hosted exchange

Add-MailboxPermission for Exchange 2010 SP1 /hosting - Give Full Access to Mailbox to Another User

If I remember correctly when /hosting came out you could use the Add-MailboxPermission as the domain administrator. It seems now with a later rollup [correct me if I'm wrong] you can no longer use this command because it gives you errors such as:

 The operation on mailbox "host.local/Microsoft Exchange Hosted Organizations/****/user01" failed because it's out of the current user's write scope. The object 'host.local/Microsoft Exchange Hosted Organizations/****/user01' must be within the read scope before and after it's modified. Can't perform the save operation.

    + CategoryInfo          : NotSpecified: (host.local/Micr...S/checkrequests:ADObjectId) [Add-MailboxPermission], TaskInvalidOperationException
    + FullyQualifiedErrorId :7F410251,Microsoft.Exchange.Management.RecipientTasks.AddMailboxPermission

To fix this issue you must run PowerShell as the organization administrator instead of the domain administrator: the error is an RBAC scope check, and the tenant's objects are outside the domain administrator's write scope.

Below is how you can accomplish this using remote PowerShell:

  • Launch Exchange Shell / PowerShell
  • Run:

$c = Get-Credential

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http:///powershell -Credential $c

Import-PSSession $session -AllowClobber
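Putting it together, here is an added example (my own script, not from the original post) that connects as the organization administrator and grants Full Access from inside the tenant scope. The CAS server FQDN and the two aliases are placeholders you fill in.

```powershell
# Added example, not from the original post. Assumed placeholders: <CAS SERVER FQDN>,
# and the aliases user01 (mailbox being shared) and user02 (the delegate).
$OrgAdmin = Get-Credential   # enter the tenant's organization administrator, not a domain admin
$Session  = New-PSSession -ConfigurationName Microsoft.Exchange `
                          -ConnectionUri "http://<CAS SERVER FQDN>/powershell" `
                          -Credential $OrgAdmin
Import-PSSession $Session -AllowClobber | Out-Null

$MailboxToShare = "user01"
$Delegate       = "user02"

# Resolve both objects first. As the org admin both are inside your RBAC scope; as a
# domain admin this is where the "out of the current user's write scope" error comes from.
$target  = Get-Mailbox -Identity $MailboxToShare -ErrorAction Stop
$grantee = Get-Mailbox -Identity $Delegate       -ErrorAction Stop

Add-MailboxPermission -Identity $target.Identity -User $grantee.Alias `
    -AccessRights FullAccess -InheritanceType All

# Verify that exactly the intended, non-inherited, allow entry exists for the delegate.
Get-MailboxPermission -Identity $target.Identity |
    Where-Object { $_.User.ToString() -like "*$Delegate*" -and -not $_.IsInherited -and -not $_.Deny } |
    Format-Table User, AccessRights, IsInherited, Deny -AutoSize

Remove-PSSession $Session
```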

Creating Tenants for Exchange 2010 SP2 Multi Tenant

Exchange 2010 SP2 has been released! Sucks for some of us using /hosting since there isn’t really a good migration path other than doing a forest migration. Anyways, SP2 has been released and we get the EMC back, and also some more roles such as the unified messaging role!

Most automation software [as of 1/2/2012] does not support SP2 yet. Some that currently do are ExtendASP, and I believe Machsol will in a couple of weeks. Personally I have not used either.

Anyways you can still separate your tenants manually without using automation software, but it is more complex and requires more steps than Exchange /hosting did. You will have to create multiple address lists and also use custom attributes. You can read the documentation at Download: Exchange 2010 SP2 Multi-Tenant Scale Guidance …

Note: Lync is supposed to be coming out with a hosting pack that requires a specific Active Directory organizational unit structure to work. I do not have this information, so you may want to wait if you plan on deploying the Lync Hosting Pack with Exchange 2010 SP2.

Here are some things you will need to create:

Cannot bind parameter ‘RecipientFilter’ to the target. Exception setting “RecipientFilter”

Full error:

Invoke-Command : Cannot bind parameter ‘RecipientFilter’ to the target. Exception setting “RecipientFilter”: “Invalid filter syntax. For a description of the filter parameter syntax see the command help.

“((UserPrincipalName -like ‘*’) -and (Alias -ne ))” at position 67.”

At *:39341 char:29

+ $scriptCmd = { & <<<< $script:InvokeCommand `

+ CategoryInfo : WriteError: (:) [Set-EmailAddressPolicy], ParameterBindingException

+ FullyQualifiedErrorId : ParameterBindingFailed, Microsoft.Exchange.Management.SystemConfigurationTasks.SetEmailAddressPolicy


This error is caused by invalid syntax when setting the RecipientFilter. Normally when using PowerShell commands you will enclose everything in quotes. This is not the case with the RecipientFilter: inside double quotes PowerShell expands $null to an empty string, so Exchange receives (Alias -ne ), which is exactly the text the error message quotes. You must put the value in-between curly braces { } instead (a script block is passed through literally).

  • Wrong: -RecipientFilter "((UserPrincipalName -like '*') -and (Alias -ne $null))"

  • Correct: -RecipientFilter {((UserPrincipalName -like '*') -and (Alias -ne $null))}

EmailAddressPolicy for Exchange 2010 /hosting [One organization, multiple primary domains]


If you are running Exchange 2010 in hosting mode then you will probably run across a client that wants everyone to be in the same organization so they can see everyone in the GAL, but also wants some users to have a primary domain that is different than others.

After messing with the ConditionalCompany and other Conditional fields I believe I found a better way to accomplish this without even having to mess with anything in Active Directory Users & Computers.

So the first thing you want to do is add the extra domain as an accepted domain:

  • New-AcceptedDomain -Name  -DomainName "My First Org"

Next you will want to create your email address policy. Instead of setting the conditional fields we are just going to set the RecipientFilter to something custom. Filtering on UserPrincipalName applies the policy to every recipient whose UPN suffix is the accepted domain you just added.

  • New-EmailAddressPolicy -Organization ORGANIZATIONNAME -Name DOMAINNAME -EnabledEmailAddressTemplate SMTP:@NEWDOMAIN -RecipientFilter {((UserPrincipalName -like '*@NEWDOMAIN') -and (Alias -ne $null))}

Completed Example:
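As an added example (my own script, not from the post), here is the whole thing for one tenant, including why the RecipientFilter from the earlier error has to be passed the way it is. The organization name and domain are placeholders, and I am assuming that New-AcceptedDomain and Get-EmailAddressPolicy accept -Organization in /hosting mode the same way Get-Mailbox does.

```powershell
# Added example, not from the original post. Assumed placeholders: $Org (tenant name
# from New-Organization) and $NewDomain (the extra primary SMTP domain).
$Org       = "My First Org"
$NewDomain = "newdomain.example"

# Inside double quotes PowerShell expands $null to nothing, which is how the invalid
# "(Alias -ne )" filter in the earlier error is produced:
$broken = "((UserPrincipalName -like '*@$NewDomain') -and (Alias -ne $null))"
Write-Host "Double-quoted text actually sent: $broken"

# A {script block} is passed through literally, so $null survives. A literal block would
# not expand $NewDomain either, so for a parameterised script build the string and
# escape only $null with a backtick.
$filter = "((UserPrincipalName -like '*@$NewDomain') -and (Alias -ne `$null))"
Write-Host "Filter sent: $filter"

# 1. Add the extra domain to this tenant (-Organization assumed for /hosting mode).
New-AcceptedDomain -Organization $Org -Name $NewDomain -DomainName $NewDomain -DomainType Authoritative

# 2. Policy: every recipient whose UPN ends in @$NewDomain gets <alias>@$NewDomain as primary.
New-EmailAddressPolicy -Organization $Org -Name $NewDomain `
    -EnabledEmailAddressTemplates "SMTP:@$NewDomain" `
    -RecipientFilter $filter

# 3. Apply it now instead of waiting, then check which mailboxes picked up the new
#    primary address (Get-EmailAddressPolicy -Organization is assumed).
Get-EmailAddressPolicy -Organization $Org |
    Where-Object { $_.Name -eq $NewDomain } |
    Update-EmailAddressPolicy
Get-Mailbox -Organization $Org -ResultSize Unlimited |
    Where-Object { $_.PrimarySmtpAddress.Domain -eq $NewDomain } |
    Format-Table Alias, UserPrincipalName, PrimarySmtpAddress -AutoSize
```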

Removing an Organization (Remove-Organization)

In order to remove an Organization from Exchange 2010 multi-tenant you must first delete all mailboxes from the organization. You can delete most of them through the ECP (Exchange Control Panel), but you will still be left with the administrator mailbox you are using, DiscoverySearchMailbox, and some others.

First you must find your organization you want to remove. You can do this by typing:

  • Get-Organization

Next you want to remove all mailboxes from the organization. Like I said above you can delete most of them using ECP or you can remove all the mailboxes quickly by typing:

  • Get-Mailbox -Organization "<ORG NAME HERE>" | Remove-Mailbox

Now that all mailboxes are removed you can type this to remove the organization: 

  • Remove-Organization -Identity "<ORG NAME HERE>"

Give it a minute and you should be able to do another Get-Organization and notice that your organization is gone! I took a picture for your viewing pleasure: 
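Here is the same procedure as an added script (mine, not from the post) that refuses to call Remove-Organization while any mailbox is still left and shows you which ones they are. The organization name is a placeholder.

```powershell
# Added example, not from the original post. $Org is a placeholder tenant name.
$Org = "<ORG NAME HERE>"

# Confirm the tenant exists and that it is the one you mean before deleting anything.
$tenant = Get-Organization -Identity $Org -ErrorAction Stop
"Preparing to remove organization '{0}'" -f $tenant.Name

# Remove every mailbox in the tenant. -Confirm:$false suppresses the per-mailbox prompt;
# leave it out if you want to approve each one.
Get-Mailbox -Organization $Org -ResultSize Unlimited | Remove-Mailbox -Confirm:$false

# Remove-Organization needs an empty tenant, so check before calling it and list
# whatever is left (DiscoverySearchMailbox and friends show up here if they survived).
$left = @(Get-Mailbox -Organization $Org -ResultSize Unlimited)
if ($left.Count -gt 0) {
    "These mailboxes still exist; remove them first:"
    $left | Format-Table Alias, RecipientTypeDetails -AutoSize
} else {
    Remove-Organization -Identity $Org
    # Give it a minute, then confirm the tenant is gone from the list.
    Start-Sleep -Seconds 60
    if (Get-Organization | Where-Object { $_.Name -eq $Org }) {
        "Still listed; wait a bit longer and run Get-Organization again."
    } else {
        "Organization '$Org' removed."
    }
}
```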


Exchange 2010 SP1 Multi-Tenant (Step 3 of 3)

Configuring Mailflow


Here is the issue. If you use DNS to route your mail then you will have a problem with sending emails between organizations. In order to make this work you must create a send connector that routes the traffic to and from the organizations. Another way to solve this problem is to use a smart host:

New-SendConnector -Name "Internet" -Usage "Custom" -AddressSpaces "SMTP:*;1" -IsScopedConnector $false -SmartHosts x.x.x.x,x.x.x.x -DNSRoutingEnabled $false -SmartHostAuthMechanism "None" -UseExternalDNSServersEnabled $false -SourceTransportServers "Exchange Server"

New Send Connector


Receive Connector:


Now we must tick the Anonymous box on the default receive connector so internet hosts can deliver to the Exchange server. Note that the AnonymousUsers permission group only lets unauthenticated hosts submit mail to your accepted domains; it does not turn the connector into an open relay unless the anonymous logon is also granted the ms-Exch-SMTP-Accept-Any-Recipient right.

Set-ReceiveConnector -PermissionGroups 'AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers' -Identity 'LABDCEX\Default LABDCEX'

Receive Connector
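An added script (mine, not from the post) that makes the same change and then checks the connector's ACL so you know anonymous hosts got submission only and not relay. The connector identity is the one from the post; replace it with your own.

```powershell
# Added example, not from the original post. The connector identity is the post's lab
# server; replace it with yours. Run in the Exchange Shell.
$ConnectorId = "LABDCEX\Default LABDCEX"

# Same as ticking "Anonymous users" in the connector properties.
Set-ReceiveConnector -Identity $ConnectorId `
    -PermissionGroups AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers

# AnonymousUsers only grants submission to accepted domains. The connector is an open relay
# only if NT AUTHORITY\ANONYMOUS LOGON also holds ms-Exch-SMTP-Accept-Any-Recipient, so
# confirm that no such allow ACE exists after the change.
$relayAces = Get-ADPermission -Identity $ConnectorId |
    Where-Object {
        $_.User.ToString() -like "*ANONYMOUS LOGON*" -and -not $_.Deny -and
        @($_.ExtendedRights -like "*Accept-Any-Recipient*").Count -gt 0
    }
if ($relayAces) {
    Write-Warning "Anonymous relay right found on $ConnectorId; remove it unless this is intended."
    $relayAces | Format-Table User, ExtendedRights, Deny -AutoSize
} else {
    "OK: anonymous hosts can submit to accepted domains only on $ConnectorId."
}

# Show the resulting connector settings for the record.
Get-ReceiveConnector -Identity $ConnectorId |
    Format-List Identity, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism
```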


Setting External FQDN


Our next step will be to make sure we put the external FQDN on all of the virtual directories.



Exchange 2010 SP1 Multi-Tenant (Step 2 of 3)

Creating New Organizations

Hosted Exchange uses “Service Plans” to control what organizations have access to what features. With service plans you can turn features on or off like POP, MAPI, ActiveSync, and even mailbox sizes. So open Windows Explorer and browse to:

c:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ServicePlans

You will notice that there are sample service plans and a CSV file called “ServicePlanHostingRemap”. It is very important you do not edit the samples, because updates can replace them. Just copy a sample and rename it. Then open the HostingRemap file and add a line with your ProgramId and OfferId; the last column is the service plan file name.

Service Plan

Next you will want to go to the Exchange Shell to create a new organization. So type:


  • $c = Get-Credential
  • New-Organization -Name "My Lab Domain" -DomainName -Location en-US -ProgramId Lab -OfferId 2 -AdministratorPassword $c.password

New Organization
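The three steps above as one added script (mine, not from the post). I am assuming the name of the shipped sample plan, a placeholder tenant domain, and that the remap CSV has the columns ProgramId, OfferId and ServicePlan, the third being the .serviceplan file name as the post describes.

```powershell
# Added example, not from the original post. Assumptions: the sample plan file name, the
# placeholder tenant domain, and that ServicePlanHostingRemap.csv has the columns
# ProgramId,OfferId,ServicePlan (third column = the .serviceplan file name).
$PlanDir   = "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ServicePlans"
$Sample    = "HostingAllFeatures.serviceplan"   # assumed name of one of the shipped samples
$PlanFile  = "Lab.serviceplan"                  # our copy; never edit the samples, updates overwrite them
$ProgramId = "Lab"
$OfferId   = "2"
$Remap     = Join-Path $PlanDir "ServicePlanHostingRemap.csv"

# 1. Copy the sample under our own name, keeping any copy that already exists.
$dest = Join-Path $PlanDir $PlanFile
if (-not (Test-Path $dest)) { Copy-Item -Path (Join-Path $PlanDir $Sample) -Destination $dest }

# 2. Map ProgramId/OfferId to our plan, but only once: a duplicate pair is ambiguous.
$mapped = Import-Csv $Remap | Where-Object { $_.ProgramId -eq $ProgramId -and $_.OfferId -eq $OfferId }
if (-not $mapped) {
    $lines  = @(Get-Content $Remap)
    $lines += ("{0},{1},{2}" -f $ProgramId, $OfferId, $PlanFile)
    Set-Content -Path $Remap -Value $lines
}

# 3. Create the tenant. Only the password from Get-Credential is used, so it never sits in the script.
$c = Get-Credential
New-Organization -Name "My Lab Domain" -DomainName "<TENANT DOMAIN>" -Location en-US `
    -ProgramId $ProgramId -OfferId $OfferId -AdministratorPassword $c.Password

# 4. Confirm the tenant exists and review what it was created with.
Get-Organization -Identity "My Lab Domain" | Format-List
```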



The Parameters:


Exchange 2010 SP1 Multi-Tenant (Step 1 of 3)

Finally Microsoft has come out with an Exchange Server that can
support multiple organizations without the need for HMC or manually
making changes in ADSIEDIT or Active Directory. I have actually not
used HMC before but found that trying to segregate address lists and
GALs manually in Exchange 2007 was a pain.

What is not available

  • Exchange Management Console

  • Public Folders

  • Unified Messaging Server role (can install on different machine)

  • GalSync

  • Federation

  • Business-to-Business features such as cross-premises message
    tracking and calendar sharing

  • IRM

  • Outlook 2003 support

  • Edge Transport Server role

  • Same forest upgrade from Exchange 2007

  • Resource forest

  • Parent-child domains

  • Discontiguous namespace

  • Disjoint namespace

I know that most get upset at the Exchange Management Console not
being available anymore but I find that the shell commands are really
simple and easy (especially with the help of Google and Microsoft
help pages).

You can still easily create new users/mailboxes using the Exchange
Control Panel (ECP) through OWA. We will get to that in a little bit.
