Understanding DSNs and NDRs

Common Enhanced Status Codes

  • 4.3.1 – Insufficient system resources
  • 4.3.2 – System not accepting network messages
  • 4.4.1 – Connection timed out
  • 4.4.2 – Connection dropped
  • 4.4.7 – Message expired
  • 5.0.0 – HELO / EHLO requires domain address
  • 5.1.0 – Sender denied
  • 5.1.1 – Bad destination mailbox address
  • 5.1.2 – Invalid X.400 address
  • 5.1.3 – Invalid recipient address
  • 5.1.4 – Destination mailbox address ambiguous
  • 5.1.7 – Invalid address
  • 5.2.1 – Mailbox cannot be accessed
  • 5.2.2 – Mailbox full
  • 5.2.3 – Message too large
  • 5.2.4 – Mailing list expansion problem
  • 5.3.3 – Unrecognized command
  • 5.3.4 – Message too big for system
  • 5.3.5 – System incorrectly configured
  • 5.4.4 – Invalid arguments
  • 5.4.6 – Routing loop detected
  • 5.5.2 – Send hello first
  • 5.5.3 – Too many recipients
  • 5.5.4 – Invalid domain name
  • 5.5.6 – Invalid message content
  • 5.7.1 – Delivery not authorized
  • 5.7.1 – Unable to relay
  • 5.7.1 – Client was not authenticated
  • 5.7.3 – Not Authorized

More about understanding DSNs and NDRs

Enhanced Status Codes for Delivery
Request for Comments (RFC) 1893 provides an enhanced set of status codes for Delivery Status Notification (DSN) messages. This is an extension of the coding defined in RFC 821. The error codes in RFC 821 are designed to deal with messaging, and are not as useful for DSN messages. The code specified in the “More Information” section provides a more specific, flexible system of coding for DSN messages (non-delivery reports, read and delivery receipts, and so on). The Enhanced Status Codes provide a standard mechanism for reporting mail system errors, and provide more meaningful information than the standard error codes defined in the SMTP RFC (821).

2.X.X Success
4.X.X Persistent Transient Failure
5.X.X Permanent Failure

X.1.0 Other address status
X.1.1 Bad destination mailbox address
X.1.2 Bad destination system address
X.1.3 Bad destination mailbox address syntax
X.1.4 Destination mailbox address ambiguous
X.1.5 Destination mailbox address valid
X.1.6 Mailbox has moved
X.1.7 Bad sender’s mailbox address syntax
X.1.8 Bad sender’s system address

X.2.0 Other or undefined mailbox status
X.2.1 Mailbox disabled, not accepting messages
X.2.2 Mailbox full
X.2.3 Message length exceeds administrative limit
X.2.4 Mailing list expansion problem

X.3.0 Other or undefined mail system status
X.3.1 Mail system full
X.3.2 System not accepting network messages
X.3.3 System not capable of selected features
X.3.4 Message too big for system

X.4.0 Other or undefined network or routing status
X.4.1 No answer from host
X.4.2 Bad connection
X.4.3 Routing server failure
X.4.4 Unable to route
X.4.5 Network congestion
X.4.6 Routing loop detected
X.4.7 Delivery time expired

X.5.0 Other or undefined protocol status
X.5.1 Invalid command
X.5.2 Syntax error
X.5.3 Too many recipients
X.5.4 Invalid command arguments
X.5.5 Wrong protocol version

X.6.0 Other or undefined media error
X.6.1 Media not supported
X.6.2 Conversion required and prohibited
X.6.3 Conversion required but not supported
X.6.4 Conversion with loss performed
X.6.5 Conversion failed

X.7.0 Other or undefined security status
X.7.1 Delivery not authorized, message refused
X.7.2 Mailing list expansion prohibited
X.7.3 Security conversion required but not possible
X.7.4 Security features not supported
X.7.5 Cryptographic failure
X.7.6 Cryptographic algorithm not supported
X.7.7 Message integrity failure

More about enhanced Status Codes for Delivery – RFC 1893

Exchnage 2010 – OAB reported error (0x801901B8)

I noticed OAB related issue after migration from Ex2007 to EX2010 in one AD site. Migrated users were not able to download Offline Address Book. Downloading process failed with error:

Task ‘test@ficility.net’ reported error (0x801901B8) : ‘The operation failed.’

