Exchange mailbox/folders permissions – dependency graph between users.

The following solution uses the GraphViz application to visualize mailbox permission dependencies in the company.

Some time ago I published scripts for reading mailbox permissions:

and mailbox folder permissions:

If some of you are wondering what GraphViz is, a quick Google image search for the phrase “graphviz” gives an idea of how gorgeous the graphs it can create are:


All GraphViz needs is a properly formatted input file – that’s it!


The need for such a script showed up when I was facing a migration of users to Exchange Online. I started to wonder how I could visualize in a simple way who needs to be migrated together…


It was not an easy task; going through an Excel/CSV file, or even creating lists, was not satisfying for me, so I started to think about it more, even during meals…


And then I found GraphViz:

It was looking really good! So now it was just a matter of a quick read about it and checking whether it would apply…


…reviewing the idea…


…some calculations…


And after all that research the idea became clear…


As I mentioned at the beginning, the input file can be produced with one of the mailbox permissions / mailbox folder permissions reading scripts – links provided at the top (you might need to change the delimiters a little bit, as I guess these files use “;”, but go for adventure and modify something :))

The proper input should look like:


So it has columns named “Mailbox”, “User” and “AccessRights”

And now the script. In the organization I was building the script for, it turned out that we had so many permissions I almost shat bricks when I saw the actual output (graph)…

Just take a look yourself, here is just a very small piece of the graph from when I was checking dependencies of just one mailbox – mine:



Let’s go closer:



Imagine now that whole dependency graph contained like 10 more same chunks/pieces, 10 more, 10 fuck*ng times!

Well, I needed somehow to…


So the idea of migrating people together in chunks fell down and broke into pieces :] but at least we have that nice script.

  1. First thing is to get GraphViz application and install it:

Here you can find it:

After installation all you need to do is read your mailbox permissions – you can choose to read them with the scripts from the links given at the beginning of this article.

  2. Next thing is to set up 3 variables:


$GraphImageFile = “GraphImageFile.png” -> this is the name/path of your output file – actual graph

$GraphGraphVizFile = “GraphVizFile.gv” -> this is the name/path of the input file that will be passed to GraphViz to visualize your data, it will look similar to this one:


$CSVPermissionsFile = “Permissions.csv” -> and finally this is the input file for the script – so the output from your script that reads permissions from mailboxes

  3. Having the CSV we can start reading permissions, so here are some examples.

After running below:

.\PermissionMatrixGraphBuilder.ps1 -users “Pawel Jarosz”, “Wladek Ksiegowicz”


We will get:


Users mentioned in the “Users” array will be marked in blue, and nice arrows will show the direction of permissions 🙂

After running:

.\PermissionMatrixGraphBuilder.ps1 -users “Pawel Jarosz”, “Wladek Ksiegowicz” -SingleUser $true


We will get:


And finally after running same but with “level” set to 1 we will get:

.\PermissionMatrixGraphBuilder.ps1 -users “Pawel Jarosz”, “Wladek Ksiegowicz” -Level 1


That will run through the whole file ONLY ONE TIME, and what we will get would be something like:


So summing up – for me the script does a good job when it comes to visualizing data that would actually be really hard to see in an Excel file.

It is just an easy script, please note that you can add here features like:

  • adding description to each “connection” saying to which folder permissions are given
  • reading mailbox sizes and adding them to the graph so it can ease planning of migration of certain groups of people
  • remember – possibilities are endless:




Script can be found on TechNet and GitHub.
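
The CSV-to-GraphViz step described in this post, as an added PowerShell example that is not the author's PermissionMatrixGraphBuilder.ps1: it reads rows with the “Mailbox”, “User” and “AccessRights” columns, collects everything connected to the seed users, and writes DOT input for GraphViz. The function names, the sample rows, the meaning of Level 0 and the User -> Mailbox arrow direction are assumptions; it needs PowerShell 5 or later.

```powershell
# Added example, not PermissionMatrixGraphBuilder.ps1. Sample rows are constructed.
$rows = @'
Mailbox,User,AccessRights
Pawel Jarosz,Wladek Ksiegowicz,FullAccess
Shared Finance,Wladek Ksiegowicz,FullAccess
Shared Finance,Anna Nowak,ReadPermission
Jan Kowalski,Ewa Lis,FullAccess
'@ | ConvertFrom-Csv

function Get-PermissionCluster {
    # Collect every row reachable from the seed users. Level 0 (assumed meaning)
    # repeats passes over the rows until no new name appears; Level N stops after N passes.
    param([object[]]$Rows, [string[]]$Users, [int]$Level = 0)
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($u in $Users) { [void]$seen.Add($u) }
    $pass = 0
    do {
        $before = $seen.Count
        foreach ($r in $Rows) {
            if ($seen.Contains($r.Mailbox) -or $seen.Contains($r.User)) {
                [void]$seen.Add($r.Mailbox); [void]$seen.Add($r.User)
            }
        }
        $pass++
    } while ($seen.Count -gt $before -and ($Level -eq 0 -or $pass -lt $Level))
    $Rows | Where-Object { $seen.Contains($_.Mailbox) -and $seen.Contains($_.User) }
}

function Format-DotId {
    # Quote a name for DOT; escaping \ and " keeps directory display names inside the quotes.
    param([string]$Name)
    '"' + ($Name -replace '(["\\])', '\$1') + '"'
}

function ConvertTo-Dot {
    param([object[]]$Edges, [string[]]$Highlight)
    $lines = @('digraph permissions {', '  node [shape=box];')
    foreach ($u in $Highlight) { $lines += "  $(Format-DotId $u) [style=filled, fillcolor=lightblue];" }
    foreach ($e in $Edges) {
        # Arrow direction User -> Mailbox ("has rights on") is an assumption.
        $lines += "  $(Format-DotId $e.User) -> $(Format-DotId $e.Mailbox) [label=$(Format-DotId $e.AccessRights)];"
    }
    ($lines + '}') -join "`n"
}

$seed = 'Pawel Jarosz'
$dot  = ConvertTo-Dot -Edges (Get-PermissionCluster -Rows $rows -Users $seed) -Highlight $seed
[System.IO.File]::WriteAllText((Join-Path $PWD 'GraphVizFile.gv'), $dot)  # UTF-8, no BOM
# Render (GraphViz installed): dot -Tpng GraphVizFile.gv -o GraphImageFile.png
```

With the constructed rows, the cluster for “Pawel Jarosz” contains three edges and leaves out the unrelated “Jan Kowalski” / “Ewa Lis” pair, which is the "who must move together" answer the graph is meant to give.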


Exchange 2016 how to change ECP language

Just installed Exchange 2016, opened OWA – I chose the Polish language, then opened ECP and the first impression was like: ‘Ok, Great! Now how to change the language to English…’ 🙂 Same as in Exchange 2013, if we choose the timezone and language for OWA, the same will be set for us in ECP (actually the same as in other versions, but in Ex2013 we really use that ECP as we do not have another console).

So here is Nuno’s nice article telling how to change it:

Easiest way: simply add ?mkt=EN-us to the EAC’s URL:

SingleItemRecovery in Exchange 2013, recovering emails from Purges folder with Search-Mailbox cmdlet.

Sometimes I got a call from a user claiming that some data from his mailbox has been removed by an invisible force.

Usually I am able to find lost folder/files under other sub folder (Well! Would you look at that!)

User then tries to tell he/she didn’t do anything. IT WAS OUTLOOK!

Yup, definitely Outlook…

There are moments when items indeed haven’t been moved but deleted. What options do we have? Here I would like to highlight functionality called “Single Item Recovery”. To enable it we can use:

Set-Mailbox <mailbox_name> -SingleItemRecoveryEnabled $true


What happens when a user deletes data from his mailbox? The items go to “Deleted Items” in the first place; later, if an item has been removed from there as well, it goes to “Recover Deleted Items”, which allows the user to recover items from Outlook in those 4 steps:


When the user removes the items from the above place, they go to another folder that is not visible to the user, called “Purges”.

There is a great article about that work-flow on technet:

Below picture comes from there as well:

On testuser1 I have removed everything from “Recover Deleted Items” but one item – just to let you see how it would be visible. To get the number of items that sit in “Purges” we can use the command below:

Get-MailboxFolderStatistics -Identity “<mailbox_name>” -FolderScope RecoverableItems -IncludeAnalysis | ft

So we clearly see here that there is something we can recover; there is also one item in “Deletions”, and that folder shows us the items in the “Recover Deleted Items” option in Outlook.

Now how to get those elements from there? We can use a Search-Mailbox query for that:

Search-Mailbox <source_mailbox_name> -TargetMailbox <destination_mailbox_name> -TargetFolder ODZYSK3 -SearchDumpsterOnly

With SearchDumpsterOnly we limit the scope of our search to “Deletions” and “Purges” – it is not searching in the “Deleted Items” folder as you might think.


An interesting thing is that if any of the recovered messages had already been read – in this example we hadn’t read any of them – that status would be remembered, and it would also be reflected in the target mailbox after recovery. So for example if 4 messages that were in Purges were read, the unread counter on the Purges folder in the target mailbox will show us 3135.

What we can do now is to export that to PST and import to the proper mailbox 🙂

We need to do it that way as we cannot give the target mailbox the same name as the source mailbox in the Search-Mailbox cmdlet.

So hey! We have recovered the deleted elements! We didn’t let ourselves be surprised, we were prepared! Just like Ross 😀


Circular logging and adding new (second) database copy in Exchange 2013 DAG

Database “<DB_NAME>” has circular logging enabled. It is not possible to add or remove database copies while circular
logging is enabled. Please disable circular logging before adding or removing mailbox database copies. – this kind of error you might receive when trying to run command: Add-MailboxDatabaseCopy

Adding a new (second) mailbox database copy in a DAG forces us to turn off JET circular logging on the database; of course we need to do it only when creating the first copy.

When you try to do it without it you might see below error:


Circular logging can be disabled on the database using the command:

Set-MailboxDatabase wrodb02 -CircularLoggingEnabled $false

So after that we get the message below with a reminder about dismounting the database:

But let’s see what will happen if we don’t believe that and try to add a DB copy without re-mounting the database.

We may get:

The seeding operation failed. Error: An error occurred while performing the seed operation. Error: Failed to open a
log truncation context to source server ‘<SERVER_NAME>’. Hresult: 0xc7ff07db. Error: Failed to open a log
truncation context because ESE-level circular logging is enabled. Please dismount and then mount the database.

Ok, so now I definitely see that this cannot be done this way, I knew that, but now we’ve tested it.

It ain’t that I don’t understand what they give in books.

I just want to try what would happen! 😉

However, after re-mounting the DB and trying to add the DB copy, we got another error:

The database “WRODB02” already has a copy hosted on server “<SERVER_NAME>”. Choose a different server.


Weird, so it looks like the database is already mounted, checking that…and yeah, it is!:

Ok! So let’s resume the database copy:


Hell yeah! So actually I was thinking that despite the warning it worked, no need to re-mount the database. Buuut.. my joy did not last long, after a few minutes I got the “FailedAndSuspended” status. I thought that it was somehow the fault of “ContentIndexState” being “Suspended”, but repairing that didn’t help:

So.. I ended up with a full update of the database from the other server.

Once the database is already in a DAG, there is no need to dismount it when switching circular logging on or off; that goes smoothly without re-mounting it:


Creating DAG on Windows Server 2012 R2 and Exchange 2013 SP1 without Administrative Access Point? YES!

So we know that creation of a DAG was always connected to creating a DAG computer object in AD; when using Windows Server 2012 or 2012 R2, pre-staging of the CNO in AD is required.

So we use one additional computer account, and an IP address. However, is it possible to create a DAG without having those at all? The answer is – YES, and here is the great article telling us how to do it:

Cluster Administrative Access Point and Database Availability Group


Dynamic memory for Exchange 2013 – why not supported?

The recommendation not to use dynamic disks for crucial applications can be explained quite easily – as the system saves new data to the disk, each save operation means a disk expansion, which takes valuable time. But what is so special about Exchange and dynamic memory, the use of which is also not recommended by Microsoft?

Bhargav Shukla and Paul Robichaux in their book “Core Solutions of Microsoft Exchange Server 2013 (MCSE)” explain why dynamic memory might be a problem for Exchange 2013, here is the piece that is very interesting:

“Exchange 2013 code is optimized to strike a balance between the efficient use of memory and reducing the I/O footprint. To achieve these efficiencies, Exchange relies on a calculated cache for each database being hosted on the server, as well as the memory reserved for Exchange subsystems. When dynamic memory is in use, this can result in incorrect memory calculations and it can cause Exchange to start with less memory than is available.”

So that makes sense, and here is the place where RAM allocation is shown in a really nice way:

Also interesting thing is that oversubscription of processor is supported, the recommended ratio is 1:1 (of course ;]), but supported is 2:1, so that would mean that for ex. 1 physical CPU of an ESX host, can be shared only between two machines (Exchange or any other).

Capacity planning for Exchange

I am now preparing for the MCSE in Exchange 2013 and reviewing the book for the 70-341 exam [Core Solutions of Microsoft Exchange Server 2013 (MCSE)].

I was just going through the chapter about capacity planning and found some useful links related to it, which I thought were worth sharing:

How to Calculate Your Disk I/O Requirements (Exchange 2003)

Exchange 2013 Server Role Requirements Calculator v7.6

Disk Performance Testing with JetStress 2013

Exchange 2010 Sizing Cheat Sheet

Exchange 2013 Mailbox Role Counters (Advanced)

Ask the Perf Guy: Sizing Exchange 2013 Deployments

Virtualization of Exchange 2013

Removing mailbox database, word about arbitration mailboxes, and mailbox move statuses.

I was doing some work on my lab and re-configuring the DAG on Exchange 2013; after creating new databases I decided to remove the old ones that were created along with the Exchange installation. I had moved all mailboxes and had also checked whether any archives were there, but surprisingly I got the error below when trying to remove the mailbox database through PowerShell:

This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, public folder mailboxes or
arbitration mailboxes. To get a list of all mailboxes in this database, run the command Get-Mailbox -Database
<Database ID>. To get a list of all mailbox plans in this database, run the command Get-MailboxPlan. To get a list of
archive mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Archive. To get a list of all
public folder mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -PublicFolder. To get a
list of all arbitration mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Arbitration.
To disable a non-arbitration mailbox so that you can delete the mailbox database, run the command Disable-Mailbox
<Mailbox ID>. To disable an archive mailbox so you can delete the mailbox database, run the command Disable-Mailbox
<Mailbox ID> -Archive. To disable a public folder mailbox so that you can delete the mailbox database, run the command
Disable-Mailbox <Mailbox ID> -PublicFolder. Arbitration mailboxes should be moved to another server; to do this, run
the command New-MoveRequest <parameters>. If this is the last server in the organization, run the command
Disable-Mailbox <Mailbox ID> -Arbitration -DisableLastArbitrationMailboxAllowed to disable the arbitration mailbox.
Mailbox plans should be moved to another server; to do this, run the command Set-MailboxPlan <MailboxPlan ID>
-Database <Database ID>.
    + CategoryInfo          : InvalidOperation: (Mailbox Database 0027173074:DatabaseIdParameter) [Remove-MailboxDatab
   ase], AssociatedUserMailboxExistException
    + FullyQualifiedErrorId : [Server=WROEX13A,RequestId=70a73e2f-b187-4e19-879d-67f6978b2d68,TimeStamp=8/29/2015 5:44
   :21 PM] [FailureCategory=Cmdlet-AssociatedUserMailboxExistException] E6FCD23B,Microsoft.Exchange.Management.System
    + PSComputerName        : wroex13a.zaic12.local


It was the same with the Exchange Administrative Center:


I must admit it was a…


…for me.

I was pretty sure I’ve moved everything:


Buuut… after getting into the actual message, I noticed it was talking about one thing I hadn’t checked – arbitration mailboxes.

More information about arbitration mailboxes can be found on Technet:

This one and many others are really nicely described on this blog:

So after reading the actual error I moved the mailboxes to a different database and the removal worked properly:


What you may have noticed are the statuses of the move requests above: “Finalization”, “Relinquished”, “Cleanup” and “InitialSeeding”. Being honest, I have never been patient enough to look at those statuses when working on production 🙂

So seeing those I was curious, as previously all I remember seeing were just a few statuses, and I decided to check the help for that; unfortunately Technet is not explaining those under:

The only statuses described there are:


“InitialSeeding” I guess is the first status that a move gets after being “Queued”, later the status might go to “InProgress”, and “Finalization” I guess is something that happens just after “CompletionInProgress” and “Cleanup”.

Here we can find even some more…:

…like “CopyingMessages” or “LoadingMessages”.

The status “Relinquished” was received while restarting the “Microsoft Exchange Mailbox Replication” service (MRS) whilst the mailbox was queued, or maybe I thought it was queued but it changed to “InProgress” just a second after I checked that (or maybe I was just a little bit impatient :P)

Anyway, it would be great if there was an article with an explanation for each step within the move mailbox operation, including those that have been mentioned here, as we see that Technet is missing some of these.