7.2 Managing Microsoft Exchange Mailboxes

The Active Directory driver can be configured to create, move, and delete Microsoft Exchange mailboxes for users in Active Directory. Mailboxes are managed by setting and removing the value of the homeMDB attribute on the user object. This attribute holds the Distinguished Name of the Exchange Private Message Database (MDB) where the mailbox resides. The driver manages mailboxes only on Exchange servers that are in the same domain as the driver.

There are several different ways to manage Exchange mailboxes. The default configuration manages mailboxes through policy decisions made in the Subscriber Command Transformation policy. When a user meets the given conditions, a mailbox is created, moved, or removed. The import file gives you three choices for mailbox management:

When you use the entitlement method for provisioning, a user is granted or denied a mailbox based on the entitlement set on the user in the Identity Vault. The entitlement holds the Distinguished Name of the MDB and a state value that tells the driver whether the entitlement is granted or revoked. The entitlement itself is managed by the User Application or the Role-Based Entitlements driver. In either case, the external tool grants (or revokes) the right to the mailbox, the Subscriber Command Transformation policy translates that right into an add-value or remove-value on the homeMDB attribute, and the driver shim translates the change to homeMDB into the proper calls to the Exchange management system.

If you are using entitlements and have multiple MDBs in your organization, you use the User Application to decide which MDB is to be assigned to a given user. The role of the Identity Manager driver is to respond to the entitlements placed on the user object, not to put them there. If you are using the User Application, you are given a list of Exchange MDBs to choose from as the workflow item flows through the approval process. If you are using Role-Based entitlements, the MDB is assigned to the group that holds the role for the user.

When you use the policy-based method for provisioning, the Subscriber Command Transformation policy uses information about the state of the user object in the Identity Vault to assign the MDB. The driver shim translates the change into the proper calls to the Exchange management system. The default policy uses a simple rule for assigning the mailbox. It assumes that there is only one MDB and that all users that have come this far through the policy chain should be assigned to that MDB. Because the rules for assigning different MDBs vary widely from company to company, the default configuration does not attempt to establish a “right way” of doing it. You implement your own policies simply by changing the default assignment rules. You use DirXML® Script if statements to define the conditions for mailbox assignments and the do-set-dest-attribute command for the homeMDB attribute to effect the change. You can get a list of Exchange MDBs by using the ADManager.exe tool or by your own means.
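The following DirXML Script fragment is an added illustration of the policy-based method described above; it is not the driver's shipped default policy. It replaces the single-MDB assumption with two rules: one assigns an MDB according to the user's OU attribute, the other clears homeMDB when the account is disabled so the mailbox is removed. The OU values, the use of Login Disabled as the removal trigger, and the MDB Distinguished Names are assumptions and placeholders; substitute the MDB DNs you obtained with ADManager.exe or your own query.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a Subscriber Command Transformation rule set (not the driver's default policy). -->
<policy>
  <rule>
    <description>Assign homeMDB by department OU (illustrative condition)</description>
    <conditions>
      <and>
        <!-- Only act on User objects being added or modified on the Subscriber channel. -->
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <!-- Assumed: the department is carried in the OU attribute of the Identity Vault user. -->
        <if-op-attr mode="nocase" name="OU" op="equal">Sales</if-op-attr>
      </and>
    </conditions>
    <actions>
      <!-- Placeholder DN: replace with the real MDB DN from your Exchange configuration. -->
      <do-set-dest-attr-value name="homeMDB">
        <arg-value type="string">
          <token-text xml:space="preserve">CN=SALES-MDB-DN-PLACEHOLDER,CN=InformationStore,CN=SERVER-PLACEHOLDER,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=ORG-PLACEHOLDER,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com</token-text>
        </arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>
  <rule>
    <description>Fallback: every other user goes to the default MDB</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-op-attr mode="nocase" name="OU" op="not-equal">Sales</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-set-dest-attr-value name="homeMDB">
        <arg-value type="string">
          <token-text xml:space="preserve">CN=DEFAULT-MDB-DN-PLACEHOLDER,CN=InformationStore,CN=SERVER-PLACEHOLDER,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=ORG-PLACEHOLDER,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com</token-text>
        </arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>
  <rule>
    <description>Remove the mailbox when the account is disabled (assumed trigger)</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <!-- Assumed: a disabled Identity Vault account should lose its mailbox. -->
        <if-op-attr mode="nocase" name="Login Disabled" op="equal">true</if-op-attr>
      </and>
    </conditions>
    <actions>
      <!-- Clearing homeMDB is what tells the shim to remove the mailbox. -->
      <do-clear-dest-attr-value name="homeMDB"/>
    </actions>
  </rule>
</policy>
```

Rule order matters: the assignment rules run on every user command that reaches this point in the policy chain, so the disable rule is placed last to override any assignment made earlier in the same policy. Because each rule writes homeMDB unconditionally when its conditions match, test the conditions against a disabled user, a user with no OU value, and a user changing departments before deploying, since each of those cases produces a mailbox create, move, or remove on the Exchange side.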

When it is not managing Exchange mailboxes, the driver will synchronize the user’s e-mail address and mail nickname.

There are other ways to manage the Exchange mailbox. For instance, you could extend the schema of the Identity Vault to hold the homeMDB information and use basic data synchronization to assign the mailbox to the user in Active Directory. In this case, you would use your own tool to make assignments in the Identity Vault.

The default policy works well for simple mailbox assignment to a single MDB. If you want the policy to reflect more complex rules demanded in your environment, the policy must be changed.