Exchange: Addresslist and Dynamic Distribution Groups in Shell

All you need are working samples not thousands lists and Technet Articles. So here we go with some Exchange Powershell we daily use.

Maybe you want a lists of all fields so you can choose one to use for the filter first.

Get all user info from a certain OU

Starting OU would be:



Get-ADUser -filter * -SearchBase "OU=Active,OU=Users_W7,OU=BUTSCH,DC=butsch,DC=ch" -Properties * | select-object givenname, sn, displayname, description,office, streetaddress,city,st,postalcode,country, title, Department, company | ConvertTo-Csv –NoTypeInformation


Exchange 2010 Addresslist and Dynamic Distribution Groups (E-Mail Distribution)


Exchange 2010 Addresslist

Generate Exchange Addresslist with starting OU, OPATH filter for CITY and STREET

new-AddressList -Name 'Mitarbeiter Nestle Suisse – W110' -RecipientContainer '' -IncludedRecipients 'MailboxUsers' -Container '\' -DisplayName 'Mitarbeiter Nestle Suisse – W110'

set-Addresslist -identity 'Mitarbeiter Nestle Suisse – W110' -RecipientFilter {(ObjectClass -eq 'user' -and City -eq 'Lausanne' -and StreetAddress -eq 'Roberstenstrasse 133' )}


Remark: DO not try to add other additional GAL-addresslists because they will appear in the ROOT of the Adressbook. You can't filter all you can with regular Addresslist and you will be limited when you migrate those to later Exchange versions.

Dynamic Distribution Groups


Generate Exchange Dynamic Distribution Groups with OU, OPATH filter for CITY and STREET

This will generate a DynamicDistributionGroup which is located in "''" and will list all members of OU ''. With the second command we filter to show ONLY the employees who have the field city and Streetaddress with a certain value.



This is a TWO part and it ONLY works in two commands. Forget it and don't try.


new-DynamicDistributionGroup -Name 'Alle Mitarbeiter Nestle Suisse' -RecipientContainer '' -IncludedRecipients 'MailboxUsers' -OrganizationalUnit '' -Alias 'Alle_Mitarbeiter_Nestle Suisse'


set-DynamicDistributionGroup "Alle Mitarbeiter Nestle Suisse" -RecipientFilter {(ObjectClass -eq 'user' -and City -eq 'Lausanne' -and StreetAddress -eq 'Roberstenstrasse 133' )}


If you want to change the FIELD you search for check:

Filterable properties for the -RecipientFilter parameter

Manage the Members of Distribution Groups

Upgrade Custom LDAP Filters to OPATH Filters


Exchange 2013: 451 4.7.0 Temporary Server errors. Please Try Again Later. PRX

Problem: Exchange 2013 Mail Stuck and can't get delivered to other Exchange 2013 or WAN.

Error you see: 451 4.7.0 Temporary Server error. Please Try Again Later. PRX



This is related to some DNS resolution bug. Solving it may include "Old days" HOSTS File ;-)

  1. Check name resolution with nslookup
  2. Check the your Exchange Server has two correct DNS on the NIC-card of the OS (One does not solve it) Use external if you don't have two DC
  3. Change the Default frontend Connector to use fixed DNS
  4. Change the Exchange Server itself to user fixed DNS
  5. Add the exchange to the c:\windows\system32\drivers\etc\hosts File as Short and FQDN (See below)

Start ECP

Message Flow

Change the Default Frontend YOURSERVERNAME (With the pencil)

Down below change "All unassigned" to your Exchange 2013 Server IPV4 address"

Change the DNS that Exchange USES (Make it hard coded).


ABOVE the one or two Internal DNS and maybe or your providers Uplink DNS

Below your one or two internal DNS


This MAY sound confusing but sometimes there is no other way:

Adapt the HOSTS file:

Do this is CMD so you find it ;-)

Add or Change the HOSTS file to:

192.168.X.X Yourexchange2013            [ sample : exc2013-16cas) ]

192.168.X.X YourexchangeFQDNname        [ sample: ]



Exchange: Powershell list all user who have a Forward or Redirect active



In Exchange 2010 users are able to forward E-Mail themself to an external private account. This is a problem because of compliance and if you don't have a DLP (Data Lost Prevention).

There are ways to prevent this (With a Mail Control Rule > Transport rule) or with a DRAC permission set. However then also some technical accounts which HAVE to mailcopy external may get targeted. See below at end for a solution or at least a direction to go.


This is what we talk about in Exchange2010 GUI.

Here is how to find out which users in the Organization have such a forward or Redirect active.

