ESET Mail Security 4 for Microsoft Exchange Server (EMSX) compares the number of mailboxes in the active directory to your license count, as seen in Figure 1-1 below. Each Exchange server's entire active directory is checked to determine the total mailbox count. There is no way to determine which mailboxes are protected and which ones are excluded from protection. Resource mailboxes (i.e. a conference room mailbox) will be tallied in the active directory count, unless accounts for these are disabled (click here for more details). Email aliases, system mailboxes (used only for internal purposes of MS Exchange Server), and disabled mailboxes are not tallied in the mailbox count. In a clustered environment, nodes with the clustered mailbox role are not tallied in the mailbox count. General mailboxes such as "info@", "support@", or "mail@" are counted if they are related to physical existing mailboxes. One exception, the mailbox is not counted if the address is an alias of another mailbox.
How do I determine the amount of Exchange enabled mailboxes?
To determine how many Exchange enabled mailboxes you have, you can either use:
- The EMSX Mailbox Count tool
- Active Directory custom search
A. EMSX Mailbox Count tool
Download the EMSX Mailbox Count tool and run it through the command line (enter the command
EMSX_VerifyMailboxCount.exe from the directory where you saved the tool) with one of the following parameters:
/count - displays the number of mailboxes
/names - displays the names of the users
/details - displays detailed description of each mailbox
/multiline - (together with
/details parameter) displays the multiline detailed description
B. Active Directory custom search
To determine the number of mailboxes using the Active Directory custom search, open Active Directory users and computers on the server. Right-click on the domain and click Find. From the Find drop-down menu select Custom search and click the Advanced tab. Paste in the following Lightweight Directory Access Protocol (LDAP) query and click Find Now (for Exchange 2013 the health mailboxes are not tallied in the count):
Why are my resource mailboxes tallied in the active directory mailbox count and what can I do about it?
The license verification mechanism in EMSX retrieves the number of mailboxes from the Active Directory and counts all physical mailboxes of Active Directory accounts. If an account with a physical mailbox exists within Active Directory but is disabled, it is not included in the count. If you have resource mailboxes such as a Room mailbox or Equipment mailbox that are not actually being used but accounts for these are enabled, they will be counted.
Based on the general settings recommendations for managing resource mailboxes, they should be configured in a certain way, specifically:
- Room mailbox: This is a mailbox to be assigned specifically to Meeting Rooms. Its associated user account will be disabled in Active Directory.
- Equipment mailbox: This is a mailbox specific to equipment, (i.e. TV, Projector, GPS, etc). As with a Resource mailbox, this kind of mailbox will create a disabled user in Active Directory.
The EMSX Algorithm does not count mailboxes with disabled accounts.
If the Administrator account is enabled, meaning that a mailbox that can receive email messages is assigned to this account, it could potentially be compromised by malware or an infected email. For this reason EMSX is designed to protect such a mailbox. If this mailbox is not being used, it could be disabled, and thus not counted.
ESET license verification is built only to check valid mailboxes for which an Antivirus and antispyware protection should be applied.
What happens if the number of mailboxes in my active directory exceeds my license count?
If the number of mailboxes in your active directory exceeds your license count, the following message will be entered into your Microsoft Exchange Server log, "Protection status changed due to exceeded number of mailboxes (count) covered by your license (count)." In the ESET Mail Security 4 main program window the Protection statuswill change to ORANGE. EMSX will inform you that you have 42 days before your protection is disabled (see Figure 1-4). If you receive such a notification, contact your sales representative to purchase additional licenses.
If 42 days have passed and additional licenses are not entered to cover the unprotected mailboxes, your Protection status will change to RED. EMSX will inform you that your protection has been disabled. If you receive such a notification, immediately contact your sales representative to purchase additional licenses.