Tag Archives: Exchange Management Shell

User Cannot Set an Out of Office in Exchange 2010/2013 or EventID 3004 Appears in your Event Log

exchange 2007, Exchange 2010, Exchange 2013

Recently had an issue where a user was setting an out of office in their Outlook client, but when a different user emailed them, no Out of Office was sent. We did the traditional troubleshooting steps: check rules on the far side, check the junk box, check OWA to ensure the Out of Office was set. Everything looked good. Strangely enough, if an internal user went to email the person going on vacation, they would receive a MailTip to that effect:

But when you sent the email to Paul Ponzeka, you would not get an Out of Office back. So what gives?

One of the steps we took was to check if Microsoft Exchange Mailbox Assistants service was running.  It was, we restarted it, but still same effect.  One of the responsibilities of the Microsoft Exchange Mailbox Assistants service is to handle enabling the Out of Office.  In this case, it didn’t resolve anything.

The next step we took was to try disabling and re-enabling the Out of Office message, and then checking the event log on the Mailbox server. Lo and behold, we found our answer:

The above is EventID 3004 from the MsExchangeMailboxAssistants.  As you can see, there is an error stating the rules quota of the mailbox has been reached and the automatic reply rules can’t be enabled or updated.

Well, we found our issue, how do we fix it?  There are two ways.

The first: the user can go through their Outlook rules and edit or delete existing rules. Keep in mind that the length of the rule actions, as well as the NAMES of the rules themselves, will affect the size of the rule.

The second is, the Exchange admin can increase the size of the rules quota.  By default, all mailboxes have a 64 KB quota, think of this as mailbox limits for Outlook rules.  We can increase this up to 256 KB on Exchange 2007 and later.  Exchange 2003 we cannot increase the rule size unfortunately, but that’s okay, because you should be off Exchange 2003 by now!

So, how do we increase the quota?  Easy.  Open Exchange Management Shell.  We can check the existing quota of the user pponzeka by running the command:

Get-Mailbox -Identity pponzeka | select RulesQuota

As we can see, it's set to 64 KB. To increase it, we run:

Set-Mailbox -Identity pponzeka -RulesQuota 256KB

And there we go, we can check by running the same Get-Mailbox as above to confirm:

Note that you cannot go past 256KB. This is the error you get; in this example I tried to set it to 512KB:

Get a “You don’t have sufficient permissions. This operation can only be performed by a manager of this group.” in Exchange 2010.

Role Based Administration

 

In our environment, like most bigger organizations, we have separate teams for helpdesk, and separate teams for engineering.  Helpdesk should have rights to perform actions on certain items, such as users and distribution groups, but not on the server level.  We utilize Role Based Administration in Exchange 2010 to give our helpdesk team the ability to manage end users, but not the servers.  I recently received a ticket regarding the helpdesk guys not being able to add certain users to a distribution list, they would receive the error “You don’t have sufficient permissions. This operation can only be performed by a manager of this group.”:

 

There was a bug in Exchange 2010 SP1 that was fixed in RU 3 for 2010 SP1 (http://support.microsoft.com/kb/2487852), but we are running Exchange 2010 SP2 RU1, so we were way past that.

What was the issue?  Role based administration.  We had assigned the helpdesk group the “Recipient Management” role.  When I checked the group that the helpdesk tech was trying to add the user to, I noticed that the group was a Mail Universal Security Group.  The tech had no trouble adding the user to a Mail Universal Distribution Group.

We could see the issue when the tech tried to create a new distribution group.  A distribution group type worked fine, but when he tried to create a security group he got the error that “A parameter cannot be found that matches parameter name ‘Type’”:

So we needed to add the management role “Security Group Creation and Membership” to the group the helpdesk team was in.

Since we were running in a resource forest setup, we needed to create a new role group, and matching Universal Security Group in the management domain and add the role group to this group.  Then we could add the users we want to it.

In our management domain, aptly named management.corp, we created a group called Group-HelpDesk-SecurityGroup and added our helpdesk technicians to this group. Then, in the Exchange Management Shell, as an Organization Admin, we run:

$remotecred = get-credential

This will bring up a Windows pop-up box, where we need to enter our security credentials for management.corp for later.

Then run:

New-RoleGroup "NameofRoleGroup" -LinkedForeignGroup Group-Helpdesk-SecurityGroup -LinkedDomainController DC01.management.corp -LinkedCredential $remotecred -Roles "Security Group Creation and Membership"

Now, have the helpdesk technicians close and reopen their Exchange Consoles or Exchange Management Shell and they should be able to add the group members to distribution lists, as well as security groups.

ADDED BONUS:

If you're wondering how to create a linked group and assign it to a role, follow the steps below. In this case we want to add a group called REMOTE-ORGMGMT to the role “Organization Management” in Exchange 2010.

Create group in management.corp called “REMOTE-ORGMGMT” and add the admins to this group that you want to have this right.  In the Exchange Management Shell run:

$remotecred = get-credential

This will bring up a Windows pop-up box, where we need to enter our security credentials for management.corp for later.

$roles = Get-RoleGroup "Organization Management"

New-RoleGroup "MANAGEMENT-OrganizationManagement" -LinkedForeignGroup "REMOTE-ORGMGMT" -LinkedDomainController DC01.management.corp -LinkedCredential $remotecred -Roles $roles.Roles

Then have the Management.corp admin users close and re-open their Exchange Management Consoles and you should be all set.
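
To confirm what the two linked role groups above actually grant, the following added example (not part of the original post) lists the linked role groups, shows who effectively holds "Security Group Creation and Membership", and checks the helpdesk role group for broader roles. The role group names are the ones used in this post ("NameofRoleGroup" is the post's own placeholder); the list of roles treated as too broad for a helpdesk is an assumption for illustration.

```powershell
# Added example: review what the linked role groups created above can do.
# Run in the Exchange Management Shell as an Organization Admin.
# Assumption: replace the placeholder with the name you gave the helpdesk role group.
$helpdeskGroup = "NameofRoleGroup"
$orgMgmtGroup  = "MANAGEMENT-OrganizationManagement"

# Assumption: built-in roles we do not expect a helpdesk role group to hold.
$tooBroad = "Organization Configuration", "Exchange Servers", "Role Management"

# 1. Every linked role group, the foreign group behind it, and its roles.
Get-RoleGroup | Where-Object { $_.RoleGroupType -eq "Linked" } |
    Format-List Name, LinkedGroup, Roles

# 2. Who effectively holds the role that was added for the helpdesk.
Get-ManagementRoleAssignment -Role "Security Group Creation and Membership" -GetEffectiveUsers |
    Sort-Object EffectiveUserName |
    Format-Table EffectiveUserName, RoleAssigneeName, AssignmentMethod -AutoSize

# 3. Flag any server- or organization-level role on the helpdesk role group.
$unexpected = @()
foreach ($role in $tooBroad) {
    $unexpected += @(Get-ManagementRoleAssignment -RoleAssignee $helpdeskGroup -Role $role)
}
if ($unexpected.Count -gt 0) {
    $unexpected | Format-Table Name, Role, RoleAssigneeName -AutoSize
    Write-Warning "$helpdeskGroup holds roles beyond recipient and group management."
} else {
    Write-Host "$helpdeskGroup holds none of the roles on the too-broad list."
}

# 4. The linked copy of Organization Management should carry the same roles
#    as the built-in group; any output here is a difference to investigate.
$builtin = @((Get-RoleGroup "Organization Management").Roles | ForEach-Object { "$_" })
$linked  = @((Get-RoleGroup $orgMgmtGroup).Roles | ForEach-Object { "$_" })
Compare-Object $builtin $linked
```

Because membership of a linked role group is controlled in management.corp, membership of Group-HelpDesk-SecurityGroup and REMOTE-ORGMGMT should be reviewed there as well.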

How to Import Users via CSV in Exchange 2010

exchange 2007, Exchange 2010

Create a CSV file with the necessary information across the top row of the file, as such:

The top row corresponds to the $_.value references that you are going to use in the following Exchange Shell command:

Import-CSV "C:\Mailboxes.csv" | foreach {New-Mailbox -Name $_.name -Alias $_.alias -UserPrincipalName $_.userprincipalname -Database $_.Database -OrganizationalUnit $_.organizationalunit -Password (ConvertTo-SecureString $_.password -AsPlainText -Force)}

And you should see the mailboxes created below:

That’s it. You can see how the values map to their respective column names. You can add as many users as you want, and change it so they go to different databases.

You can even create an automated job to export from your production servers, and then import them to your DEV Exchange Servers for testing.
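
The command above reads each password in clear text from the CSV. The following added example (not part of the original post) does the same import without a password column: it checks each row for missing values, sets a random password that is never written to disk, and forces a change at first logon. The sample rows, the example.test names and DB01/DB02 are constructed for illustration.

```powershell
# Added example: CSV mailbox import with no plaintext passwords in the file.
Add-Type -AssemblyName System.Web   # provides Membership.GeneratePassword

# Constructed sample rows; in practice use: $rows = Import-Csv "C:\Mailboxes.csv"
$rows = @"
name,alias,userprincipalname,Database,organizationalunit
Test User1,tuser1,tuser1@example.test,DB01,example.test/Users
Test User2,tuser2,tuser2@example.test,DB01,example.test/Users
,tuser3,tuser3@example.test,DB02,example.test/Users
"@ | ConvertFrom-Csv

$required = "name", "alias", "userprincipalname", "Database", "organizationalunit"

foreach ($row in $rows) {
    # Skip rows with an empty required column instead of creating a broken mailbox.
    $missing = @($required | Where-Object { -not $row.$_ })
    if ($missing.Count -gt 0) {
        Write-Warning "Skipping '$($row.alias)': missing $($missing -join ', ')"
        continue
    }

    # 20-character random password with at least 4 non-alphanumeric characters.
    $plain  = [System.Web.Security.Membership]::GeneratePassword(20, 4)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    $plain  = $null

    # -WhatIf previews the change; remove it to create the mailboxes.
    New-Mailbox -Name $row.name -Alias $row.alias `
        -UserPrincipalName $row.userprincipalname -Database $row.Database `
        -OrganizationalUnit $row.organizationalunit -Password $secure `
        -ResetPasswordOnNextLogon $true -WhatIf
}
```

Since nobody knows the generated password, each new user gets a first password through your normal reset process. The third sample row is skipped because its name is empty.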

How to Apply Permissions to Public Folder and All Sub Folders in Exchange 2007/2010 Using Exchange Management Shell

exchange 2007, Exchange 2010, Public Folders

 

If you have a public folder that you're working on, and you need to apply permissions to it using the Exchange Management Shell, it's pretty easy. The command is:

Add-PublicFolderClientPermission -Identity "\Foldername" -User UserName -AccessRights PublishingEditor

For instance, to add the user pponzeka to the folder IT with the Publishing Editor permission, the command would be the following:

This works great, but what if we have several subfolders under IT, and we want to apply the same user permissions to all of the subfolders as well? A utility called PFDAVADMIN that was available from Microsoft used to allow you to do this, and it still works with Exchange 2007. But since the protocol it uses, WebDAV, is no longer available in Exchange 2010, we no longer have this option. Plus, the shell is easier to use anyway!

So, we have the IT public folder, and three subfolders:

So, first, in the Exchange Management Shell, if we attempt to list the public folder IT, this is the result we’ll see. The command used is Get-PublicFolder -Identity "\IT"

That’s odd, we know there are three folders underneath, so why doesn’t it list these? We need to add the -Recurse option to our command, so that it looks in the root and everything underneath. So the command should be Get-PublicFolder -Identity "\IT" -Recurse

Notice the Parent Path? IT has \ listed, which means it's a top-level folder in Public Folders. The other three have \IT listed, which means they are subfolders of IT.

So, back to the top. The command to add a permission on a public folder was:

Add-PublicFolderClientPermission -Identity "\Foldername" -User UserName -AccessRights PublishingEditor

So in our case it was:

Add-PublicFolderClientPermission -Identity "\IT" -User pponzeka -AccessRights PublishingEditor

So, now, how do we apply these permissions to the root folder, in this case IT, and all three subfolders, in this case Documents, Emails and Plans?  Well, we use the piping command to pipe the entire list of folders to the Add-PublicFolderClientPermission command.

Get-PublicFolder -Identity "\IT" -Recurse | Add-PublicFolderClientPermission -User pponzeka -AccessRights PublishingEditor

Note that we don’t need to specify the Identity in the Add-PublicFolderClientPermission command because we piped that to it with the | command.

And there you go. The user account has been given these rights to the root folder, IT, and all its subfolders. This works for any number of subfolders, and you can also use the same method to remove access rights.
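
A recursive grant touches every folder in the tree, so it is worth reviewing the result and knowing how to undo it. The following added example (not part of the original post) reports the client permissions on \IT and its subfolders, lists what Default and Anonymous can do there, and previews removal of the grant made above. The folder and user names are the ones from this post; the cmdlet behaviour assumed is that of Exchange 2007/2010.

```powershell
# Added example: review, and if needed undo, the recursive grant shown above.
$root = "\IT"        # public folder used in this post
$user = "pponzeka"   # user used in this post

$folders = Get-PublicFolder -Identity $root -Recurse

# 1. Collect every client permission entry on the root and its subfolders.
$report = foreach ($f in $folders) {
    Get-PublicFolderClientPermission -Identity $f.Identity |
        Select-Object @{ Name = "Folder"; Expression = { "$($f.Identity)" } },
                      User, AccessRights
}
$report | Sort-Object Folder | Format-Table Folder, User, AccessRights -AutoSize

# 2. Entries for the user we just granted: expect one per folder.
$granted = @($report | Where-Object { "$($_.User)" -like "*$user*" })
Write-Host "$user has an entry on $($granted.Count) of $(@($folders).Count) folders."

# 3. Default and Anonymous apply to everyone; list anything other than None.
$report |
    Where-Object { "Default", "Anonymous" -contains "$($_.User)" } |
    Where-Object { "$($_.AccessRights)" -ne "None" } |
    Format-Table Folder, User, AccessRights -AutoSize

# 4. Remove the grant from the whole tree. -WhatIf previews the change;
#    remove it to apply.
$folders | Remove-PublicFolderClientPermission -User $user `
    -AccessRights PublishingEditor -WhatIf
```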