Error: “You cant use the domain because it’s not an accepted domain for your organization” when onboarding a mailbox to Exchange Online

Scenario:  You receive the following error message when you attempt to onboard a mailbox from Exchange On-Premises to Exchange Online:

“You cant use the domain because it’s not an accepted domain for your organization”

Solution:  Check the mailbox's email aliases (Get-mailbox steve | Select -expandproperty emailaddresses). The user account may have an invalid email alias OR an alias whose domain is not an accepted domain for the Exchange Online tenant.  For example, the On-Prem mailbox may have an alias of steve@xyz.com but @xyz.com is not an accepted domain in the cloud.  Either add that domain to the cloud OR remove the alias.
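The check above can be applied to every alias at once. The following is an added example, not part of the original post: it compares each SMTP alias against a list of accepted domains and returns the ones that would block onboarding. The function name Find-UnacceptedAlias and the sample addresses are assumptions constructed for illustration.

```powershell
function Find-UnacceptedAlias {
    param(
        [Parameter(Mandatory)] [string[]] $EmailAddresses,   # e.g. "SMTP:steve@abc.com"
        [Parameter(Mandatory)] [string[]] $AcceptedDomains   # e.g. "abc.com"
    )
    foreach ($address in $EmailAddresses) {
        # Proxy addresses look like "prefix:value"; only smtp entries carry a mail domain
        $prefix, $value = $address -split ':', 2
        if ($prefix -ne 'smtp') { continue }   # -ne ignores case, so SMTP and smtp both pass

        $at = $value.LastIndexOf('@')
        if ($at -lt 1 -or $at -eq $value.Length - 1) {
            # Malformed alias: missing local part or missing domain
            [pscustomobject]@{ Address = $address; Domain = $null; Reason = 'Invalid address' }
            continue
        }

        $domain = $value.Substring($at + 1)
        if ($AcceptedDomains -notcontains $domain) {
            [pscustomobject]@{ Address = $address; Domain = $domain; Reason = 'Domain not accepted' }
        }
    }
}

# Constructed sample data. In a live shell the inputs would come from
#   (Get-Mailbox steve).EmailAddresses      (on-premises session)
#   (Get-AcceptedDomain).DomainName         (Exchange Online session)
$aliases  = 'SMTP:steve@abc.com', 'smtp:steve@xyz.com', 'smtp:steve@', 'X500:/o=Org/cn=steve'
$accepted = 'abc.com', 'abc.mail.onmicrosoft.com'

Find-UnacceptedAlias -EmailAddresses $aliases -AcceptedDomains $accepted | Format-Table -AutoSize
```

With the sample data it reports smtp:steve@xyz.com as "Domain not accepted" and smtp:steve@ as "Invalid address"; the primary address and the X500 entry are not flagged.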

Disconnect Terminal Sessions via PowerShell on Remote Servers/Computers

Scenario:  You want to disconnect all remote sessions on Servers/Computers via PowerShell remotely.

Script:

#Disconnect Terminal Sessions via PowerShell################

#Gather the Servers in the $Servers Variable

$Servers = get-exchangeserver Exch* | Select -expandproperty Name

#Gather the Sessions
$TS = $Servers | %{
$computer = $_
quser /server:$computer 2>&1 | Select-Object -Skip 1 | ForEach-Object {
                # Collapse runs of whitespace to one space, then split the row into columns
                $CurrentLine = $_.Trim() -Replace '\s+',' ' -Split '\s'
                $HashProps = @{
                    UserName = $CurrentLine[0]
                    ComputerName = $Computer
                }

                # If session is disconnected different fields will be selected
                if ($CurrentLine[2] -eq 'Disc') {
                        $HashProps.SessionName = $null
                        $HashProps.Id = $CurrentLine[1]
                        $HashProps.State = $CurrentLine[2]
                        $HashProps.IdleTime = $CurrentLine[3]
                        $HashProps.LogonTime = $CurrentLine[4..($CurrentLine.GetUpperBound(0))] -join ' '
                } else {
                        $HashProps.SessionName = $CurrentLine[1]
                        $HashProps.Id = $CurrentLine[2]
                        $HashProps.State = $CurrentLine[3]
                        $HashProps.IdleTime = $CurrentLine[4]
                        $HashProps.LogonTime = $CurrentLine[5..($CurrentLine.GetUpperBound(0))] -join ' '
                }

                New-Object -TypeName PSCustomObject -Property $HashProps | Select-Object -Property UserName,ComputerName,SessionName,Id,State,IdleTime,LogonTime,Error
                }

}

#Disconnect the Sessions
#Note: rwinsta (reset session) deletes the session rather than leaving it disconnected, so unsaved work in it is lost
$TS | %{
    $id = $_.id
    $Name = $_.computerName
    $User = $_.Username
    rwinsta $ID /server:$name
    # Only report success when rwinsta returned exit code 0
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Session $Id for $User on $Name successfully disconnected"
    } else {
        Write-Warning "Session $Id for $User on $Name could not be disconnected (exit code $LASTEXITCODE)"
    }
}
#######################################################

 

“Can’t remove the access control entry on the object “CN=TestUser,DC=xyz,DC=com” for account “xyz\steve” because the ACE doesn’t exist on the object.”

Scenario:  You are attempting to remove the full access permission on a mailbox by running the remove-mailboxpermission command:

remove-mailboxpermission TestUser -user steve -accessrights Fullaccess -confirm:$False

But you are receiving this error :

Warning= “Can’t remove the access control entry on the object “CN=TestUser,DC=xyz,DC=com” for account “xyz\steve” because the ACE doesn’t exist on the object.”

Clearly the permission exists when you check with the get-mailboxpermission.

 

Solution:  Append -deny:$True to the end of the PowerShell command and try it again.

remove-mailboxpermission TestUser -user steve -accessrights Fullaccess -confirm:$False -deny:$True

Get-ADUser to find Exchange Mailboxes

Scenario:  You want to use Get-ADUser to find all Exchange mailboxes in your environment.

Scriptlet:   Running the following will provide you with the detail:

#First, let's store some results into $1 for every mailbox
$1 = Get-ADUser -filter {HomeMDB -ne '$null'} -Properties MailNickName, HomeMDB, DisplayName | Select MailNickName, HomeMDB, DisplayName

#Now it's time to play with your data

#Grab a count of mailboxes excluding the HealthMailboxes
($1 | Where MailNickName -notlike "HealthMailbox*").Count

#Grab a count of mailboxes per DB excluding the HealthMailboxes
$1 | Where MailNickName -notlike "Healthmailbox*" | Group HomeMDB | Sort Name

#Filter mailboxes on a specific database
$1 | Where HomeMDB -like "CN=DB01*"

 

Get a list of all users that have a target address of a specific domain

Scenario:  You wish to see how many remote mailboxes have the correct email domain configured for their remote routing address (TargetAddress).  You want to perform an AD PowerShell query for speed.

Scriptlet:

Get-ADuser -filter {TargetAddress -like "*.mail.onmicrosoft.com"} | Select Name, TargetAddress

OR you just want a count:

(Get-ADuser -filter {TargetAddress -like "*.mail.onmicrosoft.com"} | Select Name, TargetAddress).count

Check MountPoints for Database

Scenario:  You use mountpoints in your Exchange organization and you want to check for specific disk information for your mountpoints by database name.   Note: The label of the mountpoint reflects the database name.

Script:

 

#Enter the DB Variable
$Db = "DB01"
#Script
$Servers = Get-mailboxdatabasecopystatus $DB | Select -ExpandProperty MailboxServer
$1 = @()
$Servers | %{
    "Checking on $_ for $Db"
    $1+= Invoke-Command -Computer $_ -argumentlist $db -ScriptBlock {Get-WmiObject win32_volume | Where label -like $args[0] | Select Name, Label, FreeSpace, FileSystem, SerialNumber}
}
#ViewResults
$1

 

Cleanup Mobile Devices older than 180 Days

Scenario:  You want a script that will remove all mobile devices older than 180 days.  You also want to report the CAS Mailboxes that have a mobile device partnership and the list of mobile devices removed.

Scriptlets:

Here are the commands broken down by output type:

#Collect CasMailboxes with Mobile Devices
$cas = Get-CASMailbox -ResultSize unlimited -Filter {(HasActiveSyncDevicePartnership -eq $true)} | Select -expandproperty Identity

#Export a List of Cas Mailboxes
#Wrap each identity in an object so the CSV gets an Identity column instead of the string's Length
$cas | Sort | %{ [pscustomobject]@{ Identity = "$_" } } | Export-csv C:\temp\CASmailbox.csv

#Collect devices older than 180 days old
$device = @()
$cas | sort | %{
"Checking $_"
$device += Get-MobileDeviceStatistics -Mailbox $_ | Where-Object {$_.LastSuccessSync -le ((Get-Date).AddDays(-180))}
}

#Export-csv Stale Devices
$Device | Export-csv C:\temp\StaleDevices.csv

#Remove Mobile Devices
$Device | Remove-mobiledevice -confirm:$false

Outlook’s Autodiscover Redirect Limit – Hybrid Autodiscover Breaking for Exchange Online Mailboxes / Remote On-Premises Mailboxes

Scenario:  After introducing additional Exchange On-Premises servers, we noticed that Autodiscover stopped working for our Exchange Online Hybrid mailboxes that were on computers internal to the domain. Using the ‘Test E-mail AutoConfiguration’ feature in Outlook, it would fail after the SCP/DNS autodiscover lookup.

Reason:  Outlook has an Autodiscover Redirect limit of 8-10 responses.  Since we had more than 10 servers in our Exchange Infrastructure, once it hit the response limit from each SCP lookup for each server, it would then fail all redirects thereafter. You do not need 100 SCP failures if it's going to fail after the first 10 servers.

Solution:  You can reduce the number of SCP lookups by performing any of the following.

  1. Set the AutoDiscoverSiteScope value on each Exchange server so it only serves requests for each  AD Site via the following command:  Set-ClientAccessServer ExSrv1 -autodiscoversitescope NewYork   (Or a combination NewYork,Baltimore,Tampa)
  2. Set the AutoDiscoverSiteScope to $null so it does not participate in SCP lookups via the following command: Set-ClientAccessServer ExSrv1 -AutodiscoverSiteScope $null
  3. Set the AutoDiscoverServiceInternalURI to $null so it does not participate in SCP lookups via the following command: Set-ClientAccessServer ExSrv1 -AutodiscoverServiceInternalURI $null

 

Determine the effective management roles assigned to an Exchange Administrator

Scenario: You want to view/verify the management roles assigned to Exchange Administrators.

Scriptlet:

To view a list of management roles for every Exchange Administrator, run:

Get-ManagementRoleAssignment -GetEffectiveUsers

If you are looking for a specific user, run:

Get-ManagementRoleAssignment -GetEffectiveUsers | Where { $_.EffectiveUserName -like "steveadm1" }
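To turn that listing into a review, the effective assignments can be compared against an approved baseline. This is an added example, not part of the original post; the function name Find-UnexpectedRoleAssignment, the baseline format and the sample rows are assumptions constructed for illustration.

```powershell
function Find-UnexpectedRoleAssignment {
    param(
        [Parameter(Mandatory)] [object[]]  $Assignments,  # objects with EffectiveUserName and Role
        [Parameter(Mandatory)] [hashtable] $Baseline      # user name -> approved role names
    )
    $Assignments |
        Where-Object { $_.EffectiveUserName } |
        Group-Object EffectiveUserName |
        ForEach-Object {
            $user   = $_.Name
            # De-duplicate: the same role can reach a user through several role groups
            $actual = @($_.Group | ForEach-Object { "$($_.Role)" } | Sort-Object -Unique)
            # Users missing from the baseline have no approved roles at all
            $approved = if ($Baseline.ContainsKey($user)) { @($Baseline[$user]) } else { @() }

            $extra = @($actual | Where-Object { $approved -notcontains $_ })
            if ($extra.Count -gt 0) {
                [pscustomobject]@{
                    User            = $user
                    InBaseline      = $Baseline.ContainsKey($user)
                    UnapprovedRoles = $extra -join ', '
                }
            }
        }
}

# Constructed sample rows shaped like Get-ManagementRoleAssignment -GetEffectiveUsers output
$sample = @(
    [pscustomobject]@{ EffectiveUserName = 'steveadm1'; Role = 'Mail Recipients' }
    [pscustomobject]@{ EffectiveUserName = 'steveadm1'; Role = 'Mailbox Import Export' }
    [pscustomobject]@{ EffectiveUserName = 'helpdesk1'; Role = 'View-Only Recipients' }
)
# Assumed baseline: steveadm1 is approved for Mail Recipients only
$baseline = @{ steveadm1 = @('Mail Recipients') }

Find-UnexpectedRoleAssignment -Assignments $sample -Baseline $baseline
```

With the sample data it flags steveadm1 for Mailbox Import Export and helpdesk1 (not in the baseline) for View-Only Recipients. In a live shell, pass the output of Get-ManagementRoleAssignment -GetEffectiveUsers as -Assignments.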

Send on Behalf not working Externally

Scenario:  When ‘Sending on Behalf’ to an internal recipient, the sender displays correctly/as expected:

Steven on behalf of TestService123

BUT, when “Sending on Behalf” to an external recipient, how the sender line displays is unpredictable.  It may show only the email address of the mailbox you sent on behalf of and may not include your delegated email address.

TestService123 (TestService123@domain.com)

Reason:  The “Send on Behalf” feature is an Exchange feature.  Unless the external mail system knows how to process both the ‘From’ and ‘Sender’ header lines, it may show the message as coming only from the ‘From’ address (the email address you sent on behalf of) and not include your delegated email address.
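The difference between the two displays comes down to which headers the receiving client reads. This is an added example, not part of the original post: it parses a message's headers and shows both renderings side by side. The function name Get-SenderDisplay and the delegate address steven@domain.com are assumptions constructed for illustration.

```powershell
function Get-SenderDisplay {
    param([Parameter(Mandatory)] [string] $RawHeaders)

    # Unfold continuation lines: a line starting with space or tab continues the previous header
    $unfolded = $RawHeaders -replace '\r?\n[ \t]+', ' '

    $headers = @{}
    foreach ($line in ($unfolded -split '\r?\n')) {
        if ($line -match '^(?<name>[^:\s]+):\s*(?<value>.*)$') {
            $name = $Matches['name'].ToLowerInvariant()
            # Keep the first occurrence of each header
            if (-not $headers.ContainsKey($name)) { $headers[$name] = $Matches['value'].Trim() }
        }
    }
    if (-not $headers.ContainsKey('from')) { throw 'No From header found' }

    $fromAddr   = [System.Net.Mail.MailAddress]::new($headers['from'])
    $senderAddr = if ($headers.ContainsKey('sender')) { [System.Net.Mail.MailAddress]::new($headers['sender']) }

    # Sent on behalf: a Sender header exists and names a different address than From
    $onBehalf = $null -ne $senderAddr -and $senderAddr.Address -ne $fromAddr.Address

    $fromName   = if ($fromAddr.DisplayName) { $fromAddr.DisplayName } else { $fromAddr.User }
    $senderName = if ($onBehalf -and $senderAddr.DisplayName) { $senderAddr.DisplayName }
                  elseif ($onBehalf) { $senderAddr.User }

    [pscustomobject]@{
        From              = $fromAddr.Address
        Sender            = if ($senderAddr) { $senderAddr.Address }
        SentOnBehalf      = $onBehalf
        SenderAwareClient = if ($onBehalf) { "$senderName on behalf of $fromName" } else { $fromName }
        FromOnlyClient    = "$fromName ($($fromAddr.Address))"
    }
}

# Constructed sample headers; the Subject line is folded to exercise the unfolding step
$raw = @"
From: TestService123 <TestService123@domain.com>
Sender: Steven <steven@domain.com>
Subject: Quarterly
 report
"@

Get-SenderDisplay -RawHeaders $raw | Format-List
```

For the sample message, SenderAwareClient is "Steven on behalf of TestService123" and FromOnlyClient is "TestService123 (TestService123@domain.com)". The Sender value is the field to inspect when you need to know which delegate actually sent a message.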