Exchange: PowerShell, list all users who have a Forward or Redirect active



In Exchange 2010, users are able to forward e-mail themselves to an external private account. This is a compliance problem, especially if you don't have DLP (Data Loss Prevention).

There are ways to prevent this, either with a Mail Control Rule > Transport rule or with an RBAC permission set. However, some technical accounts which HAVE to mail-copy externally may then get caught as well. See the end of this post for a solution, or at least a direction to go.


This is what we are talking about in the Exchange 2010 GUI.

Here is how to find out which users in the Organization have such a forward or Redirect active.

Powershell command:


foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.ForwardTo} | fl MailboxOwnerID,Name,ForwardTo >> d:\edv\exchange_Forward.txt }


foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.ReDirectTo} | fl MailboxOwnerID,Name,RedirectTo >> d:\edv\exchange_Redirect.txt }

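Another query, which does not catch everything (it only reads the forwarding address set on the mailbox itself, not inbox rules):

Get-Mailbox -ResultSize Unlimited | Where {$_.ForwardingAddress -ne $null} | Select Name, ForwardingAddress, DeliverToMailboxAndForward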
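The queries above each cover one property. As an added example (not part of the original post), the following combines mailbox-level forwarding with all three inbox-rule actions into one report and marks each target as internal or external by comparing it with the accepted domains. The output path and the helper names Get-TargetScope and New-Finding are assumptions made for this example.

```powershell
# Run in the Exchange Management Shell. $outFile is a placeholder path.
$outFile  = 'd:\edv\exchange_forward_audit.csv'
$accepted = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })

function Get-TargetScope([string]$Target) {
    # Targets render as '"Name" [SMTP:user@domain]' or 'smtp:user@domain';
    # EX:/X500 entries and directory objects carry no SMTP address here.
    if ($Target -match 'smtp:[^\]\s]*@([a-z0-9.-]+)') {
        $domain = $Matches[1].ToLower()
        foreach ($d in $accepted) {
            if ($domain -eq $d.TrimStart('*', '.')) { return 'internal' }
            if ($d.StartsWith('*.') -and $domain.EndsWith($d.Substring(1))) { return 'internal' }
        }
        return 'external'
    }
    return 'unresolved'   # e.g. a mail contact: check its external address by hand
}

function New-Finding($Mailbox, $Source, $Rule, $Enabled, $Target) {
    New-Object PSObject -Property @{
        Mailbox = "$Mailbox"; Source = $Source; Rule = $Rule; Enabled = $Enabled
        Target  = "$Target";  Scope  = (Get-TargetScope "$Target")
    }
}

$findings = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    # Mailbox-level forwarding (Set-Mailbox or the user's own options page)
    foreach ($prop in 'ForwardingAddress', 'ForwardingSmtpAddress') {
        if ($mbx.$prop) { New-Finding $mbx.PrimarySmtpAddress $prop '' $true $mbx.$prop }
    }
    # Inbox rules: every action that sends a copy elsewhere
    foreach ($rule in @(Get-InboxRule -Mailbox $mbx.DistinguishedName)) {
        foreach ($prop in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            foreach ($t in @($rule.$prop)) {
                if ($t) { New-Finding $mbx.PrimarySmtpAddress $prop $rule.Name $rule.Enabled $t }
            }
        }
    }
}

# Full list to CSV, everything that is not clearly internal to the console
$findings | Select-Object Mailbox, Source, Rule, Enabled, Target, Scope |
    Export-Csv -Path $outFile -NoTypeInformation
$findings | Where-Object { $_.Scope -ne 'internal' } |
    Format-Table Mailbox, Source, Rule, Enabled, Target, Scope -AutoSize
```

Rows with Scope "unresolved" point at directory objects such as mail contacts, which can themselves deliver to an outside address and need a manual look.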

Prevent with RBAC (from Sike Fogarty - BPOS Support)

  1. New-ManagementRole -Name "Disable-Auto-Forward" -Parent MyBaseOptions
    Set-ManagementRoleEntry "Disable-Auto-Forward\Set-Mailbox" -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress -RemoveParameter
    Set-ManagementRoleEntry "Disable-Auto-Forward\New-InboxRule" -Parameters ForwardAsAttachmentTo,ForwardTo,RedirectTo -RemoveParameter

    Sign into the EAC, click on Permissions > User Roles, then click on the plus sign to add an additional Role Assignment Policy, naming it whatever you want. Under MyBaseOptions you will see the Disable-Auto-Forward option that you will want to place a check mark in. Save the Role Assignment Policy.

    Assign the Role Assignment Policy to the user(s) desired.
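A check of the result, as an added example that is not part of the original recipe: it lists the entries of the custom role that still accept a forwarding parameter, and the policies where the unrestricted parent role is assigned next to it. The role name is the one from the steps above; the variable names are chosen for this example.

```powershell
# Run in the Exchange Management Shell after the steps above.
$role = 'Disable-Auto-Forward'      # custom role created in the steps above
$fwd  = 'DeliverToMailboxAndForward','ForwardingAddress','ForwardingSmtpAddress',
        'ForwardAsAttachmentTo','ForwardTo','RedirectTo'

# 1. Entries of the custom role that still accept a forwarding parameter.
#    The steps above edit Set-Mailbox and New-InboxRule; any other cmdlet in
#    the role that takes one of these parameters shows up here.
$open = @(Get-ManagementRoleEntry "$role\*" | ForEach-Object {
    $entry = $_
    $left  = @($entry.Parameters | Where-Object { $fwd -contains $_ })
    if ($left.Count -gt 0) {
        New-Object PSObject -Property @{
            Cmdlet       = $entry.Name
            StillAllowed = ($left -join ',')
        }
    }
})
$open | Format-Table Cmdlet, StillAllowed -AutoSize

# 2. Policies that carry the restricted role. Role assignments are additive,
#    so a policy that also keeps the parent role MyBaseOptions still grants
#    the parameters removed from the child role.
$policies = @(Get-ManagementRoleAssignment -Role $role -RoleAssigneeType RoleAssignmentPolicy |
              ForEach-Object { "$($_.RoleAssigneeName)" })

foreach ($p in $policies) {
    $parent = @(Get-ManagementRoleAssignment -Role 'MyBaseOptions' -RoleAssignee $p)
    New-Object PSObject -Property @{
        Policy                  = $p
        ParentRoleStillAssigned = ($parent.Count -gt 0)
    }
}
```

An empty first table and ParentRoleStillAssigned = False on every policy means the users under that policy can no longer set forwarding through these cmdlets.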




Exchange: ActiveSync 1053 Event, 4003 Error 2007/2010/2013/2016 AdminSDHolder


ActiveSync with Exchange 2013 does not work: AdminSDHolder or adminCount flag (an old bad friend)

ERROR YOU SEE: Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_



We just had an ActiveSync problem with a user migrated from 2007 to 2013. The user was freshly created on 2007 and migrated back and forth a few times.

Did show all info he can get and one thing triggered alerts with us. 4003+(INSUFF%5FACCESS%5FRIGHTS)

This goes back to the 2003 > 2007 migrations but comes up again and again. The strange thing is that the test user account is only in a few groups and we never made him LOCALADMIN. But one group still seems to trigger the AdminSDHolder flag, which should protect special accounts like "IISUSER" or Administrator.

Then we saw why. If the user is a member of the group "PRINT OPERATORS", this will be the case.

So GPO, Activesync and many other things will not work. This has been mentioned here:


FIX the Inheritance of the account and all will work fine. See our other two posts on how to do that.


Activesync Log from





Cache-Control: private

Content-Type: text/html; charset=utf-8

Set-Cookie: ClientId=IARSMT0ZIEEVVIXDSSW; expires=Thu, 18-May-2017 08:05:50 GMT; path=/; HttpOnly,X-BackEndCookie=S-1-5-21-4456168801-1912567065-1745900225-5325=u56Lnp2ejJqBysnJysyZzJzSz5maztLLnZvO0sabnszSncrHms3JzZ7Jm8zIgYHNz87J0s/J0s7Iq8/Hxc/Jxc7P; expires=Fri, 17-Jun-2016 08:06:10 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET



Get a list of all users who show this behaviour:

Windows Server 2008R2, open the blue PowerShell

Import-Module ActiveDirectory

Get-ADUser -LDAPFilter "(&(objectcategory=person)(samaccountname=*)(admincount=1))"



Change adminCount to <NOT SET> with the CLEAR button on the account which has problems with iPhone / Android or any ActiveSync device.

Open the user in the ADUC console

ActiveSync should work again now

Important: You have 15 minutes to do both steps: a) ADSIEdit b) correct the security inheritance.
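To see which flagged accounts are affected and why, the adminCount query above can be extended as follows. This is an added example, not part of the original post: for every account with adminCount=1 it shows whether ACL inheritance is switched off and which protected group (nested membership included) causes the flag. The group list assumes the English default names, and ConvertTo-LdapFilterValue is a helper defined here.

```powershell
Import-Module ActiveDirectory

# Groups protected by AdminSDHolder by default (assumption: English names)
$protected = 'Administrators','Domain Admins','Enterprise Admins','Schema Admins',
             'Account Operators','Backup Operators','Print Operators',
             'Server Operators','Replicator','Domain Controllers',
             'Read-only Domain Controllers'

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape the characters that are special inside an LDAP filter (RFC 4515)
    $Value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
}

Get-ADUser -LDAPFilter '(&(objectCategory=person)(sAMAccountName=*)(adminCount=1))' |
ForEach-Object {
    $user = $_
    $dn   = ConvertTo-LdapFilterValue $user.DistinguishedName

    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN, resolves nested groups.
    # Membership through the primary group is not returned by this filter.
    $hits = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
              Where-Object { $protected -contains $_.Name } |
              ForEach-Object { $_.Name })

    # The AD: drive is provided by the ActiveDirectory module
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    New-Object PSObject -Property @{
        SamAccountName      = $user.SamAccountName
        InheritanceDisabled = $acl.AreAccessRulesProtected
        ProtectedGroups     = ($hits -join ';')
        # Flag set but no protected group found: candidate for the repair above
        Leftover            = ($hits.Count -eq 0)
    }
} | Sort-Object Leftover, SamAccountName |
    Format-Table SamAccountName, InheritanceDisabled, ProtectedGroups, Leftover -AutoSize
```

Accounts that list a group such as Print Operators get the flag and the blocked inheritance stamped again after the repair unless they are removed from that group first; built-in accounts such as krbtgt show up as Leftover and should be left alone.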


ESX: VM’s with wrong CPUID mask show bluescreen after 5.X > 6.0

This is due to the NX/XD flag CPUID mask set on the machines. We saw this especially on Server 2012R2 VMs which were installed on ESX 5.0/5.X, where the flag had to be set so the machines were running. Be sure to catch this in advance or in time, because the SRV2012 will start in Recovery Mode at some point.

2008R2 > Bluescreen

2012R2 > Boots into Recovery Console

To resolve this issue, reset the CPUID Mask settings on the affected virtual machine.

To reset the CPUID Mask settings:

  1. Using the vSphere Client, connect to vCenter Server and locate the affected virtual machine.
  2. Power off the virtual machine.
  3. Right-click the virtual machine and click Edit Settings > Options > CPUID Mask > Advanced.
  4. Click Reset All to Default to reset the CPUID Mask.
  5. Click OK > OK, then power on the virtual machine.
  6. The virtual machine now shows the correct EVC mode.

Note: If these steps do not resolve the issue, upgrade the virtual machine's virtual hardware to the latest version. For more information, see Upgrading a virtual machine to the latest hardware version (1010675).

Here is the relevant Link where the Flag was set:

Here is a script to report the flags on all machines:


Exchange 2007 > 2013 Migration, Braindump / things used

Here are some steps and scripts we used for Exchange 2007 > 2013 Transition (Migration > It's the same ;-)

Exchange 2007 side, Get Size and items in each box to migrate

[PS] D:\edv>Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft D






MOVE of Exchange mailboxes (if you move one, DO NOT forget to REMOVE the move request, esp. if you want to move a user back to 2007 in the worst case)


Get-MoveRequest | Get-MoveRequestStatistics



Remove-MoveRequest 2007ch

Get-MoveRequest -movestatus completed | remove-moverequest



Back to 2007:

new-moverequest -identity 2007ch -targetdatabase "exchange2007\sg1\mb1"


From 2007 to 2013:

new-moverequest -identity user1 -targetdatabase "mdb01ch"

new-moverequest -identity user2 -targetdatabase "mdb01ch"

Check health and read about that before you start the MIGRATION (maybe you will not start then at all and stop and move to 2010)



Check if the 2013/2016 is running?


Get-HealthReport -Server exchange2013| where { $_.alertvalue -ne "Healthy" }

Get-MonitoringItemIdentity -Identity HubTransport -Server exchange2013 | ft Identity,ItemType,TargetResource -autosize

Get-ServerHealth -Identity munexc1 -HealthSet "HubTransport" | where { $_.alertvalue -ne "Healthy" } | fl Name

Get-ServerComponentState -Identity exchange2013



Problem: large, growing DIAG / Health logfiles after migration of 50 users and 3 days of runtime


(IF you are new to Exchange DO NOT Delete Any Transaction Logfiles like below yellow)



The Diag Below YOU COULD delete carefully. Start with LARGE.

Don't start reading about Exchange 2013/2016 Health sets or you stop using Exchange 2013… ;-)



Here are some batch scripts to do that automatically:

Clean DIAG Logs

@echo off

:: Diagnostic Logfiles Remove

if Exist "D:\Program Files\Microsoft\Exchange Server\V15\Logging" forfiles.exe /p "D:\Program Files\Microsoft\Exchange Server\V15\Logging" /s /m *.log /d -2 /c "cmd /c del @file"

:: wait about 60 seconds (ping needs a target host, otherwise it returns immediately)
ping -n 61 127.0.0.1 > nul

if Exist "D:\Program Files\Microsoft\Exchange Server\V15\Logging\Diagnostics\DailyPerformanceLogs" forfiles.exe /p "D:\Program Files\Microsoft\Exchange Server\V15\Logging\Diagnostics\DailyPerformanceLogs" /s /m *.* /d -2 /c "cmd /c del @file"

:: wait about 60 seconds
ping -n 61 127.0.0.1 > nul

:: forfiles.exe /p "c:\inetpub\logs\LogFiles" /s /m *.log /d -2 /c "cmd /c del @file"

:: ping -n 61 127.0.0.1 > nul



Exchange Activesync Recycle

Do this for all users who were migrated and use Activesync


#Use this script to recycle IIS Application Pools to overcome Exchange 2013 SP1 ActiveSync bug for migrated users


$CASServers = Get-ClientAccessServer | where {$_.WorkloadManagementPolicy -ne $null}


#Loop through each CAS2013 and recycle the IIS App Pools
#(the root/MicrosoftIISv2 namespace requires the IIS 6 WMI Compatibility feature on the CAS)

foreach ($CAS in $CASServers) {

Write-Host "Recycling App Pools on $CAS..."

$appPool = Get-WmiObject -Authentication PacketPrivacy -Impersonation Impersonate -ComputerName $CAS -namespace "root/MicrosoftIISv2" -class IIsApplicationPool | Where-Object {$_.Name -eq "W3SVC/AppPools/MSExchangeAutodiscoverAppPool" }

#Recycle the Autodiscover pool
$appPool.Recycle()

$appPool = Get-WmiObject -Authentication PacketPrivacy -Impersonation Impersonate -ComputerName $CAS -namespace "root/MicrosoftIISv2" -class IIsApplicationPool | Where-Object {$_.Name -eq "W3SVC/AppPools/MSExchangeSyncAppPool" }

#Recycle the ActiveSync pool
$appPool.Recycle()

}





Do an IISRESET (that is not the same as above!!!!) Just a base step!

If that does not work > also recycle the IIS application pools and reboot the Exchange server.

Open the IIS console

Go to "Application Pools"

  • On the right side select "Recycle"
  • From "DefaultAppPool" downwards to "MSExchangeSyncAppPool", press Recycle on the RIGHT side of the IIS console




Dump all permissions of the Exchange virtual directories (IIS). This will help to get an overview of the permissions set on IIS and within Exchange.

The Russian blog has an excellent description of this script:

Import-Module WebAdministration

get-website | ForEach-Object -Process {

# The next two assignments are missing on the page; they are filled in here as an assumption
$xSite = "IIS:\Sites\" + $_.Name
$myWebApp = Get-WebApplication -Site $_.Name

cd $xSite

# One row per web application with the state of each authentication method
$myWebApp | Format-Table -AutoSize Path ,
@{Label= "anonim:" ; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/anonymousAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
@{Label= "Basic:"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/basicAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
@{Label= "ClientCert:"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/clientCertificateMappingAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
@{Label= "Digest:"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/digestAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
@{Label= "IIS client Cert:"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/iisClientCertificateMappingAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
@{Label= "Windows"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/windowsAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
@{Label= "SSL Flags"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/access -Name * -PSPath $xSite -location $_.Path).SSLflags }}

}





WSUS: Rollup like SP2 for W7 / Change in Patch Strategy Microsoft

  • Some customers were grumbling about the "1 of 200/230" updates on W7. Neither the C'T Updater nor the Offline Updater has been a solution so far. Integrating directly into the WIM was not a clean solution either, and after 2-3 years it was a dead end because of errors nobody could explain.
  • NEW: Microsoft now says that the MAY 2016 ROLLUP can officially be integrated into the WIM and that no errors should occur (they reckon that these will happen in 2-3 years AND that by then everyone will be on W10 anyway ;-)



  • New: NON-security updates now also arrive via WSUS for W7/2008R2
  • There is a MAY ROLLUP for 2008R2 (about 6 MB) and there is a kind of SP2 for Windows 7
  • The first one now in WSUS is a ROLLUP for W7 AND Server 2008R2 (May 2016 update rollup for 7 SP1 and Windows Server 2008 R2 SP1)
  • ATTENTION! Some of them can NOT be uninstalled (like service packs)