Just a quick post on useful PowerShell commands to get some ActiveSync config and statistics. Basic, but I wanted them quickly accessible for my own reference :)
Get-MailboxStatistics -Identity username | fl
Get device statistics:
Get-ActiveSyncDeviceStatistics -Mailbox username
Get more info for a specific user, for example whether they have ActiveSyncAllowedDeviceIDs configured:
Get-CASMailbox -Identity username | fl *ActiveSync*
Get a list of users and info regarding their device:
Get-Mailbox -ResultSize:Unlimited | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox:$_.Identity} | ft Identity,Devicemodel,DeviceOS,DeviceUserAgent,DeviceType,LastSuccessSync
This outputs more or less the same result, using a different syntax:
$Mailboxes = Get-Mailbox -ResultSize Unlimited
$Devices = $Mailboxes | %{Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity}
$Devices | ft Identity,DeviceType,DeviceModel,DeviceOS,DeviceFriendlyName,DeviceUserAgent
To remove ONE of the DeviceIDs specified in ActiveSyncAllowedDeviceIDs:
$CasDevice = Get-CasMailbox username
$CasDevice.ActiveSyncAllowedDeviceIDs -= "12345111"
Set-CasMailbox username -ActiveSyncAllowedDeviceIDs $CasDevice.ActiveSyncAllowedDeviceIDs
Instead of allowing all users to use ActiveSync, I commonly configure the TMG/ISA to only allow a specific GROUP to sync. Then it would be great to be able to get a list of those users and their ActiveSyncAllowedDeviceIDs, just to double-check no user is configured incorrectly. Now, bear in mind I’m no PowerShell wizard, so if you have a way of doing this without involving a VBScript – please comment! I’d love to solve it without a script.
'***********************************************
' Bind to group with Distinguished Name.
'***********************************************
strGroup = "CN=GROUPNAME,OU=Organization,DC=lab,DC=com"
strOutput = "C:\Temp\ActiveSync_members.txt"
Set objGroup = GetObject("LDAP://" & strGroup)
Wscript.Echo "Outputs the members of the group: " & strGroup
Wscript.Echo "Both to screen and file: " & strOutput
Wscript.Echo ""
Set fso = CreateObject("Scripting.FileSystemObject")
'***********************************************
' Delete the output file if it already exists
'***********************************************
If fso.FileExists(strOutput) Then
    Set dFile = fso.GetFile(strOutput)
    dFile.Delete
End If
' 8 = ForAppending; True = create the file if it does not exist
Set ts = fso.OpenTextFile(strOutput, 8, True)
'***********************************************
' Get members
'***********************************************
For Each objMember In objGroup.Members
    Wscript.Echo objMember.sAMAccountName
    ts.WriteLine (objMember.sAMAccountName)
Next
ts.Close
Then we have a command that reads that file to get the result:
Get-Content C:\Temp\ActiveSync_members.txt | Foreach-Object {Get-CASMailbox -Identity $_ | select sAMAccountName,ActiveSyncAllowedDeviceIDs}
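The same group check done entirely in PowerShell, as an added example that is not part of the original post. It also flags mailboxes where group membership and the ActiveSyncEnabled setting disagree, and devices that have synced but are not in ActiveSyncAllowedDeviceIDs. Assumptions: the Exchange Management Shell is loaded, PowerShell 2.0 or later, `GROUPNAME` is the placeholder from the VBScript, and the CSV path is hypothetical.

```powershell
# Added example. Assumes the Exchange Management Shell is loaded (PowerShell 2.0+).
# 'GROUPNAME' is the placeholder used in the VBScript; the CSV path is hypothetical.
$GroupName = 'GROUPNAME'
$OutFile   = 'C:\Temp\ActiveSync_audit.csv'

# Resolve group members to DistinguishedNames. Nested groups and other
# non-user members are skipped because Get-User does not return them.
$MemberDNs = @((Get-Group $GroupName).Members | ForEach-Object {
    Get-User -Identity ([string]$_.ObjectGuid) -ErrorAction SilentlyContinue
} | ForEach-Object { $_.DistinguishedName })

$Report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $Cas     = $_
    $InGroup = $MemberDNs -contains $Cas.DistinguishedName
    # Only group members and ActiveSync-enabled mailboxes are of interest.
    if (-not $InGroup -and -not $Cas.ActiveSyncEnabled) { return }

    $Allowed = @($Cas.ActiveSyncAllowedDeviceIDs)
    # Device IDs that have actually partnered with this mailbox.
    $Seen = @(Get-ActiveSyncDeviceStatistics -Mailbox $Cas.DistinguishedName -ErrorAction SilentlyContinue |
        ForEach-Object { $_.DeviceID })

    $Findings = @()
    if ($InGroup -and -not $Cas.ActiveSyncEnabled) { $Findings += 'In group but ActiveSync disabled' }
    if ($Cas.ActiveSyncEnabled -and -not $InGroup) { $Findings += 'ActiveSync enabled but not in group' }
    if ($Allowed.Count -eq 0) {
        $Findings += 'No device allow list set'
    } else {
        $Unlisted = @($Seen | Where-Object { $Allowed -notcontains $_ })
        if ($Unlisted.Count -gt 0) { $Findings += 'Unlisted device: ' + ($Unlisted -join ',') }
    }

    New-Object PSObject -Property @{
        SamAccountName    = $Cas.SamAccountName
        InGroup           = $InGroup
        ActiveSyncEnabled = $Cas.ActiveSyncEnabled
        AllowedDeviceIDs  = $Allowed -join ';'
        SeenDeviceIDs     = $Seen -join ';'
        Findings          = $Findings -join ' | '
    }
} | Select-Object SamAccountName,InGroup,ActiveSyncEnabled,AllowedDeviceIDs,SeenDeviceIDs,Findings

$Report | Format-Table -AutoSize
$Report | Export-Csv -Path $OutFile -NoTypeInformation
```

The script only reads configuration and changes nothing; rows with an empty Findings column are consistent with the group.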
Hope you find them useful and please comment if you have any great PowerShell commands you often use.
How can I use the cmd below to get results for only iPad users? Can you help?
So in a csv file how can I pull Username, department and device (filtered)?
Thanks
Get-Mailbox -ResultSize:Unlimited | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox:$_.Identity} | ft Identity,Devicemodel,DeviceOS,DeviceUserAgent,DeviceType,LastSuccessSync
Here’s how I restrict my ActiveSync (and other mail protocol users). I set up a group for ActiveSync, EAS_Policy, POP3, IMAP, etc. I put the people in the appropriate group and schedule this PowerShell script to run at 6am, noon, and 6pm.
Watch the line wraps:
#This script checks the named Active Directory groups for membership and enables the protocol if the user is listed in the group or
#disables the protocol if the user is either removed from the group or never placed in the group to begin with.
#It can be scheduled to run via Windows Task Scheduler and is currently scheduled to run at 6am, noon, & 6pm.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
#Set POP3 access
$AD = (get-group 'Mail_POP_Enabled').members | select ObjectGuid | ForEach-Object {Get-User -Identity ([string]$_.ObjectGuid)} | select Name, DistinguishedName
$EX = Get-CASMailbox -resultsize unlimited | where {$_.PopEnabled} | select Name, DistinguishedName
$EX | ForEach-Object {if (($AD | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -PopEnabled $false}}
$AD | ForEach-Object {if (($EX | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -PopEnabled $true}}
#Set IMAP access
$AD = (get-group 'Mail_IMAP_Enabled').members | select ObjectGuid | ForEach-Object {Get-User -Identity ([string]$_.ObjectGuid)} | select Name, DistinguishedName
$EX = Get-CASMailbox -resultsize unlimited | where {$_.ImapEnabled} | select Name, DistinguishedName
$EX | ForEach-Object {if (($AD | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -ImapEnabled $false}}
$AD | ForEach-Object {if (($EX | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -ImapEnabled $true}}
#Set OutlookAnywhere access
$AD = (get-group 'Mail_OutlookAnywhere_Enabled').members | select ObjectGuid | ForEach-Object {Get-User -Identity ([string]$_.ObjectGuid)} | select Name, DistinguishedName
$EX = Get-CASMailbox -resultsize unlimited | where {$_.MAPIBlockOutlookRpcHttp -eq 0} | select Name, DistinguishedName
$EX | ForEach-Object {if (($AD | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -MAPIBlockOutlookRpcHttp $true}}
$AD | ForEach-Object {if (($EX | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -MAPIBlockOutlookRpcHttp $false}}
#Set ActiveSync access
$AD = (get-group 'Mail_ActiveSync_Enabled').members | select ObjectGuid | ForEach-Object {Get-User -Identity ([string]$_.ObjectGuid)} | select Name, DistinguishedName
$EX = Get-CASMailbox -resultsize unlimited | where {$_.ActiveSyncEnabled} | select Name, DistinguishedName
$EX | ForEach-Object {if (($AD | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -ActiveSyncEnabled $false}}
$AD | ForEach-Object {if (($EX | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -ActiveSyncEnabled $true}}
#Assign Android ActiveSync Policy (EAP)
$AD = (get-group 'Mail_ActiveSync_Android').members | select ObjectGuid | ForEach-Object {Get-User -Identity ([string]$_.ObjectGuid)} | select Name, DistinguishedName
$EX = Get-CASMailbox -resultsize unlimited | where {$_.ActiveSyncMailboxPolicy -eq "Android"} | select Name, DistinguishedName
$EX | ForEach-Object {if (($AD | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -ActiveSyncMailboxPolicy $null}}
$AD | ForEach-Object {if (($EX | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -ActiveSyncMailboxPolicy "Android"}}
What is the command to check or monitor ActiveSync users using certificate-based authentication?