
Posts Tagged ‘Exchange Server 2007’

Script: Hide-InternetNewsgroups.ps1 – Removing “Internet Newsgroups” in Exchange Server 2007 – Part II – Automate It!

July 23rd, 2009 No comments

Description

In an earlier post, Removing “Internet Newsgroups” in Exchange Server 2007, I showed you how to use Exchange Management Shell to hide the Internet Newsgroups public folder.

If you’re a consultant like me, you might find a need to hide the Internet Newsgroups during each and every project. So I came up with this PowerShell script to just do the job all automagically. The script enumerates the rights, and then removes each one, resulting in the default user account having no rights. Let me show you how it’s done.

As mentioned, we enumerate the rights that ‘default’ has. We do this by creating an array:

$perm = Get-PublicFolderClientPermission "\Internet Newsgroups" -User default

$perm now holds the results of the query. For Public Folder client permissions, you can’t remove ‘DeleteOwnedItems’ if the user also has the ‘DeleteAllItems’ right. The same applies to ‘EditOwnedItems’ if the user also has the ‘EditAllItems’ right. So we’ll check for those and remove those first.

if ($perm.AccessRights -contains "DeleteAllItems") {
 Remove-PublicFolderClientPermission "\Internet Newsgroups" -User default -AccessRights DeleteAllItems -Confirm:$false
}
if ($perm.AccessRights -contains "EditAllItems") {
 Remove-PublicFolderClientPermission "\Internet Newsgroups" -User default -AccessRights EditAllItems -Confirm:$false
}

Now that those are done, we can use a ForEach loop and cycle through the rest and remove each. First, we get the rights again, since we may have removed some above, then remove what’s left:

$perm=Get-PublicFolderClientPermission "\Internet Newsgroups" -user default
ForEach ($right in $perm.AccessRights){
 Remove-PublicFolderClientPermission "\Internet Newsgroups" -User default -AccessRights $right -Confirm:$false
}

This results in default having ‘none’ for rights, as seen below. We verify this by looking at the rights again:

Get-PublicFolderClientPermission "\Internet Newsgroups" -User default | Format-Table User,AccessRights -AutoWidth

And that’s it. The full script looks like this:

# Hide-InternetNewsgroups.ps1
# https://www.ucunleashed.com/123
$perm = Get-PublicFolderClientPermission "\Internet Newsgroups" -user default
# first, delete the rights that must be deleted before others (to avoid an error)
if ($perm.AccessRights -contains "DeleteAllItems") {
 Remove-PublicFolderClientPermission "\Internet Newsgroups" -User default -AccessRights DeleteAllItems -Confirm:$false
}
if ($perm.AccessRights -contains "EditAllItems") {
 Remove-PublicFolderClientPermission "\Internet Newsgroups" -User default -AccessRights EditAllItems -Confirm:$false
}
# now do the rest
$perm=Get-PublicFolderClientPermission "\Internet Newsgroups" -User default
ForEach ($right in $perm.AccessRights){
 Remove-PublicFolderClientPermission "\Internet Newsgroups" -User default -AccessRights $right -Confirm:$false
}
Get-PublicFolderClientPermission "\Internet Newsgroups" -User default | Format-Table User,AccessRights -AutoWidth

Installation

Execution Policy: Third-party PowerShell scripts may require that the PowerShell Execution Policy be set to either AllSigned, RemoteSigned, or Unrestricted. The default is Restricted, which prevents scripts – even code signed scripts – from running. For more information about setting your Execution Policy, see Using the Set-ExecutionPolicy Cmdlet.

Donations

I’ve never been one to really solicit donations for my work. My offerings are created because *I* need to solve a problem, and once I do, it makes sense to offer the results of my work to the public. I mean, let’s face it: I can’t be the only one with that particular issue, right? Quite often, to my surprise, I’m asked why I don’t have a “donate” button so people can donate a few bucks. I’ve never really put much thought into it. But those inquiries are coming more often now, so I’m yielding to them. If you’d like to donate, you can send a few bucks via PayPal at https://www.paypal.me/PatRichard. Money collected from that will go to the costs of my website (hosting and domain names), as well as to my home lab.

Downloads

Hide-InternetNewsgroups.zip

Update Rollup 9 (UR9) for Exchange Server 2007 SP1 Released

July 17th, 2009 No comments

Microsoft has released the following update rollup for Exchange Server 2007:

  • Update Rollup 9 for Exchange Server 2007 SP1 (970162)

If you’re running Exchange Server 2007 SP1, you need to apply Update Rollup 8 for Exchange 2007 SP1 to address the security issues listed below.

Remember, you only need to download the latest update for the version of Exchange that you’re running. RTM updates can’t be installed on SP1 and vice versa.

Rollup 9 for Exchange Server 2007 SP1 supersedes the following:

  1. 945684 Update Rollup 1 for Exchange Server 2007 Service Pack 1
  2. 948016 Update Rollup 2 for Exchange Server 2007 Service Pack 1
  3. 949870 Update Rollup 3 for Exchange Server 2007 Service Pack 1
  4. 952580 Update Rollup 4 for Exchange Server 2007 Service Pack 1
  5. 953467 Update Rollup 5 for Exchange Server 2007 Service Pack 1
  6. 959241 Update Rollup 6 for Exchange Server 2007 Service Pack 1
  7. 960384 Update Rollup 7 for Exchange Server 2007 Service Pack 1
  8. 968012 Update Rollup 8 for Exchange Server 2007 Service Pack 1

Here is a list of the fixes included in rollup 9:

  1. 943073 An image attachment appears as a red “X” when you send an RTF e-mail message from an Exchange Server 2007 organization to an external recipient
  2. 945877 The “eseutil /k” command takes a long time to verify the checksum of transaction logs in Exchange Server 2007 Service Pack 1
  3. 947662 The transport rule “when the Subject field or the body of the message contains text patterns” does not work accurately on an Exchange Server 2007 Service Pack 1-based computer
  4. 954739 The Exchange Impersonation feature does not work if a cross-forest topology has only a one-way trust relationship between forests in Exchange Server 2007 Service Pack 1
  5. 957137 The reseed process is unsuccessful on the CCR passive node after you restore one full backup and two or more differential backups to the CCR active node in Exchange Server 2007 Service Pack 1
  6. 957374 The Microsoft Exchange Replication service on a Standby Continuous Replication (SCR) target server continually crashes when you enable SCR for a storage group on an Exchange Server 2007 Service Pack 1-based computer
  7. 959559 Transaction log files grow unexpectedly in an Exchange Server 2007 Service Pack 1 mailbox server on a computer that is running Windows Server 2008
  8. 961124 Some messages are stuck in the Outbox folder or the Drafts folder on a computer that is running Exchange Server 2007 Service Pack 1
  9. 961544 Mobile users whose location is set to New Zealand cannot synchronize an exceptional occurrence after the daylight saving time (DST) update that is described in KB 951072 is installed on an Exchange 2007 Service Pack 1 Client Access server (CAS)
  10. 961551 An error message is returned when you run the Get-Recipient command in the Exchange Management Shell that uses a Windows 7 domain controller
  11. 963679 The Update-Recipient command does not update specified domain controller parameters when you use Identity Lifecycle Manager (ILM) 2007 to migrate mail users to mailbox users in Exchange Server 2007 Service Pack 1
  12. 967479 Entourage clients cannot synchronize with mailboxes that are located on a computer that is running Exchange 2007 Service Pack 1 and Windows Server 2008
  13. 967525 Error 4 is returned when you synchronize a supported list of contact properties by using Exchange ActiveSync in Exchange Server 2007 Service Pack 1
  14. 967605 A non-delivery report (NDR) is returned when a user sends an e-mail message to an X.400 address that includes the slash field separator in Exchange Server 2007 Service Pack 1
  15. 967676 E-mail address properties of contacts changed through Exchange Web Services (EWS) are not updated in Outlook or Outlook Web Access (OWA) in Exchange Server 2007 Service Pack 1
  16. 967739 If a sender requests a delivery receipt in an e-mail message, a delivery status notification (DSN) message is returned that has a blank subject in the body even though the original message contains a subject in Exchange Server 2007 Service Pack 1
  17. 968081 Monthly recurring meetings are declined if the “Schedule only during working hours” option is enabled in Exchange Server 2007 Service Pack 1
  18. 968106 Outlook clients are directed to global catalogs from the wrong domain if you are using a split session configuration to enable Outlook clients to access their mailboxes through an RPC/HTTP proxy server in Exchange Server 2007 Service Pack 1
  19. 968111 Event ID 4999 is logged when an administrator deletes a mailbox store on an Exchange Server 2007 Service Pack 1-based server
  20. 968205 The Microsoft Exchange Information Store service crashes every time that a specific database is mounted on a computer that is running Exchange Server 2007 Service Pack 1
  21. 968224 You still receive unexpected error messages when you run the Test-OwaConnectivity command or the Test-ActiveSyncConnectivity command after you apply hotfix KB954213 on an Exchange 2007 Service Pack 1-based server
  22. 968322 An HTTP 500 error message is returned when you send a message that has a large attachment by using Outlook Web Access (OWA) with S/MIME installed in Exchange Server 2007 Service Pack 1
  23. 968350 When you change the location field of a recurring calendar item to empty in Exchange Server 2007 Service Pack 1, the location field is set to the default value of the recurring series if this recurring item is synchronized on a Windows Mobile device
  24. 968621 The Microsoft Exchange Information Store service crashes when you use a Data Protection Manager (DPM) 2007 server to perform a snapshot backup for an Exchange Server 2007 Service Pack 1 server
  25. 968626 Event ID 1009 is logged when you use an application to access a shared mailbox by using the POP3 protocol in Exchange Server 2007 Service Pack 1
  26. 968651 Exchange Server 2007 Service Pack 1 servers continue to contact a domain controller even after you exclude it by using the Set-ExchangeServer command
  27. 968715 Both public logons and private logons that connect to a Client Access server (CAS) proxy are processed as private logons on an Exchange Server 2007 Service Pack 1-based server
  28. 969054 Error message after an Exchange Server 2007 Service Pack 1 user replies to a message that has more than 300 recipients in Outlook Web Access (OWA): “Microsoft Exchange issued an unexpected response (500)”
  29. 969089 Some databases are not mounted on the target server after you use the Move-ClusteredMailboxServer command to transfer a clustered mailbox server (CMS) to an available passive cluster node in Exchange Server 2007 Service Pack 1
  30. 969129 HTML e-mail messages that have a charset META tag that differs from the MIME charset tag are garbled when they are processed through disclaimer rules in Exchange Server 2007 Service Pack 1
  31. 969324 Outlook crashes when you try to use Outlook to view e-mail messages that are arranged by subject in Exchange Server 2007 Service Pack 1
  32. 969436 You cannot log on to a hidden mailbox by using Base64 authentication for IMAP4 or for POP3 in an Exchange Server 2007 Service Pack 1 environment
  33. 969838 An error message is returned when a user tries to change a recurring appointment in Office Outlook Web Access that was created in Outlook 2007 in Exchange Server 2007 Service Pack 1
  34. 969911 Mailboxes do not follow E-mail Lifecycle (ELC) configuration or storage limitation policies in Exchange Server 2007 Service Pack 1
  35. 969943 Memory leaks occur in the Powershell.exe process when you run the Get-MailboxStatistics command and the Get-PublicFolderStatistics command in Exchange Server 2007 Service Pack 1
  36. 969969 Error message when an Exchange Server 2007 Service Pack 1 user tries to delete a calendar item in OWA: “Outlook Web Access has encountered a Web browsing error”
  37. 970028 The Store.exe process crashes when you use a WebDAV application to connect to Exchange Server 2007 Service Pack 1
  38. 970086 Exchange Server 2007 Service Pack 1 crashes when the Extensible Storage Engine (ESE) version store is out of memory on a computer that is running Windows Server 2008
  39. 970277 The System Attendant (SA) resource is not brought online or offline during a failover in an Exchange 2007 Service Pack 1 cluster environment
  40. 970444 A move operation between an Exchange Server 2003-based server and an Exchange Server 2007 Service Pack 1-based server fails if the SimpleDisplayName attribute of a mailbox in the Exchange Server 2003-based server contains a single quotation mark
  41. 970515 You receive an error message when you try to use the “New-Mailbox” command to create more than 1000 users who have the same “mailNickname” attribute (alias) in Exchange Server 2007 Service Pack 1
  42. 970526 The EdgeTransport.exe process on a computer that is running Exchange Server 2007 Service Pack 1 crashes when a MIME message that contains iCAL items for a recurring meeting has more than 999 occurrences
  43. 970725 Public folder replication messages stay in the local delivery queue and cause an Exchange Server 2007 Service Pack 1 database to grow quickly
  44. 970993 Error message when a user tries to perform an address book search by using Outlook Web Access in an Exchange Server 2007 Service Pack 1 environment: “The item that you attempted to access appears to be corrupted and cannot be accessed.”

Download the rollup here.

Installation Notes:

If you haven’t installed Exchange Server yet, you can use the info at Quicker Exchange installs complete with service packs and rollups to save you some time.

Microsoft Update can’t detect rollups for Exchange 2010 servers that are members of a Database Availability Group (DAG). See the post Installing Exchange 2010 Rollups on DAG Servers for info, and a script, for installing update rollups.

Update Rollups should be applied to Internet-facing Client Access Servers before being installed on non-Internet-facing Client Access Servers.

If you’re installing the update rollup on Exchange servers that don’t have Internet access, see “Installing Exchange 2007 & 2010 rollups on servers that don’t have Internet access” for some additional steps.

Removing “Internet Newsgroups” in Exchange Server 2007

July 2nd, 2009 2 comments

Description

In legacy versions of Exchange, we saw the Internet Newsgroup public folder. This was intended to be used for a local NNTP source, where an org could have a local copy of some select newsgroups for their users to view. The feature never really went anywhere, and is now deprecated. But, if you’ve migrated from a legacy version of Exchange to Exchange 2007, the Internet Newsgroup is still there, as seen below. I see a lot of people asking how to just delete the public folder once and for all.

According to Microsoft, there is no supported method in Exchange 2007 for deleting that public folder. Some people have used ADSIEDIT to remove it, but that’s got the potential for disaster. The alternative is to hide it so it’s no longer visible. In this article, I’ll show you how.

Fire up good ol’ Exchange Management Shell and type:

Get-PublicFolderClientPermission -Identity "\Internet Newsgroups" | Format-List

As seen below, this shows us a list of all permissions for the PF. By default, you should see permissions for two ‘users’, Default and Anonymous. Default are permissions for Active Directory authenticated users, and Anonymous is for unauthenticated users. We need to remove the permissions for Default.

 

In my example, Default has ReadItems, CreateItems, EditOwnedItems, and FolderVisible rights. We can’t just remove FolderVisible (that would make too much sense) since that’s a built in right that comes with some of the others. So we’ll remove them all by using:

Remove-PublicFolderClientPermission -identity "\Internet Newsgroups" -User Default -AccessRights ReadItems, CreateItems, EditOwnedItems, FolderVisible

Once you hit enter, you should be prompted to confirm the operation, and then the rights should be removed, as seen below.

An important note is to leave a space between each right, and to only specify the rights that Default already has. Otherwise, you get an error, like the one seen below.

Once the rights are removed, the Internet Newsgroups public folder will quickly disappear from Outlook, as shown below.

While deleting the public folder may be preferred, hiding it from the list accomplishes the same end result as far as the user experience is concerned. This leaves a cleaner public folder hierarchy.


Exchange 2007 NLB CAS Prerequisites for Windows Server 2008

June 25th, 2009 No comments

In an article I wrote earlier this year (“Installing the Exchange 2007 prerequisites on Windows Server 2008”) at Daniel Petri’s site, I showed how to use the XML files created by the product group to quickly and painlessly install the Exchange Server 2007 prerequisites on Windows Server 2008. For the most part, those work fine. But, if you’re installing multiple CAS servers, and going to load balance them using the Windows Network Load Balancing (NLB) feature, you still need to manually install the NLB feature.

This can be done by either opening Server Manager, going to Features, and installing the NLB feature, or opening a command prompt and typing

ServerManagerCmd -i NLB

Since the whole idea behind the XML files was to automate the process, this wasn’t the cleanest way of doing it. Also, one of the best ways to test Hub Transport functionality is via telnet, which isn’t installed by default in Windows Server 2008. Telnet can also be manually installed via Server Manager or

ServerManagerCmd -i telnet-client

A common implementation practice is to install the Hub Transport and Client Access roles together, and then load balance CAS, as well as some hub traffic. That being the case, why not streamline the prerequisite process to include NLB and telnet? Now you can.

Open Exchange-CAS.xml, and scroll to the bottom. Right under

<Feature Id="RPC-OVER-HTTP-proxy" />

paste the following:

<!-- Install Network Load Balancing and telnet client as mentioned at https://www.ucunleashed.com/111 -->
<Feature Id="NLB" />
<Feature Id="Telnet-Client" />

Save the file as Exchange-NLBCAS.xml. Just like the others, you can call the file via servermanagercmd.exe using

ServerManagerCmd -ip Exchange-NLBCAS.xml

to install the prerequisites. Check the original article mentioned above for more info on how to use the XML files.

Enjoy!

Exchange 2007 SCW files and Windows Server 2008 SP2

June 23rd, 2009 No comments

A while back, I wrote a series at Daniel Petri’s site about Security Configuration Wizard (SCW) and Exchange 2007. The series talks about importing the files in order for the SCW to be Exchange ‘aware’. Those files, which reside in the \scripts folder, are:

  1. Exchange2007.xml
  2. Exchange2007_WinSrv2008.xml
  3. Exchange2007Edge.xml
  4. Exchange2007Edge_WinSrv2008.xml

Since that time, Microsoft has released Windows Server 2008 SP2. The SCW files that are included with Exchange won’t install on Windows Server 2008 SP2 due to a hard coded prerequisite check.

If you’re going to import the SCW files in Windows Server 2008, open each one that ends in ‘_WinSrv2008.xml’ and look for the 2nd line – which looks like this:

<SCWKBRegistrationInfo OSMajorVersion="6" OSMinorVersion="0" ServicePackMajorVersion="1" ServicePackMinorVersion="0">

Change the ServicePackMajorVersion value to “2” instead of “1”. Save the file, and you should be able to import the file using the info in my original series. Microsoft is aware of this, and working on resolving the issue.
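The edit described above can be scripted so that each ‘_WinSrv2008.xml’ file is backed up before it is changed. This is an added example, not code from the original post or from Microsoft: the function name Update-ScwServicePackVersion is hypothetical, it assumes SCWKBRegistrationInfo is the root element of each file, and the demo file at the end is constructed.

```powershell
# Added example (not from the original post). The function name is hypothetical.
# Assumption: SCWKBRegistrationInfo is the root element of each SCW file.
function Update-ScwServicePackVersion {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ScriptsFolder,
        [int]$ServicePackMajorVersion = 2
    )
    $target = [string]$ServicePackMajorVersion
    foreach ($file in Get-ChildItem -Path $ScriptsFolder -Filter '*_WinSrv2008.xml') {
        $doc = New-Object System.Xml.XmlDocument
        $doc.PreserveWhitespace = $true            # keep the file's original layout
        $doc.Load($file.FullName)

        # LocalName is used instead of Name because PowerShell's XML adapter
        # would return a "Name" attribute, if one existed, in place of the tag name.
        $root = $doc.DocumentElement
        if ($root.LocalName -ne 'SCWKBRegistrationInfo') {
            Write-Warning "$($file.Name): unexpected root element '$($root.LocalName)', skipped"
            continue
        }

        $current = $root.GetAttribute('ServicePackMajorVersion')
        if ($current -eq $target) {
            Write-Verbose "$($file.Name): ServicePackMajorVersion is already $target"
            continue
        }

        if ($PSCmdlet.ShouldProcess($file.FullName, "set ServicePackMajorVersion $current -> $target")) {
            # Keep the shipped file next to the edited one so the change can be reverted.
            Copy-Item -Path $file.FullName -Destination "$($file.FullName).bak" -Force
            $root.SetAttribute('ServicePackMajorVersion', $target)
            $doc.Save($file.FullName)
            New-Object PSObject -Property @{
                File = $file.Name; OldValue = $current; NewValue = $target
            } | Select-Object File, OldValue, NewValue
        }
    }
}

# --- Constructed demo: a stand-in \scripts folder holding one sample file ---
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'scw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<SCWKBRegistrationInfo OSMajorVersion="6" OSMinorVersion="0" ServicePackMajorVersion="1" ServicePackMinorVersion="0">
</SCWKBRegistrationInfo>
'@ | Set-Content -Path (Join-Path $demo 'Exchange2007_WinSrv2008.xml') -Encoding UTF8

Update-ScwServicePackVersion -ScriptsFolder $demo -WhatIf   # preview only, nothing is written
Update-ScwServicePackVersion -ScriptsFolder $demo           # back up, then edit
```

Files that do not end in ‘_WinSrv2008.xml’ are never touched, and a second run makes no further changes.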

one liners: Setting the Default Language and Time Zone for OWA

June 22nd, 2009 4 comments

Anyone who’s had a new mailbox on Exchange 2007 and logged in via OWA will remember seeing a screen that asks for the language and time zone, as seen below. Once they pick those, they are then taken to their mailbox.

If all of the users in an org use the same language and are in the same time zone, we can set these settings. New users will no longer be prompted for this information, but any user can change the information by going to Options>Regional Settings in OWA, such as shown below:

To make the change, fire up the ol’ Exchange Management Shell and type:

Set-OWAVirtualDirectory "owa (Default Web Site)" -DefaultClientLanguage <Locale ID>

Replace <Locale ID> with the specific Locale ID for your area. For a list of Locale IDs, see Locale IDs Assigned by Microsoft. For English in the United States, the Locale ID is 1033. So, for my example, I use

Set-OWAVirtualDirectory "owa (Default Web Site)" -DefaultClientLanguage 1033

Once that’s set, all new users will default to that, as well as the time zone setting on the client access server.

Allowing Multiple Users and/or Groups to Manage Distribution Lists in Exchange 2007

June 19th, 2009 2 comments

Large organizations generally have a large number of distribution lists. Managing membership of those DLs can often be a time-consuming task. In earlier versions of Exchange, you could select a manager for the DL, and optionally grant that user the right to manage membership for that list, as seen below.

While that option still exists, we can now assign multiple users, and even groups, the right to manage membership. And all it takes is (surprise), a little PowerShell.

For this example, we’ll take the same DL, ‘Operations’, and grant Julie the ability to manage membership.

Get-DistributionGroup "Operations" | Add-ADPermission -User "jcahill" -AccessRights WriteProperty -Properties "Member"

But Pat, you say – how is this method better? Well, we can specify a group instead of a single user like this:

Get-DistributionGroup "Operations" | Add-ADPermission -User "HelpDesk" -AccessRights WriteProperty -Properties "Member"

As seen here:

This allows anyone in the HelpDesk group the ability to manage the DL.

If we need to remove Julie’s rights, we use Remove-ADPermission like this:

Get-DistributionGroup "Operations" | Remove-ADPermission -User 'jcahill' -AccessRights WriteProperty -Properties "Member"

As you can see, we now have the ability to grant multiple people rights to manage a distribution list.

The last thing we need to look at is generating a report as to who has rights to manage a specific DL. For that, we can use

Get-DistributionGroup 'operations' | Get-ADPermission | Where-Object {($_.AccessRights -match 'WriteProperty') -and ($_.Properties -match 'Member')} | Format-Table User,AccessRights,Properties -AutoWidth

Which produces output such as:

Hopefully, this tip will cut down on calls to the Help Desk, and allow admins to focus on more pressing matters.

How to Add Additional Text to the Exchange 2007 and Exchange 2010 OWA Logon Page

June 3rd, 2009 8 comments

Recently, someone on a distribution list asked for a method for users to ‘agree’ to a disclaimer before being able to logon to OWA. One of the suggestions was to just append extra info to the logon page, the way that Microsoft Corporate does. Click the images below for a screenshot of Microsoft’s OWA Exchange 2007 and 2010 logon pages.

As you can see below the fields for user credentials, Microsoft has added some helpful text and links. Thanks to Ross Smith IV, I’ve gone through the way Microsoft does it, cleaned up a little, and now I’m gonna show you how easy it is.

The method Microsoft employs is to just use an ASP include to include the contents of a text file. That text file can contain any HTML code you’d like to append to the logon screen. For the sake of example, I’m going to use the same text that Microsoft uses. Let’s get started.

  1. On your Client Access Server, create a text file called disclaimer.inc in the \Program Files\Microsoft\Exchange Server\ClientAccess\Owa\Auth folder of your Exchange installation, and insert any additional code/text you want to include on your logon screen.
  2. Back up \Program Files\Microsoft\Exchange Server\ClientAccess\Owa\Auth\logon.aspx for safekeeping
  3. Open \Program Files\Microsoft\Exchange Server\ClientAccess\Owa\Auth\logon.aspx in notepad
  4. Find <table>
    right under that, insert a line with the following:
    <!-- #include file="disclaimer.inc" -->
  5. Save and close the file
  6. Visit the OWA logon page, and marvel at your handiwork.

There is no need to restart services, reset IIS, or anything. In fact, as soon as you make changes, you can just refresh the logon screen to see the results.

The contents of the cleaned up disclaimer.inc that yields the above results looks like this:

<div style='font-size: 8pt;'>To protect against unauthorized access, your OWA session will automatically time out after a period of inactivity. <b>If your session ends, refresh your browser and log on again.</b>
<hr />
<b>For best OWA performance, click the link that corresponds to your Exchange server:</b>
<br /><br />
<a href="/">Europe </a>
<strong><a href="/">Redmond </a></strong>
<a href="/">Sao Paulo </a>
<a href="/">Singapore </a>
<a href="/">Exchange Dogfood </a>
<a href="/">Windeploy </a>
<a href="/">WinSE </a>
<hr />
<b>Having Trouble Logging On?</b> Please contact the <a href="/">Microsoft IT Global Helpdesk</a>
<hr />
Want to find more information on OWA? Need full access to Microsoft's corporate network or alternative ways to access e-mail from Outlook or a Windows Mobile device?<br />
<a href="/">The Remote Connectivity Options extranet site gets you started.</a></div>

A couple of notes:

The Microsoft version, if you view the source of their OWA page, isn’t quite as clean as this example. I spent some time cleaning things up and removing any unnecessary code so that it’s not only more compliant, but easier for the non-HTML coder to understand.

This method is completely unsupported by Microsoft. Don’t go crying to them when it doesn’t work, or blows out your OWA logon page. You made a backup of logon.aspx for a reason.

This change may get overwritten by any hotfix, rollup, and/or service pack that overwrites the logon.aspx page. So you may need to reapply the change to the logon.aspx file after updating.
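Because an update can silently replace logon.aspx, it helps to check after each rollup whether the include line and disclaimer.inc are still in place, and whether the file matches a hash recorded right after the customization. The following is an added example, not part of the original post: the function names, the status values and the baseline-hash approach are assumptions, and the demo folder and file contents are constructed.

```powershell
# Added example (not from the original post). Function names and status values are hypothetical.
function Get-FileSha256([string]$Path) {
    # Hash via .NET so this also works where Get-FileHash is not available.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '')
}

function Test-OwaLogonCustomization {
    param(
        [Parameter(Mandatory = $true)][string]$AuthFolder,   # ...\ClientAccess\Owa\Auth
        [string]$BaselineHash                                  # SHA-256 recorded after customizing
    )
    $folder     = (Resolve-Path $AuthFolder).ProviderPath      # .NET calls need a full path
    $logon      = Join-Path $folder 'logon.aspx'
    $disclaimer = Join-Path $folder 'disclaimer.inc'

    # Tolerate spacing differences in the include directive.
    $pattern    = '<!--\s*#include\s+file\s*=\s*"disclaimer\.inc"\s*-->'
    $hasInclude = [bool]([System.IO.File]::ReadAllText($logon) -match $pattern)
    $hasFile    = Test-Path $disclaimer
    $hash       = Get-FileSha256 $logon

    $status = if (-not $hasInclude) { 'IncludeMissing' }        # logon.aspx was replaced
              elseif (-not $hasFile) { 'DisclaimerMissing' }    # include points at nothing
              elseif ($BaselineHash -and ($hash -ne $BaselineHash)) { 'ChangedSinceBaseline' }
              else { 'OK' }

    New-Object PSObject -Property @{
        Status            = $status
        IncludePresent    = $hasInclude
        DisclaimerPresent = $hasFile
        LogonSha256       = $hash
    } | Select-Object Status, IncludePresent, DisclaimerPresent, LogonSha256
}

# --- Constructed demo: a stand-in Auth folder, not real OWA files ---
$auth = Join-Path ([System.IO.Path]::GetTempPath()) 'owa-auth-demo'
New-Item -ItemType Directory -Path $auth -Force | Out-Null
Set-Content -Path (Join-Path $auth 'disclaimer.inc') -Value '<div>Constructed disclaimer text</div>'
Set-Content -Path (Join-Path $auth 'logon.aspx') -Value '<table>', '<!-- #include file="disclaimer.inc" -->', '</table>'

# Record the baseline right after making the change, then check against it.
$baseline = Get-FileSha256 (Join-Path $auth 'logon.aspx')
Test-OwaLogonCustomization -AuthFolder $auth -BaselineHash $baseline

# Simulate an update that replaces logon.aspx with a stock copy, then check again.
Set-Content -Path (Join-Path $auth 'logon.aspx') -Value '<table>', '</table>'
Test-OwaLogonCustomization -AuthFolder $auth -BaselineHash $baseline
```

A ChangedSinceBaseline status with the include still present means logon.aspx was modified in some other way since the baseline was taken and is worth reviewing before recording a new baseline.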

Update Rollup 8 (UR8) for Exchange Server 2007 SP1 Released

May 21st, 2009 No comments

Microsoft has released the following update rollup for Exchange Server 2007:

  • Update Rollup 8 for Exchange Server 2007 SP1 (968012)

If you’re running Exchange Server 2007 SP1, you need to apply Update Rollup 8 for Exchange 2007 SP1 to address the security issues listed below.

Remember, you only need to download the latest update for the version of Exchange that you’re running. RTM updates can’t be installed on SP1 and vice versa.

Rollup 8 for Exchange Server 2007 SP1 supersedes the following:

  1. 945684 Update Rollup 1 for Exchange Server 2007 Service Pack 1
  2. 948016 Update Rollup 2 for Exchange Server 2007 Service Pack 1
  3. 949870 Update Rollup 3 for Exchange Server 2007 Service Pack 1
  4. 952580 Update Rollup 4 for Exchange Server 2007 Service Pack 1
  5. 953467 Update Rollup 5 for Exchange Server 2007 Service Pack 1
  6. 959241 Update Rollup 6 for Exchange Server 2007 Service Pack 1
  7. 960384 Update Rollup 7 for Exchange Server 2007 Service Pack 1

Here is a list of the fixes included in rollup 8:

  1. 948856 Event ID 9667 occurs when you create a new named property on an Exchange Server 2007 server
  2. 952935 A software update is available that provides the log tracing feature for the LogTruncator tag in Exchange Server 2007
  3. 954639 Exchange Information Store service stops responding intermittently on an Exchange 2007 server
  4. 955480 Meeting requests from external senders are displayed as Busy instead of Tentative in an Exchange 2007 environment
  5. 956633 User calendar permissions are removed after you run the Set-MailboxCalendarSettings cmdlet in an Exchange Server 2007 environment
  6. 957640 The “test-*” command fails when you run it on a site that contains only CAS roles in an Exchange 2007 environment
  7. 958239 Exchange Server 2007 does not generate an event log message for public folder replication messages even though a property validation exception is thrown and the replications do not occur
  8. 958881 All HTML content in attachment files of messages is run through an HTML filter when you open or save the attachment by using Outlook Web Access (OWA)
  9. 958938 The importance attribute of a message is lost when an Exchange 2007 user accesses a high-importance message or a low-importance message from Exchange Server 2007 by using a non-Outlook POP3 client or IMAP4 client
  10. 959510 A meeting request that is sent from OWA causes a “553 5.0.0 Message-Id header line format error” NDR message in an Exchange Server 2007 environment
  11. 959748 An account with the “Exchange View-Only Administrator” permission can review user mailbox contents by using an administrative application in Exchange Server 2007
  12. 959861 Some clients cannot connect to back-end Exchange Server 2003 IMAP servers after Exchange 2007 Service Pack 1 RU2 is applied
  13. 959990 An error occurs when you try to update a recurring appointment by using an Outlook client that is connected to an Exchange 2007 server
  14. 960178 You receive an NDR when you send an e-mail using OWA Premium and the ANR cache if the Exchange organization name has more than one space
  15. 960354 Edge Attachment Filtering does not honor the ExceptionConnectors value in Exchange Server 2007
  16. 960367 Error message when you run the Export-Mailbox command on a folder that has more than 5000 items in Exchange 2007: “-1056749164”
  17. 960495 The Information Store service crashes continuously on an Exchange Server 2007 server
  18. 960633 The Microsoft Exchange Information Store service crashes on an Exchange Server 2007 that has the mailbox server role installed
  19. 960703 Extended characters are replaced by question marks when you send an e-mail message that contains extended ASCII characters by using an IMAP4 client in Exchange 2007
  20. 960775 You receive a “Message too large for this recipient” NDR that has the original message attached after you restrict the Maximum Message Send Size value in Exchange Server 2007
  21. 960869 A queue that has multiple connections cannot enter a Retry state in Exchange Server 2007
  22. 961152 The Exchange information store service (Store.exe process) crashes intermittently when you migrate user data from Lotus Notes to Exchange Server 2007
  23. 961347 Error message when you export an Exchange 2007 mailbox to a .pst file and a filter is defined: “Export-Mailbox : Error was found for <username> (<SMTP address>)”
  24. 961443 Users cannot use Outlook Web Access for Exchange Server 2007 to open an address book
  25. 961524 Some journal messages are stuck in the Submission queue in Exchange Server 2007
  26. 961606 After you apply Rollup Update 5 for Exchange Server 2007, Outlook Web Access users find the font size of plain text messages is extremely small when they use some third-party Web browsers
  27. 961693 Japanese (1 byte Kana) characters in the subject and display name are corrupted when you try to reply or forward task requests or calendar items in Outlook client
  28. 962235 The date and time information for a “Follow Up” flag is missing if an Exchange 2007 user sends a message to an external recipient
  29. 966535 Duplicate messages are sent to an external recipient if the recipient is included in multiple distribution lists in an Exchange Server 2007 environment
  30. 967038 Many log entries are generated in Exchange Server 2007 if you turn on the Exchange log to audit the logons that do not use the primary account for shared resource mailboxes
  31. 967097 Users may receive duplicate calendar items for the updated instance on mobile devices
  32. 967109 A delegate cannot accept a meeting request for an online meeting in an Exchange Server 2007 environment
  33. 967255 Only the tracing information of the last user is logged when you configure Exchange Server 2007 to trace multiple users at the same time
  34. 968310 Many log entries are generated on an Exchange Server 2007 computer when you enable the Exchange log to audit user logons that do not use the primary account for their mailbox
  35. 968352 The W3wp.exe process crashes when you use the Italian version of the spelling checker on a message in Outlook Web Access in Exchange 2007
  36. 968589 The managed policy does not work if the ptagProvisionedFid attribute is missing in Exchange Server 2007
  37. 968673 The EdgeTransport.exe file of Exchange 2007 servers crashes continuously and Event ID 10003 and Event ID 5000 occur
  38. 968745 Incomplete tasks show in the Complete tasks view in OWA 2007 in an Exchange 2007 environment
  39. 968966 Many log entries are generated in Exchange Server 2007 if you turn on the Exchange log to audit administrator logons that do not use the primary account for mailboxes
  40. 969690 Unresolved sender for delivery status notifications after applying update rollup 7 for Exchange Server 2007 Service Pack 1
  41. 970687 A search operation in Outlook does not return a correct result if there is a corrupted HTML message in the target folder in an Exchange Server 2007 environment

Download the rollup here. It will be available via Windows Update May 26th.

Installation Notes:

If you haven’t installed Exchange Server yet, you can use the info at Quicker Exchange installs complete with service packs and rollups to save you some time.

Microsoft Update can’t detect rollups for Exchange 2010 servers that are members of a Database Availability Group (DAG). See the post Installing Exchange 2010 Rollups on DAG Servers for info, and a script, for installing update rollups.

Update rollups should be applied to Internet-facing Client Access Servers before being installed on non-Internet-facing Client Access Servers.

If you’re installing the update rollup on Exchange servers that don’t have Internet access, see “Installing Exchange 2007 & 2010 rollups on servers that don’t have Internet access” for some additional steps.

Creating a Receive Connector to Use for Sending Email from PowerShell

May 19th, 2009 8 comments

Some of the PowerShell scripts I use and/or write send email to either users or myself. In order for that to work, a Hub Transport server has to allow the SMTP traffic from the script. So, we need a receive connector that will allow the email to be sent under the right conditions. Here’s how we can easily accomplish that.

I find it best to run scripts that send email right from a Hub Transport server. So we’ll create a new receive connector called “Internal Relay” using the New-ReceiveConnector cmdlet, and set it to allow mail from itself. This is done with the -RemoteIPRanges parameter. We’ll set it to 127.0.0.1, the loopback address for the server.

Since we don’t need to authenticate, we’ll set -AuthMechanism to ‘none’, and set -PermissionGroups to ‘AnonymousUsers’.

Last, we’ll set it to enabled, and configure which server it should be on. Remember, it needs to be on a server holding the Hub Transport role.

New-ReceiveConnector -Name "Internal Relay" -Bindings 0.0.0.0:25 -RemoteIPRanges 127.0.0.1 -AuthMechanism Tls -Enabled $true -Fqdn "myserver.mydomain.com" -PermissionGroups AnonymousUsers -Server myserver

Change the highlighted info to suit your needs. I use 127.0.0.1 if I’ll be running the scripts on the local Exchange server.

We allow anonymous users to actually relay by granting the ‘ms-Exch-SMTP-Accept-Any-Recipient’ extended right to the Anonymous Logon account on the connector using Add-ADPermission. This is done using:

Get-ReceiveConnector "Internal Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

We can also grant NT Authority\Anonymous Logon the right to bypass anti-spam agents using:

Get-ReceiveConnector "Internal Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-exch-bypass-anti-spam"

We can pipe all of the commands together into a one-liner. The finished script looks like this:

New-ReceiveConnector -Name "Internal Relay" -Bindings 0.0.0.0:25 -RemoteIPRanges 127.0.0.1 -AuthMechanism Tls -Enabled $true -Fqdn "myserver.mydomain.com" -PermissionGroups AnonymousUsers -Server myserver | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient","ms-exch-bypass-anti-spam"

This gives us a connector that we can use to send email from PowerShell. Verify it by using:

Get-ReceiveConnector -Name "Internal Relay" | Get-ADPermission | ft User, ExtendedRights
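
The check above looks at one connector. As an added example (not part of the original post), this read-only audit lists every receive connector on which Anonymous Logon holds the relay right and shows whether its -RemoteIPRanges reach beyond loopback, since that scoping is the only thing limiting who can relay through it. It assumes a single-address range renders as a plain address string such as 127.0.0.1; the RelayScope column name is made up for this example.

```powershell
# Added example: audit anonymous-relay receive connectors and their source scope.
# Run in the Exchange Management Shell. Only Get-* cmdlets are used; nothing is changed.
$relayRight = "ms-Exch-SMTP-Accept-Any-Recipient"
$anon       = "NT AUTHORITY\ANONYMOUS LOGON"
# Assumption: a single-address entry in RemoteIPRanges converts to this string form.
$loopback   = "127.0.0.1", "::1"

Get-ReceiveConnector | ForEach-Object {
    $connector = $_

    # Allow entries (not Deny) that give Anonymous Logon the relay right.
    $aces = @($connector | Get-ADPermission | Where-Object {
        ($_.User -like $anon) -and
        (-not $_.Deny) -and
        ($_.ExtendedRights -like $relayRight)
    })

    if ($aces.Count -gt 0) {
        # Any allowed source range other than loopback widens who can relay.
        $wide = @($connector.RemoteIPRanges |
            Where-Object { $loopback -notcontains "$_" })

        if ($wide.Count -gt 0) {
            $scope = "WIDER THAN LOOPBACK"
        } else {
            $scope = "loopback only"
        }

        # RelayScope is a hypothetical column name added for this report.
        $connector | Select-Object Identity, Bindings, RemoteIPRanges, AuthMechanism,
            @{ Name = "RelayScope"; Expression = { $scope } }
    }
} | Format-List
```

A connector reported as "WIDER THAN LOOPBACK" accepts unauthenticated mail for any recipient from every address in the listed ranges, so each range should map to a host that is meant to relay.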

In the coming posts, we’ll use this to our advantage.