the ramblings of a crazed IT administrator
Posts tagged Exchange 2010
How to restrict a user from sending or receiving any emails
Mar 8th
I came across this interesting question over on technet last week:
Hi,
Is there a way to restrict Mailbox owner from sending internal and external mails?
Are there any restrictive permissions which can be set on the user object in AD which will deny the user from sending any mails from his mailbox. The user should be able to receive and read the mails from the mailbox.I have tried the option to set the sending limit of the user to 1 KB however i need to know if we can achieve this using permissions.
Mahendra
At first glance you may think that this is tricky to implement and requires messing around with permissions or server settings but as long as you are using Exchange 2007 or Exchange 2010 it is easy to implement (and more importantly, easy to manage!), and it is a great way to introduce how to work with Transport Rules.
Handy Exchange 2003 to Exchange 2010 Guide
Feb 19th
Just been reading this guide over at http://msexchangegeek.com and think that anyone who is planning an Exchange 2003 to Exchange 2010 migration should give it a read as it includes some additional steps to take that aren’t included in Microsoft’s Exchange Deployment Tool such as moving the OAB generation to the new server aswell as upgrading the address lists from LDAP filters to OPATH and upgrading Email Address Policies.
How to Restrict Access to Terminal Servers
Feb 3rd
After finally completing my Group Policy re-write for Windows 7 this week I have gone back to working on the plans for our migration to Exchange 2010. Currently we do use an Exchange 2003 server but only a few users are on it and it is only there to provide compatibility for a couple of specialised programs that are on our Terminal Servers. With the move to Exchange for all users possibly the biggest change will be that now all users have a Windows user account potentially allowing them access to the Terminal Servers when they shouldn’t have any.
In order to do this you could make use of the builtin group called ‘Remote Desktop Users’ which aslong as your using Windows 2003 R2 should have been setup when you installed the Terminal Servers role and by default has permission to connect remotely to any Terminal Server.
It is also possible to customise which users and groups can connect remotely to a Terminal Server so you make your life easier and reuse existing groups to control access, or setup multiple groups if you wanted to limit certain users from connecting to particular Terminal Servers. To do this you can either edit the Local Security Policy on each Terminal Server or apply the changes via Group Policy, the option you are looking for to set this via Group Policy can be seen below (the Local Policy method is also very similar to this and should be easy enough to find):
Enable the 'Allow log on through Remote Desktop Services' Option
Inside this you can add all the users and groups who should have remote access.
While this may seem like all that is needed and while all the users and groups specified can now logon to the Terminal Servers you apply this to you will likely also find that infact *any* user can still login to the Terminal Servers. To correct this we need to make one final change as by default anyone in the Users group can access the server due to the ‘Allow log on locally option’.
Remove the Users group from the 'Allow log on locally' option
While you might be concerned about the warnings given in the ‘Explain this’ tab advising you to not remove users, if you read the relevant section on the link provided it explains that it is safe to do this aslong as you dont remove important users from the list and aslong as users who should have access are granted permission to do so elsewhere.
Hopefully if this has all worked you now have a Terminal Services environment where only those users explicitly allowed can gain access.
Third time lucky
Jan 25th
Well, its been a few months since my old blog died when I cancelled the hosting and since I had to renew my domain this month I decided to go crazy and setup some new hosting and give this blogging thing another go.
Since I last posted anything i’ve started a new job, im now the systems administrator for www.interregs.com and www.lsi.edu. I get to play around with and manage all their servers (currently just 2 racks full but a third may arrive later this year when we deploy Exchange 2010 and WSS2010). All this is a great change of pace and a whole lot more fun than my previous job at www.cobweb.com, which, while teaching me a lot was a little too busy for my liking (try talking on the phone for 5-6 hours a day, 5 days a week!). While I do sometimes miss the chaos and banter of a busy office its certainly a lot nicer being my own master and I can finally start on my career path to becoming a BOFH 
So, as I trundle through the next few months/years(!?!), I’l be using this blog to post anything I find thats useful while I rollout our Windows 7 deployment, new Exchange 2010 server and then eventually a Sharepoint 2010 server aswell.
