Sunday, December 15, 2013

Disabling Exchange 2010 ActiveSync, OWA, POP, IMAP or MAPI access for mailboxes with PowerShell

I’ve recently been asked by an administrator at a school to suggest the best way of preventing students from setting up an Outlook profile for their mailboxes.  The first thought that I had was that we could simply disable MAPI access via the Mailbox Features tab in the Exchange Management Console


Enable or Disable MAPI for a User Mailbox

The challenge was that there are thousands of students in the school and manually clicking in the GUI to disable the MAPI feature wasn’t the best choice so we turned to PowerShell.

The 2 cmdlets we’ll be using to turn off MAPI access are the following:



The first Get-Mailbox is to retrieve the mailboxes which will then be piped into the Set-CASMailbox cmdlet.

The following is an example of retrieving all of the mailboxes from a mailbox database then piping it into the set cmdlet to disable MAPI:

Get-Mailbox -Database "Students Database" | Set-CASMailbox -MAPIEnabled $false


Note that if you have more than 1000 objects returned from the Get-Mailbox cmdlet then you will receiving the warning:

WARNING: By default, only the first 1000 items are returned. Use the ResultSize parameter to specify the number of items returned. To return all items, specify "-ResultSize Unlimited". Be aware that, depending on the actual number of items, returning all items can take a long time and consume a large amount of memory. Also, we don't recommend storing the results in a variable. Instead, pipe the results to another task or script to perform batch changes.

I’ve ran this cmdlet in a few environments and noticed that it applies the changes to more than 1000 objects but just to be the safe, I usually run it with the additional -ResultSize unlimited switch:

Get-Mailbox -Database "Students Database" -ResultSize unlimited | Set-CASMailbox -MAPIEnabled $false


From here, you can randomly select users to ensure the MAPI feature is turned off


Note the warning message:

There are more results available than are currently displayed. To view them, increase the value for the ResultSize parameter.

You can change this limit of 1000 objects returned setting as shown in the following article:

Click on the Recipient Configuration node on the left Modify the Maximum Number of Recipients link on the right:


Then change the vaue for Maximum recipients to display:


The GUI may not be the most optimal way of reviewing the configuration change so going back to PowerShell, you can use the following cmdlet to list all of the recipient objects in a store with their mailbox feature settings:

Get-Mailbox -Database "Students Database" -ResultSize unlimited | Get-CASMailbox


If the list is too long, you can either use the | more command at the end as such:

Get-Mailbox -Database "Students Database" -ResultSize unlimited | Get-CASMailbox | more

… or simply pipe the output to a text file:

Get-Mailbox -Database "Students Database" -ResultSize unlimited | Get-CASMailbox > C:\mailboxfeatures.txt


Note that to disable or enable the other features, simply replace -MAPIEnabled with any of the following:

  • ActiveSyncEnabled
  • OWAEnabled
  • PopEnabled
  • ImapEnabled

Quick way to adjust send and receive connector limits in Exchange 2010 and 2013

I find myself referencing a note I have in my drafts to quickly change send and receive limits for connectors on Exchange 2010 and 2013 so just in case I ever lose that the draft email I have, I thought I’d just blog the commands so I can reference it if I don’t have access to my mailbox.

Use the following cmdlets to quickly set send and receive size limits on all connectors configured on an Exchange server:

Set-TransportConfig -MaxSendSize 100MB -MaxReceiveSize 100MB

Get-ReceiveConnector | Set-ReceiveConnector -MaxMessageSize 100MB

Get-SendConnector | Set-SendConnector -MaxMessageSize 100MB

Saturday, December 14, 2013

Attempting to move a mailbox from Exchange 2003 server throws the error: “Mailbox database ‘2d14e873-68fc-4475-acf6-1eb3f3909753’ is offline.”


You attempt to move a mailbox from Exchange 2003 server with the New Local Move Request but receive the following error:

image image

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:05


Mailbox database '2d14e873-68fc-4475-acf6-1eb3f3909753' is offline.

