Debug Mailbox Manager policy application

In this article, I will show you how to use LDP to determine which Mailbox Manager policy is being applied to a user's mailbox. I had to do this when I found that the wrong Mailbox Manager policy was being used.

First, some background information about Mailbox Manager. You probably already know this component, but a brief recap is useful and makes the walkthrough more complete.

Let's look at an example with two Mailbox Manager policies created within an Exchange organization. We will use a deliberately simple example to explain the debugging process. Imagine that there is a default policy, applied to all user objects, that deletes messages larger than 50KB in the Inbox folder. Now imagine a second policy that also deletes messages in the Inbox folder, but only messages larger than 100KB. The intention is to apply the second policy to members of the Managers group, who are allowed larger items but are still subject to a size limit. How this policy is targeted at the Managers group is covered below; it turns out to be the real reason the policies are not applied properly. Figure 1 shows what the Mailbox Manager - Inbox> 100KB policy looks like. The default policy has the same configuration, except that the size value (Size) is 50 instead of 100.

Figure 1: Policy to delete mail in the Inbox larger than 100 KB.

You may remember that recipient policies are applied in priority order, with priority 1 being the highest. The default policy has the lowest priority, meaning that it is evaluated last. Once a policy matches, no further policies are evaluated, so only a single policy can be applied. For example, if the Mailbox Manager - Inbox> 100KB policy has a priority of 1 and the Mailbox Manager - Inbox> 50KB policy has a priority of 2, then for any user who matches the filter rule of Mailbox Manager - Inbox> 100KB, messages larger than 50KB but smaller than 100KB will not be marked in their Inbox folder. In other words, the Mailbox Manager - Inbox> 50KB policy will not be applied to this user. Figure 2 shows our two policies in Exchange System Manager.

Figure 2: List of recipient policies.

Notice in Figure 1 that the policies are configured to move the marked messages to the Deleted Items folder, as well as to send a message to the affected user. The last part is to configure the schedule for the Mailbox Manager process and to have a report sent to the administrator each time the process runs. This is configured on the Mailbox Management tab of the server object's properties in Exchange System Manager, as shown in Figure 3.

Figure 3: Mailbox Manager schedule.

There are two users in this organization, named User1 and User2. User1 is a regular user, so messages larger than 50KB in the Inbox folder should be deleted. User2 is a member of the Managers group, for which messages larger than 100KB should be deleted. User2 currently has 3 unread messages in the Inbox: a 2MB message with a log file attached, a 95KB message with a compressed file attached, and finally a small 1KB message with no attachments. What happens when the mailbox management process next runs overnight? User2, as a manager, logs on the next day via Outlook Web Access and sees a screen like the one below.

Figure 4: Incorrect mailbox management processing.

As you can see, a message from the System Attendant tells User2 that messages larger than 50KB have been moved to the Deleted Items folder. Why is that? User2 is a member of the Managers group, so only messages larger than 100KB should be affected. Obviously the wrong policy is being applied, and below I describe a method for verifying which policy is actually in effect. Although the example above is quite simple, the basic principle is the same in more complex cases. The method uses the LDP.EXE program. You can find LDP.EXE in the Windows 2003 Support Tools, or on the Windows 2003 CD in the SupportTools folder.

Here's how to use LDP to verify which mailbox manager policy applies to a mailbox.

  1. Run LDP.EXE.
  2. Select the Connection menu, then select Connect from the options list displayed.
  3. In the Connect window, enter the name of a Domain Controller to connect to. All other settings are at default values. Click OK when done.
  4. Back at the main LDP window, you should now see that a connection has been made to the Domain Controller, as the right pane fills with information. Go to the Connection menu again, but this time use the Bind option.
  5. In the Bind window, enter the appropriate authentication information to bind to the Domain Controller, then click OK.
  6. Return to the LDP main screen again. The right pane will show that you have authenticated successfully, and the screen looks like the following.

Figure 5: LDP after connecting and binding successfully.

  7. Now, on the View menu, select Tree. In the Tree View window, leave the BaseDN field blank and click OK.
  8. The Active Directory hierarchy is now displayed in the left pane of the main LDP window. First expand the domain name by clicking on the + next to it. Next, continue to expand the objects in the following order until you reach Recipient Policies: Configuration, Services, Microsoft Exchange, your Exchange organization name, Recipient Policies. The result is shown in Figure 6.

Figure 6: LDP displaying the recipient policies.

  9. As you can see in Figure 6, just below the Recipient Policies container are our two example policies, named Default Policy and Mailbox Manager - Inbox> 100KB. A useful trick at this point is to clear the right pane of LDP, so that the useful information you will see shortly is easier to read. To clear it, go to the Connection menu, then select New.
  10. Now, go through each recipient policy in turn. Start with Default Policy by double-clicking it in the LDP window. As a result, the right pane of the window fills with a lot of information. The key line that we are interested in is the one that shows this policy's objectGUID, as shown in Figure 7.

Figure 7: objectGUID in Default Policy

  11. As you can see, the Default Policy objectGUID is 9c948cb6-784f-4521-b019-737064461c2a. Another trick in LDP is the ability to write the window content to a text file via the Save As option on the Connection menu. You can use this to build a text file of all objectGUID values for your policies.
  12. Now, repeat from step 10 for the remaining policies. In my case, the other policy's objectGUID is 307656c9-4a80-41c7-ab33-0ca5da6244e3.
  13. Once we have the two objectGUID values for the recipient policies, we need to verify which policy applies to User2's mailbox. To do this, we need to check the attributes on User2's account. Go back to the left pane of LDP and find the organizational unit (OU) containing the user account. In my case, this is the 'Exchange Users' OU.
  14. After you select and expand the Exchange Users OU, the list of user accounts within this OU is displayed in the left pane. As before, now is a good time to clear the right pane via the New option on the Connection menu.
  15. Double-click the appropriate user account, in my case User2. As before, the right pane of LDP will show a wealth of information about this account. The line we are interested in is the one that contains the msExchPoliciesIncluded attribute, as shown in Figure 8.

Figure 8: msExchPoliciesIncluded attribute.

  16. Notice from Figure 8 that the objectGUID of the Mailbox Manager - Inbox> 100KB policy (307656c9-4a80-41c7-ab33-0ca5da6244e3) is not shown. Only the GUID of the Default Policy is present, confirming that this is the policy being applied to User2.
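
The same check scripted, as an added example that is not part of the original article: it maps the GUIDs found in a user's msExchPoliciesIncluded values back to policy names, and handles objectGUID arriving as raw bytes (as it does when read over LDAP) rather than as the text LDP displays. The function names, the layout of the sample attribute values and the placeholder GUID are assumptions; the two policy GUIDs are the ones given above.

```python
import re
import uuid

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def guid_text(value):
    """Normalise an objectGUID (raw AD bytes or LDP-style text) to lowercase text."""
    if isinstance(value, (bytes, bytearray)):
        # Over LDAP, objectGUID is 16 raw bytes with the first three fields
        # little-endian; bytes_le yields the same string LDP displays.
        return str(uuid.UUID(bytes_le=bytes(value)))
    return str(uuid.UUID(value.strip("{} ")))

def applied_policies(policies, policies_included):
    """Return (matched policy names, GUIDs matching no known policy)."""
    by_guid = {guid_text(g): name for name, g in policies.items()}
    matched, unknown = [], []
    for value in policies_included:
        for guid in (g.lower() for g in GUID_RE.findall(value)):
            bucket, item = (matched, by_guid[guid]) if guid in by_guid else (unknown, guid)
            if item not in bucket:
                bucket.append(item)
    return matched, unknown

# Policy objectGUIDs as given in the article; the second is supplied as raw
# bytes to mimic what an LDAP query returns instead of LDP's text rendering.
POLICIES = {
    "Default Policy": "9c948cb6-784f-4521-b019-737064461c2a",
    "Mailbox Manager - Inbox> 100KB":
        uuid.UUID("307656c9-4a80-41c7-ab33-0ca5da6244e3").bytes_le,
}
# Constructed sample values (assumed layout; the trailing GUID is a placeholder).
PLACEHOLDER = "{00000000-0000-0000-0000-000000000001}"
USER2_BEFORE = ["{9C948CB6-784F-4521-B019-737064461C2A}," + PLACEHOLDER]
USER2_AFTER = ["{307656C9-4A80-41C7-AB33-0CA5DA6244E3}," + PLACEHOLDER]

if __name__ == "__main__":
    for label, values in (("before fix", USER2_BEFORE), ("after fix", USER2_AFTER)):
        matched, unknown = applied_policies(POLICIES, values)
        print(label, "->", matched, "| unrecognised:", unknown)
```

Any GUID in the attribute that does not belong to a known policy is returned in the second list, so a stale or unexpected policy reference is visible instead of silently ignored.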

Of course, the question in this particular case is why the default policy was applied in the first place. The answer turned out to be simple: the filter rule for the Mailbox Manager - Inbox> 100KB policy was not built using the distinguished name of the Managers group, a point that is easily overlooked. In other words, to correctly apply a policy to a group, you must reference the group by its full distinguished name, not just by a short name such as 'Manager' as in this example. Therefore, in my example, the filter rule must state that the user's Member Of attribute matches exactly the following distinguished name:

CN=Managers,OU=Exchange Users,DC=ngh,DC=net

Figure 9 shows the filter rule window when the distinguished name is used.

Figure 9: Correct Mailbox Manager filter

After the change, the policies can be applied again and LDP used to re-check the msExchPoliciesIncluded attribute for User2. The result is shown in Figure 10. You can see that the highlighted line contains the objectGUID of the correct Mailbox Manager policy.

Figure 10: Correct msExchPoliciesIncluded attribute.

Summary

Debugging policy application can be accomplished by checking the applicable filter rules. It is also useful to verify which policy Exchange is actually using by examining the relevant attributes through LDP, as introduced in this article.
