Interview with Frank Carius

Another TechEd video! Microsoft MVP Frank Carius from http://www.msxfaq.de describes how PowerShell helps him manage Exchange 2007 and 2010, and Lync Server 2010, how he creates and debugs his scripts, and how he uses automated policies for secure mailbox access provisioning:

Enjoy!

Advertisement

Manage Email addresses without Exchange cmdlets

AD cmdlets 1.4 added new cmdlets and parameters which let you manage email addresses in your environment even if you do not have Exchange Management Shell. This is very handy if you are on Exchange 2003, do not have Exchange cmdlets installed, or just don’t want to switch between snapins.

Here’s the quick overview of what we have added:

Retrieving accounts by any proxy addresses:

Now Get-QADObject, Get-QADGroup, and Get-QADUser all have PrimaryProxyAddress, ProxyAddress and SecondaryProxyAddress parameters which can let you be more specific in your queries and thus retrieve objects much faster (compared to just supplying the address as identity parameter and relying on default resolution).

For example, you could do:

Get-QADUser -ProxyAddress 'x400:C=US;A= ;P=Quest Software;O=Aliso Viejo;S=Sotnikov;G=Dmitry;I=A;'

or

Get-QADUser -SecondaryProxyAddress '*Sotnikov@algorithm.aelita.com'

Adding email addresses:

Just use Add-QADProxyAddress and specify various parameters for specifics (pair with Clear-QADProxyAddress to replace previous addresses):

Get-QADUser company\jsmith |
  Add-QADProxyAddress -Address 'smtp:jsmith@company.com' |
  Add-QADProxyAddress -Type SMTP -Address 'john.smith@company.com' -Primary |
  Add-QADProxyAddress -CustomType 'sip' -Address 'john.smith@company.com'

Removing all addresses:

Did I mention Clear-QADProxyAddress?

Get-QADUser company\jsmith |
  Clear-QADProxyAddress |
  Add-QADProxyAddress -Address 'smtp:jsmith@company.com' |
  Add-QADProxyAddress -Type SMTP -Address 'john.smith@company.com' -Primary |
  Add-QADProxyAddress -CustomType 'sip' -Address 'john.smith@company.com'

Removing individual addresses:

Use Remove-QADProxyAddress and it’s parameters to operate on a specific address or a set of addresses:

Get-QADUser |
  Remove-QADProxyAddress -Pattern '*@company.com'

Modifying addresses:

Set-QADProxyAddress lets you pick and replace specific addresses:

Get-QADUser |
  Set-QADProxyAddress -From '*@source.com' -MakePrimary

or

Get-QADUser |
  Set-QADProxyAddress -From '*@before.com' -To '*@after.com'

Enabling or disabling email address policy:

Enable-QADEmailAddressPolicy and Disable-QADEmailAddressPolicy are your respective friends and can be applied to individual objects. For example:

Get-QADUser DomainName\UserName | Disable-QADEmailAddressPolicy

Get-QADUser -City London | Enable-QADEmailAddressPolicy

Happy scripting!

What’s New in AD cmdlets 1.4

Don’t get confused by the version number – this is a major update to the free QAD cmdlets adding significant new functionality and making Active Directory management from PowerShell easier than ever before.

Here is a quick list of what is new in this release.

You can read more about each cmdlet and parameter by following the corresponding links – or waiting till I blog about all the new functionality throughout the coming weeks.

32 new cmdlets!

Certificate and Public Key Infrastructure (PKI) management

• Get-QADLocalCertificateStore
• New-QADLocalCertificateStore
• Remove-QADLocalCertificateStore
• Get-QADCertificate
• Where-QADCertificate
• Add-QADCertificate
• Import-QADCertificate
• Show-QADCertificate
• Edit-QADCertificate
• Export-QADCertificate
• Remove-QADCertificate
• Remove-QADPrivateKey
• Get-QADCertificateRevocationList
• Add-QADCertificateRevocationList
• Import-QADCertificateRevocationList
• Export-QADCertificateRevocationList
• Remove-QADCertificateRevocationList
• Get-QADPKIObject
• Publish-QADCertificate
• Unpublish-QADCertificate
• Publish-QADCertificateRevocationList
• Unpublish-QADCertificateRevocationList

Email address management

• Add-QADProxyAddress
• Set-QADProxyAddress
• Remove-QADProxyAddress
• Clear-QADProxyAddress
• Enable-QADEmailAddressPolicy
• Disable-QADEmailAddressPolicy

Auxiliary cmdlets for Progress Bar and Inactive Account Reporting

• Set-QADProgressPolicy
• Get-QADProgressPolicy

• Set-QADInactiveAccountsPolicy
• Get-QADInactiveAccountsPolicy

20 New Parameters

Parameters	Added for Cmdlets
–
ExpiredFor Inactive InactiveFor NotLoggedOnFor PasswordNotChangedFor	Get-QADUser
–
Inactive InactiveFor NotLoggedOnFor PasswordNotChangedFor	Get-QADComputer
–
PrimaryProxyAddress ProxyAddress SecondaryProxyAddress	Get-QADObject Get-QADGroup Get-QADUser
–
ShowProgress ProgressThreshold Activity	Get-QADComputer Get-QADGroup Get-QADGroupMember Get-QADManagedObject Get-QADMemberOf Get-QADObject Get-QADPasswordSettingsObject Get-QADPasswordSettingsObjectAppliesTo Get-QADUser Get-QARSAccessTemplate Get-QARSAccessTemplateLink Get-QARSWorkflowDefinition
—
Disabled Enabled KeepForeignSecurityPrincipals	Get-QADGroupMember
—
ResolveForeignSecurityPrincipals	Get-QADObject
—
Control	Add-QADGroupMember Add-QADMemberOf Add-QADPasswordSettingsObjectAppliesTo Deprovision-QADUser Disable-QADComputer Disable-QADUser Enable-QADComputer Enable-QADUser Get-QADComputer Get-QADGroup Get-QADGroupMember Get-QADManagedObject Get-QADMemberOf Get-QADObject Get-QADPasswordSettingsObject Get-QADPasswordSettingsObjectAppliesTo Get-QADUser Get-QARSAccessTemplate Get-QARSAccessTemplateLink Get-QARSWorkflowDefinition Move-QADObject New-QADComputer New-QADGroup New-QADObject New-QADPasswordSettingsObject New-QADUser New-QARSAccessTemplateLink Publish-QARSGroup Remove-QADGroupMember Remove-QADMemberOf Remove-QADObject Remove-QADPasswordSettingsObjectAppliesTo Remove-QARSAccessTemplateLink Rename-QADObject Reset-QADComputer Restore-QADDeletedObject Set-QADComputer Set-QADGroup Set-QADObject Set-QADUser Set-QARSAccessTemplateLink Unlock-QADUser Unpublish-QARSGroup

SearchRoot parameter now accepting arrays

This lets you retrieve objects from multiple containers with one call. The change affects the following cmdlets:

Get-QADComputer

Get-QADGroup

Get-QADObject

Get-QADPasswordSettingsObject

Get-QADUser

Get-QARSAccessTemplate

Get-QARSAccessTemplateLink

Get-QARSWorkflowDefinition

Summary

To get full list of all QAD cmdlets please see AD cmdlets online reference.

Download AD cmdlets 1.4 here and let us know what you think.

Check who can send email to a group

Today I wanted to get a list of people who had rights to send messages to a few distribution lists in our company. This information is not readily available in Outlook, but turned out to be very easy to retrieve using PowerShell – this is literally just a few attributes to retrieve from your Active Directory.

Here’s a sample output of my script:

PS:\> Get-DLRestriction "Worldwide Everyone"
Checking restrictions for Worldwide Everyone

The following users can send messages to this list:

Anne Smith
John Able

Members of this group can send messages to this list: Domain\Communicators) :

Susan Gallings
Terry Adams

Only authenticated users can send messages to this list.
External senders get blocked.

