The question was recently posed on a mailing list asking whether there was any book that covered the Exchange 2003 security model in depth.

The question came up for the poster because of a recent video that is making the rounds on youtube and elsewhere (http://www.thewebsiteisdown.com). In that video, an errant system administrator deletes a message from his bosses Sent Items folder, so that the boss cannot verify that the administrator was told something specific.

Can that happen??? Well - yes. And it isn't unique to Exchange Server. And yes, that administrator should be fired.

A savvy Exchange administrator, who also has appropriate permissions in Active Directory, can assign herself permissions at any level of an Exchange organization - per mailbox, per mailbox store, per storage group, per server, or for the entire Exchange organization.

While the backend permission sets have expanded dramatically in Exchange Server 2007, the store and user permissions are still quite similar to Exchange Server 2003. There are three whitepapers at Microsoft that can help you learn about the various permissions and how they work within themselves and within Active Directory:

Exchange Server 2003 Technical Reference Guide

Working with Active Directory Permissions in Microsoft Exchange Server 2003

Working with Store Permissions in Microsoft Exchange 2000 and 2003

Another resource is Alain Lissoir's web site. Alain wrote a couple of great white papers on scripting in Exchange 2000 and 2003 and they contain some excellent security related resources.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

I'm in the process of tech-reviewing an important book (you'll want it on your shelf once it is released), and one of the things I did today was spend a while figuring out how to do Attribute Scoped Queries in PowerShell. If you develop in C# or C++, or use adfind to do your searches, those tools have supported ASQs for a long time.

I use PowerShell quite a bit for Exchange Server 2007+ maintenance tasks, but I am no expert when it comes to all of the various .NET Framework classes and methods available. In the past, when you've needed to search for all the members of a particular group (using the 'member' attribute) or all of the members of a particular address list (using the 'showInAddressBook' attribute), those particular searches could be very slow and quite inefficient.

With the Windows Server 2003 Domain Functional Level, the ASQ capability becomes available. Using a DirectorySearcher object, you can specify a particular group or a particular address book or (anything else that leads to a multi-valued attribute) and execute an efficient search against the sources to find their components. In this example, you can easily find the members of the 'Domain Admins' group in your domain (note, this is an easy one - there are others that are likely more significant for you).

$group  = New-Object System.DirectoryServices.DirectoryEntry( `
    "LDAP://CN=Domain Admins,CN=Users,DC=essential,DC=local")
$source = New-Object System.DirectoryServices.DirectorySearcher

$source.SearchRoot  = $group
$source.SearchScope = [System.DirectoryServices.SearchScope]::Base
$source.Filter      = "(objectClass=*)"

$source.PropertiesToLoad.Add("member")
$source.PropertiesToLoad.Add("sAMAccountName")

$source.AttributeScopeQuery = "member"

$results = $source.FindAll()

$results

One caveat: when searching for members of a group, ASQ does not work for the primaryGroup! So if you do a search for "Domain Users", it is likely that you will receive no responses in your result. This is NOT an error.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

I've brought up a number of new clients on Exchange 2007 recently, and a common issue is this event log warning:

Event Type:      Warning
Event Source:    MSExchangeIS Mailbox Store
Event Category:  General 
Event ID:        1025
Date:            7/18/2008
Time:            10:26:40 AM
User:            N/A
Computer:        EXCHANGE
Description:
An error occurred on database "StorageGroup\Database".
 Function name or description of problem: Restrict/SetSearchCriteria
Error: 1162 Warning: fail to apply search optimization to folder (FID 4-3DBEABE)   Retrying without optimization. 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

If you spend time on Internet search engines, you'll find lots of bad advice about running an Isinteg to eliminate these, or running an offline defragmentation to get rid of these. At best, those are temporary solutions. I finally had seen so many of these, I asked Microsoft about them. Here is the answer from the horse's mouth:

You have an application that is trying to perform a search using restrictions against a users search folders and this could be a time based query, etc.We will do two types of searches (1 fast optimized search if the indexes are there, 1 slow find) which takes a long time and will chew up processor time for store if your user has a ton of items in their folders (more than 5,000 items per folder). This is just telling you that we are performing an un-optimized search against that table in the store. They cannot be suppressed.

In other words, ignore them. You may have users that have far too many items in their primary folders (Calendar, Tasks, Inbox, Sent Items, Deleted Items) and you can get rid of these messages if you get them to clean those up. But it may not be worth your time and energy.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

In 2004, I wrote an article Why Can't I Have Outlook and Exchange on the same Computer? It applied to versions of Exchange prior to Exchange Server 2007. When written, E12 (Exchange 2007) was still quite early in development at MSFT...

Today, times and situations have changed.

With Exchange Server 2007, in fact, the export-mailbox command is only supported on 32-bit machines. This means that you must run export-mailbox on a 32-bit Vista or XP computer where the Exchange Management Tools have been installed, along with Outlook! Amazing.

And, in fact, there are times where Outlook (or the CDO/MAPI binaries) will be required to be executed on an Exchange server to get certain tools to work, including OABinteg and MFCmapi.

Prior to Exchange Server 2007, installing Outlook on an Exchange Server would replace certain DLLs that Exchange required with stub libraries that Outlook used instead. This could break Exchange severely.

Those problem DLLs are gone in Exchange Server 2007. This gives us clear sailing for Outlook and Exchange on the same computer - both servers and workstations.

Thanks to Dave Goldman and Ben Winzenz, both of Microsoft, for answering my questions on this topic.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Almost everyone has, at one time or another, wished that you could have multiple copies of Outlook running at the same time. After all, opening another mailbox within Outlook doesn't give you windows toast and calendar pops, etc.

The standard answer has always been "run Outlook for your primary mailbox and use OWA for all the other mailboxes", which works; but well, OWA just isn't Outlook.

That's still the official answer.

However, early this year a hacker known as "H.O.G." (for HammerOfGod) released a tool known as ExtraOutlook! This tool actually modifies the Outlook executable and causes Outlook to NOT check to see if another Outlook is running.

If you are "plug-in free", this is a great tool and it works really well.

However, it confuses quite a number of plugins (such as Xonbi) that attempt to open a "default MAPI profile" and find two (or more) running instead of just one.

I'm sure that modifying the Outlook executable puts you straight in the "not supported" arena as well. But if you need the tool - you probably don't care.  :-)

Give it a go. No promises, but it has worked for me.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

I was recently (ok, this morning) trying to find out about a vbscript (actually WMI) error that I was getting, with little success. However, in doing so, I found this forum posting: http://www.tutorials-win.com/WindowsServer/Services-Windows/

This irritates me a great deal. Matheiu Chateau, whoever he is, has taken one of my scripts and taken the credit for it.

I originally published that script in 2006, in my blog posting Finding Services Using non-System Accounts. I am MORE than happy that people use it. And I'm MORE than happy that other people recommend it. But doing so without giving proper credit is just wrong. If I could've located an e-mail address for him, I would've written him a scathing e-mail.

grrr....

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

I don't often just link to another blog posting for MY blog posting, but this one deserves it. It's not new, but last year fellow Exchange MVP Glen Scales wrote a script which allows you to export large mailboxes to ANSI PSTs.

It does this by copying each item in a source mailbox to a destination PST; when the destination PST is too big (i.e., 1.8 GB in size) the PST is closed and a new one opened. So a mailbox of 10 GB would take 6 PSTs to dump.

In the past, the only real way to handle this with ANSI PSTs was to manually configure a date range for archiving, or selectively export specific folders. This is a real win!

So, see Glen's post: Exporting a mailbox larger then 2 GB and spanning it across multiple PST files with a script.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

On Exchange Server 2007, especially post service pack 1 (I ran into this problem while installing service pack 1 update rollup 2), it appears that some of the assemblies (that is, parts of the various Exchange programs) are "signed with Authenticode". This is basically a public/private key infrastructure (PKI) supported by Microsoft to allow people to verify that the various Exchange programs have not been tampered with.

At this moment, you are either thinking "So what?" or "Sounds like a good idea."

Personally, I'm in the "sounds like a good idea" camp. But I'm not sure that the concept is fully baked.

Consider this: part of any PKI infrastructure is a way to indicated when a particular key is no longer valid. Without going into too many PKI details, a key is normally called a "certificate" and the way you check the validity of a key is by seeing if the key is on a CRL - a certificate revocation list.

The first time a managed and signed assembly loads, Windows Server needs to check and see whether the key (certificate) the assembly is signed with is valid. How does it do that? By checking the CRL - at Microsoft. Specifically, at http://crl.microsoft.com/pki/crl/products/CSPCA.crl.

Even if you are in the "sounds like a good idea" camp, you may be asking "what's wrong with that"?

So I'll tell you - many environments do not allow their mailbox servers to talk to the internet (just to the hubs and to clients on specific networks). Many environments do not allow their hub transport servers to talk to the Internet (just to the mailbox and client access and e-mail gateway servers). Etc. etc. In fact, controlling and minimizing access using IPSec to specific servers has long been considered a best practice.

But it won't work with Exchange Server 2007 any more. When installing rollup 2 on a mailbox server, the "Microsoft Exchange Service Host" will fail to start. It will simply time out. No error messages. No log messages. No nothing.

I suspect that it could be any Exchange service that has this problem. This was just the one I happened to run into.

Debugging this was painful. Eventually, after a couple of hours, you do a "netstat -an" and say WTF???!!! in regards to a SYN-SENT to crl.microsoft.com and then you can start backtracking. This is not really documented directly (that is, that an Exchange server has to be able to access the Internet), but there is some information in KB 944752.

You may also find that if you are using a non-NAT proxy that this doesn't work for you. More on that in my next blog post.

Bottom line: after installing patches on your Exchange server, your Exchange server will have to "check in at home" before those patches can start running and you'll have to enable Internet access for that to happen. After they've "checked in", you can disable Internet access again.

What a management nightmare.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Update on June 19, 2008; for those folks who want for at least some of their Exchange servers to be fully isolated from the Internet, there is a workaround. See KB 936707. However, an easier (and apparently undocumented) workaround is to put crl.microsoft.com in your local hosts file - and point it to localhost (127.0.0.1)!

Sorry for the dead-silence this past week...between meetings and parties and certification tests and working and talking....it was a busy time at Tech-Ed.

(One of my editors is peeved at me - I missed a chapter deadline too!) :-(

So, I'm just going to ramble on here for a bit...

Lots of folks say that Orlando in June is just "too hot". I guess that depends on where you are coming from. I flew down from virginia, and I think that it was cooler in Orlando than it was in Virginia - of course, Virginia was going through a "heat wave". But I found Orlando quite comfortable for the entire week.

However - when I was doing my daily run (ok, it's a jog - I about three and a half miles a day and it takes me 45 minutes - you can figure out that I'm slow!) - there is no question that the humidity was higher. I always sweat - but not quite so much as I did there!

On Monday night, I met with an editor from O'Reilly Media plus a whole bunch of Active Directory folks - collectively "Team A/D" for O'Reilly (those that were present at Tech-Ed anyway). I'm doing tech.review on a couple of A/D books these days. There were some old faces and some new faces - a really good time with a bunch of geeks. Speaking of geeks - expect to hear about GEEC '09 this week from those fine folks at NetPro who bring you DEC (Directory Experts Conference).

Tech-Ed itself ran Tuesday through Friday. I won't bore you with what you've probably already read elsewhere.

But, as expected, Windows 2008 was big news, IIS 7.0, and SQL 2008. Nothing surprising there. Hyper-V of course.

I spent a lot of time talking about deployments, upgrades, and migrations with lots of customers. I think the message behind read-only DCs and server-core has confused a bunch of folks; as has the "story" behind Hyper-V. Many people thought that with server-core coming that they HAD to use it. And lots of folks didn't understand that server-core doesn't support the .NET Framework (and thus it doesn't support PowerShell or the .NET extensions to IIS 7.0!).

Most folks also didn't understand that Hyper-V doesn't do much by itself - it takes an OS to layer on top of it. oh! And NT 4.0 is NOT supported on Hyper-V. That doesn't mean it doesn't work - but it isn't supported (ok ok - NT 4 isn't officially supported anyway - but this means that the Hyper-V folks have not "qualified" NT 4.0 to work properly on Hyper-V - if you want that, you have to stay with Virtual Server 2005).

