Cannot set the security descriptor of mailbox

You may come across this error in PowerShell: "Cannot set the security descriptor of mailbox…". For me it occurred at the beginning, when we were doing a small number of mailbox migrations from Exchange 2010 to Exchange 2016 and assigning mailbox permissions.


“Cannot set the security descriptor of mailbox…….. in exchange mailbox database ……..”

The error appeared when I used the Exchange PowerShell command below to grant full access permission to userB on userA's mailbox:-

Add-MailboxPermission -Identity "userA" -User "userB" -AccessRights FullAccess -InheritanceType All

Cause:-

Changes in the user's attributes in AD after migrating the user from Exchange 2010 to Exchange 2016.

PowerShell throws this error because the mailbox you are trying to grant full access on is now hosted on a higher version of Exchange than the server you are running the PowerShell command from.

In my case, it means I should be running the Add-MailboxPermission command above in the Exchange 2016 Exchange Management Shell, where the mailbox of userA is now hosted after it was migrated from Exchange 2010.

Solution:-

  1. Check which database the mailbox is currently on, and which version of Exchange server.

Get-Mailbox -Identity UserA | fl database,exchangeversion

  2. Use Exchange PowerShell on the higher version of Exchange where the mailbox now resides after migration. If the mailbox was migrated from Exchange 2010 to Exchange 2016, you will have to run the command from the Exchange 2016 management shell to add the permissions successfully.

Add-MailboxPermission -Identity "userA" -User "userB" -AccessRights FullAccess -InheritanceType All

You can always refer to this Microsoft TechNet link to identify your version of Exchange from the exchangeversion result you get 🙂

https://technet.microsoft.com/en-us/library/hh135098(v=exchg.150).aspx
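
The version check and the grant can be combined into one guarded step. This is an added example, not part of the original post: Grant-FullAccessChecked is a hypothetical name, and it assumes the Exchange Management Shell is opened on, and connected to, the Exchange server named in $env:COMPUTERNAME.

```powershell
# Added example (not from the original post). Grant-FullAccessChecked is a hypothetical name.
# Assumption: run in the Exchange Management Shell on an Exchange server.
function Grant-FullAccessChecked {
    param(
        [Parameter(Mandatory=$true)] [string] $Mailbox,
        [Parameter(Mandatory=$true)] [string] $Delegate
    )

    # AdminDisplayVersion renders as "Version 15.1 (Build 1261.35)"; keep major.minor only.
    function Get-MajorMinor([string] $Text) {
        if ($Text -match 'Version (\d+)\.(\d+)') {
            return [version]("{0}.{1}" -f $Matches[1], $Matches[2])
        }
        throw "Cannot parse an Exchange version from '$Text'"
    }

    $mbx      = Get-Mailbox -Identity $Mailbox -ErrorAction Stop
    $hostSrv  = Get-ExchangeServer -Identity $mbx.ServerName -ErrorAction Stop
    $localSrv = Get-ExchangeServer -Identity $env:COMPUTERNAME -ErrorAction Stop
    $hostVer  = Get-MajorMinor "$($hostSrv.AdminDisplayVersion)"
    $localVer = Get-MajorMinor "$($localSrv.AdminDisplayVersion)"

    # The failure described above: mailbox hosted on a higher version than this shell's server.
    if ($hostVer -gt $localVer) {
        throw "$($mbx.Identity) is hosted on $($hostSrv.Name) (Exchange $hostVer) but this shell runs on Exchange $localVer. Run the command from a management shell on $($hostSrv.Name)."
    }

    Add-MailboxPermission -Identity $Mailbox -User $Delegate `
        -AccessRights FullAccess -InheritanceType All -ErrorAction Stop | Out-Null

    # Read the ACL back so the grant is confirmed and can be recorded with the change request.
    Get-MailboxPermission -Identity $Mailbox -User $Delegate |
        Where-Object { -not $_.IsInherited -and -not $_.Deny } |
        Select-Object Identity, User, AccessRights
}

Grant-FullAccessChecked -Mailbox 'userA' -Delegate 'userB'
```

The read-back at the end lists only explicit, non-deny entries, which is the record to keep when FullAccess is delegated.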

Leave a comment and let me know if it worked for you.

The proxy address is already being used by Microsoft Exchange System Objects

One of my Exchange 2007 users encountered this error “The proxy address.. is already being used by…. ” while trying to add a new SMTP email address to an existing mailbox account, and it failed. He mentioned that the new SMTP address has never been assigned to any other mailbox in the organization.

Full Error:- The proxy address “smtp:info@contoso.com” is already being used by “contoso.com/Microsoft Exchange System Objects/my-Folder”. Please choose another proxy address.


The user mailbox is hosted on an Exchange 2007 mailbox database.

I suspect one of the public folder child items could be using this SMTP address; either it’s still in use or it’s orphaned.

To troubleshoot, I used the ADSIEdit.msc tool to find the Exchange object causing the error. Under the attribute “class” it is marked “Public Folder”, and on the properties dialog I could see the email address from the error listed under “proxyAddresses”.

Next is to use the tool PFDAVAdmin for Exchange 2007:


Using PFDAVAdmin I was able to connect to the public folders in the organization and find one of the subfolders that was using the SMTP address shown in the error.

I requested user to choose another SMTP address, just as the error prompt suggested, and that solved it.

If the Exchange object is already orphaned and no longer in use in your organization you can delete it or rename the proxy-addresses attribute.
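
The ADSIEdit lookup described above can also be done as a read-only LDAP query that returns every directory object holding the address. This is an added example, not part of the original post: Find-ProxyAddressOwner is a hypothetical name, the address is the one from the error text, and the GC path in the comment is a constructed sample.

```powershell
# Added example (not from the original post). Find-ProxyAddressOwner is a hypothetical name.
function Find-ProxyAddressOwner {
    param(
        [Parameter(Mandatory=$true)] [string] $SmtpAddress,
        # Optional; defaults to the current domain. Constructed sample: "GC://dc=contoso,dc=com"
        [string] $SearchRoot
    )

    # Escape the RFC 4515 special characters so the input cannot change the filter's meaning.
    $escaped = $SmtpAddress -replace '\\', '\5c' -replace '\*', '\2a' `
                            -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $SearchRoot
    }
    # proxyAddresses matching is case-insensitive, so this finds both "SMTP:" (primary)
    # and "smtp:" (secondary) entries.
    $searcher.Filter   = "(proxyAddresses=smtp:$escaped)"
    $searcher.PageSize = 500
    foreach ($p in 'distinguishedName', 'objectClass', 'proxyAddresses') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    $results = $searcher.FindAll()
    foreach ($r in $results) {
        New-Object PSObject -Property @{
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            # The last objectClass value is the most specific one, e.g. publicFolder.
            ObjectClass       = [string]($r.Properties['objectclass'] | Select-Object -Last 1)
            ProxyAddresses    = @($r.Properties['proxyaddresses'])
        }
    }
    $results.Dispose()
}

Find-ProxyAddressOwner -SmtpAddress 'info@contoso.com' | Format-List
```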

Powershell command to quickly check licenses assigned to an Office365 user – Office365

Today I will share the PowerShell command I use to quickly see what licenses are provisioned for a user in Office 365. It’s faster than doing it via the admin panel and saves time.

First you will need to have the Microsoft Azure Active Directory Module installed for Windows PowerShell. You only need to do this once if you don’t already have this module installed.

To download this module for PowerShell, here are the OS requirements:-

  • Windows 10, Windows 8.1, Windows 8 or Windows 7 Service Pack 1 (SP1)
  • Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 SP1

Follow the steps here to install it:- https://docs.microsoft.com/en-us/office365/enterprise/powershell/connect-to-office-365-powershell


Connect to Azure AD for your office365 subscription:-

  1. In your PowerShell window, enter the commands below:-

$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential

Type your Office 365 Administrator account user name and password, and then click OK. Now you are ready to check user license.

  2. Enter the following command:-

(Get-MsolUser -UserPrincipalName myname@company.com).Licenses.ServiceStatus


You can now see the service plans and licenses assigned to the user.

Create a New SendConnector – Exchange 2010

Today we will create a new send connector for our Exchange 2010 server.

It’s always good to have your information ready and written down:-

  • Name of send connector to be created
  • SMTP address space – e.g *.mail.contoso.com
  • Smart hosts IP address – IP address of SMTP smarthost servers you want to associate this new connector with
  • Source servers that will route your emails – your Exchange hub transport servers

Once ready, you can run the Exchange PowerShell command below, replacing the values with your own information:-

New-SendConnector -Name "MYSENDCONNECTORNAME" -Usage Custom -AddressSpaces "SMTP:*.mail.contoso.com;1" -IsScopedConnector $true -DNSRoutingEnabled $false -SmartHosts "[192.168.11.12]","[192.168.11.13]" -SmartHostAuthMechanism None -UseExternalDNSServersEnabled $false -SourceTransportServers "LAB-HCP01","LAB-HCP02","LAB2-HCP01","LAB2-HCP02"

You can refer to the MS article below for full details about each important attribute to be configured on your send connector, such as:-

Usage type:- For Send connectors, the usage type is basically a descriptive label that identifies what the Send connector is used for. All usage type values receive the same permissions.

Network settings:- Configure how the Send connector routes mail: by using DNS or by automatically forwarding all mail to a smart host.

Address spaces :- Configure the destination domains that the Send connector is responsible for.

Scope :- Configures the visibility of the Send connector to other Exchange servers in the organization.

Source servers:- Configure the Exchange servers where the Send connector is hosted. Mail that needs to be delivered by using the Send connector is routed to one of the source servers.

(https://msdn.microsoft.com/en-us/library/aa998662(v=exchg.160).aspx)

NOTE:-  You can specify SMTP address spaces or non-SMTP address spaces on Send connectors that are configured on Hub Transport servers. You can only specify SMTP address spaces on Send connectors that are configured on Edge Transport servers.

Add SMTP Server IP to SendConnector – Exchange 2010

First get the existing information for your send connector and any smarthost IPs already configured.

Open the Exchange Management Shell and run:-

Get-SendConnector NAMEOFSENDCONNECTOR | fl identity, smarthosts, sourcetransportservers

Result:-

Identity: MYSENDCONNECTOR

SmartHosts : {[192.168.3.4]}

SourceTransportServers : {BB0-MOB4-HUB01, BB0-MOB2-HUB01}


From the above result we can see the old smarthost IP that we want to replace with the new one, and the source transport servers (Exchange hub transport servers) that this send connector applies to.

Now set the new IP via the Exchange Management Shell (this will replace the existing one if it already exists):-

Set-SendConnector NAMEOFSENDCONNECTOR -SmartHosts "192.168.3.5" -Confirm

Note:-
<smarthosts> parameter
This parameter takes one or more FQDNs, such as server.contoso.com, or one or more IP addresses, separated by commas. If you enter an IP address, you must enter the IP address as a literal as follows, for example: 10.10.1.1. The smart host identity can be the FQDN of a smart host server, a mail exchange (MX) record, or an address (A) record. If you configure an FQDN as the smart host identity, the source server for the Send connector must be able to use DNS name resolution to locate the smart host server.  (https://msdn.microsoft.com/en-us/subscriptions/aa998294(v=exchg.80).aspx)

To do this via the Exchange Management Console in Exchange 2010:- click Hub Transport -> Send Connectors -> double-click your send connector -> Network -> under route mail through the following send connector, edit to add the new IP and remove the old one if needed. Click OK to accept the changes and check that the new IP is added. Then test by doing a telnet to your new smarthost IP.
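
Because -SmartHosts overwrites the configured list, adding a host means passing the existing entries together with the new one, and the telnet test can be done in the same step before anything is changed. This is an added example, not part of the original post: Test-SmtpBanner and Add-SmartHost are hypothetical names, and the connector name and IP are the ones used above.

```powershell
# Added example (not from the original post); function names are hypothetical.
# Run it where the connector's mail leaves from, i.e. a source transport server.
function Test-SmtpBanner {
    param(
        [Parameter(Mandatory=$true)] [string] $Address,
        [int] $Port = 25,
        [int] $TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $null }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader -ArgumentList $stream
        return $reader.ReadLine()          # first greeting line, normally "220 ..."
    } catch {
        return $null                       # refused, reset or read timeout
    } finally {
        $client.Close()
    }
}

function Add-SmartHost {
    param(
        [Parameter(Mandatory=$true)] [string] $Connector,
        [Parameter(Mandatory=$true)] [string] $NewHost    # IP literal or FQDN
    )
    # Refuse to touch the connector unless the new host greets as an SMTP server.
    if ((Test-SmtpBanner -Address $NewHost) -notmatch '^220') {
        throw "No SMTP 220 greeting from ${NewHost}:25; connector left unchanged."
    }
    # SmartHosts displays IPs as [192.168.3.4]; strip the brackets to get plain literals.
    $current = @((Get-SendConnector $Connector -ErrorAction Stop).SmartHosts |
        ForEach-Object { "$_".Trim('[', ']') } | Where-Object { $_ })

    if ($current -notcontains $NewHost) {
        # Pass the full list: -SmartHosts replaces whatever is configured.
        Set-SendConnector $Connector -SmartHosts ($current + $NewHost) -Confirm
    }
    Get-SendConnector $Connector | Format-List Identity, SmartHosts, SourceTransportServers
}

Add-SmartHost -Connector 'NAMEOFSENDCONNECTOR' -NewHost '192.168.3.5'
```

To replace the old IP instead of keeping it, run the Set-SendConnector command shown earlier after the banner check passes.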