Powershell command:


foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.ForwardTo} | fl MailboxOwnerID,Name,ForwardTo >> d:\edv\exchange_Forward.txt }


foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.ReDirectTo} | fl MailboxOwnerID,Name,RedirectTo >> d:\edv\exchange_Redirect.txt }

Another query which does not catch all

Get-Mailbox | Where {$_.ForwardingAddress -ne $null} | Select Name, ForwardingAddress, DeliverToMailboxAndForward

Prevent with RBAC from (Sike Fogarty - BPOS Support)

  1. New-ManagementRole -Name "Disable-Auto-Forward" -Parent MyBaseOptions
    Set-ManagementRoleEntry "Disable-Auto-ForwardSet-Mailbox" -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress –RemoveParameter
    Set-ManagementRoleEntry "Disable-Auto-ForwardNew-Inboxrule" -Parameters ForwardAsAttachmentTo,ForwardTo,RedirectTo –RemoveParameter

    Sign into the EAC click on Permissions > User Roles > Click on the Plus sign to add an additional Role Assignment Policy naming it whatever you want and under MyBaseOptions you will see the Disable-Auto-Forward option that you will want to place a check mark in. Save the Role Assignment Policy.

    Assign the Role Assignment Policy to the user(s) desired.




Exchange: Activesync 1053 Event, 4003 Error 2007/2010/2013/2016 Adminsholder


Activesync with Exchange 2013 does not work, ADMINSHOLDER or ADMINCOUNT Flag (an old bad friend)

ERROR YOU SEE: Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_



We just had a user with Activesync with a user migrated from 2007 to 2013. The user was fresh made on 2007 and migrated forth and back a few times.

Did show all info he can get and one thing triggered alerts with us. 4003+(INSUFF%5FACCESS%5FRIGHTS)

This was back 2003 > 2007 Migrations but comes again and again. Strange thing is that the test user account is only in a few groups and we never made him LOCALADMIN. But one group still seems to trigger the ADMINSHOLDER flags which should protect special accounts like "IISUSER" or Administrator.

Then we did see why. If the user is member of the group "PRINT OPERATORS" this will be the case.

So GPO, Activesync and many other things will not work. This has been mentioned here:


FIX the Inheritance of the account and all will work fine. See our other two posts on how to do that.


Activesync Log from



blUh4pH%2b19L4b%2fRk6uRZ%2bwFDxipa3umOc5NWKd8j3WZE%2f1rztOVQr3A7yqhQbWsCubcT0xJwV4JpO6fVK4ruS7rFkPgTuafoTzZOwv5kvn2wZAkGBr1hGm6NGz8%2fo4vFol0hWLVSJE3%2fX78fmSReawv4CBVixAAzyTR%2bm65WPSw86qwPxjfVseQiOrJ9qzUR8%2bPztEYmDjqvAfiVSNT6ouXwZf8%2fIpLnSalOyvp6n73yvkLu9rfgOsaQxOzJAX1TueDMkuiGV1EsG6HEYy3lD0Mdxo40pR EXCHANGE2013BUTSCH


Cache-Control: private

Content-Type: text/html; charset=utf-8

Set-Cookie: ClientId=IARSMT0ZIEEVVIXDSSW; expires=Thu, 18-May-2017 08:05:50 GMT; path=/; HttpOnly,X-BackEndCookie=S-1-5-21-4456168801-1912567065-1745900225-5325=u56Lnp2ejJqBysnJysyZzJzSz5maztLLnZvO0sabnszSncrHms3JzZ7Jm8zIgYHNz87J0s/J0s7Iq8/Hxc/Jxc7P; expires=Fri, 17-Jun-2016 08:06:10 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET



Get a list of all user who have such a behaviour:

Windows Server 2008R2, blaue Powershell aufmachen

Import-Module ActiveDirectory

Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"



Change to <NOT SET> with CLEAR BUTTON on the account whjich has problems with IPHONE / ANDROID or any Activesync Device.

Open the User in ADUAC Console

Activesync should work now again

Important: You have 15 Minutes TO do both steps a) ADSEDIT b) And Security Inheritance correct.


ESX: VM’s with wrong CPUID mask show bluescreen after 5.X > 6.0

This is due the NX/CD flag CPUID mask set on machines. Esp. we had seen this on Server 2012R2 which were installed on ESX5.0/5.X and the flag had to be set so machines where running. Be sure to capture this in advance or in time because the SRV2012 will start in Recover Mode at some point.

2008R2 > Bluescreen

2012R2 > Boots into Recovery Console

To resolve this issue, reset the CPUID Mask settings on the affected virtual machine.

To reset the CPUID Mask settings:

  1. Using the vSphere Client, connect to vCenter Server and locate the affected virtual machine.
  2. Power off the virtual machine.
  3. Right-click the virtual machine and click Edit Settings > Options > CPUID Mask > Advanced.
  4. Click Reset All to Default to reset the CPUID Mask.
  5. Click OK > OK, then power on the virtual machine.
  6. The virtual machine now shows the correct EVC mode.

Note: If these steps do not resolve the issue, upgrade the virtual machine's virtual hardware to the latest version. For more information, see Upgrading a virtual machine to the latest hardware version (1010675).

Here is the relevant Link where the Flag was set:

Here is a script to report the flags on all machines: