Recipient Policies and AD Applications

Posted on 2011-04-28
Medium Priority
Last Modified: 2012-08-14
I have a question about recipient policies and applications that use Active Directory for authentication. We are about to change the default recipient policy in Exchange 2000 and add a new recipient policy for a new set of users.
My question is, how will modifying the default recipient policy affect Active Directory if all we do is add a new SMTP address to it? Will it affect user logons? Will it affect other applications that use AD?

As I understand it, changing the default policy affects AD globally, so in case it does not do what we want it to (although we've tested in a lab several times over), how can we roll back the changes if we need to?
What should we consider before touching the recipient policies?

Thank you
Question by:mechanicus01

Expert Comment

by:Jon Brelie
ID: 35487136
You can apply new addresses using recipient policies, but you cannot remove them. Keep this in mind.

Your best bet is to create a NEW policy and restrict it to users in a specific OU or Group. Then TEST TEST TEST, before deploying live.

Recipient policies have no impact on AD authentication.


Expert Comment

ID: 35487143
Changing the SMTP addresses of a user account will not affect user logon names or any permissions set against the user objects or its group membership.
What other applications that use AD do you have? You would only need to be wary of an application looking for a certain SMTP address format which may no longer be there for new accounts.


Author Comment

ID: 35510254
Thank you both for your comments.

Enphyniti: why can't newly added addresses be removed?

stuartgcameron: We have a few applications that we developed in-house but none write to AD, they are read-only apps.

What can you guys tell me about rolling back the recipient policy modifications in case we have a problem when deploying? We plan to add a new SMTP address and delete the primary SMTP address from the default policy, then create a new recipient policy with the "authoritative" SMTP address we deleted from the default policy. This is so we can share the SMTP namespace. Question is, how can we roll back the changes? Can we just re-create the deleted addresses and undo the added ones?

Thank you

Accepted Solution

Jon Brelie earned 2000 total points
ID: 35512885
They can, but not via policy. Removing them from the policy will only prevent the addresses from propagating to new users. It will not remove the existing addresses from users. Email Address Policies address this issue in 2010.

I.e., removing a policy will leave all the addresses it created, so you cannot 'remove the primary address' using recipient policies. You can change it to be a new primary, but you cannot remove it.

It doesn't sound like you are trying to remove addresses from your existing users though... just change default behavior going forward, so you should be fine. Also, you're not going to break anything if you make a mistake except auto-address generation, which should be easy to resolve.
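
Since a policy change cannot be undone by the policy itself, a rollback needs a record of what each user had before. The following is an added example, not part of the original thread: it compares two LDIF exports of `proxyAddresses` taken before and after the change and lists, per user, what was added and whether the primary (uppercase `SMTP:`) address moved. The export command in the comment, the function names and the sample entries are assumptions constructed for illustration.

```python
import base64

# Assumed snapshot command, run before and after the policy change:
#   ldifde -f before.ldf -d "DC=example,DC=com" -r "(proxyAddresses=*)" -l proxyAddresses

def parse_ldif(text):
    """Return {dn: set(proxyAddresses)}; handles folded lines and base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
            entries.setdefault(dn, set())
        elif attr.lower() == "proxyaddresses" and dn:
            entries[dn].add(value)
    return entries

def primary_smtp(addresses):
    """The primary address is the one whose prefix is uppercase 'SMTP:'."""
    return next((a[5:] for a in addresses if a.startswith("SMTP:")), None)

def diff_snapshots(before, after):
    """Per-DN rollback worklist: added/removed addresses and primary changes."""
    report = {}
    for dn in sorted(set(before) | set(after)):
        old, new = before.get(dn, set()), after.get(dn, set())
        # Lowercase so a primary demoted to secondary is not seen as add+remove.
        old_ci, new_ci = {a.lower() for a in old}, {a.lower() for a in new}
        change = {"added": sorted(new_ci - old_ci),
                  "removed": sorted(old_ci - new_ci),
                  "primary": (primary_smtp(old), primary_smtp(new))}
        if change["added"] or change["removed"] or change["primary"][0] != change["primary"][1]:
            report[dn] = change
    return report

# Constructed sample exports: Alice gets a new primary, Bob is untouched.
BEFORE = ("dn: CN=Alice,OU=Staff,DC=example,DC=com\nproxyAddresses: SMTP:alice@example.com\n\n"
          "dn: CN=Bob,OU=Staff,DC=example,DC=com\nproxyAddresses: SMTP:bob@example.com\n")
AFTER = ("dn: CN=Alice,OU=Staff,DC=example,DC=com\nproxyAddresses: SMTP:alice@new.example\n"
         "proxyAddresses: smtp:alice@example.com\n\n"
         "dn: CN=Bob,OU=Staff,DC=example,DC=com\nproxyAddresses: SMTP:bob@example.com\n")

if __name__ == "__main__":
    for dn, change in diff_snapshots(parse_ldif(BEFORE), parse_ldif(AFTER)).items():
        print(dn, change)
```

The "added" list per user is what would have to be removed by hand or script to undo the change, and the "primary" pair shows which address to promote back.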

Author Closing Comment

ID: 35735139
Thank you!
