There is a project running at the company I work for to separate one of the areas of the business into their own entity. Among other things this rebranding exercise also includes changing their primary email addresses.
For several versions of Exchange Server now we’ve had the capability to manage email addresses for recipients by using policies. In Exchange Server 2010 these are referred to as Email Address Policies.
In this article I’ll provide an overview of the key concepts of email address policies and demonstrate some examples of how they can be used.
The Exchange Server 2010 Default Email Address Policy
Any Exchange 2010 organization will have one email address policy named “Default Policy”. You can view this in the Exchange Management Console under Organization Configuration -> Hub Transport, in the Email Address Policies tab.
Exchange 2010's default email address policy
One of my gripes with managing email address policies in the console is that you can’t open a Properties view to see how they are configured. However you can right-click and choose Edit to achieve the same outcome.
The first thing you’ll notice that the default policy is not scoped to any particular recipient container, so it will apply to any object in Active Directory. The other thing you’ll notice is that the policy will apply to “All recipient types”, not a limited subset of the available types such as mailboxes, contacts, or groups.
Scope of the default email address policy in Exchange 2010
At the next dialog you get a chance to preview the results of the conditions in the email address policy.
Previewing the results of email address policy conditions
If you preview the default email address policy you should see all mail-enabled objects in the organization returned.
At the next dialog you’ll see the email addresses that the policy will apply to those recipients that fall within the scope of the policy.
Email addresses applied by the default email address policy
So the outcome of this policy is that it will apply an email address of alias@exchangeserverpro.net (because alias is used if nothing else is specified) to any recipient type.
When are Exchange 2010 Email Address Policies Applied?
But when does the email address policy apply? At the next dialog we can see the schedule options for the email address policy.
Email address policy schedule options
The options we can choose from are:
- Do not apply – the email address policy will be created (or edited) but not applied to the recipients that fall within its scope
- Immediately – the email address policy will be applied immediately to the recipients that fall within its scope
- At the following time – the email address policy will be applied at the nominated time. This is convenient if you are preparing the email address policy in advance of a scheduled change (such as the rebranding exercise I mentioned earlier)
Something you need to be aware of is that no matter which of the above options you pick right now, the email address policy will continue to be assessed and applied to recipients on an ongoing basis in the future each time a recipient is created or modified.
So for example when a new mailbox is created the email address policies are assessed and applied accordingly. Similarly, if you modify an existing mailbox user, for example to change their alias or move it to another database, the email address policies will be reassessed for that recipient.
For that reason you want to be sure that any email address policy that exists in your organization is ready to be applied to recipients.
Creating a New Email Address Policy with the Exchange Management Console
Click New E-Mail Address Policy to start creating a new policy.
New Email Address Policy
For this example I’ve narrowed the scope of the email address policy to just one particular OU for “Example Corp”, the new business entity.
Select recipient container for new email address policy
If that particular OU contained users in other companies I could also narrow the scope down based on Company or Department attributes, but in this example I don’t need to. Clicking Preview shows me the one user that exists in that OU so far.
Email address policy conditions
Next I’ll add an SMTP address of %m@example.com to the policy (%m = “alias”).
Configuring SMTP addresses for an email address policy
Note that whatever domain you choose to use here needs to have already been configured as an Accepted Domain for the organization. If you haven’t already done so you can switch back to the Exchange Management Console and add the domain without having to cancel your new email address policy wizard.
Finally I will choose not to apply the email address policy just yet, so that I can demonstrate some scenarios for this.
Choosing when to apply the email address policy
Finally, click New to create the email address policy. If it all goes well you’ll see a successful completion message.
Completing the new email address policy wizard
Note that the completion dialog reveals the PowerShell commands used behind the scenes to perform the task. This will be relevant later when we look at an example of creating an email address policy in PowerShell.
Applying Email Address Policies
Now let’s check the results. Because I chose not to apply the policy yet the user Amy Lawrence does not have an @example.com email address yet.
Email addresses before the policy is applied
If I move another mailbox user into the same OU, they also do not have the email address policy applied.
