Creating mail-enabled security groups

I recently had a customer that needed to create OUs and groups automatically. Some of these security groups needed to be mail-enabled. I was familiar with distribution groups, which were not an option in this case, so I had to discover a way to enable a security group through scripting.

I used UMRA to create the group and assign the mailbox. UMRA (User Management Resource Administrator) is an advanced scripting environment used for automating user provisioning in Active Directory, SAP, Lotus Notes, and other systems. It has the ability to execute scripts through the command line, utilize databases, and execute PowerShell actions.

In UMRA I used 2 simple actions to create the group and mail enable it. A 3rd action was used as a label to handle errors on group creations. UMRA is designed to handle errors for any script action, which makes it a solid platform for development.

First, I created the group with a Create Group (AD) action. I defined the Domain (blacked out for protection), the destination OU, the domain controller name (DC), the Common Name and login name (SAM-Account-Name), and chose “Yes” for both Global and Security group settings. When the group is created, UMRA will output the group’s ODN and an Active Directory Object to reference the new group.

Next, I used a Manage Exchange recipient mail addresses (2000/2003) action to mail-enable the group. This will not create a mailbox, but will allow all users assigned to the group to receive emails. I specified the %ActiveDirectoryObject% variable in the AD Object property and assigned the Alias and E-Mail addresses fields.

The E-mail addresses field can contain multiple values, but I only wanted to add one value. The values are defined by “SMTP:[email protected]” for the primary address and “smtp:[email protected]” for secondary or alias addresses. You can also specify X400 addresses among others.

I included a form on the UMRA script for testing, but you could use this as an Automation project or Mass project if you have a database or CSV file, respectively. I’ve also hard-coded the values into the actions for testing purposes, but you could use variables instead.
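When the E-mail addresses values come from a database or CSV file rather than hard-coded test values, it helps to check them against the prefix convention described above before the action runs. The following PowerShell is an added example, not part of the original post or of UMRA: `Test-ProxyAddressList` is a hypothetical helper, the example.com addresses are constructed, and the rule that a list carries exactly one upper-case `SMTP:` entry is an assumption of this check.

```powershell
# Added example: pre-check values destined for the "E-mail addresses" field.
# Test-ProxyAddressList is a hypothetical helper, not an UMRA or Exchange cmdlet.
function Test-ProxyAddressList {
    param([Parameter(Mandatory)][string[]]$Address)

    $problems = New-Object 'System.Collections.Generic.List[string]'
    $seen     = @{}   # lower-cased "type:value" keys, used to catch duplicates
    $primary  = 0     # number of upper-case "SMTP:" (primary) entries

    foreach ($entry in $Address) {
        # Every value must be "<type>:<value>", e.g. SMTP, smtp or X400.
        if ($entry -match '^(?<type>[A-Za-z0-9]+):(?<value>.+)$') {
            $type  = $Matches['type']
            $value = $Matches['value']
        } else {
            $problems.Add("Missing address type prefix: '$entry'")
            continue
        }

        # The same address listed twice (in any letter case) is an input error.
        $key = ('{0}:{1}' -f $type, $value).ToLowerInvariant()
        if ($seen.ContainsKey($key)) { $problems.Add("Duplicate address: '$entry'") }
        $seen[$key] = $true

        if ($type -ieq 'smtp') {
            # The case of the prefix decides primary (SMTP) versus secondary (smtp).
            if ($type -ceq 'SMTP') {
                $primary++
            } elseif ($type -cne 'smtp') {
                $problems.Add("Mixed-case prefix is ambiguous: '$entry'")
            }
            # Loose shape check only: one '@', no whitespace, dotted domain.
            if ($value -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
                $problems.Add("Not a plausible SMTP address: '$entry'")
            }
        }
        # Other types such as X400 are passed through without further checks.
    }

    # Assumption of this check: exactly one primary SMTP address per group.
    if ($primary -ne 1) { $problems.Add("Expected one primary 'SMTP:' entry, found $primary") }

    [pscustomobject]@{ IsValid = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed sample input: one well-formed list, one with no primary and a bare address.
Test-ProxyAddressList -Address 'SMTP:sales@example.com', 'smtp:sales-team@example.com'
(Test-ProxyAddressList -Address 'smtp:sales@example.com', 'sales-team@example.com').Problems
```

Rows that come back with `IsValid` set to false can be skipped or logged before the group is created, so a bad CSV line does not leave a security group with an unintended or missing primary address.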

The result is a group in Active Directory Users and Computers with the following Exchange email addresses. The first image is slightly after creation, the second is after the Exchange server updates the addresses.