Updated script that applies retention tag to items in a default folder

Articles in the "Retention tag on default folder items" series

  1. Use EWS to apply retention policy to items in a default folder
  2. Script to set retention tag on default folder items updated to v1.1.1
  3. Default folder retention tag script updated to 1.3
  4. Updated script that applies retention tag to items in a default folder [This article]

Edit 12/1/17: The issue with the retention tag GUID not being set by Exchange Online has been resolved.  Therefore, I have removed the code that distinguishes between online and on-premises so that the GUID is always applied.

My script that adds a personal tag to items in a default folder stopped working correctly recently.  Even though it was applying a tag to matching items, the collection size was never getting smaller.  After investigating, I found that a change has been made in Exchange Online.  The property that holds the GUID of the applied tag is no longer used by Exchange Online.  This is also the property I am using to search for items to tag.  You can tell Exchange to set a value for the property, and it will respond without error, but it doesn’t actually update the property.  So my script kept getting items that had already been updated.  I suspect this has something to do with added support for labels from the Security and Compliance Center.

I have updated the script to instead filter items that do not have a retention period set.  To accommodate this distinction from how Exchange on-premises still operates, I have added the Environment parameter, which defaults to Exchange Online, so that the GUID will still be applied when run against an on-premises mailbox.  The code that handles changed result sets (where the number of items in the results changes while in the middle of processing) had a display issue where it would double the number of items processed (it didn’t affect the items, but was only a display issue); I have changed the processing loop to now retrieve all items first, then process them in one batch, rather than retrieving and processing them in 50-item batches.

  Set-DefaultFolderItemsTag.ps1 (9.4 KiB)

Delegate management module updated

The module has been updated to version 1.5.1. This version adds automatic support for localization of the Sent Items and Deleted Items folders. If the display name of those folders in the owner’s mailbox is not in English, the localized display name of the folder will be used when getting, setting, or removing delegates.

I have also added permission validation to the owner’s mailbox for the person executing a cmdlet. When using impersonation, if you don’t have permission to a mailbox Exchange responds with an error indicating as much. But if using full access, Exchange doesn’t respond with such an error, just failing on whatever request is being made. Usually when permission is the issue, the error contains “The specified object was not found in the store,” so the module checks for that error, informs you that it appears you don’t have permission, and then gracefully aborts the cmdlet.

Download the updated module and overwrite your existing copy.  If you were already using v1.5.0, keep your existing settings file so your specific settings remain.

  DelegateManagement.zip (9.2 KiB)

Delegate management module updated to v1.5.0

It had been some time since I updated the delegate management PowerShell module. I started to update it last year after I decided to move the admin configuration settings to their own file, but didn’t complete it.  After a user of the module recently contacted me about adding one of the supported options for delegate meeting forwarding, I went back and finished updating it.  These are the changes:

  • Configuration settings have been moved to a file.  This allows for drop-in updates to the module without you having to reconfigure your settings again.  The file, DelegateManagementSettings.xml, should be located in the same directory as the module.  A default file is included in the download, but you can also use the new Set-DelegateManagementSetting cmdlet with the CreateDefaultFile parameter to have the module create one for you.  You can run Get-DelegateManagementSetting to view your current settings.  If you want to change one or more settings for the current session, the Set-DelegateManagementSetting cmdlet can do that, and you can use the Persist parameter if you want the changed setting to be written to the file.  (Comment-based help is available for both new cmdlets, e.g., Get-Help Set-DelegateManagementSetting.)
  • The following functionality has been moved from static values to configurable settings: whether to use Autodiscover, specifying an EWS URL, whether to use impersonation, and if permission should be added/set by default for the Deleted Items and Sent Items folders when adding a delegate.
  • The Azure AD module is no longer needed for managing delegates in Exchange Online.
  • The ability to specify that meeting requests for the owner/manager should not be forwarded to delegates.  (This is supported with Exchange 2013+ and Exchange Online mailboxes.)  NoForward has been added as a valid value with the MeetingRequestDeliveryScope parameter.
  • All functions for connecting via PowerShell to on-premises Exchange and Exchange Online have been removed.  Connection to the appropriate environment should be handled externally to the module, as would usually be done with any other module or cmdlet.  The exception to this is for Exchange Web Services (seeing as it is a stateless connection).  If managing delegates in Exchange Online, the first time you run a delegate cmdlet it will prompt for EWS credentials, which will be used for all future cmdlets in the same shell.  On-premises will use the current user credentials.  If you would like the module to be able to store and recall credentials automatically (in Credential Manager, for example), specify credentials for on-premises, or other credential options, let me know.

