Exchange

Stellar Exchange Tookit Review

Stellar Data Recovery reached out to me to see if I was interested in reviewing their product. I only accept these when I can see a personal interest in what the product does. The 5 key things this product does are:

1. Repair corrupt EDB files
2. Mailbox Extractor for Exchange Server
3. OST – PST conversion
4. Mailbox Extractor for Exchange Backup
5. Password Recovery for MS Exchange

Primarily I was interested in OST to PST conversion, as I’ve tried to do this before and had no luck with free solutions, and wanted to try a paid product that could solve the problem. (It’s also worth noting this isn’t cheap software. Also if you only want a more basic OST to PST converter, they sell that by itself for a lot less.)

I tested the Exchange Toolkit on an Outlook 2016 OST file I’d copied off another computer, that was 2GB in size. It does take a little while to process, but displays the results in a nice Outlookesque GUI:

There’s also a search function, which is handy if you’re just after a particular email from the OST.

If you need to export the results, there’s a bunch of useful options:

I was impressed with the options to export directly to Exchange Server and Office 365! But for me, I was happy with a PST. The resulting PST file was readable via Outlook 2016, so the product does exactly what it says on the virtual box.

Another part of the toolkit I looked at, was the Mailbox Extractor. Again, there’s several options, but I tried connecting to a live Exchange 2010 server to extract emails:

After connecting, again I was presented with an Outlook style of emails. I then realised there’s a few use cases for this tool that are handy to me personally; if I need to go into a mailbox to get something out, this is much easier than adding a second mailbox or profile. It also then lets me take out those emails in a variety of ways – for example, I can select a folder and then export all contents of that folder into several formats, such as PST, MSG, PDF, HTML and RTF. For HTML and PDF, it will create a file per email with the same subject name.

I can see the other functions of this product being useful for someone who’s often dealing with other companies’ data, old data that needs to be restored, or extracting out a mailbox from an online Exchange server. It’s an interesting array of tools, and I’ll try to report back on whether this tool does the job well or not.

Worth checking out these tools if you run into a scenario where you need them – sometimes there’s a freeware or open source solution, but often they don’t work, are old, unreliable or limited in functionality. Stellar Exchange Toolkit seems to do what it claims well, and I look forward to trying more features in the future.

Blank Page For Skype For Business Web App

skypeforbusiness

I had an issue recently where remote clients couldn’t connect to Skype for Business online meetings – when clicking the link, all they saw in the browser was a blank page. The tab of the browser showed ‘Skype for Business Web App’ but the page area had nothing.

This didn’t seem to affect all external clients (internal was fine), when I tested on Windows Server 2012 R2 from home it worked fine. Windows 7 however was affected, and I’m not sure on Windows 8, 8.1 or 10.

This technet post mentions it breaks ‘Conferencing Functionality and PowerPoint Presentations’ as well as ‘ White Boarding, polling’ which was caused by KB3142030. Hoping that was our problem, I uninstalled the update and rebooted – but no luck.

The next check was around .NET framework 4.6.1 which is unsupported on Exchange and Skype for Business Servers (Lync too!) but we didn’t have that installed, due to using the suggested registry setting in the linked article to block the install.

After an evening of troubleshooting and rebooting servers and firewalls that didn’t help, our support found the problem for us – a misconfigured load balancer, that had an incorrect IP for one of the front-end Skype for Business servers. Updating the IP immediately resolved the issue.

Looking back on it, that explains why I had some clients work and not others – it just appeared to be in a pattern that was OS related due to the luck of round robin routing on a load balancer!

Due to the way Skype for Business handles the web requests, by first hitting an edge server then an internal front end server, you may have multiple load balancers in the way and get partial page loading.

Another lesson learnt!

Mass Import PSTs To Different Folders In A Single Mailbox

I had a scenario come up where someone had 50 or so PST files. I wanted to add them all into their mailbox, but have a separate folder for each PST’s contents to go to.

This was on Exchange 2010 SP3 but should apply to newer versions too, and this is assuming you have at least Exchange 2010 SP1 – importing was done differently before this.

For starers, ExchangeServerPro covers the basics of PST importing. PeteNetLive delves a bit deeper into batch importing, which was close to what I wanted but had to modify somewhat.

I had the PST files in a UNC path, so started by navigating there – in Powershell, you can just ‘cd //server/sharename/’ (even though “cd” is an alias for “Set-Location”, I can’t help but use it!)

