There is a project running at the company I work for to separate one of the areas of the business into its own entity. Among other things, this rebranding exercise includes changing their primary email addresses.

For several versions of Exchange Server now we’ve had the capability to manage email addresses for recipients by using policies. In Exchange Server today these are referred to as Email Address Policies.

In this article I’ll provide an overview of the key concepts of email address policies and demonstrate some examples of how they can be used. The screenshots are from Exchange 2010, so this will look different if you’re running Exchange 2013 or later. However, the concepts are the same, so you can still learn from this article.

The Exchange Server 2010 Default Email Address Policy

Any Exchange 2010 organization will have one email address policy named “Default Policy”. You can view this in the Exchange Management Console under Organization Configuration -> Hub Transport, in the Email Address Policies tab.

Exchange 2010’s default email address policy

One of my gripes with managing email address policies in the console is that you can’t open a Properties view to see how they are configured. However, you can right-click and choose Edit to achieve the same outcome.

The first thing you’ll notice is that the default policy is not scoped to any particular recipient container, so it will apply to any object in Active Directory. The other thing you’ll notice is that the policy will apply to “All recipient types”, not a limited subset of the available types such as mailboxes, contacts, or groups.

Scope of the default email address policy in Exchange 2010

At the next dialog you get a chance to preview the results of the conditions in the email address policy.

Previewing the results of email address policy conditions

If you preview the default email address policy you should see all mail-enabled objects in the organization returned.


At the next dialog you’ll see the email addresses that the policy will apply to those recipients that fall within the scope of the policy.

Email addresses applied by the default email address policy

So the outcome of this policy is that it will apply an email address of alias@exchangeserverpro.net (because alias is used if nothing else is specified) to any recipient type.

When are Exchange 2010 Email Address Policies Applied?

But when does the email address policy apply? At the next dialog we can see the schedule options for the email address policy.

Email address policy schedule options

The options we can choose from are:

  • Do not apply – the email address policy will be created (or edited) but not applied to the recipients that fall within its scope
  • Immediately – the email address policy will be applied immediately to the recipients that fall within its scope
  • At the following time – the email address policy will be applied at the nominated time. This is convenient if you are preparing the email address policy in advance of a scheduled change (such as the rebranding exercise I mentioned earlier)

Something you need to be aware of is that no matter which of the above options you pick right now, the email address policy will continue to be assessed and applied to recipients on an ongoing basis in the future each time a recipient is created or modified.

So for example when a new mailbox is created the email address policies are assessed and applied accordingly. Similarly, if you modify an existing mailbox user, for example to change their alias or move it to another database, the email address policies will be reassessed for that recipient.

For that reason you want to be sure that any email address policy that exists in your organization is ready to be applied to recipients.

Creating a New Email Address Policy with the Exchange Management Console

Click New E-Mail Address Policy to start creating a new policy.

New Email Address Policy

For this example I’ve narrowed the scope of the email address policy to just one particular OU for “Example Corp”, the new business entity.

Select recipient container for new email address policy

If that particular OU contained users in other companies I could also narrow the scope down based on Company or Department attributes, but in this example I don’t need to. Clicking Preview shows me the one user that exists in that OU so far.

Email address policy conditions

Next I’ll add an SMTP address of %m@example.com to the policy (%m = “alias”).

Configuring SMTP addresses for an email address policy

Note that whatever domain you choose to use here needs to have already been configured as an Accepted Domain for the organization. If you haven’t already done so you can switch back to the Exchange Management Console and add the domain without having to cancel your new email address policy wizard.

Finally I will choose not to apply the email address policy just yet, so that I can demonstrate some scenarios for this.

Choosing when to apply the email address policy

Finally, click New to create the email address policy. If it all goes well you’ll see a successful completion message.

Completing the new email address policy wizard

Note that the completion dialog reveals the PowerShell commands used behind the scenes to perform the task. This will be relevant later when we look at an example of creating an email address policy in PowerShell.

Applying Email Address Policies

Now let’s check the results. Because I chose not to apply the policy yet the user Amy Lawrence does not have an @example.com email address yet.

Email addresses before the policy is applied

If I move another mailbox user into the same OU, they also do not have the email address policy applied.

User moved into OU

Jo Rigby’s email addresses haven’t changed just because her OU membership changed.

No change to email addresses yet

However, if I modify Jo Rigby’s recipient properties, such as adding the new company name, and apply that change…

Modifying recipient properties to trigger email address policies

…the new SMTP address is immediately applied by the policy, because modifying and saving any change to a recipient triggers policy assessment.

SMTP addresses after email address policy is applied

If I simply wish to apply the email address policy to all of the users in that OU I can right-click the policy and choose Apply, and choose to apply it immediately or at a scheduled time.

Manually applying an email address policy

Now Amy Lawrence also has the new @example.com email address without me having modified any of her other recipient properties, because I manually triggered the application of the policy.

SMTP addresses after email address policy is applied

You may wonder how the primary SMTP address is determined when two policies are potentially valid for a recipient. The answer to that question is in the priority value of each policy. The policy with the highest priority will apply, and only that one policy applies.

For example, new user Bob Winder in the Example Corp OU gets mailbox-enabled and only receives an @example.com SMTP address from the “Example Corp” policy, but doesn’t receive an @exchangeserverpro.net address from the default policy that is of a lower priority.

SMTP address for a new mailbox user

So each policy needs to contain all of the SMTP addresses that you intend those recipients to receive, so that new recipients get them all. You can’t rely on different email address policies to apply cumulatively.

Note: Email Address Policies are Additive Only

You may have noticed in the examples above that the prior SMTP address of @exchangeserverpro.net was not removed from the mailboxes; it was simply changed to being a secondary email address.

This is due to the behavior of email address policies in that they are additive only. An email address policy will not remove or overwrite an email address on a recipient.

If the recipient falls out of scope of the email address policy they will not have any email addresses removed from the account, though their primary SMTP address may change when a different policy applies. In the case of Jo Rigby, if she is moved out of that OU and her company attribute changed again (or any other modification made to trigger policy assessment) she reverts to an @exchangeserverpro.net primary SMTP address, but retains @example.com as a secondary address.

SMTP address changed after policy no longer applies

Nor will the removal of the email address policy entirely cause recipients to lose those email addresses.

Removing an email address policy

Note that removing a policy causes those recipients to assess policies again. Amy Lawrence’s primary SMTP address changed back to @exchangeserverpro.net with no other recipient modification or manual applying of other policies required, but again she retained the @example.com secondary address.

SMTP addresses after email address policy is removed
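
Because policies only ever add addresses, a domain that a removed or re-scoped policy once stamped stays on those recipients and keeps receiving mail. The following is an added example, not code from the original article, that reports which recipients still hold an address in a given domain; the function name Get-ResidualAddress and the sample objects (modelled on the Jo Rigby output in this article, with a made-up Bob Winder address) are assumptions.

```powershell
# Added example: list SMTP addresses that remain on recipients for a domain.
# Get-ResidualAddress is a hypothetical helper name, not an Exchange cmdlet.
function Get-ResidualAddress {
    [CmdletBinding()]
    param(
        # Any object with DisplayName and EmailAddresses, e.g. Get-Mailbox output
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$Recipient,

        # Domain to look for, e.g. the one a removed policy used to add
        [Parameter(Mandatory = $true)]
        [string]$Domain
    )
    process {
        foreach ($entry in $Recipient.EmailAddresses) {
            # Addresses render as "prefix:address". The prefix is "SMTP" for
            # the primary address and "smtp" for a secondary address.
            $prefix, $address = ([string]$entry) -split ':', 2
            if ($prefix -ine 'smtp') { continue }            # skip X400 and others
            if ($address -notlike "*@$Domain") { continue }  # other domains

            New-Object PSObject -Property @{
                DisplayName = $Recipient.DisplayName
                Address     = $address
                IsPrimary   = ($prefix -ceq 'SMTP')          # case-sensitive test
            }
        }
    }
}

# Constructed sample input, so the function can be tried without Exchange.
$sample = @(
    New-Object PSObject -Property @{
        DisplayName    = 'Jo Rigby'
        EmailAddresses = @('SMTP:Jo.Rigby@exchangeserverpro.net',
                           'smtp:Jo.Rigby@example.com')
    }
    New-Object PSObject -Property @{
        DisplayName    = 'Bob Winder'
        EmailAddresses = @('SMTP:Bob.Winder@example.com')
    }
)

$sample | Get-ResidualAddress -Domain 'example.com' |
    Select-Object DisplayName, Address, IsPrimary

# In the Exchange Management Shell the same function takes live data:
#   Get-Mailbox -ResultSize Unlimited |
#       Get-ResidualAddress -Domain 'example.com' |
#       Where-Object { -not $_.IsPrimary }
```

Rows where IsPrimary is false are the leftover secondary addresses described in this section; reviewing them is a manual decision, since the policy itself will never remove them.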

Creating a New Email Address Policy with the Exchange Management Shell

There will be times when you find the options available in the console when creating a new email address policy are not suitable for your particular scenario. In those cases you can use the Exchange Management Shell to create a more specific filter for the email address policy.

Email address policies are created using the New-EmailAddressPolicy cmdlet. This cmdlet has a -RecipientFilter parameter that opens up a whole lot more possibilities (the documentation refers to Exchange 2007 but is unchanged for Exchange 2010) for defining the scope of your email address policies. Just be aware that it can’t be used in combination with some other parameters, all of which is spelled out here.

So let’s look at one example of creating an email address policy in PowerShell using the capabilities of -RecipientFilter.

To begin with I’ve removed the policy I created in the console earlier, and manually removed the @example.com addresses from those mailboxes to start over with a clean slate.

Example Corp users in their OU

Now I’ll create the email address policy, using a recipient filter that checks display names for the string “(Example Corp)”. The new policy will have the following properties:

  • A name of “Example Corp”
  • A priority of 1
  • An email address template of “SMTP:%m@example.com” (the upper-case SMTP defines the primary SMTP address, lower-case would be a secondary SMTP address)
  • A recipient filter for the DisplayName attribute of “*(Example Corp)” (the * is a wildcard)

Running that as a command in the Exchange Management Shell looks like this:

New-EmailAddressPolicy -Name "Example Corp" -Priority 1 -EnabledEmailAddressTemplates "SMTP:%m@example.com" -RecipientFilter {DisplayName -like "*(Example Corp)"}

Name                                    Priority                                RecipientFilter
----                                    --------                                ---------------
Example Corp                            1                                       DisplayName -like '*(Example Corp)'

Now the new email address policy has been created, but as before it has not yet applied to any recipients. To trigger the policy for the three Example Corp users I’m going to modify their display names to append “(Example Corp)” to them. I’m just doing them individually here but you could script it if you had a lot of mailbox users to modify.

[PS] C:\>Set-Mailbox Jo.Rigby -DisplayName "Jo Rigby (Example Corp)"

Jo now has the @example.com SMTP address assigned by the new policy.

[PS] C:\>Get-Mailbox Jo.Rigby | select displayname,emailaddresses | fl

DisplayName    : Jo Rigby (Example Corp)
EmailAddresses : {SMTP:Jo.Rigby@example.com, smtp:Jo.Rigby@exchangeserverpro.net}

And if I change her display name so it no longer has “(Example Corp)” in it, she reverts to the primary SMTP address @exchangeserverpro.net and retains the @example.com as a secondary SMTP address.

[PS] C:\>Set-Mailbox Jo.Rigby -DisplayName "Jo Rigby"

[PS] C:\>Get-Mailbox Jo.Rigby | select displayname,emailaddresses | fl

DisplayName    : Jo Rigby
EmailAddresses : {SMTP:Jo.Rigby@exchangeserverpro.net, smtp:Jo.Rigby@example.com}

Hopefully this article has provided you a good understanding of how email address policies work in Exchange Server 2010, and given you some ideas on how you can use them in your own Exchange organization.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Belrhalia Amin

    Hello
    I have a question for you
    in exchange 2010 how are duplicate smtp addresses managed

  2. Mike Dittmar Fernandes

    Hey Guys,
    i still try to create a policy for firstname.lastname.lastname(2nd)@xxx.com

    my ideas like %g.%s.%s@xxx.com don’t work!

    Please Help Me 😉

  3. Matt

    Just to be extra safe:
    If I click on “apply” on a policy with a whole domain as scope and with priority 3 it won’t overwrite the default address of users which are affected by other policies (priority 1 and 2) even though they are in the domain which is covered by policy 3, right?

  4. Tim

    Thought this through a bit and adding the ID variable before the set command would give me a visual validation that it is running and I can capture it in a transcript such like –

    start-transcript
    Import-Csv "C:\MP\hide.csv" | foreach {$_.id; set-remotemailbox -identity $_.ID -HiddenFromAddressListsEnabled:$true}
    stop-transcript

    This will display to screen the job is active and server is not locked up or anything like that and the transcript will capture the action.

  5. Tim

    Hello –

    I would like to show the results to the screen (and ideally log file) when running something such as this to set address policy for some mailboxes.

    Import-Csv "C:\address.csv" | foreach-object {set-mailbox -identity $_.ID -EmailAddressPolicyEnabled:$true}

    Running this will execute but just go to command prompt.

    Can it be displayed to screen when running? Can the action be exported or written out to a log file to show what it did?

    1. Paul Cunningham

      Some cmdlets support the use of the -Verbose switch, and will output more information when running. Not all of them though.

      If Set-Mailbox doesn’t show anything when you use -Verbose you would just need to write a script that outputs what you want to see instead.

      1. Tim

        Thanks Paul – verbose works but generates a lot of “background” information rather than scroll the user list. Can a switch be added to send the results to a file ?

          1. Tim

            Thanks again Paul. That would be too easy – tried that. Blank 1k file – but it does make the file. Interesting that some things in PowerShell show the results and some don’t (as this example). What I am trying to do I get complete blank results displayed although the command does work – just need the proof for change control and backout purposes.

          2. Paul Cunningham

            If you need proof then you need to write script logic that checks the value, attempts the change, catches errors, validates the outcome, logs all that to something you can look at later, etc.

            That’s all possible in PowerShell, it’s just not built in to the cmdlets themselves. You need to write the script logic to wrap around the task.
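
Added example, not part of the original comment thread: one way to wrap the Set-Mailbox change from the question above in the check, attempt, catch, validate and log steps described in the reply. The function name, the sample rows and the log path are assumptions; it expects an ID column as in the CSV from the question and has to run in the Exchange Management Shell.

```powershell
# Hypothetical wrapper: enables email address policies per mailbox and writes
# a before/after record that can serve as change-control and back-out evidence.
function Enable-EapWithLog {
    param(
        [Parameter(Mandatory = $true)] [object[]]$Rows,    # objects with an ID property
        [Parameter(Mandatory = $true)] [string]$LogPath    # CSV file to write
    )

    $results = foreach ($row in $Rows) {
        $record = New-Object PSObject -Property @{
            Time          = (Get-Date).ToString('s')
            Identity      = $row.ID
            PolicyBefore  = $null
            PrimaryBefore = $null
            PolicyAfter   = $null
            PrimaryAfter  = $null
            Outcome       = $null
            Error         = $null
        }
        try {
            # 1. Check the current value (this is the back-out record)
            $before = Get-Mailbox -Identity $row.ID -ErrorAction Stop
            $record.PolicyBefore  = $before.EmailAddressPolicyEnabled
            $record.PrimaryBefore = [string]$before.PrimarySmtpAddress

            if ($before.EmailAddressPolicyEnabled) {
                $record.Outcome = 'Skipped (already enabled)'
            }
            else {
                # 2. Attempt the change
                Set-Mailbox -Identity $row.ID -EmailAddressPolicyEnabled $true -ErrorAction Stop

                # 3. Validate by re-reading the mailbox. The log relies on this
                #    re-read, not on the absence of an error from Set-Mailbox.
                $after = Get-Mailbox -Identity $row.ID -ErrorAction Stop
                $record.PolicyAfter  = $after.EmailAddressPolicyEnabled
                $record.PrimaryAfter = [string]$after.PrimarySmtpAddress
                $record.Outcome = if ($after.EmailAddressPolicyEnabled) { 'Changed' }
                                  else { 'Not applied' }
            }
        }
        catch {
            # 4. Record the failure and carry on with the next mailbox
            $record.Outcome = 'Failed'
            $record.Error   = $_.Exception.Message
        }
        $record
    }

    # 5. Log everything, then return the records so they also show on screen
    $columns = 'Time', 'Identity', 'Outcome', 'PolicyBefore', 'PolicyAfter',
               'PrimaryBefore', 'PrimaryAfter', 'Error'
    $results | Select-Object $columns | Export-Csv -Path $LogPath -NoTypeInformation
    $results | Select-Object $columns
}

# Constructed sample input with the ID column used in the question above.
$rows = @'
ID
Jo.Rigby
Amy.Lawrence
'@ | ConvertFrom-Csv

# The log path is an assumption; with a real file use (Import-Csv "C:\address.csv").
Enable-EapWithLog -Rows $rows -LogPath 'C:\eap-change-log.csv' | Format-Table -AutoSize
```

PrimaryBefore and PrimaryAfter are logged because re-enabling policies can change the primary SMTP address, which is the value a back-out would need to restore.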

  6. Jason

    Hi Paul,

    Great article.
    We wanted to change users from Firstname.Lastname@domain.com.au to Alias@domain.com.au
    We have added the new email addresses into the policy and set them as default but now wish to remove the old format email addresses from the users.

    Do you know what we could use as a power shell script to remove the firstname.lastname format?
    I saw a post from another forum where you can remove addresses if they have a whole domain you wish to remove:

    $users = Get-Mailbox -ResultSize Unlimited
    foreach ($user in $users) {
        $user.EmailAddresses | where {$_.AddressString -like '*@olddomain.com'} | foreach {
            Set-Mailbox $user -EmailAddresses @{remove=$_}
        }
    }

    But how would you change it to use the first and last name variables? (%G & %S)

    1. Paul Cunningham

      %G and %S are variables in the email address policy syntax. You’re working in PowerShell, it won’t recognize those. But you’re pulling the $user object, so the properties are there (e.g. $user.FirstName and $user.Lastname – you might want to double check those, but you get the idea).

  7. Alan

    Hi there,

    I have been struggling with this issue for a week now, I have tried anything I could think of or found online, but I still don’t get the result and can’t solve it. Let me try my best to elaborate the situation, and hopefully you can grab my hand. Here is how it goes:

    In our company we have ,for example, the domain wash.com. Under this domain, in EMS Server 2010, we have two accepted domains: sparkling.com and greatshiningcarwash.com. There are some distribution groups created under both accepted domain addresses, and all the distribution groups are communicating and contacting with other local or internal groups and objects (users).

    Distribution groups with the domain sparkling.com can, also, communicate with outsiders, like will.smith@gmail. However, distribution groups with the domain greatshiningcarwash.com CAN NOT.

    All the groups have Universal scope; all the domains have Authoritative type; “Require that all senders are authenticated” box has been unchecked for all the groups in Mail Flow Settings; the greatshiningcarwash.com has been set as reply; spellings are correct in everything everywhere; and still nothing.

    I don’t know if saying this helps, but it seems that the company is not using any email address policy, and even the default policy is FALSE.

    Any help or advice or thought would be appreciated.

    1. Paul Cunningham

      What is the actual problem? It’s not clear what you mean. Distribution groups don’t communicate with anyone. They receive email and disperse it to their members.

      What exactly are you trying to do? What is the outcome you’re expecting? What outcome are you seeing instead?

  8. Dave Tammi

    Hi Paul,

    Is there any way to estimate how long it will take to apply a policy to 4000 users? What affects the time to complete?

  9. Nick

    Hi all,
    I am trying to create a new setup as part of a project for a customer, on E2010.
    The current setup is the following:
    Email address policies :
    Priority 1 – For all groups and dynamic groups, add smtp entry as @internal.domain1.com
    Priority 2 – For all ex employees of domain2 company(based on custom attribute) add firstname.lastname@domain2.com and firstname.lastname@domain1.com
    Priority 3 – all recipients get alias@domain1.com and firstname.lastname@domain1.com
    Default (lowest) – the only entry here is @domain1.com (this is weird…..)

    I am trying to introduce a newly bought domain3.com in email addresses. I have setup all the other pre-reqs (accepted domains, connectors, etc.), but im unsure which of the above policies i should modify?
    Should i go about and modify only the Priority 3 one, adding alias@domain3.com and firstname.lastname@domain3.com . as secondary entries? Should i also modify the Priority 2 one, for the ex-employees of domain2.com to also include domain3.com addresses?

    Im afraid that if I only modify priority3 policy, since its for all recipients, it will also affect contacts/DLs, etc? I just dont want it to break anything, to an irreversible state..

    I can see that a DL that would be affected by the policy1 settings is also affected by the policy3 or the default settings, so if i modify policy3 and manually apply, it will add SMTP entries?
    my DLs only have address@internal.domain1.com now…. and i cant figure it out how.

    1. Paul Cunningham

      Email address policies are not cumulative. Only one policy applies to a recipient at any given time, but the recipient might have other SMTP addresses that were previously added by a different policy (because policies only ever add addresses, they never remove them). So the short answer is, you would need to add the new domain to every policy that is applying to the recipients you want to add the new domain to. If you only add the new domain to policy 3, only those recipients that policy 3 applies to will get the new domain.

  10. Bealeki

    If we have a mail user (resource) with just a firstname i.e. support, and we update the default policy to change the primary SMTP address to be ‘firstname.lastname@newdomain.com’ (%g.%s@newdomain.com), is it intelligent enough to just create ‘support@newdomain.com’ or will I end up with ‘support.@newdomain.com’?

    1. Paul Cunningham

      If you’re concerned, you can exclude that mailbox from the email address policy so that any changes don’t impact it. You can then manually set whatever email addresses it requires.

      Another approach is to use the alias in the email address policy instead, e.g. alias@domain.com (which I think is %m@domain.com in a policy), and then set each recipient’s alias to the desired value. That’s worked well for me in the past.

      1. Andrew

        Hi Paul/all,
        I am adding a new accepted domain, in a customer’s Exchange2010/EOP setup.
        Once i add them, i dont wish to create an email address policy, as this is to be done/edited at a later stage of the project.

        Would i be able to test sending/receiving, by disabling the “automatically update email addresses based on e-mail address policy” checkbox only on my user mailbox, and manually adding the necessary SMTP entries ?

        If yes to question above, would the rollback mean only eliminating the newly added SMTP entries, and checking the tickbox back?

        Thanks in advance.

        1. Paul Cunningham

          You can manually add secondary SMTP addresses without disabling the policy for a mailbox. It’s only if you want to modify the primary email address that you need to disable policies for that mailbox.

          If you disable policies, then re-enable them later, the policy will never remove any addresses from the mailbox.

          1. Andrew

            Thanks Paul,
            So yeah, i want to also modify the primary (set as reply-to)
            I will only test on my user, to see if the other setups i have done will allow email flow, using the newly added domains.

            After re-checking the box on my user, i guess i will have to delete the manually added ones, to remove them? (as they are additive)

            One other question if i may – Is there a comprehensive article on how the policies apply based on priorities? I have done some reading and its a bit unclear to me. The reason i ask is, later on in the project, i need to add the 2 domains specified above (if my tests go fine), as secondary SMTP addresses, and then even later, make one of them primary.

            So i already have firstname.lastname@abc.com defined in a policy (priority 2 i believe, as priority 1 is internal.abc.com for DLs). I want to add firstname.lastname@123.com . would i be better off adding in the same policy, or should i create a new one ?

            Also, my setup is usernames are by default created as first 2 letter of firstname and last name (yours would be PACU), and i see my DEFAULT policy only applies a X400 and a SMTP with entry “@abc.com”, does this one apply the default alias for all users?

            Apologies if i am getting you confused in anyway, please let me know if i should detail more.

          2. Andrew

            I believe i found the answer for the latter part, here : https://www.practical365.com/exchange-server/change-business-email-domain/ . It seems that my default setup, doesnt have the Email address local part selected, thus using the alias 😉 So in theory, in the near future, i probably just need to add @123.com here, and it will generate the aliases ? Do i need to manually apply by any chance?

  11. Rafal

    Hey,

    how can i remove from all mailbox smtp address with specific format? By mistake i add by policy smtp alias in format alias@domain.com and now i want to remove it from all mailbox.

  12. Marietta

    We are preparing for the rebranding of the company which also includes changing the primary email addresses. We are going from first.last@internal.company.com to first.last_Initial@internal.company.com. I know I can create a policy for this but there are several who prefer firstname@internal.company.com. Can I set the policy and manually or run a script to create the email with first name only? Also will I need to manually add the email address for any future account with first name only?

    1. Paul Cunningham

      Use a policy to configure the bulk of the users to the standard. For any exceptions you can disable them from using email address policies and manually add whatever email address they prefer.

      For new accounts, yes usually you’ll need to manually deal with them. Mailboxes are created with EAP enabled by default, so post-creation you could disable the mailbox for EAP and manually add the preferred address.

      1. Marietta

        Thanks I will be making this happen today.

        1. Marietta

          One additional question. I want to add the email addresses to all accounts but do not want it to be applied until the weekend. I will set the schedule for that time. My question is will the addresses populate immediately but just not be enabled until the weekend or will they populate when the policy is applied?

          1. Paul Cunningham

            I create the policy when I want it to take effect, just to be sure.

  13. Robert Woods

    Need to change our domain from @domainname.com to @DomainName.com for vanity reasons. We’re building a People/Phone list in SharePoint and all the domains are not uniform. Since policies are additive only is there any way to use one to achieve the formatting I want?

    1. Paul Cunningham

      You’re just trying to change the case of the email address? You’ll probably need to write a script that disables email address policies for the mailbox, removes the lower case SMTP address, adds back the same address with the desired case, and then re-enables email address policies for the mailbox.

  14. Dan

    We’re migrating mailboxes to O365 in a hybrid configuration with Exchange 2013 and we need to change the primary email address for all users to a new address, but we cannot do that before migration for various reasons, so we have to perform it once all mailboxes are migrated to O365.

    Is using a policy the right approach here? How is AAD Connect affected by this if at all? The 2013 hybrid will remain on-prem with no mailboxes and purely as an admin server post migration.

    Thanks, Dan

    1. Paul Cunningham

      Without knowing all the details of your scenario, a policy is always my preference for bulk email address changes and management.

      1. Dan

        Thanks Paul, I’ll do some further digging 🙂

      2. Dan

        I had a read through your O365 ebook and a few forums… Would the below pan out as easily as this? Just after the easiest and less impact to users of performing this post-migration.

        1. New domain added into the O365 tenant and verified
        2. Update the Exchange on-premise Email Address Policy to use the new email address
        3. AAD Connect will now sync the updated “WindowsEmailAddress” property, which will in turn update any mail enabled objects “PrimarySMTPAddress” property in O365
        4. All objects are now updated with the new email address using the new domain

        Seems too easy… what have i missed? 🙂

        1. Paul Cunningham

          Sounds like you’re planning to modify the existing EAP and have it apply to everyone in one go. That wouldn’t fly in most of the change management processes I’ve worked under.

          1. Dan

            Will most likely create a test policy identical to the existing one, add in a few users and apply the new email domain to the new test EAP. Check it works, make sure there aren’t any AD conflicts and then apply it across the entire user population. Only about 2,000 users, so hoping it’s not too much of an issue.

  15. Andrew Moss

    Paul,

    What would cause a newly created policy not to work? I set up a new one using the steps listed here but even after applying the policy the new address is not added to the recipient in the OU

    1. Paul Cunningham

      Usually means the filter you’ve written doesn’t include that recipient, or another higher priority policy is being applied.

      1. pramod kumar

        I am creating user mailboxes with a email address , they are getting created but some weird email address are also created with a different domain name like I am creating a user 7809@domain-retail.com which is an accepted domain but some other weird number are created with -98675@domain.com which is also accepted domain

        is anything to do with email address policy

  16. Mike

    Paul, recently we migrated from 2003 to 2010. I did not really pay a lot of attention to the email address policy on 2003 simply because there was only a default policy. The email addresses have been firstname.surname@domain.com. It looks like after moving the mailboxes to 2010 the email addresses changed to alias@domain.com – obviously because of the 2010 default policy. But also my colleague was told that the old addresses firstname.surname@domain.com have been missing. Since when are changes in email address policies removing stuff? I can’t believe that this was the case and happened because of the migration! Any ideas? Thanks

  17. Nashty

    I just edited my default E-Mail Address Policy removing an SMTP Address for the local Domain since it is not routable. My belief after reading this article was that existing accounts would not have the change affect their existing email addresses since “Note: Email Address Policies are Additive Only” The Policy removed the local domain SMTP address from all Recipients?

    Running Exchange 2010-SP3

    1. Paul Cunningham

      Correct, removing an address from a policy will not remove it from recipients.

  18. John Hoye

    Paul, I’m about to implement this change myself, and had the curious question asked if this would affect conversation view in outlook clients. I am going to test anyway, but was curious if you knew ahead of time if conversation view for client’s would change if their reply address was changing due to the address policy.
    -John.

  19. Fredrik

    Hi again, just got it to work now. Checked eventviewer for errors and found event 1053

    Exchange ActiveSync doesn’t have sufficient permissions to create the “CN……

    Had not set the new users to get inherited permissions.

    Thanks anyway.

  20. Fredrik

    Hi, great instruction. I managed to do all of the above and everything works fine except Outlook anywhere for the new users. I can’t find any configuration differences between the users on the AD level but they just refuse to connect. If I test and just change the user credentials to an “old” user on my tablet it works fine. Unfortunately I don’t have any logs or anything of that nature (yet) since I am not very experienced with Exchange2010.

    Is there any other step I have missed that I need to do to get these users to work?

    Any pointer would be very appreciated.

    /fredrik

      1. Fredrik

        Hi, I don’t know if I changed anything. I wanted to add a domain and create three users that would have xxx@newdomain.se as their default email. Did as the instruction above and all works just fine except Outlook Anywhere. When I try to connect with one of the new users my tablet just times out. I have successfully connected with an old user from the tablet so I am pretty sure it’s not the tablet.

        You really suspect that it is some permission issue but I am far from an expert on Exchange and I can’t find any config differences between an old user and the new one except for the email address and the fact that new users are in a different OU as in the instructions above.

  21. basavaraja

    Very nice blog.
    I am not seeing the below policy option in the exchange server.
    1.MaxEmailHTMLBodyTruncationSize
    2.MaxInactivityTimeDeviceLock.
    3. RemoteWipe

    Thanks in advance.
    Basavaraja

    1. Paul Cunningham

      Those things have nothing to do with Email Address Policies, which is the topic of this article.

  22. Michel

    hi Paul,

    Thank you for the article!
    Only I got a question about the applied setting. There was an earlier question from someone, but I didn’t find an answer for my situation.

    I created some email address policies with EMS, but afterwards the setting was set as “not applied”, but I noticed that the policy is applied for new mailboxes which match the recipient filter. Also adjusting existing mailboxes with the automatic update setting on forced the email address to change as mentioned in the policy. So I did not find any difference, applied or not, same result!?! Do you know why?

    Running 2010 sp3-ru7

    Regards,
    Michel

    1. Paul Cunningham

      This is explained in the article in the section titled “WHEN ARE EXCHANGE 2010 EMAIL ADDRESS POLICIES APPLIED?”

  23. Michael

    Hi. Suppose you have an organization with 300 mailboxes and 100 of them have the check box UNchecked to Automatically update e-mail addresses based on e-mail policy? What would be the easiest course of action to have all of those accounts update with the newest SMTP Address in the new policy?

    Thanks.

  24. James

    When using EMC, you get a chance to preview the results of the conditions in the email address policy. Is there an equivalent to doing this using EMS?

    1. Paul Cunningham

      Do a Get-Recipient with the same filter conditions as your policy.

  25. Renggli Joerg

    Hi Paul,

    Excellent article as always !
    We have an old e-mail policy that I don’t really understand, hope you could clarify it for me.

    The policy was made by PowerShell, the recipients filter is “DisplayName -eq ‘@mustnotmatch!'” and under “Apply Additional Inbound Domains” are about 30 different mail domains.

    Could you think of a scenario for that policy?

    Thank you for your time
    Regards
    Joerg

    1. Paul Cunningham

      The filter makes it seem like someone has tried to ensure that the policy never matches any recipients.

      1. pramod

        I am creating mailboxes for the users but when I create them some unknown numbers come with the email addresses like -78654@domain.com. Is it because email address policy is not applied to that domain?

        1. Paul Cunningham

          If an email address is being automatically applied, then it is being applied by an email address policy. If you have multiple policies, then you need to work out which policy is applying to that user, and look at the email addresses that the policy is configured to apply. Also keep in mind that the policy can’t apply the same address to multiple users, so if there’s a conflict then it will append characters to the address to keep them unique.

  26. Pham Trung Duc

    Thanks Paul for your very great contribution !

  27. Merlyn Zong

    Paul, thanks for your contribution on email address policy.
    I have a question on how the sequence of Email Addresses works.
    I manage 2 Exchange 2010 organizations

    Policy (organization 1)
    1. @b.com
    2. @a.com (reply)
    Email addresses:
    1. name1@b.com
    2. name1@a.com (reply)

    Policy (organization 2)
    1. @b.cm (reply)
    2. @a.cm
    Email addresses:
    1. name1@a.cm
    2. name1@b.cm (reply)

    proxyAddresses of the AD user property will have the same sequence as Email addresses. Because I need to use the vbs to get the proxyAddresses of each user, it will always use the first one of Email addresses in Exchange. I wonder can we have the addresses in order for the new user account, like name1@b.com or name1@b.cm will be the first address (reply).
    I know the new domain will be the first one in Email addresses if I create/modify the policy.

    1. Merlyn Zong

      correction:

      like name1@b.com or name1@b.cm will be the first address(reply).
      to:
      like the default reply address will be always the first one in Email addresses.

  28. david

    hi
    does the edit of the default email address policy in Exchange 2010 affect all existing users?
    I want for now only the new users to obtain a different smtp address.

    regards
    david

    1. Paul Cunningham

      It will impact every user that the policy applies to. Take a look at the section of the article about when policies are applied.

  29. Diego

    Hi Paul,
    I’m trying to find a command to remove a secondary SMTP address on Exchange 2007. Set-Mailbox -EmailAddresses @{remove=”example@mydomain.com” is not working for me. I’m receiving the following output:

    ———————————————————————————————————
    Set-Mailbox : Cannot bind parameter ‘EmailAddresses’. Cannot convert the “Syste
    m.Collections.Hashtable” value of type “System.Collections.Hashtable” to type ”
    Microsoft.Exchange.Data.ProxyAddress”.
    At line:1 char:55
    + Set-Mailbox -Identity mydomainexample -EmailAddresses <<<< @{Remove="example@rootdomain.com"}
    + CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBin
    dingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.Exchang
    e.Management.RecipientTasks.SetMailbox

    ————————————————————————————————————–

    What am I doing wrong? Is there another command to perform this with PowerShell?

    Thanks in advance.

    Diego.

  30. Joe C

    Thanks for the informative write up. I have a question about Distribution Groups. I cannot find a way to have the email address policy applied to the Distribution Groups even though I have the box checked off to automatically update email addresses based on the email address policy. Do I need to choose All Recipient Types when creating the policy?

    Is there a way in EMS to check if the policies are applied to the distro groups like you can with mailboxes? Thanks

  31. Ivan

    Hi Paul,

    I have a problem with “department” attribute for distribution groups.
    There are some DGs with department = DEPT1

    Also there are 2 EAPs:
    Priority 1 – Catch all recipients with department = DEPT1 and assign %m@DEPT1.com
    Default – Catch all recipients and assign %m@default.com

    If I manually apply (via ECP) EAP with priority 1 then all DGs with department = DEPT1 will get @DEPT1.com addresses as it should be, but if I change one of those DGs, for example display name, default policy will set %m@default.com address.

    This occurs only with distribution groups, all users behave correctly.

    I have Exchange 2010 SP3 RU6. AD Forest 2008 r2 with no migrations in past.
    I would appreciate any advice.

  32. Liam Barry

    Great Article Paul,

    I need to add 350 SMTP secondary email addresses.

    Can this be done via EAP ?

    All users are in the same OU. They have a primary SMTP that I do not want to change but need to add a secondary address.

    Thanks,
    Liam

    1. Paul Cunningham

      I’m not sure whether you mean add one secondary email address to 350 users or add 350 secondary email addresses to each user.

      But either way, yes.

      1. Liam Barry

        Sorry for the confusion:

        We need to add a new email address to all users in an OU. But this new email address should not be the primary SMTP address.

        1. Paul Cunningham

          Sure. Create an email address policy that contains the primary and secondary email addresses you want.

          Do it first on a test OU if you need to try it out.

  33. Shane Bryan

    Thanks Paul. That listed everyone. What i’m after is a list of people with the “Automatically update e-mail addresses based on e-mail address policy” option unticked on their profile.

    Is that doable do you think?

  34. Shane Bryan

    Hi guys. Is there a powershell command I can run to list the users not inheriting the default email address policy?

    We’re about to make a change and I want to know beforehand, how many user objects I will need to update manually.

    Cheers Shane.

    1. Paul Cunningham

      Sort of… The recipient filters on the email address policies can be used to filter Get-Recipient cmdlet results… so I guess one way to look at it would be:

      [PS] U:>$filter = (Get-EmailAddressPolicy "POLICY NAME").RecipientFilter
      [PS] U:>Get-Recipient -Filter $filter
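
An added example, not part of the original thread: one way to answer the questions above about listing recipients whose "Automatically update e-mail addresses based on e-mail address policy" box is unticked before a policy is changed. It builds on the Get-Recipient approach in the reply above and assumes the Exchange 2010 Management Shell; the policy name and report path are placeholders.

```powershell
# Run in the Exchange Management Shell. Read-only: it changes nothing.
$policyName = 'POLICY NAME'           # placeholder: the policy you are about to change
$reportPath = '.\eap-pre-change.csv'  # placeholder: where to save the snapshot

$policy = Get-EmailAddressPolicy -Identity $policyName

# Preview the recipients the policy's filter matches, scoped to the
# policy's container when one is set (the default policy has none).
$query = @{
    RecipientPreviewFilter = $policy.RecipientFilter
    ResultSize             = 'Unlimited'
}
if ($policy.RecipientContainer) {
    $query['OrganizationalUnit'] = $policy.RecipientContainer.ToString()
}
$matched = @(Get-Recipient @query)

# Snapshot the current addresses so a primary SMTP address can be restored later.
$report = $matched | Select-Object Name, RecipientTypeDetails,
    EmailAddressPolicyEnabled, PrimarySmtpAddress,
    @{ Name = 'EmailAddresses'
       Expression = { ($_.EmailAddresses | ForEach-Object { $_.ToString() }) -join ';' } }
$report | Export-Csv -Path $reportPath -NoTypeInformation

# Recipients with automatic update turned off are not restamped by the policy,
# so these are the ones that would need a manual or scripted update.
$manual = @($report | Where-Object { -not $_.EmailAddressPolicyEnabled })
'{0} recipients match the filter; {1} have automatic update turned off' -f $matched.Count, $manual.Count
$manual | Sort-Object Name | Format-Table Name, RecipientTypeDetails, PrimarySmtpAddress -AutoSize
```

A recipient that matches this filter may still be governed by a different, higher-priority policy, so check the priority order before reading the counts as final.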

  35. Chris F.

    Very informative write up. Thanks very much. One of the issues we have when creating mailboxes, being a large organization is when we have more than one person with the same first initial and last name. For example, jsmith@corp.com. Logically the next jsmith would be jsmith2 , etc. However, when we hit magic number 10 it gives us something like jsmith1b984c@corp.com. I assume this is like a hex representation but would really like it if it would just keep incrementing 10, 11, 12,13, etc. without having to manually edit the newly created address to correct it. Any help would be appreciated.

    Thank you.
    Chris

  36. Gareth Gudger

    Thanks for the great article Paul.

    How can you tell what Address Policies the user is receiving aside from examining the SMTP addresses? Not seeing anything in Get-Mailbox or EMC/EAC to indicate which policies are actually applying to the user.

    Thanks!

  37. Mike S

    Looks like at some point the mailbox checkbox to apply the policy gets turned on for some accounts while on Exchange 2007 however not until the mailbox is actually moved (modified seems to be the trigger) to Exchange 2010 does the address policy update and make the change. We have exported the SMTP addresses to have a reference in case a user goes incorrect after the move and we need to restore their Primary SMTP. Odd but workable.

  38. Mike S

    Thanks for the confirmation. We are reviewing patch levels on the servers and settings now to try and determine the cause. We have 600 accounts out of the 4500 affected so a MS call may be needed. If something is found I will post.

  39. Mike S

    Nice article. I have a scenario not covered. Exchange 2007 has 4500 users. Added Exchange 2010 servers to the mix to prepare for a migration. Address policy applies based on a specific custom attribute 1 value as default however about 10 percent of the accounts have the auto update address unchecked in EMC to allow a custom address to be used as default SMTP. When we “local move” the mailbox the address box becomes checked and a new primary SMTP based on the existing policy applies as default. We need to manually remove the check and reset the custom address. How can a user be moved without the address policy turning back on if originally unchecked? Thanks.

    1. Paul Cunningham

      I’ve never noticed that behaviour before, so I’m not sure how to avoid it. Will see what I can find out.

    2. Paul Cunningham

      Just did a quick test of a 2007 -> 2010 move and did not see the same behaviour. Maybe review your move request logs/reports or open an MS support case to dig deeper.

  40. Ramon

    Great article Paul.

    One question: I’ve migrated my Exchange server from 2003 to 2010

    Before that, if I sent a document pdf by email from my multi-function printer using the alias (without @mydomain.com) in the to: field, the server sent the email.

    Now, in 2010, if I use the alias doesn’t work, but if I use alias@mydomain.com it works.

    Some ideas..

    Thanks in advance

    Ramon

    1. Paul Cunningham

      Exchange 2010 won’t accept an invalid address as the “From” address. An alias without the @domain.com is not a valid address. So the solution is to make sure your devices (or any other application) that is going to use the Exchange 2010 server for SMTP is using a valid address.

  41. Andre

    Great article Paul, thanks.
    Is there any mechanism that will allow you to mass remove the no longer valid secondary email addresses?

      1. Andre

        Is there any sample script anywhere we could modify or do we need to become PowerShell script experts?

        1. Roger Johnson

          Here is a really basic version of a script to do this. Basically you pull in the proxy addresses that are NOT part of the domain you want to remove, then take that variable and make that the new proxyaddresses value.

          # {user} and {domain to remove} are placeholders
          $o = Get-Mailbox -Identity {user}
          # Keep every address that is not in the domain being removed and is not an X400 address
          $address = $o.emailaddresses | where {$_.proxyaddressstring -notmatch "{domain to remove}" -AND $_.prefixstring -ne "x400"}
          # Write the filtered list back as the mailbox's complete set of addresses
          Set-Mailbox -Identity {user} -EmailAddresses $address

          You can expand that in all kinds of ways with some basic looping. I cleaned up a large number of users using this model, both old E2k X400 addresses and SMTP addresses. With a little work you could do prefix removals as well (if you do decide to do a mass change of the prefix for a domain.)
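
An added example, not part of the original thread, that extends the approach in the comment above with the looping it mentions. It goes beyond the comment in two ways: the domain is compared exactly rather than with -notmatch (which treats its pattern as a regular expression, so a dot matches any character and a shorter domain also matches longer ones containing it), and a primary address is never removed. The domain is a placeholder.

```powershell
# Run in the Exchange Management Shell. Set-Mailbox is called with -WhatIf,
# so nothing changes until that switch is removed.
$retiredDomain = 'olddomain.example'   # placeholder: the domain being retired
$suffix = '@' + $retiredDomain

Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    # Proxy addresses as strings, e.g. "SMTP:primary@..." or "smtp:secondary@..."
    $all = @($mbx.EmailAddresses | ForEach-Object { $_.ToString() })

    # SMTP addresses (either case of the prefix) whose domain is exactly the retired one
    $inDomain = @($all | Where-Object {
        $_ -like 'smtp:*' -and
        $_.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)
    })

    # An upper-case "SMTP:" prefix marks the primary address: report it, never remove it
    $primary = @($inDomain | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -gt 0) {
        Write-Warning ('{0}: primary address {1} is in the retired domain and was left alone' -f $mbx.Name, $primary[0])
    }

    # Only lower-case "smtp:" (secondary) addresses are candidates for removal
    $drop = @($inDomain | Where-Object { $_ -clike 'smtp:*' })
    if ($drop.Count -eq 0) { return }   # nothing to remove for this mailbox

    # Everything else, including X400 and other non-SMTP entries, is kept as is
    $keep = @($all | Where-Object { $drop -notcontains $_ })
    Write-Host ('{0}: removing {1}' -f $mbx.Name, ($drop -join ', '))
    Set-Mailbox -Identity $mbx.DistinguishedName -EmailAddresses $keep -WhatIf
}
```

If an email address policy that applies to the mailbox still lists the domain and automatic update is on, the address can be stamped again the next time the policy is evaluated, so take the domain out of the policy first.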

  42. James

    Excellent article, thank you for the clear and concise details!

  43. Luke

    Paul,

    I have a policy that was setup to add Full Access Permission for two admin users to have access to any new mailbox that is created by a previous administrator that no longer works for this company. I can’t seem to find out where that policy would be in place. I would like to edit that policy to remove his user and replace it with mine. This seems to be the location for that, but I am not seeing any options for it.

    1. Paul Cunningham

      That is not an email address policy. My guess is they’ve added permissions at the database level (run “Get-MailboxDatabase | Get-ADPermission” and look through the output).

      What you’re proposing is not ideal, in my opinion. I always grant and then remove mailbox permissions as required on a case by case basis, rather than leave a persistent ACL in place.

  44. Pradeep kumar

    Hi Paul,

    Is there any possibility in Exchange 2010 if we can create email policy with “SAMAccountname@domain.com”.

    In my case Alias name and SamAccountname are different.

    Thank you!

  45. Lucky Hamu

    I have a quick question that I applied email address policy for our new domain but when user receives email from external domain the address shows the secondary domain email address. kindly guide how to set this policy default that shows in new domain entry while receive email.

    1. Paul Cunningham

      A sender can still send to a valid secondary address on your mailbox. There’s nothing about Email Address Policies that can change that.

  46. KCF

    Thank you for the article Paul.

    Is it possible for a deleted address policy to break and continue to issue addresses to users? I have several users that have addresses associated with a dead and removed domain. The addresses repopulate if I delete them. Looking at the user I see they belong to 2 email address policies (get-mailbox “user” | select-object policiesincluded). Yet I can only validate the existence of 1 policy based on its GUID. I cannot locate a GUID to match the other policy in my email address policy list.

    I’m open to suggestions. Thank you so much.

    1. Paul Cunningham

      I guess it’s possible but I’ve never seen it happen. You could open ADSIEdit and see if the policy is still visible in there.

      1. KCF

        Thank you for the suggestion. But alas … no. I found only the policies that I would expect to find with ADSIEdit. Does Exchange maintain a hidden EAP? It appears that all our user objects list 2 policies in their PoliciesIncluded attribute – the default EAP and one other EAP. Is that the norm? What do you find with your users?

  47. RC

    great article, thanks Paul …what would we do without you ? nothing else out on the web even close to as informative as this article on the subject…

  48. Tobias

    After changing the policy from alias to firstname.lastname the out-of-office function was broken for all the users in Outlook and I can’t seem to fix it. It works in OWA.

    Do I need to make any change anywhere to make this work?

      1. Tobias

        Broken = … server is not available at the moment. Please try again later.

        The server is available and the Ctrl + Outlook test shows success.

  49. Jacky

    This was very helpful. How did the world get anything done before Google?!?

  50. nick

    Ace article!
    Quick question:
    Is an email address policy a requirement as part of adding a new accepted domain? I am adding a new domain to accepted domains, but it’s only going to be used for 1 or 2 mailboxes. Can’t I just manually configure the SMTP address for those mailboxes?

  51. Dinesh

    Thx Paul. Excellent article as always! Keep up the good work man 🙂

  52. Filipp

    Hi,

    > I don’t want to have to correct 20K users.
    Hehe, that’s why many people hate EAPs. Okay, to be more exact: It’s the uncertainty, what makes people hate it. That’s why I went over to deactivate “Automatically update…”, that gives you certainty. Really: What do you need automatic updates for? If I ever come to update email addresses for our users, I would _always_ do this with a customized script, where I can fully control what happens, and I would _never_ leave this over to some background process. What should be the advantage of it?

    JMSP

    Filipp

  53. Daryn

    So just a verification, if I change the primary smtp address in the policy and hit “Do Not Apply”, it won’t apply anything then, it’s only going to do it to new accounts thereafter? I need to change ours but want to make sure it’s not going to go off to the races adding and changing everyone’s address, I don’t want to have to correct 20K users.

  54. Fred

    Great article! This topic always gets a little fuzzy if I haven’t worked with it for a while. This clears things up in a very pleasant way. Thank you for posting it this clear.

    Cheers,
    Fred

  55. Tore Meum

    Hi Paul.

    Great article.
    What if your user has a double first-name or last-name, and want to use . in between all names? (e.g. john.phillip.doe@example.com) Default firstname.lastname will just give you johnphillip.doe@example.com…?

    Any suggestions on that one?

    Best Regards
    Tore

  56. Filipp

    Hi,
    really nice post. There’s only one information I miss (and also can’t find on MS): What happens, if the policy chooses an address, which is already used by someone else. E.g. if you have your 2nd Jo Rigby (in the same OU). Will he get no addresses then? Will he get Jo.Rigby2@example.com? Can you control this behaviour?
    Best Regards
    Filipp

      1. Marc LeBlanc

        Is there any way to change this behaviour, so that it’ll use a different format, such as firstnamelastname@example.com instead of appending the 2?

        Thank you for everything you’ve published; I use your articles on a regular basis.

  57. Chandru R

    Hi Paul,

    Excellent article. Thanks

  58. Aaron

    Thank you very much. Helped a lot. Greetings from sunny Switzerland.

  59. J Jones

    Are you sure they get applied anytime an object is changed? I have a policy to make all domain users firstname.lastname@domain.com but when HR changes someone’s name in AD, the policy is not applied to the change.

    1. Paul Cunningham

      Changes made in AD Users & Computers don’t cause the policy to reassess.

      1. Sai

        I am trying to check if there is a way we can force a reassessment of policy.

        My Requirement – When First/Last Name Changes New Primary SMTP should be set accordingly.

        Can I simply disable and enable the mailbox account? This is prod… will I lose anything?

        Thanks,
        Sai

        1. Paul Cunningham

          If you disable the mailbox all of the Exchange attributes are removed and the mailbox is marked for deletion in the database. So I do not recommend doing that.

          Email address policies are re-evaluated any time a change is made to the mailbox using Exchange management tools.

        2. Filipp Geyer

          Hi,

          there’s a cmdlet Update-Recipient, which should reapply Address Policies (together with other stuff like updating Addresslist-Membership etc), if the relevant attributes were not changed with Exchange Management Shell. Give it a try…

          Regards

          Filipp

  60. shafeeque

    Very good article. Thank you Paul.

  61. Turbomcp

    Thanks paul

  62. Rusty Shackleford

    Excellent article. This is one of the most complete ones I have read. I appreciate you covering how a new policy impacts existing email addresses and the impact of removing an email address policy.

    1. Sagar

      Totally agreed.
      Reading this in year 2016 as I have to take over a new project and provide support.
      Just got the access to the Exchange server and got overwhelmed by the Email Server Policies. I was searching all over the internet for simple explanation.
      But finally found the simple and nicely explained article here. Thanks a lot Paul.
      Amazed how you take out time to make these articles in between your consultations.
