Author Archive

Adding ActiveSync Management Rights to the Recipient Administrators Group

December 9, 2013 Leave a comment

If you are using my ActiveSync Power Administrator, or just using the ECP to manage ActiveSync devices, you may have found it difficult to give your helpdesk staff exactly the rights these tools need. Logically, you would expect the Recipient Management role group to have them. In reality, Organization Management is the only default role group that holds both of the management roles involved: Organization Client Access and Mail Recipients. You certainly don’t want helpdesk staff in Organization Management. You could create a custom role group, but assigning it the full Organization Client Access and Mail Recipients roles would still grant far more than the handful of cmdlets actually required.

The solution to this problem is to not only create a custom role group, but also to create custom management roles, which only contain the required powershell commands. To allow someone who is already in the Recipient Administrators group to use the ActiveSync Power Administrator, they need permission to run the following commands:

Get-CASMailbox

Set-CasMailbox

Clear-ActiveSyncDevice

Get-ActiveSyncDeviceStatistics

Remove-ActiveSyncDevice

The first thing we need to do is create our custom management roles, which are based on the two default roles that have the required commands. To do that, run the following commands:

New-ManagementRole "ActiveSync Admin 1" -Parent "Mail Recipients"

New-ManagementRole "ActiveSync Admin 2" -Parent "Organization Client Access"

The next step is to remove all the commands we don’t need. To do that, run the following commands:

Get-ManagementRole "ActiveSync Admin 1" | Get-ManagementRoleEntry | where { $_.name -ne "Clear-ActiveSyncDevice" -and $_.name -ne "Get-ActiveSyncDeviceStatistics" -and $_.name -ne "Remove-ActiveSyncDevice" } | Remove-ManagementRoleEntry

Get-ManagementRole "ActiveSync Admin 2" | Get-ManagementRoleEntry | where { $_.name -ne "Get-CASMailbox" -and $_.name -ne "Set-CASMailbox" } | Remove-ManagementRoleEntry

Now we need to create the new role group:

New-RoleGroup -Name "ActiveSync Management" -Roles "ActiveSync Admin 1","ActiveSync Admin 2"

Finally, we add the Exchange Recipient Administrators group to the new role group:

Add-RoleGroupMember -Identity "ActiveSync Management" -Member "Exchange Recipient Administrators"

Your recipient administrators should now be able to manage ActiveSync devices with the least amount of permissions.
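The same build as an added example, not code from the post: the two trimmed roles are driven from one allow-list so a typo in a cmdlet name cannot silently leave an extra entry behind, and the script finishes with a read-back check that the role group exposes exactly the five cmdlets and nothing else. Role and group names match the post; the Test-RoleGroupEntries helper, the -Confirm:$false on the removal, and the use of Get-ManagementRoleAssignment for the check are my additions.

```powershell
# Added example (not from the original post). Run in the Exchange 2010 Management Shell.
$allowed = @{
    'ActiveSync Admin 1' = @{
        Parent  = 'Mail Recipients'
        Entries = @('Clear-ActiveSyncDevice', 'Get-ActiveSyncDeviceStatistics', 'Remove-ActiveSyncDevice')
    }
    'ActiveSync Admin 2' = @{
        Parent  = 'Organization Client Access'
        Entries = @('Get-CASMailbox', 'Set-CASMailbox')
    }
}

foreach ($roleName in $allowed.Keys) {
    $spec = $allowed[$roleName]
    if (-not (Get-ManagementRole -Identity $roleName -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $roleName -Parent $spec.Parent | Out-Null
    }
    # Only ever trim a custom child role: a child can lose entries but never gain ones its
    # parent lacks, and built-in roles cannot be edited with Remove-ManagementRoleEntry anyway.
    Get-ManagementRoleEntry "$roleName\*" |
        Where-Object { $spec.Entries -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false
}

if (-not (Get-RoleGroup -Identity 'ActiveSync Management' -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name 'ActiveSync Management' `
        -Roles ([string[]]$allowed.Keys) `
        -Members 'Exchange Recipient Administrators' | Out-Null
}

function Test-RoleGroupEntries {
    # Collect every cmdlet the group's roles expose and compare with the allow-list.
    param([string]$RoleGroup, [string[]]$Expected)
    $actual = @(Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
        ForEach-Object { Get-ManagementRoleEntry ("{0}\*" -f $_.Role.Name) } |
        ForEach-Object { $_.Name } | Sort-Object -Unique)
    $extra   = @($actual   | Where-Object { $Expected -notcontains $_ })
    $missing = @($Expected | Where-Object { $actual   -notcontains $_ })
    if ($extra.Count)   { Write-Warning ('Entries beyond the allow-list: ' + ($extra -join ', ')) }
    if ($missing.Count) { Write-Warning ('Entries missing from the group: ' + ($missing -join ', ')) }
    return ($extra.Count -eq 0 -and $missing.Count -eq 0)
}

$expected = @($allowed.Values | ForEach-Object { $_.Entries })
Test-RoleGroupEntries -RoleGroup 'ActiveSync Management' -Expected $expected
```

A "missing" warning from the check means the cmdlet was not in the parent role to begin with (a child role cannot add entries), so the parent choice, not the filter, is what needs revisiting.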

Mailbox Moves to Exchange 2010 Fail at 95%

I recently performed a migration from Exchange 2007 to 2010 in which I was having an issue with some of the mailbox moves. The moves would get to 95% completion and then fail with the following error:

7/24/2013 12:27:34 AM [SERVER] Fatal error MapiExceptionRpcBufferTooSmall has occurred.
Error details: MapiExceptionRpcBufferTooSmall: Unable to Read from stream. (hr=0x80004005, ec=1149)
Diagnostic context:
Lid: 45095 EMSMDB.EcDoRpcExt2 called [length=64]
Lid: 61479 EMSMDB.EcDoRpcExt2 returned [ec=0x0][length=64][latency=46]
Lid: 23226 — ROP Parse Start —
Lid: 27962 ROP: ropOpenStream [43]
Lid: 27962 ROP: ropBufferTooSmall [255]
Lid: 45533
Lid: 45597 StoreEc: 0x47D
Lid: 22785
Lid: 21817 ROP Failure: 0x47D
Lid: 25438
Lid: 21342 StoreEc: 0x47D
at Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, SafeExInterfaceHandle iUnknown, Exception innerException)
at Microsoft.Mapi.MapiStream.Read(Byte[] buffer, Int32 offset, Int32 count)
at Microsoft.Mapi.Rule.GetPropertyAsStream(MapiMessage msg, PropTag tag)
at Microsoft.Mapi.Rule.ExtractBinaryPropertyValue(MapiMessage msg, PropValue propValue, PropTag propTag)
at Microsoft.Mapi.Rule..ctor(PropValue[] cols, PropTag[] extraProps, MapiFolder mapiFolder, Boolean classic)
at Microsoft.Mapi.MapiFolder.GetRules(PropTag[] extraProps)
at Microsoft.Exchange.MailboxReplicationService.LocalFolder.Microsoft.Exchange.MailboxReplicationService.IFolder.GetRules(PropTag[] extraProps)
at Microsoft.Exchange.MailboxReplicationService.FolderWrapper.c__DisplayClass1c.b__1b()
at Microsoft.Exchange.MailboxReplicationService.ExecutionContext.Execute(GenericCallDelegate operation)
at Microsoft.Exchange.MailboxReplicationService.FolderWrapper.Microsoft.Exchange.MailboxReplicationService.IFolder.GetRules(PropTag[] extraProps)
at Microsoft.Exchange.MailboxReplicationService.FolderRecWrapper.ReadRules(IFolder folder, PropTag[] extraPtags)
at Microsoft.Exchange.MailboxReplicationService.FolderRecWrapper.EnsureDataLoaded(IFolder folder, FolderRecDataFlags dataToLoad, ReportBadItemsDelegate reportBadItemsDelegate)
at Microsoft.Exchange.MailboxReplicationService.MailboxWrapper.c__DisplayClass4`1.b__0()
at Microsoft.Exchange.MailboxReplicationService.ExecutionContext.Execute(GenericCallDelegate operation)
at Microsoft.Exchange.MailboxReplicationService.MailboxWrapper.LoadFolders[TFolderRec](FolderRecDataFlags dataToLoad, PropTag[] additionalPtags, GenericCallDelegate abortDelegate, ReportBadItemsDelegate reportBadItemsDelegate)
at Microsoft.Exchange.MailboxReplicationService.MailboxWrapper.GetFolderMap[TFolderRec](FolderRecDataFlags dataToLoad, PropTag[] additionalPtags, GenericCallDelegate abortDelegate, ReportBadItemsDelegate reportBadItemsDelegate)
at Microsoft.Exchange.MailboxReplicationService.MailboxCopierBase.GetSourceFolderMap(GetFolderMapFlags flags, FolderRecDataFlags dataToLoad, GenericCallDelegate abortDelegate)
at Microsoft.Exchange.MailboxReplicationService.MailboxMover.FinalSyncCopyAllFolders()
at Microsoft.Exchange.MailboxReplicationService.MoveBaseJob.b__4d(MailboxMover mbxCtx)
at Microsoft.Exchange.MailboxReplicationService.MoveBaseJob.ForeachMailboxContext(MailboxMoverDelegate del)
at Microsoft.Exchange.MailboxReplicationService.MoveBaseJob.FinalSync(Object[] wiParams)
at Microsoft.Exchange.MailboxReplicationService.CommonUtils.CatchKnownExceptions(GenericCallDelegate del, FailureDelegate failureDelegate)
Error context: ——–
Operation: IFolder.GetRules
OperationSide: Source
Primary (a95e73e7-58c0-434f-83c5-25c35191db52)
PropTags: [ReportTime; 1627389955; 1627455491]

This Microsoft KB article was the closest I could find to describing my issue. I was moving mailboxes between local installs of Exchange in the same organization, not from Office 365, so it isn’t exactly my situation but it got me looking at the Junk Folder rules. I used the instructions here to use MFCMAPI to delete the Junk Folder rules. After doing this, the mailbox moved without error.

Apparently, a large number of Junk Folder rules makes the rules data for that folder bigger than the MAPI RPC buffer, which is what the MapiExceptionRpcBufferTooSmall error above is reporting (a size limit being hit, not a memory-corruption overflow). Though I didn’t try it, you should be able to modify the settings described in the KB article to increase the buffer size and resolve the issue globally. This would be the way to go if you have a lot of mailboxes throwing this error. I generally prefer not to modify default configuration values, especially when there is no explanation of why the defaults were chosen. In my case, the number of mailboxes affected was small enough that I just deleted the Junk Folder rules on each one.
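To find every mailbox in the same state before opening MFCMAPI, and to resume only those moves afterwards, here is an added example (not from the post) that filters failed move requests on this exact failure signature. It assumes the Exchange 2010 Management Shell; the CSV path is illustrative, and the FailureType comparison plus the Message fallback are my choice of match.

```powershell
# Added example (not from the original post).
function Get-BufferTooSmallMoves {
    Get-MoveRequest -MoveStatus Failed -ResultSize Unlimited |
        Get-MoveRequestStatistics |
        Where-Object {
            # FailureType carries the exception class name; Message is the free-text fallback.
            $_.FailureType -eq 'MapiExceptionRpcBufferTooSmall' -or
            $_.Message -like '*MapiExceptionRpcBufferTooSmall*'
        } |
        Select-Object DisplayName, Alias, SourceDatabase, TargetDatabase,
                      PercentComplete, FailureTimestamp, FailureType
}

# Step 1: the list of mailboxes whose Junk Folder rules need cleaning with MFCMAPI.
$stuck = @(Get-BufferTooSmallMoves)
$stuck | Export-Csv -Path 'C:\temp\BufferTooSmallMoves.csv' -NoTypeInformation
$stuck | Format-Table DisplayName, PercentComplete, FailureTimestamp -AutoSize

# Step 2, after the rules are deleted: resume just these requests rather than every
# failed move in the organization, which may have failed for unrelated reasons.
function Resume-BufferTooSmallMoves {
    foreach ($m in @(Get-BufferTooSmallMoves)) {
        Resume-MoveRequest -Identity $m.Alias
    }
}
```

Because the error is raised during the final sync (FinalSyncCopyAllFolders in the trace), the resumed request picks up at the same 95% point instead of recopying the mailbox.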

Categories: Mailbox Moves

ActiveSync Power Administrator 2.0 (Exchange 2010 Support)

May 30, 2013 3 comments

Version 2.0 of the ActiveSync Power Administrator is now available.

Bug Fixes:

  • No bug fixes in this release

New Functionality:

  • Now works with both Exchange 2007 and 2010

Please see this post for details on the ActiveSync Power Administrator.

You can download the latest version here (change extension to .ps1).

Version 2.1 of WizBang Exchange Message Tracker

October 18, 2012 24 comments

Version 2.1 of WizBang Exchange Message Tracker is now available.

Bug Fixes:

  • Fixed bug where hours on graph were sometimes wrong
  • Fixed bug where messages with multiple recipients were counted in sent totals for each recipient. Each unique sent message is now counted a maximum of once in internal sent total and once in external sent total.
  • Added code to check for null values in $unkey, $sndarray, and $recparray before attempting to add to collection

New Functionality:

  • Added export to html button on dashboard

Please see this post for details on the WizBang Exchange Message Tracker.

You can download the latest version here (change extension to .ps1).

Properly Terminating User Access

October 6, 2012 8 comments

Security is a big part of any IT professional’s job. Employee turnover is inevitable in any organization, and when employee and organization part ways it is not always amicable. For this reason, it is important that a terminated employee immediately loses access to all company systems. Ask most IT professionals what they do when HR notifies them that an employee has been terminated and you will get answers like:

  • Change user’s passwords
  • Disable user’s accounts
  • Issue wipe command to mobile devices

Those are certainly good security practices, but imagine performing those steps and then getting an angry call from the VP of Sales: the Account Manager who just left the company for a position with the competition is sending emails to clients, from their company email account, informing the clients that he now works for company X, which has a superior product.

Your immediate reaction is that this isn’t possible, since you disabled the accounts and changed the passwords. You check Exchange message tracking and verify the emails are indeed coming from the terminated account. What you didn’t account for is that disabling an account or changing its password only prevents a new authentication; it does nothing to a session that has already authenticated. The terminated employee could still be logged on to the mailbox from a mobile device that hasn’t been wiped, an OWA session, or an Outlook Anywhere session on a personal computer. Those sessions remain valid until they time out, which could be hours or days.

You could perform an IIS reset on your Exchange CAS server, which drops the connections, but that is disruptive to everyone else, whose sessions are reset along with it. A better way to ensure the terminated employee’s sessions are disconnected is to set the logon hours on the AD account to never. As soon as the current time falls outside the allowed logon hours on an AD account, any active sessions are immediately terminated.

To set the logon hours to never, open the user account in ADUC and go to the Account tab, then click the Logon Hours button.

Image

In the Logon Hours window, click the Logon Denied button.

Image

Ensure the whole grid is white, then click OK. Once this change replicates throughout your directory, any active sessions this user has will be terminated.

If you would prefer to set the logon hours to never with powershell, you can run the following command, which requires the Quest AD cmdlets (logonHours is a 21-byte bitmap with one bit per hour of the week, so 21 zero bytes denies every hour):

Get-QADUser user | Set-QADUser -ObjectAttributes @{logonhours=[byte[]](,0*21)}

Credit for this command goes to this discussion on the PowerGUI forum.

If you set the logon hours to never as part of your termination process, you will ensure you never get into a situation where a terminated employee continues to have access to resources.
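The whole termination sequence as one function, added here as an example rather than taken from the post: it writes the deny-all logonHours bitmap, resets the password to a random value, disables the account, wipes every device partnership, and then reads logonHours back before declaring the account closed. It uses the Microsoft ActiveDirectory module (Get-ADUser, Set-ADUser, Set-ADAccountPassword, Disable-ADAccount) in place of the Quest cmdlets, and assumes the Exchange 2010 Management Shell on a machine with RSAT, that the mailbox can be resolved from the SamAccountName, and an illustrative account name.

```powershell
# Added example (not from the original post).
Import-Module ActiveDirectory

function New-RandomPassword {
    # Printable-ASCII password from the OS CSPRNG. Rejection sampling keeps the
    # byte-to-character mapping unbiased, since 256 is not a multiple of 94.
    param([int]$Length = 24)
    $chars = [char[]](33..126)
    $limit = 256 - (256 % $chars.Length)
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

function Test-LogonHoursDenied {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $bits = (Get-ADUser -Identity $SamAccountName -Properties logonHours).logonHours
    # A missing attribute means "no restriction", i.e. every hour is allowed.
    if ($null -eq $bits) { return $false }
    # 21 bytes = 168 bits = 7 days x 24 hours; any set bit is a window the user can still use.
    return (@($bits | Where-Object { $_ -ne 0 }).Count -eq 0)
}

function Disable-TerminatedUser {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    # 1. Deny all logon hours first: this is the step that ends live sessions, so it
    #    should not wait behind the others.
    $denyAll = New-Object byte[] 21
    Set-ADUser -Identity $SamAccountName -Replace @{ logonHours = $denyAll }

    # 2. Invalidate the credential and disable the account, which blocks new sessions.
    $newPw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPw
    Disable-ADAccount -Identity $SamAccountName

    # 3. Wipe every device partnership. The wipe is only applied when the device next
    #    syncs, which is why this step alone does not close the window.
    #    Assumption: the mailbox resolves from the SamAccountName (alias matches).
    $mbx = Get-Mailbox -Identity $SamAccountName -ErrorAction SilentlyContinue
    if ($mbx) {
        Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity |
            ForEach-Object { Clear-ActiveSyncDevice -Identity $_.Identity -Confirm:$false }
    }

    # 4. Read back before closing the ticket; replication to other DCs still takes time.
    if (-not (Test-LogonHoursDenied -SamAccountName $SamAccountName)) {
        throw "logonHours on $SamAccountName is not deny-all; check the change and replication."
    }
}

Disable-TerminatedUser -SamAccountName 'jdoe'
```

The read-back only proves the attribute landed on the domain controller you are talking to; the sessions end once the change has replicated to the DCs the CAS servers authenticate against.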

ActiveSync Power Administrator

September 19, 2012 25 comments

The latest trend in IT is bring your own device (BYOD), where employees either choose which device(s) the company provides or are allowed to use their personal devices to connect to the corporate network and work from them. The company I work for is anti-BYOD. We standardized on iPhones, which are purchased by the company and assigned to employees. I was tasked with ensuring that only those company-assigned iPhones could sync with Exchange. This is fairly easy to do in Exchange 2007/2010, as there is a CASMailbox property called “ActiveSyncAllowedDeviceIDs”. This property is null by default, and while it is null any device can form a partnership with the mailbox: the user runs the setup wizard on the phone, enters their credentials, and the phone starts syncing with Exchange. You can limit which devices are allowed to sync with a mailbox by setting a list of device serial numbers in the ActiveSyncAllowedDeviceIDs property. When the property is not null, only the devices listed can form a partnership with that mailbox; any other device, even one presenting the user’s correct password, is refused.

Microsoft assumed that setting ActiveSyncAllowedDeviceIDs isn’t something the majority of organizations would want to do, so it was left out of the EMC. If you want to set this value, you need to do it through powershell. I wanted my help desk staff to be able to modify this property without having to use powershell, so I decided to create a Windows Forms GUI for this function. And if I was going to create a GUI for this function, I might as well create a full-blown ActiveSync administrator that takes care of all the admin tasks in one GUI. I also decided to add some reporting functionality to the GUI.
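The allow-list mechanism in script form, added here as an example and not taken from the ActiveSync Power Administrator itself: it reads the device IDs from existing partnerships, appends to ActiveSyncAllowedDeviceIDs instead of overwriting it (Set-CASMailbox replaces the whole multi-valued property), and produces the "enabled but open to any device" and "not synced in 30 days" reports described below. It assumes the Exchange 2007/2010 Management Shell; the function names and the mailbox used in the usage line are illustrative.

```powershell
# Added example (not the ActiveSync Power Administrator's own code).
function Get-MailboxDeviceIds {
    # DeviceID is the value ActiveSyncAllowedDeviceIDs is matched against.
    param([Parameter(Mandatory=$true)][string]$Mailbox)
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Select-Object DeviceID, DeviceType, DeviceModel, LastSuccessSync
}

function Add-AllowedActiveSyncDevice {
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,
        [Parameter(Mandatory=$true)][string[]]$DeviceId
    )
    # Merge with the current list first: a plain Set-CASMailbox would drop the device
    # the helpdesk added yesterday the moment they add a second one.
    $current = @((Get-CASMailbox -Identity $Mailbox).ActiveSyncAllowedDeviceIDs)
    $merged  = @(($current + $DeviceId) | Where-Object { $_ } | Sort-Object -Unique)
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $merged
    return $merged
}

function Lock-MailboxToCurrentDevices {
    # Allow exactly the devices that have already synced; from now on a new phone that
    # knows the user's password cannot create a partnership.
    param([Parameter(Mandatory=$true)][string]$Mailbox)
    $ids = @(Get-MailboxDeviceIds -Mailbox $Mailbox | ForEach-Object { $_.DeviceID })
    if ($ids.Count -eq 0) { throw "No partnerships on $Mailbox; add the company device ID explicitly." }
    Add-AllowedActiveSyncDevice -Mailbox $Mailbox -DeviceId $ids
}

function Get-OpenActiveSyncMailboxes {
    # ActiveSync on and allow list empty: any device with the password can sync.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object {
            $_.ActiveSyncEnabled -and
            ($null -eq $_.ActiveSyncAllowedDeviceIDs -or $_.ActiveSyncAllowedDeviceIDs.Count -eq 0)
        } |
        Select-Object Name, PrimarySmtpAddress, ActiveSyncMailboxPolicy
}

function Get-StaleActiveSyncDevices {
    # Partnerships that have not synced in $Days; candidates for Remove-ActiveSyncDevice.
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ActiveSyncEnabled } |
        ForEach-Object {
            $mbx = $_.Identity
            Get-ActiveSyncDeviceStatistics -Mailbox $mbx -ErrorAction SilentlyContinue |
                Where-Object { $_.LastSuccessSync -and $_.LastSuccessSync -lt $cutoff } |
                Select-Object @{ n = 'Mailbox'; e = { $mbx } }, DeviceID, DeviceType, LastSuccessSync
        }
}

Lock-MailboxToCurrentDevices -Mailbox 'jdoe@contoso.com'
Get-OpenActiveSyncMailboxes | Format-Table -AutoSize
```

Run Get-OpenActiveSyncMailboxes on a schedule: a single mailbox with ActiveSync enabled and an empty list is enough to undo the policy for that user.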

Overview

The script uses a Windows form to look up and set ActiveSync properties on an Exchange 2007/2010 mailbox. The first tab of the form is the user administrator. After an email address is entered, the form will retrieve the current ActiveSync settings on the mailbox. The administrator can then modify those settings. The second tab is a reporting function. There are four reports defined. I can add more on request if you have a specific report in mind. The results of the report are displayed on the form and can also be exported to a csv file.

Prerequisites

To run this script, you need to have the Exchange 2007 or Exchange 2010 management tools installed. You also need the free Quest cmdlets for Active Directory, which can be found here.

User Admin Tab

Email Address

Enter the primary email address on the mailbox you want to manage. As you type, the script will do a look up in AD and present suggestions. Once you have entered the email address, click the Lookup button.

ActiveSync Status

This will tell whether ActiveSync is enabled for this mailbox. You can enable/disable ActiveSync with the corresponding buttons.

ActiveSync Policy

This shows which ActiveSync policy is currently assigned to the mailbox. If you have defined ActiveSync policies, you can select which policy to apply from the drop-down. If you have not defined any policies, the “Default” policy will be assigned.

Allowed Devices

The Allowed Devices list shows any device serial numbers that have been allowed for this mailbox. If the list is empty, all devices are allowed to connect. You can remove devices by clicking the checkbox next to the device serial number and clicking the “Remove Selected” button.

Serial Number

You can add serial numbers to the Allowed Devices list by entering the serial number and clicking “Add”.

Sync History

This shows the device partnerships for devices that have synced with this mailbox, as well as the last time each device synced.

Identity

You can issue a wipe command to a device, cancel a pending wipe, or remove the device partnership by selecting the device identity and clicking the corresponding button.

Reporting Tab

From the reporting tab, you can run various predefined reports on your ActiveSync users. There are currently four reports defined but I can add additional reports on request. The current reports are:

Users with ActiveSync enabled
Users with ActiveSync enabled and a null list of allowed devices
Users with ActiveSync disabled
Devices that haven’t synced in 30 days

Once the report has finished running, it will be displayed on the Reporting tab. You will then be presented with a button, which allows you to take action on all the users returned in the report. For example, you will be able to enable ActiveSync on all users returned after you run the “Users with ActiveSync disabled” report. You can also export the report to a csv file by clicking the “Export to File” button.

To run this script, download it from the link below and save it to your hard drive. Change the extension from txt to ps1. Open a powershell window and navigate to the directory where you saved the script. Type .\ActiveSyncAdmin.ps1 and hit enter.

DOWNLOAD SCRIPT (Change extension from doc to ps1)

WizBang Exchange Message Tracker 2.0

September 6, 2012 38 comments

UPDATE: Version 2.1 is available. For details, click here.

The Exchange tracking logs provide a wealth of information about mail flow through your organization. Unfortunately, the tools that ship with Exchange aren’t very good at leveraging this information in a useful way. You can use the message tracking tool that ships with EMC to search for specific logs but beyond viewing the raw log data, there isn’t much information available. Fortunately, Microsoft has provided us with powershell and powershell can be used in all sorts of interesting ways to gather, aggregate and present data in useful summaries and reports.

One of the great things about powershell and the IT community is that there are plenty of people who have built powershell scripts to solve problems, automate or streamline tasks, and gather and present data. Most people are more than happy to share their scripts with anyone who would like to use them. Those scripts are then sometimes improved or built upon by someone else. I was recently searching for a way to analyze message tracking logs and I came across this blog post. Glen Scales built a powershell script that uses a Windows form GUI to gather Exchange message tracking logs and present a summary of mail flow statistics, including graphs and charts that are built with the Google Charts API. Glen called his script “WizBang 2007 Message Tracker”. While I really like Glen’s script, I decided to make some changes and improvements to better suit the information I needed to get out of it. Thus “WizBang Exchange Message Tracker 2.0” was born.

Overview

This script uses Windows forms to accept input and display output. There are five tabs on the form (explained in detail below). The user selects query settings for the search on the first tab. Once the search has completed, the summary results are displayed on the dashboard tab. The email summaries tab shows a summary of email statistics for each internal recipient. Message tracking logs for a specific user can also be displayed on this tab. The tracking data tab shows raw tracking logs for the period of the search. The final tab is used to find and display individual messages using the EWS service.

Changes in Version 2.0

  • Changed Server Name drop-down list
    • Limited server list to Exchange 2007/2010 Hub Transport, Mailbox, and Edge Transport roles (Previously contained all Exchange servers in org, even legacy)
    • Added “All” to server list to enable searching all servers
  • Added quick date range options for Last Hour, Today, Previous 24 hours, and Previous 7 days (Previously only option was to manually pick starting and end time)
  • Added filter options to match default Exchange Message Tracker
  • Added check box to determine if raw data should be displayed (Raw data collection is system resource intensive)
  • Changed graphs and charts
    • Changed graph from vertical to horizontal
    • Changed graph to display internal, sent to external, and received from external (Previously just sent and received)
    • Changed graph to display data for full time of search query (Was previously last 6 hours max)
      • When time frame is less than 31 minutes, data is graphed in minute increments
      • When time frame is between 31 minutes and 8 hours, data is graphed in 15 minute increments
      • When time frame is between 9 and 24 hours, data is graphed in hourly increments
      • When time frame is greater than 24 hours, data is graphed in daily increments
    • Consolidated pie charts into one, which now displays totals for internal, sent to external, and received from external for total time frame
  • Broke out top senders/receivers report into four separate reports: top internal sender, top internal receiver, top external sender, top external receiver, which covers search time frame (Previously consolidated into one report that covered previous hour)
  • On Organizational Totals report, consolidated total internal received and total internal sent into just total internal as these two values are always equal
  • Excluded message journaling messages from reports (except raw data)
  • Raw tracking data now includes all events; not just SENT and RECEIVED

Prerequisites

To run this script, you need to have the Exchange 2007 or Exchange 2010 management tools installed.

To use the message find functionality, you need to have EWSUtil.dll in C:\temp. You can get the file here.

Query Settings Tab

Server Name

Message tracking logs are stored on Exchange servers with the Mailbox, Hub Transport, and Edge Transport roles. The server name drop-down is automatically populated with servers in your organization that hold those roles. You can select an individual server to search against, or you can search against all servers. Being able to search all servers is a major advantage over the message tracking feature in the Exchange tools, which is only able to search one server at a time.

Date Range

The date range to search tracking logs can be selected here. There are quick selection options for last hour, today, previous 24 hours, and previous 7 days. Additionally, custom date ranges can be selected.

Filter Criteria

Tracking logs can be filtered on the same criteria used by the message tracking log search built into the Exchange tools. For example, logs can be filtered to a specific sender, recipient, or message subject. This is helpful if you are trying to find information on a specific sender, recipient, or message.

Presentation Options

This option allows the user to choose whether or not to show raw tracking data. It should only be selected for narrow searches, as displaying large amounts of raw tracking data is memory intensive.

Dashboard Tab

The dashboard tab displays a summary of message tracking log data, based on the search criteria. A graph of mail flow is displayed at the top of the window. Below the graph, there are four tables which show the top 5 internal recipients, internal senders, external recipients, and external senders. A table also shows the organizational totals broken down by internal email, received from external, and sent to external email. This table is accompanied by a pie chart.
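The totals on this tab, computed directly from the tracking logs as an added example (this is not the WizBang script's own code): it queries RECEIVE events from every Hub Transport server, groups them by MessageId so a message to ten recipients is counted once, classifies internal versus external by accepted domain, and builds the organizational totals and the four top-5 tables. It assumes the Exchange 2007/2010 Management Shell, that every accepted domain counts as "internal", and that the organization has no Edge Transport servers the shell cannot reach; the function name is mine.

```powershell
# Added example (not the WizBang script's own code).
function Get-MailFlowSummary {
    param(
        [datetime]$Start = (Get-Date).AddHours(-24),
        [datetime]$End   = (Get-Date),
        [int]$Top = 5
    )
    $internalDomains = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })
    function Test-Internal([string]$Address) {
        if (-not $Address -or $Address -notlike '*@*') { return $false }
        return $internalDomains -contains $Address.Split('@')[-1].ToLower()
    }

    # A message logs one RECEIVE per hub it passes through, each carrying the full
    # recipient list, so one RECEIVE per MessageId is one record per message.
    $hubs = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'HubTransport' }
    $events = foreach ($h in $hubs) {
        Get-MessageTrackingLog -Server $h.Name -Start $Start -End $End -EventId RECEIVE -ResultSize Unlimited
    }
    $messages = @($events | Where-Object { $_.MessageId } |
        Group-Object MessageId | ForEach-Object { $_.Group[0] })

    $totals = @{ Internal = 0; SentToExternal = 0; ReceivedFromExternal = 0 }
    $intSenders = @{}; $intRecipients = @{}; $extSenders = @{}; $extRecipients = @{}
    foreach ($m in $messages) {
        $sender  = ([string]$m.Sender).ToLower()
        $intRcpt = @($m.Recipients | Where-Object { Test-Internal $_ } | ForEach-Object { $_.ToLower() })
        $extRcpt = @($m.Recipients | Where-Object { -not (Test-Internal $_) } | ForEach-Object { $_.ToLower() })
        if (Test-Internal $sender) {
            # A message can be both internal and sent-to-external, but it is counted at
            # most once in each bucket regardless of how many recipients it has.
            if ($intRcpt.Count -gt 0) { $totals.Internal++; $intSenders[$sender] = 1 + $intSenders[$sender] }
            if ($extRcpt.Count -gt 0) { $totals.SentToExternal++ }
            foreach ($r in $extRcpt) { $extRecipients[$r] = 1 + $extRecipients[$r] }
        } else {
            $totals.ReceivedFromExternal++
            $extSenders[$sender] = 1 + $extSenders[$sender]
        }
        foreach ($r in $intRcpt) { $intRecipients[$r] = 1 + $intRecipients[$r] }
    }

    function TopN($table) {
        $table.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First $Top Name, Value
    }
    New-Object PSObject -Property @{
        Start = $Start; End = $End; Messages = $messages.Count
        Totals                = $totals
        TopInternalSenders    = TopN $intSenders
        TopInternalRecipients = TopN $intRecipients
        TopExternalSenders    = TopN $extSenders
        TopExternalRecipients = TopN $extRecipients
    }
}

Get-MailFlowSummary -Start (Get-Date).AddDays(-7) | Format-List
```

Because the classification keys on the sender domain rather than the event Source, hub-to-hub relays inside the organization do not inflate the "received from external" count; journal reports, which the script excludes from its reports, would still need to be filtered out separately.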

Email Summaries Tab

This tab displays, in the top table, a summary of the number and size of emails sent and received by each internal user. Highlight a user and press the “Get Messages” button to display all the tracking logs related to that user in the bottom table. If the option to show raw tracking data was selected on the Query Settings tab, you can highlight an individual cell in the bottom table and press the “Show Message” button to populate the fields on the Message Find tab. Both tables can be exported to csv files by pressing the appropriate export button.

Tracking Data Raw Tab

If the option to show raw tracking data was selected on the query settings tab, this tab displays the full raw message tracking data. This data is filtered based on the settings on the Query Settings tab.

Message Find Tab

You can use the Message Find tab to search a mailbox for a specific message, if you have the message ID. This will display the To, From, Subject, and body of the message. You can also download any attachments and view the message headers.

Note: There is an issue when Outlook users are in cached mode, as described in this KB article. You won’t be able to find messages in the user’s sent items folder if they are in cached mode.

DOWNLOAD SCRIPT (Change extension from to ps1)