Will Styles
Jan 19, 2005


Aunt Beth posted:

I've got an Exchange 2013 on-prem deployment and I've been working more and more with RBAC. I've created a new role based on MailRecipients with permissions to run the Get-Mailbox command, but it can't use the -Database flag to get a mailbox on a particular. How do I add particular flags to a command a role is assigned? Sorry for the dumb question, I'm a bit of an Exchange baby.

RBAC roles can only inherit permissions that the parent role already has. Looking at the parameters available to Mail recipients shows that the -Database parameter is not available. You can use the below to see what parameters are available for Get-Mailbox, but you can create another role that's a child of "View-Only Recipients" which should have the Database parameter for Get-Mailbox.

In general, you can see the commands available to a role by using an asterisk, and then see the parameters available to each command by looking at the specific management role entry. You can then add or set the parameters available to that management role entry by using Set-ManagementRoleEntry commandlet.

code:
# Get the available role entries for a given role
Get-ManagementRoleEntry "Mail Recipients\*"

# Get the parameters for a specific role entry
(Get-ManagementRoleEntry "Mail Recipients\Get-Mailbox").Parameters

# Adjust the parameters of a custom role entry: -AddParameter appends to the
# existing list, -Parameters replaces it outright
Set-ManagementRoleEntry "Custom View-Only Recipients\Get-Mailbox" -AddParameter "Database"
Set-ManagementRoleEntry "Custom View-Only Recipients\Get-Mailbox" -Parameters "Database","Identity","Server","ResultSize","SortBy"
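The full sequence the post describes, as an added example rather than Will Styles' own code: derive a child role from "View-Only Recipients", confirm the parent actually carries -Database first (a child can never gain a parameter its parent lacks), trim the Get-Mailbox entry to the parameters the helpdesk needs, and expose it through a role group. The role and role group names are assumptions.

```powershell
# Added example; run in the Exchange Management Shell as an Organization Management member.
$ParentRole = "View-Only Recipients"
$ChildRole  = "Custom View-Only Recipients"   # assumed name
$RoleGroup  = "Helpdesk Mailbox Lookup"       # assumed name

# 1. A child role can only inherit what the parent already has, so check the
#    parent entry before creating anything.
$parentEntry = Get-ManagementRoleEntry "$ParentRole\Get-Mailbox"
if ($parentEntry.Parameters -notcontains "Database") {
    throw "Parent role '$ParentRole' does not expose -Database on Get-Mailbox; choose a different parent."
}

# 2. Create the child role. It starts as a full copy of the parent's entries.
if (-not (Get-ManagementRole -Identity $ChildRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $ChildRole -Parent $ParentRole | Out-Null
}

# 3. Restrict Get-Mailbox on the child to exactly the parameters needed.
#    -Parameters replaces the whole list, so anything not named here is dropped.
Set-ManagementRoleEntry -Identity "$ChildRole\Get-Mailbox" `
    -Parameters "Identity","Database","Server","ResultSize","SortBy"

# 4. Assign the role through a role group rather than directly to users, so
#    membership is auditable with Get-RoleGroupMember.
if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroup -Roles $ChildRole | Out-Null
} else {
    New-ManagementRoleAssignment -Role $ChildRole -SecurityGroup $RoleGroup | Out-Null
}

# 5. Verify: the entry now lists only the parameters set above.
(Get-ManagementRoleEntry "$ChildRole\Get-Mailbox").Parameters

# Optional: list every cmdlet the child role still carries, to confirm nothing
# beyond read-only recipient cmdlets slipped in from the parent.
Get-ManagementRoleEntry "$ChildRole\*" | Select-Object Name, Parameters
```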


Aunt Beth
Feb 23, 2006

Baby, you're ready!


Will Styles posted:

RBAC roles can only inherit permissions that the parent role already has. Looking at the parameters available to Mail recipients shows that the -Database parameter is not available. You can use the below to see what parameters are available for Get-Mailbox, but you can create another role that's a child of "View-Only Recipients" which should have the Database parameter for Get-Mailbox.

In general, you can see the commands available to a role by using an asterisk, and then see the parameters available to each command by looking at the specific management role entry. You can then add or set the parameters available to that management role entry by using Set-ManagementRoleEntry commandlet.
Thank you! My Google skills were failing me on this one.

Happiness Commando
Feb 1, 2002
$$ joy at gunpoint $$



I'm an even dumber exchange baby and I need help too.

Hybrid exchange with an on prem shared mailbox that I am trying to move to the cloud. I've been getting error message after error message. I finally got to the point where
New-MoveRequest -Identity "sharedboxonprem" -Remote -RemoteHostName "mail.contoso.com" -TargetDeliveryDomain "contoso.mail.onmicrosoft.com" -RemoteCredential $creds
(where $creds is CONTOSO\mydomainadminaccount)
Gives me a MapiExceptionNoAccess unable to open message store 80070005 error

So it's a problem with permissions - but my user account is a domain administrator and has full rights to the mailbox I'm moving.

Sorry for the phone formatting, I'm not yet comfortable logging in to SA on my work computer

Happiness Commando fucked around with this message at Mar 9, 2018 around 17:38

Old Binsby
Jun 27, 2014


I'm fairly sure I've run into that one but I forgot what the issue was. Couple things you can check: is the identifier you use to select the mailbox you want to move unique for that mailbox? There are some cases (I think this was in the Ex2010 days) where you could generate the strangest mapi access errors because checks on whether an smtp address is unique didn't apply correctly in all cases (so you could assign the same address to a user as well as to a contact for instance). Try using the mailbox guid, that one is always unique.

You are a member of the Organization Management role group, right?

Are your servers patched up to the latest CU? They need to be but you'll probably notice other issues if they aren't

Does the mailbox you're moving have a public folder database attribute and/or a null HomeDB attribute? Fix a null HomeDB attribute and remove the PF database attribute unless that PF database actually exists.

You can add the -Verbose parameter to see more output of the move process as well, I think, or it might be in get-moverequeststatistics when you expand the error or progress attributes. Could be helpful.

e.: this actually sounds really familiar. Not that much effort to do so; despite the old Exchange version that page details, it might be worth checking

Old Binsby fucked around with this message at Mar 9, 2018 around 18:26
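The checks Old Binsby lists, collected into one pre-flight script. This is an added example, not code from the thread; it assumes the on-prem Exchange Management Shell with the ActiveDirectory module loaded, and the mailbox name is a constructed sample.

```powershell
# Added example: pre-flight checks before retrying a remote New-MoveRequest.
Import-Module ActiveDirectory
$Identity = "sharedboxonprem"   # constructed sample; the mailbox being moved

$mbx  = Get-Mailbox -Identity $Identity -ErrorAction Stop
$smtp = $mbx.PrimarySmtpAddress.ToString()

# 1. Uniqueness: does any other recipient (user, contact, group) carry the same address?
$hits = @(Get-Recipient -ResultSize Unlimited -Filter "EmailAddresses -eq 'smtp:$smtp'")
if ($hits.Count -gt 1) {
    Write-Warning "Address $smtp is not unique: $($hits.Name -join ', ')"
}
"Unambiguous identity for the move: $($mbx.ExchangeGuid)"

# 2. Organization Management membership (direct members only; nested groups
#    are not expanded here).
$meDn    = (Get-User -Identity $env:USERNAME).DistinguishedName
$members = Get-RoleGroupMember -Identity "Organization Management" -ResultSize Unlimited
if (-not ($members | Where-Object { $_.DistinguishedName -eq $meDn })) {
    Write-Warning "$env:USERNAME is not a direct member of Organization Management"
}

# 3. HomeDB on the user object, and the public folder database attribute on
#    the mailbox database (the attribute Old Binsby refers to).
$ad = Get-ADUser -Identity $mbx.SamAccountName -Properties homeMDB
if (-not $ad.homeMDB) { Write-Warning "homeMDB is null on $($mbx.SamAccountName)" }
$db = Get-MailboxDatabase -Identity $mbx.Database
if ($db.PublicFolderDatabase) {
    "Database '$($db.Name)' references PF database '$($db.PublicFolderDatabase)'; confirm it still exists"
}

# 4. Patch level of every server; the thread says hybrid needs current or n-1 CU.
Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion

# 5. If a request exists, pull the full report rather than the summary line.
$mr = Get-MoveRequest -Identity $mbx.ExchangeGuid.ToString() -ErrorAction SilentlyContinue
if ($mr) {
    $stats = Get-MoveRequestStatistics -Identity $mr.Identity -IncludeReport
    $stats | Format-List Status, StatusDetail, PercentComplete, FailureType, Message
    $stats.Report.Entries | Select-Object -Last 10 | Format-List CreationTime, Message
} else {
    "No move request exists for $Identity: the failure occurred before the request was queued."
}
```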

Happiness Commando
Feb 1, 2002
$$ joy at gunpoint $$



Mailbox identity is unique. I am a member of Organization Management. The homedb *isn't* null. Get-moverequeststatistics is empty.

I can't find where the public folder attribute is. Also we are 2 CUs behind.

This sucks, it's for a C level and I haven't figured hardly anything out yet, it's only my third week.

Old Binsby
Jun 27, 2014


Happiness Commando posted:

Mailbox identity is unique. I am a member of Organization Management. The homedb *isn't* null. Get-moverequeststatistics is empty.

I can't find where the public folder attribute is. Also we are 2 CUs behind.

This sucks, it's for a C level and I haven't figured hardly anything out yet, it's only my third week.

third week working with exchange as well? My sympathies in any case, it can be quite the challenge to figure these kinds of errors out even if you've done this much longer

anyway you can be one CU behind for a valid hybrid deployment according to microsoft and I religiously keep up so I'm not sure what being 2 behind will do. It's probably not the most likely suspect here but if you're able you should patch them up to current or one behind. The Public Folder Database attribute is set on a mailbox database, you can read it from there.

I'm not near an exchange server or my pc so I could be off on the details here but if you use get-moverequest, you have a failed moverequest, right? If you output that using Format-list (i.e. fl, apologies if it sounds like I'm seriously underestimating how much powershell you know) there's one attribute with a value that's quite long usually. It should contain info on which steps the moverequest has been through and there might also be an error attribute that I believe you can expand on with select -expandproperty [errorattributename]. But like I said, I thought it was in moverequeststatistics. Do you see anything there?

Oh and do check the mailbox database permissions like the post in my edit describes, that trick has saved me once or twice

e removed double quote

Old Binsby fucked around with this message at Mar 9, 2018 around 19:23

Submarine Sandpaper
May 27, 2007

ASK ME ABOUT HOW I GHOULISHLY CELEBRATE THE DEATH OF CHILDREN TO TEACH THEIR PARENTS "A LESSON"


I'm not in hybrid but isn't there a GUI option for moving mailboxes?

Old Binsby
Jun 27, 2014


Submarine Sandpaper posted:

I'm not in hybrid but isn't there a GUI option for moving mailboxes?

there is, it generates the parameters for new-moverequest and then runs that cmdlet. It's fine if it works but removing that obfuscation layer for troubleshooting by simply using powershell is easier.

Thanks Ants
May 21, 2004

Bless You Ants, Blants




Happiness Commando posted:

I'm an even dumber exchange baby and I need help too.

Hybrid exchange with an on prem shared mailbox that I am trying to move to the cloud. I've been getting error message after error message. I finally got to the point where
New-MoveRequest -Identity "sharedboxonprem" -Remote -RemoteHostName "mail.contoso.com" -TargetDeliveryDomain "contoso.mail.onmicrosoft.com" -RemoteCredential $creds
(where $creds is CONTOSO\mydomainadminaccount)
Gives me a MapiExceptionNoAccess unable to open message store 80070005 error

So it's a problem with permissions - but my user account is a domain administrator and has full rights to the mailbox I'm moving.

Sorry for the phone formatting, I'm not yet comfortable logging in to SA on my work computer

Try providing the credentials of an Office 365 global admin as the $creds variable

Happiness Commando
Feb 1, 2002
$$ joy at gunpoint $$



I appreciate all of you helping me. Get-moverequest returns nothing. It accepts the command and puts me back at the prompt again - it seems like whatever permissions problem is happening is happening even before the request can go in the queue (or something)

I am an O365 global admin.

There is a GUI option, but it only lists my on prem servers. There's supposed to be a "migrate to exchange online" option that isn't there. I'm not convinced that the hybrid configuration was completed correctly, for this and other reasons...


And I have some exchange and PS experience, but obviously not enough. My old posts belong in the small shop thread, my MSP focused on 10-20 user offices. We did SBS exchange or 20 O365 users, not anything like this operation (which admittedly is still quite small in the scheme of things)

Happiness Commando fucked around with this message at Mar 9, 2018 around 19:48

Old Binsby
Jun 27, 2014


Thanks Ants posted:

Try providing the credentials of an Office 365 global admin as the $creds variable

oh dear that is way better than my suggestion. The source of the mapi errors will probably be the Office365 database and not the local one I think. Kind of unusual but it makes sense

Old Binsby
Jun 27, 2014


Happiness Commando posted:

There is a GUI option, but it only lists my on prem servers. There's supposed to be a "migrate to exchange online" option that isn't there. I'm not convinced that the hybrid configuration was completed correctly, for this and other reasons...

That option should be visible in the Exchange Online GUI. If it isn't, check the status of the Hybrid tab over there. It will let you rerun the hybrid configuration wizard if need be (which will complain about your CU patch level probably...)

Happiness Commando
Feb 1, 2002
$$ joy at gunpoint $$



I'm worried about re-running the configuration wizard and toppling this house of cards 😓 going to talk to the boss about it...

Will Styles
Jan 19, 2005


Just to be sure, but the powershell you're running is against Exchange Online and not the on prem Exchange instance? Have you been able to move other mailboxes successfully? Where does the user object for the shared account live in your on prem AD, and does that OU, parent OU(s), or user object block inheritance? Exchange commandlets run as the Exchange Server and your permissions are evaluated at the application level, so you would need to make sure that the Exchange Trusted Subsystem has access to the user object.

Something else to do may be to try a local move on prem between databases and see if that works. That way you can isolate the problem to hybrid issues or local permissions.

Happiness Commando
Feb 1, 2002
$$ joy at gunpoint $$



When I ran it against Exchange Online, I got an error message that Google said indicated that I needed to run it against on prem. I double checked AD and inheritance looks correct and the Exchange trusted subsystem has permissions.

I also tried moving mailboxes locally, and it didn't work, but isn't necessarily indicative of the problem - the only local mailbox server I could move it to is Exchange 2010 SP 3 (from 2016) and the error I got was "the mailbox database is not the same version as the cmdlet"

I did spend a couple hours planning out everything involved in upgrading to 2016 CU 8 and 2010 SP3 RU 19.

Here's how I got around it in the end:
- Make on prem mailbox and AD account in on prem EAC
- assign O365 license
- disable on prem mailbox
- enable-remotemailbox
- change cloud mailbox to shared
- edit AD object attributes to make it a shared mailbox as well

Now I'm just waiting on send as delegation to propagate. Thanks for the help everyone.

MrMojok
Jan 27, 2011

You really ARE a funny guy!


Does anyone know if it's possible in Exchange2010 to do a complex powershell search? To clarify, it's a legal email discovery thing. The lawyers want searches for Word1 *within two words of* Word2, etc. I've done all the simple searches they wanted, but these complex ones are giving me trouble.

While Powershell in Exchange2016 appears to be able to use a "NEAR" function for this, it doesn't seem to apply to Exchange2010.

JBark
Jun 27, 2000
Good passwords are a good idea.

MrMojok posted:

Does anyone know if it's possible in Exchange2010 to do a complex powershell search? To clarify, it's a legal email discovery thing. The lawyers want searches for Word1 *within two words of* Word2, etc. I've done all the simple searches they wanted, but these complex ones are giving me trouble.

While Powershell in Exchange2016 appears to be able to use a "NEAR" function for this, it doesn't seem to apply to Exchange2010.

I don't think it is. I dealt with the same issue on Exchange 2010, and only found 2 ways to work around it cheaply.
1) Export to PST and import into dtSearch.
2) Export to PST and import into a test env I set up with Ex2016.

I did a sort of combo. Used dtSearch to quickly scan through a pile of PSTs and see if the searches turned up anything. Once the lawyers actually narrowed down the final search terms and emails they wanted, I imported PSTs into my Ex2016 env, and used the eDiscovery tools to search and export the matches into separate PSTs. Hit a few gotchas with things like wildcards being different and Ex2016 not liking nested NEAR statements, but it worked.

For example, I couldn't do (Word1 NEAR(5) (Word2 OR Word3)), but ((Word1 NEAR(5) Word2) OR (Word1 NEAR(5) Word3)) was totally fine.

It was a huge pain in the rear end, but the prices the proper eDiscovery/Forensic companies wanted were far outside anything we could have afforded at the time. And it did work quite well, search results between dtSearch and Ex2016 were near identical, with the only differences caused by false hits on things like email headers or junk inside attachments.
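JBark's workaround for the nested-NEAR limitation, as an added example (not JBark's code): a helper that expands `Word1 NEAR(n) (Word2 OR Word3 ...)` into the flat OR-of-pairs form, then an estimate-only mailbox search built from it. The search terms, mailbox names and search name are constructed samples.

```powershell
# Added example: flatten a nested NEAR query and run it as an estimate-only search.
function Expand-NearQuery {
    param(
        [Parameter(Mandatory)][string]$Anchor,          # the term every clause is anchored on
        [Parameter(Mandatory)][string[]]$Alternatives,  # terms that would have been OR'd inside the NEAR
        [int]$Distance = 5                              # word distance for NEAR(n)
    )
    $clauses = foreach ($alt in $Alternatives) {
        # Quote multi-word phrases so they are matched as a phrase, not as separate words
        $term = if ($alt -match '\s') { "`"$alt`"" } else { $alt }
        "($Anchor NEAR($Distance) $term)"
    }
    return "(" + ($clauses -join " OR ") + ")"
}

# (merger NEAR(5) (bid OR offer OR "due diligence")) is rejected; this form is accepted:
$query = Expand-NearQuery -Anchor "merger" -Alternatives "bid","offer","due diligence" -Distance 5
# -> ((merger NEAR(5) bid) OR (merger NEAR(5) offer) OR (merger NEAR(5) "due diligence"))
$query

# Estimate first so the lawyers can sanity-check hit counts before anything is copied
# into a discovery mailbox. Source mailboxes and the search name are constructed samples.
$search = New-MailboxSearch -Name "Legal-Merger-Estimate" `
    -SourceMailboxes "user1","user2" `
    -SearchQuery $query `
    -EstimateOnly
if ($search.Status -eq "NotStarted") { Start-MailboxSearch -Identity $search.Name }

# Poll until the estimate completes, then read the counts.
Get-MailboxSearch -Identity "Legal-Merger-Estimate" | Format-List Status, Result*
```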

devmd01
Mar 7, 2006

Elektronik
Supersonik


Just uninstalled the last exchange 2010 box in our environment we had around for legal hold restore purposes!

The only exchange bullshit I have to deal with now is two 2016 servers in HA for internal SMTP relay and exchange attribute editing, everything else is O365.

Beefstorm
Jul 20, 2010

"It's not the size of the tower. It's the motion of the airwaves."



devmd01 posted:

Just uninstalled the last exchange 2010 box in our environment we had around for legal hold restore purposes!

The only exchange bullshit I have to deal with now is two 2016 servers in HA for internal SMTP relay and exchange attribute editing, everything else is O365.

I am SLOWLY moving everything from using an IIS relay or OnPrem Exchange relay, to just using O365.

I have a feeling though, it will be at least a year before I finally rid myself of OnPrem exchange.

MrMojok
Jan 27, 2011

You really ARE a funny guy!


JBark posted:

I don't think it is. I dealt with the same issue on Exchange 2010, and only found 2 ways to work around it cheaply.
1) Export to PST and import into dtSearch.
2) Export to PST and import into a test env I set up with Ex2016.

I did a sort of combo. Used dtSearch to quickly scan through a pile of PSTs and see if the searches turned up anything. Once the lawyers actually narrowed down the final search terms and emails they wanted, I imported PSTs into my Ex2016 env, and used the eDiscovery tools to search and export the matches into separate PSTs. Hit a few gotchas with things like wildcards being different and Ex2016 not liking nested NEAR statements, but it worked.

For example, I couldn't do (Word1 NEAR(5) (Word2 OR Word3)), but ((Word1 NEAR(5) Word2) OR (Word1 NEAR(5) Word3)) was totally fine.


Thanks for this. At least I have a better idea now of what I'm up against. I'll find some third-party app that can do the complex searches.

Old Binsby
Jun 27, 2014


MrMojok posted:

Thanks for this. At least I have a better idea now of what I'm up against. I'll find some third-party app that can do the complex searches.

It's a pain in the rear end to do but there are decent tools out there. Combining simple queries that gather too much data and targeting the discovery mailbox you dumped them in with a more finely grained query also works sometimes but it requires more creativity than compliance people might be willing to deal with.

At least while you're on-prem you can exert some influence on content indexing whereas in Exchange Online an eDiscovery search for the whole organisation usually ends up looking like this:
Hits: Indexed Items 2.561 items (76 MB)
Unindexed Items: 7.632.235 items (164 GB)

Exporting the indexed results might work out fine but depending on the circumstances I can imagine auditors not accepting that you simply neglect that pile of unindexed items when they want all data on a specific set of keywords. And then you're poo poo out of luck because the pile of unindexed items in ExchOnline is big and nigh static

MrMojok
Jan 27, 2011

You really ARE a funny guy!


My boss and I had both read in a couple of places that we couldn't use NEAR in discovery searches on exchange 2010, then another guy in our group found a post somewhere saying you can in SP2 and above.

We'd previously read that it couldn't be done, and so just never tried it. But lo and behold, it does work. The exact syntax of the search was a little tricky as jbark described up above, but after tinkering a little while we got it to work.

Submarine Sandpaper
May 27, 2007

ASK ME ABOUT HOW I GHOULISHLY CELEBRATE THE DEATH OF CHILDREN TO TEACH THEIR PARENTS "A LESSON"


We have a weird issue where intermittently attachments are being stripped of file extensions. Doesn't matter attachment method but so far attachments originate from within the outlook client via drag and drop or attach outlook item. Pretty sure it's an addon but looking to confirm nobody else has encountered this. On prem 2016

Old Binsby
Jun 27, 2014


Submarine Sandpaper posted:

We have a weird issue where intermittently attachments are being stripped of file extensions. Doesn't matter attachment method but so far attachments originate from within the outlook client via drag and drop or attach outlook item. Pretty sure it's an addon but looking to confirm nobody else has encountered this. On prem 2016

Before you even send them or after you receive them? If the latter that's the content scanning transport agent doing its thing but it converts a 'bad' attachment into a text file saying that it did. The former doesn't really ring a bell. Any specific types of files?

Submarine Sandpaper
May 27, 2007

ASK ME ABOUT HOW I GHOULISHLY CELEBRATE THE DEATH OF CHILDREN TO TEACH THEIR PARENTS "A LESSON"


It's on sent items, so far .pdfs and .msgs which are examined but "ignored" by our metadata tool. What's very odd is that once the extension is stripped .msg attachments need the .eml extension to open. Your instinct of received items sorta shows that this probably isn't an exchange issue.

MJP
Jun 17, 2007

Are you looking at me Senpai?


This is a really weird one. Two of my co-workers here in IT suddenly had John Doe's mailbox pop up in their Outlook 2010 panes. Neither of them have John Doe's mailbox added to their accounts via Account Settings, nor does get-mailboxpermission or get-mailboxfolderpermission list them. Closing/reopening Outlook does not fix, nor does logging off of Windows and back on. Get-mailboxpermission does list a bunch of SIDs, but get-aduser for my IT users, gave me their SIDs and those SIDs are not on the get-mailboxpermission list.

They also received his archive folders (standard Exchange archive DB setup) and can view/make changes to his calendar.

I went over to John Doe's machine and confirmed he hadn't set up anyone at all as a delegate.

We are all members of a security group for IT, but that security group only has ReadPermission rights to the mailbox.

Anything else I can try here?

Old Binsby
Jun 27, 2014


MJP posted:

This is a really weird one. Two of my co-workers here in IT suddenly had John Doe's mailbox pop up in their Outlook 2010 panes. Neither of them have John Doe's mailbox added to their accounts via Account Settings, nor does get-mailboxpermission or get-mailboxfolderpermission list them. Closing/reopening Outlook does not fix, nor does logging off of Windows and back on. Get-mailboxpermission does list a bunch of SIDs, but get-aduser for my IT users, gave me their SIDs and those SIDs are not on the get-mailboxpermission list.

They also received his archive folders (standard Exchange archive DB setup) and can view/make changes to his calendar.

I went over to John Doe's machine and confirmed he hadn't set up anyone at all as a delegate.

We are all members of a security group for IT, but that security group only has ReadPermission rights to the mailbox.

Anything else I can try here?

Strange issue, here's a few pretty far fetched things to check before someone chimes in with something far more reasonable. Maybe they'll help

Does the user have anyone in the AD attribute msExchDelegateListLink? Do the users that suddenly automap John Doe have a reference to him in the msExchDelegateListBL attribute? If so, that would explain the automapping. If get-mailboxpermission lists SIDs they generally aren't active users any more but maybe they match with the SIDs listed in the SIDhistory AD attribute of the IT users.

The automapping doesn't do anything without full access permissions, but maybe John also somehow set the mailbox folder permissions for anonymous or everyone (i.e. authenticated users) to reviewer on his calendar? That part would explain why you can also edit his calendar.

AlternateAccount
Apr 25, 2005
FYGM

So even though my permissions on the Public Folder I am working with are set as follows:



When I try to either create a subfolder or drag/drop a folder in there, I get this:



Am I missing something very obvious?

edit: Never mind. Apparently dropping the item onto the folder under "All Public Folders" but not under "Favorites"

AlternateAccount fucked around with this message at Apr 19, 2018 around 16:46

MJP
Jun 17, 2007

Are you looking at me Senpai?


Old Binsby posted:

Strange issue, here's a few pretty far fetched things to check before someone chimes in with something far more reasonable. Maybe they'll help

Does the user have anyone in the AD attribute msExchDelegateListLink? Do the users that suddenly automap John Doe have a reference to him in the msExchDelegateListBL attribute? If so, that would explain the automapping. If get-mailboxpermission lists SIDs they generally aren't active users any more but maybe they match with the SIDs listed in the SIDhistory AD attribute of the IT users.

The automapping doesn't do anything without full access permissions, but maybe John also somehow set the mailbox folder permissions for anonymous or everyone (i.e. authenticated users) to reviewer on his calendar? That part would explain why you can also edit his calendar.

You basically nailed it - I escalated to my corporate IT counterparts to bounce off them while I was researching/asking here and elsewhere, and since I'd granted our admin account permissions to his mailbox via add-mailboxpermission, that iterated the automap function onto users who had added the admin account as an additional email account rather than an additional inbox. The two IT co-workers had added it as an additional email account, thus they got it via automap. Blew away the profile, readded the admin account as an additional inbox, issue did not recur.
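The automapping checks Old Binsby suggests and the root cause MJP found, as an added example (not code from either post): read the msExchDelegateListLink / msExchDelegateListBL links, compare orphaned SIDs in Get-MailboxPermission against SIDHistory, and re-grant Full Access to a shared admin account with automapping switched off so the mailbox stops propagating to everyone who adds that account. Mailbox, account and group names are constructed samples; the ActiveDirectory module is assumed.

```powershell
# Added example: diagnose and stop unwanted automapping of a mailbox.
Import-Module ActiveDirectory
$Target  = "jdoe"              # constructed: mailbox that appeared in co-workers' Outlook
$Admin   = "CONTOSO\ex-admin"  # constructed: shared admin account with Full Access
$ItGroup = "IT"                # constructed: security group the IT staff belong to

# 1. Forward link: who does Autodiscover tell to automap the target mailbox?
$targetSam = (Get-Mailbox -Identity $Target).SamAccountName
$t = Get-ADUser -Identity $targetSam -Properties msExchDelegateListLink
"Accounts that automap $Target :"
$t.msExchDelegateListLink | ForEach-Object { (Get-ADObject -Identity $_).Name }

# 2. Back link: which mailboxes will the admin account automap in turn?
$a = Get-ADUser -Identity ($Admin -split '\\')[-1] -Properties msExchDelegateListBL
"Mailboxes automapped to $Admin :"
$a.msExchDelegateListBL | ForEach-Object { (Get-ADObject -Identity $_).Name }

# 3. Orphaned SIDs on the mailbox ACL (deleted accounts) compared with SIDHistory
#    of current IT users, Old Binsby's hypothesis.
$orphans = Get-MailboxPermission -Identity $Target |
    Where-Object { -not $_.IsInherited -and $_.User.ToString() -match '^S-1-5-' } |
    ForEach-Object { $_.User.ToString() }
"Orphaned SIDs on $Target : $($orphans -join ', ')"
Get-ADGroupMember -Identity $ItGroup -Recursive |
    Get-ADUser -Properties SIDHistory |
    Where-Object { $_.SIDHistory | Where-Object { $orphans -contains $_.Value } } |
    Select-Object SamAccountName, @{n='MatchedSidHistory';e={ $_.SIDHistory.Value -join ',' }}

# 4. Automapping is decided when Full Access is granted, so remove and re-grant
#    without it. Admin and service accounts should always be granted this way.
Remove-MailboxPermission -Identity $Target -User $Admin -AccessRights FullAccess -Confirm:$false
Add-MailboxPermission    -Identity $Target -User $Admin -AccessRights FullAccess -AutoMapping:$false

# 5. Verify the forward link no longer lists the admin account.
(Get-ADUser -Identity $targetSam -Properties msExchDelegateListLink).msExchDelegateListLink
```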

Old Binsby
Jun 27, 2014


MJP posted:

You basically nailed it - I escalated to my corporate IT counterparts to bounce off them while I was researching/asking here and elsewhere, and since I'd granted our admin account permissions to his mailbox via add-mailboxpermission, that iterated the automap function onto users who had added the admin account as an additional email account rather than an additional inbox. The two IT co-workers had added it as an additional email account, thus they got it via automap. Blew away the profile, readded the admin account as an additional inbox, issue did not recur.

Good stuff. You're just sharing an admin mailbox, not a single actual privileged Exchange account though, right?

MJP
Jun 17, 2007

Are you looking at me Senpai?


Old Binsby posted:

Good stuff. You're just sharing an admin mailbox, not a single actual privileged Exchange account though, right?

Yeah, it's delegated domain admin rights for the OU that my group is in charge of. Nothing special about its mailbox other than the AD account itself has permissions to all Exchange users in this OU.

Thanks Ants
May 21, 2004

Bless You Ants, Blants




Spitballing an idea here. When external senders blast an email to several staff members as well as our help desk address, there are people in our company that will just hit reply-all and this ends up creating multiple tickets. I'm planning on making a transport rule that adds a banner to the top of messages that land into a users mailbox when the message was also sent into a help desk queue basically telling people to respond through the software rather than email.

The bit that I think makes this tricky is that I don't want the banner to appear on the message being sent to the help desk queue - if I add a filter to exclude messages with the relevant mailboxes in the recipients list then it's not going to match anything because I think Exchange just sees it as one message as it passes through the transport rules and then expands it afterwards if there are multiple recipients.

Is there a different approach I can take here?

Edit: I can set a custom MailTip on the mailbox which will cover off most of what I want to do, but it will pop up for new messages and also won't show anything to native iOS users. I'll start with that though.

Thanks Ants fucked around with this message at Apr 24, 2018 around 07:42

Old Binsby
Jun 27, 2014


super late but did you manage this? I know there is a way for transport servers to trigger expanding messages with multiple recipients into separate messages and then applying rules to individual versions, a bit like distribution group expansion. I always forget how it works. If you route a message over a separate send connector you're guaranteed this will happen, I think, so then you can rewrite the subject as you please excepting messages To: help desk. There are more practical ways, though

Thanks Ants
May 21, 2004

Bless You Ants, Blants




Just went with Mailtips in the end, didn't have the time to spare on looking too closely at the different routing options.


my cat is norris
Mar 11, 2010

#onecallcat




What the HELL has happened to this user's mailbox? I've never seen Clutter go so entirely tits-up. She's not received ANY email since yesterday afternoon. We also received an alert that something had created a forwarding rule for her account, but we can't find anything in the audit logs corresponding to that event. Does it look to you like everything is getting auto-purged? What is Clutter's role in this? I can't find anything about this online. Has someone or something hijacked her mailbox? What the efff.



Edit: Lol okay she got hijacked, nvm.

my cat is norris fucked around with this message at Jun 19, 2018 around 13:27