MapiExceptionLogonFailed: Unable to make connection to the server. (hr=0x80040111, ec=1010)
Diagnostic context:
    Lid: 11672   dwParam: 0x6D9      Msg: EEInfo: NumberOfParameters: 4
    Lid: 8856    dwParam: 0x6D9      Msg: EEInfo: prm[0]: Unicode string: ncacn_ip_tcp
    Lid: 8856    dwParam: 0x6D9      Msg: EEInfo: prm[1]: Unicode string:
    Lid: 12952   dwParam: 0x6D9      Msg: EEInfo: prm[2]: Long val: -545057711
    Lid: 12952   dwParam: 0x6D9      Msg: EEInfo: prm[3]: Long val: 382312662
    Lid: 45169   StoreEc: 0x824    
    Lid: 44273 
    Lid: 59431   EMSMDB.EcDoConnectEx called [length=110]
    Lid: 34855   EMSMDB.EcDoConnectEx returned [ec=0x3F2][length=56][latency=0]
    Lid: 56945 
    Lid: 59431   EMSMDB.EcDoConnectEx called [length=110]
    Lid: 34855   EMSMDB.EcDoConnectEx returned [ec=0x3F2][length=56][latency=15]
    Lid: 59505   StoreEc: 0x3F2    
    Lid: 52465   StoreEc: 0x3F2    
    Lid: 60065 
    Lid: 33777   StoreEc: 0x3F2    
    Lid: 59805 
    Lid: 52209   StoreEc: 0x3F2    
    Lid: 56583 
    Lid: 52487   StoreEc: 0x3F2    
    Lid: 19778 
    Lid: 27970   StoreEc: 0x3F2    
    Lid: 17730 
    Lid: 25922   StoreEc: 0x3F2    
Click here for help...

Exchange Management Shell command attempted:
' Students/S4 Students/KAKnights-Fubler' | New-MoveRequest -TargetDatabase 'BBS Alumni Database'

Elapsed Time: 00:00:00


While there are various reasons why this error would be thrown, one of them is that the Exchange 2003 server’s mailbox store does not have proper permissions.  Check the permissions on the store’s properties to ensure that the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here. is selected:




Sunday, December 8, 2013

Configuring Netscaler VPX appliance throws the error: “Java Applet could not be loaded”


NetScaler VPX Version: NS10.1: Build, Date: Oct 18 2013, 10:25:05


Internet Explorer Version: 9.0.8112.16421


Java Version: Java 7 Update 45



I don’t think I’ve ever been as frustrated with web administration consoles that are browser based and rely on Java as the NetScaler VPX appliance, Compellent and Cisco UCS.  Earlier versions of Java last year was easily to fix as all you needed to do was uncheck the Keep temporary files on my computer then delete the files:

image image


… but the later versions with the error:

Downloading Applet…

image image

… then after being stuck at 1% for a period of time, the following is presented:

Cannot load Applet

Java Applet could not be loaded


Possible reasons:

JRE(Java Runtime Environment) not installed.

JRE is installed but not running.

Java browser plug-in is not installed or not enabled.


I’ve gone on to try disabling verification as some forums suggested:

image image

… or looking for the security option to switch to a lower medium level which does not appear to be present for the latest Java version I downloaded today (December 8, 2013).

After spending over 30 minutes researching solutions which non corrected the issue, I went ahead and tried Google Chrome 31.0.1650.64 which ended up working.  


Not exactly the best solution but it was enough for me as all I wanted was to make a small change to the NetScaler VPX appliance.

Thursday, December 5, 2013

Unable to search GAL with less than 4 characters via Exchange Server 2010 ActiveSync


You attempt to search the Global Address List (GAL) via a phone that uses Exchange Server 2010 ActiveSync but notice that the search fails when you search with 3 characters or less:

image image image

**Note that the screenshots above are from a Blackberry z10 device’s Look up… feature.

Searching with 4 characters or more works as expected:

image image image

Reviewing the IIS Logs on the CAS server in the directory:



Reveals the following:

2013-12-05 14:11:43 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Search&DeviceType=BlackBerry& 443\KAB RIM-Z10-STL100-1/ 200 0 0 265


The text that identifies the search string too short in the log is:



A bit of research on the internet revealed that in Exchange Server 2010, the default minimum amount of characters required to search the GAL via ActiveSync is 4 characters instead of 2 which is the default setting for Exchange 2003 (the Exchange 2007 organization I had to troubleshoot also exhibited the same behavior). As a result of this change, attempting to search with 3 or less characters on a BES 10 device which uses a BES 10 server that uses ActiveSync to retrieve information from Exchange Server 2010 would fail.  To correct this issue, edit the web.config file on all of the CAS servers at the following directory:

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Sync


Backup the web.config file prior to making the change:


Locate the <appSettings> section:


Add the following text with the appropriate value desired (we’ll use 2 for this example to allow searching with 2 characters) between the <appSettings> and </appSettings> tag as such:

<!-- Sets the minimum number of characters required for searching -->

<add key="MinGALSearchLength" value="2"></add>


Perform a iisreset command on the CAS server once the changes have been made:


Searches with 2 characters should now work:

image image image

Hope this helps anyone who may come across this issue.

