Exchange Online Provisioning through MIM

In a complex environment, being in an Exchange hybrid configuration for an extended period of time seems largely unavoidable.

In our Exchange Hybrid configuration, even with 99% of all mailboxes moved to Exchange Online, we’re still very reliant on our on-prem processes and automation, and therefore MIM provisioning.

I spent a while working this out, eventually getting the MIM sync engine ADMA Exchange provisioning extensions to handle all provisioning in Exchange Online.  We provision person, shared, equipment and room mailboxes using this method, with and without archives.

Essentially the ADMA Export will run ‘update-recipient’ and create a MailUser of type RemoteMailbox, Subsequent ADConnect synchronisation will flow msExchRemoteRecipientType, triggering Exchange Online to provision mailboxes and archives accordingly.  For us, this was tied in with group-based licensing to ensure that licenses are allocated in a timely manner.

Based on attribute flow, the result will be MIM either provisioning an on-prem mailbox, or a MailUser remote mailbox object.

• MailUser – Flow mailNickname and targetAddress. Target Address is constructed to be accountName@tenant.mail.onmicrosoft.com
• Remote Mailbox – MailUser + msExchRemoteRecipientType, msExchRecipientTypeDetails and msExchRecipientDisplayType will trigger mailbox creation (and archive for people) in Exchange Online, and ensure recipient type details of a remote mailbox with the correct sub-type (eg room, shared).
• On-prem Mailbox only - mailNickname, msExchHomeServerName and homeMDB

Based on an attribute determining where the mailbox should be created, we use a bunch of ugly nested IIF statements in a custom expression in our outbound initial-flow only rules, such as:

Attribute	Expression
mailNickname	accountName
targetAddress	IIF(Eq(MailboxLocation,"Office365"),accountName+"@tenant.mail.onmicrosoft.com",Null())
msExchRecipientDisplayType	IIF(Eq(MailboxLocation,"Office365"),IIF(Eq(accountType,"Person"),-2147483642,IIF(Eq(accountType,"Shared"),-2147483642,IIF(Eq(accountType,"Room"),-2147481850,IIF(Eq(accountType,"Equipment"),-2147481594,-2147483642)))),Null())
msExchRecipientTypeDetails	IIF(Eq(MailboxLocation,"Office365"),IIF(Eq(accountType,"Person"),2147483648,IIF(Eq(accountType,"Shared"),34359738368,IIF(Eq(accountType,"Room"),8589934592,IIF(Eq(accountType,"Equipment"),17179869184,2147483648)))),Null())
msExchRemoteRecipientType	IIF(Eq(MailboxLocation,"Office365"),IIF(Eq(accountType,"Person"),3,IIF(Eq(accountType,"Shared"),97,IIF(Eq(accountType,"Room"),33,IIF(Eq(accountType,"Equipment"),65,1)))),Null())

This equates to:

Account Type	msExchRemoteRecipientType	msExchRecipientTypeDetails	msExchRecipientDisplayType
Shared	1 (provision mailbox)	34359738368	-2147483642
Room	33 (provision mailbox, room)	8589934592	-2147481850
Equipment	65 (provision  mailbox, equipment)	17179869184	-2147481594
Person	3 (provision mailbox + archive)	2147483648	-2147483642

Most of the attribute values were taken from here:

Recipient Type Values

https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_exchon-mso_o365b/recipient-type-values/7c2620e5-9870-48ba-b5c2-7772c739c651

Read more!

Exchange PowerShell Commands #2

Well it's 2020, and instead of flying around in a hovercar I'm *still* doing IT. Trying to get back in the swing of things – and following on from the last post seven year ago (!?), here's an additional 64 Exchange commands circa Exchange 2013/2016.

Each command can be copied and pasted into a PowerShell command line running with an Exchange PSSession, although at the time I made notes on a couple of them about running locally on the server due to cmdlet or type casting limitations.

Remove an existing Exchange 2010 move request (to allow subsequent moves)
Remove-MoveRequest -id user01

Initiate an Exchange 2010 intra-org move request
new-moverequest -id user01 -TargetDatabase db02

Output semi-colon delimited list of email addresses for a mailbox
[string]::Join(';',$mailbox.emailaddresses)

Convert a mailbox to a standard user mailbox
get-mailbox user01 | set-mailbox -type regular -whatif

Modify permissions to allow modifying apply policy attributes of user objects
Add-ADPermission -Identity "OU=Resources,DC=domain,DC=local" -InheritanceType Descendents -InheritedObjectType user -AccessRights ReadProperty, WriteProperty -Properties msExchPoliciesIncluded, msExchPoliciesExcluded -User "domain\group1" -domaincontroller dc01

Disable an Exchange 2007 mailbox - leaving the user account in AD
Disable-Mailbox -id user01

Reapply the mandantory properties on a mailbox (changing from linked to normal)
set-mailbox -id $account -applymandatoryproperties  #Clearing AEA and master account SID resets the isLinked property of the mailbox, but RecipientTypeDetails / RecipientDisplayType is not automatically updated.  Re-applying mandatory properties corrects this issue and sets the mailbox back to being a user mailbox instead of a linked mailbox

Find Exchange 2010 DAG status
Get-DatabaseAvailabilityGroup -status | fl *

Find Exchange 2010 DAG replication status
$servers = Get-MailboxServer; foreach ($server in $servers) { Get-MailboxDatabaseCopyStatus -server $server.name}

Find the mailbox activation preference for an Exchange 2010 mailbox database
(Get-MailboxDatabase -id MBXDB1).ActivationPreference

Report the last 1000 commands executed
Get-history -count 1000

Reseed the content index catalog for the database copy
Update-MailboxDatabaseCopy "DB\SERVER" -CatalogOnly

Get the mailbox database copy status
Get-MailboxServer | Get-MailboxDatabaseCopyStatus -ExtendedErrorInfo | sort-object ContentIndexState | fl Name,ContentIndexState,ContentIndexErrorMessage

Convert a user mailbox to a linked mailbox without disabling
Set-User -id user01 -LinkedMasterAccount domainb\user01 -LinkedDomainController dc01.domainb.com -LinkedCredential $domainbcred # may need get-mailbox -id user01 | set-mailbox -type regular; get-mailbox -id user01 | set-mailbox -ApplyMandatoryProperties

Find the current owner of Exchange 2010 mailbox databases
dsquery * "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Dept,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local" -filter (objectclass=msExchMDB) -attr Name msExchOwningServer -s dc2

Mount an Exchange 2010  public folder database
Get-PublicFolderDatabase -id 'Public Folder Database 1' | mount-database

Find an Exchange 2010 Primary Active Manager for the specified DAG
Get-DatabaseAvailabilityGroup -Status | fl PrimaryActiveManager

Configure the Exchange 2010 postamaster address
Get-TransportConfig | fl -ExternalPostmasterAddress; Set-TransportConfig -ExternalPostmasterAddress postmaster@domain.com

Enumerate outlook profiles to find connected mailboxes and calendars
EnumOutlookProfiles.ps1

Find if an Exchange 2010 mailbox is enabled for ActiveSync
get-casmailbox -id user1

Set Exchange 2010 calendar processing to anyone can book and autoaccept
Set-CalendarProcessing -Identity room01 -AutomateProcessing AutoAccept -AllBookInPolicy $true

Get Exchange 2010 mailbox calendar configuration
Get-MailboxCalendarConfiguration -id room01 | fl *

Force an update of the offline address book
Update-OfflineAddressBook -id 'Default Offline Address List'

Exchange query for Global Security groups
get-group -filter "GroupType -eq $([Microsoft.Exchange.Data.Directory.Recipient.GroupTypeFlags]::SecurityEnabled.value__ + [Microsoft.Exchange.Data.Directory.Recipient.GroupTypeFlags]::Global.value__)"; #get-group -filter {GroupType -eq '-2147483646'}

Exchange query for Domain Local Security groups
get-group -filter "GroupType -eq $([Microsoft.Exchange.Data.Directory.Recipient.GroupTypeFlags]::SecurityEnabled.value__ + [Microsoft.Exchange.Data.Directory.Recipient.GroupTypeFlags]::DomainLocal.value__)"; #get-group -filter {GroupType -eq '-2147483644'}

Exchange query for Universal Security groups
get-group -filter "GroupType -eq $([Microsoft.Exchange.Data.Directory.Recipient.GroupTypeFlags]::SecurityEnabled.value__ + [Microsoft.Exchange.Data.Directory.Recipient.GroupTypeFlags]::Universal.value__)"; #get-group -filter {GroupType -eq '-2147483640'}

Set Out Of Office on a mailbox
Set-MailboxAutoReplyConfiguration 'user1' -AutoReplyState enabled -ExternalAudience all -InternalMessage "Internal not Here" -ExternalMessage "External not here"

Get a role group from the root of the forest
Get-RoleGroup -id Exchange-Lvl1Support -DomainController dc1.forest.root

Get a role group and the roles and role assignments
$rg = Get-RoleGroup -id Exchange-Lvl1Support -DomainController dc1.forest.root; $rg.roles; $rg.roleassignments

Get a management scope to show the recipient root and filter
Get-ManagementScope -id MS-Exchange_Distribution-Groups | fl *

Get the management role assignments for the specified assignee
Get-ManagementRoleAssignment | where {$_.RoleAssigneeName -like '*Exchange-Lvl1Support*'} | ft -wrap -auto

Get the management role assignment to confirm the CustomRecipientWriteScope
Get-ManagementRoleAssignment -id Distribution-GroupCreation | fl *

Expand the e-mail addresses of a mailbox to one per line
get-mailbox -id user1 | select -expand emailaddresses

Find Distribution List expansion
$expandDL = foreach ($server in Get-TransportServer) {Get-MessageTrackingLog -EventID EXPAND -resultsize unlimited -server $server | select "Timestamp","ServerHostname","EventId",{$_.RelatedRecipientAddress},{$_.Sender},"MessageSubject"}

Convert a mailbox from linked to resource
$ADsPath = "LDAP://CN=user1,OU=Shared Mailboxes,DC=domain,DC=local"; $user = [ADSI]$ADsPath ; $user.putex(1,"msExchMasterAccountSid",$null); $user.setinfo(); get-mailbox -id user1 | set-mailbox -ApplyMandatoryProperties; get-mailbox -id user1 | set-mailbox -type shared

Find mailboxes on a specific version of exchange (2010)
$mailboxes = get-mailbox -filter {ExchangeVersion -eq 44220983382016} -resultsize unlimited

Find the Exchange 2010 SP1+ Address Book RPC port
reg query \\cas1\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\ParametersSystem /v RpcTcpPort

Find the Exchange 2010 RPC port
reg query \\cas1\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem /v "TCP/IP Port"

Mail-enable an existing AD contact
Enable-MailContact -id "CN=User 01,OU=Contacts,DC=domain,DC=local" -ExternalEmailAddress user@somewhere.com

Modify the MRS mailbox replication for move requests
notepad "\\cas1\c$\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxReplication.exe.config" (MaxActiveMoves* and MaxTotalMovesPerMRS)

Find Exchange 2010 recoverable deleted items
Get-MailboxFolderStatistics -Identity "user@domain.com" -FolderScope RecoverableItems | ft -wrap -auto

Export mailbox to PST in EX2010 (requires Exchange Trusted Subsystem ACLs)
New-MailboxExportRequest -Mailbox user@domaincom -FilePath \\cas1\d$\martinwa.pst

Check the move history of a mailbox
get-mailboxstatistics -id "CN=user1,DC=domain,DC=local" -includemovehist | fl Identity,MoveHistory

Check Exchange 2010 logon statistics to see who is logging on to a mailbox
get-mailbox -id user1 | get-logonstatistics | ft UserName,ServerName,LogonTime,LastAccessTime,Windows2000Account -wrap -auto

Set mailbox delivery restrictions to only allow accepting messages from (ndr)
Set-Mailbox -Identity user1 -AcceptMessagesOnlyFrom @{add="user2"} -whatif

Use Exchange 2010 cmdlets to change the CN/DisplayName of a security group
get-adgroup -id oldsamid | set-adgroup -SamAccountName newsamid -whatif

Find safe and blocked senders configured through Outlook for each mailbox
$mailboxes | Get-MailboxJunkEmailConfiguration | export-csv -path c:\temp\JunkEmailConfiguration_20140625.csv

Delete all the items from an Exchange 2010 mailbox
Search-Mailbox -id user@domain.com -DeleteContent -confirm:$false -force

restore specific folders from a disconnect mailbox data to a recovery mailbox
New-MailboxRestoreRequest -BatchName Recovery -Name Test.User -SourceDatabase 'MBXDB5' -SourceStoreMailbox "2e94ffc9-9dad-42b1-92ec-5767d11051e4" -excludedumpster -includeFolders "Contacts/Misc", "Contacts/MISC/SHOPPING", "Contacts/MISC/Work Related" -TargetMailbox "recovery1" -AllowLegacyDNMismatch -whatif

Find Exchange 2010 RBAC management role entries for the specified role
Get-ManagementRole  -id RecipientCreationUserMailboxes | select -expand roleentries;  $entries = (Get-ManagementRole  -id RecipientCreationMailUser).RoleEntries; $entries | %{$_.split()[1]}

Find Exchange 2010 RBAC management scope OU and filter for the specified scope
Get-ManagementScope -id Managed-Users_UserMailboxes  | fl Identity,RecipientFilter,RecipientRoot

Search Exchange 2010 Admin Audit log for changes made by Exchange
Search-AdminAuditLog | ft -wrap -auto

export Exchange 2010 Admin Audit Log for new-mailbox requests and callers
$newUsers = Search-AdminAuditLog -cmdlets New-Mailbox,New-MailUser; $newUsers | select RunDate,ObjectModified,CmdletName,Caller,OriginatingServer | export-csv -path c:\temp\ExchangeUsers_20141020.csv -encoding ascii

Get Exchange mail queues on the specified server
get-queue -Server mail02

Get Exchange mail queue information
get-queue -Identity MAIL02\281950 | fl DeliveryType,NextHopDomain,Status,MessageCount,LastError