The updated module, along with a settings file, is here:

  DelegateManagement.zip (9.2 KiB)

Meeting cancellation script updated

Articles in the "Meeting cancellation script" series

  1. Cancel future meetings in a mailbox
  2. Meeting cancellation script updated [This article]

I have updated the Cancel-MailboxMeetings.ps1 script. These are the changes:

  • Changed the date parameters to align with Microsoft’s Remove-CalendarEvents cmdlet.  StartDate is now QueryStartDate and EndDate is now QueryWindowInDays.  The default time frame is still one year from the query start date, but is now specified as an integer of days instead of a specific date.
  • Added a preview mode via the PreviewOnly switch parameter (also to align with Microsoft).  Using the parameter will list which meetings (by subject and start date, first occurrence start date if a recurring meeting) would be affected.  To provide enough detail, it will indicate if it is a standalone meeting or series and whether the meeting is being canceled (because the mailbox is the organizer) or declined (because the mailbox is an attendee).  If you use the EndOrganizedRecurringMeetings parameter, it will also use wording to show that a meeting series’ end date would be updated instead of canceled.
  • Added detection of modified occurrences that will be lost if a recurring series’ end date is changed.  Because exceptions to a meeting (only modifications, not deletions) are removed when a series’ end date is changed, the script checks for modified occurrences that occurred in the past of the query start date and prompts you to confirm that you want to update that meeting.
  • Added a switch parameter named SuppressLostExceptionPrompt.  Use this if you want to prevent the confirmation prompt about lost modified occurrences and have it change the end date anyway.  This parameter only has an effect if also used with EndOrganizedRecurringMeetings.
  • Although added only while I was testing, but decided to leave in, are some extra details written to the screen if you use the Verbose parameter.

The code in the first post has been updated, as has the downloadable version:

  Cancel-MailboxMeetings.ps1 (11.1 KiB)

Cancel future meetings in a mailbox

Articles in the "Meeting cancellation script" series

  1. Cancel future meetings in a mailbox [This article]
  2. Meeting cancellation script updated

One of the long-running woes of the Exchange admin is that you can’t transfer “ownership” of a meeting to someone else when the owner leaves the company. While you still can’t do that, Microsoft recently announced the Remove-CalendarEvents cmdlet for mailboxes in Exchange Online.  Its intention is to allow the administrator to cancel all future meetings for a terminated employee so that someone else can create new meetings in their place.

Because it works only for cloud mailboxes, I wrote a script to do the same thing for on-premises mailboxes (though it will also work for cloud mailboxes).  It uses EWS to get all future meetings for a mailbox and cancel them.  The default settings are to cancel all meetings that occur in the next year where the mailbox is the organizer.  You can also choose to have it cancel (decline) meetings where the mailbox is an attendee, and you can specify text that should be added to the cancellation or decline message.  Additionally, if you don’t want to wholly cancel recurring meetings because the history of all those occurrences will be lost for the attendees, you can instead have organized recurring meetings end so that only future occurrences are canceled, but historical occurrences remain.

Because of the way calendar items are stored, you can get an item and then see when it occurs, if it is recurring, etc., but if it is a recurring meeting you only see the first occurrence.  To work with occurrences, you use a calendar view (time frame) and let Exchange worry about whether an occurrence of a recurring item should be included in the window.  But you can have multiple occurrences of the same meeting in the time frame, and you want to delete the series, not an occurrence.  In a calendar view, you can see if a meeting is an occurrence and, if so, get the corresponding master for that series.

Once the series is canceled (or ended, if you choose that option), there still can be more occurrences of that canceled series in the search results.  If you try and get the recurring master for an occurrence whose master has already been canceled, you’ll get an error.  So, these occurrences can be skipped, but you have to know which ones can be skipped.  To solve that, I store the recurring meeting’s global object ID (which is the same for a recurring master and all of its occurrences because it is really just one meeting as stored in the calendar) in an array.  For every meeting in the search results that is an occurrence, I check if the global object ID is in the array.  If so, I skip it because its master has already been deleted.  If not, I add the global object ID to the array, then cancel the meeting.

The script has comment-based help so you know what all the parameters are for, and there are inline comments so you can see what is being done throughout.  While you can use current credentials or specify one, if you want it to prompt if you don’t specify credentials and don’t want to use default credentials, you can comment and uncomment the the necessary lines at 81-84.  Likewise for the EWS URL, it is hard-coded to EXO, which you can change, but if you want to use autodiscover, you can comment and uncomment the necessary lines at 91-93.

Download the script via the link below, but you can see the code and copy it below, too.

  Cancel-MailboxMeetings.ps1 (11.1 KiB)

<#
	.Synopsis
		Cancel meetings within a specified timeframe for a mailbox
	.Description
		Ideal for terminated employees, this script will cancel all meetings
		organized by the mailbox, and optionally where the mailbox is an attendee,
		within a given timeframe.  The default is one year from run time.
	.Parameter EmailAddress
		Email address of the mailbox to process.  Pipeline support allows piping
		from Get-Mailbox.
	.Parameter QueryStartDate
		Start date of the timeframe to look for meetings to cancel.  Default is now.
	.Parameter QueryWindowInDays
		Number of days after the start date to look for meetings to cancel.  Default is 365 days.
	.Parameter IncludeAttendeeMeetings
		Switch to also cancel meetings where the mailbox is an attendee
	.Parameter EndOrganizedRecurringMeetings
		Switch to end organized recurring meetings instead of canceling them.
		The end date of the series is set to the cmdlet's StartDate.  This will leave 
		past meeting occurrences on attendee calendars.
	.Parameter SuppressLostExceptionPrompt
		Switch to silently acknowledge that past occurrences of series that have
		been modified will be deleted if EndOrganizedRecurringMeetings is used
	.Parameter PreviewOnly
		Switch to display the meeting subjects and dates that would be canceled
	.Parameter CancellationText
		Text to add to the body of the cancellation message
	.Parameter Credential
		Optional credential object to use instead of asking for or using current credentials
	.Parameter UseImpersonation
		Switch parameter to use impersonation instead of FMA or folder permission
	.Example
		Cancel-MailboxMeetings.ps1 -EmailAdress johndoe@company.com
	.Example
		Cancel-MailboxMeetings.ps1 janedoe@company.com "6/1/17" "8/1/17" -IncludeAttendeeMeetings -CancellationText "Jane is no longer here."
	.Example
		Get-Mailbox johndoe | Cancel-MailboxMeetings.ps1 -Credential (Get-Credential) -EndOrganizedRecurringMeetings
	.Notes
		Required permission: 
			*Editor role to calendar will work for meetings (attendee or organizer)
			- or -
			*Impersonation right to the target mailbox
			- or -
			*Full mailbox access; Send As is not required
		Version: 1.3
		Date: 8/3/17
#>
#Version 3 is only required because of use of the [pscredential] type accelerator for the Credential parameter
#requires -Version 3
[CmdletBinding(SupportsShouldProcess=$true,ConfirmImpact='High')]
Param (
	[Parameter(Position=0,Mandatory=$true,ValueFromPipelineByPropertyName=$true,HelpMessage="Email address of user")]
		[Alias("PrimarySMTPAddress")][string]$EmailAddress,
	[Parameter(Position=1,Mandatory=$false)][DateTime]$QueryStartDate = (Get-Date),
	[Parameter(Position=2,Mandatory=$false)][int]$QueryWindowInDays = 365,
	[switch]$IncludeAttendeeMeetings,
	[switch]$EndOrganizedRecurringMeetings,
	[switch]$SuppressLostExceptionPrompt,
	[switch]$PreviewOnly,
	[Parameter(Mandatory=$false)][string]$CancellationText,	
	[Parameter(Mandatory=$false)][PSCredential]$Credential,
	[switch]$UseImpersonation
	)

begin
	{
	#Check for EWS API
	$apiPath = (($(Get-ItemProperty -ErrorAction SilentlyContinue -Path Registry::$(Get-ChildItem -ErrorAction SilentlyContinue -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Web Services" |
				Sort-Object Name -Descending | Select-Object -First 1 -ExpandProperty Name))."Install Directory") + "Microsoft.Exchange.WebServices.dll")
	if (Test-Path $apiPath)
		{
		Add-Type -Path $apiPath
		}
	else
		{
		Write-Error "The Exchange Web Services Managed API is required to use this script." -Category NotInstalled
		break
		}

	$exchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP2
	$exchangeService = New-Object -TypeName Microsoft.Exchange.WebServices.Data.ExchangeService($exchangeVersion) 
	}

process
	{
	if (-not($Credential))
		{
		#$Credential = Get-Credential
		#$exchangeService.Credentials = New-Object -TypeName Microsoft.Exchange.WebServices.Data.WebCredentials($Credential)
		# Or
		$exchangeService.UseDefaultCredentials = $true
		}
	else
		{
		$exchangeService.Credentials = New-Object -TypeName Microsoft.Exchange.WebServices.Data.WebCredentials($Credential)
		}

	#$exchangeService.AutodiscoverUrl($EmailAddress, {$true})
	#Or use hard-coded URL
	$exchangeService.Url = "https://outlook.office365.com/EWS/Exchange.asmx"

	if ($UseImpersonation)
		{
		$exchangeService.ImpersonatedUserId = New-Object -TypeName Microsoft.Exchange.WebServices.Data.ImpersonatedUserId(
			[Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $mailbox.EmailAddress)
		}
	
	#Bind to the calendar
	$folderID = New-Object -TypeName Microsoft.Exchange.WebServices.Data.FolderId(
		[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Calendar,$EmailAddress)
	$calFolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($exchangeService,$folderID)

	#Create a view to get all events during the specified timeframe
	$StartDate = $QueryStartDate
	$EndDate = $StartDate.AddDays($QueryWindowInDays)
	$calendarView = New-Object -TypeName Microsoft.Exchange.WebServices.Data.CalendarView($StartDate, $EndDate)
	$properties = New-Object -TypeName Microsoft.Exchange.WebServices.Data.PropertySet(
		[Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
	#Add Clean Global Object ID to property set so it can be used to correlate occurrences of the same meeting
	$propCleanGOID = New-Object -TypeName Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition(
		[Microsoft.Exchange.WebServices.Data.DefaultExtendedPropertySet]::Meeting, 35,
		[Microsoft.Exchange.WebServices.Data.MapiPropertyType]::Binary)
	$properties.Add($propCleanGOID)
	$calendarView.PropertySet = $properties
	$searchResult = $exchangeService.FindAppointments($calFolder.Id,$calendarView)

	#region Functions
	function Process-Cancellation ($meeting, $attendeeType, $goid)
		{
		if ($meeting.IsRecurring)
			{
			#Skip processing if recurring master has already been canceled
			if ($meetingIds -notcontains $goid)
				{
				#Determine whether occurrence or master
				if ($meeting.AppointmentType -ne [Microsoft.Exchange.WebServices.Data.AppointmentType]::RecurringMaster)
					{
					#Get recurring master
					$master = [Microsoft.Exchange.Webservices.Data.Appointment]::BindToRecurringMaster($exchangeService,$meeting.Id)
					}
				else
					{
					$master = $meeting
					}
				#Add Global ID to array so remaining occurrences in collection can be ignored
				$meetingIds.Add($goid)
				if ($attendeeType -eq "Organizer")
					{
					#If ending instead of canceling, end only if first occurrence is in the past, else cancel
					if ($EndOrganizedRecurringMeetings -and ($StartDate -gt $master.Start))
						{
						Write-Verbose "EndOrganizedRecurringMeetings is true and first occurrence is in past"
						#Check for modified exceptions that will be lost
						if ($master.ModifiedOccurrences)
							{
							Write-Verbose "Meeting series has modified occurrences"
							$hasException = $false
							foreach ($occurrenceId in $master.ModifiedOccurrences)
								{
								$propertySet = New-Object -TypeName Microsoft.Exchange.WebServices.Data.PropertySet(
									[Microsoft.Exchange.WebServices.Data.BasePropertySet]::IdOnly,
									@([Microsoft.Exchange.WebServices.Data.AppointmentSchema]::Start))
								$occurrence = [Microsoft.Exchange.WebServices.Data.Item]::Bind($exchangeService,$occurrenceId.ItemId,$propertySet)
								if ($occurrence.Start -lt $StartDate)
									{
									Write-Verbose "Meeting series has modified occurrence in the past"
									$hasException = $true
									break
									}
								}
							}
						if ($hasException)
							{
							if ($PreviewOnly)
								{
								Update-MeetingEndDate -meeting $master
								}
							elseif ($PSCmdlet.ShouldProcess("Meeting series with the subject `"$($master.Subject)`" that has one or more past occurrence exceptions that will be lost if the series`' end date is changed") -or $SuppressLostExceptionPrompt)
								{
								Update-MeetingEndDate -meeting $master
								}
							}
						else
							{
							Update-MeetingEndDate -meeting $master
							}
						}
					else
						{
						Send-MeetingCancel -meeting $master 'Series'
						}
					}
				else
					{
					Send-MeetingDecline -meeting $master 'Series'
					}
				}
			}
		else #Non-recurring meeting
			{
			if ($attendeeType -eq "Organizer")
				{
				Send-MeetingCancel -meeting $meeting 'Meeting'
				}
			else
				{
				Send-MeetingDecline -meeting $meeting 'Meeting'
				}
			}
		}

	function Update-MeetingEndDate ($meeting)
		{
		if ($PreviewOnly)
			{
			Write-Output "Series whose end date would be updated: `"$($meeting.Subject)`" on $($meeting.Start.ToShortDateString())"
			}
		else
			{
			$meeting.Recurrence.EndDate = $StartDate
			$meeting.Update([Microsoft.Exchange.WebServices.Data.SendInvitationsMode]::SendToAllAndSaveCopy)
			Write-Output "Series end date updated: $($meeting.Subject)"
			}
		}
	
	function Send-MeetingCancel ($meeting, $type)
		{
		if ($PreviewOnly)
			{
			Write-Output "$type that would be canceled: `"$($meeting.Subject)`" on $($meeting.Start.ToShortDateString())"
			}
		else
			{
			[void]$meeting.CancelMeeting($CancellationText)
			Write-Output "$type canceled: $($meeting.Subject)"
			}
		}
		
	function Send-MeetingDecline ($meeting, $type)
		{
		if ($PreviewOnly)
			{
			Write-Output "$type that would be declined: `"$($meeting.Subject)`" on $($meeting.Start.ToShortDateString())"
			}
		else
			{
			#Decline method does not support custom message, so create decline message
			if ($CancellationText)
				{
				$declineMessage = $meeting.CreateDeclineMessage()
				$declineMessage.Body = $CancellationText
				[void]$declineMessage.Send()
				Write-Output "$type declined: $($meeting.Subject)"
				}
			else
				{
				[void]$meeting.Decline($true)
				Write-Output "$type declined: $($meeting.Subject)"
				}
			}
		}
	#endregion
	