During one of my talks about upgrade/migration, I went through the entire set of domain functional levels, forest functional levels, Exchange functional levels, and how Outlook functionality was impacted. My head hurt by the time I was done with that talk. It is downright confusing by this point.

I was able to meet and talk with the folks from AppAssure, who have a killer product in their Replay for Exchange. I hope to talk more about that in the future.

I met with the VP from Wiley/Sybex who signed me up for the book I'm working on right now. Unfortunately, I was never able to connect with my current editor for the book. :-(

I also had the fine fortune to be able to meet with Tony Davis of the Simple-Talk online journal. I hope to be able to start doing some work with him soon.

Unfortunately, I didn't get to meet with any of my contacts with Penton Media (the Windows IT Pro/Outlook IT Pro) folks, and Diane from EMO wasn't able to come to Tech-Ed this year.

There were lots of new products and lots of old products. I was shocked to see Syncsort. For no reason whatsoever, really. I can just remember using them in my mainframe days, over 20 years ago....they are still alive and well. I didn't know they had made the transition to client/server.

I took six certification tests while I was there. They offer Tech-Ed attendees a discount for taking tests onsite: $50 per test. So instead of $750 for those tests, I only paid $300. I wasn't able to schedule the final one I need: 70-620 (Vista) because of scheduling conflicts but once I take that one (week after next, I think), I'll also finish up the two Windows Server 2008 MCITP certifications. I'm already "MCITP: Enterprise Messaging Administrator", those two will add "MCITP: Enterprise Administrator" and "MCITP: Server Administrator".

I'm looking forward to the class-work for the Microsoft Certified Master programs. I hope they will fit in the budget of a self-employed consultant! (Check here if you haven't heard about the Master's programs: http://www.microsoft.com/learning/mcp/master/products/default.mspx#EZ).

After the conference I hung around Orlando for a couple of extra days just to relax. It was a good time. I look forward to it next year.

Enough rambling for today. I best go try to bill a few hours tonight to help pay for this trip!

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Later this afternoon I'll be hopping in my car and heading for the airport to travel to Orlando for Tech-Ed 2008 IT Pro.

I'll be part of "ask the experts". I signed up for Exchange and PowerShell - somehow I ended up in Server 2008??!!

Come by and say "hi"!

One of the mailing lists I read and occaisionally post on is named ActiveDir. A lot of heavy-hitters in the AD world hang-out around there. I've learned quite a bit by lurking there.

A recent poster had wanted to create a few thousand accounts for testing purposes, and have them all follow a certain format for the samaccountname, the mailnickname, and the e-mail address. That's tough to do with the standard tools (if you are on Exchange 2007, with "new-mailuser" this can be done in a couple of lines of PowerShell, but the poster was on Exchange 2000).

Joe Richards ('joe'), author of admod and adfind (two truly invaluable tools - if you don't have them, get them), said that his admod tool was perfect for this, and offered up the following command line (you'll have to scroll to the right to see it all):

admod -add -autobase 40:cn=Test,ou=test,dc=eng,dc=myco,dc=com -counterstart 23001 -bmod cn={{*cnt*}}_{{*name*}},{{*parent*}} -expand -csv -kerbenc samaccountname::{{*cnt*}}_{{*name*}} mailnickname::{{*cnt*}}_{{*name*}} unicodepwd::MyPassword1! objectclass::user useraccountcontrol::512 msExchHomeServerName::"::"/o=Org/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=mail1"

So the basic assumption here is that 40 users are going to be created in a particular OU. The name of the users are going to be of the format 230xx_Test, the accounts are going to be enabled, have a password set, have a mailnickname set, and a particular Exchange server set.

(By the way - setting mailnickname and msExchHomeServerName will cause RUS to stamp a user object on Exchange 2000 and Exchange 2003. It's not documented. SSSssshhhhh.)

What can you say? That's an amazing command line. But in his post, joe made a negative comment about PowerShell, so I had to respond. (Completely friendly rivalry there...)

Here is PowerShell code to do the same thing. As I shared in my response post - it's a few lines longer, but much easier to read!!! (If you wanted to do it all on one line - you could - but it would be impossible to read.)

function createUsers([string]$base,[string]$userPrefix,[string]$userSuffix,[string]$homeServer,[string]$password,[int]$baseCount,[int]$count)
{
	$objBase = [adsi]('LDAP://' + $base)
	[int]$top = $baseCount + $count
	for ([int]$i = $baseCount; $i -lt $top; $i++)
	{
		[string]$user = $userPrefix + $i.ToString() + $userSuffix
		$objUser = $objBase.Create("user", "cn=" + $user)
		$objUser.Put("sAMAccountName",       $user)
		$objUser.Put("mailNickName",         $user)
		$objUser.Put("msExchHomeServerName", $homeServer)
		$objUser.SetInfo()
		$objUser.psbase.Invoke("SetPassword",           $password)
		$objUser.psbase.InvokeSet("useraccountcontrol", 512)
		$objUser.psbase.CommitChanges()
	}
	$objBase = $null
}

createUsers 'ou=OUtest,dc=essential,dc=local' '' '_Test' `
	'/o=First Organization/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=WIN2003-EXCH' `
	'MyPassword1!' 23001 4

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Exchange has caught a lot of crap for publishing the fact that it doesn't work in branch office locations where only Windows Server 2008 read-only domain controllers (RODCs) are available. Exchange simply requires read-write domain controllers. It's a fact.

However, it's been a poorly kept secret that Windows XP and Windows Server 2003 don't work well either in branch locations with only RODCs. You have needed Vista or Windows Server 2008 in those locations for all things to be happy.

Until now: Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients. KB 944043 fixes many of the issues with Windows XP (service pack 2 or service pack 3 only) and Windows Server 2003 (service pack 1 and service pack 2).

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

If you want to write client applications to run on computers that use MAPI or CDO (for example, web servers) and you don't want to install (or can't install) either the Outlook client or the Exchange management tools, then you need to install the MAPI/CDO libraries.

These were released just last week for Windows Server 2008 and Windows Vista. You can get them here.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

We consultants help each other out, of course. I know Exchange and Active Directory pretty well, but put me in front of Citrix or a big T/S farm or a PKI implementation - heck, I'll scream for help without any qualms whatsoever.

So, a consultant I share favors with called me this week - quite perplexed.

He was working at a company and they were working on a hardware migration - Exchange Server 2003 to Exchange Server 2003. They had a 50 GB store and a few hundred mailboxes.

This company had an onsite junior technician who wanted to help out, so my comrade-in-arms had given this junior tech a list of things to do, in order to prepare for the migration. Off the junior tech went to do them...

...and he came back and said "all done, but would you move the mailboxes? I don't feel comfortable with that...."

So....a couple hundred mailboxes moved later, and no more mailboxes would move. <scratch head>

Outlook connects, but no e-mail is being delivered to or from those folks who have been moved. <scratch head some more>

<investigate, investigate, investigate>

<give up>

<IM Michael on MSN Messenger...hey dude....>

So I remote in, and five minutes later, I'm laughing so hard I almost split a gut.

The instructions my friend had given the junior tech. included how to install Exchange Enterprise and to install service pack 2.

Well, the junior tech. couldn't find the media for service pack 2. So, almost correctly, the junior tech. assumed he could just install Exchange Standard and set the registry key so that it would support a larger mailbox store.

So that's what he did. A perfectly good Exchange Standard install and he set the "Database Size Limit in Gb" to 75 - no problem for a 50 GB store.

BUT....(you knew this was coming, right?)

....wait for it....

he forgot to install service pack 2

So the store would mount...say oops! too big....dismount.

Lather, rinse, repeat.

The moral of the story? Well, I guess there are a couple:

1) Trust...but verify - ensure that what you think was done was actually done. Like Gregory House says, "People always lie." I would add - even when they don't mean to (it isn't always malicious).

2) Use your Event log. If it is telling you things that don't make sense - see moral 1. Occam's Razor almost always applies.

3) It's ok to ask your friends for help. :-)

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Over three years ago, a  particular publisher in the computer field contracted me to write a book - which I did. They paid me for it, but they chose to never publish it. It was written with Exchange Server 2003 service pack 1 in mind - as you read the text, keep in mind that it was written long before E12/Exchange 2007 was even in beta. Here is a chapter from that book. These scripts will usually work with Exchange Server 2007 - except when they use CDO, CDOEX, or CDOEXM.