Exchange related cmdlets:







Outlook check (check from end-user point of view):

When I tried to open OAB xml (https://mail.ficility.net/OAB/f050e98b-46d4-46d5-a094-3d7b4f001b8f/oab.xml) in web browser by test account, the owa was opened instead of xml file. Due to this reason IIS configuration needed to be checked.

Problem was caused by enabled http redirect on the OAB virtual directory in IIS configuration.

Related article: Troubleshooting Offline Address Book Issues in Exchange 2010

Solution: To solve this problem simply clear the http redirect on CAS servers + iisreset /noforce (Use the /noforce parameter to help prevent data loss in case the IIS services cannot be stopped within the one minute time-out period. If you are certain that it is safe to force IIS to restart, you can omit the /noforce parameter. However, be aware that you could lose data if you do not include this parameter.).

Other useful links:

Exchange 2010 – Get-ExchangeDatabaseInfo

The fuction Get-ExchangeDatabaseInfo has been created due to missing cmdlet like MailboxDatabaseStatistics that could be useful for report or statisticspurpose. The fuction is aimed to get more database information from disk/statistic point of view. If you are interested just copy/import the function to PS session and create (use help Get-ExchangeDatabaseInfo) a report for your organization.

– Report purpose ONLY (only “get” cmdlets).
– It supports only MS Exchange 2010 environment (AdminDisplayVersion 14*) and its Exchange Management Shell runspace.
– Processing time depends on Exchnage organization size (could spend couple of minutes). Procesing time is INCREASED by using parametr “Properties”.

Example – How to use the function:

Get-MailboxDatabaseInfo -LocalHost -Properties

Get-MailboxDatabaseInfo -AllMailboxServers -Properties | Export-Csv -path C:\DbReport.csv

$a = Get-MailboxDatabaseInfo -LocalHost -MailboxServer ExTest01 
$a | ft reportedserver,dbname,*free* -autosize
$a | ft reportedserver,log* -autosize

Example – Output for an one database:

Example – Tips for output:

More datails soon… sorry

Download: Get-ExchangeDatabaseInfo.ps1

Please use right-click and “Save as” for downloading ps1 file otherwise the link shows source code in the same window.

Exchange 2013 configuration part 1. – DAG

DAG description

  • DAG is a forming block for site resilience and data loss prevention as it was in Exchange 2010
  • DAG can consist of 16 nodes forming a group, which protects data from DB, Server and site failures
  • Data protection is on database level (Multiple copies of the same database, where only one copy is active at the same time)
  • Database copy activation is maintained by “Active Manager” which runs on every Exchange server within DAG
  • Active Manager is a part of MS Exchange Replication service (MSExchangeRepl.exe)
  • Active Manager is repsonsible for switchover (moving active copy to another node hosting passive copy of DB) and failover (automatic move of all active DBs to another nodes in case of server failure)

How to manage DAG in Exchange 2013

We can use 2 ways of DAG management in Exchange 2013. Powershell and Exchange Administration Center (Exchange Management Console is not present anymore in Exchange 2013

DAG prerequisites

DAG is simple to be configured, however there are several things to consider before actual configuration:

  • Static IP addresses (If we are going to use static IP addresses, we should register DNS A record prior DAG configuration
  • File Share Witness location – FSW can be automatically configured (usually will be placed on HUB server if it doesnt have Mailbox role on it) or you can configure FSW on other domain server specified by you. FSW can be either placed on DC, which is not supported but possible configuration and it will be also my case, because on my LAB I have only 2xDC, 2x Exchange 2013 multirole server and 1x Exchange 2010 multirole server.
  • At least one replication network should be reserverd and it is recommended to have separate backup segment for mailbox database and system backup (in my case I will only have separate replication network and nodedicated backup network)

Creating DAG

  • DNS A record has been created witg E13DAG and pointing to DAG IP address
  • Replication network has been added to virtual machines and basic configuration was made (no default GW is needed)
  • Networks priority has been changed to order Production -> Replication -> Backup (if applicable) Open the Network and Sharing center ->Change adapter settings ->  Hold Alt key  and select advanced settings:

  • Witness Directory has been created on DC1 and DC2 servers c:FSWEX13DAG
  • DAG has been created by issuing the following command
New-DatabaseAvailabilityGroup -Name E13DAG -WitnessServer DC1 -WitnessDirectory C:FSWE13DAG1 -DatabaseAvailabilityGroupIPAddress
  • Adding nodes to DAG (this task will automatically install Failover clistering to Windows server hodting mailbox role for DAG. Failover Clustering is essential component for creating Active Manager and “Quorum” for DAG)
Add-DatabaseAvailabilityGroupServer -Identity E13DAG -MailboxServer FrontEnd1
  • After second node is added, go to your witness server and check if data has been written to WitnessDirectory. If yes, your FSW is configured correctly. If you have ODD (1,3,5,7..) number of nodes in the DAG, FSW will not be used (will stay empty or with the directory with the last timestapm, when DAG had EVEN number of nodes).

DAG Network configuration

DAG is set to automatic network configuration as default option. This means that we are not able to change any network settings for the DAG. To set DAG to manual mode we will use the following command:

Set-DatabaseAvailabilityGroup E13DAG -ManualDAGNetworkConfiguration $true

After DAG Network configuration is set to manual mode, we can create new DAG networks, assign subnets to them and then remove automatically configured networks from DAG assignment. We can specify which network to use efor clients and which for replication or keep it as default (both enabled for clients and replication)

  • Adding production (client or “MAPI” network with disabled replication)
New-DatabaseAvailabilityGroupNetwork E13DAG -Name Production
Set-DatabaseAvailabilityGroupNetwork E13DAGProd -Name Production -Description Production -ReplicationEnabled $false -Subnets
  • Adding replication network with disabled client access
New-DatabaseAvailabilityGroupNetwork E13DAG -Name Replication

Set-DatabaseAvailabilityGroupNetwork E13DAGRepl -Name Replication -Description Replication -ReplicationEnabled $true -Subnets
  • checking network configuration
Get-DatabaseAvailabilityGroupNetwork E13DAG* | fl

DAC mode setting, alternate FSW

This also stays the same as it was in Exchange 2010.  To activate DAC mode DAG must have more than 2 nodes! Note: The directories on WitnessServer and AlternateWitnessServer must be the same (Path, name, share)

Get-DatabaseAvailabilityGroup E13DAG | Set-DatabaseAvailabilityGroup -DatacenterActivationMode DAGOnly -AlternateWitnessDirectory c:FSWE13DAG -AlternateWitnessServer DC2

Gathering Active Manager status

Gathering Active Manager status works as same way as in Exchange 2010: Article is https://exkb.wordpress.com/2012/09/02/exchange-2010-dag-active-manager-determinemove/

Gathering DAG status

This is regular command but it is very important. There are a list of active nodes, nodes under maintenance etc. To gather this info we need to use parameter -Status.

Get-DatabaseAvailabilityGroup E13DAG -Status | fl

In next article I will describe Store differences btween Exchange 2010 and Exchange 2013

Exchange 2010 – How to move edb file (Move-DatabasePath)


I had to change storage for one database in DAG (two nodes). I wanted to also keep the path for database file and log folder same like before.

I got a new storage available as mounted point F:\DB1 on both nodes (it needs to be on both nodes because of DAG) and had following configuration:

Get-MailboxDatabase | ft Name,LogFolderPath, EdbFilePath
Name    LogFolderPath EdbFilePath
----    ------------- -----------
DB01    F:\DB01       F:\DB01\DB01.edb

We can change/move database quite simple via EMC or EMS. I like PowerShell so I used Exchange Management Shell and build-in cmdlet Move-DatabasePath:

  • This cmdlet fails if it’s run while the database is being backed up.
  • If the specified database is mounted when this cmdlet is run, the database is automatically dismounted and then remounted, and is unavailable to users while it’s dismounted.
  • This cmdlet normally can be run on the affected Mailbox server only. An exception is that this cmdlet can be run on an administrator’s workstation when using the ConfigurationOnly parameter with a value of $true.
  • This cmdlet can’t be run against replicated mailbox databases. To move the path of a replicated database, you must first remove all replicated copies, and then you can perform the move operation. After the move operation is complete, you can add copies of the mailbox database.

Well, I performed following steps:

  • Move active mailbox database on server with ActivationPreference number 1. It prevents to lose information about the preference because of two nodes (If you have more nodes, you should save original declaration of ActivationPreference).
Get-MailboxDatabase DB01 | fl name, ActivationPreference 
Name : DB01
ActivationPreference : {[ServerA, 1], [ServerB, 2]}

Move-ActiveMailboxDatabase DB01 -ActivateOnServer ServerA –MountDialOverride lossless
  • Remove mailbox database copy
Remove-MailboxDatabaseCopy -Identity DB01\ServerB
  • Move database file and log folder (database will be dismounted, moved and mounted itself). I also manually copied database file (DB01.edb) from F:\DB01 to F:\DB1 on ServerB (passive node) because it prevents to do the seeding (the process in which a copy of a mailbox database is added to another Mailbox server in a database availability group (DAG)).
Move-DatabasePath -Identity DB01 -EdbFilePath F:\DB1\DB01.edb -LogFolderPath F:\DB1
  • After the moving (Move-DatabasePath passed ok/ the database was mounted + copy process was also done on passive node). I dismounted the database manually (Dismount-Database DB01) and renamed mounted points on both nodes (F:\DB01 → F:\DB01OLD, F:\DB1 → F:\DB01) and used cmdlet Move-DatabasePath with parameter ConfigurationOnly (The ConfigurationOnly switch specifies whether the configuration of the database changes without moving any files. A value of $true changes the configuration. A value of $false changes the configuration and moves the files. The default value is $false.).
Move-DatabasePath -Identity DB01 -EdbFilePath F:\DB01\DB01.edb -LogFolderPath F:\DB01 -ConfigurationOnly:$true
  • After that, I mounted the database manually (Mount-Database DB01) and create database copy on ServerB (parameter ActivationPreference was not needed at this point, but could be useful for you and more copies)
Add-MailboxDatabaseCopy -Identity DB01 -MailboxServer ServerB -ActivationPreference 2
  • Index Catalog rebuilding for the database was needed (old index related folder can be removed new one is consequently created)
Get-Service MSExchangeSearch | Stop-Service
Get-Service MSExchangeSearch | Start-Service
  • Check
get-mailboxserver|Get-MailboxDatabaseCopyStatus| ft -a
Name Status CopyQueueLength ReplayQueueLength LastInspectedLogTime ContentIndexState
---- ------ --------------- ----------------- -------------------- -----------------
DB01\ServerA Mounted 0 0 Crawling
DB03\ServerB Mounted 0 0 Crawling
  • The database had about 200 GB so the ContentIndexState was in “Crawling” state many hours but it was changed to “Healthy” state itself. Good to know that: If we do not have “Healthy” ContentIndexState, we cannot do failover process (Move-ActiveMailboxDatabase) and end-users are not able to search mailbox content.

Technet.microsoft.com: Move the Database Path

Social.technet.microsoft.com: Edb.irs.raw file

Cannot Activate Database Copy: Content Index Catalog Files in Failed State

ContentIndexState STILL CRAWLING?

Exchange 2010 – How to check mailbox limits

Mailbox limits can be checked through cmdlet Get-MailboxStatistics

We can also calculate mailbox sizes based on a database as can be seen in article: How to Calculate Exchange 2010 Mailbox Sizes with PowerShell

  • Get-Mailbox -Database DB01 | Get-MailboxStatistics | ft displayname,totaldeleteditemsize,totalitemsize
  • Get-Mailbox -Database DB01 | Get-MailboxStatistics | %{$_.TotalItemSize.Value.ToMB()} | Measure-Object -sum -average -max -min

Quotas on mailbox/database can be checked:

  • Get-MailboxDatabase DB01 | fl *quota*
  • Get-Mailbox "TestUser" | fl *quota*

Be careful: Items in the “dumpster/recover deleted items” do not count against database limits.

Exchange Server Forums: Dumpster count towards the mailbox Quota/Size

Understanding Recoverable Items

The Recoverable Items folder contains the following subfolders:

  • Deletions – This subfolder contains all items deleted from the Deleted Items folder. (In Outlook, you can soft delete an item by pressing Shift+Delete.) This subfolder is exposed to users through the Recover Deleted Items feature in Outlook and Outlook Web App.
  • Versions – If either litigation hold or single item recovery is enabled, this subfolder contains the original and modified copies of the deleted items. This folder isn’t visible to end users.
  • Purges – If either litigation hold or single item recovery is enabled, this subfolder contains all items that are hard deleted. This folder isn’t visible to end users.
  • Audits – If mailbox audit logging is enabled for a mailbox, this subfolder contains the audit log entries.

