Showing posts with label Exchange 2010. Show all posts

Finding and removing emails from exchange mailboxes

In this case the security office sent a notification that a potentially malicious email which had bypassed antimalware protection had to be removed from users' mailboxes. To find out who had received the message (the sender address was provided in the escalation from the security office), on multirole Exchange servers I checked the message tracking logs with the following syntax:

Get-ExchangeServer | Get-MessageTrackingLog -Start (Get-Date).AddDays(-1) -End (Get-Date) -ResultSize Unlimited -EventId Deliver -Sender "malicioussender@domain.some"

Fortunately, the number of users who had received the message was small. Knowing the affected users, the message can be removed from their mailboxes with the Search-Mailbox cmdlet. To run Search-Mailbox, the user running it must be a member of the Discovery Management role group.
For example, to search an affected mailbox for messages from "malicioussender@domain.some" and send only a log of the results to an auditor's mailbox (messages are not removed from the affected mailbox):

Search-Mailbox -Identity "user@affected.mailbox" -SearchQuery 'From: "malicioussender@domain.some"' -TargetMailbox "auditor@mailbox.domain" -TargetFolder "SearchUsersLogs" -LogOnly -LogLevel Full

To delete the message from the affected mailbox, Search-Mailbox has the DeleteContent parameter. To use DeleteContent, the user running Search-Mailbox must also have the Mailbox Import Export management role assigned.
For assigning the Mailbox Import Export role to a role group, follow the TechNet article https://technet.microsoft.com/en-us/library/ee633452(v=exchg.141).aspx .

Now it is time to remove the messages from the affected mailbox and copy them to the auditor's mailbox:

Search-Mailbox -Identity "user@affected.mailbox" -SearchQuery 'From: "malicioussender@domain.some"' -TargetMailbox "auditor@mailbox.domain" -TargetFolder "SearchUsersLogs" -DeleteContent

The messages were successfully deleted from the affected mailbox and copied to the auditor's mailbox.
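The whole procedure above (tracking-log lookup, log-only search, then deletion) as one script. This is an added example, not code from the original post; it assumes the Exchange 2010 Management Shell with the Discovery Management and Mailbox Import Export roles, and the sender, auditor mailbox and folder names are placeholders.

```powershell
param(
    [string]$Sender         = "malicioussender@domain.some",   # placeholder: from the security office escalation
    [string]$AuditorMailbox = "auditor@mailbox.domain",        # placeholder
    [string]$TargetFolder   = "SearchUsersLogs",
    [int]$LookbackDays      = 1,
    [switch]$DeleteContent                                     # omit for a log-only dry run
)

# Step 1: who received it? Collect delivered recipients from every server's tracking log.
$recipients = Get-ExchangeServer |
    Get-MessageTrackingLog -Start (Get-Date).AddDays(-$LookbackDays) -End (Get-Date) `
        -ResultSize Unlimited -EventId Deliver -Sender $Sender |
    ForEach-Object { $_.Recipients } |
    Sort-Object -Unique

if (-not $recipients) { Write-Host "No DELIVER events for $Sender in the last $LookbackDays day(s)."; return }
Write-Host ("{0} recipient address(es) found." -f @($recipients).Count)

$query = 'From: "{0}"' -f $Sender
foreach ($rcpt in $recipients) {
    # Tracking logs list SMTP addresses; skip anything that is not a mailbox in this organization
    # (external recipients, contacts), because Search-Mailbox cannot search those.
    $mbx = Get-Mailbox -Identity $rcpt -ErrorAction SilentlyContinue
    if (-not $mbx) { Write-Warning "$rcpt is not a mailbox here, skipping."; continue }

    # Step 2: log-only pass writes the hits to the auditor mailbox without touching the user's data.
    $params = @{
        Identity      = $mbx.Identity
        SearchQuery   = $query
        TargetMailbox = $AuditorMailbox
        TargetFolder  = $TargetFolder
        LogLevel      = 'Full'
    }
    $result = Search-Mailbox @params -LogOnly
    Write-Host ("{0}: {1} item(s) matched (log only)" -f $rcpt, $result.ResultItemsCount)

    # Step 3: only when explicitly asked, copy the items to the auditor and delete them from the user.
    if ($DeleteContent -and $result.ResultItemsCount -gt 0) {
        $removed = Search-Mailbox @params -DeleteContent -Confirm:$false
        Write-Host ("{0}: {1} item(s) copied to {2} and deleted" -f $rcpt, $removed.ResultItemsCount, $AuditorMailbox)
    }
}
```

Run it once without -DeleteContent and review the log in the auditor mailbox before running it again with the switch.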
 

Exchange Powershell in Multi Domain Environment

This is a quick one. If you use Exchange PowerShell to manage an environment where Exchange recipients are located in multiple domains of the forest, you may wonder why, by default, you cannot manage recipient objects located in other domains. The reason is that by default the recipient scope is limited to the domain where the Exchange servers are located.
To change this behaviour, for example to manage recipient objects across the whole forest, the Set-AdServerSettings cmdlet is your friend:
Set-AdServerSettings -ViewEntireForest $true
Note that the change of view scope applies only to the current open session.
 

Warning Event 9327 from MSExchangeSA

In this case Warning Event 9327 from source MSExchangeSA was logged in the Application event log of the Exchange 2010 server responsible for OAB generation, by default every day at 5 AM:

Log Name:      Application
Source:        MSExchangeSA
Date:          12/1/2014 5:04:50 AM
Event ID:      9327
Task Category: (13)
Level:         Warning
Keywords:      Classic
User:          N/A
Description:
OALGen skipped some entries in the offline address list '\Global Address List'.  To see which entries are affected, event logging for the OAL Generator must be set to at least medium.
- \Default Offline Address List

By default, event logging for the OAL Generator is set to the lowest level. To see why some entries are skipped by the OAL Generator, the event logging level must be set to at least Medium. One way to do this is with PowerShell:
Set-EventLogLevel -Identity "ExchangeServerName\msexchangesa\oal generator" -Level Medium

Setting the logging level to Medium for the OAL Generator produces a lot of events during OAB generation. Informational events from MSExchangeSA with Event ID 9359 can be safely ignored, but the error events with ID 9325 are the ones that trigger event ID 9327 from MSExchangeSA. For example:

Log Name:      Application
Source:        MSExchangeSA
Date:          12/25/2014 5:04:03 AM
Event ID:      9325
Task Category: (13)
Level:         Error
Keywords:      Classic
User:          N/A
Description:
OABGen will skip user entry 'John Doe' in address list '\Global Address List' because the SMTP address '' is invalid.
- \Default Offline Address List

John Doe had no email address, but had the "ShowInAddressBook" property populated. To fix this, I created a mailbox for the user and then immediately disabled it, which cleared all Exchange-related properties from the user object.

Now return the event logging level for the OAL Generator to its default (Lowest) value:
Set-EventLogLevel -Identity "ExchangeServerName\msexchangesa\oal generator" -Level Lowest
After that, warning event 9327 from source MSExchangeSA was no longer logged in the Application event log of the Exchange 2010 server responsible for OAB generation at 5 AM.
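The same investigation scripted: raise the OAL Generator logging level, extract the skipped entries from the 9325 events instead of reading them one by one, and query AD for the root cause the post found (showInAddressBook set, no mail attribute). This is an added example, not from the original post; it assumes the Exchange 2010 Management Shell with the ActiveDirectory module, and "ExchangeServerName" is a placeholder.

```powershell
Import-Module ActiveDirectory

$OabServer = "ExchangeServerName"   # placeholder, as in the post

# Step 1: raise OAL Generator logging so that the 9325 errors name each skipped entry.
function Enable-OalGenDiagnostics  { Set-EventLogLevel -Identity "$OabServer\msexchangesa\oal generator" -Level Medium }
function Disable-OalGenDiagnostics { Set-EventLogLevel -Identity "$OabServer\msexchangesa\oal generator" -Level Lowest }

# Step 2: after the next OAB generation (5 AM, or Update-OfflineAddressBook "Default Offline Address List"),
# parse the 9325 events into objects: who was skipped, from which address list, and why.
function Get-OabGenSkippedEntries {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-EventLog -LogName Application -Source MSExchangeSA -After $Since -ComputerName $OabServer |
        Where-Object { $_.EventID -eq 9325 } |
        ForEach-Object {
            # Message: OABGen will skip user entry 'John Doe' in address list '\Global Address List' because ...
            if ($_.Message -match "skip user entry '([^']+)' in address list '([^']+)' because (.+)$") {
                New-Object PSObject -Property @{
                    Logged      = $_.TimeGenerated
                    Entry       = $Matches[1]
                    AddressList = $Matches[2]
                    Reason      = $Matches[3]
                }
            }
        } | Sort-Object Entry -Unique
}

# Step 3: the root cause in the post was an object with showInAddressBook populated but no mail attribute.
# This LDAP filter finds every such object in the domain, not only the ones the last OAB run reported.
function Find-AddressBookEntriesWithoutMail {
    Get-ADObject -LDAPFilter "(&(showInAddressBook=*)(!(mail=*)))" -Properties showInAddressBook, mail |
        Select-Object Name, ObjectClass, DistinguishedName
}

Enable-OalGenDiagnostics
# ... wait for the next OAB generation, then:
Get-OabGenSkippedEntries | Format-Table Logged, Entry, AddressList, Reason -AutoSize
Find-AddressBookEntriesWithoutMail | Format-Table -AutoSize
Disable-OalGenDiagnostics
```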
 

Setting calendar permissions in Exchange 2010

This is a quick post for reference, intended to show how to manage a user's calendar permissions in Exchange 2010. Four PowerShell cmdlets are available for this task. For example:
  • To list (get) the calendar permissions assigned on user Jane.Doe, the syntax is:
Get-MailboxFolderPermission -Identity jane.doe:\calendar
  • To assign John.Doe Reviewer permission on Jane.Doe's calendar (John does not have any permission on Jane's calendar yet):
Add-MailboxFolderPermission -Identity jane.doe:\calendar -User "John Doe" -AccessRights Reviewer
  • To change John Doe's already assigned permission on Jane Doe's calendar from Reviewer to Editor:
Set-MailboxFolderPermission -Identity jane.doe:\calendar -User "John Doe" -AccessRights Editor
  • And finally, to remove the permission previously added for John Doe on Jane Doe's calendar:
Remove-MailboxFolderPermission -Identity jane.doe:\calendar -User "John Doe"
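An idempotent wrapper around the four cmdlets above, plus an audit helper that lists every explicit calendar entry in the organization. This is an added example, not from the original post; it assumes the Exchange 2010 Management Shell and an English "Calendar" folder name (the folder name follows the mailbox language).

```powershell
function Set-CalendarPermissionState {
    # Brings one user's entry on a calendar to the requested state, whatever it is now.
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,      # e.g. jane.doe
        [Parameter(Mandatory=$true)][string]$User,         # e.g. "John Doe"
        [Parameter(Mandatory=$true)]
        [ValidateSet('None','Owner','PublishingEditor','Editor','PublishingAuthor','Author',
                     'NonEditingAuthor','Reviewer','Contributor','AvailabilityOnly','LimitedDetails')]
        [string]$AccessRights                              # 'None' means: make sure the entry is gone
    )
    $folder  = "$Mailbox`:\Calendar"
    $current = Get-MailboxFolderPermission -Identity $folder |
        Where-Object { $_.User.DisplayName -eq $User }

    if ($AccessRights -eq 'None') {
        if ($current) { Remove-MailboxFolderPermission -Identity $folder -User $User -Confirm:$false; return 'Removed' }
        return 'AlreadyAbsent'
    }
    if (-not $current) {
        Add-MailboxFolderPermission -Identity $folder -User $User -AccessRights $AccessRights | Out-Null
        return 'Added'
    }
    if (($current.AccessRights -join ',') -ne $AccessRights) {
        Set-MailboxFolderPermission -Identity $folder -User $User -AccessRights $AccessRights
        return 'Changed'
    }
    return 'Unchanged'
}

function Get-ExplicitCalendarPermissions {
    # Every non-Default, non-Anonymous calendar entry: who can read or edit whose calendar.
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        Get-MailboxFolderPermission -Identity "$($_.Alias):\Calendar" -ErrorAction SilentlyContinue |
            Where-Object { ('Default','Anonymous') -notcontains $_.User.DisplayName } |
            Select-Object @{n='Mailbox';e={$_.Identity}}, @{n='User';e={$_.User.DisplayName}}, AccessRights
    }
}

Set-CalendarPermissionState -Mailbox jane.doe -User "John Doe" -AccessRights Reviewer   # Added
Set-CalendarPermissionState -Mailbox jane.doe -User "John Doe" -AccessRights Editor     # Changed
Set-CalendarPermissionState -Mailbox jane.doe -User "John Doe" -AccessRights None       # Removed
Get-ExplicitCalendarPermissions | Format-Table -AutoSize
```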
 

Cannot add send as permission for public folder on Exchange 2010


In this case an Exchange administrator was trying to delegate Send As permission on a mail-enabled public folder in Exchange 2010. The wizard for delegating Send As permission failed with the following error message:
Error:

Active Directory operation failed on domain.controller.name. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 
The user has insufficient access rights.
Click here for help...
http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.338.0&t=exchgf1&e=ms.exch.err.Ex6AE46B
 
This public folder had been migrated from the previous Exchange organization, and the admin user had permission to manage public folders. When the Exchange admin created a new mail-enabled public folder, he was able to delegate Send As permission on it. Checking the owner of the public folder objects with ADSI Edit (Default naming context -> DC=Domain,DC=name -> CN=Microsoft Exchange System Objects) showed SYSTEM as the owner of the "migrated" public folder, while for the newly created public folder the owner was the Computername$ account of the Exchange server.
So, one way to fix this issue is to change the owner of the "migrated" public folder to the Computername$ account of the Exchange server.

Reminder: users will not be able to send on behalf of a mail-enabled public folder, even if they have Send As permission, if the mail-enabled public folder is hidden from address lists.
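A read-only report that shows the AD owner of every mail-enabled public folder object, so the "migrated" SYSTEM-owned entries stand out next to the ones owned by the Exchange server's computer account, together with the explicit Send As grants already on each object. This is an added example, not from the original post; it assumes the Exchange 2010 Management Shell with the ActiveDirectory module loaded (for the AD: drive). The owner change itself is still done as the post describes.

```powershell
Import-Module ActiveDirectory

function Get-MailPublicFolderOwner {
    Get-MailPublicFolder -ResultSize Unlimited | ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path ("AD:\" + $dn)
        New-Object PSObject -Property @{
            PublicFolder = $_.Name
            Owner        = $acl.Owner
            # Send As is an extended right on this same AD object, so list who already holds it.
            SendAs       = (Get-ADPermission -Identity $dn |
                                Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.IsInherited } |
                                ForEach-Object { $_.User.ToString() }) -join '; '
        }
    }
}

# Objects whose owner does not end in '$' are not owned by a computer account (SYSTEM, a person, ...)
# and are the ones where the Send As wizard is likely to fail as described above.
Get-MailPublicFolderOwner |
    Sort-Object Owner |
    Select-Object PublicFolder, Owner, SendAs, @{n='OwnerIsComputerAccount';e={ $_.Owner -like '*$' }} |
    Format-Table -AutoSize
```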

 

How to search Exchange Admin Log in Exchange 2010?

In my case one of the Exchange admins had created a mailbox for a user, and the team leader wanted to know who was responsible for creating it.
Exchange 2010 has administrator audit logging enabled, with an entry for each cmdlet run from the EMC or the Exchange Management Shell. Searching the log is easy with the Search-AdminAuditLog cmdlet. In my case I was searching for the creation of a user mailbox, and the syntax is:

Search-AdminAuditLog -StartDate 09/01/2012 -EndDate 09/09/2012 -ObjectID domain.name/Users/user.name
 
You can dump all log entries using Search-AdminAuditLog > c:\temp\adminlog.txt .

More on Administrator Audit Logging at http://technet.microsoft.com/en-us/library/dd335144.aspx
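The same question answered as a reusable function: who created (or enabled) a given mailbox, when, and with which parameters, plus a wider sweep of all mailbox-changing cmdlets when the object path is not known. This is an added example, not from the original post; it assumes the Exchange 2010 Management Shell, and the object path and dates are placeholders.

```powershell
function Find-MailboxCreator {
    param(
        [Parameter(Mandatory=$true)][string]$ObjectId,   # e.g. domain.name/Users/user.name
        [datetime]$StartDate = (Get-Date).AddDays(-30),
        [datetime]$EndDate   = (Get-Date)
    )
    Search-AdminAuditLog -Cmdlets New-Mailbox, Enable-Mailbox -ObjectIds $ObjectId `
        -StartDate $StartDate -EndDate $EndDate -ResultSize 5000 |
    ForEach-Object {
        New-Object PSObject -Property @{
            RunDate    = $_.RunDate
            Caller     = $_.Caller          # the admin account that ran the cmdlet
            Cmdlet     = $_.CmdletName
            Object     = $_.ObjectModified
            Succeeded  = $_.Succeeded
            Parameters = ($_.CmdletParameters | ForEach-Object { "{0}={1}" -f $_.Name, $_.Value }) -join '; '
        }
    } | Sort-Object RunDate
}

function Get-MailboxChangeAudit {
    # Everything that created, changed, disabled or removed a mailbox in the window.
    param([datetime]$StartDate = (Get-Date).AddDays(-7))
    Search-AdminAuditLog -StartDate $StartDate -EndDate (Get-Date) -ResultSize 5000 |
        Where-Object { $_.CmdletName -match '^(New|Enable|Set|Disable|Remove)-Mailbox$' } |
        Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded
}

Find-MailboxCreator -ObjectId "domain.name/Users/user.name" -StartDate 09/01/2012 -EndDate 09/09/2012 |
    Format-List RunDate, Caller, Cmdlet, Object, Succeeded, Parameters
Get-MailboxChangeAudit | Format-Table -AutoSize
```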

Email stuck in submission queue

In my case there were Exchange 2010 servers with the Mailbox, CAS and Hub Transport roles installed, together with Forefront Protection 2010 for Exchange, and one email message was stuck in the submission queue and quarantined by Forefront for Exchange due to a realtime timeout error for archives. To remove this message from the submission queue I used the Remove-Message cmdlet:

Get-Message -Filter {Fromaddress -eq "email address"} -Server name.of.server | Remove-Message


If you have stuck messages without a sender, use "<>" as the FromAddress value in the filter.
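A version of the removal that first saves an .eml copy of each stuck message for the investigation, and handles the empty-sender case ("<>") described above. This is an added example, not from the original post; it assumes the Exchange 2010 Management Shell, and the server name, sender and export folder are placeholders.

```powershell
function Remove-StuckMessage {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [string]$FromAddress = "<>",                     # "<>" selects messages with an empty sender
        [string]$ExportPath  = "C:\Temp\StuckMessages"   # placeholder evidence folder
    )
    if (-not (Test-Path $ExportPath)) { New-Item -ItemType Directory -Path $ExportPath | Out-Null }

    # Restrict to the Submission queue so nothing in delivery queues is touched by mistake.
    $filter = "FromAddress -eq '$FromAddress' -and Queue -eq '$Server\Submission'"
    $stuck  = Get-Message -Server $Server -Filter $filter
    if (-not $stuck) { Write-Host "No matching messages in $Server\Submission."; return }

    foreach ($m in $stuck) {
        # Export-Message only works on a suspended message; keep a copy before it is gone.
        Suspend-Message -Identity $m.Identity -Confirm:$false
        $id   = $m.Identity.ToString().Split('\')[-1]
        $file = Join-Path $ExportPath ("{0}-{1}.eml" -f $Server, $id)
        Export-Message -Identity $m.Identity | AssembleMessage -Path $file
        # No NDR: the sender is notified out of band, as in the post.
        Remove-Message -Identity $m.Identity -WithNDR $false -Confirm:$false
        New-Object PSObject -Property @{ Identity = $m.Identity; Subject = $m.Subject; SavedTo = $file }
    }
}

Remove-StuckMessage -Server "name.of.server" -FromAddress "sender@domain.some"
Remove-StuckMessage -Server "name.of.server"    # empty-sender messages
```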

Can't add users in message delivery restrictions for distribution group on Exchange 2010

In my case there were users, disabled both in Active Directory and as mailboxes, that were listed as allowed senders for a distribution group. When I tried to add new users as allowed senders for the distribution group, the following error appeared:

Error: Couldn't find object "domain/ou/disabled user". Please make sure that it was spelled correctly or specify a different object.
The resolution is to remove the disabled users from the allowed senders, which cannot be seen in the Exchange Management Console 2010. One way to do that is to enable Advanced Features in the Active Directory Users and Computers console and edit the authOrig attribute in the Attribute Editor. Remove all disabled accounts, refresh the Exchange Management Console, and you will be able to add new users as allowed senders for the distribution group.

How to change multivalued properties on Exchange 2010 (SP1,SP2) ?

In my case I wanted to add trusted senders and domains to the junk mail filter settings of the members of a distribution group. Set-MailboxJunkEmailConfiguration is the cmdlet for changing the trusted senders and domains of a user's Outlook Safe Senders list. TrustedSendersAndDomains is a multivalued property, and values can be added or removed with the following simple syntax without overwriting the values already present:

get-DistributionGroupMember -identity "alias" | Set-MailboxJunkEmailConfiguration -TrustedSendersAndDomains @{Add='emailaddress@domain.name','domain2.name', ...}

get-DistributionGroupMember -identity "alias" | Set-MailboxJunkEmailConfiguration -TrustedSendersAndDomains @{Remove='emailaddress@domain.name','domain2.name',....}

This syntax can be used to change any multivalued property, not just TrustedSendersAndDomains.

Asking yourself which w3wp.exe worker process represents which IIS 7.5 application pool?

In my case I had to find which IIS 7.5 application pool was running under which w3wp.exe process on Exchange 2010 servers. In Task Manager you can enable the PID column to identify the w3wp.exe processes:


In IIS 7 and 7.5 the appcmd utility, located in %windir%\system32\inetsrv, helps identify w3wp.exe worker processes with appcmd list wp :
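The appcmd output joined with Get-Process, so each w3wp.exe PID appears next to its application pool, working set and start time in one table. This is an added example, not from the original post; run it in an elevated PowerShell on the IIS host.

```powershell
function Get-W3wpAppPoolMap {
    $appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
    # appcmd output lines look like:  WP "4712" (applicationPool:MSExchangeOWAAppPool)
    $pools = @{}
    & $appcmd list wp | ForEach-Object {
        if ($_ -match '^WP "(\d+)" \(applicationPool:(.+)\)$') { $pools[[int]$Matches[1]] = $Matches[2] }
    }
    Get-Process -Name w3wp -ErrorAction SilentlyContinue | ForEach-Object {
        New-Object PSObject -Property @{
            PID       = $_.Id
            # A w3wp.exe that appcmd does not report is worth a second look (pool being recycled, or not IIS's).
            AppPool   = $(if ($pools.ContainsKey($_.Id)) { $pools[$_.Id] } else { '(not reported by appcmd)' })
            WorkingMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
            StartTime = $_.StartTime
        }
    } | Sort-Object AppPool
}

Get-W3wpAppPoolMap | Format-Table PID, AppPool, WorkingMB, StartTime -AutoSize
```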

Error events FSEAgent event id 8056 and Microsoft Forefront Protection event id 7063

In my case, on one of the Exchange 2010 multi-role servers with Forefront Protection 2010 for Exchange installed, error events from FSEAgent with event ID 8056:
1 messages have been archived and purged due to an error while scanning. Please ensure that mail is not queuing.
 
and from Microsoft Forefront Protection with event ID 7063:
Archived undeliverable items exist.
started to appear every hour. As the error message suggests, there was one message that was not processed, and the queues were not piling up, so the user was notified to remove the problematic attachments and resend the message. To stop these error events from appearing in the Exchange 2010 Application log, I deleted the "problematic" message from the relevant subfolder (in my case) under drive:\install folder\Microsoft Forefront Protection for Exchange Server\Data\Archive\Undeliverable\ .

Can't modify message delivery restrictions properties on Exchange 2010 EMC


In my case there was a distribution group with message delivery restrictions defined: the group accepted messages only from the senders listed in the list box. When I tried to modify the list of users I received the following error message:
"Set-DistributionGroup Failed: Error: Couldn't find object "domain/local/disabled users/user who is no longer in company." 
The disabled user was not shown in the list presented by the Exchange 2010 EMC, so I could not remove it from the console.
This can be resolved with the Exchange 2007 EMC (where the disabled user is visible in the list box of the message delivery restrictions dialog) if you are in a migration period from Exchange 2007, or with the Active Directory Users and Computers console from Windows Server 2008 or ADSI Edit. In the properties of the "problematic" distribution group, the Attribute Editor tab (ADUC console) shows the authOrig attribute, which holds the users that can send email messages to that group. In the authOrig attribute value you can see and remove the disabled account. After removing the disabled user you can modify the message delivery restrictions properties with the Exchange 2010 EMC.

How to create anonymous relay receive connector on Exchange 2010 ?

My best practice is to create a separate custom receive connector for anonymous users instead of using the default one, so that you can limit by source IP address who is able to relay email anonymously. To do so you have to grant the anonymous logon the extended right to accept any recipient email address (in this example we created a new receive connector named "AnoRel"):

Get-ReceiveConnector "AnoRel" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

More on this topic on http://technet.microsoft.com/en-us/library/bb232021.aspx
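The full connector setup the post recommends, with the source IP restriction in place and a verification step that catches the one thing that turns this into an open relay: a remote IP range covering every address. This is an added example, not from the original post; it assumes the Exchange 2010 Management Shell, and the server name and IP addresses are placeholders.

```powershell
$Server  = "HUB01"                                 # placeholder Hub Transport server
$Name    = "AnoRel"
$Sources = @("10.10.5.20", "10.10.5.21")            # placeholder: only these hosts may relay

# Dedicated connector: anonymous is allowed, but only from the listed source addresses.
New-ReceiveConnector -Name $Name -Server $Server -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $Sources `
    -PermissionGroups AnonymousUsers `
    -Comment "Anonymous relay for internal application servers (source IP restricted)" | Out-Null

# Without this extended right anonymous senders can only reach internal recipients (no relay).
Get-ReceiveConnector "$Server\$Name" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# Verify: the remote IP scope must never be the whole address space when this right is granted.
$rc       = Get-ReceiveConnector "$Server\$Name"
$wideOpen = $rc.RemoteIPRanges | Where-Object { $_.ToString() -like '0.0.0.0*' }
if ($wideOpen) { Write-Warning "$Name accepts anonymous relay from any IP address - this is an open relay." }
Get-ADPermission -Identity "$Server\$Name" -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like '*Accept-Any-Recipient*' } |
    Format-Table User, ExtendedRights, Deny, IsInherited -AutoSize
```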

How to find delegated Send As on a user mailbox

If you would like to find delegated Send As permissions on user mailboxes, you can use the following PowerShell script:
Get-Mailbox | Get-ADPermission | where { ($_.ExtendedRights -like "*Send-As*") -and -not ($_.User -like "NT AUTHORITY\SELF") } | select Identity, User, ExtendedRights, IsInherited | FT -Wrap

For example, you can use this script to find BES-enabled users with Send As delegated to the BES admin user.

Changing logo on OWA Exchange 2010 SP1

If you would like to customize the default OWA logo shown after you log on to OWA 2010:


you have to replace the default OWA logo in the sprites file. The sprite and CSS files are located at \Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\<version>\themes\base\ (csssprites.png and csssprites.css). If you open the sprites file you will see the default logo:


If you open the CSS file, you will see that the logo size should be 144x42:


.sprites-logoowa-png{background-image:url('csssprites.png');background-position:-62px 0px;width: 144px;height: 42px;}
After inserting the new logo into the sprites file, you will see it after logging on to OWA 2010 (note: be careful when modifying the sprites file, and keep a backup of the original).


Receiving warning event 1021 from MSExchangeTransport on Exchange 2010

You may see the following warning on your Exchange 2010 Hub Transport servers:

Receive connector <receive connector name> rejected an incoming connection from IP address a.b.c.d. The maximum number of connections per source (20) for this connector has been reached by this source IP address.
Receive connectors have a parameter that specifies the maximum number of inbound connections the connector serves at the same time from a single IP address. Before raising it, check that the source IP in the event is a legitimate sender (an application server, an anti-spam gateway) rather than an unexpected host. You can change this value with the Set-ReceiveConnector cmdlet (for example, to allow 50 concurrent connections from the same IP address: Set-ReceiveConnector "unique receive connector name" -MaxInboundConnectionPerSource 50 ). More on Set-ReceiveConnector: http://technet.microsoft.com/en-us/library/bb125140.aspx .

Insufficient access rights to perform the move mailbox operation from Exchange 2007 to Exchange 2010 organization

When moving a mailbox from an Exchange 2007 to an Exchange 2010 organization I experienced the following error message:

Error:
Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098:  problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.

The reason is that inheritable permissions are not enabled on the user object. To resolve this error, tick the "Allow inheritable permissions from this object's parent" check box in the AD user's advanced security settings dialog:


After setting the check box, the move mailbox operation should complete successfully.
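The same check and fix from PowerShell, which also shows the adminCount attribute: an account that is (or was) in a protected group gets inheritance removed again by the AdminSDHolder process, so for those the check box alone does not stick. This is an added example, not from the original post; it assumes the ActiveDirectory module (AD: drive), and the user name is a placeholder.

```powershell
Import-Module ActiveDirectory

function Repair-AdInheritance {
    param([Parameter(Mandatory=$true)][string]$SamAccountName, [switch]$Fix)
    $u    = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $path = "AD:\" + $u.DistinguishedName
    $acl  = Get-Acl -Path $path
    $state = New-Object PSObject -Property @{
        User               = $u.SamAccountName
        InheritanceBlocked = $acl.AreAccessRulesProtected   # $true = the check box is cleared
        AdminCount         = $u.adminCount                  # 1 = AdminSDHolder will re-block inheritance
        Fixed              = $false
    }
    if ($acl.AreAccessRulesProtected -and $Fix) {
        # $false = allow inheritance, $true = keep the existing explicit ACEs (what the ADUC dialog does)
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
        $state.Fixed = $true
        if ($u.adminCount -eq 1) {
            Write-Warning "$SamAccountName has adminCount=1; AdminSDHolder will remove inheritance again within the hour unless the account leaves the protected group and adminCount is cleared."
        }
    }
    $state
}

Repair-AdInheritance -SamAccountName "user.name"        # placeholder: report only
Repair-AdInheritance -SamAccountName "user.name" -Fix   # enable inheritance, then retry the move
```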

Receiving error event 4002 from MSExchange Availability on Exchange 2010

During the upgrade from Exchange 2007 to Exchange 2010 I experienced error event 4002 in the Application log on the Exchange 2010 servers. Here is part of the error:

Process 5436: ProxyWebRequest IntraSite from S-1-1-0 to https://casserver2007.local.domain/EWS/Exchange.asmx failed. Caller SIDs: NetworkCredentials. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: System.Web.Services.Protocols.SoapException: Microsoft.Exchange.InfoWorker.Common.Availability.TimeIntervalTooBigException: The requested time duration specified for FreeBusyViewOptions.TimeWindow is too long. The allowed limit = 42 days; the actual limit = 62 days. ---> The requested time duration specified for FreeBusyViewOptions.TimeWindow is too long. The allowed limit = 42 days; the actual limit = 62 days.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
at Microsoft.Exchange.InfoWorker.Common.Availability.Proxy.Service.EndGetUserAvailability(IAsyncResult asyncResult)
at Microsoft.Exchange.InfoWorker.Common.Availability.FreeBusyApplication.EndProxyWebRequest(ProxyWebRequest proxyWebRequest, QueryList queryList, Service service, IAsyncResult asyncResult)
at Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequest.EndInvoke(IAsyncResult asyncResult)
at Microsoft.Exchange.InfoWorker.Common.Availability.AsyncWebRequest.EndInvokeWithErrorHandling(). The request information is ProxyWebRequest type = IntraSite, url = https://casserver2007.local.domain/EWS/Exchange.asmx

By default, Exchange 2007 allows availability queries for 42 days, while for Exchange 2010 the limit is 62 days. So when Exchange 2010 makes a request for a user on Exchange 2007, the request fails because Exchange 2010 asks for 62 days of information while Exchange 2007 accepts at most 42 days. To avoid this issue you can set the maximumQueryIntervalDays value in the EWS web.config located in exchange 2007 installation folder\ClientAccess\Exchweb\ews . maximumQueryIntervalDays must be added under the appSettings section. By default this value does not exist and Exchange 2007 uses the default interval of 42 days. Here is a sample of how the appSettings section should look:

<appSettings>
<add key="maximumQueryIntervalDays" value="62" />
</appSettings>

After adding this setting you have to run IISReset, and the Exchange 2007 CAS server will accept the new value. In my case this setting made the error event 4002 on Exchange 2010 disappear.
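The web.config change applied as an idempotent script: back up the file, add the appSettings key only if it is missing, change the value only if it differs, and recycle IIS only when something changed. This is an added example, not from the original post; the web.config path is a placeholder for the Exchange 2007 installation folder.

```powershell
$WebConfig = "C:\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\ews\web.config"   # placeholder path
$Days      = 62   # match the Exchange 2010 availability window described above

# Keep a timestamped copy so the change can be rolled back.
Copy-Item -Path $WebConfig -Destination ("{0}.{1:yyyyMMddHHmmss}.bak" -f $WebConfig, (Get-Date))

[xml]$cfg = Get-Content -Path $WebConfig
$appSettings = $cfg.configuration.SelectSingleNode('appSettings')
if (-not $appSettings) {
    $appSettings = $cfg.configuration.AppendChild($cfg.CreateElement('appSettings'))
}
$node = $appSettings.SelectSingleNode("add[@key='maximumQueryIntervalDays']")
if (-not $node) {
    $node = $appSettings.AppendChild($cfg.CreateElement('add'))
    $node.SetAttribute('key', 'maximumQueryIntervalDays')
}
if ($node.GetAttribute('value') -ne "$Days") {
    $node.SetAttribute('value', "$Days")
    $cfg.Save($WebConfig)
    Write-Host "maximumQueryIntervalDays set to $Days; restarting IIS so EWS picks it up."
    iisreset /noforce | Out-Null
} else {
    Write-Host "maximumQueryIntervalDays is already $Days; nothing to do."
}
```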

You're unable to activate database copy on Exchange 2010 mailbox server

If you receive the following error message when you try to activate a mailbox database copy on some of your DAG member servers:

An Active Manager operation failed. Error: An error occurred while trying to validate the specified database copy for possible activation. Error: Database copy 'Mailbox Database 01' on server 'Server3.domain.name' has content index catalog files in the following state: 'Failed'..

You can check the status of the mailbox database content index with:

Get-MailboxDatabaseCopyStatus | fl name, contentindexstate

Name              : Mailbox Database 01\Server3
ContentIndexState : Failed

Name              : Mailbox Database 02\Server3
ContentIndexState : Healthy

Also on the mailbox server where the content index is corrupted you can see the following event:

Event ID: 123
Level: Error
Source: ExchangeStoreDB

At <timestamp> the Microsoft Exchange Information Store Database <identity> copy on this server experienced a corrupted search catalog. Consult the event log on the server for other "ExchangeStoreDb" and "MSExchange Search Indexer" events for more specific information about the failure. Reseeding the catalog is recommended via the 'Update-MailboxDatabaseCopy' task.

To resolve this problem you can update the content index on the failed server with Update-MailboxDatabaseCopy ( http://technet.microsoft.com/en-us/library/ee633475.aspx ):

Update-MailboxDatabaseCopy "Mailbox Database 01\Server3" -CatalogOnly

After reseeding, the content index should be in healthy state:

Get-MailboxDatabaseCopyStatus | fl name, contentindexstate

Name : Mailbox Database 01\Server3
ContentIndexState : Healthy

Name : Mailbox Database 02\Server3
ContentIndexState : Healthy

Now you can successfully activate Mailbox Database 01 on Server3.
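The check and reseed above generalized to every database copy on a server: find the failed catalogs, reseed only the catalog of the passive copies, then re-check. This is an added example, not from the original post; it assumes the Exchange 2010 Management Shell, and "Server3" is the placeholder from the post.

```powershell
function Repair-FailedContentIndexes {
    param([string]$Server = $env:COMPUTERNAME, [switch]$WhatIf)
    $failedStates = 'Failed', 'FailedAndSuspended'
    $bad = Get-MailboxDatabaseCopyStatus -Server $Server |
        Where-Object { $failedStates -contains $_.ContentIndexState }
    if (-not $bad) { Write-Host "No failed content indexes on $Server."; return }

    foreach ($copy in $bad) {
        # Only passive copies are reseeded here; the active (mounted) copy is reported for manual follow-up.
        if ($copy.Status -eq 'Mounted') {
            Write-Warning "$($copy.Name) is the active copy; handle its catalog separately."
            continue
        }
        if ($WhatIf) { Write-Host "Would run Update-MailboxDatabaseCopy '$($copy.Name)' -CatalogOnly"; continue }
        # -CatalogOnly reseeds just the search catalog; the database and log files are left untouched.
        Update-MailboxDatabaseCopy -Identity $copy.Name -CatalogOnly -Confirm:$false
    }
    # Verify: anything still listed here needs a closer look ('Crawling' means the new catalog is still being built).
    Get-MailboxDatabaseCopyStatus -Server $Server |
        Where-Object { $_.ContentIndexState -ne 'Healthy' } |
        Select-Object Name, Status, ContentIndexState
}

Repair-FailedContentIndexes -Server "Server3" -WhatIf   # dry run
Repair-FailedContentIndexes -Server "Server3"
```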

Public folder database does not replicate on Exchange 2010

In my case the Exchange organization had been migrated from Exchange 2000 to Exchange 2007. Public folder replication between the Exchange 2000 and 2007 servers was fine before the last Exchange 2000 server was removed, and after its removal public folder replication between the Exchange 2007 mailbox servers kept working. When Exchange 2010 mailbox servers were introduced into the organization, mail flow was fine, but public folder databases created on the Exchange 2010 servers did not replicate with the public folder databases mounted on the Exchange 2007 mailbox servers. In the event log of the Exchange 2010 mailbox servers I found the following event:

Log Name: Application
Source: MSExchange Store Driver
Event ID: 1020
Level: Error
Description:

The store driver couldn't deliver the public folder replication message "Hierarchy (PublicFolder@domain.name)" because the following error occurred: The Active Directory user wasn't found.

The resolution is to delete the empty Servers container (using ADSI Edit) in Active Directory, which was left over from the Exchange 2000 organization:



Microsoft has published an article about this issue: http://support.microsoft.com/?kbid=2487271 .
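A read-only query that lists every Servers container under the Exchange administrative groups and flags the empty ones, so the leftover container can be confirmed before it is deleted in ADSI Edit. This is an added example, not from the original post; it assumes the ActiveDirectory module, and that Servers containers carry the object class msExchServersContainer and server objects msExchExchangeServer (an assumption about the Exchange schema).

```powershell
Import-Module ActiveDirectory

function Get-ExchangeServersContainers {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Microsoft Exchange,CN=Services,$configNC"
    # Each administrative group has one Servers container (assumed class: msExchServersContainer).
    Get-ADObject -SearchBase $base -LDAPFilter "(objectClass=msExchServersContainer)" |
        ForEach-Object {
            $servers = @(Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                            -LDAPFilter "(objectClass=msExchExchangeServer)")
            New-Object PSObject -Property @{
                AdminGroup  = (($_.DistinguishedName -split ',')[1] -replace '^CN=', '')
                Container   = $_.DistinguishedName
                ServerCount = $servers.Count
                Servers     = ($servers | ForEach-Object { $_.Name }) -join ', '
            }
        }
}

# Empty containers are the candidates; remove one only after confirming its administrative group
# really belongs to the decommissioned Exchange 2000 organization and holds nothing else you need.
Get-ExchangeServersContainers | Sort-Object ServerCount | Format-Table AdminGroup, ServerCount, Servers -AutoSize
Get-ExchangeServersContainers | Where-Object { $_.ServerCount -eq 0 } | Format-List AdminGroup, Container
```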

How to check EMBG (Unique Master Citizen Number) using regex

In this post, I will share my implementation of how to check if some number looks like EMBG or Unique Master Citizen Number. For those of yo...