Resolving DirSync user permission errors (another cool script)

Let’s start with this image. DirSync is unable to perform the appropriate reads and write-backs to these users.


This is because inheritance is blocked on these users, which is normal for members of Domain Admins. If someone does something stupid and applies the wrong permissions to the domain or an OU, those permissions won’t reach users that are members of Domain Admins. For example, what if we applied Deny all rights to the Everyone group at the domain level? It would basically break all access to Active Directory. So there is a built-in service on domain controllers that un-checks this box on members of the Domain Admins group… and keeps them from being completely locked out… but I’m getting off topic…

What we need to do to fix these DirSync issues is hunt down each of these users in Active Directory Users and Computers and perform a series of steps.

I labeled each of these steps with a number.

  1. Find the user, check the box to enable inheritance
  2. Click apply
  3. Un-check the box
  4. Choose Add, this will add the DirSync permissions onto the user
  5. Take a sip of coffee
  6. Click Apply
  7. Click Yes
  8. Click Ok

Wow, that’s a lot of clicking.

Here is a script to make it easy.

Step 1) Right-click on the error in DirSync and click Save to file…
It will be in XML format; call it whatever you want, like DirSyncErrors.xml


The XML file will look like this


Step 2) Run these two PowerShell commands from the directory where the XML file is located. This will extract the users’ distinguished names.

$xmlFile = [xml] (Get-Content ./DirSyncErrors.xml)
$xmlFile.SelectNodes('//export-error')|select -expand dn > UsersToFix.txt

The output will look like this text file. I called mine UsersToFix.txt


Now download the Quest ActiveRoles Management Shell tools from here:

Step 3) Create a script (I called it FixInheritance.ps1) with the following code. Start the Quest ActiveRoles Shell and run the script there.

$File = Get-Content './UsersToFix.txt' | Where-Object { $_.Trim() }   # skip blank lines
Foreach ($user in $File) {
    # Steps 1-2: enable inheritance so the DirSync permissions flow onto the user
    Set-QADObjectSecurity $user -UnlockInheritance
    # Steps 3-8: block inheritance again; the DirSync entries stay on the user as explicit ACEs
    Set-QADObjectSecurity $user -LockInheritance
}

This performs the same 8 steps shown above with a whole lot less clicking. Keep these scripts in your toolbox folder for future Office 365 deployments.
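The same eight-step fix done with the built-in ActiveDirectory module instead of the Quest cmdlets, as an added example that is not part of the original post; it reads the UsersToFix.txt produced in Step 2. The sync account name in $SyncAccount is an assumption and only drives the final check.

```powershell
# Added example (not the original script): enable inheritance, then re-block it while keeping
# the inherited entries as explicit ACEs, using Get-Acl/Set-Acl on the AD: drive.
# $SyncAccount is an assumption: the sAMAccountName of the DirSync service account.
Import-Module ActiveDirectory
$SyncAccount = "MSOL_ServiceAccount"

function Reset-DirSyncInheritance {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"

    # Steps 1-2: un-protect the DACL so the OU/domain permissions (including DirSync's) flow down
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl

    # Steps 3-8: protect it again, copying the inherited entries as explicit ones (the GUI's "Add")
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $path -AclObject $acl

    # Check: does the user now carry an explicit (non-inherited) ACE for the sync account?
    $acl = Get-Acl -Path $path
    $hasSyncAce = [bool]($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$SyncAccount" })
    [pscustomobject]@{
        User       = $DistinguishedName
        Protected  = $acl.AreAccessRulesProtected
        HasSyncAce = $hasSyncAce
    }
}

Get-Content .\UsersToFix.txt | Where-Object { $_.Trim() } |
    ForEach-Object { Reset-DirSyncInheritance -DistinguishedName $_ } | Format-Table -AutoSize
```

Protected accounts get their DACL rewritten periodically from the AdminSDHolder object, so the explicit entries only survive if the sync account's permissions are also granted on AdminSDHolder.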


Easily add Hybrid email address to users that don’t follow e-mail address policy

When attempting to move a mailbox to Office 365, one of the most common failures is the user not having the hybrid email address. This happens because the e-mail address policy check box is unchecked, which is done because the user has a custom email address that does not follow the conventions of the policy.

In other words, because the check box with the green arrow is unchecked, the email address with the red arrow is not created. The email address with the red arrow is the hybrid address. Its form is <mail alias>@<tenant name>. An example would be:


This first PowerShell one-liner finds all the mailbox users with this box unchecked and dumps the results into a CSV file.

Get-Mailbox -ResultSize Unlimited | Where {$_.EmailAddressPolicyEnabled -eq $False} |select Alias,PrimarySmtpAddress |export-csv -NoTypeInformation MailboxesPolicyUnchecked.csv

The second one I called “AddTenantHybridSMTP.ps1”; its contents are below. Without this script you would have to hunt down each of these users and check the box, click Apply, then un-check the box, designate the non-standard email address as the default, and click Apply again. (Whew, that’s a lot of clicking!)

This script just adds the hybrid address to the user.
You will want to change the tenant name to the appropriate value; I have it as XYZ.

$CSV = Import-CSV ./MailboxesPolicyUnchecked.csv
foreach ($entry in $CSV) {
    # Hybrid routing address <alias>@<tenant>.mail.onmicrosoft.com; the suffix was missing from the
    # pasted script and is assumed here. Replace XYZ with your tenant name.
    $TenantEmail = $entry.alias + "@XYZ.mail.onmicrosoft.com"
    # Added as a secondary address; the non-standard primary address is left untouched
    set-mailbox $entry.PrimarySMTPAddress -EmailAddresses @{Add=$TenantEmail}
}



I had an issue where some users didn’t have the hybrid address even though “apply policy” was indeed checked.

Not sure why that happened and I don’t care (LOL)

The script below will find the users that do not have a hybrid email address; you need to modify the “bvhs” part (shown in red) to the customer’s tenant name.

Get-Mailbox -ResultSize Unlimited -Filter "EmailAddresses -notlike '*@bvhs.mail.onmicrosoft.com'" | select alias,primarysmtpaddress | export-csv -NoTypeInformation UsersWithOUTHybrid.csv

In some ways, it’s better than my first script, which is…

Get-Mailbox -ResultSize Unlimited | Where {$_.EmailAddressPolicyEnabled -eq $False} |select Alias,PrimarySmtpAddress |export-csv -NoTypeInformation MailboxesPolicyUnchecked.csv

Because that only lists the users where the email policy is not applied… But for some strange reason there are users without the hybrid address even though the policy is indeed checked.
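Both queries above can be folded into one pass that looks at the addresses themselves and then adds the missing one; this is an added example, not one of the original scripts. It assumes the hybrid routing domain is <tenant>.mail.onmicrosoft.com, with XYZ as a placeholder tenant name.

```powershell
# Added example (not the original scripts): find every mailbox with no address in the hybrid
# routing domain, whether or not the e-mail address policy is applied, then add it.
# $HybridDomain is an assumption; replace XYZ with the customer's tenant name.
$HybridDomain = "XYZ.mail.onmicrosoft.com"

function Get-MailboxMissingHybrid {
    # Checks the proxy addresses directly, so it also catches policy-enabled mailboxes that lost theirs
    Get-Mailbox -ResultSize Unlimited | Where-Object {
        $addrs = $_.EmailAddresses | ForEach-Object { "$_" }   # works for live and deserialized objects
        -not ($addrs | Where-Object { $_ -like "smtp:*@$HybridDomain" })
    } | Select-Object Alias, PrimarySmtpAddress, EmailAddressPolicyEnabled, Identity
}

function Add-HybridAddress {
    param([Parameter(ValueFromPipeline=$true)]$Mailbox, [switch]$WhatIf)
    process {
        # Lower-case "smtp:" adds a secondary address; the custom primary address is left as-is.
        # Aliases with spaces or non-ASCII characters are not valid local parts and Set-Mailbox rejects them.
        $hybrid = "smtp:$($Mailbox.Alias)@$HybridDomain"
        if ($WhatIf) { Write-Host "Would add $hybrid to $($Mailbox.PrimarySmtpAddress)"; return }
        Set-Mailbox -Identity $Mailbox.Identity -EmailAddresses @{Add=$hybrid}
        [pscustomobject]@{ Mailbox = $Mailbox.PrimarySmtpAddress; Added = $hybrid }
    }
}

$missing = @(Get-MailboxMissingHybrid)
$missing | Export-Csv -NoTypeInformation UsersWithOUTHybrid.csv
"$($missing.Count) mailbox(es) without a hybrid address"
$missing | Add-HybridAddress -WhatIf        # drop -WhatIf to apply the change
```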

Office 365 Move Report

I have been doing a lot of Office 365 lately and I’ve been getting very “tired” of checking the status of mailbox moves at night. I get on the pc, check the status of the moves, then go back to the family. Yea, right…. I check the moves, go to youtube, and 40 mins later my wife asks “Have I lost you again to the box?”

I first have to connect to the cloud with the three magical PowerShell commands.

$O365Cred = Get-Credential
# The endpoint URL was missing from the pasted command; this is the standard Exchange Online
# remote PowerShell endpoint of that era. Basic authentication to Exchange Online has since been
# retired in favour of Connect-ExchangeOnline from the ExchangeOnlineManagement module.
$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session

The script emails me a progress report of mailbox moves every 10 mins. It needs to “relay out”, so I make sure I’m pointing at an Exchange server (or another server) that allows me to do this.

How many times it emails me can be changed by modifying the do-while loop condition. Currently the loop is set to 5 times: {while ($i -le 6)}
How often it emails me can be changed by modifying the Start-Sleep parameter, which is set to 600 seconds: {Start-Sleep -s 600}
Change the SMTP server from $smtpServer = “” to the server that will relay for you. Change the From and To addresses to your liking, and you are all set.

I was able to check my email account and see updates from my phone.

Here is the script:

$i = 1
do {
    #Get Statistics on move requests, sort by percent complete
    $Moves = Get-MoveRequest | Get-MoveRequestStatistics | select-object Alias, TotalInProgressDuration, PercentComplete | sort-object PercentComplete
    $Moves | ConvertTo-Html | out-file Moves.htm
    #So I know what's happening, I have it write to the screen that it's sending mail
    Write-Host "Sending Email"
    #SMTP server name
    $smtpServer = ""
    #Creating a Mail object
    $msg = new-object Net.Mail.MailMessage
    #Creating SMTP server object
    $smtp = new-object Net.Mail.SmtpClient($smtpServer)
    #Email structure
    $msg.From = ""
    $msg.ReplyTo = ""
    $msg.To.Add("")      # recipient; the To line was missing from the pasted script
    $msg.subject = "MoveReport"
    $msg.IsBodyHTML = $true
    $msg.body = Get-Content .\Moves.htm | Out-String   # join the HTML lines into one body
    #Sending email
    $smtp.Send($msg)
    $i++                 # the loop exits once $i exceeds 6
    #Pause for 600 seconds (10 mins)
    Start-Sleep -s 600
} while ($i -le 6)
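The same e-mailed progress loop, as an added example rather than the original script, but it stops early once nothing is still moving and puts the number of failed or suspended requests in the subject line. It assumes an Exchange Online session is already imported; the relay server and addresses are placeholders.

```powershell
# Added example (not the original script): report loop that exits when no move is in progress.
# $SmtpServer, $From and $To are placeholders; change them to your relay and mailboxes.
$SmtpServer      = "relay.example.local"
$From            = "moves@example.local"
$To              = "admin@example.local"
$IntervalSeconds = 600
$MaxReports      = 6
$Terminal        = @('Completed', 'CompletedWithWarning', 'Failed', 'Suspended', 'AutoSuspended')

function Get-MoveReport {
    $stats = Get-MoveRequest | Get-MoveRequestStatistics |
        Select-Object Alias, Status, StatusDetail, PercentComplete, TotalInProgressDuration |
        Sort-Object PercentComplete
    [pscustomobject]@{
        Stats  = $stats
        Failed = @($stats | Where-Object { @('Failed', 'Suspended', 'AutoSuspended') -contains "$($_.Status)" })
        Active = @($stats | Where-Object { $Terminal -notcontains "$($_.Status)" })
    }
}

for ($i = 1; $i -le $MaxReports; $i++) {
    $report  = Get-MoveReport
    $subject = "MoveReport $i/$MaxReports - $($report.Active.Count) in progress, $($report.Failed.Count) failed"
    # ConvertTo-Html returns one string per line; join them into a single HTML body
    $body = ($report.Stats | ConvertTo-Html -Title $subject) -join "`n"
    Write-Host "Sending: $subject"
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject $subject -Body $body -BodyAsHtml
    if ($report.Active.Count -eq 0) { Write-Host "No moves still in progress; stopping."; break }
    Start-Sleep -Seconds $IntervalSeconds
}
```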

Move Fails in office 365 with empty domain

I have had a few failed moves in Office 365.
This is a hybrid configuration with ADSync enabled.
Note the extra space where the arrow is in the first image; normally it would say something like “…domain abc.local because…”
In this case, it is just an extra blank space.
Here is how I fixed it.
· I disconnected the mailbox from the user (that is a Disable in EMC).
· Forced a sync to the cloud on the ADSync server (see second image).
· Reconnected the mailbox to the original user in the “Disconnected Mailbox” section of EMC.
· Forced a sync (again) to the cloud on the ADSync server.
· Then attempted a move, and it was successful!!

ADMT and FSMO roles

I recently ran a cross-forest ADMT migration. Because of subnetting conflicts between the two companies, not all domain controllers were accessible. In order to migrate SID history, the ADMT migration server must contact the FSMO master of the source domain. After several attempts and a sniffer trace, I found this to be true. Specifically it’s one of the domain-level FSMO roles, so I assume it’s the PDC emulator. ADMT 3.2


Import Export IP list on Allowed Relay Receive Connector

If you are migrating from Exchange 2003 to 2010, when you export the list of allowed relay devices following this article, the output will typically be in this format:

Name the file IPList.txt.
Then, with the script below, you can import the list of IP addresses onto your receive connector.

$RecvConn = Get-ReceiveConnector "Ex2010\AllowedRelay"
Get-Content .\IPList.txt | foreach {$RecvConn.RemoteIPRanges += "$_"}
# Write the ranges back to the same connector that was read above
Set-ReceiveConnector $RecvConn.Identity -RemoteIPRanges $RecvConn.RemoteIPRanges

When migrating from Exchange 2007 to 2010, we use a PowerShell command to export the list and a PowerShell script to import it.

Here is the PowerShell command to export the list. Change the exchange2007\allowedrelay part to the correct server\receive connector name.

(Get-ReceiveConnector "exchange2007\allowedrelay").RemoteIPRanges | select Lowerbound,Upperbound,RangeFormat | sort-object Lowerbound | export-csv c:\rc.txt -NoTypeInformation

Use this script to import it onto Exchange 2010; change the second line to the correct Exchange 2010 server name\receive connector name.

$csv = "c:\rc.txt"
$rc = "EX2010\RelayConnector"
$impcsv = import-csv $csv
$conn = Get-ReceiveConnector $rc
foreach($line in $impcsv) {
    # Keep real ranges as ranges; using LowerBound alone would collapse "a-b" to just "a"
    if ($line.UpperBound -and $line.UpperBound -ne $line.LowerBound) {
        $ipAdd = "$($line.LowerBound)-$($line.UpperBound)"
    } else {
        $ipAdd = $line.LowerBound
    }
    $conn.RemoteIPRanges += $ipAdd
}
# One write at the end instead of one per address
Set-ReceiveConnector $rc -RemoteIPRanges $conn.RemoteIPRanges
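One import routine that handles both exports above (the plain IP list from 2003 and the LowerBound/UpperBound CSV from 2007), skips ranges the connector already has, and writes the connector once; this is an added example, not one of the original scripts. The connector name is a placeholder, and since every range on an allowed-relay connector may relay anonymously, the -WhatIf run is there to review the list before applying it.

```powershell
# Added example (not the original scripts). $Connector is a placeholder server\connector name.
$Connector = "EX2010\RelayConnector"

function Get-RangeStrings {
    # Turn either input file into IPRange strings ("10.0.0.1" or "10.0.0.1-10.0.0.20")
    param([string]$Path)
    if ($Path -like '*.csv') {
        Import-Csv $Path | ForEach-Object {
            if ($_.UpperBound -and $_.UpperBound -ne $_.LowerBound) { "$($_.LowerBound)-$($_.UpperBound)" }
            else { $_.LowerBound }
        }
    } else {
        Get-Content $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
}

function Import-RelayRanges {
    param([string]$ConnectorId, [string]$Path, [switch]$WhatIf)
    $conn = Get-ReceiveConnector $ConnectorId
    # Compare by string form; an existing CIDR entry is not recognised as equal to its a-b form
    $existing = @($conn.RemoteIPRanges | ForEach-Object { "$_" })
    $added = @()
    foreach ($range in Get-RangeStrings $Path) {
        if ($existing -contains $range) { Write-Verbose "skip $range (already present)"; continue }
        $conn.RemoteIPRanges += $range      # string is converted to an IPRange by the shell
        $existing += $range
        $added += $range
    }
    Write-Host "$($added.Count) new range(s) for $ConnectorId"
    if (-not $WhatIf -and $added.Count -gt 0) {
        Set-ReceiveConnector $ConnectorId -RemoteIPRanges $conn.RemoteIPRanges
    }
    $added
}

Import-RelayRanges -ConnectorId $Connector -Path .\IPList.txt -WhatIf   # review, then drop -WhatIf
```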

Update fix to moving PST files

I wanted to automate the process of pushing this checkbox for all users who have an “OutlookArchive” folder.

The unforeseen error on my part was this: I had the Quest tool create all the archives in the \\server\home\myadmin folder, then I used a PowerShell move command to move the files to each user’s home folder.

Because I moved the file, it was really fast, but it retained the original permissions from the source folder (hence exadmin had rights to it, but not the user).

If I had copied the file rather than moving it, everything would have been OK, because copying the file makes a new file and the new file inherits the permissions of the parent folder (OutlookArchive), but it would have taken much longer to copy than to move.

That is why that person could not access their Migrated.pst file: it was a permissions issue.

So, I want to automate this red box for all users with an OutlookArchive folder and a Migrated.pst file in it.

To fix this, I made a batch file and used the free tool SetACL to reset the above inherited permissions.

The batch file code:

@Echo off
Set _InputFile=allusers.txt
For /F "tokens=*" %%I IN (%_InputFile%) DO (
    IF EXIST "\\server\home\%%I\OutlookArchive\Migrated.pst" (
        rem Re-enable inheritance, set the owner to Administrators and clear the stale DACL/SACL
        SetACL.exe -silent -on "\\server\home\%%I\OutlookArchive*" -ot file -actn setprot -op "dacl:np;sacl:np" -rec cont_obj -actn setowner -ownr "n:S-1-5-32-544;s:y" -actn clear -clr "dacl,sacl"
    )
)

In English:

I created allusers.txt by doing a dir at the \\server\home folder and piping it to a text file, then I used Excel to clean up the file, so I had a listing of all the users’ home folders.

The “IF EXIST” line checks whether Migrated.pst exists in each home folder; if it does, it runs the next line, the SetACL command, which does the same thing as the red box in the graphic. (Thank you Google)
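The same check and fix in PowerShell without SetACL, as an added example that is not the original batch file: it first reports which Migrated.pst files carry an ACL that does not name their user, then resets only those. It assumes one home folder per user under $HomeRoot (a placeholder) named after the username, and leaves the owner unchanged.

```powershell
# Added example (not the original batch file). $HomeRoot is a placeholder share path.
$HomeRoot = "\\server\home"

function Get-MigratedPstState {
    # For each user, report whether their Migrated.pst ACL still grants them nothing
    Get-ChildItem -Path $HomeRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $user = $_.Name
        $pst  = Join-Path $_.FullName "OutlookArchive\Migrated.pst"
        if (Test-Path -Path $pst) {
            $acl = Get-Acl -Path $pst
            [pscustomobject]@{
                User               = $user
                Path               = $pst
                Owner              = $acl.Owner
                InheritanceBlocked = $acl.AreAccessRulesProtected
                UserHasAce         = [bool]($acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$user" })
            }
        }
    }
}

function Repair-MigratedPstAcl {
    param([Parameter(ValueFromPipeline=$true)]$Item, [switch]$WhatIf)
    process {
        if ($Item.UserHasAce -and -not $Item.InheritanceBlocked) { return }   # already fine
        if ($WhatIf) { Write-Host "Would reset ACL on $($Item.Path)"; return }
        $acl = Get-Acl -Path $Item.Path
        # Drop the explicit entries carried over from the source folder, then let the
        # OutlookArchive folder's permissions re-inherit (same effect as setprot np + clear dacl)
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($ace) }
        $acl.SetAccessRuleProtection($false, $false)
        Set-Acl -Path $Item.Path -AclObject $acl
    }
}

Get-MigratedPstState | Tee-Object -Variable state | Format-Table -AutoSize
$state | Repair-MigratedPstAcl -WhatIf      # drop -WhatIf to apply
```

For a single file, the built-in `icacls <path> /reset` performs the same replace-with-inherited reset.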