Recovering deleted mail items

It’s pretty common (and yes, annoying) for people to inadvertently delete mail from time to time.

If the deletion occurs within your Exchange database’s retention period you can use the single item recovery feature to retrieve it without using backup software.

For example, let’s say items were deleted from Fred Agave’s mailbox, named "fagave". Fred is looking for mail from Napoleon with a subject containing the word "Elba". You can search Fred’s mailbox for all items meeting those criteria with the following PowerShell command:

Search-Mailbox fagave -SearchQuery "from:'Napoleon' AND Elba" -TargetMailbox "fagave" -TargetFolder "Recovered Mail" -LogLevel Full

Mail found by the search is copied into a folder named Recovered Mail, which the command creates in the target mailbox.
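An added example (not from the original post) that builds on the command above: it first estimates how many items match without copying anything, then searches only the Recoverable Items (dumpster) folders and copies the hits into the recovery folder with full logging. The mailbox name and query terms are assumed values.

```powershell
# Added example: estimate-then-copy recovery of deleted items for one mailbox.
# Mailbox name and query are assumed values for illustration.
$Mailbox = 'fagave'
$Query   = 'from:"Napoleon" AND subject:"Elba"'

# Dry run: count matching items without copying anything.
$estimate = Search-Mailbox -Identity $Mailbox -SearchQuery $Query `
    -SearchDumpsterOnly -EstimateResultOnly

if ($estimate.ResultItemsCount -eq 0) {
    Write-Host "No deleted items in $Mailbox match the query; nothing to recover."
    return
}

Write-Host ("{0} item(s) match; copying into '{1}\Recovered Mail'" -f $estimate.ResultItemsCount, $Mailbox)

# Copy only from the dumpster so items still in live folders are not duplicated,
# and keep a full log (delivered to the target folder as a message with a CSV attachment).
$result = Search-Mailbox -Identity $Mailbox -SearchQuery $Query -SearchDumpsterOnly `
    -TargetMailbox $Mailbox -TargetFolder 'Recovered Mail' -LogLevel Full

$result | Format-List Identity, TargetMailbox, TargetFolder, ResultItemsCount, ResultItemsSize
```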

For a more detailed treatment of this topic, go to the Technet blog…

Restoring a disabled or soft-deleted mailbox

Let’s say a user has left the company (or perhaps gone on extended leave): their Active Directory user account was disabled or deleted, and the Exchange mailbox along with it.

Now let’s say they’re rehired or return. If this happens within your Exchange server’s mailbox database retention period, it’s possible to reconnect the detached mailbox object to the user’s new (or reactivated) AD account.

Here’s how.

Step 1.) Find your disconnected mailbox by running the following command from the Exchange Management Shell:

Get-MailboxDatabase | Get-MailboxStatistics | where {$_.DisconnectReason -ne $null} | ft DisplayName,Database,DisconnectReason -AutoSize

Note: Pay attention to the mailbox database listed for the disconnected mailbox; you’ll need it to reconnect the mailbox to its original database location.

Step 2.) (If necessary) Create the AD user account to which the mailbox will be reconnected.

Step 3.) Run the following PowerShell command, which reconnects the orphaned mailbox object to the AD account:

Connect-Mailbox -Identity "Mailbox Name" -Database "Database Name" -User "AD User Name"

So, for example…

Connect-Mailbox -Identity "jdoe" -Database "Database One" -User "John Doe"

This connects the mailbox with the name (identity) jdoe to the Active Directory account named John Doe.
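The three steps above wrapped into one function, as an added example that is not from the original post: it reuses the Step 1 query to find the disconnected mailbox, refuses to proceed unless the name matches exactly one mailbox, and reconnects by GUID on the database it was found in. The function name and the sample account names are assumptions.

```powershell
# Added example: locate a disconnected mailbox by display name, make sure the match is
# unambiguous, and reconnect it to the given AD account on the database it came from.
function Restore-DisconnectedMailbox {
    param(
        [Parameter(Mandatory=$true)][string]$DisplayName,  # e.g. 'John Doe'
        [Parameter(Mandatory=$true)][string]$User          # AD account (sAMAccountName or UPN)
    )

    # Same query as Step 1, narrowed to the requested display name.
    # @() keeps .Count meaningful when only one object comes back.
    $found = @(Get-MailboxDatabase | Get-MailboxStatistics |
        Where-Object { $_.DisconnectReason -ne $null -and $_.DisplayName -eq $DisplayName })

    # Refuse to guess: two disconnected mailboxes with the same name (for example an
    # older soft-deleted copy and a newer disabled one) need a human to pick the GUID.
    if ($found.Count -ne 1) {
        throw "Expected exactly one disconnected mailbox named '$DisplayName', found $($found.Count)."
    }
    $mbx = $found[0]

    Write-Host "Reconnecting $($mbx.DisplayName) (reason: $($mbx.DisconnectReason), disconnected $($mbx.DisconnectDate)) from database $($mbx.Database)"

    # Identify the mailbox by GUID rather than by name, and use the database it was found in.
    Connect-Mailbox -Identity $mbx.MailboxGuid -Database $mbx.Database -User $User
}

# Usage (assumed names):
# Restore-DisconnectedMailbox -DisplayName 'John Doe' -User 'jdoe'
```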

Exchange 2010 and Certificates

Exchange 2010 uses secure (SSL) communication for a variety of its key functions, both with clients and between Exchange servers.

The article linked at the bottom describes these functions in detail. Although it focuses on Exchange 2007, essentially all of it still applies to version 2010.

Here’s an excerpt:

There are several components in Exchange 2007 that rely on certificates for encryption, authentication or both. In this article I will provide you with an overview of the different Exchange components that use certificates. I will then go deeper into the features of the by-default generated self-signed certificate. In part 2 of this article I will cover the naming requirements of a certificate you need to keep in mind when getting your certificates. To end, in part 3 of this article I will take a closer look at the different Exchange Management Shell cmdlets that are available to create, manage, and remove Exchange certificates.

Full at –

Certificate Principal Mismatch Errors

I ran the Exchange Best Practices Server Analyzer tool and it reported, among other things, a “Certificate Principal Mismatch” on one of the servers in my DAG.

Here’s what Microsoft has to say:

If the common name of the certificate does not match the URL that Analyzer used to access the resource, the tool issues a Certificate Principal Mismatch warning message. This means that users may not be able to connect to their mailboxes by using Microsoft Office Outlook® Web Access for Microsoft Exchange Server 2003, for Outlook Anywhere for Exchange Server 2007, for Exchange Server ActiveSync, or for RPC over HTTP.

In this scenario, users may repeatedly be prompted for credentials when they try to connect to Exchange, or users may receive the following error message when they try to connect to the Exchange resource…

full at

The gist is that the certificate principal name configured on the Outlook provider must match a name on the certificate Exchange presents to clients.

Here are some PowerShell commands:

To view the current setting:


To change the setting (Outlook uses this value when connecting to Exchange via Outlook Anywhere):

Set-OutlookProvider EXPR -CertPrincipalName:"msstd:<FQDN used>"

for example:

Set-OutlookProvider EXPR
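An added check (not from the original post) for the mismatch described above: it reads the EXPR provider’s CertPrincipalName and verifies that the name appears on a certificate enabled for IIS, which is what Outlook Anywhere clients are shown. The function name is an assumption.

```powershell
# Added example: compare the EXPR (Outlook Anywhere) certificate principal name with the
# names on the certificate(s) bound to IIS, and report a principal mismatch before Outlook does.
function Test-OutlookAnywhereCertPrincipal {
    $provider  = Get-OutlookProvider EXPR
    $principal = $provider.CertPrincipalName

    if (-not $principal) {
        Write-Warning 'EXPR has no CertPrincipalName set; nothing to compare.'
        return $null
    }

    # The setting is stored as "msstd:<name>"; strip the prefix for comparison.
    $expected = $principal -replace '^msstd:', ''

    # Only certificates enabled for the IIS service are presented to Outlook Anywhere clients.
    $iisCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' })

    foreach ($cert in $iisCerts) {
        # CertificateDomains holds the subject CN plus any subject alternative names,
        # so a wildcard entry such as *.contoso.com is matched literally.
        if ($cert.CertificateDomains -contains $expected) {
            Write-Host "OK: '$expected' is on certificate $($cert.Thumbprint) ($($cert.Subject))"
            return $true
        }
    }

    Write-Warning "Principal mismatch: '$expected' is not a name on any IIS-enabled certificate."
    $iisCerts | Format-Table Thumbprint, Subject, CertificateDomains -AutoSize | Out-Host
    return $false
}

# Usage: a $false result means Set-OutlookProvider EXPR -CertPrincipalName needs to be
# pointed at a name that actually appears in the table printed above.
# Test-OutlookAnywhereCertPrincipal
```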

CAS Access Troubleshooting

This Microsoft KB article details troubleshooting Outlook (various versions) connectivity to Client Access Servers.

After you’ve installed the Client Access server role on a computer running Microsoft Exchange Server 2010, you may have to test the functionality of the server or solve problems related to client connectivity. The following information will help you troubleshoot common errors and test to ensure that your Client Access server is configured correctly.

More at

Auditing Mailbox Access

A nice overview of permissions auditing (focused on Exchange 2007 but still relevant) from

“In every organization, there are always mailboxes with sensitive information. These might be the mailboxes of the CEO, directors, users from the HR or Payroll departments, or simply mailboxes for which you have to perform discovery actions to demonstrate compliance with regulatory or legal requirements. Although normally administrators are not concerned with the content of users’ mailboxes, there might be someone less honest who attempts to access someone’s mailbox in order to obtain information of value for their own benefit.”

full at

Archiving Requirements

A general (and mostly non-technical) overview of Exchange 2010’s archiving feature:

Microsoft Exchange Server 2010 accounts can be set up with a Personal Archive by your Exchange administrator. This is a specialized Exchange mailbox in addition to your primary Exchange mailbox. In Microsoft Outlook 2010, the Personal Archive appears in the Navigation Pane beneath your primary Exchange mailbox folders.

Full at

Generate a report of ActiveSync users

Some examples of the script logic in action:

1.) Create a variable ($EASMailboxes) and load the mailbox data for users with ActiveSync enabled:

$EASMailboxes = Get-CASMailbox -Filter {HasActiveSyncDevicePartnership -eq $True -and DisplayName -notlike "CAS_{*"} | Get-Mailbox

2.) With the variable defined, you can generate reports and pipe the output to a CSV file:

$EASMailboxes | Select SamAccountName,DisplayName,PrimarySMTPAddress | Export-CSV .\EASMailboxes.csv -NoTypeInformation

3.) A more detailed report:

$EASMailboxes | Select-Object SamAccountName, DisplayName, PrimarySMTPAddress, @{Name="EASDeviceCount";Expression={(Get-ActiveSyncDevice -Mailbox $_.Identity).Count}} | Export-CSV .\EASMailboxes.csv -NoTypeInformation
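An added example (not from the original post) that takes the three steps above one level deeper: instead of a device count per mailbox, it emits one row per ActiveSync device with its type, OS, access state and last successful sync, and flags partnerships that have not synced within a window. The 90-day window and the output file name are assumptions.

```powershell
# Added example: one row per ActiveSync device, flagging partnerships that have not synced
# successfully within $StaleDays. A stale partnership still holds a valid device pairing, so a
# phone that was lost or reassigned long ago is worth a follow-up before it is simply counted.
$StaleDays = 90
$cutoff    = (Get-Date).AddDays(-$StaleDays)

# Same mailbox selection as step 1.
$EASMailboxes = Get-CASMailbox -Filter {HasActiveSyncDevicePartnership -eq $True -and DisplayName -notlike "CAS_{*"} | Get-Mailbox

$report = foreach ($mbx in $EASMailboxes) {
    Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity | ForEach-Object {
        $last = $_.LastSuccessSync
        New-Object PSObject -Property @{
            SamAccountName  = $mbx.SamAccountName
            DisplayName     = $mbx.DisplayName
            DeviceType      = $_.DeviceType
            DeviceModel     = $_.DeviceModel
            DeviceOS        = $_.DeviceOS
            DeviceID        = $_.DeviceID
            AccessState     = $_.DeviceAccessState
            LastSuccessSync = $last
            # Never synced, or not within the window, counts as stale.
            Stale           = ($last -eq $null -or $last -lt $cutoff)
        }
    }
}

# Fix the column order (New-Object -Property does not preserve it) and export, as in step 2.
$report |
    Select-Object SamAccountName, DisplayName, DeviceType, DeviceModel, DeviceOS, DeviceID, AccessState, LastSuccessSync, Stale |
    Sort-Object SamAccountName, LastSuccessSync |
    Export-Csv .\EASDevices.csv -NoTypeInformation

# Quick summary of what needs attention.
$staleCount = @($report | Where-Object { $_.Stale }).Count
Write-Host "$staleCount device partnership(s) have not synced in the last $StaleDays days."
```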