Exchange administrative tools and Active Directory: Not as close as they once were

In the beginning, Exchange had ADMIN.EXE and its own directory service and couldn't have cared less about Active Directory. Then Exchange 2000 became best buddies with AD, followed by a gradual separation of responsibilities as the world became more complex. Now we have split permissions models, and it's not as straightforward to manage AD accounts and Exchange objects from the same place. Unless software can solve the problem...

When Exchange became the first front-line server application to embrace Active Directory with the release of Exchange 2000, Microsoft provided the functionality to allow administrators to work with the Exchange-specific attributes for mail-enabled objects through the then brand-new AD Users and Computers console. When the Exchange management tools are installed on a server, three tabs are added to AD Users and Computers to display attributes grouped under Exchange General, Exchange Advanced, and Exchange Features. The integration eased the movement from the older Exchange 5.5 administration model and hid some of the perceived complexity of dealing with Active Directory.

Up to and including Exchange 2003, you were able to create, modify, or delete Exchange mailboxes, distribution groups, and contacts from AD Users and Computers because installing the Exchange management tools adds components such as maildsmx.dll to the system, which enable the display specifiers that expose the Exchange attributes and tasks in the console. It was also possible to make the Exchange tabs available to AD Users and Computers without installing the full set of the Exchange management tools.

Microsoft removed the ability to manage Exchange recipients in AD Users and Computers in Exchange 2007, largely because of the advent of PowerShell and the decision to consolidate Exchange business logic in the set of PowerShell cmdlets that are called by the Exchange management tools. AD Users and Computers doesn’t use PowerShell, so it made sense to remove its ability to create or delete recipients, even if this decision infuriated many administrators at the time because they now needed to use two tools to work with mail-enabled objects.

The demand to support a clear separation between Active Directory management and Exchange management is another reason why Exchange disappeared from AD Users and Computers. Small deployments probably have one or two people who do everything and the notion of separating responsibilities for managing Active Directory and Exchange doesn’t have much value. Things are more complex in large enterprises and that’s why Microsoft supports a split permissions model in Exchange 2010 and Exchange 2013 that is, in turn, based on Role Based Access Control (RBAC). A split permissions model is relatively uncommon but is extraordinarily useful to those who need to use it.

Apart from the last lingering vestige in the form of the much-reduced Exchange Toolbox, Exchange 2013 does not use MMC. Instead, the browser-based Exchange Administration Center (EAC) takes center stage for both on-premises and Exchange Online deployments.

Given the influence of cloud services over much of software engineering today, a transition to browser-based tools was inevitable. I didn’t like EAC very much when I first started to use it but now consider it to be as good as EMC in most respects and better in some. Sure, EAC still misses out some of my favorite EMC features like the PowerShell learning tools, but you don’t need to install any software to use EAC as it runs on just about any browser-capable device that can support a modern version of IE, Chrome, Firefox, or Safari. EAC is also quicker at dealing with large numbers of mailboxes and other objects than EMC ever was and includes new useful functionality like Administrator Alerts.

If you’re looking to upgrade from Exchange 2003, you might have to change your account management processes to reflect the new modus operandi. You might even be interested in software that automates the account creation process. If so, you could do far worse than considering the free Z-Hire Active Directory, Exchange, Lync User Creation Tool, which supports Exchange 2007, Exchange 2010, and Exchange 2013. Fellow MVP Paul Cunningham considers this to be “a nice, simple tool to use.” Sounds like a good deal!

Follow Tony @12Knocksinna

on Jun 10, 2015

All these mentioned ADUC features that came with Windows 2000 and Exchange 2003 are available for current versions.
The tool doing the job is our ADO++ or the web version, ADOplusWeb. It offers an ADUC-like view of your Active Directory and gives you the ability to add AD users, give them an Exchange mailbox, and enable them in Lync in one step. Compared to Z-Hire, it has a more user-friendly interface. Additional features are: manage Exchange delegations, out-of-office management, restore deleted users, RBAC GUI for Exchange and Lync, and log user changes in a SQL database.
Test versions at

What's Tony Redmond's Exchange Unwashed Blog?

On-premises and cloud-based Microsoft Exchange Server and all the associated technology that runs alongside Microsoft's enterprise messaging server.


Tony Redmond

Tony Redmond is a senior contributing editor for Windows IT Pro. His latest books are Office 365 for Exchange Professionals (eBook, May 2015) and Microsoft Exchange Server 2013 Inside Out: Mailbox...