I create log files or transcripts all the time with my PowerShell scripts. I needed a reliable filename with date and time. So I wrote an quick function to format the date and time that easy to read and identify the list of files.

Here it is. Use the function for your purposes. The code includes an example code on how I use the function.

<#
 Function to return current date and time formatted to use log file
 name. 
 How it works: Call the function and use the returned value to 
 create an log file name in your code. 
 E.g., 
 $logfilename = "My-Script-" + (date_time()) + ".log"
 #>
 function date_time()
 {
     return (Get-Date -UFormat "%Y-%m-%d_%I-%M-%S_%p").tostring()
 }


# Example use of function
# Create an log file name and assign to $logfilename variable
 $logfilename = "My-Script-" + (date_time) + ".log"
 
# Display the log file name
 $logfilename

Example file name created by this script:

My-Script-2019-06-12_08-26-30_PM.log

If the user’s ActiveSync device is blocked (Quarantined), User might be getting this email:

Subject: Your device is temporarily blocked from synchronizing using Exchange ActiveSync until your administrator grants it access.

Your device is temporarily blocked from accessing content via Exchange ActiveSync because the device has been quarantined. You don’t need to take any action. Content will automatically be downloaded as soon as access is granted by your administrator.

There are 3 ways to unblock the mobile device in Exchange On-Prem and Exchange Online. I will show you here all 3 ways. I personally use PowerShell. So, the PowerShell way first.

Unblock the ActiveSync Device using PowerShell

1. Open PowerShell and connect to Exchange server Or Exchange Online
2. Run Get-CASMailbox command and NOTE Down the “blocked ActiveSync device id”. E.g., See Below. Notice the blocked device id: androidc274977591

PS E:\> Get-CASMailbox -Identity anandTheAwersome | Select-Object "*ActiveSync*"
ActiveSyncAllowedDeviceIDs         : {4E6F74657361613733653433336533}
ActiveSyncBlockedDeviceIDs         : {androidc274977591}
ActiveSyncMailboxPolicy            : Default
ActiveSyncMailboxPolicyIsDefaulted : True
ActiveSyncDebugLogging             : False
ActiveSyncEnabled                  : True
HasActiveSyncDevicePartnership     : True
ActiveSyncSuppressReadReceipt      : False

3. Add the noted blocked device id into Allowed Devices in CAS Mailbox Properties.

Set-CASMailbox -Identity anandTheAwersome -ActiveSyncAllowedDeviceIDs @{Add='androidc274977591'}

4. To verify, Run the Get-CASMailbox again to see the device id is in ActiveSyncAllowedDeviceIds list.

PS E:\> Get-CASMailbox -Identity anandTheAwersome | Select-Object "*ActiveSync*"
ActiveSyncAllowedDeviceIDs         : {4E6F74657361613733653433336533,androidc274977591}
ActiveSyncBlockedDeviceIDs         : {}
ActiveSyncMailboxPolicy            : Default
ActiveSyncMailboxPolicyIsDefaulted : True
ActiveSyncDebugLogging             : False
ActiveSyncEnabled                  : True
HasActiveSyncDevicePartnership     : True
ActiveSyncSuppressReadReceipt      : False

That’s It. Give it a minute or two. The Mail/Calendar client App in the device will start synchronizing. Now, for the underlings who gets scared of PowerShell, I will show how to do this in Exchange Admin Console.

(Way 1) Unblock the Active Sync Device in “Mobile Device Details”

1. Open ECP console in your favorite browser
2. Go to Mailboxes and find and select the user’s mailbox.
3. On the right-side pane, click on “View Details” under “Mobile Devices”
4. Select the blocked device (Status says “Access Denied”). Click on the Second Icon to “Allow” the device.

1. Click “Save” button.

(Way 2) Unblock the Active Sync Device in “Mobile Device Details”

1. In Exchange Console Panel, Select Mobile
2. In “Mobile device access” tab, find the user and blocked device in “Quarantined Devices”
3. After you find and select the device, click on the second button to “Allow” the device

1. Give it a minute or two, client app will start synchronizing.

Hope that was easy. If you like this blog, leave me a “holla”.

You are running Invoke-WebRequest and hit with “Could not create SSL/TLS secure channel”, It simply means TLS 1. 2 is not being used.

Windows selects most strong cryptography from the list. How do you know what’s your crypto list?

Display the list of cryptos form this .Net Class variable:

PS E:> [Net.ServicePointManager]::SecurityProtocol

Tls, Tls11, Tls12

My computer shows three cryptos and most strong one is TLS 1.2. If you get the above error message ( “Could not create SSL/TLS secure channel” ), that means the most strong crypto is not supported by the web site you are accessing. (Is Tls12 missing?)

Since this is PowerShell, you can fix it two ways. For temporarily enable TLS 1.2 and make a Invoke-WebRequest,

Run this command before you run Invoke-WebRequest cmdlet. Young only need to set the security protocol to TLS 1.2 only once in the script.

[Net.ServicePointManager]::SecurityProtocol =[Net.SecurityProtocolType]::Tls12

Obviously when you finish running the script, security protocol assignment is lost. It goes back to computer’s default setting.

If you need to make it permanent, you could add TLS 1.2 in the cryptography list in Registry. Open PowerShell in Administrative mode (Run as Admin), then add these registry entries:

Set strong cryptography on 64 bit .Net Framework (version 4 and above)

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord 

Set strong cryptography on 32 bit .Net Framework (version 4 and above)

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord  

You have close all PowerShell Windows and reopen it to take effect the registry settings.

