Exchange Virtual Directory HTML Report

Update 12/09/2016: script updated to version 1.8:

  • Included support for Exchange 2016 CU2+
  • Made some minor changes to the code + output now shows a message if successful/unable to write the html file.

Previous updates in version 1.7:

  • Added more recent Exchange build numbers
  • Updated download location to TechNet Script Gallery

You can download v1.8 here

Hi,

As a consultant, I regularly come across situations in which I have to troubleshoot an existing Exchange server environment, or perhaps have to make an assessment, health report, etc.

Almost every time, I found myself looking up the information from the different (commonly used) virtual directories like: Autodiscover, ActiveSync, OWA, ECP, Web Services, OAB… That’s why I thought it became about time I automated this process so that I didn’t have to type the commands in manually anymore.

The result is a simple script which will find the Exchange Client Access Servers in your environment and query them for their virtual directory information. Depending on the type of virtual directory, different objects are shown:


Blog Exchange PowerShell

Speeding up retrieval of Send-As permissions

Many Exchange administrators are familiar with the Get-ADPermission cmdlet. Contrary to the Get-MailboxPermission cmdlet, Get-ADPermission retrieves Active Directory permissions for an object, instead of permissions in Exchange itself. For instance, Get-ADPermission will reveal Send-As permissions, whereas Get-MailboxPermission will tell you who has Full Access permissions on the mailbox.

If you need to do a quick search for Send-As permissions, and for a limited set of mailboxes, you will find that using the Get-ADPermission cmdlet is pretty simple and straightforward:

Get-ADPermission <mailbox> | ?{$_.ExtendedRights -like "*Send-As*"}

If you are dealing with a large number of mailboxes (e.g. several thousand mailboxes), using the Get-ADPermission cmdlet can be quite limiting. During recent testing, I noticed the command took anywhere from 2-8 seconds per mailbox to complete. In this particular scenario, I was helping a customer move user accounts from their (old) account forest into the new resource forest.

As part of the process, we would enumerate all mailbox permissions (including Send-As) and check if any of them were assigned to a user account in the account forest. However, because the source environment has tens of thousands of mailboxes, the Get-ADPermission approach was not feasible.

Normally, querying AD is not a problem. If you’ve ever written an LDAP query, you probably noticed that most of them complete within several seconds, depending on the result set size, of course. Either way, talking directly to AD should be a lot faster. As such, and given that Send-As permissions are assigned to the user account in AD, I figured that the Get-ACL cmdlet would be best suited.

The first particularity to keep in mind is that, for easy processing, you should change your current location in PowerShell to Active Directory:

Import-Module ActiveDirectory
Set-Location AD:

Next, you can run the following command to get the ACL for an object. Notice that I’m using the distinguishedName of the object. Although there are other ways to quickly get the DN for an object, I preferred to use the Get-Mailbox cmdlet, because I had to run it earlier in the script anyway:

$mbx = Get-Mailbox <mailbox>
(Get-ACL $mbx.distinguishedName).Access

ActiveDirectoryRights : ExtendedRight
InheritanceType       : None
ObjectType            : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : EXCHANGELAB\Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ExtendedRight
InheritanceType       : None
ObjectType            : ab721a54-1e2f-11d0-9819-00aa0040529b
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : EXCHANGELAB\UserA
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : WriteProperty
InheritanceType       : All
ObjectType            : 934de926-b09e-11d2-aa06-00c04f8eedd8
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : EXCHANGELAB\Exchange Servers
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

The result of the cmdlet will look similar to what you see above. For brevity, I’ve omitted some of the results. Nonetheless, it should give you a good picture of what to expect.

As you can see from the results, there are a lot of entries on each object. Because I was solely interested in the Send-As permission, I decided to filter the results on the ActiveDirectoryRights attribute. Given that Send-As is an ExtendedRight, I used the following:

$mbx = Get-Mailbox <mailbox>
(Get-ACL $mbx.distinguishedName).Access | ?{$_.ActiveDirectoryRights -eq "ExtendedRight"}

ActiveDirectoryRights : ExtendedRight
InheritanceType       : None
ObjectType            : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : EXCHANGELAB\Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ExtendedRight
InheritanceType       : None
ObjectType            : ab721a54-1e2f-11d0-9819-00aa0040529b
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : EXCHANGELAB\UserA
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

So far, so good. However, none of the entries mention “Send-As” anywhere. As it turns out, the ObjectType attribute contains a GUID which refers to the actual permission. AD stores information about Extended Rights in the configuration partition, in a container unsurprisingly called “Extended-Rights”. Using ADSIEdit, you can navigate to the Send-As Extended Right and look at its rightsGuid attribute. I’ve checked in various labs and environments, and the GUID always turns out to be ab721a54-1e2f-11d0-9819-00aa0040529b.


Now that we have this information, it is very easy to filter the results from the Get-ACL cmdlet:

$mbx = Get-Mailbox <mailbox>
(Get-ACL $mbx.distinguishedName).Access | ?{($_.ActiveDirectoryRights -eq "ExtendedRight") -and ($_.ObjectType -eq "ab721a54-1e2f-11d0-9819-00aa0040529b")}

ActiveDirectoryRights : ExtendedRight
InheritanceType       : None
ObjectType            : ab721a54-1e2f-11d0-9819-00aa0040529b
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : EXCHANGELAB\UserA
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

While benchmarking this approach, we were able to return results for approximately 1-5 mailboxes per second. Quite an improvement over before!

The one caveat is that Get-ACL does not return the same result set (in terms of which attributes are shown) as the Get-ADPermission cmdlet. If all you care about is the permission itself, or if you already have all the other information for the mailbox (e.g. because you previously ran Get-Mailbox), then the speedy approach using Get-ACL might just offer all you need.
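The approach above as a reusable function, added here as an example rather than code from the original post: it resolves the Send-As rightsGuid from this forest’s configuration partition instead of hard-coding it, reads each mailbox’s ACL through the AD: drive, reports Allow and Deny entries separately, and skips the default NT AUTHORITY\SELF grant. The account-forest NetBIOS name ACCOUNTS in the usage line is an assumed value.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module and an
# Exchange Management Shell (for Get-Mailbox).
Import-Module ActiveDirectory

function Get-SendAsRightsGuid {
    # Read the rightsGuid of the Send-As control access right from
    # CN=Extended-Rights,CN=Configuration,... so the value comes from this forest,
    # not from a hard-coded constant (expected: ab721a54-1e2f-11d0-9819-00aa0040529b).
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter '(&(objectClass=controlAccessRight)(cn=Send-As))' `
        -Properties rightsGuid
    if (-not $right) { throw 'Send-As control access right not found in the configuration partition.' }
    return [guid]$right.rightsGuid
}

function Get-SendAsGrant {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,   # object returned by Get-Mailbox
        [guid]$SendAsGuid = (Get-SendAsRightsGuid)
    )
    process {
        # Using the AD:\ path prefix avoids having to Set-Location AD: first.
        $acl = Get-Acl -Path ("AD:\" + $Mailbox.DistinguishedName)
        foreach ($ace in $acl.Access) {
            # Keep only the Send-As extended right, matched by its object type GUID.
            if ($ace.ActiveDirectoryRights -ne 'ExtendedRight') { continue }
            if ($ace.ObjectType -ne $SendAsGuid) { continue }
            # NT AUTHORITY\SELF holds Send-As on every mailbox by default; it is noise here.
            if ($ace.IdentityReference.Value -eq 'NT AUTHORITY\SELF') { continue }
            [pscustomobject]@{
                Mailbox     = $Mailbox.PrimarySmtpAddress.ToString()
                Trustee     = $ace.IdentityReference.Value   # DOMAIN\account, or a SID if unresolvable
                AccessType  = $ace.AccessControlType         # Allow or Deny: report both, never drop Deny
                IsInherited = $ace.IsInherited
            }
        }
    }
}

# Usage: list Send-As trustees that live in the (assumed) account forest ACCOUNTS.
Get-Mailbox -ResultSize Unlimited |
    Get-SendAsGrant |
    Where-Object { $_.Trustee -like 'ACCOUNTS\*' } |
    Export-Csv -Path .\SendAs-CrossForest.csv -NoTypeInformation
```

A trustee that shows up as a raw SID rather than DOMAIN\account is usually an orphaned ACE from a deleted account, which is worth cleaning up before migrating.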

Blog How-To's PowerShell

A closer look at the “Minimal Hybrid Configuration” option

Just a few weeks ago, Microsoft announced a new feature in its line-up of hybrid Exchange capabilities: the Minimal Hybrid Configuration option. With the introduction of this new capability, Microsoft seems to have responded to a long-standing question from customers who can now move mailboxes to Office 365 without the need to deploy a ‘full’ Hybrid configuration.

Blog Exchange Hybrid Exchange Office 365

New challenges ahead!

“Choose a job you love, and you will never have to work one day in your life. ~ Confucius”

Work is an important part of our everyday life. Given that, on average, one probably has to work about 40 years until retirement, it makes absolute sense for someone to follow their passion!

A little over 20 months ago, I embarked on a journey with ENow as Director of Product Research. During that time, I’ve had the honor to work with great people and fantastic customers around the world, and I’m grateful for the opportunity I was given. I worked on exciting products and stood on the verge of very exciting times for ENow. Admittedly, I loved every moment of it. But all good things come to an end. Despite a fantastic job at ENow, and lots of interesting stuff to look forward to, I recently decided to take a different route.

Since April 1st (no joke!), I started working as an independent consultant and trainer again, albeit through my own company VH Consulting & Training. Being an independent consultant doesn’t mean working less. However, it does allow me to set my own schedule, and it enables me to pursue another passion of mine: Krav Maga. (I recently started training to become a Krav Maga Instructor and I hope to be able to open up a training location near Kortrijk (Belgium) sometime later this year, or next year.)

In the meantime, I won’t sit still of course! I look very much forward to my first challenge which brings me to Fujitsu Technology Solutions in Belgium, helping them further grow their Microsoft Services practice. I will also continue to work with ENow on an independent basis, continuing to provide professional services and working relentlessly to build the best-in-class monitoring solution! Should you also be interested in working with me, you can get in touch at www.vhct.be.

Aside from all that, I plan to continue writing, and I look forward to (hopefully) speaking at a few conferences later this year! For now, however, I will return to writing new things for the next version of the Office 365 e-book, due later in May. There is a lot of content that needs to be rewritten, and although it’s all very exciting stuff, things don’t write themselves!

Until soon,

Michael


Blog

Exchange Hybrid Deployments and cross-premises Full Access permissions

Nothing but excellent news in the hybrid Exchange realm these days! Microsoft recently updated the support statement for cross-premises permissions in a hybrid deployment. As of now, Full Access delegate permissions are supported cross-premises. I know many customers will be delighted to hear this as this has been a big ask for quite some time now.

It’s important to understand that the support only applies to Full Access permissions, as stated here. Other permissions like Send-As, Receive-As or Send-on-Behalf are still not supported. Note that Microsoft is in the process of updating its documentation; you should see a more consistent message across TechNet over the next few days!

Although full access permissions have been reported to work intermittently, no cross-premises permissions were supported previously. As such, you could not rely on them working either. From what I understand, the plumbing was already in place for a while but the intermittent results were partially due to the Outlook client not honoring them quite as one would expect. Provided you have the November 2015 update to Outlook 2013, you should no longer run into any problems.

As you move mailboxes to Office 365, permissions are migrated along. If you already had permissions assigned before the move, there is nothing you need to do. Although the permissions were also migrated previously, you had to move connected mailboxes at the same time, so they would be hosted in the same organization, in order for them to work. Not too long ago, I was talking to a customer who started out with a handful of mailboxes to move to Office 365 but ended up with a huge migration batch because of the interwoven permissions… As of now, this is no longer needed, making planning for migration batches a lot easier!

You should now also be able to add the Full Access permissions after mailboxes have been moved. This means you can give an on-premises mailbox access to a mailbox in Office 365 and the other way around without having to set the permissions prior to moving the target mailbox to Office 365.

In order to explain things more clearly, I have put together a Q&A. I hope this helps!

Until later,

Michael

What cross-premises permissions are supported in a hybrid deployment today?

Full Access only. Other delegate permissions like Send-As, Receive-As or Send-on-Behalf are not. There are no changes to cross-premises calendar delegation either. That continues to work the same way it did before.

Will the permissions work both ways?

Yes. On-premises mailboxes can access Office 365 mailboxes and vice versa.

What do I need to do to make this work?

Nothing, really. Just make sure you are using an up-to-date Outlook client. For Outlook 2013, this means you need at least the November 2015 Cumulative Updates. Needless to say, the more up-to-date you are, the better!

In order to add permissions for a recipient in the other organization, you can either use PowerShell or the Exchange Admin Center. Unlike the EAC in Office 365, the on-premises EAC cannot be used to grant an Office 365 mailbox access to an on-premises mailbox. For that you must resort to PowerShell.

How do I add permissions to an Office 365 mailbox for an on-premises recipient?

Follow these steps to add Full Access permissions to an Office 365 mailbox for an on-premises recipient:

  1. Login to the EAC in Office 365 (Exchange Online)
  2. Navigate to recipients > mailboxes and then select properties of the mailbox you want to add Full Access permissions for.
  3. In the properties window, navigate to mailbox delegation
  4. Scroll down until you get to the Full Access section. From there, use the recipient picker (plus sign) to add the on-premises mailbox you wish to grant permissions to.
  5. Click save.

How do I add permissions to an on-premises mailbox for an Office 365 recipient?

As mentioned earlier, you cannot use the EAC to add permissions for an Office 365 recipient. Instead, you must use the on-premises Exchange Management Shell. Don’t worry, it’s quite simple!

Add-MailboxPermission -Identity <On-Prem_mailbox_to_give_permissions_for> -User <O365_mailbox_to_give_permissions_to> -AccessRights FullAccess -AutoMapping $false

For example:

Add-MailboxPermission -Identity onpremmbx@domain.com -User clouduser@domain.com -AccessRights FullAccess -AutoMapping $false

Unlike for permissions in the same environment, the AutoMapping feature is not supported. That is why I specified the -AutoMapping $false parameter. I suspect the permissions would work without adding the parameter too!

What will my users see?

There is no difference in how Outlook displays an Office 365 mailbox versus an on-premises mailbox you have access to. However, an on-premises user might get prompted for credentials when trying to access a mailbox in Office 365. This is because, in the background, the Outlook client must establish a connection with the Office 365 service first.

How that looks depends on a number of things, like the version of the Outlook client, whether you use Modern Authentication, and whether or not they already have another Office 365 mailbox in their Outlook profile.
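Since Full Access no longer ties two mailboxes to the same migration batch but Send-As and Send-on-Behalf still do, the planning question becomes: which of those two links cross the boundary of a planned batch? The script below answers that; it is an added example, not code from the original post, and assumes an on-premises Exchange Management Shell plus a constructed batch.csv with a single PrimarySmtpAddress column.

```powershell
# Added example, not from the original post. Flags Send-As and Send-on-Behalf links between
# mailboxes inside and outside a planned migration batch (Full Access is deliberately ignored,
# since it is now supported cross-premises). Assumes .\batch.csv (constructed input) with one
# column, PrimarySmtpAddress, listing the mailboxes planned for the batch.

$inBatch = @{}
Import-Csv -Path .\batch.csv | ForEach-Object { $inBatch[$_.PrimarySmtpAddress.ToLower()] = $true }

function Resolve-MailboxAddress {
    # Map a recipient identity (DN or DOMAIN\account) to its primary SMTP address; returns
    # $null for non-mailbox trustees such as groups, foreign security principals or raw SIDs.
    param([string]$Identity)
    $r = Get-Recipient -Identity $Identity -ErrorAction SilentlyContinue
    if ($r -and $r.RecipientType -like '*Mailbox') { return $r.PrimarySmtpAddress.ToString().ToLower() }
    return $null
}

function Get-CrossBatchDelegation {
    param([Parameter(Mandatory, ValueFromPipeline)] $Mailbox)   # object returned by Get-Mailbox
    process {
        $target = $Mailbox.PrimarySmtpAddress.ToString().ToLower()
        $links  = @()

        # Send-on-Behalf delegates are stored on the mailbox object itself.
        foreach ($id in $Mailbox.GrantSendOnBehalfTo) {
            $links += [pscustomobject]@{ Kind = 'SendOnBehalf'; Trustee = Resolve-MailboxAddress $id.DistinguishedName }
        }

        # Send-As is an AD extended right: explicit, non-inherited Allow entries only.
        $sendAs = Get-ADPermission -Identity $Mailbox.DistinguishedName |
            Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.IsInherited -and -not $_.Deny }
        foreach ($p in $sendAs) {
            $links += [pscustomobject]@{ Kind = 'SendAs'; Trustee = Resolve-MailboxAddress $p.User.ToString() }
        }

        foreach ($l in $links) {
            if (-not $l.Trustee) { continue }
            # A link crosses the boundary when exactly one side of it is in the batch.
            if ([bool]$inBatch[$target] -ne [bool]$inBatch[$l.Trustee]) {
                [pscustomobject]@{
                    Mailbox        = $target
                    Trustee        = $l.Trustee
                    Permission     = $l.Kind
                    MailboxInBatch = [bool]$inBatch[$target]
                }
            }
        }
    }
}

# Usage: scan every mailbox, so links from outside the batch into it are caught as well.
Get-Mailbox -ResultSize Unlimited | Get-CrossBatchDelegation | Format-Table -AutoSize
```

An empty result means the batch can be moved as planned; each row is a pair that either needs to move together or has a delegation that will stop working after the move.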

Blog Exchange Hybrid Exchange News Office 365

Force Azure AD Connect to connect to specific Domain Controllers only

Consider the following scenario: you are about to implement directory synchronization for Office 365. You have multiple Active Directory sites across several, geographically dispersed, locations all over the world. Unsurprisingly, some of these locations have better connectivity than others and you might not want AAD Connect to connect to Domain Controllers in locations with a slow or high latency connection at the risk of slowing down the entire process.

When Azure AD Connect connects to a new forest, it uses DNS to locate the domain controllers it needs to connect to. Without additional configuration, it is very difficult to control or know exactly which Domain Controllers AAD Connect will connect to. I believe that within the domain it is installed in, AAD Connect will try to connect to Domain Controllers within the same site first, but I’m still waiting on getting that confirmed. Even if that is true, that would not necessarily be the case for remote forests, as there is no way for AAD Connect to know which site in the remote forest is closest.

Once AAD Connect is installed, you will find that it is relatively easy to define a (static) list of Domain Controllers that AAD Connect should connect to.

  1. First, open up the Synchronization Service Manager on your AAD Connect server. This executable (miisclient.exe) is typically located in “C:\Program Files\Microsoft Azure AD Sync\UIShell”
  2. Navigate to Connectors and locate the connector specific to your domain (forest). Note that the screenshot below only shows a single domain. If you are in a multi-forest environment, you will see multiple.
  3. Right-click the connector and choose Properties.
  4. In the properties window, go to Configure Directory Partitions and make sure to check the box next to Only use preferred domain controllers.
  5. In the Configure Preferred DCs window, add the domain controllers you want AAD Connect to interface with. You can order the domain controllers by preference by moving them up/down the list.
  6. Click OK to confirm the changes.

That’s all there is to it. Now, Azure AD Connect will only talk to the Domain Controllers you have specified.

Blog Office 365

Looking forward to 2016…

…also means looking back at 2015. 🙂

First of all, let me start by wishing all of you a happy (belated) New Year. I hope that 2016 is off to a good start!

As you might have noticed, it’s been a little quiet around here these past few months. There’s a few good reasons for that:

  • I’ve been writing a lot for my employer, ENow. As a matter of fact, you could consider ENow’s Solutions Engine, also known as the “ESE blog” (pun intended), as my new “primary” blog location. However, I realize I could do a better job of “cross-posting” articles here, which I will vigorously keep an eye on in 2016. In the meantime, you can go to http://blog.enowsoftware.com to see what others and I have been writing about lately.
  • It’s been super busy at work (in a good way)! We are in the process of creating something entirely new and that has been keeping me busy, along with some really interesting consulting engagements! In due time, I’ll share more details on what exactly it is that we are doing. Needless to say, 2016 will be an interesting year @ ENow.
  • The Office 365 book for Exchange Professionals has been taking up quite a bit of time (rightfully so!). As Tony reported earlier, there has been a massive number of changes in 2015, all of which need to go into the book in one way or another. Throw in the release of Exchange 2016 and there are plenty of things to keep you busy for a while. The upside of all this is that the latest version of the book is really, really good and very up-to-date, something that would not be possible when publishing in a traditional way. If you haven’t picked up your copy so far, you can do so here.

Anyway. A new year wouldn’t be one without proper resolutions, would it? The good news is that after some necessary downtime in December, my batteries are fully charged again and I am ready to hit the road running!

  • The Belgian “Pro-Exchange” user group is shortly moving to a new website (and platform). The team is seizing this opportunity to revitalize the community as well. Expect some big announcements in the days and weeks to come. I can share that we will be introducing a new name and we plan on having (more) regular in-person events. Because of everyone’s busy schedules we only had a few but successful events last year.
  • I look forward to the next release of the Office 365 book for Exchange Professionals. Although the book is updated incrementally (there’s a new release every few weeks), we find ourselves with a major update once or twice a year (there were two major releases last year). I am in full writing mode as we speak, and you can expect a lot of new content from me revolving around authentication (Passport, Windows Hello, Multi-factor authentication), mail flow, hybrid deployments (and caveats) and hybrid recipient management. Keep in mind that I’m not the only one working on the book. Both Tony and Paul are also continuously adding new content to their chapters, so there’s much more to discover with every update/release!
  • The fall will be quite a busy time. First, there’s Ignite in Atlanta in September, followed by IT/DEV Connections in Vegas (in October) and the UK/UC Day as well. Although I am a little skeptical about Ignite as a conference, it is a must-attend event if you want to know what is happening in the Microsoft ecosphere. It’s as simple as that.
    For the past few years, I have been lucky enough to be allowed to speak at IT/DEV Connections. Compared to Ignite this is a very small conference, but very technical, with lots of deep insights from the real world. Whereas Microsoft-hosted events sometimes tend to be a bit heavy on the marketing side of things, IT/DEV Connections is the independent voice which tells you what the world really looks like. I like the conference for a variety of reasons. First of all, it’s in Vegas (doesn’t need more explaining). I like speaking there and I thoroughly enjoy attending a lot of the sessions. But foremost, because the conference runs at a much smaller scale, it is the perfect opportunity to socialize with the attendees and have lots of great conversations. A fellow MVP once described it to me as almost having a user-group feel, which is pretty close to what it is. If you don’t believe me, just take a look at last year’s sessions or perhaps purchase access to the session recordings. You’ll have to agree.
    Last but not least, there’s the UK UC Day. It was organized for the first time last year, and I was impressed by how well it was organized and by the number and quality of the sessions. Given the reactions from the attendees, I’m confident that this year’s edition will be equally if not more successful.
  • Although I’m not making any commitments yet, I think 2016 would be a good year to write a successor to the Exchange 2013 High Availability e-book that Paul Cunningham, Steve Goodman and I created. However, I wouldn’t expect it until later this year, because no one will really start deploying Exchange 2016 until after the first CU (or two)…
  • On a more personal level, I have taken it upon myself to read more books other than tech e-books, and to (finally?) pursue my Instructor degree in Krav Maga.

Either way, I better get going to make all this happen! I don’t like waiting for the sun, the stars and the moon to align properly.

Until next time,

-Michael

Blog News