There Is No Editor Registered To Handle This Attribute Type

KB ID 0001837

Problem

If you attempt to edit the authOrig attribute of a mail enabled group using ADSIedit you will get the following error.

There is no editor registered to handle this attribute type.

Why would you be doing this? This is done when you want to restrict who can email a group.

Solution

If you are running on-premises Microsoft Exchange (or are running in Hybrid Exchange mode, and have retained an Exchange server for management), you can simply use the Exchange Admin Center to add the person or group that you want to restrict access to.

Recipients > Groups > Group-Name > Edit > Delivery Management > Set accordingly.

Note: As I’m in Hybrid mode, and have AAD Sync set up, if I attempt to look at this group in O365 / Exchange Online, it simply says:

You can only manage this group in your on premises environment. Use Active Directory users and groups, or Exchange AdminCenter tools to edit or delete this group.

Technical Pedantry: The fact it’s been called ‘Active Directory Users and Computers‘ since Windows 2000 makes my OCD flinch at that comment.

Use PowerShell

You can (if you have no access to Exchange Management tools) simply use PowerShell, the syntax is as follows.

[box]

Set-ADGroup -Identity "The-Group" -Server The-Domain-Controller -Add @{authOrig=@('The User or Group to Grant access to')}

e.g.

Set-ADGroup -Identity "CN=DG-Test-Disty-Group,CN=Users,DC=pnl,DC=com" -Server PNL-MGMT.pnl.com -Add @{authOrig=@('CN=Pete Long,CN=Users,DC=pnl,DC=com')}

[/box]

Then to prove it’s not all ‘smoke and mirrors’ you can go back to ADSIedit and check.
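As an alternative to checking one group at a time in ADSIedit, the following added example (not part of the original article) reports the sender restrictions on every mail-enabled group in the domain. The server name is the article's example value; the attributes other than authOrig are the Exchange schema attributes that sit alongside it, and the script assumes the Exchange schema extensions are present.

```powershell
Import-Module ActiveDirectory

$server = 'PNL-MGMT.pnl.com'   # domain controller from the article's example
$attrs  = 'mail', 'authOrig', 'dLMemSubmitPerms', 'unauthOrig', 'msExchRequireAuthToSendTo'

# Count only real values, whether the attribute comes back as $null or as an empty collection
function Get-ValueCount($value) { @($value | Where-Object { $_ }).Count }

$report = Get-ADGroup -LDAPFilter '(&(objectCategory=group)(mail=*))' -Server $server -Properties $attrs |
    ForEach-Object {
        $allowSenders = Get-ValueCount $_.authOrig          # accept only from these senders
        $allowGroups  = Get-ValueCount $_.dLMemSubmitPerms  # accept only from members of these groups
        [pscustomobject]@{
            Group          = $_.Name
            Mail           = $_.mail
            AllowedSenders = $allowSenders
            AllowedGroups  = $allowGroups
            BlockedSenders = Get-ValueCount $_.unauthOrig
            RequireAuth    = $_.msExchRequireAuthToSendTo
            # No allow-list at all means any (authenticated) sender can mail the group
            Restricted     = ($allowSenders + $allowGroups) -gt 0
        }
    }

$report | Sort-Object Restricted, Group | Format-Table -AutoSize

# Resolve each DN on restricted groups so stale or deleted entries stand out
foreach ($g in Get-ADGroup -LDAPFilter '(&(objectCategory=group)(mail=*)(authOrig=*))' -Server $server -Properties authOrig) {
    foreach ($dn in $g.authOrig) {
        try {
            $o = Get-ADObject -Identity $dn -Server $server -ErrorAction Stop
            '{0}: {1} ({2})' -f $g.Name, $o.Name, $o.ObjectClass
        } catch {
            '{0}: {1} (NOT FOUND)' -f $g.Name, $dn
        }
    }
}
```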

Related Articles, References, Credits, or External Links

NA

PowerShell to Exchange Online

KB ID 0001814

Problem

While attempting to PowerShell to Exchange Online today, I tried to do this by using my usual method, and repeatedly got this error.

[box]

New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following
error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

[/box]

I double checked the username/password was correct, and that the user was a global admin.

PowerShell to Exchange Online: Solution

After some searching it would seem that if the user is using MFA or you need to connect via modern authentication this can happen! Open an administrative PowerShell window, and execute the following commands;

[box]

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

# Then press A {Enter}

Install-Module -Name PowerShellGet -Force

# If prompted, press Y and {Enter}

Install-Module -Name ExchangeOnlineManagement -Force
Connect-ExchangeOnline -UserPrincipalName username@domain.com -ShowProgress $true

# Log on interactively

[/box]

Then continue as normal.


Group Won’t Accept Mail From ‘Outside’

KB ID 0001771

Problem

Exchange has been this way for a long time; here’s me explaining this very problem with older versions of Exchange. If you create a ‘Group’, be that a Distribution Group, or a ‘Microsoft 365’ Group, the default setting is to NOT ALLOW mail from anyone outside your organisation. If you attempt to send mail to that group you will see errors like these;

Errors;

550 5.7.133 RESOLVER.RST.SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender was not authenticated when sending to this group

550 5.7.133 RESOLVER.RST.SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender not authenticated when sending to the group’

550 5.7.193 UnifiedGroupAgent; Delivery failed because the sender isn’t a group member or external senders aren’t permitted to send to this group.

Allow External Senders (On Premises & Hybrid Exchange)

If you have your own on premises Exchange server, this includes those of you that have migrated to Exchange online, but are in Hybrid Mode and are syncing your domain objects into Microsoft/Office 365 (Azure). Then you should change this setting in the on premises Exchange Admin Centre.

Recipients > Groups > Select the group in question  > Edit > Delivery Management > Change to ‘Senders inside and outside of my organisation’ > Save.

Note: Remember in hybrid mode this will need to sync to Microsoft online, so apply the ‘cup of coffee rule’ before testing it.

Allow External Senders Office/Microsoft 365 (Exchange Online)

Classic Exchange Admin Center

Recipients > Groups > Select the group in question  > Edit > Delivery Management > Change to ‘Senders inside and outside of my organisation’ > Save.

 

New Exchange Admin Center

Microsoft 365 Groups: Recipients > Groups > Microsoft 365 > ‘Double Click’ the group in question > Settings  > Allow external senders to email this group > Save.

Distribution Groups: Recipients > Groups > Distribution List > ‘Double Click’ the group in question > Settings  > Edit Delivery Management.

Allow messages from people inside and outside my organisation > Save changes.


No Mail Flow On-Premises To/From Office 365

KB ID 0001631

Problem

I upgraded my On-Premises Hybrid Exchange server recently, from Exchange 2016 to Exchange 2019. I remembered to add the new server onto the Office 365 send connector, but there was no mail flow between an on premises mailbox and an office365 mailbox?

Solution

This happens because (even if you are using the same certificate on the new and old servers) the certificate that is used for TLS security between your on-premises Exchange server and Exchange Online does not get ‘embedded’ properly on the send/receive connectors. You may see either (or both) of the following two problems.

Check The Office 365 Mail Flow

Log into Office 365 > Admin > Exchange Admin Center > Mail Flow > Connectors > Select the ‘Outbound’ connector > Validate this connector.

Herein lies the problem!

450 4.4.317 Cannot connect to remote server [Message=SubjectMismatch] [LastAttemptedServerName={on-prem-fqdn}] [LastAttemptedIP={on-prem-ip}}:25] [{outlook-FQDN}]

At first I thought the on-premises server was presenting the wrong cert for TLS, turns out it was not presenting a cert at all! You can check by executing the following command on the RECEIVE CONNECTOR;

[box]

Get-ReceiveConnector "{SERVER-NAME}\Default Frontend {SERVER-NAME}" | fl TlsCertificateName  

[/box]

If it returns no entry, then you simply need to attach the correct certificate. To do that, first get the ‘thumbprint’ of the correct certificate;

[box]

Get-ExchangeCertificate  

[/box]

Copy the correct thumbprint, and embed it with the following commands;

[box]

$tlscert=Get-ExchangeCertificate {THUMBPRINT}
$tlscertname="<I>$($TLScert.Issuer)<S>$($TLSCert.Subject)"
Get-ReceiveConnector "{SERVER_NAME}\Default Frontend {SERVER_NAME}" | Set-ReceiveConnector -TlsCertificateName $tlscertname
Restart-Service MSExchangeTransport

[/box]

Now test validation again from Office 365 portal.

Check The Office On-Premises Mail Flow

To do this, open Exchange Tools > Queue Viewer, and you will probably see something like this;

454 4.7.5 The certificate specified in TlsCertificateName of the SendConnector could not be found.

To fix this, the procedure is much the same as above, only this time you perform the procedure on the SEND CONNECTOR;

Note: I’m assuming you are using the same Thumbprint you used above.

[box]

$tlscert=Get-ExchangeCertificate -Thumbprint {THUMBPRINT}
$tlscertname = ('<I>'+$tlscert.issuer+'<S>'+$tlscert.subject)
Set-SendConnector -Identity "Outbound to Office 365" -TLSCertificateName $tlscertname
Restart-Service MSExchangeTransport

[/box]

By the time you go back to Queue viewer the queues should have started to empty.
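Both failures above come down to a connector's TlsCertificateName not matching an installed certificate. The following added example (not from the original article) checks every send and receive connector against the installed SMTP-enabled certificates in one pass. It assumes it is run in the Exchange Management Shell on the on-premises server and that TlsCertificateName renders as the same "<I>issuer<S>subject" string built in the commands above.

```powershell
$now = Get-Date

# Build the "<I>issuer<S>subject" name for every installed certificate with SMTP enabled
$certs = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'SMTP' } |
    ForEach-Object {
        [pscustomobject]@{
            Name       = "<I>$($_.Issuer)<S>$($_.Subject)"
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
        }
    }

# Collect both connector types into one list
$connectors  = @(Get-ReceiveConnector | Select-Object @{n='Type';e={'Receive'}}, Identity, TlsCertificateName)
$connectors += @(Get-SendConnector    | Select-Object @{n='Type';e={'Send'}},    Identity, TlsCertificateName)

$result = foreach ($c in $connectors) {
    $name  = [string]$c.TlsCertificateName
    # If the certificate was renewed, several installed certs share the same name: take the newest
    $match = $certs | Where-Object { $_.Name -eq $name } |
             Sort-Object NotAfter -Descending | Select-Object -First 1

    $status = if (-not $name)                   { 'No certificate set' }
              elseif (-not $match)              { 'Named certificate not installed' }
              elseif ($match.NotAfter -lt $now) { 'Certificate expired' }
              else                              { 'OK' }

    [pscustomobject]@{
        Type       = $c.Type
        Connector  = [string]$c.Identity
        Status     = $status
        Thumbprint = $match.Thumbprint
        NotAfter   = $match.NotAfter
    }
}

$result | Sort-Object Status, Type | Format-Table -AutoSize
```

Connectors that never carry the Office 365 traffic can legitimately show 'No certificate set'; the ones to act on are the "Default Frontend" receive connector and the "Outbound to Office 365" send connector.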


Office 365 Retention Policies

KB ID 0001620

Problem

Most things in Office 365 operate on a 30 day retention principle, but what if you are governed by restrictions that require you to retain your data for 5 years or 7 years in some cases? We have had Retention policies in Exchange for years, and I knew you could create a policy in exchange online, but what about OneDrive or SharePoint data?

Well with O365 you can specify a ‘top level’ retention policy that applies to ‘most’ of your data. I say most because some application data is not 100% retained.

BE AWARE: Despite the name containing ‘retention’ this is also how you specify when to automatically delete old files (if that is MORE your requirement).

Solution

From Office 365 admin > Admin Centers > Security and Compliance.

Information governance > Retention > Create.

Give your policy a name > Next.

Obviously we want to choose ‘Yes I want to retain’ > I would change the retain based on to ‘when it was last modified’ > Next.

Note: You can choose the second option to automatically delete files that are a certain age.

Note2: You can add a specific policy for files containing certain words/phrases or specific date i.e. financial, (at present this does not apply to Teams).

Specify ‘What’ you want to apply the policy to, by default it’s off for Skype and Teams Data, and Exchange public folders strangely? > Next.

Review the settings > Create this policy.

 

Office 365 Retention Policies via PowerShell

As usual, you can do similar things with PowerShell;

[box]

New-RetentionCompliancePolicy -Name "PeteNetLive-Retention-Policy" -ExchangeLocation All -SharePointLocation All -ModernGroupLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name "PeteNetLive-Retention-Policy-Rule" -Policy "PeteNetLive-Retention-Policy" -RetentionDuration 2555

[/box]

Note: 2555 Days is 7 years.


Exchange Exporting Mailboxes to PST Files

KB ID 0001360

Problem

Applicable To: This procedure works on all versions of Exchange Newer than Exchange 2010 SP1 (update rollup 8). If your Exchange server is OLDER than that you will need to use the following link;

Exchange 2007 / 2010 (Pre SP1)- Export Mailbox’s to PST files

The following procedure exports a user mailbox to a PST file on a network share.

Solution

Note: Not even ‘Exchange Organisation Administrators’ have the right to import / export mailboxes; you need to grant those rights to your user object (or a better approach would be to create an admin account just for this purpose, then delete it when you are finished).

[box]

New-ManagementRoleAssignment -Role "Mailbox Import Export" -User {username}

[/box]

Note: This grants import, and export rights.

Create a file share on a drive with plenty of space, ensure the Exchange Trusted Subsystem has read / write access. And ensure the SYSTEM account has full control.

To create the ‘Export Request’

[box]

New-MailboxExportRequest -Mailbox "mailbox-alias" -FilePath \\server-name\share\file-name.pst

[/box]

Note: Add “-IsArchive” to the end of the command for Archive Mailboxes.
Note2: If the export repeatedly fails, add -BadItemLimit 200 to the end and try again; you can also use -AcceptLargeDataLoss in exceptional circumstances.

To view progress;

[box]

Get-MailboxExportRequest
# OR
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics

 

[/box]

When complete, you need to remove the export request(s);

[box]Get-MailboxExportRequest | Remove-MailboxExportRequest
# OR (if you still have export requests running)
Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest[/box]
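The role granted at the start gives access to the contents of any mailbox, so it is worth revoking once the exports are done. The following added example (not from the original article) lists who holds "Mailbox Import Export" and removes the direct assignment for the export account; the account name svc-pst-export is a hypothetical placeholder.

```powershell
# Run in the Exchange Management Shell after the exports have finished.
$role        = 'Mailbox Import Export'
$exportAdmin = 'svc-pst-export'   # hypothetical account name, substitute your own

# 1. Are any export requests still queued or running? If so, do not revoke yet.
$open = @(Get-MailboxExportRequest | Where-Object { "$($_.Status)" -ne 'Completed' })

if ($open.Count -gt 0) {
    $open | Format-Table Name, Mailbox, Status -AutoSize
    Write-Warning "$($open.Count) export request(s) not completed; leaving the role assignment in place."
}
else {
    # 2. Everyone who effectively holds the role, directly or through a group
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType, Name |
        Format-Table -AutoSize

    # 3. Remove only the assignment made directly to the export account
    Get-ManagementRoleAssignment -Role $role -RoleAssignee $exportAdmin -AssignmentMethod Direct |
        Remove-ManagementRoleAssignment -Confirm:$false

    # 4. Confirm the account no longer appears among the effective users
    $still = Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $exportAdmin }
    if ($still) { Write-Warning "$exportAdmin still holds '$role' via $($still.RoleAssigneeName)." }
    else        { "$exportAdmin no longer holds '$role'." }
}
```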

Using Content Filters

You can specify a content filter to only export emails after a certain date, e.g. all mail received after 01/01/17;

[box]New-MailboxExportRequest -Mailbox {mailbox-alias} -ContentFilter {(Received -gt '01/01/2017')} -FilePath \\{server-name}\{folder}\{file-name}.pst[/box]

Or to export emails between two dates;

[box]New-MailboxExportRequest -ContentFilter {(Received -lt '31/12/2018') -and (Received -gt '31/12/2017')} -Mailbox {mailbox-alias} -FilePath \\{server-name}\{folder}\{file-name}.pst[/box]

Using IncludeFolders (and Exclude Folders)

You can specify IncludeFolders (or ExcludeFolders) to only export emails from certain folders, e.g.

Only export Inbox (and sub-folders) and Sent Items;

[box]New-MailboxExportRequest -IncludeFolders "#Inbox#/*","#SentItems#" -Mailbox {mailbox-alias} -FilePath \\{server-name}\{folder}\{file-name}.pst[/box]

Don’t Export Sent Items and Deleted Items;

[box]New-MailboxExportRequest -ExcludeFolders "#SentItems#","#DeletedItems#" -Mailbox {mailbox-alias} -FilePath \\{server-name}\{folder}\{file-name}.pst[/box]

Export ALL Mailboxes to  PST

[box]foreach ($Mailbox in (Get-Mailbox)) { New-MailboxExportRequest -Mailbox $Mailbox -FilePath "\\{server-name}\{folder-name}\$($Mailbox.Alias).pst" }[/box]

Related Articles, References, Credits, or External Links

Exchange 2000 / 2003 – Exporting Mail to .pst files with ExMerge

Exchange (2010 Post SP1 and Newer) Bulk Importing Mail From PST Files

Hybrid Exchange: ‘Mailbox Delegation’ Missing?

KB ID 0001607

Problem

This was asked on EE this morning, if you are on a Hybrid Exchange environment then you cannot allocate Mailbox Delegation to an Office365 mailbox;

However you can add ‘Mailbox Delegation’ to a ‘local mailbox’.

This is completely normal behaviour, to allocate mailbox delegation permissions to your Office 365 mailboxes, you need to use PowerShell.

Managing Mailbox Delegation Permissions in Office 365

I’ve covered elsewhere how to do this, but first connect to Office 365;

View Office 365 Mailbox Delegation Permissions

[box]

Get-MailboxPermission -Identity "Alias or email" | Format-Table

[/box]

Add Office 365 Mailbox Delegation Permissions

[box]

Add-MailboxPermission -Identity "Alias or Email of account granting rights TO" -User "Alias or Email of account granting rights FROM" -AccessRights FullAccess -InheritanceType All

[/box]

To check it worked simply use the Get-Mailboxpermission again;

Remove Office 365 Mailbox Delegation Permissions

[box]

Remove-MailboxPermission -Identity "Alias or Email of account removing rights TO" -User "Alias or Email of account removing rights FROM" -AccessRights FullAccess -InheritanceType All

[/box]
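Because these delegations are invisible in the on-premises console, it is easy to lose track of them. The following added example (not from the original article) lists every explicitly granted FullAccess permission in the tenant and then ranks delegates by how many mailboxes they can open. It assumes an existing Connect-ExchangeOnline session.

```powershell
# Collect explicit (non-inherited, non-deny) FullAccess grants for every mailbox
$explicit = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = [string]$_.PrimarySmtpAddress
    Get-MailboxPermission -Identity $mbx |
        Where-Object {
            -not $_.IsInherited -and
            -not $_.Deny -and
            "$($_.User)" -notlike 'NT AUTHORITY\*' -and        # skip the owner's own SELF entry
            ($_.AccessRights -join ',') -match 'FullAccess'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox  = $mbx
                Delegate = [string]$_.User
            }
        }
}

# Per-mailbox view: who can open what
$explicit | Sort-Object Mailbox, Delegate | Format-Table -AutoSize

# Per-delegate view: accounts with access to the most mailboxes first
$explicit | Group-Object Delegate |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```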


Exchange: ‘Can’t find the Organizational Unit that you specified’

KB ID 0001561

Problem

I’ve not actually seen this myself, but it was asked on a forum, and I managed to replicate it on the bench. When working on a user or mailbox in Exchange  you may see the following error;

Error
Can’t find the organisational unit that you specified, Make sure that you have typed the OU’s identity correctly

Solution

This happens because you have a ‘Slash’ ‘/’ in the name of the Organisational Unit that the user object is inside in Active Directory, like so;

Rename the OU to something more sensible!

Why does this happen? It’s because when there’s a slash in the OU name, like ‘MyOU/Name’ it gets rejected by the system, as programmatically it should be ‘MyOU\/Name’.

I Don’t Have a Forward Slash in My OU Name, and I’m Still Seeing this Error?

Make sure your user is NOT in a ‘Container’ rather than an OU. In the example above you can see the icon for ‘Users’ is different from the icon for ‘PNL’ or ‘Test’; that’s because this is NOT an OU, it’s a container. Move your user to an OU, then try again. Note: This can happen to the Administrator account as well, because that’s in a container called ‘Builtin’.


Office 365: Stop One User Sending Attachments

KB ID 0001544

Problem

If you have one, (or more) users and you want to BLOCK those users from sending ANY email attachments, here’s how to do it;

Solution

Log into your Office 365 tenancy with administrative access > Admin > Admin Centers > Exchange Admin > Mail Flow > Rules > Add > Filter Message By Size.

Name: Give it a sensible name.
Apply This Rule If: The message size is greater than or equal to = 1.00 KB (we will change this in a minute!)
The Sender Is: Add the user(s) in question.
Do The Following: Reject the message with the explanation = “Enter some sensible text”.

Scroll down.

Tick: Stop processing more rules.

Save.

Now this blocks all attachments over 1KB (1024 bytes), but this still lets a user send a smaller attachment! The ONLY way to fix that, is to drop the limit using PowerShell.

Connect to Office 365 Exchange PowerShell

Then use the following syntax;

[box]

Set-TransportRule -Identity "Name" -AttachmentSizeOver 1B

[/box]

 


Office 365: Allow Mail Relay Through Exchange Online

KB ID 0001480

Problem

If you are used to running ‘on-prem’ Exchange, then allowing an IP/Hostname to relay mail (send mail through without authenticating) is handy for things like older multifunction scanners, or applications that need to send emails. Now you SHOULD be sending mail through Office 365 ‘authenticated’, but that’s not always possible.

Solution

From Office 365, launch the Exchange admin console.

Mail flow > Connections > Add.

From: Your Organisations email server.

To: Office 365

Give the connector a sensible name > Next.

Enter the PUBLIC IP or PUBLIC HOSTNAME > Next.

WARNING: Where possible ensure this IP is only used by the internal host that needs to relay. If you only have one public IP (and you NAT/PAT all your internal IPs to this public IP), then filter the hosts that can send mail ‘outgoing’ on your firewall. If you don’t, and an internal client gets infected, it will be able to send unauthenticated mail through your Office 365 account!


Save.

Related Articles, References, Credits, or External Links

Allow a Server to “Relay” Through Microsoft Exchange