Thursday, May 28, 2015

How to Convert a Distribution List into a Mailbox

Sometimes an organization or administrator needs to convert a Distribution Group (DG), also called a Distribution List, into a regular or shared mailbox. Reasons vary, but the most common one is that the organization needs to start sending email as that DG.
 
Unfortunately, there is no native way of achieving this, but it is straightforward to do manually. The best way is to:
  1. Write down the DG's LegacyExchangeDN. To do so, run the cmdlet: Get-DistributionGroup "DG_name" | Select LegacyExchangeDN;
  2. Delete the DG;
  3. Create a (shared) mailbox with the same SMTP address;
  4. Add the DG's legacyExchangeDN as an X500 address to the new mailbox.
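The four steps above as one Exchange Management Shell script, added here as an example and not code from the article. It assumes an Exchange Management Shell session; the group name is passed as a parameter, and secondary proxy addresses are carried over as well, which goes slightly beyond the steps listed.

```powershell
# Added example (not from the article): converts a distribution group into a
# shared mailbox while preserving its legacyExchangeDN as an X500 proxy address.
# Assumes an Exchange Management Shell session; $GroupName is the DG's identity.
param(
    [Parameter(Mandatory = $true)][string]$GroupName,
    [string]$Database   # optional; omit to let automatic mailbox provisioning pick one
)

$dg = Get-DistributionGroup -Identity $GroupName -ErrorAction Stop

# 1. Record everything the new mailbox must inherit before the group is deleted.
$legacyDn = $dg.LegacyExchangeDN
$primary  = $dg.PrimarySmtpAddress.ToString()
$alias    = $dg.Alias
$display  = $dg.DisplayName
# Secondary smtp:/X500: proxies are kept too, so mail to old aliases still arrives.
$extraProxies = @($dg.EmailAddresses |
    ForEach-Object { $_.ToString() } |
    Where-Object { $_ -ne "SMTP:$primary" })
Write-Host "Recorded legacyExchangeDN: $legacyDn"

# 2. Delete the group. -Confirm:$false suppresses the prompt; drop it to be asked.
Remove-DistributionGroup -Identity $dg.Identity -Confirm:$false

# 3. Create the shared mailbox with the same primary SMTP address. If this fails
#    because the address is "already in use", wait for AD replication and retry.
$mbxParams = @{
    Name               = $display
    DisplayName        = $display
    Alias              = $alias
    PrimarySmtpAddress = $primary
    Shared             = $true
}
if ($Database) { $mbxParams.Database = $Database }
$mbx = New-Mailbox @mbxParams -ErrorAction Stop

# 4. Add the old legacyExchangeDN as an X500 address, plus any other proxies.
$toAdd = @("X500:$legacyDn") + $extraProxies
Set-Mailbox -Identity $mbx.Identity -EmailAddresses @{ Add = $toAdd }

# Verify: without the X500 entry, cached Outlook/OWA entries will NDR (5.1.1).
$check = (Get-Mailbox -Identity $mbx.Identity).EmailAddresses |
    Where-Object { $_.ToString() -eq "X500:$legacyDn" }
if (-not $check) { throw "X500 address was not added to $($mbx.Identity)" }
Write-Host "Converted $GroupName to shared mailbox $($mbx.PrimarySmtpAddress)"
```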


I am not going into detail of what the legacyExchangeDN is and how or why it is used as this is already well documented all over the Internet. As a quick overview, the auto-complete cache in Outlook and in OWA uses the value of the legacyExchangeDN attribute to route email messages internally. If the value changes, the delivery of email messages may fail with a 5.1.1 NDR.
 
If you have already deleted the DG and have no way of retrieving its legacyExchangeDN, you have two options:
  1. Clear the auto-complete cache (straightforward, but most of the time not the best approach);
  2. Manually create an X500 proxy address for the DG's old legacyExchangeDN.

To create an X500 proxy address, use an NDR you received when emailing the DG, which contains the recipient's address, such as:
IMCEAEX-_O=LetsExchange_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=f6a32c0ab0e64f33b2a7b3f9a48c2da6@nunomota.pt

From here, make the following changes based on the recipient address in the NDR:
  • Replace any underscore character (_) with a slash character (/);
  • Replace "+20" with a blank space;
  • Replace "+28" with an opening parenthesis character;
  • Replace "+29" with a closing parenthesis character;
  • Delete the "IMCEAEX-" string;
  • Delete the "@nunomota.pt" string;
  • Add "X500:" at the beginning.

After you make these changes, the proxy address will look similar to:
X500:/O=LetsExchange/OU=Exchange Administrative Group (FYDIBOHF23SPDLT)/CN=Recipients/CN=f6a32c0ab0e64f33b2a7b3f9a48c2da6
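The same transformation as a PowerShell function, added here as an example that is not part of the article. It generalizes the replacement list slightly: any "+XX" pair is decoded as a hex-escaped character, which covers +20, +28 and +29 plus any other escaped character in the same scheme; the sample NDR text is constructed around the address quoted above.

```powershell
# Added example (not from the article): turns the IMCEAEX recipient from an NDR
# into the X500 proxy address to add to the new mailbox.
function ConvertFrom-ImceaexAddress {
    param([Parameter(Mandatory = $true)][string]$Imceaex)

    # Drop the IMCEAEX- prefix and the domain suffix (everything after the last @).
    $body = $Imceaex -replace '^IMCEAEX-', ''
    $at = $body.LastIndexOf('@')
    if ($at -lt 0) { throw "Not an IMCEAEX address: $Imceaex" }
    $body = $body.Substring(0, $at)

    # Underscores separate the DN components; restore the slashes.
    $body = $body -replace '_', '/'

    # "+XX" is a hex-escaped character: +20 = space, +28 = '(', +29 = ')', and so on.
    $body = [regex]::Replace($body, '\+([0-9A-Fa-f]{2})',
        { param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16) })

    # Casing follows the NDR; X500 matching is case-insensitive, so the article's
    # mixed-case version and this upper-case one resolve to the same recipient.
    return "X500:$body"
}

# Pulls every IMCEAEX address out of a pasted NDR body and converts them all.
function Get-X500FromNdr {
    param([Parameter(Mandatory = $true)][string]$NdrText)
    [regex]::Matches($NdrText, 'IMCEAEX-[^\s<>"]+@[^\s<>"]+') |
        ForEach-Object { ConvertFrom-ImceaexAddress $_.Value } |
        Select-Object -Unique
}

# Constructed sample NDR text, built around the address quoted in the article.
$sample = @'
Delivery has failed to these recipients or groups:
IMCEAEX-_O=LetsExchange_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=f6a32c0ab0e64f33b2a7b3f9a48c2da6@nunomota.pt
'@
Get-X500FromNdr $sample
```

The resulting string can be handed straight to Set-Mailbox -EmailAddresses @{Add="..."} on the replacement mailbox.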

Friday, May 15, 2015

Create Folder on Users’ Mailboxes

One might think that the Exchange Online and Exchange 2013 New-MailboxFolder cmdlet would allow administrators to create folders in other users' mailboxes. Unfortunately, this is not the case...
 
Basically, RBAC (Role Based Access Control) only allows administrators to run this cmdlet against their own mailbox. As we can see below, RBAC has an implicit recipient read and write scope set to Self:
 
So can we create a new role based on MyBaseOptions and update the ImplicitRecipientReadScope to OrganizationConfig? Once again, unfortunately no... You see, if you read the "Understanding management role scopes" TechNet article, it states that:
 
You can't change the implicit scopes defined on management roles. You can, however, override the implicit write scope and configuration scope on a management role. When a predefined relative scope or custom scope is used on a role assignment, the implicit write scope of the role is overridden, and the new scope takes precedence. The implicit read scope of a role can't be overridden and always applies.
 
By the way, the exact same thing applies to the Get-MailboxFolder cmdlet... The good news for this cmdlet is that we can simply use the Get-MailboxFolderStatistics cmdlet to list all folders in any mailbox we want.
 
 
So, as far as I know, there is nothing we can do to make this cmdlet work for mailboxes the administrator does not own. So is there a way to create folders for other users? Yes, using an Exchange Web Services (EWS) script! :)
 
I have written a few EWS scripts to perform certain actions on mailboxes that are not possible using the native Exchange cmdlets. To achieve this, I am not going to re-invent the wheel as there is already a great script by David Barrett to do exactly what we want. For more information on his script, please check his blog article PowerShell: Create folders in users' mailboxes.
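For readers who want to see the EWS route in a few lines, the following is an added example written for this page; it is neither the article's code nor David Barrett's script. It assumes the EWS Managed API 2.2 DLL at its default install path and an admin account holding the ApplicationImpersonation role; the mailbox and folder names are parameters.

```powershell
# Added example (not the article's or David Barrett's code): creates a folder
# under another user's Inbox through EWS impersonation, skipping it if present.
# Assumes the EWS Managed API 2.2 DLL path below (adjust to your install).
param(
    [Parameter(Mandatory = $true)][string]$Mailbox,      # target user's SMTP address
    [Parameter(Mandatory = $true)][string]$FolderName,
    [string]$EwsDll = 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'
)
Add-Type -Path $EwsDll

$svc = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService(
    [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013)
$svc.UseDefaultCredentials = $true      # runs as the logged-on admin account
$svc.ImpersonatedUserId = New-Object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId(
    [Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $Mailbox)
# The callback accepts any Autodiscover redirect; restrict it to known hosts in production.
$svc.AutodiscoverUrl($Mailbox, { $true })

# Idempotency check: FindFolders under the Inbox for an exact display-name match.
$inbox  = [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox
$filter = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo(
    [Microsoft.Exchange.WebServices.Data.FolderSchema]::DisplayName, $FolderName)
$view   = New-Object Microsoft.Exchange.WebServices.Data.FolderView(1)
$found  = $svc.FindFolders($inbox, $filter, $view)
if ($found.TotalCount -gt 0) {
    Write-Host "Folder '$FolderName' already exists in $Mailbox"
    return
}

# Create a mail folder (IPF.Note) directly under the Inbox.
$folder = New-Object Microsoft.Exchange.WebServices.Data.Folder($svc)
$folder.DisplayName = $FolderName
$folder.FolderClass = 'IPF.Note'
$folder.Save($inbox)
Write-Host "Created '$FolderName' in $Mailbox (Id: $($folder.Id.UniqueId))"
```

Because the folder is created under the impersonated user's identity, the action shows up against that mailbox rather than the admin's, which is what you want in audit trails.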

Wednesday, May 6, 2015

Exchange 2013 EAC Performance Console

Almost 3 years ago, on my Exchange 2010 ECP Performance Console article on MSExchange.org, I explored the Performance Console of the Exchange Control Panel in Exchange 2010. Did you know that this console is still present in Exchange 2013?
 
This console, which is not visible by default, provides numerous counters regarding the performance of the EAC. We can use it to check how long it takes to authenticate a user, how many PowerShell cmdlets have been invoked, how long the server took to process requests, and much more.
 
To enable it, we have to manually edit the web.config file located at:
%ExchangeInstallPath%\V15\ClientAccess\ecp\web.config
 
Open the file with Notepad and look for the "appSettings" section, right in the first few lines. In there we will find the following key:
 
<!-- Set ShowPerformanceConsole to "true" to show ECP's Perf Console: -->
<add key="ShowPerformanceConsole" value="false" />
 
 
As the comment explains, all we have to do to enable the console is update the value of the ShowPerformanceConsole key from false to true. Save the file, run the usual IISRESET /NOFORCE to restart IIS and we are good to go!
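The same change scripted, as an added example that is not from the article: it backs up web.config, flips the key through the XML DOM rather than a text edit, and runs the same IISRESET. It assumes the path the article gives; if your $env:ExchangeInstallPath already ends in \V15\, drop the extra V15 segment.

```powershell
# Added example (not from the article): enables or disables the ECP Performance
# Console by editing the ShowPerformanceConsole appSettings key in web.config.
param([bool]$Enable = $true)

# Path as given in the article; adjust if ExchangeInstallPath already includes V15.
$webConfig = Join-Path $env:ExchangeInstallPath 'V15\ClientAccess\ecp\web.config'
if (-not (Test-Path $webConfig)) { throw "web.config not found at $webConfig" }

# Back up first: IIS reads this file on every application-pool start.
$backup = "$webConfig.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
Copy-Item -Path $webConfig -Destination $backup

[xml]$cfg = Get-Content -Path $webConfig -Raw
$node = $cfg.configuration.appSettings.add |
    Where-Object { $_.key -eq 'ShowPerformanceConsole' }
if (-not $node) { throw 'ShowPerformanceConsole key not present in appSettings' }

$desired = if ($Enable) { 'true' } else { 'false' }
if ($node.value -eq $desired) {
    Write-Host "ShowPerformanceConsole is already $desired; nothing to do."
    return
}
$node.value = $desired
$cfg.Save($webConfig)
Write-Host "ShowPerformanceConsole set to $desired (backup: $backup)"

# Same restart the article uses; /NOFORCE lets in-flight requests finish.
iisreset /noforce
```

Exchange Cumulative Updates replace web.config, so the setting has to be re-applied after each CU.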
 
If we now log in to the EAC, we will have a Performance console link:
 
Clicking on this link opens the console itself:
 
 
To learn more about this console, check my Exchange 2010 ECP Performance Console article at MSExchange.org.

Updating AADSync Scheduled Task

If you ever need to update AADSync's scheduled task, it is likely that you will need to update the credentials it runs under. If you do that without assigning the correct permissions, you might get the following error message:
 
This is because the account used does not have the required permissions. Make sure you add it to the local Admins group and to the local ADSyncAdmins group.
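An added example, not from the article, that checks the two local group memberships before re-pointing the task at the new account. It assumes the AADSync task is named "Azure AD Sync Scheduler" (the name on a default install, passed as a parameter so it can be changed) and that the account is given as DOMAIN\user.

```powershell
# Added example (not from the article): verifies the run-as account is in the
# local Administrators and ADSyncAdmins groups, then updates the task credential.
param(
    [Parameter(Mandatory = $true)][string]$Account,            # DOMAIN\user
    [string]$TaskName = 'Azure AD Sync Scheduler'              # assumed default name
)
$domain, $user = $Account.Split('\', 2)

function Test-LocalGroupMember {
    param([string]$Group, [string]$Domain, [string]$User)
    # ADSI WinNT provider works on older hosts without the LocalAccounts module.
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $paths = @($grp.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
    # Member paths look like WinNT://DOMAIN/user; -like is case-insensitive.
    return [bool]($paths -like "WinNT://$Domain/$User")
}

$missing = @()
foreach ($g in 'Administrators', 'ADSyncAdmins') {
    if (-not (Test-LocalGroupMember -Group $g -Domain $domain -User $user)) {
        $missing += $g
    }
}
if ($missing) {
    throw "Add $Account to local group(s) $($missing -join ', ') before updating the task."
}

# Only now change the account the task runs under.
$cred = Get-Credential -UserName $Account -Message 'Password for the AADSync run-as account'
Set-ScheduledTask -TaskName $TaskName -User $Account `
    -Password $cred.GetNetworkCredential().Password | Out-Null
Write-Host "Task '$TaskName' now runs as $Account"
```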