ZCS Administrator's Guide, Network Edition 5.0 (Rev 5.0.19 September 2009)


Managing User Accounts

You create accounts and configure features and access privileges from either the administration console or using CLI commands. The following are some of the account tasks you perform from the administration console:
See the Zimbra administration console Help for information about how to perform these tasks from the administration console.
The following CLI commands are also available to help facilitate account management.
The CLI zmprov command can be used to manage accounts, aliases, distribution lists, and Calendar resources. Most of the zmprov functions are available from the administration console.
The CLI zmmailbox command can be used for mailbox management. This command can help you provision new mailboxes, debug issues with a mailbox, and help with migrations. You can invoke zmmailbox from within zmprov.
The CLI zmaccts command runs a report that lists all the accounts, their status, when they were created and the last time anyone logged on. The domain summary shows the total number of accounts and their status.
The CLI zmmailboxmove command is used to move a mailbox.
The CLI zmmboxsearch is used to search across mailboxes to find messages and attachments that match specific criteria and then save copies of these messages to a directory.
See “Zimbra CLI Commands” for information about how to use these commands.
Setting up and Configuring Accounts
You can configure one account at a time with the New Account Wizard or you can create many accounts at once using the Bulk Provisioning Wizard.
Configuring One Account
The administration console New Account Wizard steps you through the account information to be completed. Before you add user accounts, you should determine what features and access privileges should be assigned. You can configure the following type of information:
Features and preferences available for this specific account. Changes made at the account level override the rules in the COS assigned to the account.
For a description of the features see Customizing Accounts, Setting General Preferences and Password Rules.
If the COS you assign is configured with the correct functionality for the account, you do not need to configure features, preferences, themes, zimlets, or advanced settings.
Creating an account sets up the appropriate entries on the Zimbra LDAP directory server. When the end-user logs in for the first time or when an email is delivered to the user’s account, the mailbox is created on the mailbox server.
Configuring Many Accounts at Once
You can provision up to 500 accounts at once using the Bulk Account Wizard from the administration console. The wizard takes you through the steps to upload a .csv file with the account information and then provisions the user accounts. These accounts are configured with a user name, display name and password (optional). The accounts are automatically assigned the domain default COS.
You create a .csv file with the account information. Each row in the file is an account entry. The account information is configured as
 
The account name cannot have spaces or use symbols. You can type a period (.) between words. For example: john.smith@example.com.
The password is optional. If you do not provide a password, a random password is generated for the account. When users log in the first time, they are prompted to change the password.
If you do not add the password to the .csv file, the comma after the display name field must be included. For example, user1@example.com,Jane Brown,
Batch Provisioning from the CLI Utility
For provisioning many accounts at once, you create a formatted text file with the user names. This file runs through a script, using the CLI command, zmprov. The zmprov utility provisions one account at a time.
Create a text file with the list of the accounts you want to add. Each account should be typed in the format of ca (Create Account), email address, empty password. For example, ca name@company.com ''
Note: In this example, the empty single quote indicates that there is no local password.
When the text file includes all the names to provision, log on to the Zimbra server and type the CLI command:
zmprov < accounts.txt
Each of the names listed in the text file will be provisioned.
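The following added example (not part of the guide) builds that text file from a .csv in the Bulk Account Wizard layout and enforces the account-name rule stated above, so a malformed row never reaches zmprov. The function names, the domain pattern, passing the display name as the displayName attribute, and rejecting fields that contain quotes, backslashes or tabs are assumptions of this example.

```shell
#!/bin/sh
# Added example: convert a CSV in the Bulk Account Wizard layout
# (account,display name,password) into zmprov "ca" batch lines.
# Rejected rows go to stderr and are never written to the batch.

csv_to_zmprov() {
    awk -F',' -v q="'" '
    # Guide rule: no spaces or symbols in the account name; a period may
    # separate words. The domain pattern is an assumption of this example.
    function valid_account(a) {
        return a ~ /^[A-Za-z0-9]+(\.[A-Za-z0-9]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/
    }
    # Quotes, backslashes and tabs could change how zmprov splits the line.
    function unsafe(s) {
        return index(s, q) || index(s, "\"") || index(s, "\\") || index(s, "\t")
    }
    function reject(why) {
        printf "line %d rejected: %s\n", NR, why > "/dev/stderr"
        bad = 1
    }
    { sub(/\r$/, "") }                      # tolerate CRLF exports
    $0 == ""               { next }         # skip empty lines
    NF != 3                { reject("need 3 fields (keep the trailing comma)"); next }
    !valid_account($1)     { reject("account name has spaces or symbols"); next }
    seen[tolower($1)]++    { reject("duplicate account " $1); next }
    $2 == "" || unsafe($2) { reject("display name empty or has quote/backslash/tab"); next }
    unsafe($3) || $3 ~ / / { reject("password has quote, backslash or whitespace"); next }
    {
        # An empty password field becomes two single quotes, as in the guide.
        printf "ca %s %s%s%s displayName %s%s%s\n", $1, q, $3, q, q, $2, q
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample rows; only the two example.com addresses appear in the guide.
write_sample_csv() {
    cat > "$1" <<'EOF'
john.smith@example.com,John Smith,Ch4nge-me
user1@example.com,Jane Brown,
bad user@example.com,Bad User,
pat.oneil@example.com,Pat O'Neil,
user1@example.com,Jane Brown,
EOF
}

sample=$(mktemp)
write_sample_csv "$sample"
csv_to_zmprov "$sample" || echo "fix the rejected rows before running zmprov" >&2
rm -f "$sample"
```

Save the standard output as the text file described above; the function returns a non-zero status whenever at least one row was rejected.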
Manage Aliases
An email alias is an email address that redirects all mail to a specified mail account. An alias is not an email account. Each account can have unlimited numbers of aliases.
When you select Aliases from the Manage Addresses Overview pane, all aliases that are configured are displayed in the Content pane. From Aliases you can quickly view the account information for a specific alias, move the alias from one account to another, and delete the alias.
You can view and edit an account’s alias names from the account view.
Class of Service
Class of Service (COS) determines what default attributes an account has and which features are enabled or denied. The COS controls features, mailbox quotas, message lifetime, password restrictions, attachment blocking, and server pools for creation of new accounts.
A default COS is automatically created during the installation of Zimbra Collaboration Suite. A COS is global and does not need to be restricted to a particular domain or set of domains. You can modify the default COS to set the attributes to your email restrictions, and you can create multiple COSs.
Each account is assigned one COS. You can create a domain COS and have all accounts created on that domain automatically assigned this COS. You can create numerous COSs and specify which COS(s) are available for a domain. If the domain does not have a COS defined, the default COS is automatically assigned when an account is created.
Note: If you delete a COS that accounts are currently assigned, the accounts are automatically assigned the default COS.
Assigning a COS to an account quickly configures account features and restrictions. Some of the COS settings can be overridden either by global settings or by user settings. For example:
Whether outgoing messages are saved to Sent can be changed from the Zimbra Web Client in the user’s Preferences.
Note: Some COS settings assigned to an account are not enforced for IMAP clients.
Setting Default Time Zones
The default time zone setting that is displayed in the account’s Preferences tab is used to localize the time for received messages and calendar activities in the standard Web client. When using the standard Web client, the time zone on the computer is not used to set the time a message is received or for calendar activities; the time zone setting in the Preferences>General tab is used instead. When using the advanced Web client, the time zone setting on the computer is used as the time stamp for received messages and for calendar activities, not the time zone setting on the General tab.
Because the advanced Web client and the standard Web client do not use the same time zone source to render messages, you may notice that the same message has a different time when displayed in one or the other client. You can avoid this by having the computer time zone and the Web client time zone set to the same time.
Distributing Accounts Across Servers
In an environment with multiple mailbox servers, the class of service is used to assign a new account to a mailbox server. The COS Server Pool tab lists the mailbox servers in your Zimbra environment. When you configure the COS, you select which servers to add to the server pool. Within each pool of servers, a random algorithm assigns new mailboxes to any available server.
Note: You can assign an account to a particular mailbox server when you create an account in the New Account Wizard, Mail Server field. Uncheck auto and enter the mailbox server in the Mail Server field.
Changing Passwords
If you use internal authentication, you can quickly change an account's password from the Account’s toolbar. The user must be told the new password to log on.
If you want to make sure users change a password that you create, you can enable Must Change Password for the account. The user must change the password the next time he logs on.
Password restrictions can be set either at the COS level or at the account level. You can configure settings to require users to create strong passwords and change their passwords regularly, and you can set the parameters to lock out accounts when incorrect passwords are entered. See Setting Password Policy and Setting Failed Login Policy in the Managing End-User Mailbox Features chapter.
Directing Users to Your Change Password Page
If your ZWC authentication is configured as external auth, you can configure ZCS to direct users to your password change page when users change their passwords. You can either set this URL as a global setting or a per domain setting.
Set the zimbraChangePasswordURL attribute to the URL of your password change page. The Change Password link in the Preferences>General tab goes to this URL and when passwords expire, users are sent to this page.
This is changed from the zmprov CLI.
 
View an Account’s Mailbox
View Mail in Accounts lets you view the selected account’s mailbox content, including all folders, calendar entries, and tags. When you are in an account, you can mouse over or right click on a folder to see the number of messages in the folder and the size of the folder. This feature can be used to assist users who are having trouble with their mail account as you and the account user can be logged on to the account.
Any View Mail action to access an account is logged to the audit.log file.
Reindexing a Mailbox
Mail messages and attachments are automatically indexed before messages are deposited in a mailbox. Each mailbox has an index file associated with it. This index file is required to retrieve search results from the mailbox.
If a mailbox's index file becomes corrupt or is accidentally deleted, you can re-index the messages in the mailbox from the administration console.
Text searches on an account might or might not fail with errors when the index is corrupt. You cannot count on a user reporting a failed text search to identify that the index is corrupt. You must monitor the index log for messages about corrupt indexes. If the server detects a corrupt index, a message is logged to the Zimbra mailbox.log at the WARN logging level. The message starts with Possibly corrupt index. When this message is displayed, the administrator must correct the problem. In many cases correcting the problem may mean reindexing the mailbox.
Reindexing a mailbox's content can take some time, depending on the number of messages in the mailbox. Users can still access their mailbox while reindexing is running, but because searches cannot return results for messages that are not indexed, searches may not find all results.
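As an added example (not part of the guide), the check below counts Possibly corrupt index warnings per mailbox in a copy of mailbox.log, so the affected mailboxes can be found without waiting for a user to report a failed search. The log line layout, the sample lines and the function names are constructed for this example; only the WARN level and the message prefix come from the text above.

```shell
#!/bin/sh
# Added example: count "Possibly corrupt index" warnings per mailbox.
# Assumed line layout (constructed for this example, not taken from the guide):
#   <date> <time> <LEVEL> [thread] [name=<account>;mid=<id>;] <category> - <message>

corrupt_index_accounts() {
    awk '
    # The guide gives the level (WARN) and the start of the message text.
    $3 == "WARN" && index($0, " - Possibly corrupt index") {
        acct = "(no account in context)"
        if (match($0, /name=[^;]+;/))
            acct = substr($0, RSTART + 5, RLENGTH - 6)
        hits[acct]++
    }
    END { for (a in hits) printf "%d %s\n", hits[a], a }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log lines.
write_sample_log() {
    cat > "$1" <<'EOF'
2009-09-14 02:10:11,204 INFO  [btpool0-3] [name=jane.brown@example.com;mid=7;] mailbox - opened mailbox
2009-09-14 02:10:12,881 WARN  [btpool0-3] [name=jane.brown@example.com;mid=7;] index - Possibly corrupt index: read past EOF
2009-09-14 02:11:40,019 WARN  [btpool0-9] [name=john.smith@example.com;mid=12;] index - Possibly corrupt index: read past EOF
2009-09-14 02:15:02,377 WARN  [btpool0-3] [name=jane.brown@example.com;mid=7;] index - Possibly corrupt index: read past EOF
2009-09-14 02:16:00,100 WARN  [btpool0-4] [name=john.smith@example.com;mid=12;] mailbox - quota warning
EOF
}

log=$(mktemp)
write_sample_log "$log"
corrupt_index_accounts "$log"     # one "<count> <account>" line per mailbox
rm -f "$log"
```

Run the function against your own mailbox.log and adjust the field positions if your log layout differs from the assumed one.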
Changing an Account’s Status
Account status determines whether a user can log in and receive mail. The account status is displayed when account names are listed on the Accounts Content pane.
The following account statuses can be set:
Active. Active is the normal status for a mailbox account. Mail is delivered and users can log into the client interface.
Maintenance. When a mailbox status is set to maintenance, login is disabled, and mail addressed to the account is queued at the MTA. An account can be set to maintenance mode for backing up, importing or restoring the mailbox.
Locked. When a mailbox status is locked, the user cannot log in, but mail is still delivered to the account. The locked status can be set if you suspect that a mail account has been hacked or is being used in an unauthorized manner.
Closed. When a mailbox status is closed, the login is disabled, and messages are bounced. This status is used to soft-delete an account before deleting the account from the server. A closed account does not change the account license.
LockOut. This is set automatically when users who try to log in do not enter their correct password and are then locked out of their account. You set a specified number of consecutive failed login attempts that are allowed before they are locked out. How long the account is locked out is set by COS or Account configuration, but you can change the lockout status at any time.
Deleting an Account
You can delete accounts from the administration console. This removes the account from the server, deletes the message store, and changes the number of accounts used against your license.
Note: Before you delete an account, you can run a full backup of that account to save the account information. See the Backup and Restore chapter.
Moving a Mailbox
Mailboxes can be moved between Zimbra servers that share the same LDAP server. You can move a mailbox from one server to another, without taking down the servers, from either the administration console or with the CLI command zmmailboxmove.
The mailbox move process goes through the following steps:
Puts the mailbox into maintenance mode. In this mode, incoming and outgoing messages are queued but not delivered or sent, and the user will be temporarily unable to access the mailbox.
After the mailbox is moved to a new server, a copy still remains on the older server, but the status of the old mailbox is closed. Users cannot log on and mail is not delivered. You should check to see that all the mailbox contents were moved successfully before purging the old mailbox.
Moving a Mailbox using the CLI command
To move a mailbox to a new server using the CLI command, type
zmmailboxmove -a <email@address> -ow -s <servername> -t <movetoservername>
To purge the mailbox from the old server, type
zmmailboxmove -a <email@address> -po
The mailbox and its contents and references are deleted from the server.
Managing Distribution Lists
A distribution list is a group of email addresses contained in a list with a common email address. When users send to a distribution list, they are sending to everyone whose address is included in the list. The address line displays the distribution list address; the individual recipient addresses cannot be viewed. Only administrators can create, change, or delete distribution lists.
The maximum number of members in a distribution list is 1000 recipients. The 1000 recipients include addresses in distribution lists that are nested within a distribution list. Senders do not receive an error when they send a message to a distribution list with more than 1000 members, but the message is not sent to more than 1000 recipients.
When a Zimbra user’s email address is added to a distribution list, the user’s account Member Of tab is updated with the list name. When a distribution list is deleted or removed, the distribution list is automatically removed from the Member Of tab.
The Hide in GAL check box can be enabled to create distribution lists that do not display in the Global Address List (GAL). You can use this feature to limit the exposure of the distribution list to only those who know the address.
Using Distribution Lists for Group Sharing
Distribution lists can be created as group lists so that users can quickly share their contact lists, calendars, and Zimbra documents with everyone on the list. Everyone has the same share privileges that the user defines. When new members are added to the group distribution list, they are automatically granted the same shared privileges as other members of the group. When members are removed from the group distribution list, their share privileges are revoked.
If you create a distribution list for sharing and do not want the distribution list to receive mail, you can disable the Can receive mail checkbox.
Create Distribution List Aliases
A distribution list can have an alias. This is set up from the administration console, Distribution List Alias tab.
Managing Resources
A resource is a location or piece of equipment that can be scheduled for a meeting. The resource has its own mailbox address and can accept or reject invitations automatically. Administrators do not need to monitor these mailboxes on a regular basis. The contents of the resource mailboxes are purged according to the mail purge policies.
User accounts with the Calendar feature can select resources for their meetings.
You create resources and manage their use from the administration console. A Resource Wizard guides you through the resource configuration, including designating the type of resource, the scheduling policy, the location, and a description. When you create a resource account, a directory account is created in the LDAP server.
To schedule a resource or location, users invite the equipment and/or location to a meeting. When they select the resource, they can view the notes about the resource and view free/busy status for the resource, if set up. When the meeting invite is sent, an email is sent to the resource account, and, if the resource is free, the meeting is automatically entered in the resource’s calendar and the meeting is shown as Busy.
Searching for Addresses
The Search bar offers three search options:
The Search field can be used to quickly find specific accounts, aliases, distribution lists, resources and domains.
Help Search is a powerful unified search to find answers to common questions. When you click Help Search, the Zimbra wiki, forums, and documents are searched. The results are displayed in a new window with links to the information.
The Advanced search feature lets you create a complex query to search for addresses by domain or server. Individual mini-search panes let you select the criteria for the search. The Advanced Attributes pane can be configured to search for the last login time in a date range or for accounts that have never logged in.
If you do not know the complete name, you can enter a partial name. Partial names can result in a list that has the partial name string anywhere in the information. You can also use the Zimbra mailbox ID number to search for an account. To return a search from a mailbox ID, the complete ID string must be entered in the search.
The results of a search display in the Content pane and the total number of items found are displayed on the right side of the toolbar.
In the Navigation pane, the Searches section includes predefined search queries. Click on the search and the results are immediately displayed in the Content pane. You can search for inactive accounts, locked out accounts, and accounts by status.
When you create a query in either Search or Advanced Search, you can save the search. Click the small disk icon after Help Search. You give the search a name and it is saved to the Searches section in the Navigation pane.

Copyright © 2009 Zimbra Inc.