Thursday, July 21, 2011

The Ghost Delegate Exorcist

A Sumatra client called for help: a flood of NDRs was driving their Exchange server to its knees. The problem: a boss granted his admin delegate rights to his calendar. Along with that, all calendar messages were forwarded to the admin. After the admin left the company, the admin's mailbox was deleted.

All was fine until someone invited the boss to a meeting. The delegate forwarding rule sent that calendar message to the [now deleted] delegate, and the boss received an NDR. That NDR calendar message, sent back to the boss, was forwarded to the [still deleted] delegate, which generated another NDR, and so on.

No big deal. They went into the boss's Outlook delegate settings and tried to remove the delegate, but couldn't -- Outlook reported the delegate as "(not found)".



The delegates are there but you can't delete them. Ghost delegates.....
The root cause: they didn't remove the delegate permissions and forwarding rules before they deleted the admin assistant's mailbox.

In this post, I'll talk about how to rid Exchange of those ghost delegates. In the next post, I'll talk about how to find and remove delegate permissions BEFORE you delete the terminated user's account.

For the curious, Glen Scales blogged about "How to deal with invalid delegates," and "Displaying delegate forward rules." Even better, Glen wrote some PowerShell code to exorcise our ghost delegate!

Here is what we did to remove the ghost delegates:



  1. Download and install the Exchange Web Services Managed API.
  2. Create a subdirectory and copy the Microsoft.Exchange.WebServices DLL into it. Run Exchange PowerShell (as administrator) and change to that subdirectory.
  3. Set the execution policy, import the module, and create a credential variable (using your service account):

    # Allow local scripts to run; downloaded scripts must be signed
    Set-ExecutionPolicy RemoteSigned -Force
    # Load the module from the current directory
    Import-Module ./Messageops-Exchange.psd1
    # Prompt for the service account's credentials
    $myCred = Get-Credential

  4. Next, define an Exchange profile and point it directly at our CAS server. As above, we use our service account, which has impersonation or full access permissions (see our blog post on impersonation in Exchange 2007 or Exchange 2010):

    $newprofile = new-messageops.ewsprofile -identity:mySVCacct@mydomain.com -exchangeversion:exchange2010_sp1 -casURL:https://mycas.mydomain.com -Credential:$myCred

  5. See the list of valid and invalid (ghost) delegates and rules:

    Get-MessageOps.MailboxDelegateReport -p:$newprofile -id:bigboss@mydomain.com

    Get-MessageOps.MailboxDelegatesInvalid -p:$newprofile -id:bigboss@mydomain.com

    Get-MessageOps.MailboxDelegateInvalidForwardingRules -p:$newprofile -id:bigboss@mydomain.com

  6. Finally, remove the invalid forwarding rules, and THEN remove the delegates (in that order!):

    Remove-MessageOps.MailboxDelegateInvalidForwardingRules.unsupported -p:$newprofile -id:bigboss@mydomain.com

    Remove-MessageOps.MailboxDelegatesInvalid.UnSupported -p:$newprofile -id:bigboss@mydomain.com
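The NDR loop described at the top of this post should show up in message tracking as a burst of FAIL events for a single address, which is a quick way to spot the loop or to confirm it has stopped after the cleanup. The following is an added example, not code from the original post or from Glen's module: it flags such bursts in rows shaped like `Get-MessageTrackingLog` output. The function name `Find-NdrLoopCandidate`, its threshold and window, and the sample rows are hypothetical or constructed, and each row is assumed to carry one recipient.

```powershell
# Added example. Flags recipients whose deliveries fail in a tight burst.
function Find-NdrLoopCandidate {
    param(
        [Parameter(Mandatory = $true)] [object[]] $TrackingRows,
        [int] $Threshold = 5,        # assumed: failures in one window that count as a loop
        [int] $WindowMinutes = 10    # assumed: width of the burst window
    )
    $window = New-TimeSpan -Minutes $WindowMinutes
    $TrackingRows |
        Where-Object { $_.EventId -eq 'FAIL' } |
        Group-Object -Property Recipients |
        ForEach-Object {
            $group = $_
            $times = @($group.Group | ForEach-Object { [datetime]$_.Timestamp } | Sort-Object)
            # Sliding window over the sorted timestamps: largest failure count in any window.
            $peak = 0; $start = 0
            for ($end = 0; $end -lt $times.Count; $end++) {
                while (($times[$end] - $times[$start]) -gt $window) { $start++ }
                $peak = [Math]::Max($peak, $end - $start + 1)
            }
            if ($peak -ge $Threshold) {
                New-Object PSObject -Property @{
                    FailingRecipient = $group.Name
                    PeakFailures     = $peak
                    Senders          = @($group.Group | ForEach-Object { $_.Sender } | Sort-Object -Unique)
                }
            }
        }
}

# Constructed sample rows (placeholder addresses), one recipient per row.
$t0 = [datetime]'2011-07-21 09:00:00'
$rows = @()
foreach ($i in 0..5) {   # six failures, 20 seconds apart, to the deleted delegate
    $rows += New-Object PSObject -Property @{
        Timestamp = $t0.AddSeconds(20 * $i); EventId = 'FAIL'
        Sender = 'bigboss@mydomain.com'; Recipients = 'departed.admin@mydomain.com'
    }
}
# One unrelated failure and one normal delivery; neither should be flagged.
$rows += New-Object PSObject -Property @{
    Timestamp = $t0.AddMinutes(3); EventId = 'FAIL'
    Sender = 'someone@mydomain.com'; Recipients = 'typo@example.com' }
$rows += New-Object PSObject -Property @{
    Timestamp = $t0.AddMinutes(4); EventId = 'DELIVER'
    Sender = 'someone@mydomain.com'; Recipients = 'bigboss@mydomain.com' }

Find-NdrLoopCandidate -TrackingRows $rows | Format-List
```

With real tracking data, expand multi-recipient rows to one row per recipient before passing them in, and tune the threshold and window to your normal failure rate.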
I've pulled the URLs and commands into a text file that you can download to simplify typing....

-Russ
