Posts Tagged ‘Active Directory’

Exchange 2003 get list of users with Mailboxes and not disabled

February 22nd, 2012 paulw No comments

During a recent migration of Exchange 2003 to Exchange 2010 we needed to find out how many users had a mailbox and were not disabled.

In the end I used the Active Directory Users and Computers snap-in to create a saved query.

1. Open ADUC, right-click Saved Queries and choose New -> Query.

2. Give it a name and click the Define Query button.

3. Select Custom Search from the drop-down menu and then click the Advanced tab.

4. In the box put in the following:

(&(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(msExchHomeServerName=*)(objectClass=User))

5. Click OK; the query should return all users who have a mailbox in Exchange 2003 and are not disabled.

Cheers

Paul
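
The same query run from the Active Directory PowerShell module, as an added example that is not part of the original post. It assumes the ActiveDirectory module can reach the domain, and it adds a client-side check of the disabled bit plus a per-server mailbox count.

```powershell
Import-Module ActiveDirectory

# The saved query's filter. 1.2.840.113556.1.4.803 is the bitwise-AND
# matching rule, and 2 is the ACCOUNTDISABLE bit of userAccountControl,
# so the negated clause keeps only accounts where that bit is clear.
$filter = '(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
          '(msExchHomeServerName=*)(objectClass=user))'

$users = @(Get-ADUser -LDAPFilter $filter -Properties msExchHomeServerName, userAccountControl)

# Client-side check of the same bit: this must come back empty.
$disabled = @($users | Where-Object { $_.userAccountControl -band 2 })
if ($disabled.Count -gt 0) {
    Write-Warning ('{0} returned accounts have the disabled bit set' -f $disabled.Count)
}

# Mailbox count per Exchange 2003 home server, largest first.
$users |
    Group-Object -Property msExchHomeServerName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name

'Enabled users with a mailbox: {0}' -f $users.Count
```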

Script to find users that were created after a certain date

October 24th, 2011 paulw 1 comment

We had a request come through which asked us to get all the users that were created after a certain date.

A good tool for this is the ADFind.exe which can be obtained from here:

http://www.joeware.net/freetools/tools/adfind/index.htm

Download and extract it to a folder, open an administrative command prompt, browse to the location that you extracted the file to, type in adfind.exe and press Enter for basic help with the command.

After downloading and extracting the file I started to build my query by getting the first name and surname of all the users in a certain OU:

adfind -b ou="OU Name",DC=domain,DC=local -f "&(objectclass=user)" givenName sn

I then put in the date object that would only fetch out the users that were created after the 1st of March 2011:

adfind -b ou="OU Name",DC=domain,DC=local -f "&(objectclass=user)(whenCreated>=20110301000000.0Z)" givenName sn

You can simply change the date to whatever you need, or change the greater-than-or-equal operator (>=) to less-than-or-equal (<=). All we need to do then is put the output into a more readable format by exporting it to a CSV file, which can be done by running the following command:

adfind -csv -b ou="OU Name",DC=domain,DC=local -f "&(objectclass=user)(whenCreated>=20110301000000.0Z)" givenName sn >> file.csv

You can export any of the AD attributes. Below is a quick rundown of some of the ones that I have used; they are case sensitive:

mail = Primary Email Address

msRTCSIP-PrimaryUserAddress = Instant Messaging address (OCS or Lync)

ProxyAddresses = Any additional email addresses

To add an attribute to the export, add it to the end of the line before the >>, separated by a space. For example, an export of a user's first name, surname and email address would look like this:

adfind -csv -b ou="OU Name",DC=domain,DC=local -f "&(objectclass=user)(whenCreated>=20110301000000.0Z)" givenName sn mail >> file.csv

Cheers

Paul
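
The same report built with the Active Directory PowerShell module, as an added example that is not part of the original post; it is useful for reviewing which accounts appeared in an OU after a given date. The function name Get-RecentlyCreatedUser and the output file name are hypothetical, and the OU path is the placeholder used in the post.

```powershell
Import-Module ActiveDirectory

function Get-RecentlyCreatedUser {
    param(
        [Parameter(Mandatory = $true)] [string]   $SearchBase,
        [Parameter(Mandatory = $true)] [datetime] $Since
    )

    # whenCreated is compared as LDAP generalized time in UTC,
    # the same shape as 20110301000000.0Z in the adfind filter.
    $stamp  = $Since.ToUniversalTime().ToString('yyyyMMddHHmmss".0Z"')
    $filter = "(&(objectClass=user)(whenCreated>=$stamp))"

    Get-ADUser -SearchBase $SearchBase -LDAPFilter $filter -Properties whenCreated, mail |
        Sort-Object -Property whenCreated |
        Select-Object -Property GivenName, Surname, mail, whenCreated, DistinguishedName
}

# Midnight UTC on 1 March 2011, matching the date used in the post.
$since = [datetime]::SpecifyKind([datetime]'2011-03-01', [DateTimeKind]::Utc)

# Export-Csv overwrites the file, so a re-run does not stack a second
# header row the way appending with >> does.
Get-RecentlyCreatedUser -SearchBase 'OU=OU Name,DC=domain,DC=local' -Since $since |
    Export-Csv -Path .\new-users.csv -NoTypeInformation -Encoding UTF8
```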

Your account is configured to prevent you from using this computer.

September 9th, 2011 Jovan Davis No comments

You receive the following error when logging into a client machine on your domain with a specific user account:

“Your account is configured to prevent you from using this computer.”

Solution:

Ensure the user account is not configured to log on only to specific machines in Active Directory Users and Computers.

Find All Expired Accounts in your Domain via Active Directory PowerShell

September 2nd, 2011 Daniel Davies No comments

Here’s a quick command you can run in AD PowerShell that will give you a list of all Expired accounts in your domain.

Search-ADAccount -AccountExpired | fl Name , AccountExpirationdate

This will give you a list like below.

Name                  : User1
AccountExpirationdate : 30/03/2011 00:00:00

Name                  : User2
AccountExpirationdate : 23/04/2011 00:00:00

Find All Disabled Accounts in your Domain via Active Directory PowerShell

September 2nd, 2011 Daniel Davies No comments

Here’s a quick command you can run in AD PowerShell that will give you a list of all disabled accounts in your domain.

Search-ADAccount -accountdisabled | FL SamAccountName

This will give you a list like below.

SamAccountName : User1

SamAccountName : User 2

SamAccountName : User3

SamAccountName : User4

ADModify username variable

August 26th, 2011 paulw No comments

If you are using this very useful tool to change users' home directory paths in AD and you need to input the path according to the user name, you may find that the regular %username% does not work with ADModify. The username value that the program does understand is:

%'sAMAccountName'%

For example, a user's home drive may be set using the following syntax:

\\server\homedriveshare\%'sAMAccountName'%

Hope this helps.

Paul

Protect Multiple objects from accidental deletion via AD PowerShell

August 15th, 2011 Daniel Davies No comments

Recently we were tasked with protecting all objects in a specific OU from accidental deletion. There were about 60 users in this OU, so we wanted to script this; scripting it would also let us set up a scheduled task so that the change is applied to new users who get added to the OU.

First of all, open PowerShell and run "Import-Module activedirectory".

Now run the following, changing the DN so that it points at the relevant OU for your domain.

Get-ADObject -Filter * -SearchBase "OU=Users,DC=Domain,DC=com" | Set-ADObject -ProtectedFromAccidentalDeletion $true

All users in the OU should now be protected from accidental deletion.
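
A version suited to the scheduled task mentioned above, as an added example that is not part of the original post. It only touches objects that are not yet protected and returns their DNs so each run leaves a record; the function name Protect-OUObject is hypothetical and the OU path is the placeholder from the post.

```powershell
Import-Module ActiveDirectory

function Protect-OUObject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $SearchBase
    )

    # Read the current flag so already-protected objects are skipped.
    $unprotected = Get-ADObject -Filter * -SearchBase $SearchBase `
            -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }

    foreach ($obj in $unprotected) {
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Protect from accidental deletion')) {
            Set-ADObject -Identity $obj -ProtectedFromAccidentalDeletion $true
            # Emit the DN of every object changed in this run.
            $obj.DistinguishedName
        }
    }
}

# Dry run first: lists what would change without writing to AD.
Protect-OUObject -SearchBase 'OU=Users,DC=Domain,DC=com' -WhatIf

# Real run; the output can be appended to a log by the scheduled task.
Protect-OUObject -SearchBase 'OU=Users,DC=Domain,DC=com'
```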

Find out which DC’s hold which FSMO roles

August 15th, 2011 Daniel Davies No comments

Just a quick useful command that you can run to find out which DCs hold which FSMO Role.

netdom query fsmo

Exchange 2010 Issue “One or more Objects properties are pointing to Active Directory deleted objects”

July 19th, 2011 Daniel Davies No comments

We had the following alert appear on our Exchange Server recently.

“Process powershell.exe (PID=19640). Object [CN=Username,OU=Mailboxes,OU=OU,DC=Domain,DC=com]. Property [HomeMTA] is set to value [Domain.com/Configuration/Deleted Objects/Microsoft MTA DEL:d016338e-12ce-409b-a82a-da6217c8e67f], it is pointing to the Deleted Objects container in Active Directory. This property should be fixed as soon as possible.”

Basically the issue is that the user referenced in the event has an incorrect homeMTA value. If you browse to the user via ADSI Edit and view the homeMTA attribute, you will see that it references Deleted Objects.

To sort this issue, run the following command:

Get-Mailbox -Identity USERNAME | Update-Recipient

Exchange 2010 Offline Address Book “ is pointing to the Deleted Objects container in Active Directory. This property should be fixed as soon as possible.”

July 19th, 2011 Daniel Davies No comments

We came across an issue recently where we were receiving Event ID 2937 in our event logs in regards to the offline address pointing to the Deleted Objects container in Active Directory.

Process powershell.exe (PID=14836). Object [CN=Exchange 2010 OAB,CN=Offline Address Lists,CN=Address Lists Container,CN=Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=servername,DC=net]. Property [PublicFolderDatabase] is set to value [servername.net/Configuration/Deleted Objects/PF DEL:f03f8b36-7d36-4d3d-98a7-a0f6e2f325a6], it is pointing to the Deleted Objects container in Active Directory. This property should be fixed as soon as possible

We resolved this issue by doing the following.

  1. Open ADSIedit.
  2. Navigate to “CN=Exchange 2010 OAB,CN=Offline Address Lists,CN=Address Lists Container,CN=Name,CN=Microsoft Exchange,CN=Services,CN=Configuration”.
  3. Right-click Exchange 2010 OAB and choose Properties.
  4. Navigate to the siteFolderServer attribute and you will see the same value specified here as in the event.
  5. Choose Clear on this attribute and apply the setting.
  6. Now open the Exchange Management Shell and navigate to Organization Configuration > Mailbox > Offline Address Book.
  7. Right-click the OAB in question and browse to the Distribution tab.
  8. Now uncheck “enable folder distribution” and choose OK.
  9. Now go back to the same setting and re-enable “enable folder distribution”.
  10. This should now have fixed your issue. You can refresh ADSIEDIT and check the siteFolderServer attribute to make sure it no longer references the Deleted Objects container.