Creating Tenants for Exchange 2010 SP2 Multi Tenant


Exchange 2010 SP2 has been released! Sucks for some of us using /hosting, since there isn't really a good migration path other than doing a forest migration. Anyway, SP2 has been released, we get the EMC back, and we also get some more roles, such as the Unified Messaging role!

Most automation software [as of 1/2/2012] does not support SP2 yet. One that currently does is ExtendASP, and I believe MachSol will in a couple of weeks. Personally I have not used either.

Anyway, you can still separate your tenants manually without automation software, but it is more complex and requires more steps than Exchange /hosting did. You will have to create multiple address lists and also use custom attributes. You can read the documentation at Download: Exchange 2010 SP2 Multi-Tenant Scale Guidance …

Note: Lync is supposed to be coming out with a hosting pack, and it requires a specific Active Directory organizational unit structure to work. I do not have this information, so you may want to wait if you plan on deploying the Lync Hoster pack with Exchange 2010 SP2.

Here are some things you will need to create:

  • A tenant organizational unit
  • Accepted SMTP domain
  • Global Address List
  • Address List for “All Rooms”, “All Users”, “All Contacts” and “All Groups”
  • Offline Address Book
  • Address Book Policy

I am currently working on a PowerShell script to automate this process and will post it once I finish. Below are the commands to create what you need; just replace things such as the tenant name I used and the domain names. I used CustomAttribute1, but you can of course use any of the custom attributes [1-15].

Create an OU for the tenant. I placed mine under an OU called 'Tenants'.


  • I used 'Tenants' as the parent OU. Lync has certain requirements for the hoster pack that I haven't read yet.
  • Be sure to change the domain to your local domain name.
  • Each user must have the address book policy for that specific tenant assigned.
  • Each user must also have CustomAttribute1 set to the tenant name.
  • Each user must have the UPN suffix set for that specific tenant.

Import-Module ActiveDirectory
# Bind to the parent OU through ADSI; replace <domain controller> with a reachable DC
$connect = "LDAP://<domain controller>/OU=Tenants,DC=cloud,DC=local"
$ad = [ADSI]$connect
# Create the tenant OU and commit it; without SetInfo() nothing is written to the directory
$ou = $ad.Create("OrganizationalUnit", "ou=New Tenant 1")
$ou.SetInfo()

Now you must add the UPN suffix for the tenant's domain to the forest:

Set-ADForest -Identity cloud.local -UPNSuffixes @{Add=""}


Create Accepted Domain

New-AcceptedDomain -Name "New Tenant 1" -DomainName -DomainType:Authoritative

Create Global Address List

New-GlobalAddressList -Name "New Tenant 1 - GAL" -ConditionalCustomAttribute1 "New Tenant 1" -IncludedRecipients MailboxUsers -RecipientContainer "cloud.local/Tenants/New Tenant 1"

Create All Rooms Address List

New-AddressList -Name "New Tenant 1 - All Rooms" -RecipientFilter "(CustomAttribute1 -eq 'New Tenant 1') -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')" -RecipientContainer "cloud.local/Tenants/New Tenant 1"

Create All Users Address List

New-AddressList -Name "New Tenant 1 - All Users" -RecipientFilter "(CustomAttribute1 -eq 'New Tenant 1') -and (ObjectClass -eq 'User')" -RecipientContainer "cloud.local/Tenants/New Tenant 1"

Create All Contacts Address List

New-AddressList -Name "New Tenant 1 - All Contacts" -RecipientFilter "(CustomAttribute1 -eq 'New Tenant 1') -and (ObjectClass -eq 'Contact')" -RecipientContainer "cloud.local/Tenants/New Tenant 1"

Create All Groups Address List

New-AddressList -Name "New Tenant 1 - All Groups" -RecipientFilter "(CustomAttribute1 -eq 'New Tenant 1') -and (ObjectClass -eq 'Group')" -RecipientContainer "cloud.local/Tenants/New Tenant 1"

Create the Offline Address Book

New-OfflineAddressBook -Name "New Tenant 1" -AddressLists "New Tenant 1 - GAL"

Create the Email Address Policy

New-EmailAddressPolicy -Name "New Tenant 1 - EAP" -RecipientContainer "cloud.local/Tenants/New Tenant 1" -IncludedRecipients "AllRecipients" -ConditionalCustomAttribute1 "New Tenant 1" -EnabledEmailAddressTemplates "",""

Create the Address Book Policy

New-AddressBookPolicy -Name "New Tenant 1" -AddressLists "New Tenant 1 - All Users", "New Tenant 1 - All Contacts", "New Tenant 1 - All Groups" -GlobalAddressList "New Tenant 1 - GAL" -OfflineAddressBook "New Tenant 1" -RoomList "New Tenant 1 - All Rooms"

Create the First User

$c = Get-Credential
$u = New-Mailbox -Name 'Tenant 1 User 1' -Alias 'tenant1user2' -OrganizationalUnit 'cloud.local/Tenants/New Tenant 1' -UserPrincipalName '' -SamAccountName 'tenant1user2' -FirstName 'Test' -Initials '1' -LastName 'User 2' -Password $c.password -ResetPasswordOnNextLogon $false -AddressBookPolicy 'New Tenant 1'

Set-Mailbox $u -CustomAttribute1 "New Tenant 1"

Be sure to run Update-OfflineAddressBook after creating everything. Also, when creating mailbox users you must put the tenant's name in the mailbox's CustomAttribute1.
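The commands above are the provisioning side. The audit below is an added example, not part of the original post or its scripts: it checks an existing tenant against the same requirements (recipient container and CustomAttribute1 filter on every list, an address book policy that references only the tenant's own objects, and attribute, ABP, OAB and UPN suffix on every mailbox) and also flags a Client Access server sitting on a global catalog, where NSPI is answered by AD and the ABP is bypassed. It assumes the object names used above; 'tenant1.example' in the call is a placeholder.

```powershell
# Added example (not from the original post or its scripts): audit one tenant's isolation settings.
# Run from the Exchange Management Shell; the global-catalog check also needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-TenantIsolation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$TenantName,   # e.g. 'New Tenant 1'
        [Parameter(Mandatory = $true)][string]$DomainName,   # the tenant's UPN/SMTP suffix
        [string]$ParentOU = 'cloud.local/Tenants'            # canonical path of the parent OU used above
    )

    $tenantOU = "$ParentOU/$TenantName"
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Address lists: without a RecipientContainer and a CustomAttribute1 filter they are visible to every tenant.
    $listNames = @("$TenantName - GAL", "$TenantName - All Users", "$TenantName - All Contacts",
                   "$TenantName - All Groups", "$TenantName - All Rooms")
    foreach ($name in $listNames) {
        if ($name -like '* - GAL') { $list = Get-GlobalAddressList -Identity $name -ErrorAction SilentlyContinue }
        else                       { $list = Get-AddressList       -Identity $name -ErrorAction SilentlyContinue }
        if (-not $list) { $findings.Add("Missing address list: $name"); continue }
        if ("$($list.RecipientContainer)" -ne $tenantOU) {
            $findings.Add("$name : RecipientContainer is '$($list.RecipientContainer)', expected '$tenantOU'")
        }
        if ("$($list.RecipientFilter)" -notmatch "CustomAttribute1 -eq '$([regex]::Escape($TenantName))'") {
            $findings.Add("$name : RecipientFilter does not pin CustomAttribute1 to '$TenantName'")
        }
    }

    # 2. Address book policy: every object it references must belong to this tenant.
    $abp = Get-AddressBookPolicy -Identity $TenantName -ErrorAction SilentlyContinue
    if (-not $abp) { $findings.Add("Missing address book policy: $TenantName") }
    else {
        foreach ($ref in (@($abp.GlobalAddressList, $abp.OfflineAddressBook, $abp.RoomList) + @($abp.AddressLists))) {
            if ($ref -and $ref.Name -notlike "$TenantName*") { $findings.Add("ABP references a foreign object: $($ref.Name)") }
        }
    }

    # 3. Mailboxes in the tenant OU: attribute, ABP, OAB and UPN suffix must all match the tenant.
    $mailboxes = @(Get-Mailbox -OrganizationalUnit $tenantOU -ResultSize Unlimited -ErrorAction SilentlyContinue)
    foreach ($mbx in $mailboxes) {
        $who = $mbx.Alias
        if ($mbx.CustomAttribute1 -ne $TenantName) { $findings.Add("$who : CustomAttribute1 is '$($mbx.CustomAttribute1)'") }
        if (-not $mbx.AddressBookPolicy -or $mbx.AddressBookPolicy.Name -ne $TenantName) {
            $findings.Add("$who : AddressBookPolicy is '$($mbx.AddressBookPolicy)'")
        }
        if (-not $mbx.OfflineAddressBook -or $mbx.OfflineAddressBook.Name -ne $TenantName) {
            $findings.Add("$who : OfflineAddressBook is '$($mbx.OfflineAddressBook)'")
        }
        if ($mbx.UserPrincipalName -notlike "*@$DomainName") {
            $findings.Add("$who : UPN '$($mbx.UserPrincipalName)' is not under $DomainName")
        }
    }

    # 4. Mailboxes tagged for this tenant but located elsewhere: the RecipientContainer scope keeps them
    #    out of the tenant's lists, so they were mis-provisioned (or someone reused the tenant's tag).
    Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$TenantName'" |
        Where-Object { "$($_.OrganizationalUnit)" -ne $tenantOU } |
        ForEach-Object { $findings.Add("$($_.Alias) : tagged '$TenantName' but located in $($_.OrganizationalUnit)") }

    # 5. A Client Access server on a global catalog serves NSPI straight from AD and ignores ABPs
    #    (Outlook shows everyone while OWA is fine), so flag it.
    $gcs = @((Get-ADForest).GlobalCatalogs)
    foreach ($srv in (Get-ExchangeServer | Where-Object { "$($_.ServerRole)" -match 'ClientAccess' })) {
        if ($gcs -contains $srv.Fqdn) { $findings.Add("$($srv.Name) : Client Access role is on a global catalog; Outlook will not honour ABPs") }
    }

    if ($findings.Count -eq 0) { "PASS: '$TenantName' is consistently isolated ($($mailboxes.Count) mailboxes checked)" }
    else { $findings | ForEach-Object { "FAIL: $_" } }
}

# Example call; the domain is a placeholder for the tenant's own suffix.
Test-TenantIsolation -TenantName 'New Tenant 1' -DomainName 'tenant1.example'
```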

Keep in mind there can be other settings that need to be set to make sure your users do not have access to other tenants. This is where automation software comes in, creating group policies that make sure some users (like RDP users) cannot access or see the other tenants, not to mention that it would just make your life easier.



*UPDATED* 3/17/2012

Below are the changes:

  • Fixed error that was caused by entering the display name as 'Lastname, First'. It will now set the Name to 'Firstname Lastname' and set the DisplayName to what you specify, even if it is with a comma.


*UPDATED* 3/16/2012

Below are the changes:

  • New powershell script to secure the root OAB container (Secure-DefaultOAB)
  • Modified the New-Tenant script to use 'Username_Domain.ext' for the samAccountName. So if I created a domain called and a user called Jacob Dixon, it will set the samAccountName to jdixon_itswapshopcom (20 characters max; if it is longer it will be trimmed automatically).
  • Modified the New-Tenant script to no longer include an email address policy. Instead, when creating a tenant, the administrator mailbox's primary SMTP address is set to
  • Modified the New-User script with the same samAccountName changes, and it also no longer uses an email address policy. Instead it sets the primary SMTP address to <first initial><last name>@<domain>.<ext>. Example:
  • Modified New-Tenant to grant the ALL USERS group for that tenant to be able to download the OAB for that specific tenant.
  • Modified New-Tenant to specify the OAB when creating the user
  • Modified New-User to specify the OAB when creating the user


  1. If you used the previous script, it did not secure the OAB, so you must do this manually. Remove the 'MS-EXCH-DOWNLOAD-OAB' extended right from the Authenticated Users group on the root container and on all OABs. Then grant the specific All Users group for that tenant the extended right 'MS-EXCH-DOWNLOAD-OAB' on that tenant's OAB.
  2. The newest ZIP file is at the bottom of this article. It is labeled with today's date (3/16/2012). If you have any problems feel free to email me @ or post a comment here. Thanks!
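One way to carry out step 1, added here as an example and not one of the scripts from the post: it removes the explicit 'ms-Exch-Download-OAB' grant for Authenticated Users from the Offline Address Lists container and from every OAB, grants the right on the tenant's OAB to the tenant's All Users group only, and then lists who can still download that OAB. Assumptions: Exchange 2010 SP2's Add-ADPermission, Remove-ADPermission and Get-ADPermission accepting a distinguished name as -Identity, the OAB named after the tenant as above, and the group name passed in ('CLOUD\New Tenant 1 - All Users' is a placeholder).

```powershell
# Added example (not from the original post or its scripts): per-tenant OAB download rights.
# Run from the Exchange Management Shell as an Exchange organization administrator.
function Set-TenantOabPermission {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$TenantName,     # e.g. 'New Tenant 1' (OAB has the same name)
        [Parameter(Mandatory = $true)][string]$AllUsersGroup   # DOMAIN\Group of the tenant's All Users group
    )
    $right     = 'ms-Exch-Download-OAB'
    $authUsers = 'NT AUTHORITY\Authenticated Users'
    # Root container that all OABs inherit their ACL from.
    $rootDN    = "CN=Offline Address Lists,CN=Address Lists Container,$((Get-OrganizationConfig).DistinguishedName)"

    # True when $User holds the download right on $Identity through an explicit (non-inherited) allow ACE.
    function Test-DownloadAce([string]$Identity, [string]$User) {
        $aces = @(Get-ADPermission -Identity $Identity -User $User -ErrorAction SilentlyContinue |
            Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                           (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains $right) })
        return ($aces.Count -gt 0)
    }

    # 1. Remove the default grant from the root container and from every OAB. Only explicit ACEs
    #    can be removed; the ones the OABs inherit disappear together with the container's.
    $targets = @($rootDN) + @(Get-OfflineAddressBook | ForEach-Object { $_.DistinguishedName })
    foreach ($dn in $targets) {
        if ((Test-DownloadAce $dn $authUsers) -and $PSCmdlet.ShouldProcess($dn, "remove $right from $authUsers")) {
            Remove-ADPermission -Identity $dn -User $authUsers -ExtendedRights $right -Confirm:$false | Out-Null
        }
    }

    # 2. Grant the right on this tenant's OAB to this tenant's group only (skipped if already present).
    $oab = Get-OfflineAddressBook -Identity $TenantName
    if (-not (Test-DownloadAce $oab.DistinguishedName $AllUsersGroup) -and
        $PSCmdlet.ShouldProcess($oab.Name, "grant $right to $AllUsersGroup")) {
        Add-ADPermission -Identity $oab.DistinguishedName -User $AllUsersGroup -ExtendedRights $right | Out-Null
    }

    # 3. Report who can still download this OAB, inherited ACEs included. Expect the tenant's
    #    group and no Authenticated Users; anything else is a leak to investigate.
    Get-ADPermission -Identity $oab.DistinguishedName |
        Where-Object { -not $_.Deny -and (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains $right) } |
        Select-Object @{ n = 'OAB'; e = { $oab.Name } }, User, IsInherited
}

# Example call (group name is a placeholder); add -WhatIf to preview the ACL changes first.
Set-TenantOabPermission -TenantName 'New Tenant 1' -AllUsersGroup 'CLOUD\New Tenant 1 - All Users'
```

Run Update-OfflineAddressBook afterwards as the article says, and re-run the function whenever a new tenant OAB is created, since new OABs inherit from the container only.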



*UPDATED* 3/3/2012

I have replaced the original New-Tenant PowerShell script and added one for removing tenants and one for adding new users.

Some of the changes I have made: the parent OU in the script is now "Hosting". In each script I wrote examples of how to use it. It also now creates two security groups under each tenant, "Organization Management" and "All Users". When you use the script to create a new user, it automatically adds the user to the All Users group and grants the Organization Management security group full access to that user. From there you can write your own web interface so the Administrator user can make changes to people in the "All Users" group. You WILL NOT be able to use OWA/ECP to make these changes. Exchange 2010 SP2 is not set up this way, which is why you need a control panel.

If you have any problems please let us know! You will find the new scripts in a ZIP file at the bottom of the article.

*UPDATED* 2/29/2012

I left out some important steps when I posted this article. I have updated the article, and the other tenants' address lists are now no longer shown to users in Outlook.

I have also uploaded a PowerShell script I created. Keep in mind it doesn't do any error checking. It will create all the address lists, the GAL, the address book policies, and the administrator mailbox for you.

Be sure to run it from the Exchange Shell and enter these commands before you run it:
Import-Module ActiveDirectory
Set-ExecutionPolicy RemoteSigned

Yes, the release of Exchange 2010 SP2 closed the chapter of /hosting mode, and all those providers using /hosting mode must migrate to on-premise mode if they want to stay in the competition. Also, it is the best time to upgrade to Exchange 2010 SP2 because it comes with a new and enhanced feature set. However, for a smooth migration path one should consult with ISVs like MachSol, which comes with a ready-to-go migration toolkit and provides comprehensive support. Furthermore, with respect to Exchange 2010 SP2 I would like to mention:

1. I did not find any information regarding ExtendASP support for Exchange 2010 SP2 including their official website.
2. MachSol announced MachPanel's support for Exchange 2010 SP2 last year in December and here you can read more about it at and

Hope it helps.


I have been in contact with ExtendASP and they do support Exchange SP2.
Machsol does support Exchange 2010 SP2 with MachPanel v.4.2 BUILD 31 which came out on Dec 27th.

I mentioned in the article that you should still go with an automation vendor as well.

Thanks for the comment!

Great write up! I'm working on this too now, thanks to microsoft.. I miss the /hosting switch already. Anyways, if you wanna send me your provisioning script I'll help you test it ;)

Every time I use any of these commands in a powershell instance, I just get errors.


Hey Mike!

Sorry these are not working for you :-(

First you want to make sure you are using the Exchange Shell instead of the powershell. If you are using powershell then you would first have to load the exchange shell snap-in.

Also for creating things in active directory you will require this to do it with powershell: 


Let me know if that helps!

Still no luck:

[PS] C:\Windows\system32>$ou = [ADSI]"LDAP://ou="Microsoft Exchange Tenants,dc=excelwebhost"
Unexpected token 'Microsoft' in expression or statement.
At line:1 char:34
+ $ou = [ADSI]"LDAP://ou="Microsoft <<<< Exchange Tenants,dc=excelwebhost"
+ CategoryInfo : ParserError: (Microsoft:String) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken

[PS] C:\Windows\system32>

Ahhh!! Sorry I found a problem in my post. I had an extra quote in there. It should be like this:

$ou = [ADSI]"LDAP://ou=Microsoft Exchange Tenants,dc=cloud,dc=local"

I had a quote to the left of Microsoft. Thanks for catching that! You may also need to load the snapin by running: Add-PSSnapin Quest.ActiveRoles.ADManagement

running import-module activedirectory works for me, although I edited the code a bit but am using the same functions.

I must be stupid or something.

I've loaded the import module but I am still getting errors.

It's still telling me that I have invalid characters in the script.

Here's my OU code using the basic activedirectory module.

#### OU Creation
#Need AD Module
import-module activedirectory
#Connect to AD01 LDAP via adsi
$Connect = "LDAP://<AD SERVER>/OU=Hosted Organizations,DC=contoso,DC=com"
$AD = [adsi] $Connect
#User create method... ($TenantOU holds the "OU=<name>" value and is set elsewhere in the script)
$OU = $AD.Create("OrganizationalUnit", $TenantOU)
#Commit the new OU to the directory
$OU.SetInfo()
#Add UPN suffix so that it can be added to users later
Set-ADForest -Identity -UPNSuffixes @{Add=$TenantBaseDomain}

I'm still trying to figure out how to:
- Grant access to ECP to some users.. Figure out which features don't work, disable those, or fix them, or whatnot.
- Remove or disable the emailaddresspolicy that is attaching the install/base organization email address from the default emailaddresspolicy. I've added creating email address policies to my tenant provisioning code so that they all get whatever domains attached that they need to their mailbox.
- Figure out how this should all mesh properly with the Lync hoster pack.. @_@

Thanks! I updated the page since I apparently left out a bunch of stuff. I used your method instead of the Quest AD powershell scripts

Hi, I am about to setup a multi tenant server and wondering how you got on making the script?

Hey. Thank you for the guidance .. But how about the Default Address List?


I never could get any of these scripts to work and ultimately abandoned my project.

It actually works fine. One thing is missing here, you need to apply the address list policy to the mailbox before it works. :-)


Thank you for your clear tutorial.
I followed everything; I have the correct result in OWA but not in Outlook 2010/2007 or 2003!
Can't find why?!!!

Agree with above, I followed the steps and even added the address list policy from mailbox settings. Works great in OWA, not Outlook though, they still see everyone.

I have updated the commands since I left out the recipient container. Doing this will hide the other address lists from other users. I also put in commands for the email address policy and creating a mailbox user.

Attached is a powershell script to automate a lot of this for you. See the top of the article for instructions. If you have any trouble let me know and I will try to be more prompt than I have been! 

Thanks again!

- Jacob

Hi JDixon,

I have used your script which is lovely and simple. However in Outlook it still shows all users. Is there anything I have missed?


When you create new users are you putting in the customattribute1, applying the address book policy to the user, and placing them in the correct OU?

Thanks for the reply, at the moment I have not created any additional users for the test tenant/s. Just using the Administrator account which is created using your script, which as you would know does have the customattribute1 set and the policy applied. OWA works a treat as this user cannot see any of the other 40+ users/groups. However in Outlook the user sees everything.

Thanks for the time you have put into this. Its a great help.


I tested this again and it is working in my environment. Could you email me some pictures of the GAL in outlook, your AD OU structure, and the user section in the Exchange 2010 management console?

You can email them to:

Hello. Mine does exactly the same thing. OWA is OK, but Outlook shows all the other address lists.

Ok so you used the script which created the OU's, the Address Lists, the Address Book Policy, and the first Administrator user for you automatically right?

If you create a new profile using that Administrator it created it shows all the other address lists for the other Tenants?

I'm trying to see what I have missed here because I'm using Outlook 2010 and my Tenants only see their own users and their own address lists

Yes, that is correct. I have read the scale guidance from MS. Is Security Groups / Universal Groups still needed? Earlier we had a Exchange 2010 SP1 multi tenant setup, where Address List Segregation were used based on groups.


Yes, you are supposed to have security groups, but from what I gathered from the document they are to be used for external applications and such for that specific tenant. SP2 uses address book policies to separate the tenants.

Tried your script, error out with this message:

The following exception occurred while retrieving member "Create": "The server is not operational.


When you specify the -Domain parameter you must put your local domain. You are getting that because it wasn't able to contact your domain controller.

In my lab it was: cloud.local

So I had to be able to resolve cloud.local to the domain controller.

That fixed me up. It did everything but now I am a little lost as to where to go next. The admin account it created has no control over that tenant's email address's.

You can login to the ECP with the newly created administrator account to manage that tenant's email address's. If you are still lost, you might check out some books on exchange 2010. Here is a good free ebook I found that might help you out:

@ingram Sorry this is actually incorrect. With SP2 you can only manage a mailbox if you are part of the organization management security group. The problem is that gives you access to manage everyone.

This is a good reason why you need your own web interface to manage specific tenants. With my new script it creates a security group for each tenant called "Organization Management". Also when you use the script to create a new user it adds the user to All Users and grants Organization Management full access.

This is where you would write a program or web application that people would log in to. So you would write something that basically says: if the logged-on user is in the Organization Management security group of that Tenant, then allow the user to modify options of the other users.

With your new script it creates a security group for each tenant called "Organization Management" and an administrator, but using this administrator I am not able to create or delete user mailboxes from the ECP, even though I have Organization Management (not the built-in one).

I was able to log in to the ECP with the new admin account which has a Windows 2000 login name of administrator2. but if I try to login with the new tenant domain domain\administrator with password doesn't yield any results. When I log into the ECP, i can only manage the admin's mailbox.


I haven't even checked into that. Really in this situation you want to design your own ECP and disable the built in one. Also you will want the users to login using the UPN instead of domain\username.

My script simply just creates a user named Administrator for that domain. It doesn't assign any permissions that allows it to manage that tenant.

Thanks for pointing this out and I will try to modify it.


In the meantime, did you get the script to work and the GAL to separate in Outlook? I have tested this again in my environment and I cannot see any other address list of any other Tenant in Outlook or OWA. As long as you have the recipient containers set on the address lists, CustomAttribute1 set on the users, the address book policy set, and the UPN set right for the Tenant, you should not see anything but other users in the same Tenant.

I would also like to point out that you shouldn't really do this article in a production environment. You need something more proven and solid like Citrix CloudPortal, ExtendASP, Parallels, etc. I know they cost but they provide all the capabilities you will need to resell these services and manage these services (plus more).

This article was simply an attempt to separate it according to the document released by Microsoft (and to play around lol). Since Microsoft doesn't give very detailed information, this is basically my attempt to mimic the separation of Tenants with Address Book Policies.

Hello. I have just checked all of that, and it is all OK. But still, i see all the other tenants address lists in Outlook. Can't figure out why ..

One more thing. My problem is that all the other address lists, is shown in the 'All Address List' container in Outlook. The address list container for all is also only this: "/" and nothing more. What to do?

Yeah I am not using this in a production environment. Just testing stuff.

Hey all. I have just found this:

From Technet:
Do not run CAS role on a Global Catalog - doing so results in Active directory being used for NSPI, not the Address Book Service, bypassing all of the logic built in to the feature

So you can’t use ABP’s if Exchange is installed on a GC as NSPI is provided by AD, not Address Book Service

Thanks for the answer. That answered the problem I was having with Outlook. The problem I have now is that removing GC from the DC that Exchange is installed on completely breaks Outlook Anywhere since, to my knowledge, Exchange will only communicate with the DC it's installed on and it will not authenticate Outlook Anywhere clients. So what do you think is the best way around this issue?

Hi JDixon and everyone else.

Sorry for the delay in getting back, I have been busy. As a test I have installed Exchange on a Hyper-V VM and retested. As per the above post it is working. In Outlook I do not see the other users, same with OWA. Exchange cannot be on a GC. Thanks for the script, it is really useful and will save a lot of time entering commands.

The only thing I would like to see is a modified script for adding individual users without it creating the OU, address lists etc. Just specify a username and password etc. and it will autofill the rest.

Thanks for the all the work Jdixon.



Glad you figured it out! Also thanks for sharing the issue with installing it on a GC. I will modify the existing script, add one to remove tenants and also create mailboxes.


Last year I set up an Exchange 2010 that is behind a TMG SP2 for use in a multi-tenancy environment, and I have to say that it is working as it should. Our customers access their mail with OWA, or POP or IMAP.
Now we have a new customer that wants to use Outlook Anywhere, and my question is,
can we do this? I mean, because there is not a global address list and each customer has his own GAL and OAB, how can we configure Exchange and TMG for Outlook Anywhere access?

It all worked perfectly when i removed the GC role from the Exchange server. Thank you for the script.

No problem! I updated it recently. Does a lot more and better structured if you want to check it out

Can someone give me a guidance on how to remove GC role from Exchange server.
I have one server with DC/GC/Exchange2010 all roles installed on it and now is having the same ABP not working in Outlook issue.

Hi jdixon,

I hope all is going good. I was curious if you had a chance to look at the additional scripts you mentioned? It would be a life saver, well time saver. More then happy to pay or donate as it is such a great script you have already provided!


Update on scripts, I've spoke with jdixon, and he is currently working on enhancing the current script, as well as creating a couple of new scripts, including one to create users. They will be posted when completed


I have supplied with updated scripts for creating the tenants, adding new users, and removing tenants. We do this for free but who doesn't love donations lol :-)

Anyways let me know how the new scripts work for you.

Please keep in mind you won't be able to manage tenants using OWA. Exchange wasn't really built that way for this. This is where an automation control panel, or your own website for managing Tenants, comes in.

In the scripts I did create two universal security groups and auto-add the users to an "All Users" group and auto-add the administrator to the "Organization Management" group. When creating new users it will also grant the "Organization Management" group for that tenant Full Access to the user mailbox. From there you can write something using those security groups to let the administrator tenant user manage it.

I want to install the exchange server 2010 sp2 in such a way so that i can satisfy multi tenant mode.. can any one help me in this?

my mail id is please do reply as soon as possible.


Install Exchange 2010 SP2 like you would install a normal on-premises Exchange server. Then you will use address book policies and Active Directory organizational units for separating the tenants.

I have just uploaded new scripts to aid in this process


Thanks Jdixon,

Look like good scripts! I will give them a proper test during this work week and let you know how it all goes. Thanks for doing all that. Let me know how I can donate.


David M,

Hey, just letting you know, Jdixon and I are administrators and authors here. If you are interested in donating, there is a donate button in the right column of this page.


Very useful information. Can anyone advise though on what needs to be done (if anything extra) to ensure Outlook clients in cached mode download the correct Offline address book. What do I set the default OAB to be on a mailstore basis (and will this have any effect)?

Any help appreciated...


I have updated the scripts that will secure the OAB. I also posted what needs to be done to make sure this happens.

Also I made a mistake (maybe a few....) where I didn't specify the OAB when creating the users. The scripts now do this. It sets the OAB on each user when creating the user.

Hi all,

Is this the correct script to make the exchange server 2010 sp2 as multi tenant. I want to know the actual script which makes the exchange server 2010 sp2 as multi tenant.

I have made the exchange server 2007 as multi tenant manually. Now i am looking for the script which can do the same thing with the exchange server 2010 sp2 as well.

Please do reply me @






Please do reply me as soon as possible.....waiting for your reply...

thanks in advance.

These scripts will create the address lists, gal, OAB, and address book policies along with the organization units in AD.

There is not a "correct" script to do this that Microsoft provides. Everyone may do it a little different but follows the guidelines that Microsoft provided.


This script will successfully create the OUs and all the Exchange objects you will need to get started with your multi-tenant setup. After running these scripts you can set up Outlook or OWA (as long as Exchange is not installed on a GC) and you will notice you cannot see the other users or their distribution groups or other address lists.

Here are some other things you may want to do:

  • Modify OU security
  • Setup web application so users can modify their settings such as passwords and any other AD settings (Manager, Office, Address, etc).



Great article; a HUGE head start making sense out of Exchange multi-tenant provisioning. Thanks!

Consider posting these scripts to TechNet Script Repository; I think lots of folks would be interested in them.

Found one little bug: New-User.ps1 uses $DisplayName for both Display Name & Full Name attributes. If you want your Display Names in Lastname, Firstname format, this causes 2 problems:

1. The Full Name is also in Lastname, Firstname format.

2. AD escapes the "," to become "\," in the DN. The script doesn't escape the comma, and fails when it tries to query AD for the account just created.

I'm modifying it to concatenate Firstname & Lastname to avoid both problems. Don't know if there are other characters that have to be escaped in DNs, however. (And I'm enough of a PS noob that I'm not sure I could handle that yet anyway!)


Thanks for pointing that out! I will look into it.

Funny thing... I'm a PS noob too! hahaha. I have plenty of experience with C#, so I guess that kinda helps me a little. A more advanced PS scripter could have written this much better than myself :-)

Anyways I will probably look into that tomorrow or Sunday to get that fixed for you. In the meantime I posted some updated scripts that drops the use of a EAP and sets the primarysmtpaddress when creating the user. The reason I did this is because using a EAP will put the local accepted domain in the list of email addresses.

Also I updated it to secure the OAB so other tenants cannot see. Of course you must first follow the instructions I posted in the update.


Thanks again for pointing out the bug. I updated the script and you can now enter the display name with a comma or without. So it will always set the name to "Firstname Lastname" but allow you to set the Display Name however you like.

Not sure what happened in my reply but I was saying I fixed the scripts. You can now enter the display name as 'Lastname, Firstname' and it will still set the name to 'Firstname Lastname'.

Supply values for the following parameters:
TenantName: John Doe
Password: ChangeMe!2012
Created new organizational unit. [OU=John Doe,OU=Hosting]
Added to the forest upn suffixes
Created the Accepted Domain
Couldn't find organizational unit " Doe". Make sure you have typed the name correctly.
At C:\Users\Administrator.OURDOMAIN\AppData\Roaming\Microsoft\Exchange\RemotePowerShell\\ char:31
+ $steppablePipeline.End <<<< ()
+ CategoryInfo : NotSpecified: (0:Int32) [New-GlobalAddressList], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : 47C1C782,Microsoft.Exchange.Management.SystemConfigurationTasks.NewGlobalAddressList

If I run a Get-AcceptedDomain, I see that it's successfully added:

Name DomainName DomainType Default
---- ---------- ---------- -------
 Authoritative True
John Doe Authoritative False

So I suspected that the New-GlobalAddressList line is failing to run, however if I run it manually, it works.

Any ideas?


Strange. I tried it in my environment and it created everything successfully (of course my domain isn't but that shouldn't make a difference).

Now did it successfully create the OU in Active Directory? Does ' Doe' exist?

Yeap, the OU exists. What's interesting is if I run the script again, without running Remove-Tenant then it works successfully. I am going to put some pauses into the script and see if it's a timing issue or related to AD replication.


Use the non-Exchange "Company" field for the tenant name instead of Custom Attribute 1, and modify the EAP (as used in the 3 Mar 2012 version of the script) to make the Company field the Condition that's checked by the EAP. Then call Enable-Mailbox against the user object (instead of New-Mailbox), to mail-enable the user.

In this way, you don't get the default alias@internal.local e-mail address, because the Default EAP will never be applied to the mailbox. This allows use of EAPs in compliance with MS's multi-tenant guidance, while eliminating the default address for which you removed EAPs in the 16 Mar 2012 version of the script.

Another advantage: If you host more than just Exchange, some users might be mail-enabled, while others might not. For non-mail-enabled users, you just programmatically skip the Enable-Mailbox part, or make it a separate script. If the Company field is already filled during initial provisioning, and the customer decides to opt for e-mail, the account is Exchange-ready after you run New-Tenant.ps1.

Hi JDixon,

Thanks for the scripts, I am testing it in my environment and so far so good. This is a very good time saver.

I think the next step would be Room or equipment mailbox and also taking a look into public folders.

Have you had the chance to take a look at theses two things ?



Hi Again,

Public folder segmentation works normally with the Public Folder Management Console; you can create subfolders and give permissions as you normally do.

Also for resource mailboxes or room mailboxes, you can create them manually in the EMC and add the Custom Attribute, and it is working fine. I didn't have the time to create a new script based on the New-User script for resource mailboxes. But once the tenant is created you can use the EMC to finish your things.

A few tests and I will put this in prod and let you know guys !



Hi mate,

The issue I'm having trouble with is that when two tenants send email to each other, it is sent internally. Is there a way or workaround for the email to be sent externally?

I believe you must use a smart host to send mail to other tenants on the same server. Here is info on how to configure a smart host:

thanks for the quick reply. I'm able to send/receive emails from both tenants. But they are still being sent internally. I actually view the message details and see where it gets point and how it is sent. Is there a way to forward the email out to the internet and then redirect back in? , so it looks like an external email from the internet rather than an internal email.

Are you currently using a send-connector to send email, or are you using DNS? As far as I'm aware, using a send-connector will solve the issue you are having. The email you send from one tenant should go out the send-connector to your smart host on the internet, and then it will look up the mx records for the other tenant you are sending to, and send the email directly back to your server.

Ahh. Oks Thanks for the help. I'll give that a try tonight. I'll post back if this solution works. =]

Hey, I tried what you said, by setting up a send connector to a smart host on the internet. But the thing is it's not leaving Exchange. The email is just sent directly through to the other tenant without going out at all. Ideas?


Hey, I will set up a test and see what it does. In the meantime, could you email me your send connector information to:

Open the Exchange shell and run: Get-SendConnector | fl > c:\sc.txt

and email the sc.txt

Looks like you must use a custom transport agent. Here is a link to someone else having the same problem and a product that solves the issue:

This is from the Microsoft Multi-Tenancy and Hosting Guidance for Exchange 2010 SP2:

Problem or Issue Description: Preventing name resolution of recipients and matching to directory entries from taking place when emails are sent between tenants.

Recommended Approach: It is recommended that you build and implement a custom transport agent on all Hub Transport servers in your organization that is able to determine that an e-mail is being sent between tenants on the same system, and re-routes the mail to deliver to a smart host elsewhere in the network, for subsequent routing back to Exchange.

This approach makes the message appear as having been received from the Internet, which prevents it being resolved to an internal recipient, though message header information may reveal some data, unless that is also re-written.

Because e-mail is delivered to the Internet through a Hub Transport server and then back through a Hub Transport server, there is the possibility that the e-mail could be delivered back to the same Hub Transport server that it was sent from. If this happens, then you get a message looping issue and the mail delivery will fail. In order to prevent this from occurring, we recommend that you create dedicated send connector and receive connector Hub Transport Servers.
Unsupported Solutions: Any transport agent based solution that does not follow the guidelines provided at

Additional Comments: If you choose not to write the transport agent, ABPs will prevent the exposure of directory data in this scenario, preventing most data from being seen, but ABPs do not solve the issue of making the mail appear as though it came from an external recipient (the display name will show the resolved display name from the directory), nor do ABPs solve the issue of being able to reply to mails when the original sender's mailbox is off-boarded (discussed elsewhere in this document).

Understanding Transport Agents -

Configure Internet mail flow for the multi-tenant organization -

Create an SMTP Send Connector -

Create an SMTP Receive Connector -

Tell Those Messages Where to Go By Using Exchange 2007 SP1 Transport Agents -

I have also tried the smart host to a Barracuda, and since the tenant's domain is considered like localhost for the Exchange server it does send it internally. That is causing an issue with Out of Office messages because it does respond with the internal notice instead of the external notice. Still looking into it.

There is some third party software for transport between tenants, but it is too expensive, around $3000.

I haven't looked into the Transport SDK much, but from what I have seen it doesn't look that difficult. I'll try to write a transport agent for this problem and post it when I get finished. Give me a few days and we will see! Thanks!

I have posted a transport agent I have been working on. It is in BETA. It will route emails out the send connector it creates, and it will also delete the internal OOF between tenants.

I have not put this through much testing so you may experience issues such as performance.

Please let me know any issues you have with it and I will try to fix it!


Great post thank you
You saved me from a lot of work.
Thanks again Keep it coming :)

I would like to know if anyone has tested any of this on an SBS2011 server? SBS2011 has Exchange 2010, but it is a GC and holds ALL FSMO roles.

None of this will work on SBS 2011. You need Server 2008 R2 and Exchange 2010 SP2.

SBS2011 is Server 2008 R2 with Exchange 2010 and I have applied SP2.

I was just wondering what the roadblocks would be.

This won't work if the CAS role is on a Global Catalog server, as mentioned here in one of the previous comments.

That is one roadblock, but SBS is limited in many ways that would likely cause problems. I think there is a 75 user limit, the SBS server must be the primary DC, and there are other weird licensing issues.

It definitely would not be recommended or supported by Microsoft

Well, I was wondering if anyone had tried because SBS2011 already has the CAS role on a GC. So it would appear that M$ has made some changes to make that work.

As for the 75 user limit, the 2 entities involved don't even total 20 users, so this would never be an issue on this server.

The nice thing about licensing on SBS is that you don't actually install the user licenses, you just tell SBS that you have them.

@Tom Menasco

You've not described your exact requirements. But if they're cozy enough to be willing to split an SBS, they each know that the other exists. So the illusion that each company owns the system, which we need to maintain in true multi-tenancy scenarios, likely doesn't apply here. My guess is that, as far as Exchange is concerned, the most important thing you need is the ability to send and receive for 2 external domains. That's easy. But, ideally, you should also be able to create 2 GALs, and have 2 e-mail address policies. While the techniques have changed, that, too, has been do-able since Exchange 4.0...I've done it with EX 4.0, 5.5 and 2003. (Still working on it with EX2010SP2!)

That said, my SBS multi-tenant experience is limited to supporting 2 external domains, and no other separation, on SBS 2008 R2. But I can't fathom why 2 ABPs and EAPs would be a problem on SBS 2011. The only multi-tenancy feature that's new in EX2010SP2 is multiple ABPs, anyway. So if that didn't work, as long as your clients don't care if they see each others' names on the GAL, it's a problem you don't have to solve. Actually, my 2 clients *liked* having everyone's name in the 2 companies handy because one was a vendor to the other.

As for whether it's supported, well hard to say. My guess is that MS would work with you. But anyone who's ever had a microbusiness client knows that support boundaries have to be viewed as elastic!

Multi-tenancy, in general, is a fuzzy support boundary across all of Microsoft, because every one of their (and others') current products was designed with single-tenancy in mind. Yet MS can't afford to turn its back on multi-tenancy and the cloud.

AD, Exchange, SharePoint, SQL, et al, support very well-defined user and computer objects. But Tenant objects are, today, make-believe. They are syntheses of repurposed, customized, single-tenant objects that we're largely on our own to figure out how to configure and support.

The MS EX2010SP2 multi-tenancy white paper linked to at the top of this page certainly reinforces that view! For that matter, so does the flip-flop on EX2010 /HOSTED vs EX2010SP2. They don't know what they're doing yet, either!

Today, multi-tenancy is an elaborate hack.

I don't think that will change in Microsoft [ProductNameHere] v.Next, but if Microsoft is as serious about the cloud as they say they are, then hopefully, by v.NextAfterThat we'll see baked in multi-tenancy.

In my opinion, then, and only then, can MS afford to tighten support multi-tenancy boundaries. And then, only for v.NextAfterThat.

@Tom Menasco

OK, I've re-read the bit about the GC & ABPs. So you won't be able to use this to separate the GALs on SBS, and MS no longer supports hacking ACLs to do this. So that's something you won't be able to do. If that's a dealbreaker, they'll each need their own system, or else one, or the other, or both, need to use an Exchange cloud provider in lieu of on-premises.

The rest, however, should work.

JRV, Thanks for the detailed information.

Yes, these two entities will have no real issue seeing each other listed in the GAL. So I will look at the best method to make this happen.

I mainly support small businesses, most of them are SBS, which means that I don't really get time to dig deeply into the bowels of Exchange.

Any way of working around the Global Catalog issue? I have a single server setup. Everything works great in OWA, but with Outlook the GAL shows everyone. Also the OAB can't be downloaded. Any suggestions? Thanks in advance.

I had to set up the environment again with a separate server as the global catalog to correct this. Changing the GC didn't seem to work.

I set up from scratch with a new DC as global catalog and Exchange as a member server. All seems to work except for downloading offline address book files in Outlook when you hit Send/Receive. Any luck on solving this issue? Thanks

To correct this: there wasn't an address book associated with the database.
In your Mailbox Databases you need to associate an offline address book.
You achieve this from the properties of your mailbox databases inside organization management -> Mailbox -> Database Management -> Right Click Properties -> Client Settings.

Once I added the default offline address book, I ran the update address book and then restarted the Exchange File Distribution service. A few minutes later Outlook via RPC over HTTP successfully downloaded the address book.

Hopefully this helps someone; I beat my head against the wall for a couple of days.

In my environment the clients don't download the OAB. I have a dedicated Mailbox DB for each tenant. The client returns "An object cannot be found". I have tried to add the Default Offline Address Book to the DB but this did not help me.
Thank you in advance.


You may want to try the latest scripts since I added some things.

First, when the script creates the OAB it removes the Authenticated Users permissions from it and adds the AllUsers@ group to the security permissions for read.

Next when it creates the user it will assign the offline address book to the mailbox. Do a Get-Mailbox <identity> to see if the OAB is set.

For a multi-tenant environment I don't think it would be very scalable to use a mailbox database per tenant. There is a limit to how many databases you can have.
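An added example (not from the original post or the New-Tenant/New-User scripts) that audits both settings discussed in the two replies above: the per-database OAB whose absence produced the download error, and the per-mailbox OAB the script is said to stamp. It assumes the OU layout OU=<Tenant>,OU=Tenants,DC=cloud,DC=local and an OAB named "<Tenant> OAB", and is run from the Exchange Management Shell.

```powershell
<#
 Added example, not part of the original post or of the New-Tenant/New-User scripts.
 Audits OAB assignment for one tenant: every mailbox database must carry a default
 OAB (the fix that cleared the 0x8004010F download error in the comments above) and
 every mailbox in the tenant OU must point at the tenant's own OAB. Assumed: tenant
 OU layout OU=<Tenant>,OU=Tenants,DC=cloud,DC=local and an OAB named "<Tenant> OAB".
#>
param(
    [Parameter(Mandatory = $true)][string] $TenantName,
    [string] $TenantOU  = "OU=$TenantName,OU=Tenants,DC=cloud,DC=local",
    [string] $TenantOab = "$TenantName OAB",
    [switch] $Fix        # report only unless -Fix is given
)

# Resolve the tenant OAB once; a typo here must stop the script, not silently "fix" mailboxes.
$oab = Get-OfflineAddressBook -Identity $TenantOab -ErrorAction Stop

$problems = @()

# 1. Databases: a mailbox with no OAB of its own falls back to its database's OAB.
#    When that is empty too, Outlook's OAB download fails with "object could not be found".
foreach ($db in Get-MailboxDatabase) {
    if (-not $db.OfflineAddressBook) {
        $problems += "Database '$($db.Name)' has no OfflineAddressBook"
        if ($Fix) {
            # Databases are shared between tenants, so they get the organisation default, never a tenant OAB.
            Set-MailboxDatabase -Identity $db.Identity -OfflineAddressBook "\Default Offline Address Book"
        }
    }
}

# 2. Mailboxes: each tenant mailbox must be pinned to the tenant OAB so that the
#    per-tenant address book is the only one its clients ever download.
foreach ($mbx in Get-Mailbox -OrganizationalUnit $TenantOU -ResultSize Unlimited) {
    $current = if ($mbx.OfflineAddressBook) { $mbx.OfflineAddressBook.Name } else { '<none>' }
    if ($current -ne $oab.Name) {
        $problems += "Mailbox '$($mbx.Alias)' uses OAB '$current' instead of '$($oab.Name)'"
        if ($Fix) { Set-Mailbox -Identity $mbx.Identity -OfflineAddressBook $oab.Identity }
    }
}

if ($Fix -and $problems.Count -gt 0) {
    # Regenerate the tenant OAB and have every CAS re-copy the files before clients retry.
    Update-OfflineAddressBook -Identity $oab.Identity
    Get-ClientAccessServer | ForEach-Object {
        Invoke-Command -ComputerName $_.Name -ScriptBlock { Restart-Service MSExchangeFDS }
    }
}

if ($problems.Count -eq 0) { "OAB assignment for tenant '$TenantName' is consistent." }
else { $problems }
```

Run it without -Fix first; the report lists every database and mailbox that would be changed.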

I ran the script Secure-DefaultOAB some days ago.
The new mailboxes have the parameter OfflineAddressBook set correctly.
The MailboxDatabase has the parameter OfflineAddressBook not set.

For test purpose I'm using a standalone workstation.

My error is the same
"while doing a Send/Receive you see the error message: Task 'Microsoft Exchange Server' reported error (0x8004010F): 'The operation failed. An object could not be found.'"

I have tried to add an SRV record for autodiscover but it does not work.

Any Ideas?

Solved. The problem was the autodiscover.

First of all I would like to thank you for this article. Really, really, great stuff.

Second, if I don't use mailbox db per tenant what would be the best solution to limit total storage space for a tenant's mailboxes. Ok, one solution is to simply track this info externally but is there any way to do this through Exchange?

Thanks in advance.

You could set the limits on single mailboxes. With a PS script you can set these parameters easily. Regards. Simone
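An added example (not from the original post or its scripts) of the per-mailbox approach suggested in the reply above: it sums a tenant's current mailbox usage against a tenant allowance and, with -Apply, splits that allowance into per-mailbox quotas. It assumes tenants are stamped in CustomAttribute1 as elsewhere on this page; the 50 GB allowance is a constructed value.

```powershell
<#
 Added example, not from the original post or its scripts. Exchange 2010 has no
 per-tenant storage cap, so this enforces one the way the reply above suggests: by
 stamping per-mailbox quotas. It sums the tenant's current usage, warns when the
 tenant is over its allowance and, with -Apply, splits the allowance equally across
 the tenant's mailboxes. Assumed: tenants are stamped in CustomAttribute1 as on this
 page; the default $TenantQuotaGB is a constructed value.
#>
param(
    [Parameter(Mandatory = $true)][string] $TenantName,
    [int]    $TenantQuotaGB = 50,   # constructed: the tenant's total allowance
    [switch] $Apply                 # report only unless -Apply is given
)

function Get-SizeBytes {
    # TotalItemSize arrives as a ByteQuantifiedSize in the local shell but as a string
    # like "1.5 MB (1,572,864 bytes)" over remote PowerShell; handle both.
    param($Size)
    if ($null -eq $Size) { return 0 }
    if ($Size.Value -and $Size.Value.PSObject.Methods['ToBytes']) { return [long]$Size.Value.ToBytes() }
    if ("$Size" -match '\(([\d,]+) bytes\)') { return [long]($matches[1] -replace ',', '') }
    return 0
}

# Filter server-side on the tenant stamp; the OU alone would miss mailboxes moved by hand.
$mailboxes = @(Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$TenantName'")
if ($mailboxes.Count -eq 0) { throw "No mailboxes carry CustomAttribute1 '$TenantName'" }

$usedBytes = 0
foreach ($mbx in $mailboxes) {
    $stats = Get-MailboxStatistics -Identity $mbx.Identity -ErrorAction SilentlyContinue
    if ($stats) { $usedBytes += Get-SizeBytes $stats.TotalItemSize }
}

$quotaBytes = [long]$TenantQuotaGB * 1GB
"{0}: {1} mailboxes, {2:N2} GB used of {3} GB" -f $TenantName, $mailboxes.Count, ($usedBytes / 1GB), $TenantQuotaGB
if ($usedBytes -gt $quotaBytes) { Write-Warning "Tenant '$TenantName' exceeds its allowance" }

if ($Apply) {
    # Equal share per mailbox: warn at 90 %, block send at 100 %, block receive at 110 %.
    $perMailboxMB = [math]::Floor($quotaBytes / $mailboxes.Count / 1MB)
    foreach ($mbx in $mailboxes) {
        Set-Mailbox -Identity $mbx.Identity `
            -UseDatabaseQuotaDefaults $false `
            -IssueWarningQuota        ("{0}MB" -f [math]::Floor($perMailboxMB * 0.9)) `
            -ProhibitSendQuota        ("{0}MB" -f $perMailboxMB) `
            -ProhibitSendReceiveQuota ("{0}MB" -f [math]::Floor($perMailboxMB * 1.1))
    }
}
```

Because the share is recomputed from the current mailbox count, re-run the script whenever the tenant gains or loses mailboxes.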

The scripts are for On-Premises mode and not /hosted mode right?

Correct. These scripts are for On-Premises mode.

Just wanted to say we grabbed the scripts today (5/9/12) and they all worked perfectly. After futzing with this for a couple of hours trying to do it by hand, I appreciate the time you put in to build these ... Maybe MS should send you some royalties :)

Let me start by saying THANK YOU! This script is awesome. I am posting this just in case anyone else needs the described functionality.

The script is built for an automatic default of if the user's name is John Doe the e-mail address is set to In my hosting environment it is important for me to be able to set the alias to or even if necessary.
So what I did to fix this, is edit the new-user.ps1 file to the following.

In the upper section I added a parameter called $Alias like so.
[parameter(Position=0, Mandatory = $true)]
[String] $Domain,

[parameter(Position=1, Mandatory = $true)]
[String] $TenantName,

[parameter(Position=2, Mandatory = $true)]
[String] $FirstName,

[parameter(Position=3, Mandatory = $true)]
[String] $LastName,

[parameter(Position=4, Mandatory = $false)]
[String] $Alias,

[parameter(Position=5, Mandatory = $true)]
[String] $DisplayName,

[parameter(Position=6, Mandatory = $true)]
[String] $Password,

[parameter(Position=7, Mandatory = $true)]
[Bool] $ResetOnLogon
In the function "CreateUser" just below the parameters, I changed "$alias = $FirstName.Trim().Substring(0,1).ToLower() + $LastName.Trim().ToLower()" to this:
if (!$alias) {
    # No -Alias given: fall back to first initial + last name, as the original script did
    $alias = $FirstName.Trim().Substring(0,1).ToLower() + $LastName.Trim().ToLower()
}
This allows me to specify a "-alias" switch when running the script, or if I don't specify "-alias" it defaults to the original.

Hope this helps anyone who needs it.

I just followed your instructions, skipping the custom attribute usage and everything is working perfectly. Am I missing something, will this break down the road?

I don't know why that is working for you but you need the custom attribute usage. This is how you properly segregate your customers. If you notice in the address lists they are searching based on that custom attribute.

I would say it's searching based on the OU. Otherwise, why specify the OU at all?


It seems WebsitePanel now supports Exchange 2010 SP2! If you don't know, WebsitePanel is open source. You can check it out here:



Hello again, and thank you for your scripts. I have a problem regarding the Public Folder and the GAL. I have successfully segmented the public folders by CustomAttribute1, but i don't see the folders in the GAL. Have tried the following cmdlet:

Set-GlobalAddressList "GAL" -RecipientFilter {((CustomAttribute1 -eq 'XXX') -and (ObjectClass -eq 'user' -or ObjectClass -eq 'publicFolder'))}

But i still only see the users and not the Public Folders in the GAL. Any thoughts?


Thank you so much for your posting.  Would you be willing to contact me directly about helping us implement a multi-tenant environment from scratch?  Reading through the entire posting convinced me that doing without expertise in house may be over our heads.



I sent you an email but if you want you can contact me at

I experienced the issue where Address Book Policies worked fine through OWA but would show all address books and all users when using Outlook 2010. My environment consists of 8 servers: 2 DC, 2 CAS, 2 HT, and 2 MB servers. I am not running my CAS servers on a DC/GC but yet I still experienced this problem. I beat my head into the wall for a few hours until I ran across someone saying "Any Client Device or Client Software access Active Directory directly for Directory Access then ABP won’t work." My folly was that I was running Outlook 2010 on one of the DC servers initially and then later installed Outlook on one of the HT servers to test that it wasn't the DC that causing the issue. Once I installed Outlook 2010 on a client workstation, Address Book Policies worked fine. I am therefore assuming that Outlook on a DC uses a GC directly when it is sitting on one, and an HT also uses a GC directly as evidenced under Properties/System Settings of the HT. I spent several hours chasing a problem that wasn't really a problem except for where I was running Outlook. Hope this helps some people as I see a lot of people out there experiencing this issue and everyone blames the "CAS on DC" problem but that is obviously not the only scenario that causes this issue.

I have just one question: the White Paper "Configuring Virtual Organizations and Address List Segregation in Exchange 2007" was published some years ago. Is this guide still valid?
In Exchange 2010 SP2 can we follow this document for Active Directory partitioning?

Kind Regards

Any body help for following error:

The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.

Please Urgent

Check that you have:

Import-Module ActiveDirectory

before any use of AD cmdlets (such as Get-ADUser)

hi all,

Can anybody help me with the following?
I am creating users with these scripts; a user was created successfully with the following order:
First Name: mekail Last Name: Khan, email created. I want to change the email account to the following order:
First Name: Mekail Last Name: Khan
Can anybody provide me a solution?



I get an error when trying to create a new tenant:
"...A value can't be provided automatically for the "Server..."

The full output from the powershell is below, I would appreciate any help:


Security Warning
Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your
computer. Do you want to run C:\Files\TenantScripts\New-Tenant.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): r
Created new organizational unit. [OU=Hosting]
Created new organizational unit. [OU=GannonsLAWLLP,OU=Hosting]
Added to the forest upn suffixes
Created the Accepted Domain
Created the Global Address List
Created the All Rooms address list
Created the All Users address list
Created the All Contacts address list
Created the All Groups address list
A value can't be provided automatically for the "Server" mandatory parameter. Specify an explicit value for the paramet
er and try again, or add the Verbose parameter to obtain more information about the failure.
At C:\Users\Administrator.SMARTITDECISION\AppData\Roaming\Microsoft\Exchange\RemotePowerShell\server10.smartitdecisions
.com\ char:31
+ $steppablePipeline.End <<<< ()
+ CategoryInfo : InvalidData: (:) [New-OfflineAddressBook], InvalidOperationException
+ FullyQualifiedErrorId : 6F83D20B,Microsoft.Exchange.Management.SystemConfigurationTasks.NewOfflineAddressBook

Hi jdixon,

I like your script, it's nice! :)

Is there a reason why you don't add the UPN to the tenants OU?

You can do it like so:
Set-ADObject -Identity ',ou=hosting,dc=cloud,dc=local' -Add @{uPNSuffixes=''}


I just haven't modified the script.

Yes you should be using the UPNSuffixes attribute on the OU. It really would be better practice. I've been in the middle of a datacenter migration (on going) and haven't had time to update these scripts nor update the transport agent that I was working on.

I plan on making a windows application to do all this for you instead of running scripts.


Hi Jacob, thanks AGAIN AND AGAIN for these scripts!

If you do write a GUI for this, I'm sure it will be appreciated. But please keep the scripts available, too, as your project evolves, because they're a good tool for understanding what needs to be done, and for copying snippets of known-working code.

Noob comment/question..

Great guide, but I have run into situation that the "New-AddressBookPolicy" cmdlet and GUI tab is missing. Followed the steps by the number, even reinstalled Exchange several times. No joy...still when using the cmdlet, get error indicating an invalid command. Ideas anyone?

Are you using Exchange SP2 on-premises?

Tj...well, I thought what was given to me was SP2, when in fact it was not. Fooled I am! Thanks for pointing this out.

Thanks for the script! It helps a lot!!
I have just a problem. After creating the tenants and the accounts, everything works well in OWA, but in Outlook I still see everyone (all the accounts of all the tenants).
I don't know if I missed something...
I'm using your latest scripts.
I have also launched your Secure-DefaultOAB.

Thanks for your help


well, I have found why it doesn't work... (outlook isolation)

So, first, you have to uncheck Global Catalog in AD Sites and Services, on the Exchange server, in the NTDS Settings properties (there are some comments here about that).

I reboot.

After that I had a main problem: the Microsoft Exchange Address Book service was unable to start, with this error:

Unable to register the MSExchangeAB RPC interface. Failed with the error code The endpoint is a duplicate (1740)

I did this to resolve the issue:

To fix this locate this registry key:

"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\Parameters\NSPI interface protocol sequences] and search for a port bind eg. 6004. DO NOT touch this if the server is a global catalog; if it has been a global catalog in the past, you can delete the key and restart the server."

I reboot, and the service could start again (but the key I deleted is still here...). Don't really know what happened...

I have also found this article:

But I didn't test it.

Now the isolation works fine both in OWA, and outlook.

My conf: 2 servers. 1 AD with DC and GC, and another one with Exchange 2011 on the same AD, but without GC (mandatory if we want to have the isolation in Outlook).

Thanks again for the scripts. It's not easy to find information about the way to do it...


I am running 5 tenant orgs & I have created my environment with Sir Jacob's provided scripts. All tenants are working fine; OWA and Outlook are both working well.
Just remove all address books from the root domain; I think your Outlook related issue will be resolved.


Thanks for providing the scripts! Pretty nice work you did!

Has anyone created distribution groups already? Are there some scripts available for that, and what do I need to take care of if I create a distribution group for a tenant manually?


Phil, have you been able to determine how to create a tenant specific distribution group yet? I am also wondering about this.

Hello Garth

Unfortunately not yet. I'm still trying to figure out how this can be done.

Anyone who can help to create a script for this?


hi guys - has anyone figured out how to create tenant distribution groups as yet?

Some guidance would really be appreciated
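An added example (not from the original post or its scripts) addressing the distribution group questions above: a per-tenant "All Users" list built as a dynamic distribution group, so membership follows the same CustomAttribute1 stamp the tenant's address lists already filter on and is confined to the tenant OU. It assumes the OU layout OU=<Tenant>,OU=Tenants,DC=cloud,DC=local, the tenant's accepted domain passed as $TenantDomain, and the tenant name in CustomAttribute1.

```powershell
<#
 Added example, not from the original post or its scripts: an "All Users" list for one
 tenant as a dynamic distribution group. Membership is computed from the CustomAttribute1
 stamp AND restricted to the tenant OU, and the resolved membership is checked for
 cross-tenant leakage before the group is reported as ready. Assumed: OU layout
 OU=<Tenant>,OU=Tenants,DC=cloud,DC=local and the tenant name in CustomAttribute1.
#>
param(
    [Parameter(Mandatory = $true)][string] $TenantName,
    [Parameter(Mandatory = $true)][string] $TenantDomain,   # the tenant's accepted domain
    [string] $TenantOU = "OU=$TenantName,OU=Tenants,DC=cloud,DC=local"
)

$groupName = "$TenantName - All Users"
$alias     = ($TenantName -replace '[^A-Za-z0-9]', '').ToLower() + '.allusers'
$address   = "allusers@$TenantDomain"

# Two conditions, both required: the stamp keeps other tenants out if an object is put in
# the wrong OU; the RecipientContainer keeps a mis-stamped object out if the OU is right.
$filter = "((RecipientType -eq 'UserMailbox') -and (CustomAttribute1 -eq '$TenantName'))"

$ddg = Get-DynamicDistributionGroup -Identity $groupName -ErrorAction SilentlyContinue
if (-not $ddg) {
    $ddg = New-DynamicDistributionGroup -Name $groupName -Alias $alias `
        -OrganizationalUnit $TenantOU -RecipientContainer $TenantOU `
        -RecipientFilter $filter
}

# Opt the group out of e-mail address policies first, so no default-policy address on an
# internal domain is ever generated, then give it an explicit address in the tenant domain
# and stamp it so the tenant's "All Groups" address list and ABP pick it up.
Set-DynamicDistributionGroup -Identity $ddg.Identity -EmailAddressPolicyEnabled $false
Set-DynamicDistributionGroup -Identity $ddg.Identity `
    -PrimarySmtpAddress $address `
    -CustomAttribute1 $TenantName

# Verify the membership the way Exchange resolves it, and fail loudly on leakage.
$ddg     = Get-DynamicDistributionGroup -Identity $ddg.Identity
$members = @(Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -OrganizationalUnit $ddg.RecipientContainer)
$foreign = @($members | Where-Object { $_.CustomAttribute1 -ne $TenantName })
if ($foreign.Count -gt 0) {
    throw "Group '$groupName' resolves $($foreign.Count) recipient(s) outside tenant '$TenantName'"
}
"'{0}' <{1}> resolves to {2} mailbox(es)" -f $groupName, $ddg.PrimarySmtpAddress, $members.Count
```

The same preview check is worth running periodically against every tenant group, since a wrongly stamped mailbox would otherwise join another tenant's list silently.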

TIP: MS multi-tenant guidance says to disable scheduled OAB generation, but neither the document nor TechNet tells you how to do so with PowerShell. To disable scheduled OAB generation with PowerShell, append

-Schedule 'Never'

to the New-OfflineAddressBook command in the New-Tenant.ps1 script.

Thanks for all the wonderful scripts. I have a case with a tenant with multiple internet domain names; within the tenant, some users are using and some are using, and some have as primary SMTP and as the additional email address. Would the script cater for this situation, and how would it be accomplished? Million thanks

Hi, Thanks all working fine for me.


Can you please give a guide step by step how to set up redirected autodiscover to allow using Exchange 2010 self cert?

Can you please add a script to add a Distribution List for a 'All Users in a Tenant'




K Maimon


I'm running into two errors when trying to run your script, but with a catch (please note that I've changed the actual params; this is just an example):

First time I run New-Tenant.ps1 -Domain cloud.local -TenantName "My First Tenant" -TenantDomain "" -Password Password1

I get the error "Failed to create universal group Organization Management"

I run it again...

I get the error "Failed to create universal group All Users"

I run it AGAIN and everything works! Has anyone else experienced this? Thanks in advance!

Hello dear,

You should run this before creating a tenant,

in the Exchange Management Shell:
Import-Module ActiveDirectory
Set-ExecutionPolicy RemoteSigned
& then run the new-tenant.ps1 script.

Hope this is informative.


Due to the large number of comments on this page, comments will be closed. Feel free to open a thread in our Exchange forums if you have any questions about this article.

These scripts were created to give you an idea on how to structure Exchange using Address Book Policies. Since there were so many responses I decided to create a custom control panel for myself and any others that may need one.

Currently the only free one I could find was WebsitePanel. This has many features but did seem a little complicated to set up.

If you are looking for a control panel meant mostly for Exchange that has some additional features please take a look at my new control panel:


It supports Exchange 2010 SP2 with ABP and should work with Exchange 2013 but I have not tested with Exchange 2013.


There is also a forum where you can post any bugs, feature requests, or if you need installation assistance.


Let me know what you think!

Hi and thanks. I have set up the tenants manually just as you described in the first part of your tutorial. I have two separate domains and they seem to be independent from one another in OWA and Outlook. I have a question about your scripts. Can I run them now in my existing setup?
Would I run ./new-tenant and so forth? Sorry if I misunderstood something. Thanks


The scripts were meant to show you the back end of how address book policies work. Since we got so many comments on this article I created a web portal to manage Exchange free of charge. It does more than just Exchange as well.
Check out:

I absolutely love your script. It was exactly what I needed for a customer who was looking to extend their existing Exchange 2010 environment, to be able to host it for smaller divisions with their own domain. They were not to be allowed to see anything of the production environment and vice versa. It works great! Thanks a bunch for all your hard work!!!

