Exchange Geek's Weblog

I'm a Geek!

How to generate a report of full mailbox access

Posted by Milind Naphade on 14/11/2011


If you have gone through an ExRAP lately and had explicit full mailbox access permissions raised as an observation during the operational interview, you are definitely going to need this very small piece of PowerShell. It lists every non-inherited mailbox permission that was granted to an account other than the mailbox owner (NT AUTHORITY\SELF) and writes the result to a date-stamped CSV.

$CreateStamp = Get-Date -UFormat %d_%m_%Y
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object { $_.User.ToString() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false } |
    Select-Object Identity, User, @{Name='Access Rights'; Expression={ [String]::Join(', ', $_.AccessRights) }} |
    Export-Csv -NoTypeInformation -Path "C:\temp\Full_Mailbox_Access_Report_$CreateStamp.csv"
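The command above reports every explicit right, not just FullAccess, and it does not distinguish Allow from Deny entries, grants to groups, or grants to accounts that no longer exist. The variant below is an added example, not the original command: it narrows the report to Allow entries that include FullAccess and adds two review columns. It assumes an Exchange 2010 Management Shell session; the output path and the $SystemUsers list are assumptions.

```powershell
# Added example: full-access audit report with review columns (assumes EMS on Exchange 2010)
$CreateStamp = Get-Date -UFormat %d_%m_%Y
$ReportPath  = "C:\temp\Full_Mailbox_Access_Report_$CreateStamp.csv"   # assumed path

# Built-in principals whose rights on a mailbox are not interesting for an audit
$SystemUsers = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM')

Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        $SystemUsers -notcontains $_.User.ToString() -and   # skip built-in principals
        $_.IsInherited -eq $false -and                       # explicit grants only
        $_.Deny -eq $false -and                              # ignore Deny entries
        $_.AccessRights -contains 'FullAccess'               # full mailbox access only
    } |
    Select-Object Identity, User,
        @{Name='Access Rights'; Expression={ [String]::Join(', ', $_.AccessRights) }},
        @{Name='Orphaned SID'; Expression={
            # A raw SID means the account was deleted but its ACE is still on the mailbox
            $_.User.ToString() -like 'S-1-5-*'
        }},
        @{Name='Granted To Group'; Expression={
            # A grant to a group gives access to every member; flag it for review
            $null -ne (Get-Group -Identity $_.User.ToString() -ErrorAction SilentlyContinue)
        }} |
    Export-Csv -NoTypeInformation -Path $ReportPath
```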



Posted in Exchange 2010, Exchange Server 2007 | 2 Comments »

Script to create new mailbox and set mailbox feature

Posted by Milind Naphade on 13/11/2011

Edit: This script can be downloaded from Microsoft Technet Gallery as well. Download is available at

Create Mailbox and Set-CASMailbox Features GUI Script


I wrote this script for one of our L1 support teams, who create mailboxes manually. Lately, the customer this team works for wanted the POP/IMAP services enabled on the servers but POP/IMAP access disabled at the mailbox level.

Although doing so is not a big task, the EMC / EMS put a few limitations on you when performing both tasks together: you have to create the mailbox first and then set the mailbox features on it using the EMC. If your L1 teams are well trained in the EMS it may be a little easier for them. Unfortunately, my team at this customer is not so familiar with PowerShell and its CLI 🙂

To help them out I decided to build a GUI that handles both tasks at the time of mailbox creation. This is an initial version of the script and I am still working on adding a few more features and validations.

This is what the script window looks like:


Your feedback will help improve it, so please feel free to leave a comment or write to me.

Download this script from here 


Since WordPress only allows specific file extensions, the file has been renamed to Create-Mailbox.pdf. After you download it, rename it to Create-Mailbox.ps1.

This script works only with Exchange 2010 and has to be executed from the Exchange Management Shell.
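The two tasks the post describes, creating the mailbox and then disabling POP/IMAP at the mailbox level, done in one function so that the second step cannot be forgotten. This is an added example and not the downloadable GUI script; it assumes an Exchange 2010 Management Shell, and the function name, the duplicate check and the sample values are assumptions.

```powershell
# Added example (not the GUI script): create a mailbox and disable POP/IMAP on it in one go
function New-RestrictedMailbox {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$UserPrincipalName,
        [Parameter(Mandatory=$true)][string]$Database,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )
    # Validation the GUI would do: refuse duplicates instead of letting New-Mailbox fail halfway
    if (Get-Recipient -Identity $UserPrincipalName -ErrorAction SilentlyContinue) {
        throw "A recipient with UPN $UserPrincipalName already exists"
    }
    $mbx = New-Mailbox -Name $Name -UserPrincipalName $UserPrincipalName -Database $Database `
                       -Password $Password -ResetPasswordOnNextLogon $true
    # Disable the client protocols at mailbox level; the POP/IMAP services themselves keep running
    Set-CASMailbox -Identity $mbx.Identity -PopEnabled $false -ImapEnabled $false
    # Verify, because a silent failure here leaves POP/IMAP open on a brand-new account
    $cas = Get-CASMailbox -Identity $mbx.Identity
    if ($cas.PopEnabled -or $cas.ImapEnabled) {
        throw "Mailbox $Name was created but POP/IMAP could not be disabled"
    }
    return $cas
}

# Usage (the password prompt keeps the secret out of the shell history); values are assumptions
# New-RestrictedMailbox -Name 'Jane Doe' -UserPrincipalName 'jane.doe@exchange.local' `
#     -Database 'Mailbox Database' -Password (Read-Host -AsSecureString 'Initial password')
```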

Posted in Exchange 2010 | 1 Comment »

How to Recover a Mailbox Server that is a part of a DAG

Posted by Milind Naphade on 13/10/2011

The day before yesterday, I was asked whether an Exchange Server 2010 mailbox server that is a member of a DAG can be recovered using the disaster recovery setup options.

Because of the considerable changes in the way Exchange 2010 handles the clustering components, recovering a crashed server that was part of a DAG in an Exchange organization is a little tricky. In Exchange 2007 you could run /m:recovercms to recover a clustered mailbox server node; in Exchange Server 2010 it has to be done a little differently. Let us take a look at how. It is highly recommended that you make a note of your database copy deployment layout before you go ahead.

For example:

Let us say you have a 2 member DAG with a database:

DAG Name: DAG01

Node1: E2K10SP101

Node2: E2K10SP102

Database: Mailbox Database

In my case the server E2K10SP102 crashed and the OS could not be recovered at all.

1. Remove Database Copies Configuration

When you add a member to a DAG and deploy database copies across the members, this information is stored in Active Directory. It is not removed automatically when a DAG member crashes or runs into an irrecoverable problem, so we need to clean it up first. During the cleanup you remove the information about the database copy that was configured on the server which is no longer available.

To perform the cleanup of the database copy, run the command below in the EMS:

Remove-MailboxDatabaseCopy -Identity "Mailbox Database\E2K10SP102"

Right after you hit Enter you will be prompted to confirm the action, and you may also see the Management Shell fill up with warning messages. This is fine. Normally the server would also clean this information out of the other member's local configuration; since that server is no longer available, its local configuration cannot be cleaned up, but the database copy information is still deleted from AD. Repeat this for every database copy the crashed server held if there was more than one.

2. Remove DAG Member

The next step is to remove the crashed DAG member from the configuration:

Remove-DatabaseAvailabilityGroupServer -Identity DAG01 -MailboxServer E2K10SP102 -ConfigurationOnly

-ConfigurationOnly is very important here. If you omit this parameter, the command tries to contact the other node to remove its cluster service configuration and fails, because that server is already gone. Keep in mind that we are removing all of this information from AD, not from the other node, so this parameter must not be missed.

3. Remove Cluster Service Configurations

As we all know, although a DAG does not use the failover clustering mechanism for its databases, it still uses MSCS failover clustering components. That said, there are cluster service configurations in the cluster database and the quorum that need cleanup before the crashed server can be brought back into the DAG. To clean them up, open a command prompt as an elevated user (if UAC is enabled on the server) and simply type the command below:

cluster.exe DAG01 node E2K10SP102 /evict

Once you have completed the cleanup, the next steps are to rebuild the server, add it back to the DAG and configure the database copies.

4. Rebuild the Server – Once you have fixed your hardware issues (if the server had any 🙂 ), it is time to install the OS with the same patch level and drivers as the currently working node.

5. Reset the computer account – After the OS is built correctly and you have made sure the patch level matches the currently working box, reset the computer account of this server in AD and join the computer to the domain with the same name.

6. Install software prerequisites for Exchange 2010 – If more than one server role was installed on the server, install the applicable prerequisites for each of those roles.

7. Recover the Server – Insert the Exchange 2010 RTM / SP1 media (whichever release you are running) and install the Exchange Server binaries using the command-line setup: run Setup.com /m:RecoverServer from a command prompt.

8. Add the server to the DAG – After the installation completes, reboot the server once and add it to the DAG using the cmdlet below:

Add-DatabaseAvailabilityGroupServer -Identity DAG01 -MailboxServer E2K10SP102

This initiates the cluster service configuration on the local as well as the remote node.

9. Add Mailbox Database Copies – If you have reached this step you are almost done; run the following command to complete the database copy configuration:

Add-MailboxDatabaseCopy -Identity "Mailbox Database" -MailboxServer E2K10SP102 -ActivationPreference 2

Done! You just need to monitor how the replication of this copy is progressing, using Get-MailboxDatabaseCopyStatus -Identity "Mailbox Database".
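The procedure above as a script, added here as an example and not taken from the post: it first records the copy layout of the dead node (the note the post asks you to take), then runs cleanup steps 1 to 3 for every copy that node held, and with -RestoreCopies it replays step 9 from the saved layout after the rebuild. It assumes an Exchange 2010 Management Shell on a surviving node; the DAG and server names are the post's, and the function name, the layout file path and the way the activation preference is read from the database object are assumptions.

```powershell
# Added example (not from the post): automate DAG cleanup for a dead member, then restore its copies
function Remove-DeadDagMember {
    param(
        [string]$DagName    = 'DAG01',
        [string]$DeadServer = 'E2K10SP102',
        [string]$LayoutFile = "C:\temp\$DeadServer-copy-layout.csv",   # assumed path
        [switch]$RestoreCopies
    )
    if ($RestoreCopies) {
        # Step 9: re-create each copy with the activation preference it had before the crash
        Import-Csv $LayoutFile | ForEach-Object {
            Add-MailboxDatabaseCopy -Identity $_.Database -MailboxServer $DeadServer `
                                    -ActivationPreference ([int]$_.ActivationPreference)
        }
        return
    }
    # "Make a note of your database copy deployment layout before you go ahead"
    # Assumption: Servers holds ADObjectId entries and ActivationPreference is a server/int pair list
    $layout = Get-MailboxDatabase | Where-Object {
            ($_.Servers | ForEach-Object { $_.Name }) -contains $DeadServer
        } | ForEach-Object {
            $pref = ($_.ActivationPreference | Where-Object { $_.Key.Name -eq $DeadServer }).Value
            New-Object PSObject -Property @{ Database = $_.Name; ActivationPreference = $pref }
        }
    if (-not $layout) { throw "$DeadServer holds no database copies; nothing to clean up" }
    $layout | Export-Csv -NoTypeInformation -Path $LayoutFile

    # Step 1: remove the AD record of every copy on the dead server (warnings are expected)
    foreach ($entry in $layout) {
        Remove-MailboxDatabaseCopy -Identity "$($entry.Database)\$DeadServer" -Confirm:$false
    }
    # Step 2: remove the DAG membership from AD only; the node cannot be contacted
    Remove-DatabaseAvailabilityGroupServer -Identity $DagName -MailboxServer $DeadServer `
                                           -ConfigurationOnly -Confirm:$false
    # Step 3: evict the node from the underlying failover cluster
    & cluster.exe $DagName node $DeadServer /evict
}

# Before the rebuild:  Remove-DeadDagMember
# After steps 4-8:     Remove-DeadDagMember -RestoreCopies
```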

Hope this information helps!

Posted in Exchange 2010, MBX | 4 Comments »

You cannot edit a transport rule if one or more of the recipient addresses are disabled or removed in an Exchange Server 2007 server

Posted by Milind Naphade on 24/06/2011

Been through something like this before? Well, it was a brain teaser for me for a while. One of my team mates contacted me saying they were unable to edit a transport rule configured to BCC emails addressed to a particular mailbox.

The situation was like this. The customer has a transport rule which adds 4 BCC recipients to emails sent to a mailbox named Application Support ( Now, one of these intended BCC recipients resigned and his mailbox was deleted immediately. As a result, emails sent to started bouncing back to the senders with an NDR stating the email was not delivered to a user named U Gardner (u.garnder@exchange.local). Indeed, it was annoying for everyone to receive an NDR on each email sent to the Application Support mailbox.

Of course, the customer contacted our support team to fix the problem, and we faced a new issue that had to be fixed before the NDRs could be.

After locating the transport rule, they found they were unable to edit it, which would have let them simply remove the problem user from the actions page of the transport rule wizard. When they right-clicked the rule there was no option to edit it.

Microsoft confirmed this as a known problem on Exchange 2007 SP2 systems; it is fixed in Update Rollup 2 for Exchange Server 2007 SP2 here

The customer is on Exchange 2007 SP2 currently, so it was impractical for us to install RU2 just to resolve this problem. Instead, we took a little workaround 😉

Below are the steps:

  1. Open ADSIEDIT and connect to your configuration partition.
  2. Browse to CN=Transport,CN=Rules,CN=Transport Settings,CN=<Org Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
  3. Locate the problem transport rule in the result pane of ADSIEDIT.
  4. Right-click the transport rule and go to Properties.
  5. Locate the attribute msExchTransportRuleXml in the properties of the transport rule.
  6. Click the Edit button.

The XML of the rule in AD looks like this:

<rule name="Application Support Forwarding" comments="Application Support Forwarding">
    <recipient />
    <true />
    <action name="AddEnvelopeRecipient">
        <argument value="om.k@exchange.local" />
    </action>
    <action name="AddEnvelopeRecipient">
        <argument value="ra.rai@exchange.local" />
    </action>
    <action name="AddEnvelopeRecipient">
        <argument value="u.garnder@exchange.local" />
    </action>
    <action name="AddEnvelopeRecipient">
        <argument value="Ven.C@exchange.local" />
    </action>
</rule>

If you look at the XML carefully, you will see that the deleted user's email address is still there. This deleted mailbox causes the problem and will not let you edit the rule by any known method.

Now, to fix the problem you just have to locate the part below in the transport rule XML and delete it from the attribute value:

    <action name="AddEnvelopeRecipient">
        <argument value="u.garnder@exchange.local" />
    </action>

Once you have deleted this portion of the XML and made sure AD replication has completed, disable the rule in question and enable it again.

Bingo! Problem resolved!!
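The same ADSIEDIT surgery done with a script, so the action is removed by matching the address rather than by hand-editing the blob, and the original attribute value is backed up before it is overwritten. This is an added example and not part of the post; the rule DN (built from the container path given in the steps above), the <action>/<argument> element shape, the function name and the backup path are assumptions.

```powershell
# Added example (not from the post): remove one AddEnvelopeRecipient action from a rule's XML
function Remove-RuleRecipient {
    param([string]$RuleXml, [string]$Address)
    $xml = [xml]$RuleXml
    # Select only AddEnvelopeRecipient actions whose argument is the deleted address
    $xpath = "//action[@name='AddEnvelopeRecipient'][argument/@value='$Address']"
    $nodes = $xml.SelectNodes($xpath)
    if ($nodes.Count -eq 0) { throw "Address $Address not found in rule XML" }
    foreach ($node in @($nodes)) { [void]$node.ParentNode.RemoveChild($node) }
    return $xml.OuterXml
}

# Constructed sample in the shape of the rule shown above (element shape is an assumption)
$sample = @'
<rule name="Application Support Forwarding" comments="Application Support Forwarding">
  <action name="AddEnvelopeRecipient"><argument value="om.k@exchange.local" /></action>
  <action name="AddEnvelopeRecipient"><argument value="u.garnder@exchange.local" /></action>
  <action name="AddEnvelopeRecipient"><argument value="Ven.C@exchange.local" /></action>
</rule>
'@
$fixed = Remove-RuleRecipient -RuleXml $sample -Address 'u.garnder@exchange.local'
([xml]$fixed).rule.action | ForEach-Object { $_.argument.value }   # the deleted user is gone, the rest remain

# Applying it to AD: assumed DN; back up the attribute first so the edit can be reverted
$ruleDn = 'CN=Application Support Forwarding,CN=Transport,CN=Rules,CN=Transport Settings,' +
          'CN=<Org Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local'
$rule = [ADSI]"LDAP://$ruleDn"
$old  = [string]$rule.Get('msExchTransportRuleXml')
$old | Set-Content -Path 'C:\temp\msExchTransportRuleXml.bak'   # assumed backup path
$rule.Put('msExchTransportRuleXml', (Remove-RuleRecipient -RuleXml $old -Address 'u.garnder@exchange.local'))
$rule.SetInfo()
# Then wait for AD replication and disable/enable the rule, as described above
```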

Posted in Exchange 2007, Transport | Comments Off on You cannot edit a transport rule if one or more of the recipient addresses are disabled or removed in an Exchange Server 2007 server