• Exchange Daily Messaging Report

    I was tasked with creating a daily messaging report that would meet the following requirements:

    • Collect essential information about the Exchange 2007 environment
    • Save the data in HTML format
    • Email that report to users

    So I created a PowerShell script that would collect the following information:

    • Mailbox Stats (total #, over quota, over 5GB, etc)
    • Message Stats (number of msg sent/rcd, NDRs, total size, etc)
    • Identify servers who have volumes with less than 20% of free space available
    • Database Information (last full backup, is mounted?, # of mbx, size, etc)
    • Identify if any SMTP queues have more than 50 msgs pending delivery
    • Collect errors from event log, generated during past 24 hours

    Once collected, it will send a message with the information as an attachment and within the body of the message.


    Thanks to http://blogs.technet.com/b/gary/ & http://gsexdev.blogspot.com/ for their contribution

    Attached is the script (right click and save target as for proper formatting)

    Have fun!

    Doug

  • Lync Control Panel–401.1 Unauthorized

    Recently I had to install Lync Server 2010 on a repurposed Windows 2008 R2 server within a lab environment. One of the issues that I ran across was preventing me from accessing the Lync Control Panel from the Lync Front End server.

    Attempting to open the Lync Control Panel from the Lync 2010 Front End server displayed the following error:

    [Screenshot of the error message]

    I started by confirming that all of the prerequisites were installed, followed TechNet: Troubleshooting Lync Server 2010 Control Panel, and confirmed that Kerberos was configured and working properly. None of these changed the error.

    In the end, the resolution was to enable the DisableLoopBackCheck registry key.

    WARNING: This setting should be carefully considered as this can change the security of a server. This scenario was a lab environment with no Internet access. For production environments, you may want to consider using the BackConnectionHostNames registry.
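
    The two settings named above, as an added example (not from the original post): a read-only check of the server-wide DisableLoopbackCheck value, followed by the narrower BackConnectionHostNames exemption. The host name lyncadmin.contoso.lab is a placeholder; the registry paths are the standard Lsa locations for these two values.

    ```powershell
    # Added example: audit and scope the NTLM loopback check (run from an elevated prompt).
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv10 = Join-Path $lsa 'MSV1_0'

    # 1. Read-only audit: is the loopback check switched off for the whole server?
    $loop = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
    if ($loop -eq 1) {
        Write-Warning 'DisableLoopbackCheck = 1: the loopback check is off for every host name on this server.'
    } else {
        Write-Host 'DisableLoopbackCheck is not set; the loopback check is active.'
    }

    # 2. Narrower alternative: exempt only the host names the admin URL really uses.
    $hostNames = @('lyncadmin.contoso.lab')   # placeholder, replace with your own admin URL host name
    $current   = @((Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames)
    $merged    = @($current + $hostNames | Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $msv10 -Name BackConnectionHostNames -PropertyType MultiString -Value $merged -Force | Out-Null

    # 3. Once the names are listed, remove the server-wide override if it was set.
    if ($loop -eq 1) { Remove-ItemProperty -Path $lsa -Name DisableLoopbackCheck }

    # Restart the server (or IIS) before retesting the Control Panel URL.
    ```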

    Good Luck!
    Doug

  • 8dot3 and the Exchange 2010 SP3 LAG Copy

    Recently I deployed Exchange 2010 SP3 and experienced a few headaches when it came to the LAG copy.  It turns out that this was probably related to the known issue with Exchange 2010 SP3 and 8dot3Name, even though we never activated these copies and with no transaction logs on the active copy containing any 8.3 names (weird!). 

    My configuration:

    • Exchange 2010 SP2 RU4 on Windows 2008 R2
    • Circular Logging enabled (backup-less environment)
    • LAG copy containing more than 2 weeks of transaction logs

    First, what is 8.3 name and why was it enabled?  This is a legacy naming convention, from the old MS-DOS days.  By default, our Windows 2008 R2 build does not have 8.3 enabled.  However, we discovered that a GPO had been set which overrode that value as a requirement for a government compliance program.  It turns out that lots of older government compliance programs required this to be enabled. 

    An example of files with and without 8.3 naming convention:  (dir /x)

    [Screenshot: dir /x output]

    How did we discover it was enabled?  In our testing, we had a number of LAG database copies go to a FailedAndSuspended state.  Our troubleshooting led us to the known issue listed above and we confirmed using the FSUTIL command and DIR /X.

    What problems did we experience? If we upgraded a server from SP2 to SP3 that contained either the LAG copy or was the owner of the Active copy and if the LAG copy contained at least 1 log that had an 8.3 naming convention, then intermittently the LAG copy would go to a FailedAndSuspended state.  Not all copies failed all of the time.  Nor did we have to activate the DB for it to fail – it just did it whenever the server was rebooted.

    What did we do to fix it? We knew that if the LAG copy contained any transaction logs with 8.3 naming convention, the DB would fail.  So we made a change to the server using FSUTIL (FSUTIL 8dot3Name Set 1).  It took us a day to discover that the setting had reverted, which led us to an old GPO entry.  After changing the GPO and forcing the update to occur, we could see that newly created transaction logs were not getting 8.3 names.

    Next, we waited for all database copies to cycle through the old logs (those containing the 8.3 names) before making any server reboots or significant changes.  We could fail a database over to another copy, but this did not do anything.

    We verified that all database copies contained no transaction logs containing these 8.3 files names by running a PowerShell command per server:

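    $GetDatabase = Get-MailboxDatabase -Server $Env:COMPUTERNAME
    foreach ($DB in $GetDatabase) {
        # cmd's DIR matches wildcards against short (8.3) names as well as long names
        $LogPath = "$($DB.LogFolderPath)\*~1.log"
        # DIR returns a non-zero exit code when nothing matches, so test that rather than its text output
        $null = cmd /c dir $LogPath 2>&1
        if ($LASTEXITCODE -eq 0) { Write-Host "$($DB.Name) - 8dot3 Log Files Found" -ForegroundColor Yellow } else { Write-Host $DB.Name }
    }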

     

    Basically, before you upgrade to SP3, check that your server does not have 8.3 naming convention enabled (FSUTIL 8dot3Name Query).  If so, set that to disabled and cycle through all your transaction logs before deployment. 

    As you can see, you don’t have to actually activate the DB for this to cause issues. 

    Good Luck!

    D

  • Managing Exchange Public Folder Permissions

    Over the years, there has been a request for finding various permissions on Public Folder objects within Exchange.  I figured that I would share how to do some of these tasks, specific to Exchange 2010 and 2013.

    NOTE: The following commands use the Exchange Management Shell

    Exchange 2010
    List All Top Level Public Folders Default Permissions
    Get-PublicFolder \ -GetChildren | Get-PublicFolderClientPermission | Where {$_.User.IsDefault -eq $True} | FT Identity, User, AccessRights -auto -wrap

    List All Top Level Public Folders Anonymous Permissions
    Get-PublicFolder \ -GetChildren | Get-PublicFolderClientPermission | ?{$_.User.IsAnonymous -eq $True} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Where Anonymous is set to Owner
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{($_.User.IsAnonymous -eq $True) -AND ($_.AccessRights -eq 'Owner')} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Where Default is NOT Author
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{($_.User.IsDefault -eq $True) -AND ($_.AccessRights -ne 'Author')} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Where JoeUser is set to Owner
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{($_.User -like "*JoeUser*") -AND ($_.AccessRights -eq 'Owner')} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Containing Old/Deleted Users with Permissions
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{$_.User -like "*NT User:*"} | FT Identity, User, AccessRights -auto -wrap

    Remove Old/Deleted Users from Public Folders (w/ WhatIf)
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{$_.User -like "*NT User:*"} | ForEach {Remove-PublicFolderClientPermission -Identity $_.Identity -User $_.User -AccessRights $_.AccessRights -WhatIf}

     

    Modify/Add JoeUser to be an Owner of a Folder
    Add-PublicFolderClientPermission -Identity "\MyPublicFolder\Reports" -User JoeUser -AccessRights Owner

    Exchange 2013
    List All Top Level Public Folders Default Permissions
    Get-PublicFolder \ -GetChildren | Get-PublicFolderClientPermission | Where {$_.User.UserType -eq 'Default'} | FT Identity, User, AccessRights -auto -wrap

    List All Top Level Public Folders Anonymous Permissions
    Get-PublicFolder \ -GetChildren | Get-PublicFolderClientPermission | ?{$_.User.UserType -eq 'Anonymous'} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Where Anonymous is set to Owner
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ? {($_.User.UserType -eq 'Anonymous') -AND ($_.AccessRights -eq 'Owner')} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Where Default is NOT Author
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{($_.User.UserType -eq 'Default') -AND ($_.AccessRights -ne 'Author')} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Where JoeUser is set to Owner
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{($_.User -like "*JoeUser*") -AND ($_.AccessRights -eq 'Owner')} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Containing Old/Deleted Users with Permissions
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{$_.User.UserType -like "Unknown"} | FT Identity, User, AccessRights -auto -wrap

    Remove Old/Deleted Users from Public Folders (w/ WhatIf)
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{$_.User.UserType -like "Unknown"} | ForEach {Remove-PublicFolderClientPermission -Identity $_.Identity -User $_.User -AccessRights $_.AccessRights -WhatIf}


     

    Modify JoeUser to be an Owner of a Folder
    Add-PublicFolderClientPermission -Identity "\MyPublicFolder\Reports" -User JoeUser -AccessRights Owner

    More information on managing Public Folders can be found on TechNet for Exchange.

    Good Luck

    Da

  • Active Directory Permissions and PowerShell

    So what about Active Directory Permissions on an Object using PowerShell?  There are a number of options and methods to manage Active Directory permissions, but here are some common tasks that I might perform using PowerShell.

    NOTE: This blog uses PowerShell with the Active Directory Module (Import-Module ActiveDirectory)
    To use Get-ACL, you may want to set the location to Active Directory ( Set-Location AD: ), otherwise you may have to call AD: within the command.


    FIND IF USER ACCOUNT HAS ANY DENY PERMISSIONS SET
    Using DSACLS:
    Get-ADUser UserName | ForEach { DSACLS $_.DistinguishedName } | Where {$_.Contains("Deny")}

    Using Get-ACL:
    Set-Location AD:
    (Get-Acl (Get-ADUser UserName)).access | Where {$_.AccessControlType -eq 'Deny'} | FT IdentityReference, AccessControlType, IsInherited -Autosize



    FIND ALL USERS WHO HAVE NON-INHERITED DENY RIGHTS ASSIGNED
    Get-ADUser -Filter * | ForEach {$X = $_.Name ; (Get-ACL $_.DistinguishedName).Access | Where {($_.AccessControlType -eq 'Deny') -AND ($_.IsInherited -eq $FALSE)}| Select {$X}, IdentityReference, AccessControlType, IsInherited}



    FIND ALL USERS WHO HAVE NON-INHERITED DENY WRITEPROPERTY SET
    Get-ADUser -Filter * | ForEach {$X = $_.Name ; (Get-ACL $_.DistinguishedName).Access | Where {($_.AccessControlType -eq 'Deny') -AND ($_.IsInherited -eq $FALSE) -AND ($_.ActiveDirectoryRights -eq "WriteProperty")}| Select {$X}, IdentityReference, AccessControlType, IsInherited}



    FIND ALL USERS WHO HAVE SPECIFIC GROUP/USER LISTED WITH PERMISSIONS
    Get-ADUser -Filter * | ForEach {$X = $_.Name ; (Get-ACL $_.DistinguishedName).Access | Where {$_.IdentityReference -like "DOMAIN\USERNAME"}| Select {$X}, IdentityReference, AccessControlType, IsInherited -Unique}



    VIEW PERMISSIONS OF NON-INHERITED USERS ON SPECIFIC ORGANIZATIONAL UNIT (OU)
    (Get-ACL "AD:CN=Joe User,OU=Users,DC=Contoso,DC=com").Access | Where {$_.IsInherited -eq $FALSE}| Select IdentityReference, AccessControlType, IsInherited


     
    VIEW ACCESS RIGHTS ON GROUP OBJECT
    (Get-ACL (Get-ADGroup GroupName)).Access


    RESTRICT GROUPX USERS FROM MODIFYING AD ATTRIBUTE ON ALL USERS
    Get-ADUser -Filter * | ForEach { DSACLS $_.DistinguishedName /D 'Contoso\GroupX:WP;employeeID'}
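
    An added example (not from the original post) that extends the non-inherited WriteProperty search above: ActiveDirectoryRights is a flags enumeration, so -eq "WriteProperty" matches only entries that grant exactly that right, while -band also catches combined entries such as GenericAll. ObjectType is resolved to an attribute name through the schema; the function name Get-ExplicitWriteAce is hypothetical.

    ```powershell
    Import-Module ActiveDirectory

    # Build a GUID -> attribute name map from the schema; the empty GUID means "all properties".
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $guidMap  = @{}
    $guidMap[[guid]::Empty] = '(all properties)'
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    function Get-ExplicitWriteAce {   # hypothetical helper name
        param([string]$AccessType = 'Deny')
        $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
        Get-ADUser -Filter * | ForEach-Object {
            $user = $_
            (Get-Acl "AD:$($user.DistinguishedName)").Access |
                Where-Object {
                    -not $_.IsInherited -and
                    $_.AccessControlType -eq $AccessType -and
                    ($_.ActiveDirectoryRights -band $write)   # flag test, not equality
                } |
                ForEach-Object {
                    # Property-set GUIDs live outside the schema, so report them as raw GUIDs.
                    $attr = $guidMap[$_.ObjectType]
                    if (-not $attr) { $attr = "$($_.ObjectType) (property set or unmapped GUID)" }
                    New-Object PSObject -Property @{
                        User      = $user.SamAccountName
                        Identity  = $_.IdentityReference
                        Type      = $_.AccessControlType
                        Rights    = $_.ActiveDirectoryRights
                        Attribute = $attr
                    }
                }
        }
    }

    # Explicit Deny entries first; rerun with -AccessType Allow to review delegated write access.
    Get-ExplicitWriteAce -AccessType Deny | Format-Table User, Identity, Rights, Attribute -AutoSize
    ```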


    There are many other items that you can do with Active Directory permissions, but I thought that I would start with the above items.  If you want something more, try another blog.

    Thanks!

    Da