Automating User Mailbox Creation

The trick to creating Exchange 2000 user mailboxes via scripting is in the CDOEXM libraries.

Bill: Is there a way to create a mail-enabled user account in Windows 2000 with a VB script? I wrote a script that creates the account, places the account in the right OU, creates an e-mail address and places the user in the right group. I can't figure out the mail-enable part. There must be a way to do this all in one script.
—Eric

Eric: I'm going to assume that you're using Exchange 2000 since you used the expression "mail-enable" the user. I'm also going to assume that you mean "mailbox-enable" the user rather than just assigning an SMTP address to the account.

The trick to creating a user mailbox is to run your code on a machine with the Exchange admin tools installed so you can get access to the CDOEXM libraries. You can run the script on an Exchange server or you can install the Exchange tools on your workstation. Then, all you need to do is add a few lines to your script that define the mailbox server for the user and create the mailbox.

You'll need to know the Distinguished Name of the mailbox store. The simplest way to get this is to copy the HomeMDB attribute of an existing mailbox-enabled user as long as the new users you create will use the same mailbox server. Dump the attributes of an existing user using the LDP browser from the Support Tools or use LDIFDE with the following syntax:

ldifde -d cn=existinguser,ou=someou,dc=domain,dc=root -f con

The -f con directs the output to the console. Here's an example for a user
called Tom Hanks in the standard Users container in a domain called
Company.com:

ldifde -d "cn=tom hanks,cn=users,dc=company,dc=com" -f con

Here's an example of the listing:

HomeMDB: CN=Mailbox Store (W2K3-EX1),CN=First Storage Group,
 CN=InformationStore,CN=w2k3-EX1,CN=Servers,CN=Phoenix,
 CN=Administrative Groups,CN=company,CN=Microsoft Exchange,
 CN=Services,CN=Configuration,DC=company,DC=com

You said that your script already created the user account, but just for the sake of example, here's some quick ADSI code that creates a new user object in Active Directory under the default Users container:

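userName = "Tom Hanks"
tempPassword = "Green$Mile"   ' sample value only; don't hard-code real passwords
UPNDomain = "@company.com"    ' UPN suffix for the example domain

' Keep the original case for the name attributes;
' only the logon name is forced to lower case.
splitName = Split(userName, " ")
firstName = splitName(0)
lastName = splitName(1)
logonName = LCase(Left(firstName, 1) & lastName)
upnName = logonName & UPNDomain

Set RootDSE = GetObject("LDAP://RootDSE")
domainDN = RootDSE.Get("DefaultNamingContext")
Set userContainer = GetObject("LDAP://cn=users," & _
   domainDN)

' Create the object and commit it so the remaining
' attributes and the password can be set on it.
Set newUser = userContainer.Create("user", "cn=" & _
   userName)
newUser.SamAccountName = logonName
newUser.Put "userPrincipalName", upnName
newUser.SetInfo

newUser.FirstName = firstName
newUser.LastName = lastName
newUser.DisplayName = userName
newUser.Description = "Test User"
newUser.AccountDisabled = False
newUser.SetPassword tempPassword
' Force the user to replace the temporary password at first logon.
newUser.Put "pwdLastSet", 0
newUser.SetInfo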

Okay, here's where we create the user's mailbox. The trick here is remembering that VBScript doesn't know diddly about an ADSI object or a CDOEXM object, so you can create a new instance of the ADSI object and use it with a CDOEXM method call and it all "just works." Here's the code:

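' Each line of the DN must be a complete string literal joined
' with "& _"; a continuation character inside the quotes causes
' an "Unterminated string constant" compilation error.
MBXStoreDN = "CN=Mailbox Store (W2K3-EX1)," & _
   "CN=First Storage Group," & _
   "CN=InformationStore,CN=w2k3-EX1," & _
   "CN=Servers,CN=Phoenix," & _
   "CN=Administrative Groups,CN=company," & _
   "CN=Microsoft Exchange," & _
   "CN=Services,CN=Configuration,DC=company,DC=com"

' The same ADSI user object exposes the CDOEXM mailbox methods.
Set exchUser = newUser
exchUser.CreateMailbox MBXStoreDN
exchUser.SetInfo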

At this point, wait a little bit for the Recipient Update Service to apply
the SMTP address onto the user and you're ready to send mail to the account.
You can check the attributes in Active Directory Users and Computers.
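
The following is an added example, not code from the original column: it mailbox-enables an account that already exists by reading homeMDB from a template user instead of pasting the DN, refuses accounts that already have a mailbox, and then polls until the Recipient Update Service has stamped the SMTP address. The two DNs (including the "meg ryan" account) and the polling constants are assumptions made for the article's sample domain.

```vbscript
' Added example (not from the article): mailbox-enable an EXISTING user.
' Both DNs are constructed placeholders for the sample Company.com domain.
Option Explicit
Const TEMPLATE_DN = "cn=tom hanks,cn=users,dc=company,dc=com"
Const TARGET_DN = "cn=meg ryan,cn=users,dc=company,dc=com"
Const POLL_SECONDS = 15
Const MAX_POLLS = 20

Dim templateUser, targetUser, storeDN, existingStore, smtp, i

' Read the mailbox store DN from a user who already has a mailbox.
Set templateUser = GetObject("LDAP://" & TEMPLATE_DN)
storeDN = templateUser.Get("homeMDB")

' Bind through LDAP://, not WinNT://, so the CDOEXM extension is available.
Set targetUser = GetObject("LDAP://" & TARGET_DN)

' Refuse to touch an account that is already mailbox-enabled.
On Error Resume Next
existingStore = targetUser.Get("homeMDB")
If Err.Number = 0 Then
    WScript.Echo "Already has a mailbox in: " & existingStore
    WScript.Quit 1
End If
Err.Clear

' CreateMailbox fails here if the Exchange admin tools are not installed.
targetUser.CreateMailbox storeDN
If Err.Number = 0 Then targetUser.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Mailbox creation failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 2
End If

' Poll until the Recipient Update Service stamps the SMTP address.
For i = 1 To MAX_POLLS
    WScript.Sleep POLL_SECONDS * 1000
    Err.Clear
    targetUser.GetInfo
    smtp = targetUser.Get("mail")
    If Err.Number = 0 Then
        WScript.Echo "Ready: " & smtp
        WScript.Quit 0
    End If
Next
WScript.Echo "No SMTP address yet; check the Recipient Update Service."
WScript.Quit 3
```

Run it with cscript so the exit code (0 ready, 1 already enabled, 2 creation failed, 3 address not stamped) can be checked by a calling batch job.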

Let me know how this works for you...

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.

Reader Comments:

Thu, Oct 1, 2009 Drew Lawrence, KS

I'm running a script very very similar to this, all the syntax is correct, everything runs beautifully...however, the user cannot receive mail!!! I get a bounce back saying it could not be delivered. However, when I log on as the user in our webmail system and SEND mail it works. Just cannot receive!! Any ideas???

Wed, Jul 5, 2006 phil Anonymous

When I use your MBXStoreDN code I get the following error:

D:\Scripting\ad\createusers.vbs(204, 38) Microsoft VBScript compilation error: Unterminated string constant

It points to this part of the code:

MBXStoreDN = "CN=Mailbox Store (maiulserver1), _ (the underline)

Any idea how to fix?

thanks

Tue, May 9, 2006 Chris Anonymous

This is the most concrete how to on programmatically adding mail enabled users to active directory that I've seen and I've spent the last couple of days researching this. The "ldifde -d" command is great. That alone tells you just about everything you need to know in creating User objects in active directory. Thanks.

Wed, Apr 19, 2006 Anonymous Anonymous

Remember to run it on an Exchange server or on a server with the Exchange Admin tools!

Wed, Apr 6, 2005 Anonymous Anonymous

Excellent

Tue, Mar 23, 2004 Mario Emond France

Excellent! Clear and simple. Just a problem that I don't have a solution for at the moment. I have 3 Exchange servers, 5.5, 2000 and 2003 (uni-directional); we are migrating all accounts to the 2003. When I try that method, I got an error message when I create the mailbox... "there is no Connection Agreement configure to export this ricipient to the exchange 5.5 server. ID no: c1034a1b". The Exchange server should be turned off in 3 months, but in the meantime I need to bypass this warning to create mailboxes on the 2003 server. Does someone have an idea???

Tue, Dec 23, 2003 Laurent Bardy Fribourg, Switzerland

I'm back... And I've found a solution to my problem. Finally! If you generate a new user account object with the following command (in the previous message there had been an HTML transcription problem in this forum; I actually wrote the following command, of course :) "exchUser := GetObject('WinNT://Server/UserName, User') as IADsUser" you get a COM object with a Windows NT 4.0 interface that has far fewer attributes and methods that can be used compared to a corresponding user account object with a Windows 2000 & AD interface. I have replaced this code with the following in order to get a user account object with a Windows 2000 interface and everything works fine now: exchUser := GetObject('LDAP://cn=LastName FirstName,OU=OuName,DC=DomainName1,DC=DomainName2,DC=DomainName3') as IADsUser;

Regards, Laurent

Tue, Dec 23, 2003 Laurent Bardy Fribourg, Switzerland

Excellent! Clear and simple. Just a problem that I've been searching for a solution to for hours. All code examples I've found FIRST create a user account and THEN create and attach a mailbox container to it. Unfortunately it does not work for existing user accounts to which you want to add a new mailbox at a later time. When you write the critical code (for ADSI and CDOEXM object aggregation) 'exchUser := newUser As IMailBoxStore;' (Delphi) (corresponding to 'Set exchUser = newUser' in VB), assuming that exchUser contains a user account created earlier in another process (for example with 'exchUser := GetObject('WinNT:///, User') as IADsUser'), you get (in Delphi, but it should certainly also be the case in VB) the following error: "Interface not supported". I'd like to add to my application a command to create and attach a mailbox to an already existing user account at a later time. But because of this error it doesn't work. Any idea? Many thanks!

Laurent Bardy, Fribourg, Switzerland

Wed, Oct 22, 2003 Keith LA

There is a great script for this on the "Windows Scripting Solutions" website. But you have to be a subscriber to see it. My question... we are running W2k AD. We have a 2-way trust to another domain. They are not in our AD. We create the AD account and mailbox on our end and then disable the AD account; the mailbox stays active. Under the security tab we need to grant send as and receive as permissions to the user account in the other domain. How do you set those permissions? Also, under the mailbox rights tab, we need to add that user account and an admin account from the other domain to have full mailbox rights. The user account also needs to have the external account checked. How do you do that? Here is an example of some of my code I was trying. Thanks for any help.
'set read access under security tab.
Set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee = "dnrdomain\" & TrusteeName
objACE1.AccessMask = ADS_RIGHT_GENERIC_READ
objACE1.AceFlags = 0
objACE1.AceType = ADS_ACETYPE_ACCESS_ALLOWED

'Adds Receive_as rights to the account in the dnrdomain under security tab
Set objACE3 = CreateObject("AccessControlEntry")
objACE3.Trustee = "dnrdomain\" & TrusteeName
objACE3.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
objACE3.AceFlags = 0
objACE3.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE3.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE3.ObjectType = RECEIVE_AS

Wed, Oct 22, 2003 Anonymous Anonymous

Excellent

Wed, Oct 22, 2003 Sunny Sharma London

Hi Bob,

Great Article! I have an additional line of code that will enable the immediate exchange logon attribute. This allows eager users to logon straight away and not have to wait for the RUS to completely finish what it has to do!

' Enable immediate-logon for the user
exchUser.Put "msExchUserAccountControl", 2

exchUser.SetInfo

The RUS will still need to do its thing, but I find that this helps.

Regards,

Sunny ;-)

Tue, Oct 21, 2003 Anonymous Anonymous

Excellent

Tue, Oct 21, 2003 Anonymous Anonymous

good
