Mailbox folder permission granted for resource mailbox

29.11.2012

I noticed that it is not easy to grant (Add-MailboxFolderPermission) mailbox folder permission for a resource mailbox (e.g. room, shared, equipment).

Note: The Identity parameter specifies the recipient and folder that you want to change the permissions for. This parameter takes the following format: <SMTP Address or Alias of Recipient>:<Folder path>. The following is an example: john@contoso.com:\Calendar. In my case it is \Kalenteri because of the Finnish language. To determine the right value for the folder path, use for example Get-MailboxFolderStatistics "alias" | select FolderPath

[PS] C:\> Add-MailboxFolderPermission FORoom:\Kalenteri -AccessRights reviewer -User JohnK

The user "JohnK" was found in Active Directory but isn't valid to use for permissions. Try an SMTP address instead.
 + CategoryInfo : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], InvalidInternalUserIdException
 + FullyQualifiedErrorId : 158B211F,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission

[PS] C:\> Add-MailboxFolderPermission  FORoom:\Kalenteri -User "JohnK@contoso.com" -AccessRights reviewer

The user "JohnK@contoso.com" is either not valid SMTP address, or there is no matching information.
 + CategoryInfo : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], InvalidExternalUserIdException
 + FullyQualifiedErrorId : 331E5E8C,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission

But why? Let me know 😉

A resource mailbox converted to a user mailbox (Type:Regular) works properly. It does not matter whether the resource has a disabled AD account (typical for a resource mailbox) or not.

[PS] C:\> Get-Mailbox "JohnK" | Set-Mailbox -Type:Regular
[PS] C:\> Add-MailboxFolderPermission FORoom:\Kalenteri -User "JohnK@contoso.com" -AccessRights reviewer

RunspaceId : 696651a2-c64d-4d07-8bf2-a7bc32a4473f
FolderName : Kalanteri
User : JohnK
AccessRights : {Reviewer}
Identity : JohnK
IsValid : True

Message expire and must issue a STARTTLS

29.11.2012

I noticed a request from a user with an internet message header which contained the error:

ala.poo@contoso.com
#550 4.4.7 QUEUE.Expired; message expired ##

I sent a test message and checked the message queues on the EDGE server (Exchange 2010 SP2). The related queue showed the error:

451 4.4.0 Primary target IP address responded with: "451 5.7.3 Must issue a STARTTLS command first." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

I also checked the related send connector, and it used RequireTLS:$true.

CheckTLS.com gave me the answer: TLS is not an option on this server – TLS Adv failed

The destination's MX servers do not support TLS (STARTTLS extension), and all messages addressed there through the send connector that required TLS (encrypted transmission) did not pass.

Solution? Maybe omit forced TLS, but is it secure? 🙂
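The check that CheckTLS.com performed can be repeated from the Edge server itself. The following is an added example, not part of the original post: it reads the EHLO capability list of an SMTP host and reports whether STARTTLS is advertised, then lists the send connectors that enforce TLS so that any exception can be limited to the affected address space. The host name and EHLO name are placeholders.

```powershell
# Added example, not from the original post. Host names are placeholders.
function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # A multi-line SMTP reply uses "250-" on every line except the last ("250 ").
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

function Test-StartTlsAdvertised {
    param(
        [Parameter(Mandatory=$true)][string]$SmtpHost,
        [int]$Port = 25,
        [string]$EhloName = 'probe.example.net',   # placeholder EHLO identity
        [int]$TimeoutMs = 15000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.ReceiveTimeout = $TimeoutMs
        $client.SendTimeout = $TimeoutMs
        $client.Connect($SmtpHost, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader          # 220 greeting
        $writer.WriteLine("EHLO $EhloName")
        $ehlo = Read-SmtpReply $reader            # 250-... capability list
        $writer.WriteLine('QUIT')

        New-Object PSObject -Property @{
            Host     = $SmtpHost
            Banner   = $banner[0]
            StartTls = [bool]($ehlo | Where-Object { $_ -match '^250[ -]STARTTLS\s*$' })
        }
    }
    finally {
        $client.Close()
    }
}

# Probe the destination MX host (placeholder name) from the Edge server.
Test-StartTlsAdvertised -SmtpHost 'mx.destination.example' | Format-List

# List the send connectors that enforce TLS and the address spaces they cover,
# so any exception can be scoped to one domain instead of switched off globally.
Get-SendConnector | Where-Object { $_.RequireTLS } |
    Format-Table Name, AddressSpaces, RequireTLS -AutoSize
```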

How to easily track Public Folder replication messages in Exchange 2010

Dedicated PF server

A simple command can help us track PF replication messages if you have a dedicated PF server:

get-exchangeserver *pf* | get-messagetrackinglog

PF database as part of mailbox server hosting active database copies

If you don't have a dedicated PF server, you should track SMTP traffic with the following message subjects and the source server that contains the PF database:

Folder Content
Status
Backfill Request
Hierarchy Backfill Response
Folder Content Backfill Response
Hierarchy
Conflict message: <Message original subject>

For example:

get-transportserver HUBTRANSPORT | Get-MessageTrackingLog -MessageSubject "Folder Content" -resultsize 1

How to configure Calendar Repair Assistant in Exchange 2010/2013

What is Calendar Repair Assistant

 

Difference between Exchange 2010 and Exchange 2013

  • CRA in Exchange 2010 is not enabled by default
  • CRA in Exchange 2013 and Exchange 2010 SP3 has a new configurable parameter for the CRA repair mode (ValidateOnly, RepairAndValidate)
  • Lower record is default from Exchange 2013, Higher is default from Exchange 2010 SP3 (not yet available)

[Figure: CRA_Difference]

Configuration in Exchange 2010

  • Setting mailbox servers
Get-MailboxServer | Set-MailboxServer -CalendarRepairWorkCycle 7.00:00:00 -CalendarRepairWorkCycleCheckpoint 1.00:00:00 -CalendarRepairLogFileAgeLimit 30.00:00:00 -CalendarRepairLogPath "E:\Logs\CalendarRepairAssistant" -CalendarRepairLogDirectorySizeLimit unlimited -CalendarRepairLogSubjectLoggingEnabled $true -CalendarRepairLogEnabled $true -CalendarRepairIntervalEndWindow 60 -CalendarRepairSchedule Mon.20:00-Mon.23:59,Tue.20:00-Tue.23:59,Wed.20:00-Wed.23:59,Thu.20:00-Thu.23:59,Fri.20:00-Fri.23:59,Sat.20:00-Sat.23:59,Sun.20:00-Sun.23:59
  • Setting user mailboxes
Get-Mailbox -ResultSize unlimited -Filter {CalendarRepairDisabled -eq $True} | Set-Mailbox -CalendarRepairDisabled $false
  • Disabling CRA if needed
Get-MailboxServer | Set-MailboxServer -CalendarRepairWorkCycle $null -CalendarRepairWorkCycleCheckpoint $null -CalendarRepairSchedule $null

Configuration in Exchange 2013 RTM

  • Changing configuration

Configuration changes are made the same way as in Exchange 2010.

  • Setting CRA repair mode
Get-MailboxServer | Set-MailboxServer -CalendarRepairMode ValidateOnly
  • Setting user mailboxes
Get-Mailbox -ResultSize unlimited -Filter {CalendarRepairDisabled -eq $True} | Set-Mailbox -CalendarRepairDisabled $false

Important parameters

  • CalendarRepairWorkCycle 7.00:00:00 – Defines the time range within which all mailboxes must be checked
  • CalendarRepairWorkCycleCheckpoint 1.00:00:00 – Defines the time within which a mailbox will be repaired if an error is found
  • CalendarRepairLogEnabled $true – Enables / disables logging of CRA
  • CalendarRepairIntervalEndWindow 60 – How many days in the future calendars will be checked
  • CalendarRepairSchedule Mon.20:00-Mon.23:59 – schedules CRA

Log example

[Figure: CRA_Log_Example]

Exchange 2013 – Cmdlets Road map

The HTML road map I created can help you check all Exchange 2013 cmdlets on one page. The layout is the same as on TechNet:

  • Permissions Cmdlets
  • Security Cmdlets
  • Messaging Policy and Compliance Cmdlets
  • Anti-Spam and Anti-Malware Cmdlets
  • Mail Flow Cmdlets
  • Mailbox Cmdlets
  • Recipient Cmdlets
  • Email Address and Address Book Cmdlets
  • Move and Migration Cmdlets
  • Sharing and Collaboration Cmdlets
  • Federation and Hybrid Configuration Cmdlets
  • Client Access Cmdlets
  • Unified Messaging Cmdlets
  • High Availability Cmdlets
  • Server Health, Monitoring, and Performance Cmdlets
  • Active Directory Cmdlets
  • Cmdlet Extension Agent Cmdlets
  • Global Cmdlets

Download: Exchange 2013 Cmdlets Road Map

Please use right-click and “Save as” for downloading ps1 file otherwise the link shows source code in the same window.

Mailbox quotas change based on Custom Attribute

  • Exchange 2010 / 2013 can be designed so that multiple mailbox tiers are placed within one database. In that case there is no easy way to control mailbox limits in bigger companies. I wrote a script that helps manage limits based on a single value in Custom attribute 12.

How it works

  • Change custom attribute 12 for mailbox users to the value Tier1, Tier2 … Tier5
  • Plan to run the script on a daily basis via task manager
  • The script will change the limits to the correct values and check whether the limits are still OK for existing mailboxes
  • If limits have changed for some reason, the script will set the correct ones
  • For a non-existing or deviating value, for example “Tier 1”, the default tier will be set

What do you need to customize

  • Where to put report file (line 9)
  • Define tiers (Number for size, Unit for multiplier MB,GB etc)
  • You can specify unlimited value as well, unit value then is empty “”

Work left for service desk

  • Add tier info to CustomAttribute12 or leave it empty for default tier assignment
  • change CustomAttribute12 value once mailbox user requests change of mailbox limits

Script

# Author: zbynek.salon@salonovi.cz
# Version 3.0
# Purpose: 1/ Changing limits based on tier value inside CustomAttribute12
#
#######################################################################################################################################################
# Date and report definitions
$dat = get-date | select day,month,year
$date = "$($dat.day)_$($dat.month)_$($dat.year)"
$file = "d:\report_$date.txt"
$report = "started at $($date) - Task 1/ Changing limits based on tier value inside CustomAttribute12"
$report | out-file "$($file)" -width 2000000 -Append
#######################################################################################################################################################
# Tier definition W-Warning, S-ProhibitSend, R-ProhibitSendReceive, WU-Warning Unit, SU-Send Unit, RU-Receive Unit, TI - TierInfo
$t = [PSCustomObject]@{
    T1 = [PSCustomObject]@{
        W="950"
        S="1024"
        R="1250"
        WU="MB"
        SU="MB"
        RU="MB"
        TI="Limit 1024MB"
    }
    T2 = [PSCustomObject]@{
        W="450"
        S="500"
        R="650"
        WU="MB"
        SU="MB"
        RU="MB"
        TI="Limit 500MB"
    }
    T3 = [PSCustomObject]@{
        W="130"
        S="150"
        R="200"
        WU="MB"
        SU="MB"
        RU="MB"
        TI="Limit 150MB"
    }
    T4 = [PSCustomObject]@{
        W="8192"
        S="10240"
        R="unlimited"
        WU="MB"
        SU="MB"
        RU=""
        TI="Business demand 8GB"
    }
    T5 = [PSCustomObject]@{
        W="2048"
        S="2548"
        R="3072"
        WU="MB"
        SU="MB"
        RU="MB"
        TI="Temporarily increased - for cleanup 2,5GB"
    }
}
#######################################################################################################################################################
# Function
# Compares the three quotas of mailbox $mb with tier $ti, writes the result to report file $rep
# and resets the quotas when any of them deviates from the tier definition.
function Limit ($mb,$ti,$rep){
    $res=0
    # Warning quota
    if ($mb.issuewarningquota.isunlimited -eq $true)
    {
        if ("unlimited" -ne $ti.w){$res=1}
    }
    else{
        if ($mb.issuewarningquota.value.toMB() -ne $ti.w){$res=1}
    }
    # Prohibit send quota
    if ($mb.prohibitsendquota.isunlimited -eq $true)
    {
        if ("unlimited" -ne $ti.s){$res=1}
    }
    else{
        if ($mb.prohibitsendquota.value.toMB() -ne $ti.s){$res=1}
    }
    # Prohibit send and receive quota
    if ($mb.prohibitsendreceivequota.isunlimited -eq $true)
    {
        if ("unlimited" -ne $ti.r){$res=1}
    }
    else{
        if ($mb.prohibitsendreceivequota.value.toMB() -ne $ti.r){$res=1}
    }
    if ($res -eq 1){
        # At least one quota deviates: log it and set all three limits from the tier
        Write-Host "$($ti.TI)"
        $report = "$($mb.alias);$($mb.ExchangeGuid);$($mb.customattribute12);$($mb.issuewarningquota);$($mb.prohibitsendquota);$($mb.prohibitsendreceivequota);Will be set to correct limits"
        $report | out-file "$($rep)" -width 2000000 -Append
        set-mailbox "$($mb.exchangeguid)" -usedatabasequotadefaults $false -Prohibitsendquota "$($ti.s)$($ti.SU)" -prohibitsendreceivequota "$($ti.r)$($ti.RU)" -issuewarningquota "$($ti.w)$($ti.WU)"
    }
    else{
        Write-Host "$($ti.TI)"
        $report = "$($mb.alias);$($mb.ExchangeGuid);$($mb.customattribute12);$($mb.issuewarningquota);$($mb.prohibitsendquota);$($mb.prohibitsendreceivequota);Mailbox OK"
        $report | out-file "$($rep)" -width 2000000 -Append
    }
}
########################################################################################################################################
# Main program
$a = $null
$a = @()
$a += get-mailbox -resultsize unlimited | select *quota*,customattribute12,alias,Exchangeguid
foreach ($line in $a){
    if ($line.exchangeguid -ne $null){
        $tier=$null
        switch ($line.customattribute12) {
            "Tier1"{
                $tier = $t.t1
                Limit $line $tier $file
            }
            "Tier2"{
                $tier = $t.t2
                Limit $line $tier $file
            }
            "Tier3"{
                $tier = $t.t3
                Limit $line $tier $file
            }
            "Tier4"{
                $tier = $t.t4
                Limit $line $tier $file
            }
            "Tier5"{
                $tier = $t.t5
                Limit $line $tier $file
            }
            # Empty attribute: default tier
            "$null"{
                $tier = $t.t3
                Limit $line $tier $file
            }
            # Unknown or deviating value: default tier
            default{
                $tier = $t.t3
                Limit $line $tier $file
            }
        }
    }
}

Exchange 2013 – Unattended installation for prerequisites

I would like to show you how to install Exchange 2013 prerequisites in unattended mode under the Windows Server 2012 operating system.

It is not a problem to install the required Windows features with one cmdlet, as can be seen here.

But what about other prerequisites such as:

  • Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit that contains:
    • Microsoft Visual C++ 2012 x64 Minimum Runtime – 11.0.50727
    • Microsoft Server Speech Platform Runtime (x64)
    • Microsoft Speech Platform VXML Runtime (x64)
    • Microsoft Server Speech Recognition Language – TELE (en-US)
    • Microsoft Server Speech Text to Speech Voice (en-US, Helen)
    • Microsoft Lync Server 2013, Bootstrapper Prerequisites Installer Package
    • Microsoft Unified Communications Managed API 4.0, Runtime
  • Microsoft Office 2010 Filter Pack 64 bit
  • Microsoft Office 2010 Filter Pack SP1 64 bit

It is also simple: just call the installation packages with the parameters /passive /norestart:

.\UcmaRuntimeSetup.exe /passive /norestart

.\FilterPack64bit.exe /passive /norestart

.\filterpack2010sp1-kb2460041-x64-fullfile-en-us.exe /passive /norestart

Help for an installation package can be displayed with:

.\FilterPack64bit.exe /help

We are also able to extract the installation package for Exchange 2013 in a similar way:

$targetfolder="C:\Temp"
.\Exchange-x64.exe /extract:$targetfolder\Exchange2013-x64 /u
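Because unattended installs run without anyone looking at a prompt, it is worth verifying each downloaded package before it is executed. The following is an added example, not part of the original post: it checks the Authenticode signature of the three prerequisite packages named above, runs each with /passive /norestart, and stops at the first failure. The expected signer pattern and the treatment of exit code 3010 as "reboot required" are assumptions.

```powershell
# Added example, not from the original post. File names are the ones used above;
# the publisher pattern and the exit-code handling are assumptions.
$packages = @(
    '.\UcmaRuntimeSetup.exe',
    '.\FilterPack64bit.exe',
    '.\filterpack2010sp1-kb2460041-x64-fullfile-en-us.exe'
)
$expectedPublisher = '*O=Microsoft Corporation*'   # assumed signer organisation

function Install-SignedPackage {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$Arguments = '/passive /norestart',
        [string]$PublisherPattern = $expectedPublisher
    )
    $file = Resolve-Path -Path $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $file.ProviderPath
    # Reject unsigned files and files whose content no longer matches the signature.
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to run ${Path}: signature status is $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notlike $PublisherPattern) {
        throw "Refusing to run ${Path}: unexpected signer $($sig.SignerCertificate.Subject)"
    }
    $proc = Start-Process -FilePath $file.ProviderPath -ArgumentList $Arguments -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { $result = 'Installed' }
        3010    { $result = 'Installed, reboot required' }
        default { throw "${Path} failed with exit code $($proc.ExitCode)" }
    }
    New-Object PSObject -Property @{
        Package  = $Path
        Signer   = $sig.SignerCertificate.Subject
        ExitCode = $proc.ExitCode
        Result   = $result
    }
}

# Stop at the first package that is unsigned, modified, or fails to install.
$ErrorActionPreference = 'Stop'
$packages | ForEach-Object { Install-SignedPackage -Path $_ } |
    Format-Table Package, ExitCode, Result -AutoSize
```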

Reconnected mailbox is still in disabled MailboxState

I noticed this issue when I reconnected a disabled mailbox to a different user account. Also after Clean-MailboxDatabase (Connecting the Disconnected in Exchange 2010) the mailbox had the disabled MailboxState (the status can be checked via Get-MailboxStatistics).

The Exchange server could not deliver/route messages to the mailbox and also indicated a problem in the application log.

Related errors:

  • An ambiguous mailbox GUID b6a7be4d-c4dd-4797-a1f3-9b75b11ea26b was found on 0x2 mailboxes in the Active Directory. The store cannot map this Mailbox GUID to a unique user.
  • Process Microsoft.Exchange.InfoWorker.Common.Delayed`1[System.String]: MailTips query failed for mailbox.
  • Microsoft OutlookDelivery has failed to these recipients or groups: “user” There’s a problem with the recipient’s mailbox. Please try resending the message. If the problem continues, please contact your helpdesk.
  • #554 5.2.0 STOREDRV.Deliver.Exception:StoragePermanentException.MapiExceptionAmbiguousAlias; Failed to process message due to a permanent exception with message Cannot open mailbox
  • #554-5.2.1 mailbox disabled 554 5.2.1 STOREDRV.Deliver.Exception:AccountDisabledException.MapiExceptionMailboxDisabled; Failed to process message due to a permanent exception with message Cannot open mailbox
  • Cannot get the security descriptor of mailbox ‘b3a7be4d-c4ad-4797-a1f3-9b83b11ea26b’ in Exchange mailbox database ‘158d5a5c-c376-43c5-b137-1f0caab770f1’.
  • MapiExceptionAmbiguousAlias: Unable to get mailbox SecurityDescriptor. (hr=0x80004005, ec=2202)

I was not able to reconnect the mailbox to any other accounts, because the mailbox was always in the same “corrupted” state. I did and checked many things; some of them are here:

Unfortunately I did not find the root cause, but it seemed to be AD related issue caused by renaming of user’s attributes by windows team recently.

Solution:
Disconnected mailbox has been connected to the original account and its data has been exported to the different mailbox. The mailbox has been disconnected again and removed from mailbox store.

 

Whitespace not increasing when moving mailboxes to other database

Let’s try to look at this topic: White-space not increasing when moving mailboxes to other database and also more.

What is reason for it?
When a mailbox is moved to another database, it is only soft-deleted (-MailboxState SoftDeleted). This means that it is kept in the original database until the time you have set for the database to keep deleted mailboxes (default 30 days) has passed.

Is it related also for disconnected/disabled mailboxes?
Yes, it is. Disconnected mailboxes are also still in database for retention period (-MailboxState Disabled).

How to check white-space and database size for mailbox databases?

Get-MailboxDatabase -Status| ft name,AvailableNewMailboxSpace,DatabaseSize -a

Get-ExchangeDatabaseInfo

How to find softdeleted and disabled mailboxes for particular database?

Get-MailboxStatistics -Database MBD01 | Where { $_.DisconnectReason -eq "SoftDeleted" -or $_.DisconnectReason -eq "Disabled" } | Format-List LegacyDN, DisplayName, MailboxGUID, DisconnectReason

How to purge softdeleted mailboxes and consequently increase white-space (AvailableNewMailboxSpace)?

Remove-StoreMailbox -Database MBD01 -Identity Ayla -MailboxState SoftDeleted

This example permanently purges all soft-deleted mailboxes from mailbox database MBD01.

Get-MailboxStatistics -Database MBD01 | where {$_.DisconnectReason -eq "SoftDeleted"} | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState SoftDeleted}

Remove-StoreMailbox
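A purge with Remove-StoreMailbox cannot be undone, so it helps to review the candidates first. The following is an added example, not part of the original post: it lists the soft-deleted mailboxes of database MBD01 that have been disconnected for longer than a minimum age, saves that list, and runs the purge with -WhatIf as a dry run. The 7-day minimum age and the report file name are assumptions.

```powershell
# Added example, not from the original post. MBD01 is the database name used above;
# the minimum age and the report file name are assumed values.
$database   = 'MBD01'
$minAgeDays = 7
$cutoff     = (Get-Date).AddDays(-$minAgeDays)

# Soft-deleted mailboxes that have been disconnected for longer than the minimum age.
$candidates = Get-MailboxStatistics -Database $database |
    Where-Object { $_.DisconnectReason -eq 'SoftDeleted' -and $_.DisconnectDate -lt $cutoff }

# Keep a record of what is about to be purged and show it for review.
$candidates | Select-Object DisplayName, MailboxGuid, DisconnectDate, TotalItemSize |
    Export-Csv -Path ".\purge_candidates_$database.csv" -NoTypeInformation
$candidates | Sort-Object DisconnectDate |
    Format-Table DisplayName, MailboxGuid, DisconnectDate, TotalItemSize -AutoSize

# Dry run: -WhatIf only reports what would be removed.
# Remove -WhatIf once the list above has been reviewed.
$candidates | ForEach-Object {
    Remove-StoreMailbox -Database $_.Database -Identity $_.MailboxGuid -MailboxState SoftDeleted -WhatIf
}
```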

Is it possible to remove “active” mailbox by Remove-StoreMailbox?
No, the cmdlet accepts only SoftDeleted or Disabled mailboxes.

Is there a delay before white-space increases after using Remove-StoreMailbox?
Yes, there is the delay, but basically only few seconds.

Is it possible restore softdeleted or disabled mailboxes?
Yes of course via New-MailboxRestoreRequest.
Softdeleted mailboxes can only be exported to an existing mailbox, but disabled mailboxes can be connected and also exported the same way as softdeleted ones.

New-MailboxRestoreRequest

Connect-Mailbox

How to Reconnect a Disconnected Mailbox in Exchange Server 2010

Meeting Requests in Delegate’s Outlook Calendars

From time to time I notice that an end user typically complains about an involuntary meeting request appearing in his mailbox. There could be many reasons for this issue. Here is one thing that should be known if you troubleshoot a similar issue. The thing is delegate access.

Who is the delegate?
Similar to having an assistant help you manage your incoming paper mail, you can use Microsoft Outlook to allow another person, known as a delegate, to receive and respond to meeting requests or responses and to send e-mail messages on your behalf. You can also grant additional permissions that allow your delegate to read, create, or have full control over items in your Exchange mailbox.

Turn on Delegate Access?
It can be allowed via Outlook; look at this post.

How is involuntary meeting request related to delegate access?
If a delegate needs permission to work with meeting requests and responses only, the default permission settings, including “Delegate receives copies of meeting-related messages sent to me“.

How to check delegate access for particular mailbox via Exchange Management Shell?

Get-Mailbox -anr "user name" | Get-CalendarProcessing | select ResourceDelegates

How to remove all delegates from particular mailbox?

Get-Mailbox -identity "alias" | Set-CalendarProcessing -ResourceDelegates $null