Find disconnected mailboxes (run on console of exchange server, not session)
get-mailboxdatabase | Get-MailboxStatistics | where {$_.displayName -eq 'User 01' -and $_.DisconnectDate -ne $null}

Report AD permissions through Exchange cmdlets
Get-ADPermission -id "OU=Distribution Lists,OU=Resources,DC=domain,DC=local" |ft Identity,User,InheritedObjectType,ExtendedRights,Properties,ChildObjectTypes,AccessRights -wrap -auto

Add an address to an exchange 2010 object
Set-MailUser -id "user1" -EmailAddresses (((Get-MailUser -id "user1").EmailAddresses)+="smtp:usernew@domain.com") -whatif

Remove an address from an exchange 2010 object
$recipient = "user1"; $remove = "smtp:usernew@domain.com"; Set-MailUser -id $recipient -EmailAddresses ((Get-MailUser -id $recipient).EmailAddresses | where {$_ -ne $remove}) -whatif

Remove an address from an exchange 2010 object with AD cmdlets
$recipient = "user1"; $remove = "smtp:usernew@domain.com"; Set-ADUser -id $recipient -replace @{proxyAddresses=([system.object[]](Get-ADUser -id $recipient -prop proxyAddresses | Update-List -Property proxyAddresses -Remove $remove).proxyaddresses)} -whatif

Find Outlook Auto Mapping attributes for links/backlinks
get-adobject -LDAPFilter "(&(objectclass=user)(objectcategory=person)(|(msexchdelegatelistbl=*)(msexchdelegatelistlink=*)))" -prop displayname,msexchdelegatelistbl,msexchdelegatelistlink | select displayname,msexchdelegatelistbl,msexchdelegatelistlink | ft -wrap -auto

Exchange cmdlet to query the UPN suffix list
Get-UserPrincipalNamesSuffix

Find people that have upgrated to iOS 7.0 on EAS connected devices
get-adobject -ldapfilter "(&(objectClass=msExchActiveSyncDevice)(objectCategory=msExchActiveSyncDevice)(msExchDeviceOS=ios*7.0*))" -prop msExchDeviceOS,canonicalName -server dc1

Apply a throttling policy association to a standard user or MEU
Set-ThrottlingPolicyAssociation -Identity svc_mw -ThrottlingPolicy Office365MigrationWiz

Wayne's World of IT (WWoIT). 

Read more!

Exchange PowerShell Commands

It's been a long time between drinks...

However, I have still been quietly squirreling away useful command lines, with the following 166 commands used for Exchange 2007/2010 information gathering, automating configuration management, troubleshooting and many bits in between.

Each command can be copied and pasted into a PowerShell command line running the Exchange snap-in loaded with the default prefix, although you may need to adjust input such as distinguished names, server names, mailbox names etc.

Let me know if you find them useful.

Get mailboxes that have a space in the displayName
get-mailbox -filter "(displayname -like '* *')" | ft identity,database -wrap -auto

Find Exchange transport rules
Get-TransportRule | ft Name,Priority,{$_.Conditions | select Name,{$_.Words}},{$_.Actions | select Name,Rank,SclValue},Comments -wrap -auto 

Find Exchange 2007 mailbox servers in the local organisation
get-mailboxserver

Get mailbox statistics for mailbox servers with the specified name
get-mailboxserver | where {$_.Name -like 'server*'} | Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | select-object -prop DisplayName,LastLogonTime,StorageLimitStatus,TotalItemSize,TotalDeletedItemSize,@{N="Size (MB)";E={$_.TotalItemSize.Value.ToMB()}},@{N="Deleted Item Size (MB)";E={$_.TotalDeletedItemSize.Value.ToMB()}},ItemCount,ServerName,StorageGroupName,DatabaseName.LegacyDN | export-csv -path c:\temp\MailboxStatistics.csv

Get mailbox database size limit/quota settings on malibox stores
get-mailboxdatabase | select-object -prop Name,ServerName,StorageGroup,ProhibitSendReceiveQuota,ProhibitSendQuota,IssueWarningQuota | ft -wrap -autosize

Find the number of mail-enabled contacts in the organisation
get-mailcontact -ResultSize 'unlimited' | measure

Export the IP addressed allowed to relay through the specified connector
$rc = Get-ReceiveConnector -id 'server01\connector01'; $rc.RemoteIPRanges | export-csv -path c:\temp\rc1.csv

Exchange 2007 global transport size limits
get-transportconfig | ft -prop MaxReceiveSize,MaxSendSize -wrap -autosize   

Exchange 2007 transport server sizelimits
get-transportserver | ft -prop Name,OriginatingServer,InternalDsnMaxMessageAttachSize,ExternalDsnMaxMessageAttachSize -wrap -autosize

Exchange 2007 send connector size limits
get-sendconnector | ft -prop Identity,AddressSpaces,MaxMessageSize -wrap -autosize

Exchange 2007 receive connector size limits
get-receiveconnector | ft -prop Identity,AddressSpaces,MaxMessageSize -wrap -autosize

Exchange 2007 mailbox limits other than unlimited
get-mailbox |where {$_.MaxSendSize -ne 'unlimited' -or $_.MaxReceiveSize -ne 'unlimited'} | ft -prop Identity,MaxSendSize,MaxReceiveSize -wrap -autosize

Get the storage group copy status (CCR/LCR/SCR) for mailbox stores 
get-mailboxserver | where {$_.Name -like 'server*'} | Get-StorageGroupCopyStatus  | ft -wrap -autosize

Get storage groups and their SCR stand-by machine
Get-StorageGroup  | ft -prop Name,Server,StandbyMachines -wrap -autosize

Get the storage group copy status (SCR) for the first target on all SGs
Get-StorageGroup | %{Get-StorageGroupCopyStatus -id $_.Identity -StandbyMachine $_.StandbyMachines[0].NodeName} | sort -prop LastReplayedLogTime | select -prop Identity,SummaryCopyStatus,ServiceDown,CopyQueueLength,ReplayQueueLength,LatestAvailableLogTime,LastCopyNotificationedLogTime,LastCopiedLogTime,LastInspectedLogTime,LastReplayedLogTime,LatestFullBackupTime | export-csv -path c:\temp\SCR_Status.csv

Get the storage group copy status (SCR) for the specified server/target
Get-StorageGroupCopyStatus -Server server01 -standbymachine server01 | ft -wrap -autosize

Find the backup status and whether VSS was used for the backup
Get-StorageGroup | %{Get-StorageGroupCopyStatus -id $_.Identity -StandbyMachine $_.StandbyMachines[0].NodeName} | sort -prop LatestFullBackupTime | select -prop Identity,SummaryCopyStatus,ServiceDown,LatestFullBackupTime,SnapshotBackup  | export-csv -path c:\temp\MailboxBackup_Status.csv

Change an Exchange 2007 mailbox type to equipment (or room)
Set-Mailbox MailboxName -Type Equipment

Add full access mailbox permissoins for an Exchange 2007 mailbox
Add-MailboxPermission -Id MailboxName -User:'DOMAIN\group' -AccessRights:FullAccess