Thursday, November 28, 2013

Connecting to VMware View 5.1.2 desktop via PCoIP displays a black screen when in full screen


You’ve just added a new existing virtual machine into a VMware View pool and attempt to connect to it via the VMware View client but the following black screen:


What you notice is that if you restore the size of the VMware View client to a window instead of full screen, you are able to see the virtual desktop’s login screen properly.  Everything else works as expected when working in side this resized window:


You’ve confirmed that the resolution of the monitor you’re using which is 1920 x 1080:


… is either smaller or the same as the VMware View pool settings:


Note that the pool settings is configured with:

Max number of monitors: 2

Max resolution of any one monitor: 1920 x 1200

The settings for the virtual desktop indicates that VMware View has set the configuration to:

Number of displays: 2

Total video memory: 35.19


You notice that if you try to shutdown the virtual machine, change the video memory to 40MB, View would quickly change it back to 35.19MB.


What’s important to note is that it is expected behavior for View to change the video memory back to 35.19MB as that is the predefined settings for the monitoring configuration set in the pool and the only way to increase the memory for the desktops is to actually change the pool settings as such:

Max number of monitors: 4

Max resolution of any one monitor: 2560 x 1600


Once the pool settings are in, VMware View would reconfigure all of the desktops regardless of whether they’re powered on or off to the following settings:

Number of displays: 4

Total video memory: 125


What solved my issue was to increase the resolution in the pool settings to be higher than the resolution of monitor, wait till View has completed the changes to the video card, restart the virtual machine once so that the new video card settings are in effect, then shutdown the virtual machine and then power it back on.  Note that I’ve tried restarting the virtual machine multiple times but still received the black screen which I suspect is related to the description in the following KB:

Configuring PCoIP for use with View Manager (1018158)

I didn’t get to try restarting the virtual machine via the vSphere client but I believe it probably would have worked if I did.

Wednesday, November 27, 2013

Removing and adding a renamed desktop into a Citrix XenDesktop 5.6 Existing pool throws the error: “The computer domain\computername could not be imported because User domain\computername could not be found.”


You have a desktop in a Citrix XenDesktop 5.6 Existing pool that you need to rename so you proceed with the following:

  1. Remove it from the existing desktop group
  2. Delete it from the desktop catalog
  3. Clone the virtual machine in vCenter to a new name so that the flat files corresponds to the virtual machine name
  4. Log into the new virtual desktop and rename the Windows name
  5. Restart the desktop
  6. Right click on the same Existing catalog and select Add Machines
  7. Select the newly cloned virtual machine

What you notice is that as you get to the prompt where you select a Active Directory computer account and select the new renamed computer account, you receive the following error:

The computer domain\computername could not be imported because User domain\computername could not be found.

Clicking the OK button displays another window with the error:

Sequence contains no elements


I’m not exactly sure why but this has happened to me twice over the past month and the resolution for both incidents was to restart the DDCs.  Once the DDCs are restarted, I am then able to add the machines with the new account.

Sunday, November 17, 2013

Citrix XenApp and XenDesktop Pass-Through Authentication works with website authentication but not application or desktop authentication

To follow up with my previous post:

Connecting to Citrix XenDesktop 5.6 virtual desktops through a Web Interface configured with pass-through authentication fails after flashing a black screen

I finally found some time over the weekend to sit down and perform some uninterrupted troubleshooting to determine the root cause of why the environment’s pass-through authentication worked for authenticating the user through the Web Interface portal but does not work when launching an application where it would display the following prompt:


… or while launching a XenDesktop VDI (with the help of the registry key to disable enforce auto logon):


What ended up being the issue after combing through the configuration as I referenced an older blog post I wrote:

Lessons learned with Citrix Web Interface 4.6 Pass-Through Authentication

… was that the Active Directory GPO with the Citrix pass-through authentication only had the Computer Configuration portion configured:


… but not the User Configuration.  Once I got the User Configuration portion configured, pass-through authentication began functioning as it should:


Hope this helps anyone out there who may come across the same symptoms in their environment.