Posts Tagged ‘Exchange Management Shell (EMS)’

Update Rollup 5 (UR5) for Exchange Server 2007 SP3 Released

September 22nd, 2011

Microsoft has released the following update rollup for Exchange Server 2007:

  • Update Rollup 5 for Exchange Server 2007 SP3 (2582113)

If you’re running Exchange Server 2007 SP3, you need to apply Update Rollup 5 for Exchange 2007 to address the issues listed below.

Remember, you only need to download the latest update for the version of Exchange that you’re running.

Here is a list of the fixes included in update rollup 5:

  1. 981820 New X-headers of a message item do not appear when the message item is retrieved by IMAP4 or by POP3 in an Exchange Server 2007 SP2 environment
  2. 2292150 A deleted hyperlink remains in the HTML source of an email message if you create the email message by using OWA in an Exchange Server 2007 environment
  3. 2411423 The Msftefd.exe process constantly consumes up to 100 percent of CPU resources when your mailbox language is set to German on an Exchange Server 2007 server
  4. 2450078 The sent time in an email message body is incorrect when you reply or forward the email message by using an EWS application in an Exchange Server 2007 environment
  5. 2451415 “There was a problem logging onto your mail server” error message when you use a POP3 client to access a mailbox in an Exchange Server 2007 SP3 environment
  6. 2536652 EdgeTransport.exe randomly stops responding on a Hub Transport server after you configure public folder replication in Exchange Server 2007
  7. 2536695 “Some items cannot be deleted” error message when you try to delete or modify an email message in a public folder in an Exchange Server 2007 environment
  8. 2536697 DBCS characters in a rule name are converted to question marks after you move a mailbox from Exchange Server 2003 to Exchange Server 2007
  9. 2537783 The EdgeTransport.exe process crashes occasionally after you install Update Rollup 2 for Exchange Server 2007 SP3
  10. 2538958 Extended Protection Warning Displayed in Exchange Management Console and Exchange Management Shell After Installing RU2 for Exchange 2007 SP3
  11. 2554575 Items accumulate in the MRM submission folder when managed folder assistant journal items in an Exchange Server 2007 environment
  12. 2556751 The EdgeTransport.exe process crashes when processing certain email messages on an Exchange Server 2007 Hub Transport server
  13. 2557304 The Store.exe process may consume excessive CPU resources and memory resources intermittently when a user opens a calendar item by using OWA in an Exchange Server 2007 SP3 environment

Download the rollup here.

Installation Notes:

If you haven’t installed Exchange Server yet, you can use the info at Quicker Exchange installs complete with service packs and rollups to save you some time.

Microsoft Update can’t detect rollups for Exchange 2010 servers that are members of a Database Availability Group (DAG). See the post Installing Exchange 2010 Rollups on DAG Servers for info, and a script, for installing update rollups.

Update Rollups should be applied to Internet facing Client Access Servers before being installed on non-Internet facing Client Access Servers.

If you’re installing the update rollup on Exchange servers that don’t have Internet access, see “Installing Exchange 2007 & 2010 rollups on servers that don’t have Internet access” for some additional steps.

Also, the installer and Add/Remove Programs text is only in English – even when being installed on non-English systems.

Note to Forefront users:

If you don’t disable Forefront before installing a rollup or service pack, and enable afterwards, you run the risk of Exchange related services not starting. You can disable Forefront by going to a command prompt and navigating to the Forefront directory and running FSCUtility /disable. To enable Forefront after installation of a UR or SP, run FSCUtility /enable.

[Redirect] New-PasswordReminder.ps1 v2.1 – updated to include better formatting, preview, and installer!

September 18th, 2011

Update 09-30-2011: An updated version is available at New-PasswordReminder.ps1 v2.2 – target specific OUs, better password policy info, code tweaks.

I wrote in New-PasswordReminder.ps1 – email users when their password will soon expire about how to set up a scheduled task to send users a polite reminder email when their password will soon expire. It’s been a fairly popular post, but there have been some areas where it could be improved. Well, consider it done.

One of the hardest parts was getting a decently formatted email that looked good. This could take some trial and error, and the original script didn’t really have a way built in to preview what the end user would see. As a result, some hapless users would be flooded with your “test” messages. I fixed that by creating a preview mode. Manually run the script with the preview switch, and a user to send the email to. For example:

.\New-PasswordReminder.ps1 -Preview -PreviewUser bgates

This will send an email to the user, bgates. The email is formatted for a password that expires in one day, so the user gets the additional banner near the top as well.

Next up was creating a scheduled task. Not really terribly difficult to do manually, but I could see where it might take some trial and error. So, I added the install switch, which will create a scheduled task for the script, configuring it to run at 6am each day. Of course, that time can be manually adjusted by opening the scheduled task once it’s created. The install mode will ask for credentials to run the scheduled task under. Install it as so:

.\New-PasswordReminder.ps1 -Install

Note: The scheduled task is configured to point to where the script is when you run the install switch. So don’t move it later!

Next up was a little tweaking to the HTML code. In the original version, I tossed in some very basic formatting, but the person installing it had to tweak some HTML code to point to the location of some images. The new version has more images, but I defined a variable in the param block for the root folder where the images are stored. Just edit that line, and all other HTML code for the images will be fine. Look for these lines in the param block:

[parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Mandatory=$false)]
[string] $ImagePath = "http://www.mydomain.com/scripts"

Update accordingly with a URL to the directory holding the images, but don’t include a trailing slash. Of course, you’re free to rip out all of the formatting and substitute your own. I merely included something so that it would work “out of the box”. The new zip file includes all image files required for the new formatting.

Next up, I added some simple logging to the application event log. The script will write a single entry when it starts, and a single entry when it finishes, noting how many users were processed (sent an email). I would love to hear how this script works in large environments. If you’re willing, please let me know (via comments below) how long it’s taking to run in your environment, and the number of users in AD.

I fixed a couple of minor bugs, and included some code to install the RSAT-AD-PowerShell feature if it’s not installed. The comment based help was enhanced, and some of the code was cleaned up so it’s easier to read.

The rest of the setup requirements remain. See the original post for additional info. Download the latest version New-PasswordReminder2.1

I’m very interested in hearing how you customize this, and any suggestions you may have. I’m always looking for ideas.

Script: New-ADPasswordReminder.ps1 – Email Users When Their Password Will Soon Expire

August 27th, 2011

Note: Development on this script has moved to Github. Please see the repo at https://github.com/patrichard/New-AdPasswordReminder.

Description

In today’s increasingly mobile workforce, many users don’t login to Active Directory on a domain joined computer. Some use only Outlook Web Access/App, some use non-domain joined machines external to the company network, some just use mobile devices such as smartphones and tablets. And others may use Macs.

Users who login via domain joined machines on the company network get the reminder several days ahead. The default is 14 days, but can be configured in the Default Domain Group Policy under Interactive logon: Prompt user to change password before expiration.

OWA users see a notification when they login as well. In OWA 2007 running on IIS6, this can be adjusted via PasswordExpirePrenotifyDays. In fact, with OWA 2007 and 2010, you can even change your password after it expires, using the Password Reset Feature in Exchange 2007 and 2010. However, there are times when that’s just not a remedy. The password reset feature requires the Exchange server to be running on Windows 2008 or later, as it relies on IIS 7. Many Exchange 2007 shops are not on that platform yet.

Anyone who’s ever worked on a Help Desk knows that a LOT of users call to say they can’t login, only to determine it’s because their password expired. Many, if not most, are those types of users mentioned above. Others don’t notice, or simply ignore the notice when logging in. So let’s really make sure we notify them of the pending expiration. There are some third-party tools, including some that run on SharePoint, that enable a user to reset their password. But this is after the fact. Sure, we could use some third-party application to send a reminder, but… well… why? PowerShell to the rescue!

In the pre-Windows 2008 domain functional level days, we could just peek at the Default Domain GPO, and grab the Maximum Password Age parameter, since it was a global setting. Then we could go through Active Directory, find users who are not set to “never expire”, use some math, and come up with a list of users whose password expired soon.

But with the changes implemented with Windows Server 2008, we can now have Fine Grained Password policies, which allow us to have more than just one password policy in our organization. So, Executives get one password policy, IT people with elevated rights get another, etc. Cool in theory, but frustrating in our endeavor to notify users when they’ll expire.

I blatantly admit that I used part of a script by M. Ali, who wrote a blog post Find out when your Password Expires. The script checks Get-AdDomain, and looks at the DomainMode parameter in the results. From here, we know whether we can just peek at the Default Domain policy, or if we need to look deeper. Regardless of which way, we look through the users using Get-AdUser, and grab the PasswordExpired, PasswordNeverExpires, and PasswordLastSet fields. Obviously, if the account is expired, no need to keep reminding the user. And if the password never expires, then we also don’t need to notify the user. With PasswordLastSet, our math comes into play to determine when the password will expire. Not terribly short and sweet, but effective.

Once we know when the password will expire, we can then set a window for when we should notify the users. It makes sense to match what’s in the GPO so that notifications are consistent regardless of platform. This script is set to 14 days by default.
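The expiry math described above, as an added example that is not taken from New-ADPasswordReminder.ps1. The function names are hypothetical, the sample accounts are constructed (Claudia's 42-day policy and 5 remaining days follow the demo described later in this post), and the first function needs the ActiveDirectory module, so the sample run only exercises the second.

```powershell
# Added example, not part of New-ADPasswordReminder.ps1.
# Get-EffectiveMaxPasswordAge and Get-PasswordExpiryStatus are hypothetical names.

# Live lookup (needs the ActiveDirectory module): a fine-grained password policy
# wins when one applies to the user, otherwise the domain default is used.
function Get-EffectiveMaxPasswordAge {
    param([Parameter(Mandatory=$true)] [string] $SamAccountName)
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($fgpp) { return $fgpp.MaxPasswordAge }
    return (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
}

# Pure date math, so it can be checked without a domain controller.
function Get-PasswordExpiryStatus {
    param(
        [Parameter(Mandatory=$true)] [string] $SamAccountName,
        [Nullable[datetime]] $PasswordLastSet,          # $null: must change at next logon
        [bool] $PasswordNeverExpires = $false,
        [bool] $PasswordExpired = $false,
        [Parameter(Mandatory=$true)] [timespan] $MaxPasswordAge,
        [int] $DaysToWarn = 14,                         # same default as the script
        [datetime] $Now = (Get-Date)
    )
    $status = 'OK'; $expiresOn = $null; $daysLeft = $null

    if ($PasswordNeverExpires -or $MaxPasswordAge -eq [timespan]::Zero) {
        # A maximum age of zero in the policy also means "never expires".
        $status = 'NeverExpires'
    } elseif ($PasswordExpired -or $null -eq $PasswordLastSet) {
        # Already expired: a reminder email no longer helps.
        $status = 'Expired'
    } else {
        $expiresOn = ([datetime]$PasswordLastSet).Add($MaxPasswordAge)
        $daysLeft  = [int][math]::Floor(($expiresOn - $Now).TotalDays)
        if ($daysLeft -lt 0)               { $status = 'Expired' }
        elseif ($daysLeft -le $DaysToWarn) { $status = 'Expiring' }
    }

    New-Object PSObject -Property @{
        SamAccountName = $SamAccountName
        Status         = $status
        ExpiresOn      = $expiresOn
        DaysLeft       = $daysLeft
        Notify         = ($status -eq 'Expiring')
    } | Select-Object SamAccountName, Status, ExpiresOn, DaysLeft, Notify
}

# Constructed sample accounts, evaluated against a fixed "now" so the run is repeatable.
$now      = [datetime]'2011-08-27T06:00:00'
$policy42 = New-TimeSpan -Days 42
$sample = @(
    # 37 days into a 42-day policy
    @{ SamAccountName='claudia';  PasswordLastSet=$now.AddDays(-37);  MaxPasswordAge=$policy42 },
    # flagged "password never expires"
    @{ SamAccountName='svc-scan'; PasswordLastSet=$now.AddDays(-400); MaxPasswordAge=$policy42; PasswordNeverExpires=$true },
    # never set a password, so AD already reports it as expired
    @{ SamAccountName='newhire';  PasswordLastSet=$null;              MaxPasswordAge=$policy42; PasswordExpired=$true },
    # covered by a constructed 90-day fine-grained policy
    @{ SamAccountName='exec1';    PasswordLastSet=$now.AddDays(-10);  MaxPasswordAge=(New-TimeSpan -Days 90) }
)
foreach ($u in $sample) { Get-PasswordExpiryStatus @u -Now $now }
```

Against a live domain, the inputs come from Get-ADUser with -Properties PasswordExpired, PasswordNeverExpires, PasswordLastSet, plus Get-EffectiveMaxPasswordAge for each user.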

Next, we need to craft some information that we want to convey to the user. In this case, we’ll use some HTML formatting so that we can properly convey the importance of the info, as well as include some additional formatting. I’ve mocked up something based on some third-party tools, and on the comments and recommendations of IT Professionals and users. It’s simple enough to change, but be warned that many clients, including Outlook, don’t strictly adhere to HTML standards. So it can take quite a bit of trial and error to find out what does actually appear the way you want it to.

Installation and Setup

First, you need a receive connector that will accept mail from PowerShell. I cover that in Creating a receive connector to use for sending email from PowerShell. Next, the script must run on a machine with PowerShell 2.0 installed. This is a prerequisite for Exchange 2010 (and installed by default on Windows 2008 R2), but not for Exchange 2007. If you’re reluctant to upgrade PowerShell on your 2007 box, it can be run from any other box that has PowerShell 2.0 and the Exchange Management tools installed. Note: Exchange Management tools should always be updated and patched to the same level that your Exchange servers are.

Second, you’ll need the ActiveDirectory module available on the machine that will run the script. The ActiveDirectory module is installed when you add the Remote-Server Administration Tools feature in Windows Server 2008 R2. If the module is not detected, the script will attempt to install it automatically the first time it runs.

Next, grab the latest zip file from the DOWNLOAD section below. It includes the script, and ScriptImages.zip contains a couple of images that are used in the warning for users whose password expires in < 24 hours (seen in the Outlook screenshot above). The images need to be accessible to all users who will receive the reminder emails. This is likely to be a public web site.

Crack open the script in your favorite editor and update the lines in the param() block to match your environment. This includes $Company, $OwaUrl, $PSEmailServer, $EmailFrom, $HelpDeskPhone, $HelpDeskURL and $DaysToWarn. If you want to target a specific OU, set $OU. Also, set $ImagePath to a path holding the included image files (or those you add/edit). This path should be available to all users who may receive the reminder message. This is probably a public server.

param(
	[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false)]
	[switch]$Demo,
	[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false)]
	[switch]$Preview,
	[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false)]
	[switch]$Install,
	[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false)]
	[string]$PreviewUser,
	[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false)]
	[switch]$Transcript,
	[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false, HelpMessage="Please specify a company name.")]
	[ValidateNotNullOrEmpty()]
	[string]$Company = "Contoso Ltd",
	[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false, HelpMessage="Please specify an OWA URL")]
	[ValidateNotNullOrEmpty()][ValidatePattern("^https://")]
	[string]$OwaUrl = "https://mail.contoso.com",
	[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false, HelpMessage="Please specify the IP address of your email server")]
	[ValidateNotNullOrEmpty()][ValidatePattern("\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b")]
	[string]$PSEmailServer = "10.9.0.11",
	[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false, HelpMessage="Please specify a name and email address for the email 'from' field")]
	[ValidateNotNullOrEmpty()][ValidatePattern("\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b")]
	[string]$EmailFrom = "Help Desk ",
	[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false)]
	[string]$HelpDeskPhone = "(586) 555-1010",
	[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false)]
	[ValidatePattern("^http")]
	[string]$HelpDeskURL = "https://intranet.contoso.com/",
	[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false)]
	[string] $TranscriptFilename = $MyInvocation.MyCommand.Name + " " + (hostname)+ " {0:yyyy-MM-dd hh-mmtt}.log" -f (Get-Date),
	[parameter(ValueFromPipeline=$false, ValueFromPipelineByPropertyName=$false, Mandatory=$false, HelpMessage="This must be zero")]
	[ValidateNotNullOrEmpty()]
	[int]$global:UsersNotified = 0,
	[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false, HelpMessage="Please specify how many days before expiration that users should begin to be notified.")]
	[ValidateNotNullOrEmpty()]
	[int]$DaysToWarn = 14,
	[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$false)]
	[string] $ImagePath = "http://www.contoso.com/images/new-passwordreminder.ps1",
	[parameter(ValueFromPipeline=$false, ValueFromPipelineByPropertyName=$false, Mandatory=$false)]
	[ValidateNotNullOrEmpty()]
	[string] $ScriptName = $MyInvocation.MyCommand.Name,
	[parameter(ValueFromPipeline=$false, ValueFromPipelineByPropertyName=$false, Mandatory=$false)]
	[ValidateNotNullOrEmpty()]
	[string] $ScriptPathAndName = $MyInvocation.MyCommand.Definition,
	[parameter(ValueFromPipeline=$false, ValueFromPipelineByPropertyName=$false, Mandatory=$false, HelpMessage="Please specify an Organizational Unit")]
	[ValidateNotNullOrEmpty()]
	[string] $ou
)

Open an Exchange Management Shell session and run the script in demo mode to see a list of users that are expiring soon. The script won’t email the users in demo mode. It merely shows you who it WOULD, and how long till their password expires.

.\New-PasswordReminder.ps1 -demo

As we see in the example screenshot, Claudia’s password expires in 5 days, and the password policy that applies to her requires the password to be changed every 42 days. If we run the script normally, Claudia will receive the email reminder since it’s within the 14 day window defined in the script.

To run the script normally (non-demo mode), manually, just omit the -demo. There is no output to the screen when run normally, as the script is designed to be run as a scheduled task.

Once you’re satisfied that the script is running correctly, we can set it to run as a scheduled task. I have a blog post Running PowerShell scripts via Scheduled Tasks that details everything. In my production environment, it runs at 6am each day.

One of the hardest parts was getting a decently formatted email that looked good. This could take some trial and error, and the original script didn’t really have a way built in to preview what the end user would see. As a result, some hapless users would be flooded with your “test” messages. I fixed that by creating a preview mode. Manually run the script with the preview switch, and a user to send the email to. For example:

.\New-PasswordReminder.ps1 -Preview -PreviewUser bgates

This will send an email to the user, bgates. The email is formatted for a password that expires in one day, so the user gets the additional banner near the top as well.

Next up was creating a scheduled task. Not really terribly difficult to do manually, but I could see where it might take some trial and error. So, I added the install switch, which will create a scheduled task for the script, configuring it to run at 6am each day. Of course, that time can be manually adjusted by opening the scheduled task once it’s created. The install mode will ask for credentials to run the scheduled task under. Install it as so:

.\New-PasswordReminder.ps1 -Install

Note: The scheduled task is configured to point to where the script is when you run the install switch. So don’t move it later!

To send an email that does not contain the images or their related formatting, specify $NoImages when running the script. This will send essentially an HTML formatted text email.

Next up, I added some simple logging to the application event log. The script will write a single entry when it starts, and a single entry when it finishes, noting how many users were processed (sent an email). I would love to hear how this script works in large environments. If you’re willing, please let me know (via comments below) how long it’s taking to run in your environment, and the number of users in AD.

Please send me your suggestions!

Donations

I’ve never been one to really solicit donations for my work. My offerings are created because *I* need to solve a problem, and once I do, it makes sense to offer the results of my work to the public. I mean, let’s face it: I can’t be the only one with that particular issue, right? Quite often, to my surprise, I’m asked why I don’t have a “donate” button so people can donate a few bucks. I’ve never really put much thought into it. But those inquiries are coming more often now, so I’m yielding to them. If you’d like to donate, you can send a few bucks via PayPal at https://www.paypal.me/PatRichard. Money collected from that will go to the costs of my website (hosting and domain names), as well as to my home lab.

Syntax

New-PasswordReminder.ps1 [-Demo] [-Install] [[-PreviewUser] <String>] [-NoImages] [-WhatIf] [-Confirm] [<CommonParameters>]

Demo
Runs the script in demo mode. Demo mode displays users who are expiring soon, but does not send them the reminder email.

Install
Creates a scheduled task to run the script automatically every day at 6:00am.

PreviewUser
Defines the user to send the preview email to.

NoImages
Specifies that a HTML text only message should be sent instead of one that contains the fancy formatting.

Installation

Execution Policy: Third-party PowerShell scripts may require that the PowerShell Execution Policy be set to either AllSigned, RemoteSigned, or Unrestricted. The default is Restricted, which prevents scripts – even code signed scripts – from running. For more information about setting your Execution Policy, see Using the Set-ExecutionPolicy Cmdlet.

In addition to the info listed above:

If you leave the following parameters blank, the related text will be removed from the email sent to users: $HelpDeskURL. This will get expanded in the future.

You can change the format of the date displayed in the email by changing the value of $DateFormat. The default is “d”, which yields a date such as 09/07/2012 (MM/dd/yyyy). If you’d like the European style, use “MM/dd/yyyy” instead.

Frequently Asked Questions

Question: Does this work with Exchange Server 2013?

Answer: Yes

Download

v2.9 – 09-13-2013 New-ADPasswordReminder.v2.9.zip

v2.8 – 05-03-2013 New-ADPasswordReminder.v2.8.zip

v2.7 New-PasswordReminder.v2.7.zip

v2.6 New-PasswordReminder.v2.6.zip

v2.4 New-PasswordReminder.v2.4.zip

New-PasswordReminder.zip

ScriptImages.zip – image files used in emails

Changelog

See the changelog for this script which details all versions and their features.

Update Rollup 5 (UR5) for Exchange Server 2010 SP1 Released

August 23rd, 2011

Microsoft has released the following update rollup for Exchange Server 2010:

  • Update Rollup 5 for Exchange Server 2010 SP1 (2582113)

If you’re running Exchange Server 2010 SP1, you need to apply Update Rollup 5 for Exchange 2010 to address the issues listed below.

Remember, you only need to download the latest update for the version of Exchange that you’re running.

Here is a list of the fixes included in update rollup 5:

  1. 2275156 The inline contents disposition is removed when you send a “Content-Disposition: inline” email message by using EWS in an Exchange Server 2010 environment
  2. 2499044 You cannot save attachments in an email message by using OWA if the subject line contains special characters in an Exchange Server 2010 environment
  3. 2509306 Journal reports are expired or lost when the Microsoft Exchange Transport service is restarted in an Exchange Server 2010 environment
  4. 2514766 A RBAC role assignee can unexpectedly run the Add-ADPermission command on an Exchange Server 2010 server that is outside the role assignment scope
  5. 2529715 Slow network or replication issues after you change the number of virus scanning API threads in Microsoft Exchange Server 2010
  6. 2536704 Mailbox users who are migrated by using ILM 2007 cannot use the Options menu in OWA in an Exchange Server 2010 environment
  7. 2537094 French translation errors occur when you edit a response to a meeting request by using OWA in an Exchange Server 2010 SP1 environment
  8. 2554604 A RBAC role assignee can unexpectedly manage certificates that are outside the role assignment scope in an Exchange Server 2010 environment
  9. 2555800 You cannot use the GetItem operation in EWS to retrieve properties of an email message in an Exchange Server 2010 environment
  10. 2555850 You cannot delete a mailbox folder that starts with a special character in its name by using Outlook in an Exchange Server 2010 environment
  11. 2556096 The columns in the .csv logging file are not lined up correctly when you perform a discovery search on a mailbox in an Exchange Server 2010 environment
  12. 2556107 The columns in the .csv logging file are not lined up correctly when you perform a discovery search on a mailbox in an Exchange Server 2010 environment
  13. 2556133 A device that uses Exchange ActiveSync cannot access mailboxes in an Exchange Server 2010 environment
  14. 2556156 Extra.exe crashes when it performs RPC activity checks against an Exchange Server 2010 server
  15. 2556352 “ChangeKey is required for this operation” error message in Outlook for Mac 2011 in an Exchange Server 2010 environment
  16. 2556407 Certain client-only message rules do not take effect on email messages that are saved as drafts in an Exchange Server 2010 environment
  17. 2559926 “There are no items to show in this view.” error message when you try to view a folder by using Outlook in an Exchange Server 2010 environment
  18. 2572958 The “Test-OutlookConnectivity -Protocol HTTP” command fails with an HTTP 401 error in an Exchange Server 2010 environment

Download the rollup here. This update will be available via Windows Update in late September. The next rollup, Update Rollup 6 for Exchange Server 2010 SP1 is planned for October 2011.

Installation Notes:

If you haven’t installed Exchange Server yet, you can use the info at Quicker Exchange installs complete with service packs and rollups to save you some time.

Microsoft Update can’t detect rollups for Exchange 2010 servers that are members of a Database Availability Group (DAG). See the post Installing Exchange 2010 Rollups on DAG Servers for info, and a script, for installing update rollups.

Update Rollups should be applied to Internet facing Client Access Servers before being installed on non-Internet facing Client Access Servers.

If you’re installing the update rollup on Exchange servers that don’t have Internet access, see “Installing Exchange 2007 & 2010 rollups on servers that don’t have Internet access” for some additional steps.

Also, the installer and Add/Remove Programs text is only in English – even when being installed on non-English systems.

Note to Forefront users:

If you don’t disable Forefront before installing a rollup or service pack, and enable afterwards, you run the risk of Exchange related services not starting. You can disable Forefront by going to a command prompt and navigating to the Forefront directory and running FSCUtility /disable. To enable Forefront after installation of a UR or SP, run FSCUtility /enable.

One Liners: See Failed Inbound Messages for the Past Few Days

August 22nd, 2011

Dealing with spam is like herding cats. It moves in every direction, and just when you think you might have it corralled, something comes along in a completely different direction.

Exchange has some fabulous features for reducing the amount of spam that lands in end-user mailboxes, and those features are well documented. Sometimes, you just want to see what’s being stopped. That’s where today’s one liner comes in. This little tidbit will troll through the tracking logs of the server you run it on, and display the failed messages from the last 7 days – most of which are stopped by the Content Filtering Agent. Of course, you can change the number of days to look back, as larger environments will no doubt have a tremendous number of failed messages. Here we see the sender’s email address, recipients, message subject, and the time stamp when the message was attempted.

Get-MessageTrackingLog -ResultSize unlimited -Start ((Get-Date).AddDays(-7)) | Where-Object {$_.EventId -eq "fail"} | Select-Object Sender,Recipients,MessageSubject,TimeStamp

We can specify a specific server to search on:

Get-MessageTrackingLog -ResultSize unlimited -Server <ServerName> -Start ((Get-Date).AddDays(-7)) | Where-Object {$_.EventId -eq "fail"} | Select-Object Sender,Recipients,MessageSubject,TimeStamp

Or, search all servers:

Get-TransportServer | Get-MessageTrackingLog -ResultSize unlimited -Start ((Get-Date).AddDays(-7)) | Where-Object {$_.EventId -eq "fail"} | Select-Object Sender,Recipients,MessageSubject,TimeStamp

And, we can also dump the data to a .csv file for manipulation:

Get-MessageTrackingLog -ResultSize unlimited -Start ((Get-Date).AddDays(-7)) | Where-Object {$_.EventId -eq "fail"} | Select-Object Sender,Recipients,MessageSubject,TimeStamp | Export-Csv c:\failedmessages.csv

Enjoy!

one liners: Finding users with forwarding addresses set

August 16th, 2011

Sometimes while implementing new corporate policies, such as those that control forwarding messages outside of an environment, an admin needs to figure out who is configured that way. Going down through every account and visually inspecting each can be a daunting task. PowerShell comes to the rescue in this one liner:

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.ForwardingAddress -ne $null} | Select-Object Name, @{Expression={$_.ForwardingAddress};Label="Forwarded to"}, @{Expression={$_.DeliverToMailboxAndForward};Label="Mailbox & Forward"}

As we see in our test, one user, Robert Sweet, is configured for forwarding. His account forwards to a contact called “Robert Sweet [External]”, and based on the Mailbox & Forward being False, we know that it only forwards to the external address, and does not also deliver to the Exchange mailbox.

If we needed to, we could use

Get-Contact "Robert Sweet [External]" | Format-List

to get info about the contact, including the destination SMTP address. If we need to disable forwarding for all of the enabled users, we can use

Get-Mailbox -Resultsize Unlimited | Where-Object {$_.ForwardingAddress -ne $null} | Set-Mailbox -ForwardingAddress $null
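An added example, not from the original post, that extends the audit above: it also reads ForwardingSmtpAddress (available on Exchange 2010 and later, and not covered by the ForwardingAddress filter) and classifies each target as internal or external against a list of accepted domains. Test-ExternalForwarding, the accepted domain, the contact SMTP addresses and the extra mailboxes are assumptions constructed for the example; only Robert Sweet's settings come from the post.

```powershell
# Added example, not from the original post. Test-ExternalForwarding is a hypothetical name.
function Test-ExternalForwarding {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Mailbox,
        [Parameter(Mandatory=$true)] [string[]] $AcceptedDomain,
        # Maps a forwarding recipient (as ForwardingAddress displays it) to its SMTP address.
        # Live, this can be built from Get-MailContact (ExternalEmailAddress).
        [hashtable] $ContactAddress = @{}
    )
    process {
        $targets = @()
        if ($Mailbox.ForwardingAddress) {
            # Admin-set forwarding to a recipient object (the case the one liner finds).
            $name = [string]$Mailbox.ForwardingAddress
            $targets += New-Object PSObject -Property @{
                Via = 'ForwardingAddress'; Target = $name; Smtp = $ContactAddress[$name]
            }
        }
        if ($Mailbox.ForwardingSmtpAddress) {
            # Forwarding straight to an SMTP address, stored as "smtp:user@domain".
            $smtp = ([string]$Mailbox.ForwardingSmtpAddress) -replace '^smtp:', ''
            $targets += New-Object PSObject -Property @{
                Via = 'ForwardingSmtpAddress'; Target = $smtp; Smtp = $smtp
            }
        }
        foreach ($t in $targets) {
            # A target that cannot be resolved to an SMTP address stays flagged for review.
            $verdict = 'Unresolved'
            if ($t.Smtp -match '@([^@]+)$') {
                if ($AcceptedDomain -contains $Matches[1]) { $verdict = 'Internal' }
                else                                       { $verdict = 'External' }
            }
            New-Object PSObject -Property @{
                Name           = $Mailbox.Name
                Via            = $t.Via
                Target         = $t.Target
                Verdict        = $verdict
                KeepsLocalCopy = [bool]$Mailbox.DeliverToMailboxAndForward
            } | Select-Object Name, Via, Target, Verdict, KeepsLocalCopy
        }
    }
}

# Constructed sample data standing in for Get-Mailbox output.
$accepted = @('contoso.com')
$contacts = @{
    'Robert Sweet [External]' = 'rsweet@example.net'
    'Help Desk'               = 'helpdesk@contoso.com'
}
$mailboxes = @(
    (New-Object PSObject -Property @{ Name='Robert Sweet'; ForwardingAddress='Robert Sweet [External]'
        ForwardingSmtpAddress=$null; DeliverToMailboxAndForward=$false }),
    (New-Object PSObject -Property @{ Name='Sample User A'; ForwardingAddress=$null
        ForwardingSmtpAddress='smtp:archive@example.org'; DeliverToMailboxAndForward=$true }),
    (New-Object PSObject -Property @{ Name='Sample User B'; ForwardingAddress='Help Desk'
        ForwardingSmtpAddress=$null; DeliverToMailboxAndForward=$true }),
    (New-Object PSObject -Property @{ Name='Sample User C'; ForwardingAddress='Former Vendor'
        ForwardingSmtpAddress=$null; DeliverToMailboxAndForward=$false }),
    (New-Object PSObject -Property @{ Name='Sample User D'; ForwardingAddress=$null
        ForwardingSmtpAddress=$null; DeliverToMailboxAndForward=$false })
)

$mailboxes | Test-ExternalForwarding -AcceptedDomain $accepted -ContactAddress $contacts
```

In production the input is Get-Mailbox -ResultSize Unlimited, and the keys of the contact map have to match however ForwardingAddress is rendered in your organization.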

one liners: Finding Users Who Have Send-As or Full Access Permissions to Mailboxes

August 15th, 2011

This comes up pretty often, especially around migrations and upgrades, or after some embarrassing incident. A manager wants to have a report of users who have send-as rights to other mailboxes. Fortunately, we can use PowerShell to do the heavy lifting:

Get-Mailbox -ResultSize Unlimited | Get-ADPermission | Where-Object {($_.ExtendedRights -like "*send-as*") -and -not ($_.User -like "nt authority\self")} | Format-Table Identity, User -auto

This gives us a nice list of those users. As we see, user msweet has send-as permissions to Timothy Gaines’ mailbox:

To find users who have Full Access to the mailbox of others, we can use:

Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object {($_.AccessRights -match "FullAccess") -and -not ($_.User -like "NT AUTHORITY\SELF")} | Format-Table Identity, User

And we see that the same msweet has full control to the mailbox of user Oz Fox.

In each example, we can replace the Get-Mailbox -ResultSize unlimited with a narrower scope, such as Get-Mailbox <identity> to look at specific accounts.

Note that in bigger environments, it can take quite a bit of time for this to run.
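An added example, not from the original post, that merges the output of both one liners into a single delegate report and drops inherited and Deny entries, which otherwise bury the explicit grants a reviewer is looking for. Get-DelegateReport is a hypothetical name and the sample entries are constructed; only the msweet grants on Timothy Gaines and Oz Fox come from the post.

```powershell
# Added example, not from the original post. Get-DelegateReport is a hypothetical name.
# Takes entries shaped like Get-MailboxPermission / Get-ADPermission output and returns
# one row per mailbox and delegate, listing only explicit Allow grants.
function Get-DelegateReport {
    param([Parameter(Mandatory=$true)] [object[]] $Entry)

    $rows = @(foreach ($e in $Entry) {
        if ($e.IsInherited -or $e.Deny) { continue }                   # inherited or Deny ACE
        if (([string]$e.User) -like 'NT AUTHORITY\SELF') { continue }  # the mailbox owner
        $right = $null
        if     (([string]$e.AccessRights)   -match 'FullAccess') { $right = 'FullAccess' }
        elseif (([string]$e.ExtendedRights) -match 'Send-As')    { $right = 'Send-As' }
        if ($right) {
            New-Object PSObject -Property @{
                Mailbox = [string]$e.Identity; Delegate = [string]$e.User; Right = $right
            }
        }
    })
    if ($rows.Count -eq 0) { return }

    $rows | Group-Object Mailbox, Delegate | ForEach-Object {
        New-Object PSObject -Property @{
            Mailbox  = $_.Group[0].Mailbox
            Delegate = $_.Group[0].Delegate
            Rights   = (($_.Group | ForEach-Object { $_.Right } | Sort-Object -Unique) -join ', ')
        } | Select-Object Mailbox, Delegate, Rights
    }
}

# Constructed sample entries (domain and group names are made up).
function New-SampleAce($Identity, $User, $AccessRights, $ExtendedRights, $IsInherited, $Deny) {
    New-Object PSObject -Property @{
        Identity = $Identity; User = $User; AccessRights = $AccessRights
        ExtendedRights = $ExtendedRights; IsInherited = $IsInherited; Deny = $Deny
    }
}
$entries = @(
    (New-SampleAce 'Timothy Gaines' 'CONTOSO\msweet'           @('ExtendedRight') @('Send-As') $false $false),
    (New-SampleAce 'Oz Fox'         'CONTOSO\msweet'           @('FullAccess')    $null        $false $false),
    (New-SampleAce 'Oz Fox'         'NT AUTHORITY\SELF'        @('FullAccess')    $null        $false $false),
    (New-SampleAce 'Oz Fox'         'CONTOSO\Exchange Servers' @('FullAccess')    $null        $true  $false),
    (New-SampleAce 'Oz Fox'         'CONTOSO\Domain Admins'    @('FullAccess')    $null        $true  $true)
)

Get-DelegateReport -Entry $entries

# Live input, built from the two one liners in this post:
#   $entries  = @(Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission)
#   $entries += @(Get-Mailbox -ResultSize Unlimited | Get-ADPermission)
```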

Update Rollup 4 (UR4) for Exchange Server 2010 SP1 Released

June 22nd, 2011

UPDATE: This UR has been pulled from the Download Center due to problems with copying folders in Outlook. Please see Kevin Allison’s comments for more information.

Microsoft has released the following update rollup for Exchange Server 2010:

  • Update Rollup 4 for Exchange Server 2010 SP1 (2509910)

If you’re running Exchange Server 2010 SP1, you need to apply Update Rollup 4 for Exchange 2010 to address the issues listed below.

Remember, you only need to download the latest update for the version of Exchange that you’re running.

Here is a list of the fixes included in update rollup 4:

  1. 2537099 “80040154” error message when you try to configure external Client Access namespaces on an Exchange Server 2010 server
  2. 2536700 Outlook stops responding when you try to copy a folder to its subfolder by using Outlook in online mode in an Exchange Server 2010 SP1 environment
  3. 2536517 The Microsoft Exchange RPC Client Access service crashes intermittently on an Exchange Server 2010 server
  4. 2536494 It takes a long time to return results when you perform an Advanced Find search on a mailbox by using Outlook in online mode in an Exchange Server 2010 SP1 environment
  5. 2535648 The EMC takes a long time to open in an Exchange Server 2010 environment
  6. 2535130 Performance in Outlook or in OWA decreases when you use IMAP4 to access the contacts folder in an Exchange Server 2010 environment
  7. 2535105 There is no option to disable the Availability service in an Exchange Server 2010 environment
  8. 2533543 Event ID 2153 is logged on each database availability group member in an Exchange Server 2010 environment
  9. 2533538 You cannot look up the free/busy information of a user who is located on an Exchange Server 2010 organization from another Exchange Server 2010 organization
  10. 2533451 A RBAC role assignee can unexpectedly run the “Update-FileDistributionService” command on an Exchange Server 2010 server that is outside the role assignment scope
  11. 2519359 “Changes to the rule cannot be saved.” error message when you try to create a reply rule by using Outlook in an Exchange Server 2010 environment
  12. 2518850 You cannot receive email messages on a mobile phone by using ActiveSync in an Exchange Server 2010 environment
  13. 2517088 Public folder conflict resolution does not work as usual in an Exchange Server 2010 environment
  14. 2515259 “The items could not be copied.” error message when you run the Get-MailboxSearch cmdlet in an Exchange Server 2010 SP1 environment
  15. 2514709 Event ID 1001 after you successfully the install Exchange Server 2010 Unified Messaging server role
  16. 2514574 The Exchange RPC Client Access service crashes in an Exchange Server 2010 environment
  17. 2513723 The “New-MailboxImportRequest” cmdlet does not import all messages in a .pst file in the ANSI format in an Exchange Server 2010 environment
  18. 2512023 “GetUserOofSettings”, “SetUserOofSettings” and “GetUserAvailability” operations do not support Exchange Impersonation on the Exchange Server 2010 SP1 schema
  19. 2511897 You cannot send an email message to a mailbox for a brief period when you move the mailbox by using online move in an Exchange Server 2010 environment
  20. 2507463 You cannot move a mailbox that contains a corrupted Search Folder in an Exchange Server 2010 environment
  21. 2506820 The free/busy information does not display of a user whose mailbox is located on an Exchange Server 2003 server
  22. 2506049 The hierarchy of a new public folder database on an Exchange Server 2010 SP1 server is not replicated
  23. 2505968 The EdgeTransport.exe process crashes when you apply a rule that contains a bad email address in an Exchange Server 2010 environment
  24. 2504453 You cannot retrieve statistical information about a public folder by using the “Get-PublicFolderStatistics” cmdlet in an Exchange Server 2010 SP1 environment
  25. 2503337 Comments of your meeting response message is missing when you decline a meeting request in an Exchange Server 2010 environment
  26. 2501070 A RBAC role assignee can stop queue processing on an Exchange Server 2010 Hub Transport server or an Exchange Server 2010 Edge Transport server that is outside the role assignment scope
  27. 2500903 A space is missing in the subject line of a “Tentative” meeting response in an Exchange Server 2010 environment
  28. 2500648 “There are no items to show in this view.” error message when you try to view a folder in Outlook in an Exchange Server 2010 environment
  29. 2495167 You cannot recover a deleted public folder by using Outlook or MFCMAPI in an Exchange Server 2010 environment
  30. 2495010 The EdgeTransport.exe process consumes 100% CPU usage on an Exchange Server 2010 Edge Transport server or an Exchange Server 2007 Edge Transport server
  31. 2493393 You cannot use ECP to perform a wipe on a mobile phone in an Exchange Server 2010 SP1 environment
  32. 2492068 “The item cannot be saved to this folder.” error message when try to post an item to a mail-disabled public folder in an Exchange Server 2010 SP1 environment
  33. 2491354 You cannot view the free/busy information of users in a mixed Exchange Server 2007 and Exchange Server 2010 environment
  34. 2490134 A deferred delivery email message is not delivered by using Outlook 2007 in online mode in an Exchange Server 2010 environment
  35. 2489964 An update enables range 0x-0x1F characters in the display name of an Exchange Server 2010 user account
  36. 2489938 The “Connect-ExchangeServer” function does not change the target Exchange server in Exchange Server 2010
  37. 2489130 A RBAC role assignee can unexpectedly change mailbox properties that are outside the management role group scope in an Exchange Server 2010 environment
  38. 2488643 Outlook downloads duplicated POP3 email messages in an Exchange Server 2010 environment
  39. 2479188 The iCal parts of an email message contain invalid entries when they are sent from an Exchange Server 2003 mailbox to an Exchange Server 2010 mailbox
  40. 2477273 The DomainController parameter does not work when you use the “MoveMailbox.ps1” script to move mailboxes in an Exchange Server 2010 environment
  41. 2471964 A NDR is sent to the sender when you move an email message to a personal folder file in an Exchange Server 2010 SP1 or a later version environment
  42. 2467619 A user who manages a distribution group cannot remove another user whose mailbox is disabled in an Exchange Server 2010 environment
  43. 2465292 “MAPI_E_FAILONEPROVIDER (0x8004011D)” error message when you access an Exchange Server 2010 mailbox by using a MAPI application
  44. 2446908 ESE event descriptions are missing in Event Viewer when the Eseutil utility is called on an Exchange Server 2010 SP1 server
  45. 2394554 An email message is not delivered if it contains unsupported encoded characters in the subject line in an Exchange Server 2010 environment
  46. 2491951 You cannot install Exchange Server 2010 SP1 if the NetBIOS domain name of the domain controller contains an ampersand (&) character
  47. 2507066 Administrator audit logging is disabled unexpectedly during an Exchange Server 2010 SP1 installation

Download the rollup here.

Installation Notes:

If you haven’t installed Exchange Server yet, you can use the info at Quicker Exchange installs complete with service packs and rollups to save you some time.

Microsoft Update can’t detect rollups for Exchange 2010 servers that are members of a Database Availability Group (DAG). See the post Installing Exchange 2010 Rollups on DAG Servers for info, and a script, for installing update rollups.

Update Rollups should be applied to Internet facing Client Access Servers before being installed on non-Internet facing Client Access Servers.

If you’re installing the update rollup on Exchange servers that don’t have Internet access, see “Installing Exchange 2007 & 2010 rollups on servers that don’t have Internet access” for some additional steps.

Also, the installer and Add/Remove Programs text is only in English – even when being installed on non-English systems.

Note to Forefront users:

If you don’t disable Forefront before installing a rollup or service pack, and enable afterwards, you run the risk of Exchange related services not starting. You can disable Forefront by going to a command prompt and navigating to the Forefront directory and running FSCUtility /disable. To enable Forefront after installation of a UR or SP, run FSCUtility /enable.

Update Rollup 3 (UR3) for Exchange Server 2010 SP1 Released

March 8th, 2011 No comments

Microsoft has released the following update rollup for Exchange Server 2010:

  • Update Rollup 3 for Exchange Server 2010 SP1 (2492690)

If you’re running Exchange Server 2010 SP1, you need to apply Update Rollup 3 for Exchange 2010 to address the issues listed below.

Remember, you only need to download the latest update for the version of Exchange that you’re running.

Here is a list of the fixes included in update rollup 3:

  1. 2506998 A call is disconnected when transferring the call from the main auto attendant to an auto attendant that has a different language configured in an Exchange Server 2010 environment
  2. 2497682 The store.exe process crashes when you try to dismount an active copy of a mailbox database that is hosted by a mailbox server in an Exchange Server 2010 SP1 environment
  3. 2497669 A meeting request cannot be opened after you disable the “Display sender’s name on messages” option in the EMC on an Exchange Server 2010 server
  4. 2494798 Certain email messages cannot be downloaded when you log on to an Exchange Server 2010 mailbox by using an IMAP4 client application
  5. 2494389 Unnecessary events are logged in the Application log when you run the “Test-EcpConnectivity” cmdlet in an Exchange Server 2010 environment
  6. 2489822 “The Mailbox you are trying to access isn’t currently available” error when you use OWA Premium to try to delete an item that is in a shared mailbox
  7. 2489713 Exchange Server 2010 SP1 supports the remote archive feature after an update changes Outlook cookies name
  8. 2489602 The “Get-FederationInformation” cmdlet cannot query federation information from an external Exchange organization in an Exchange Server 2010 environment
  9. 2487852 “You do not have sufficient permissions. This operation can only be performed by a manager of the group.” error message when you try to change the “ManagedBy” attribute in an Exchange Server 2010 SP1 environment
  10. 2487501 The body of an email message is empty when you try to use an IMAP client application to read it in an Exchange Server 2010 environment
  11. 2484862 You cannot read an email message by using an IMAP client in an Exchange Server 2010 environment
  12. 2482471 A content search fails in an IMAP client application that connects to an Exchange Server 2010 mailbox
  13. 2482103 It takes a long time to expand a distribution list by using EWS in an Exchange Server 2010 environment
  14. 2482100 You cannot create or update an inbox rule that specifies the “NoResponseNecessary” value by using EWS in an Exchange Server 2010 environment
  15. 2481283 Various issues occur after you use Outlook to sign and then forward an email message in an Exchange Server 2010 environment
  16. 2479875 The Microsoft Exchange Mailbox Replication Service service crashes when you run the “New-MailboxImportRequest” cmdlet to import a .pst file into a mailbox in an Exchange Server 2010 environment
  17. 2479227 A forwarding rule does not function and the EdgeTransport.exe process crashes on an Exchange Server 2010 server
  18. 2476973 Event ID 2168 is logged when you try to back up Exchange data from a DAG in an Exchange Server 2010 SP1 environment
  19. 2469341 Various issues occur after you forward a signed email message by using Outlook in online mode in an Exchange Server 2010 environment
  20. 2468514 OWA 2010 removes Calendar links that you add into multiple calendar groups by using Outlook 2010 calendar
  21. 2467565 You cannot install an update rollup for Exchange Server 2010 with a deployed GPO that defines a PowerShell execution policy for the server to be updated
  22. 2464564 You cannot change your password if the user name that you type in OWA is in UPN format when you enable Exchange Server 2010 SP1 Password Reset Tool
  23. 2463858 A request to join a distribution group does not contain the distribution group name in an Exchange Server 2010 SP1 environment
  24. 2463798 Users may experience a decrease in performance in Outlook or in OWA when you use IMAP4 to access the calendar folder in an Exchange Server 2010 SP1 environment
  25. 2458543 A memory leak occurs in the Exchange RPC Client Access service on Exchange Server 2010 servers
  26. 2458522 Entries disappear from a junk email blocked list or a junk email safe list after you install Exchange Server 2010 SP1
  27. 2457868 “HTTP Error 400 Bad Request” error message when you use OWA in Exchange Server 2010 SP1 to receive instant messages by using Internet Explorer 9
  28. 2457688 Error message when you try to add an external email address to the safe sender list in OWA in an Exchange Server 2010 SP1 environment
  29. 2457304 You receive a synchronization failed email message when you synchronize your mobile device by using ActiveSync on an Exchange Server 2010 mailbox
  30. 2451101 7 BIT is not in quotation marks when you use the “FETCH (BODYSTRUCTURE)” command to request for a specific message in an Exchange Server 2010 environment
  31. 2447629 Event ID 4999 is logged when the Exchange Mail Submission Service crashes intermittently on an Exchange Server 2010 Mailbox server
  32. 2445121 A memory leak occurs in the Microsoft.Exchange.Monitoring.exe process when you run the “Test-OwaConnectivity” cmdlet or the “Test-ActiveSyncConnectivity” cmdlet in the EMS on an Exchange Server 2010 server
  33. 2443688 Event ID 10003 and Event ID 4999 are logged when the EdgeTransport.exe process on an Exchange Server 2010 server crashes
  34. 2432494 You cannot view the mailbox database copies that are hosted on certain Mailbox servers by using the Exchange Management Console after you install Exchange Server 2010 SP1
  35. 2426952 You cannot remove a mailbox database copy from a database on an Exchange Server 2010 server
  36. 2424801 The Microsoft Exchange Service Host service on an Exchange Server 2010 server crashes
  37. 2423754 The recipient response status is incorrect after you add another user to an occurrence of a meeting request in an Exchange Server 2010 environment
  38. 2417084 A public folder disappears from the Public Folder Favorites list of an Exchange Server 2010 mailbox
  39. 2410571 A RBAC role assignee can unexpectedly change permissions of mailboxes that are outside the role assignment scope in an Exchange Server 2010 environment
  40. 2398431 Using Pipelining in SMTP to check email addresses does not work correctly when you disable tarpitting functionality on a Receive connector in an Exchange Server 2010 environment
  41. 2277649 You receive misleading information when you run the “New-TestCasConnectivityUser.ps1” script on an Exchange Server 2010 server
  42. 2009942 Folders take a long time to update when an Exchange Server 2010 user uses Outlook 2003 in online mode

Download the rollup here. The Update Rollup will be available via Microsoft Update on March 22nd 2011.

Microsoft has announced that Update Rollup 4 for Exchange Server 2010 SP1 is expected to be released in May 2011.

Installation Notes:

If you haven’t installed Exchange Server yet, you can use the info at Quicker Exchange installs complete with service packs and rollups to save you some time.

Microsoft Update can’t detect rollups for Exchange 2010 servers that are members of a Database Availability Group (DAG). See the post Installing Exchange 2010 Rollups on DAG Servers for info, and a script, for installing update rollups.

Update Rollups should be applied to Internet facing Client Access Servers before being installed on non-Internet facing Client Access Servers.

If you’re installing the update rollup on Exchange servers that don’t have Internet access, see “Installing Exchange 2007 & 2010 rollups on servers that don’t have Internet access” for some additional steps.

Also, the installer and Add/Remove Programs text is only in English – even when being installed on non-English systems.

Note to Forefront users:

If you don’t disable Forefront before installing a rollup or service pack, and enable afterwards, you run the risk of Exchange related services not starting. You can disable Forefront by going to a command prompt and navigating to the Forefront directory and running FSCUtility /disable. To enable Forefront after installation of a UR or SP, run FSCUtility /enable.

Update Rollup 1 (UR1) for Exchange Server 2007 SP3 Released

September 13th, 2010 No comments

Microsoft has released the following update rollup for Exchange Server 2007:

  • Update Rollup 1 for Exchange Server 2007 SP3 (2279655)

If you’re running Exchange Server 2007, you need to apply Update Rollup 1 for Exchange 2007 to address the issues listed below.

Remember, you only need to download the latest update for the version of Exchange that you’re running.

Here is a list of the fixes included in update rollup 1:

  1. 2188615 Event ID: 4999 is logged when the EdgeTransport.exe process crashes intermittently on an Exchange Server 2007 server
  2. 2203381 “554 5.6.0 STOREDRV.Deliver; Corrupt message content” NDR is generated when you send an email message to an Exchange Server 2007 user
  3. 2251714 The connecting information is not logged when a user accesses a mailbox that is hosted on an Exchange Server 2007 server by using POP3 or by using IMAP4
  4. 958305 An incorrect user is displayed as the caller in a mail message in an Exchange Server 2007 environment
  5. 973040 The Bcc information is lost when the Exchange Server 2003 journalized messages are sent to an Exchange Server 2007 mailbox
  6. 973637 Exchange Server 2007 creates incorrect Lotus Notes proxy email addresses
  7. 975424 The “legacyExchangeDN” value is shown in the “From” field of an email message instead of the Simple Display Name in an Exchange Server 2007 environment
  8. 975993 “The message could not be opened” error message when an Exchange Server 2007 user tries to open or accept a meeting request
  9. 976100 Shared calendar items are shown incorrectly in the server time zone instead of the time zone of an Exchange Server 2007 user who is accessing the shared calendar
  10. 977189 The meeting time of a meeting forward notification is incorrect on an Exchange Server 2007 server
  11. 978144 A warning message is received when you run the Test-ReplicationHealth cmdlet on an Exchange Server 2007 server
  12. 978468 You receive an error message and Event ID: 1008 is logged when you move an Exchange Server 2007 mailbox
  13. 979038 A memory leak occurs in the Microsoft.Exchange.Monitoring.exe process when you run the Test-OwaConnectivity cmdlet or the Test-ActiveSyncConnectivity cmdlet in Exchange Management Shell on an Exchange Server 2007 server
  14. 979194 Excluding domain names from the Sender ID filter does not take effect after you run the Set-SenderIDConfig cmdlet on an Exchange Server 2007 server
  15. 979338 Fax communication sessions are dropped by an Exchange Server 2007 Unified Messaging server
  16. 979519 The PR_REPORT_TEXT property represents an incorrect read notification in Exchange Server 2007
  17. 979803 Internet Explorer unexpectedly focuses on an Exchange Server 2007 user’s OWA inbox or on an OWA calendar that is added as a web part on a SharePoint Server-based website
  18. 980205 Public folder replication is blocked unexpected in an Exchange Server 2007 environment
  19. 980301 The Microsoft Exchange Information Store service stops responding during a Volume Shadow Copy Service backup on an Exchange Server 2007 server
  20. 980404 A multibyte character is converted into a “0xFFFD” character or into unrecognized characters when you use Exchange Web Services in an Exchange Server 2007 environment
  21. 980725 You experience issues when you move messages from one mailbox folder to another mailbox folder in an Exchange Server 2007 environment
  22. 980914 A user does not receive any new email messages by using a third-party POP3 client in a mixed Exchange Server 2007 and Exchange Server 2003 environment
  23. 980953 A second dot is added to the file names of the automatic generated attachments on an Exchange Server 2007 SP2 or later version server
  24. 981794 The Get-AgentLog cmdlet operation stops and you receive an error message Exchange Server 2007
  25. 982055 The store.exe process crashes occasionally on an active node when you move the Exchange Virtual Server from an active node to a passive node in an Exchange Server 2007 cluster environment
  26. 982099 Unexpected issues occur after you run the Set-mailbox cmdlet on an Exchange Server 2007 server to convert a shared mailbox into a regular mailbox
  27. 982118 The VSS backup operation fails occasionally and Event ID: 2034 is generated on an Exchange Server 2007 server
  28. 982213 The display name or the address of a user is displayed in garbage characters when you reply to an email message in an Exchange Server 2007 environment
  29. 982475 The inline image of an email message that is sent by using OWA with S/MIME enabled is lost for an Exchange Server 2007 user
  30. 982542 Attachments of certain email messages disappear at the client-side when you use an ExOLEDB-based application to change email messages in an Exchange Server 2007 environment
  31. 982722 It takes a long time to copy or move items from one public folder to another public folder by using Outlook in an Exchange Server 2007 environment
  32. 982928 The Msftesql.exe process continues using memory on an Exchange Server 2007 server
  33. 983296 Exchange ActiveSync crashes on an Exchange Server 2007 server causing the client synchronization to be unavailable
  34. 983447 A NDR is not generated when an email message is not delivered after you set the value for “Maximum number of recipients” of “Transport Settings” to “0” on an Exchange Server 2007 server
  35. 983529 The EdgeTransport.exe process crashes and then restarts on an Exchange Server 2007 server
  36. 983540 “Http 500” error message when you use Exchange Troubleshooting Assistant on an Exchange Server 2007 Client Access server to diagnose issues

Download the rollup here.

Installation Notes:

If you haven’t installed Exchange Server yet, you can use the info at Quicker Exchange installs complete with service packs and rollups to save you some time.

Microsoft Update can’t detect rollups for Exchange 2010 servers that are members of a Database Availability Group (DAG). See the post Installing Exchange 2010 Rollups on DAG Servers for info, and a script, for installing update rollups.

Update Rollups should be applied to Internet facing Client Access Servers before being installed on non-Internet facing Client Access Servers.

If you’re installing the update rollup on Exchange servers that don’t have Internet access, see “Installing Exchange 2007 & 2010 rollups on servers that don’t have Internet access” for some additional steps.