Script: Listing Distribution Groups a recipient is a member of

It's easy to get a list of all members of a Distribution Group. The Exchange shell (EMS) ships with the Get-DistributionGroupMember cmdlet that makes it a short one-liner (compared to 100s of lines of code in VBS).

However, how do we get all Distribution Groups a user, group, or contact is a member of? There's no equivalent cmdlet that can list a recipient's distribution group memberships using the shell. From the AD side, a recipient's memberOf attribute is a back-linked attribute, which I briefly talked about in memberOf Attribute can now be used in OPATH filters!. A group's membership is stored in the group's member attribute.

In the following command/script (what's the boundary between a command and a script?? when do a bunch of commands become a script?), we look at all distribution groups in AD, look at each member and determine if it matches the one we're looking for.

$contact = get-contact "foo@somedomain.com"; Get-DistributionGroup | foreach {$dg = $_ ; write-host "Looking at: "
$dg; Get-DistributionGroupMember $dg | foreach {if ($_.identity -like $contact.identity) {"Member of : " + $dg} }}

Clearly, this isn't very efficient!

Using the ADSI provider

The shell can also look at the AD objects natively using the ADSI provider. It's not as friendly or easy to use (as a native AD provider for Powershell would probably be), but it's a huge improvement over VBScript. There's no need to grab AD objects into ADO recordsets— that part is taken care of by Powershell.

Here's one way to do this using the ADSI provider:

$dn = "LDAP://" + (Get-Contact foo@somedomain.com).distinguishedName; $foo=[ADSI]$dn; $foo.memberOf | foreach {$dg = $_; get-distributiongroup $dg}

Here's a script with some changes and validation: Get-DGMembership.zip

What it does: Uses the ADSI provider to get list of all groups a recipient is a member of, determines if the group is a Distribution or Security group, outputs names of Distribution Groups.
Usage:

.\Get-DGMembership.ps1 Mailbox1@mydomain.com

.\Get-DGMembership.ps1 Mailbox1@mydomain.com Contact2@somedomain.com

What we can really use is a native AD provider that lends the same automation capabilities to AD management tasks that the Exchange shell and Powershell lend to Exchange and Windows management tasks.

Bulk mailbox creation revisited: Adding Active Directory attributes

The instructions in Exchange Server 2007: Bulk creation of mailboxes using Exchange Management Shell allow you to quickly create mailboxes in bulk using the New-Mailbox command.

Continuing from where we left off in that post, another scenario is being able to add Active Directory attributes to the new user object created by New-Mailbox. Note, the New-Mailbox command can populate only a limited set of AD attributes for an object - those related to Exchange. These are listed in the documentation for New-Mailbox.

To add AD attributes, the logical choice would be to use the New-User command to create the user, and mailbox-enable it by using Enable-Mailbox. This would work great, except for the fact that the New-User command doesn't exist! The key thing to remember is - Exchange provides only the commands necessary to create Exchange recipients. So you have commands like New-Mailbox, New-MailUser, New-MailContact, New-PublicFolder/New-MailPublicFolder, and New-DistributionGroup. However, there are no AD-equivalents like New-User, New-Contact (to create a Contact that's not mail-enabled), New-SecurityGroup or New-Group.

PowerShell and Active Directory

Active Directory isn't really PowerShell-enabled, as other components of Windows - like the file system, registry, etc., and Exchange Server 2007 are. There are no AD-related commands (Cmdlet? Shell folks, was it really necessary to introduce another word to the jargon - one that uses the entire word "command"? Perhaps something shorter would've been nicer if you wanted to have a unique word... :-) You can use the Directory Services provider, but that essentially leaves you in VBScript mode, with some PowerShell goodness! A little easier, but not natively shell, as you are used to with Exchange commands.

Quest adds these much-needed commands through its free add-on Management Shell for AD. Download it here. Quest has named them so they're differentiated from future commands that will be available natively in PowerShell. For the time being, the quirkiness of typing commands with a Q - as in New-QADUser instead of New-ADUser or New-User - is something we will have to live with, until AD is PowerShell-enabled.

Kudos to the folks at Quest for making these available for free.

Also take a look at PowerShell Community Extensions - it has an Active Directory provider that lets you navigate AD like a file system.

If you already have a user created, you can use the Set-User command to populate its AD-related attributes.

To accomplish what we want to do here (thanks to Evan Dodds for the input), we use the New-Mailbox command, and pipe the output to Set-User to populate AD attributes. In the following example, we add the Phone attribute, besides using the Alias, Name and UserPrincipalName attributes used to create the mailbox.

Add the Phone column in our CSV/spreadsheet, so it looks like the following:

Alias,Name,UPN,Phone
User_One,User One,userone@yourUPNsuffix.com,650.555.1121
User_Two,User Two,usertwo@yourUPNsuffix.com,650.656,2221
User_Three,User Three,userthree@yourUPNsuffix.com,650.797.3321

Now we modify the script/commands from the previous post:

$password=Read-Host "Enter Password" -AsSecureString

Import-CSV "c:\CreateRecipients.csv" foreach {new-mailbox -alias $_.alias -name $_.name -UserPrincipalName $_.UPN -database "Mailbox Database" -org "Users" -Password $password | set-user -phone $_.phone}

The above command(s) create the user account as part of New-Mailbox. When we pipe that to Set-User, we still have a reference to that object, and can use Set-User to populate the AD attribute Phone. (Changes made to the command from previous post highlighted.)

Related Posts:
- Exchange Server 2007: Bulk creation of mailboxes using Exchange Management Shell
- Exchange Server 2007: Bulk mailbox-enabling users using Exchange Shell

SCRIPT: Turning on Filter Junk Email

OWA users who never logon using Outlook do not have their Junk Mail filtering option turned on by default. Exchange MVP Glen Scales has a script here that allows you to turn this on programmatically for Exchange Server 2007 users.

DST 2007: Script to export Calendar items (before you rebase!)

MIIS (Microsoft Identity Integration Server) MVP Jason Sherry recently shared this script to export Calendar items, which should come in handy to export items from the affected "extended" DST period, before you start rebasing items.

In case something goes wrong during rebasing and appointments are off by an hour or two before or after their actual scheduled time, the output from this script should serve as a handy reference to determine the actual appointment times.

(Of course, as noted a few times earlier throughout my posts, adding the meeting time to the subject line of each meeting during this affected period should go *a long way* in "defending" yourself from any rebasing-related issues... however, the simplest solution is quite frequently the first one to be dismissed by many folks, including users and IT pros... - Bharat)


The script also has an option to disable Direct Booking of resource mailboxes while you rebase items. The account running this script should have Full Mailbox Access or Receive As permissions on mailboxes, (and just like requirements for the Exchange Calendar Update Tool - the account should not have Exchange Full Admin delegated to it, which creates a Deny ACE for Full Mailbox Access for the account).

The script uses MAPI, and like the rebasing tools - it should be run from a computer with Outlook installed.

Std. disclaimers from Jason: the script is a work in progress, please test in a non-production environment and use at your own risk.

Download ExportCalendar.vbs from here.

Download and read the documentation before you proceed.

Getting Dell Service Tag using PowerShell

A popular script on this blog uses the Win32_SystemEnclosure WMI class to get the Dell Service Tag from Dell computers [read previous post "Getting Dell Service Tag using WMI"].

Powershell's get-wmiobject commandlet makes it a one-liner:

Get-WmiObject win32_SystemEnclosure | select serialnumber

SCRIPT: Show mailbox quotas (including Store & Policy quotas)

I had earlier posted a script that lists users' mailbox limits/quotas [read previous post "SCRIPT: Show mailbox limits"]. That script only picks up users who have their mailbox limits set individually, bypassing the "normal" users who have their mailbox storage limits set by the Store or a System Policy.

(A related script that resets the mailbox storage limits of all such users who have it set individually - SCRIPT: Reset mailbox limits).

Here's another one on those lines - this script lists mailbox storage limits for *all users*, even if set by the Store or a System Policy. In case it is set by the Store, it displays the quota set by the Store. If a System Policy is applied to the Store (on which the mailbox resides) to enforce mailbox storage limits, it displays limits enforced by the Policy.

The script can output results to a file - use the /f: switch with filename/path - e.g.

checkmailboxquotas.vbs /f:c:\docs\Quotas.txt

You can also compress console output (the actual mailbox limit data - run-time info will still be output to the console. This shows which Store it is connecting to, et al.. ).

It was a little harder to code than it appears from the description above. :) Want to know more about the things I tried? Read previous post "Conflicting Mailbox Store Policies")

If for some reason it doesn't work for you, please post the issue in comments for this post.

Download ShowMailboxQuotas.zip

Disclaimer: View all downloaded code/scripts with suspicion, including mine. Try them in a test environment first. I (or whoever posts such scripts on the web) could just as easily include code that deletes all your recipients and other AD objects :). These scripts do not come with any warranties or support, nor confer any rights.

SCRIPT: Show OWA Users

This is a modified script that shows current OWA/HTTP logons to the Store(s) on a given server(s). The script takes NetBIOS names of servers as command-line arguments (separated by spaces), uses the Exchange_Logon WMI class to connect to a server and retrieve list of users currently logged on.

ShowHTTPLogons.vbs EXCH1 EXCH2 EXCH3

[If Cscript is not your default scripting engine, it is advisable to add Cscript when you run this: cscript SHOWHTTPLogons.vbs EXCH1 EXCH2 EXCH3]

It omits any non-HTTP logons, and displays the mailbox (display name), logged on user, and the Store name in a comma-separated format.

To dump output to a CSV file, simply add ">MyOutputFileName.csv" to the end of the command when running the script. E.g. cscript ShowHTTPLogons.vbs EXCH1 EXCH2 EXCH3 >MyOutputFileName.csv

The script does not display logons by the System account (NT AUTHORITY\SYSTEM), but these are counted and displayed as a summary, in addition to the number of actual HTTP logons by users. Please note, even in one OWA session, you could have multiple HTTP logons on the Store, so this is by no means a way to calculate the actual number of users currently logged on using OWA. You will see repeated entries for mailboxes because of this (... it's not a very tidy script, but written in a hurry....hopefully I will be able to fix that at a later date).

Download:
showHTTPLogons.zip

Note: You will need to extract the file and rename it with a VBS extension.

SCRIPT: Get Store GUIDs

Background: Exchange Server 2003 SP2 allows raising the Store size limit. If you're using Exchange Server 2003 Standard Edition, the default is raised from 16 Gb to 18 Gb, and the maximum size of a Store has been raised to 75 Gb. To raise the Store size limit, you need to insert the Database Size Limit DWORD value in:
HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<servername>\Private-<ObjectGUID of the store>
(Refer to "Database Size Limit Configuration and Management", Exchange Server 2003 Technical Reference Guide)

Issue: You want to raise the storage limit of a Store.

When you go to the Registry, the name of the subkey looks something like this:
Private-e633bea6-9daf-4752-b5a9-efffae29af2b


When you check the objectGUID attribute of a Store (in ADSIEdit), it looks like this:
A6 BE 33 E6 AF 9D 52 47 B5 A9 EF FF AE 29 AF 2B



The objectGUID is an octet string - the octets will appear reversed.

One way of finding out the GUID is to go to the Microsoft Exchange System Objects container, finding the SystemMailbox{GUID} object - where the GUID matches the registry subkey, and checking the object's homeMDB attribute. This reveals the name of the Store that GUID belongs to.

GetStoreGUIDs.vbs script will dump Store name, the distinguishedName, objectGUID (in a readable format, the way it shows up in the registry), and the legacyExchangeDN of all Stores in an Exchange Organization.

Download:
GetStoreGUIDs.zip

Besides the above script, you will also need a Microsoft DLL file that converts data types (variants). Download ArrayConvert.exe from KB 250344: SAMPLE: ARRAYCONVERT.EXE Variant Conversion Functions.
- Expand ArrayConvert.exe into a folder
- Navigate to the folder where you expanded the files
- Use the following command to register the DLL on the computer that you'll run the script on:
regsvr32 ads.dll

UPDATES
3/4/2006: Script shows Organization name, Store type (Public/Private) and Server name.
12/27/2006: Added link to Database Size Limit Configuration and Management, and images showing GUID in registry and ADSIEdit.

8/7/2007: Note about downloading ArrayConvert.exe and registering ADS.DLL added.

SCRIPT: List Distribution Groups

I was able to modify this script I wrote a while back for general use.

What it does: Lists mail-enabled groups in a domain including following attributes:
- Group Name
- Group type (Security/Distribution group)
- Description (if the description field is populated)
- Manager
- Members

What needs to be added...
- If the group only receives from authorized senders (msExchRequireAuthToSendTo = TRUE)
- list of authorized senders - if "Only from" is selcted in Exchange Gneeral (authOrig)
- list of users who cannot send to this group - if "from Everyone except" is selected in Exchange General (unAuthOrig)

Download the zip file from here

Update 3/19/2007:
- Added option /f: to add output file path, creates output in a file:
ListDistGroups.vbs /f:"c:\MyOutputFile.csv"
- Option to suppress console output: /s:y
- Option to get help: /help
- Changed link to point to exchangepedia.com/blog

SCRIPT: Reset Mailbox Limits

I had posted a script that reports all users with their mailbox storage limits set individually on the user account properties in my earlier post titled "SCRIPT: Show mailbox limits".

I have just added another script to that post that will reset those mailboxes (with storage limits set individually). Once the script resets storage limits on the account, the account will get any mailbox storage limit policies. [zipped resetMailboxLimits.vbe]

README FROM THE SCRIPT:
This script will look for all user accounts that have their mailboxstorage size modified individually.
This includes accounts that have **any** following attributes:- Use mailbox store defaults is unchecked- Issue warning at (KB) is set- Prohibit send at (KB) is set- Prohibit send and receive at (KB) is set

Usage:resetmailboxlimits.vbe
Options:
/s:y will run script in silent mode*make sure you use the /f option to save output to a file if you'reusing silent mode
/f:[path to output file.txt] - will save output in a text file
/help
resetmailboxlimits.vbe /s /f:c:\somedir\output.txt*above command will run this script in silent mode and produce output in the output.txt file in c:\somedir

SCRIPT: Show mailbox limits

At times the user's mailbox limits are adjusted to bypass the limits set on a store or all stores by a policy. This is done by unchecking 1) "Use mailbox store defaults" in user's properties --> Exchange General --> Storage Limits.

New values can be added for 2) "Issue warning at (KB):", 3) "Prohibit send at (KB):", and 4) "Prohibit send and receive at (KB):" fields.

The corresponding attributes in AD are:
1. mDBUseDefaults
2. mDBStorageQuota
3. mDBOverQuotaLimit
4. mDBHardQuotaLimit

Unchecking number 1 and not adding any values to 2, 3 & 4 result in user having a mailbox with no limits.

Here's a script that lists all mailboxes that have their limits changed to bypass store defaults (mDBUseDefaults=FALSE), and lists the 3 attributes above if present. [zipped showMailboxLimits.vbs]

Usage:

showMailboxLimits.vbs /f:outputfilename.txt

adding a /s:y suppresses console output

Output produced is comma separated, can be opened in a spreadsheet.

Update:
1/17/2007: New script that shows mailbox quotas for all users, including those applied by the Store and any System Policies that may be applied to the Store:
" SCRIPT: Show mailbox quotas (including Store & Policy quotas)"

Exporting Sender Filter List

Messages from specific senders can be blocked by implementing sender filtering. Blocked senders are specified in Global Settings Message Delivery properties Sender Filtering tab (see screenshot).

The Senders list is saved in the msExchTurfListNames attribute of the Default Message Filter object. It is a multi-valued attribute. It can be exported using ldifde/csvde if you take the trouble to find out distinguishedName or objectClass of the attribute.

Here's a little script (... quite complicated actually, considering it can be done using either of the above methods using a single command... ) that will export the list to a text file -
getSenderFilterList.vbs (zipped).

Usage:
getSenderFilterList.vbs /f:filename.txt - exports to file
getSenderFilterList.vbs /f:filename.txt /s:y - exports to file and suppresses console output

List users with email forwarded

Here's a script written in response to ng post today on microsoft.public.exchange.admin.

Requirement: List users with email being forwarded to another recipient. This can be done easily in ADUC console on Windows Server 2003 by creating a saved query.
Query text: (&(homeMDB=*)(altRecipient=*))

The other half of the requirement is to actually list the name of the user/mailbox being forwarded to. This is something ADUC can't do - there's no choice to add and display altRecipient in a column next to each user.

The script will show the user being forwarded to, and also if messages are being delivered to both places - the original recipient's mailbox and the alternate recipient.

Download the script here: listForwardingEnabled.zip

HOW TO: Export all email addresses from a domain

Background: AD Users & Computers UI lets you list the mail column for each object, which displays the default (SMTP:) address for objects. You can export it from ADUC as csv/txt. However, those objects may have additional email addresses. These are listed in the proxyAddresses attribute.

There's no GUI to list/export all email addresses, including the ones listed in the object's proxyAddresses attribute.

Here's a script to do that - ListEmailAddresses.vbs
 Download

What does it exactly do?
- Queries Active Directory for Contacts & Groups
- Lists their email addresses
- Queries Users
- Lists enabled users' email addresses
- Lists disabled users' email addresses separately (was required for a certain project I did a long time back)
- Outputs to command line and also to a text file - c:\proxyaddresses.txt
- X.400 addresses are ignored

Updates:
08/07/2007: Download link updated to correct URL.

Getting Dell Service Tag using WMI

Need to maintain an accurate inventory of servers in datacenter. Dell servers have a Service Tag that is required when calling Dell support, and it makes sense to include this in the server list.

Here's how to retrieve the Service Tag from BIOS. This uses WMI, and therefore works on Windows servers only.

'Check for Arguments
If WScript.Arguments.Count = 0 Then
Wscript.Echo "Usage: GetDesllSvcTag.vbs computer1 [computer2] [computer3] ......"
WScript.Quit
End If

For Each strComputer In wscript.Arguments
Set objWMIService = GetObject("winmgmts:" _ & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colSMBIOS = objWMIService.ExecQuery _ ("Select * from Win32_SystemEnclosure")
For Each objSMBIOS in colSMBIOS
Wscript.Echo strComputer & ": " & objSMBIOS.SerialNumber
Next

Next

The production script I use queries AD (using ADSI) for all computers running Windows Server 2003/2000, gets their OS, Service Pack, and date of computer account creation, then connects to each server using the above method to get the Dell service tag (and other info, like number of CPUs, RAM, etc.).

To enable others to dynamically generate this list on demand, it is web-enabled and generates a better formatted web page with the required details (with ability to click on a server name and drill down to gather further info like IP config, drive utilization, etc.). The drill-down's required because a) You can't put everything in a list on the first page, it would be unreadable - endless scrolling 2) Would involve too many WMI calls to each server after initial AD query, and slow down the list generation to a crawl.

Scripting: ExchangeClusterResource Class - Reply from Alain Lissoir

The ClusApi.h file, which is part of the PlatformSDK should contain this...

typedef enum CLUSTER_RESOURCE_STATE {
ClusterResourceStateUnknown = -1,
ClusterResourceInherited = 0,
ClusterResourceInitializing = 1,
ClusterResourceOnline = 2,
ClusterResourceOffline = 3,
ClusterResourceFailed = 4,
ClusterResourcePending = 128,
ClusterResourceOnlinePending = 129,
ClusterResourceOfflinePending = 130
} CLUSTER_RESOURCE_STATE;
HTH

Alain is (now) WMI Program Manager at Microsoft and author of :
1. Understanding Windows Management Instrumentation (WMI) Scripting and
2. Leveraging Windows Management Instrumentation (WMI) Scripting - 2 of the best references on WMI. He also writes for Windows Scripting Solutions newsletter (published by Penton Media, the publishers of Windows IT Pro & SQL Server magazines).

Scripting: ExchangeClusterResource class

The WMI ExchangeClusterResource class has 5 properties:
1) Name: returns name of Exchange cluster resource
2) Type: specifies the cluster resource type (IP Address, network name, etc.)
3) Owner: specifies the cluster node that the resource is running on (changes with failover)
4) VirtualMachine: returns name of the Virtual Machine that owns the resource
5) State: Shows the current state of resource, returns a numerical value.

The value I get for all online resources is 2 - but I haven't been able to find any cross-reference that translates the numbers into something, except for the Windows Clustering section of the Platform SDK that mentions the following values (not-numerical) for the GetClusterResourceState function.

Return Code		Description
ClusterResourceInitializing		The resource is performing initialization.
ClusterResourceOnline		The resource is operational and functioning normally.
ClusterResourceOffline		The resource is not operational.
ClusterResourceFailed		The resource has failed.
ClusterResourcePending		The resource is in the process of coming online or going offline.
ClusterResourceOnlinePending		The resource is in the process of coming online.
ClusterResourceOfflinePending		The resource is in the process of going offline.
ClusterResourceStateUnknown		The operation was not successful. For more information about the error, call the Win32 function GetLastError.

Assuming these values map serially to the numerical values returned by the WMI class, 2 would mean the resource is operational and functioning normally.

However, when moving the MSDTC resource, the numerical value returned while the resources were moving was 129. That blows holes in the theory.