Posts Tagged ‘Exchange Management Shell (EMS)’

Script: DAG-InstallRollup.ps1 – Installing Exchange 2010 Rollups on DAG Servers

December 15th, 2009 2 comments

As you’ve probably heard, Microsoft recently released the first rollup package for Exchange 2010. Like the Exchange 2007 versions, installation on typical servers is fairly straightforward. However, when we get to Database Availability Group (DAG) servers, there are a few more steps involved. We’ll take a look at those steps here today.

When using DAGs, the idea is to provide a high availability solution. This can include having activated databases spread among 2 or more servers. This is a fabulous feature that is quite popular. But we have to take this into account when applying updates that will either stop services, or require a reboot. We’ll need to make sure there are no activated databases on the DAG server we’re installing the rollup on. To do this, we perform two steps: stop the server from activating any more databases, and take the activated databases and activate them (make them “live”) elsewhere. This will leave us with a DAG server that has no live mailbox connections, and thus, available for updating.

First, we’ll stop the current server from activating databases using some PowerShell. On the server you’re about to update, open Exchange Management Shell and run this:

Get-MailboxDatabaseCopyStatus -Server (hostname) | Suspend-MailboxDatabaseCopy -ActivationOnly -Confirm:$false

Note the “(hostname)”, which basically just says the local server – no need to put an actual server name there (OK, I’ll admit, I’m lazy). At this point, the server will continue to have databases kept up to date, but won’t activate any if another DAG member goes down. Now we perform a switchover, which takes all databases activated on this server and activates them on another DAG node instead. In this example, we’ll activate them on Ex2 using this:

Move-ActiveMailboxDatabase -Server (hostname) -ActivateOnServer Ex2

However, if this is a case where there are more than two nodes in the DAG, we could let the system automatically determine the best mailbox server to use by not specifying the -ActivateOnServer parameter, such as this:

Move-ActiveMailboxDatabase -Server (hostname)

In either case, enter “Y” at the prompt.

This can also be accomplished via the Exchange Management Console a couple of different ways. We can manually activate the individual databases on other DAG members. To do so, open EMC, and navigate to Organization Configuration>Mailbox. Find the database(s) that need to be activated on another server, right click, and choose Move Active Mailbox Database. Click Browse and pick the server you’d like to activate it on, as shown below, and click Move. When it’s done, click Finish. Do this for each of the databases currently activated on the server you want to update.



We can also do a full switchover, activating all databases on a single DAG server, or letting the wizard pick. To do so, in EMC, go to Server Configuration>Mailbox. Right click on the server you’re going to update, and choose Switchover Server. In the resulting box, as shown below, choose “Automatically choose a target server” to have Exchange pick the best server to activate a database on, or “Use the specified server as the target of the switchover” to manually pick a server (and then click browse and pick the server).



Click Ok, and the switchover will take place. When it’s finished, there is no confirmation that it’s done. You can look in EMC at Organization Configuration>Mailbox. On the Database Management tab, verify that all databases are mounted on a server other than the one you’re updating.

Once that’s finished, we install the rollup. There really isn’t much need to detail that here – just pick ‘next’ all of the way through. It will take some time to run. Click Finish when it’s done.

Once we’re sure the installation was successful, and all services are started, we enable the server to activate databases again using this:

Get-MailboxDatabaseCopyStatus -Server (hostname) | Resume-MailboxDatabaseCopy

This doesn’t activate databases right away – it just allows the server to do so if the activated copy on another DAG node (or the node itself) goes down.

Follow this same process for the remaining servers in your DAG. Disable activation, switchover, install the rollup, and resume activation.
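
Because the EMC switchover gives no confirmation, a scripted check before launching the rollup installer is useful. The following is an added example, not part of the original post or of DAG-InstallRollup.ps1; the function name Test-DagNodeReadyForRollup is hypothetical, it assumes the Name, Status and ActivationSuspended properties that Get-MailboxDatabaseCopyStatus returns, and constructed sample objects stand in for live output.

```powershell
# Added example (hypothetical helper): decide whether a DAG member is safe
# to patch from the objects Get-MailboxDatabaseCopyStatus returns for it.
function Test-DagNodeReadyForRollup {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyCollection()]
        [object[]] $CopyStatus
    )

    # Statuses that only an active copy reports. Passive copies report
    # Healthy, Suspended, Failed and so on.
    $activeStates = 'Mounted', 'Mounting', 'Dismounted', 'Dismounting'

    # Copies that are still active on this server (the switchover is not complete)
    $stillActive = @($CopyStatus | Where-Object { $activeStates -contains "$($_.Status)" })

    # Copies this server could still activate during the install
    # (Suspend-MailboxDatabaseCopy -ActivationOnly was not applied to them)
    $canActivate = @($CopyStatus | Where-Object { $_.ActivationSuspended -ne $true })

    New-Object PSObject -Property @{
        Ready                  = (($stillActive.Count -eq 0) -and ($canActivate.Count -eq 0))
        StillActiveHere        = @($stillActive | ForEach-Object { $_.Name })
        ActivationNotSuspended = @($canActivate | ForEach-Object { $_.Name })
    }
}

# Constructed sample data: DB02 is still mounted here, DB03 was never suspended.
$sample = @(
    New-Object PSObject -Property @{ Name = 'DB01\EX1'; Status = 'Healthy'; ActivationSuspended = $true }
    New-Object PSObject -Property @{ Name = 'DB02\EX1'; Status = 'Mounted'; ActivationSuspended = $true }
    New-Object PSObject -Property @{ Name = 'DB03\EX1'; Status = 'Healthy'; ActivationSuspended = $false }
)

$result = Test-DagNodeReadyForRollup -CopyStatus $sample
$result | Format-List Ready, StillActiveHere, ActivationNotSuspended

# On a real DAG member, in Exchange Management Shell:
# $result = Test-DagNodeReadyForRollup -CopyStatus @(Get-MailboxDatabaseCopyStatus -Server (hostname))
# if (-not $result.Ready) { Write-Warning "Do not install the rollup yet"; $result | Format-List }
```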

Once all of the servers are updated, we need to make sure that each database is active on the correct server. Each database has a parameter called ActivationPreference that lists the order of preference that a database is activated on servers that hold a copy. This can be viewed in EMS by using

Get-MailboxDatabase | Select Name, ActivationPreference, Server

The Server field shows which server the database is currently activated on, as seen here:



You could use EMC to manually activate the databases back on the original server, or use the code or script below.

Paul Flaherty posted a couple of one liners that we’ll use here. First, we’ll activate the databases on the correct servers using this:

Get-MailboxDatabase | Sort Name | ForEach {$db=$_.Name; $xNow=$_.Server.Name ;$dbown=$_.ActivationPreference| Where {$_.Value -eq 1};  Write-Host $db "on" $xNow "Should be on" $dbOwn.Key -NoNewLine; If ( $xNow -ne $dbOwn.Key){Write-host " WRONG" -ForegroundColor Red; Move-ActiveMailboxDatabase $db -ActivateOnServer $dbOwn.Key -confirm:$False} Else {Write-Host " OK" -ForegroundColor Green}}

This will essentially look at each database, determine which server has the preference of ‘1’, and make sure the database is activated on that server.

Then, we can verify that they are all activated correctly using another one liner from Paul:

Get-MailboxDatabase | Sort Name | ForEach {$db=$_.Name; $xNow=$_.Server.Name ;$dbown=$_.ActivationPreference| Where {$_.Value -eq 1};  Write-Host $db "on" $xNow "Should be on" $dbOwn.Key -NoNewLine; If ( $xNow -ne $dbOwn.Key){Write-host " WRONG" -ForegroundColor Red; } Else {Write-Host " OK" -ForegroundColor Green}}



At this point, we have the rollup installed on all DAG members, and the databases are activated on the correct server. We can also take a script written by Bhargav Shukla to verify which servers have which rollup(s) installed. This is helpful in an environment with a lot of servers to help validate that they are all at the same patch level.

Update: I’ve created a quick PowerShell script that will perform many of these tasks. I used the commands listed here, as well as some basic error handling. Thanks to the contributions of others listed here, it’s now much easier. Perform steps 1 and 2 before installing the update, and 3, 4, and 5 after the update.

Installation

Execution Policy: Third-party PowerShell scripts may require that the PowerShell Execution Policy be set to either AllSigned, RemoteSigned, or Unrestricted. The default is Restricted, which prevents scripts – even code signed scripts – from running. For more information about setting your Execution Policy, see Using the Set-ExecutionPolicy Cmdlet.

Donations

I’ve never been one to really solicit donations for my work. My offerings are created because *I* need to solve a problem, and once I do, it makes sense to offer the results of my work to the public. I mean, let’s face it: I can’t be the only one with that particular issue, right? Quite often, to my surprise, I’m asked why I don’t have a “donate” button so people can donate a few bucks. I’ve never really put much thought into it. But those inquiries are coming more often now, so I’m yielding to them. If you’d like to donate, you can send a few bucks via PayPal at https://www.paypal.me/PatRichard. Money collected from that will go to the costs of my website (hosting and domain names), as well as to my home lab.

Download

DAG-InstallRollup.zip

Also – if you’re installing the rollup on servers that don’t have Internet access, take a look at Installing Exchange 2007 & 2010 rollups on servers that don’t have Internet access

Changelog: Set-Exchange2010FilterConfig.ps1

December 14th, 2009 No comments

This is the changelog page for Set-Exchange2010FilterConfig.ps1. You will find a complete list of released versions, their dates, and the features and issues addressed in each. Please refer to the script’s main page for more information including download links, installation details, and more.

v2.0 – 05-08-2010

  1. better detection of installed filter packs
  2. uses Filter Pack 2
  3. includes PDF iFilter pack
  4. menu

v1.0 – 12-14-2009

  1. initial version

Update Rollup 1 (UR1) for Exchange Server 2007 SP2 Released

November 28th, 2009 No comments

Microsoft has released the following update rollup for Exchange Server 2007:

  • Update Rollup 1 for Exchange Server 2007 SP2 (971534)

If you’re running Exchange Server 2007 SP2, you need to apply Update Rollup 1 for Exchange 2007 SP2 to address the security issues listed below.

Remember, you only need to download the latest update for the version of Exchange that you’re running. RTM updates can’t be installed on SP2 and vice versa.

Here is a list of the fixes included in rollup 1:

  1. 941775 An error message occurs when you run the “Isinteg” command on a newly created Exchange 2007 database
  2. 958617 E-mail messages are blocked at the local delivery queue in an Exchange Server 2007 Service Pack 2 environment if a user has Outlook client-side rules totaling more than 32 kilobytes (KB)
  3. 961856 The logon page does not display the “This is a private computer” option correctly in the Greek version of Outlook Web Access
  4. 967174 The User account is not logged in Event ID 566 after the user makes changes to a mailbox
  5. 969046 E-mail messages are queued when you use the DNS round robin feature on multiple Exchange Server 2007 hub servers
  6. 969487 The Public Folder Hierarchy replication fails and event error 3079 and 9669 occur in Exchange Server 2007
  7. 969606 Recurring appointments in the calendar public folder are not replicated correctly in Microsoft Exchange Server 2007
  8. 970104 When you install an Exchange Server 2007 update rollup by using a user account that has no Exchange Server Administrator permissions, the installation program fails
  9. 970118 The IMAP4 service crashes, and then event error 4999 occurs on a computer that is running Exchange Server 2007
  10. 970893 E-mail addresses are created incorrectly if an e-mail address policy in Exchange Server 2007 contains certain symbols, a slash or a backslash, and then another of these symbols
  11. 971010 Some databases intermittently do not come back online when a cluster failover occurs in an Exchange Server 2007 CCR environment
  12. 971053 The Edgetransport.exe program intermittently crashes on Exchange Server 2007
  13. 971431 The IMAP service crashes and event error 4999 occurs on a computer that is running Exchange Server 2007
  14. 971641 After you synchronize your mobile device to work with an Exchange Server 2007 server, the synchronization time and the request time are shown in UTC
  15. 971857 The storage limit does not affect the managed custom folder if you copy messages into this folder by using Outlook Web Access (OWA)
  16. 972009 E-mail messages cannot be retrieved by an Exchange Web Service (EWS)-based application if there are invalid control characters in the text body of the e-mail message
  17. 972103 The Microsoft Exchange Information Store service crashes during move-mailbox operations and event error 4999 occurs in Exchange Server 2007
  18. 972115 A transport rule is not applied to MDNs in Exchange Server 2007
  19. 972172 The “Display sender’s name on messages” option in the Exchange Management Console of Exchange Server 2007 does not work for Message Delivery Notifications (MDNs) that are to remote domains
  20. 972269 The Store.exe process hangs intermittently and all clients accessing the server are blocked in an Exchange 2007 environment
  21. 972272 A new download method is available for HTTP offline address books on Exchange Server 2007 servers that has the Client Access Server role installed
  22. 972278 Update of Private status in a meeting request is not reflected in an Exchange Server 2007 environment
  23. 972357 You cannot view a clear-signed e-mail message in Exchange Server 2007 SP2 when you open the message by using a non-MAPI client
  24. 972426 Error message when you save a filter as default in the Exchange Management Console (EMC) and then restart the EMC: “The search filter is invalid”
  25. 972473 Outlook Web Access (OWA) removes the Calendar items for a recurring meeting when you delete the meeting request from the Deleted items folder in Exchange Server 2007
  26. 972514 Event ID 4011 is logged when you query free/busy data for external contacts in Exchange Server 2007
  27. 973190 The wrong attendee is removed in Scheduling Assistant when you remove attendees from a meeting request in Outlook Web Access server light version
  28. 973253 Message delivery times are stamped with the current date and time when Exchange Server 2007 users submit messages by using an IMAP4 client and the APPEND command
  29. 973293 The Edge Transport server’s transport process fails during an e-mail address rewrite on an Exchange Server 2007 server
  30. 973307 An application that uses Exchange Web Services returns an exception on an Exchange Server 2007 server
  31. 973361 Hidden messages in an Exchange Server 2007 mailbox can be downloaded by any IMAP4 client
  32. 973490 Error message in Exchange Management Shell in Microsoft Exchange Server 2007 when you run the “New-DynamicDistributionGroup” command: “You must provide a value expression on the right-hand side of the ‘-and’ operator.”
  33. 973761 When an Exchange Server 2007 user sends a meeting request to external recipients with the Reminder turned off, the default 15 minute Reminder pop-up window still appears
  34. 973868 A delegate cannot cancel meetings in the organizer’s calendar by using Exchange Web Service (EWS)
  35. 973912 Error message when an Exchange 2007 user clicks “Post” or “Send” to submit a new post item or to submit a new calendar item for a moderated public folder in OWA: “The item that you attempted to access no longer exists”
  36. 974010 Recipients cannot see the attendee entry for Domino Room resource after an Exchange Server 2007 user sends a meeting request that includes a Domino room resource to the recipient
  37. 974242 The abbreviation sequence is incorrect when an Outlook Web Access Light user checks the calendar in Weekly view after the user sets the language to “Basque” in Exchange Server 2007 Service Pack 2
  38. 974640 The whole calendar view is broken and an error message is returned when you view an exception occurrence of a private recurring meeting in OWA

Download the rollup here. It is also available on Microsoft Update.

Installation Notes:

If you haven’t installed Exchange Server yet, you can use the info at Quicker Exchange installs complete with service packs and rollups to save you some time.

Microsoft Update can’t detect rollups for Exchange 2010 servers that are members of a Database Availability Group (DAG). See the post Installing Exchange 2010 Rollups on DAG Servers for info, and a script, for installing update rollups.

Update Rollups should be applied to Internet facing Client Access Servers before being installed on non-Internet facing Client Access Servers.

If you’re installing the update rollup on Exchange servers that don’t have Internet access, see “Installing Exchange 2007 & 2010 rollups on servers that don’t have Internet access” for some additional steps.

Changelog: Set-Exchange2010Features.ps1

November 27th, 2009 No comments

This is the changelog page for Set-Exchange2010Features.ps1. You will find a complete list of released versions, their dates, and the features and issues addressed in each. Please refer to the script’s main page for more information including download links, installation details, and more.

v3.3 – 12-29-2011

  1. bug fix: option 99, to exit, didn’t work.
  2. bug fix: CAS options were missing asp.net and ISAPI filters
  3. feature added: Adobe PDF filter pack is now a separate menu option

v3.2 – 12-23-2011

  1. added Web-WMI Windows Feature to all Client Access Server (CAS) role requirements as this is now a requirement in SP2
  2. Changed latest update download to SP2

v3.0

  1. swapped out some functions for newer versions
  2. added transcript
  3. general code cleanup

v2.2

  1. Cleaned up code for detecting R2 version so that it doesn’t bomb with service packs.
  2. cleaned up some other items so that the Lync prerequisite script and this script are more similar.

v2.1

  1. Cleaned up menu code; Cleaned up code to disable IP v6;

v2.0 – 05-07-2010

  1. better detection of installed filter packs; uses Filter Pack 2; includes PDF iFilter pack; added disabling TCP/IP V6 option.
  2. Now uses BITS for file transfers; added unzip function to unzip the PDF iFilter pack download. Cleaned up some functions. Uses environmental variable “temp” for download location. Checks if things are already installed/downloaded/unzipped before trying to install/download/unzip them.

v1.1 – 04-09-2010

  1. added help; downloads of update rollups; cleanup of variables; added another option for typical install w/o RPC-Over-HTTP
  2. added RunOnce to delete download path on reboot

v1.0 – 11-27-2009

  1. initial version

Script: Add-BadPhrasesFromFile.ps1 – Importing a File of Bad Words and Phrases into the Content Filter in Exchange Server 2010

November 8th, 2009 No comments

Description

Once upon a time, we didn’t have to worry about our sensitive eyes seeing offensive words in emails. Times have changed, and now we have some built-in features to help prevent us from seeing terms and phrases that might be deemed offensive. Exchange has had the capacity to define a list of words that are considered bad, and bounce messages if it comes across a message containing any.

But that can take quite a while to manually add each one to the Content Filter, especially if you’re starting out with a long list of words you’d like to filter for. If that’s the case, PowerShell to the rescue! We can use Get-Content to open a text file, and then a ForEach loop to cycle through each line, adding each to the content filter phrase list via Add-ContentFilterPhrase. Add-ContentFilterPhrase can add words and phrases to either the GoodWord list, which will allow words through, or the BadWords list, which will get blocked.

The text file containing the words and phrases to be filtered just needs to have each word/phrase on a new line. No special formatting or anything. So if you have an existing text file, such as the sample word list previously supplied with Microsoft Forefront Security for Exchange, it will work fine. Copy this script to Notepad:

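# Make sure the anti-spam agents are enabled on this transport server first
$a = hostname
If ((Get-TransportServer $a).AntispamAgentsEnabled -eq $false) {
    Write-Host "Please install the anti-spam agents first, then rerun this script"
    exit
}
# One word or phrase per line; blank lines are skipped
$phrases = Get-Content badwordlist.txt | Where-Object {$_.Trim() -ne ''}

if ($args[0] -ne "uninstall") {
    # Default: add every phrase in the file to the BadWord list
    ForEach ($phrase in $phrases) {
        Add-ContentFilterPhrase -Phrase $phrase -Influence BadWord
    }
} else {
    # "uninstall": remove only the phrases listed in the file
    ForEach ($phrase in $phrases) {
        Write-Host "Removing $phrase"
        Remove-ContentFilterPhrase -Phrase $phrase -Confirm:$false
    }
}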

Save that as Add-BadWordsFromFile.ps1, and your text file as badwordlist.txt in the same folder. If you’ve already installed the anti-spam agents on your transport server, then run

.\Add-BadWordsFromFile.ps1

and it will import the contents of the text file, and add them to the Content Filter. If you don’t have the anti-spam agents installed, the script will exit without trying to import the list. If you decide later that you’d like to remove the complete list from the Content Filter, just run the script again as

.\Add-BadWordsFromFile.ps1 uninstall

and it will remove the words contained in the file (preserving any other words you may have manually added).

Once the words and phrases are imported, you can view/add/remove them manually by opening Exchange Management Console and navigating to Organization Configuration>Hub Transport>Anti-spam>Content Filtering>Properties>Custom Words. You’ll see the list in the lower half of the window, as shown below:

This should make importing a list into the Content Filter a little quicker and easier. I welcome any comments.


Download

Add-BadPhrasesFromFile.zip

Script: Update-MobileNumber.ps1 – Automatically Updating the Global Address List with Mobile Numbers from Exchange ActiveSync

October 13th, 2009 2 comments

Description

In some organizations, the Global Address List is used extensively as a phone list and corporate directory. When that’s the case, keeping the information current can be time-consuming. Users don’t always notify you of changes, and Help Desk staff have better things to do than updating stuff like that. There are applications like fellow Jim McBee’s awesome web-based Directory Update, which provides a simple interface for users to update GAL info. But that still requires that the user take the time to update the info. Here, we’ll automate the process of updating the GAL with a new mobile number when a user syncs a new ActiveSync device for the first time.

When a user synchronizes a device, information about the device is stored in Active Directory. The info can be viewed using the Get-ActiveSyncDeviceStatistics cmdlet:

Get-ActiveSyncDeviceStatistics -mailbox dbingham
FirstSyncTime         : 10/2/2009 5:45:54 PM
LastPolicyUpdateTime  : 10/2/2009 5:46:38 PM
LastSyncAttemptTime   : 10/13/2009 4:46:38 PM
LastSuccessSync       : 10/13/2009 4:46:38 PM
DeviceType            : PocketPC
DeviceID              : AF053AA9D0FE3D37C5A2AC3C77ACB9F8
DeviceUserAgent       :
DeviceWipeSentTime    :
DeviceWipeRequestTime :
DeviceWipeAckTime     :
LastPingHeartbeat     :
RecoveryPassword      : ********
DeviceModel           : RAPH800
DeviceIMEI            : 0x80046B09
DeviceFriendlyName    : Pocket_PC
DeviceOS              : Windows CE 5.2.19965
DeviceOSLanguage      : English
DevicePhoneNumber     : 5865311234
Identity              : Danielle.Bingham@mydomain.org\AirSync-PocketPC-AF053AA9D0FE3D37C5A2AC3C77ACB9F8

We see that the next-to-last field contains the device’s phone number*. So, we’ll use some code that will accomplish the following tasks:

  • Get a list of all user mailboxes
  • Get ActiveSync data for all devices that:
    • have a phone number
    • have synced for the first time in the last 24 hours
  • filter out any old devices still listed (in case a user has had more than one EAS device)
  • format the number in a human friendly version (hyphenate)
  • Update the user’s AD account with the number

That can be accomplished using the following code:

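# Get all user mailboxes
$mailboxes = @(Get-Mailbox | ? {$_.RecipientType -eq 'UserMailbox'})
ForEach ($mailbox in $mailboxes){
  # Devices with a phone number that first synced in the last 24 hours; keep only the most recently synced one
  $devices = @(Get-ActiveSyncDeviceStatistics -mailbox $mailbox.Alias | Where-Object {($_.DevicePhoneNumber -ne '') -and ($_.FirstSyncTime -gt (Get-Date).addhours(-24))}) | Sort-Object LastSuccessSync -descending | Select-Object -first 1
  ForEach ($device in $devices){
    if($device.DevicePhoneNumber){
      # Reset for every device so a number left over from a previous mailbox is never reused
      $DeviceNumber = $null
      $NumberLength = $device.DevicePhoneNumber.length
      # 10 characters: hyphenate as-is; 11 characters: drop the leading character, then hyphenate
      if ($NumberLength -eq 10) {$DeviceNumber = $device.DevicePhoneNumber.SubString(0,3)+"-"+$device.DevicePhoneNumber.SubString(3,3)+"-"+$device.DevicePhoneNumber.SubString(6,4)}
      if ($NumberLength -eq 11) {$DeviceNumber = $device.DevicePhoneNumber.SubString(1,3)+"-"+$device.DevicePhoneNumber.SubString(4,3)+"-"+$device.DevicePhoneNumber.SubString(7,4)}
      # Only update the AD account when the number was in one of the two expected lengths
      if ($DeviceNumber) {Set-User $mailbox.Alias -MobilePhone $DeviceNumber}
    }
  }
}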

Copy that code to notepad and save it in your scripts folder as Update-MobileNumber.ps1. Then we just run the script via a scheduled task every 24 hours. If you don’t run it every 24 hours, make sure you adjust the (Get-Date).addhours(-24) line accordingly.

* – Most devices have the number stored there. Some devices, like the Apple iPhone, unfortunately don’t.
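
DevicePhoneNumber is reported by the device, so it is worth validating before it is written to Active Directory. The following is an added example, not part of the original script; the function name ConvertTo-GalMobileNumber is hypothetical, the inputs are constructed, and it assumes ten-digit North American numbers with an optional leading 1, which is a narrower rule than the original's 11-character case.

```powershell
# Added example (hypothetical helper): normalize a device-reported phone number
# to NNN-NNN-NNNN, or return $null when the value is not a plausible number.
function ConvertTo-GalMobileNumber {
    param([string] $DevicePhoneNumber)

    if ([string]::IsNullOrEmpty($DevicePhoneNumber)) { return $null }

    # Reject anything containing characters other than digits and the usual
    # phone punctuation, so free text never reaches the directory.
    if ($DevicePhoneNumber -notmatch '^[\d\s+().-]+$') { return $null }

    # Keep the digits only
    $digits = $DevicePhoneNumber -replace '\D', ''

    # Assumption: an 11-digit value is accepted only with a leading country code of 1
    if (($digits.Length -eq 11) -and $digits.StartsWith('1')) {
        $digits = $digits.Substring(1)
    }
    if ($digits.Length -ne 10) { return $null }

    '{0}-{1}-{2}' -f $digits.Substring(0, 3), $digits.Substring(3, 3), $digits.Substring(6, 4)
}

# Constructed sample inputs: two values in the formats the script expects,
# one with punctuation, one 11-digit value without a leading 1, free text, empty.
$samples = '5865311234', '15865311234', '+1 (586) 531-1234', '44207946000', 'unknown', ''

$samples | ForEach-Object {
    New-Object PSObject -Property @{
        Reported  = $_
        Formatted = (ConvertTo-GalMobileNumber $_)
    }
} | Format-Table Reported, Formatted -AutoSize

# Inside the update loop, write to AD only when a value came back:
# $number = ConvertTo-GalMobileNumber $device.DevicePhoneNumber
# if ($number) { Set-User $mailbox.Alias -MobilePhone $number }
```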


Download

Update-MobileNumber.zip.

Running PowerShell Scripts via Scheduled Tasks

October 7th, 2009 No comments

The robust capabilities of PowerShell and the Exchange Management Shell allow us to streamline and automate many system tasks. By using scheduled tasks, we can now run tasks on a recurring schedule, thus reducing our manual workload, as well as providing capabilities that were not previously available.

Generally, any PowerShell task can be automated, as long as it doesn’t require manual intervention. For this example, we’ll run a script called New-UserWelcome.ps1. This script, as will be documented in a future blog post, sends a ‘welcome’ email to all new mailboxes. This blog post assumes that the script to be scheduled is error free. We’ll plan to run the script every 4 hours.

What the PowerShell script does might dictate what server you run it from. In this example, since the script will send email, we’ll run it from an Exchange 2007 hub transport server.

On a hub transport server running on Windows 2003 server, we go to Control Panel>Scheduled Tasks. Once there, right click and choose New Scheduled Task. Give the task a name and press enter. Now right click on the task and choose Properties.

In the Run field, we include the path to the PowerShell executable, as well as the path to the Exchange console file (which contains the Exchange cmdlets), and the actual script we want to run. An example would be:

c:\windows\system32\windowspowershell\v1.0\powershell.exe -psconsolefile "c:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command "New-UserWelcome.ps1"

We also place the path to our scripts folder in the Start In field. This is because our example script, New-UserWelcome.ps1, is in the scripts folder:

"c:\program files\microsoft\exchange server\scripts"

In the Run As field, enter the name of an Exchange admin account, and click Set Password to enter the password for that account.

On the Schedule tab, set the Schedule Task to be Daily, Every 1 day, and click the Advanced button. Check Repeat Task, and set it for Every 4 hours for a duration of 24 hours. Click Ok twice.

Now we can test the scheduled task by right clicking on it and choosing Run.

In Windows 2008, the GUI is a tad different. Go to Administrative Tools>Task Scheduler. In the Action pane on the far right, click Create Basic Task. Give the task a name, and click next. Click Daily, and Next. Choose Recur every 1 day, and Next. Choose Start a program, and Next. Enter the path to PowerShell, the path to the Exchange console file, and the path to the script in the Program/Script field. For this example, we’ll use:

c:\windows\system32\windowspowershell\v1.0\powershell.exe -psconsolefile "c:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command "New-UserWelcome.ps1"

In the Start In field, add the path to the \scripts folder that holds your PowerShell script, such as

"c:\program files\microsoft\exchange server\scripts"

And then click Next. When presented with the popup about arguments in the text box, click Yes. On the Summary page, click the box for Open the Properties dialog for this task when I click Finish. Then click Finish.

When the properties dialog box opens, click the triggers tab, click edit, click the Repeat task every 4 hours (you can type in the pulldown box) for a duration of 1 day. Then click Ok twice.

Once that’s done, click Run in the lower part of the Action pane to test.

As you can see, it’s not terribly complex to run scheduled PowerShell scripts. By doing so, we can automate many mundane tasks, and even add functionality that is not already there.

We will build upon this article in future articles.

Script: Hide-InternetNewsgroups.ps1 – Removing “Internet Newsgroups” in Exchange Server 2007 – Part II – Automate It!

July 23rd, 2009 No comments

Description

In an earlier post, Removing “Internet Newsgroups” in Exchange Server 2007, I showed you how to use Exchange Management Shell to hide the Internet Newsgroups public folder.

If you’re a consultant like me, you might find a need to hide the Internet Newsgroups during each and every project. So I came up with this PowerShell script to just do the job all automagically. The script enumerates the rights, and then removes each one, resulting in the default user account having no rights. Let me show you how it’s done.

As mentioned, we enumerate the rights that ‘default’ has. We do this by creating an array:

$perm = Get-PublicFolderClientPermission "\Internet Newsgroups" -User default

$perm now holds the results of the query. For Public Folder client permissions, you can’t remove ‘DeleteOwnedItems’ if the user also has the ‘DeleteAllItems’ right. The same applies to ‘EditOwnedItems’ if the user has the ‘EditAllItems’ right. So we’ll check for those and remove those first.

if ($perm.AccessRights -contains "DeleteAllItems") {
 Remove-PublicFolderClientPermission "\Internet Newsgroups" -User default -AccessRights DeleteAllItems -Confirm:$false
}
if ($perm.AccessRights -contains "EditAllItems") {
 Remove-PublicFolderClientPermission "\Internet Newsgroups" -User default -AccessRights EditAllItems -Confirm:$false
}

Now that those are done, we can use a ForEach loop and cycle through the rest and remove each. First, we get the rights again, since we may have removed some above, then remove what’s left:

$perm=Get-PublicFolderClientPermission "\Internet Newsgroups" -user default
ForEach ($right in $perm.AccessRights){
 Remove-PublicFolderClientPermission "\Internet Newsgroups" -User default -AccessRights $right -Confirm:$false
}

This results in default having ‘none’ for rights, as seen below. We verify this by looking at the rights again:

Get-PublicFolderClientPermission "\Internet Newsgroups" -User default | Format-Table User,AccessRights -AutoWidth

And that’s it. The full script looks like this:

# Hide-InternetNewsgroups.ps1
# https://www.ucunleashed.com/123
$perm = Get-PublicFolderClientPermission "\Internet Newsgroups" -user default
# first, delete the rights that must be deleted before others (to avoid an error)
if ($perm.AccessRights -contains "DeleteAllItems") {
 Remove-PublicFolderClientPermission "\Internet Newsgroups" -User default -AccessRights DeleteAllItems -Confirm:$false
}
if ($perm.AccessRights -contains "EditAllItems") {
 Remove-PublicFolderClientPermission "\Internet Newsgroups" -User default -AccessRights EditAllItems -Confirm:$false
}
# now do the rest
$perm=Get-PublicFolderClientPermission "\Internet Newsgroups" -User default
ForEach ($right in $perm.AccessRights){
 Remove-PublicFolderClientPermission "\Internet Newsgroups" -User default -AccessRights $right -Confirm:$false
}
Get-PublicFolderClientPermission "\Internet Newsgroups" -User default | Format-Table User,AccessRights -AutoWidth
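
To keep a record of the rights the script above removes, and to confirm the result on subfolders and for Anonymous as well as Default, here is an added example that is not part of Hide-InternetNewsgroups.ps1. The function names and the snapshot path are hypothetical, and it assumes the User column renders as Default and Anonymous, as in the output shown on this page.

```powershell
# Added example: snapshot and verify client permissions around the change.
# Assumes Exchange Management Shell; function names and $snapshot are hypothetical.
$folder   = "\Internet Newsgroups"
$snapshot = Join-Path $env:TEMP "InternetNewsgroups-acl-before.xml"

function Get-FolderAcl {
    param([string]$Root)
    # The root folder and every subfolder, flattened to plain strings so the
    # export stays readable without the Exchange snap-in loaded.
    Get-PublicFolder -Identity $Root -Recurse |
        Get-PublicFolderClientPermission |
        Select-Object @{Name = 'Folder'; Expression = { "$($_.Identity)" }},
                      @{Name = 'User';   Expression = { "$($_.User)" }},
                      @{Name = 'Rights'; Expression = { @($_.AccessRights | ForEach-Object { "$_" }) }}
}

function Get-ExposedEntry {
    param([string]$Root)
    # Entries for the two built-in principals that still carry any right.
    # Assumes they render as "Default" and "Anonymous" (see lead-in).
    Get-FolderAcl -Root $Root | Where-Object {
        ($_.User -eq 'Default' -or $_.User -eq 'Anonymous') -and
        @($_.Rights | Where-Object { $_ -ne 'None' }).Count -gt 0
    }
}

# 1. Before: keep a record of what is about to be removed.
Get-FolderAcl -Root $folder | Export-Clixml -Path $snapshot

# 2. Run Hide-InternetNewsgroups.ps1 (or the manual removal) here.

# 3. After: anything listed is still granted to Default or Anonymous.
$left = @(Get-ExposedEntry -Root $folder)
if ($left.Count -eq 0) {
    Write-Host "No rights left for Default or Anonymous under $folder"
} else {
    $left | Format-Table Folder, User, Rights -AutoWidth
}
```

The exported file is the record of which rights to re-grant with Add-PublicFolderClientPermission if the folder ever has to be made visible again.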

Installation

Execution Policy: Third-party PowerShell scripts may require that the PowerShell Execution Policy be set to either AllSigned, RemoteSigned, or Unrestricted. The default is Restricted, which prevents scripts – even code signed scripts – from running. For more information about setting your Execution Policy, see Using the Set-ExecutionPolicy Cmdlet.

Donations

I’ve never been one to really solicit donations for my work. My offerings are created because *I* need to solve a problem, and once I do, it makes sense to offer the results of my work to the public. I mean, let’s face it: I can’t be the only one with that particular issue, right? Quite often, to my surprise, I’m asked why I don’t have a “donate” button so people can donate a few bucks. I’ve never really put much thought into it. But those inquiries are coming more often now, so I’m yielding to them. If you’d like to donate, you can send a few bucks via PayPal at https://www.paypal.me/PatRichard. Money collected from that will go to the costs of my website (hosting and domain names), as well as to my home lab.

Downloads

Hide-InternetNewsgroups.zip

Update Rollup 9 (UR9) for Exchange Server 2007 SP1 Released

July 17th, 2009 No comments

Microsoft has released the following update rollup for Exchange Server 2007:

  • Update Rollup 9 for Exchange Server 2007 SP1 (970162)

If you’re running Exchange Server 2007 SP1, you need to apply Update Rollup 8 for Exchange 2007 SP1 to address the security issues listed below.

Remember, you only need to download the latest update for the version of Exchange that you’re running. RTM updates can’t be installed on SP1 and vice versa.

Rollup 9 for Exchange Server 2007 SP1 supersedes the following:

  1. 945684 Update Rollup 1 for Exchange Server 2007 Service Pack 1
  2. 948016 Update Rollup 2 for Exchange Server 2007 Service Pack 1
  3. 949870 Update Rollup 3 for Exchange Server 2007 Service Pack 1
  4. 952580 Update Rollup 4 for Exchange Server 2007 Service Pack 1
  5. 953467 Update Rollup 5 for Exchange Server 2007 Service Pack 1
  6. 959241 Update Rollup 6 for Exchange Server 2007 Service Pack 1
  7. 960384 Update Rollup 7 for Exchange Server 2007 Service Pack 1
  8. 968012 Update Rollup 8 for Exchange Server 2007 Service Pack 1

Here is a list of the fixes included in rollup 9:

  1. 943073 An image attachment appears as a red “X” when you send an RTF e-mail message from an Exchange Server 2007 organization to an external recipient
  2. 945877 The “eseutil /k” command takes a long time to verify the checksum of transaction logs in Exchange Server 2007 Service Pack 1
  3. 947662 The transport rule “when the Subject field or the body of the message contains text patterns” does not work accurately on an Exchange Server 2007 Service Pack 1-based computer
  4. 954739 The Exchange Impersonation feature does not work if a cross-forest topology has only a one-way trust relationship between forests in Exchange Server 2007 Service Pack 1
  5. 957137 The reseed process is unsuccessful on the CCR passive node after you restore one full backup and two or more differential backups to the CCR active node in Exchange Server 2007 Service Pack 1
  6. 957374 The Microsoft Exchange Replication service on a Standby Continuous Replication (SCR) target server continually crashes when you enable SCR for a storage group on an Exchange Server 2007 Service Pack 1-based computer
  7. 959559 Transaction log files grow unexpectedly in an Exchange Server 2007 Service Pack 1 mailbox server on a computer that is running Windows Server 2008
  8. 961124 Some messages are stuck in the Outbox folder or the Drafts folder on a computer that is running Exchange Server 2007 Service Pack 1
  9. 961544 Mobile users whose location is set to New Zealand cannot synchronize an exceptional occurrence after the daylight saving time (DST) update that is described in KB 951072 is installed on an Exchange 2007 Service Pack 1 Client Access server (CAS)
  10. 961551 An error message is returned when you run the Get-Recipient command in the Exchange Management Shell that uses a Windows 7 domain controller
  11. 963679 The Update-Recipient command does not update specified domain controller parameters when you use Identity Lifecycle Manager (ILM) 2007 to migrate mail users to mailbox users in Exchange Server 2007 Service Pack 1
  12. 967479 Entourage clients cannot synchronize with mailboxes that are located on a computer that is running Exchange 2007 Service Pack 1 and Windows Server 2008
  13. 967525 Error 4 is returned when you synchronize a supported list of contact properties by using Exchange ActiveSync in Exchange Server 2007 Service Pack 1
  14. 967605 A non-delivery report (NDR) is returned when a user sends an e-mail message to an X.400 address that includes the slash field separator in Exchange Server 2007 Service Pack 1
  15. 967676 E-mail address properties of contacts changed through Exchange Web Services (EWS) are not updated in Outlook or Outlook Web Access (OWA) in Exchange Server 2007 Service Pack 1
  16. 967739 If a sender requests a delivery receipt in an e-mail message, a delivery status notification (DSN) message is returned that has a blank subject in the body even though the original message contains a subject in Exchange Server 2007 Service Pack 1
  17. 968081 Monthly recurring meetings are declined if the “Schedule only during working hours” option is enabled in Exchange Server 2007 Service Pack 1
  18. 968106 Outlook clients are directed to global catalogs from the wrong domain if you are using a split session configuration to enable Outlook clients to access their mailboxes through an RPC/HTTP proxy server in Exchange Server 2007 Service Pack 1
  19. 968111 Event ID 4999 is logged when an administrator deletes a mailbox store on an Exchange Server 2007 Service Pack 1-based server
  20. 968205 The Microsoft Exchange Information Store service crashes every time that a specific database is mounted on a computer that is running Exchange Server 2007 Service Pack 1
  21. 968224 You still receive unexpected error messages when you run the Test-OwaConnectivity command or the Test-ActiveSyncConnectivity command after you apply hotfix KB954213 on an Exchange 2007 Service Pack 1-based server
  22. 968322 An HTTP 500 error message is returned when you send a message that has a large attachment by using Outlook Web Access (OWA) with S/MIME installed in Exchange Server 2007 Service Pack 1
  23. 968350 When you change the location field of a recurring calendar item to empty in Exchange Server 2007 Service Pack 1, the location field is set to the default value of the recurring series if this recurring item is synchronized on a Windows Mobile device
  24. 968621 The Microsoft Exchange Information Store service crashes when you use a Data Protection Manager (DPM) 2007 server to perform a snapshot backup for an Exchange Server 2007 Service Pack 1 server
  25. 968626 Event ID 1009 is logged when you use an application to access a shared mailbox by using the POP3 protocol in Exchange Server 2007 Service Pack 1
  26. 968651 Exchange Server 2007 Service Pack 1 servers continue to contact a domain controller even after you exclude it by using the Set-ExchangeServer command
  27. 968715 Both public logons and private logons that connect to a Client Access server (CAS) proxy are processed as private logons on an Exchange Server 2007 Service Pack 1-based server
  28. 969054 Error message after an Exchange Server 2007 Service Pack 1 user replies to a message that has more than 300 recipients in Outlook Web Access (OWA): “Microsoft Exchange issued an unexpected response (500)”
  29. 969089 Some databases are not mounted on the target server after you use the Move-ClusteredMailboxServer command to transfer a clustered mailbox server (CMS) to an available passive cluster node in Exchange Server 2007 Service Pack 1
  30. 969129 HTML e-mail messages that have a charset META tag that differs from the MIME charset tag are garbled when they are processed through disclaimer rules in Exchange Server 2007 Service Pack 1
  31. 969324 Outlook crashes when you try to use Outlook to view e-mail messages that are arranged by subject in Exchange Server 2007 Service Pack 1
  32. 969436 You cannot log on to a hidden mailbox by using Base64 authentication for IMAP4 or for POP3 in an Exchange Server 2007 Service Pack 1 environment
  33. 969838 An error message is returned when a user tries to change a recurring appointment in Office Outlook Web Access that was created in Outlook 2007 in Exchange Server 2007 Service Pack 1
  34. 969911 Mailboxes do not follow E-mail Lifecycle (ELC) configuration or storage limitation policies in Exchange Server 2007 Service Pack 1
  35. 969943 Memory leaks occur in the Powershell.exe process when you run the Get-MailboxStatistics command and the Get-PublicFolderStatistics command in Exchange Server 2007 Service Pack 1
  36. 969969 Error message when an Exchange Server 2007 Service Pack 1 user tries to delete a calendar item in OWA: “Outlook Web Access has encountered a Web browsing error”
  37. 970028 The Store.exe process crashes when you use a WebDAV application to connect to Exchange Server 2007 Service Pack 1
  38. 970086 Exchange Server 2007 Service Pack 1 crashes when the Extensible Storage Engine (ESE) version store is out of memory on a computer that is running Windows Server 2008
  39. 970277 The System Attendant (SA) resource is not brought online or offline during a failover in an Exchange 2007 Service Pack 1 cluster environment
  40. 970444 A move operation between an Exchange Server 2003-based server and an Exchange Server 2007 Service Pack 1-based server fails if the SimpleDisplayName attribute of a mailbox in the Exchange Server 2003-based server contains a single quotation mark
  41. 970515 You receive an error message when you try to use the “New-Mailbox” command to create more than 1000 users who have the same “mailNickname” attribute (alias) in Exchange Server 2007 Service Pack 1
  42. 970526 The EdgeTransport.exe process on a computer that is running Exchange Server 2007 Service Pack 1 crashes when a MIME message that contains iCAL items for a recurring meeting has more than 999 occurrences
  43. 970725 Public folder replication messages stay in the local delivery queue and cause an Exchange Server 2007 Service Pack 1 database to grow quickly
  44. 970993 Error message when a user tries to perform an address book search by using Outlook Web Access in an Exchange Server 2007 Service Pack 1 environment: “The item that you attempted to access appears to be corrupted and cannot be accessed.”

Download the rollup here.

Installation Notes:

If you haven’t installed Exchange Server yet, you can use the info at Quicker Exchange installs complete with service packs and rollups to save you some time.

Microsoft Update can’t detect rollups for Exchange 2010 servers that are members of a Database Availability Group (DAG). See the post Installing Exchange 2010 Rollups on DAG Servers for info, and a script, for installing update rollups.

Update Rollups should be applied to Internet-facing Client Access Servers before being installed on non-Internet-facing Client Access Servers.

If you’re installing the update rollup on Exchange servers that don’t have Internet access, see “Installing Exchange 2007 & 2010 rollups on servers that don’t have Internet access” for some additional steps.

Removing “Internet Newsgroups” in Exchange Server 2007

July 2nd, 2009 2 comments

Description

In legacy versions of Exchange, we saw the Internet Newsgroup public folder. This was intended to be used for a local NNTP source, where an org could have a local copy of some select newsgroups for their users to view. The feature never really went anywhere, and is now deprecated. But, if you’ve migrated from a legacy version of Exchange to Exchange 2007, the Internet Newsgroup is still there, as seen below. I see a lot of people asking how to just delete the public folder once and for all.

According to Microsoft, there is no supported method in Exchange 2007 for deleting that public folder. Some people have used ADSIEDIT to remove it, but that’s got the potential for disaster. The alternative is to hide it so it’s no longer visible. In this article, I’ll show you how.

Fire up good ol’ Exchange Management Shell and type:

Get-PublicFolderClientPermission -Identity "\Internet Newsgroups" | Format-List

As seen below, this shows us a list of all permissions for the PF. By default, you should see permissions for two ‘users’, Default and Anonymous. Default holds the permissions for Active Directory authenticated users, and Anonymous is for unauthenticated users. We need to remove the permissions for Default.

In my example, Default has ReadItems, CreateItems, EditOwnedItems, and FolderVisible rights. We can’t just remove FolderVisible (that would make too much sense) since that’s a built in right that comes with some of the others. So we’ll remove them all by using:

Remove-PublicFolderClientPermission -identity "\Internet Newsgroups" -User Default -AccessRights ReadItems, CreateItems, EditOwnedItems, FolderVisible

Once you hit enter, you should be prompted to confirm the operation, and then the rights should be removed, as seen below.

An important note is to leave a space between each right, and to only specify the rights that Default already has. Otherwise, you get an error, like the one seen below.

Once the rights are removed, the Internet Newsgroups public folder will quickly disappear from Outlook, as shown below.

While deleting the public folder may be preferred, hiding it from the list accomplishes the same end result as far as the user experience is concerned. This leaves a cleaner public folder hierarchy.
