Removing Orphaned Populated msExchangeDelegateLinkList and msExchangeDelegateLinkListBL Automapping Attributes

By Ace Fekay
Published 5/11/2017
Revamped 3/31/2018 – Added the option to selectively remove BLs without removing FullAccess permissions to the shared mailbox

Scope

How to remove a shared mailbox that keeps showing up in your Outlook profile that you’ve been removed as a delegate.

This shows how to remove the mailbox permissions and to re-add, and I just added how to simply just remove the backlinks WITHOUT removing FullAccess permissions. The users in this case, must re-add the mailbox in Outlook once it disappears from their profile.

Automapping

Automapping is an Autodiscover feature that was added to Exchange 2010 SP1 and newer, that allows Outlook to automatically add a delegated mailbox without additional tasks.

Autodiscover looks at the mailbox owner’s AD account for an attribute called the MSExchDelegateListLink attribute.

When you use the EAC or PowerShell to delegate permissions to a shared mailbox or to another user, Exchange will automatically set the Automapping feature to $True. In PowerShell you can disable this, but not in the EAC.

This feature populates the MSExchDelegateListLink attribute on the shared or delegated mailbox with the user accounts that will be Automapped, and vice-versa, it also populates the MSExchDelegateLinkListBL attribute on the user account. I look at this as the “back link” to the shared mailbox.

These two attributes are one of  nine (9) links and backlinks that exist. Here’s a list of all links and backlinks in AD and more specifics can be found at the following link:
http://www.neroblanco.co.uk/2015/07/links-and-backlinks-in-active-directory-for-exchange/

Outlook, Autodiscover, and those attributes

When Outlook fires up, and while running, part of what Autodiscover process performs is it will check these two attributes to determine if there are any shared mailboxes that must be automatically added to the Outlook profile. In some cases using a managed process for shared mailboxes, we may want this feature disabled so the shared mailbox does not get automatically added.

Orphaned Backlink is still populated and the mailbox still shows up in Outlook

If the user was previously delegated to a shared mailbox, then the delegated per,missions were removed, but for some reason, perhaps replication or corruption, or some other unforeseen factor (large environments fall under this category), the shared mailbox still shows up and you can’t get rid of it, and further, since you no longer have permissions, you can’t open it. This will cause the shared or delegated mailbox to still show up in Outlook. But you can clearly see in EAC or running a get-mailboxpermission that the user is no longer delegated.

Example of an account with the msExchDelegateLinkListBL still populated:

image

How to remove it?

First, establish your PowerShell session to Exchange OnPrem or your Office 365 tenant. If unsure how, see this:
http://blogs.msmvps.com/acefekay/2017/05/11/establishing-a-powershell-session-to-your-office-365-tenant-or-onprem-exchange/

Determine, if any, links or backlinks exist on the shared mailbox:

Get-ADUser “SharedMailboxDisplayName” -Properties msExchDelegateListLink | Select-object -ExpandProperty msExchDelegateListLink

If any show up, you’ll see their sAMAccountNames. If you don’t know who the sAMAccountNames are and you want to see their displayNames, run the following (this command works for DNs, too):

For one account:
get-aduser sAMAccountName -Properties displayName,mail  | ft Name, DisplayName, mail -A

For a list of accounts in a text file:
get-content c:\temp\names.txt | get-aduser -Properties displayName,mail  | ft Name, DisplayName, mail –A

 

Then remove the msexchDelegateLinkListBL orphaned backlink and FullAccess permissions to the shared mailbox

Note: I’m using the shared mailbox’s displayName. This will also work using the sAMAaccountName or the primary email address.

For one account:
Remove-MailboxPermission “SharedMailboxDisplayName” -user $_ –AccessRights FullAccess -Confirm:$false

For a list of accounts in a text file:
get-content c:\temp\ace\userIDs\users.txt | foreach {Remove-MailboxPermission “SharedMailboxDisplayName”  -user $_ –AccessRights FullAccess -Confirm:$false}

Then if needed, delegate the shared mailbox again & disabling Automapping

Delegate Ace to a shared mailbox:
Add-MailboxPermission “Shared Mailbox Name or email address” -User AceFekay@contoso.com -AccessRights FullAccess -AutoMapping:$false

To just remove the backlink WITHOUT removing permissions

Note, using this method, the shared mailbox will automatically disappear from the Outlook profile. As soon as it does, you must manually re-add the shared mailbox either under the user account properties, where the permissions are proxied through the user account, which is the same as if it were Automapped, or as a separate account, which provides better features including sent and deleted items go into the shared mailbox itself instead of the mailbox owner under an automapped account or added under the user account.

To remove all BLs all at once:

#########################################################
#Remove the MSExchDelegateListBL from an account

$userToClean = “I061859”
  $userDN = Get-ADUser $userToClean | select -ExpandProperty DistinguishedName
  $delegates = Get-ADUser $userToClean -Properties msExchDelegateListBL |  select -ExpandProperty msExchDelegateListBL
  Write-Host “======================================================”
  write-host “List of Delegated accounts that are backlinked:” $Delegates
  Write-Host “======================================================”
  foreach ($delegate in $delegates) {
  Set-ADUser $delegate -Remove @{msExchDelegateListLink = “$UserDN”}
  }
  Write-Host “======================================================”
  Write-Host “If the following get-aduser cmdlet searching for backlinds is empty, then all delegated backlinks have been removed”
  Get-ADUser $user -Properties msExchDelegateListBL |  select -ExpandProperty msExchDelegateListBL
  Write-Host “======================================================”

To remove specific BLs one at a time:

# 1. Find the list of users in a shared mailbox that have been backlinked.
#    Note, as said, this is only for removing users that have requested it, unless you are working on removing all, which use the above

$SharedMailboxOrUserDisplayName = “Shared Mailbox Display Name”
$SharedMailboxOrUser = (get-recipient “$SharedMailboxOrUserDisplayName”).name
Write-Host “======================================================”
Write-host “Shared Mailbox sAMAccountName:” $sharedMailboxorUser
Write-host “List of Users (or ‘Delegates’) that currently have Backlinks on Shared mailbox ‘$sharedMailboxorUser’ :”
Get-ADUser $SharedMailboxOrUser  -Properties msExchDelegateListLink | Select-object -ExpandProperty msExchDelegateListLink | get-aduser -Properties displayName,mail  | ft Name,DisplayName,mail -A
write-host “======================================================”

# 2. Then enter the user account name from the above list that you want to remove, and then find the user’s DN:
  $UserToClean = “User sAMAccountName”
  $userToCleanDisplayName = (get-recipient $UserToClean).displayName
  $userDN = Get-ADUser $UserToClean | select -ExpandProperty DistinguishedName
  Write-Host “The DN of ‘$userToCleanDisplayName’ ($UserToClean) that you want to clean is: ” $userDN
  Write-Host “======================================================”
  write-host “List of Backlink DNs that you want to remove from $UsertoClean :”
  Write-Host
  Get-ADUser  $UserToClean -Properties msExchDelegateListbl |  select -ExpandProperty msExchDelegateListBL

  Write-Host  “======================================================”

# 3. Remove the MSExchDelegateListBL from my account or an account that was migrated to the cloud that previously had a MSExchDelegateListBL
#    Just have to run this, the BL gets removed after you run it
#    This does not remove any AccessRights to the Mailbox, it just removes the automapping

Set-ADUser  $UserToClean -Remove @{msExchDelegateListLink = (Copy and Paste the Backlink DN of the specific shared mailbox from the previous list that you want to remove) }

# 4. Then check to see if it worked:
   Get-ADUser  $UserToClean -Properties msExchDelegateListBL |  select -ExpandProperty msExchDelegateListBL
   Get-ADUser  $UserToClean -Properties msExchDelegateListLink |  select -ExpandProperty msExchDelegateListBL

==========================================================

Summary

I hope this helps!

Published 5/18/2017

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


 

Exchange or Office 365 Mailbox Dumpster Report

By Ace Fekay
Published 2/21/2018

Intro

This is another quick script to enumerate what’s in the dumpster, that I’ve created to help my day to day tasks. I hope you find it helpful.

Scope

This script enumerates an Exchange or Office 365 Dumpster, Purges, and Versions folders.

Note:

  • Dumpster and Deletions Report provides Size Values for the mailbox
  • Deleted items’, ‘Recover Deleted Items’ (Dumpster), and ‘Purges’ values.
    Does not apply to Mailusers” -ForegroundColor cyan
    *** If Lit Hold is present, Recover and Purges will be larger and must be ignored.) ***

The ‘Recoverable Items’ folder contains the following subfolders

  1. Recoverable Items: This is the total amount combined in Deletions, Calendar Logging, Purges, and Versions.
  2. Calendar Logging:  For Calendar diagnostic purposes

  3. Deletions
    : Recover Deleted Items or the ‘Dumpster'”
         This subfolder contains all items deleted from the Deleted Items folder.
  4. Versions:          If In-Place Hold or Litigation Hold is enabled:
    This subfolder contains the original and modified copies of the deleted items.”
  5. Purges:            If either Litigation Hold or single item recovery is enabled:”
    This subfolder contains all items that are hard deleted.

Script

I did not make this into a function, although it can easily be converted. To run it, for the $RecipientName variable, just enter the username, email address, displayName, or their sAMAccountName, and fire away.

“======================================================”
$RecipientName = “user’s email address, DisplayName, or sAMAccountName”
$RecipientDisplayName = (get-recipient $RecipientName).displayname

Optional (for reporting purposed):

$RecipientNetBIOSName = (get-recipient $RecipientName).name
$RecipientPrimAlias = (get-recipient $RecipientName).PrimarySmtpAddress

“======================================================” -ForegroundColor Cyan                   
  write-host “Dumpster and Deletions Report for ‘$RecipientDisplayName’ ($RecipientName) (Does not apply to Mailusers or Contacts):” “$(get-date)” -ForegroundColor Yellow
     Write-host “======================================================”
Write-host “Dumpster and Deletions Report provides Size Values for the mailbox ‘Deleted items’, ‘Recover Deleted Items’ (Dumpster), and ‘Purges’ values.”  -ForegroundColor Cyan
     Write-Host “Does not apply to Mailusers” -ForegroundColor cyan
     Write-Host “*** If Lit Hold is present, Recover and Purges will be larger and must be ignored.) ***”  -ForegroundColor Red
     Write-Host “***”
     Write-host “The ‘Recoverable Items’ folder contains the following subfolders:” -ForegroundColor Yellow
     Write-Host ”   Recoverable Items: This is the total amount combined in Deletions, Calendar Logging, Purges, and Versions.”
     Write-Host ”   Calendar Logging:  For Calendar diagnostic purposes”
     Write-Host ”   Deletions:         Recover Deleted Items or the ‘Dumpster'”
     Write-host ”                      This subfolder contains all items deleted from the Deleted Items folder. “
     Write-Host ”   Versions:          If In-Place Hold or Litigation Hold is enabled:”
     Write-Host ”                      This subfolder contains the original and modified copies of the deleted items.”
     Write-Host ”   Purges:            If either Litigation Hold or single item recovery is enabled:”
     Write-host ”                      This subfolder contains all items that are hard deleted.”
     Write-host “======================================================” -ForegroundColor Cyan
Get-MailboxFolderStatistics $RecipientName -FolderScope RecoverableItems | ft Name,FolderAndSubfolderSize, @{name=”LitigationHoldEnabled”;expression={(Get-mailbox $RecipientName).LitigationHoldEnabled}} –a
##########################################################

Report Output

(Watch the word-wrap):

=================================================================================================
Dumpster and Deletions Report for ‘User DisplayName’ (SAP Legal Operations) (Does not apply to Mailusers): 03/27/2018 11:22:01
=================================================================================================
Dumpster and Deletions Report provides Size Values for the mailbox ‘Deleted items’, ‘Recover Deleted Items’ (Dumpster), and ‘Purges’ values.
Does not apply to Mailusers
*** If Lit Hold is present, Recover and Purges will be larger and must be ignored.) ***
***
The ‘Recoverable Items’ folder contains the following subfolders:
    Recoverable Items: This is the total amount combined in Deletions, Calendar Logging, Purges, and Versions.
    Calendar Logging:  For Calendar diagnostic purposes
    Deletions:         Recover Deleted Items or the ‘Dumpster’
                       This subfolder contains all items deleted from the Deleted Items folder.
    Versions:          If In-Place Hold or Litigation Hold is enabled:
                       This subfolder contains the original and modified copies of the deleted items.
    Purges:            If either Litigation Hold or single item recovery is enabled:
                       This subfolder contains all items that are hard deleted.
=================================================================================================

Name              FolderAndSubfolderSize     LitigationHoldEnabled
—-              ———————-     ———————
Recoverable Items 1.32 MB (1,383,783 bytes)                  False
Calendar Logging  0 B (0 bytes)                              False
Deletions         1.196 MB (1,253,945 bytes)                 False
Purges            126.8 KB (129,838 bytes)                   False
Versions          0 B (0 bytes)                              False

Clear on the picture for a full view:

image

Summary

I hope this helps!

Published 3/27/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Mobility

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


 

Get-Rules

By Ace Fekay
Published 2/21/2018

Intro

This is another quick script I created to help my day to day tasks. I hope you find it helpful.

Like I said before, I’m far from being an expert, but I continue to read up on it, research, and ask lots of questions. The more you work at something, the more you get something out of it. Ever play pool?

Scope

This script will enumerate the Inbox rules for a mailbox. You will have four options:

  1. List of rules without a description using FT
  2. List of rules with a description using FT
  3. Rules listed individually using FL
  4. Rules sent to a CSV file named based on the user account entered

Get-Rule Script

Copy and paste the following into notepad, and save it as Get-UserList.ps1, and run it to load the function.

#################################\\\\\\\\\\\\\\\\////////////////#################################
# This script will:
# 1. Read a console entry for a user accounts, whether a sAMAccountName, alias, or email address
# 2. Provide a list of rules without descriptions
# 3. Provide a list of rules with descriptions
#
#    .SYNOPSIS
#    Lists a User’s Mailbox InboxRules
#
#    .DESCRIPTION
#    Enumerate Inbox rules with and without a description
#
#    .PARAMETER User
#    Specific user you want to search for.
#
#    .PARAMETER Description
#    You want the rules listed out individually with a description
#
#    .PARAMETER NoDescription
#    You want the rules listed out in table format without a description
#
#    .PARAMETER NoDescription
#    You want the rules listed out in table format without a description
#
#################################\\\\\\\\\\\\\\\\////////////////#################################
# Variables

$RecipientName = “I823135”
$RecipientDisplayName = (get-recipient $RecipientName).displayname
$RecipientNetBIOSName = (get-recipient $RecipientName).name
$RecipientPrimAlias = (get-recipient $RecipientName).PrimarySmtpAddress

# Script

Function Get-Rules {
[CmdletBinding()]
Param (
[Parameter(Position=0,Mandatory=$true)]
[string]$RecipientName,

[Parameter(Mandatory=$false)]
[switch]$Description,

[Parameter(Mandatory=$false)]
[switch]$NoDescription,

[Parameter(Mandatory=$false)]
[switch]$IndividualList,

[Parameter(Mandatory=$false)]
[switch]$CSVFile
)

$RecipientDisplayName = (get-recipient $RecipientName).displayname
$RecipientNetBIOSName = (get-recipient $RecipientName).name
$RecipientPrimAlias = (get-recipient $RecipientName).PrimarySmtpAddress

