Exchange: PowerShell, list all users who have a Forward or Redirect active

 

Problem:

In Exchange 2010, users are able to forward e-mail themselves to an external private account. This is a problem because of compliance, especially if you don't have DLP (Data Loss Prevention).

There are ways to prevent this, either with a Mail Control Rule > Transport rule or with an RBAC permission set. However, some technical accounts which HAVE to copy mail to external recipients may then get targeted as well. See the end of this post for a solution, or at least a direction to go.

 

This is what we talk about in Exchange2010 GUI.

Here is how to find out which users in the organization have such a forward or redirect active.

Powershell command:

Forwards

foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.ForwardTo} | fl MailboxOwnerID,Name,ForwardTo >> d:\edv\exchange_Forward.txt }

Redirects

foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.RedirectTo} | fl MailboxOwnerID,Name,RedirectTo >> d:\edv\exchange_Redirect.txt }

Another query, which does not catch everything (it only shows forwarding set on the mailbox itself, not forwards created through inbox rules):

Get-Mailbox | Where {$_.ForwardingAddress -ne $null} | Select Name, ForwardingAddress, DeliverToMailboxAndForward
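The three queries above, combined into one report that also covers ForwardAsAttachmentTo and ForwardingSmtpAddress and keeps only targets outside the organization's accepted domains. This is an added example, not part of the original post; the function names and the assumed string form of the rule targets are assumptions, and wildcard accepted domains are not expanded.

```powershell
# Added example, not from the original post. Function names are hypothetical.

function Get-ExternalSmtp {
    # Returns each SMTP address found in $Value whose domain is not in $InternalDomains.
    param([object[]]$Value, [string[]]$InternalDomains)
    foreach ($v in $Value) {
        # Assumed string forms: rule targets look like '"Name" [SMTP:user@dom]' (external)
        # or '"Name" [EX:/o=...]' (internal); mailbox properties look like 'smtp:user@dom'.
        foreach ($m in [regex]::Matches([string]$v, '(?i)smtp:([^\]\s@]+@([^\]\s]+))')) {
            if ($InternalDomains -notcontains $m.Groups[2].Value) { $m.Groups[1].Value }
        }
    }
}

function New-Finding {
    param($Mailbox, $Source, $Rule, $Target)
    New-Object psobject -Property @{ Mailbox = "$Mailbox"; Source = $Source; Rule = "$Rule"; Target = $Target } |
        Select-Object Mailbox, Source, Rule, Target
}

function Get-ForwardingReport {
    # Run in the Exchange Management Shell; emits one row per external target.
    $internal = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() })
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        $who = $mbx.PrimarySmtpAddress
        # 1) Mailbox-level forwarding to a plain SMTP address
        foreach ($t in (Get-ExternalSmtp -Value $mbx.ForwardingSmtpAddress -InternalDomains $internal)) {
            New-Finding $who 'ForwardingSmtpAddress' '' $t
        }
        # 2) Mailbox-level forwarding to a directory object, e.g. a mail contact
        if ($mbx.ForwardingAddress) {
            $r = Get-Recipient -Identity "$($mbx.ForwardingAddress)"
            foreach ($t in (Get-ExternalSmtp -Value $r.ExternalEmailAddress -InternalDomains $internal)) {
                New-Finding $who 'ForwardingAddress' '' $t
            }
        }
        # 3) User-created inbox rules: all three forwarding actions
        foreach ($rule in (Get-InboxRule -Mailbox $mbx.DistinguishedName)) {
            foreach ($action in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
                foreach ($t in (Get-ExternalSmtp -Value $rule.$action -InternalDomains $internal)) {
                    New-Finding $who "InboxRule/$action" $rule.Name $t
                }
            }
        }
    }
}

# Constructed sample values: what the helper keeps when example.com is the only internal domain
Get-ExternalSmtp -InternalDomains 'example.com' -Value @(
    '"Private" [SMTP:someone@example.net]',
    '"Colleague" [EX:/o=Org/ou=First Administrative Group/cn=Recipients/cn=colleague]',
    'smtp:archive@example.com')

# Live use: Get-ForwardingReport | Export-Csv .\forwarding_report.csv -NoTypeInformation
```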

https://blogs.technet.microsoft.com/lystavlen/2012/04/10/how-to-prevent-internal-users-from-autoforwaring-mails-to-external-recipients/

Prevent with RBAC (from Sike Fogarty - BPOS Support)

  1. Create the role and remove the forwarding parameters from it:

    New-ManagementRole -Name "Disable-Auto-Forward" -Parent MyBaseOptions
    Set-ManagementRoleEntry "Disable-Auto-Forward\Set-Mailbox" -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress -RemoveParameter
    Set-ManagementRoleEntry "Disable-Auto-Forward\New-InboxRule" -Parameters ForwardAsAttachmentTo,ForwardTo,RedirectTo -RemoveParameter

  2. Sign into the EAC and click on Permissions > User Roles > click on the plus sign to add an additional Role Assignment Policy, naming it whatever you want. Under MyBaseOptions you will see the Disable-Auto-Forward option, in which you will want to place a check mark. Save the Role Assignment Policy.

  3. Assign the Role Assignment Policy to the user(s) desired.

     

     

     

Exchange: ActiveSync 1053 Event, 4003 Error 2007/2010/2013/2016 AdminSDHolder

 

ActiveSync with Exchange 2013 does not work: AdminSDHolder or adminCount flag (an old bad friend)

ERROR YOU SEE: Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_

Events:

 

We just had an ActiveSync problem with a user migrated from 2007 to 2013. The user was freshly created on 2007 and migrated back and forth a few times.

https://testconnectivity.microsoft.com/

It showed all the info it could get, and one thing triggered alerts with us: 4003+(INSUFF%5FACCESS%5FRIGHTS)

This dates back to the 2003 > 2007 migrations but comes up again and again. The strange thing is that the test user account is only in a few groups and we never made him LOCALADMIN. But one group still seems to trigger the AdminSDHolder flag, which should protect special accounts like "IISUSER" or Administrator.

Then we saw why: this is the case if the user is a member of the group "PRINT OPERATORS".

So GPO, ActiveSync and many other things will not work. This has been mentioned here:

https://technet.microsoft.com/de-de/magazine/2009.09.sdadminholder.aspx

 

 

http://www.butsch.ch/post/Migrated-NT42000-users-are-unable-to-ActiveSync-with-Exchange-Code-0x85010014.aspx

http://www.butsch.ch/post/Exchange-2003-3e-2007-3e-2010-User-Move-Request-fails-ADMINCOUNT3d1-INSUFF_ACCESS_RIGHTS.aspx

Resolution:

FIX the Inheritance of the account and all will work fine. See our other two posts on how to do that.

 

Activesync Log from https://testconnectivity.microsoft.com/

 

  

blUh4pH%2b19L4b%2fRk6uRZ%2bwFDxipa3umOc5NWKd8j3WZE%2f1rztOVQr3A7yqhQbWsCubcT0xJwV4JpO6fVK4ruS7rFkPgTuafoTzZOwv5kvn2wZAkGBr1hGm6NGz8%2fo4vFol0hWLVSJE3%2fX78fmSReawv4CBVixAAzyTR%2bm65WPSw86qwPxjfVseQiOrJ9qzUR8%2bPztEYmDjqvAfiVSNT6ouXwZf8%2fIpLnSalOyvp6n73yvkLu9rfgOsaQxOzJAX1TueDMkuiGV1EsG6HEYy3lD0Mdxo40pRRBknDTp58DusHBvAN8ud7YydsWys9YscJ5Agm9F2a7b6qIT%2bZ%2frM9%2btPQRyan97mInwoRsp1cgvsaffQtFPq9%2b%2fUjmh5g4UMvjYsM%2fVzVR2Of0c43FBQRBOkBfuavQW%2fwf%2fpr8BtFs28meQ0AAA%3d%3d_S111_Error:ADOperationException1%3aActive+Directory+operation+failed+on+MUNWDC1.butsch.ch.+This+error+is+not+retriable.+Additional+information%3a+Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_Mbx:EXCHANGE2013BUTSCH.butsch.ch_Dc:MUNWDC1.butsch.ch_Throttle0_SBkOffD:L%2f-470_DBL7_DBS1_CmdHC-1477255686_TmRcv08:05:50.2747716_TmSt08:05:50.2747716_TmDASt08:05:50.4310224_TmPolSt08:05:50.4622759_TmExSt08:05:50.4935244_TmExFin08:05:50.9622794_TmFin08:05:51.0716528_TmCmpl08:06:10.27494_ActivityContextData:ActivityID%3d5eeffb0c-62d3-46fe-994c-X-DiagInfo: EXCHANGE2013BUTSCH

X-BEServer: EXCHANGE2013BUTSCH

Cache-Control: private

Content-Type: text/html; charset=utf-8

Set-Cookie: ClientId=IARSMT0ZIEEVVIXDSSW; expires=Thu, 18-May-2017 08:05:50 GMT; path=/; HttpOnly,X-BackEndCookie=S-1-5-21-4456168801-1912567065-1745900225-5325=u56Lnp2ejJqBysnJysyZzJzSz5maztLLnZvO0sabnszSncrHms3JzZ7Jm8zIgYHNz87J0s/J0s7Iq8/Hxc/Jxc7P; expires=Fri, 17-Jun-2016 08:06:10 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

X-FEServer: EXCHANGE2013BUTSCH

 

Get a list of all users who show this behaviour:

Windows Server 2008 R2: open the blue PowerShell

Import-Module ActiveDirectory

Get-ADUser -LDAPFilter "(&(objectcategory=person)(samaccountname=*)(admincount=1))"

Solution:

REMOVE the ADMINCOUNT = 1 flag with ADSIEDIT on the DC

Change it to <NOT SET> with the CLEAR button on the account which has problems with iPhone / Android or any ActiveSync device.

Open the user in the ADUC console

ActiveSync should now work again

Important: You have 15 minutes to do both steps: a) ADSIEDIT and b) correcting the security inheritance.
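The lookup and the two manual steps above, done in PowerShell so that both changes land together. This is an added example, not from the original post: the function names are hypothetical, the group list uses the English default names, and only direct group membership is checked.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Groups protected by AdminSDHolder by default (English names; adjust for your domain).
$ProtectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators'

function Get-AdminCountUser {
    # Lists users flagged adminCount=1 and shows whether a protected group still explains the flag.
    $filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1))'
    foreach ($u in (Get-ADUser -LDAPFilter $filter -Properties memberOf, nTSecurityDescriptor)) {
        # krbtgt is protected by design and must never be "repaired"
        if ($u.SamAccountName -eq 'krbtgt') { continue }
        # Direct memberships only; nested membership also triggers the protection.
        $hit = @()
        foreach ($dn in $u.memberOf) {
            $name = (Get-ADGroup -Identity $dn).Name
            if ($ProtectedGroups -contains $name) { $hit += $name }
        }
        New-Object psobject -Property @{
            SamAccountName     = $u.SamAccountName
            DistinguishedName  = $u.DistinguishedName
            ProtectedGroups    = $hit -join ', '
            InheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
            Stale              = ($hit.Count -eq 0)   # flag left over, no protected group found
        }
    }
}

function Repair-AdminCountUser {
    # PowerShell version of the two manual steps: clear adminCount, re-enable ACL inheritance.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
          [string]$DistinguishedName)
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Clear adminCount and re-enable ACL inheritance')) {
            Set-ADUser -Identity $DistinguishedName -Clear adminCount
            $acl = Get-Acl -Path "AD:\$DistinguishedName"
            $acl.SetAccessRuleProtection($false, $true)   # $false = inherit from the parent again
            Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
        }
    }
}

# Review first, then repair only accounts that are no longer in a protected group:
# Get-AdminCountUser | Format-Table SamAccountName, ProtectedGroups, InheritanceBlocked, Stale
# Get-AdminCountUser | Where-Object { $_.Stale } | Repair-AdminCountUser -WhatIf
```

An account that is still a member of a protected group (for example Print Operators) gets the flag and the blocked inheritance stamped back, so remove the membership before repairing.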

 

Exchange 2007 > 2013 Migration, Braindump / things used

Here are some steps and scripts we used for Exchange 2007 > 2013 Transition (Migration > It's the same ;-)

Exchange 2007 side, Get Size and items in each box to migrate

[PS] D:\edv>Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft DisplayName,@{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}},ItemCount

 

 

 

MOVE of Exchange mailboxes (if you move one, DO NOT forget to REMOVE the move request, esp. if you want to move a user back to 2007 in the worst case)

Get-MoveRequest

Get-MoveRequest | Get-MoveRequestStatistics

 

 

Remove-MoveRequest 2007ch

Get-MoveRequest -movestatus completed | remove-moverequest

 

----------------------------------------------------------

Back to 2007:

new-moverequest -identity 2007ch -targetdatabase "exchange2007\sg1\mb1"

----------------------------------------------------------

From 2007 to 2013:

new-moverequest -identity user1 -targetdatabase "mdb01ch"

new-moverequest -identity user2 -targetdatabase "mdb01ch"

Check health and read about that before you start the MIGRATION (maybe you will then not start at all, stop, and move to 2010)

 

 

Check if the 2013/2016 is running?

 

Get-HealthReport -Server exchange2013| where { $_.alertvalue -ne "Healthy" }

Get-MonitoringItemIdentity -Identity HubTransport -Server exchange2013 | ft Identity,ItemType,TargetResource -autosize

Get-ServerHealth -Identity munexc1 -HealthSet "HubTransport" | where { $_.alertvalue -ne "Healthy" } | fl Name

Get-ServerComponentState -Identity exchange2013

----------------------------------------------------------

 

Problem: large, growing DIAG / Health logfiles after migration of 50 users and 3 days runtime

 

(IF you are new to Exchange DO NOT Delete Any Transaction Logfiles like below yellow)

 

 

The Diag Below YOU COULD delete carefully. Start with LARGE.

Don't start reading about Exchange 2013/2016 Health sets or you stop using Exchange 2013… ;-)

 

 

Here are some batch scripts to do that automatically:

 

https://gallery.technet.microsoft.com/Task-Scheduler-to-cleanup-25047622#content

Clean DIAG Logs

@echo off

:: Diagnostic Logfiles Remove

if Exist "D:\Program Files\Microsoft\Exchange Server\V15\Logging" forfiles.exe /p "D:\Program Files\Microsoft\Exchange Server\V15\Logging" /s /m *.log /d -2 /c "cmd /c del @file"

ping 1.1.1.1 -n 1 -w 60000 > nul

if Exist "D:\Program Files\Microsoft\Exchange Server\V15\Logging\Diagnostics\DailyPerformanceLogs" forfiles.exe /p "D:\Program Files\Microsoft\Exchange Server\V15\Logging\Diagnostics\DailyPerformanceLogs" /s /m *.* /d -2 /c "cmd /c del @file"

ping 1.1.1.1 -n 1 -w 60000 > nul

:: forfiles.exe /p "c:\inetpub\logs\LogFiles" /s /m *.log /d -2 /c "cmd /c del @file"

:: ping 1.1.1.1 -n 1 -w 60000 > nul

Exit

 

Exchange Activesync Recycle

Do this for all users who were migrated and use Activesync

Also check the AdminSDHolder (ADMINCOUNT) FLAG!

http://www.butsch.ch/post/Migrated-NT42000-users-are-unable-to-ActiveSync-with-Exchange-Code-0x85010014.aspx

http://www.butsch.ch/post/Activesync-with-Exchange-2013-does-not-work-ADMINSHOLDER-Flag-(an-old-bad-friend).aspx

#Use this script to recycle IIS Application Pools to overcome Exchange 2013 SP1 ActiveSync bug for migrated users

 

$CASServers = Get-ClientAccessServer | where {$_.WorkloadManagementPolicy -ne $null}

 

#Loop through each CAS2013 and recycle the IIS App Pools

foreach ($CAS in $CASServers) {

Write-Host "Recycling App Pools on $CAS..."

$appPool = Get-WmiObject -Authentication PacketPrivacy -Impersonation Impersonate -ComputerName $CAS -namespace "root/MicrosoftIISv2" -class IIsApplicationPool | Where-Object {$_.Name -eq "W3SVC/AppPools/MSExchangeAutodiscoverAppPool" }

$appPool.Recycle()

$appPool = Get-WmiObject -Authentication PacketPrivacy -Impersonation Impersonate -ComputerName $CAS -namespace "root/MicrosoftIISv2" -class IIsApplicationPool | Where-Object {$_.Name -eq "W3SVC/AppPools/MSExchangeSyncAppPool" }

$appPool.Recycle()

}

 

OR MANUAL:

Do an IISRESET (that is not the same as above!!!!). Just a base step!

If that does not work > also recycle the IIS folders and reboot the Exchange server.

Open the IIS console

Go to "Application Pools"

  • On the right side, select "Recycle"
  • From "Defaultpool" downwards to "MSExchangeSyncAppPool", press Recycle on the RIGHT side of the IIS console

   

  

 

Dump all permission of the Exchange Virtual Directory (iis). This will help to get an overview of the permission set on IIS and within Exchange.

http://www.butsch.ch/post/Exchange-20132016.aspx

The Russian blog has an excellent description of this script:

http://sysmagazine.com/posts/204454/

http://msbro.ru/index.php/archives/4705

# Needs the IIS PowerShell module (provides Get-Website and the IIS:\ drive)
Import-Module WebAdministration

# For every site: list each web application with the state of its authentication methods and SSL flags
Get-Website | ForEach-Object -Process {
$xSite="IIS:\sites\"+$_.Name
cd $xSite
$xSite
$myWebApp=Get-WebApplication
$myWebApp | Format-Table -AutoSize Path ,
@{Label= "anonim:" ; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/anonymousAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
@{Label= "Basic:"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/basicAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
@{Label= "ClientCert:"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/clientCertificateMappingAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
@{Label= "Digest:"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/digestAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
@{Label= "IIS client Cert:"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/iisClientCertificateMappingAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
@{Label= "Windows"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/windowsAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
@{Label= "SSL Flags"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/access -Name * -PSPath $xSite -location $_.Path).SSLflags }}
}

 

 

 

ActiveSync with Exchange 2013 does not work: AdminSDHolder flag (an old bad friend)

 


ERROR YOU SEE: Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_

We just had an ActiveSync problem with a user migrated from 2007 to 2013. The user was freshly created on 2007 and migrated back and forth a few times.

https://testconnectivity.microsoft.com/

It showed all the info it could get, and one thing triggered alerts with us: 4003+(INSUFF%5FACCESS%5FRIGHTS)

This dates back to the 2003 > 2007 migrations but comes up again and again. The strange thing is that the test user account is only in a few groups and we never made him LOCALADMIN. But one group still seems to trigger the AdminSDHolder flag, which should protect special accounts like "IISUSER" or Administrator.

Then we saw why: this is the case if the user is a member of the group "PRINT OPERATORS".

So GPO, ActiveSync and many other things will not work. This has been mentioned here:

Good explanation from John Pollicelli

https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

https://technet.microsoft.com/de-de/magazine/2009.09.sdadminholder.aspx

 

 

http://www.butsch.ch/post/Migrated-NT42000-users-are-unable-to-ActiveSync-with-Exchange-Code-0x85010014.aspx

http://www.butsch.ch/post/Exchange-2003-3e-2007-3e-2010-User-Move-Request-fails-ADMINCOUNT3d1-INSUFF_ACCESS_RIGHTS.aspx

Resolution:

FIX the Inheritance of the account and all will work fine. See our other two posts on how to do that.

 


 

Get a list of all users who show this behaviour:

Windows Server 2008 R2: open the blue PowerShell

Import-Module ActiveDirectory

Get-ADUser -LDAPFilter "(&(objectcategory=person)(samaccountname=*)(admincount=1))"

There is a simple way to determine which users and groups in your domain are protected by AdminSDHolder. You can query the adminCount attribute to determine whether an object is protected by the AdminSDHolder object. The following examples use the ADFind.exe tool, which can be downloaded from Joeware.NET.

  • To find all objects in a domain that are protected by AdminSDHolder, type:

    Adfind.exe -b DC=domain,DC=com -f "adminCount=1" DN

  • To find all user objects in a domain that are protected by AdminSDHolder, type:

    Adfind.exe -b DC=domain,DC=com -f "(&(objectcategory=person)(objectclass=user)(admincount=1))" DN

  • To find all groups in a domain that are protected by AdminSDHolder, type:

    Adfind.exe -b DC=domain,DC=com -f "(&(objectclass=group)(admincount=1))" DN

    Note: In the previous examples, replace DC=domain,DC=com with the distinguished name of your domain.

     

Exchange 2007 > 2013 Transition/Migration, POPUP on Outlook 2010 or Public Folder can’t be open from 2007

 


 

Error1: When you click a Public Folder which lies on 2007 in Outlook.exe

"Cannot expand the folder. Microsoft Exchange is not available. Either there are network problems or the Exchange server is down for maintenance."

Event 401 is logged in IIS log file on 2007 side

Error2: Even if you have selected the option not to download other resources or public folders, you receive constant authentication popups ("Windows Security") asking for username and password. Outlook.exe shows "password needed" at some point, even if you chose "Remember my credentials".

Quick Reason:

You have to change the authentication for "Outlook Anywhere" on the old 2007 side to NTLM.

A general reason is that Exchange 2013 works over "Outlook Anywhere" all the time. To do it correctly, you could enable "Outlook Anywhere" afterwards on the old Exchange 2007. Warning: enabling this function will take 10-60 minutes, depending on your Exchange 2007. Read and search more if it is not enabled on the old Exchange 2007 and you want to do that while the old 2007 is in production. Most blogs don't mention that; most of them do 2007>2010>2013 and some 2007>2013 direct. However, they assume you already have "Outlook Anywhere" enabled on 2007 before you begin the swing transition (migration).

Explained:

Exchange 2007 and 2013 Coexistence:

  • Exchange 2013 runs with Outlook Anywhere
  • If you have Outlook Anywhere on 2007, change a) the authentication, b) the internal and external URL to something other than on the 2013
  • Both authentication settings for the "Outlook Anywhere" option have to be the same, for example "NTLM" only.

     

  • You have an existing, running Exchange 2007 and a fresh 2013 setup
  • Exchange 2013 is ready and ALL virtual directories have been changed in PowerShell
  • The SAN/UC certificate with the old Exchange name (for example old.company.ch), Autodiscover.company.ch and newserver.company.ch is ordered, imported and activated
  • Just ONE user was moved from 2007 > 2013; the rest of them are still on the 2007 side
  • Autodiscover is set up correctly in DNS, as is the old name (important: it can be whatever you like; some use the term legacy, but it does not have to be legacy.customer.ch!) and also the new names for the new exchange 2010.

 

 

Check Logfiles on Exchange 2007 under:

C:\inetpub\logs\LogFiles\W3SVC1\*.*

Search for string "/rpc/rpcproxy.dll"

This is the Health check the Exchange 2013 does:

RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 192.168.20.198 HttpProxy.ClientAccessServer2010Ping 401 2 5 0

Check the settings on the Exchange 2007.

get-OutlookAnywhere -Server "servername2007" | fl identity, IISAuthenticationMethods

Set-OutlookAnywhere -Identity "servername2007\Rpc (Default Web Site)" -IISAuthenticationMethods Ntlm

Or in GUI on the Exchange 2007

Do an IISRESET

If that does not work > also recycle the IIS folders and reboot the 2007.

Open the IIS console

Go to "Application Pools"

  • On the right side, select "Recycle"
  • From "Defaultpool" downwards to "MSExchangeSyncAppPool", press Recycle on the RIGHT side of the IIS console

 

 

IIS Logfile after the change should be with a 500 value.

2016-04-26 14:20:35 192.168.20.13 RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 192.168.20.198 HttpProxy.ClientAccessServer2010Ping 500 0 64 45021
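A way to confirm the change from the logs: count the status codes of the /rpc/rpcproxy.dll requests per client before and after switching to NTLM. This is an added example, not from the original post; the function name is hypothetical and the sample lines are constructed from the two log lines shown above, with an assumed #Fields header in the default IIS order.

```powershell
# Added example, not from the original post. Function name is hypothetical.

function Get-RpcProxyStatus {
    # Parses W3C-format IIS log lines and counts status codes for /rpc/rpcproxy.dll per client.
    param([string[]]$Line)
    $fields = @()
    $hits = foreach ($l in $Line) {
        # The #Fields directive names the columns of the lines that follow it
        if ($l -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($l -match '^#' -or -not $l.Trim()) { continue }
        $values = $l.Trim() -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        if ($row['cs-uri-stem'] -ieq '/rpc/rpcproxy.dll') {
            New-Object psobject -Property @{
                Client = $row['c-ip']
                Agent  = $row['cs(User-Agent)']
                # 401.2 = logon failed due to server configuration (authentication method mismatch)
                Status = '{0}.{1}' -f $row['sc-status'], $row['sc-substatus']
            }
        }
    }
    $hits | Group-Object Client, Agent, Status | Select-Object Count, Name | Sort-Object Name
}

# Constructed sample: two health-check pings before the change, one after
$sample = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken',
    '2016-04-26 14:05:10 192.168.20.13 RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 192.168.20.198 HttpProxy.ClientAccessServer2010Ping 401 2 5 0',
    '2016-04-26 14:05:40 192.168.20.13 RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 192.168.20.198 HttpProxy.ClientAccessServer2010Ping 401 2 5 0',
    '2016-04-26 14:20:35 192.168.20.13 RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 192.168.20.198 HttpProxy.ClientAccessServer2010Ping 500 0 64 45021'
)
Get-RpcProxyStatus -Line $sample

# Live use on the Exchange 2007 server:
# Get-RpcProxyStatus -Line (Get-Content C:\inetpub\logs\LogFiles\W3SVC1\*.log)
```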

 

Change on client side

If the account is still on 2007 and uses ONLY Outlook Anywhere, you then have to change something in outlook.exe on each client THAT is a laptop or in a workgroup and not domain joined. If Autodiscover and the EXPR record are correct, this should work by itself.