Once in the share that contains the PST files (and it HAS to be a share, can’t be an admin $ share, and needs the correct permissions as per ExchangeServerPro’s article), you can run this command:

dir *.pst | %{ New-MailboxImportRequest -BatchName Recovered -Mailbox alias -name $_.BaseName -FilePath “$_.” -TargetRootFolder $_.BaseName}

This will get the list of files, and run a mailbox import request against each one. “alias” needs to be changed to the mailbox name. The Filepath is just being called as itself “$_.” and the Target Root Folder is using BaseName, which is the filename without the extension .pst.

I’m also using the filename as the name for the job, if you leave that out it’ll hit a wall after 10 jobs and want a unique name (if not specified, the name is MailboxImport, then MailboxImport1, MailboxImport2 etc and hits a wall at MailboxImport9). That also makes it easy if one of the jobs fail, to work out which PST was involved.

This worked really well for me, so hopefully it helps someone else out there!

Turning Out Of Office Off and On via Script

There has been a long-lacking feature in Outlook – the ability to automatically set your Out of Office message to turn on and off on a scheduled basis.

It would be great to be able to have a bounce back on anything sent outside your working hours, but it isn’t easily possible natively unless you use a vbs script inside an Outlook rule – requiring Outlook to actually be running.

I decided to come up with my own solution. This isn’t good for individuals, but is good for centralised mailboxes, say an IT Helpdesk mailbox that you want people to know when someone will look at their request or not.

Step 1 – Set the Out Of Office message you want on your mailbox manually. Outlook, OWA, however you do it, it doesn’t matter. Your message will be saved on the server.

Step 2 – Save the script below as a .ps1, and change the variables to what you want. I have two scripts, one that enables, and the other that disables Out of Office

Step 3 – Create two Scheduled Task on a server. One will be when you want the Out of Office on, and the other when you want it off. Below I’ve created one for the ‘on’ part, which triggers weekly on Monday, Tuesday, Wednesday, Thursday and Friday at 7:30am. The Off would do the same, but at 5pm.

snip1

The conditions of the Scheduled Tasks would be to run the powershell script files, again matching up the on and offs. The command to use is “powershell.exe” and the arguments pointing to the location of your newly created ps1 scripts in the format ” -file “C:\scripts\admin\Out Of Office On.ps1″ ”

snip2

The task needs to be set to ‘Run whether user it logged on or not’.

The account used to run the task needs to have the correct role based permissions to connect to Exchange, and make changes to the auto reply config.

The script will also generate an email to advise that the status of Out Of Office has been changed, pulling the value afterwards so you can check that it’s toggled correctly.

If the script doesn’t run automatically, you may need to adjust your Execution Policy settings.

That’s it. You should have two scheduled tasks that run to turn Out of Office off and on against the mailbox you want.

PowerShell Script:

#TODO – Definie Mailbox name and state enabled or disabled
$mailbox = “name”
$state = “enabled”
$exchangeserver = “exchange server name”

#Connect To Exchange PowerShell Session
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$exchangeserver/Powershell -Authentication Kerberos
Import-PSSession $session
#Turn Out Of Office On
Set-MailboxAutoReplyConfiguration $mailbox -AutoReplyState $state
$results = Get-mailboxautoreplyconfiguration $mailbox |select Autoreplystate

#Emails the current status
send-mailmessage -to “Displayname 1 <email@contoso.com>” -from “Displayname 2 <anotheremail@contoso.com>” -subject “IT Help OOO Status” -body “The OutOf Office Message is now $results” -SmtpServer smtp.yourserver.com.au

Remove-PSSession -Session $session

 

Update 15th March 2016

I’ve also realised that Softera Adaxes which I reviewed previously, can do the above quite easily. Here’s how their scheduled tasks work, but simply put you can create a scheduled task to run on weekdays, that sets the Out of Office message and turns it on today, then off today +1 day (i.e. tomorrow), and run that daily to update the date! That’s a more elegant solution, but you need to buy Adaxes or already have it. I’m still using it and recommend it, and decided to do the above this cleaner way. This isn’t a sponsored comment :)

Script to Change Multiple Out Of Office Messages

This is probably an inefficient script, but I needed to create it as a once off to change the wording of any user with an Out Of Office message. It will go through every account, and change any instance of swearword and replace it with censored (no, this isn’t what I needed to use it for!).