I’ve uploaded the script to poshcode, but for your convenience also posting it here:

function Get-DLRestriction {
  param([System.String]  $DLName  )

  "Checking restrictions for $DLName"

  $DL = Get-QADGroup $DLName `
      -IncludedProperties AuthOrig, UnauthOrig, dLMemRejectPerms,`
                      dLMemSubmitPerms, msExchRequireAuthToSendTo

  # we'll set this to true if we see a restriction
  $restricted = $false

  # if the group with such a name is found
  if ( $DL -ne $null ) { 
    
    if ( $DL.AuthOrig -ne $null ) { 
      $restricted = $true
      "`nThe following users can send messages to this list:"
      $DL.AuthOrig | Get-QADUser
    }
    
    if ( $DL.UnauthOrig -ne $null ) { 
      $restricted = $true
      "`nAnyone BUT the following users can send messages to this list:"
      $DL.UnauthOrig | Get-QADUser
    }
    
    if ( $DL.dLMemSubmitPerms -ne $null ) { 
      $restricted = $true
      "`nMembers of this group can send messages to this list: $($DL.dLMemSubmitPerms | Get-QADGroup)) :"
      Get-QADGroupMember $DL.dLMemSubmitPerms
    }
    
    if ( $DL.dLMemRejectPerms -ne $null ) { 
      $restricted = $true
      "`nAnyone BUT members of this group can send messages to this list: $($DL.dLMemRejectPerms | Get-QADGroup)) :"
      Get-QADGroupMember $DL.dLMemRejectPerms
    }
    
    if ( $DL.msExchRequireAuthToSendTo ) { 
      $restricted = $true
      "`nOnly authenticated users can send messages to this list.`nExternal senders get blocked."
    }
    
    if ( -not $restricted ) {
      "`nThis list is not restricted. Anyone can email it."
    }
  } else {
    "`nDL $DLName not found."
  }
}

Exchange 2010 PowerPack is here

For all PowerGUI administrators, Konrad Sagala has just posted his first release of PowerPack for Exchange Server 2010.

PowerPacks are extensible open-source add-ons for PowerGUI Administrative Console. Once you import them into the console you get rich MMC-like UI for a new platform. It is great to see that Exchange 2010 support is now available for PowerGUI and great to see a member of the PowerGUI community stepping up to provide that!

Download the Exchange 2010 PowerPack and post your comments to the page (log in required to post comments) to let Konrad know what you think.

Exchange 2003 PowerPack Updated

If you manage your Exch 2003 with PowerGUI make sure you upgrade to the latest version of the PowerPack which Jonathan Medd has made available.

It adds a nice Database Whitespace report added, and more importantly autoupdate capabilities – so from now on getting new patches and features becomes way easier.

Get the PowerPack here or read more in Jonathan’s blog here.

The Experts Conference 2010

TEC is one of the most advanced (400 level sessions are norm!) conferences you can find out there. This is probably the only event with so much technical information, amazing speakers (Microsoft product teams and real-world practitioners), and great audience (MVPs, chief IT architects, and so on.)

The topics range from Active Directory and Forefront Identity Manager (FIM) to Exchange and SharePoint technologies (follow the links to read the abstracts of the sessions which have been announced).

There will obviously be a fair bit of PowerShell on the way – e.g. Brandon Shell will be amazing everyone by totally scripting read-only domain controllers deployments.

TEC 2010 takes place April 25-28, 2010, at the brand new JW Marriott LA Live Hotel in the heart of Los Angeles. Learn more at www.theexpertsconference.com, register today and ask for the early bird discount! 😉

Skype for administrators

Call any user in Active Directory or Exchange right from your administrative console, with a single click dial into any conference call (with participant passcode dialed for you ;)) – all of that is possible with the latest extension for PowerGUI.

PowerGUI Skype PowerPack adds Call buttons for all user accounts and mailboxes, as well as people in your corporate organizational chart. In addition to this you can obviously call any of your Skype contacts or any conference call appointments listed in your Outlook.

Check out this 7-minute demo here (highly recommended to watch in HD and full screen):

As always, all the code behind any nodes and actions can be found in their properties, so you can learn how this actually works, modify the pack to suite your needs or extend it to add calling capabilities to whichever other systems you are managing!

This blog post by Shafqat Ahmed helped me a lot when I started working on the PowerPack. My scripts in the pack are basically enhancements built on top of his excellent post.

Download Skype PowerPack here and let us know what you think.

Tags: AD, Active Directory, Demo, Exchange, PowerGUI, PowerPack, PowerShell, Skype
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

TechEd South Africa session on PowerGUI

If you are attending TechEd in Durban in a couple of weeks make sure you see Nicolas Blank delivering his UNC304 session:

PowerShell and Unified Communications: Taking the Mystery out of AD, Exchange and OCS Management using PowerShell (UNC304)

PowerShell is wonderful – if you know where to start or how to use it! This session will cover how to get started with PowerShell as well as moving into advanced areas of Exchange and OCS management with PowerShell. We will cover common management and migration scenarios where PowerShell can add value, learning how to run “one liners” that can “change the world” as well as using the Power of PowerShell in PowerGUI in order to have the best of both worlds – PowerShell flexibility and GUI management and much much more.

UNC304 | Mon 3 Aug (12:00 – 13:00) | 300 – Advanced| Session Room B1 | Speaker: Nicolas Blank | Breakout Session

Nicolas is an Exchange MVP and Unified Communications guru. He was one of the first guys who started using PowerShell to manage Exchange 2003 back in 2007. This year he is delivering 4 TechEd sessions! Quite an achievement. Congratulations to Nicolas and make sure you see him if you are at the show.

Tags: Conferences, Exchange, OCS, PowerGUI, PowerShell, TechEd
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

Restore Exchange data from PowerShell

Working with mail backups can be a pain. Especially when you need to do some kind of bulk operations like scan backups for particular mailboxes and find all emails with certain keywords and then export then to a PST or add them to a public folder.

Quest has recently PowerShell-enabled its Exchange/Notes/PST backup/recovery product – and we got a lot of great functionality available for your scripts/command line.

Here are a few examples:

• Here’s how you can attach a standard Exchange backup and retrieve its messages as .msg files:

Attach-RMEExchangeDB -EdbPath "C:\Data\Edb\EdbSearchTest\EdbSearchTest.edb" | Get-RMEMessage | Export-RMEMessage -ExportPath "C:\Data\Exported\Msg" -Type Msg

• Or look for particular keywords in Lotus Notes data:

Attach-RMELotusDB "C:\Data\Nsf" | Get-RMEMessage -SearchIn Subject, Body -Text "test" | Export-RMEMessage -ExportPath "C:\Data\Exported\Eml" -Type Eml

• Or restore a folder to PST:

Attach-RMEExchangeDB "C:\Data\Edb\EdbSearchTest\EdbSearchTest.edb" | Get-RMEFolder "John Doe\Inbox" | Restore-RMEFolder -TargetPath "C:\Data\Restored\Pst"
Obviously you can restore to live mailboxes and public folders, work with attachments, and so on, and so forth.

Here’s full list of the cmdlets – each of the pages has examples and details on parameters, etc.:

• Get-RMEMailbox
• Restore-RMEMailbox

• Get-RMEFolder
• Restore-RMEFolder

• Get-RMEMessage
• Restore-RMEMessage
• Export-RMEMessage

• Export-RMEAttachment
• Get-RMEAttachment

• Attach-RMEExchangeDB
• Extract-RMEExchangeDB

• Attach-RMEExchangeMailbox
• Attach-RMEExchangePublicFolders

• Attach-RMEPersonalDB
• Attach-RMELotusDB

Note that unlike AD cmdlets these are actually a part of commercial product so there is cost involved. You can get a trial license from the product page. If you are a Microsoft MVP you can also get a free NFR license by applying here.