Exchange 2007 : Generating Mailbox Statistics Report

Use the following command from the Exchange shell to generate the report on a per-mailbox database basis:

get-mailboxstatistics -Database "[database name]" | select-object servername, storageGroupname, databasename, DisplayName, @{name="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}}, StorageLimitStatus, LastLogonTime, LastLoggedOnUserAccount, ItemCount, DeletedItemCount | export-csv c:\DB_Stats.csv

You can also format the data on screen using the following command:

get-mailboxstatistics -Database "[database name]" | ft servername, storageGroupname, databasename, DisplayName, @{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}}, StorageLimitStatus, LastLogonTime, LastLoggedOnUserAccount, ItemCount, DeletedItemCount

You can also report on an entire server using the command:

get-mailboxstatistics -Server "[server name]" | select-object servername, storageGroupname, databasename, DisplayName, @{name="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}}, StorageLimitStatus, LastLogonTime, LastLoggedOnUserAccount, ItemCount, DeletedItemCount | export-csv c:\Server_Stats.csv

Format-table is designed to display data in a readable format on screen, whereas select-object is designed for exporting data:

  • When using ft you should use @{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}}
  • When using select-object use @{name="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}}

If you try to use @{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}} when using export-csv you will end up with an invalid csv file that contains multiple lines of: 27c87ef9bbda4f709f6b4002fa4af63c

 

Exchange 2007 : Mailbox Auditing

Enable Mailbox Auditing in Exchange 2007 SP1

From the Exchange Shell on the Mailbox Database Server(s) run the following command to enable auditing:
   Set-EventLogLevel "MSExchangeIS\9000 Private\Logons" -level low
This command will return no feedback to the end-user.

You can check that this setting has been applied using the command:
   Get-EventLogLevel

Now monitor the Application event log for Event IDs 1013 and 1016.
 
Enable Auditing in Exchange 2007 SP2

SP2 introduces new features for Mailbox Access auditing; a new event log is created on the Exchange Server and it is possible to audit Folder Access, Message Access, Extended Send As and Extended Send On Behalf.

Enable Folder Access using the command:
   Set-EventLogLevel "MSExchangeIS\9000 Private\Folder Access" -level low

You can create exceptions to auditing for specific accounts such as service accounts using the command:
   Get-MailboxDatabase -identity 'SERVER' | Add-ADPermission -User 'account' -ExtendedRights ms-Exch-Store-Bypass-Access-Auditing -InheritanceType All

You can now view auditing events in the Exchange Auditing Event Log. 
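
To check the settings above and to see which accounts are exempt from auditing (their access will not show up in the audit events), here is an added example that is not part of the original post. The 20000-entry window, the one-day look-back and the output path C:\Mailbox_Logon_Audit.csv are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post). Run from the Exchange
# Management Shell on a mailbox server after enabling the audit levels.

# 1. Confirm the logging level for the "9000 Private" audit categories.
Get-EventLogLevel |
    Where-Object { $_.Identity -like "*MSExchangeIS\9000 Private\*" } |
    Format-Table Identity, EventLevel -AutoSize

# 2. List every account holding the bypass-auditing extended right on a
#    mailbox database. Review this list: these accounts are not audited.
$exempt = @()
foreach ($db in Get-MailboxDatabase) {
    $exempt += @(Get-ADPermission -Identity $db.DistinguishedName |
        Where-Object {
            -not $_.Deny -and
            ($_.ExtendedRights -like "*Bypass-Access-Auditing*")
        } |
        Select-Object @{n="Database";e={$db.Identity}}, User, IsInherited)
}
$exempt | Format-Table -AutoSize

# 3. Export the logon audit events (IDs 1013 and 1016) from the last day.
#    $since and the -Newest window are assumed values.
$since = (Get-Date).AddDays(-1)
Get-EventLog -LogName Application -Newest 20000 |
    Where-Object {
        $_.TimeGenerated -ge $since -and
        (@(1013, 1016) -contains $_.EventID)
    } |
    Select-Object TimeGenerated, EventID, Source, Message |
    Export-Csv C:\Mailbox_Logon_Audit.csv -NoTypeInformation
```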

Outlook 2007 : Scanpst.exe Errors

When using scanpst.exe to check a Personal Folder (.pst file) you may be presented with the following error: “Internal errors were found in this file. They must be repaired for this file to work correctly.”

This is actually a red herring in some cases. Creating all of the standard Microsoft Outlook folders resolves the inconsistency errors requiring a repair with scanpst.exe.

These folders include:

  • Calendar
  • Contacts
  • Deleted Items
  • Drafts
  • Inbox
  • Journal
  • Notes
  • Outbox
  • Sent Items
  • Tasks

That said, creating the folders is unnecessary as you needn’t be worried about the reported ‘errors.’

Exchange 2007 : SendAs Bug

I recently came across an issue where SendAs for a Resource (Shared) Mailbox appeared to be failing, despite specifically defined permissions granting this. The mailbox in question had several email addresses defined, and the SendAs function was using one of the secondary email addresses.

It would appear that it is impossible to SendAs using an email address other than the primary (reply) email address, or display name of any Exchange object.

Exchange 2007 : Grant Full Mailbox Access via Shell

The following Exchange Management Shell command can be used to assign ‘Full Mailbox Access’ permissions on a user’s mailbox for another user:

Add-MailboxPermission "UserA" -User "UserB" -AccessRights FullAccess

This will grant UserB full access to UserA’s mailbox.

Exchange 2007 : Mailbox Statistics and Storage Quotas

Use the following Exchange Shell command to list all mailboxes, sorted by size:

get-mailbox | Get-MailboxStatistics | Select @{n="DisplayName";e={$_.DisplayName}}, StorageGroupName, @{e={$_.TotalDeletedItemSize.Value.ToMB()};n="TotalDeletedItemsSize(MB)"}, DeletedItemCount, @{e={$_.TotalItemSize.Value.ToMB()};n="TotalItemSize(MB)"}, ItemCount, StorageLimitStatus | Sort-Object "TotalItemSize(MB)" | ft

Use the following command to list all mailboxes with a StorageQuotaStatus of ‘ProhibitSend’:

get-mailbox | Get-MailboxStatistics | where-object {$_.StorageLimitStatus -eq "ProhibitSend"} | Select @{n="DisplayName";e={$_.DisplayName}}, StorageGroupName, @{e={$_.TotalDeletedItemSize.Value.ToMB()};n="TotalDeletedItemsSize(MB)"}, DeletedItemCount, @{e={$_.TotalItemSize.Value.ToMB()};n="TotalItemSize(MB)"}, ItemCount, StorageLimitStatus | Sort-Object "TotalItemSize(MB)" | ft

Alternately you can export the results to a CSV file using the following command:

get-mailbox | Get-MailboxStatistics | where-object {$_.StorageLimitStatus -eq "ProhibitSend"} | Select @{n="DisplayName";e={$_.DisplayName}}, StorageGroupName, @{e={$_.TotalDeletedItemSize.Value.ToMB()};n="TotalDeletedItemsSize(MB)"}, DeletedItemCount, @{e={$_.TotalItemSize.Value.ToMB()};n="TotalItemSize(MB)"}, ItemCount, StorageLimitStatus | Sort-Object "TotalItemSize(MB)" | Export-Csv C:\mailbox_stats.csv

The following options are available as StorageQuotaStatus:

  • IssueWarning
  • BelowLimit
  • ProhibitSend
  • MailboxDisabled
  • NoChecking

Simply modify the command as follows to change the data returned by the command:

get-mailbox | Get-MailboxStatistics | where-object {$_.StorageLimitStatus -eq "IssueWarning"} | Select @{n="DisplayName";e={$_.DisplayName}}, StorageGroupName, @{e={$_.TotalDeletedItemSize.Value.ToMB()};n="TotalDeletedItemsSize(MB)"}, DeletedItemCount, @{e={$_.TotalItemSize.Value.ToMB()};n="TotalItemSize(MB)"}, ItemCount, StorageLimitStatus | Sort-Object "TotalItemSize(MB)" | Export-Csv C:\mailbox_stats.csv

Exchange 2007 : Purge Outbox Script

I recently came across an issue where users’ email was getting ‘stuck’ in their Outbox, despite being sent to the intended recipient. Some users had approx 95% of the mailbox Send limit in stuck email, so this problem was affecting their ability to work.

The following script helped me to identify that approx 4GB of data was stuck in user Outboxes across my Exchange environment. This will generate a CSV file containing the Outbox size for every mailbox in the Exchange Org. Save the following code to a ‘.ps1’ file and call from the Exchange Shell:

$data = @()
foreach ($mbx in Get-Mailbox -ResultSize unlimited) { $data += Get-MailboxFolderStatistics $mbx.identity -FolderScope 'Outbox' | select @{n="DisplayName";e={$mbx.DisplayName}}, FolderPath, ItemsInFolder, @{n="FolderSize(MB)";e={$_.folderSize.toMB()}} }

$data | sort-object "FolderSize(MB)" -Descending | export-csv c:\Outbox_sizes.csv

Once I had identified the severity of the issue I wrote the following PowerShell script to purge all user Outboxes, exporting them to a PST file in case of any repercussion. Note you will have to create the intended export folder prior to running this script. As before, copy the following command into a ‘.ps1’ file and execute from the Exchange Shell:

foreach ($mbx in Get-Mailbox -ResultSize unlimited) { Export-Mailbox -Identity $mbx.identity -IncludeFolders "\Outbox" -PSTFolderPath "C:\OutboxExport\" -DeleteContent -BadItemLimit 1000 -confirm:$false }

Exchange 2007 : Error: The Exchange server address list service failed to respond

During a DR simulation I recently came across the following error on an Exchange 2007 CCR cluster:

Error: The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error.

The issue was that the System Attendant Service had lost connection to the domain controller which it was using. For some reason it did not automatically connect to another DC. All other Exchange functions were working, but management of users, groups and system objects was impossible.

To resolve this issue simply restart the Exchange System Attendant Instance service for the cluster using the Cluster Administrator tool.

This will allow the service to re-attach to an available Domain Controller.

Exchange 2007 OWA Access To Other Users Mailboxes

Granting Mailbox Access to Other Users Mailbox via OWA

OWA does not work with inherited mailbox database/server permissions for access to other users’ mailboxes. Permissions must be specifically granted on each mailbox. The PowerShell scripts below will enable access to users’ mailboxes via OWA for a chosen user or group.

Save the following PowerShell script to a new .ps1 file, modifying the user or group name (“Exchange Mailbox Admins” in the script) as appropriate.

# Set-Full Mailbox Permissions on all Mailboxes in Org for EU Mailbox Admins
#
#This is required for OWA mailbox access as OWA does not support inherited permissions on mailboxes
#
Add-PSSnapin Microsoft.Exchange.Management.Powershell.Admin -erroraction silentlyContinue
$userAccounts = get-mailbox -resultsize unlimited
ForEach ($user in $userAccounts)
{
    add-MailboxPermission -identity $user -user "Exchange Mailbox Admins" -AccessRights FullAccess
}

Alternately you can grant access to all mailboxes from OWA for a single Mailbox Database using the following script. Change the mailbox database path as applicable for your environment:

# Set-Full Mailbox Permissions on all Mailboxes in a single Mailbox Database for EU Mailbox Admins
#
# This is required for OWA mailbox access as OWA does not support inherited permissions on mailboxes
#

Add-PSSnapin Microsoft.Exchange.Management.Powershell.Admin -erroraction silentlyContinue
$userAccounts = get-mailbox -resultsize unlimited -Database "MYSERVER\SG2\Mailbox Database"
ForEach ($user in $userAccounts)
{
    add-MailboxPermission -identity $user -user "Exchange Mailbox Admins" -AccessRights FullAccess
}
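
Because both Add-MailboxPermission in the earlier UserA/UserB command and the bulk scripts above create explicit FullAccess entries on each mailbox, it is worth reviewing afterwards exactly who holds them. The following is an added example, not part of the original post; the trustee name in $expected (built from the MYDOM domain and group name used on this page) and the output path C:\FullAccess_Grants.csv are assumptions.

```powershell
# Added example (not from the original post): report every explicit,
# non-inherited FullAccess grant and flag trustees that were not expected.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue

# Assumption: the only trustee that should appear is the admin group.
$expected = "MYDOM\Exchange Mailbox Admins"

$report = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # @( ) keeps $report free of null entries when a mailbox has no match.
    $report += @(Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            -not $_.IsInherited -and
            -not $_.Deny -and
            $_.User.ToString() -ne "NT AUTHORITY\SELF" -and
            ($_.AccessRights -like "*FullAccess*")
        } |
        Select-Object @{n="Mailbox";e={$mbx.DisplayName}},
                      @{n="Trustee";e={$_.User.ToString()}},
                      @{n="Expected";e={$_.User.ToString() -eq $expected}})
}

# Full list for the record, then the unexpected grants on screen.
$report | Sort-Object Expected, Mailbox |
    Export-Csv C:\FullAccess_Grants.csv -NoTypeInformation
$report | Where-Object { -not $_.Expected } |
    Format-Table Mailbox, Trustee -AutoSize
```

An unexpected trustee can be removed with Remove-MailboxPermission using the same -Identity, -User and -AccessRights values.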

Exchange 2007 Split Permissions

During the migration/centralisation project I’ve been involved in recently, one of our challenges was delegation of Exchange object management on a per-site or per-country level.

Our goal was to allow local IT teams at each site to create and manage user mailboxes and distribution groups, without having the ability to affect users at other sites and also allowing for centralised management of hardware, backups etc. Now Exchange 2007 doesn’t cater for this permission model out-of-the-box. This type of permissions configuration is referred to as a ‘split permissions’ model.

The Exchange Management Shell allows granular control of permissions at both the AD and Mailbox level. Initial investigation led me to the following command for user management:

Add-ADPermission -Identity "OU=DE,DC=mydom,DC=com" -User "MYDOM\DE Mailbox Admins" -AccessRights ReadProperty, WriteProperty -Properties Exchange-Information, Exchange-Personal-Information, legacyExchangeDN, displayName, adminDisplayName, displayNamePrintable, publicDelegates, garbageCollPeriod, textEncodedORAddress, showInAddressBook, proxyAddresses, mail

Users of the DE Mailbox Admins group were also granted rights to Create and Delete User Objects on the “OU=DE,DC=mydom,DC=com” container and all sub-containers.

This however did not provide management of Distribution Groups. In order to achieve this the following shell command is necessary:

Add-ADPermission -Identity "OU=DE,DC=mydom,DC=com" -User "MYDOM\DE Mailbox Admins" -AccessRights GenericAll -ChildObjectTypes msExchDynamicDistributionList

The Exchange Management Tools come with a script which integrates the above commands into a single command:

ConfigureSplitPerms.ps1 -user "DE Mailbox Admins" -identity "OU=DE,DC=mydom,DC=com"

Finally, the only remaining permission required in our environment was the delegation of Public Folder administrative rights. Again, the following shell command can be used to delegate these on a public folder and all of its sub-folders:

Get-PublicFolder "\DE\" -recurse | Add-PublicFolderAdministrativePermission -User "DE Mailbox Admins" -AccessRights AllExtendedRights -Inheritance SelfAndChildren


Update 12/01/2010: In order to delegate the “Manage Full Mailbox Access” and “Manage Send As Permissions” use the following Exchange Shell command:

Add-ADPermission -identity (Get-MailboxDatabase “\\“).distinguishedName -user “” -ExtendedRights ms-Exch-Store-Admin