If you can’t see the troubled user’s free/busy data and you get this error message.

This means that user’s calendar has more than 1000 items in the calendar. You would be asking “Why this limitation?” “Can I increase this limit?”. I don’t think so. I didn’t any information on it yet.

Your solution is to tell the user to delete some items (especially any recurring meetings, if he/she can).

Source: https://support.microsoft.com/en-us/help/2962513/you-can-t-view-free-busy-information-on-another-user-s-calendar-in-exc

If you try to add (or Remove) member(s) to a mail-enabled security group in Exchange Admin Console or Shell, you will hit a wall with this error.

You don't have sufficient permissions. This operation can only be performed by a manager of the group.

 + CategoryInfo : NotSpecified: (:) [Add-DistributionGroupMember], OperationRequiresGroupManagerException
 + FullyQualifiedErrorId : [Server=LV-EXCH04,RequestId=dba1bbc1-125a-4dcf-ac18-5db54f0c4a70,TimeStamp=5/21/2019 4:39:26 AM] [FailureCategory=Cmdlet-OperationRequiresGroupManagerException] 9175D35D,Microsoft.Exchange.Management.RecipientTasks.AddDistributionGroupMember
 + PSComputerName : exchsvr.company.com

So, What the hell this means? This simply means manage your damn security group members in Active Directory.

Obviously, you can open Active Directory Users and Computers or Admin Center to add a member easily. But you if you are writing a PowerShell script, how do you do it?

To add an User or group, use Add-ADGroupMember -Identity <GroupName> -Members <User1>,<Group1>

But I needed to add a mail contact to the mail-enabled security group. I found Add-ADGroupMember doesn’t work to add Contacts. This how you can do it.

#Get LDAP path of the mail-enabled group
$MailEnabledSecurityGroup = "LDAP://" + (Get-OPDistributionGroup "MyADSecurityGroup").distinguishedName
#Get LDAP path of the mail contact
$MailContact = "LDAP://" + (Get-Contact $RoutingAlias).distinguishedName

#Open ADSI connection 
$ADGroup = [ADSI] $MailEnabledSecurityGroup
#Add the contact as member
$ADGroup.Add($MailContact)
#Ta..Da..!! It's done.

A Shared mailbox is not show up in Outlook or not able to open in OWA, and it gives this error in OWA:

“Your Account has been disabled”

Do not check the Active Directory Account. It is nothing to do with the user account. Error message means OWA is disabled on the mailbox.

Solution:

Exchange Admin Console:

• Find the mailbox and click to select
• On the right-side pane, find Outlook on the Web under Email Connectivity.
• Enable the OWA
• Open Mailbox Properties and select Mailbox Features
• Find and enable MAPI

Exchange Admin Shell:

Set-CASMailbox <Mailbox Alias> -OWAEnabled:$true -MapiEnabled:$true

If you run this command, OWAEnabled should show True:

E:\ Get-CASMailbox SharedMailbox@company.com 
Name ActiveSyncEnabled OWAEnabled PopEnabled ImapEnabled MapiEnabled SmtpClientAuthenticationDisabled
---- ----------------- ---------- ---------- ----------- ----------- --------------------------------
offers True True False False False

How many time have you researched where the account lockouts are happening? which computer is locking the AD account? It could be

• disconnected remote desktop session
• scheduled task
• Application on a server
• Service running with AD account context
• Wireless profile with PEAP setup on Phones and devices

So I wrote this PowerShell script to query the Security events from domain controller, and list the callercomputer of where the lockouts are happening.

This following script takes two parameters. Username and domain controller name.

Note: You need run this script as Domain Administrator or at least with server operations privilege.

e.g.,
Search-Lockout-Events.ps1 -username JohnDoe -DomainControllerName HQ-IT-DC01.company.com

Here is the script, either download is from HERE or copy/paste from below:

<#
    Script: Search-Lockout-Events.ps1
    Parameters:
    UserName : SAMAccountName of the user
    DomainControllerName: domain Controller name (FQDN is better)

    Purpose: Search given domain controller for "bad password attempts" and
    "Account lock out" events from the Security Event Logs and list the 
    CallerComputer of where the account lockouts are coming from. 

    Written By: Anand, the Awesome, Venkatachalapathy
#>
param($Username,$DomainControllerName)

#Filenme to store the lockout events
$ReportFile = ".\$Username-Lockedout-Events.txt"

#Query the domain controller event log for lockout events
$LockoutEvents = Get-WinEvent @{logname='Security';starttime=[DateTime]::Today;id=644,4740,4625} `
    -ComputerName $DomainControllerName | ?{$_.Message -like "*$username*" } 

#Display the Date and caller computer from the event logs
"Date/time`t`tCallerComputer"
foreach($LockoutEvent in $LockoutEvents)
{
    $message = ($LockoutEvent.Message).Split("`n`r")
    $TimeCreated = [String] $LockoutEvent.TimeCreated

    #Find the Caller Computer from the event log message
    foreach($line in $message) 
    { 
        if($line -like '*Caller Computer Name:*')
        { $CallerComputer = $line  ; $CallerComputer = $CallerComputer.Replace("Caller Computer Name: ","")} 
    }

    $TimeCreated + "`t`t" + $CallerComputer

    #Store the event log details to the file
    $LockoutEvent | Format-List |  Out-File -FilePath $ReportFile -Append
    
}
#  * * * End of the Script * * * 

It’s a one line code. Make sure you run this code on a SQL server. OR on your computer where SQL Admin Console is installed.

Note: Make sure SQL Browser service is started on the computer you are running this code.

Open PoweShell, copy/paste this line:

[System.Data.Sql.SqlDataSourceEnumerator]::Instance.GetDataSources()

That is it. Here is the sample Output:

Well, there are situations you need to delete an Office 365 (MSOL) account permanently.

E.g., I need to create a new account with the same name but for a different user. Since there is a deleted MSOL account still exists, you can’t create the new user.

It is very easy. Open PowerShell and connect to AzureAD:

Connect-MSOLService -Credential (Get-Credential)

First you need to get the ObjectID of the deleted account. Here is how you do it.

Command: Get-MsolUser
-ReturnDeletedUsers -searchstring *UserUPN here* | fl UserPrincipleName,
ObjectID

Example: Get-MsolUser -ReturnDeletedUsers -searchstring JohnDoe@mycompany.com | fl UserPrincipleName, ObjectID

Now note down the ObjectID from the above command and use it for next command. Then we need to purge the deleted account.

Command: Remove-MsolUser
-ObjectID *ObjectID here* -RemoveFromRecycleBin -Force

Example: Remove-MsolUser
-ObjectID c4d86044-bd23-7218-c226-e556a25a2dac -RemoveFromRecycleBin -Force

That’s it. You sent this specific MSOL account to Hell forever.

Now, do you want to “Purge” all deleted MSOL accounts? Get Nasty. Here is how you do it.

Get-MsolUser -ReturnDeletedUsers -All |
Remove-MsolUser -RemoveFromRecycleBin -Force

After you created an Exchange Retention Policy either in Exchange Online or On-Prem Exchange, you have to make this new retention policy as Default, so new mailboxes will get this policy automatically.

To see the available retention policies, type

Get-RetentionPolicy 

To change your Default Retention Policy for all users, run the following (Copy the retention policy name from the results of the above command):

Set-RetentionPolicy -Identity "Your Policy Name" -IsDefault:$true  

Now, we need to assign this policy to all existing mailboxes.

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -RetentionPolicy "Your Policy Name"

That’s it. Enjoy!