent of the
compliance costs are staff-related. The functionality introduced in Exchange Server 2007
reduces the complexity and lowers the effort required for compliance to meet the needs of
many organizations of all sizes.
As defined by Microsoft, the primary capabilities required by an email compliance solution
are as follows:

Message retention. Also defined as the email life cycle (ELC), this includes not only
functionality to automatically retain email for specified time periods based on specified
criteria, but the ability to search for and retrieve retained email when required. This capability
is particularly important for legal discovery and public-sector access to information
requests, as the penalties for noncompliance can be extremely steep. It does no good if the
records have been retained but can’t be located when required.

Controlled access. Not only must organizations retain specified email as required for
compliance purposes, but they also must protect private information and keep data secure
from unauthorized access. Organizations need to be able to protect data from unauthorized
access or inadvertent disclosure, both in transit and at rest.

Information and process integrity. This capability can include classifying email based on
content and processing email according to its classification. It also may include automatically
copying compliance personnel on relevant email, as well as creating “ethical firewalls”
to prevent conflict-of-interest scenarios, such as communication between stock
brokers and market-research personnel in a financial institution.

Corporate email policy is the most important component of any email compliance
implementation. This component is not a technical document, but a business policy; it should
include compliance measures created by your compliance or risk officers based on the relevant
laws and regulations for your industry. The email policy also should address areas of risk and
potential liability, particularly in the areas outlined at the beginning of this section.

81461.book Page 671 Wednesday, December 12, 2007 4:49 PM

Chapter 16


Planning Exchange Server 2007 Compliance

Messaging Records Management

Exchange Server 2007 introduces messaging records management (MRM). This feature
provides the message-retention capability defined in the previous section of this chapter, giving
users and the organization the ability to retain or remove messages as required for company
policy compliance, government regulations, or legal needs. When the retention limit for an
email is reached, it can be deleted or archived, an event can be logged, or the message can be
flagged for user attention. MRM also can be combined with message classification and
transport rules to provide a comprehensive email compliance solution.
Messaging records management is composed of the following components:


Managed folders (default and custom)


Managed content settings


Managed folder mailbox policies


Managed Folder Assistant

Implementing Compliance Technologies


Organizations implement some technologies to enforce policy and impose certain behavior
on end users. For example, your organization may wish to enforce retention periods or delete
or restrict messages based on content. The technologies discussed in this chapter can fall into
this category, especially messaging records management.
The introduction of a feature set, such as messaging records management or message
classification, may not always be well received by users, who may see it as an intrusion or an
obstacle to doing their job. In many cases, this resistance is the result of an unclear or
nonexistent email policy, insufficient communication to end users regarding the purpose of the
new features, lack of upper-management sponsorship, or all of those elements. If you design
and present your messaging records management deployment as an aid to the organization
rather than as an obstacle to be overcome, then you are much more likely to achieve a
successful implementation that meets the needs of the organization.
If you don’t have a clearly defined corporate email policy endorsed by the upper management
of your organization, you’re essentially implementing the compliance solutions discussed
here by flying by the seat of your pants. As a result, the implementation will likely be a failure
in the long run.
With a compliance implementation (and any other technology implementation, for that
matter), the technology needs to meet the requirements of the business; the business should not
have to adapt to the technology.


Messaging records management is managed through the Exchange Management Console
(EMC) mailbox work center, as shown in Figure 16.1.

FIGURE 16.1 Messaging records management through EMC

The following cmdlets are available for configuring and managing MRM through the
Exchange Management Shell (EMS):


Get-ManagedContentSettings
Get-ManagedFolder
Get-ManagedFolderMailboxPolicy
New-ManagedContentSettings
New-ManagedFolder
New-ManagedFolderMailboxPolicy
Remove-ManagedContentSettings
Remove-ManagedFolder
Remove-ManagedFolderMailboxPolicy
Set-ManagedContentSettings
Set-ManagedFolder
Set-Mailbox
Set-MailboxServer
Set-ManagedFolderMailboxPolicy
Start-ManagedFolderAssistant
Stop-ManagedFolderAssistant

MRM Requirements

To apply a managed folder mailbox policy to a mailbox, that mailbox must reside on an Exchange
Server 2007 computer. Mailboxes that have a managed folder mailbox policy applied to them can
be accessed via Exchange Server 2007 Outlook Web Access, Outlook 2007, and Outlook 2003
SP2. Outlook 2003 SP2 clients can access the mailbox but will not have access to all the features
that are available to Outlook 2007 clients. For example, Outlook 2003 SP2 clients do not see the
managed-folder comments as configured in the EMC or EMS.

Accessing mailboxes that have managed folder mailbox policies assigned to
them with clients running versions of Outlook older than Outlook 2003 SP2 is
not supported.

Planning MRM

Once a corporate email policy is defined, your MRM deployment can be planned, using the
policy as a framework. The steps to deploy MRM are as follows:

1. Create managed folders
2. Create managed content settings
3. Define managed folder mailbox policies
4. Apply managed folder mailbox policies
5. Configure the Managed Folder Assistant

Managed Folders

Managed folders are default and custom folders within mailboxes that have MRM enabled.
Managed folders are created, then managed content settings are applied to them as required to
satisfy corporate email policy. For example, if the corporate email policy states that messages
pertaining to client projects are retained for two years and messages containing data covered
by a piece of legislation named the Privacy Act are retained for 90 days, you would create
managed custom folders for this purpose.
Managed folders are the most visible portion of messaging records management to end
users. They can’t be moved, deleted, or renamed by end users, and all managed custom folders
appear in the user’s mailbox under a top-level folder named Managed Folders. The managed
folders folder also can’t be moved, deleted, or renamed by end users or administrators.


Managed Default Folders

Managed default folders are folders created in a user’s mailbox by default with or without
MRM implemented. These folders include the Inbox, Sent Items, and Deleted Items folders,
among others. A complete list of the default folders in a standard Exchange Server 2007
installation is shown in Figure 16.2.

FIGURE 16.2 Managed default folders

You can create new managed default folders for use in MRM to apply unique settings to
certain groups of users. For example, you might want to create a new managed default folder
of Inbox type named One-Year Retention with a retention period of one year. The One-Year
Retention default folder could then be assigned to users who need those settings rather than
the settings assigned to the standard Inbox folder.

New instances of managed default folders always display with the standard
default name. For instance, in the example outlined earlier, users with the
One-Year Retention folder assigned to them would see the folder in their
mailbox as Inbox (as the folder is of the Inbox type) rather than the One-Year
Retention name assigned to it on creation.

Only one managed default folder of any type (Inbox, for example) can be
assigned to a mailbox. This is because you can’t assign more than one managed
default folder of any folder type in any one managed folder mailbox policy, and
you can assign only one managed folder mailbox policy per mailbox.



Managed Custom Folders

Managed custom folders are created for the express purpose of MRM and appear in a
mailbox’s folder list separately from default folders, under a special default folder named
Managed Folders. They are created through the Exchange Management Console or the Exchange
Management Shell and assigned to users or groups of users. These folders are displayed in
Outlook 2007 with a special folder icon, as shown in Figure 16.3. The managed folders are
displayed similarly in Exchange Server 2007 Outlook Web Access.

FIGURE 16.3 Managed custom folders in Outlook 2007

Using Managed Folders

With managed folders, as with many other end-user-facing features, less is generally better.
Keeping the number of managed folders to a minimum will make your end users happier and
simplify ongoing management of your Exchange Server 2007 system. If users have an
overwhelming number of managed folders in their mailboxes, they will find them difficult to use
and will be more likely to try to find ways to work around them.

However, you need to remember that your users are professionals just like you; they simply
have different areas of expertise. Their goal, just like yours, is to do their job; your goal needs
to be to design an MRM implementation that allows your end users to do their jobs. They are
your customers, after all.

A good approach to take is to determine which managed folders can be used by your entire
organization, using your corporate email policy as a guide and keeping this number to an
absolute minimum. Then, using these folders as a baseline, design additional folders as
required to meet the needs of specific departments or sections in your organization.
And, at all times, you need to keep it lean and mean; just because you can create hundreds
of managed folders doesn’t mean you should.

Creating Managed Folders

Exercise 16.1 outlines the steps required to create a managed custom folder for a project
named Project 237 using the Exchange Management Console and a second managed custom
folder for Privacy Act data using the Exchange Management Shell.

EXERCISE 16.1

Creating Managed Custom Folders

Managed custom folders can be created using either the Exchange Management Console GUI
or with PowerShell via the Exchange Management Shell. Let’s walk through the steps to create
folders using both methods.

Using the Exchange Management Console

In this section of the exercise, we will create a managed custom folder using the Exchange
Management Console.

1. Select Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange
Management Console. Within the Exchange Management Console, expand the Organization
Configuration work center, select the Mailbox subnode, and then select the Managed
Custom Folders tab in the result pane, as shown here.
2. In the action pane for the Managed Custom Folders tab, select New Managed Custom
Folder to start the New Managed Custom Folder wizard.
3. In the New Managed Custom Folder wizard shown below, enter Project 237 in the Name
field. (Note that the display name for Outlook is set to the same value as the Name field
by default; these can be configured differently if required.) In the comment field, enter
Email content related to Project 237; to be retained for two years. Then click New.
4. On the Completion screen of the New Managed Custom Folder wizard, confirm that the
command completed successfully, and click Finish.
5. Back in the Exchange Management Console result pane, verify that the newly created
Project 237 folder is listed on the Managed Custom Folders tab as shown here.

Using the Exchange Management Shell

Now we will create a second managed custom folder, this time using PowerShell.
1. Select Start > All Programs > Microsoft Exchange Server 2007, and then click on
Exchange Management Shell. In the Exchange Management Shell, enter the following
cmdlet and press Enter:
New-ManagedFolder -Name 'Privacy Act' -FolderName 'Privacy Act' -StorageQuota 'unlimited' `
    -Comment 'Email content containing data covered by the Privacy Act; to be retained for 90 days'
2. Verify the output of the cmdlet as shown here.
The newly created folder also can be seen in the Exchange Management Console GUI (you
may have to refresh the view by pressing F5).

Managed Content Settings

Managed content settings are applied to managed folders to control the life cycle of items in
users’ mailboxes by controlling retention, applying actions to content no longer needed, and
journaling relevant content to a storage location outside the mailbox.
Managed content settings can be defined for either existing default folders or newly
created managed folders. Retention settings as well as journaling parameters are defined; all
settings are defined per managed folder. Retention settings include the length of retention
(in days), the definition of when retention starts, and the action to be taken at the end of
retention.
The following settings are available for defining when the retention period starts:

When delivered, end date for calendar, and recurring tasks
When item is moved to the folder

In addition, the following actions can be performed at the end of the retention period:

Move to the Deleted Items folder
Move to a managed custom folder
Delete and allow recovery
Permanently delete
Mark as past retention limit

Creating Managed Content Settings
Now that we’ve created some managed custom folders, we can configure content settings for
these folders. Content settings define the retention policies for the folder and the actions to be
taken at the end of the retention period.
As with all other features of Exchange Server 2007, the Exchange Management Console
GUI is derived from and is a subset of PowerShell as provided in the Exchange Management
Shell. This means that, although most functions can be performed through the
management console, you will almost certainly find it necessary to learn the PowerShell
cmdlets that are being invoked. Doing so will enable you to leverage PowerShell to script
and automate management tasks, which in many cases is the only practical approach in
a typically complex enterprise environment (which is why this book shows you how to
perform each task with both the management console and the equivalent PowerShell
cmdlets).
We are going to focus on defining managed content settings for custom folders here. The
methodology for creating content settings for default folders is essentially identical.
Exercise 16.2 outlines the steps to create managed content settings for the managed folders
created in Exercise 16.1. We will create the content settings for the Project 237 folder using the
GUI and for the Privacy Act folder using a PowerShell cmdlet.
EXERCISE 16.2
Creating Managed Content Settings
As with managed folders, the managed content settings can be configured with either the
Exchange Management Console or the Exchange Management Shell. In this exercise, we will
walk through the steps involved in both methods.

Using the Exchange Management Console
1. Start the Exchange Management Console using Start > All Programs > Microsoft
Exchange Server 2007. Within the Exchange Management Console, expand the Organization
Configuration work center, select the Mailbox subnode, and then select the Managed
Custom Folders tab in the result pane. Highlight the Project 237 folder, then select
New Managed Content Settings.
2. On the Introduction page of the New Managed Content Settings wizard shown here, enter
Retain for 2 years as the name of the managed content settings. Select the Length of
Retention Period (Days) check box, then enter 730 in the retention field. Select When Item Is
Moved to the Folder in the Retention Period Starts pull-down, and set the action to Move to
the Deleted Items Folder. Finally, select Next to continue to the wizard’s next screen.
3. On the Journaling page of the wizard, click Next.
4. On the Configuration Summary page of the wizard, verify the configuration and click New.
5. On the Completion page, verify that the operation completed successfully and then click
Finish to exit the wizard and return to the Exchange Management Console.

Using the Exchange Management Shell

In this section we will create managed content settings for the Privacy Act folder, in this case
using Retain for 90 Days as the name and setting the retention period to 90 days.
1. Start the Exchange Management Shell from Start > All Programs > Microsoft Exchange
Server 2007. At the PowerShell prompt, enter the following cmdlet and then press Enter.
New-ManagedContentSettings -Name 'Retain for 90 days' -FolderName 'Privacy Act' `
    -RetentionAction 'MoveToDeletedItems' -AddressForJournaling $null `
    -AgeLimitForRetention '90.00:00:00' -JournalingEnabled $false `
    -MessageFormatForJournaling 'UseTnef' -RetentionEnabled $true -LabelForJournaling '' `
    -MessageClass '*' -MoveToDestinationFolder $null -TriggerForRetention 'WhenMoved'
2. Verify the output of the cmdlet as follows:

Managed Folder Mailbox Policies

Managed folder mailbox policies define logical groupings for deployment and management.
The policies are then applied to users’ mailboxes, deploying all the managed folders that are
linked to the policy to the applicable mailboxes in a single operation. As many managed folder
mailbox policies as necessary can be created, and each policy can contain as many managed
folders as required.

Although you can create as many managed folder mailbox policies as you
want and have them contain as many managed folders as you want, there
is a one-to-one relationship between managed folder mailbox policies and
mailboxes; only one managed folder mailbox policy can be assigned to any
one mailbox.

Defining Managed Folder Mailbox Policies

An administrator creates managed folder mailbox policies, either via the Exchange Management
Console GUI or with PowerShell cmdlets and scripts through the Exchange Management Shell.
Exercise 16.3 outlines the steps to create a managed folder mailbox policy incorporating
the managed folders and their content settings created in the previous exercises.

EXERCISE 16.3
Defining Managed Folder Mailbox Policies
In this exercise we will define managed folder mailbox policies using the managed folders
you created in the previous exercises.

Using the Exchange Management Console
1. Start the Exchange Management Console from Start > All Programs > Microsoft
Exchange Server 2007. Within the Exchange Management Console, expand the Organization
Configuration work center, select the Mailbox subnode, then select New Managed
Folder Mailbox Policy from the action pane to start the New Managed Folder Mailbox Policy
wizard.
2. On the first page of the New Managed Folder Mailbox Policy wizard, enter Company
Standard MRM Policy as the policy name, then click Add to open the Select Managed
Folder dialog.
3. In the Select Managed Folder dialog, select the Privacy Act and Project 237 managed
folders and click OK to return to the New Managed Folder Mailbox Policy wizard.
4. Back in the New Managed Folder Mailbox Policy wizard, click New to create the policy.
5. On the Completion screen of the wizard, verify that the operation completed successfully
with the proper parameters, and then click Finish to exit the wizard and return to the
Exchange Management Console.

Using the Exchange Management Shell

In this section of the exercise, we will be creating a second managed folder mailbox policy
using the New-ManagedFolderMailboxPolicy PowerShell cmdlet. This policy will contain only
the Privacy Act managed custom folder.
1. Start the Exchange Management Shell from Start > All Programs > Microsoft Exchange
Server 2007. At the PowerShell prompt, enter the following cmdlet and then press Enter:
New-ManagedFolderMailboxPolicy -Name 'Privacy Act Compliance Policy' -ManagedFolderLinks 'Privacy Act'
2. Verify that the output of the cmdlet looks as shown in the following image:

Assigning Managed Folder Mailbox Policies to Users

Once created, managed folder mailbox policies can be assigned to users. The administrator
can assign the policies via the management GUI (the EMC). As with all procedures
performed in the EMC, you also can assign policies in PowerShell cmdlets and scripts,
incorporating powerful filtering and selection criteria for bulk user configurations and
modification of particular groupings of users (for example, you can apply a policy to all
human resources analysts).
The company-standard MRM policy created in Exercise 16.3 is assigned to a user with the
EMC GUI as follows:
1. Start the Exchange Management Console from Start > All Programs > Microsoft
Exchange Server 2007. Within the Exchange Management Console, select the Recipient
Configuration work center. Highlight the user that the policy will be assigned to in the
Results pane, then select Properties from the Action pane.
2. In the Properties dialog of the mailbox, select the Mailbox Settings tab. Highlight
Messaging Records Management as shown in Figure 16.4, then click Properties.
FIGURE 16.4 Accessing MRM settings for a user
3. In the Messaging Records Management dialog, select the managed folder mailbox policy
checkbox, then click Browse to access the Select Managed Folder Mailbox Policy dialog.
4. In the Select Managed Folder Mailbox Policy dialog, select the Company Standard MRM
Policy entry, then click OK to return to the Messaging Records Management dialog.
5. Once you’re back in the Messaging Records Management dialog, click OK to set the
policy and return to the mailbox’s Properties dialog. Click OK to close the Properties dialog
and apply the changes to the mailbox. Click Yes in the warning dialog advising of client
support for managed folders as shown in Figure 16.5 to return to the EMC.
Next you can assign the Privacy Act compliance policy to a user with PowerShell using the
Get-User and Set-Mailbox cmdlets. This is accomplished as follows: Start the Exchange
Management Shell from Start > All Programs > Microsoft Exchange Server 2007. At the
PowerShell prompt, enter the following cmdlet and then press Enter:
Get-User | Where-Object {$_.RecipientType -eq "UserMailbox" -and $_.Title -eq "Human Resources Analyst"} |
    Set-Mailbox -ManagedFolderMailboxPolicy "Privacy Act Compliance Policy"
FIGURE 16.5 Client version warning when assigning managed folder policies
You can confirm the assignment of the policy by typing Y at the confirmation prompt as
shown in Figure 16.6.
FIGURE 16.6 Assigning a managed folder with PowerShell
If the cmdlet is successful, no output is returned. You can confirm the setting of the policy
on the mailbox by running the following cmdlet:
Get-User | Where-Object {$_.RecipientType -eq "UserMailbox" -and $_.Title -eq "Human Resources Analyst"} |
    Get-Mailbox | Format-Table Name, ManagedFolderMailboxPolicy
The output of this cmdlet should be similar to that shown in Figure 16.7.
FIGURE 16.7 Verifying managed folder assignments with PowerShell
Managed Folder Assistant
The Managed Folder Assistant is the core of the MRM solution and is configured at the mailbox
server level. It configures managed folders in users’ mailboxes and processes mailbox content
based on the MRM configuration created by the administrator. By default, the Managed Folder
Assistant is configured to never run; a schedule must be set to enable regular processing of the
MRM configuration.

It’s best to run the Managed Folder Assistant during off-hours or other times
of low server load, as it can be a resource-intensive process, particularly the
first time it is run against a mailbox store. Also, Microsoft recommends not
running the Managed Folder Assistant at the same time as backups or online
database maintenance.

The Managed Folder Assistant is configured through the MRM tab of the mailbox server’s
Properties dialog as accessed through the Server Configuration work center. The MRM tab
and the folder assistant’s Schedule dialog are shown in Figure 16.8.
FIGURE 16.8 Configuring the Managed Folder Assistant through the EMC
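
Because the assistant never runs until a schedule is set, a deployment can have folders, content settings, and policy assignments in place and still process nothing. The following read-only audit for the Exchange Management Shell is an added example, not taken from the book; it reports unscheduled mailbox servers, mailboxes without a managed folder mailbox policy, and content settings worth reviewing. The helper names New-MrmFinding and Get-MrmAuditFinding are hypothetical, and the check that every mailbox carries a policy assumes your corporate email policy requires one.

```powershell
# Added example: read-only MRM audit for the Exchange Management Shell.
# Only Get-* cmdlets are called, so no configuration is changed.
# New-MrmFinding and Get-MrmAuditFinding are hypothetical helper names.

function New-MrmFinding($Area, $Object, $Detail) {
    # Add-Member is used so the helper also works on PowerShell 1.0.
    $finding = New-Object PSObject
    $finding | Add-Member NoteProperty Area   $Area
    $finding | Add-Member NoteProperty Object $Object
    $finding | Add-Member NoteProperty Detail $Detail
    $finding
}

function Get-MrmAuditFinding {
    # 1. Mailbox servers whose Managed Folder Assistant has no schedule.
    #    The assistant never runs by default, so managed content settings
    #    for mailboxes on these servers are defined but never processed.
    $unscheduled = @()
    foreach ($server in Get-MailboxServer) {
        $intervals = @($server.ManagedFolderAssistantSchedule | Where-Object { $_ })
        if ($intervals.Count -eq 0) {
            $unscheduled += $server.Name
            New-MrmFinding 'Assistant' $server.Name 'No schedule set; the assistant never runs here'
        }
    }

    # 2. Mailboxes with no policy, or with a policy that is never enforced
    #    because the hosting server is in the unscheduled list.
    #    Assumption: the corporate email policy requires a policy on every mailbox.
    foreach ($mailbox in Get-Mailbox -ResultSize Unlimited) {
        if (-not $mailbox.ManagedFolderMailboxPolicy) {
            New-MrmFinding 'Mailbox' $mailbox.Name 'No managed folder mailbox policy assigned'
        }
        elseif ($unscheduled -contains $mailbox.ServerName) {
            New-MrmFinding 'Mailbox' $mailbox.Name "Policy assigned, but $($mailbox.ServerName) never runs the assistant"
        }
    }

    # 3. Managed content settings that retain nothing or delete irrecoverably.
    foreach ($setting in Get-ManagedContentSettings) {
        if (-not $setting.RetentionEnabled) {
            New-MrmFinding 'ContentSettings' $setting.Name 'Retention is disabled; confirm this is intended'
        }
        elseif ("$($setting.RetentionAction)" -eq 'PermanentlyDelete') {
            New-MrmFinding 'ContentSettings' $setting.Name 'Permanent deletion at end of retention; confirm against discovery needs'
        }
    }
}

Get-MrmAuditFinding | Sort-Object Area, Object | Format-Table Area, Object, Detail -AutoSize -Wrap
```

Piping Get-MrmAuditFinding to Export-Csv instead of Format-Table keeps a dated record that compliance staff can review.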
Configuring the Managed Folder Assistant
The Managed Folder Assistant is configured on each mailbox server, either through the EMC
GUI or by using the Set-MailboxServer PowerShell cmdlet through the EMS. Exercise 16.4
walks you through the steps.
EXERCISE 16.4
Configuring the Managed Folder Assistant
To apply the policies we have assigned to the users, you need to configure the Managed
Folder Assistant. Let’s walk through the steps to do that, using both the management GUI and
PowerShell.
Using the Exchange Management Console
1. Start the Exchange Management Console from Start > All Programs > Microsoft
Exchange Server 2007. Within the Exchange Management Console, expand the Server
Configuration work center, then select the Mailbox subnode. Highlight the mailbox
server to be configured in the Results pane, then select Properties from the server section
of the Action pane.
2. In the Properties dialog for the mailbox server, select the Messaging Records Management
tab. Select Use Custom Schedule from the schedule drop-down menu, then click
Customize.
3. In the Schedule dialog, select the 6 a.m. and 7 a.m. time slots for all days so that the
schedule is configured as shown here, then click OK to create the schedule and return to
the Properties dialog for the mailbox server.
4. Back in the Properties dialog for the mailbox server, click OK to apply the changes and
return to the Exchange Management Console.

Using the Exchange Management Shell

In this section of the exercise, we will be setting the Managed Folder Assistant schedule using
the Set-MailboxServer PowerShell cmdlet against the same mailbox server as we configured
previously through the management GUI. We will be changing the schedule from running
daily from 6 a.m. to 8 a.m. to running daily from 12 a.m. to 2 a.m.
1. Start the Exchange Management Shell from Start > All Programs > Microsoft Exchange
Server 2007. At the PowerShell prompt, enter the following cmdlet and then press Enter:
Set-MailboxServer -Identity mailbox_server_name -ManagedFolderAssistantSchedule `
    "Sun.00:00-Sun.2:00","Mon.00:00-Mon.2:00","Tue.00:00-Tue.2:00","Wed.00:00-Wed.2:00", `
    "Thu.00:00-Thu.2:00","Fri.00:00-Fri.2:00","Sat.00:00-Sat.2:00"
Note that mailbox_server_name is the name of the mailbox server configured previously
through the Exchange Management Console.
2. When the cmdlet is successful, no output is returned. The setting of the policy on the
mailbox can be confirmed by running the following cmdlet:
Get-MailboxServer -Identity mailbox_server_name
The output of that cmdlet should be similar to the one shown here:

Message Classification

Although organizations have typically invested heavily in solutions protecting against threats
from inbound email such as malware (viruses, worms, Trojans, and phishing, for example) and
spam, little thought has been devoted to the compliance and intellectual-property risks of
internal and outgoing email. Messaging records management can assist in dealing with these
issues for email at rest (residing in mailboxes), but depends to a large extent on end users and,
in some cases, administrators making decisions on the content of messages. These decisions
are typically focused on the designation of messages, particularly in the context of intended
use, audience, retention, etc.
Email classification is a technique for adding metadata and visual labels to email messages to
describe the intended use of or audience for a message to enable processes to make decisions
based on those designations. Message classifications are typically applied by the message sender
as a decision on the content of the email before sending. These classifications can denote the
sensitivity, intended distribution, retention periods, or other designations as required by an
organization. If message classifications are deployed with some planning, they can offer a crucial
piece of an effective strategy for managing and controlling email by maintaining policy and
ensuring regulatory compliance.
Some examples of message classifications are Unclassified, Confidential, and Secret, while
other organizations may use designations such as Non-Business, Partner Confidential,
Mergers and Acquisitions, Privacy Act, etc.
As with managed folders, the number of message classifications should be
kept as low as possible. This aids in keeping the interface uncluttered for end
users, which will in turn encourage them to adopt the new functionality.
In Outlook 2007 and Exchange Server 2007 Outlook Web Access, the classification metadata
can be used to display visual labels in the form of a user-friendly description of the classification
for the recipients and the sender of the email.
Exchange Server 2007 message classifications are visible only in Exchange
Server 2007 Outlook Web Access and Outlook 2007. Message classifications
are visible to Outlook Web Access (OWA) clients by default, while Outlook
2007 requires additional configuration to make them visible.
The classification metadata also can be leveraged to perform actions on messages, through the
use of Exchange Server 2007 transport rules, to enforce company policy for compliance purposes.
For example, messages classified Company Internal that are sent to users outside your organization
can be blocked, with a copy sent to a compliance officer. Transport rules also can be used to apply
classifications to messages. For example, messages containing privacy information such as Social
Security numbers can have a Privacy Act classification applied to them using a transport rule.
Classifications are created on Exchange Server 2007 using PowerShell cmdlets, although
there are some predefined default classifications. The default user-accessible classifications in
Exchange Server 2007 Outlook Web Access are A/C Privileged, Company Confidential, and
Company Internal; these are shown in Figure 16.9.
FIGURE 16.9 Default message classifications as seen in OWA
It is worth noting that the message-classification labels seen in Figure 16.9 are just the
display names of the classifications. The DisplayName parameter defines the labels the sender
sees in the selection menu (Figure 16.9), while the SenderDescription defines the description
that is shown to the sender in the composed message, as shown in Figure 16.10. The
RecipientDescription, as seen in OWA, is shown in Figure 16.11.
FIGURE 16.10 Message-classification sender description
FIGURE 16.11 Message-classification recipient description
To create a new message classification you use the New-MessageClassification PowerShell
cmdlet in the Exchange Management Shell. The three required parameters are Name, DisplayName,
and SenderDescription, although RecipientDescription is often set as well. If the
RecipientDescription is not set, the value for SenderDescription is used.
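The following added example (not from the book) wraps New-MessageClassification in a check of the required parameters and the length limits listed in the parameter table, then reads the stored values back. The function name New-CheckedClassification and the sample name and descriptions are hypothetical.

```powershell
# Added example: hypothetical wrapper that checks the documented limits
# before creating a classification in the Exchange Management Shell.
function New-CheckedClassification {
    param(
        [string]$Name,
        [string]$DisplayName,
        [string]$SenderDescription,
        [string]$RecipientDescription   # optional; SenderDescription is used if omitted
    )

    # Required parameters and maximum lengths as listed in the parameter table.
    if (-not $Name -or $Name.Length -gt 256) {
        throw "Name is required and must contain 256 or fewer characters."
    }
    if (-not $DisplayName -or $DisplayName.Length -gt 64) {
        throw "DisplayName is required and must contain 64 or fewer characters."
    }
    if (-not $SenderDescription -or $SenderDescription.Length -gt 1024) {
        throw "SenderDescription is required and must contain 1,024 or fewer characters."
    }
    if ($RecipientDescription.Length -gt 1024) {
        throw "RecipientDescription must contain 1,024 or fewer characters."
    }

    if ($RecipientDescription) {
        New-MessageClassification -Name $Name -DisplayName $DisplayName `
            -SenderDescription $SenderDescription `
            -RecipientDescription $RecipientDescription
    }
    else {
        New-MessageClassification -Name $Name -DisplayName $DisplayName `
            -SenderDescription $SenderDescription
    }
}

# Constructed sample values.
New-CheckedClassification -Name 'PrivacyAct' -DisplayName 'Privacy Act' `
    -SenderDescription 'Use for messages that contain personal information covered by the Privacy Act.' `
    -RecipientDescription 'This message contains personal information. Do not forward it outside the organization.'

# Read back what was stored in Active Directory.
Get-MessageClassification -Identity 'PrivacyAct' |
    Format-List Name, DisplayName, SenderDescription, RecipientDescription
```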
There also are third-party solutions that provide message-classification capability
for Outlook. As with any technology, any evaluation of the message-classification
functionality in Exchange Server 2007 would be best served by
comparing it to other solutions that are available.
All configurable message-classification parameters are shown in Table 16.3, along with
their descriptions.
TABLE 16.1 Message-Classification Parameters

Common Parameters

DisplayName: Specifies the display name for the message-classification instance. The display
name appears in Outlook 2007 and Outlook Web Access and is used by the message sender to select
the appropriate message classification before they send a message. The DisplayName parameter
must contain 64 or fewer characters.

SenderDescription: Explains to the sender what the message classification is intended to achieve
and is used by Outlook and Outlook Web Access users to select the appropriate message
classification before they send a message. The SenderDescription parameter must contain 1,024
or fewer characters.

RecipientDescription: Explains to the recipient what the message classification is intended to
achieve and is viewed by Outlook and Outlook Web Access users when they receive a message with
this classification. The RecipientDescription parameter must contain 1,024 or fewer characters.
If no value is set for this parameter, the description entered for SenderDescription is used.

Locale: Specifies a culture code to create a locale-specific version of the message
classification. You also must specify the Identity parameter of the existing message
classification when you create a new locale-specific version. Values for the Locale parameter
are the string names listed in the Culture Name column in the Microsoft .NET Class Library
class reference.

Other Parameters

Identity: Used to create a translated version of an existing message classification. You also
must specify the Locale parameter. The Identity parameter can take a string value, which is the
Name value of an existing message classification.

Name: Specifies the administrative name for the message classification instance. The name is
used to administer the message classification instance. When you specify a name that includes
spaces, you must enclose the whole name in quotation marks. The Name parameter must contain
256 or fewer characters.

ClassificationID: Used to specify a classification ID of an existing message classification
that you want to import and use in your Exchange organization. Used if you are configuring
message classifications that span two Exchange forests in the same enterprise.

DomainController: To specify the fully qualified domain name of the domain controller that
writes this configuration change to Active Directory, include the DomainController parameter
on the command. This parameter is not supported on computers that have the Edge Transport
server role installed, as the Edge Transport server role only writes to and reads from the
local Active Directory Application Mode (ADAM) instance.

TemplateInstance: Uses the configuration of an existing template to create an identical copy
of the object on a local or target server.

UserDisplayEnabled: Used to specify whether the values that you entered for the DisplayName
and RecipientDescription parameters are displayed in the recipient’s Outlook message. If this
parameter is set to $false, messages sent to recipients that have this classification do not
display any classification information.

Dependencies of Message Classification
The primary dependencies of message classification in Exchange Server 2007 are Active Directory
and the messaging client used. In the following sections, we’ll go over each of these in turn.
Active Directory Configuration Container
Message classifications, like all Exchange Server 2007 configurations, are stored in Active
Directory; in particular, in the Configuration container in the path
Configuration/Services/Microsoft Exchange/<Organization>/Transport Settings/Message Classifications/<Locale>.
The classifications can be verified using ADSI Edit (ADSIEdit.msc), as shown in Figure 16.12.
As you can infer from Figure 16.12, message classifications are locale-specific
(language-specific). This means that you can have several locale-specific versions of the same
classification, presented to users in their own language as determined by their client locale
settings. If a localized version is not available for the locale of the user, the default
message classification is used.
Messaging Client
As stated previously, Exchange Server 2007 message classifications are set by the message sender
on outgoing messages in Outlook 2007 and Exchange Server 2007 Outlook Web Access.
FIGURE 16.12 Message classifications in Active Directory
Message classifications are configurable only in Outlook 2007 and Exchange
Server 2007 Outlook Web Access, and are visible only to recipients using those
same clients; they are not visible or configurable in Outlook 2003 or earlier or
in earlier versions of Outlook Web Access.
Figure 16.13 shows the same message that was pictured in Figure 16.11, but from an Outlook
2003 client; as you can see, the message classification metadata is not visible in Outlook 2003.
FIGURE 16.13 Message classifications in Outlook 2003
Configuring Message Classifications for Different Locales
You can create localized versions of an existing message classification to accommodate
multilingual environments. When a message is classified and sent, Exchange Server 2007 first
determines the language of the recipient by examining the recipient’s mailbox. If Active Directory
contains a message classification in the corresponding language, it attaches that classification to
the message. If a language match is not found, Exchange determines the locale of the recipient
by examining the recipient mailbox’s locale property. If there is no match for the specific locale
of the recipient, Exchange Server 2007 looks for a culture-neutral version, such as es for es-MX
(Spanish-Mexico) or fr for fr-CA (French-Canada). Finally, if no language-specific or
culture-neutral match is found, the default message classification is used regardless of its locale.
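The lookup order described above can be modeled in a few lines of PowerShell. This is an added illustration, not Exchange's own code and not from the book: the function name Resolve-ClassificationLocale, the sample locale list, and deriving the culture-neutral name from the text before the first hyphen are all assumptions.

```powershell
# Added illustration: models the documented fallback order
# (specific locale, then culture-neutral, then default).
function Resolve-ClassificationLocale {
    param(
        [string]$RecipientCulture,     # e.g. 'es-MX', as read from the recipient mailbox
        [string[]]$AvailableLocales,   # locales for which a version of the classification exists
        [string]$DefaultLocale         # locale of the default classification
    )

    if ($RecipientCulture) {
        # Step 1: a version in the recipient's specific locale (-contains ignores case).
        if ($AvailableLocales -contains $RecipientCulture) {
            return $RecipientCulture
        }

        # Step 2: a culture-neutral version, such as es for es-MX.
        # Assumption: the neutral name is the part before the first hyphen.
        $neutral = $RecipientCulture.Split('-')[0]
        if ($neutral -ne $RecipientCulture -and $AvailableLocales -contains $neutral) {
            return $neutral
        }
    }

    # Step 3: no match, so the default classification is used regardless of its locale.
    return $DefaultLocale
}

# Constructed sample: versions exist for en-US (the default), es, and fr-CA.
$available = 'en-US', 'es', 'fr-CA'
foreach ($culture in 'fr-CA', 'es-MX', 'fr-FR', 'de-DE', '') {
    $used = Resolve-ClassificationLocale -RecipientCulture $culture `
        -AvailableLocales $available -DefaultLocale 'en-US'
    "{0,-6} -> {1}" -f $culture, $used
}
```

Under this order a recipient with the fr-FR locale receives the default classification even though an fr-CA version exists, so a culture-neutral version (fr) is what covers every regional variant of a language.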
Localized message classifications are created with the New-MessageClassification
cmdlet, using the Identity parameter to identify the existing classification and the Locale
parameter to indicate the locale of the new classification. For example, to create a Spanish
version of a message classification named Privacy, you would use the following cmdlet:
New-MessageClassification -Identity Privacy -Locale es-ES -DisplayName "España Example" -SenderDescription "Este es el texto de la descripción"
To view message classifications in the Exchange Management Shell for locales other than
the default, you must use the Get-MessageClassification cmdlet with the
IncludeLocales parameter set to True. For example:
Get-MessageClassification -IncludeLocales:$true
Configuring Message Classifications for Outlook 2007

For Outlook 2007 users to be able to set message classifications, the classifications must
be exported from Active Directory to an XML file, and this file made accessible to
Outlook 2007 clients. There is an Exchange Server 2007 PowerShell script named
Export-OutlookClassification.ps1 provided for this purpose; this script is located in the
<install_drive>:\Program Files\Microsoft\Exchange Server\Scripts directory on the
Exchange Server 2007 computer.