Check Exchange configuration Change

Hi,
Let me describe my goal.

My goal is to monitor all configuration changes in my Exchange environment.

For that I will need to build some custom resources to do this job (I know how to create a custom resource).
By default the MOF is run with the Local System account; with this account the resource will not be able to connect to Exchange.
The custom resource must be able to connect to Exchange and be able to read and write values in Exchange, so the resource or the MOF must be run with a user that has permissions in Exchange.

Here is an example command.
I want to collect the value of DeletedItemRetention for the mailbox database MDB01:

$D = Get-MailboxDatabase $MDBname | Select DeletedItemRetention 

How can I pass this Exchange user so that the resource is able to execute?
All the tests that I have done have failed.

Thanks

This is more an Exchange question, I guess. How would you manually connect to, and query, an Exchange server while providing alternate credentials? For example, do the commands support the use of alternate credentials by using a parameter? In other words, whatever commands you need to run must themselves support the use of alternate credentials.

Hi Don,

I know that the problem is not an Exchange problem; it is a problem of credentials with Exchange permissions.
Many Exchange cmdlets support a credential, but many don't.
Get-Mailbox can be run with a credential.
Get-MailboxDatabase cannot.
If DSC finds the value is false, DSC will call Set-TargetResource
to run this kind of cmdlet:
Set-MailboxDatabase -DeletedItemRetention 30

Is it possible to run the DSC agent with an alternate credential? If yes,
all Exchange cmdlets can be run with this user, which would be simpler.

Thanks

No, I don’t believe the Local Configuration Manager can be safely run under an alternate account. Keep in mind that it isn’t an “agent” or “service.”

Hi Don,

Do you think that if I create a PSSession with an alternate credential (with Exchange permissions) in the module and pass the PSSession to my Exchange cmdlets, I will be able to run the cmdlets as the Exchange admin user?

If this solution works, what do you think about performance and the load on the Exchange server? I will have a lot of custom resources that will use the PSSession. The PSSession cannot be shared between each object that I want to configure in the configuration document, I think.
Can the PSSession be shared between resources?
We have more than 40 servers and more than 50,000 mailboxes on those boxes.

Alain,

I think you’re trying to use DSC for something that it was not designed for. Don, please correct me if I’m wrong. My understanding is that DSC has been designed to configure, monitor and correct the state of computers or devices. That is why the agent is running as local system to make local changes on computers or connect to devices related to the computer like network switches.

The configuration drift you're trying to prevent in Exchange sounds more like a rights or delegation issue. If only a configuration management system or a handful of trained admins were able to create and change mailboxes, you wouldn't require another system to monitor configuration drift and change values back. If you don't have a configuration management system deployed, you could still set up a scheduled task on a central system which runs a PowerShell controller script with the correct credentials to enumerate the mailboxes every day and revert changes to specific settings back to the expected values.

Just my 2 cents.

Best,
Daniel

Hi Daniel,

Thanks for your response.

The particularity of Exchange is that some configuration is local on the server and other configuration is stored in Active Directory. To be able to read or modify that configuration you need to have some rights in Exchange.

For example, if you want to check some attribute of one mailbox database you need to run Get-MailboxDatabase -SomeAttributes. (This information is stored in AD.) Afterwards, if the configuration has drifted, DSC will call the Set function in the custom resource, and the Set function will use the Exchange cmdlet Set-MailboxDatabase -SomeAttributes XYZ to configure this setting back to the initial configuration.

DSC cannot read or write the Exchange configuration because the LCM runs as the Local System account on the Exchange server, and the LCM has no permission to access AD.
Exchange uses remote execution to run the PowerShell cmdlets.

Yes, effectively, if we don't find any solution with DSC, we have SCOM: we will pull the Exchange configuration with SCOM and compare it, and if the configuration drifts, another script will adjust the drift back to the initial configuration.

For now we prefer to try to find a solution with DSC, if we can find one, because we also have other environments (Hyper-V and other programs) that we want to manage with DSC.
We have created many DSC custom resources to install all the Exchange prerequisites, because we only need local Administrator for that.

Thanks a lot
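The pattern discussed in this thread (a PSSession opened with an alternate credential inside the resource module, and a Get/Test/Set flow around Get-MailboxDatabase / Set-MailboxDatabase) is shown below as an added example; it is not code from any of the posters. It assumes a hypothetical resource module named cExchangeMailboxDatabase whose schema.mof declares Identity (key), DeletedItemRetention and Credential, that the resource runs on an Exchange server whose remote PowerShell endpoint is reachable at http://<localhost>/PowerShell/, and that the node has a DSC encryption certificate so the credential is never stored in plain text in the MOF. The node name, certificate path and thumbprint are placeholders.

```powershell
# cExchangeMailboxDatabase.psm1 (hypothetical resource module; added example, not from the thread)

function Connect-ExchangeSession {
    param(
        [Parameter(Mandatory)] [PSCredential] $Credential,
        # Assumption: the resource runs on an Exchange server, so the local endpoint is used.
        [string]   $ConnectionUri = "http://$env:COMPUTERNAME/PowerShell/",
        [string[]] $CommandName   = @('Get-MailboxDatabase', 'Set-MailboxDatabase')
    )
    # Reuse an open Exchange session from an earlier resource in the same LCM run,
    # so a configuration with many resources does not open one session per resource.
    $session = Get-PSSession |
        Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' -and $_.State -eq 'Opened' } |
        Select-Object -First 1
    if (-not $session) {
        # Kerberos to the Exchange endpoint with the delegated admin credential, not the LCM's Local System identity.
        $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionUri `
                                 -Credential $Credential -Authentication Kerberos
    }
    # The Exchange endpoint runs in NoLanguage mode, so import only the proxies that are needed
    # instead of sending script blocks with Invoke-Command.
    $proxy = Import-PSSession -Session $session -CommandName $CommandName -AllowClobber -DisableNameChecking
    Import-Module $proxy -Global -DisableNameChecking
    return $session
}

function Get-TargetResource {
    [OutputType([Hashtable])]
    param(
        [Parameter(Mandatory)] [string]       $Identity,
        [Parameter(Mandatory)] [string]       $DeletedItemRetention,   # TimeSpan text, e.g. '30.00:00:00'
        [Parameter(Mandatory)] [PSCredential] $Credential
    )
    $null = Connect-ExchangeSession -Credential $Credential
    $db = Get-MailboxDatabase -Identity $Identity -ErrorAction Stop
    return @{
        Identity             = $Identity
        DeletedItemRetention = $db.DeletedItemRetention.ToString()
        Credential           = $Credential
    }
}

function Test-TargetResource {
    [OutputType([Boolean])]
    param(
        [Parameter(Mandatory)] [string]       $Identity,
        [Parameter(Mandatory)] [string]       $DeletedItemRetention,
        [Parameter(Mandatory)] [PSCredential] $Credential
    )
    $current = Get-TargetResource @PSBoundParameters
    # Compare as TimeSpan so '30.00:00:00' and '30.00:00:00.0000000' are treated as equal.
    $desired = [TimeSpan]::Parse($DeletedItemRetention)
    $actual  = [TimeSpan]::Parse($current.DeletedItemRetention)
    Write-Verbose "DeletedItemRetention on $Identity is $actual, desired $desired"
    return ($actual -eq $desired)
}

function Set-TargetResource {
    param(
        [Parameter(Mandatory)] [string]       $Identity,
        [Parameter(Mandatory)] [string]       $DeletedItemRetention,
        [Parameter(Mandatory)] [PSCredential] $Credential
    )
    $null = Connect-ExchangeSession -Credential $Credential
    # Only reached when Test-TargetResource returned $false, i.e. the setting drifted.
    Write-Verbose "Reverting DeletedItemRetention on $Identity to $DeletedItemRetention"
    Set-MailboxDatabase -Identity $Identity -DeletedItemRetention $DeletedItemRetention -ErrorAction Stop
}

Export-ModuleMember -Function *-TargetResource

# ---- Configuration document (compiled on the author workstation, not on the node) ----
Configuration ExchangeMdbDrift {
    param([Parameter(Mandatory)] [PSCredential] $ExchangeAdmin)
    Import-DscResource -ModuleName cExchangeMailboxDatabase
    Node $AllNodes.NodeName {
        cExchangeMailboxDatabase MDB01 {
            Identity             = 'MDB01'
            DeletedItemRetention = '30.00:00:00'
            Credential           = $ExchangeAdmin
        }
    }
}

# Placeholder node and certificate; CertificateFile lets the compiler encrypt the credential
# in the MOF, so PsDscAllowPlainTextPassword is not needed and the password is not stored in clear text.
$configData = @{
    AllNodes = @(
        @{ NodeName = 'EX01'; CertificateFile = 'C:\dsc\EX01.cer'; Thumbprint = '<EX01-cert-thumbprint>' }
    )
}
ExchangeMdbDrift -ConfigurationData $configData -ExchangeAdmin (Get-Credential) -OutputPath .\ExchangeMdbDrift
```

Two design points worth keeping in mind: the session is looked up with Get-PSSession before a new one is created, which answers the load concern for 40 servers, since all resources in one consistency check share a single Exchange session; and the account handed in through Credential should hold only the Exchange role needed for the settings the resource manages, so a compromised node or MOF yields a narrowly delegated account rather than an organization administrator.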