#If -Description was selected – Inboxrules to Console Screen:
If ($NoDescription) {
Write-Host “=================================================================================================” -ForegroundColor Cyan
Write-Host “You’ve selected to List the Inbox Rules to the Console Without a Description” -ForegroundColor Magenta
write-host “INBOX Rules for Mailbox ‘$RecipientDisplayName’ ($Recipientname):”  “$(get-date)” -ForegroundColor Yellow
Write-Host “=================================================================================================” -ForegroundColor Cyan
Get-InboxRule -mailbox $RecipientName -IncludeHidden | ft @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,forward*,RedirectTo,movetofolder,inerror,errortype -Wrap -a
Write-Host “=================================================================================================” -ForegroundColor Cyan
}

#If -NoDescription was selected – Inboxrules to Console Screen :
If ($Description) {
Write-Host “You’ve selected to List the Inbox Rules to the Console With a Description” -ForegroundColor Magenta
write-host “INBOX Rules for Mailbox ‘$RecipientDisplayName’ ($Recipientname):”  “$(get-date)” -ForegroundColor Yellow
Write-Host “=================================================================================================” -ForegroundColor Cyan
Get-InboxRule -mailbox $RecipientName -IncludeHidden | ft name,enabled,priority,ruleidentity,RedirectTo,movetofolder,inerror,errortype,description    -Wrap
#    Get-InboxRule -Mailbox $RecipientName -IncludeHidden | ft -AutoSize
#    (Get-InboxRule -Mailbox $RecipientName -IncludeHidden | ft -AutoSize).count
# FL –      Get-InboxRule -mailbox $RecipientName -IncludeHidden | fl @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,forward*,RedirectTo,movetofolder,inerror,errortype,description
# Select –  Get-InboxRule -mailbox $RecipientName -IncludeHidden | select  @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,forward*,RedirectTo,movetofolder,inerror,errortype,description
Write-Host “=================================================================================================” -ForegroundColor Cyan
$TotalRulesCount = ((Get-InboxRule -mailbox $RecipientName -IncludeHidden | measure-object).count)
Write-Host “Total Number of rules for $Recipientname is” $TotalRulesCount -ForegroundColor Magenta
Write-Host “=================================================================================================” -ForegroundColor Cyan
}
#################################\\\\\\\\\\\\\\\\////////////////#################################

#If -IndividualList is selected
If ($IndividualList) {
Write-Host “You’ve selected to list each InboxRule individually” -ForegroundColor Magenta
write-host “INBOX Rules for Mailbox ‘$RecipientDisplayName’ ($Recipientname):”  “$(get-date)” -ForegroundColor Yellow
Write-Host “=================================================================================================” -ForegroundColor Cyan
Get-InboxRule -mailbox $RecipientName -IncludeHidden | fl @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,forward*,RedirectTo,movetofolder,inerror,errortype,description
Write-Host “=================================================================================================” -ForegroundColor Cyan
$TotalRulesCount = ((Get-InboxRule -mailbox $RecipientName -IncludeHidden | measure-object).count)
Write-Host “Total Number of rules for $Recipientname is” $TotalRulesCount -ForegroundColor Magenta
Write-Host “=================================================================================================” -ForegroundColor Cyan
}
#################################\\\\\\\\\\\\\\\\////////////////#################################

 

If ($CSVFile) {
#####################################################################################
#Inboxrules to CSV file
Write-Host “=================================================================================================” -ForegroundColor Cyan
Write-Host “You’ve selected to send the Inbox Rules to a CSV file.” -ForegroundColor Magenta
Write-host
Write-Host “Rules list was sent to a CSV file located at ***C:\temp\InboxRules-for-$RecipientName.csv***” -ForegroundColor Yellow
$TotalRulesCount = ((Get-InboxRule -mailbox $RecipientName -IncludeHidden | measure-object).count)
Write-Host
Write-Host “Total Number of rules for $Recipientname is” $TotalRulesCount -ForegroundColor Magenta
#Write-Host “=================================================================================================” -ForegroundColor Cyan
Get-InboxRule -mailbox $RecipientName -IncludeHidden | select @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,description | export-csv “C:\temp\InboxRules-for-$RecipientName.csv”
Write-Host “=================================================================================================” -ForegroundColor Cyan
} }

 

How to run it

Create a list in notepad, save it as a txt file in c:\temp, or anywhere else and reference that in the script, then run:

get-Rules aceman –description –nodescription –individuallist –csv

Summary

I hope this helps!

Published 2/21/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Mobility

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Listing SendAs and SendOnBehalf Permissions

By Ace Fekay
Published 3/20/2018

Intro

Ace here again.

There are a number of tools that you can use in your day to day AD and Exchange management. This includes Office 365 Hybrid, but we’ll assume that you are performing one way sync to the cloud, and only replicating MSOL attributes back to on premises, so you can manage them locally, for the most part.

This is about getting SendAs and SendOnBehalf rights on a mailbox

SendAs

(Watch word-wrap)

Write-Host “*****************************************************************”
$Mailbox = Ace.Fekay@MSOLUser.com
$MailboxDisplayName = (get-recipient $Mailbox).displayName
Write-Host “///////////////////////////////—-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\”
Write-Host “*****************************************************************”
Write-host “The following is a list of who has SendAs permissions for ‘$MailboxDisplayName’ :”
Write-Host “*****************************************************************”
Get-recipient $Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | FT user, @{name=”User’s DisplayName”;expression={(Get-recipient $_.User).Displayname}}, extendedRights -AutoSize
$MailboxCount = @(Get-recipient $Mailbox | Get-ADPermission  | where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)}).count
Write-Host “Total number of users that can SendAs on contact ‘$MailboxDisplayName’ is” $MailboxCount
Write-Host “*****************************************************************”

Write-Host “\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\—-///////////////////////////////”
Write-Host “*****************************************************************”

SendOnBehalf

(Watch word-wrap)

Write-Host “*****************************************************************”
$Mailbox =
$MailboxDisplayName = (get-recipient $Mailbox).displayName
Write-host “The following is a list of who has SendOnBehalf permissions for ‘$MailboxDisplayName’ :”
Write-Host “*****************************************************************”
# – property not found – $sendonbehalfList = (get-recipient $Mailbox | select -ExpandProperty GrantsendOnBehalfto | foreach { Get-Mailbox $_ | select displayname, name})
$sendonbehalfList = (get-mailbox $Mailbox | select -ExpandProperty GrantsendOnBehalfto | foreach { Get-Mailbox $_ | select displayname, name})
#Get-recipient $Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “Grant*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | FT user, @{name=”User’s DisplayName”;expression={(Get-User $_.User).Displayname}}, extendedRights -AutoSize
Write-Host “And the list of who have SendOnBehalf on ‘$MailboxDisplayName’ is:” $SendonBehalfList  
Write-Host “*****************************************************************”

Example output:

*****************************************************************
///////////////////////////////—-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
*****************************************************************
The following is a list of who has SendAs permissions for ‘Fekay, Ace’ :
*****************************************************************
User            User’s DisplayName                           ExtendedRights
—-            ——————                                          ————–
Contoso\AFekay-Admin Fekay, Ace (Admin Only) {Send-As}    

Total number of users that can SendAs on contact ‘Fekay, Ace’ is 1
*****************************************************************
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\—-///////////////////////////////
*****************************************************************

Summary

I hope this helps!

Published 3/20/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs (I may be moving the following site): http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Get-UserList

By Ace Fekay
Published 2/21/2018

Intro

Ace here again. I’ve been playing more and more with scripting and well, I’m far from being an expert, but I continue to read up on it, research, and ask lots of questions.

I thought to share this cool function to enumerate a list of sAMAccountNames and email addresses and validate if the account exists. There isn’t anything out there like this at the moment, at least that I could find, which prompted its creation.

