0 votes

I want to create a custom Deprovision command which exports the mailbox of the user to a PST file; when it's completed the account should be deleted. Can this be done with Adaxes?

Thnx Remco

by (780 points)
0

Hello Remco,

Yes, this can be done. You can use a PowerShell script that exports a mailbox to a PST file and add it to the Deprovision Custom Command with the help of the Run a program or PowerShell script action. However, there is one issue with such a solution. The thing is that exporting a PST can take quite long, and the script will 'hang' Adaxes until the mailbox is exported or until the 10-minute limit set for executing scripts in Adaxes expires. So, there is a possibility that if a mailbox is quite large, it will exceed the 10-minute limit.

To work around the issue, we suggest the following approach: the Deprovision Custom Command will only start the mailbox export and then exit if the script doesn't complete in, let's say, 9 minutes. Also, a certain property of the user account will be modified to a certain value. The property will simply serve as a flag that the user's mailbox is being exported. For this purpose, you can use one of Adaxes virtual properties that can store boolean (True/False) values, for example, CustomAttributeBoolean1. Virtual properties are not stored in AD, but they can be used the same as any other properties of AD objects.

Also, you'll need to create a Scheduled Task that checks mailbox export requests for all users who have the flag set. As soon as mailbox export is complete, it will delete the user's account.

Will such a solution suit you? By the way, what do you mean by "the account should be deleted"? Does it mean that the user's account should be deleted from AD or that the mailbox associated with the user should be deleted from Exchange?

0

The solution would be perfect. When the mailbox is successfully exported to a pst file then the mailbox and the AD account should be deleted...

Remco

0

Hello Remco,

OK, our script guys are already working on a script for you. We've got one more thing to clarify: what should the script do if the mailbox export fails?

0

Great!!! If the export fails then an e-mail should be sent to the initiator and further processing should be stopped. The mailbox and AD account must NOT be deleted.

Thnx Remco

0

Remco,

OK, we'll update this topic as soon as our script guys complete the job.

0

Any update? Is it a bit more difficult than expected ;-)?

Remco

0

Hello Remco,

Yes, our script guys have run into a couple of issues. They promised to provide the scripts tomorrow.

0

That's OK, rather a good script than a buggy one. Much appreciated by the way!!

Remco

1 Answer

0 votes
by (215k points)
selected by
Best answer

Hello Remco,

Thank you for your good words, we really appreciate it.

The script is ready. As mentioned before in this topic, you will need to modify the Custom Command that you use for user deprovisioning and create a Scheduled task that will check the mailbox export status periodically and delete the account. To do this:

Modify the Custom Command for User Deprovisioning:
First of all, you need to extend the Custom Command for user deprovisioning with an action that initiates export of the user's mailbox to a file. Also, it will set a certain property to a certain predefined value. The property will serve as a flag to determine that the user's mailbox is being exported. Also, it will store the initiator's e-mail to be able to send the report in case mailbox export fails. For the flag and storing the initiator's email, we suggest using Adaxes virtual properties. They are not stored in Active Directory, but can be used as any other property of AD objects. The scripts below use the CustomAttributeBoolean1 property as a flag and the CustomAttributeText1 property for storing the initiator's e-mail. To modify the Custom Command:

  1. Launch Adaxes Administration Console.

  2. Expand the service node that represents your Adaxes Service.

  3. Navigate to and select the Custom Command that you use for deprovisioning users.

  4. Click the Add action to a new set link.

  5. Select the Run a program or PowerShell script action.

  6. Paste the following script to the Script field. It will initiate mailbox export to a PST file, set a flag indicating that the user's mailbox is being exported and store the initiator's e-mail.

     $exchangeServer = "exchangeserver.example.com" # TODO: modify me
     $filePath = "\\server\ExportedMailboxes\%username%.pst" # TODO: modify me
     $defaultEmail = "recipient@mail.com" # TODO: modify me
     $waitTime = 540000 # TODO: modify me. Time in milliseconds
    
     # Script block to initiate mailbox export. It runs in a separate PowerShell process,
     # so `$ escapes the variables that must be evaluated in that process.
     $scriptBlockToExecute = @"
     & {
         `$session = New-PSSession -configurationname Microsoft.Exchange -connectionURI 'http://$exchangeServer/PowerShell'
    
         Import-PSSession `$session -DisableNameChecking
    
         # Remove a stale export request with the same name, if one exists
         Get-MailboxExportRequest -Name "%username%" | Remove-MailboxExportRequest -Confirm:`$False
         try
         {
             New-MailboxExportRequest "%username%" -FilePath '$filePath' -Name "%username%" -ErrorAction Stop
         }
         catch
         {
             # Write the error to the error stream, because the parent script
             # only reads standard error of this process
             Write-Error `$_.Exception.Message
         }
         Remove-PSSession `$session
         }
     "@
    
     # Start Windows PowerShell as a separate process and run the script block in that process
     $arguments = @("-noninteractive", "-noprofile", "-executionpolicy bypass", "-Command $scriptBlockToExecute")
     $powershellPath = "$env:windir\syswow64\windowspowershell\v1.0\powershell.exe"
     $startProcessInfo = New-Object System.Diagnostics.ProcessStartInfo
     $startProcessInfo.FileName = $powershellPath
     $startProcessInfo.Arguments = $arguments
     $startProcessInfo.WindowStyle = "Hidden"
     $startProcessInfo.CreateNoWindow = $True
     $startProcessInfo.UseShellExecute = $False
     $startProcessInfo.RedirectStandardError = $True
     $process = [System.Diagnostics.Process]::Start($startProcessInfo)
     $result = $process.StandardError.ReadToEnd()
     $process.WaitForExit($waitTime)
    
     # If $result is not empty, an error occurred while creating a mailbox export request
     # Give error and exit
     if (-not([System.String]::IsNullOrEmpty($result)))
     {
         $Context.LogMessage($result, "Error")
         return
     }
    
     # Set a flag indicating that the user's mailbox is being exported
     # and store the initiator's email address
     if ([System.String]::IsNullOrEmpty("%adm-InitiatorEmail%"))
     {
         # The initiator doesn't have an email address. Notifications will be sent to the default address
         $Context.TargetObject.Put("adm-CustomAttributeText1", $defaultEmail)
     }
     else
     {
         $Context.TargetObject.Put("adm-CustomAttributeText1", "%adm-InitiatorEmail%")
     }
    
     $Context.TargetObject.Put("adm-CustomAttributeBoolean1", $True)
     $Context.TargetObject.SetInfo()
    
  7. In the script:

    • $exchangeServer - specifies the Fully Qualified Domain Name (FQDN) of the computer where your Exchange Server is installed,
    • $filePath - specifies a template for the PST file path,
    • $waitTime - is the time (in milliseconds) to wait for the mailbox export to complete before the export process is considered too long.

    Modify the script to your requirements.

  8. Enter a short description for the script and click OK.

  9. Also, you need to add a condition for this action to be triggered only if the user has an Exchange mailbox. Right-click the action that you've just added and click Add Condition.

  10. Select the If has an Exchange mailbox condition type.

  11. Select has.

  12. Click OK and save the modified Custom Command.

Create a Scheduled Task that deletes the user account after the export is complete
To create such a Scheduled Task:

  1. Create a new Scheduled Task.

  2. On the 3rd step of the Create Scheduled Task wizard, select the User object type.

  3. On the 4th step, add the Delete the User action.

  4. Click OK.

  5. Now, you need to add a condition for this action to be triggered only if the flag for the user is set. Right-click the action that you've just added and click Add Condition.

  6. Select If <property> <relation> <value> condition type.

  7. Expand the <property> drop-down list.

  8. Select the CustomAttributeBoolean1 property.

  9. Select equals and True.

  10. Click OK.

  11. Also, you need to add a condition for this action to be triggered only if the mailbox export has been completed. Right-click the action and click Add Condition.

  12. Select the If PowerShell script returns True condition type.

  13. Paste the following script to the Script field. The script will return True only when mailbox export completes successfully.

     $exchangeServer = "exchangeserver.example.com" # TODO: modify me
     $to = "%adm-CustomAttributeText1%" # TODO: modify me
     $subject = "Mailbox export failed." # TODO: modify me
     $message = "Mailbox export request status: {0}. The user will not be deleted"
    
     # The condition is not met unless the export has completed successfully
     $Context.ConditionIsMet = $False
    
     $session = New-PSSession -configurationname Microsoft.Exchange -connectionURI "http://$exchangeServer/PowerShell"
     Import-PSSession $session -DisableNameChecking
    
     # Get mailbox export status
     $result = Get-MailboxExportRequest -Name "%username%"
    
     Remove-PSSession $session
    
     # No export request exists for the user: nothing to check yet
     if ($result -eq $NULL)
     {
         return
     }
    
     $exportSuccessful = $False
     $requestStatus = $result.Status
     switch ($requestStatus)
     {
         "Failed"
         {
             $exportSuccessful = $False
         }
         "Suspended"
         {
             $exportSuccessful = $False
         }
         "Completed"
         {
             $exportSuccessful = $True
         }
         "CompletedWithWarning"
         {
             $exportSuccessful = $True
         }
         default
         {
             # Request is still queued or in progress: check again on the next run
             return
         }
     }
    
     # If export failed, send error, and exit
     if (-not($exportSuccessful))
     {
         $Context.SendMail($to, $subject, $message -f $requestStatus, $NULL)
         return
     }
    
     # If export successful, set $Context.ConditionIsMet to $True
     $Context.ConditionIsMet = $True
    
  14. In the script:

    • $exchangeServer - specifies the Fully Qualified Domain Name (FQDN) of the computer where your Exchange Server is installed,
    • $to - specifies the recipient of an e-mail message to be sent if mailbox export failed. By default, it is set to %adm-CustomAttributeText1% that will be substituted with the value of the CustomAttributeText1 property of the target user's account. As mentioned above, the Custom Command used for deprovisioning will store the initiator's e-mail address in this property.
    • $subject - specifies the subject of the e-mail message,
    • $message - specifies the text of the e-mail message.

    Modify the script to your requirements.

  15. Enter a short description for the script and click OK.

  16. Finish creation of the Scheduled Task.

0

Thnx for the script!! However I'm running into the following problem when executing the export script:

The term 'Get-MailboxExportRequest' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:6 char:26
+ Get-MailboxExportRequest <<<< -Name RSauer | Remove-MailboxExportRequest -Confirm:$False
+ CategoryInfo : ObjectNotFound: (Get-MailboxExportRequest:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
The term '.Exception.Message' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:13 char:20
+ .Exception.Message <<<<
+ CategoryInfo : ObjectNotFound: (.Exception.Message:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

I've changed $exchangeserver and $filepath to the correct values...

Remco

0

Hello Remco,

The error means that the account that is used to connect to the Exchange Server does not have sufficient permissions to perform mailbox export in Exchange. When a script is run by a Custom Command, Business Rule or Scheduled Task, by default, the credentials of Adaxes default service administrator (the user account that you used when installing Adaxes) are used. To remedy the issue, you need to grant necessary permissions to the default service administrator by adding the administrator's user account to an appropriate Role Group in Exchange. For example, the Mailbox Import Export Role gives sufficient permissions. For more details, see the following article by Microsoft: http://technet.microsoft.com/en-us/libr ... 50%29.aspx.
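As an added check that is not part of the original answer or the Adaxes scripts above: before enabling the deprovisioning command, confirm that the account Adaxes runs scripts under actually holds the Mailbox Import Export role, using the same kind of remote Exchange session the scripts open. The server name and the service account name are placeholders.

```powershell
# Added example (not from the original post): verify that the account Adaxes uses to
# run scripts holds the "Mailbox Import Export" role. Server and account are placeholders.
$exchangeServer = "exchangeserver.example.com"   # TODO: modify me
$serviceAccount = "DOMAIN\adaxes-svc"            # TODO: modify me (Adaxes default service administrator)

function Test-MailboxExportPermission
{
    param([string]$Server, [string]$Account)

    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$Server/PowerShell"
    Import-PSSession $session -DisableNameChecking | Out-Null
    try
    {
        # Only enabled, non-delegating assignments actually grant the export cmdlets.
        # Assignments received through a role group the account belongs to are included.
        $assignments = Get-ManagementRoleAssignment -Role "Mailbox Import Export" `
            -RoleAssignee $Account -Enabled $true -Delegating $false -ErrorAction SilentlyContinue
        return ($assignments -ne $null)
    }
    finally
    {
        Remove-PSSession $session
    }
}

if (Test-MailboxExportPermission -Server $exchangeServer -Account $serviceAccount)
{
    "OK: $serviceAccount can create and query mailbox export requests."
}
else
{
    # Least privilege: grant this single role (directly or via a role group), not Organization Management.
    "MISSING: New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User '$serviceAccount'"
}
```

Run it once under the Adaxes service account's credentials; the 'Get-MailboxExportRequest is not recognized' error in the post above is what the remote session looks like when this check returns false, because Exchange only exposes the cmdlets of roles the connecting account holds.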

0

All works well now. Yet again, thanks for the excellent support for a great product!!!

Remco

0

Thank you for your good words, we really appreciate it! :)
