Exchange Server 2010 Email Address Policies

There is a project running at the company I work for to separate one of the areas of the business into their own entity. Among other things this rebranding exercise also includes changing their primary email addresses.

For several versions of Exchange Server now we’ve had the capability to manage email addresses for recipients by using policies. In Exchange Server 2010 these are referred to as Email Address Policies.

In this article I’ll provide an overview of the key concepts of email address policies and demonstrate some examples of how they can be used.

The Exchange Server 2010 Default Email Address Policy

Any Exchange 2010 organization will have one email address policy named “Default Policy”. You can view this in the Exchange Management Console under Organization Configuration -> Hub Transport, in the Email Address Policies tab.

Exchange 2010's default email address policy

One of my gripes with managing email address policies in the console is that you can’t open a Properties view to see how they are configured. However you can right-click and choose Edit to achieve the same outcome.

The first thing you’ll notice is that the default policy is not scoped to any particular recipient container, so it will apply to any object in Active Directory. The other thing you’ll notice is that the policy will apply to “All recipient types”, not a limited subset of the available types such as mailboxes, contacts, or groups.

Scope of the default email address policy in Exchange 2010

At the next dialog you get a chance to preview the results of the conditions in the email address policy.

Previewing the results of email address policy conditions

If you preview the default email address policy you should see all mail-enabled objects in the organization returned.

At the next dialog you’ll see the email addresses that the policy will apply to those recipients that fall within the scope of the policy.

Email addresses applied by the default email address policy

So the outcome of this policy is that it will apply an email address of alias@exchangeserverpro.net (because alias is used if nothing else is specified) to any recipient type.

When are Exchange 2010 Email Address Policies Applied?

But when does the email address policy apply? At the next dialog we can see the schedule options for the email address policy.

Email address policy schedule options

The options we can choose from are:

  • Do not apply – the email address policy will be created (or edited) but not applied to the recipients that fall within its scope
  • Immediately – the email address policy will be applied immediately to the recipients that fall within its scope
  • At the following time – the email address policy will be applied at the nominated time. This is convenient if you are preparing the email address policy in advance of a scheduled change (such as the rebranding exercise I mentioned earlier)

Something you need to be aware of is that no matter which of the above options you pick right now, the email address policy will continue to be assessed and applied to recipients on an ongoing basis in the future each time a recipient is created or modified.

So for example when a new mailbox is created the email address policies are assessed and applied accordingly. Similarly, if you modify an existing mailbox user, for example to change their alias or move it to another database, the email address policies will be reassessed for that recipient.

For that reason you want to be sure that any email address policy that exists in your organization is ready to be applied to recipients.

Creating a New Email Address Policy with the Exchange Management Console

Click New E-Mail Address Policy to start creating a new policy.

New Email Address Policy

For this example I’ve narrowed the scope of the email address policy to just one particular OU for “Example Corp”, the new business entity.

Select recipient container for new email address policy

If that particular OU contained users in other companies I could also narrow the scope down based on Company or Department attributes, but in this example I don’t need to. Clicking Preview shows me the one user that exists in that OU so far.

Email address policy conditions

Next I’ll add an SMTP address of %m@example.com to the policy (%m = “alias”).

Configuring SMTP addresses for an email address policy

Note that whatever domain you choose to use here needs to have already been configured as an Accepted Domain for the organization. If you haven’t already done so you can switch back to the Exchange Management Console and add the domain without having to cancel your new email address policy wizard.

Finally I will choose not to apply the email address policy just yet, so that I can demonstrate some scenarios for this.

Choosing when to apply the email address policy

Finally, click New to create the email address policy. If it all goes well you’ll see a successful completion message.

Completing the new email address policy wizard

Note that the completion dialog reveals the PowerShell commands used behind the scenes to perform the task. This will be relevant later when we look at an example of creating an email address policy in PowerShell.

Applying Email Address Policies

Now let’s check the results. Because I chose not to apply the policy yet the user Amy Lawrence does not have an @example.com email address yet.

Email addresses before the policy is applied

If I move another mailbox user into the same OU, they also do not have the email address policy applied.

User moved into OU

Jo Rigby’s email addresses haven’t changed just because her OU membership changed.

No change to email addresses yet

However, if I modify Jo Rigby’s recipient properties, such as adding the new company name, and apply that change…

Modifying recipient properties to trigger email address policies

…the new SMTP address is immediately applied by the policy, because modifying and saving any change to a recipient triggers policy assessment.

SMTP addresses after email address policy is applied

If I simply wish to apply the email address policy to all of the users in that OU I can right-click the policy and choose Apply, and choose to apply it immediately or at a scheduled time.

Manually applying an email address policy

Now Amy Lawrence also has the new @example.com email address without me having modified any of her other recipient properties, because I manually triggered the application of the policy.

SMTP addresses after email address policy is applied

You may wonder how the primary SMTP address is determined when two policies are potentially valid for a recipient. The answer is in the priority value of each policy: only the matching policy with the highest priority is applied.

For example, new user Bob Winder in the Example Corp OU gets mailbox-enabled and only receives an @example.com SMTP address from the “Example Corp” policy, but doesn’t receive an @exchangeserverpro.net address from the default policy that is of a lower priority.

SMTP address for a new mailbox user

So each policy needs to contain all of the SMTP addresses that you intend those recipients to receive, so that new recipients get them all. You can’t rely on different email address policies to apply cumulatively.

Note: Email Address Policies are Additive Only

You may have noticed in the examples above that the prior SMTP address of @exchangeserverpro.net was not removed from the mailboxes; it was simply changed to being a secondary email address.

This is due to the behavior of email address policies in that they are additive only. An email address policy will not remove or overwrite an email address on a recipient.

If the recipient falls out of scope of the email address policy they will not have any email addresses removed from the account, though their primary SMTP address may change when a different policy applies. In the case of Jo Rigby, if she is moved out of that OU and her company attribute changed again (or any other modification made to trigger policy assessment) she reverts to an @exchangeserverpro.net primary SMTP address, but retains @example.com as a secondary address.

SMTP address changed after policy no longer applies

Nor will the removal of the email address policy entirely cause recipients to lose those email addresses.

Removing an email address policy

Note that removing a policy causes those recipients to assess policies again. Amy Lawrence’s primary SMTP address changed back to @exchangeserverpro.net with no other recipient modification or manual applying of other policies required, but again she retained the @example.com secondary address.

SMTP addresses after email address policy is removed

Creating a New Email Address Policy with the Exchange Management Shell

There will be times when you find the options available in the console when creating a new email address policy are not suitable for your particular scenario. In those cases you can use the Exchange Management Shell to create a more specific filter for the email address policy.

Email address policies are created using the New-EmailAddressPolicy cmdlet. This cmdlet has a -RecipientFilter parameter that opens up a whole lot more possibilities (the documentation refers to Exchange 2007 but is unchanged for Exchange 2010) for defining the scope of your email address policies. Just be aware that it can’t be used in combination with some other parameters, all of which is spelled out here.

So let’s look at one example of creating an email address policy in PowerShell using the capabilities of -RecipientFilter.

To begin with I’ve removed the policy I created in the console earlier, and manually removed the @example.com addresses from those mailboxes to start over with a clean slate.

Example Corp users in their OU

Now I’ll create the email address policy, using a recipient filter that checks display names for the string “(Example Corp)”. The new policy will have the following properties:

  • A name of “Example Corp”
  • A priority of 1
  • An email address template of “SMTP:%m@example.com” (the upper-case SMTP defines the primary SMTP address, lower-case would be a secondary SMTP address)
  • A recipient filter for the DisplayName attribute of “*(Example Corp)” (the * is a wildcard)

Running that as a command in the Exchange Management Shell looks like this:

New-EmailAddressPolicy -Name "Example Corp" -Priority 1 -EnabledEmailAddressTemplates "SMTP:%m@example.com" -RecipientFilter {DisplayName -like "*(Example Corp)"}

Name                                    Priority                                RecipientFilter
----                                    --------                                ---------------
Example Corp                            1                                       DisplayName -like '*(Example Corp)'

Now the new email address policy has been created, but as before it has not yet applied to any recipients. To trigger the policy for the three Example Corp users I’m going to modify their display names to append “(Example Corp)” to them. I’m just doing them individually here but you could script it if you had a lot of mailbox users to modify.

[PS] C:\>Set-Mailbox Jo.Rigby -DisplayName "Jo Rigby (Example Corp)"

Jo now has the @example.com SMTP address assigned by the new policy.

[PS] C:\>Get-Mailbox Jo.Rigby | select displayname,emailaddresses | fl

DisplayName    : Jo Rigby (Example Corp)
EmailAddresses : {SMTP:Jo.Rigby@example.com, smtp:Jo.Rigby@exchangeserverpro.net}

And if I change her display name so it no longer has “(Example Corp)” in it, she reverts to the primary SMTP address @exchangeserverpro.net and retains the @example.com as a secondary SMTP address.

[PS] C:\>Set-Mailbox Jo.Rigby -DisplayName "Jo Rigby"

[PS] C:\>Get-Mailbox Jo.Rigby | select displayname,emailaddresses | fl

DisplayName    : Jo Rigby
EmailAddresses : {SMTP:Jo.Rigby@exchangeserverpro.net, smtp:Jo.Rigby@example.com}
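
Because any policy that exists is assessed whenever a recipient is created or modified, it is worth checking who the filter will catch before running New-EmailAddressPolicy. The read-only report below is an added example, not part of the original article: it lists each in-scope recipient, whether automatic address updates are enabled for it, and whether the projected %m address is already held by another recipient. It assumes the Exchange Management Shell, models only the %m template, and the variable names and the eap-before.csv file name are illustrative.

```powershell
# Added example: read-only report for a proposed email address policy.
# Run in the Exchange Management Shell; it creates and applies nothing.

# Proposed values, taken from the article's example policy.
$proposedFilter = "DisplayName -like '*(Example Corp)'"
$proposedDomain = 'example.com'   # only the %m (alias) template is modelled

# Existing policies, so the new policy's priority can be chosen deliberately.
Get-EmailAddressPolicy |
    Format-Table Name, Priority, RecipientFilter, EnabledEmailAddressTemplates -AutoSize

# Recipients the proposed filter would bring into scope.
# @() guarantees an array, so an empty result does not loop once over $null.
$inScope = @(Get-Recipient -RecipientPreviewFilter $proposedFilter -ResultSize Unlimited)

$report = @(foreach ($r in $inScope) {
    $current   = [string]$r.PrimarySmtpAddress
    $projected = '{0}@{1}' -f $r.Alias, $proposedDomain

    # Is the projected address already held by a different recipient?
    $holder = Get-Recipient -Identity $projected -ErrorAction SilentlyContinue |
        Where-Object { $_.Guid -ne $r.Guid }

    New-Object PSObject -Property @{
        Name          = $r.Name
        Type          = $r.RecipientType
        # False = "Automatically update e-mail addresses..." is unticked,
        # so the policy will not touch this recipient.
        PolicyEnabled = $r.EmailAddressPolicyEnabled
        Current       = $current
        Projected     = $projected
        WillChange    = ($r.EmailAddressPolicyEnabled -and ($current -ne $projected))
        HeldBy        = ($holder | ForEach-Object { $_.Name }) -join ', '
    }
})

# Review rows where WillChange is True or HeldBy is not empty.
$columns = 'Name', 'Type', 'PolicyEnabled', 'Current', 'Projected', 'WillChange', 'HeldBy'
$report | Select-Object $columns | Sort-Object WillChange, Name |
    Format-Table -AutoSize

# Keep a copy of the current addresses as a reference for rollback.
$inScope |
    Select-Object Name, PrimarySmtpAddress,
        @{ Name = 'EmailAddresses'; Expression = { $_.EmailAddresses -join ';' } } |
    Export-Csv -Path .\eap-before.csv -NoTypeInformation
```

Rows with PolicyEnabled set to False keep their current addresses until they are changed manually, and rows with a value in HeldBy need a decision before the policy is created.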

Hopefully this article has provided you a good understanding of how email address policies work in Exchange Server 2010, and given you some ideas on how you can use them in your own Exchange organization.

Comments

  1. Rusty Shackleford says

    Excellent article. This is one of the most complete ones I have read. I appreciate you covering how a new policy impacts existing email addresses and the impact of removing an email address policy.

  2. Filipp says

    Hi,
    really nice post. There’s only one Information I miss (and also can’t find on MS): What happens, if the Policy chooses an address, which is already used by someone else. P.Ex. if you have your 2nd Jo Rigby (in the same OU). Will he get no Addresses then? Will he get Jo.Rigby2@example.com? Can you control this behaviour?
    Best Regards
    Filipp

  3. Fred says

    Great article! This topic always gets a little fuzzy if I haven’t worked with it for a while. This clears things up in a very pleasant way. Thank you for posting it this clear.

    Cheers,
    Fred

  4. Daryn says

    So just a verification, if I change the primary smtp address in the policy and hit “Do Not Apply”, it won’t apply anything then, it’s only going to do it to new accounts thereafter? I need to change ours but want to make sure it’s not going to go off to the races adding and changing everyone’s address, I don’t want to have to correct 20K users.

  5. Filipp says

    Hi,

    > I don’t want to have to correct 20K users.
    Hehe, that’s why many people hate EAPs. Okay, to be more exact: It’s the uncertainty, what makes people hate it. That’s why I went over to deactivate “Automatically update…”, that gives you certainty. Really: What do you need automatic updates for? If I ever come to update EMail-Addresses for our users, I would _always_ do this with a customized script, where I can fully control what happens, and I would _never_ leave this over to some background process. What should be the advantage of it?

    JMSP

    Filipp

  6. nick says

    Ace article!
    Quick question:
    Is an email address policy a requirement as part of adding a new accepted domain? I am adding a new domain to accepted domains, but it’s only going to be used for 1 or 2 mailboxes. Can’t I just manually configure the SMTP address for those mailboxes?

  7. Tobias says

    After changing the policy from alias to firstname.lastname the out-of-office function was broken for all the users in Outlook and I can’t seem to fix it. It works in OWA.

    Do I need to make any change anywhere to make this work?

  8. RC says

    great article, thanks Paul …what would we do without you ? nothing else out on the web even close to as informative as this article on the subject…

  9. KCF says

    Thank you for the article Paul.

    Is it possible for a deleted address policy to break and continue to issue addresses to users? I have several users that have addresses associated with a dead and removed domain. The addresses repopulate if I delete them. Looking at the user I see they belong to 2 email address policies (get-mailbox “user” | select-object policiesincluded). Yet I can only validate the existence of 1 policy based on its GUID. I cannot locate a GUID to match the other policy in my email address policy list.

    I’m open to suggestions. Thank you so much.

  10. Lucky Hamu says

    I have a quick question that I applied email address policy for our new domain but when user receives email from external domain the address shows the secondary domain email address. kindly guide how to set this policy default that shows in new domain entry while receive email.

  11. Pradeep kumar says

    Hi Paul,

    Is there any possibility in Exchange 2010 if we can create email policy with “SAMAccountname@domain.com”.

    In my case Alias name and SamAccountname are different.

    Thank you!

  12. Luke says

    Paul,

    I have a policy that was setup to add Full Access Permission for two admin users to have access to any new mailbox that is created by a previous administrator that no longer works for this company. I can’t seem to find out where that policy would be in place. I would like to edit that policy to remove his user and replace it with mine. This seems to be the location for that, but I am not seeing any options for it.

    • says

      That is not an email address policy. My guess is they’ve added permissions at the database level (run “Get-MailboxDatabase | Get-ADPermission” and look through the output).

      What you’re proposing is not ideal, in my opinion. I always grant and then remove mailbox permissions as required on a case by case basis, rather than leave a persistent ACL in place.

  13. Andre says

    Great article Paul Thanks.
    Is there any mechanism that will allow you to mass remove the no longer valid secondary email addresses?

        • Roger Johnson says

          Here is a really basic version of a script to do this. Basically you pull in the proxy addresses that are NOT part of the domain you want to remove, then take that variable and make that the new proxyaddresses value.

          # Replace {user} with the mailbox identity and "domain to remove" with the domain
          $o = Get-Mailbox -Identity {user}
          # Keep every address that is neither in the unwanted domain nor an X400 address
          $address = $o.EmailAddresses | where {$_.ProxyAddressString -notmatch "domain to remove" -and $_.PrefixString -ne "x400"}
          Set-Mailbox -Identity {user} -EmailAddresses $address

          You can expand that in all kinds of ways with some basic looping. I cleaned up a large number of users using this model, both old E2k X400 addresses and SMTP addresses. With a little work you could do prefix removals as well (if you do decide to do a mass change of the prefix for a domain.)

  14. Ramon says

    Great article Paul.

    One question: I’ve migrated my exchange server from 2003 to 2010

    Before that, if I sent a document pdf by email from my multi-function printer using the alias (without @mydomain.com) in the to: field, the server sent the email.

    Now, in 2010, if I use the alias doesn’t work, but if I use alias@mydomain.com it works.

    Some ideas..

    Thanks in advance

    Ramon

    • says

      Exchange 2010 won’t accept an invalid address as the “From” address. An alias without the @domain.com is not a valid address. So the solution is to make sure your devices (or any other application) that is going to use the Exchange 2010 server for SMTP is using a valid address.

  15. Mike S says

    Nice article. I have a scenario not covered. Exchange 2007 has 4500 users. Added Exchange 2010 servers to the mix to prepare for a migration. Address policy applies based on a specific custom attribute 1 value as default however about 10 percent of the accounts have the auto update address unchecked in EMC to allow a custom address to be used as default SMTP. When we “local move” the mailbox the address box becomes checked and a new primary SMTP based on the existing policy applies as default. We need to manually remove the check and reset the custom address. How can a user be moved without the address policy turning back on if originally unchecked? Thanks.

  16. Mike S says

    Thanks for the confirmation. We are reviewing patch levels on the servers and settings now to try and determine the cause. We have 600 accounts out of the 4500 affected so a MS call may be needed. If something is found I will post.

  17. Mike S says

    Looks like at some point the mailbox checkbox to apply the policy gets turned on for some accounts while on Exchange 2007 however not until the mailbox is actually moved (modified seems to be the trigger) to Exchange 2010 does the address policy update and make the change. We have exported the SMTP addresses to have a reference in case a user goes incorrect after the move and we need to restore their Primary SMTP. Odd but workable.

  18. Gareth Gudger says

    Thanks for the great article Paul.

    How can you tell what Address Policies the user is receiving aside from examining the SMTP addresses? Not seeing anything in Get-Mailbox or EMC/EAC to indicate which policies are actually applying to the user.

    Thanks!

  19. Chris F. says

    Very informative write up. Thanks very much. One of the issues we have when creating mailboxes, being a large organization is when we have more than one person with the same first initial and last name. For example, jsmith@corp.com. Logically the next jsmith would be jsmith2 , etc. However, when we hit magic number 10 it gives us something like jsmith1b984c@corp.com. I assume this is like a hex representation but would really like it if it would just keep incrementing 10, 11, 12,13, etc. without having to manually edit the newly created address to correct it. Any help would be appreciated.

    Thank you.
    Chris

  20. Shane Bryan says

    Hi guys. Is there a powershell command I can run to list the users not inheriting the default email address policy?

    We’re about to make a change and I want to know beforehand, how many user objects I will need to update manually.

    Cheers Shane.

    • says

      Sort of… The recipient filters on the email address policies can be used to filter Get-Recipient cmdlet results… so I guess one way to look at it would be:

      [PS] U:\>$filter = (Get-EmailAddressPolicy “POLICY NAME”).RecipientFilter
      [PS] U:\>Get-Recipient -Filter $filter

  21. Shane Bryan says

    Thanks Paul. That listed everyone. What i’m after is a list of people with the “Automatically update e-mail addresses based on e-mail address policy” option unticked on their profile.

    Is that doable do you think?

  22. Liam Barry says

    Great Article Paul,

    I need to add 350 SMTP secondary email addresses.

    Can this be done via EAP ?

    All users are in the same OU. They have a primary SMTP that I do not want to change but need to add a secondary address.

    Thanks,
    Liam

      • Liam Barry says

        Sorry for the confusion:

        We need to add a new email address to all users in an OU. But this new email address should not be the primary SMTP address.

        • says

          Sure. Create an email address policy that contains the primary and secondary email addresses you want.

          Do it first on a test OU if you need to try it out.

  23. Ivan says

    Hi Paul,

    I have a problem with “department” attribute for distribution groups.
    There are some DGs with department = DEPT1

    Also there are 2 EAPs:
    Priority 1 – Catch all recipients with department = DEPT1 and assign %m@DEPT1.com
    Default – Catch all recipients and assign %m@default.com

    If I manually apply (via ECP) EAP with priority 1 then all DGs with department = DEPT1 will get @DEPT1.com addresses as it should be, but if I change one of those DGs, for example display name, default policy will set %m@default.com address.

    This occurs only with distribution groups, all users behave correctly.

    I have Exchange 2010 SP3 RU6. AD Forest 2008 r2 with no migrations in past.
    I would appreciate any advice.

  24. Joe C says

    Thanks for the informative write up. I have a question about Distribution Groups. I cannot find a way to have the email address policy applied to the Distribution Groups even though I have the box checked off to automatically update email addresses based on the email address policy. Do I need to choose All Recipient Types when creating the policy?

    Is there a way in EMS to check if the policies are applied to the distro groups like you can with mailboxes? Thanks

  25. Diego says

    Hi Paul,
    I’m trying to find a command to remove a secondary SMTP address on Exchange 2007. Set-Mailbox -EmailAddresses @{remove=”example@mydomain.com”} is not working for me. I’m receiving the following output:

    ———————————————————————————————————
    Set-Mailbox : Cannot bind parameter ‘EmailAddresses’. Cannot convert the “Syste
    m.Collections.Hashtable” value of type “System.Collections.Hashtable” to type ”
    Microsoft.Exchange.Data.ProxyAddress”.
    At line:1 char:55
    + Set-Mailbox -Identity mydomain\example -EmailAddresses <<<< @{Remove="example@rootdomain.com"}
    + CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBin
    dingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.Exchang
    e.Management.RecipientTasks.SetMailbox

    ————————————————————————————————————–

    What am I doing wrong? Is there another command to perform this with PowerShell?

    Thanks in advance.

    Diego.

  26. david says

    hi
    Does the edit of the default email address policy in Exchange 2010 affect all existing users?
    I want for now only the new users to obtain a different smtp address.

    regards
    david