Kudos to my colleague Gamal. that helped me with this script.

Scope

Ever had a list of user accounts that you want to run the Exchange PowerShell cmdlet Get-Recipient to list their email addresses and displayNames, etc?

And the list is mixed with sAMAccountNames, email addresses, and displayNames, and worse, there are spaces and empty lines in the list, and further, they include bunch of accounts that don’t exist that give you that awesome (yea right) RED errors on your screen?

And you have to clean up the list first. Isn’t that a pain to clean it up before you run it?

Here’s a quick function to clean up the list, then enumerate and validate the list, reporting in almost any way you like that also tells you which accounts are invalid, without all those errors.

Get-Recipient

I decided to use Get-Recipient because the Get-Mailbox cmdlet won’t work if the account is a MailUser, Contact, or DL.

Quick script to enumerate and count, but without account validation

(Get-content “c:\temp\email-addresses.txt”) | ? {$_.trim() -ne “” } | set-content “c:\temp\user-list.txt”
$File = ((Get-content “c:\temp\user-list.txt”)).Trim()
$File | get-recipient  -Properties PrimarySmtpAddress ,displayName,name  | ft  Name,DisplayName, prim* -A
Write-Host “Total count:” ($file).Count

Script to enumerate and count, with account validation

Copy and paste the following into notepad, and save it as Get-UserList.ps1, and run it to load the function.

#################\\\\\\\\\\\\\\\\////////////////#################
# This Function (or script without the Function tag) will:
# 1. Reads a text file with mixed sAMAccountName, DisplayNames,
#     or primary email alias (recommended to not use displayNames)
# 2. Clean up white spaces and empty lines in the list
# 3. Searches and performs a validity check creating a report that
#      indicates active and inactive accounts
#
# Usage: Create a file of sAMAccountNames and email addresses,
# save it as a text file, then run Get-UserList
#
# Credit to my colleague Gamal for helping to create this cool script
#################\\\\\\\\\\\\\\\\////////////////#################
Function Get-UserList {

function change-color-red
{
process {Write-Host $_ -ForegroundColor DarkRed}
}
############
$EmailAddressList = “C:\temp\user-list.txt”
$File = ((Get-content $EmailAddressList) | Where-Object {$_.trim() -ne “” }).Trim()

$output = $File | ForEach-Object {

    $exists = if((Get-recipient $_ -erroraction SilentlyContinue)) {
                   Write-Output “Yes”
               }
             else {
                 Write-Output “Does not exist”
             }
     $recipient = Get-Recipient $_ -ErrorAction SilentlyContinue            

    $hash = @{‘Name’ = $_;
               ‘Does-Account-Exist?’ = $exists;
               ‘userID’ = $recipient.SamAccountName
               ‘DisplayName’ = $recipient.DisplayName
               ‘Email’ = $recipient.PrimarySMTPAddress
       }
      
     New-Object psobject -Property $hash
}
Write-Host “******************************************************************************”
$output | ft name,UserId, DisplayName, Email, Does-Account-Exist? -AutoSize | Out-Host
Write-Host “******************************************************************************”
Write-Host “There is/are $(($output).Count) account(s) in the queried user access list.” -ForegroundColor Magenta
Write-Host “Out of the list of users, there is/are $(($output | Where-Object Does-Account-Exist? -EQ ‘Yes’).count) Active account(s).” -ForegroundColor Cyan
Write-Host “Out of the list of users, there is/are $((($output | Where-Object Does-Account-Exist? -EQ ‘Does not exist’) | Measure-Object).count) Inactive account(s).” -ForegroundColor Red
Write-Host “******************************************************************************”
Write-Host “Ref: Part of a Cool Scripts and Functions List! – Ace Fekay”
}
#################////////////////\\\\\\\\\\\\\\\\#################

User list file example

As you can see I’ve mixed up the input type. The first.last represents a saMAccountName,”Ace Fekay” represents a displayname, and of course, email addresses.

============================
Smith, John

Ace Fekay
tom.thumb@contoso.com

j.doe
m.smith
============================

If you have displayNames mixed in the file

Keep in mind, if the displayName is not an exact match, it will result in a “Does Not Exist.” In such cases if you need to look them up, add the –anr (for ambiguous name lookup) to the Get-Recipient cmdlet – there are two lines in the script wtih the Get-Recipient. Add –anr to both, as shown below:

$recipient = Get-Recipient -anr $_ -ErrorAction SilentlyContinue

However, if there are multiple similar names, then you won’t get an accurate report. I’d rather just not use it and just create a user list based on either email addresses or sAMAccount names.           

How to run it

Create a list in notepad, save it as a txt file in c:\temp, or anywhere else and reference that in the script, then run:

get-Userlist

=====================

Summary

I hope this helps!

Published 2/21/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs (I may be moving the following site): http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


 

Removing Orphaned Populated msExchangeDelegateLinkList and msExchangeDelegateLinkListBL Automapping Attributes

By Ace Fekay
Published 5/11/2017

Scope

How to remove a shared mailbox that keeps showing up in your Outlook profile that you’ve been removed as a delegate.

To add, this is a big stickler especially with migrating from on-premises to Office 365, where the SendAs permission is now changed, because the permission must be re-assigned to the EXO object, the entity actually sending-As the email as another, and not the on-premises AD object. This also discusses how to remove the original Automapped BL (backlink).

Automapping

Automapping is an Autodiscover feature that was added to Exchange 2010 SP1 and newer, that allows Outlook to automatically add a delegated mailbox without additional tasks.

Autodiscover looks at the mailbox owner’s AD account for an attribute called the MSExchDelegateListLink attribute.

When you use the EAC or PowerShell to delegate permissions to a shared mailbox or to another user, Exchange will automatically set the Automapping feature to $True. In PowerShell you can disable this, but not in the EAC.

This feature populates the MSExchDelegateListLink attribute on the shared or delegated mailbox with the user accounts that will be Automapped, and vice-versa, it also populates the MSExchDelegateLinkListBL attribute on the user account. I look at this as the “back link” to the shared mailbox.

These two attributes are one of  nine (9) links and backlinks that exist. Here’s a list of all links and backlinks in AD and more specifics can be found at the following link:
http://www.neroblanco.co.uk/2015/07/links-and-backlinks-in-active-directory-for-exchange/

Outlook, Autodiscover, and those attributes

When Outlook fires up, and while running, part of what Autodiscover process performs is it will check these two attributes to determine if there are any shared mailboxes that must be automatically added to the Outlook profile. In some cases using a managed process for shared mailboxes, we may want this feature disabled so the shared mailbox does not get automatically added.

Orphaned backlink is still populated and the mailbox still shows up in Outlook

If the user was previously delegated to a shared mailbox, then the delegated per,missions were removed, but for some reason, perhaps replication or corruption, or some other unforeseen factor (large environments fall under this category), the shared mailbox still shows up and you can’t get rid of it, and further, since you no longer have permissions, you can’t open it. This will cause the shared or delegated mailbox to still show up in Outlook. But you can clearly see in EAC or running a get-mailboxpermission that the user is no longer delegated.

Example of an account with the msExchDelegateLinkListBL still populated:

image

 

How to remove it?

First, establish your PowerShell session to Exchange onprem or your Office 365 tenant. If unsure how, see this:
https://blogs.msmvps.com/acefekay/2017/05/11/establishing-a-powershell-session-to-your-office-365-tenant-or-onprem-exchange/

Determine, if any, links or backlinks exist on the shared mailbox:

Get-ADUser “SharedMailboxDisplayName” -Properties msExchDelegateListLink | Select-object -ExpandProperty msExchDelegateListLink

If any show up, you’ll see their sAMAccountNames. If you don’t know who the sAMAccountNames are and you want to see their displayNames, run the following (this command works for DNs, too):

For one account:
get-aduser sAMAccountName -Properties displayName,mail  | ft Name, DisplayName, mail -A

For a list of accounts in a text file:
get-content c:\temp\names.txt | get-aduser -Properties displayName,mail  | ft Name, DisplayName, mail –A

 

Then remove the msexchDelegateLinkListBL orphaned backlink:

Note: I’m using the shared mailbox’s displayName. This will also work using the sAMAaccountName or the primary email address.

