Membership management delegation
This section shows how Exchange Resource Forest Management facilitates delegation of the membership management task for distribution lists. To perform the procedures in this section, you need the following environment:
- Exchange Resource Forest Management configured as described in the Configuration section earlier in this document.
- A mailbox-enabled user account named John Smith created by Active Roles in the Accounts OU, so the shadow account for that user account exists in the Mailboxes OU.
- For the user account John Smith, on a computer in the accounts forest, Microsoft Outlook configured to connect to the mailbox of that user account.
- A mail-enabled group named DL, representing a certain distribution list, created in the Mailboxes OU.
The following procedure demonstrates how to delegate the task of managing the DL membership list to the user account John Smith.
To delegate the membership management task
1. In the Active Roles Web Interface for Administrators, open the Exchange Properties page for the user account John Smith:
   - Locate and select the Accounts OU.
   - Select the user account John Smith in the list of objects held in that OU.
   - Click the Exchange Properties command.
2. On the Exchange Properties page, go to the Shadow Account tab, and click the Properties button on that tab.
   This opens the General Properties page for the shadow account.
3. On the General Properties page, click the Account tab and note down the pre-Windows 2000 logon name of the shadow account.
4. In the Web Interface, open the Managed by tab for the DL group:
   - Locate and select the Mailboxes OU.
   - Click the DL group in the list of objects held in that OU.
   - Click the Managed by tab on the General Properties page that appears.
5. On the Managed by tab, click the Change button under the Manager box.
   This opens the Select Object dialog box allowing you to specify the manager account.
6. Use the Select Object dialog box to find and select the shadow account:
   - In the Name box, type the name of the shadow account you noted down in Step 3.
   - Click Search.
   - In the list of search results, click the name of the shadow account.
   - Click OK to close the Select Object dialog box.
7. On the Managed by tab, click Save; then, select the Manager can update membership list check box, and click Save again.
Although you have specified the shadow account as the manager of the group, Active Roles updates security settings on the group so that the master account is authorized to add or remove members from the group by using conventional tools such as Microsoft Outlook.
If you clear the Manager can update membership list check box, or change the manager of the group, Active Roles updates the security settings to revoke the former manager’s right to modify the membership list of the group.
After you have specified the shadow account as the manager of the DL group with the Manager can update membership list option, force Active Roles to give the manager rights to the master account by running the scheduled task ERFM - Mailbox Management, held in the Configuration/Server Configuration/Scheduled Tasks/Builtin container, or wait for a scheduled run of that task. Then, you can verify that the master account can use Microsoft Outlook to add or remove group members, provided that Outlook is configured to connect to the mailbox for the John Smith user account:
- Log on with the name and password of the John Smith account to the computer where Microsoft Outlook is configured to connect to the linked mailbox of that user account.
- Open Outlook and press Ctrl+Shift+B to display the Address Book.
- In the Address Book, double-click the DL group.
- On the General tab in the dialog box that appears, click Modify Members to add or remove members from the DL group.
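The delegation can also be checked on the group object itself. The following PowerShell is an added example, not part of the Active Roles documentation or product: it lists every trustee allowed to write a group's member attribute and flags whether each one is the expected master account. It assumes the Manager can update membership list grant appears as an allow ACE on the group's DACL; the account names and sample ACEs are constructed placeholders.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# schemaIDGUID of the Active Directory "member" attribute
$MemberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-MembershipWriter {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryAccessRule[]] $AccessRule,
        [Parameter(Mandatory)] [string] $ExpectedManager   # master account as DOMAIN\name
    )
    $write = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    foreach ($ace in $AccessRule) {
        # Allow ACEs only; the WriteProperty bit is also set in GenericWrite and GenericAll.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $write) -eq 0) { continue }
        # An empty ObjectType means "all properties"; otherwise it must name "member".
        # ACEs scoped to a property set are not evaluated by this example.
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $MemberGuid) { continue }
        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
            Expected  = $ace.IdentityReference.Value -eq $ExpectedManager
        }
    }
}

# Helper that builds a constructed allow ACE for the offline sample below.
function New-SampleAce([string]$Who,
                       [System.DirectoryServices.ActiveDirectoryRights]$Rights,
                       [guid]$Attr = [guid]::Empty) {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        [System.Security.Principal.NTAccount]$Who, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow, $Attr)
}

# Constructed sample DACL. For a live group, pass instead (ActiveDirectory module):
#   (Get-Acl "AD:\$((Get-ADGroup 'DL').DistinguishedName)").Access
$sample = @(
    New-SampleAce 'EXCHANGE\Domain Admins' GenericAll
    New-SampleAce 'ACCOUNTS\jsmith'        WriteProperty $MemberGuid   # current master account
    New-SampleAce 'ACCOUNTS\former.mgr'    WriteProperty $MemberGuid   # stale grant
    New-SampleAce 'EXCHANGE\Helpdesk'      ReadProperty  $MemberGuid   # read only, filtered out
)

Get-MembershipWriter -AccessRule $sample -ExpectedManager 'ACCOUNTS\jsmith' |
    Format-Table -AutoSize
```

A trustee reported with Expected set to False that is neither an administrative group nor the current master account indicates that a former manager's right to modify the membership list was not revoked.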
Mailbox type conversion
This section demonstrates how to perform mailbox type conversion using Active Roles. The following scenarios are covered:
Converting a linked mailbox to a user mailbox
If a given mailbox from the Exchange forest is assigned to a user from an accounts forest (linked mailbox), then you can use Active Roles to convert that mailbox to the user mailbox type. After you convert the mailbox, the external user (formerly master account) can no longer access the mailbox. The mailbox can only be accessed by the user account that is associated with the mailbox in the Exchange forest (formerly shadow account).
To convert a linked mailbox to a user mailbox
- Open the Active Roles Web Interface for Administrators, and select the mailbox user account in the Exchange forest (shadow account).
- Click the Convert to User Mailbox command.
- Click OK in the confirmation message box that appears.
After mailbox conversion, the mailbox user account remains disabled. To enable the user account, set the user password by using the Reset Password command, and then click the Enable Account command.
Converting a user mailbox to a linked mailbox
For a user mailbox in the Exchange forest, you can use Active Roles to assign that mailbox to a user from an accounts forest. This configures the mailbox as follows:
- The mailbox type changes to the linked mailbox type.
- The user from the accounts forest becomes the master account for the mailbox.
- The user associated with the mailbox in the Exchange forest becomes the shadow account.
The domain of the user from the accounts forest must be registered with Active Roles (managed domain).
To convert a user mailbox to a linked mailbox
- Open the Active Roles Web Interface for Administrators, and select the user mailbox in the Exchange forest.
- Click the Convert to Linked Mailbox command.
- Click Change under the Linked master account field, and select the user from an accounts forest.
- Click Finish.
As a result of these steps, the master account is assigned to the mailbox and the mailbox user in the Exchange forest becomes the shadow account, linked with the master account. If the master account is in the scope of the Exchange Resource Forest Management policy, the properties of the master account and shadow account are synchronized in the same way as when you configure a mailbox-enabled user in an accounts forest by using the Exchange Resource Forest Management solution.