This paper pulls together information about the different types of Nexus Active Directory (AD) accounts available. ITSS may see some of the properties in Nexus mailboxes. has been enhanced to reflect this richness.

1. Account properties and general comments

All accounts have properties which are viewable in ITSS facilities. Some of what you see will differ depending on the account type.

  • Official sender email address
  • Expiry date
  • Last login
  • Spam filtering
  • Display name
  • Advertised in GAL (Global Address List)
  • Quota
  • Forwarding (if set on server)
  • Delegation (if set on server)

Additional features are viewable to the owner from such as folder size, last time devices were 'active synced' to the mailbox. All mailbox accounts on Nexus are associated with one email address and that address must be unique. If that address is not normally routed by the Oxmails to that account, an automatic forward will be set up after each mailer table update, to route mail to where the Oxmails would send it. It has the form . This is usually seen for those departments for whom IT Services do not route mail eg Physics, Computer Science, Maths, Earth Sciences. See

2. Account types

2.1. Personal Mailbox associated with the Oxford SSO

  • All 'members' eg staff and students will have one primary account with a mailbox.
  • The personal primary account will always have a password. The account is used to identify a person for adding delegation to other accounts. The password must never be revealed to anyone else.
  • Listed as 'oxford' and 'nexus' in the ITSS information 'usernames'
  • Access can be 'Delegated' to others, either personally for 'Sent on behalf of' or by giving access to individual folders. Alternatively, 'Send As' and access to the whole directory tree can be set at the personal request of the owner. This is typically used for a secretary accessing the employer's mailbox.
  • Status 'UserMailbox' (for AD aficionados)
  • The expectation is that it will be 'Advertised in the GAL' so that Oxford colleagues can find you and that Outlook MAPI auto discover will work. Contact> if this is a problem.

2.2. Secondary account mailbox with SSO

  • Any member can have an additional or secondary account, although, as they are usually associated with a unit generic address, eg, they are usually requested by ITSS.
  • For a secondary or project account where a password is needed
  • A password is needed when a mailbox is to be used with IMAP or Blackberry access
  • A password is needed when non-Nexus facilities are needed as well eg mail list ownership, linux, web space
  • Listed as 'nexus' but not 'oxford' in 'usernames'
  • Cannot be used to give centrally assigned delegate access to another account ie anyone acting as a delegate must use their personal account to access the secondary account not another secondary account eg if a secondary account 'ballenq' is set up, delegate access must be via a personal account eg fluf1234 not another secondary account.
  • Can be used either with the password or via Delegation.
  • May or may not be advertised in the GAL.
  • A separate Out-of-Office (OOF) can be set via OWA by anyone with 'Full Access'. OOF cannot be set via Outlook, though it can be by creating a new profile, eg Outlook 2010
  • Additional users must be registered with Registration ie the password must not be given to anyone who is not known to Registration.

2.3. Secondary account mailbox without SSO ('mailbox only' account)

  • Any member can have an additional or secondary account, although, as they are usually associated with a unit generic address, eg, they are usually requested by ITSS.
  • A mailbox where no password is needed.
  • Only useful for Outlook/OWA and SharePoint users (ie not IMAP, Blackberry)
  • Access is controlled by 'Delegation' set up via
  • The user logs in with their personal credentials; the 'delegate' permission allows them to access the account.
  • Typically used for accounts which have several people responsible for running a service eg
  • Typically associated with a unit generic address, although it can be used where a member has two different affiliations/roles and needs to keep correspondence separate.
  • Typical permissions are 'Full access', which allows access to all directories, and 'Send As', which allows sending as enquires@
  • This is ideal for an additional or shared account, as an additional password does not have to be managed.
  • May or may not be advertised in the GAL
  • A separate OOF/Vacation can be set via OWA by anyone with 'Full Access'. OOF cannot be set via Outlook, though it can be by creating a new profile, see Outlook 2010

2.4. Resource account

  • Any member can have a resource account, although, as they are usually associated with a unit generic address, eg, they are usually requested by ITSS
  • For a room, projector, parking space, group calendar etc. It appears with the 'Room' or 'Equipment' icon in Outlook only. It will appear in 'All rooms' or 'All equipment' in the GAL.
  • A specialized mailbox-only secondary account
  • Account properties show AccountLocked : True
  • Has an email address associated with it eg
  • The account has an 'owner', in this case called the 'Resource Manager'
  • Status is 'RoomMailbox' or 'EquipmentMailbox' (for AD aficionados)
  • 'Resource delegates' - people who can approve bookings, for example, can be added by <>
  • Restrictions on who can book a resource can be set by the Resource Manager. But if, say, all the members of a dept need to be added, the Nexus team can help, requested via

2.5. 'Active Directory only' account (No mailbox)

  • Non-University members with 'cardholder' and 'virtual' status still have a record in AD but have no mailbox. (Status 'MailUser', for those who like the technical stuff.)
  • The account is set to be invisible in GAL
  • Can access SharePoint
  • Can have an external address associated with the account so they can participate in SharePoint activities.
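
The rules in 2.1 to 2.5 can be checked mechanically. The following is an added example, not part of the original paper or any ITSS tool: it audits a constructed set of account records for delegates that are not personal accounts (2.2), resource accounts that are not locked (2.4) and AD-only accounts visible in the GAL (2.5). The record layout, field names and all usernames other than 'fluf1234' and 'ballenq' are assumptions.

```python
# Added example: constructed records; the field names and layout are assumptions,
# not a real Nexus/ITSS export. 'fluf1234' and 'ballenq' are the page's own examples.
RESOURCE = {"RoomMailbox", "EquipmentMailbox"}

ACCOUNTS = {
    "fluf1234": {"usernames": {"oxford", "nexus"}, "status": "UserMailbox",
                 "locked": False, "in_gal": True, "delegates": []},
    "ballenq": {"usernames": {"nexus"}, "status": "UserMailbox",
                "locked": False, "in_gal": True, "delegates": ["fluf1234"]},
    "projx": {"usernames": {"nexus"}, "status": "UserMailbox",
              "locked": False, "in_gal": False, "delegates": ["ballenq"]},
    "room-101": {"usernames": set(), "status": "RoomMailbox",
                 "locked": False, "in_gal": True, "delegates": ["fluf1234"]},
    "visitor9": {"usernames": set(), "status": "MailUser",
                 "locked": False, "in_gal": True, "delegates": []},
}

def is_personal(acct):
    """Personal account (2.1): listed as 'oxford' and 'nexus', status UserMailbox."""
    return {"oxford", "nexus"} <= acct["usernames"] and acct["status"] == "UserMailbox"

def audit(accounts):
    """Return sorted (account, rule) pairs for every rule an account breaks."""
    findings = []
    for name, acct in accounts.items():
        for delegate in acct["delegates"]:
            target = accounts.get(delegate)
            if target is None:
                # Delegate is not in the export at all; report rather than crash.
                findings.append((name, "unknown-delegate"))
            elif not is_personal(target):
                findings.append((name, "delegate-not-personal"))  # 2.2
        if acct["status"] in RESOURCE and not acct["locked"]:
            findings.append((name, "resource-not-locked"))  # 2.4
        if acct["status"] == "MailUser" and acct["in_gal"]:
            findings.append((name, "ad-only-visible-in-gal"))  # 2.5
    return sorted(findings)

if __name__ == "__main__":
    for account, rule in audit(ACCOUNTS):
        print(f"{account}: {rule}")
```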

2.6. Non Nexus SSO account (planned)

We are hoping to provide secondary accounts similar to the AD account above. They will have the following characteristics:

  • AD record with status 'User'
  • It has no email address associated with it
  • It has an entry in AD only to keep AD in sync with Kerberos
  • For web or linux only accounts

2.7. Management of Inactive mailboxes with or without mail

Candidates for management

  • Accounts that have hit max quota with no activity for 2 months
  • Retired staff who have never used Nexus
  • Historical: project accounts that only wanted web, but a full mailbox was set up although they did not need it, as we didn't have the tools at the time.
  • In addition, the account owner has a Status that qualifies them for a Nexus account.

Actions to be taken

  • Mailbox will be detached
  • If the person returns within 2 months, it will be restored
  • AD record set to 'User'
  • (SSO will be kept as it may be being used elsewhere)