Exchange

Turning Out Of Office Off and On via Script

There has been a long-lacking feature in Outlook – the ability to automatically set your Out of Office message to turn on and off on a scheduled basis.

It would be great to be able to have a bounce back on anything sent outside your working hours, but it isn’t easily possible natively unless you use a vbs script inside an Outlook rule – requiring Outlook to actually be running.

I decided to come up with my own solution. This isn’t good for individuals, but is good for centralised mailboxes, say an IT Helpdesk mailbox where you want people to know whether or not someone will be looking at their request.

Step 1 – Set the Out Of Office message you want on your mailbox manually. Outlook, OWA, however you do it, it doesn’t matter. Your message will be saved on the server.

Step 2 – Save the script below as a .ps1, and change the variables to what you want. I have two scripts, one that enables, and the other that disables Out of Office.

Step 3 – Create two Scheduled Tasks on a server. One will be when you want the Out of Office on, and the other when you want it off. Below I’ve created one for the ‘on’ part, which triggers weekly on Monday, Tuesday, Wednesday, Thursday and Friday at 7:30am. The Off would do the same, but at 5pm.

The conditions of the Scheduled Tasks would be to run the powershell script files, again matching up the on and offs. The command to use is "powershell.exe", with the arguments pointing to the location of your newly created ps1 scripts in the format -file "C:\scripts\admin\Out Of Office On.ps1"

The task needs to be set to ‘Run whether user is logged on or not’.

The account used to run the task needs to have the correct role based permissions to connect to Exchange, and make changes to the auto reply config.

The script will also generate an email to advise that the status of Out Of Office has been changed, pulling the value afterwards so you can check that it’s toggled correctly.

If the script doesn’t run automatically, you may need to adjust your Execution Policy settings.

That’s it. You should have two scheduled tasks that run to turn Out of Office off and on against the mailbox you want.

PowerShell Script:

#TODO – Define mailbox name and state (enabled or disabled)
$mailbox = "name"
$state = "enabled"
$exchangeserver = "exchange server name"

#Connect To Exchange PowerShell Session
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://$exchangeserver/Powershell" -Authentication Kerberos
Import-PSSession $session
#Set the Out Of Office state, then read the value back from the server
Set-MailboxAutoReplyConfiguration $mailbox -AutoReplyState $state
#-ExpandProperty returns the bare value, so the email body reads "Enabled" rather than "@{AutoReplyState=Enabled}"
$results = Get-MailboxAutoReplyConfiguration $mailbox | Select-Object -ExpandProperty AutoReplyState

#Emails the current status
Send-MailMessage -To "Displayname 1 <[email protected]>" -From "Displayname 2 <[email protected]>" -Subject "IT Help OOO Status" -Body "The Out Of Office Message is now $results" -SmtpServer smtp.yourserver.com.au

Remove-PSSession -Session $session

 

Update 15th March 2016

I’ve also realised that Softerra Adaxes, which I reviewed previously, can do the above quite easily. Here’s how their scheduled tasks work, but simply put, you can create a scheduled task to run on weekdays that sets the Out of Office message and turns it on today, then off today +1 day (i.e. tomorrow), and run that daily to update the date! That’s a more elegant solution, but you need to buy Adaxes or already have it. I’m still using it and recommend it, and decided to do the above this cleaner way. This isn’t a sponsored comment :)

Script to Change Multiple Out Of Office Messages

This is probably an inefficient script, but I needed to create it as a once off to change the wording of any user with an Out Of Office message. It will go through every account, and change any instance of swearword and replace it with censored (no, this isn’t what I needed to use it for!).

This is using the Exchange Management Shell:

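$data = Get-Mailbox -ResultSize Unlimited
foreach ($user in $data) {
    $currentreply = Get-MailboxAutoReplyConfiguration $user.Alias
    # Replace the word in each message separately, so an external message that
    # differs from the internal one is not overwritten with the internal text
    $newinternal = $currentreply.InternalMessage -replace "swearword", "censored"
    $newexternal = $currentreply.ExternalMessage -replace "swearword", "censored"
    Set-MailboxAutoReplyConfiguration $user.Alias -InternalMessage $newinternal -ExternalMessage $newexternal
}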

You can also use this to find any accounts with an Out Of Office message containing a certain word or phrase:

$data = Get-Mailbox -ResultSize Unlimited
foreach ($user in $data) {
    # Returns the auto-reply configuration only where the internal message contains the phrase
    Get-MailboxAutoReplyConfiguration $user.Alias | Where-Object {$_.InternalMessage -like "*swearword1 swearword2*"}
}

Used on Exchange 2010, but should work on 2007 and 2013 also. You may notice the results of InternalMessage and ExternalMessage are hard to read, as by default they’ll show the HTML coding – you may need to factor this into any searches or replaces you perform.

Full Mailbox Access to All Mailboxes in Exchange 2010

I’ll start this out by saying ‘Full Mailbox Access to All Mailboxes’ is generally a bad idea. It should be done on demand with the appropriate approvals and paper trails, but there are times when this may be needed – for example a service account for 3rd party software that has to read or add things to everyone’s mailbox in the company.

In my last post “End User Management of Distribution Groups in Exchange 2010” I explained how the new Role Based Access Control (RBAC) worked. Although this can be used to configure many things, it won’t give you full access to a mailbox as it’s an Active Directory based permission.

You can manually do this on a per mailbox level by either using the Exchange Management Console, or the Exchange Management Shell by following the Microsoft Technet documentation here and it’s fairly easy to convert this to all mailboxes in powershell, but that won’t help you with newly created mailboxes after running the command.

Yes you could run a daily task to get around that, but an alternative is giving AD access at the database level. Any existing or newly created mailbox will get permissions this way.

So, with that all in mind, the Exchange Powershell command to run on a particular database is:

Get-MailboxDatabase -Identity "[mailbox database name]" | Add-ADPermission -User [username] -AccessRights GenericAll

If you don’t know what your databases are, just run ‘Get-MailboxDatabase’ or if you want to just apply the permissions to all databases:

Get-MailboxDatabase | Add-ADPermission -User [username] -AccessRights GenericAll

You can apply this to an AD group rather than a user, which I’d suggest (no changes to the command required apart from typing the group name rather than user name), because it’s then easier to manage the members of the AD group than re-run this command. Also if you apply the settings to a particular user, and that user launches Outlook, all mailboxes they have full access to will auto-load into their Outlook session. Not ideal if you’ve got hundreds!

If you’d like to know more about the Add-AdPermission command, and the possible AccessRights settings check out this Technet article.
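Because a database-level grant silently covers every current and future mailbox, it is worth being able to list who holds one. The following is an added example, not code from the original post: the function name and its parameter are hypothetical, and reporting the Receive-As extended right alongside GenericAll is an assumption made here because that right also opens every mailbox in a database.

```powershell
# Added example (not from the post): list accounts holding explicit database-level
# rights that open every mailbox stored in that database.
function Get-DatabaseWideMailboxAccess {
    param([string]$Database = '*')   # hypothetical parameter: database name or wildcard

    Get-MailboxDatabase | Where-Object { $_.Name -like $Database } | ForEach-Object {
        $db = $_
        Get-ADPermission -Identity $db.Name |
            Where-Object {
                # Explicit allow entries only, i.e. ones added directly on the database object
                $explicit = $_.IsInherited -eq $false -and $_.Deny -eq $false
                # GenericAll is what the command in the post grants;
                # Receive-As is reported as well (assumption, see lead-in)
                $opensAll = ($_.AccessRights -like '*GenericAll*') -or ($_.ExtendedRights -like '*Receive-As*')
                $explicit -and $opensAll
            } |
            Select-Object @{ Name = 'Database'; Expression = { $db.Name } },
                          User, AccessRights, ExtendedRights
    }
}

# Run in the Exchange Management Shell; review any user or group you do not recognise
Get-DatabaseWideMailboxAccess | Sort-Object Database, User | Format-Table -AutoSize
```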

End User Management of Distribution Groups in Exchange 2010

After migrating from Exchange 2007 to 2010 and addressing all immediate issues, we eventually hit a new issue. Managers of Distribution lists who previously could add and remove members, now couldn’t do it!

Changes to the public group membership cannot be saved. You do not have sufficient permission to perform this operation on this object.

So, why would this break going from Exchange 2007 to 2010, and why would there be a delay?

Role Based Access Control (RBAC) was a new feature introduced in Exchange 2010 which changed the way a lot of security worked. There’s a greatly detailed 4 part article from msExchange.org here http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-2010-role-based-access-control-part1.html which explains this in detail.

As far as the groups are concerned, they stay in a 2007 mode until they get updated. When updated (by something like adding/removing a member) you’ll get prompted about changing the object:

To save changes on object “Silly name”, the object must be upgraded to the current Exchange version. After the upgrade, this object cannot be managed by an earlier version of the Exchange Management Tools. Do you want to continue to upgrade and save the object?

Once you do this, that particular object (distribution group) now runs under the new RBAC security settings.

By default, the RBAC security settings out of the box don’t allow anyone to be able to add or remove members to distribution groups. The Exchange Team Blog explains this perfectly here: http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx and also leads onto a script which will probably set things up how you want. If you don’t read this carefully, you may end up applying the built in ‘MyDistributionGroups’ role to the ‘Default Role Assignment Policy’ which means everyone can create distribution groups – definitely not ideal in most environments. I started reading another blog post which said to do exactly that, but didn’t explain why or how it worked. Sure it fixes your immediate issue, but you’re opening up a lot more than what you should.

So it’s a fairly easy fix once you know how, but if you haven’t had to worry about RBAC before there’s a little bit to get your head around first before ticking boxes and hoping for the best.

A big thanks to @ExchangeGoddess and @24x7ITConnect for their assistance and guidance on this information.

What Happened To My Email? Mailbox Audit Logging

Hi,

A very common question. An email goes ‘missing’ from someone’s mailbox, and they want to know what happened. A fair enough question – rarely is it a fault of your Exchange servers, but it’s your problem to prove otherwise.

You can use Message Tracking (details here http://technet.microsoft.com/en-us/library/bb124926(v=exchg.141).aspx, and a great guide here http://exchangeserverpro.com/exchange-2010-message-tracking/) but that will just prove the email hit the person’s mailbox, which often we already know because they saw it. Keep in mind this won’t help you for past events, but if someone is making multiple claims of emails going missing you can enable this to find out for the next occurrence.

To prove what happened next, you can use the Exchange 2010 and greater feature called Mailbox Audit Logging. This will track actions on individual emails, and save the log inside the person’s actual mailbox. This can not only log what the user themselves does, but also delegates and administrators. To see what you can log, have a look at this Technet article: http://technet.microsoft.com/en-us/library/ff459237.aspx

There is also a great guide from Paul Cunningham to get you started: http://exchangeserverpro.com/exchange-2010-mailbox-audit-logging/

My scenario requires a few more commands, as I want to log all actions rather than the default which doesn’t log anything the owner of the mailbox does.
First, enable Mailbox Audit Logging on the mailbox you’re concerned with via Powershell:

Set-Mailbox -identity Adam.Fowler -AuditEnabled $true

Easy. Now, if you run this command:

Get-Mailbox -identity Adam.Fowler | fl *audit*

You will see a few results. AuditEnabled should be true, and you’ll notice by default there are some different options between AuditAdmin, AuditDelegate and AuditOwner, with AuditOwner having no settings at all. To enable all possible logging options, for the Owner of the mailbox, run this command:

Set-mailbox -identity Adam.Fowler -AuditOwner Create, HardDelete, Move, MoveToDeletedItems, SoftDelete, Update

You can then run the previous command to see the extra options show up. Now that Mailbox Audit Logging is running on the mailbox, logs start to get generated. Once a few actions have been run on the mailbox, you can start looking at the results. Technet have some good examples here: http://technet.microsoft.com/en-us/library/ff522360.aspx

One example is if you are looking for an email with a subject that contains the word “test” within a date range:

Search-MailboxAuditLog -Identity Adam.Fowler -StartDate 7/21/2013 -EndDate 7/21/2013 -ShowDetails | Where-Object {$_.ItemSubject -like "*test*"}

If you want a glance at how many results you’re seeing, filter just to show the subject of each result and what happened to it (operation):

Search-MailboxAuditLog -Identity Adam.Fowler -StartDate 7/21/2013 -EndDate 7/21/2013 -ShowDetails | Where-Object {$_.ItemSubject -like "*test*"} | fl ItemSubject, Operation

Once you find the result you’re looking for, you’ll see a lot of helpful information – especially what device did the action. For example, under the ClientInfoString I can tell a particular action was done by my account on a Samsung Galaxy S3 via ActiveSync (aka Samsung I9300)

ClientInfoString : Client=ActiveSync;UserAgent=SAMSUNG-GT-I9300/100.40102;Action=/Microsoft-Server-ActiveSync/default.eas?Cmd=Sync&User=adam.fowler&DeviceId=SEC10FE7073DAC69&DeviceType=SAMSUNGGTI9300

The Operation field tells you what action was taken (e.g. MoveToDeletedItems), you’ll also get FolderPathName and DestFolderPathName (where the email went from and to). Of course this will help identify if a delegate has been cleaning up the owner’s emails, but also if a certain device they have is doing something it shouldn’t.
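To see at a glance which client or device performed each operation, the ClientInfoString can be split into its fields. This is an added example, not code from the original post: the function name is hypothetical, the first sample record reuses the ClientInfoString shown above, and the second record is constructed for illustration.

```powershell
# Added example (not from the post): turn audit records into "which client/device did what" rows.
function Get-AuditClientSummary {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $info = @{}
        foreach ($pair in ([string]$Record.ClientInfoString -split ';')) {
            # Split on the first '=' only; the Action value contains further '=' signs
            $name, $value = $pair -split '=', 2
            if ($name) { $info[$name.Trim()] = $value }
        }
        # For ActiveSync, Action is a URL whose query string names the device
        if ($info['Action'] -match '\?(.+)$') {
            foreach ($q in ($Matches[1] -split '&')) {
                $qName, $qValue = $q -split '=', 2
                $info[$qName] = $qValue
            }
        }
        New-Object PSObject -Property @{
            Operation  = $Record.Operation
            Subject    = $Record.ItemSubject
            Client     = $info['Client']
            DeviceType = $info['DeviceType']
            DeviceId   = $info['DeviceId']
        } | Select-Object Operation, Subject, Client, DeviceType, DeviceId
    }
}

# Sample records so the function can be tried without an Exchange server.
# Record 1 uses the ClientInfoString from the post; record 2 is constructed.
$sample = @(
    New-Object PSObject -Property @{
        Operation = 'MoveToDeletedItems'; ItemSubject = 'test message'
        ClientInfoString = 'Client=ActiveSync;UserAgent=SAMSUNG-GT-I9300/100.40102;Action=/Microsoft-Server-ActiveSync/default.eas?Cmd=Sync&User=adam.fowler&DeviceId=SEC10FE7073DAC69&DeviceType=SAMSUNGGTI9300'
    }
    New-Object PSObject -Property @{
        Operation = 'SoftDelete'; ItemSubject = 'test 2'
        ClientInfoString = 'Client=OWA;Action=ViewMessage'
    }
)
$sample | Get-AuditClientSummary | Format-Table -AutoSize

# Against live data, pipe the search from the post into the function instead:
# Search-MailboxAuditLog -Identity Adam.Fowler -StartDate 7/21/2013 -EndDate 7/21/2013 -ShowDetails | Get-AuditClientSummary
```

Records with no device details, such as the second sample, come back with empty DeviceType and DeviceId columns rather than being dropped.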

I would recommend only using Mailbox Audit Logging when required, due to the small amount of extra space and load you’ll use on your mailboxes. You would need to do extensive testing before enabling it company wide.

Good luck!