Add send as rights to the AD security of a mail-enabled user
Add-ADPermission -Id MailboxName -User:'DOMAIN\group' -ExtendedRights:Send-As

Find mailboxes that are not standard user mailboxes (Room, Equipment)
get-mailbox | where {$_.RecipientTypeDetails -ne 'UserMailbox'} | fl -prop Name,RecipientTypeDetails

Remove mailbox permissions for the specified user
Remove-MailboxPermission MailboxUser -User DOMAIN\User -AccessRight FullAccess    

Find exchange mailbox statistics including per-user mailbox and DB limits 
. C:\data\scripts\PowerShell\Exchange\FindMailboxSizes.ps1 | out-file -file c:\temp\MailboxStats.txt -encoding ascii

Find the AutomateProcessing setting for a resource mailbox
Get-MailboxCalendarSettings  -id mailboxID

Modify a resource mailbox to automatically accept in-policy requests
Set-MailboxCalendarSettings -id mailboxID -AllBookInPolicy:$true 

Find the mailbox type of one or more mailboxes
get-mailbox -id mailboxes* | fl -prop IsResource,RecipientType,RecipientTypeDetails,ResourceType

Find the debug event logging levels set on an Exchange 2007 server
Get-EventLoglevel -server ExchangeServer01

Set the equipment mailbox to auto-accept and allow anyone to automatically book
Set-MailboxCalendarSettings -Identity "mailbox01" -AutomateProcessing AutoAccept -AllBookInPolicy $true

Turn on high logging for the booking attendant
Set-EventLogLevel "server01\MSExchangeMailboxAssistants\Resource Booking Attendant" -Level High

Find all resource mailboxes of type equipment
get-mailbox |where {$_.resourcetype -eq 'Equipment'}

Read Exchange 2007 event logs for the MSExchangeMailboxAssistants (resources)
get-eventlog -logname application -computer server01 -source msexchangemailboxassistants

Check Exchange Message Tracking Logs based on message ID
Get-MessageTrackingLog -MessageId 'FBE264977E286848971C4C15BDD7F5FE439245C5EF@mx.company.com.au' -Start "05/07/2011 00:00:00" -End "07/07/2011 06:00:00" -server server01

Check Exchange Message Tracking Logs based on mail subject
Get-MessageTrackingLog -MessageSubject "RE: Subject" -Start "06/07/2011 00:00:00" -End "07/07/2011 00:00:00" -server server01

Find Exchange server version, edition and roles
Get-ExchangeServer | sort | select-object -prop Name,Role,Edition,ServerRole,Site,ExchangeVersion,AdminDisplayVersion | export-csv -path c:\temp\ExchangeServers.csv

Find the mailbox sizes in Exchange 2007 looking at the filesystem
Get-MailboxDatabase | foreach-object {add-member -inputobject $_ -membertype noteproperty -name mailboxdbsizeinGB -value ([math]::Round(([int64](get-wmiobject cim_datafile -computername $_.server -filter ('name=''' + $_.edbfilepath.pathname.replace("\","\\") + '''')).filesize / 1GB),2)) -passthru} | Sort-Object mailboxdbsizeinGB -Descending | format-table identity,mailboxdbsizeinGB 

Update the allowed IP addresses for an Exchange 2007 receive connector
$connector = Get-ReceiveConnector -id 'server01\connector01'; $connector.RemoteIPRanges += "192.168.20.10-196.168.20.20"; Set-ReceiveConnector 'server01\connector01' -RemoteIPRanges $connector.RemoteIPRanges

Move a mailbox to a new database
Move-Mailbox -id user01 -targetdatabase 'server01\sg01\db01' 

View the original warning quota message
Get-SystemMessage -original | where {$_.Identity -like 'en\warn*'}

Add a new warning quota message
New-SystemMessage -QuotaMessageType WarningMailbox -Language EN -Text "Please reduce your mailbox size! Delete any items you don't need from your mailbox and empty your Deleted Items folder."

Hide a mailbox from the GAL
get-mailbox -id user01 | set-mailbox -HiddenFromAddressListsEnabled:$true

Remove SID History from a user
get-aduser -id 'user01' -prop sIDHistory | foreach {set-aduser $_ -remove @{sIDHistory=$_.sIDHistory.value}}

Remove SID history from one or more groups
Import-Module ActiveDirectory; $groups = get-content -path groups_sAMAccountName.txt; foreach ($group in $groups) {get-adgroup -id $group -prop sIDHistory | foreach {set-adgroup $_ -remove @{sIDHistory=$_.sIDHistory.value}}}

Remove multiple attributes from an AD account
$user = get-aduser -id 'user01' -prop HomeDrive,HomeDirectory,ProfilePath; set-aduser $user -HomeDrive $null -HomeDirectory $null -ProfilePath $null

Enumerate public folders
Get-PublicFolder -server server01 -Recurse | ft -wrap -autosize

Restore a deleted user account using AD recycle bin
$deletedaccount = get-adobject -filter 'samaccountname -eq "user01"' -IncludeDeletedObjects -properties *; $deletedaccount | restore-adobject

Reconnect a mailbox to an AD user account 
$user = Get-MailboxStatistics -server server01 | where {$_.displayName -eq 'User01, Test' -and $_.DisconnectDate -ne $null}; Connect-Mailbox -Identity $user.Identity -Database $user.database -User DOMAIN\user01

Group and list the mailboxes on each mailbox store 
get-mailboxdatabase -server server01 | get-mailbox | Group-Object -prop database | ft -wrap -autosize

Create new mail contacts from CSV input in Exchange 2007
$dataSet = Import-Csv -path contacts.csv; foreach ($contact in $dataset)  {  New-MailContact -ExternalEmailAddress $contact.targetaddress -Name $contact.cn -DisplayName $contact.displayName -FirstName $contact.givenName -LastName $contact.sn -OrganizationalUnit domain.local/Contacts -PrimarySmtpAddress $contact.mail}

Set the primary mail AD attribute of a newly created Exchange 2007 contact
$contacts = get-mailcontact -OrganizationalUnit 'domain.local/Contacts' | where {$_.Name -like 'test*'} ; foreach ($contact in $contacts) {  set-mailcontact -id $contact.identity -WindowsEmailAddress $contact.PrimarySmtpAddress;  $contact.HiddenFromAddressListsEnabled = $true; }

Create a new basic authenticated send connector in Exchange 2007
$pass = Read-Host "Password?" -assecurestring; $credential = new-object System.Management.Automation.PSCredential("domain\username",$pass); $cred = get-credential -Credential $credential; New-SendConnector -Name "send01" -AddressSpaces * -AuthenticationCredential $cred -SmartHostAuthMechanism BasicAuth -DNSRoutingEnabled:$false -SmartHosts smtp.local

Find users who have been delegated send on behalf of rights to a mailbox
$delegates = Get-Mailbox 'room01' | select-object GrantSendOnBehalfTo; $delegates.GrantSendOnBehalfTo.toarray()

