Using PowerShell to Manage Groups, Part 1
New Exchange 2007 functionality brings convenience and power
September 24, 2007
PowerShell is becoming increasingly important in the Windows administration landscape now that Microsoft has decided to include PowerShell as part of the base Windows OS, starting with Windows Server 2008. And if you're an Exchange Server administrator, you can bet that PowerShell is on your horizon. New to Exchange 2007 is the Exchange Management Shell (EMS), a collection of more than 370 commands that deal with Exchange objects. This new scripting functionality delivers a huge amount of potential for automating common administrative operations in Windows and particularly in Exchange.
One of the greatest aspects of Exchange 2007, therefore, is that you can now use PowerShell commands to create, edit, populate, and delete both standard and dynamic groups. Of course, you can continue to use the Exchange Management Console to work with groups, but sometimes it's just more convenient to use shell commands, as you'll see. Let's take a look at how PowerShell can simplify your management of groups in both Windows and Exchange.
Exchange Groups
Groups—or Distribution Groups (DGs), to use an older term—have always been important to Exchange. They provide a convenient method for collecting sets of users to which you want to address email (e.g., a mail-enabled DG) or to assign permissions over objects (e.g., a security group). To be mail-enabled, a DG must have an email address, and you can assign a security principal to a mail-enabled DG for both email and security purposes. In Exchange 2003, Microsoft added dynamic (or query-based) DGs: groups that Exchange expands on demand—by executing a query against Active Directory (AD)—to build group membership.
When you install Exchange 2007 on a server, you're also installing EMS. EMS not only extends the basic PowerShell environment with its Exchange-specific commands but also extends your ability to work with basic Windows objects (e.g., groups) so that they function properly in an Exchange environment. You can also install EMS along with the other Exchange 2007 management components on a Windows XP SP2 workstation—as long as you first install the prerequisites (i.e., PowerShell 1.0 and .NET Framework 2.0 or later). Currently, Microsoft doesn't support EMS on a Windows Vista workstation, although the company has indicated that it will soon support all the Exchange 2007 management components on Vista.
Windows Groups
Windows also supports groups in the absence of Exchange. In most cases, you use such groups to manage permissions over objects so that you can allocate permissions to a group rather than giving permission to each individual account. If you install PowerShell on a server, you can use a limited set of commands to work with basic groups. The available commands are Get-Group (for retrieving details about an existing Windows group) and Set-Group (for setting the properties of an existing Windows group).
You immediately notice a problem: There are no commands for creating a new group, removing a group, or adding members to a group. Windows forces you to perform these operations through the Microsoft Management Console (MMC) AD Users and Computers snap-in. In addition, these commands don't work with dynamic groups because those objects are specific to Exchange. However, these basic commands are compelling because you can use them to manipulate properties that are available through AD Users and Computers. For example, you can retrieve the properties of a group with a command such as
Get-Group 'Editors' | Format-List
Figure 1 shows the output. To update a property, you can use the command
Set-Group -id 'Editors' -DisplayName 'Nice people who edit magazines' -ManagedBy 'Sam Smith'
However, the Set-Group command doesn't let you update membership information. You can update the WindowsEmailAddress property to add an SMTP mail address to the object, but that's not the same as mail-enabling a group for Exchange. Updating the WindowsEmailAddress property simply adds the address in the same way that Microsoft SharePoint adds email addresses to its objects so that email can be sent to them.
Enabling a Group
After you install EMS, you can use the Enable-DistributionGroup command to enable Windows groups to work with Exchange. For example, to enable the Editors group, you would use the command
Enable-DistributionGroup -id 'Editors'
Enabling a group means that you're updating its AD properties with all the data required to make the group fully functional in Exchange terms.
If you use the Get-DistributionGroup command to examine the group's properties afterward, you'll see a different set of properties than you see with Get-Group, as Figure 2 shows. The list of properties has expanded to support the full set of Exchange-enabled functionality. Exchange has created a primary SMTP address by reference to the email policy for the organization, and now available for management purposes are such properties as maximum receive size, maximum send size, accept messages from, and address list membership, as well as a set of 15 custom attributes.
You don't need to create a group in Windows before you enable it for Exchange. You can use the New-DistributionGroup command to create a fully provisioned Exchange group from scratch. For example, here's how you would create the Editors group:
New-DistributionGroup -alias 'Editors' -name 'Editors' -Type Distribution -org 'xyz.com/Exchange Users/Groups' -DisplayName 'Nice People who edit articles' -SamAccountName Editors -ManagedBy 'Tony Redmond'
Creating a group in this way gives you the same result you'd get if you created the group with Windows, then enabled it for Exchange.
If you need to disable a group and strip the Exchange properties, you can use the Disable-DistributionGroup command, as follows:
Disable-DistributionGroup -id 'Editors'
Because this command can affect users or functionality that depends on the existence of the group's Exchange properties, EMS will prompt you to confirm that you really want to proceed, as you see in Figure 3.
Of course, to completely delete a group, you can use the Remove-DistributionGroup command. This command deletes the underlying AD object. For example:
Remove-DistributionGroup -id 'Editors'
Working with Group Properties
You use the Set-DistributionGroup command to manipulate group properties (with the exception of group membership). For example,
Set-DistributionGroup -id 'Editors' -MaxReceiveSize 5MB -AcceptMessagesOnlyFromDLMembers 'Senior Executives' -CustomAttribute15 'Important Group'
updates the group so that it accepts messages only as large as 5MB and only from members of the Senior Executives group. This command also updates one of the custom attributes with text that you can use for other purposes (e.g., a criterion in a transport rule). If you want to be even more specific about who can send messages to the group, you can use the -AcceptMessagesOnlyFrom parameter to specify a user who can send messages to the group. You can also combine the -AcceptMessagesOnlyFrom and -AcceptMessagesOnlyFromDLMembers parameters to restrict senders to a single user plus the members of a group. You can specify multiple entries in these parameters. For example,
Set-DistributionGroup -id 'Editors' -AcceptMessagesOnlyFrom ((Get-DistributionGroup 'Editors').AcceptMessagesOnlyFrom + 'Alan Smith')
This code fetches the current value of the AcceptMessagesOnlyFrom property and appends a new user to it, then uses the updated list as the new value for the property.
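A defender's check built on the two sender-restriction properties discussed above, added here as an example and not part of the original article: it lists groups on which neither AcceptMessagesOnlyFrom nor AcceptMessagesOnlyFromDLMembers is set. Find-OpenGroup is a hypothetical helper name, the sample objects are constructed, and the code assumes PowerShell 3.0 or later.

```powershell
# Added example. Find-OpenGroup is a hypothetical helper, not an Exchange cmdlet.
# Assumes PowerShell 3.0 or later (for [pscustomobject]).
function Find-OpenGroup {
    param(
        [Parameter(ValueFromPipeline = $true)]
        $Group
    )
    process {
        # Both properties are multivalued. Drop $null so that an unset
        # property counts as zero entries rather than one.
        $senders = @($Group.AcceptMessagesOnlyFrom | Where-Object { $_ })
        $lists   = @($Group.AcceptMessagesOnlyFromDLMembers | Where-Object { $_ })

        [pscustomobject]@{
            Name           = $Group.Name
            AllowedSenders = $senders.Count
            AllowedGroups  = $lists.Count
            # No entry in either list: these two properties do not limit who can send.
            Unrestricted   = ($senders.Count + $lists.Count) -eq 0
        }
    }
}

# Constructed sample objects standing in for Get-DistributionGroup output.
$sample = @(
    [pscustomobject]@{
        Name                            = 'Editors'
        AcceptMessagesOnlyFrom          = @('Alan Smith')
        AcceptMessagesOnlyFromDLMembers = @('Senior Executives')
    },
    [pscustomobject]@{
        Name                            = 'All Staff'
        AcceptMessagesOnlyFrom          = @()
        AcceptMessagesOnlyFromDLMembers = @()
    }
)

# Show only the groups with no sender restriction at all.
$sample | Find-OpenGroup | Where-Object { $_.Unrestricted } |
    Format-Table Name, AllowedSenders, AllowedGroups -AutoSize

# Against a live organization, feed real groups instead of $sample:
# Get-DistributionGroup -ResultSize Unlimited | Find-OpenGroup
```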
Stay Tuned
We've only begun to explore the convenience of using PowerShell to work with Windows and Exchange groups. In Part 2, I'll dive further into the topic by showing you how to use shell commands to maintain group memberships and work with dynamic groups. Now that Microsoft has given you a complete set of commands to work with groups in Exchange 2007, the only question is how and when you'll begin to take advantage of those commands' power.