Archive for Server Management

Clone distribution group attributes

I was asked to create a distribution group, and then add all of the moderation settings, and message accept settings for the group.   I wanted to find an easy way to do this without having to use the GUI and add every single member, moderator, etc.

To do this, you create the distribution list the same way you would create one if you did not want to copy the values.  Once that distribution list has been created, you can do a few tricks to copy the values from the old DL to the new DL.

To start, you need to load the old DL into a PowerShell variable.  You can do this by typing in the following command.

$olddl = get-distributiongroup olddl

This assigns the attributes for the distribution group olddl to the variable $olddl.  You can just type $olddl in the PowerShell window and it will return the same results as the get-distributiongroup command would.

Now comes the trick.  Let's say there are a couple of attributes you want to copy from the olddl to the newdl.  For this example, let's say I want to copy ModeratedBy, BypassModerationFromSendersOrMembers, and AcceptMessagesOnlyFromSendersOrMembers.   You can type in the following command to do that.

set-distributiongroup newdl -ModeratedBy $olddl.ModeratedBy -ByPassModerationFromSendersOrMembers $olddl.ByPassModerationFromSendersOrMembers -AcceptmessagesOnlyFromSendersOrMembers $olddl.AcceptMessagesOnlyFromSendersOrMembers

If you then run get-distributiongroup newdl | fl, you will notice that the newdl now has the same values, in those three attributes, as the olddl.

You can do this with almost any of the attributes in the olddl.  This makes it really easy to clone a distribution list.
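
The same copy generalised to a list of attribute names, as an added example (not the author's script): it builds the Set-DistributionGroup arguments from the old group, applies them, then reads the new group back so you can confirm the moderation and sender restrictions really match. The parameter names ($SourceGroup, $TargetGroup, $Attributes), the Format-Value helper and the report layout are assumptions; run it in the Exchange Management Shell.

```powershell
# Added example, not from the original post. Parameter names are illustrative.
param(
    [Parameter(Mandatory=$true)][string]$SourceGroup,
    [Parameter(Mandatory=$true)][string]$TargetGroup,
    [string[]]$Attributes = @('ModeratedBy',
                              'BypassModerationFromSendersOrMembers',
                              'AcceptMessagesOnlyFromSendersOrMembers')
)

# Render a (possibly multi-valued) attribute as one sorted string for comparison.
function Format-Value($value) {
    (@($value) | Where-Object { $_ -ne $null } |
        ForEach-Object { "$_" } | Sort-Object) -join '; '
}

$old = Get-DistributionGroup -Identity $SourceGroup -ErrorAction Stop

# Build the Set-DistributionGroup arguments from the source group's values.
$settings = @{}
foreach ($name in $Attributes) {
    $property = $old.PSObject.Properties[$name]
    if ($property -eq $null) { throw "'$name' is not a property of $SourceGroup" }
    $settings[$name] = $property.Value
}

# Splat the collected values; add -WhatIf to this line for a dry run.
Set-DistributionGroup -Identity $TargetGroup @settings -ErrorAction Stop

# Read the target back and report, per attribute, whether it now matches.
$new = Get-DistributionGroup -Identity $TargetGroup -ErrorAction Stop
foreach ($name in $Attributes) {
    $source = Format-Value $old.PSObject.Properties[$name].Value
    $target = Format-Value $new.PSObject.Properties[$name].Value
    New-Object PSObject -Property @{
        Attribute = $name
        Source    = $source
        Target    = $target
        Match     = ($source -eq $target)
    }
}
```

Any row with Match set to False means the new list is not yet restricted or moderated the same way as the old one.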

new-mailboxexportrequest fails – TimeoutErrorTransientException

Sometimes when you do a new-mailboxexportrequest you receive the following error:
The call to 'net.tcp://prexchu01/Microsoft.Exchange.MailboxReplicationService PREXCHU01.******** (14.2.247.1 caps:0 7)' timed out.

Error details: This request operation sent to net.tcp://prexchu01/Microsoft.Exchange.MailboxReplicationService
did not receive a reply within the configured timeout (00:01:00). The time allotted to this operation may have been a portion of a longer timeout. This may be because the service is still processing the operation or because the service was unable to send a reply message. Please consider increasing the operation timeout (by casting the channel/proxy to IContextChannel and setting the OperationTimeout property) and ensure that the service is able to connect to the client.

+ CategoryInfo : NotSpecified: (0:Int32) [New-MailboxExportRequest], TimeoutErrorTransientException

+ FullyQualifiedErrorId : C857038,Microsoft.Exchange.Management.RecipientTasks.NewMailboxExportRequest

I have found that it is because the CAS server is located behind a hardware load balancer. We are using a BIGIP load balancer for all our CAS/HUB functions. If you do a get-mailboxdatabase on the database of the mailbox you are trying to move, you will probably see that the RpcClientAccessServer is set to point to the VIP of the CAS pool instead of the actual CAS server.

I have found two ways to fix this. The first (not recommended) is to do a set-mailboxdatabase and set the RpcClientAccessServer to the UNC for the CAS server you are going to use for the export request. Make sure you change it back after you make the change.

The second way, and the way I recommend, is to modify the HOSTS record on the CAS server so that the UNC found in the RpcClientAccessServer points to the IP address of that CAS server. This is a suggestion that Microsoft gives on their site (KB2675690).

Also, make sure that you have set up the file share you are creating the PST file on correctly by following the new-mailboxexportrequest instructions.

The FilePath parameter specifies the network share path of the .pst file to which data is exported, for example, \\SERVER01\PST Files\exported.pst.

You need to grant read/write permission to the group Exchange Trusted Subsystem to the network share where you’ll export or import mailboxes. If you don’t grant this permission, you’ll receive an error message stating that Exchange is unable to establish a connection to the target mailbox.

Also, make sure you use the -MRSServer switch so that it is using the CAS server that you modified the HOSTS file on.

Then make sure you remove or comment out the entry in the HOSTS file after the new-mailboxexportrequest finishes.
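
A check for the HOSTS workaround above, as an added example (not part of the original post): run on the CAS server, it reports the name the mailbox's database publishes as RpcClientAccessServer, whether that name currently resolves to this server, and which active HOSTS lines mention it. The $Mailbox parameter and the output property names are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on the CAS server whose HOSTS file was edited.
param([Parameter(Mandatory=$true)][string]$Mailbox)

# Name published for the Client Access role on this mailbox's database.
$dbId     = (Get-Mailbox -Identity $Mailbox -ErrorAction Stop).Database
$database = Get-MailboxDatabase -Identity $dbId -ErrorAction Stop
$rpcName  = [string]$database.RpcClientAccessServer
$short    = ($rpcName -split '\.')[0]

# Active (non-comment) HOSTS lines that map the RpcClientAccessServer name.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$overrides = @(Get-Content $hostsPath | ForEach-Object {
    $line = ($_ -replace '#.*$', '').Trim()
    if ($line) {
        $names = @(($line -split '\s+') | Select-Object -Skip 1)
        if ($names -contains $rpcName -or $names -contains $short) { $line }
    }
})

# Compare what the name resolves to with this server's own addresses.
$resolved = @([System.Net.Dns]::GetHostAddresses($rpcName) |
    ForEach-Object { $_.ToString() })
$local    = @([System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    ForEach-Object { $_.ToString() })
$pointsHere = @($resolved | Where-Object { $local -contains $_ }).Count -gt 0

New-Object PSObject -Property @{
    RpcClientAccessServer = $rpcName
    ResolvesTo            = $resolved -join ', '
    PointsToThisServer    = $pointsHere
    ActiveHostsEntries    = $overrides -join ' | '
}
```

Before the export, PointsToThisServer should be True with one active entry listed; after the export, ActiveHostsEntries should be empty, which confirms the override is no longer steering Client Access traffic on that server away from the load-balanced VIP.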

Mailbox Permissions

We have a lot of shared mailboxes, that is, mailboxes that are set up as -type shared. A shared mailbox is basically a mailbox whose AD account has been disabled and that people access with their own username and password. One of my tasks as an Exchange Admin is to grant people rights to these mailboxes and to remove them. To help me with this process, I have created a permissions.ps1 script that I use. The syntax is .\permission.ps1 shared_mailbox_name user_name

param($mailboxname,$user)

$mailbox = get-mailbox $mailboxname

#Give user full mailbox rights
Add-MailboxPermission -Identity $mailbox -User $user -AccessRights 'FullAccess'

#Give user send-as rights to mailbox
#(DistinguishedName identifies the AD object unambiguously; a display name may not be unique)
Add-ADPermission -Identity $mailbox.DistinguishedName -User $user -ExtendedRights 'Send-as'

NOTE: If you give a person Full Mailbox rights to a mailbox and they are running Outlook 2010, Outlook will automatically add that mailbox to their profile. If you are using SP2 of Exchange 2010, you can block this by adding a parameter to the add-mailboxpermission cmdlet: add -AutoMapping $false to the command.

The Automapping parameter specifies whether to ignore the auto-mapping feature in Outlook. If a user is granted Full Access permissions to another user’s mailbox or to a shared mailbox, Outlook, through Autodiscover, automatically loads all mailboxes to which the user has full access. This parameter accepts $true or $false values. For more information about auto-mapping, [Source]

You can find more details here.

I also sometimes use the following script to remove permissions from the shared mailbox.

param($mailboxname,$user)

$mailbox = get-mailbox $mailboxname

#Remove user's full mailbox rights
Remove-MailboxPermission -Identity $mailbox -User $user -AccessRights 'FullAccess'

#Remove user's send-as rights to mailbox
Remove-ADPermission -Identity $mailbox.DistinguishedName -User $user -ExtendedRights 'Send-as'
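
To confirm what the two scripts above changed, the following added example (not the author's code) lists the explicit FullAccess and Send-As grants on a mailbox. The two rights are stored in different places, so it queries both Get-MailboxPermission and Get-ADPermission; the $MailboxName parameter and the output column names are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
param([Parameter(Mandatory=$true)][string]$MailboxName)

$mailbox = Get-Mailbox -Identity $MailboxName -ErrorAction Stop
$dn      = $mailbox.DistinguishedName

# FullAccess is stored in the mailbox security descriptor.
$fullAccess = Get-MailboxPermission -Identity $dn |
    Where-Object { ($_.AccessRights -like 'FullAccess') -and
                   -not $_.IsInherited -and -not $_.Deny -and
                   $_.User -notlike 'NT AUTHORITY\SELF' } |
    ForEach-Object {
        New-Object PSObject -Property @{ User = "$($_.User)"; Right = 'FullAccess' }
    }

# Send-As is an extended right on the mailbox's Active Directory object.
$sendAs = Get-ADPermission -Identity $dn |
    Where-Object { ($_.ExtendedRights -like 'Send-As') -and
                   -not $_.IsInherited -and -not $_.Deny -and
                   $_.User -notlike 'NT AUTHORITY\SELF' } |
    ForEach-Object {
        New-Object PSObject -Property @{ User = "$($_.User)"; Right = 'Send-As' }
    }

# One row per user showing which of the two rights they hold explicitly.
@($fullAccess) + @($sendAs) | Group-Object User | ForEach-Object {
    $rights = @($_.Group | ForEach-Object { $_.Right })
    New-Object PSObject -Property @{
        Mailbox    = $mailbox.Name
        User       = $_.Name
        FullAccess = ($rights -contains 'FullAccess')
        SendAs     = ($rights -contains 'Send-As')
    }
} | Sort-Object User
```

A user who shows FullAccess without SendAs (or the reverse) after a removal is the case where one of the two commands did not take effect.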

Script – Check Message Queue

note: following the transfer of this domain to the new owners, per user requests this article was recovered from the internet archive wayback machine, but may not be complete.

Here is a simple script I wrote that checks the message queue and then sends an email if the message queue goes over a specified limit.

Exchange – Cannot remove ACE on object … because it is not present.

note: following the transfer of this domain to the new owners, per user requests this article was recovered from the internet archive wayback machine, but may not be complete.

I have run into a problem while doing some routine maintenance on some shared mailboxes for the company I work for.   During the maintenance process, we audit the list of users that have full mailbox rights to any shared mailbox.  In the process, I was trying to remove full permissions from several user accounts.  Here is what the Manage Full Access Permission screen looked like.