Find NDR 5.1.4 duplicate mail addresses from Exchange application event logs 
get-eventlog -logname 'Application' -computer server01 -after "28/10/2011 8:00:00" | where {$_.eventID -eq 3029}

Replace the primary SMTP email address 
Get-Mailbox -id 'user01' | Set-mailbox -EmailAddressPolicyEnabled $false; Get-Mailbox -id 'user01' | Update-List -Property EmailAddresses -Add "SMTP:user01@domain.local" | Set-Mailbox; Get-Mailbox -id 'user01' | Set-mailbox -EmailAddressPolicyEnabled $true

Add a new secondary SMTP address 
Get-Mailbox -id 'user01' | Update-List -Property EmailAddresses -Add "smtp:user01@domain.local" | Set-Mailbox

Check Exchange 2007 queues
Get-Queue -server server01 | ft -wrap -autosize

Find the public delegates for a mailbox and then reset to a new list
Get-Mailbox -id user01 | select -expand GrantSendOnBehalfTo; Get-Mailbox -id user01 | Set-Mailbox -grantSendOnBehalfto User02,User03,User04

Export Exchange client connection statistics (online/cached mode, client ver) 
$dateshort = [DateTime]::Now.ToString("yyyyMMddhhmmss"); get-mailboxserver | get-logonstatistics | select * | export-csv -path ("c:\temp\ExchangeLogonStats_" + $dateshort  + ".csv"); write-host ("c:\temp\ExchangeLogonStats_" + $dateshort  + ".csv")

Get a mailbox from the domain sAMAccountName 
get-mailbox -id 'domain\username' | fl *

Change the sAMAccountName of a mailbox-enabled user account
get-mailbox -id 'domain\user001' | set-mailbox -samaccountname user01

Change the Name/CN/DN of a mailbox-enabled user account
get-mailbox -id 'domain\user' | set-mailbox -DisplayName "User, Test" -Name "User, Test"

Change the alias of a mailbox object
get-mailbox -id 'domain\user' | set-mailbox -alias user01

Check if a mailbox exists
if (get-mailbox -id user01 -ErrorAction SilentlyContinue) {write-host "test"}

Find the oldest and newest dates of mailbox folders
get-mailboxfolderstatistics -id user01 -FolderScope Inbox -IncludeOldestAndNewestItems

Find Exchange logs for messages that failed to deliver
Get-MessageTrackingLog  -Start "21/12/2011 6:00:00" -server server01 | where {$_.eventId -eq 'Fail'} | ft * -wrap -autosize

Find messages where delivery failed 
Get-MessageTrackingLog -EventId FAIL -Start "20/12/2011 6:00:00" -server server01 | ft TimeStamp,Source,EventID,Recipients,Sender,RecipientStatus -wrap -autosize 

See which mailboxes a user has direct permissions to access
get-mailbox -OrganizationalUnit 'domain.local/Mailboxes/Shared' | get-mailboxpermission | where {$_.user -like 'domain\user01'}

Find mailboxes that have a specified ACE set
get-mailbox -OrganizationalUnit 'domain.local/Mailboxes/Shared' | get-adpermission | where {$_.AccessRights -contains 'WriteProperty' -and $_.Properties -like 'Personal-Information'} | ft -wrap -autosize

Find active sync utilisation for mailboxes
Get-Mailbox -ResultSize:Unlimited |ForEach {Get-ActiveSyncDeviceStatistics -Mailbox:$_.Identity} |ft identity,devicemodel,LastSuccessSync,LastPolicyUpdateTime,DeviceType,DeviceID,DeviceUserAgent,LastPingHeartbeat,DeviceFriendlyName,DeviceOS,DeviceIMEI,DevicePhoneNumber

Find SMTP mail delivery failures
foreach ($server in Get-TransportServer) {Get-MessageTrackingLog -EventId FAIL -Start "01/01/2012 6:00:00" -server $server.name | where {$_.recipients -like '*@*' -and $_.recipients -notlike '*@local.com' -and $_.recipients -notlike 'IMCEAEX*'} | ft EventId,Source,Sender,Recipients -wrap -autosize}

Find the owner of one or more mailboxes
get-mailbox -id user01 | get-adpermission -owner | ft -wrap -autosize

Get the Exchange 2007 organisation config
Get-OrganizationConfig

Find the Exchange 2007 accepted domains (authoritative and relay)
Get-AcceptedDomain

Find logs for distribution list expansion
foreach ($server in Get-TransportServer) {Get-MessageTrackingLog  -EventId EXPAND -Start "29/02/2012 17:28:00" -server $server.name | ft Timestamp,Sender,RelatedRecipientAddress,Recipients,RecipientStatus -wrap -autosize}

Find logs for e-mail from a specific address
foreach ($server in Get-TransportServer) {Get-MessageTrackingLog  -Sender "user01@external.com"  -Start "29/02/2012 17:28:00" -server $server.name | ft Timestamp,Recipients,RecipientStatus,Sender -wrap -autosize}

Find logs for failed messages
foreach ($server in Get-TransportServer) {Get-MessageTrackingLog  -EventId FAIL -Start "29/02/2012 17:28:00" -server $server.name | ft Timestamp,Recipients,RecipientStatus,Sender -wrap -autosize}

Find logs for messages from the last minute
foreach ($server in Get-TransportServer) {Get-MessageTrackingLog -start (Get-Date).AddMinutes(-1)  -server $server.name | ft Timestamp,Sender,RelatedRecipientAddress,Recipients,RecipientStatus -wrap -autosize}

Find mail attributes for a public folder
get-mailpublicfolder -id "\Folder01\SubFolder01" | fl *

Find Exchange 2007 Web Services
Get-WebServicesVirtualDirectory | fl *

Find Exchange Message Tracking messages from a particular client IP
foreach ($server in Get-TransportServer) {Get-MessageTrackingLog -resultsize unlimited -start (Get-Date).AddMinutes(-15) -server $server.name | where {$_.ClientIp -eq '192.168.1.10'} | ft * -wrap -autosize}   

Report explicit OU security for OUs in the domain
$ous = dsquery ou "dc=domain,dc=local" -limit 0; $permissions = foreach ($ou in $ous) {Get-ADPermission -id $ou.replace('"','') | where {$_.IsInherited -eq $False -and $_.User -like 'DOMAIN\*'}}; $permissions | select Identity,User,Deny,{$_.ChildObjectTypes},{$_.AccessRights},{$_.Properties},{$_.InheritedObjectType} | export-csv -path c:\temp\OU_Permission_20120309.csv

Find OWA Internal/External URL configuration
Get-OwaVirtualDirectory | where {$_.name -eq 'owa (Default Web Site)'} | ft Server,Name,InternalUrl,ExternalUrl -wrap -autosize 

Find transport server message tracking configuraiton 
Get-TransportServer | fl Name,messagetra*

List the available event logs from a remote server
Get-EventLog -computer server01 -list

List the Exchange 2007 diagnostic logging configuration
Get-EventLogLevel -server server01 | ft -wrap -autosize

Enable connectivity logging for Exchange 2007 Edge/Hub transport servers
get-TransportServer -id server01 | set-transportserver -ConnectivityLogEnabled:$true

