|
Aunt Beth posted:I've got an Exchange 2013 on-prem deployment and I've been working more and more with RBAC. I've created a new role based on MailRecipients with permissions to run the Get-Mailbox command, but it can't use the -Database flag to get a mailbox on a particular. How do I add particular flags to a command a role is assigned? Sorry for the dumb question, I'm a bit of an Exchange baby.

RBAC roles can only inherit permissions that the parent role already has. Looking at the parameters available to Mail recipients shows that the -Database parameter is not available. You can use the below to see what parameters are available for Get-Mailbox, but you can create another role that's a child of "View-Only Recipients" which should have the Database parameter for Get-Mailbox. In general, you can see the commands available to a role by using an asterisk, and then see the parameters available to each command by looking at the specific management role entry. You can then add or set the parameters available to that management role entry by using Set-ManagementRoleEntry commandlet. code:
|
# ? Mar 8, 2018 22:23 |
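The approach described in the reply above, written out for the Exchange Management Shell as an added example; it is not the code from the original post. It checks which parent role exposes Get-Mailbox -Database, builds a child role limited to that one cmdlet, and trims the parameter list. The role name "Helpdesk Get-Mailbox" and the group "Helpdesk Mailbox Lookup" are hypothetical.

```powershell
# Added example, not from the thread. Role and group names are hypothetical.
$cmdlet    = 'Get-Mailbox'
$parameter = 'Database'
$childRole = 'Helpdesk Get-Mailbox'        # hypothetical custom role name
$roleGroup = 'Helpdesk Mailbox Lookup'     # hypothetical; must already exist

# 1. Which candidate parent roles expose the parameter on the cmdlet?
#    A child role can never gain a cmdlet or parameter its parent lacks.
$candidates = 'Mail Recipients', 'View-Only Recipients'
$parents = foreach ($role in $candidates) {
    $entry = Get-ManagementRoleEntry "$role\$cmdlet" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Role         = $role
        HasCmdlet    = [bool]$entry
        HasParameter = [bool]($entry -and ($entry.Parameters -contains $parameter))
    }
}
$parents | Format-Table -AutoSize

$parent = $parents | Where-Object HasParameter | Select-Object -First 1
if (-not $parent) { throw "No candidate parent role exposes $cmdlet -$parameter" }

# 2. Create the child role. It starts with every entry of the parent.
New-ManagementRole -Name $childRole -Parent $parent.Role

# 3. Least privilege: remove every entry except the one cmdlet that is needed.
Get-ManagementRoleEntry "$childRole\*" |
    Where-Object { $_.Name -ne $cmdlet } |
    Remove-ManagementRoleEntry -Confirm:$false

# 4. Restrict the remaining entry to the parameters the role should use.
#    -Parameters on its own replaces the whole list; -AddParameter and
#    -RemoveParameter adjust it instead. Adding only works for parameters
#    that the parent role's entry already has.
Set-ManagementRoleEntry "$childRole\$cmdlet" -Parameters Identity, Database, ResultSize

# 5. Assign the role to the group whose members should be able to run it.
New-ManagementRoleAssignment -Role $childRole -SecurityGroup $roleGroup

# 6. Verify what the role now allows.
Get-ManagementRoleEntry "$childRole\*" | Format-List Name, Parameters
```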
|
Will Styles posted:RBAC roles can only inherit permissions that the parent role already has. Looking at the parameters available to Mail recipients shows that the -Database parameter is not available. You can use the below to see what parameters are available for Get-Mailbox, but you can create another role that's a child of "View-Only Recipients" which should have the Database parameter for Get-Mailbox.
|
# ? Mar 8, 2018 22:34 |
|
I'm an even dumber exchange baby and I need help too. Hybrid exchange with an on prem shared mailbox that I am trying to move to the cloud. I've been getting error message after error message. I finally got to the point where

New-MoveRequest -Identity "sharedboxonprem" -Remote -RemoteHostName "mail.contoso.com" -TargetDeliveryDomain "contoso.mail.onmicrosoft.com" -RemoteCredential $creds

(where $creds is CONTOSO\mydomainadminaccount) Gives me a MapiExceptionNoAccess unable to open message store 80070005 error

So it's a problem with permissions - but my user account is a domain administrator and has full rights to the mailbox I'm moving.

Sorry for the phone formatting, I'm not yet comfortable logging in to SA on my work computer

Happiness Commando fucked around with this message at 18:38 on Mar 9, 2018 |
# ? Mar 9, 2018 18:36 |
|
I’m fairly sure I’ve run into that one but I forgot what the issue was. Couple things you can check:

- Is the identifier you use to select the mailbox you want to move unique for that mailbox? There are some cases (I think this was in the Ex2010 days) where you could generate the strangest mapi access errors because checks on whether an smtp address is unique didn’t apply correctly in all cases (so you could assign the same address to a user as well as to a contact for instance). Try using the mailbox guid, that one is always unique.
- You are a member of the Organization Management role group, right?
- Are your servers patched up to the latest CU? They need to be but you’ll probably notice other issues if they aren’t.
- Does the mailbox you’re moving have a public folder database attribute and/or a null HomeDB attribute? Fix a null HomeDB attribute and remove the PF database attribute unless that PF database actually exists.

You can add the -Verbose parameter to see more output of the move process as well, I think, or it might be in get-moverequeststatistics when you expand the error or progress attributes. Could be helpful.

e.: this actually sounds really familiar. Not that much effort to do so despite the old Exchange version that page details it might be worth checking

Old Binsby fucked around with this message at 19:26 on Mar 9, 2018 |
# ? Mar 9, 2018 19:16 |
|
Mailbox identity is unique. I am a member of Organization Management. The homedb *isn't* null. Get-moverequeststatistics is empty. I can't find where the public folder attribute is. Also we are 2 CUs behind. This sucks, it's for a C level and I haven't figured hardly anything out yet, it's only my third week.
|
# ? Mar 9, 2018 19:56 |
|
Happiness Commando posted:Mailbox identity is unique. I am a member of Organization Management. The homedb *isn't* null. Get-moverequeststatistics is empty.

third week working with exchange as well? My sympathies in any case, it can be quite the challenge to figure these kinds of errors out even if you’ve done this much longer

anyway you can be one CU behind for a valid hybrid deployment according to microsoft and I religiously keep up so I’m not sure what being 2 behind will do. It’s probably not the most likely suspect here but if you’re able you should patch them up to current or one behind. The Public Folder Database attribute is set on a mailbox database, you can read it from there.

I’m not near an exchange server or my pc so I could be off on the details here but if you use get-moverequest, you have a failed moverequest, right? If you output that using Format-list (i.e fl, apologies if it sounds like I’m seriously underestimating how much powershell you know) there’s one attribute with a value that’s quite long usually. It should contain info on which steps the moverequest has been through and there might also be an error attribute that I believe you can expand on with select -expandproperty [errorattributename]. But like I said, I thought it was in moverequeststatistics. Do you see anything there?

Oh and do check the mailbox database permissions like the post in my edit describes, that trick has saved me once or twice

e removed double quote

Old Binsby fucked around with this message at 20:23 on Mar 9, 2018 |
# ? Mar 9, 2018 20:16 |
I'm not in hybrid but isn't there a GUI option for moving mailboxes?
|
|
# ? Mar 9, 2018 20:27 |
|
Submarine Sandpaper posted:I'm not in hybrid but isn't there a GUI option for moving mailboxes?

there is, it generates the parameters for new-moverequest and then runs that cmdlet. It’s fine if it works but removing that obfuscation layer for troubleshooting by simply using powershell is easier.
|
# ? Mar 9, 2018 20:35 |
|
Happiness Commando posted:I'm an even dumber exchange baby and I need help too.

Try providing the credentials of an Office 365 global admin as the $creds variable
|
# ? Mar 9, 2018 20:38 |
|
I appreciate all of you helping me. Get-moverequest returns nothing. It accepts the command and puts me back at the prompt again - it seems like whatever permissions problem is happening is happening even before the request can go in the queue (or something) I am an O365 global admin. There is a GUI option, but it only lists my on prem servers. There's supposed to be a "migrate to exchange online" option that isn't there. I'm not convinced that the hybrid configuration was completed correctly, for this and other reasons... And I have some exchange and PS experience, but obviously not enough. My old posts belong in the small shop thread, my MSP focused on 10-20 user offices. We did SBS exchange or 20 O365 users, not anything like this operation (which admittedly is still quite small in the scheme of things) Happiness Commando fucked around with this message at 20:48 on Mar 9, 2018 |
# ? Mar 9, 2018 20:42 |
|
Thanks Ants posted:Try providing the credentials of an Office 365 global admin as the $creds variable

oh dear that is way better than my suggestion. The source of the mapi errors will probably be the Office365 database and not the local one I think. Kind of unusual but it makes sense
|
# ? Mar 9, 2018 20:43 |
|
Happiness Commando posted:There is a GUI option, but it only lists my on prem servers. There's supposed to be a "migrate to exchange online" option that isn't there. I'm not convinced that the hybrid configuration was completed correctly, for this and other reasons...

That option should be visible in the Exchange Online GUI. If it isn’t, check the status of the Hybrid tab over there. It will let you rerun the hybrid configuration wizard if need be (which will complain about your CU patch level probably...)
|
# ? Mar 9, 2018 20:45 |
|
I'm worried about re-running the configuration wizard and toppling this house of cards 😓 going to talk to the boss about it...
|
# ? Mar 9, 2018 20:49 |
|
Just to be sure, but the powershell you're running is against Exchange Online and not the on prem Exchange instance? Have you been able to move other mailboxes successfully? Where does the user object for the shared account live in your on prem AD, and does that OU, parent OU(s), or user object block inheritance? Exchange commandlets run as the Exchange Server and your permissions are evaluated at the application level, so you would need to make sure that the Exchange Trusted Subsystem has access to the user object. Something else to do may be to try a local move on prem between databases and see if that works. That way you can isolate the problem to hybrid issues or local permissions.
|
# ? Mar 10, 2018 03:52 |
|
When I ran it against Exchange Online, I got an error message that Google said indicated that I needed to run it against on prem. I double checked AD and inheritance looks correct and the Exchange trusted subsystem has permissions. I also tried moving mailboxes locally, and it didn't work, but isn't necessarily indicative of the problem - the only local mailbox server I could move it to is Exchange 2010 SP 3 (from 2016) and the error I got was "the mailbox database is not the same version as the cmdlet"

I did spend a couple hours planning out everything involved in upgrading to 2016 CU 8 and 2010 SP3 RU 19.

Here's how I got around it in the end:
- Make on prem mailbox and AD account in on prem EAC
- assign O365 license
- disable on prem mailbox
- enable-remotemailbox
- change cloud mailbox to shared
- edit AD object attributes to make it a shared mailbox as well

Now I'm just waiting on send as delegation to propagate. Thanks for the help everyone.
|
# ? Mar 13, 2018 17:54 |
|
Does anyone know if it's possible in Exchange2010 to do a complex powershell search? To clarify, it's a legal email discovery thing. The lawyers want searches for Word1 *within two words of* Word2, etc. I've done all the simple searches they wanted, but these complex ones are giving me trouble. While Powershell in Exchange2016 appears to be able to use a "NEAR" function for this, it doesn't seem to apply to Exchange2010.
|
# ? Mar 27, 2018 01:27 |
|
MrMojok posted:Does anyone know if it's possible in Exchange2010 to do a complex powershell search? To clarify, it's a legal email discovery thing. The lawyers want searches for Word1 *within two words of* Word2, etc. I've done all the simple searches they wanted, but these complex ones are giving me trouble.

I don't think it is. I dealt with the same issue on Exchange 2010, and only found 2 ways to work around it cheaply.
1) Export to PST and import into dtSearch.
2) Export to PST and import into a test env I set up with Ex2016.

I did a sort of combo. Used dtSearch to quickly scan through a pile of PSTs and see if the searches turned up anything. Once the lawyers actually narrowed down the final search terms and emails they wanted, I imported PSTs into my Ex2016 env, and used the eDiscovery tools to search and export the matches into separate PSTs. Hit a few gotchas with things like wildcards being different and Ex2016 not liking nested NEAR statements, but it worked. For example, I couldn't do (Word1 NEAR(5) (Word2 OR Word3)), but ((Word1 NEAR(5) Word2) OR (Word1 NEAR(5) Word3)) was totally fine.

It was a huge pain in the rear end, but the prices the proper eDiscovery/Forensic companies wanted were far outside anything we could have afforded at the time. And it did work quite well, search results between dtSearch and Ex2016 were near identical, with the only differences caused by false hits on things like email headers or junk inside attachments.
|
# ? Mar 27, 2018 07:52 |
|
Just uninstalled the last exchange 2010 box in our environment we had around for legal hold restore purposes! The only exchange bullshit I have to deal with now is two 2016 servers in HA for internal SMTP relay and exchange attribute editing, everything else is O365.
|
# ? Mar 27, 2018 14:28 |
|
devmd01 posted:Just uninstalled the last exchange 2010 box in our environment we had around for legal hold restore purposes!

I am SLOWLY moving everything from using an IIS relay or OnPrem Exchange relay, to just using O365. I have a feeling though, it will be at least a year before I finally rid myself of OnPrem exchange.
|
# ? Mar 27, 2018 15:01 |
|
JBark posted:I don't think it is. I dealt with the same issue on Exchange 2010, and only found 2 ways to work around it cheaply.

Thanks for this. At least I have a better idea now of what I'm up against. I'll find some third-party app that can do the complex searches.
|
# ? Mar 27, 2018 22:34 |
|
MrMojok posted:Thanks for this. At least I have a better idea now of what I'm up against. I'll find some third-party app that can do the complex searches.

It's a pain in the rear end to do but there are decent tools out there. Combining simple queries that gather too much data and targeting the discovery mailbox you dumped them in with a more finely grained query also works sometimes but it requires more creativity than compliance people might be willing to deal with. At least while you're on-prem you can exert some influence on content indexing whereas in Exchange Online an eDiscovery search for the whole organisation usually ends up looking like this:

Hits:
Indexed Items 2.561 items (76 MB)
Unindexed Items: 7.632.235 items (164 GB)

Exporting the indexed results might work out fine but depending on the circumstances I can imagine auditors not accepting that you simply neglect that pile of unindexed items when they want all data on a specific set of keywords. And then you're poo poo out of luck because the pile of unindexed items in ExchOnline is big and nigh static
|
# ? Mar 28, 2018 12:11 |
|
My boss and I had both read in a couple of places that we couldn’t use NEAR in discovery searches on exchange 2010, then another guy in our group found a post somewhere saying you can in SP2 and above. We’d previously read that it couldn’t be done, and so just never tried it. But lo and behold, it does work. The exact syntax of the search was a little tricky as jbark described up above, but after tinkering a little while we got it to work.
|
# ? Mar 31, 2018 19:30 |
We have a weird issue where intermittently attachments are being stripped of file extensions. Doesn't matter attachment method but so far attachments originate from within the outlook client via drag and drop or attach outlook item. Pretty sure it's an addon but looking to confirm nobody else has encountered this. On prem 2016
|
|
# ? Apr 5, 2018 14:39 |
|
Submarine Sandpaper posted:We have a weird issue where intermittently attachments are being stripped of file extensions. Doesn't matter attachment method but so far attachments originate from within the outlook client via drag and drop or attach outlook item. Pretty sure it's an addon but looking to confirm nobody else has encountered this. On prem 2016

Before you even send them or after you receive them? If the latter that's the content scanning transport agent doing its thing but it converts a 'bad' attachment into a text file saying that it did. The former doesn't really ring a bell. Any specific types of files?
|
# ? Apr 5, 2018 18:38 |
It's on sent items, so far .pdfs and .msgs which are examined but "ignored" by our metadata tool. What's very odd is that once the extension is stripped .msg attachments need the .eml extension to open. Your instinct of received items sorta shows that this probably isn't an exchange issue.
|
|
# ? Apr 5, 2018 18:59 |
This is a really weird one. Two of my co-workers here in IT suddenly had John Doe's mailbox pop up in their Outlook 2010 panes. Neither of them have John Doe's mailbox added to their accounts via Account Settings, nor does get-mailboxpermission or get-mailboxfolderpermission list them. Closing/reopening Outlook does not fix, nor does logging off of Windows and back on. Get-mailboxpermission does list a bunch of SIDs, but get-aduser for my IT users, gave me their SIDs and those SIDs are not on the get-mailboxpermission list. They also received his archive folders (standard Exchange archive DB setup) and can view/make changes to his calendar. I went over to John Doe's machine and confirmed he hadn't set up anyone at all as a delegate. We are all members of a security group for IT, but that security group only has ReadPermission rights to the mailbox. Anything else I can try here?
|
|
# ? Apr 18, 2018 19:55 |
|
MJP posted:This is a really weird one. Two of my co-workers here in IT suddenly had John Doe's mailbox pop up in their Outlook 2010 panes. Neither of them have John Doe's mailbox added to their accounts via Account Settings, nor does get-mailboxpermission or get-mailboxfolderpermission list them. Closing/reopening Outlook does not fix, nor does logging off of Windows and back on. Get-mailboxpermission does list a bunch of SIDs, but get-aduser for my IT users, gave me their SIDs and those SIDs are not on the get-mailboxpermission list.

Strange issue, here's a few pretty far fetched things to check before someone chimes in with something far more reasonable. Maybe they'll help

Does the user have anyone in the AD attribute msExchDelegateListLink? Do the users that suddenly automap John Doe have a reference to him in the msExchDelegateListBL attribute? If so, that would explain the automapping.

If get-mailboxpermission lists SIDs they generally aren't active users any more but maybe they match with the SIDs listed in the SIDhistory AD attribute of the IT users.

The automapping doesn't do anything without full access permissions, but maybe John also somehow set the mailbox folder permissions for anonymous or everyone (i.e. authenticated users) to reviewer on his calendar? That part would explain why you can also edit his calendar.
|
# ? Apr 19, 2018 16:33 |
|
So even though my permissions on the Public Folder I am working with are set as follows: When I try to either create a subfolder or drag/drop a folder in there, I get this: Am I missing something very obvious? edit: Never mind. Apparently dropping the item onto the folder under "All Public Folders" but not under "Favorites" AlternateAccount fucked around with this message at 17:46 on Apr 19, 2018 |
# ? Apr 19, 2018 17:42 |
Old Binsby posted:Strange issue, here's a few pretty far fetched things to check before someone chimes in with something far more reasonable. Maybe they'll help

You basically nailed it - I escalated to my corporate IT counterparts to bounce off them while I was researching/asking here and elsewhere, and since I'd granted our admin account permissions to his mailbox via add-mailboxpermission, that iterated the automap function onto users who had added the admin account as an additional email account rather than an additional inbox. The two IT co-workers had added it as an additional email account, thus they got it via automap. Blew away the profile, readded the admin account as an additional inbox, issue did not recur.
|
|
# ? Apr 19, 2018 20:19 |
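The checks suggested in the two posts above (explicit FullAccess grants, the msExchDelegateListLink automap list, its back-link and sIDHistory), collected into one audit as an added example; it is not code from the thread. The mailbox alias, the affected user names and the trustee passed to the helper are hypothetical, and the helper at the end re-grants FullAccess with automapping disabled, which is one way to avoid the behaviour rather than the fix the poster used.

```powershell
# Added example, not from the thread. All identities below are hypothetical.
Import-Module ActiveDirectory

$mailbox  = 'jdoe'              # mailbox that showed up unexpectedly
$affected = 'alice', 'bob'      # sAMAccountNames of the users who saw it

# 1. Explicit (non-inherited) FullAccess grants on the mailbox. Entries that
#    show as raw SIDs did not resolve to a current account.
$grants = Get-MailboxPermission -Identity $mailbox |
    Where-Object { ($_.AccessRights -like '*FullAccess*') -and
                   -not $_.IsInherited -and -not $_.Deny }
$grantNames = @($grants | ForEach-Object { "$($_.User)" })
$grants | Select-Object User, AccessRights,
    @{ n = 'UnresolvedSid'; e = { "$($_.User)" -like 'S-1-5-*' } } |
    Format-Table -AutoSize

# 2. Automap list on the mailbox owner: DNs of accounts whose Outlook
#    profile will add this mailbox automatically.
$owner = Get-ADUser -Identity (Get-Mailbox $mailbox).DistinguishedName `
                    -Properties msExchDelegateListLink
$automapped = @($owner.msExchDelegateListLink)

# 3. For each affected user: are they on the automap list, is the back-link
#    present, and does any SID in their sIDHistory match a grant from step 1?
foreach ($name in $affected) {
    $u = Get-ADUser -Identity $name -Properties msExchDelegateListBL, sIDHistory
    $oldSids = @($u.sIDHistory | ForEach-Object { $_.Value })
    [pscustomobject]@{
        User            = $u.SamAccountName
        OnAutomapList   = $automapped -contains $u.DistinguishedName
        BackLinkPresent = @($u.msExchDelegateListBL) -contains $owner.DistinguishedName
        SidHistoryGrant = [bool]($oldSids | Where-Object { $grantNames -contains $_ })
    }
}

# 4. Helper: replace an existing FullAccess grant with one that does not
#    automap. Call it deliberately, per trustee, after reviewing the output.
function Reset-FullAccessWithoutAutomap {
    param([Parameter(Mandatory)][string]$Mailbox,
          [Parameter(Mandatory)][string]$Trustee)
    Remove-MailboxPermission -Identity $Mailbox -User $Trustee `
        -AccessRights FullAccess -InheritanceType All -Confirm:$false
    Add-MailboxPermission -Identity $Mailbox -User $Trustee `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $false
}
```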
|
MJP posted:You basically nailed it - I escalated to my corporate IT counterparts to bounce off them while I was researching/asking here and elsewhere, and since I'd granted our admin account permissions to his mailbox via add-mailboxpermission, that iterated the automap function onto users who had added the admin account as an additional email account rather than an additional inbox. The two IT co-workers had added it as an additional email account, thus they got it via automap. Blew away the profile, readded the admin account as an additional inbox, issue did not recur.

Good stuff. You're just sharing an admin mailbox, not a single actual privileged Exchange account though, right?
|
# ? Apr 19, 2018 20:38 |
Old Binsby posted:Good stuff. You're just sharing an admin mailbox, not a single actual privileged Exchange account though, right?

Yeah, it's delegated domain admin rights for the OU that my group is in charge of. Nothing special about its mailbox other than the AD account itself has permissions to all Exchange users in this OU.
|
|
# ? Apr 23, 2018 20:45 |
|
Spitballing an idea here. When external senders blast an email to several staff members as well as our help desk address, there are people in our company that will just hit reply-all and this ends up creating multiple tickets. I’m planning on making a transport rule that adds a banner to the top of messages that land into a user’s mailbox when the message was also sent into a help desk queue basically telling people to respond through the software rather than email.

The bit that I think makes this tricky is that I don’t want the banner to appear on the message being sent to the help desk queue - if I add a filter to exclude messages with the relevant mailboxes in the recipients list then it’s not going to match anything because I think Exchange just sees it as one message as it passes through the transport rules and then expands it afterwards if there are multiple recipients. Is there a different approach I can take here?

Edit: I can set a custom MailTip on the mailbox which will cover off most of what I want to do, but it will pop up for new messages and also won’t show anything to native iOS users. I’ll start with that though.

Thanks Ants fucked around with this message at 08:42 on Apr 24, 2018 |
# ? Apr 24, 2018 08:35 |
|
super late but did you manage this? I know there is a way for transport servers to trigger expanding messages with multiple recipients into separate messages and then applying rules to individual versions, a bit like distribution group expansion. I always forget how it works. If you route a message over a separate send connector you’re guaranteed this will happen, I think, so then you can rewrite the subject as you please excepting messages To: help desk. There are more practical ways, though
|
# ? May 3, 2018 11:02 |
|
Just went with Mailtips in the end, didn't have the time to spare on looking too closely at the different routing options.
|
# ? May 3, 2018 12:04 |
|
What the HELL has happened to this user's mailbox? I've never seen Clutter go so entirely tits-up. She's not received ANY email since yesterday afternoon. We also received an alert that something had created a forwarding rule for her account, but we can't find anything in the audit logs corresponding to that event. Does it look to you like everything is getting auto-purged? What is Clutter's role in this? I can't find anything about this online. Has someone or something hijacked her mailbox? What the efff. Edit: Lol okay she got hijacked, nvm. my cat is norris fucked around with this message at 14:27 on Jun 19, 2018 |
# ? Jun 19, 2018 14:03 |
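A triage check for the situation in the post above (a forwarding-rule alert, mail that never arrives, nothing obvious in the audit logs), added here as an example and not part of the original post. The mailbox address and the 14-day window are assumptions; run it in an Exchange Management Shell or Exchange Online PowerShell session.

```powershell
# Added example, not from the thread. Mailbox address is hypothetical.
$mailbox = 'user@contoso.com'
$since   = (Get-Date).AddDays(-14)      # assumed look-back window

# 1. Forwarding set on the mailbox itself (independent of inbox rules),
#    plus whether mailbox auditing is on at all for this mailbox.
$mbx = Get-Mailbox -Identity $mailbox
$mbx | Format-List ForwardingAddress, ForwardingSmtpAddress,
                   DeliverToMailboxAndForward, AuditEnabled, AuditOwner

# 2. Inbox rules that send mail elsewhere or make it disappear.
$findings = foreach ($rule in Get-InboxRule -Mailbox $mailbox) {
    $reasons = @()
    if ($rule.ForwardTo)             { $reasons += 'forwards' }
    if ($rule.ForwardAsAttachmentTo) { $reasons += 'forwards as attachment' }
    if ($rule.RedirectTo)            { $reasons += 'redirects' }
    if ($rule.DeleteMessage)         { $reasons += 'deletes' }
    if ($rule.MoveToFolder)          { $reasons += "moves to '$($rule.MoveToFolder)'" }
    if ($rule.MarkAsRead)            { $reasons += 'marks as read' }
    if ($reasons) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) +
                   @($rule.RedirectTo) | Where-Object { $_ }
        [pscustomobject]@{
            Name    = $rule.Name
            Enabled = $rule.Enabled
            Reasons = $reasons -join ', '
            Targets = $targets -join '; '
        }
    }
}
$findings | Sort-Object Enabled -Descending | Format-Table -Wrap

# 3. Admin audit log: cmdlet-driven changes to rules and forwarding in the
#    window. This only covers changes made through cmdlets, so an empty
#    result does not rule out a rule created some other way.
Search-AdminAuditLog -Cmdlets New-InboxRule, Set-InboxRule, Set-Mailbox `
                     -StartDate $since -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Sort-Object RunDate |
    Format-Table -AutoSize
```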
|
I am in the midst of moving email from Exchange 2010 running on SBS to an Exchange 2016/Office 365 hybrid environment. I've reached the point where I've moved mailboxes to Exchange 2016 and subsequently to Office 365. Everything on the mailbox works fine except the mobile redirect feature. From what I understand the mobile device should look at the on-prem mail server and then be redirected to Office 365. That isn't happening. In the research I've done so far I found that apparently there is supposed to be an organization relationship set up between the on-prem server and Office 365 after the initial hybrid configuration wizard is run. That never happened. I do a get-organizationrelationship in Powershell and nothing is returned. I tried to run a new-organizationrelationship and fill in details for the TargetOWAURL (the attribute which is apparently used for redirect) but I'm not really sure what I'm doing. Anyone been through this before?
|
# ? Jul 15, 2018 21:13 |
|
I should add - I can delete and recreate the email account on a mobile device and it gets re-added correctly. I'm just really trying to avoid having to walk remote employees through that process.
|
# ? Jul 15, 2018 21:27 |
|
Okay, I've actually got the on-prem server pushing new attributes to mobile devices. I created a new organization relationship using info that I got from the federation relationship for our hybrid environment. So I can see on my mobile device that the on-prem server pushed the attributes to my device, but apparently I put something in wrong or I'm missing an attribute. My iPhone keeps prompting for a password. At least I got the redirect working in principle.
|
# ? Jul 15, 2018 22:45 |
|
I'm just gonna keep updating as I progress - I had to type in the UPN format from my iPhone as my username and then it worked. The problem is pretty much every device is set up with domain\username format.

So yeah, the fix was:
- Configure the organization relationship between on-prem and Office 365 because somehow it wasn't configured when I ran the hybrid configuration wizard.
- Enter credentials in the UPN format since that is how the Azure AD Connect syncs accounts with Office 365.

Ehud fucked around with this message at 01:31 on Jul 16, 2018 |
# ? Jul 16, 2018 01:10 |
|
I've been tasked to migrate AD Users and their Exchange 2013 mailboxes from one forest to another. The new forest is completely fresh, as is the new Exchange 2016 server. I've managed AD a bit but I'm not that knowledgeable about it, and I'm used to tiny postfix/dovecot email servers, not Exchange. The end goal is to get everyone off the old forest. Has anyone had success doing this kind of migration? I've been poking at it with ADMT and Prepare-MoveRequest.ps1 for a few days and I keep running into walls - duplicate GUIDs while trying to migrate mailboxes, our test user's password not coming over.
|
# ? Jul 25, 2018 23:58 |