This is using the Exchange Management Shell:

$data = get-mailbox -resultsize unlimited
foreach ($user in $data){
$currentreply = Get-MailboxAutoReplyConfiguration $user.alias
$newreply = $currentreply.internalmessage -replace “swearword”, “censored”
Set-MailboxAutoReplyConfiguration $user.Alias -InternalMessage $newreply -ExternalMessage $newreply
}

You can also use this to find any accounts with an Out Of Office message containing a certain word or phrase:

$data = get-mailbox -resultsize unlimited
foreach ($user in $data){
Get-MailboxAutoReplyConfiguration $user.alias | Where-Object {$_.internalmessage -like “*swearword1 swearword2*”}
}

Used on Exchange 2010, but should work on 2007 and 2013 also. You may notice the results of InternalMessage and ExternalMessage are hard to read, as by default they’ll show the HTML coding – you may need to factor this into any searches or replaces you perform.

Full Mailbox Access to All Mailboxes in Exchange 2010

I’ll start this out by saying ‘Full Mailbox Access to All Mailboxes’ is generally a bad idea. It should be done on demand with the appropriate approvals and paper trails, but there are times when this may be needed – for example a service account for 3rd party software that has to read or add things to everyone’s mailbox in the company.

In my last post “End User Management of Distribution Groups in Exchange 2010” I explained how the new Role Based Access Control (RBAC) worked. Although this can be used to configure many things, it won’t give you full access to a mailbox as it’s an Active Directory based permission.

You can manually do this on a per mailbox level by either using the Exchange Management Console, or the Exchange Management Shell by following the Microsoft Technet documentation here and it’s fairly easy to convert this to all mailboxes in powershell, but that won’t help you with newly created mailboxes after running the command.

Yes you could run a daily task to get around that, but an alternative is giving AD access at the database level. Any existing or newly created mailbox will get permissions this way.

So, with that all in mind, the Exchange Powershell command to run on a particular database is:

Get-MailboxDatabase -identity “[mailbox database name]” | Add-ADPermission -user [username] -AccessRights GenericAll

If you don’t know what your databases are, just run ‘Get-MailboxDatabase’ or if you want to just apply the permissions to all databases:

Get-MailboxDatabase | Add-ADPermission -user [username] -AccessRights GenericAll

You can apply this to a AD group rather than a user which I’d suggest (no changes to the command required apart from typing the group name rather than user name), because it’s then easier to manage the members of the AD group than re-run this command. Also if you apply the settings to a particular user, and that user launches Outlook, all mailboxes they have full access to will auto-load into their Outlook session. Not ideal if you’ve got hundreds!

If you’d like to know more about the Add-AdPermission command, and the possible AccessRights settings check out this Technet article.

End User Management of Distribution Groups in Exchange 2010

After migrating from Exchange 2007 to 2010 and addressing all immediate issues, we eventually hit a new issue. Managers of Distribution lists who previously could add and remove members, now couldn’t do it!

savedChanges to the public group membership cannot be saved. You do not have sufficient permission to perform this operation on this object.

So, why would this break going from Exchange 2007 to 2010, and why would there be a delay?

Role Based Access Control (RBAC) was a new feature introduced in Exchange 2010 which changed the way a lot of security worked. There’s a greatly detailed 4 part article from msExchange.org here http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-2010-role-based-access-control-part1.html which explains this in detail.

As far as the groups are concerned, they stay in a 2007 mode until they get updated. When updated (by something like adding/removing a member) you’ll get prompted about changing the object:

To save changes on objectTo save changes on object “Silly name”, the object must be upgraded to the current Exchange version. After the upgrade, this object cannot be managed by an earlier version of hte Exchange Management Tools. Do you want to continue to upgrade and save the object?

Once you do this, that particular object (distribution group) now runs under the new RBAC security settings.

By default, the RBAC security settings out of the box don’t allow anyone to be able to add or remove members to distribution groups. The Exchange Team Blog explains this perfectly here: http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx and also leads onto a script which will probably set things up how you want. If you don’t read this carefully, you may end up applying the built in ‘MyDistributionGroups’ role to the ‘Default Role Assignment Policy’ which means everyone can create distribution groups – definitely not ideal in most environments. I started reading another blog post which said to do exactly that, but didn’t explain why or how it worked. Sure it fixes your immediate issue, but you’re opening up a lot more than what you should.

So it’s a fairly easy fix once you now how, but if you haven’t had to worry about RBAC before there’s a little bit to get your head around first before ticking boxes and hoping for the best.

A big thanks to @ExchangeGoddess and @24x7ITConnect for their assistance and guidance on this information.