View messages in the queue
get-queue -server server01 | get-message -IncludeRecipientInfo | fl *

Find recipients with a filter based on department
get-recipient -filter '((Department -eq "DEPT") -and (Alias -ne $null))'

Find users that do not have the specified primary SMTP address domain
get-recipient -filter '(ObjectClass -eq "User")' -resultsize:unlimited | where {$_.PrimarySmtpAddress -notlike "*@domain.local"} | ft Identity,PrimarySmtpAddress -wrap -autosize

Export to CSV users that don't have the specified primary SMTP domain
get-recipient -filter '(ObjectClass -eq "User")' -resultsize:unlimited | where {$_.PrimarySmtpAddress -notlike "*@domain.local"} | select Identity,PrimarySmtpAddress,Department | export-csv -path c:\temp\PrimarySMTP.csv

Expand a nested distribution group, counting all mail recipients
. C:\data\scripts\PowerShell\Exchange\ExpandDL.ps1 "CN=DL01,OU=Groups,dc=domain,dc=local"       

Find the user and SID on mailbox permissions (useful when sidhistory is used)
get-mailboxpermission -id user01 | ft User,{$_.user.securityidentifier} -wrap -auto

Find mailbox enabled users with a first/last name using ActiveDirectory
$users = get-aduser -filter {givenName -like '*' -and sn -like '*' -and mailnickname -like '*'}

Find user mailbox recipients that have a first and last name set
$mailboxes = get-recipient -resultsize unlimited -filter "(firstName -like '*' -and lastname -like '*' -and Alias -like '*' -and RecipientType -eq 'UserMailbox')"; foreach ($mailbox in $mailboxes) {  $firstName = $mailbox.firstname.replace(" ", "");   $lastName = $mailbox.lastname.replace(" ", "");   $primary = $mailbox.EmailAddresses | where {$_.IsPrimaryAddress -eq $true -and $_.PrefixString -eq "SMTP"} ;   $mailSplit =  $primary.SmtpAddress.split(".@");   if ($firstName -ne $mailSplit[0] -or $lastName -ne $mailSplit[1]) {    Write-Host $primary.SmtpAddress;   }}

Find mail recipients that don't have a first or last name (shared mailboxes)
$mailboxes = get-recipient -resultsize unlimited -filter {firstName -eq $null -and lastname -eq $null -and Alias -like '*' -and RecipientType -eq 'UserMailbox'}

Find mailboxes with the specified domain name
get-mailbox -filter {emailaddresses -like '*@domain.local'}

Find mailboxes with the specified domain name as their primary address
get-mailbox -filter {emailaddresses -like '*@domain.local'} | get-mailbox | where {$_.primarysmtpaddress -like '*@domain.local'}

Find distribution lists that can be emailed externally
$dls = get-distributiongroup -resultsize unlimited -filter {Alias -ne $null -and RequireAllSendersAreAuthenticated -eq $true}

Update the accept from for a DL with a list of users
$users = "User01, Test", "User02, Test"; foreach ($user in $users) {$user = get-mailbox -id $user; if ($user) {Get-DistributionGroup -id "DL01" | Update-List -Property AcceptMessagesOnlyFrom -Add $user.distinguishedName | Set-DistributionGroup }}

Update a distribution list to allow sending only from another DL
set-distributiongroup -id dl01 -AcceptMessagesOnlyFromDLMembers dl02

Find the user accounts for mailbox recipients with first and last name 
$mail = get-user -filter {(FirstName -ne $null -and LastName -ne $null)} -RecipientTypeDetails UserMailbox,LinkedMailbox -resultsize unlimited -OrganizationalUnit "OU=Mailboxes,dc=domain,dc=local" | select FirstName,LastName,windowsemailaddress

Find users that don't conform to first.last@ email addresses
$mail = get-user -filter {(FirstName -ne $null -and LastName -ne $null)} -RecipientTypeDetails UserMailbox,LinkedMailbox -resultsize unlimited -OrganizationalUnit "OU=Mailboxes,dc=domain,dc=local" | select FirstName,LastName,windowsemailaddress

Create a new transport rule setting SCL based on subject or body text
$condition = Get-TransportRulePredicate SubjectOrBodyContains; $condition.words = "SCL=9"; $action = Get-TransportRuleAction SetSCL; $action.sclvalue = 9; New-TransportRule -name "Filter01" -Condition $condition  -Action $action

Find mailboxes configured to forward and report details
$outputFile = "c:\temp\EmailForward_" + ([DateTime]::Now.ToString("yyyyMMddhhmmss")) + ".csv"; get-mailbox -filter {forwardingaddress -ne $null} | sort -prop whenChanged -descending | select whenChanged,SamAccountName,Identity,DeliverToMailboxAndForward,ForwardingAddress, @{N='ForwarderPrimarySMTPAddress';E={$recipient = get-recipient -id $_.ForwardingAddress; if ($recipient.recipienttype -eq 'MailContact') {write-output $recipient.externalemailaddress.tostring().replace("SMTP:","")} else {write-output $recipient.primarysmtpaddress}}},@{N='RecipientType';E={$recipient = get-recipient -id $_.ForwardingAddress; write-output $recipient.recipienttype.tostring()}} | export-csv -path $outputFile; write-host $outputFile

Turn on send connector verbose logging
get-sendconnector -id 'SendConnect01' | set-sendconnector -ProtocolLogginglevel verbose

Find NDR 5.4.6 routing loops in the last day from all transport servers
foreach ($server in Get-TransportServer) {Get-MessageTrackingLog -resultsize unlimited -EventId FAIL -Start (Get-Date).AddDays(-1) -server $server.name | where {$_.RecipientStatus -like '*5.4.6*'} | ft Timestamp,Recipients,RecipientStatus,Sender -wrap -autosize}

Find email addresses that aren't using first.last
foreach ($user in $mail) { if (!($user.windowsemailaddress.tostring().tolower().contains($user.firstname.tolower().replace(' ', '') + '.' + $user.lastName.tolower().replace(' ', '') + '@'))) { write-host $user.windowsemailaddress} }

Export a mailbox to PST
export-mailbox -id user01 -PSTFolderPath c:\temp\user01.pst

Find the Exchange 2003 global restrictions in AD for envelope recipients
Get-ADObject -id "CN=Message Delivery,CN=Global Settings,CN=ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,dc=domain,dc=local" -prop msExchRecipLimit

Find the Exchange 2007/2010 global restrictions in AD for envelope recipients
Get-ADObject -id "CN=Transport Settings,CN=ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,dc=domain,dc=local" -prop msExchRecipLimit

Find the Exchange 2007 transport settings for max enveople recipients
Get-TransportConfig | fl MaxRecipientEnvelopeLimit

Update managedBy for a distribution group
get-distributiongroup -id DL01 | Set-DistributionGroup -ManagedBy "CN=user01,OU=Mailboxes,dc=domain,dc=local"

Get the offline address book update schedule 
$oab = Get-OfflineAddressBook; $oab.schedule | ft -wrap -auto

Find the offline address book server, PF database and web distribution point
Get-OfflineAddressBook | fl Server,PublicFolderDatabase,VirtualDirectories

Find the Offline Address Book virtual directory
Get-OabVirtualDirectory | ft -wrap -auto

Find the custom resource schema configuration for custom resource properties
Get-ResourceConfig

Gather public folder statistics
$pfstats = Get-PublicFolderStatistics -server server01

Start the Exchange Management Shell from a standard powershell instance
add-pssnapin  Microsoft.Exchange.Management.PowerShell.Admin; . "C:\Program Files\Microsoft\Exchange Server\bin\Exchange.ps1"

Send an SMTP e-mail with PowerShell 2.0 or later
send-mailmessage -from $sendfrom -to $sendto -subject $subject -body $body -BodyAsHtml -smtpServer $smtpserver

Add an availability address space to access local public folder schedule+ FB
Add-AvailabilityAddressSpace -ForestName remote.address.space -AccessMethod PublicFolder

Query free/busy schedule+ public folder replica information
get-publicfolder -Identity "\NON_IPM_SUBTREE\SCHEDULE+ FREE BUSY"  -Recurse | ft Name,OriginatingServer,Replicas -wrap -auto

Query free/busy schedule+ public folder information on Exchange 2007/2010
get-publicfolder -Identity "\NON_IPM_SUBTREE\SCHEDULE+ FREE BUSY"  -Recurse | Get-PublicFolderItemStatistics | ft PublicFolderName,Subject -wrap -auto

Show the e-mail addresses for the specified user in list format
((Get-Mailbox user01).EmailAddresses)

Add a secondary e-mail address in Exchange 2010 to a mailbox user
Set-Mailbox user01 -EmailAddresses (((Get-Mailbox user01).EmailAddresses)+="smtp:user01@test.com")

Add a secondary e-mail address in Exchange 2010 to a MEU
Set-MailUser testuser01 -EmailAddresses (((Get-MaiLUser testuser01).EmailAddresses)+="smtp:testuser01@new.domain.com") -whatif

Update the targetAddress attribute for an ADSI object
$user = [adsi]"LDAP://CN=testuser01,OU=Migrated,DC=domain,DC=local"; $user.put("targetAddress","smtp:testuser01.User@new.domain.com")

List the client-side public folder permissions for all public folders
$pfperms = Get-PublicFolder -recurse | Get-PublicFolderClientPermission

Get the report from a Exchange 2010 new-moverequest operation
$MoveReport = (Get-MailboxStatistics -Identity user01 -IncludeMoveReport).MoveHistory

Add to the managedBy property of a distribution list
set-distributiongroup -id $group -managedby (((get-distributiongroup -id $group).managedby) += $user.identity.distinguishedName)

Find the current management roles that have distribution in the name
Get-ManagementRoleAssignment | where {$_.name -like '*recipient*'} -warningaction silentlycontinue | ft -wrap -auto

Find CAS array information for an Exchange 2010 installation
get-clientaccessarray

Find delegate access to a mailbox with Exchange 2010 SP1
adfind -b "DC=domain,DC=local" -f "(&(objectClass=User)(objectCategory=Person)(msExchDelegateListLink=*))" -h dc01.domain.local samaccountname msExchDelegateListLink

Find delegate access to a mailbox with Exchange 2010 SP1 through backlink
adfind -b "DC=domain,DC=local" -f "(&(objectClass=User)(objectCategory=Person)(MsExchDelegateListBL=*))" -h dc01.domain.local samaccountname MsExchDelegateListBL

Convert legacy global distribution groups to universal
Get-Group -ResultSize Unlimited -RecipientTypeDetails NonUniversalGroup -OrganizationalUnit "OU=Distribution Lists,OU=Resources,DC=domain,DC=local" | Where-Object {$_.GroupType -match 'global'} | Set-Group -Universal

Mail-enable legacy global DLs that have been converted to universal
Get-Group -ResultSize Unlimited -RecipientTypeDetails UniversalDistributionGroup -OrganizationalUnit "OU=Distribution Lists,OU=Resources,DC=domain,DC=local"  | enable-distributiongroup

Change group scope for non-universal groups to universal
Get-DistributionGroup -ResultSize Unlimited -RecipientTypeDetails MailNonUniversalGroup | Set-Group -Universal

Upgrade Exchange 2010 legacy groups
Get-DistributionGroup -ResultSize Unlimited | Set-DistributionGroup -ForceUpgrade

Extract all properties of one or more users and save to CSV
get-aduser -ldapfilter "(&(objectClass=User)(objectCategory=Person)(samaccountname=*.exchtest*))" -prop * | export-csv -path c:\temp\TestUsers.csv

Create a new display name with surname in UPPER and first in Title case
$newName = $user.LastName.toUpper() + ' ' + (Get-Culture).textinfo.totitlecase($user.FirstName)

Start a remote powershell session to an exchange 2010 namespace
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://cas01.domain.local/PowerShell/ -Authentication Kerberos;   Import-PSSession $Session

Start a remote powershell session to an exchange 2010 namespace using prefix
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://cas01.domain.local/PowerShell/ -Authentication Kerberos;   Import-PSSession $Session -prefix ResForest

Bitwise OR to whether whether grouptype is distribution or security
if (14 -bor 2147483648 -eq 14) {write-output "Distribution} else {write-output "Security"}

Find mailbox folder permissions in Exchange 2010
$mailbox = get-mailbox -id user01; get-mailboxfolderpermission -id ($mailbox.primarysmtpaddress.tostring() + ":\Calendar")

Find the Exchange 2010 autodiscover URL (then stored in SCP)
Get-ClientAccessServer | fl *autodisc*      

Find Exchange 2010 RBAC management roles
Get-ManagementRole -id 'Distribution Groups' | fl *

Find Exchange 2010 RBAC management role assignments
Get-ManagementRoleAssignment |where {$_.role -eq 'Distribution Groups'} | ft -wrap -auto

Select the value of a property as an array of strings rather noteproperty
$members = get-adgroup "CN=group,DC=domain,DC=local" -server $dc | get-adgroupmember -server $dc | %{write-output $_.SamAccountName.ToString()}

Convert a group from security to distribution
get-adgroup -id migtestdl3 | set-adgroup -GroupCategory 0

Find recipient info from multiple forests and group by primary SMTP domain
$recipients = get-recipient -domaincontroller dc01.domain.local -OrganizationalUnit "OU=People,DC=domain,DC=local" -filter {(firstName -ne $null -and LastName -ne $null) -and (RecipientType -eq 'UserMailbox')} -resultsize unlimited ; $recipients += get-recipient  -domaincontroller targetdc.target.domain -OrganizationalUnit "OU=People,DC=target,DC=domain" -filter {(firstName -ne $null -and LastName -ne $null) -and (RecipientType -eq 'UserMailbox')} -resultsize unlimited ; $recipients | select @{N='EmailDomain';e={$_.primarysmtpAddress.tostring().split("@")[1]}} | group-object -prop EmailDomain | sort -prop Count | ft -wrap -auto

