Pro-Exchange,Lync & Office 365
Belgian Microsoft Unified Communications Professionals
Microsoft Exchange Server, Microsoft Lync Server & Office 365
Applying “housekeeping” retention policies to the end users

In my previous blog post I wrote about a basic retention policy for doing some basic housekeeping using Exchange 2010 retention policies. The last sentence of that post reads:

All there’s is left to do is applying the policy to the remainder of the user base, but don’t forget to skip the CEO’s mailbox ;-)

Right now you’re probably thinking “Get-Mailbox | Set-Mailbox” does the trick. Obviously it does the trick; but I’ve got a couple more requirements.

  • The retention policy needs to be set on about 2500 mailboxes. If you’re like me, you’d rather spend half a day writing a script than use that time to make the changes in the GUI. (+ I wouldn’t have something to blog about.)
  • I’ve got that CEO mailbox to exclude. I could of course easily exclude a single mailbox. Let’s make it a bit more future proof and ensure the script can deal with multiple exclusions.
  • It’s also a good idea to filter out mailboxes which already have a retention policy set. The policy will need to be applied to future mailboxes as well. Obviously I can request the service desk to update their user/mailbox creation procedures. However, as an Exchange admin I prefer to keep control. In other words, we need something that we can run over and over again.

Let’s go over the different sections of the script:

    First of all we start with defining the list of excluded mailboxes. I chose to use a lengthy way of doing so. This way I could add sufficient comments to ensure it’s really clear which VIPs we’re dealing with (as there is no logical connection between the alias and the user).

    # Defining the mbx to be excluded from the retention policy
    # You can add to the list as needed
    # However make sure you use the alias, not SamAccountName!
    $Exceptions = @() # Define array
    $Exceptions += "ABC123" # Casper
    $Exceptions += "DEF456" # Melchior
    $Exceptions += "GHI789" # Balthazar

    After some more variable definitions, we convert the exclusion list from an array of strings to an array of mailbox objects (needed later on in the script). Afterwards we print a list on screen showing the excluded mailboxes.

    # Set more variables
    $RetPol = "Remove old deleted items and calendar entries"
    $TableCols = "Alias","DisplayName","RetentionPolicy"

    # Display Exclusions
    Clear-Host
    Write-Host "Retention Policies will NOT be changed for:" -ForegroundColor Red
    $Exceptions = $Exceptions | Get-Mailbox # Convert array of strings to array of mbx objects
    $Exceptions | ft $TableCols

    The next section queries for mailboxes for which no Retention Policy has been set yet.

    # Exclude mbx which already have the retention policy set
    Write-Host "`nBuilding the list of mailboxes without a Retention Policy set" -ForegroundColor Green
    $MBX = @() # Define array
    $MBX += $(Get-Mailbox -ResultSize Unlimited | where {!$_.RetentionPolicy}) # Exclude mailboxes which have already a retention policy set
    $MBX | ft $TableCols
    Write-Host "`nPlease check if these counts seem realistic to you." -ForegroundColor Green
    Write-Host "# of mbx on the exclusion list:" $Exceptions.Count
    Write-Host "# of mbx without retention policy:" $MBX.Count

    We compare the array of mailboxes without a retention policy with the exception list. We converted the exception list earlier on to be able to compare objects of the same type. The delta is the list of mailboxes we need to update. The PassThru parameter is needed to ensure our command returns mailbox objects, because the Compare-Object command returns “difference objects” by default. The filter on the SideIndicator property, on the other hand, excludes results that are in $Exceptions but not in $MBX, which can happen if you do some creative testing.

    # Exclude mbx on the exclusion list
    $MBX2Set = @() # Define array
    $MBX2Set += $(Compare-Object $MBX $Exceptions -PassThru | ? { $_.SideIndicator -eq "<="})
    $MBX2Set | ft $TableCols

    Last but not least we need to actually set the Retention Policies for the remaining mailboxes.

    #Setting RetentionPolicy
    Write-Host "`nSetting retention policy" -ForegroundColor Green
    if ($MBX2Set) {
        Write-Host "# of mbx to set retention policy for:" $MBX2Set.Count
        $MBX2Set | Set-Mailbox -RetentionPolicy $RetPol
    } else {
        Write-Host "No mailboxes to set!" -ForegroundColor Yellow
    }

    Screenshots of scripts don’t always offer a lot of added value, especially if they read “nothing to change” but at least one can admire the colors ;-)

    Image 20110826135117


    Posted 08-26-2011 2:40 by Koen Vermoesen

    Comments

    Exchange 2010 wrote Using the Scripting Agent to automate some basic “housekeeping” tasks
    on 08-31-2011 12:31

    Introduction Recently, Koen published an article about applying “housekeeping” retention policies to

    Events wrote TEC Europe 2011– Day 2
    on 10-18-2011 10:39

    Panel Discussion The day started with a panel discussion which we found very interesting. Unfortunately

    Jeff wrote re: Applying “housekeeping” retention policies to the end users
    on 11-14-2011 8:37

    Would it be possible to exclude based on AD group membership, rather than entering each alias in the script, or excluding from a specific DB?  We have multiple users that need to be excluded from the default policy, and are scattered all over the environment, but this could work if we could use a security group to do the exclude?

    Thanks,

    Jeff A. Waska

    Koen Vermoesen wrote re: Applying “housekeeping” retention policies to the end users
    on 02-01-2012 10:30

    Hi Jeff,

    I imagine you could use either the "new" Microsoft Active Directory cmdlets or the ones provided by Quest Activeroles.

    Regards,

    Koen
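
Jeff's question above, worked as an added example (not Koen's script): the exclusion list is read from an AD security group with the Microsoft Active Directory cmdlets instead of a hard-coded alias array, and excluded mailboxes are matched on mailbox GUID. The group name `RetentionPolicy-Exclusions` and the `-Apply` switch are assumptions of this example; it is meant to run in the Exchange Management Shell with the ActiveDirectory module installed.

```powershell
# Added example: exclusion list driven by an AD security group.
# Assumptions: the group name is hypothetical; the -Apply switch is
# introduced here and is not part of the original script.
param(
    [string]$ExclusionGroup = "RetentionPolicy-Exclusions",   # hypothetical group name
    [string]$RetPol = "Remove old deleted items and calendar entries",
    [switch]$Apply                                             # without -Apply nothing is changed
)

Import-Module ActiveDirectory

# Fail early if the group or the policy does not exist, so that a typo
# cannot silently produce an empty exclusion list.
$null = Get-ADGroup -Identity $ExclusionGroup -ErrorAction Stop
$null = Get-RetentionPolicy -Identity $RetPol -ErrorAction Stop

# Resolve nested groups too, and keep only user objects
$Members = @(Get-ADGroupMember -Identity $ExclusionGroup -Recursive |
    Where-Object { $_.objectClass -eq "user" })

# Index the excluded mailboxes by their mailbox GUID
$Excluded = @{}
foreach ($Member in $Members) {
    # Group members without a mailbox are skipped
    $Mbx = Get-Mailbox -Identity $Member.DistinguishedName -ErrorAction SilentlyContinue
    if ($Mbx) { $Excluded[$Mbx.Guid.ToString()] = $Mbx.Alias }
}
Write-Host "# of mbx on the exclusion list:" $Excluded.Count

# Mailboxes without a retention policy that are not on the exclusion list
$MBX2Set = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { !$_.RetentionPolicy -and !$Excluded.ContainsKey($_.Guid.ToString()) })
Write-Host "# of mbx to set retention policy for:" $MBX2Set.Count

if ($MBX2Set.Count -eq 0) {
    Write-Host "No mailboxes to set!" -ForegroundColor Yellow
} elseif ($Apply) {
    $MBX2Set | Set-Mailbox -RetentionPolicy $RetPol
} else {
    # Dry run: only show what would be changed
    $MBX2Set | Set-Mailbox -RetentionPolicy $RetPol -WhatIf
}
```

Because membership of the group now decides who keeps their mail, changes to that group deserve the same control as changes to the script itself.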
