Exchange

Exchange Online Mail Enabled Security Groups

Posted on September 25, 2018September 25, 2018 by Adam Fowler

One of the things I’ve found out while migrating to Exchange Online was around access to shared mailboxes, and having to alter my methods slightly.

For Exchange On-Prem (Exchange 2010), whenever I created a shared mailbox I would control access with a security group. If the mailbox was called “Finance”, then I’d have an Active Directory Security Group called “Finance Mailbox Full Access” and give that group full access to the mailbox. Then, I’d add the staff that needed access to that group – meaning it was easier to track and manage who had access to what, particularly with nested group support so I could add a whole department in.

The extra win on this approach was around applying logic to the groups. When someone joined or left Finance, the user management process would ensure the user was added to a group for Finance. That would then feed into all the access that Finance were granted through the groups that single group was inside – and it works great.

The good news is that this is still possible going to Exchange Online, my nested and automated systems can continue to work. However, some changes were required to make this work.

Firstly, any security group that is going to be added to an Exchange Online mailbox for access must be mail enabled. This goes against my personal best practice as I liked complete seperation of security groups and email groups, because I didn’t want to deal with scenarios where ‘All Finance need this resource, but I don’t want them to get the emails about the same resource’. Still, having a descriptive security group name should avoid that happening.

This leads to another catch – to mail enable a security group, it has to be ‘universal’. In turn, that means every other group that those groups are inside also need to be universal.

For me this was easy, since all my security groups were cleanly in a single OU, and there was no impact to me on changing them to universal (check this for yourself though!)

Get-ADGroup -SearchBase
“ou=Security Groups,ou=ABC,dc=com” | Set-ADGroup -GroupScope DomainLocal

After that, ,ail enabling an existing security group is easy with the PowerShell command:

Enable-DistributionGroup

I was actually able to mail enable all my Security Groups that granted mailbox access at once, by getting all the groups and filtering them down to only ones that contained the word ‘Mailbox’

Get-Group -resultsize unlimited | where {$_.name -like “mailbox“} | Enable-DistributionGroup

You’ll also need to mail enable any groups inside the groups, and you should be able to work this out based on the above commands.

Keep in mind you’ll probably want to hide all these groups from the address book so users can’t see them – in Exchange 2010 the GUI lets you mass select and change this option, but it’s also easy to do from PowerShell (but you’d need to

Get-Group -resultsize unlimited | where {$_.name -like “mailbox“}| Set-DistributionGroup –HiddenFromAddressListsEnabled:$true

Note that if you use PowerShell to give a non mail-enabled Security Group access to a mailbox, it will appear in the Exchange admin center, but it won’t work. As far as EAC knows, it has no members because it’s not mail enabled. I found this out the hard way!

Removing Unwanted SMTP Records From Exchange Hybrid

Posted on November 7, 2017 by Adam Fowler

I’m still new to Exchange Online and Office 365 mailbox management, but got stuck on this scenario for a bit.

After testing an E-mail Address Policy, I wanted to remove what the policy had done. I’d already discovered that taking an address off a policy itself doesn’t remove it from the accounts, and run this simple script to remove the unwanted SMTP record off each account. However, accounts that had been migrated to Office 365 didn’t change and still had the unwanted SMTP record.

I checked on Exchange Online itself, and the address I’d added hadn’t flowed through. I believe this was because it was using a domain that Office 365 didn’t know about – but that also meant that I had no records to change at that end. I could however go into the mailbox itself via the Exchange console and remove the unwanted record.

It turns out, that I had to use the ‘Get-RemoteMailbox’ and ‘Set-RemoteMailbox’ command in place of the ‘Get-Mailbox’ command. Although I was working with Exchange PowerShell on-premises, the mailbox type is “RemoteUserMailbox’. ‘Get-Mailbox’ against any migrated item will not find those objects that live in the cloud.

If you want to see which Exchange objects have a particular SMTP record in Exchange 2010, regardless of what mailbox type they are or where it lives, there’s an easy way.

Make sure the ‘Recipient Configuration’ tree option in the Exchange Console is selected, and filter with E-Mail Addresses > Contains > your unwanted SMTP record:

This will make sure all object types (including groups, contacts etc) don’t have the unwanted SMTP record.

Stellar Exchange Tookit Review

Posted on June 23, 2017June 22, 2017 by Adam Fowler

Stellar Data Recovery reached out to me to see if I was interested in reviewing their product. I only accept these when I can see a personal interest in what the product does. The 5 key things this product does are:

1. Repair corrupt EDB files
2. Mailbox Extractor for Exchange Server
3. OST – PST conversion
4. Mailbox Extractor for Exchange Backup
5. Password Recovery for MS Exchange

Primarily I was interested in OST to PST conversion, as I’ve tried to do this before and had no luck with free solutions, and wanted to try a paid product that could solve the problem. (It’s also worth noting this isn’t cheap software. Also if you only want a more basic OST to PST converter, they sell that by itself for a lot less.)

I tested the Exchange Toolkit on an Outlook 2016 OST file I’d copied off another computer, that was 2GB in size. It does take a little while to process, but displays the results in a nice Outlookesque GUI:

There’s also a search function, which is handy if you’re just after a particular email from the OST.

If you need to export the results, there’s a bunch of useful options:

I was impressed with the options to export directly to Exchange Server and Office 365! But for me, I was happy with a PST. The resulting PST file was readable via Outlook 2016, so the product does exactly what it says on the virtual box.

Another part of the toolkit I looked at, was the Mailbox Extractor. Again, there’s several options, but I tried connecting to a live Exchange 2010 server to extract emails:

After connecting, again I was presented with an Outlook style of emails. I then realised there’s a few use cases for this tool that are handy to me personally; if I need to go into a mailbox to get something out, this is much easier than adding a second mailbox or profile. It also then lets me take out those emails in a variety of ways – for example, I can select a folder and then export all contents of that folder into several formats, such as PST, MSG, PDF, HTML and RTF. For HTML and PDF, it will create a file per email with the same subject name.

I can see the other functions of this product being useful for someone who’s often dealing with other companies’ data, old data that needs to be restored, or extracting out a mailbox from an online Exchange server. It’s an interesting array of tools, and I’ll try to report back on whether this tool does the job well or not.

Worth checking out these tools if you run into a scenario where you need them – sometimes there’s a freeware or open source solution, but often they don’t work, are old, unreliable or limited in functionality. Stellar Exchange Toolkit seems to do what it claims well, and I look forward to trying more features in the future.

Blank Page For Skype For Business Web App

Posted on September 4, 2016 by Adam Fowler

I had an issue recently where remote clients couldn’t connect to Skype for Business online meetings – when clicking the link, all they saw in the browser was a blank page. The tab of the browser showed ‘Skype for Business Web App’ but the page area had nothing.

This didn’t seem to affect all external clients (internal was fine), when I tested on Windows Server 2012 R2 from home it worked fine. Windows 7 however was affected, and I’m not sure on Windows 8, 8.1 or 10.

This technet post mentions it breaks ‘Conferencing Functionality and PowerPoint Presentations’ as well as ‘ White Boarding, polling’ which was caused by KB3142030. Hoping that was our problem, I uninstalled the update and rebooted – but no luck.

The next check was around .NET framework 4.6.1 which is unsupported on Exchange and Skype for Business Servers (Lync too!) but we didn’t have that installed, due to using the suggested registry setting in the linked article to block the install.

After an evening of troubleshooting and rebooting servers and firewalls that didn’t help, our support found the problem for us – a misconfigured load balancer, that had an incorrect IP for one of the front-end Skype for Business servers. Updating the IP immediately resolved the issue.

Looking back on it, that explains why I had some clients work and not others – it just appeared to be in a pattern that was OS related due to the luck of round robin routing on a load balancer!

Due to the way Skype for Business handles the web requests, by first hitting an edge server then an internal front end server, you may have multiple load balancers in the way and get partial page loading.

Another lesson learnt!

Mass Import PSTs To Different Folders In A Single Mailbox

Posted on July 6, 2016July 6, 2016 by Adam Fowler

I had a scenario come up where someone had 50 or so PST files. I wanted to add them all into their mailbox, but have a separate folder for each PST’s contents to go to.

This was on Exchange 2010 SP3 but should apply to newer versions too, and this is assuming you have at least Exchange 2010 SP1 – importing was done differently before this.

For starers, ExchangeServerPro covers the basics of PST importing. PeteNetLive delves a bit deeper into batch importing, which was close to what I wanted but had to modify somewhat.

I had the PST files in a UNC path, so started by navigating there – in Powershell, you can just ‘cd //server/sharename/’ (even though “cd” is an alias for “Set-Location”, I can’t help but use it!)

Once in the share that contains the PST files (and it HAS to be a share, can’t be an admin $ share, and needs the correct permissions as per ExchangeServerPro’s article), you can run this command:

dir *.pst | %{ New-MailboxImportRequest -BatchName Recovered -Mailbox alias -name $_.BaseName -FilePath “$_.” -TargetRootFolder $_.BaseName}

This will get the list of files, and run a mailbox import request against each one. “alias” needs to be changed to the mailbox name. The Filepath is just being called as itself “$_.” and the Target Root Folder is using BaseName, which is the filename without the extension .pst.

I’m also using the filename as the name for the job, if you leave that out it’ll hit a wall after 10 jobs and want a unique name (if not specified, the name is MailboxImport, then MailboxImport1, MailboxImport2 etc and hits a wall at MailboxImport9). That also makes it easy if one of the jobs fail, to work out which PST was involved.

This worked really well for me, so hopefully it helps someone else out there!

Share this:

Share this:

Share this:

Share this:

Share this: