When you update certain properties of a master account, Exchange Resource Forest Management updates those properties in both the master account and shadow account. These properties are referred to as synchronized properties. For details, see Synchronized properties earlier in this document.
To verify the behavior of synchronized properties
You can review the updates to the account properties by using the Change History command on the master account and on the shadow account—the Change History results provide information on which properties were updated, what changes were made to the properties, who performed the update, and when.
When you view or change certain properties of a master account in an accounts forest, Exchange Resource Forest Management redirects the retrieval or change request to the properties of the shadow account in the Exchange forest. Such properties are referred to as substituted properties.
All the substituted properties that are mandatory for Exchange Resource Forest Management to work are listed in the Substituted properties section, earlier in this document. These properties used to store mailbox settings. As mailboxes are located in the Exchange forest, the updates to such properties need to be performed on the shadow accounts. Exchange Resource Forest Management implements a mechanism for capturing updates to substituted properties on the master account side and then applying those changes on the shadow account side.
You can view or modify some of the substituted properties on the Web Interface pages for managing Exchange recipient properties of a mailbox-enabled user account in the Accounts OU.
To view or change Exchange properties on the master account
Once you have completed these steps, your changes are applied to the shadow account associated with the master account you were administering. You can verify this by using the Change History command on the shadow account. The Change History results indicate that the changes were actually made to the properties of the shadow account, in the Mailboxes OU.
When you use Active Roles to deprovision a master account, Exchange Resource Forest Management causes Active Roles to deprovision the shadow accounts as well. In this way, Active Roles deprovisions the master account’s mailbox. You can verify this behavior by using the Active Roles Web Interface.
To deprovision a master account
Once you have completed these steps, the Deprovision command is performed not only on the master account but also on the shadow account. You can verify this by using the Deprovisioning Results command on the shadow account in the Mailboxes OU.
This section shows how Exchange Resource Forest Management facilitates delegation of the membership management task for distribution lists. To perform the procedures in this section, you need the following environment:
The following procedure demonstrates how to delegate the task of managing the DL membership list to the user account John Smith.
To delegate the membership management task
This opens the General Properties page for the shadow account.
This opens the Select Object dialog box allowing you to specify the manager account.
Although you have specified the shadow account as the manager of the group, Active Roles updates security settings on the group so that the master account is authorized to add or remove members from the group by using conventional tools such as Microsoft Outlook.
If you clear the Manager can update membership list check box, or change the manager of the group, Active Roles updates the security settings to revoke the former manager’s right to modify the membership list of the group.
After you have specified the shadow account as the manager of the DL group with the Manager can update membership list option, force Active Roles to give the manager rights to the master account by executing the scheduled task ERFM - Mailbox Management held in the Configuration/Server Configuration/Scheduled Tasks/Builtin container or wait for a scheduled run of that task. Then, you can verify that the master account can use Microsoft Outlook to add or remove group members, provided that Outlook is configured to connect to the mailbox for the John Smith user account: