I’ve noticed an issue that sometimes occurs when attempting to remove an ActiveSync device relationship from a user’s mailbox. This behavior happens frequently with users who have left the company recently. All attempts to remove the device via the Manage Mobile Phone action in the Exchange console result in a device not found error. I hadn’t noticed a pattern to this behavior until today.
When a user leaves the company, the help desk usually moves the user’s account to a different OU in Active Directory (in our case, it's the "Disabled" OU). Although each device’s Identity and DistinguishedName properties reflect the new location of the account, it would appear that the Remove-ActiveSyncDevice command only looks at the UserDisplayName property, and that property does not get updated – it continues to reflect the location of the account at the time the device relationship was created. This causes the command to fail, since the object no longer exists at that location in AD. Here’s an example of a device that belongs to a former associate. Notice the highlighted fields, which show two very different locations.
UserDisplayName : domain.local/Field Management/District Managers/Joe Blow
Name : MOTOBLUR30
DistinguishedName : CN=MOTOBLUR30,CN=ExchangeActiveSyncDevices,CN=Joe Blow,OU=Disabled,DC=domain,DC=local
Identity : domain.local/Disabled/Joe Blow/ExchangeActiveSyncDevices/MOTOBLUR30
Guid : e6078fc3-bcff-43c9-a334-8c74e075d558
ObjectCategory : domain.local/Configuration/Schema/ms-Exch-Active-Sync-Device
To work around the problem and remove the device, go to the Exchange shell and run the following command:
Get-ActiveSyncDevice | where {$_.UserDisplayName -like "*Joe Blow"} | Remove-ActiveSyncDevice
You will be prompted to confirm each device to be deleted, which is handy if the user has multiple devices and you only want to delete a particular device.
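The same mismatch can be found across every mailbox instead of one user at a time. The script below is an added example, not part of the original post: it lists device partnerships whose UserDisplayName no longer matches the owner path inside Identity. It assumes both properties render as canonical paths as in the output above, and that `domain.local/Disabled/` (the sample OU from this post) is where departed accounts are moved.

```powershell
# Added example. Run from the Exchange Management Shell.
# Assumption: Identity looks like
#   <owner canonical path>/ExchangeActiveSyncDevices/<device name>
# and UserDisplayName holds the owner path recorded when the partnership was created.
$marker = '/ExchangeActiveSyncDevices/'

$stale = Get-ActiveSyncDevice -ResultSize Unlimited | Where-Object {
    $identity = [string]$_.Identity
    $idx = $identity.LastIndexOf($marker)
    # Skip anything that does not follow the expected Identity layout.
    if ($idx -le 0) { return $false }
    # Owner path as Active Directory sees it today.
    $currentOwner = $identity.Substring(0, $idx)
    # Stale when the recorded owner path differs from the current one.
    $currentOwner -ne [string]$_.UserDisplayName
}

# Review the mismatches before touching anything.
$stale | Format-List UserDisplayName, Identity, Guid

# Limit removal to accounts that now live in the Disabled OU (sample path from
# this post). -WhatIf only reports what would be removed; drop it to get the
# per-device confirmation prompt described above.
$stale |
    Where-Object { ([string]$_.Identity) -like 'domain.local/Disabled/*' } |
    Remove-ActiveSyncDevice -WhatIf
```

A mismatch only means the account was moved or renamed after the device was paired, so the review step matters: active users who changed OU will also show up in `$stale`.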
Monday, January 30, 2012
Hey dude - wonderful article that saved me quite a bit of time. Not a full blown Exchange guy and ours is hard to catch up with; but I have DA rights so I took advantage of them :)
You just saved my bacon, good sir!
However, in my case, it wasn't an issue with a disabled/moved account. It had to do with the fact that my user had the maximum number of mobile device connections (10), none of which were being used, and couldn't add the 11th (latest replacement iPhone). However, after the last one was added, she had changed her name, and now it broke. I had to use this PowerShell command using the old display name, and it worked beautifully.
One minor other difference: I had an option for [A]ll devices, though it still defaulted to [Y], to confirm devices individually. Since I was confident all the other devices were no longer in use, I just used the [A] option.