Saturday, July 1, 2017

Exchange Set Retention Policy Scheduled Task

My organization uses the same mailbox creation provisioning script for multiple Exchange environments through our ServiceNow application and we can't set the Retention Policy during mailbox creation because it would affect those other environments.

So I set up a scheduled task to grab all UserMailboxes without any policy applied, and set our custom policy.

Exchange on-premises doesn't have the option to run Set-RetentionPolicy -IsDefault $true like Office 365 does, so you either have to set the retention policy during mailbox provisioning or manually later on.

So, what we're gonna do is create a Task on our Exchange Management Tools server; you can set it directly on an Exchange server if you choose.

The task will run a PowerShell cmdlet that finds all UserMailboxes with no Retention Policy applied (newly created mailboxes) and it will then set our organization's Retention Policy.

Create a Service Account:

First, you'll want to create a Service Account in your domain, which will be used to run the scheduled task. It's best practice to use service accounts rather than your own account to run scheduled tasks, so if you ever leave your position and they deactivate your account, it won't break the task!

In your domain, create a new user called something like exchscriptaccount and set a super-strong password.

This account will need to be a member of the Recipient Management Role Group, otherwise it won't have permissions to make changes to mailboxes.

Next, add the newly created user to the Local Administrators group on your Exchange Management Tools server (or on the Exchange server, if you're running it from there). The scheduled task will need local admin rights to run the PowerShell command, and since you have a super strong password, it's not an issue.

Creating The Task:

Create the scheduled task on the Exchange Management Server (or one of your Exchange Servers):

Open the Task Scheduler Control Panel, click Action > Create Task...

On the General tab:

Give it a name like Set Retention Policy

Click "Change User or Group..." hit "Locations" and switch to your domain, then search for your exchscriptaccount service account.

Check the box for "Run with highest privileges"

On the Triggers Tab:

Click "New..."

Set it for how often you need it to run. I run mine Daily at 12AM - no specific reason, but you do want it to run Daily.

On the Actions Tab:

Set the "Action" dropdown to "Start a program"

Under Program/Script, copy/paste the following:


In the "Add arguments" field, copy/paste the following:

-NonInteractive -WindowStyle Hidden -command ". 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; Get-Mailbox -Filter {retentionpolicy -eq $null -and recipienttypedetails -eq 'usermailbox' } | Set-Mailbox -RetentionPolicy 'My Retention Policy'"

**Note** Change 'My Retention Policy' to the name of your policy. You can also change recipienttypedetails -eq 'usermailbox' to other types like LinkedMailbox if you have those.

In the Settings Tab:

Checkmark the following boxes:

- Allow task to be run on demand

- Stop the task if it runs longer than: 1 hour (if it runs longer than an hour, you got something wrong!)

- If the running task does not end when requested, force it to stop

Click OK when you have everything set.

Testing the Task:

In the main task window, right-click your new "Set Retention Policy" task, and click Run.

When it finishes running, you should have a (0x1) Last Run Result.

Check the properties on a newly created mailbox that you know didn't have the Retention Policy set, and it should now have your policy applied.
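If you would rather run a script file from the task than the one-line command in the "Add arguments" field, here is an added example (my own, not the original post's command) that does the same Get-Mailbox / Set-Mailbox work but logs every mailbox it touches, re-reads each mailbox to confirm the policy stuck, and exits non-zero on failure so the Last Run Result reflects it. The log path and the -WhatIf dry-run switch are assumptions; the policy name and the Exchange paths are the ones from the post.

```powershell
# Added example, not the original post's command. Values marked ASSUMED are placeholders.
param(
    [string]$PolicyName = 'My Retention Policy',                # from the post; change to yours
    [string]$LogPath    = 'C:\Scripts\SetRetentionPolicy.log',  # ASSUMED log location
    [switch]$WhatIf                                             # dry run: report only, change nothing
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null

function Write-Log ([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

try {
    # Same Exchange session setup the post uses in the task arguments.
    . 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'
    Connect-ExchangeServer -auto

    # Fail early on a mistyped policy name instead of erroring once per mailbox.
    $null = Get-RetentionPolicy -Identity $PolicyName

    # Same filter as the post: user mailboxes with no retention policy assigned yet.
    $targets = Get-Mailbox -ResultSize Unlimited `
        -Filter "RetentionPolicy -eq `$null -and RecipientTypeDetails -eq 'UserMailbox'"
    Write-Log ("Found {0} user mailbox(es) with no retention policy" -f @($targets).Count)

    foreach ($mbx in $targets) {
        if ($WhatIf) {
            Write-Log ("WHATIF: would set '{0}' on {1}" -f $PolicyName, $mbx.PrimarySmtpAddress)
            continue
        }
        Set-Mailbox -Identity $mbx.Identity -RetentionPolicy $PolicyName
        # Re-read the mailbox so the log records what Exchange actually stored.
        $after = (Get-Mailbox -Identity $mbx.Identity).RetentionPolicy
        Write-Log ("Set '{0}' on {1} (now: {2})" -f $PolicyName, $mbx.PrimarySmtpAddress, $after)
    }
    Write-Log 'Completed'
    exit 0
}
catch {
    # Non-zero exit code so the task's Last Run Result shows the failure.
    Write-Log ("FAILED: {0}" -f $_.Exception.Message)
    exit 1
}
```

To use it from the task, point the "Add arguments" field at the file instead of the inline command, e.g. `-NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Scripts\Set-RetentionPolicy.ps1` (the script path is assumed), and run it once with `-WhatIf` from an Exchange Management Shell to see what it would change before letting the schedule take over.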

Now, Exchange will do the boring job of applying the policy for you :)