XADM: Understanding Deleted Item Retention and Message Deletion

XCLN: Understanding Deleted Item Recovery

Outlook – Tips For Cleaning Up Your Mailbox

Exchange Server 2010 – Failover and Maintenance


Database status

  • PS C:\> Get-DatabaseAvailabilityGroup
  • PS C:\> Get-MailboxDatabase -Status | select Identity,MountedOnServer,ActivationPreference,MasterServerOrAvailabilityGroup,MaintenanceSchedule

Quorum check/move

  • PS C:\> Cluster DAG1 group
  • PS C:\> Cluster group "cluster group" /status
  • PS C:\> Cluster group "cluster group" /move

Database status through organization

  • PS C:\> Get-MailboxServer | Get-MailboxDatabaseCopyStatus
  • PS C:\> (Get-MailboxDatabase | Get-MailboxDatabaseCopyStatus | where {$_.Status -eq "Mounted"}).Count


Managing Database Availability Groups

Before performing any type of software or hardware maintenance on a DAG member, you should first remove the DAG member from service by using the StartDagServerMaintenance.ps1 script (just find Exchange Scripts directory for example“D:\Exchange Server\Scripts”). This script moves all the active databases off the server and blocks active databases from moving to that server. The script also ensures that all critical DAG support functionality that may be on the server (for example, the Primary Active Manager (PAM) role) is moved to another server and blocked from moving back to the server. Specifically, the StartDagServerMaintenance.ps1 script performs the following tasks:

  • Runs Suspend-MailboxDatabaseCopy with the ActivationOnly parameter to suspend each database copy hosted on the DAG member for activation.
  • Pauses the node in the cluster, which prevents the node from being and becoming the PAM.
  • Sets the value of the DatabaseCopyAutoActivationPolicy parameter on the DAG member to Blocked.
  • Moves all active databases currently hosted on the DAG member to other DAG members.
  • If the DAG member currently owns the default cluster group, the script moves the default cluster group (and therefore the PAM role) to another DAG member.
  • If any of the preceding tasks fails, all operations, except for successful database moves, are undone.

After the maintenance is complete and the DAG member is ready to return to service, you can use the StopDagServerMaintenance.ps1 script to take the DAG member out of maintenance mode and put it back into production. Specifically, the StopDagServerMaintenance.ps1 script performs the following tasks:

  • Runs the Resume-MailboxDatabaseCopy cmdlet for each database copy hosted on the DAG member.
  • Resumes the node in the cluster, which enables full cluster functionality for the DAG member.
  • Sets the value of the DatabaseCopyAutoActivationPolicy parameter on the DAG member to Unrestricted.
  • Both scripts accept the -ServerName parameter (which can be either the host name or the fully qualified domain name (FQDN) of the DAG member) and the -WhatIf parameter. Both scripts can be run locally or remotely. The server on which the scripts are executed must have the Windows Failover Cluster Management tools installed (RSAT-Clustering).

Installing Update Rollups on DAG Members:

  1. Use the StartDagServerMaintenance.ps1 script to put the DAG member in maintenance mode.
  2. Install the update rollup.
  3. Use the StopDagServerMaintenance.ps1 script to take the DAG member out of maintenance mode and put it back into production.
  4. Use the RedistributeActiveDatabases.ps1 script to rebalance the active database copies across the DAG.
  • 1. PS C:\>.\StartDagServerMaintenance.ps1 –serverName MbxServer01
  • 2. PS C:\> Restart-Computer
  • 3. PS C:\>.\StopDagServerMaintenance.ps1 –serverName MbxServer01
  • 4. PS C:\>.\RedistributeActiveDatabases.ps1 -DagName DAG01 –BalanceDbsByActivationPreferenc

Switchover Server

  • PS C:\> Move-ActiveMailboxDatabase -Server MbxServer01
  • PS C:\> Move-ActiveMailboxDatabase -Server MbxServer01 -ActivateOnServer MbxServer02 -MountDialOverride lossless

Switchover Active Database

  • PS C:\> Move-ActiveMailboxDatabase DB01 -ActivateOnServer MbxServer02 -MountDialOverride lossless

Cannot Activate Database Copy – Content Index Catalog Files in Failed State:

  • PS C:\> Update-MailboxDatabaseCopy "DB01\MbxServer01" –CatalogOnly

How to Reseed a Failed Mailbox Database Copy in Exchange Server 2010:

  • PS C:\> Suspend-MailboxDatabaseCopy -Identity "DB01\MbxServer01"
  • PS C:\> Update-MailboxDatabaseCopy -Identity "DB01\ MbxServer01" -DeleteExistingFiles




  • PS C:\> Test-ServiceHealth
  • PS C:\> Test-Mailflow -TargetDatabase MbxServer02
  • PS C:\> Test-ReplicationHealth


You can use built-in test account or an account $cred=Get-Credential fici\admin:
You must create a test account before you can diagnose Availability service issues using the Test-OutlookWebServices cmdlet. To create the test mailbox, log on to the Exchange Server 2007 or Exchange 2010 Mailbox server. Open the Shell, and then locate the Scripts directory under the installation path on the Exchange server. For Exchange 2007, the folder is located at C:\Program Files\Microsoft\Exchange Server\Scripts, where C:\ is the directory to which you installed Exchange. For Exchange 2010, the folder is located at C:\Program Files\Microsoft\ExchangeServer\V14\Scripts, where C:\ is the directory to which you installed Exchange 2010. Run the script New-TestCasConnectivityUser.ps1. Repeat this process on each Exchange 2007 or Exchange 2010 Mailbox server that is to be tested.

Related issue solved here: Mailbox could not be created. Verify that OU (Users) exists and that password meets complexity requirements…

  • PS C:\> Test-ServiceHealth
  • PS C:\> Test-WebServicesConnectivity -MailboxCredential $cred OR Test-WebServicesConnectivity
  • PS C:\> Test-OwaConnectivity -MailboxCredential $cred -url "https://outlook.fici.net/owa"
  • PS C:\> Test-ActiveSyncConnectivity -MailboxCredential $cred -URL https://outlook.fici.net/Microsoft-Server-ActiveSync
  • PS C:\> Test-MAPIConnectivity


  • PS C:\> Test-ServiceHealth
  • PS C:\> Get-TransportServer|Get-Queue|fl Identity,Status,MessageCount


ExchangeServerPro.com provides us two great scripts for health check/report.

  1. PowerShell Script to Generate a Health Check Report for Exchange Server 2010 – Test-ExchangeServerHealth.ps1
  2. How to Health Check an Exchange 2010 Mailbox Server – Test-MailboxServer.ps1

Exchange 2010 – ActiveSyncOrganizationSetting

The feature called the Allow/Block/Quarantine list (or ABQ for short) was designed to help control of the growing number of Exchange ActiveSync-enabled devices are allowed to connect to Exchange Servers. With this feature, organizations can choose which devices (or families of devices) can connect using Exchange ActiveSync (and conversely, which are blocked or quarantined): Set-ActiveSyncOrganizationSetting

Controlling Exchange ActiveSync device access using the Allow/Block/Quarantine list

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients facility@gmail.com -UserMailInsert "Facility Service"


Environment could have enabled Default Access Level as Quarantine. It prevents to access of all devices through the Exchange ActiveSync service before explicitly approved by the administrator.

The Device ID needs to be associated to CAS mailbox, it is the real condition for syncing. It could be achieved through Exchange Management Shell and cmdlet Set-CASmailbox.

How to allow two device IDs for a user? 

Set-CASMailbox –Identity atest -ActiveSyncAllowedDeviceIDs ("Appl8801647U3NP","IMEI351996046976019")

Set-CASMailbox –Identity atest -ActiveSyncAllowedDeviceIDs @{Add="Appl8801647U3NP","IMEI351996046976019"}

How to allow  another device IDs and also remove old one? 

Set-CASMailbox –Identity atest -ActiveSyncAllowedDeviceIDs @{Remove="Appl8801647U3NP",Add="IMEI35134667777809"}

Remove devices which last successfull sync date older than 60 days: Remove-ActiveSyncDevices.ps1

Script for granting already synced device as allowed. 

When we have configured the default access level as quarantine, it means that we created new restriction and all ActiveSync users will not be able to sync their device till we allow them. PowerShell script Lock-EAS-profiles will pass through already existing ActiveSync users and allow their devices.

Please use right-click and “Save as” for downloading ps1 file otherwise the link shows source code in the same window.

But be careful: HasActivesyncDevicePartnership doesn’t reflect actually having device partnership?