Archive for the ‘Exchange Administration’ Category

Adding ActiveSync Management Rights to the Recipient Administrators Group

December 9, 2013

If you are using my ActiveSync Power Administrator, or just using the ECP to manage ActiveSync devices, you may have found it difficult to assign your helpdesk staff the appropriate rights to use these tools. Logically, you would think that the Recipient Management role group should have the correct rights to perform these tasks. The reality is that the Organization Management group is the only default role group that has the appropriate default management roles: Organization Client Access and Mail Recipients. You certainly don’t want to assign your helpdesk staff to the Organization Management group. You could create a custom role group, but even assigning only the Organization Client Access and Mail Recipients management roles would grant too many permissions.

The solution to this problem is to create not only a custom role group but also custom management roles that contain only the required PowerShell commands. To allow someone who is already in the Recipient Administrators group to use the ActiveSync Power Administrator, they need permission to run the following commands:

Get-CASMailbox

Set-CASMailbox

Clear-ActiveSyncDevice

Get-ActiveSyncDeviceStatistics

Remove-ActiveSyncDevice

The first thing we need to do is create our custom management roles, which are based on the two default roles that have the required commands. To do that, run the following commands:

New-ManagementRole "ActiveSync Admin 1" -Parent "Mail Recipients"

New-ManagementRole "ActiveSync Admin 2" -Parent "Organization Client Access"

The next step is to remove all the commands we don’t need. To do that, run the following commands:

Get-ManagementRole "ActiveSync Admin 1" | Get-ManagementRoleEntry | where { $_.name -ne "Clear-ActiveSyncDevice" -and $_.name -ne "Get-ActiveSyncDeviceStatistics" -and $_.name -ne "Remove-ActiveSyncDevice" } | Remove-ManagementRoleEntry

Get-ManagementRole "ActiveSync Admin 2" | Get-ManagementRoleEntry | where { $_.name -ne "Get-CASMailbox" -and $_.name -ne "Set-CASMailbox" } | Remove-ManagementRoleEntry

Now we need to create the new role group:

New-RoleGroup -Name "ActiveSync Management" -Roles "ActiveSync Admin 1","ActiveSync Admin 2"

Finally, we add the Exchange Recipient Administrators group to the new role group:

Add-RoleGroupMember -Identity "ActiveSync Management" -Member "Exchange Recipient Administrators"

Your recipient administrators should now be able to manage ActiveSync devices with the least amount of permissions.
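To confirm the result of the steps above, the following check compares each custom role's entries against the intended cmdlet list and shows what the role group was assigned. It is an added example, not part of the original post; it assumes the role and role group names used here and an Exchange 2010 Management Shell session, and `Test-RoleEntries` is a hypothetical helper name.

```powershell
# Added example: audit the custom management roles for least privilege.
# Expected cmdlets per role, taken from the list earlier in this post.
$expected = @{
    "ActiveSync Admin 1" = @("Clear-ActiveSyncDevice",
                             "Get-ActiveSyncDeviceStatistics",
                             "Remove-ActiveSyncDevice")
    "ActiveSync Admin 2" = @("Get-CASMailbox", "Set-CASMailbox")
}

# Test-RoleEntries is a hypothetical helper, not an Exchange cmdlet.
function Test-RoleEntries {
    param([string]$Role, [string[]]$Allowed)

    # Every role entry is named after the cmdlet it grants.
    $actual  = @(Get-ManagementRoleEntry "$Role\*" | ForEach-Object { $_.Name })

    # Entries that survived pruning but should not be there.
    $extra   = @($actual  | Where-Object { $Allowed -notcontains $_ })
    # Required entries that were removed by mistake (e.g. a typo in the filter).
    $missing = @($Allowed | Where-Object { $actual  -notcontains $_ })

    foreach ($c in $extra)   { Write-Warning "$Role grants unintended cmdlet: $c" }
    foreach ($c in $missing) { Write-Warning "$Role is missing required cmdlet: $c" }

    return ($extra.Count -eq 0 -and $missing.Count -eq 0)
}

$clean = $true
foreach ($role in $expected.Keys) {
    if (-not (Test-RoleEntries -Role $role -Allowed $expected[$role])) {
        $clean = $false
    }
}
if ($clean) { Write-Host "Both custom roles contain exactly the intended cmdlets." }

# Show which roles the role group actually received and who is in it.
Get-ManagementRoleAssignment -RoleAssignee "ActiveSync Management" |
    Format-Table Name, Role, RoleAssigneeName -AutoSize
Get-RoleGroupMember "ActiveSync Management" |
    Format-Table Name, RecipientType -AutoSize
```

Any warning means a role is either broader than intended or lacks a cmdlet the helpdesk needs, and the assignment table should list only the two custom roles.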

ActiveSync Power Administrator 2.0 (Exchange 2010 Support)

May 30, 2013

Version 2.0 of the ActiveSync Power Administrator is now available.

Bug Fixes:

  • No bug fixes in this release

New Functionality:

  • Now works with both Exchange 2007 and 2010

Please see this post for details on the ActiveSync Power Administrator.

You can download the latest version here (change extension to .ps1).

Version 2.1 of WizBang Exchange Message Tracker

October 18, 2012

Version 2.1 of WizBang Exchange Message Tracker is now available.

Bug Fixes:

  • Fixed bug where hours on graph were sometimes wrong
  • Fixed bug where messages with multiple recipients were counted in sent totals for each recipient. Each unique sent message is now counted a maximum of once in internal sent total and once in external sent total.
  • Added code to check for null values in $unkey, $sndarray, and $recparray before attempting to add to collection

New Functionality:

  • Added export to html button on dashboard

Please see this post for details on the WizBang Exchange Message Tracker.

You can download the latest version here (change extension to .ps1).

ActiveSync Power Administrator

September 19, 2012

The latest trend in IT is bring your own device (BYOD), where employees are either allowed to choose which device(s) the company provides, or allowed to use their personal devices to connect to the corporate network and work. The company I work for is anti-BYOD. We standardized on iPhones, which are purchased by the company and assigned to employees. I was tasked with ensuring only those company-assigned iPhones could sync with Exchange. This is fairly easy to do in Exchange 2007/2010 as there is a CASMailbox property called “ActiveSyncAllowedDeviceIDs”. This property has a null value by default, and when the value is null any device can form a partnership with that account. All the user needs to do is run the setup wizard on the phone and enter their credentials, and then the phone starts syncing with Exchange. You can limit which devices are allowed to sync with a mailbox by setting a list of device serial numbers in the ActiveSyncAllowedDeviceIDs property. When the property is not null, only the devices listed can form a partnership with that mailbox.

Microsoft has assumed that setting the value of ActiveSyncAllowedDeviceIDs isn’t something the majority of organizations would want to do, so they have left it out of the EMC. If you want to set this value, you need to do it through PowerShell. I wanted my help desk staff to be able to modify this property but I didn’t want them to have to use PowerShell, so I decided to create a Windows form GUI for this function. I decided if I was going to create a GUI for this function, I might as well create a full-blown ActiveSync administrator to take care of all admin tasks in one GUI. I also decided to add some reporting functionality to the GUI.
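For reference, this is roughly what the same task looks like directly in the Exchange Management Shell: list the mailboxes whose allow list is still empty, then add a device to one mailbox without overwriting existing entries. This is an added example, not code from ActiveSyncAdmin.ps1; both function names are hypothetical and the mailbox and device values in the usage lines are constructed placeholders.

```powershell
# Added example (not taken from ActiveSyncAdmin.ps1).

# Mailboxes with ActiveSync enabled and an empty allow list, i.e. mailboxes
# with which any device can still form a partnership.
function Get-UnrestrictedActiveSyncMailbox {
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object {
            $_.ActiveSyncEnabled -and
            @($_.ActiveSyncAllowedDeviceIDs | Where-Object { $_ }).Count -eq 0
        } |
        Select-Object Name, PrimarySmtpAddress, ActiveSyncMailboxPolicy
}

# Add one device to a mailbox's allow list using read-modify-write, so
# entries that are already present are preserved.
function Add-AllowedActiveSyncDevice {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [Parameter(Mandatory = $true)][string]$DeviceId,
        [switch]$WhatIf
    )

    $cas     = Get-CASMailbox -Identity $Mailbox -ErrorAction Stop
    $current = @($cas.ActiveSyncAllowedDeviceIDs | Where-Object { $_ })

    # Nothing to do if the device is already allowed.
    if ($current -contains $DeviceId) { return $current }

    $updated = $current + $DeviceId
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $updated -WhatIf:$WhatIf
    return $updated
}

# Usage with constructed placeholder values; -WhatIf previews the change only.
Get-UnrestrictedActiveSyncMailbox | Format-Table -AutoSize
Add-AllowedActiveSyncDevice -Mailbox "user@example.com" -DeviceId "DEVICE-ID-PLACEHOLDER" -WhatIf
```

The IDs of devices that have already synced with a mailbox are available in the DeviceID property returned by Get-ActiveSyncDeviceStatistics -Mailbox.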

Overview

The script uses a Windows form to look up and set ActiveSync properties on an Exchange 2007/2010 mailbox. The first tab of the form is the user administrator. After an email address is entered, the form will retrieve the current ActiveSync settings on the mailbox. The administrator can then modify those settings. The second tab is a reporting function. There are four reports defined. I can add more on request if you have a specific report in mind. The results of the report are displayed on the form and can also be exported to a csv file.

Prerequisites

To run this script, you need to have the Exchange 2007 or Exchange 2010 management tools installed. You also need the free Quest cmdlets for Active Directory, which can be found here.

User Admin Tab

Email Address

Enter the primary email address on the mailbox you want to manage. As you type, the script will do a look up in AD and present suggestions. Once you have entered the email address, click the Lookup button.

ActiveSync Status

This will tell whether ActiveSync is enabled for this mailbox. You can enable/disable ActiveSync with the corresponding buttons.

ActiveSync Policy

This shows which ActiveSync policy is currently assigned to the mailbox. If you have defined ActiveSync policies, you can select which policy to apply from the drop-down. If you have not defined any policies, the “Default” policy will be assigned.

Allowed Devices

The Allowed Devices list shows any device serial numbers that have been allowed for this mailbox. If the list is empty, all devices are allowed to connect. You can remove devices by clicking the checkbox next to the device serial number and clicking the “Remove Selected” button.

Serial Number

You can add serial numbers to the Allowed Devices list by entering the serial number and clicking “Add”.

Sync History

This shows the device partnerships for devices that have synced with this mailbox, as well as the last time the device has synced.

Identity

You can issue a wipe command to a device, cancel a pending wipe, or remove the device partnership by selecting the device identity and clicking the corresponding button.

Reporting Tab

From the reporting tab, you can run various predefined reports on your ActiveSync users. There are currently four reports defined but I can add additional reports on request. The current reports are:

  • Users with ActiveSync enabled
  • Users with ActiveSync enabled and a null list of allowed devices
  • Users with ActiveSync disabled
  • Devices that haven’t synced in 30 days

Once the report has finished running, it will be displayed on the Reporting tab. You will then be presented with a button, which allows you to take action on all the users returned in the report. For example, you will be able to enable ActiveSync on all users returned after you run the “Users with ActiveSync disabled” report. You can also export the report to a csv file by clicking the “Export to File” button.

To run this script, download it from the link below and save it to your hard drive. Change the extension from txt to ps1. Open a PowerShell window and navigate to the directory where you saved the script. Type .\ActiveSyncAdmin.ps1 and hit enter.

DOWNLOAD SCRIPT (Change extension from doc to ps1)