	if ($searchResult.TotalCount -gt 0)
		{
		#Exclude non-meetings
		$meetings = $searchResult.Items | Where-Object {$_.IsMeeting}
		if ($meetings)
			{
			Write-Output "Processing $($meetings.Count) meeting occurrences."
			#Create array to hold list of recurring master IDs
			$meetingIds = New-Object -TypeName System.Collections.Generic.List[System.String]
			foreach ($item in $meetings)
				{
				#Get meeting global ID from extended properties collection
				$cleanGOID = $null
				[void]$item.TryGetProperty($propCleanGOID, [ref]$cleanGOID)
				
				if ($item.MyResponseType -eq [Microsoft.Exchange.WebServices.Data.MeetingResponseType]::Organizer) #Mailbox is organizer
					{
					Process-Cancellation -meeting $item -attendeeType "Organizer" -goid $cleanGOID
					}
				elseif ($IncludeAttendeeMeetings) #Decline meetings where mailbox is attendee
					{
					Process-Cancellation -meeting $item -attendeeType "Attendee" -goid $cleanGOID
					}
				}
			}
		else
			{
			Write-Output "There are no meetings in the specified timeframe."
			}
		}
	else
		{
		Write-Output "There are no meetings in the specified timeframe."
		}
	}

AutoDL module updated yet again

Articles in the "AutoDL management module" series

  1. PowerShell module for managing automated distribution groups
  2. AutoDL module updated yet again [This article]

Edit 3/27/17:  Rather than add another post, this entry has been updated to reflect the addition of the Find Groups button added for group mirroring.

When automating distribution lists, eventually someone will want one that doesn’t use its own filter, but contains the same members as another group.  (Usually it is a security group when there is separation between DLs and security groups.)  The module has always supported group mirroring, but it required a specific syntax (the LDAP filter had to be prefixed with “guid:”) and that the object’s GUID be entered (without curly braces).

The module has been updated so that it is much easier to use group mirroring.  The GUI now has a separate field for entering the groups to mirror:

AutoDL Group Mirroring

A group’s filter now separates using either an LDAP filter or group mirroring.

You select the radio button for either using an LDAP filter or mirroring the membership of other groups.  You no longer manually enter the GUID of the object, but enter the distinguished name of the object and it will be converted to the objectGUID when saving the filter.  (Using the objectGUID allows membership updates to continue even if the source group is moved and its distinguished name changes.) You can also add groups to the list by clicking the Find Groups button and searching for them.  This functionality is provided by an external library that is included in the download.  Put the DLL in the same directory as the module and it will automatically be loaded.  I have added a check for the library, so if it isn’t found, the Find Groups button will simply be disabled and a label will be displayed next to it that says the dependent file could not be loaded.

When running Get-AutoDLFilter and Set-AutoDLFilter, the objectGUIDs will be converted into the current DNs for display.  The GUI output of Get-AutoDLFilter has also been updated to reflect whether it is using an LDAP filter or group mirroring and, if the latter, doesn’t display the sections for the display-formatted and raw filters.

The distinguished name of the object(s) will be validated when the focus leaves the text box (unless clicking the Cancel button), checking that it resolves to an existing group object.  If updating a group’s filter from the command line, the MirrorGroup parameter has been added to the Set-AutoDLFilter cmdlet.  The same DN validation occurs when updating from the command line, and the LDAPFilter and MirrorGroup parameters are in separate parameter sets so that they are mutually exclusive.

Any existing groups using group mirroring are compatible with this version:  Nothing has changed on the “back end,” only how the groups being mirrored get added to a filter has been updated.

Download the module and AD object picker library here:

  AutoDLManagement.zip (22.7 KiB)


If you want just the module, it is here:

  AutoDLManagement.psm1 (55.4 KiB)