Did that help? leave me a reply.

If you can’t see the troubled user’s free/busy data and you get this error message.

This means that user’s calendar has more than 1000 items in the calendar. You would be asking “Why this limitation?” “Can I increase this limit?”. I don’t think so. I didn’t any information on it yet.

Your solution is to tell the user to delete some items (especially any recurring meetings, if he/she can).

Source: https://support.microsoft.com/en-us/help/2962513/you-can-t-view-free-busy-information-on-another-user-s-calendar-in-exc

If you try to add (or Remove) member(s) to a mail-enabled security group in Exchange Admin Console or Shell, you will hit a wall with this error.

You don't have sufficient permissions. This operation can only be performed by a manager of the group.

 + CategoryInfo : NotSpecified: (:) [Add-DistributionGroupMember], OperationRequiresGroupManagerException
 + FullyQualifiedErrorId : [Server=LV-EXCH04,RequestId=dba1bbc1-125a-4dcf-ac18-5db54f0c4a70,TimeStamp=5/21/2019 4:39:26 AM] [FailureCategory=Cmdlet-OperationRequiresGroupManagerException] 9175D35D,Microsoft.Exchange.Management.RecipientTasks.AddDistributionGroupMember
 + PSComputerName : exchsvr.company.com

So, What the hell this means? This simply means manage your damn security group members in Active Directory.

Obviously, you can open Active Directory Users and Computers or Admin Center to add a member easily. But you if you are writing a PowerShell script, how do you do it?

To add an User or group, use Add-ADGroupMember -Identity <GroupName> -Members <User1>,<Group1>

But I needed to add a mail contact to the mail-enabled security group. I found Add-ADGroupMember doesn’t work to add Contacts. This how you can do it.

#Get LDAP path of the mail-enabled group
$MailEnabledSecurityGroup = "LDAP://" + (Get-OPDistributionGroup "MyADSecurityGroup").distinguishedName
#Get LDAP path of the mail contact
$MailContact = "LDAP://" + (Get-Contact $RoutingAlias).distinguishedName

#Open ADSI connection 
$ADGroup = [ADSI] $MailEnabledSecurityGroup
#Add the contact as member
$ADGroup.Add($MailContact)
#Ta..Da..!! It's done.

A Shared mailbox is not show up in Outlook or not able to open in OWA, and it gives this error in OWA:

“Your Account has been disabled”

Do not check the Active Directory Account. It is nothing to do with the user account. Error message means OWA is disabled on the mailbox.

Solution:

Exchange Admin Console:

• Find the mailbox and click to select
• On the right-side pane, find Outlook on the Web under Email Connectivity.
• Enable the OWA
• Open Mailbox Properties and select Mailbox Features
• Find and enable MAPI

Exchange Admin Shell:

Set-CASMailbox <Mailbox Alias> -OWAEnabled:$true -MapiEnabled:$true

If you run this command, OWAEnabled should show True:

E:\ Get-CASMailbox SharedMailbox@company.com 
Name ActiveSyncEnabled OWAEnabled PopEnabled ImapEnabled MapiEnabled SmtpClientAuthenticationDisabled
---- ----------------- ---------- ---------- ----------- ----------- --------------------------------
offers True True False False False

How many time have you researched where the account lockouts are happening? which computer is locking the AD account? It could be

• disconnected remote desktop session
• scheduled task
• Application on a server
• Service running with AD account context
• Wireless profile with PEAP setup on Phones and devices

So I wrote this PowerShell script to query the Security events from domain controller, and list the callercomputer of where the lockouts are happening.

This following script takes two parameters. Username and domain controller name.

Note: You need run this script as Domain Administrator or at least with server operations privilege.

e.g.,
Search-Lockout-Events.ps1 -username JohnDoe -DomainControllerName HQ-IT-DC01.company.com

Here is the script, either download is from HERE or copy/paste from below:

<#
    Script: Search-Lockout-Events.ps1
    Parameters:
    UserName : SAMAccountName of the user
    DomainControllerName: domain Controller name (FQDN is better)

    Purpose: Search given domain controller for "bad password attempts" and
    "Account lock out" events from the Security Event Logs and list the 
    CallerComputer of where the account lockouts are coming from. 

    Written By: Anand, the Awesome, Venkatachalapathy
#>
param($Username,$DomainControllerName)

#Filenme to store the lockout events
$ReportFile = ".\$Username-Lockedout-Events.txt"

#Query the domain controller event log for lockout events
$LockoutEvents = Get-WinEvent @{logname='Security';starttime=[DateTime]::Today;id=644,4740,4625} `
    -ComputerName $DomainControllerName | ?{$_.Message -like "*$username*" } 

#Display the Date and caller computer from the event logs
"Date/time`t`tCallerComputer"
foreach($LockoutEvent in $LockoutEvents)
{
    $message = ($LockoutEvent.Message).Split("`n`r")
    $TimeCreated = [String] $LockoutEvent.TimeCreated

    #Find the Caller Computer from the event log message
    foreach($line in $message) 
    { 
        if($line -like '*Caller Computer Name:*')
        { $CallerComputer = $line  ; $CallerComputer = $CallerComputer.Replace("Caller Computer Name: ","")} 
    }

    $TimeCreated + "`t`t" + $CallerComputer

    #Store the event log details to the file
    $LockoutEvent | Format-List |  Out-File -FilePath $ReportFile -Append
    
}
#  * * * End of the Script * * *