Sunday, March 27, 2011

Script: Distribution List membership enumeration


net group "Name of Dist List" >c:\dist.txt does not list the Contacts that are members of that DL, and it does not give you the members' email addresses either.

To write the membership of a Distribution List (FullName, Sam Account, e-Mail) to a file, use the script below.


' Enumerate the members of a distribution list (users and Contacts) into GrpMem.csv
On Error Resume Next

strPath = InputBox("Please enter in the path to your group in AD")

' Bind to the group and read its member attribute (a list of distinguished names)
Set objGroup = GetObject("LDAP://" & strPath)
objGroup.GetInfo
strArrMember = objGroup.GetEx("member")

Dim fs, objWriteFile
Set fs = CreateObject("Scripting.FileSystemObject")
Set objWriteFile = fs.CreateTextFile("GrpMem.csv", True)

objWriteFile.Write "FullName,Sam Account,e-Mail" & vbCrLf

' Bind to each member in turn and write one CSV row per member
For Each strMember In strArrMember
    Set objUser = GetObject("LDAP://" & strMember)
    objWriteFile.Write objUser.FullName & "," & objUser.sAMAccountName & "," & objUser.mail & vbCrLf
Next

objWriteFile.Close

Mukul
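The same enumeration in PowerShell, added here as an example and not part of the original post. It binds through ADSI exactly like the VBScript, but uses Export-Csv so that display names containing a comma ("Doe, John") do not break the column layout, and it records the object class so Contacts (which have no sAMAccountName) are easy to spot. The group DN in the comment is a constructed placeholder.

```powershell
# Added example: dump the members of a distribution list to CSV via ADSI.
param(
    [Parameter(Mandatory = $true)][string]$GroupDN,   # e.g. "CN=Sales DL,OU=Groups,DC=example,DC=com" (constructed)
    [string]$OutFile = "GrpMem.csv"
)

$group   = [ADSI]("LDAP://" + $GroupDN)
$members = @($group.Properties["member"])   # DNs of users, contacts and nested groups

$rows = @(foreach ($dn in $members) {
    $obj = [ADSI]("LDAP://" + $dn)
    [PSCustomObject]@{
        FullName    = [string]$obj.Properties["displayName"].Value    # what IADsUser.FullName maps to
        SamAccount  = [string]$obj.Properties["sAMAccountName"].Value # empty for Contacts
        EMail       = [string]$obj.Properties["mail"].Value
        ObjectClass = $obj.SchemaClassName                            # user, contact or group
    }
})

# Export-Csv quotes every field, so a comma inside a display name stays in one column
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"Wrote {0} members to {1}" -f $rows.Count, $OutFile
```

Nested groups appear as a row of class "group" rather than being expanded, and for very large groups AD returns the member attribute in ranges of 1500, which this script does not page through.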

Is a firewall blocking your Exchange Server's SMTP/POP3 communications!!!


If a Cisco PIX firewall with its default security configuration sits somewhere between your Exchange servers, it is bound to cause a lot of problems.

Exchange relies on three proprietary ESMTP verbs (X-EXPS, X-LINK2STATE and XEXCH50), and on many others as well, for proper functioning.
The Mailguard feature, which is on by default on the Cisco PIX, allows ONLY the RFC 821 SMTP commands (HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT) to flow across. All other commands are translated into X's.

When this happens, a number of symptoms can manifest:
  • The link state table does not update correctly
  • Mail stays queued for sibling mail servers in the same Routing Group
  • Exchange servers cannot authenticate each other
  • Seemingly commonplace commands are answered with the 500 Unrecognized command error or one of its analogues
  • Normal commands produce completely unexpected responses

You need to have the Mailguard feature disabled on any PIX firewall that sits between Exchange servers of the same Exchange organization.
Symantec's Raptor Firewall has also been identified as a culprit in such cases.

http://support.microsoft.com/kb/295725/en-us
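A quick way to check from another server whether those verbs survive the path is to open port 25, send EHLO and compare the advertised keywords against the three the post names. This is an added example, not from the original post; the host names are constructed placeholders.

```powershell
# Added example: probe an Exchange server's EHLO reply for the proprietary verbs.
function Test-ExchangeEsmtpVerbs {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 25,
        [string]$HeloName = "probe.example.com"      # constructed placeholder name
    )
    $wanted = @("X-EXPS", "X-LINK2STATE", "XEXCH50")   # the verbs named in the post

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    $banner = $reader.ReadLine()
    $writer.WriteLine("EHLO $HeloName")
    $lines = @()
    do {
        $line = $reader.ReadLine()
        if ($line -eq $null) { break }
        $lines += $line
    } while ($line -match '^\d{3}-')        # "250-" lines continue, "250 " ends the reply
    $writer.WriteLine("QUIT")
    $client.Close()

    # The first keyword of each "250-KEYWORD ..." line is an advertised extension or verb
    $advertised = @($lines | ForEach-Object {
        if ($_ -match '^250[ -](\S+)') { $Matches[1].ToUpper() }
    })

    [PSCustomObject]@{
        Server     = $Server
        Banner     = $banner
        EhloStatus = $(if ($lines.Count) { $lines[-1].Substring(0, 3) } else { "none" })
        Advertised = $advertised
        Missing    = @($wanted | Where-Object { $advertised -notcontains $_ })
    }
}

# Example call (constructed host name). A 500 EhloStatus, or a non-empty Missing list when
# probing a server of your own organization, points at an SMTP fixup somewhere in the path.
Test-ExchangeEsmtpVerbs -Server "exch01.example.com" | Format-List
```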

Tuesday, August 17, 2010

Unable to send email even though message size limits are set

With Exchange 2007, you may come across a situation where you have set message size restrictions correctly at all four places, as per Microsoft:

1. Global/Organizational Limit
2. Connector Limit
   2.1 Send Connector
   2.2 Receive Connector
   2.3 Active Directory SiteLink Limit
   2.4 Routing Group Connector Limit
3. Server Limits
4. User Level Limits

Even so, with a 10 MB limit set everywhere, users may still be unable to send or receive emails with attachments of only 7 MB. The problem is content conversion: Exchange converts an Internet (MIME) message into Exchange (MAPI) format, and vice versa.

This conversion is done when Exchange sends email to or receives email from the Internet. Content conversion generally increases the message size, roughly by 30%.
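The following script, added here and not part of the original post, collects the organization, connector, site link and routing group connector limits from the Exchange Management Shell and shows how much attachment data each one really leaves room for once the roughly 30% conversion overhead is taken off. Server and per-user limits (Get-Mailbox MaxSendSize/MaxReceiveSize) are left out; the 1.3 factor is the post's rough figure, not an exact constant.

```powershell
# Added example: list Exchange size limits with the content-conversion overhead applied.
$ConversionFactor = 1.3   # the "roughly 30%" growth from the post

function Get-EffectiveMB($limit) {
    # Handles both Unlimited<ByteQuantifiedSize> (org, send connector, site link,
    # routing group connector) and plain ByteQuantifiedSize (receive connector)
    if ($limit -eq $null) { return "n/a" }
    if ($limit.PSObject.Properties['IsUnlimited'] -and $limit.IsUnlimited) { return "unlimited" }
    $size = if ($limit.PSObject.Properties['Value']) { $limit.Value } else { $limit }
    $mb = $size.ToMB()
    "{0} MB limit -> ~{1:N1} MB usable for attachments" -f $mb, ($mb / $ConversionFactor)
}

function New-Row($scope, $name, $limit) {
    [PSCustomObject]@{ Scope = $scope; Name = $name; Limit = Get-EffectiveMB $limit }
}

$rows = @()
$tc = Get-TransportConfig
$rows += New-Row "Organization" "MaxSendSize"    $tc.MaxSendSize
$rows += New-Row "Organization" "MaxReceiveSize" $tc.MaxReceiveSize
foreach ($c in Get-SendConnector)    { $rows += New-Row "Send connector"    $c.Name $c.MaxMessageSize }
foreach ($c in Get-ReceiveConnector) { $rows += New-Row "Receive connector" $c.Name $c.MaxMessageSize }
foreach ($l in Get-AdSiteLink)       { $rows += New-Row "AD site link"      $l.Name $l.MaxMessageSize }
# Routing group connectors only exist while coexisting with Exchange 2003
foreach ($c in Get-RoutingGroupConnector -ErrorAction SilentlyContinue) {
    $rows += New-Row "Routing group connector" $c.Name $c.MaxMessageSize
}

$rows | Format-Table -AutoSize
```

The smallest entry in the table is the one users actually hit; a 10 MB line reads as roughly 7.7 MB of usable attachment, which is why 7 MB attachments can already be borderline.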

------------ End of Document ------------------------
Tags: Exchange Server
Published Date: 20100817

Thursday, August 5, 2010

Assign rights to helpdesk to give SendAs permissions

There are multiple ways to assign Recipient Administration permissions to the helpdesk users. Some of them are:

1. Add them to the "Recipient Management" RoleGroup directly using the Exchange Shell. This will assign them the two important Roles "Mail Recipients" and "Mail Recipient Creation".
2. Add them to "Recipient Management" Active Directory Group. This group is already added to the "Recipient Management" RoleGroup.
3. If you have a mixed environment (2007/2010) then the old "Exchange Recipient Administrators" group is already a member of "Recipient Management" group.

However, the catch is that they will still not be able to grant SendAs permissions to users on shared mailboxes.

The cmdlet required to grant SendAs permissions is Add-ADPermission. It is available in the "Active Directory Permissions" Role. Do not worry, because this role contains only the cmdlets below:

Remove-ADPermission
Get-User
Get-SecurityPrincipal
Get-RoleGroup
Get-Group
Get-DomainController
Get-ADPermission
Add-ADPermission

As you can see, all of them are Get cmdlets apart from Add-ADPermission and Remove-ADPermission, so it is safe to add the helpdesk to this Management Role. Furthermore, the switches that can be used with the Add-ADPermission and Remove-ADPermission cmdlets are also restricted.

Now you have identified the Role to be assigned to the helpdesk so that they can grant SendAs permissions as well. Next you need to assign that Role to a RoleGroup. We will use the built-in Role Group "Recipient Management", because it already contains most of the Roles the helpdesk needs for mail user management.

To assign a Role to a Role Group, we use the New-ManagementRoleAssignment cmdlet. Here is the syntax in this case:

New-ManagementRoleAssignment -Name "Active Directory Permissions-Recipient Management" -SecurityGroup "Recipient Management" -Role "Active Directory Permissions"

The standard naming convention for a management Role Assignment is the one used above: the Role name, a hyphen, then the Role Group name.

Once you have done the above, the Recipient Management Role Group will have the following Roles assigned:

Distribution Groups
Mail Enabled Public Folders
Mail Recipient Creation
Mail Recipients
Message Tracking
Migration
Move Mailboxes
Recipient Policies
Active Directory Permissions

The last Role is the one assigned by the New-ManagementRoleAssignment cmdlet above. This enables the helpdesk to do the complete management of recipients, including granting SendAs permissions.
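After running the assignment, it is worth confirming exactly what the helpdesk gained: the assignment itself, and the cmdlets and parameters the "Active Directory Permissions" role actually exposes to them. This is an added check, not part of the original post; run it in the Exchange 2010 Management Shell.

```powershell
# Added example: verify the role assignment and inspect the cmdlets/parameters it grants.
$RoleGroup = "Recipient Management"
$Role      = "Active Directory Permissions"

# 1. Confirm the assignment exists and see which write scopes it carries.
#    The name follows the <Role>-<Role Group> convention used in the post.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroup -Role $Role |
    Format-Table Name, RoleAssigneeType, RecipientWriteScope, ConfigWriteScope -AutoSize

# 2. List every cmdlet in the role together with the parameters it is allowed to use,
#    which is where the "restricted switches" mentioned in the post are visible.
Get-ManagementRoleEntry "$Role\*" |
    Sort-Object Name |
    Format-Table Name, @{ Label = "Parameters"; Expression = { $_.Parameters -join ", " } } -Wrap

# 3. Show all roles the role group now holds; the list should end with the new one.
(Get-ManagementRoleAssignment -RoleAssignee $RoleGroup).Role | Sort-Object -Unique
```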

------------ End of Document ------------------------
Tags: Exchange Server, Power Shell
Published Date: 20100805

Wednesday, July 28, 2010

RBAC console will not open in Exchange 2010

If you have a mixed environment (Exchange 2003, 2007 and 2010), then only those people whose mailbox is on an Exchange 2010 server can open the RBAC console.

If people with mailboxes on other Exchange servers try to open the RBAC console, they get the following error.



------------ End of Document ------------------------
Tags: Exchange Server
Published Date: 20100728