Thursday, March 29, 2018

Disable Exchange EWS for Mobile Applications (Enable Secure ActiveSync)



  1. EWS access can be controlled at the organization level or per user.
  2. During testing it is recommended to start at the user level, confirm that everything works, and only then apply the setting at the organization level.
  3. User-level access is controlled with the Set-CASMailbox cmdlet.

Example: Set-CASMailbox "Asif Gohar" -EwsBlockList @{Add="Outlook-iOS/*","Outlook-Android/*"}

  4. The block and allow lists match on the User-Agent strings sent by the EWS client. To find the strings to block, look at the IIS logs on your Exchange servers.

A Log Parser command such as the following can be used:
logparser.exe "SELECT date,time,c-ip,cs-username,cs-uri-stem,cs(User-Agent) INTO C:\Temp\EWSLog FROM '\\EXCHSERVER01\c$\inetpub\logs\logfiles\W3SVC1\u_ex1207*.log' WHERE cs-uri-stem LIKE '/EWS/Exchange.asmx' AND cs-username IS NOT NULL" -i:IISW3C -o:TSV -headers:Auto -filemode:1

Explanation of the Log Parser command:
WHERE cs-uri-stem LIKE '/EWS/Exchange.asmx' - limits the result to the EWS requests in the IIS logs.
AND cs-username IS NOT NULL - returns only authenticated requests, so the user IDs are included.
-o:TSV - writes the output as a tab-delimited file.
-filemode:1 - overwrites the output file if it already exists.
If data from other Exchange servers later needs to be appended to the same output file, use -filemode:0 instead.
You can then load the resulting TSV into Excel and build a pivot table showing the User-Agents that access EWS.

  5. The link below contains more information about how to use this command to allow or block apps.

  6. You can also check the link below, which should provide some help; no guarantee from our side, as it is a non-Microsoft website.

  7. To manage this setting at the organization level you can use the commands below.
-        To check the default configuration before you start applying changes:

[PS] C:\windows\system32>Get-OrganizationConfig | fl *EWS*



-        The example below blocks Outlook for iOS and Outlook for Android, and then verifies that the setting has been applied:

[PS] C:\windows\system32>Set-OrganizationConfig -EwsBlockList @{Add="Outlook-iOS/*","Outlook-Android/*"}
[PS] C:\windows\system32>Get-OrganizationConfig | fl *EWS*
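As an added example (not code from the original post), the following PowerShell does the same User-Agent inventory as the Log Parser query without Log Parser, then pilots the block list on named mailboxes and reads the setting back, as the per-user-first advice above suggests. The log path, and the function names Get-EwsUserAgents and Set-PilotEwsBlock, are assumptions; the Exchange Management Shell is assumed to be loaded.

```powershell
# Added example, not part of the original post. Assumes the Exchange Management Shell is
# loaded (Get-CASMailbox / Set-CASMailbox) and that the log path below is readable.
# Get-EwsUserAgents and Set-PilotEwsBlock are names chosen for this example.
$LogPath = '\\EXCHSERVER01\c$\inetpub\logs\logfiles\W3SVC1\u_ex1207*.log'

function Get-EwsUserAgents {
    param([string]$Path = $LogPath)
    $fields = $null
    Get-ChildItem -Path $Path | Get-Content | ForEach-Object {
        if ($_.StartsWith('#Fields:')) {
            # W3C logs declare their column order in a header line; it can differ per site
            $fields = ($_ -replace '^#Fields:\s*', '') -split ' '
        }
        elseif ($fields -and -not $_.StartsWith('#')) {
            $values = $_ -split ' '
            $row = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
            # Same filter as the Log Parser query: EWS endpoint and an authenticated user
            # (IIS writes '-' where Log Parser reports NULL)
            if ($row['cs-uri-stem'] -eq '/EWS/Exchange.asmx' -and $row['cs-username'] -ne '-') {
                [pscustomobject]@{
                    User      = $row['cs-username']
                    UserAgent = $row['cs(User-Agent)'] -replace '\+', ' '   # IIS logs spaces as '+'
                }
            }
        }
    } | Group-Object -Property UserAgent | Sort-Object -Property Count -Descending |
        Select-Object Count, @{n = 'UserAgent'; e = { $_.Name } },
                      @{n = 'Users'; e = { @($_.Group.User | Sort-Object -Unique).Count } }
}

function Set-PilotEwsBlock {
    param(
        [Parameter(Mandatory)][string[]]$Mailbox,
        [string[]]$Pattern = @('Outlook-iOS/*', 'Outlook-Android/*')
    )
    foreach ($m in $Mailbox) {
        # Per-user first, as recommended above; org-wide comes later via Set-OrganizationConfig
        Set-CASMailbox -Identity $m -EwsBlockList @{Add = $Pattern}
        Get-CASMailbox -Identity $m |
            Select-Object Name, EwsEnabled, EwsApplicationAccessPolicy, EwsBlockList
    }
}

# Inventory first, then pilot on one mailbox (the user from the example above)
Get-EwsUserAgents | Format-Table -AutoSize
Set-PilotEwsBlock -Mailbox 'Asif Gohar'
```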


Thursday, January 11, 2018

Microsoft SQL Database that was in Recovery Pending mode


Fundamentally, this error is closely correlated with the forcible deletion of a FILESTREAM file. I do not think there is any solution other than waiting for recovery to finish, and it will end in one of two ways:

The optimistic outcome is that the database ends up in Online mode. It is then fine and no further action is needed (you just have to wait longer if the log file is very large).
The pessimistic outcome is that the database ends up in Suspect mode. In that case the database repair below is needed, but bear in mind that data loss may occur.
Stop SQL Server, remove the transaction log file of this database and start SQL Server again; the database should then go into Suspect mode. If so, you can run the queries below:

ALTER DATABASE [DB_Name] SET  SINGLE_USER WITH NO_WAIT

ALTER DATABASE [DB_Name] SET EMERGENCY;

DBCC checkdb ([DB_Name], REPAIR_ALLOW_DATA_LOSS  )

ALTER DATABASE [DB_Name] SET online;

ALTER DATABASE [DB_Name] SET  Multi_USER WITH NO_WAIT
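Added example (not from the original post): a PowerShell wrapper that reads the database state from sys.databases and only runs the repair statements above when the database really is SUSPECT, doing nothing while it is still RECOVERY_PENDING or once it is ONLINE. It assumes the SqlServer module (Invoke-Sqlcmd) and a sysadmin connection; the instance name, the database name and the function names are placeholders.

```powershell
# Added example, not part of the original post. Assumes the SqlServer module (Invoke-Sqlcmd)
# and a sysadmin connection; $Instance and 'DB_Name' are placeholders, and Get-DbState /
# Repair-SuspectDb are names chosen for this example.
$Instance = 'SQLSERVER01'

function Get-DbState {
    param([string]$Name)
    $safe = $Name.Replace("'", "''")
    (Invoke-Sqlcmd -ServerInstance $Instance -Database master `
        -Query "SELECT state_desc FROM sys.databases WHERE name = N'$safe'").state_desc
}

function Repair-SuspectDb {
    param([string]$Name)
    $state = Get-DbState -Name $Name
    switch ($state) {
        'ONLINE'           { return "$Name recovered on its own; nothing to do." }
        'RECOVERY_PENDING' { return "$Name is still recovering; keep waiting, do not repair yet." }
        'SUSPECT'          { }   # the only state in which the sequence below applies
        default            { throw "Unexpected state '$state' for $Name" }
    }
    # The post's statements, in order. REPAIR_ALLOW_DATA_LOSS can discard pages, so copy the
    # database files somewhere safe first if that is at all possible.
    $steps = @(
        "ALTER DATABASE [$Name] SET SINGLE_USER WITH NO_WAIT",
        "ALTER DATABASE [$Name] SET EMERGENCY",
        "DBCC CHECKDB ([$Name], REPAIR_ALLOW_DATA_LOSS)",
        "ALTER DATABASE [$Name] SET ONLINE",
        "ALTER DATABASE [$Name] SET MULTI_USER WITH NO_WAIT"
    )
    foreach ($sql in $steps) {
        Write-Verbose $sql -Verbose
        # QueryTimeout 0 = no timeout; CHECKDB on a large database can run for hours
        Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $sql -QueryTimeout 0
    }
    "$Name is now $(Get-DbState -Name $Name)"
}

Repair-SuspectDb -Name 'DB_Name'
```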

Thursday, October 19, 2017

Force Update Exchange Address book


The commands below update the global address list and the offline address book, and then inform the CAS server about the change.

Get-GlobalAddressList | Update-GlobalAddressList

Get-OfflineAddressBook | Update-OfflineAddressBook

Get-ClientAccessServer | Update-FileDistributionService

Tuesday, July 11, 2017

Account Lockout Tracking


Log on to a domain controller.

1. Open CMD (not PowerShell)
2. cd Windows\debug
3. Start Netlogon debug logging:
4. nltest /dbflag:2080ffff

5. find /i "user-name" c:\windows\debug\netlogon.* >user-name.txt
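Added example (not from the original post): instead of only grepping the user name out of netlogon.log, this PowerShell summarises the failed logons for one account by source workstation and NTSTATUS code, which is what you actually need to find the machine holding the stale credential. The sample lines are constructed here in the netlogon.log format; Get-NetlogonFailures is a name chosen for this example.

```powershell
# Added example, not part of the original post. Summarises Netlogon debug entries for one
# account by source workstation and NTSTATUS code; the sample lines are constructed here in
# the netlogon.log format, and Get-NetlogonFailures is a name chosen for this example.
$StatusNames = @{
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

function Get-NetlogonFailures {
    param([string[]]$Lines, [string]$User)
    # Matches direct entries ("... logon of CONTOSO\jdoe from WS01 Returns 0xC000006A") and
    # transitive ones relayed by another DC ("... from (via WS02) Returns 0xC0000234")
    $re = 'logon of (?<dom>[^\\]+)\\(?<user>\S+) from (?:\(via )?(?<ws>[^\s)]+)\)? Returns (?<code>0x[0-9A-Fa-f]+)'
    $hits = foreach ($line in $Lines) {
        if ($line -match $re -and $Matches.user -ieq $User -and $Matches.code -ne '0x0') {
            [pscustomobject]@{
                Time   = $line.Substring(0, 14)          # "MM/DD HH:MM:SS" prefix of each line
                Source = $Matches.ws
                Status = if ($StatusNames[$Matches.code]) { $StatusNames[$Matches.code] } else { $Matches.code }
            }
        }
    }
    # One row per (workstation, status); repeated WRONG_PASSWORD from one host usually
    # points at a cached old password (service, mapped drive, phone) on that host
    $hits | Group-Object Source, Status | ForEach-Object {
        [pscustomobject]@{
            Source   = $_.Group[0].Source
            Status   = $_.Group[0].Status
            Attempts = $_.Count
            First    = $_.Group[0].Time
            Last     = $_.Group[-1].Time
        }
    }
}

# Constructed sample lines; the real input is c:\windows\debug\netlogon.log after nltest /dbflag:2080ffff
$sample = @(
    '03/15 08:01:10 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS01 Returns 0xC000006A',
    '03/15 08:01:12 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS01 Returns 0xC000006A',
    '03/15 08:01:15 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from (via WS02) Returns 0xC0000234',
    '03/15 08:02:00 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from WS03 Returns 0x0'
)
Get-NetlogonFailures -Lines $sample -User 'jdoe' | Format-Table -AutoSize
# Real run: Get-NetlogonFailures -Lines (Get-Content C:\Windows\debug\netlogon.log) -User 'jdoe'
# Switch the debug logging off again afterwards: nltest /dbflag:0x0
```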

Wednesday, April 5, 2017

Cross Forest Exchange Migration

AD PowerShell Cross Forest Migration


My local domain (enter Mydomain\Myadmin when prompted):
$LocalCredentials = Get-Credential

Their remote domain (enter Theirdomain\Theiradmin when prompted):
$RemoteCredentials = Get-Credential

Prepare Before Migration:
.\Prepare-MoveRequest.ps1 -Identity remoteuser@theirdomain.net -RemoteForestDomainController theirdomaincontrollerfqdn -RemoteForestCredential $RemoteCredentials -UseLocalObject -OverwriteLocalObject -TargetMailUserOU "OU=mydomain,DC=net"

Migrate:
New-MoveRequest -Identity remoteuser@theirdomain.net -Remote -TargetDatabase "MDB01" -RemoteGlobalCatalog "theirdomaincontrollerfqdn" -RemoteCredential $RemoteCredentials -TargetDeliveryDomain "mydomain.net" -RemoteHostName "theirdomain.net"

With Bad Items & Suspend:
New-MoveRequest -Identity remoteuser@theirdomain.net -Remote -TargetDatabase "MDB01" -RemoteGlobalCatalog "theirdomaincontrollerfqdn" -RemoteCredential $RemoteCredentials -BadItemLimit 500 -AcceptLargeDataLoss -LargeItemLimit 100 -TargetDeliveryDomain "mydomain.net" -RemoteHostName "theirdomain.net" -SuspendWhenReadyToComplete

Bulk Migration:

Import File:
$InputFile = "C:\Batch01.csv"

Prepare Migration:
Import-Csv $InputFile | Foreach{.\Prepare-MoveRequest.ps1 -Identity $_.PrimarySmtpAddress -RemoteForestDomainController "theirdomaincontrollerfqdn" -RemoteForestCredential $RemoteCredentials -UseLocalObject -OverwriteLocalObject -TargetMailUserOU "Mydomain,DC=net"}

Migrate:
Import-Csv $InputFile | Foreach{Update-Recipient -Identity $_.PrimarySmtpAddress}

Bad Items & Suspend:
Import-Csv $InputFile | foreach {New-MoveRequest -Identity $_.PrimarySMTPAddress -Remote -TargetDatabase MDB01 -RemoteGlobalCatalog "theirdomaincontrollerfqdn" -RemoteCredential $RemoteCredentials -BadItemLimit 200 -AcceptLargeDataLoss -LargeItemLimit 100 -TargetDeliveryDomain "mydomain.net" -RemoteHostName "mail.theirdomain.net" -SuspendWhenReadyToComplete}

Check Status:
Get-MoveRequestStatistics -Identity username@theirdomain.net
Resume after 95% completion:
Resume-MoveRequest -Identity "username@theirdomain.net"



Wednesday, January 27, 2016

ActiveSync does not work for one user

Open Active Directory Users and Computers.
On the menu at the top of the console, click View > Advanced Features.
Locate and right-click the mailbox account in the console, and then click Properties.
Click the Security tab.
Click Advanced.
Make sure that the check box for "Include inheritable permissions from this object's parent" is selected.
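Added example (not from the original post): the same check and fix from PowerShell, so it can be run for any number of users. It reports whether inheritance is blocked on the user object and the adminCount value, and re-enables inheritance; the ActiveDirectory module is assumed, and Test-AdInheritance / Enable-AdInheritance are names chosen here.

```powershell
# Added example, not part of the original post. Checks whether inheritance is blocked on a user
# object (the setting the GUI steps above fix) and re-enables it. Assumes the ActiveDirectory
# module; Test-AdInheritance and Enable-AdInheritance are names chosen for this example.
Import-Module ActiveDirectory

function Test-AdInheritance {
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-ADUser -Identity $Identity -Properties adminCount
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    [pscustomobject]@{
        User               = $user.SamAccountName
        InheritanceBlocked = $acl.AreAccessRulesProtected   # $true = the GUI checkbox is cleared
        AdminCount         = $user.adminCount                # 1 = protected by AdminSDHolder
    }
}

function Enable-AdInheritance {
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-ADUser -Identity $Identity -Properties adminCount
    if ($user.adminCount -eq 1) {
        # SDProp re-applies the AdminSDHolder ACL (and blocks inheritance) about every 60 minutes,
        # so for an account that is, or once was, in a protected group the fix will not stick
        # until the account is out of those groups and adminCount is cleared.
        Write-Warning "$Identity has adminCount=1; AdminSDHolder will block inheritance again."
    }
    $path = "AD:\" + $user.DistinguishedName
    $acl  = Get-Acl -Path $path
    # isProtected=$false turns inheritance back on; the second argument is ignored in that case
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
    Test-AdInheritance -Identity $Identity
}

Test-AdInheritance -Identity 'jdoe'      # 'jdoe' is a placeholder account name
Enable-AdInheritance -Identity 'jdoe'
```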