Saturday, November 22, 2014

Mailbox Permission Issues After Cross-Forest Migration


Hi folks,

I would love to share with you one old story that I had 3 years ago during the cross-forest Exchange migration (2007 to 2010).

After the mailboxes were migrated, some of them could not be disabled using the Microsoft Exchange Shell or the console. To resolve this problem, the Exchange Trusted Subsystem group had to be assigned the Read All Properties and Write All Properties permissions on the domain container.

1. Launch ADSI Edit
2. Connect ADSI Edit to the Default Naming Context
3. Right-click the container that corresponds to the domain (DC=contoso,DC=com) and go to the Security tab
4. Click on the Advanced button
5. In the Advanced Security Settings for contoso.com, make sure you are on the Permissions tab and click on the Add button
6. Select All Descendant objects in the Apply to section. In the list of permissions, tick the boxes next to Allow-Read all properties and Allow-Write all properties. Click OK
7. Wait for Active Directory replication to occur.
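
The ACE created in steps 5 and 6 gives the group write access to properties on every object below the domain root, so it is worth confirming exactly what ended up on the container once replication has finished. The following check is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is available, uses the post's sample domain DC=contoso,DC=com, and the function name Get-TrusteePropertyAce is hypothetical.

```powershell
# Added example (not from the original post): list the property ACEs that
# Exchange Trusted Subsystem holds on the domain container and flag the one
# that matches steps 5-6 of the procedure above.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$domainDn  = 'DC=contoso,DC=com'            # sample domain from the post; replace with yours
$trustee   = 'Exchange Trusted Subsystem'
$emptyGuid = [guid]::Empty                  # all-zero GUID = "all properties" / "all object classes"
$readWrite = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

function Get-TrusteePropertyAce {           # hypothetical helper name
    param([string]$DistinguishedName, [string]$Trustee)

    # The AD: drive is provided by the ActiveDirectory module
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.IdentityReference.Value -like "*\$Trustee" -and
            $_.AccessControlType -eq 'Allow' -and
            # Any ACE carrying ReadProperty or WriteProperty (GenericAll includes both)
            ([int]$_.ActiveDirectoryRights -band $readWrite) -ne 0
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType,
                      ObjectType, InheritedObjectType, IsInherited
}

$aces = @(Get-TrusteePropertyAce -DistinguishedName $domainDn -Trustee $trustee)

# The ACE from steps 5-6: set directly on the domain container, read and write
# on all properties, applied to all descendant objects only
$expected = @($aces | Where-Object {
    -not $_.IsInherited -and
    $_.InheritanceType -eq 'Descendents' -and
    $_.ObjectType -eq $emptyGuid -and
    $_.InheritedObjectType -eq $emptyGuid -and
    ([int]$_.ActiveDirectoryRights -band $readWrite) -eq $readWrite
})

# Full list first, so broader or unexpected grants to the group are visible too
$aces | Format-Table -AutoSize

if ($expected.Count -gt 0) {
    Write-Output "Found the Read/Write all properties ACE for '$trustee' on $domainDn."
} else {
    Write-Output "No matching ACE for '$trustee' on $domainDn (not yet replicated, or not set as described)."
}
```

Run it against a domain controller in the site where the mailbox operation fails, since the result reflects that DC's replicated copy of the ACL.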


And it should do the magic.

Enjoy.

Removing Email Addresses With Obsolete SMTP Domain From Users Mailboxes

Hi folks,

Just wanted to share with you a quick way to remove obsolete SMTP addresses from mailboxes in your Exchange estate.

Imagine a situation where you are decommissioning a certain SMTP domain from your organization. First you perform all of the activities needed to stop your environment from receiving email for this domain. These activities include changes in DNS (removing MX, SPF and PTR records) and also removing accepted domains from your Exchange and hygiene appliances. Additionally, you may edit your email address policies to stop provisioning the decommissioned SMTP domain to new mailboxes.

However, you are still left with the mailboxes that contain this email address in their EmailAddresses attribute. Of course you can visit each mailbox one by one and remove these addresses, but for bigger environments that won't work.

The script below removes obsolete email addresses from the mailboxes of users located in the OU contoso.com/Staff that have email addresses with the adatum.com suffix. It goes through all the users who may have this domain and removes it. Please note that before running this script you may need to adjust the name of the SMTP domain you're removing as well as the path to the OU where the mailboxes are stored.


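# Get-Mailbox (unlike Get-User) returns the EmailAddresses collection
$Mailbox = Get-Mailbox -OrganizationalUnit "contoso.com/Staff" -RecipientTypeDetails UserMailbox -ResultSize Unlimited
$Mailbox | foreach {
    $addresses = $_.EmailAddresses
    $changed = $false
    # Walk the collection backwards so RemoveAt() does not shift entries that are still to be checked
    for ($i = $addresses.Count - 1; $i -ge 0; $i--)
    {
        # -like is case-insensitive, so this matches both secondary (smtp:) and primary (SMTP:) addresses
        if ([string]$addresses[$i] -like "smtp:*@adatum.com")
        {
            $addresses.RemoveAt($i)
            $changed = $true
        }
    }
    # Write the trimmed list back only for mailboxes that actually changed
    if ($changed) { Set-Mailbox -Identity $_.Identity -EmailAddresses $addresses }
}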

Enjoy.

Quickly Create OU Structure in the new AD domain


Hi folks,

This is a script that will help you create an OU structure in a brand new Active Directory environment (of course it can also be used to create OUs in an existing AD, provided that you use OU names that are not already in use). In addition, it will protect the newly created OUs from accidental deletion, similar to this:



Make sure that you replace DC=contoso,DC=com with the right LDAP path of your domain, and feel free to replace the OU names (next to OU=) with the names used in your environment.

Import-Module ActiveDirectory

$objDomain = [ADSI]"LDAP://DC=contoso,DC=com"
$objOU = $objDomain.Create("organizationalUnit","ou=Clusters")
$objOU.SetInfo()

$objOU = $objDomain.Create("organizationalUnit","ou=Servers")
$objOU.SetInfo()

$objOU = $objDomain.Create("organizationalUnit","ou=Groups")
$objOU.SetInfo()

$objOU = $objDomain.Create("organizationalUnit","ou=Security Groups,ou=Groups")
$objOU.SetInfo()

$objOU = $objDomain.Create("organizationalUnit","ou=Distribution Groups,ou=Groups")
$objOU.SetInfo()

$objOU = $objDomain.Create("organizationalUnit","ou=Services")
$objOU.SetInfo()

$objOU = $objDomain.Create("organizationalUnit","ou=Staff")
$objOU.SetInfo()

$objOU = $objDomain.Create("organizationalUnit","ou=Admins")
$objOU.SetInfo()

$objOU = $objDomain.Create("organizationalUnit","ou=Workstations")
$objOU.SetInfo()

$objOU = $objDomain.Create("organizationalUnit","ou=SQL Servers,ou=Servers")
$objOU.SetInfo()

$objOU = $objDomain.Create("organizationalUnit","ou=Exchange Servers,ou=Servers")
$objOU.SetInfo()

$objOU = $objDomain.Create("organizationalUnit","ou=Lync Servers,ou=Servers")
$objOU.SetInfo()

$objOU = $objDomain.Create("organizationalUnit","ou=CRM Servers,ou=Servers")
$objOU.SetInfo()

$objOU = $objDomain.Create("organizationalUnit","ou=BES Servers,ou=Servers")
$objOU.SetInfo()

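# Note: this filter matches every OU in the domain, including any that existed before the script ran
Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true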

Enjoy

Tuesday, November 11, 2014

PowerShell commands to manipulate mailbox folders

Hi folks,

This is a short post in support of those of you who are using PowerShell to manipulate mailbox folders in Exchange 2010/2013.

The main thing to remember is that the Get-MailboxFolder command can be run only by the mailbox owner, as per this TechNet article. If you try to run the same command as an administrator, you get the following error:


No RBAC manipulations will help you to overcome this.

Therefore, if you are interested in retrieving user mailbox folders, you will need to use the Get-MailboxFolderStatistics command. By default, it returns all the information in list format, which doesn't always fit the screen. Of course, this can be exported to a TXT file for further review. Additionally, you can use certain parameters.

As an example, this is the command I used to retrieve information about folders and their structure within a mailbox:

Get-MailboxFolderStatistics "Farhad Mahmudov" |select Name,Identity

More details about this command can be found here.

Additionally, there are commands that allow you to manage mailbox folder permissions: Set-MailboxFolderPermission, Remove-MailboxFolderPermission, Add-MailboxFolderPermission and Get-MailboxFolderPermission.

Enjoy.

Quick Retrieving of Windows Updates installed in Exchange Environment

Hi folks,

I would love to share with you a quick and easy way to retrieve Windows updates installed in your Exchange 2010/2013 estate.

Instead of logging on locally to each server all you need is to execute Get-WmiObject -Class "win32_quickfixengineering" command against each server.

In my case I have simply added to the pipe all the Exchange servers that are domain members (usually Edge Transport servers are not added to the domain and the command should be executed against them separately). So if you don't run Edge servers in your environment there's no need to

So my command to retrieve this information looks like this (please note that I used the Sort command to arrange patches based on server name and date of the installation):

# Sort by server name (CSName) and installation date
Get-ExchangeServer | Where-Object {$_.ServerRole -ne "Edge"} | foreach {Get-WmiObject -Class "win32_quickfixengineering" -ComputerName $_.Name} | sort CSName,InstalledOn

Optionally, you can export the information to a CSV file (screenshots below) to get a more comprehensive report, or use the Select-Object command to limit it to the properties you're interested in.





Enjoy