For one account:
Remove-MailboxPermission “SharedMailboxDisplayName” -user $_ –AccessRights FullAccess -Confirm:$false

For a list of accounts in a text file:
get-content c:\temp\ace\userIDs\users.txt | foreach {Remove-MailboxPermission “SharedMailboxDisplayName”  -user $_ –AccessRights FullAccess -Confirm:$false}

Then if needed, delegate the shared mailbox again & disabling Automapping

Delegate Ace to a shared mailbox:
Add-MailboxPermission “Shared Mailbox Name or email address” -User AceFekay@contoso.com -AccessRights FullAccess -AutoMapping:$false

 

============================================================

Summary

I hope this helps!

Published 5/18/2017

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

 

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Establishing a PowerShell Session to Your Office 365 Tenant or OnPrem Exchange

By Ace Fekay
Published 5/11/2017

Prelude

I’m working on posting more scripting blogs managing Active Directory, Office 365, and Exchange OnPrem, or On Premises.

And I stress the phrase, “On Premises,” and NOT “On Premise!”

Scope

Instead of repeating this procedure in each blog I write that has something to do about scripting where you must connect a PowerShell or an ISE session (I’d rather use ISE) to the tenant or OnPrem box, I thought to just put this together and reference the URL to connect. It’s easier and takes up less space on the blog with the actuals PS commands and scripts.

Office 365 tenant without ADFS

If you are not using multifactor auth or ADFS, open a PowerShell window and the run the following:

$MySession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $YourCred -Authentication Basic –AllowRedirection

This will prompt you for your credentials. Then import the session you just created:
import-pssession $MySession

If using a Proxy:

$MySession = New-PSSession -ConfigurationName Microsoft.Exchange –ConnectionUri https://ps.outlook.com/powershell/ -Credential $YourCred -Authentication Basic –AllowRedirection (New-PSSessionOption -ProxyAccessType IE)

This will prompt you for your credentials. Then import the session you just created:
import-pssession $MySession

Import AD Module:

I always import the Active Directory module so I can run AD tools. Of course, you will need AD permissions to modify, but anyone can read properties:

Import-module ActiveDirectory

.

Office 365 ADFS and/or Multifactor Auth

Go to http://aka.ms/exopspreview. It will open and create a PowerShell session specifically to assist with establishing a session with Office 365. Then run the following:

Connect-EXOPSSession -UserPrincipalName YourEmail@contoso.com -PSSessionOption

If using a Proxy:

Connect-EXOPSSession -UserPrincipalName YourUserNamea@contoso.com -PSSessionOption (New-PSSessionOption -ProxyAccessType IE)

Import the AD Module:

I always import the Active Directory module so I can run AD tools. Of course, you will need AD permissions to modify, but anyone can read properties:

Import-module ActiveDirectory

.

Exchange OnPrem

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://Exchange02.contoso.local/PowerShell/ -Authentication Kerberos
Import-PSSession $Session
Add-PSSnapin Microsoft.Exchange.Management.Powershell.Support

Import the AD Module:

I always import the Active Directory module so I can run AD tools. Of course, you will need AD permissions to modify, but anyone can read properties:

Import-module ActiveDirectory

.

============================================================

Summary

I hope this helps!

Published 5/11/2017

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Office 365 PowerShell Fun with Calendars

Published 9/13/2015

Prologue

Ace Fekay here again.

You might say to yourself this is some really simple stuff. Sure, it might be, for the pro. As many of you know, I’m an avid Active Directory and Exchange server engineer/architect, and an MVP in Active Directory.

Therefore with AD, Exchange, and Office 365, you will find that scripting comes into play more and more with your daily tasks.  The main reason I’m posting simple scripts is that to get the job done, I just needed an arsenal of simple quickie scripts when called upon a simple task, such as this one, dealing with mailbox permissions.

I hope this blog and my future scripts blogs, especially with Office 365, help you out.

Scope

These are a few examples of dealing with every day requests for calendar administration. Sure, you can do it from your web based, Office 365 tenant dashboard, but what fun is that?

And yes, this is simple stuff. The main reason I’m posting this, and I will be posting much more, including Office 365 scripts, is that I had to look it up. I’ve found various websites that provide how-tos, but when it comes to handling variables and piping, I’ve found there is no one place to get various examples and have found myself looking at multiple places to get this info, including my colleagues, who are extremely adept at scripting. With many place, I also see elaborate scripts that do more than what I need. They are fabulous blogs and websites, but sometimes I need the simple one-liners to perform day to day stuff.

Open PowerShell session and Login – Of course you first have to open a PowerShell session to your tenant account

Open a PowerShell window.
Run the following:
$MySession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $AceCred -Authentication Basic -AllowRedirection

This will prompt you to login using your credentials.
Then run:
import-pssession $MySession

To be able to run Start-OnlineCoexistenceSync Dirsync – on a DC

After you make any changes in your local AD, instead of waiting for the dirsync schedule to run, you can manually run a dirsync on your onprem AD to force a sync:

Command Prompt
cd “C:\Program Files\Microsoft Online Directory Sync”
Run:
.\DirSyncConfigShell.psc1

Or just run:
“C:\Program Files\Microsoft Online Directory Sync\DirSyncConfigShell.psc1”
Then run:
Start-OnlineCoexistenceSync  or invoke-dirsync

To view the dirsync log, click on the DirSync icon in task bar that opens the Synchronization Service Manager. If it’s not on the task bar, it can be found in:

“C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe”

===========================================================

General Calendar Commands

To view the rights on a calendar:

get-mailboxfolderpermission MarySmith@contoso.com:\Calendar

To add rights to a calendar for a user, JohnDoe, and providing him “Editor” access rights:

Add-MailboxFolderPermission -Identity Office.Vacation.Calendar@contoso.com:\Calendar -User JohnDoe@contoso.com -AccessRights Editor

To remove JohnDoe’s rights from a calendar:

remove-mailboxfolderpermission -Identity Office.Vacation.Calendar@contoso.com:\Calendar -User JohnDoe@contoso.com

Rule to move anything with subject, “Sent by Microsoft Exchange Server 2013” to a folder called, “Rejected Calendar Notifications”

New-InboxRule “Sent by Exchange 2013” -Mailbox MarySmith@contoso.com -MyNameInToBox $true -FlaggedForAction Any -SubjectOrBodyContainsWords “Sent by Microsoft Exchange Server 2013” -MoveToFolder “Rejected Calendar Notifications” -StopProcessingRules

New-InboxRule “SendOnBehalf Sent by Exchange 2013” -Mailbox JohnDoe -MyNameInToBox $true -FlaggedForAction Any -SubjectOrBodyContainsWords “Sent by Microsoft Exchange Server 2013” -MoveToFolder “Rejected Calendar Notifications” –StopProcessingRules

Create a shared calendar in Office 365 without creating it in our Active Directory so we don’t get charged for a license.

This is an example for creating a shared calendar called “Ace’s Cancelled Meetings” with a username of AceCancelledMeetings.

