
Mastering Microsoft Exchange Server 2003, part 5


messages from that mailbox. A mail−enabled user has no mailbox in your Exchange system. Rather, a
mail−enabled user has an e−mail address outside your Exchange system. A mail−enabled user can log on to your
Windows 2003 network and act as any other Windows 2003 user. However, such a user must send and receive
messages in another messaging system. When a mailbox−enabled user sends a message to a mail−enabled
user, Exchange sends the message to the mail−enabled user's external e−mail address.
Mail−enabled users are new to Exchange. They make it easy to deal with Windows 2003 users who want to
use an external e−mail account.
Don't confuse mail−enabled users with contacts (custom recipients in Exchange 5.5). Contacts point to
addresses that are external to your Exchange system, just like mail−enabled users. However, that's all they do.
There is no Windows 2003 user connected with a contact.
To start, I'll show you how to create and manage a new mailbox−enabled user. After that, I'll show you how to
create and manage a mail−enabled user.
Note: You'll notice that here I use the term user rather than user account. An Exchange user is a Windows 2003
user account that has been either mailbox− or mail−enabled.
Creating and Managing Mailbox−Enabled Users
This is a pretty complex section. Creating a mailbox−enabled user is a piece of cake, but managing one isn't so
easy. Because a mailbox−enabled user is both a Windows 2003 and an Exchange 2003 user, the management
interface for such a user is full of mind−boggling and sometimes diverting detail. You'll spend a good deal of
time in this section doing hands−on tasks, but you'll also devote considerable effort to understanding the
dizzying array of management options available for mailbox−enabled users.
In this section, we first create a mailbox−enabled user. Then we take a look at all of the management options
available for each user on the user Properties dialog box.
Creating a Mailbox−Enabled User
Let's create a mailbox−enabled user for Jane Dough, a securities consultant for a major multinational
conglomerate. Because Jane doesn't exist as a user, we'll first have to create her user account to
mailbox−enable that account.
To start, right−click the Users container and select New > User from the pop−up menu. The New Object −
User dialog box opens (see Figure 11.13). Fill in at least your user's first and last names. Each field that you're
filling in contains a property or, more specifically, an attribute of the user. The user's full name is
automatically created. Notice in Figure 11.13 that the system uses the last_name, first_name middle_initial.
format for display names that I created in the section "Setting the Default Format for Display Names" earlier in
this chapter. Finally, enter a user login name. The pre−Windows 2000 name is automatically created.
Figure 11.13: Using the New Object − User dialog box to create a new user account
Click Next and enter a password for the user. Click Next again and view and accept the creation of an
Exchange mailbox (see Figure 11.14). This is where you choose whether or not to mailbox−enable this user.
Note that you can change the default mailbox alias and select the server and mailbox store on which the
mailbox will be created. Click Next, and then Finish on the last page of the New Object − User dialog box.
Figure 11.14: Mailbox−enabling a new user
Find your new user in the Users container, and double−click it (see Figure 11.15). This opens the Properties
dialog box for your new user. If the dialog box doesn't show the new user's e−mail address yet, close the dialog
box and wait a few minutes for the Recipient Update servers to create the address.
You don't have to create a new user account and mailbox−enable the user at the same time. You can deselect
the Create an Exchange Mailbox option on the New Object − User dialog box (see Figure 11.14, shown earlier),
create the user account, and then mailbox−enable the user later. To mailbox−enable an existing user account,
right−click the account in the Users container and select Exchange Tasks. A wizard will then guide you
through the mailbox−enabling process.
Tip: When a user account has been mailbox−enabled, how do you get rid of the mailbox? Just
open the Exchange Task Wizard (right−click the user and select Exchange Tasks from the
menu that pops up) and select Delete Mailbox. To delete a user account, whether it's
mailbox−enabled or not, select it and either press the Delete key or right−click it and select
Delete from the menu that pops up.
Managing Mailbox−Enabled Users
Okay, now let's take a tour of the user Properties dialog box shown previously in Figure 11.15. Before we
begin that tour, I need to talk a bit about the property pages on the dialog box that are relevant to Exchange
and those that are not.
Figure 11.15: The Properties dialog box for a new user
Exchange−relevant means that a property page contains e−mail−specific attributes, attributes that provide
information about a user that other users can view, or attributes that are necessary to the proper functioning of
the electronic−messaging environment.
E−mail−specific attributes are attributes relating directly to a mailbox−enabled user's mailbox. These include
limits on what can be stored in the mailbox, who can access it, and such. E−mail−specific property pages in
Figure 11.15 include these:
• Exchange General
• E−mail Addresses
• Exchange Features
• Exchange Advanced
Attributes that provide information about a user that other users can view are attributes that an Outlook user
can view. Figure 11.16 shows the Properties dialog box for user Jane Dough that opens when you click on her
name in the Address Book that is part of the Outlook client. (See Chapter 10, "A Quick Overview of Outlook
2003," for a refresher on the Address Book.)
The General tab, which you can see in detail, and the other four tabs, which you can't, include a great deal of
the information that is administered and managed on various property pages of the user Properties dialog box,
shown earlier in Figure 11.15. Information carries over to the Outlook Address Book properties dialog box
(Figure 11.16) from the following property pages on the user Properties dialog box (Figure 11.15):
• General
• Address
• Telephones
• Organization
• Member Of
Figure 11.16: Viewing user attributes in the Outlook Address Book
So, as an Exchange Server 2003 manager, you should focus on 9 of the 20 property pages on the user
Properties dialog box. Does that mean that you don't have to worry about the other 11 pages? No such luck.
Although these pages focus heavily on Windows 2003 account attributes, you need to understand some of
them so that you can either use them when necessary or ask a Windows Server 2003 administrator to set up
certain attributes for you. These pages, which have attributes that are necessary to the proper functioning of
the electronic messaging environment, include
• Account
• Profile
• Published Certificates
• Security
• Environment
All right! Now, let's look at the 9 Exchange−specific property pages and the 5 property pages that cover
attributes necessary to the proper functioning of the Exchange environment that appear on the user Properties
dialog box. We'll look at each property page in the order specified here. After I discuss the 14
Exchange−specific property pages, I'll quickly discuss the remaining 6 property pages on the user Properties
dialog box.
Note: There are ways to manage the mailboxes of mailbox−enabled users other than with
individual user property pages. I'll talk about these in Chapter 12. For now, suffice it to say
that these include setting storage parameters for an entire mailbox store and using Exchange
Server's Mailbox Manager.
E−Mail−Specific Property Pages
Exchange 5.5 administrators will find most of the mailbox management user interfaces that they are
accustomed to in the four e−mail−specific property pages. A number of property pages were displayed on
Exchange 5.5's mailbox dialog box. To avoid property page mania, Exchange 2003 adds only four
e−mail−specific property pages to the user Properties dialog box. Two of these pages, Exchange General and
Exchange Advanced, contain buttons that open seven additional property pages. Let's take a look at the four
e−mail−specific property pages on the Windows 2003 user Properties dialog box:
E−Mail Addresses
The E−Mail Addresses property page shows a mailbox's addresses for different types of messaging systems
(see Figure 11.11, shown earlier). As I noted in the earlier section "Setting the Default Format for
Organizational E−Mail Addresses," two addressing defaults are created by default when you install Exchange
Server 2003: SMTP and X.400. These addressing defaults are then used to generate specific addresses for
each recipient.

Using the E−Mail Addresses property page, you can add a new address or manually change or even remove
an existing address. For example, I sometimes give certain users a second SMTP address that includes their
specific department. Adding, modifying, or removing addresses manually is fun, but not for those new to
Exchange 2003, both because it's a little dangerous to play with addresses and because it's sometimes not
enough to just add, change, or remove the address. You might also have to do some things in other areas
within Exchange and maybe even in external systems. I'll talk about all this stuff in Chapter 16, "Advanced
Exchange Server Administration and Management."
You can also use the E−Mail Addresses property page to set an address of a particular type as the primary
address. The primary address is the one that appears in the From field of a message. It is also the return
address for replies to the message. You need two addresses of the same type to change the primary address. In
the case of my second SMTP address example, I leave the system−generated address as the primary address.
Exchange Features
You use the Exchange Features property page, shown in Figure 11.17, to enable and disable client−oriented
features such as wireless and Internet−based access to your Exchange server. We'll look at this page again in
Chapter 14, "Managing Exchange 2003 Services for Internet Clients," and Chapter 19, "Wireless Access to
Exchange Server 2003."
Figure 11.17: Using the Exchange Features property page to enable and disable various client access services
Exchange General
Now, click over to the Exchange General property page. The store holding the mailbox is shown in the
Mailbox Store field (see the left side of Figure 11.18). You can't change the mailbox store here; you have to
move a mailbox to change its store. We'll get into moving mailboxes later in this book.
Figure 11.18: The Exchange General property page and its Delivery Restrictions property page that is opened
by clicking the Delivery Restrictions button
The alias for the user's mailbox is shown immediately after the name of the mailbox store. You can change the
alias here, but that won't change the aliases used in Exchange addresses that have already been generated for
this mailbox. The change will affect any addresses added in the future.
Delivery Restrictions, Delivery Options, and Storage Limits
The three buttons on the Exchange General property page open subproperty pages for further setting
properties. These pages enable you to set a range of attributes relating to messages and permissions:
Delivery Restrictions: Sending and receiving messages takes network bandwidth. You can control bandwidth
usage by setting limits on the size of messages that a user can send and receive. As you can see on the right
side of Figure 11.18, shown earlier, you can choose to use the default limit for sent and received messages, or
set a specific limit for the mailbox. I'll talk about setting default size options in the next chapter.
In addition to setting message size limits, you can restrict the senders a mailbox can receive messages from.
The default, as you can see in Figure 11.18, is to accept messages from everyone. Alternatively, you can
choose to allow the mailbox to receive messages from a specific list of senders or from all senders but a
specific list. You must choose the senders from among users, groups, and computers in your Active Directory.
So, you can't use message restriction options to control messages from outside your Exchange organization
unless you enter a specific address as a contact in your Active Directory and then select that address. I'll talk
more about restricting messages to and from external mail systems in Chapter 13, "Managing Exchange 2003
Internet Services."
Delivery Options: Figure 11.19 shows the Delivery Options subproperty page of the Exchange General
property page. This one's pretty neat. You can grant another user permission to send messages on behalf of this
mailbox. The From field in Send on Behalf messages identifies both the person sending the message and the
individual on whose behalf the message was sent. Can you imagine going through and setting Send on Behalf
options for each user? Whew! But don't worry: Users can do it for themselves using their Exchange clients.
Figure 11.19: Using the Delivery Options property page to give other recipients special rights to a mailbox,
set a forwarding address, and limit the number of recipients a mailbox can send messages to at one time
The Forwarding Address option is quite neat too. With Exchange 5.5, users had to set up forwarding in their
Outlook clients. They can still do this, but Exchange 200x administrators now have the option of setting the
forwarding address, which, if nothing else, means that forwarding from Exchange environments should be
more accurate.
As with message restrictions in the last section, you can forward to an address only in your Active Directory.
So, you have to enter a contact for external addresses. Even so, this little addition alone is almost worth the
price of admission to Exchange Server 2003.
Some organizations have their mass mailers. These are people who write a message and then send it to
everyone that they can find on their corporate address list, either by picking everyone's name or by using one
or more distribution lists. The Recipient Limits option on the Delivery Options property page lets you limit
the number of recipients that a mailbox user can send a message to. In computing this limit, a distribution
group is not equal to one recipient. Instead, it is equal to all the recipients on the list. This is a nice way to cut
down on all that internal spamming on your system. The default is a whopping 5,000 recipients. I'll show you
how to change the default in the next chapter.
Storage Limits: Use the Storage Limits subproperty page of the Exchange General property page to either
accept the store's default maximum−size limits (you'll learn how to set the default in the next chapter) or set
specific maximum limits for the mailbox. As shown in Figure 11.20, you can use any or all of three options
when setting limits. The mailbox user gets a warning when the first limit is reached and then on a specific
schedule thereafter until storage drops below the limit. I'll show you how to set the default warning message
schedule in the next chapter.
Figure 11.20: Using the Storage Limits property page to limit the amount of disk space available to a mailbox
and determine how deleted but retained items are handled
When the second limit is reached, the mailbox can no longer send mail. It can still receive mail, however,
because you might not want those who send messages getting a bunch of bounced message notifications just
because a mailbox user is a resource hog. The third limit prevents reception as well as sending of messages.
This option is useful when a user will be out of the office for an extended period and you don't want that
person's mailbox to fill up with gobs of unanswered messages.
Exchange 5.5 brought a great new concept to Microsoft messaging: deleted item retention. Essentially, when a
user deletes messages from the Deleted Items folder, the messages no longer show up in the folder but are
retained in the Exchange server message store for a specific time. Using an Outlook 2000 or 2003 client, a
user can retrieve deleted messages not yet deleted from the store. I'll show you how to set default deleted−item
retention parameters in the next chapter. You can use the Storage Limits property page to set retention
parameters for a specific mailbox. You can set the number of days that deleted items are kept on the mailbox's
Exchange server before they are automatically and finally deleted, or you can specify that items should not be
deleted until the store in which they are located has been backed up.
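The per-mailbox Delivery Options and Storage Limits described above can be reviewed in bulk from a directory export. The following is an added example, not code from the book: it parses an ldifde-style export and reports mailboxes that forward mail, have Send on Behalf delegates, or override the store's storage defaults with missing or out-of-order limits. It assumes these dialog fields are stored in the Active Directory attributes altRecipient, deliverAndRedirect, publicDelegates, mDBUseDefaults, mDBStorageQuota, mDBOverQuotaLimit and mDBOverHardQuotaLimit (names the page does not give), and the sample export is constructed.

```python
import base64
import re

# Constructed ldifde-style export; every name and address below is made up.
SAMPLE_LDIF = r"""
dn: CN=Dough\, Jane,CN=Users,DC=example,DC=local
objectClass: user
mail: jdough@example.local
altRecipient: CN=Jane Personal,CN=Users,DC=example,DC=local
deliverAndRedirect: FALSE
mDBUseDefaults: TRUE

dn: CN=Jane Personal,CN=Users,DC=example,DC=local
objectClass: contact
targetAddress: SMTP:jane@external.example

dn: CN=Help Desk,CN=Users,DC=example,DC=local
objectClass: user
mail: helpdesk@example.local
publicDelegates: CN=Dough\, Jane,CN=Users,DC=example,DC=local
publicDelegates: CN=Smith\, Al,CN=Users,
 DC=example,DC=local
mDBUseDefaults: FALSE
mDBStorageQuota: 200000
mDBOverQuotaLimit: 150000

dn: CN=Smith\, Al,CN=Users,DC=example,DC=local
objectClass: user
mail: asmith@example.local
mDBUseDefaults: FALSE
"""

# Assumed attribute behind each of the three storage limits, in the order the
# limits take effect (values are in KB).
LIMITS = [("mdbstoragequota", "warning"),
          ("mdboverquotalimit", "prohibit send"),
          ("mdboverhardquotalimit", "prohibit send and receive")]


def parse_ldif(text):
    """Return {lowercased dn: {lowercased attribute: [values]}}."""
    records, current = {}, None
    unfolded = re.sub(r"\r?\n ", "", text)  # a leading space continues the previous line
    for line in unfolded.splitlines():
        if not line.strip():
            current = None                   # a blank line ends the record
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        name = name.lower()
        if name == "dn":
            current = records.setdefault(value.lower(), {"dn": [value]})
        elif current is not None:
            current.setdefault(name, []).append(value)
    return records


def first(rec, attr):
    """First value of an attribute, or an empty string when it is absent."""
    return rec.get(attr, [""])[0]


def audit(records):
    """Return (mailbox, check, detail) tuples for settings worth a review."""
    findings = []
    for rec in records.values():
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if "user" not in classes or "mail" not in rec:
            continue
        who = first(rec, "mail")
        # Forwarding address: resolve the target object and note whether the
        # mailbox keeps its own copy of forwarded mail.
        for target_dn in rec.get("altrecipient", []):
            target = records.get(target_dn.lower())
            if target is None:
                kind, target = "unresolved object", {}
            elif "contact" in {c.lower() for c in target.get("objectclass", [])}:
                kind = "contact"
            else:
                kind = "internal recipient"
            address = first(target, "targetaddress") or first(target, "mail") or target_dn
            keeps_copy = first(rec, "deliverandredirect").upper() == "TRUE"
            findings.append((who, "forwarding", f"to {kind} {address}, copy kept: {keeps_copy}"))
        delegates = rec.get("publicdelegates", [])
        if delegates:
            findings.append((who, "send-on-behalf", f"{len(delegates)} delegate(s): " + "; ".join(delegates)))
        # Storage limits only matter here when the store defaults are switched off.
        if first(rec, "mdbusedefaults").upper() == "FALSE":
            limits = [(label, int(first(rec, attr))) for attr, label in LIMITS if attr in rec]
            if not limits:
                findings.append((who, "storage", "store defaults disabled and no limit set"))
            for (low_label, low), (high_label, high) in zip(limits, limits[1:]):
                if low >= high:
                    findings.append((who, "storage", f"{low_label} limit {low} KB is not below {high_label} limit {high} KB"))
    return findings


if __name__ == "__main__":
    for mailbox, check, detail in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"{mailbox:24} {check:15} {detail}")
```

Because forwarding can point only at an Active Directory object, a forwarding target that resolves to a contact is the case where mail leaves the Exchange system, and with no copy kept the mailbox owner never sees it.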
Exchange Advanced Properties Page

The Exchange Advanced properties page brings together a number of Exchange 2003 attributes that you
might need to modify (see Figure 11.21). Exchange 5.5 refugees will be happy to see that they can manage
many of their favorite Exchange attributes using this page. Let's look at these attributes in the order that they
appear on the page.
Figure 11.21: The Exchange Advanced property page
Simple Display Name
The Simple Display Name field is especially useful in certain multilingual Exchange environments. Exchange
clients and the Exchange System Manager show the simple display name when the full display name can't be
properly shown. For example, if a full display name is stored in a double−byte character set such as Chinese
Traditional or Korean, and if a particular copy of the client or the Exchange System Manager isn't set to
display the character set, the simple display name is shown in place of the full display name.
Hide from Exchange Address Lists
Select Hide from Exchange Address Lists to prevent a mailbox from showing up in the various address lists
supported by Exchange. Generally, you want to hide a mailbox from the Address Book to protect a particular
mailbox's privacy or when it is used by custom−programmed applications rather than by human users.
Downgrade High−Priority Mail Bound for X.400
Check this box to prevent the mailbox from sending X.400 mail at high priority. If the mailbox user attempts
to send a message destined for an X.400 system at high priority, the Exchange Server downgrades the priority
to Normal. You use this option to ensure that messages to X.400 mail systems conform with the older 1984
X.400 standard.
Custom Attributes, ILS Settings, and Mailbox Rights
Now let's focus on the subproperty pages on the Exchange Advanced properties page that you view by
clicking the buttons bearing their names.
Custom Attributes: You use the Custom Attributes property page, shown in Figure 11.22, to fill in custom
information for a mailbox. For example, you can use one of the custom fields to hold the Employee ID for the
user of the mailbox. You would, of course, use the same custom field for the same item for each user's
mailbox. You can rename the attributes, but it requires digging deeply into Active Directory. I talk a little
about how you go about digging in Chapter 16.
Figure 11.22: Setting custom attributes for a mailbox
ILS Settings: Microsoft's Internet Locator Service (ILS) is designed to make it easier for users to find each
other so that they can hold electronic discussions or conferences. You enter information about the mailbox
user's ILS server and account on the dialog box that pops up when you click ILS Settings. ILS runs as a
Windows 2003 service.
Mailbox Rights: You use the Mailbox Rights property page to establish or change permissions for the
mailbox. Figure 11.23 shows the default mailbox access permissions granted to the user for whom the
mailbox is created. SELF is an Active Directory−wide group; that is, it is not limited to any specific domain in
Active Directory. SELF has a range of rights, including Exchange−specific rights. When a user is created, that
user is added to the group. Members of the group SELF get the default mailbox permissions shown in Figure
11.23 by virtue of belonging to the group. These permissions apply only to the user's mailbox, not to all
mailboxes.
Figure 11.23: Using the Mailbox Rights property page to view and modify permissions on the mailbox
Warning: The following is intended to be instructional only. Don't change any permissions unless you're very
sure you know what you're doing.
The permissions listed in the Permissions For SELF box are fairly self−explanatory. However, to be sure that
we're all on the same page, Table 11.1 is a list of the permissions and a brief explanation of their functions.
Table 11.1: Permissions
Permission | Description
Delete mailbox storage | If allowed, the user or group may delete the mailbox itself.
Read permissions | The user or group can read the permissions granted to the mailbox.
Change permissions | The user or group can change mailbox permissions.
Take ownership | The user or group can take ownership of the mailbox.
Full mailbox access | The user or group can access the mailbox and all its contents, including all subfolders.
Associated external account | The account, which is a Windows Server 2003 account outside the Windows 2003 forest where your Exchange system resides, may access the mailbox.
Special permissions (not visible in Figure 11.23) | Special permissions are the mechanism by which the object SELF is granted Read and Full Mailbox Access permissions.
Tip: If you see only the group SELF on the Mailbox Rights property page, that's because the user's
mailbox has yet to be created. Yeah, I know, Exchange said it was creating the mailbox, but it
lied. The mailbox isn't created until the first message is sent to the user. So, to see all the groups
that have permissions on the mailbox, just send a message to the user and then close and reopen
the Mailbox Rights property page. Alternatively, if you sent yourself a message back in Chapter
10, look at the Mailbox Rights property page for your mailbox.
Scroll through the Name field at the top of the Mailbox Rights property page, and find and select the group
Exchange Admins. Notice that the group has permissions that allow it to fully administer the mailbox, but not
to access the messages in it. Those permissions were inherited from the permissions set on the Exchange
organizational container (mine is Barry Gerber and Associates) when you delegated control to Exchange
Admins back in Chapter 8.
You probably won't need to grant others permissions to a mailbox very often. As I noted in Chapter 10, users
can grant others access to all or part of their mailboxes right inside Outlook. So, why might you want to give
others permissions to a mailbox? One reason would be to create a shared mailbox. Maybe you want people to
send help desk−type messages to a mailbox and then have several staff members access the mailbox to read the
messages and resolve problems. Or a specific department might want to collaborate using a common mailbox.
You could do these sorts of tasks using a secure public folder, but a mailbox might work better in some cases.
So, to give other users permissions to access a mailbox, click Add on the Mailbox Rights property page. Then
use the Select Users, Computers, or Groups dialog box to pick the users or groups allowed access to the
mailbox (see Figure 11.24).
Figure 11.24: To give others permissions to a mailbox, select them from the Select Users, Computers, or
Groups dialog box.
The Advanced button on a Mailbox Rights property page allows you to give additional permissions to an
object. Click Advanced and then double−click the object you want to view or manage. As Figure 11.25
shows, you can actually change the user or group to whom the permissions are granted, and you can choose
how the permissions are to be applied. If an object has inherited permissions that were set higher up in the
Exchange hierarchy, the Change button and the Apply Onto field are grayed out and therefore unchangeable.
Check this out by clicking Advanced on the Permissions property page and then double−clicking Exchange
Admins. See Figure 11.23 (shown previously) for the location of the Advanced button.
Figure 11.25: Using the Permission Entry dialog box to view or change the object to which permissions will
apply
Property Pages That Provide Information Useful to Users
Now let's turn to the property pages that aren't e−mail−specific and that include information end users will
encounter in one place or another as they move through your Exchange and Windows 2003 system. I think
that Exchange managers are more attuned than Windows 2003 administrators to users and to both how they
perceive this information and how they might use it. Additionally, Exchange administrators managed this
information in Exchange 5.5. Therefore, I believe that Exchange managers should administer this information
or at least be intimately involved in its administration. Let's take a brief walk through these property pages.
General
As you can see back in Figure 11.15, you use the General property page to set basic attributes for a user.
Leaving out the attributes that I discussed in the previous section, "Creating a Mailbox−Enabled User," the
General properties page includes the following attributes:
Description: A brief description of the user.
Office: Some way of identifying the user's office, such as the office number.
Telephone number: The telephone number that you want other users to see in the Outlook Address Book.
Click Other to add more telephone numbers for the user. These other numbers are not available to other users
through the Outlook Address Book. You could make them available through custom applications that access
Active Directory.
E−mail: The user's SMTP address, automatically displayed in this field.
Web page: The user's web page. The Other button works as it does for the telephone number.
Tip: When creating a new account and mailbox, you don't have to fill in every last lovin' field on every property
page. Only the First and Last names and login name fields on the General property page must be filled in.
Address
The Address properties page is designed to hold the user's mailing address. These attributes were part of the
Exchange 5.5 directory. They are now standard Windows 2003 attributes. As I mentioned previously, I still
believe that Exchange 2003 managers should be heavily involved in supporting this property page.
Telephones
As you might expect, you manage a user's telephone numbers on the Telephones property page. The page has
room for five phone numbers. The defaults are these:
• Home
• Pager
• Mobile
• Fax
• IP Phone (an Internet IP address−based phone)
You can change the defaults.
The Telephones property page also includes a text box for notes. Exchange 5.5 managers will be happy to see
that this pretty much keeps intact the content of the Phone/Notes property page of the Exchange 5.5 mailbox
Properties dialog box.
Organization
You use the Organization property page to record information about the user's status in your organization's
hierarchy. See Jane Dough's Organization property page on the left side of Figure 11.26. Here you can set the
following user information:
• Title
• Department
• Company
• Manager

Figure 11.26: Using the Organization property page to show a user's place in an organization's
corporate hierarchy
You can also view the names of the individuals who directly report to the user. Jane Dough has no direct
reports. However, she does have a manager: me. If you look at my Organization property page on the right
side of Figure 11.26, you'll see that she is listed in the Direct Reports box. That's because I've set myself as her
manager on her Organization property page.
This is a big improvement over Exchange 5.5's Organization property page. With 5.5, you had to jump through
too many hoops to produce essentially the same information that you see here. Of course, neither 5.5 nor 2003
works if you have one of those dysfunctional organizations where people are expected to serve multiple
masters. That's a joke, sort of.
Member Of
The Member Of property page is used to add users to groups. You can add users to security groups or to
distribution groups. You don't have any distribution groups yet, so you can't do it now; in Figure 11.27,
however, I'm adding my mailbox to a distribution group that I sneakily created while you were otherwise
occupied. I just tabbed over to the Member Of property page, clicked Add, typed in "sneakily" in the Enter
Object Names To Select field, and clicked Check Names. Exchange System Administrator found the group
Sneakily Created Distribution Group and replaced "sneakily" with the group's full name. Then I clicked OK and
I immediately became a member of the distribution group. We'll get into creating distribution groups later in
this chapter in the section "Managing Distribution Groups."
Figure 11.27: Adding a user to a distribution group
Property Pages Essential to the Proper Functioning of Exchange
A number of property pages contain an attribute here or there that you need to be aware of when managing
mailbox−enabled users. I discuss these next:
Account
A good deal of the contents of the Account property page appeared in NT 4's User Manager for domains.
Much of the advanced security functionality, such as the kind of encryption used for the password, is also
managed on the Account property page. As should be obvious in Figure 11.28, much of what's on this page
relates to Windows 2003 security. The page is important for Exchange 2003 managers mainly because it is
where the user logon name is managed.
Figure 11.28: The Account property page is used to manage a range of Windows 2003 security options.
Profile
The Profile property page is another page imported pretty much intact from NT 4's User Manager. As an
Exchange manager, your main interest in this page is likely to be in the script that is run when a user logs in to
your Windows 2003 network. Some programs, such as the third−party application Profile Maker, need to run
when the user first logs in. Profile Maker ensures that a user's Exchange profile (see Chapter 10) is properly
created and remains as the Exchange administrator wants it to be. It is especially useful for roaming users.
You can run a program such as Profile Maker in the logon script. (See the Appendix, "Cool Third−Party
Applications for Exchange Server and Outlook Clients," for more on Profile Maker.)
Note: Oh yes, just for the record, the "Profile" in Profile Maker has nothing to do with the name of this
property page, which is about Windows 2003 profiles.
Published Certificates
You can view the security certificates that have been assigned to the user on the Published Certificates
property page. If and when you get into Exchange Advanced Security, you'll see the certificates for this
service on this property page.
Security
You should treat the Security property page as you would the registry on your server or Active Directory.
Make changes with great care. You can see in Figure 11.29 that a number of groups have permissions on this
mailbox. Most of those permissions were inherited from upper−level containers. Some were granted
specifically for the user when the user was created.
Figure 11.29: The Security property page is used to modify permissions on the user object as a whole.
I won't go into great detail here, but I do want to talk about a couple of permissions, Receive As and Send As:
Receive As Allows the user or group granted the right for a mailbox to open the mailbox inside an Outlook
client. The user or group member operates out of their own mailbox. That person can read messages in any
mailbox to which Receive As permission has been granted, but this user cannot send messages. To open an
additional mailbox in Outlook 2003, select Tools > E−Mail Accounts, click View Or Change Existing E−Mail
Accounts, and then click Next. Then be sure Microsoft Exchange Server is selected and click Change. On the
next page, click More Settings and tab over to the Advanced page on the dialog box that opens. Click Add in
the Mailbox area to select a mailbox to open in addition to your own. See Chapter 10 for more information.
Send As Allows the user or group granted the right for a mailbox to send messages from other mailboxes to
which the user or group has rights so it appears that the messages came from the Send As mailbox. This right
can be useful when, for example, you want an administrative assistant to send messages from their own
mailbox that appear to have come from a corporate mailbox (such as President at Barry Gerber and
Associates). The right is exercised inside the Outlook 2003 mailbox of the user by using the From field, which
is exposed by clicking the down arrow next to the Options field on a message and selecting From. (You can
also select the Blind cc field here.) Once you choose this option, the From field will show on all new
messages until you deselect it. Send As rights should be granted with care. They can be dangerous in the
wrong hands, such as when a disgruntled employee sends out a nasty message that appears to have come from
some innocent person's mailbox.
You might be wondering why Send As and Receive As permissions are granted on the Security property page
and not on the Exchange Advanced/Mailbox Rights property page. Exchange 2003 was designed to better
protect user mailboxes from the prying eyes of rogue Exchange administrators than Exchange 5.5 did. As I
noted back in the section "Mailbox Rights," Exchange administrators (for example, members of the Exchange
Admins group that we created back in Chapter 8) aren't given access to user messages. And, although
Exchange administrators can administer mailbox rights, they cannot administer the Security property page
that contains Receive As and Send As permissions. Only a user with permissions to change objects in the
Active Directory Users and Computers Users container can modify attributes on the Security property page.
There's nothing to stop someone from giving such permissions to the group Exchange Admins. The key point
is that someone other than a member of that group must grant the permissions. I'll go into all of this in Chapter
18, "Exchange Server System Security."
Warning The Send on Behalf Of option, which can be set by a user in an Outlook client or by an administrator
on the Delivery Options property page, is quite different from the Send As option, which you can set
on the Security property page for a user. Send on Behalf Of lets a user send a message for another
user while also identifying the actual sending user. Send As lets the user of one mailbox send a
message as though it came from another mailbox, without any hint that the other mailbox didn't send
the message itself. If you worry about users sending embarrassing messages that look like they came
from another user, then Send on Behalf Of is a far safer option than Send As. If both options are
granted to a user, Send As will override Send on Behalf Of.
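One way to audit the grants described in this section, as an added example that is not code from the book: the script reads the DACL of a user object in SDDL form and reports who holds Send As or Receive As, and whether each grant is inherited or explicit. The SDDL string and SIDs are constructed sample data, the function names are hypothetical, and the two GUIDs are the Active Directory schema identifiers of those extended rights.

```python
import re

# Schema GUIDs of the two extended rights discussed above.
EXTENDED_RIGHTS = {
    "ab721a54-1e2f-11d0-9819-00aa0040529b": "Send As",
    "ab721a56-1e2f-11d0-9819-00aa0040529b": "Receive As",
}
CONTROL_ACCESS = 0x100     # "CR" in SDDL: right to exercise extended rights
GENERIC_ALL = 0x10000000   # "GA" in SDDL: full control, includes CR

# Constructed sample: DACL of a hypothetical user object (SIDs are made up).
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;S-1-5-21-1111-2222-3333-1105)"
    "(OA;CIID;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;S-1-5-21-1111-2222-3333-1190)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"   # a different extended right
    "(A;ID;GA;;;DA)"                                       # full control, inherited
    "(A;;RPLCLORC;;;AU)"                                   # read-only, no CR
)

def _pairs(field):
    """Split an SDDL field made of two-letter codes, e.g. 'CIID' -> {'CI', 'ID'}."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def _allows_extended_rights(rights):
    """True if the rights field (symbolic or hex) includes CR or GA."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (CONTROL_ACCESS | GENERIC_ALL))
    return bool(_pairs(rights) & {"CR", "GA"})

def impersonation_grants(sddl):
    """Return (right, trustee, 'explicit' | 'inherited') for each allow ACE
    in the DACL that confers Send As or Receive As on this object."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    grants = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, guid, _, trustee = fields[:6]
        if ace_type not in ("A", "OA") or not _allows_extended_rights(rights):
            continue                      # deny and audit ACEs are not reported
        if "IO" in _pairs(flags):
            continue                      # inherit-only: applies to children only
        origin = "inherited" if "ID" in _pairs(flags) else "explicit"
        if guid == "":                    # no object GUID: every extended right
            names = list(EXTENDED_RIGHTS.values())
        else:
            names = [EXTENDED_RIGHTS[guid.lower()]] if guid.lower() in EXTENDED_RIGHTS else []
        grants.extend((name, trustee, origin) for name in names)
    return grants

if __name__ == "__main__":
    for right, trustee, origin in impersonation_grants(SAMPLE_SDDL):
        print(f"{right:<10} {origin:<9} {trustee}")
```

The explicit rows are the ones to review first, since they were granted on this user specifically; a full-control ACE appears under both rights because it carries every extended right.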
Environment
The Environment property page includes a number of attributes relating to Windows 2003 startup. The only
one of these that you might find useful has to do with starting a program when a user logs in. You can specify
the program on this page. As I pointed out earlier in the section "Profile," you can also start a program in the
user's logon script.
Property Pages Peripherally Related to Proper Functioning of Exchange
We've covered all but six of the property pages on the user Properties dialog box. This remaining group of
pages has little to do directly with Exchange server. I'll cover them quickly:
Dial−In You set parameters here for the user's remote dial−in to Windows 2003, including enabling or
disabling dial−in, and whether the user is called back at a specific phone number for security purposes.
Object This page contains information about the user as an object. This includes the object's name and class,
the dates it was created and modified, and its initial and current update sequence numbers, which tell you how
many times the object was updated.
Terminal Services Profile This is where you set a home directory to be used when the user logs in through a
Windows 2003 terminal server session and give permission to actually log in to the terminal server.
COM+ This page is of special use to application developers. An Exchange−related application might use this
page, but most Exchange administrators will want to leave its administration to developers and Windows
administrators.
Remote Control You set the capability for another to remotely view and control the user's terminal server
session here. This works only under Terminal Services.
Sessions This is another terminal server−oriented property page where you set session termination and
reconnection parameters.
Creating and Managing Mail−Enabled Users
As you'll remember, a mail−enabled user is a Windows 2003 user with an external e−mail address, a user
without an Exchange mailbox. Exchange routes messages sent by a mailbox−enabled user to the mail−enabled
user's external e−mail address.
Mail−enabled users are a lot like mailbox−enabled users. So, I'm going to move quickly through this section,
pointing out only differences between the two types of Windows 2003 users.
Creating a Mail−Enabled User
To create a mail−enabled user, create a user just as you did in the section "Creating a Mailbox−Enabled User"
earlier in this chapter, but don't accept the creation of an Exchange mailbox. Then, when the user has been
created, right−click the user and select Exchange Tasks. This opens the Exchange Task Wizard. Click over to
the Available Tasks page, shown in Figure 11.30, and select Establish E−Mail Addresses. Then click Next to
move to the next wizard page, Establish E−Mail Addresses.
Figure 11.30: Choosing to mail−enable a user using the Exchange Task Wizard
You use the Establish E−Mail Addresses page of the Exchange Task Wizard, shown in Figure 11.31, to add
an e−mail address for your mail−enabled user. You're offered an alias for the user, an opportunity to enter the
user's e−mail address and select an Exchange administrative group where the user will be managed. To enter
the e−mail address, click Modify.
Figure 11.31: Using the Exchange Task Wizard to manage the alias, external e−mail address, and
administrative group attributes of a new mail−enabled user
This opens the New E−Mail Address dialog box, shown in Figure 11.32. Select the type of address that you're
going to enter (I'm selecting SMTP Address). Click OK to open the properties dialog box for the type of
address you want to create. In my case, the Internet Address Properties dialog box opens (see Figure 11.33).
Figure 11.32: Using the New E−mail Address dialog box to specify the kind of e−mail address to be created
for a mail−enabled user
Figure 11.33: Using the Internet Address Properties dialog box General property page to enter the e−mail
address for a mail−enabled user with an SMTP address
Enter the address for your mail−enabled user. You can use the Advanced property page, shown in Figure
11.34, to override default settings that you made on your Exchange server regarding Internet mail. We'll get
into all this stuff in Chapter 13.
Figure 11.34: Using the Internet Address Properties dialog box Advanced property page to override Exchange
server Internet mail defaults for a mail−enabled user
When you've finished working with the address, click Next and then click Finish on the final wizard page.
That's it. You've created your first mail−enabled user. Now let's move on to the management of mail−enabled
users.
Tip At some point, you might need to mail−disable a user. To do so, open the Exchange Task
Wizard and select Delete E−Mail Addresses. To delete a user account, whether it's mail−enabled
or not, select it and either press the Delete key or right−click it and select Delete from the menu
that pops up.
Managing Mail−Enabled Users
In the container Active Directory Users and Computers\Users, find and double−click the mail−enabled user
that you just created. Figure 11.35 shows the Properties dialog box for my new user, John Wilson. Because
Wilson is a Windows 2003 user, all of his property pages but the e−mail−specific pages are exactly the same
as they are for a mailbox−enabled user. Even the e−mail−specific pages are quite similar to those for a
mailbox−enabled user. So, this is going to be a very quick trip.
Figure 11.35: The Exchange General property page for a mail−enabled user
The Exchange General property page for mail−enabled users is a combination of the Exchange General page
for mailbox−enabled users and the Delivery Restrictions subproperty page of the Exchange General property
page for mailbox−enabled users. Wow! That's a mouthful, but it actually makes sense. For a refresher, take a
look at Figure 11.35 and the section "Managing Mailbox−Enabled Users," especially Figure 11.18, earlier in
this chapter.
The Exchange Advanced property page, shown in Figure 11.36, contains one field that needs some
explaining, Use MAPI Rich Text Format. If this option is selected for an Exchange mail−enabled user,
messages sent to the user by mailbox−enabled users can contain such attributes as color, bold, and italic text.
By default, mailbox−enabled users send messages to mail−enabled users in plain text. Of course, the
mail−enabled user's messaging system or e−mail client must support messages with MAPI attributes for all
this to work. We'll encounter this field again when dealing with Exchange contacts later in this chapter. That's
because both mail−enabled users and contacts have external e−mail addresses that might or might not support
MAPI attributes.
Figure 11.36: The Use MAPI Rich Text Format option is unique to Exchange recipients with external e−mail
addresses.
Tip Many e−mail clients, including Outlook, can send messages in HTML format. HTML is a better
format choice than MAPI rich text. You don't have to do anything to enable HTML message
formatting on your server; that's done on the user's e−mail client. So, unless you know your
mail−enabled user can benefit from MAPI rich−text formatted messages, leave this item
unchecked.
Creating and Managing Distribution Groups
Distribution groups, also known as mail−enabled groups, are used to group together all four types of
Exchange recipients: users, contacts, public folders, and even other distribution groups. They are the
equivalent of Exchange 5.5's distribution lists.
New to the distribution group family with Exchange 2003 are query−based distribution groups. I'll talk about
them at the end of this section.
Creating a Distribution Group
To create a new distribution group, right−click the Users container in Active Directory Users and Computers,
and then select New > Group. The New Object − Group dialog box pops up, as shown in Figure 11.37.
Figure 11.37: Using the New Object − Group dialog box to create a new distribution group
Figure 11.37 shows you how the dialog box looks immediately upon opening. This dialog box is used to
create both security and distribution groups. You can create three kinds of groups: domain local, global, and
universal. You can create a universal security group only after you've set your domain to native mode. (See
Chapter 6, "Upgrading to Windows Server 2003 and Exchange Server 2003," for more on mixed− and
native−mode domains.) That's why Universal is grayed out in Figure 11.37, where the default group type is
Security.
Universal groups, new to Windows 2003, make more sense than the local domain and global groups of NT 4,
which are carried over to Windows 2003 for the sake of compatibility. Local groups hold users and global
groups. Global groups exist simply to hold users and be included in local groups. It's kind of strange. A
universal group can hold users or other groups. That's so much less complex. NT 4 domain controllers are
incapable of dealing with the deep nesting of universal groups. That's why they're not available in mixed mode
for security groups.
Okay, now select Distribution as the group type and name your group. I chose Managers for the name of my
group. Things should look pretty much as they do in Figure 11.38. Notice that distribution groups can be
universal.
Figure 11.38: Naming a new distribution group and specifying its scope
In the next dialog box, you're offered the opportunity to create an e−mail address for your distribution group
(see Figure 11.39). Select Create an Exchange E−Mail Address and click Next. The last dialog box shows you
what is about to happen. Click Finish to create your new distribution group.
Figure 11.39: Accepting creation of an e−mail address and the location for the address
Managing Distribution Groups
In the section on managing mailbox−enabled users, you had a fair amount of exposure to the format of a range
of property pages. Because we were looking at the user Properties dialog box, we explored pages of varying
relevance to the functioning of Exchange Server 2003. In this section, we're going to move pretty quickly
through the distribution group Properties dialog box, both because there are far fewer pages and because
you've seen some of the pages already. If I skip a page, the page has the same format and function as the same
page on the mailbox−enabled user Properties dialog box.
Any Windows 2003 Group Can Be Mail−Enabled or Mail−Disabled
You can mail−enable any group, including a security group. As with a distribution group, when you create a
security group, you're asked whether you want to give it an e−mail address. To e−mail−enable a group,
right−click it and select Exchange Tasks from the pop−up menu. Using the Exchange Task Wizard that pops
up, select Establish an E−Mail Address, and complete the wizard.
To mail−disable a group, use the Delete E−Mail Addresses option on the Exchange Task Wizard. To delete a
distribution group, select it and press the Delete key, or right−click it and select Delete from the pop−up
menu.
General

To open the Properties dialog box for your new distribution group, find and double−click it in the Users
container. The General property page shows naming, descriptive, e−mail, and group attributes. It also
provides a field for notes. As you can see in Figure 11.40, if you have the right permissions (remember, I'm a
domain administrator), you can change the group's pre−Windows 2003 name, description, and e−mail address.