Avoid Account Lockout: Use PowerShell to Find Old Mobile Devices


Summary: Guest blogger, Tim Bolton, talks about using Windows PowerShell to find old mobile devices that may cause account lockout.

Microsoft Scripting Guy, Ed Wilson, is here. Welcome back, guest blogger, Tim Bolton.

One of the most common issues we have been seeing lately is user accounts being locked out due to a mobile device that has been replaced or upgraded. Unfortunately, it is still trying to access their Exchange Server email account. 99% of the time, the user will claim that the old device is not in use, but when they see these results, they realize that their kids are using their device, and they never removed the ActiveSync application.

I created this simple little script to show what devices are still in use.

Here are the prerequisites needed:

  1. Run on an Exchange Server with an Admin account, or use New-PSSession to an Exchange Server running with an Admin account.
  2. You must be able to use Import-Module ActiveDirectory.
  3. Change the internal mail relay address, for example:  $SmtpServer = "Mail.Big.Dog.Com"

When you run this script, it creates an HTML email that is sent to the requester with a BCC to the person who is running the Windows PowerShell command.  I added the BCC so I could make sure that the email went out and to be able to explain to the requesters what they were looking at.

The following image shows an example of a report that I ran for my mobile devices.

Image of report

Here is the script:

<#
Prerequisites needed:
1) Run this on an Exchange Server with an Admin account or use New-PSSession to an Exchange Server running with an Admin account.
2) You must be able to use Import-Module ActiveDirectory.

Example: Enter the UserID for the requester and for the person you want the mobile report for.

PS C:\> Get-Mobile

cmdlet Get-Mobile at command pipeline position 1
Supply values for the following parameters:
Requester: tbolton
UserID: tbolton
#>
Function Get-Mobile {
[CmdletBinding()]
param(
    [Parameter(Mandatory=$True,
               ValueFromPipeline=$True,
               ValueFromPipelineByPropertyName=$True)]
    [string]$Requester,

    [Parameter(Mandatory=$True)]
    [string]$UserID
)
PROCESS {
# Get-ADUser comes from the ActiveDirectory module (prerequisite 2)
Import-Module ActiveDirectory

# Date
$Date = (get-date).ToString("MM-dd-yy")

# Get Requester Info via their UserID
$RequesterEmail=(Get-ADUser $Requester -Properties mail).Mail
$RequesterFirstName=(Get-ADUser $Requester -Properties GivenName).GivenName

# Get the information for the tech who is running this script, to BCC the email to.
$MyName = $env:username
$MyEmail = (Get-ADUSer $MyName -Properties mail).mail

# Get DisplayName of User via their UserID
$TheUserName=(Get-ADUser $UserID -Properties DisplayName).DisplayName

# Email Settings
$SmtpServer = "Your Internal Mail Relay Address Here"
$SmtpFrom = "$MyEmail"
$SmtpTo = "$RequesterEmail"
$SmtpBcc = New-Object system.Net.Mail.mailaddress "$MyEmail"
$MessageSubject = "Mobile report for $TheUserName "

$Message = New-Object System.Net.Mail.MailMessage $Smtpfrom, $Smtpto
# Add BCC
$Message.Bcc.Add($SmtpBcc)

$Message.Subject = $MessageSubject
$Message.IsBodyHTML = $true

#### HTML Output Formatting #######
# Style sheet for the report table; the closing "@ must stay at the start of its line.
$a = @"
<style>
body {
    color:#333333;
    font-family:Calibri,Tahoma;
    font-size: 10pt;
}
TABLE {
    border-width: 1px;
    text-align: center;
    border-style: solid;
    border-color: black;
    border-collapse: collapse;
}
th {
    font-weight:bold;
    border-width: 1px;
    padding: 10px;
    border-style: solid;
    border-color: black;
    color:#eeeeee;
    background-color:#333333;
}
td {
    font-weight:bold;
    border-width: 1px;
    padding: 10px;
    border-style: solid;
    border-color: black;
}
</style>
"@

# This is what will pull the information on the mobile devices being used by $UserID and will create the message body.
$Message.Body = Get-ActiveSyncDeviceStatistics -Mailbox $UserID | select DeviceType,DeviceModel,DeviceFriendlyName,DeviceOS,DeviceUserAgent,LastSyncAttemptTime,Lastsuccesssync,NumberOfFoldersSynced | ConvertTo-HTML -PreContent "<h2>Mobile Devices for $TheUserName</h2>","<h2>Date: $Date</h2>" -Head $a

# Send the report through the internal mail relay
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$smtp.Send($message)

}
}

###############################################################

The full script can be downloaded from the Script Center Repository: Get Users Mobile Devices Using Exchange ActiveSync.
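
As an added example (not part of Tim Bolton's script), the helper below ranks a user's device partnerships by how long ago each one last completed a sync, so that a replaced or handed-down device stands out in the report. The name `Get-StaleMobileDevice`, the 30-day threshold, and the sample records are assumptions constructed for illustration; it needs Windows PowerShell 3.0 or later for `[pscustomobject]`.

```powershell
# Added example; Get-StaleMobileDevice is a hypothetical helper, not part of the original script.
function Get-StaleMobileDevice {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [psobject]$Device,
        [int]$StaleAfterDays = 30,     # assumed threshold; set to local policy
        [datetime]$Now = (Get-Date)    # injectable so the sample run is repeatable
    )
    process {
        $last = $Device.LastSuccessSync
        if ($null -eq $last) {
            # Partnership exists but no sync ever completed.
            $days = $null
            $status = 'NeverSynced'
        }
        else {
            $days = [int][math]::Floor(($Now - [datetime]$last).TotalDays)
            $status = if ($days -ge $StaleAfterDays) { 'Stale' } else { 'Active' }
        }
        [pscustomobject]@{
            DeviceFriendlyName  = $Device.DeviceFriendlyName
            DeviceModel         = $Device.DeviceModel
            LastSyncAttemptTime = $Device.LastSyncAttemptTime
            LastSuccessSync     = $last
            DaysSinceSuccess    = $days
            Status              = $status
        }
    }
}

# Constructed sample records with the same property names the report selects.
$now = [datetime]'2013-06-01T09:00:00'
$sample = @(
    [pscustomobject]@{ DeviceFriendlyName = 'Current phone'; DeviceModel = 'ModelA'
                       LastSyncAttemptTime = $now.AddMinutes(-5); LastSuccessSync = $now.AddMinutes(-5) }
    [pscustomobject]@{ DeviceFriendlyName = 'Old tablet'; DeviceModel = 'ModelB'
                       LastSyncAttemptTime = $now.AddHours(-1); LastSuccessSync = $now.AddDays(-120) }
    [pscustomobject]@{ DeviceFriendlyName = 'Unknown'; DeviceModel = 'ModelC'
                       LastSyncAttemptTime = $now.AddDays(-2); LastSuccessSync = $null }
)

# Show only the partnerships that need review, oldest successful sync first.
$sample | Get-StaleMobileDevice -Now $now |
    Where-Object { $_.Status -ne 'Active' } |
    Sort-Object DaysSinceSuccess -Descending |
    Format-Table DeviceFriendlyName, Status, DaysSinceSuccess, LastSyncAttemptTime -AutoSize
```

On an Exchange Server, replace `$sample` with `Get-ActiveSyncDeviceStatistics -Mailbox $UserID`; a mailbox with no devices produces no rows.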

Thank you, Tim, for once again sharing your time and knowledge.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

  • Good stuff! Have been considering a reminder e-mail for folks with passwords about to expire. Including ActiveSync devices is a great idea. Question - Any reason you aren't using the built in Send-MailMessage function? I'm not seeing anything that isn't covered by that function, and using the .NET class seems to offer no benefit in this example.

  • 1) - Honestly what I used is what I had used in the past that just worked so to be honest I did not try the Send-MailMessage function but I will this week to see if there are any benefits or issues with the HTML rendering of the email. 2) I made an update that I thought would be a seemingly small change... I ran into the first instance of a person NOT having a mobile device which caused the email notice to show a small box instead of any information. I changed it so that a message was displayed with the User Name and Date and that no devices were found. FYI ~ This code change is in the link to the code. However, I did not make it in time for Ed to post here (Sorry Ed!) but I did update the code itself...

  • Yet another update... I added an update since I had a user that did have HasActiveSyncDevicePartnership = $True but due to some lockout issues had removed all of his Mobile Devices so when I ran $Message.Body = Get-ActiveSyncDeviceStatistics -Mailbox $UserID it was Null... I am updating the code today...

    $Active = Get-CasMailbox $UserID | Select HasActiveSyncDevicePartnership
    $Active2 = Get-ActiveSyncDeviceStatistics -Mailbox $UserID | Select DeviceType
    if($Active.HasActiveSyncDevicePartnership -eq $True -and $Active2.DeviceType -ne $Null) {
        $Message.Body = Get-ActiveSyncDeviceStatistics -Mailbox $UserID | select DeviceType,DeviceModel,DeviceFriendlyName,DeviceOS,DeviceUserAgent,LastSyncAttemptTime,Lastsuccesssync,NumberOfFoldersSynced | ConvertTo-HTML -PreContent "<h2>Mobile Devices for $TheUserName</h2>","<h2>Date: $Date</h2>" -Head $a
    }
    Else {
        $Message.Body = ConvertTo-HTML -PreContent "<h2>No ActiveSync Mobile Devices Were Found For $TheUserName</h2>","<h2>Date: $Date</h2>"
    }