1. New-Mailbox -Name “AceCancelledMeetings” -DisplayName “Ace’s Cancelled Meetings” -Share

If required:
2.  UserPrincipalName: AceCancelledMeetings@YourDomain.onmicrosoft.com

Give permissions for Mary Smith (MarySmith) to access the calendar.
3.  Add-MailboxfolderPermission AceCancelledMeetings:\Calendar -user “MarySmith” -AccessRights editor  

Give permissions for John Doe (JohnDoe) to access the calendar.
4.  Add-MailboxfolderPermission AceCancelledMeetings:\Calendar -user “JohnDoe” -AccessRights editor  

Give permissions for John Smith (JohnSmith) to access the calendar:
5. Add-MailboxfolderPermission AceCancelledMeetings:\Calendar -user “JohnSmith” -AccessRights editor

Get permissions Examples for a calendar:

PS C:\Windows> (Get-MailboxFolderPermission JohnDoe:\Calendar) | select user

Output:

User
—-
Default
User One
User Two
User Three
User Four
User Five
User Six
User Seven
User Eight

To display the accessrights for a calendar:

PS C:\> (Get-MailboxFolderPermission JohnDoe:\Calendar) | select user,accessrights

User                AccessRights
—-                ————
Default                {AvailabilityOnly}
User One            {Reviewer}
User Two            {Reviewer}
User Three            {Reviewer}
User Four            {Reviewer}
User Five            {Reviewer}
User Six            {Editor}
User Seven            {Editor}
User Eight            {Editor}
User Nine            {Owner}

PS C:\> get-MailboxFolderPermission -Identity ConfRoom1:\Calendar

FolderName           User        AccessRights
———-           —-        ————
Calendar             Default        {AvailabilityOnly}
Calendar             Anonymous        {None}
Calendar             Ace Fekay        {Editor}
Calendar             User One        {PublishingEditor}
Calendar             User Two        {PublishingEditor}
Calendar             User Three        {PublishingEditor}
Calendar             User Four        {PublishingEditor}
Calendar             User Five        {Editor}

Office 365 Alias issues

If the user’s alias, such as “JohnDoe,” doesn’t work, run the following to find and use the identifier Microsoft assigned to the user:
get-mailbox JohnDoe@contoso.com
    For example, the above query returned:   
        JohnDoe_8672d315f2
    Therefore, I had to run the following command to add permissions for that user:
    Add-MailboxFolderPermission -Identity ConfRoom22:\Calendar -User “JohnDoe_8672d315f2” -AccessRights Reviewer

Command to Add permissions to one Calendar for multiple users (list of users) importing a list of users in a text file and piping the command:

Get-Content c:\Scripts\users.txt | foreach {Add-MailboxFolderPermission -Identity Classroom2:\calendar -User $_ -AccessRights Editor}

Content of “users.txt:”
UserOne@contoso.com
UserTwo@contoso.com
UserThree@contoso.com
UserFour@contoso.com
UserFive@contoso.com
UserSix@contoso.com
UserSeven@contoso.com
UserEight@contoso.com

If you need to change the permissions on the calendar for a set of user, use the same format except use the ‘set-calendar’ command:

Get-Content c:\Scripts\users.txt | foreach {Set-MailboxFolderPermission -Identity Classroom2:\calendar -User $_ -AccessRights Editor}

If you need to give a single user permissions to multiple calendars:

This is giving MikeSmith@contoso.com access to multiple calendars

Get-Content C:\Scripts\ListOfCalendars.txt | foreach {Add-MailboxFolderPermission -Identity $_ -User MikeSmith@contoso.com -AccessRights Editor}

Content of “ListOfCalendars.txt:”

HospitalFloor1West@contoso.com:\Calendar
HospitalFloor1East@contoso..com:\Calendar
HospitalFloor1South@contoso..com:\Calendar
HospitalFloor1North@contoso..com:\Calendar
HospitalFloor2West@contoso..com:\Calendar
HospitalFloor2East@contoso..com:\Calendar
HospitalFloor2South@contoso..com:\Calendar
HospitalFloor2North@contoso..com:\Calendar

To provide permissions to multiple calendars for a list of users.

There are two variables in this scenario.

First you must bring in the list of users into memory. In this case, the users are in filename, “ListOfUsers.txt.” Now run the following to bring the users

Pull the list into memory:
PS C:\> $users= get-content C:\Scripts\ListOfUsers.txt

If you like, you can double check and see what’s in the file you just pulled in by simply typing in the variable name and hit enter:

PS C:\> $users
UserOne@contoso.com
UserTwo@contoso.com
UserThree@contoso.com
UserFour@contoso.com
UserFive@contoso.com
UserSix@contoso.com
UserSeven@contoso.com
UserEight@contoso.com
etc

You can also run the following format to get the same info on the file:

PS C:\> $users | get-member
UserOne@contoso.com
UserTwo@contoso.com
UserThree@contoso.com
UserFour@contoso.com
UserFive@contoso.com
UserSix@contoso.com
UserSeven@contoso.com
UserEight@contoso.com
etc
 
Then you bring the list of rooms into memory, “ListOfRooms.txt”
PS C:\> $resources = get-content c:\Scripts\ListOfRooms.txt

Then to see what’s in the file, run:
PS C:\> $resources

ConfRoom1
ConfRoom2
ConfRoom3
ConfRoom4
ConfRoom5
ConfRoom6
ConfRoom7
ConfRoom8
etc

Now let’s take a look at what the calendar processsing is for one of the rooms:
    PS C:\>  Get-CalendarProcessing ConfRoom1

Identity                                                     AutomateProcessing
——–                                                     ——————
ConfRoom1                                                    AutoUpdate

To get more information about the calendar processing data for the room:
    PS C:\> Get-CalendarProcessing ConfRoom1 | fl

RunspaceId                          : <snipped>
AutomateProcessing                  : AutoUpdate
AllowConflicts                      : False
BookingWindowInDays                 : 180
MaximumDurationInMinutes            : 1440
AllowRecurringMeetings              : True
EnforceSchedulingHorizon            : True
ScheduleOnlyDuringWorkHours         : False
ConflictPercentageAllowed           : 0
MaximumConflictInstances            : 0
ForwardRequestsToDelegates          : True
DeleteAttachments                   : True
DeleteComments                      : True
RemovePrivateProperty               : True
DeleteSubject                       : True
AddOrganizerToSubject               : True
DeleteNonCalendarItems              : True
TentativePendingApproval            : True
EnableResponseDetails               : True
OrganizerInfo                       : True
ResourceDelegates                   : {}
RequestOutOfPolicy                  : {}
AllRequestOutOfPolicy               : False
BookInPolicy                        : {}
AllBookInPolicy                     : True
RequestInPolicy                     : {}
AllRequestInPolicy                  : False
AddAdditionalResponse               : False
AdditionalResponse                  :
RemoveOldMeetingMessages            : True
AddNewRequestsTentatively           : True
ProcessExternalMeetingMessages      : False
RemoveForwardedMeetingNotifications : False
MailboxOwnerId                      : ConfRoom1
Identity                            : ConfRoom1
IsValid                             : True
ObjectState                         : Changed

And now the moment you’ve been waiting for: Run the following command to set Calenar Processing settings for multiple users for multiple calendars:

PS C:\> $resources | foreach {Set-CalendarProcessing $_ -AutomateProcessing autoaccept -bookinpolicy $users}

Another example providing Editor rights to a list of calendars

This is for the IT-Rooms where we must give a list of users “Editor” permissions to a list mailbox Calendars.