It's taken me over a week to translate this from Word 2003 to web format. It's not as easy to do as I thought!

You can find some earlier versions of these scripts already on the blog. The ones in this chapter tend to be a bit better implemented and debugged.

Enjoy!

Scripting Tasks 

I am going to show you some tools that I use, based on VBScript, that were developed by leveraging reusable components. A reusable component only has to be developed once. The name “reusable component” is just a fancy way of saying “a small piece of a program”. If properly designed, then this small program can then be plugged in to a larger program and used many times by many different programs. My philosophy of programming has always been “be lazy—only do the job once”. Some people, including myself, would refer to this as "being efficient".

The concept of building programs with reusable components is not the same as the concept of these programs being “recipes” that you have to “cook up” to be worthwhile for your environment. For the most part, I’ve tried to ensure that they are useful to you, in and of themselves. To do that, the scripts tend to be a little bit longer than a recipe-type script might be. Don’t let that scare you off—just dive right in and go for it!

I choose to develop in VBScript, with an occasional foray into JavaScript, because the Windows Scripting Host (WSH) that includes those two languages has been built into every Windows operating system since Windows 2000. It is also available for download and installation into Windows NT 4.0 and Windows 98 (I hope you don’t run into those in your environment—but just in case you do, the download is at http://www.microsoft.com/downloads/details.aspx?FamilyID=0a8a18f6-249c-4a72-bfcf-fc6af26dc390&DisplayLang=en). Jscript is the name of the Microsoft implementation of JavaScript. Jscript is a fairly complete language, and can be somewhat challenging to use, as a beginner. VBScript is syntactically very similar to Visual Basic, and is about as easy to learn as Visual Basic. VBScript has some limitations, but because it is so easy to learn, is used in many places.

The mere fact that the VBScript and JavaScript languages are included in every modern version of the Windows operating system makes them, in my mind, the tools of choice. Add to that, Internet Explorer will allow these languages to be embedded into web pages for client control, and Internet Information Server (IIS) will interpret these languages on the server for server control—well, they win hands down (granted, JavaScript and ECMA Script are standards and Apache has an ASP module—but those are add-ons and not part of the base products). There are many proponents of the cross-platform languages Perl and Python, which have a large number of modules enabling them to interface quite well with Windows. However, they require a separate install on every workstation and server that will use them and interfacing them with IIS requires a number of extra steps. On the other hand, they are fully developed languages with greater capabilities than those present in VBScript and JavaScript, with a correspondingly larger resource footprint.

There is a comprehensive reference guide available for both VBScript and JavaScript at http://microsoft.com/scripting, along with a huge library of code samples and the truly excellent ScriptOMatic, which can help you generate scripts of almost any type. An excellent book is VBScript in a Nutshell, Second Edition by Paul Lomax, et al (O’Reilly Media).

The Microsoft Scripting Host (MSH), code-named Monad, will be the replacement for WSH. It is currently in beta. Support for Monad will be built into Exchange 12 and it is planned to come as an add-on to Windows Vista and Windows code-named Longhorn. However, even when Monad is released, older scripts should continue. New features may require use of Monad, but all features should continue to work for quite some time.

Each of the scripts found in this chapter can be found at the author’s home page: http://www.msmithhome.com/.

Understanding WSH

You will not learn everything you need to know on how to author scripts in this chapter, but you will learn something of my philosophy of writing scripts and some key points important to scripting.

Exchange Scripting Technologies

As Exchange Server has grown and matured as a product, the various tools available for modifying Exchange and its objects have grown and matured as well. These technologies include:

Reusable Components

I have developed these scripts (as indeed, I develop most of my scripts) using include files that contain some routines that I use over and over again. Doing this has a number of advantages:

constants.vbs

From this listing, you can determine that you’ll be seeing scripts containing modifications to Active Directory properties and that you’ll make some WMI calls. In order to run these scripts in your environment, you’ll need to specify the flat (NetBIOS) name of an Exchange server in your environment in the ExchServer constant. Only one script has the requirement of being run on an Exchange server.

ado.vbs