There is a project running at the company I work for to separate one of the areas of the business into its own entity. Among other things this rebranding exercise also includes changing their primary email addresses.
For several versions of Exchange Server now we’ve had the capability to manage email addresses for recipients by using policies. In Exchange Server today these are referred to as Email Address Policies.
In this article I’ll provide an overview of the key concepts of email address policies and demonstrate some examples of how they can be used. The screenshots are from Exchange 2010, so this will look different if you’re running Exchange 2013 or later. However, the concepts are the same, so you can still learn from this article.
The Exchange Server 2010 Default Email Address Policy
Any Exchange 2010 organization will have one email address policy named “Default Policy”. You can view this in the Exchange Management Console under Organization Configuration -> Hub Transport, in the Email Address Policies tab.
One of my gripes with managing email address policies in the console is that you can’t open a Properties view to see how they are configured. However you can right-click and choose Edit to achieve the same outcome.
The first thing you’ll notice is that the default policy is not scoped to any particular recipient container, so it will apply to any object in Active Directory. The other thing you’ll notice is that the policy will apply to “All recipient types”, not a limited subset of the available types such as mailboxes, contacts, or groups.
At the next dialog you get a chance to preview the results of the conditions in the email address policy.
If you preview the default email address policy you should see all mail-enabled objects in the organization returned.
At the next dialog you’ll see the email addresses that the policy will apply to those recipients that fall within the scope of the policy.
So the outcome of this policy is that it will apply an email address of alias@exchangeserverpro.net (because alias is used if nothing else is specified) to any recipient type.
When are Exchange 2010 Email Address Policies Applied?
But when does the email address policy apply? At the next dialog we can see the schedule options for the email address policy.
The options we can choose from are:
- Do not apply – the email address policy will be created (or edited) but not applied to the recipients that fall within its scope
- Immediately – the email address policy will be applied immediately to the recipients that fall within its scope
- At the following time – the email address policy will be applied at the nominated time. This is convenient if you are preparing the email address policy in advance of a scheduled change (such as the rebranding exercise I mentioned earlier)
Something you need to be aware of is that no matter which of the above options you pick right now, the email address policy will continue to be assessed and applied to recipients on an ongoing basis in the future each time a recipient is created or modified.
So for example when a new mailbox is created the email address policies are assessed and applied accordingly. Similarly, if you modify an existing mailbox user, for example to change their alias or move it to another database, the email address policies will be reassessed for that recipient.
For that reason you want to be sure that any email address policy that exists in your organization is ready to be applied to recipients.
Creating a New Email Address Policy with the Exchange Management Console
Click New E-Mail Address Policy to start creating a new policy.
For this example I’ve narrowed the scope of the email address policy to just one particular OU for “Example Corp”, the new business entity.
If that particular OU contained users in other companies I could also narrow the scope down based on Company or Department attributes, but in this example I don’t need to. Clicking Preview shows me the one user that exists in that OU so far.
Next I’ll add an SMTP address of %m@example.com to the policy (%m = “alias”).
Note that whatever domain you choose to use here needs to have already been configured as an Accepted Domain for the organization. If you haven’t already done so you can switch back to the Exchange Management Console and add the domain without having to cancel your new email address policy wizard.
Finally I will choose not to apply the email address policy just yet, so that I can demonstrate some scenarios for this.
Finally, click New to create the email address policy. If it all goes well you’ll see a successful completion message.
Note that the completion dialog reveals the PowerShell commands used behind the scenes to perform the task. This will be relevant later when we look at an example of creating an email address policy in PowerShell.
Applying Email Address Policies
Now let’s check the results. Because I chose not to apply the policy yet the user Amy Lawrence does not have an @example.com email address yet.
If I move another mailbox user into the same OU, they also do not have the email address policy applied.
Jo Rigby’s email addresses haven’t changed just because her OU membership changed.
However, if I modify Jo Rigby’s recipient properties, such as adding the new company name, and apply that change…
…the new SMTP address is immediately applied by the policy, because modifying and saving any change to a recipient triggers policy assessment.
If I simply wish to apply the email address policy to all of the users in that OU I can right-click the policy and choose Apply, and choose to apply it immediately or at a scheduled time.
Now Amy Lawrence also has the new @example.com email address without me having modified any of her other recipient properties, because I manually triggered the application of the policy.
You may wonder how the primary SMTP address is determined when two policies are potentially valid for a recipient. The answer is in the priority value of each policy. The policy with the highest priority will apply, and only that one policy applies.
For example, new user Bob Winder in the Example Corp OU gets mailbox-enabled and only receives an @example.com SMTP address from the “Example Corp” policy, but doesn’t receive an @exchangeserverpro.net address from the default policy that is of a lower priority.
So each policy needs to contain all of the SMTP addresses that you intend those recipients to receive, so that new recipients get them all. You can’t rely on different email address policies to apply cumulatively.
Note: Email Address Policies are Additive Only
You may have noticed in the examples above that the prior SMTP address of @exchangeserverpro.net was not removed from the mailboxes, it was simply changed to being a secondary email address.
This is due to the behavior of email address policies in that they are additive only. An email address policy will not remove or overwrite an email address on a recipient.
If the recipient falls out of scope of the email address policy they will not have any email addresses removed from the account, though their primary SMTP address may change when a different policy applies. In the case of Jo Rigby, if she is moved out of that OU and her company attribute changed again (or any other modification made to trigger policy assessment) she reverts to an @exchangeserverpro.net primary SMTP address, but retains @example.com as a secondary address.
Nor will the removal of the email address policy entirely cause recipients to lose those email addresses.
Note that removing a policy causes those recipients to assess policies again. Amy Lawrence’s primary SMTP address changed back to @exchangeserverpro.net with no other recipient modification or manual applying of other policies required, but again she retained the @example.com secondary address.
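An added example, not from the original article: because policies never remove addresses, a rebranding or separation leaves the old domain on mailboxes as secondary addresses that still receive mail. The function below lists them by parsing the SMTP:/smtp: strings as Get-Mailbox displays them. The name Get-LingeringAddress and the sample objects are made up for illustration.

```powershell
# Added example (not the article's code). Works in PowerShell 2.0 and later.
# Get-LingeringAddress is a hypothetical helper name.
function Get-LingeringAddress {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Mailbox,
        [Parameter(Mandatory=$true)] [string] $Domain
    )
    process {
        $suffix = ('@' + $Domain).ToLower()

        # The primary address is the entry with the upper-case SMTP: prefix.
        $primary = $Mailbox.EmailAddresses | ForEach-Object { "$_" } |
            Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
        if ($primary) { $primary = $primary.Substring(5) }

        foreach ($entry in $Mailbox.EmailAddresses) {
            # "$entry" gives the prefixed form, e.g. smtp:user@domain
            $prefix, $address = "$entry" -split ':', 2
            if (-not $address)        { continue }   # malformed entry
            if ($prefix -ine 'smtp')  { continue }   # skip X400, SIP, ...
            if ($prefix -ceq 'SMTP')  { continue }   # primary, not lingering
            if (-not $address.ToLower().EndsWith($suffix)) { continue }

            New-Object PSObject -Property @{
                DisplayName      = $Mailbox.DisplayName
                SecondaryAddress = $address
                PrimaryAddress   = $primary
            } | Select-Object DisplayName, SecondaryAddress, PrimaryAddress
        }
    }
}

# Constructed sample input shaped like Get-Mailbox output. Jo Rigby's
# addresses are the ones shown in the article; the others are made up.
$sample = @(
    (New-Object PSObject -Property @{
        DisplayName    = 'Jo Rigby'
        EmailAddresses = @('SMTP:Jo.Rigby@exchangeserverpro.net',
                           'smtp:Jo.Rigby@example.com')
    }),
    (New-Object PSObject -Property @{
        DisplayName    = 'Amy Lawrence'
        EmailAddresses = @('X400:C=US;A= ;P=Sample;O=Exchange;S=Lawrence;G=Amy;',
                           'SMTP:Amy.Lawrence@exchangeserverpro.net',
                           'smtp:Amy.Lawrence@example.com')
    }),
    (New-Object PSObject -Property @{
        DisplayName    = 'Bob Winder'
        EmailAddresses = @('SMTP:Bob.Winder@example.com')
    })
)

# Lists Jo Rigby and Amy Lawrence; Bob Winder's @example.com address is his
# primary, so it is not reported.
$sample | Get-LingeringAddress -Domain 'example.com'

# Against a live organization (Exchange Management Shell):
# Get-Mailbox -ResultSize Unlimited | Get-LingeringAddress -Domain 'example.com'
```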
Creating a New Email Address Policy with the Exchange Management Shell
There will be times when you find the options available in the console when creating a new email address policy are not suitable for your particular scenario. In those cases you can use the Exchange Management Shell to create a more specific filter for the email address policy.
Email address policies are created using the New-EmailAddressPolicy cmdlet. This cmdlet has a -RecipientFilter parameter that opens up a whole lot more possibilities (the documentation refers to Exchange 2007 but is unchanged for Exchange 2010) for defining the scope of your email address policies. Just be aware that it can’t be used in combination with some other parameters, all of which is spelled out here.
So let’s look at one example of creating an email address policy in PowerShell using the capabilities of -RecipientFilter.
To begin with I’ve removed the policy I created in the console earlier, and manually removed the @example.com addresses from those mailboxes to start over with a clean slate.
Now I’ll create the email address policy, using a recipient filter that checks display names for the string “(Example Corp)”. The new policy will have the following properties:
- A name of “Example Corp”
- A priority of 1
- An email address template of “SMTP:%m@example.com” (the upper-case SMTP defines the primary SMTP address, lower-case would be a secondary SMTP address)
- A recipient filter for the DisplayName attribute of “*(Example Corp)” (the * is a wildcard)
Running that as a command in the Exchange Management Shell looks like this:

New-EmailAddressPolicy -Name "Example Corp" -Priority 1 -EnabledEmailAddressTemplates "SMTP:%m@example.com" -RecipientFilter {DisplayName -like "*(Example Corp)"}

Name                 Priority             RecipientFilter
----                 --------             ---------------
Example Corp         1                    DisplayName -like '*(Example Corp)'
Now the new email address policy has been created, but as before it has not yet applied to any recipients. To trigger the policy for the three Example Corp users I’m going to modify their display names to append “(Example Corp)” to them. I’m just doing them individually here but you could script it if you had a lot of mailbox users to modify.
[PS] C:\>Set-Mailbox Jo.Rigby -DisplayName "Jo Rigby (Example Corp)"
Jo now has the @example.com SMTP address assigned by the new policy.
[PS] C:\>Get-Mailbox Jo.Rigby | select displayname,emailaddresses | fl

DisplayName    : Jo Rigby (Example Corp)
EmailAddresses : {SMTP:Jo.Rigby@example.com, smtp:Jo.Rigby@exchangeserverpro.net}
And if I change her display name so it no longer has “(Example Corp)” in it, she reverts to the primary SMTP address @exchangeserverpro.net and retains the @example.com as a secondary SMTP address.
[PS] C:\>Set-Mailbox Jo.Rigby -DisplayName "Jo Rigby"
[PS] C:\>Get-Mailbox Jo.Rigby | select displayname,emailaddresses | fl

DisplayName    : Jo Rigby
EmailAddresses : {SMTP:Jo.Rigby@exchangeserverpro.net, smtp:Jo.Rigby@example.com}
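As an added example (not code from the article), the read-only script below shows from the shell which policy wins for each recipient when several filters overlap, which is also the shell equivalent of the console's Preview button. It assumes the Exchange Management Shell; the variable names and the handling of the default policy's priority are assumptions of this example.

```powershell
# Added example (not the article's code). Run in the Exchange Management Shell.
# Read-only: it changes nothing.

# Custom policies have numeric priorities (1, 2, ...). Assumption: any
# priority that does not parse as a number belongs to the default policy,
# so it is sorted last.
$policies = Get-EmailAddressPolicy | Sort-Object {
    $n = 0
    if ([int]::TryParse("$($_.Priority)", [ref]$n)) { $n } else { [int]::MaxValue }
}

$winner = @{}   # recipient GUID -> first (highest priority) matching policy

foreach ($policy in $policies) {
    if (-not "$($policy.RecipientFilter)") {
        Write-Warning "Policy '$($policy.Name)' has no RecipientFilter to preview; skipped."
        continue
    }

    # Preview the policy's own filter, limited to its container if it has one.
    $query = @{
        RecipientPreviewFilter = "$($policy.RecipientFilter)"
        ResultSize             = 'Unlimited'
    }
    if ($policy.RecipientContainer) {
        $query.OrganizationalUnit = "$($policy.RecipientContainer)"
    }

    foreach ($recipient in Get-Recipient @query) {
        $key = "$($recipient.Guid)"
        if ($winner.ContainsKey($key)) { continue }   # a higher priority policy already matched

        $winner[$key] = New-Object PSObject -Property @{
            DisplayName    = $recipient.DisplayName
            RecipientType  = $recipient.RecipientType
            WinningPolicy  = $policy.Name
            Templates      = ($policy.EnabledEmailAddressTemplates |
                                  ForEach-Object { "$_" }) -join ', '
            # False means the recipient has opted out of policy updates.
            PolicyEnabled  = $recipient.EmailAddressPolicyEnabled
            CurrentPrimary = "$($recipient.PrimarySmtpAddress)"
        }
    }
}

$winner.Values |
    Sort-Object WinningPolicy, DisplayName |
    Select-Object DisplayName, RecipientType, WinningPolicy, Templates,
                  PolicyEnabled, CurrentPrimary |
    Format-Table -AutoSize
```

A recipient missing from the output matches no policy filter, and one listed under an unexpected policy is being claimed by a higher priority policy.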
Hopefully this article has provided you a good understanding of how email address policies work in Exchange Server 2010, and given you some ideas on how you can use them in your own Exchange organization.
Hello
I have a question for you
in exchange 2010 how are duplicate smtp addresses managed
Hey Guys,
I still try to create a policy for firstname.lastname.lastname(2nd)@xxx.com
My ideas like %g.%s.%s@xxx.com don’t work!
Please Help Me 😉
Just to be extra safe:
If I click on “apply” on a policy with a whole domain as scope and with priority 3 it won’t overwrite the default address of users which are affected by other policies (priority 1 and 2) even though they are in the domain which is covered by policy 3, right?
Thought this through a bit and adding the ID variable before the set command would give me a visual validation that it is running and I can capture it in a transcript such like –
start-transcript
Import-Csv "C:\MP\hide.csv" | foreach {$_.id; set-remotemailbox -identity $_.ID -HiddenFromAddressListsEnabled:$true}
stop-transcript
This will display to screen the job is active and server is not locked up or anything like that and the transcript will capture the action.
Hello –
I would like to show the results to the screen (and ideally log file) when running something such as this to set address policy for some mailboxes.
Import-Csv "C:\address.csv" | foreach-object {set-mailbox -identity $_.ID -EmailAddressPolicyEnabled:$true}
Running this will execute but just go to command prompt.
Can it be displayed to screen when running? Can the action be exported or written out to a log file to show what it did?
Some cmdlets support the use of the -Verbose switch, and will output more information when running. Not all of them though.
If Set-Mailbox doesn’t show anything when you use -Verbose you would just need to write a script that outputs what you want to see instead.
Thanks Paul – verbose works but generates a lot of “background” information rather than scroll the user list. Can a switch be added to send the results to a file ?
Yes. Look at how to pipe output to the PowerShell Out-File cmdlet. You may need to use -Append to get the result you want.
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/out-file?view=powershell-6
Thanks again Paul. That would be too easy – tried that. Blank 1k file – but it does make the file. Interesting that some things in PowerShell show the results and some don’t (as this example). With what I am trying to do I get completely blank results displayed although the command does work – just need the proof for change control and backout purposes.
If you need proof then you need to write script logic that checks the value, attempts the change, catches errors, validates the outcome, logs all that to something you can look at later, etc.
That’s all possible in PowerShell, it’s just not built in to the cmdlets themselves. You need to write the script logic to wrap around the task.
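An added example of the wrapper logic described in this thread, not code from the article or from any commenter: it records each mailbox's addresses before the change, attempts it, catches errors, reads the result back and writes everything to a CSV that can serve as change-control evidence and as a backout reference. It assumes the Exchange Management Shell and a CSV with an "ID" column as in the question; both file paths are placeholders.

```powershell
# Added example (not the article's or the commenters' code).
# Run in the Exchange Management Shell. Paths are placeholders.
$inputCsv = 'C:\address.csv'              # needs an "ID" column
$logCsv   = 'C:\address-change-log.csv'
$ErrorActionPreference = 'Stop'           # make cmdlet errors catchable

# Snapshot of the address-related state of one mailbox.
function Get-AddressState($Identity) {
    $mbx = Get-Mailbox -Identity $Identity
    New-Object PSObject -Property @{
        PolicyEnabled = [bool]$mbx.EmailAddressPolicyEnabled
        Primary       = "$($mbx.PrimarySmtpAddress)"
        Addresses     = ($mbx.EmailAddresses | ForEach-Object { "$_" }) -join ';'
    }
}

$log = foreach ($row in Import-Csv $inputCsv) {
    $entry = New-Object PSObject -Property @{
        Time            = (Get-Date).ToString('s')
        Identity        = $row.ID
        Status          = ''
        PrimaryBefore   = ''
        AddressesBefore = ''
        PrimaryAfter    = ''
        AddressesAfter  = ''
        Error           = ''
    }
    try {
        # 1. Check the current value and keep it for backout.
        $before = Get-AddressState $row.ID
        $entry.PrimaryBefore   = $before.Primary
        $entry.AddressesBefore = $before.Addresses

        if ($before.PolicyEnabled) {
            $entry.Status = 'Skipped (already enabled)'
        }
        else {
            # 2. Attempt the change.
            Set-Mailbox -Identity $row.ID -EmailAddressPolicyEnabled $true

            # 3. Validate the outcome by reading the mailbox back.
            #    (A read served by another domain controller can lag.)
            $after = Get-AddressState $row.ID
            $entry.PrimaryAfter   = $after.Primary
            $entry.AddressesAfter = $after.Addresses
            $entry.Status = if ($after.PolicyEnabled) { 'Changed' } else { 'Not verified' }
        }
    }
    catch {
        $entry.Status = 'Failed'
        $entry.Error  = $_.Exception.Message
    }

    # 4. Progress on screen, full record into the log.
    Write-Host ("{0,-30} {1}" -f $entry.Identity, $entry.Status)
    $entry
}

$log |
    Select-Object Time, Identity, Status, PrimaryBefore, PrimaryAfter,
                  AddressesBefore, AddressesAfter, Error |
    Export-Csv $logCsv -NoTypeInformation
```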
Hi Paul,
Great article.
We wanted to change users from Firstname.Lastname@domain.com.au to Alias@domain.com.au
We have added the new email addresses into the policy and set them as default but now wish to remove the old format email addresses from the users.
Do you know what we could use as a power shell script to remove the firstname.lastname format?
I saw a post from another forum where you can remove addresses if they have a whole domain you wish to remove:
# Remove every address in the old domain from every mailbox
$users = Get-Mailbox -ResultSize Unlimited
foreach ($user in $users) {
    $user.EmailAddresses | where { $_.AddressString -like '*@olddomain.com' } | foreach {
        Set-Mailbox $user -EmailAddresses @{remove=$_}
    }
}
But how would you change it to use the first and last name variables? (%G & %S)
%G and %S are variables in the email address policy syntax. You’re working in PowerShell, it won’t recognize those. But you’re pulling the $user object, so the properties are there (e.g. $user.FirstName and $user.Lastname – you might want to double check those, but you get the idea).
Hi there,
I have been struggling with this issue for a week now, I have tried anything I could think of or found online, but I still don’t get the result and can’t solve it. Let me try my best to elaborate the situation, and hopefully you can grab my hand. Here is how it goes:
In our company we have, for example, the domain wash.com. Under this domain, in EMS Server 2010, we have two accepted domains: sparkling.com and greatshiningcarwash.com. There are some distribution groups created under both accepted domain addresses, and all the distribution groups are communicating and contacting with other local or internal groups and objects (users).
Distribution groups with the domain sparkling.com can, also, communicate with outsiders, like will.smith@gmail. However, distribution groups with the domain greatshiningcarwash.com CAN NOT.
All the groups have Universal scope; all the domains have Authoritative type; “Require that all senders are authenticated” box has been unchecked for all the groups in Mail Flow Settings; the greatshiningcarwash.com has been set as reply; spellings are correct in everything everywhere; and still nothing.
I don’t know if saying this helps, but it seems that the company is not using any email address policy, and even the default policy is FALSE.
Any help or advice or thought would be appreciated.
What is the actual problem? It’s not clear what you mean. Distribution groups don’t communicate with anyone. They receive email and disperse it to their members.
What exactly are you trying to do? What is the outcome you’re expecting? What outcome are you seeing instead?
Hi Paul,
Is there any way to estimate how long it will take to apply a policy to 4000 users? What affects the time to complete?
None that I’m aware of.
Hi all,
I am trying to create a new setup as part of a project for a customer, on E2010.
The current setup is the following:
Email address policies :
Priority 1 – For all groups and dynamic groups, add smtp entry as @internal.domain1.com
Priority 2 – For all ex employees of domain2 company(based on custom attribute) add firstname.lastname@domain2.com and firstname.lastname@domain1.com
Priority 3 – all recipients get alias@domain1.com and firstname.lastname@domain1.com
Default (lowest) – the only entry here is @domain1.com (this is weird…..)
I am trying to introduce a newly bought domain3.com in email addresses. I have set up all the other pre-reqs (accepted domains, connectors, etc.), but I’m unsure which of the above policies I should modify?
Should I go about and modify only the Priority 3 one, adding alias@domain3.com and firstname.lastname@domain3.com as secondary entries? Should I also modify the Priority 2 one, for the ex-employees of domain2.com to also include domain3.com addresses?
I’m afraid that if I only modify priority3 policy, since it’s for all recipients, it will also affect contacts/DLs, etc? I just don’t want it to break anything, to an irreversible state.
I can see that a DL that would be affected by the policy1 settings is also affected by the policy3 or the default settings, so if I modify policy3 and manually apply, it will add SMTP entries?
My DLs only have address@internal.domain1.com now… and I can’t figure it out how.
Email address policies are not cumulative. Only one policy applies to a recipient at any given time, but the recipient might have other SMTP addresses that were previously added by a different policy (because policies only ever add addresses, they never remove them). So the short answer is, you would need to add the new domain to every policy that is applying to the recipients you want to add the new domain to. If you only add the new domain to policy 3, only those recipients that policy 3 applies to will get the new domain.
If we have a mail user (resource) with just a firstname i.e. support, and we update the default policy to change the primary SMTP address to be ‘firstname.lastname@newdomain.com’ (%g.%s@newdomain.com), is it intelligent enough to just create ‘support@newdomain.com’ or will I end up with ‘support.@newdomain.com’?
If you’re concerned, you can exclude that mailbox from the email address policy so that any changes don’t impact it. You can then manually set whatever email addresses it requires.
Another approach is to use the alias in the email address policy instead, e.g. alias@domain.com (which I think is %m@domain.com in a policy), and then set each recipient’s alias to the desired value. That’s worked well for me in the past.
Hi Paul/all,
I am adding a new accepted domain, in a customer’s Exchange2010/EOP setup.
Once I add them, I don’t wish to create an email address policy, as this is to be done/edited at a later stage of the project.
Would I be able to test sending/receiving, by disabling the “automatically update email addresses based on e-mail address policy” checkbox only on my user mailbox, and manually adding the necessary SMTP entries?
If yes to question above, would the rollback mean only eliminating the newly added SMTP entries, and checking the tickbox back?
Thanks in advance.
You can manually add secondary SMTP addresses without disabling the policy for a mailbox. It’s only if you want to modify the primary email address that you need to disable policies for that mailbox.
If you disable policies, then re-enable them later, the policy will never remove any addresses from the mailbox.
Thanks Paul,
So yeah, I want to also modify the primary (set as reply-to)
I will only test on my user, to see if the other setups I have done will allow email flow, using the newly added domains.
After re-checking the box on my user, I guess I will have to delete the manually added ones, to remove them? (as they are additive)
One other question if I may – Is there a comprehensive article on how the policies apply based on priorities? I have done some reading and it’s a bit unclear to me. The reason I ask is, later on in the project, I need to add the 2 domains specified above (if my tests go fine), as secondary SMTP addresses, and then even later, make one of them primary.
So I already have firstname.lastname@abc.com defined in a policy (priority 2 I believe, as priority 1 is internal.abc.com for DLs). I want to add firstname.lastname@123.com. Would I be better off adding in the same policy, or should I create a new one?
Also, my setup is usernames are by default created as first 2 letter of firstname and last name (yours would be PACU), and I see my DEFAULT policy only applies a X400 and a SMTP with entry “@abc.com”, does this one apply the default alias for all users?
Apologies if I am getting you confused in any way, please let me know if I should detail more.
I believe I found the answer for the latter part, here: https://www.practical365.com/exchange-server/change-business-email-domain/ . It seems that my default setup doesn’t have the Email address local part selected, thus using the alias 😉 So in theory, in the near future, I probably just need to add @123.com here, and it will generate the aliases? Do I need to manually apply by any chance?
Hey,
How can I remove from all mailboxes an SMTP address with a specific format? By mistake I added by policy an SMTP alias in format alias@domain.com and now I want to remove it from all mailboxes.
You can do it manually or you can write a script to do it.
We are preparing for the rebranding of the company which also includes changing the primary email addresses. We are going from first.last@internal.company.com to first.last_Initial@internal.company.com. I know I can create a policy for this but there are several who prefer firstname@internal.company.com. Can I set the policy and manually or run a script to create the email with first name only? Also will I need to manually add the email address for any future account with first name only?
Use a policy to configure the bulk of the users to the standard. For any exceptions you can disable them from using email address policies and manually add whatever email address they prefer.
For new accounts, yes usually you’ll need to manually deal with them. Mailboxes are created with EAP enabled by default, so post-creation you could disable the mailbox for EAP and manually add the preferred address.
Thanks I will be making this happen today.
One additional question. I want to add the email addresses to all accounts but do not want it to be applied until the weekend. I will set the schedule for that time. My question is will the addresses populate immediately but just not be enabled until the weekend or will they populate when the policy is applied?
I create the policy when I want it to take effect, just to be sure.
Need to change our domain from @domainname.com to @DomainName.com for vanity reasons. We’re building a People/Phone list in SharePoint and all the domains are not uniform. Since policies are additive only is there any way to use one to achieve the formatting I want?
You’re just trying to change the case of the email address? You’ll probably need to write a script that disables email address policies for the mailbox, removes the lower case SMTP address, adds back the same address with the desired case, and then re-enables email address policies for the mailbox.
We’re migrating mailboxes to O365 in a hybrid configuration with Exchange 2013 and we need to change the primary email address for all users to a new address, but we cannot do that before migration for various reasons, so we have to perform it once all mailboxes are migrated to O365.
Is using a policy the right approach here? How is AAD Connect affected by this if at all? The 2013 hybrid will remain on-prem with no mailboxes and purely as an admin server post migration.
Thanks, Dan
Without knowing all the details of your scenario, a policy is always my preference for bulk email address changes and management.
Thanks Paul, I’ll do some further digging 🙂
I had a read through your O365 ebook and a few forums… Would the below pan out as easily as this? Just after the easiest and less impact to users of performing this post-migration.
1. New domain added into the O365 tenant and verified
2. Update the Exchange on-premise Email Address Policy to use the new email address
3. AAD Connect will now sync the updated “WindowsEmailAddress” property, which will in turn update any mail enabled objects “PrimarySMTPAddress” property in O365
4. All objects are now updated with the new email address using the new domain
Seems too easy… what have I missed? 🙂
Sounds like you’re planning to modify the existing EAP and have it apply to everyone in one go. That wouldn’t fly in most of the change management processes I’ve worked under.
Will most likely create a test policy identical to the existing one, add in a few users and apply the new email domain to the new test EAP. Check it works, make sure there aren’t any AD conflicts and then apply it across the entire user population. Only about 2,000 users, so hoping it’s not too much of an issue.
Paul,
What would cause a newly created policy not to work? I set up a new one using the steps listed here but even after applying the policy the new address is not added to the recipient in the OU.
Usually means the filter you’ve written doesn’t include that recipient, or another higher priority policy is being applied.
I am creating user mailboxes with an email address. They are getting created, but some weird email addresses are also created with a different domain name. For example, I am creating a user 7809@domain-retail.com, which is an accepted domain, but some other weird numbers are created with -98675@domain.com, which is also an accepted domain.
Is it anything to do with email address policy?
Very likely. Have you inspected your email address policies?
Paul, recently we migrated from 2003 to 2010. I did not really pay a lot of attention to the email address policy on 2003 simply because there was only a default policy. The email addresses have been firstname.surname@domain.com. It looks like after moving the mailboxes to 2010 the email addresses changed to alias@domain.com – obviously because of the 2010 default policy. But also my colleague was told that the old addresses firstname.surname@domain.com have been missing. Since when are changes in email address policies removing stuff? I can’t believe that this was the case and happened because of the migration! Any ideas? Thanks
I just edited my default E-Mail Address Policy removing an SMTP Address for the local Domain since it is not routable. My belief after reading this article was that existing accounts would not have the change affect their existing email addresses since “Note: Email Address Policies are Additive Only” The Policy removed the local domain SMTP address from all Recipients?
Running Exchange 2010-SP3
Correct, removing an address from a policy will not remove it from recipients.
Paul, I’m about to implement this change myself, and had the curious question asked if this would affect conversation view in Outlook clients. I am going to test anyway, but was curious if you knew ahead of time if conversation view for clients would change if their reply address was changing due to the address policy.
-John.
I can’t imagine that it would.
Hi again, just got it to work now. Checked eventviewer for errors and found event 1053
Exchange ActiveSync doesn’t have sufficient permissions to create the “CN……
Had not set the new users to get inherited permissions.
Thanks anyway.
Hi, great instruction. I managed to do all of the above and everything works fine except Outlook anywhere for the new users. I can’t find any configuration differences between the users on the AD level but they just refuse to connect. If I test and just change the user credentials to an “old” user on my tablet it works fine. Unfortunately I don’t have any logs or anything of that nature (yet) since I am not very experienced with Exchange2010.
Is there any other step I have missed that I need to do to get these users to work?
Any pointer would be very appreciated.
/fredrik
What did you change?
Hi, I don’t know if I changed anything. I wanted to add a domain and create three users that would have xxx@newdomain.se as their default email. Did as the instruction above and all works just fine except Outlook Anywhere. When I try to connect with one of the new users my tablet just times out. I have successfully connected with an old user from the tablet so I am pretty sure it’s not the tablet.
You really suspect that it is some permission issue but I am far from an expert on Exchange and I can’t find any config differences between an old user and the new one except for the email address and the fact that new users are in a different OU as in the instructions above.
Very nice blog.
I am not seeing the below policy option in the exchange server.
1.MaxEmailHTMLBodyTruncationSize
2.MaxInactivityTimeDeviceLock.
3. RemoteWipe
Thanks in advance.
Basavaraja
Those things have nothing to do with Email Address Policies, which is the topic of this article.
hi Paul,
Thank you for the article!
Only I got a question about the applied setting. There was an earlier question from someone, but I didn’t find an answer for my situation.
I created some email address policies with EMS, but afterwards the setting was set as “not applied”, but I noticed that the policy is applied for new mailboxes which match the recipient filter. Also adjusting existing mailboxes with the automatic update setting on forced the email address to change as mentioned in the policy. So I did not find any difference, applied or not, same result!?! Do you know why?
Running 2010 sp3-ru7
Regards,
Michel
This is explained in the article in the section titled “WHEN ARE EXCHANGE 2010 EMAIL ADDRESS POLICIES APPLIED?”
Hi. Suppose you have an organization with 300 mailboxes and 100 of them have the check box UNchecked to Automatically update e-mail addresses based on e-mail policy? What would be the easiest course of action to have all of those accounts update with the newest SMTP Address in the new policy?
Thanks.
Ticking the box is the easiest, if you want them to be managed by the policy.
If not, manually update them via PowerShell.
https://www.practical365.com/manually-configuring-email-addresses-for-exchange-server-2013-recipients-using-powershell/
When using EMC, you get a chance to preview the results of the conditions in the email address policy. Is there an equivalent to doing this using EMS?
Do a Get-Recipient with the same filter conditions as your policy.
Hi Paul,
Excellent article as always !
We have an old e-mail policy that I don’t really understand, hope you could clarify it for me.
The policy was made by PowerShell, the recipients filter is “DisplayName -eq ‘@mustnotmatch!'” and under “Apply Additional Inbound Domains” are about 30 different mail domains.
Could you think of a scenario for that policy?
Thank you for your time
Regards
Joerg
The filter makes it seem like someone has tried to ensure that the policy never matches any recipients.
I am creating mailboxes for the users, but when I create them some unknown numbers come with the email addresses, like -78654@domain.com. Is it because the email address policy is not applied to that domain?
If an email address is being automatically applied, then it is being applied by an email address policy. If you have multiple policies, then you need to work out which policy is applying to that user, and look at the email addresses that the policy is configured to apply. Also keep in mind that the policy can’t apply the same address to multiple users, so if there’s a conflict then it will append characters to the address to keep them unique.
Thanks Paul for your very great contribution !
Paul, thanks for your contribution on email address policy.
I have a question on how the sequence of Email Addresses works.
I manage 2 Exchange 2010 organizations
Policy (organization 1)
1. @b.com
2. @a.com (reply)
Email addresses:
1. name1@b.com
2. name1@a.com (reply)
Policy (organization 2)
1. @b.cm (reply)
2. @a.cm
Email addresses:
1. name1@a.cm
2. name1@b.cm (reply)
The proxyAddresses AD user property will have the same sequence as Email addresses. Because I need to use the vbs to get the proxyAddresses of each user, it will always use the first one of Email addresses in Exchange. I wonder, can we have the addresses in order for the new user account, like name1@b.com or name1@b.cm will be the first address (reply)?
I know the new domain will be the first one in Email addresses if I create/modify the policy.
correction:
like name1@b.com or name1@b.cm will be the first address(reply).
to:
like the default reply address will be always the first one in Email addresses.
Hi
Does editing the default email address policy in Exchange 2010 affect all existing users?
I want for now only the new users to obtain a different smtp address.
regards
david
It will impact every user that the policy applies to. Take a look at the section of the article about when policies are applied.
Hi Paul,
I’m trying to find a command to remove a secondary SMTP address on Exchange 2007. Set-Mailbox -EmailAddresses @{remove="example@mydomain.com"} is not working for me. I’m receiving the following output:
———————————————————————————————————
Set-Mailbox : Cannot bind parameter ‘EmailAddresses’. Cannot convert the “Syste
m.Collections.Hashtable” value of type “System.Collections.Hashtable” to type ”
Microsoft.Exchange.Data.ProxyAddress”.
At line:1 char:55
+ Set-Mailbox -Identity mydomainexample -EmailAddresses <<<< @{Remove="example@rootdomain.com"}
+ CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBin
dingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.Exchang
e.Management.RecipientTasks.SetMailbox
————————————————————————————————————–
What am I doing wrong? Is there another command to perform this with PowerShell?
Thanks in advance.
Diego.
Thanks for the informative write up. I have a question about Distribution Groups. I cannot find a way to have the email address policy applied to the Distribution Groups even though I have the box checked off to automatically update email addresses based on the email address policy. Do I need to choose All Recipient Types when creating the policy?
Is there a way in EMS to check if the policies are applied to the distro groups like you can with mailboxes? Thanks
Hi Paul,
I have a problem with “department” attribute for distribution groups.
There are some DGs with department = DEPT1
Also there are 2 EAPs:
Priority 1 – Catch all recipients with department = DEPT1 and assign %m@DEPT1.com
Default – Catch all recipients and assign %m@default.com
If I manually apply (via ECP) EAP with priority 1 then all DGs with department = DEPT1 will get @DEPT1.com addresses as it should be, but if I change one of those DGs, for example display name, default policy will set %m@default.com address.
This occurs only with distribution groups, all users behave correctly.
I have Exchange 2010 SP3 RU6. AD Forest 2008 r2 with no migrations in past.
I would appreciate any advice.
Great Article Paul,
I need to add 350 SMTP secondary email addresses.
Can this be done via EAP ?
All users are in the same OU. They have a primary SMTP that I do not want to change but need to add a secondary address.
Thanks,
Liam
I’m not sure whether you mean add one secondary email address to 350 users or add 350 secondary email addresses to each user.
But either way, yes.
Sorry for the confusion:
We need to add a new email address to all users in an OU. But this new email address should not be the primary SMTP address.
Sure. Create an email address policy that contains the primary and secondary email addresses you want.
Do it first on a test OU if you need to try it out.
Thanks Paul. That listed everyone. What I’m after is a list of people with the “Automatically update e-mail addresses based on e-mail address policy” option unticked on their profile.
Is that doable do you think?
get-mailbox -Filter {EmailAddressPolicyEnabled -ne $true}
Hi guys. Is there a powershell command I can run to list the users not inheriting the default email address policy?
We’re about to make a change and I want to know beforehand, how many user objects I will need to update manually.
Cheers Shane.
Sort of… The recipient filters on the email address policies can be used to filter Get-Recipient cmdlet results… so I guess one way to look at it would be:
[PS] U:>$filter = (Get-EmailAddressPolicy "POLICY NAME").RecipientFilter
[PS] U:>Get-Recipient -Filter $filter
Very informative write up. Thanks very much. One of the issues we have when creating mailboxes, being a large organization is when we have more than one person with the same first initial and last name. For example, jsmith@corp.com. Logically the next jsmith would be jsmith2 , etc. However, when we hit magic number 10 it gives us something like jsmith1b984c@corp.com. I assume this is like a hex representation but would really like it if it would just keep incrementing 10, 11, 12,13, etc. without having to manually edit the newly created address to correct it. Any help would be appreciated.
Thank you.
Chris
Thanks for the great article Paul.
How can you tell what Address Policies the user is receiving aside from examining the SMTP addresses? Not seeing anything in Get-Mailbox or EMC/EAC to indicate which policies are actually applying to the user.
Thanks!
Looks like at some point the mailbox checkbox to apply the policy gets turned on for some accounts while on Exchange 2007 however not until the mailbox is actually moved (modified seems to be the trigger) to Exchange 2010 does the address policy update and make the change. We have exported the SMTP addresses to have a reference in case a user goes incorrect after the move and we need to restore their Primary SMTP. Odd but workable.
Thanks for the confirmation. We are reviewing patch levels on the servers and settings now to try and determine the cause. We have 600 accounts out of the 4500 affected so a MS call may be needed. If something is found I will post.
Nice article. I have a scenario not covered. Exchange 2007 has 4500 users. Added Exchange 2010 servers to the mix to prepare for a migration. Address policy applies based on a specific custom attribute 1 value as default however about 10 percent of the accounts have the auto update address unchecked in EMC to allow a custom address to be used as default SMTP. When we “local move” the mailbox the address box becomes checked and a new primary SMTP based on the existing policy applies as default. We need to manually remove the check and reset the custom address. How can a user be moved without the address policy turning back on if originally unchecked? Thanks.
I’ve never noticed that behaviour before, so I’m not sure how to avoid it. Will see what I can find out.
Just did a quick test of a 2007 -> 2010 move and did not see the same behaviour. Maybe review your move request logs/reports or open an MS support case to dig deeper.
Great article Paul.
One question: I’ve migrated my Exchange server from 2003 to 2010.
Before that, if I sent a PDF document by email from my multi-function printer using the alias (without @mydomain.com) in the to: field, the server sent the email.
Now, in 2010, if I use the alias it doesn’t work, but if I use alias@mydomain.com it works.
Any ideas?
Thanks in advance
Ramon
Exchange 2010 won’t accept an invalid address as the “From” address. An alias without the @domain.com is not a valid address. So the solution is to make sure your devices (or any other application) that is going to use the Exchange 2010 server for SMTP is using a valid address.
Great article Paul Thanks.
Is there any mechanism that will allow you to mass remove the no longer valid secondary email addresses?
You’d just need to write a PowerShell script to do that.
Is there any sample script anywhere we could modify, or do we need to become PowerShell script experts?
There might be. I’ve never looked for one.
Here is a really basic version of a script to do this. Basically you pull in the proxy addresses that are NOT part of the domain you want to remove, then take that variable and make that the new proxyaddresses value.
# Replace "{user}" and "domain to remove" with real values before running
$o = Get-Mailbox -Identity "{user}"
# Keep only the addresses that are not in the unwanted domain and are not X400
$address = $o.EmailAddresses | where {$_.ProxyAddressString -notmatch "domain to remove" -and $_.PrefixString -ne "x400"}
Set-Mailbox -Identity "{user}" -EmailAddresses $address
You can expand that in all kinds of ways with some basic looping. I cleaned up a large number of users using this model, both old E2k X400 addresses and SMTP addresses. With a little work you could do prefix removals as well (if you do decide to do a mass change of the prefix for a domain).
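The looping mentioned in the comment above could look like the following. This is an added example, not part of the original comment or the article: it assumes the Exchange Management Shell, the values of $domainToRemove and $backupPath are placeholders, and unlike the commenter's version it leaves X400 addresses alone.

```powershell
# Assumed values: change both for your environment.
$domainToRemove = 'olddomain.example'
$backupPath     = 'C:\Temp\proxy-address-backup.csv'

# Match "@domain" at the end of the address only, with the dots escaped,
# so sub.olddomain.example or olddomain.example.org are not caught by accident.
$pattern = '@' + [regex]::Escape($domainToRemove) + '$'

$mailboxes = Get-Mailbox -ResultSize Unlimited

# Export the current state first so any mailbox can be restored by hand.
$mailboxes |
    Select-Object Identity, PrimarySmtpAddress, EmailAddressPolicyEnabled,
        @{Name = 'EmailAddresses'; Expression = {
            ($_.EmailAddresses | ForEach-Object { $_.ProxyAddressString }) -join ';' }} |
    Export-Csv -Path $backupPath -NoTypeInformation

foreach ($mbx in $mailboxes) {
    # Addresses to keep, as plain strings such as "smtp:user@keep.example"
    $keep = @($mbx.EmailAddresses |
        Where-Object { $_.ProxyAddressString -notmatch $pattern } |
        ForEach-Object { $_.ProxyAddressString })

    # Nothing in the unwanted domain on this mailbox
    if ($keep.Count -eq $mbx.EmailAddresses.Count) { continue }

    # Do not strip a primary address; that needs a decision, not a script.
    if ($mbx.PrimarySmtpAddress.ToString() -match $pattern) {
        Write-Warning "$($mbx.Identity): primary SMTP address is in $domainToRemove, skipped"
        continue
    }

    # A policy that still lists the domain will stamp the address back
    # the next time the policy is applied to this mailbox.
    if ($mbx.EmailAddressPolicyEnabled) {
        Write-Warning "$($mbx.Identity): policy-managed, check that no policy still includes $domainToRemove"
    }

    # -WhatIf only reports what would change; remove it after reviewing the output.
    Set-Mailbox -Identity $mbx.Identity -EmailAddresses $keep -WhatIf
}
```

Addresses that reappear after a run like this point to an email address policy that still includes the domain, so fix the policy before removing -WhatIf.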
Excellent article, thank you for the clear and concise details!
Paul,
I have a policy that was setup to add Full Access Permission for two admin users to have access to any new mailbox that is created by a previous administrator that no longer works for this company. I can’t seem to find out where that policy would be in place. I would like to edit that policy to remove his user and replace it with mine. This seems to be the location for that, but I am not seeing any options for it.
That is not an email address policy. My guess is they’ve added permissions at the database level (run “Get-MailboxDatabase | Get-ADPermission” and look through the output).
What you’re proposing is not ideal, in my opinion. I always grant and then remove mailbox permissions as required on a case by case basis, rather than leave a persistent ACL in place.
Hi Paul,
Is there any possibility in Exchange 2010 if we can create email policy with “SAMAccountname@domain.com”.
In my case Alias name and SamAccountname are different.
Thank you!
I have a quick question: I applied an email address policy for our new domain, but when a user receives email from an external domain the address shows the secondary domain email address. Kindly guide me on how to set this policy as default so that it shows the new domain entry when receiving email.
A sender can still send to a valid secondary address on your mailbox. There’s nothing about Email Address Policies that can change that.
Thank you for the article Paul.
Is it possible for a deleted address policy to break and continue to issue addresses to users? I have several users that have addresses associated with a dead and removed domain. The addresses repopulate if I delete them. Looking at the user I see they belong to 2 email address policies (get-mailbox “user” | select-object policiesincluded). Yet I can only validate the existence of 1 policy based on its GUID. I cannot locate a GUID to match the other policy in my email address policy list.
I’m open to suggestions. Thank you so much.
I guess it’s possible but I’ve never seen it happen. You could open ADSIEdit and see if the policy is still visible in there.
Thank you for the suggestion. But alas … no. I found only the policies that I would expect to find with ADSIEdit. Does Exchange maintain a hidden EAP? It appears that all our user objects list 2 policies in their PoliciesIncluded attribute – the default EAP and one other EAP. Is that the norm? What do you find with your users?
great article, thanks Paul …what would we do without you ? nothing else out on the web even close to as informative as this article on the subject…
After changing the policy from alias to firstname.lastname the out-of-office function was broken for all the users in Outlook and I can’t seem to fix it. It works in OWA.
Do I need to make any change anywhere to make this work?
It depends on what “broken” means.
Broken = … server is not available at the moment. Please try again later.
The server is available and the Ctrl + Outlook test shows success.
This was very helpful. How did the world get anything done before Google?!?
Vendor doco. Newsgroups/forums. Trial and error.
Ace article!
Quick question:
Is an email address policy a requirement as part of adding a new accepted domain? I am adding a new domain to accepted domains, but it’s only going to be used for 1 or 2 mailboxes. Can’t I just manually configure the SMTP address for those mailboxes?
Yes you can do it that way.
Thx Paul. Excellent article as always! Keep up the good work man 🙂
Hi,
> I don’t want to have to correct 20K users.
Hehe, that’s why many people hate EAPs. Okay, to be more exact: It’s the uncertainty that makes people hate it. That’s why I went over to deactivating “Automatically update…”, that gives you certainty. Really: What do you need automatic updates for? If I ever come to update email addresses for our users, I would _always_ do this with a customized script, where I can fully control what happens, and I would _never_ leave this over to some background process. What should be the advantage of it?
JMSP
Filipp
So just a verification, if I change the primary smtp address in the policy and hit “Do Not Apply”, it won’t apply anything then, it’s only going to do it to new accounts thereafter? I need to change ours but want to make sure it’s not going to go off to the races adding and changing everyone’s address, I don’t want to have to correct 20K users.
Great article! This topic always gets a little fuzzy if I haven’t worked with it for a while. This clears things up in a very pleasant way. Thank you for posting it this clearly.
Cheers,
Fred
Hi Paul.
Great article.
What if your user has a double first-name or last-name, and want to use . in between all names? (e.g. john.phillip.doe@example.com) Default firstname.lastname will just give you johnphillip.doe@example.com…?
Any suggestions on that one?
Best Regards
Tore
Hi,
Really nice post. There’s only one piece of information I miss (and also can’t find on MS): What happens if the policy chooses an address which is already used by someone else? E.g. if you have your 2nd Jo Rigby (in the same OU). Will he get no addresses then? Will he get Jo.Rigby2@example.com? Can you control this behaviour?
Best Regards
Filipp
Yes, it will append the 2 in the first case.
Is there any way to change this behaviour, so that it’ll use a different format, such as firstnamelastname@example.com instead of appending the 2?
Thank you for everything you’ve published; I use your articles on a regular basis.
None as far as I know.
When it assigns first.last2@domain.com and eventually first.last@domain.com becomes available, will the email address policy assign the now available address, or does the fact that it now has an @domain.com address prevent this?
Hi Paul,
Excellent article. Thanks
Thank you very much. Helped a lot. Greetings from sunny Switzerland.
Are you sure they get applied anytime an object is changed? I have a policy to make all domain users
firstname.lastname@domain.com but when HR changes someone’s name in AD, the policy is not applied to the change.
Changes made in AD Users & Computers don’t cause the policy to reassess.
I am trying to check if there is a way we can force a reassessment of policy.
My requirement – when First/Last Name changes, the new Primary SMTP should be set accordingly.
Can I simply disable and enable the mailbox account? This is prod… will I lose anything?
Thanks,
Sai
If you disable the mailbox all of the Exchange attributes are removed and the mailbox is marked for deletion in the database. So I do not recommend doing that.
Email address policies are re-evaluated any time a change is made to the mailbox using Exchange management tools.
Hi,
There’s a cmdlet, Update-Recipient, which should reapply address policies (together with other stuff like updating address list membership etc.) if the relevant attributes were not changed with Exchange Management Shell. Give it a try…
Regards
Filipp
Very good article. Thank you Paul.
Thanks Paul
Excellent article. This is one of the most complete ones I have read. I appreciate you covering how a new policy impacts existing email addresses and the impact of removing an email address policy.
Totally agreed.
Reading this in year 2016 as I have to take over a new project and provide support.
Just got the access to the Exchange server and got overwhelmed by the Email Server Policies. I was searching all over the internet for simple explanation.
But finally found the simple and nicely explained article here. Thanks a lot Paul.
Amazed how you take out time to make these articles in between your consultations.