Find mailboxes from multiple forest and info on e-mail domain and islinked
$mailboxes = get-recipient -domaincontroller dc01.domain.local -OrganizationalUnit "OU=People,DC=domain,DC=local" -filter {(firstName -ne $null -and LastName -ne $null) -and (RecipientType -eq 'UserMailbox')} -resultsize unlimited  | get-mailbox -domaincontroller dc01.domain.local; $mailboxes += get-recipient  -domaincontroller dc01.taret.domain -OrganizationalUnit "OU=People,DC=target,DC=domain" -filter {(firstName -ne $null -and LastName -ne $null) -and (RecipientType -eq 'UserMailbox')} -resultsize unlimited | get-mailbox -domaincontroller dc01.target.domain; $mailboxes | select OriginatingServer,@{N='EmailDomain';e={$_.primarysmtpAddress.tostring().split("@")[1]}},IsLinked | group-object -prop OriginatingServer,EmailDomain,IsLinked | sort -prop Count | ft Count,Name -wrap -auto  

Find mailboxes with an ActiveSync device partnership
get-casmailbox -resultsize unlimited  | where {$_.HasActiveSyncDevicePartnership -eq 'true'}

Find the preferred domain controllers for the current Exchange 2010 session
Get-ADServerSettings | fl *

Set domain controller configuration for an exchange server
Set-ExchangeServer -StaticConfigDomainController dc01 StaticDomainControllers dc01,dc02 -StaticExcludedDomainControllers dc03 -StaticGlobalCatalogs gc01

Link an Exchange 2010 mailbox to a cross-forest security principal
get-mailbox user01 | set-mailbox -LinkedMasterAccount domain\user01 -linkeddomaincontroller dc01.domain.local

Get Exchange 2010 IMAP settings
Get-IMAPSettings -Server cas01

Disable policy and update the primary SMTP address of a 2010 mailbox 
get-mailbox -id "CN=user01,OU=People,DC=domain,DC=local" | set-mailbox -EmailAddressPolicyEnabled $false -PrimarySmtpAddress user01@domain.local

Find the server generating the Offline Address Book
Get-OfflineAddressBook | ft server,guid,AddressLists -wrap -auto (files stored in C:\Program Files\Microsoft\Exchange Server\V14\ExchangeOAB\)

Prepare an Exchange 2010 cross-forest move (create MEU and merge contact)
.\Prepare-MoveRequest.ps1 -Identity $username -RemoteForestCredential $cred -RemoteForestDomainController dc01.domain.local -LinkedMailUser -MailboxDeliveryDomain domain.local -TargetMailUserOU "OU=Resource Forest Accounts,DC=domain,DC=local" -UseLocalObject

Initiate an Exchange  2010 cross-forest move request
New-MoveRequest -Identity $username -RemoteLegacy -RemoteGlobalCatalog dc01.domain.local -TargetDatabase 'DB01' -RemoteCredential $cred -TargetDeliveryDomain 'domain.local' ?Verbose

Get an Exchange 2010 move request report
$moverequest = Get-MoveRequestStatistics -id user01 -IncludeReport; $moverequest.report

Get all the mailbox users in an OU and set a user property
get-mailbox -org "OU=Resource Forest Accounts,DC=domain,DC=local" | set-user -company 'Company01'

Check Exchange 2010 CAS RPC Client Access stats for online mode
$matches = select-string -pattern "2013-03" -simple -path "\\cas01\c$\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access\RCA_201303*"; $results = foreach ($match in $matches) {$line = $match.line;   write-output $line }; $results | out-file -file c:\temp\rpcusage.txt -encoding ascii; $rpc = import-csv -path c:\temp\rpcusage.txt -header date-time,session-id,seq-number,client-name,organization-info,client-software,client-software-version,client-mode,client-ip,server-ip,protocol,application-id,operation,rpc-status,processing-time,operation-specific,failures; $classic = $rpc | where {$_.'client-mode' -eq 'Classic' -and $_.'client-software' -eq 'outlook.exe'}; $classic | select client-name | group-object -prop client-name | ft -wrap -auto Count,Name

Find Exchange 2007/2010 mailbox statistics in MB (not with remote powershell)
get-mailbox -id user* | get-mailbox | get-mailboxstatistics | select DisplayName,ItemCount,@{n='SizeMB';e={$_.TotalItemSize.value.tomb()}} | ft -wrap -autosize

Wayne's World of IT (WWoIT), Copyright 2010 Wayne Martin. 

Read more!

Modifying Exchange mailbox permissions

Two methods are discussed in this post regarding command-line modifications to Exchange 2003 mailbox security, VBScript and ADModify.Net.

Method 1 - VBScript

The first method is to use a VBScript - modifying exchange mailbox rights can be done in a very similar fashion to modifying the ntSecurityDescriptor attribute. However, to make this work you need CDOEXM installed, installed with the exchange console on your administrative workstation.

The CDOEXM (Collaboration Data Objects for Exchange Management) objects provide an interface called IExchangeMailbox. This interface inherits from IMailboxStore, and also provides an additional property key to modifying Exchange permissions - the MailboxRights property.

Instead of using the msExchMailboxSecurityDescriptor attribute, you need to get and set the DACL using the MailboxRights property. The msExchMailboxSecurityDescriptor is only a back-link from the Exchange store, it doesn’t have a matching forward-link - therefore it won't be replicated if you modify this AD attribute. It eventually would be overwritten when the DACL is replicated back from the exchange mailbox object.

I assume the reason for the backlink msExchMailboxSecurityDescriptor attribute is mostly convenience and backwards compatibility, ie, an application or an admin can read the Exchange permissions (excluding inheritance I think) without requiring CDO.

Note that the Microsoft references below provide example script on using MailboxRights to modify existing mailboxes, and although the articles are quite good and very detailed, the relevance of MailboxRights compared to msExchMailboxSecurityDescriptor wasn't immediately obvious (to me at least).

Method 2 - ADModify.Net

The second method is to use ADModify.Net - a very powerful (and therefore potentially dangerous) utility to perform bulk modifications on mailbox objects. It comes with both command-line and GUI versions.

admodcmd is the command-line version, and the following example command starts at the specified DN, filtering based on user accounts with a certain CN, and then adds full-access mailbox rights to these users for the specified group:

admodcmd -dn "OU=USERS,DC=domain,DC=com" -f "(&(objectClass=user)(objectCategory=person)(CN=user*))" -addtomailboxrights domain\GroupToAdd ACE_MB_FULL_ACCESS


Issuing Query....

12 items found matching the specified filter.


0% 50% 100%
----------------------------------------
...................................................

Successful changes: 12
Already set to specified value: 0
Failed changes: 0

Operation Completed in 4.15625 seconds.


References

How to set Exchange Server 2003 and Exchange 2000 Server mailbox rights on a mailbox that exists in the information store
http://support.microsoft.com/?id=310866

How to set Exchange Server 2000 and 2003 mailbox rights at the time of mailbox creation
http://support.microsoft.com/kb/304935

Exchange 2003 SP2 Disabling Mapi/Non-Cached Access Per User
http://technet.microsoft.com/en-us/library/bb219050(EXCHG.65).aspx

ADModify.NET - Home
http://www.codeplex.com/admodify


Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.

Read more!