Monthly Archives: November 2014

Unable to hide a mailbox from the GAL? Reset RBAC roles.

Ever get the feeling you’re being ignored? My customer did. They were unable to hide users from the GAL. We had a look to see what happened when they ran the PowerShell cmdlet:

Set-Mailbox -Identity <mailbox> -HiddenFromAddressListsEnabled $true

Everything completed with no errors, but… the user is still there. Let’s try that again, using the -v switch… This is on a test mailbox, in my lab.

[PS] C:\Windows\system32>Set-Mailbox caroline1 -hiddenfromaddresslistsenabled $true -v

VERBOSE: [07:16:52.353 GMT] Set-Mailbox : [Microsoft Cmdlet Extension Agent] Read Address List for organization “” from
domain controller Exch2k10loner.exch2k10.local.

VERBOSE: [07:16:52.650 GMT] Set-Mailbox : [Microsoft Cmdlet Extension Agent] Found Address List “\barry”.

VERBOSE: [07:16:52.665 GMT] Set-Mailbox : [Microsoft Cmdlet Extension Agent] Remove Address List “\barry” to
AddressListMemberShip of the recipient.

VERBOSE: [07:16:53.991 GMT] Set-Mailbox : The properties changed on the object ‘caroline test’ (CN=caroline
test,CN=Users,DC=exch2k10,DC=local) are: “{ AddressListMembership[showInAddressBook]={ ‘\All Mailboxes(VLV)’, ‘\All
Recipients(VLV)’ }, HiddenFromAddressListsValue[msExchHideFromAddressLists]=$True,
ReadOnlyAddressListMembership[showInAddressBook]={ ‘\All Mailboxes(VLV)’, ‘\All Recipients(VLV)’ },
HiddenFromAddressListsEnabled[msExchHideFromAddressLists, msExchRecipientTypeDetails]=$True }”.
VERBOSE: [07:16:54.007 GMT] Set-Mailbox : Saving object “exch2k10.local/Users/caroline test” of type “ADUser” and state
“Changed”.

I’ve cut a lot out of there, but the lines we are interested in are highlighted. The address lists the user belongs to are found, and then removed from the AddressListMemberShip attribute of the recipient in AD.

When we look at the verbose output from the live system, we see that although the address lists are found, they are never removed from the AddressListMemberShip attribute:

[PS] C:\Windows\system32>Set-mailbox -identity brianbloke@customer.co.uk -hiddenfromaddresslistsEnabled $true -v

VERBOSE: [10:23:44.220 GMT] Set-Mailbox : [Microsoft Cmdlet Extension Agent] Read Address List for organization “” from
domain controller customerLDC01.customer.co.uk.

VERBOSE: [10:23:44.236 GMT] Set-Mailbox : [Microsoft Cmdlet Extension Agent] Found Address List “\All Rooms”.

VERBOSE: [10:23:44.408 GMT] Set-Mailbox : The properties changed on the object ‘Brian bloke’ (CN=Brian
bloke,OU=some town,OU=someUsers,DC=customer,DC=co,DC=uk) are: “{
ExchangeUserAccountControl[msExchUserAccountControl]=’AccountDisabled’, AddressListMembership[showInAddressBook]={  },
PoliciesIncluded[msExchPoliciesIncluded]={  }, ReadOnlyAddressListMembership[showInAddressBook]={  },
ReadOnlyPoliciesIncluded[msExchPoliciesIncluded]={  } }”.

The last output shows that the cmdlet isn’t even trying to remove stuff. This is pretty strange, but I recalled Bhargav’s RBAC sessions from the MCM course – specifically, how to reset everything… Let’s make sure that the accounts have the correct role assignments and can do the things they should.

1. Launch the Exchange Management Shell (EMS)
2. Run “Add-PsSnapin Microsoft*” to load the snap-ins that you need to install RBAC
3. Run the “Install-CannedRBACRoles” cmdlet to install the out-of-the-box RBAC roles that you’d expect to be defined for Exchange 2010 SP1.
4. Run the “Install-CannedRBACRoleAssignments” cmdlet to install the out-of-the-box role assignments (that obviously depend on the roles that you’ve just installed).
5. Close EMS
6. Restart EMS to create a new session. During session initialization, Exchange will reload the roles and role assignments that are available to the user, so you should be able to retry the failed operation to see whether the reinstallation of the RBAC roles and role assignments has fixed the problem.

So, my customer ran through that, restarted the EMS and hey presto! Accounts are disappearing from the GAL all over the place. Cheers Bhargav!
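
The difference between the lab and live transcripts above can be checked mechanically. The following is an added example, not code from the original post: a hypothetical `Test-GalHideVerbose` function that reads captured verbose lines and reports whether each found address list was also removed and whether the hidden flag was written. The sample lines are abridged from the two transcripts, with straight quotes.

```powershell
# Added example, not from the original post. Test-GalHideVerbose is a hypothetical name.
function Test-GalHideVerbose {
    param([string[]]$Line)

    # The console wraps VERBOSE records; rejoin continuation lines first.
    $records = @()
    foreach ($l in $Line) {
        $t = $l.Trim()
        if ($t -like 'VERBOSE:*') { $records += $t }
        elseif ($t -and $records.Count -gt 0) { $records[-1] += " $t" }
    }

    # Quotes may be straight or typographic, depending on how the text was captured.
    $name = '["\u201C](?<n>[^"\u201D]+)["\u201D]'
    $found = @(); $removed = @(); $hiddenSet = $false
    foreach ($r in $records) {
        if ($r -match ('Found Address List\s+' + $name))  { $found += $Matches['n'] }
        if ($r -match ('Remove Address List\s+' + $name)) { $removed += $Matches['n'] }
        if ($r -match 'HiddenFromAddressListsEnabled\[[^\]]*\]=\$True') { $hiddenSet = $true }
    }

    # Lists that were found but never removed from AddressListMembership.
    $kept = @($found | Where-Object { $removed -notcontains $_ })
    if ($hiddenSet -and $kept.Count -eq 0) { $verdict = 'Applied' }
    elseif (-not $hiddenSet -and $kept.Count -gt 0) { $verdict = 'NotApplied' }
    else { $verdict = 'Inconclusive' }

    New-Object PSObject -Property @{
        Verdict = $verdict; Found = $found; NotRemoved = $kept; HiddenFlagSet = $hiddenSet
    }
}

# Constructed samples: abridged from the two transcripts above, with straight quotes.
$lab = @'
VERBOSE: [07:16:52.650 GMT] Set-Mailbox : [Microsoft Cmdlet Extension Agent] Found Address List "\barry".
VERBOSE: [07:16:52.665 GMT] Set-Mailbox : [Microsoft Cmdlet Extension Agent] Remove Address List "\barry" to
AddressListMemberShip of the recipient.
VERBOSE: [07:16:53.991 GMT] Set-Mailbox : The properties changed on the object 'caroline test' are: "{
HiddenFromAddressListsEnabled[msExchHideFromAddressLists, msExchRecipientTypeDetails]=$True }".
'@ -split "`r?`n"
$live = @'
VERBOSE: [10:23:44.236 GMT] Set-Mailbox : [Microsoft Cmdlet Extension Agent] Found Address List "\All Rooms".
VERBOSE: [10:23:44.408 GMT] Set-Mailbox : The properties changed on the object 'Brian bloke' are: "{
AddressListMembership[showInAddressBook]={  }, ReadOnlyAddressListMembership[showInAddressBook]={  } }".
'@ -split "`r?`n"

(Test-GalHideVerbose -Line $lab).Verdict
(Test-GalHideVerbose -Line $live).Verdict
```

The function only inspects text, so it can be fed lines saved from a transcript of the `Set-Mailbox ... -v` run before and after the RBAC reset.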