User moved into OU
Jo Rigby’s email addresses haven’t changed just because her OU membership changed.
No change to email addresses yet
However, if I modify Jo Rigby’s recipient properties, such as adding the new company name, and apply that change…
Modifying recipient properties to trigger email address policies
…the new SMTP address is immediately applied by the policy, because modifying and saving any change to a recipient triggers policy assessment.
SMTP addresses after email address policy is applied
If I simply wish to apply the email address policy to all of the users in that OU I can right-click the policy and choose Apply, and choose to apply it immediately or at a scheduled time.
Manually applying an email address policy
Now Amy Lawrence also has the new @example.com email address without me having modified any of her other recipient properties, because I manually triggered the application of the policy.
SMTP addresses after email address policy is applied
You may wonder how primary SMTP address is determined when two policies are potentially valid for a recipient. The answer to that question is in the priority value of each policy. The policy with the highest priority will apply, but only that one policy applies.
For example, new user Bob Winder in the Example Corp OU gets mailbox-enabled and only receives an @example.com SMTP address from the “Example Corp” policy, but doesn’t receive an @exchangeserverpro.net address from the default policy that is of a lower priority.
SMTP address for a new mailbox user
So each policy needs to contain all of the SMTP addresses that you intend those recipients to receive, so that new recipients get them all. You can’t rely on different email address policies to apply cumulatively.
Note: Email Address Policies are Additive Only
You may have noticed in the examples above that the prior SMTP address of @exchangeserverpro.net was not removed from the mailboxes, it was simply changed to being a secondary email address.
This is due to the behavior of email address policies in that they are additive only. An email address policy will not remove or overwrite an email address on a recipient.
If the recipient falls out of scope of the email address policy they will not have any email addresses removed from the account, though their primary SMTP address may change when a different policy applies. In the case of Jo Rigby, if she is moved out of that OU and her company attribute changed again (or any other modification made to trigger policy assessment) she reverts to an @exchangeserverpro.net primary SMTP address, but retains @example.com as a secondary address.
SMTP address changed after policy no longer applies
Nor will the removal of the email address policy entirely cause recipients to lose those email addresses.
Removing an email address policy
Note that removing a policy causes those recipients to assess policies again. Amy Lawrence’s primary SMTP address changed back to @exchangeserverpro.net with no other recipient modification or manual applying of other policies required, but again she retained the @example.com secondary address.
SMTP addresses after email address policy is removed
Creating a New Email Address Policy with the Exchange Management Shell
There will be times when you find the options available in the console when creating a new email address policy are not suitable for your particular scenario. In those cases you can use the Exchange Management Shell to create a more specific filter for the email address policy.
Email address policies are created using the New-EmailAddressPolicy cmdlet. This cmdlet has a -RecipientFilter parameter that opens up a whole lot more possibilities (the documentation refers to Exchange 2007 but is unchanged for Exchange 2010) for defining the scope of your email address policies. Just be aware that it can’t be used in combination with some other parameters, all of which is spelled out here.
So let’s look at one example of creating an email address policy in PowerShell using the capabilities of -RecipientFilter.
To begin with I’ve removed the policy I created in the console earlier, and manually removed the @example.com addresses from those mailboxes to start over with a clean slate.
Example Corp users in their OU
Now I’ll create the email address policy, using a recipient filter that checks display names for the string “(Example Corp)”. The new policy will have the following properties:
- A name of “Example Corp”
- A priority of 1
- An email address template of “SMTP:%m@example.com” (the upper-case SMTP defines the primary SMTP address, lower-case would be a secondary SMTP address)
- A recipient filter for the DisplayName attribute of “*(Example Corp)” (the * is a wildcard)
Running that as a command in the Exchange Management Shell looks like this:.
New-EmailAddressPolicy -Name "Example Corp" -Priority 1 -EnabledEmailAddressTemplates "SMTP:%m@example.com" -RecipientFilter {DisplayName -like "*(Example Corp)"}
Name Priority RecipientFilter
---- -------- ---------------
Example Corp 1 DisplayName -like '*(Example Corp)'
Now the new email address policy has been created, but as before it has not yet applied to any recipients. To trigger the policy for the three Example Corp users I’m going to modify their display names to append “(Example Corp) to them. I’m just doing them individually here but you could script it if you had a lot of mailbox users to modify.
[PS] C:\>Set-Mailbox Jo.Rigby -DisplayName "Jo Rigby (Example Corp)"
Jo now has the @example.com SMTP address assigned by the new policy.
[PS] C:\>Get-Mailbox Jo.Rigby | select displayname,emailaddresses | fl
DisplayName : Jo Rigby (Example Corp)
EmailAddresses : {SMTP:Jo.Rigby@example.com, smtp:Jo.Rigby@exchangeserverpro.net}
And if I change her display name so it no longer has “(Example Corp)” in it, she reverts to the primary SMTP address @exchangeserverpro.net and retains the @example.com as a secondary SMTP address.
[PS] C:\>Set-Mailbox Jo.Rigby -DisplayName "Jo Rigby"
[PS] C:\>Get-Mailbox Jo.Rigby | select displayname,emailaddresses | fl
DisplayName : Jo Rigby
EmailAddresses : {SMTP:Jo.Rigby@exchangeserverpro.net, smtp:Jo.Rigby@example.com}
Hopefully this article has provided you a good understanding of how email address policies work in Exchange Server 2010, and given you some ideas on how you can use them in your own Exchange organization.
About Paul Cunningham
Excellent article. This is one of the most complete ones I have read. I appreciate you covering how a new policy impacts existing email addresses and the impact of removing an email address policy.
Thanks paul
very good article. thank you paul ,
Are you sure they get applied anytime an object is changed. I have a policy to make all domain users
firstname.lastname@domain.com but when HR changes someone’s name in AD, the policy is not applied to the change.
Changes made in AD Users & Computers don’t cause the policy to reassess.
Thank you very much. Helped a lot. Greetings from sunny Switzerland.
Hi Paul,
Excellent article. Thanks
Hi,
really nice post. There’s only one Information I miss (and also can’t find on MS): What happens, if the Policy chooses an address, which is allready used by someone else. P.Ex. if you have your 2nd Jo Rigby (in the same OU). Will he get no Addresses then? Will he get Jo.Rigby2@example.com? Can you controll this behaviour?
Best Regards
Filipp
Yes, it will append the 2 in the first case.
Hi Paul.
Great article.
What if your user has a double first-name or last-name, and want to use . in between all names? (e.g. john.phillip.doe@example.com) Default firstname.lastname will just give you johnphillip.doe@example.com…?
Any suggestions on that one?
Best Regards
Tore
Great article! This topic always gets a little fuzzy if I haven`t worked with it for a while. This cleares things up in a very pleasant way. Thank you for posting it this clear.
Cheers,
Fred
So just a verification, if I change the primary smtp address in the policy and hit “Do Not Apply”, it won’t apply anything then, it’s only going to do it to new accounts thereafter? I need to change ours but want to make sure it’s not going to go off to the races adding and changing everyone’s address, I don’t want to have to correct 20K users.
Hi,
> I don’t want to have to correct 20K users.
Hehe, that’s why many people hate EAPs. Okay, to be mor exact: It’s the uncertainty, what makes people hate it. That’s why I went over to deactivate “Autmatically update…”, that gives you certainty. Realy: What do you need automatic updates for? If I ever come to update EMail-Addresses for our users, I would _always_ do this with a customized script, where I can fully control what happens, and I would _never_ leave this over to some background process. What should be the adantage of it?
JMSP
Filipp
Thx Paul. Excellent article as always! Keep up the good work man
Ace article!
Quick question:
Is an email address policy a requirement as part of adding a new accepted domain? I am adding a new domain to accepted domains, but it’s only going to be used for 1 or 2 mailboxes. Can’t I just manually configure the SMTP address for those mailboxes?
Yes you can do it that way.