Powershell Scripts to Export and Import Legacy Exchange X500 addresses

When migrating across AD forests or even performing an offline exchange migration the most over looked process is migrating the user’s legacy X500 address. The reason this is so important is because local email is delivered using the x500 address rather than the SMTP address normally associated with internet email. When you move the user from one unrelated exchange to another the X500 address is not migrated. This means that when users attempt to send an email to a previous contact in their name cache they will receive a bounce back and failed delivery. In order to prevent this situation occurring you can use Powershell to export the legacy X500 address to CSV and then import this into the new AD user object. If you do not have access to Powershell in the legacy domain you can use CSVDE to achieve the same objective.

Export the Legacy X500 Address


Get-ADUser -SearchBase “OU=legacyusers,DC=domain,DC=local” -Filter * -Properties SamAccountName,legacyExchangeDN | Select-Object SamAccountName,legacyExchangeDN | Export-CSV C:\UserExport.csv -NoTypeInformation


CSVDE -s <domain controller FQDN> -d “OU=legacyusers,DC=domain,DC=local” -p SubTree -l SamAccountName,legacyExchangeDN -r objectClass=user -f C:\UserExport.csv

Importing the Legacy Exchange X500 Address to New Domain

On a domain controller or a machine with Active Directory Powershell module installed, copy the UserExport.csv to the root of the C:\ drive

Create a Powershell Script file called legacyusers.ps1. In this file type the following code

Import-Module ActiveDirectory

$Input = Import-CSV C:\UserExport.csv

ForEach ($ADUser in $Input){

if ($ADUser.legacyExchangeDN){

Set-ADUser -Identity $ADUser.SamAccountName -add @{proxyAddresses=”X500:$($ADUser.legacyExchangeDN)”}



Save the file and execute on the domain controller. You can check this has worked by opening an affected AD user object in the new domain and viewing the Attribute proxyAddresses to ensure that this has been added successfully.

7 thoughts on “Powershell Scripts to Export and Import Legacy Exchange X500 addresses

  1. Hi Mark,
    this is very usfull post for me. But i have little problem. When i execute import procedure nothing happens.there is no error, but no entry eather. I use win2012, excecution policy set to unrestricted.
    Did i miss something?


    1. Hi Mario

      On the 2012 box does this have the active directory power shell module installed on it? Also on the CSV export can you confirm if it has values in the legacyExchangeDN and samAccountName columns for users?




      1. Hi,
        well, i just saw that scripts work. i was checking legacyexchangedn attribute, but script populate proxy address. did you have a real case scenario? I’ a am moving mailboxes, without forest trust, to another exchnage organization, and want to preserve legacyDN. When i create mailbox in new organization, new legacyexchnagedn is created, and not rewrited by script. scripts add old legacydn as x500 proxy addres. is this ok, will users have problems with bounced emails?


      2. Hi Mario. The script takes the legacyExchangeDN attribute from the old domain and then converts it into an X500 address. This then gets added to the proxyAddressess attribute in the new domain. My real world example was a similar set up to you where the new domain had a new exchange system that had new user email accounts created to mimic the legacy ones. The script gives the users the ability to use the nickname from their outlook to send internal email. Exchange uses X500 addresses to route internal mail rather than smtp addresses. So even though the smtp address is the same email will fail internally unless the X500 address is the same as the legacy. For obvious reasons we do not want to modify the new domain X500 address. HTH


    1. Hi
      Its not designed to be run on 365. What you could do is run it on your local AD and then use AADConnect to synchronise your users up to 365. The properties should then follow. Whether it would have the desired effect, I don’t know, but 365 AD is an AD service so in theory it should listen to the X500 addresses, It reads proxyAddresses attribute that’s a certainty.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s