Removing old Exchange meetings for departed users

Employees come and go as a normal part of doing business, and turnover tends to be higher in large metropolitan areas such as New York. When a user leaves the company, the IT team runs its usual termination process. This article discusses what happens to the Exchange/Outlook meetings a user organized once she leaves. When a meeting organizer leaves, her Exchange mailbox is archived or deleted, which means her meetings are never canceled. As a result, company resources such as conference rooms stay tied up by these stale recurring meetings, and it is nearly impossible to ask end users to cancel them. There are a couple of ways to handle this:

Manually cancel meetings
The inefficient but simple method is to log in to the departed user's mailbox and manually cancel all of her recurring meetings. This ensures that conference room resources are no longer held by the user. It has to happen before the mailbox is archived or deleted, because the cancellations are sent from the organizer's mailbox.

Use Z-Term to cancel user meetings
You can use Z-Term to cancel meetings on behalf of the user with a single click. The tool goes through the user's mailbox and cancels all of her future meetings. There are two options: cancel the meetings on behalf of the user as described above, or go through the conference room mailboxes and remove the user's bookings from each one.


Provision AD, Exchange and Lync Users from Excel spreadsheet

At one time or another, as IT administrators, our organization will go through a merger or acquisition. Mergers and acquisitions usually require the two organizations to integrate their systems, and from the IT administrator's perspective that means creating user accounts from an Excel spreadsheet provided by HR, especially when the two organizations run heterogeneous systems. Creating user accounts from an Excel file is a fairly simple process, and I will walk you through how it can be done in minutes. The first step is to produce an Excel file with the employee names; the second is to write a script that processes that file.

The most important part of the process is taking the Excel spreadsheet from the HR department and generating a unique username for each user in it. The list contains employee information such as Firstname, Lastname, Employee number, and so on. We add a column named "username" to the spreadsheet; this will be the sAMAccountName of each new user. Since sAMAccountName must be unique in the domain (it is also limited to 20 characters), we need a way to detect collisions with accounts that already exist in Active Directory. The easiest way is to export the current Active Directory user list, paste it into a second worksheet, and run a VLOOKUP against it.

Let's dive into the details. To build the username column, use an Excel formula to combine the firstname and lastname columns. In the screenshot below I am using the first-initial + lastname format, so the LEFT() function takes the first character of the first name.

Export the list of sAMAccountNames from your current Active Directory environment and paste it into the "CurrentADexport" worksheet. It should look something like the screenshot below.

Next, run a VLOOKUP against the "CurrentADexport" worksheet to detect duplicate sAMAccountNames. Create a new column "DuplicateLookup" and configure the VLOOKUP function as in the screenshot below. Make sure you use the "$" absolute references in the formula so the lookup range stays fixed when the formula is filled down; this compares each value in the username column against all of "CurrentADexport". Resolve any duplicates before moving on to the next step.

Now save the "NewUserListFromHR" worksheet as a CSV file, the format the script below reads with Import-Csv.

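The same username generation and duplicate check can be done in PowerShell instead of Excel formulas. The script below is an added example and not part of the original article: it reads the HR spreadsheet saved as NewUserListFromHR.csv (file name and the firstname/lastname column names are assumptions), builds a first-initial + lastname sAMAccountName for each row, checks it against Active Directory and against names already claimed earlier in the same file, appends a number on collision, and writes out the UsersExport.csv that the provisioning script expects.

```powershell
# Added example: generate unique sAMAccountNames for an HR spreadsheet.
# Assumes the ActiveDirectory module and an HR CSV with firstname/lastname columns.
Import-Module ActiveDirectory

function New-UniqueSamAccountName {
    param(
        [Parameter(Mandatory=$true)][string]$FirstName,
        [Parameter(Mandatory=$true)][string]$LastName,
        # Names already handed out in this run, so two rows in the same file never collide
        [Parameter(Mandatory=$true)][System.Collections.Generic.HashSet[string]]$Taken
    )
    # First initial + last name, lowercase, letters and digits only (strips spaces, apostrophes, hyphens),
    # capped at the 20-character sAMAccountName limit. Sanitising here also keeps the LDAP filter below safe.
    $base = (($FirstName.Substring(0, 1) + $LastName) -replace '[^A-Za-z0-9]', '').ToLower()
    if ($base.Length -gt 20) { $base = $base.Substring(0, 20) }

    $candidate = $base
    $n = 1
    # Collision: either claimed earlier in this file or already present in AD. Append 2, 3, ... until free.
    while ($Taken.Contains($candidate) -or
           (Get-ADUser -LDAPFilter "(sAMAccountName=$candidate)" -ErrorAction SilentlyContinue)) {
        $n++
        $suffix = [string]$n
        $candidate = $base.Substring(0, [Math]::Min($base.Length, 20 - $suffix.Length)) + $suffix
    }
    [void]$Taken.Add($candidate)
    return $candidate
}

$taken = New-Object 'System.Collections.Generic.HashSet[string]'
$rows = Import-Csv -Path .\NewUserListFromHR.csv
foreach ($row in $rows) {
    $username = New-UniqueSamAccountName -FirstName $row.firstname -LastName $row.lastname -Taken $taken
    $row | Add-Member -MemberType NoteProperty -Name username -Value $username
}
# Write the spreadsheet back out with the new username column for the provisioning script
$rows | Export-Csv -Path .\UsersExport.csv -NoTypeInformation
```

Run it on the domain-joined workstation or server where the AD module is installed; the output file has the same columns as the HR file plus username, so the script in the next section can consume it directly.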

 

# Script to process the exported CSV
# and create user accounts in Active Directory, Exchange and Lync
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
Import-Module Lync

$data = Import-Csv -Path .\UsersExport.csv
# Everything below runs once per user; the original loop closed after New-ADUser,
# so only the last row ever got a mailbox and a Lync account
foreach ($user in $data)
{
    # New-ADUser requires -Name; the account is created disabled until a password is set
    New-ADUser -Name "$($user.firstname) $($user.lastname)" -SamAccountName $user.username -GivenName $user.firstname -Surname $user.lastname

    #region ExchangeCHECK
    # Wait until Exchange can see the new AD object (replication), polling every 20 seconds
    $exchangeusercheck = $false
    do {
        $ADExchangecheck = Get-User $user.username -ErrorAction SilentlyContinue
        if ($ADExchangecheck -ne $null) { $exchangeusercheck = $true }
        else {
            Write-Host "Sleep for 20 secs"
            Start-Sleep -Seconds 20
        }
    } while ($exchangeusercheck -eq $false)
    #endregion ExchangeCheck
    Enable-Mailbox $user.username
    Start-Sleep -Seconds 10

    #region LyncStuff
    # Give the mailbox (and its SMTP address, which the SIP address is derived from) time to replicate
    Start-Sleep -Seconds 90
    Enable-CsUser $user.username -RegistrarPool "lyncFE01.zohno.com" -SipAddressType EmailAddress -SipDomain zohno.com
    #endregion LyncStuff
}

Lync User Creation Script

One of the main responsibilities of a Lync administrator is creating Lync accounts for new users. This can be time consuming and tedious. This article describes how to streamline the task with the PowerShell script below; in fact it covers Active Directory, Exchange and Lync. In most organizations, most Lync users share the same settings, so the whole thing can be scripted. The script starts by prompting for basic user information: Firstname, Lastname, DisplayName, SamAccountName and password. Before creating anything it checks whether the username already exists in Active Directory; if a duplicate exists, the script exits immediately rather than producing errors later. Once it has confirmed there is no duplicate, it creates the Active Directory user. The New-QADUser command in the script is where this occurs and can be modified to fit your needs. For example, you may want to place the user in a different OU or set other attributes such as:

company
Department
departmentNumber
Description
Desktop-Profile
Division
E-mail-Addresses
Employee-ID
Employee-Number
Employee-Type
Home-Directory
Home-Drive
photo
Physical-Delivery-Office-Name
Physical-Location-Object
Picture

The next part of the script, the ExchangeCHECK region, makes sure the Exchange server can see the new Active Directory user before the mailbox is created. This matters because Enable-Mailbox errors and halts the script if it runs before AD replication has reached the domain controller Exchange is reading from. If the user is not visible yet, the script sleeps for 20 seconds and checks again. Enable-Mailbox then creates the mailbox. A lot of customization can be done here; a few of its switches and parameters:

Equipment
Room
Shared
AddressBookPolicy
Archive
DomainController
ManagedFolderMailboxPolicy
PrimarySmtpAddress

Enable-CsUser finally creates the Lync user account. This is simply the PowerShell command with the registrar pool specified. A lot of customization can be done here as well, such as:

RegistrarPool
SipAddress
SipAddressType

The Grant-Cs*Policy lines assign per-user Lync policies to the new account. (The matching Set-Cs*Policy cmdlets edit the policy definitions themselves rather than assigning them to a user; Set-ExecutionPolicy is a general PowerShell cmdlet and has nothing to do with Lync policies.) Per-user policies you can grant include:
Grant-CsArchivingPolicy
Grant-CsClientPolicy
Grant-CsClientVersionPolicy
Grant-CsConferencingPolicy
Grant-CsExternalAccessPolicy
Grant-CsHostedVoicemailPolicy
Grant-CsLocationPolicy
Grant-CsPinPolicy
Grant-CsPresencePolicy
Grant-CsVoicePolicy

#Script Starts here
Add-PSSnapin Quest.ActiveRoles.ADManagement              # Get-QADUser / New-QADUser
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
Import-Module Lync

Write-Host "Enter user's Firstname"
$first = Read-Host
Write-Host "-----------------------------"
Write-Host "Enter user's Lastname"
$last = Read-Host
Write-Host "-----------------------------"
Write-Host "Enter user's DisplayName"
$displayname = Read-Host
Write-Host "-----------------------------"
Write-Host "Enter user's username"
$username = Read-Host
Write-Host "-----------------------------"
Write-Host "Enter user's password"
# Read the password masked rather than echoed to the console and command history.
# New-QADUser -UserPassword takes a plain string, so it is decrypted only at the point of use.
$securePassword = Read-Host -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)
$password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Write-Host "-----------------------------"
$username = $username.Replace(" ", "")
Write-Host "---See Below for User Info---"
#region Create_individual_AD
$cnname = $first + " " + $last
$upnname = $username + "@zohno.com"
#username check: abort rather than create a second account with the same SamAccountName
$namecheck = Get-QADUser $username
if ($namecheck -ne $null) {
    Write-Host "Duplicate username exists" -ForegroundColor Red
    exit
}
New-QADUser -Name $cnname -FirstName $first -LastName $last -SamAccountName $username -ParentContainer "zohno.com/Users" -UserPassword $password -UserPrincipalName $upnname -DisplayName $displayname
$password = $null
Start-Sleep -Seconds 10
#endregion Create_Individual_AD
Start-Sleep -Seconds 60
#Add Exchange
#region ExchangeCHECK
# Wait until Exchange can see the new AD object (replication); poll every 20 seconds, give up after 15 tries
$exchangeusercheck = $false
$attempts = 0
do {
    $ADExchangecheck = Get-User $username -ErrorAction SilentlyContinue
    if ($ADExchangecheck -ne $null) { $exchangeusercheck = $true }
    else {
        $attempts++
        if ($attempts -ge 15) {
            Write-Host "Exchange still cannot see $username after 5 minutes; giving up" -ForegroundColor Red
            exit
        }
        Write-Host "Sleep for 20 secs"
        Start-Sleep -Seconds 20
    }
} while ($exchangeusercheck -eq $false)
#endregion ExchangeCheck
Enable-Mailbox $username
Start-Sleep -Seconds 60
#Add Lync
#region LyncStuff
Start-Sleep -Seconds 120
Enable-CsUser $username -RegistrarPool "lyncFE01.zohno.com" -SipAddressType EmailAddress -SipDomain zohno.com
Start-Sleep -Seconds 60
Grant-CsConferencingPolicy $username -PolicyName "ConfPolicy"
Grant-CsExternalAccessPolicy $username -PolicyName "ExternalAccessPolicy"
#endregion LyncStuff

How to Restore Active Directory User Objects on Windows Server 2012

The Active Directory Recycle Bin lets administrators restore deleted Active Directory user objects natively, with all of their attributes and group memberships intact. The feature was introduced in Windows Server 2008 R2, where it could only be enabled and used from PowerShell; Windows Server 2012 adds a graphical interface in the Active Directory Administrative Center (ADAC). Before that, recovery meant tombstone reanimation (which loses most attributes), an authoritative restore from backup, or a third-party product. Note that ADAC's Deleted Objects container shows the domain partition, which is where user objects live. Another limitation is that restores are per object: if you restore an organizational unit, the users that were under it are not restored with it. The parent has to be restored first and each child after it. Before the recycle bin can be enabled, the forest functional level must be Windows Server 2008 R2 or higher, and enabling it is irreversible.

How to configure Active Directory Recycle Bin in Windows Server 2012 (step by step)

1. Open Active Directory Administrative Center from Server Manager, select the domain, and click "Enable Recycle Bin" in the Tasks pane on the right. (You can also run Enable-ADOptionalFeature from PowerShell.)
2. Once replication has completed, you will see the "Deleted Objects" container under the domain.
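The same enable-and-restore procedure from PowerShell, as an added example that is not part of the original article. It assumes a forest named zohno.com (the domain used elsewhere on this page), a deleted user with sAMAccountName jdoe, and a deleted OU named Sales whose original distinguished name was OU=Sales,DC=zohno,DC=com; all three are assumptions for illustration. It shows the per-object limitation described above: a user whose parent container is gone cannot be restored until the container is, and restoring an OU does not bring back its children unless you restore them explicitly.

```powershell
# Added example: enable the AD Recycle Bin and restore deleted objects from PowerShell.
# Forest name, user and OU names below are assumptions.
Import-Module ActiveDirectory

# One-time and irreversible; the forest functional level must already be Windows Server 2008 R2 or higher
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'zohno.com' -Confirm:$false

# What is currently in the recycle bin (the Deleted Objects container itself is excluded)
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

function Restore-DeletedUser {
    # With the recycle bin enabled, deleted users keep sAMAccountName, so it is a safe lookup key
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $user = Get-ADObject -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'" `
        -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $user) { throw "No deleted user with sAMAccountName '$SamAccountName'" }
    # Restore-ADObject fails if the former parent no longer exists: check before trying
    $parent = Get-ADObject -Filter "distinguishedName -eq '$($user.lastKnownParent)'" -ErrorAction SilentlyContinue
    if (-not $parent) {
        throw "Parent '$($user.lastKnownParent)' is missing; restore the container first (see Restore-DeletedOU)"
    }
    Restore-ADObject -Identity $user.ObjectGUID
}

function Restore-DeletedOU {
    # Restoring an OU does not bring back its children: restore the OU, then every object
    # that recorded the OU's original DN as its lastKnownParent
    param(
        [Parameter(Mandatory=$true)][string]$OUName,      # e.g. Sales
        [Parameter(Mandatory=$true)][string]$OriginalDN   # e.g. OU=Sales,DC=zohno,DC=com
    )
    # Deleted objects are renamed to "<name>\0ADEL:<guid>", hence the wildcard match on name
    $ou = Get-ADObject -Filter "isDeleted -eq `$true -and objectClass -eq 'organizationalUnit' -and name -like '$OUName*'" -IncludeDeletedObjects
    if (@($ou).Count -ne 1) { throw "Expected exactly one deleted OU matching '$OUName', found $(@($ou).Count)" }
    Restore-ADObject -Identity $ou.ObjectGUID
    Get-ADObject -SearchBase 'CN=Deleted Objects,DC=zohno,DC=com' -Filter "lastKnownParent -eq '$OriginalDN'" -IncludeDeletedObjects |
        Restore-ADObject
}

Restore-DeletedOU -OUName 'Sales' -OriginalDN 'OU=Sales,DC=zohno,DC=com'
Restore-DeletedUser -SamAccountName 'jdoe'
```

Run this as a member of Enterprise Admins (required for Enable-ADOptionalFeature) or, for the restores alone, as an account that can create objects in the target container. Restored objects come back with the group memberships and password they had at deletion, so if the account was deleted because the person left, treat the restore like a re-enable and review what it has access to.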


Bulk Import Active Directory Users

Follow the simple steps below for bulk Active Directory user creation. Note that the CSV holds each user's initial password in clear text: keep it off shared storage and delete it once the accounts are created.

  1. Create a CSV file (using Excel) with the columns below
    SamAccountName,FirstName,Initials,Lastname,DisplayName,OfficeName,Description,Mail,StreetAddress,L,PostalCode,CO,UPN,Company,Department,Title,Phone,Password
  2. Log on to a Server 2008 R2 domain controller (or any machine) with the Active Directory PowerShell module installed. Launch PowerShell and run the script below.

    #################### SCRIPT STARTS HERE ###########################
    #Input CSV must have the columns below; fill every column, as some parameters reject empty values
    #SamAccountName,FirstName,Initials,Lastname,DisplayName,OfficeName,Description,Mail,StreetAddress,L,PostalCode,CO,UPN,Company,Department,Title,Phone,Password
    ########### START CONFIG ##########################
    $NewUsersOU = "OU=NewUsers,DC=testdomain,DC=com"
    $CSVpath = ".\ad_users_list.csv"
    $log = ".\log.log"
    ########### END CONFIG ############################

    Import-Module ActiveDirectory

    $i = 0
    Import-CSV $CSVpath | ForEach-Object {
        $SamAccountName = $_.SamAccountName

        # Skip rows whose SamAccountName already exists; -LDAPFilter returns nothing rather than throwing
        $exists = Get-ADUser -LDAPFilter "(sAMAccountName=$SamAccountName)"
        If (!$exists)
        {
            $i++
            # The Password column is clear text in the CSV: convert it here and force a change at first logon
            $securePassword = ConvertTo-SecureString -AsPlainText $_.Password -Force
            # -Path creates the account directly in the target OU. The original Move-ADObject step did not work
            # because Move-ADObject needs a distinguished name or GUID, not a SamAccountName.
            # Accounts are created disabled unless -Enabled $true is given.
            New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName -GivenName $_.FirstName -Initials $_.Initials -Surname $_.Lastname -DisplayName $_.DisplayName -Office $_.OfficeName -Description $_.Description -EmailAddress $_.Mail -StreetAddress $_.StreetAddress -City $_.L -PostalCode $_.PostalCode -Country $_.CO -UserPrincipalName $_.UPN -Company $_.Company -Department $_.Department -Title $_.Title -OfficePhone $_.Phone -AccountPassword $securePassword -Path $NewUsersOU -Enabled $true -ChangePasswordAtLogon $true
            "Created: " + $SamAccountName | Out-File $log -Append
        }
        Else
        {
            "User exists in AD: " + $SamAccountName | Out-File $log -Append
        }
    }
    "$i user(s) created" | Out-File $log -Append

    ###################### SCRIPT ENDS HERE ###########################

Exchange 2013 Message Transport Pipeline

Three services make up the transport pipeline in Exchange 2013.

- Front End Transport service: runs on the Client Access server. All SMTP traffic entering or leaving the organization is proxied through it to the Transport service on a Mailbox server. It does not inspect message content and does not queue mail locally; it only picks a healthy Mailbox server to hand the session to.
- Transport service (what was the Hub Transport role in Exchange 2010; there is no Hub role in 2013, so it runs on the Mailbox server): categorizes and routes messages and is the only place in the pipeline with a queue. It sits between the Front End Transport service and the Mailbox Transport service, and it is where transport rules, and therefore DLP policies, are applied.
- Mailbox Transport service: runs on the Mailbox server and is made up of two components. Mailbox Transport Delivery receives messages from the Transport service over SMTP and writes them into the mailbox database over RPC. Mailbox Transport Submission does the reverse: it takes messages users have sent out of the mailbox database over RPC and submits them to the Transport service over SMTP.

Exchange 2013 DLP Feature and Transport pipeline

DLP is a big topic in the messaging security arena, and many vendors, Symantec among them, sell products to help prevent data loss. Exchange 2013 now includes basic DLP functionality, so a third-party product is no longer required for the common cases. Exchange 2013 applies DLP policies through the existing transport engine: a DLP policy is a set of preconfigured transport rules made up of conditions and actions, with the sensitive-information detection driven by regular expressions and related classification logic. This lets admins monitor the transport pipeline for known data leakage patterns such as SSN or credit card number formats. Because the check runs as a transport rule, it only sees mail that passes through the Transport service, not items that stay inside a mailbox. Transport agents also let third-party vendors write software for Exchange that accesses messages in transit. To start from one of the built-in templates in the Exchange Administration Center, go to Compliance management > Data loss prevention.

The transport agents themselves are managed with the PowerShell cmdlets below.

Install-TransportAgent

Uninstall-TransportAgent

Enable-TransportAgent

Disable-TransportAgent

Get-TransportAgent

Set-TransportAgent
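The shell equivalent of the EAC steps above, as an added example that is not the article's own code: create a DLP policy from a built-in template in audit mode, look at the transport rules it generated, add a stricter custom rule, and only then switch to enforcement. The policy name "PCI Cardholder Data" and the reject text are assumptions; the template name and the "Credit Card Number" classification are built into Exchange 2013.

```powershell
# Added example: DLP policy lifecycle in the Exchange 2013 Management Shell.
# Policy name and reject text are assumptions for illustration.

# Templates Exchange ships with
Get-DlpPolicyTemplate | Select-Object Name, PublisherName

# Start in Audit mode: rules match and log but do not block, so false positives surface before anyone is affected
New-DlpPolicy -Name "PCI Cardholder Data" -Template "PCI Data Security Standard (PCI DSS)" -Mode Audit

# A DLP policy is just a set of transport rules; inspect what the template created
Get-TransportRule | Where-Object { $_.DlpPolicy -eq "PCI Cardholder Data" } |
    Format-List Name, MessageContainsDataClassifications, SetAuditSeverity, NotifySender, RejectMessageReasonText

# Add a stricter rule under the same policy: any message leaving the organization that carries a
# credit card number is rejected unless the sender overrides with a false-positive justification
New-TransportRule -Name "Reject outbound credit card numbers" -DlpPolicy "PCI Cardholder Data" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = "Credit Card Number"; MinCount = "1"}) `
    -SetAuditSeverity High `
    -NotifySender RejectUnlessFalsePositiveOverride `
    -RejectMessageReasonText "Outbound mail containing card numbers is blocked by policy"

# After reviewing the audit hits (Get-MailDetailDlpPolicyReport / Get-MailDetailTransportRuleReport), enforce
Set-DlpPolicy "PCI Cardholder Data" -Mode Enforce

# The rules run inside the Transport Rule agent; confirm it is enabled on each Mailbox server
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize
```

Leave the policy in Audit (or AuditAndNotify, which adds Policy Tips in Outlook) for a few weeks of real traffic before moving to Enforce; the reporting cmdlets named in the comment show which rules fired and on whose mail.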

 

 

 

 

 

Exchange 2013 Roles Overview

Exchange 2013 offers only two roles, compared with the four internal roles (five with Edge Transport) in Exchange 2010. This is designed to simplify deployment and make fuller use of modern CPUs. The two roles are the Client Access server (CAS) and the Mailbox server. The Client Access server acts as a front end for all clients and proxies or redirects connections to Mailbox servers; as in Exchange 2010, Client Access servers are still pooled behind a load balancer for high availability, and the Mailbox role still supports DAGs. Exchange 2013 RTM shipped without an Edge Transport role (it returned in Exchange 2013 SP1), but it coexists with Exchange 2010 Edge Transport servers, so customers can move to Exchange 2013 while leaving their 2010 Edge servers in place.

Because the CAS no longer runs the RPC Client Access service and acts as a "director", it can handle much more load. It authenticates clients and passes the connections to the Mailbox server; all data processing happens on the Mailbox server. The CAS role has two major functions, the Client Access service and the Front End Transport service. Here are the responsibilities of each.

 

Client Access Service
- Authentication and security
- Processing end-client requests
- Directing client requests to the proper server
- Distributing SMTP and end-client load

Front End Transport Service
- Routing
- Working out the best route to deliver a message
- Edge message routing

As mentioned earlier, Exchange 2013 still supports DAGs and clustering. Minor improvements to the DAG include automatic DAG network configuration. A lot of work has gone into the database engine, including a rewrite of the store in managed code to reduce IO load, and unlike previous versions of Exchange each database now runs in its own worker process, so one misbehaving database no longer takes the whole store down with it. Here are the responsibilities of the Mailbox server:

 

Mailbox Service
- Redirecting clients when a database fails over
- Processing MRM and retention policies
- High availability via DAG
- The Smart Search feature of Exchange 2013
- Processing email address policies
- Public folders and their replication
- Mailbox databases and their scheduled jobs


Exchange 2013 New Features

Exchange 2013 was released a few weeks ago, along with Lync 2013 and SharePoint 2013. Microsoft has redesigned Exchange 2013 to fit current trends and to lower total cost of ownership. Exchange 2013 is a lot more social than previous versions and lets users merge contact information from social media sources. The Smart Search feature sorts search results based on the user's communication patterns. OWA (Outlook Web App) now has a Metro look and integrates better with other systems such as Lync; it has become a gateway hub for Office apps. The integration goes further by allowing eDiscovery searches across Microsoft platforms such as Lync and SharePoint.

Exchange Server 2013 is designed to scale, to use hardware fully, and to provide redundancy at the cost of CPU. Now that processors are cheaper than ever, the roles have been reduced to two: the CAS and the Mailbox server role. The services found in the Exchange 2010 Hub Transport, Mailbox and UM roles now all run on the Mailbox server, and so does the RPC Client Access service that used to live on the CAS. The CAS in Exchange 2013 is more of a proxy, providing load balancing, redirection and authentication. No data lives on the CAS, but it still fronts all client protocols: SMTP, IMAP, POP and HTTP. Because the CAS is now a redirector and all processing happens on the Mailbox role, you no longer need a CAS server in every site. This design gives flexibility and the ability to scale quickly. Remember the days when you always had to upgrade the CAS servers first, before anything else? No more: Exchange 2013 allows upgrades in any order. All communication between Exchange and Outlook happens over HTTPS, which is what lets the CAS run without the RPC Client Access service. The good news is that the Mailbox server DAG design is unchanged from Exchange 2010. In Exchange 2010 we managed the product with two tools, the Exchange Management Console and the Exchange Control Panel; in Exchange 2013 these have been rolled into one, the Exchange Administration Center (EAC). EAC also lets admins search the mailbox audit log and the administrator audit log.

Overview major architecture changes:

- Only two roles in Exchange 2013: CAS and Mailbox
- No need for a CAS server in every site
- All Outlook connectivity uses RPC over HTTPS (Outlook Anywhere)
- Only Outlook 2007 and higher are supported
- The Exchange Management Console and Exchange Control Panel are replaced by the Exchange Administration Center
- Exchange 2013 public folders live in public folder mailboxes, so they are part of a DAG and replication is handled by the DAG

Here is a good diagram from Microsoft of how the CAS and Mailbox roles interact.


 

Delete Orphaned Calendar Items from resource Mailboxes

When an employee leaves the company, she will not usually clean up the calendar items she organized, especially if she was a power user such as a project manager who organized a lot of meetings. This can be very painful to clean up. Usually IT finds out when end users complain that conference rooms are booked by people who are no longer with the company, and then someone from IT has to go through the resource mailboxes and delete the calendar items by hand. I have put together PowerShell commands that go through a resource mailbox and delete those calendar items automatically.

The command below lets you test the query first with the EstimateOnly switch, which reports how many items match without touching them. EstimateOnly and DeleteContent are in different parameter sets of Search-Mailbox, so they cannot be combined in one command: run the estimate first, then the delete. Replace <RoomMailbox> with the identity of the resource mailbox.
Search-Mailbox -Identity <RoomMailbox> -SearchQuery "from:meetingorganizer@yourdomain.net kind:meetings" -EstimateOnly

The command below runs the calendar cleanup (Force suppresses the confirmation prompt).
Search-Mailbox -Identity <RoomMailbox> -SearchQuery "from:meetingorganizer@yourdomain.net kind:meetings" -DeleteContent -Force

 

Here are a few requirements for this to work:

- Exchange 2010 SP1 or higher

- The account running the command needs the "Mailbox Search" role to search and the "Mailbox Import Export" role to use DeleteContent. Mailbox Search is held by the Discovery Management role group by default; Mailbox Import Export is not assigned to any role group by default, so grant it to a security group with the command below.
New-ManagementRoleAssignment -Name "Import Export Support" -SecurityGroup ImportExport -Role "Mailbox Import Export"

- The user running the command must be a member of the ImportExport group mentioned above, and must open a new Exchange Management Shell session after being added so the new role assignment is picked up.
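The two Search-Mailbox commands above handle one resource mailbox at a time. The script below is an added example, not the article's or Z-Term's code, that does what the "go through the conference room mailboxes" option in the first section describes: it walks every room and equipment mailbox, reports how many items from the departed organizer each one holds using EstimateOnly, and deletes them only when run with -Delete. The organizer address jane.doe@zohno.com and the log file path are assumptions; it needs the role assignments listed above.

```powershell
# Added example: remove a departed organizer's meetings from every resource mailbox,
# estimating first and deleting only on request. Organizer address and log path are assumptions.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010

function Remove-OrphanedMeetings {
    param(
        [Parameter(Mandatory=$true)][string]$OrganizerSmtp,   # e.g. jane.doe@zohno.com
        [switch]$Delete,                                       # without this, report only
        [string]$LogPath = ".\orphaned-meetings.log"
    )
    # Same KQL query the article uses: meeting items whose sender is the departed organizer
    $query = "from:$OrganizerSmtp kind:meetings"
    $resources = Get-Mailbox -RecipientTypeDetails RoomMailbox, EquipmentMailbox -ResultSize Unlimited
    $total = 0
    foreach ($res in $resources) {
        # EstimateOnly returns the match count without copying or deleting anything
        $estimate = Search-Mailbox -Identity $res.Identity -SearchQuery $query -EstimateOnly
        $count = $estimate.ResultItemsCount
        if ($count -gt 0) {
            $total += $count
            $line = "$($res.PrimarySmtpAddress): $count item(s) from $OrganizerSmtp"
            Write-Host $line
            $line | Out-File -FilePath $LogPath -Append
            if ($Delete) {
                # DeleteContent is in a different parameter set from EstimateOnly, hence the second call
                Search-Mailbox -Identity $res.Identity -SearchQuery $query -DeleteContent -Force |
                    Out-Null
                "  deleted from $($res.PrimarySmtpAddress)" | Out-File -FilePath $LogPath -Append
            }
        }
    }
    return $total
}

# Dry run: see what would be removed and from where
Remove-OrphanedMeetings -OrganizerSmtp "jane.doe@zohno.com"
# Real run, once the counts look right
Remove-OrphanedMeetings -OrganizerSmtp "jane.doe@zohno.com" -Delete
```

Run the dry run first and compare the counts with what the room calendars actually show; "from:" matches on sender, so a meeting that was forwarded into a room by someone else will not be caught and still needs manual cleanup. Deleting from the room mailboxes frees the rooms but does not notify attendees, which is the trade-off versus cancelling from the organizer's mailbox while it still exists.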