Moving from Exchange 2007 -> 2010, EAS, allow all devices in grace period

Posted on 2011-10-03
Last Modified: 2012-06-21
We are in the process of moving all mailboxes from 2007 to 2010. We have activated ActiveSync quarantine for all new devices.
Existing ActiveSync devices are set with the following after moving of mailbox:
 DeviceAccessState       : Allowed
 DeviceAccessStateReason : Upgrade
After 7 days the upgrade grace period ends and the device is quarantined until specifically allowed.
We would like to set all devices with DeviceAccessStateReason "Upgrade" to "Individual" so that they do not get quarantined. All devices previously used with Exchange 2007 should be allowed.
Is there a way to do this in EMC/EMS? Script?
Question by:tooore
    LVL 11

    Assisted Solution

    I'm unsure if you should change this, and I'm not certain exactly what the different values are so I urge you to check before trying.

    Import-Module ActiveDirectory

    Is needed for this to work, will probably work with Quest ActiveRoles as well, but with Get-QADObject instead of Get-AdObject.

    $Devices = Get-ActiveSyncDevice | where {$_.DeviceAccessStateReason -like '*upgrade*'}
    $Devices | foreach {
        # Read the device object together with the attribute behind DeviceAccessStateReason
        $ASD = Get-ADObject -Properties msExchDeviceAccessStateReason $_.DistinguishedName
        $ASD.msExchDeviceAccessStateReason = '1'
        Set-ADObject -Instance $ASD
    }

    The value you want to change is called msExchDeviceAccessStateReason and has a numeric value if you look in Active Directory, which is translated to a readable value depending on the number. I don't know which one is what, only that 1 is Global.

    To check which number you want, do this:
    # Filter first, then keep one match; -ResultSize 1 ahead of the filter only tests the first device returned
    $Temp = Get-ActiveSyncDevice | where {$_.DeviceAccessStateReason -like '*upgrade*'} | select -First 1
    (Get-ADObject -Properties msExchDeviceAccessStateReason $Temp.DistinguishedName).msExchDeviceAccessStateReason
    $Temp = Get-ActiveSyncDevice | where {$_.DeviceAccessStateReason -like '*Individual*'} | select -First 1
    (Get-ADObject -Properties msExchDeviceAccessStateReason $Temp.DistinguishedName).msExchDeviceAccessStateReason


    Author Comment

    Thank you for the detailed help, I don't think I dare change these values.

    I just found that I can, sort of, accomplish what I want by setting the Device ID as allowed for the user with this EMS command:
    Set-CASMailbox -ActiveSyncAllowedDeviceIDs "123456789ABC" -Identity [user]

    The device which was in Upgrade grace period now is set to allowed Individual.
    A bore doing this for many devices, but it works and I'm not good in PS scripting :)
    LVL 11

    Accepted Solution

    Where do you get this ID from?

    $Devices = Get-ActiveSyncDevice | where {$_.DeviceAccessStateReason -like '*upgrade*'}
    # Set-CASMailbox (not Get-CASMailbox) is the cmdlet that accepts -ActiveSyncAllowedDeviceIDs
    $Devices | foreach {Set-CASMailbox -ActiveSyncAllowedDeviceIDs $_.DeviceID -Identity $_.UserDisplayName}

    Would this work?

    I'm unsure if the DeviceID is the one you want, but if you try
    Get-ActiveSyncDevice | fl

    you should be able to determine which one you want to set.

    Author Closing Comment

    Thank you, DeviceID from Get-ActiveSyncDevice is what needs to be set in Set-CASMailbox -ActiveSyncAllowedDeviceIDs.

    But there is also a problem when users have multiple devices, so I think I'll put this to rest and perform the job manually.
    LVL 11

    Expert Comment

    You can create a script that will take that into account.
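
One way to take multiple devices per user into account, as an added example that is not from the thread's participants: it groups the upgrade-state devices per user and merges their IDs with the IDs already allowed, because a value passed to `Set-CASMailbox -ActiveSyncAllowedDeviceIDs` replaces the existing list. It assumes, as the thread's one-liner does, that `UserDisplayName` is accepted as `-Identity`; the `-Apply` switch is a name chosen here.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2010).
# Dry run by default (-WhatIf); call the script with -Apply to write the change.
param([switch]$Apply)

$whatIf = -not $Apply

# Only devices that are Allowed because of the upgrade grace period.
# Quarantined or blocked devices are left alone, so the quarantine
# policy for new devices is not bypassed by this bulk change.
$upgrade = Get-ActiveSyncDevice -ResultSize Unlimited | Where-Object {
    $_.DeviceAccessState -eq 'Allowed' -and $_.DeviceAccessStateReason -eq 'Upgrade'
}

# One Set-CASMailbox call per user, so several devices of the same user
# land in one list instead of overwriting each other.
foreach ($group in ($upgrade | Group-Object UserDisplayName)) {
    # Assumption taken from the thread: UserDisplayName works as -Identity.
    $mbx = Get-CASMailbox -Identity $group.Name

    # Keep IDs that were already allowed, add the upgrade-state ones, de-duplicate.
    $existing = @($mbx.ActiveSyncAllowedDeviceIDs)
    $new      = @($group.Group | ForEach-Object { $_.DeviceID })
    $merged   = @($existing + $new | Where-Object { $_ } | Sort-Object -Unique)

    # Emit a record of what changes, for the change log or a later audit.
    New-Object PSObject -Property @{
        User    = $group.Name
        Added   = ($new | Where-Object { $existing -notcontains $_ }) -join ','
        Allowed = $merged -join ','
    }

    Set-CASMailbox -Identity $mbx.Identity -ActiveSyncAllowedDeviceIDs $merged -WhatIf:$whatIf
}
```

Review the dry-run output before running with `-Apply`, then confirm with `Get-ActiveSyncDevice | fl` that the affected devices show the reason Individual instead of Upgrade.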
