
Granikos Technology Blog

Exchange Server and Exchange Online use retention policies to group retention tags. A retention tag defines how and when Exchange should automatically delete a mailbox object or move it to the archive mailbox. Most of the time, you think of emails when talking about Exchange mailbox objects. We stay with emails for this article.

Sometimes, retention policies show unexpected behavior, and you want to clean up the retention information in a mailbox.

To understand how to clean up the policies, we need to know the basics.

 

Policy tags: Default tags and Personal tags

Default tags and personal tags specify what the Managed Folder Assistant should do with the emails. You assign one or more retention tags to a retention policy. You then assign the retention policy to a mailbox.

Default tags apply to the whole mailbox. End users can set personal tags on folders or on single items. The third tag type, the default folder tag, is primarily used in delete policies.

 

Retention policy

A retention policy can have one or more default or personal retention tags. A single mailbox can only have one policy assigned.

The following screenshot shows the default retention policies for user and arbitration mailboxes, and two additional test policies.

Screenshot showing the Exchange retention policies

 

If you want to know more about retention tags and policies, I recommend reading the Microsoft documentation.

 

Cleaning up retention tags in an Exchange mailbox

But what exactly would we like to remove from a mailbox?

  • Policy Tags and Personal Policy Tags

Removing a retention policy from a mailbox is simple. You replace the assigned policy with another policy, or you set the attribute to $null to remove the policy assignment. Removing or replacing a retention policy does not remove personal tags assigned to folders by the user.

If you want to remove a personal tag from a mailbox, Microsoft has the answer for you:

  • Purge the tag from the Exchange Organization

But what if other users in your Exchange organization also use this personal tag? Deleting a personal retention tag from the Exchange Organization will remove this tag from all mailboxes.

 

Solution

Suppose you have a delete policy (default tag) set on a mailbox. Also, you allow the user to exclude folders with a personal tag. Removing this personal tag from all mailboxes will lead to significant calls to your helpdesk because the Managed Folder Assistant will delete all emails from all mailboxes. Not to mention that you must then restore the emails.

But help is on the way. The tool RemovePersonalRetentionTag helps you clean up retention tags.

  • GitHub Link

With this tool, you can remove one or more personal tags from the folders in a single mailbox without deleting the tag from your Exchange Organization.

You need impersonation rights for the mailbox you want to clean up. And basic authentication needs to be enabled for Exchange Online if the mailbox is an EXO mailbox. At this time, the code uses Exchange Web Services to remove retention tags.

If you want to remove all personal tags from a mailbox, it is simple:

RemovePersonalRetentionTag.exe -mailbox "user@example.com" -impersonate

 

If you want to remove a specific tag, you must know the retention tag id.

First, grab a list of the retention tag ids in your environment:

  • Execute in an Exchange (Online) PowerShell session
Get-RetentionPolicyTag -Types Personal | Select Name,RetentionId | ft -a

Screenshot Exchange Management Shell

 

  • Remove a single tag
RemovePersonalRetentionTag.exe -mailbox "user@example.com" -impersonate -retentionid "a7966968-dadf-4df7-ae87-4482686b4634"


 

  • Or multiple tags
RemovePersonalRetentionTag.exe -mailbox "user@example.com" -impersonate -retentionid "a7966968-dadf-4df7-ae87-4482686b4634, 414c6a14-3ed5-432e-9edb-c6620a8278f0"

 

This tool is very useful when personal MRM policies are assigned to system folders like “Yammer.”
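The two steps above (look up the RetentionId values, then call the tool) combined into one function, as an added example that is not part of the original post or of the RemovePersonalRetentionTag project. It assumes an Exchange (Online) PowerShell session, the tool in the current directory, and the tag names given in the usage line are constructed placeholders.

```powershell
# Added example: resolve personal retention tag names to their RetentionId values
# and build the comma-separated -retentionid argument for RemovePersonalRetentionTag.exe.
# Assumes an Exchange (Online) PowerShell session and the tool in the current directory.
function Remove-PersonalTagsByName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $Mailbox,
        [Parameter(Mandatory)] [string[]] $TagName,
        [string] $ToolPath = '.\RemovePersonalRetentionTag.exe'
    )

    # Only personal tags can be applied by users to folders, so restrict the lookup to them
    $tags = Get-RetentionPolicyTag -Types Personal | Where-Object { $TagName -contains $_.Name }

    # Fail early instead of silently removing fewer tags than requested
    $missing = $TagName | Where-Object { $_ -notin @($tags.Name) }
    if ($missing) {
        throw "Personal retention tag(s) not found in this organization: $($missing -join ', ')"
    }

    # The tool takes a single string of comma-separated RetentionId values
    $idList = @($tags | ForEach-Object { $_.RetentionId.ToString() }) -join ', '

    # The tags stay in the organization; only their assignment in this one mailbox is removed
    if ($PSCmdlet.ShouldProcess($Mailbox, "Remove personal tags [$($tags.Name -join ', ')] ($idList)")) {
        & $ToolPath -mailbox $Mailbox -impersonate -retentionid $idList
        if ($LASTEXITCODE -ne 0) { Write-Warning "RemovePersonalRetentionTag.exe exited with code $LASTEXITCODE" }
    }
}

# Constructed placeholder tag names; -WhatIf shows the resulting call without running the tool
Remove-PersonalTagsByName -Mailbox 'user@example.com' -TagName 'Example Personal Tag A', 'Example Personal Tag B' -WhatIf
```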

 

 

Read more »

In this interview, Adnan and I talk about the challenges in the current situation with COVID-19. Companies are forced into enabling remote work at a pace they cannot control efficiently. At the same time, the fast-rising numbers of users utilizing collaboration tools put additional load on company networks that were never planned for it. IT departments are required to deliver the same high-quality standard for remote workers as for the on-premises workforce.

Here is the recording, available on Adnan's iMentorCloud YouTube Channel. Enjoy.

 

Video-Link: https://go.granikos.eu/iMentorCloudMar2020-1

 

Adnan Rafique

Adnan Rafique is a Collaboration Architect for Microsoft Exchange and Office 365. He has been a subject matter expert in this area since the days of Exchange Server 2007.

 


 

Read more »

Adnan Rafique is a Collaboration Architect for Microsoft Exchange and Office 365. He has been a subject matter expert in this area since the days of Exchange Server 2007.

He reached out to me to record an interview on Office 365, the impact of cloud technologies on the daily operations of IT administrators, and the requirement for life-long learning.

Here is the recording, available on Adnan's YouTube Channel. Enjoy.

 

Video-Link: https://go.granikos.eu/iMentorCloudFeb2020

 

A future interview will cover Microsoft Teams and how it helps to transform the way you work.

 


 

Read more »
On August 26, 2019

If you want to share free and busy details between two Exchange organizations, you usually use the Microsoft Federation Gateway. Sometimes this is not possible, e.g., for compliance reasons, or other business reasons. But there exists a way to do this, even without an Active Directory trust between two organizations.

Let us say we have two Exchange organizations: contoso.com and adatum.com.

The prerequisites are:

  • you can resolve and access the target AutoDiscover-endpoint from the source domain infrastructure (hint: you can use pin-point DNS zones)
  • you can resolve and access the Exchange Web Services (EWS) endpoint from the source domain infrastructure (note that the Availability Service (AS) accesses the InternalUrl)
  • you add an account in each Active Directory forest which does not have any specific permissions assigned (membership of "Domain Users" security group is sufficient, no mailbox needed). 

I will use user account freebusy in this example.

Execute the following in contoso.com Exchange organization using Exchange Management Shell:

$TargetSmtpDomain = 'adatum.com'
$TargetDomainAccount = 'adatum.com\freebusy'

Add-AvailabilityAddressSpace -ForestName $TargetSmtpDomain -AccessMethod OrgWideFB -Credentials (Get-Credential -UserName $TargetDomainAccount -Message 'Password of the target free/busy account')

Set-AvailabilityConfig -OrgWideAccount $TargetDomainAccount.Split('\')[1]

 

Execute the following in adatum.com Exchange organization using Exchange Management Shell:

$TargetSmtpDomain = 'contoso.com'
$TargetDomainAccount = 'contoso.com\freebusy'

Add-AvailabilityAddressSpace -ForestName $TargetSmtpDomain -AccessMethod OrgWideFB -Credentials (Get-Credential -UserName $TargetDomainAccount -Message 'Password of the target free/busy account')

Set-AvailabilityConfig -OrgWideAccount $TargetDomainAccount.Split('\')[1]
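The two per-forest blocks above as one parametrized function, as an added example that is not part of the original post. It assumes the account naming from the post (an account named freebusy in both forests, so the local OrgWideAccount is derived from the remote account name) and adds a check so the same address space is not added twice.

```powershell
# Added example: perform the per-forest steps from the post once per Exchange organization,
# with the roles swapped. Assumes the same account name (freebusy) exists in both forests.
function Enable-CrossForestFreeBusy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]       $TargetSmtpDomain,     # e.g. 'adatum.com'
        [Parameter(Mandatory)] [string]       $TargetDomainAccount,  # e.g. 'adatum.com\freebusy'
        [Parameter(Mandatory)] [pscredential] $TargetCredential      # password of that account
    )

    # The account must be given as DOMAIN\user, otherwise the Split below yields garbage
    if ($TargetDomainAccount -notmatch '^[^\\]+\\[^\\]+$') {
        throw "Account must be given as DOMAIN\user, got '$TargetDomainAccount'"
    }
    # Same derivation as in the post: the local account has the same name as the remote one
    $localAccountName = $TargetDomainAccount.Split('\')[1]

    # Do not add an address space that already exists for this forest
    $existing = Get-AvailabilityAddressSpace | Where-Object { $_.ForestName -eq $TargetSmtpDomain }
    if ($existing) {
        Write-Verbose "Address space for $TargetSmtpDomain already exists (AccessMethod $($existing.AccessMethod)); skipping."
    }
    elseif ($PSCmdlet.ShouldProcess($TargetSmtpDomain, 'Add-AvailabilityAddressSpace -AccessMethod OrgWideFB')) {
        Add-AvailabilityAddressSpace -ForestName $TargetSmtpDomain -AccessMethod OrgWideFB -Credentials $TargetCredential
    }

    if ($PSCmdlet.ShouldProcess($localAccountName, 'Set-AvailabilityConfig -OrgWideAccount')) {
        Set-AvailabilityConfig -OrgWideAccount $localAccountName
    }
}

# Run in the contoso.com organization (swap the domains when running in adatum.com)
$cred = Get-Credential -UserName 'adatum.com\freebusy' -Message 'Password of the adatum.com free/busy account'
Enable-CrossForestFreeBusy -TargetSmtpDomain 'adatum.com' -TargetDomainAccount 'adatum.com\freebusy' -TargetCredential $cred -Verbose
```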

 

Exchange Server in the source organization must be able to resolve the recipient address for requesting free/busy information from the target organization. Exchange Server can determine a target address accurately when you create the recipient object as a contact in the source Exchange organization. 

For this example, you create contact objects in adatum.com for all users in contoso.com and vice versa. You can use GalSync or any other identity management (IDM) software that can handle object synchronization.

 

Problem

When using Exchange Server 2013, or 2016, you may run into a problem.

The HttpProxy log of the requesting Exchange Server will state that Autodiscover failed for the generic mailbox 01B62C6D-4324-448f-9884-5FEC6D18A7E2@contoso.com (or adatum.com).

HttpProxy log excerpt:

2019-07-26T07:19:24.649Z,2827102f-75b1-4ecb-ae6c-36b075bb8e93,15,1,1779,2,,Autodiscover,autodiscover.contoso.com,/autodiscover/autodiscover.xml,,Basic,true,CONTOSO\freebusy,,MailboxGuid~01b62c6d-4324-448f-9884-5fec6d18a7e2,ASAutoDiscover/CrossForest/EmailDomain//15.01.1779.002,172.16.0.20,CONTOSO-EX1,404,,MailboxGuidWithDomainNotFound,POST,,,,,AnchorMailboxHeader-MailboxGuidWithDomain-NoUser,,,,381,,,,0,,,0,1;0;,1,,0,1,,0,4,0,,,,,,,,,0,3,0,,3,,3,3,,,,BeginRequest=2019-07-26T07:19:24.646Z;CorrelationID=<empty>;ProxyState-Run=None;AccountForestGuard_contoso.com=1;AccountForestGuard_contoso.com=1;ProxyState-Complete=CalculateBackEnd;SharedCacheGuard=0;EndRequest=2019-07-26T07:19:24.649Z;I32:ADS.C[CONTOSO-DC1]=2;F:ADS.AL[CONTOSO-DC1]=0.8201787,HttpProxyException=Microsoft.Exchange.HttpProxy.HttpProxyException: Cannot find mailbox 01b62c6d-4324-448f-9884-5fec6d18a7e2 with domain contoso.com.    
at Microsoft.Exchange.HttpProxy.AnchorMailbox.CheckForNullAndThrowIfApplicable[T](T ret)    
at Microsoft.Exchange.HttpProxy

 

Reason

If DNS is used to resolve the AutoDiscover endpoint of the target Exchange organization, the source Exchange organization queries AutoDiscover information for a mailbox with that uid. SCP-based AutoDiscover lookup does not use this dedicated uid-based email address.

 

Solution

To solve this issue, you add the required SMTP address found in the HttpProxy log to one user mailbox in the target organization.

In the contoso.com organization:

Set-Mailbox -Identity 'someuser@contoso.com' -EmailAddresses @{add='01B62C6D-4324-448f-9884-5FEC6D18A7E2@contoso.com'}

 

In the adatum.com organization:

Set-Mailbox -Identity 'someuser@adatum.com' -EmailAddresses @{add='01B62C6D-4324-448f-9884-5FEC6D18A7E2@adatum.com'}
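The log excerpt above and the fix combined, as an added example that is not part of the original post: it scans the Autodiscover HttpProxy logs for cross-forest lookups that failed with MailboxGuidWithDomainNotFound, derives the generic SMTP address from each hit, and adds it to a mailbox of your choice only if no mailbox in the local organization has it yet. The log directory is assumed to be the default location under the Exchange installation path; run it in the target organization's Exchange Management Shell.

```powershell
# Added example: derive the missing generic address from the HttpProxy log and apply the fix.
# Assumed default log location: <ExchangeInstallPath>\Logging\HttpProxy\Autodiscover
function Repair-CrossForestAutodiscoverAddress {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Mailbox,   # mailbox that receives the address, e.g. someuser@contoso.com
        [string] $LogPath = (Join-Path $env:ExchangeInstallPath 'Logging\HttpProxy\Autodiscover')
    )

    # Matches the log line shape shown in the post: cross-forest AS request, 404 reason, exception text
    $pattern = 'ASAutoDiscover/CrossForest.*?MailboxGuidWithDomainNotFound.*?Cannot find mailbox (?<guid>[0-9a-fA-F-]{36}) with domain (?<domain>[A-Za-z0-9.-]+?)\.(\s|$)'

    $addresses = Get-ChildItem -Path $LogPath -Filter '*.LOG' |
        Select-String -Pattern $pattern |
        ForEach-Object { "$($_.Matches[0].Groups['guid'].Value)@$($_.Matches[0].Groups['domain'].Value)".ToLower() } |
        Sort-Object -Unique

    if (-not $addresses) {
        Write-Verbose 'No failed cross-forest Autodiscover lookups found in the logs.'
        return @()
    }

    foreach ($address in $addresses) {
        # Only act when the generic address is not yet assigned anywhere in this organization
        $owner = Get-Mailbox -ResultSize Unlimited -Filter "EmailAddresses -like 'smtp:$address'"
        if ($owner) {
            Write-Verbose "$address is already assigned to $($owner.PrimarySmtpAddress); nothing to do."
            continue
        }
        if ($PSCmdlet.ShouldProcess($Mailbox, "Add proxy address $address")) {
            Set-Mailbox -Identity $Mailbox -EmailAddresses @{ add = $address }
        }
    }
    return $addresses
}

# -WhatIf lists the addresses found and the Set-Mailbox calls it would make
Repair-CrossForestAutodiscoverAddress -Mailbox 'someuser@contoso.com' -Verbose -WhatIf
```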

 


Read more »

When you configure an Outlook profile to use Cached Mode the client software uses a special address book to resolve email addresses and other information. This address book is named Offline Address Book (OAB) and is built and provided by the Exchange Organisation hosting the mailbox. The client downloads OAB changes when Outlook starts and checks for further OAB changes in intervals. 

OAB provides address resolver capabilities when there is no network connection to Exchange Server or a domain controller available. In addition to resolver capabilities, the OAB contains other important information, e.g., send-as permissions and information regarding public folders.

For security reasons it might be necessary to disallow the download of the Offline Address Book by an Outlook Client. In this case, you control the download functionality with the Windows System Registry. You can disable the OAB download using the following registry key:

Path: HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Outlook\Cached Mode
Value type: REG_DWORD
Value name: DownloadOAB
Value: 0 to not download the OAB

 

Replace <version> with the appropriate Office version number.

Version   Version number
Outlook 2007   12.0
Outlook 2010   14.0
Outlook 2013   15.0
Outlook 2016   16.0
Outlook 2019   16.0
Office 365   16.0

 

With a deactivated OAB download, name resolution in Outlook Cached Mode requires network access to an Exchange Server.
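The registry change above applied to every Outlook version present for the current user, as an added example that is not part of the original post. It uses the version numbers from the table and creates the Cached Mode key when it does not exist yet.

```powershell
# Added example: set DownloadOAB = 0 (REG_DWORD) under every installed Outlook version in HKCU.
# Version numbers from the table above; Outlook 2016, 2019 and Office 365 all use 16.0.
function Disable-OutlookOabDownload {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]] $Version = @('12.0', '14.0', '15.0', '16.0')
    )

    $result = @()
    foreach ($v in $Version) {
        $outlookKey = "HKCU:\Software\Microsoft\Office\$v\Outlook"
        # Skip versions that are not installed (or never used) for this user
        if (-not (Test-Path $outlookKey)) { continue }

        $cachedModeKey = Join-Path $outlookKey 'Cached Mode'
        if ($PSCmdlet.ShouldProcess($cachedModeKey, 'Set DownloadOAB = 0 (REG_DWORD)')) {
            # The Cached Mode key is not always present; create it before writing the value
            if (-not (Test-Path $cachedModeKey)) { New-Item -Path $cachedModeKey -Force | Out-Null }
            New-ItemProperty -Path $cachedModeKey -Name 'DownloadOAB' -PropertyType DWord -Value 0 -Force | Out-Null
        }

        $current = (Get-ItemProperty -Path $cachedModeKey -Name 'DownloadOAB' -ErrorAction SilentlyContinue).DownloadOAB
        $result += [pscustomobject]@{ Version = $v; Key = $cachedModeKey; DownloadOAB = $current }
    }
    return $result
}

# Report which versions were found and the value now in place (-WhatIf only reports)
Disable-OutlookOabDownload -WhatIf | Format-Table -AutoSize
```

Because the value lives under HKEY_CURRENT_USER, the function must run in each user's context; for a fleet-wide setting, deliver the same value through Group Policy preferences instead.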

 

The information was originally available in Knowledge Base article 921927. This article is no longer available.

 


 

Enjoy Exchange Server.

 

 

Read more »