List of users are in file:    c:\Scripts\ListOfUsers.txt
List of mailbox room calendars    c:\ListOfRooms.txt

=====
1. Pull the list of users into memory first:
$users= get-content c:\Scripts\ListOfUsers.txt

Run $users to see what’s in the file to be sure:
$users
or
$users | get-member

=====
2. Pull in the rooms or calendars into memory:
$resources = get-content c:\ListOfRooms.txt

If you want, run this to see what’s in that file:
$resources
or
$resources | get-member

If you want, run this to see what calendar processing is currently set on one of the rooms:
get-CalendarProcessing ConfRoom1 | fl

=====
3. Run it:

$resources | foreach {Add-MailboxFolderPermission -Identity $_:\calendar -User $Users -AccessRights Editor}

=====
Or just create a DL, and add the list of users to the DL, then run the following:

This gives the group ConfRoomSchedulers@contoso.com “Editor” access rights on the rooms listed in the file ListOfRooms.txt:

Get-Content ListOfRooms.txt | foreach {Add-MailboxFolderPermission -Identity $_ -User ConfRoomSchedulers@contoso.com -AccessRights Editor}

ListOfRooms.txt contains:
ConfRoom1@contoso.com:\calendar
ConfRoom2@contoso.com:\calendar
ConfRoom3@contoso.com:\calendar
ConfRoom4@contoso.com:\calendar
ConfRoom5@contoso.com:\calendar

Change the “Default” user on a list of calendars (rroms) or users to “None.”

Get-Content c:\Scripts\ListOfRooms.txt | foreach {Set-MailboxFolderPermission -Identity $_:\Calendar -User Default -AccessRights None}

Removing Permissions for a folder (calendar in this example)

Remove-MailboxFolderPermission -Identity <mailbox>:\Calendar –User <Mailbox-that-will-be-removed-from-Calendar-Permissions>
remove-MailboxfolderPermission ConferenceRoom1 -user “John Doe” -AccessRights editor
remove-MailboxfolderPermission ConferenceRoom1:\Calendar -user “JohnDoe”

Then confirm with:
get-MailboxFolderPermission -Identity ConferenceRoom1:\Calendar

Create a conference room. Do not allow anyone to book the room other than the people that have access rights to the room:

Set-Calendarprocessing VeryImportantConfRoom7thFloor@contoso.com -AddAdditionalResponse $true -AdditionalResponse “<p><strong><font color=red

size=4>Scheduling request denied.</strong><font></p><p><font color=blue size=4>Reason code: You are not authorized to schedule meetings or

appointments in the Very Important Conference Room 7th Floor. If you must book an entry in the room, please submit a request to either Mary Smith,

John Doe, or Robert Redford. Thank you.</p><p>Your Company’s IT Department.</font></p>”

More to come…

Comments are welcomed.

==================================================================

Summary

I hope this helps!

Published 9/13/2015

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image002622[2] clip_image004622[2] clip_image006622[2] clip_image008622[2] clip_image010622[2] clip_image012622[2]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Office 365 PowerShell Fun with Mailbox Permissions

Published 9/11/2015

Prologue

Ace Fekay here again.

You might say to yourself this is some really simple stuff. Sure, it might be, for the pro. As many of you know, I’m an avid Active Directory and Exchange server engineer/architect, and an MVP in Active Directory.

Therefore with AD, Exchange, and Office 365, you will find that scripting comes into play more and more with your daily tasks.  The main reason I’m posting simple scripts is that to get the job done, I just needed an arsenal of simple quickie scripts when called upon a simple task, such as this one, dealing with mailbox permissions.

I hope this blog and my future scripts blogs, especially with Office 365, help you out.

Scope

These are a few examples of dealing with every day requests for mailbox delegation and permissions administration. Sure, you can do it from your web based, Office 365 tenant dashboard, but what fun is that?

And yes, this is simple stuff. The main reason I’m posting this, and I will be posting much more, including Office 365 scripts, is that I had to look it up and there is no one place to get all of this at the simple level. All I see are elaborate scripts that do more than what I needed. Hence, my posts.

Open PowerShell session and Login – Of course you first have to open a PowerShell session to your tenant account

Open a PowerShell window.
Run the following:
$MySession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $AceCred -Authentication Basic -AllowRedirection

This will prompt you to login using your credentials.

Then run:
import-pssession $MySession

To be able to run Start-OnlineCoexistenceSync Dirsync – on a DC

After you make any changes in your local AD, instead of waiting for the dirsync schedule to run, you can manually run a dirsync on your onprem AD to force a sync:

Command Prompt
cd “C:\Program Files\Microsoft Online Directory Sync”
Run:
.\DirSyncConfigShell.psc1

Or just run:
“C:\Program Files\Microsoft Online Directory Sync\DirSyncConfigShell.psc1”
Then run:
Start-OnlineCoexistenceSync  or invoke-dirsync

To view the dirsync log, click on the DirSync icon in task bar that opens the Synchronization Service Manager. If it’s not on the task bar, it can be found in:

“C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe”

===========================================================

To find who has been delegated to a mailbox

Get-Mailbox JohnDoe@contoso.com | fl displayname, GrantSendOnBehalfTo

To see the whole list of delegated users:

PS C:\Windows> Get-Mailbox JohnDoe@contosl.com | select -expandproperty GrantSendOnBehalfTo
Output:
user1
user2
user3
user4
user5
user6

Or you can run this, too:

PS C:\Windows> (Get-Mailbox JohnDoe@contoso.com|).grantsendonbehalfto
Output:
user1
user2
user3
user4
user5
user6

 

Remove Mike Smith as a delegate – example:

First find the permission:

This will give you a summary list:
get-mailboxpermission –identity Dept1-Shared-Mailbox | ft

This will give you a full list:
Get-MailboxPermission -identity Dept1-Shared-Mailbox | fl

Then remove it:

Remove-mailboxpermission -identity Dept1-Shared-Mailbox -user NAMPRD999\Mike.Smith8047888747747123 -AccessRights FullAccess -Inheritance All

Remove-mailboxpermission -identity Dept1-Shared-Mailbox -user NAMPRD999\Mike.Smith8047888747747123 -AccessRights SendAs -Inheritance All

To find who has FullAccess Permissions on a Mailbox

There are two ways the results can be displayed:

  • FT – Format Table – One big summarized list
  • FL – Format List – in sections with detail

using FT

get-mailboxpermission JohnDoe@contoso.com | ft

Output example:

Identity                   User                 AccessRights        IsInherited Deny
——–                    —-                      ————        ———– —-
JohnDoe               NT AUTHORITY\SELF    {FullAccess, Rea… False       False
JohnDoe               S-1-5-21-24478488… {FullAccess}        False       False
JohnDoe               NAMPRD05\jar02546… {FullAccess}        False       False
JohnDoe               NAMPRD05\FullAcce… {FullAccess}        False       False
JohnDoe               NAMPRD05\Administ… {FullAccess}        True        True
JohnDoe               NAMPRD05\Domain A… {FullAccess}        True        True
JohnDoe               NAMPRD05\Enterpri… {FullAccess}        True        True
JohnDoe               NAMPRD05\Organiza… {FullAccess}        True        True
JohnDoe               NT AUTHORITY\SYSTEM  {FullAccess}        True        False
JohnDoe               NT AUTHORITY\NETW… {ReadPermission}    True        False
JohnDoe               PRDMGT01\View-Onl… {ReadPermission}    True        False
JohnDoe               NAMPRD05\Administ… {FullAccess, Del… True        False
JohnDoe               NAMPRD05\Domain A… {FullAccess, Del… True        False
JohnDoe               NAMPRD05\Enterpri… {FullAccess, Del… True        False
JohnDoe               NAMPRD05\Organiza… {FullAccess, Del… True        False
JohnDoe               NAMPRD05\Public F… {ReadPermission}    True        False
JohnDoe               NAMPRD05\Exchange… {FullAccess, Rea… True        False
JohnDoe               NAMPRD05\Exchange… {FullAccess, Del… True        False
JohnDoe               NAMPRD05\Managed … {ReadPermission}    True        False

using FL

get-mailboxpermission JohnDoe@contoso.com | fl

Output Example:

RunspaceId      : aaa56ea5-574b-45dc-8489-d85a2013bc58
AccessRights    : {FullAccess, ReadPermission}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\SELF
Identity        : JohnDoe
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : aaa56ea5-574b-45dc-8489-d85a2013bc58
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : S-1-5-21-2447848828-1310731447-1641304557-6207581
Identity        : JohnDoe
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : aaa56ea5-574b-45dc-8489-d85a2013bc58
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : NAMPRD05\jar02546711232540629
Identity        : JohnDoe
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : aaa56ea5-574b-45dc-8489-d85a2013bc58
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : NAMPRD05\FullAccessAdmin
Identity        : JohnDoe
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : aaa56ea5-574b-45dc-8489-d85a2013bc58
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : NAMPRD05\Administrator
Identity        : JohnDoe
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

etc

Other tidbits:

===========================

To display FullAccess on a Mailbox

Get-MailboxPermission JohnDoe | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like “NT AUTHORITY\SELF”) } | Select Identity,user,AccessRights | fl

===========================

This will display SendOnBehalf:

Get-RecipientPermission JohnDoe | Where { ($_.IsInherited -eq $False) -and -not ($_.Trustee -like “NT AUTHORITY\SELF”) } | Select Trustee,AccessControlType,AccessRights | fl

 

===========================

View SendAs:

Get-RecipientPermission JohnDoe | where {($_.Trustee -ne ‘nt authority\self’) -and ($_.Trustee -ne ‘Null sid’)} | select Identity,Trustee,AccessRights | fl

==========================

View all “Send As permissions” you’ve configured in your organization

Careful running this on a really large tenant or you will tie up the bandwidth and get throttled.

Get-RecipientPermission | where {($_.Trustee -ne ‘nt authority\self’) -and ($_.Trustee -ne ‘Null sid’)} | select Identity,Trustee,AccessRights

============================

Display a list of recipient’s that have FULL ACCESS permission on other recipient’s

Get-RecipientPermission JohnDoe | Where { ($_.IsInherited -eq $False) -and -not ($_.Trustee -like “NT AUTHORITY\SELF”) } | Select Trustee,AccessControlType,AccessRights | fl

============================

Display a list of recipient’s that have FULL ACCESS permission on other recipient’s

$a = Get-Mailbox $a |Get-MailboxPermission | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like “NT AUTHORITY\SELF”) -and -not ($_.User -like ‘*Discovery Management*’) } | Select Identity, user, AccessRights | fl

=============================

Revoke “Send As” Permissions

Remove-RecipientPermission <Identity>  -AccessRights SendAs -Trustee <Identity>
Remove-RecipientPermission John   -AccessRights SendAs -Trustee Suzan

Adjustments & Improvements – To avoid the need for confirmation, we can add the option: “-Confirm:$False”
Remove-RecipientPermission John -AccessRights SendAs -Trustee Suzan -Confirm:$False

 

More to come…

 

 

Comments are welcomed.

==================================================================

Summary

I hope this helps!

Published 8/17/2015

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image002622 clip_image004622 clip_image006622 clip_image008622 clip_image010622 clip_image012622 clip_image014622

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Reanimate an Exchange Server Deleted From the Exchange Organization in the Configuration Container in Active Directory

By Ace Fekay
MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer & Janitor

Background:

Hey everyone, Ace here again. Here’s an interesting issue I came across when an administrator, while using ADSI Edit, deleted one of their Exchange 2010 servers from the Exchange Organization in AD’s Configuration Container. Of course, it was not intentional, so I didn’t even ask why or how, but I was told that they were working on something else in ADSI Edit, and the administrator unintentionally deleted the Exchange server object. And as we all know, there is no “Undelete” button in ADSI Edit.

Before I went about trying to perform an Authoritative Restore with AD, I figured I would try to use the AD Recycle Bin to recover the object. However, I knew it wouldn’t be there, because it was never deleted from ADUC Computer Container, rather it was deleted from the Exchange Organization. But I did it just to show how to do it, and to illustrate the differences in the object’s locations and significance.

What I did was is re-animated the deleted server using ADSI Edit. I used a lab machine to test it before attempted to try it on their production system.

 

Before I performed a test delete in my lab

Here are the three Exchange Servers, Van-EX1, Van-EX2, and Van-EX3, showing in the ADUC’s Computers Container:

 

Here’s VAN-EX3 in ADSI Edit and its attributes. This is what it’s supposed to look like.

 

Looking further into the server object attributes in ADUC Advanced View, Attribute Editor, it shows the server’s ObjectSID:

 

Delete VAN-EX3

Here’s where I deleted VAN-EX3 in ADSI Edit:

 

The delete warning message:

 

And the second delete warning message. Apparently ADSI Edit, the tool that doesn’t have an Undelete” button, wants to make sure that you want to delete it. I think it’s good that it asks twice:

 

VAN-EX3 has now been deleted from the Exchange Organization section in the Configuration Container:

 

However, as you an see in ADUC, it still shows VAN-EX3. That’s because we didn’t delete it from AD, rather it was deleted from the Configuration Container.

 

As you can see here, Exchange’s services still show that they’re still running.

 

Trying to find the deleted object in the Recycle Bin using LDP

Here’s where I looked for the Exchange object in the Recycle Bin using LDP. However, since the Exchange computer object still exists in AD, rather it was deleted from the Organization. I knew it won’t be in the Recycle Bin, because it wasn’t really deleted from AD.

These steps were more to show everyone the differences between a deleted computer object, that would show up here, and an Exchange server deleted from the Organization.

 

Click Connection, then Bind:

 

We’re binding using default values, meaning it will use the currently logged on domain administrator account.

 

In LDP, click Options, then Controls:

 

In the Load Predefined drop-down box, I chose to “Return Deleted Objects:”

 

As you can see, Return Deleted Objects chosen in the drop-down box:

Under Tree View, for the base DN, I typed in cn=deleted objects,dc=adatum,dc-com. As you can see, nothing showed up. So VAN-EX3 is not in the Recycle Bin.

 

Recreating VAN-EX3 in the Exchange Organization in the Configuration Container

I drilled down into the Exchange Organization in the Configuration Container, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Servers. Then I right-clicked CN=Servers, New, Object.

By the way, not to get off topic, but if you’re wondering how the Exchange team came up with that Administrative Group name, “(FYDIBOHF23SPDLT),” click here.

 

Once the server object has been created, now we need to create the necessary Exchange server object containers under the server object we created. What helps is that the attributes are still in AD:

 

For “Select a Class” dialog box, scroll down and select msExchServersContainer

 

For the Value field, type in VAN-EX3:

 

Click Finish:

 

Now we must create the Exchange Information Store container. Right-click, New, choose Object:

 

In the Select a Class dialog box, choose msExchInformationStore:

 

Type “Information Store” in the Value field:

 

Click Finish:

 

The values appear correct so far. If you double-click on the CN=Information Store object, scroll down, you can see the DN value is correct (sorry, I didn’t screenshot that part):

 

Now let’s create the MTA. Same deal as above, in the Select a Class dialog box, right-click, New, scroll down and choose mTA:

 

Type in Microsoft MTA:

 

To get the time out and other values it’s asking, I opened another instance of ADSI Edit, and looked at the values for one of the other existing Exchange Servers:

 

The transRetryMins value of 5 that I populated, which I found from the other Exchange server:

 

The last attribute, which of course is the server’s name:

 

Now we must create the Microsoft System Attendant object for VAN-EX3 by right-clicking Van-Ex3, new, choose Object, and in the Select a Class dialog box, scroll down and select exchangeAdminService:

 

For the CN value, type in Microsoft System Attendant:

 

Scroll down in the Attribute Editor to deliveryMechanism, set it to 0 (zero):

 

Click Finish:

 

Now test logging on with a mailbox that exists in VAN-EX3, and try to send and receive an email. You should find that it works perfectly.

 

Point of the story: Be careful what you do in ADSI Edit.

Suggestions, Comments, Corrections are welcomed.

Ace Fekay