jwcchelpdesk
asked on
Removing Active Sync from disabled accounts
We are currently using Forefront Identity Manager to create\disable\delete accounts through the assistance of a 3rd party company that assists colleges for integration with Ellucian Banner. Anyway, we are coming across an issue that when FIM disables an account and tries to move it to our Disable Accounts OU, it is unable to do so. The common factor is these accounts have active sync on them.
The 3rd party company suggested to us that we manually delete the EAS from the disabled accounts. We can manually remove the EAS from the accounts, then FIM will move the account(s) to the proper OU on its next sync. However when more and more accounts have EAS, it seems counter-productive. My question to the Experts is this: is there a PowerShell script that we can run that will remove all of the EAS from any disabled accounts so that FIM can move the accounts to the proper OU?
Thanks!
ASKER
Will this actually remove the EAS folder from their account in AD, or just disable it in Exchange? We need the folder deleted, then FIM can move the account.
EAS-folder-in-AD.PNG
Try this (I have not tried it myself):
$devices = Get-Mailbox -resultsize unlimited | where { $_.ExchangeUserAccountControl -match 'AccountDisabled'}
foreach ($device in $devices)
{
Remove-ActiveSyncDevice -Identity $device -confirm:$false
}
ASKER
Here's the error message I receive when I run the above script to remove devices from accounts:
Remove-ActiveSyncDevice : Cannot bind parameter 'Identity'. Cannot convert the "<Name of User>" value of type "Microsoft.Exchange.Data.Directory.Management.Mailbox" to type "Microsoft.Exchange.Configuration.Tasks.ActiveSyncDeviceIdParameter".
At C:\Scripts\ActiveSync\ActiveSyncRemoval.ps1:26 char:36
+ Remove-ActiveSyncDevice -Identity <<<< $device -confirm:$true
+ CategoryInfo : InvalidArgument: (:) [Remove-ActiveSyncDevice], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.Exchange.Management.Tasks.RemoveMobileDevice
ASKER
I think I have figured it out. I also want to be sure it outputs to a CSV file which accounts EAS was removed from, but I think I may have my export in a wrong spot. Here is what I have:
#Variables
$FilePath = "C:\Scripts\ActiveSync\removed-eas.csv"
$OuDomain = "<OU location has been removed>"
$StaleDevices = Get-Mailbox -resultsize unlimited -OrganizationalUnit $OuDomain | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox:$_.Identity} `
| where { $_.ExchangeUserAccountControl -match 'AccountDisabled'} | select -expand Identity
foreach ($device in $StaleDevices)
{
Remove-ActiveSyncDevice -Identity $device -confirm:$true
}
| Select-Object DisplayName , Alias | Export-Csv $FilePath -NoTypeInformation
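One way to restructure the script above so the disabled-account filter, the device removal and the CSV export each sit where they work, as an added example that is not any participant's script from this thread. It assumes the Exchange Management Shell with the same ActiveSync cmdlets used above; `$OuDomain` is a placeholder, and the `UserMailbox` restriction and the `-WhatIf` support are additions made here.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Dry run first:  .\Remove-DisabledEas.ps1 -WhatIf   (script name is hypothetical)
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OuDomain = '<OU distinguished name>',   # placeholder
    [string]$FilePath = 'C:\Scripts\ActiveSync\removed-eas.csv'
)

# Filter on the mailbox object: ExchangeUserAccountControl is a mailbox
# property, so testing it on device statistics never matches anything.
# Shared and resource mailboxes also sit on disabled accounts, so limit
# the sweep to regular user mailboxes.
$disabled = Get-Mailbox -ResultSize Unlimited -OrganizationalUnit $OuDomain |
    Where-Object {
        $_.RecipientTypeDetails -eq 'UserMailbox' -and
        $_.ExchangeUserAccountControl -match 'AccountDisabled'
    }

$report = foreach ($mbx in $disabled) {
    # Remove-ActiveSyncDevice wants a device identity, not a mailbox; passing
    # the mailbox is what raised "Cannot bind parameter 'Identity'".
    # @() keeps the loop from running once on $null under PowerShell 2.0.
    foreach ($dev in @(Get-ActiveSyncDevice -Mailbox $mbx.Identity)) {
        $result = 'Skipped'
        if ($PSCmdlet.ShouldProcess("$($dev.Identity)", 'Remove-ActiveSyncDevice')) {
            try {
                Remove-ActiveSyncDevice -Identity $dev.Identity -Confirm:$false -ErrorAction Stop
                $result = 'Removed'
            } catch {
                $result = "Failed: $($_.Exception.Message)"
            }
        }
        # One row per device, emitted from inside the loop so the export
        # records which accounts were touched and what happened.
        New-Object PSObject -Property @{
            DisplayName = $mbx.DisplayName
            Alias       = $mbx.Alias
            DeviceType  = $dev.DeviceType
            DeviceId    = $dev.DeviceId
            Result      = $result
        }
    }
}

# A foreach statement cannot be piped directly; capture its output first.
if ($report) {
    $report | Select-Object DisplayName, Alias, DeviceType, DeviceId, Result |
        Export-Csv $FilePath -NoTypeInformation
}
```

The CSV doubles as a change record: keep it with the FIM sync logs so a later review can tie each removed device partnership to the account that was disabled.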
ASKER
I posted my problem on EE, and another site, and between the two sites giving great help, I came up with the script.
If you are happy try this:
For all the mailboxes in a given OU: