Tuesday, October 29, 2013

Remove SendOnBehalfOf Permission From All Mailboxes

Today a client was looking for a method to remove a specific user from the SendOnBehalfOf permission of all mailboxes. The following script performs the task:
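# Substitute the name of the user to remove for XXXX
$ToRemove=(Get-Mailbox XXXX).DistinguishedName

$mailboxes=Get-Mailbox -ResultSize unlimited
Foreach ($m in $mailboxes) {
    # Rebuild the list without the user being removed
    # (assumes each entry exposes DistinguishedName, as in the on-premises Exchange Management Shell)
    $new=$m.GrantSendOnBehalfTo | Where-Object {$_.DistinguishedName -ne $ToRemove}
    Set-Mailbox $m -GrantSendOnBehalfTo $new
}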
There are probably more efficient ways to do this, but this script gets the job done. The only reason it's awkward is because GrantSendOnBehalfTo is a list that needs to be modified. 
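A more targeted way to do the same removal, as an added example that is not part of the original post: it uses a server-side filter to find only the mailboxes that list the user, saves their current delegate lists to a CSV, and previews each change with -WhatIf. XXXX and the CSV file name are placeholders; run it in the Exchange Management Shell.

```powershell
# Added example. XXXX and the report file name are placeholders.
$delegate = Get-Mailbox XXXX
$dn = $delegate.DistinguishedName

# Single quotes inside the DN (e.g. O'Brien) must be doubled in an OPATH filter string.
$dnForFilter = $dn.Replace("'", "''")

# Server-side filter: return only mailboxes whose GrantSendOnBehalfTo list contains the user.
$affected = @(Get-Mailbox -ResultSize Unlimited -Filter "GrantSendOnBehalfTo -eq '$dnForFilter'")
Write-Host "$($affected.Count) mailbox(es) list $($delegate.Name) in GrantSendOnBehalfTo"

# Keep a record of the delegate lists as they were before the change.
$affected |
    Select-Object Name, PrimarySmtpAddress,
        @{Name = 'GrantSendOnBehalfTo'
          Expression = { ($_.GrantSendOnBehalfTo | ForEach-Object { "$_" }) -join ';' }} |
    Export-Csv -Path .\SendOnBehalf-before.csv -NoTypeInformation

# Remove only this user from each list; the other delegates are left untouched.
# -WhatIf previews the change. Delete -WhatIf to apply it.
foreach ($m in $affected) {
    Set-Mailbox -Identity $m.DistinguishedName -GrantSendOnBehalfTo @{Remove = $dn} -WhatIf
}

# After applying, this should return nothing.
Get-Mailbox -ResultSize Unlimited -Filter "GrantSendOnBehalfTo -eq '$dnForFilter'" |
    Select-Object Name, PrimarySmtpAddress
```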

Saturday, October 26, 2013

Free Exchange 2013 Training

Microsoft has added some Exchange 2013 Jump Start videos to Channel 9. For anyone interested in certification, they look like they'd be an excellent preparation tool for the 70-341 exam. Otherwise, they're definitely useful if you just want to learn more about how Exchange 2013 works.

The videos include:
  • Deploying and Managing Microsoft Exchange Server 2013
  • Configuring Mailbox Servers and Recipients
  • Deploying and Managing Client Access Servers and Clients
  • Configuring the Message Transport
  • Implementing High Availability and Disaster Recovery
  • Configuring Administrative Security and Auditing
  • Migrating to Microsoft Exchange Server 2013
Access the videos here:

Exception has been thrown by the target of an invocation

Recently I had to troubleshoot the following error for a client in ECP when trying to browse for an OU to create a new mailbox in Exchange 2013.
Exception has been thrown by the target of an invocation
The only reference to the error that I could find for Exchange 2013 related to domain controllers not being in the default Domain Controllers OU. Sure enough, this client had added child OUs inside of Domain Controllers. The child OUs were being used to control how WSUS was pushing out updates to the domain controllers.

To resolve the issue, we moved the domain controller computer objects back directly into the Domain Controllers OU and removed the child OUs from inside the Domain Controllers OU. We did this in all three domains.

A blog article that I used when troubleshooting:

Thursday, October 24, 2013

RDP Client for Android and iOS

Within the last few days, Microsoft has released an RDP (remote desktop) client for both Android and iOS. This is apparently the result of Microsoft buying the iTAP RDP application, which was fairly popular for iOS, about a year ago. As of now iTAP is no longer available and the Microsoft RDP clients are.

In the Play store, search for Microsoft Remote Desktop. If you search for RDP, you'll get a lot of other non-Microsoft apps listed. I've tested out the Android version and it seems pretty nice.

Microsoft Remote Desktop client for Android

The controls are simple:
  • By default, it shows full screen.
  • Tap the zoom icon in the middle left for a larger view that you can scroll around.
  • Tap the keyboard icon in the middle right to bring up a keyboard.
  • Press the menu button on the device to bring up special keys for the keyboard such as shift, control, and the Windows key.
Also note that it includes support for RD Gateways. This is a premium feature in many RDP clients.

UPN Not Available in ECP When Creating Mailbox

Recently I was working as part of a Notes to Exchange 2013 migration. The original vendor on the project had been replaced and we were taking over the process. As always in these scenarios, you're suspicious of everything that you see in the new environment because you don't know what is left at default.

When creating new mailboxes in Exchange Control Panel the client observed that only the forest root domain was available as a UPN suffix. Most of the environments that I work in are single domain, so I didn't identify the issue right away. The domains that the client uses are multiple trees. So, I was immediately concerned that the issue was related to that, but it was not. It was quite simple really and parallels what happens when using AD Users and Computers to set the UPN suffix for an account.

When you are using AD Users and Computers to configure the UPN suffix for an account, the root domain of the forest will always be one of the options. The other option will be the current domain if you are in a domain other than the root domain.

For example, if I have a forest with the following domains:
  • conexion.ca
  • child1.conexion.ca
  • child2.conexion.ca
If I'm running AD Users and Computers in child1.conexion.ca, then I will see conexion.ca and child1.conexion.ca in the UPN suffix list. If I'm running AD Users and Computers in the conexion.ca domain then I will see only conexion.ca in the UPN suffix list.

So, my assumption is that Exchange 2013 was using conexion.ca as its base for doing the AD queries/work, because we were seeing only the root domain in the drop down list.

To make the child domains available as UPN suffixes when running AD Users and Computers in the root domain, the child domains need to be added as alternative UPN suffixes to the forest. After they are added here, they are available from any domain. Note that you can add anything you want here. You are not limited to UPN suffixes that match your domain names.

Configuring the UPN Suffix for a User Account

Ultimately, what works for AD Users and Computers also worked for ECP. At the client, after adding the name of the other tree as an alternative UPN suffix, it appeared in ECP and all was good.

Steps to add an alternate UPN suffix for the forest:

  1. Open Active Directory Domains and Trusts.
  2. In Active Directory Domains and Trusts, right-click the Active Directory Domains and Trusts node and click Properties.
  3. On the UPN Suffixes tab, add the subdomain required.
Adding an Alternative UPN Suffix

Monday, October 21, 2013

Removing Disconnected Mailboxes in Exchange 2013

In most cases, waiting the default 30 days for disconnected (disabled) mailboxes to be removed is not a concern. However, when doing implementation testing, you might have significant data that you want to remove before doing a final migration with good data.

Also, when moving mailboxes, the source mailbox is soft deleted and not purged for 30 days. If you were moving mailboxes to free up space in the database, then purging soft deleted mailboxes immediately is a reasonable way to go.

In Exchange 2010 you could purge disconnected mailboxes from the Exchange Management Console. In Exchange 2013, your only option is the Exchange Management Shell.

You can use the following to remove disabled/disconnected mailboxes from a specific database:
Get-MailboxStatistics -Database "YourDatabaseName" | where {$_.DisconnectReason -eq "Disabled"} | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState Disabled -Confirm:$False}
You can use the following to remove soft deleted mailboxes:
Get-MailboxStatistics -Database "YourDatabaseName" | where {$_.DisconnectReason -eq "SoftDeleted"} | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState SoftDeleted -Confirm:$False}
To modify either of these to work for all databases in your organization, replace the Get-MailboxStatistics cmdlet with the following:
Get-MailboxDatabase | Get-MailboxStatistics | where ....
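Because Remove-StoreMailbox cannot be undone, here is the same purge wrapped so that it can be previewed first. This is an added example, not part of the original post: the function name Remove-DisconnectedMailbox and the report path are hypothetical. One parameter drives both the DisconnectReason filter and -MailboxState, so the two cannot get out of step.

```powershell
# Added example. Remove-DisconnectedMailbox is a hypothetical helper, not an Exchange cmdlet.
function Remove-DisconnectedMailbox {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$Database,
        [Parameter(Mandatory = $true)][ValidateSet('Disabled', 'SoftDeleted')][string]$State,
        [string]$ReportPath = ".\purged-$State-mailboxes.csv"
    )

    # The same $State value selects the mailboxes and is passed to -MailboxState below.
    $targets = @(Get-MailboxStatistics -Database $Database |
        Where-Object { "$($_.DisconnectReason)" -eq $State })

    # Write an inventory of what is about to be purged.
    # -WhatIf:$false makes sure the report is written even during a -WhatIf preview run.
    $targets |
        Select-Object DisplayName, MailboxGuid, DisconnectReason, DisconnectDate, TotalItemSize |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    foreach ($mbx in $targets) {
        $label = "$($mbx.DisplayName) [$($mbx.MailboxGuid)]"
        if ($PSCmdlet.ShouldProcess($label, "Purge $State mailbox from $Database")) {
            Remove-StoreMailbox -Database $Database -Identity $mbx.MailboxGuid `
                -MailboxState $State -Confirm:$false
        }
    }
}

# Preview: lists what would be purged and writes the CSV, but removes nothing.
Remove-DisconnectedMailbox -Database 'YourDatabaseName' -State SoftDeleted -WhatIf

# Purge without a prompt for each mailbox once the preview looks right:
# Remove-DisconnectedMailbox -Database 'YourDatabaseName' -State SoftDeleted -Confirm:$false
```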

Saturday, October 19, 2013

ActiveSync-Based Email Access in Windows 8.1

Windows 8.1 includes the email application Windows Mail. This application can access email via IMAP or ActiveSync. Yes, that's right ACTIVESYNC!

I've been wondering why ActiveSync was good enough for mobile devices, but not desktop computers. It appears that this has finally arrived. Perhaps paying Microsoft a licensing fee for use of ActiveSync is holding other vendors back.

A standard IMAP client will synchronize only email messages. An ActiveSync client can synchronize messages, your calendar, and contacts. This is now an effective option for home users that want to access work email from their computer through a full email client but without purchasing a version of Office that includes Outlook.

Remote wipe is also supported for this application. However (and this is good news), remote wipe affects only the Exchange email data. This is unlike a phone remote wipe which wipes the entire device.

For more information see:

Forcing ECP to open in Exchange 2013

One of the annoyances I've been finding in Exchange 2013 during migrations is that when an administrator with a mailbox in Exchange 2010/2007 attempts to access Exchange Control Panel to administer, they are redirected to the older version of Exchange. This happens because Exchange looks up where the user's mailbox is and assumes that you want to access the server where the mailbox is located.

Fortunately, there is an easy fix for this. Append ExchClientVer=15 to the URL to force it to stay on Exchange 2013. For example:
  • https://server.domain.com/ecp?ExchClientVer=15

IE 11 Problems with OWA

I haven't had a chance to verify yet, but IE 11 appears to have issues working with OWA in Exchange 2007-2013. IE 11 is included in the Windows 8.1 Service Pack.

The core issue seems to be that IE does not identify itself as IE anymore. Consequently, Exchange Server dumbs down the OWA experience to be sure that it is compatible.

You can update Exchange 2013 to work with IE 11 properly by installing Cumulative Update 2 for Exchange 2013.
You can update Exchange 2010 to work with IE 11 properly by installing update rollup 3 for SP3:
For Exchange 2007 there is currently no update available to fix the server side. Instead, you need to use compatibility mode in IE or InPrivate Browsing.

For a nice article about this and further explanation, see here:
*Updated Nov 26th to include new update that is available for Exchange 2010

Saturday, October 12, 2013

Error Creating Outlook 2010 Profile for Exchange 2013

We were recently connecting some newly imaged computers to Exchange 2013 and got an 0x80070057 error when attempting to create the user profile. This error did not occur when connecting to the older Exchange 2007 server. This error was a result of Office 2010 not being up to the correct update level.

Outlook 2010 must have at least Service Pack 1 with the November 2012 cumulative update. In this case, we installed Service Pack 2 and all was good.

Here is the link to the required versions of Outlook for Exchange 2013:
Update Oct 24/13: I have also seen this problem at a client using the HTTP proxy settings in IE. Make sure your Exchange servers are an exception that does not require the use of the proxy.

Thursday, October 10, 2013

New Tool to Remove Unneeded Windows Update Files

Microsoft has just released an update for Windows 7 that enables you to remove old files that allow Windows Updates to be removed. This will save a ton of disk space on many computers. If you are using a small SSD drive, the extra few GB would be nice to have back.

After applying the update, the Disk Cleanup wizard is updated to include the option Windows Update Cleanup. After performing the Windows Update Cleanup, you will not be able to remove Windows Updates that are cleaned up.

My only caution related to using this tool relates to Internet Explorer. We have several clients that require Internet Explorer 8 to use web-based applications. All of our new computers with Windows 7 have IE 9 preinstalled and we need to roll back to IE8. I'm concerned we would lose this ability if Dell starts to use this tool before shipping out computers. That said, I haven't had time to test yet.

For more information, see:
For the update go here:

Tuesday, October 8, 2013

Video on Basic Network Setup

Each year I help out with a networking class at the Asper School of Business in the University of Manitoba. I do a demonstration of basic server installation and configuration. Last year I made it into a video, and this year I've uploaded it to YouTube for the students.

In case anyone is interested the video is located here:
This video includes:
  • Installation of Windows Server 2008 R2
  • Joining a domain
  • Basic IP configuration
  • Create and configure file shares
  • Create and configure shared printers
  • Drive mappings via Group Policy preferences