Archive for Mailbox Management

Restore Mailbox after Mailbox Clean has removed Disconnected Mailbox

We have recently had an issue where we needed to bring back a mailbox and export it to .PST after the Exchange mailbox cleanup agent deleted the disconnected mailbox.

First we had to bring the files back from tape.  We used CommVault, and did a Restore to Non-Exchange Location <Out of Place, No Recover> – The database will be restored to the specified location and the logs will not be replayed.

We now have the files restored on a different drive than the original mailbox database was on,  all we need to do now is create a new Recover Database, and then point it to the files that were restored.

Once the files are there, you will need to bring them into a state that allows for you to mount them.  There are a couple of ways to do this.  Instead of giving the details here, you can go to this BLOG for details: http://www.mikepfeiffer.net/2010/04/getting-an-exchange-database-into-a-clean-shutdown-state-using-eseutil/

In this case, I was getting a JET error Operation terminated with error -1216 (JET_errAttachedDatabaseMismatch, An outst anding database attachment has been detected at the start or end of recovery, bu t database is missing or does not match attachment info) after 16.661 seconds.

Because I am only worried about creating a .PST file of a old mailbox, and do not wish to restore any other data, I did the Hard Recovery.  If I were restoring this database to be moved back into production, I would trouble shoot the error first.  I am only using the hard recovery option because this database is not going back into a production environment, and the loss of the log files is an acceptable risk.  NOTE: This process could take a long time.  The mailbox database I ran the command on was 103 GB in size, and it took 2395.255 seconds to run the command.

Once you can run the eseutil -mh on the database and have it return a Clean Shutdown state, then you are ready to create your recovery database, mount it, and then export the mailbox you are looking for.

To create the mailbox database, you need to use the new-mailboxdatabase command with the -recover switch.  Here is the command I used because the .edb file and log files were restored to s:\restore\ location.

new-mailboxdatabase -Recover -Name RDB1 – Server prexmb01 -EdbFilePath s:\restore\ex10-ms03.edb -LogFolderPath s:\restore\logfiles

You will also need to create a recovery mailbox, it cannot be in the recovery database.  I have a TempDB database that I use for things like this an legal discovery if needed.  I just created a recovery mailbox for that user.  It will be needed in the next step when you use the new-mailboxrestorerequest command.

You can find more details by going to Microsoft’s site.  I will use the commands I used in below.

First, you need to get the MailboxGuild.  I used the following command.

Get-MailboxStatistics -Database RDB1 | Where { $_.DisplayName -eq “USERNAME” } | Format-List LegacyDN, DisplayName, MailboxGUID, DisconnectReason

You need the following info from the display:

MailboxGuid      : f5b9e238-1095-4a96-be24-1ab89e939506

Then you can use the new-mailboxrestorerequest to get the email from the recovery database and import it into the temp database.

New-MailboxRestoreRequest -SourceDatabase “RDB1″ -SourceStoreMailbox f5b9e238-1095-4a96-be24-1ab89e939506 -TargetMailbox recovermailbox -AllowLegacyDNMismatch

Notice that I added the -AllowLegacyDNMismatch so that you don’t have to have the new mailbox you are restoring to have the same LegacyExchangeDN or X500 proxy address as the mailbox you are recovering.

You can check on the progress of the restore by using the Get-mailboxrestorerequest command.   It should go from a status of Queued, to InProgress, and then to Completed.

At this point, you can then use the new-exportmailboxrequest to create a .PST file.  You can find more details on this command in a previous blog post that I did.

To export the mailbox, you then use the new-mailboxexportrequest command.  I used the following command:

New-MailboxexportRequest -Mailbox USERNAME -FilePath “\\mkiefferex\exld$\USERNAME_10-30-2010_1505.pst” -MRSServer prexchu01

You can check on the status of the export request by using the get-mailboxexportrequest.  The status should change from Queued to InProgress then to Completed.

Once it has completed, you can then copy the .PST to a file share, CD or DVD to give to the user that requested the mailbox restore.  NOTE:  I LEARNED THIS THE HARD WAY.  If you try to copy the file and it says the file is still in use, DO NOT terminate or close the connection that is accessing the file.  If you go and look at open files on the computer the .PST file was copied to, you will see the file is open by the client access computers admin user.  If you close the connection, it WILL damage the .PST file and you will not be able to use it.

Clean-Up – Don’t leave stuff that is unneeded in your Exchange Org.

When you are done, make sure you do the following.

  1. Delete the Recovery Mailbox Database.
  2. Delete the files that were used for the restore and the Recovery Mailbox Database.
  3. Delete the user you recovered the email to.

Clone distribution group attributes

I was asked to create a distribution group, and then add all of the moderation settings, and message accept settings for the group.   I wanted to find an easy way to do this without having to use the GUI and add every single member, moderator, etc.

To do this, you create the distribution list the same way you would create one if you did not want to copy the values.  Once that distribution list has been created, you can do a few tricks to copy the values from the old DL to the new DL.

To start, you need to load the old DL into a powershell variable.  You can do this by typing in the following command.

$olddl = get-distributiongroup olddl

This assigns the attributes for the distribution group olddl to the variable $olddl.  You can just type $olddl in the powershell window and it will return the same results as the get-distributiongroup command would.

Now comes the trick.  Lets say there are a couple of attributes you want to copy from the olddl to the newdl.  For this example, lets say I want to copy ModeratedBy, BypassModerationFromSendersOrMembers, and AcceptMessagesOnlyFromSendersOrMembers.   You can type in the following command to do that.

set-distributiongroup newdl -ModeratedBy $olddl.ModeratedBy -ByPassModerationFromSendersOrMembers $olddl.ByPassModerationFromSendersOrMembers -AcceptmessagesOnlyFromSendersOrMembers $olddl.AcceptMessagesOnlyFromSendersOrMembers

If you then get-distributiongroup newdl | fl, you will notice that the newdl now has the same values, in those three attributes, as the olddl.

You can do this with almost any of the attributes in the olddl.  This makes it really easy to clone a distribution list.

Mailbox Permissions

We have a lot of shared mailboxes. Mailboxes that are setup as -type shared. It basically is a mailbox that the AD account has been disabled on, that people use their own username and password to access. One of my tasks as and Exchange Admin is to give people and remove peoples rights from these mailboxes. To help me with this process, I have created a permissions.ps1 script that I use. The syntax is .\permission.ps1 shared_mailbox_name user_name

 param($mailboxname,$user) $mailbox = get-mailbox $mailboxname

#Give user full mailbox rights 
Add-MailboxPermission -Identity $mailbox -User $user -AccessRights 'FullAccess'

#Give user send-as rights to mailbox 
Add-ADPermission -Identity $mailbox.DisplayName -User $user -ExtendedRights 'Send-as'

NOTE: If you give a person Full Mailbox rights to a mailbox, if they are running Outlook 2010, then it will automatically add that new mailbox as a mailbox to their Outlook. If you are using SP2 of Exchange 2010, you can add a parameter to the add-mailboxpermission cmdlet that will block this from happening. You can add the -AutoMapping $false to the command.

The Automapping parameter specifies whether to ignore the auto-mapping feature in Outlook. If a user is granted Full Access permissions to another user’s mailbox or to a shared mailbox, Outlook, through Autodiscover, automatically loads all mailboxes to which the user has full access. This parameter accepts $true or $false values. For more information about auto-mapping, [Source]

You can find more details here.

I also sometimes use the following script to remove permissions from the shared mailbox.

param($mailboxname,$user)

$mailbox = get-mailbox $mailboxname

#Give user full mailbox rights 
Remove-MailboxPermission -Identity $mailbox -User $user -AccessRights 'FullAccess'

#Give user send-as rights to mailbox 
Remove-ADPermission -Identity $mailbox.DistinguishedName -User $user -ExtendedRights 'Send-as' 

List Members of a Dynamic Distribution List

This post was inspired by a post found on http://www.howexchangeworks.com/2009/10/task-listing-members-of-exchange-2007.html

But I have modified the commands some to get a better listing.

$group = Get-DynamicDistributionGroup –identity “AllStaff”

Get-Recipient –RecipientPreviewFilter $group.RecipientFilter | sort name | select name > d:\_temp\dlist_members.txt

These changes will give you an alphabetical list of members, with names only in the list.   I find this easier for managers to use to verify list membership.

The list we have uses the PO filed to filter it.  So we then just have to go to the user account and add specific text in the PO filed to add or remove them from the distribution list.

Script – Mailbox Audit

This is a script I wrote that will look for specific email accounts in an OU, and then send an email to all the people who have access to those email accounts.

#$ErrorActionPreference = "SilentlyContinue"
 $smtpServer = "[REMOVED]"
 $smtp = new-object Net.Mail.SmtpClient($smtpServer)
 $emailFrom = "mkieffer@[REMOVED]"

$a = get-user -OrganizationalUnit "[REMOVED]/Corp/Email Accounts" | where {$_.DistinguishedName -notlike '*OU=Contacts,OU=Email Accounts,OU=[REMOVED]' -and $_.DistinguishedName -notlike '*OU=Resources,OU=Email Accounts,OU=[REMOVED]'} | sort name

foreach ($item in $a) {

$mailboxName = $item.name
 $mailboxAddress = $item.WindowsEmailAddress
 $body = "We are in the process of auditing access rights to shared mailboxes. According to our audit, you have access to the mailbox ""$mailboxName"".

"
 $smtpAddresses = get-mailbox $mailboxName | select -expand EmailAddresses | %{$_.SmtpAddress}
 $body += "This mailbox has the following email addresses:
 $smtpAddresses

Primary Contact: [None Specified]

"
 $body += "The Following employees have full access to this mailbox:`r`n"
 $subject = ""
 $emailTo = "mkieffer@[REMOVED]"
 $subject = "Audit of mailbox $mailboxName ($mailboxAddress)"
 echo "$mailboxName ($mailboxAddress)"
 $b = get-mailboxpermission $item.Name | where {$_.AccessRights -like "*FullAccess*"}
 $newEmailTo = ""
 $emailcounter = 0
 foreach ($item2 in $b) {
 [String]$name = $item2.User
 $c = get-mailbox $name
 if ($c.OrganizationalUnit -eq "[REMOVED]/Corp/Users/Employees" -and $c.name -ne "Mike Kieffer" ) {
 [String]$email = $c.WindowsEmailAddress
 [String]$fname = $c.DisplayName
 echo "--> $fname ($email)"
 $body += $fname
 $body += [char]13
 if ($emailcounter -gt 0) {$newEmailTo += ", "}
 $newEmailTo += $email
 $emailcounter = $emailcounter + 1
 }
 }
 $body += "`r`nPlease reply to this email with the following information:
 1- If this mailbox is still needed or if this mailbox can be deleted.
 2- Who is the primary contact for this mailbox.
 3- Who needs to be added or removed from accessing this mailbox.
 4- If any of the email addresses associated with this mailbox are no longer used, and can be removed.
 5- Is the name of ""$mailboxName"" still approrpiate for this mailbox.

Thanks,
 Mike Kieffer
 IT Sr. Systems Administrator
 "
 echo $subject
 echo $body
 echo $newEmailTo
 $smtp.Send($emailFrom, $newEmailTo, $subject, $body)
 }

Of course, you will need to modify the script to work in your environment, but this is a good starting point.  Suggestions are welcomed on how to increase the usability of this script and also the effectiveness of it.

If you are unable to delete some of the users from the mailboxes during the audit, you may find this post helpful: Cannot remove ACE on object…

Exchange – Cannot remove ACE on object … because it is not present.

note: following the transfer of this domain to the new owners, per user requests this article was recovered from the internet archive wayback machine, but may not be complete.

I have run into a problem while doing some routine maintenance on some shared mailboxes for the company I work for.   During the maintenance process, we audit the list of users that have full mailbox rights to any shared mailbox.  In the process, I was trying to remove full permissions from several user accounts.  Here is what the Manage Full Access Permission screen looked like. Read more