Exchange 2007 Outlook Web Access Error The Password does not meet the minimum security requirements

In Microsoft Exchange OWA (Outlook Web Access), a user attempts to change the account password and gets the error “The password supplied does not meet the minimum security requirements”. The error appears even though password complexity is disabled in the applied GPO.

OWA error message

The cause of the error is the Minimum password age setting in one or more of the GPOs applied to the OWA host: a nonzero minimum age rejects a password change made within that window, and OWA reports the rejection with this misleading complexity message.

Change the policy setting for Minimum password age to 0, then either run GPUPDATE /FORCE or just reboot the host.

GPO for Min Password Age

Replace Outlook Mail, Contacts, and Calendar with Thunderbird

My company uses MS Exchange 2013 for mail, contacts, calendars, and tasks. However, we have a lot of users on Linux desktops that can’t run Outlook. For others, the new Outlook 2013 is a horrible monstrosity of flat icons on an all-white background that burns your eyes after a few hours in front of the monitor. So I was after a complete replacement for Outlook to access email, contacts, and calendar on Exchange. Well, email is easy. Calendar, not so much. Contacts seem deliberately designed to make the task complicated. But here is a working solution using Thunderbird with some available plugins. These examples were taken from a machine running Mint 17 64-bit, but the same steps should work well on Windows.


Install Thunderbird

Thunderbird is the Mozilla-based mail client. It comes installed on many Linux distros. If you need to install it for any reason, you can find it in the repos or directly from the Thunderbird website: https://www.mozilla.org/en-US/thunderbird/


Configure Thunderbird for Exchange Mail

  1. Add a new mail account (Edit > Account Settings > Account Actions button > Add Mail Account).
  2. If you get prompted to create a new address at some third-party service, select “Skip this and use my existing email”.
  3. Enter your name as it should be displayed, your email address, and your password.
  4. Thunderbird will most likely fail to autodetect the settings for Exchange. An expanded window will appear prompting for your Exchange settings, which the email admin can provide. You need the IMAP settings and the SMTP settings, and note that the username usually takes the form DOMAIN\Username.
  5. Hit Done when complete.


Install Lightning for Thunderbird

Lightning is a Thunderbird add-on that provides the calendar and task list services. Installation is done from within Thunderbird.

  1. Click Tools > Add-ons (or use the menu button on the right and pick Add-ons; to get the menu bar back, right-click to the right of the tabs and select Menu Bar).
  2. In the search box, enter ‘lightning’.
  3. Select the Lightning add-on, install it, and restart.


Install Exchange connector

The real trick here is getting the calendar, contacts, and tasks to sync with Exchange.   The only plug-in that I’ve found that does this is located at http://www.1st-setup.nl/wordpress/?page_id=551

  1. Open that link and download the latest version of the plugin.
  2. Save the .xpi file on your machine.
  3. From Thunderbird, open the add-on manager (Tools > Add-ons).
  4. Click the gear button next to the search box and select “Install Add-on From File”.
  5. Select the .xpi file you just downloaded.
  6. Restart Thunderbird.


Configure Calendar

  1. Click the Calendar button to open the calendar tab.
  2. Right-click the blank space under the calendar list and select “New Calendar”.
  3. Select “On the Network” and click Next.
  4. Select “Microsoft Exchange 2007/2010/2013” and click Next.
  5. Give the calendar a name like “Exchange Calendar” and pick the email address associated with the Exchange account (this should match the one you just set up for IMAP above). Hit Next when done.
  6. Click Autodiscover (any good admin has this set up). Fill in the username and the domain, leave the Folder ID field empty, and click “Perform Autodiscovery” when ready.
  7. You will probably be prompted for your email account password. Enter the password and continue.
  8. You will probably get the option to pick an EWS server. You’ll probably only have one in the list; otherwise, ask your admin. Continue when ready.
  9. You will get a final window showing the calendar root. Make edits as needed, but most can just accept the default and hit Next.
  10. In the list of calendars, you should now see an entry for your calendar on Exchange.


Configure Contacts

  1. In Thunderbird’s inbox tab, select Address Book.
  2. In the Address Book window, select “Add Exchange Contact Folder”.
  3. Enter a descriptive name.
  4. Check “Add Global Address List to search results”.
  5. Check “Use Exchange’s Autodiscovery function”.
  6. Enter your email address, username, and domain in the correct fields and perform the autodiscovery when ready.
  7. Once again, enter the password if prompted and pick the correct EWS server if prompted.
  8. Make edits to the contact root folder as needed. Most can leave it at the default. If your company uses a Public Folder for contacts, you can change the root to Public Folders and browse to the correct folder.


That’s it. You can add as many calendars and address book entries as you need. I did this and now have a very good solution to replace Outlook on any desktop.

Prevent Users from changing Pictures in Exchange 2013

Yes, in Exchange 2013, users were given the ability to edit the user picture that is stored in the directory (LDAP) for display on their profile across Microsoft’s suite of products.

Seems like a harmless function right? Microsoft is so desperate to be viewed as a ‘cool social media like product’ that users will take advantage of the customizable settings. Well, if left unchecked, the user photos quickly become a mixture of Kittens, logos, TV characters, and borderline raunchy images. No good, especially since users have NO IDEA that these images might be viewed by outside entities. Highly unprofessional!!!

So the goal here is to allow the use of photos that an admin or a security person uploads into the directory, let users view the photos, but keep users from changing the photo.

The only way I’ve found to do this is by using an OWA mailbox policy.

Open a PowerShell session on Exchange 2013 and run the following.
First we list the mailbox policies and set the option that enables photo changes to False.
Second we apply the policy to all mailboxes.

Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -SetPhotoEnabled:$false
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -OwaMailboxPolicy Default

To test, sign into OWA as a user and check the two spots where users can change photos; ensure the options to edit the photo are gone:
1) Under the photo in the main display.
2) Under the user’s profile options in the ‘My account’ page.

NOTE: Be aware that the last time I installed a Cumulative Update, these settings reverted to the default behavior and I had to re-apply the mailbox policy.
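Because the setting can revert after an update, a check worth scheduling is one that finds any OWA mailbox policy that still allows photo changes and any OWA-enabled mailbox with no policy assigned, and re-applies the two commands above only where needed. This is an added example, not code from the original post; it assumes the Exchange 2013 Management Shell and the policy named Default used above.

```powershell
# Added example (not from the original post). Assumes Exchange 2013 Management Shell
# and that "Default" is the OWA mailbox policy the post applies to every mailbox.

# 1. Any policy where users can still change their photo?
$open = Get-OwaMailboxPolicy | Where-Object { $_.SetPhotoEnabled }
if ($open) {
    Write-Warning ("Photo editing still enabled in policy: " + ($open.Name -join ', '))
    $open | Set-OwaMailboxPolicy -SetPhotoEnabled:$false
} else {
    Write-Host "OK: no OWA mailbox policy allows photo changes"
}

# 2. Any OWA-enabled mailbox that has no OWA mailbox policy at all?
#    Such a mailbox is not covered by the setting fixed in step 1.
$unassigned = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAEnabled -and -not $_.OwaMailboxPolicy })
if ($unassigned.Count -gt 0) {
    Write-Warning ("{0} OWA-enabled mailbox(es) have no OWA mailbox policy" -f $unassigned.Count)
    $unassigned | Set-CASMailbox -OwaMailboxPolicy Default
} else {
    Write-Host "OK: every OWA-enabled mailbox has an OWA mailbox policy"
}
```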

Setup Exchange 2013 Mailbox on Outlook without Autodiscover

I have had this issue come up a few times. I had the need to set up an employee’s laptop with access to an Exchange 2013 mailbox. However, the employee was using a laptop that was not a domain member and could not use Autodiscover to automate the Outlook setup.

In Exchange 2010 and earlier, one could just manually configure the Exchange account with the name of the Exchange server, i.e. mail.company.com.
In Exchange 2013, the Exchange server name uses the format GUID@company.com, where GUID is the mailbox GUID and is unique to each user. That basically means that end users now need a specific value in the server field that only an Exchange administrator can provide.

So the first thing we need is the GUID for the account’s mailbox. Use the Exchange PowerShell Get-Mailbox cmdlet to get the information (without -Identity it lists every mailbox):

Get-Mailbox -Identity clark.kent | Format-List Name, ExchangeGuid

You should get something like the following:

Name         : Clark Kent
ExchangeGuid : 39f83854-18b3-4bb2-baf1-9cc03c721c6b

Now go to the client’s system. We need to create a new account, either by running Outlook for the first time or in the “Account Settings” window. You can get to this window through Outlook from TOOLS -> ACCOUNT SETTINGS or from CONTROL PANEL -> MAIL -> EMAIL ACCOUNTS.

Note that the labels vary slightly between Outlook 2007, 2010 and 2013, but the steps are essentially the same.
1. Click NEW to add a new account.

2. Select Microsoft Exchange. Click Next.

3. In the Account Setup section, Check the option to “Manually configure server settings” and click Next.

4. From the E-Mail service window, select Microsoft Exchange and Click Next.

5. In the Exchange Server Field enter the GUID@company.com using the GUID returned from the Get-Mailbox Cmdlet and the mailbox domain (i.e. company.com).

6. In the Username Field enter the user email address (i.e. clark.kent@company.com).

7. Click the “More Settings” button. Select the Connection tab, check “Connect to Microsoft Exchange using HTTP” and click the “Exchange Proxy Settings” button.

8. In the Proxy Settings window, enter the FQDN of the mail server’s CAS host in the Proxy server field.

9. Click OK to apply the changes and NEXT to Finish the setup.

That should get the client connected to the Exchange 2013 mailbox.
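Since the admin has to hand these values to each user anyway, it helps to produce them in one step. The following is an added example, not from the original post: it assumes the Exchange 2013 Management Shell, and the alias and CAS host name are placeholders to replace.

```powershell
# Added example (not from the original post). Produces the values an Outlook 2013
# manual setup needs for one mailbox: the GUID@domain "server" name, the username,
# and the Outlook Anywhere proxy host. Assumes Exchange 2013 Management Shell.
function Get-OutlookManualSetupInfo {
    param(
        [Parameter(Mandatory = $true)] [string] $Identity,     # alias, UPN or display name
        [Parameter(Mandatory = $true)] [string] $ProxyServer   # CAS FQDN, e.g. mail.company.com
    )
    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop
    $smtp = $mbx.PrimarySmtpAddress.ToString()
    # Server field is <ExchangeGuid>@<SMTP domain of the primary address>
    $domain = ($smtp -split '@')[1]

    [pscustomobject]@{
        User           = $mbx.DisplayName
        ExchangeServer = "$($mbx.ExchangeGuid)@$domain"   # step 5
        UserName       = $smtp                            # step 6
        ProxyServer    = $ProxyServer                     # step 8
    }
}

# Placeholders: replace the alias and the CAS host with your own values
Get-OutlookManualSetupInfo -Identity clark.kent -ProxyServer mail.company.com | Format-List
```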

I honestly don’t see how this is an improvement over Exchange 2010, where all users could be given a simple set of instructions and could set up their own mailbox if Autodiscover didn’t work for them. 2013 requires administrator support for each user that needs a manual setup, since users can’t run the Exchange cmdlet needed to get the GUID. And before anyone says “Why don’t you just use Autodiscover”, there are times in the real world when you can’t use it. Not every domain is run like it would be in an enclosed lab.

If someone knows why this is better, please leave a comment and enlighten me.

Exchange 2010 List ActiveSync Devices removed from Quarantine and other States

Exchange 2010 has a feature in ActiveSync where the admin can set up Device Access Rules to control which devices may connect. The rules can be set up so that only certain devices can connect and all other devices are quarantined until an admin acts on them.

This works well for companies that only issue certain devices (i.e. BlackBerries) and want to block all Android phones and iPhones from using ActiveSync. However, there are always exceptions, especially when the CEO wants to use his iPhone. So the admin can explicitly allow the CEO’s iPhone to connect. However, the GUI does not report which devices are allowed, which met a rule, and which were given individual exemptions.

Here’s how I discovered how to get that info using Exchange PowerShell:

This command will list all ActiveSync devices that have been issued an individual exemption:

Get-ActiveSyncDevice -filter {DeviceAccessStateReason -eq 'Individual'}


The same cmdlet can be used to filter on any of the attributes of an ActiveSync device:

FriendlyName: The name the user gave their mobile device.
DeviceId: A unique identifier used by Exchange ActiveSync to identify each device’s partnership.
DeviceImei: The International Mobile Equipment Identity (IMEI) number of the mobile device.
DeviceMobileOperator: The mobile operator to which the mobile device was last connected.
DeviceOS: The name and version number of the operating system running on the mobile device.
DeviceOSLanguage: The language used by the operating system.
DeviceTelephoneNumber: The last four digits of the phone number.
DeviceType: The device family. If you want to control access for all device models in a device family, you can create a device access rule for that device family (see Microsoft’s “Create a New Device Access Rule”).
DeviceUserAgent: The device’s network protocol name, which identifies the client to the server.
DeviceModel: The device model. If you want to control access for a specific device model, you can create a device access rule for that device model only (see Microsoft’s “Create a New Device Access Rule”).
FirstSyncTime: The date and time the device first requested to connect with Exchange ActiveSync. This gives an idea of how old the device partnership is. For more information about the latest device connections, view the mobile device information from the user’s mailbox or user settings, or use the Get-ActiveSyncDeviceStatistics cmdlet.
UserDisplayName: The name of the person who is using the device.
DeviceAccessState: The access state of the device: Allowed, Blocked, Quarantined, or DeviceDiscovery. The last value indicates the device is temporarily quarantined while it is being identified by Exchange ActiveSync.
DeviceAccessStateReason: The reason for the device’s access state. Available values include:

  • Global   Caused by the global access setting
  • DeviceRule   Caused by a device access rule
  • Individual   Caused by an individual exemption
  • Policy   Caused by Exchange ActiveSync security policies
  • Upgrade   Caused by the upgrade of the user’s mailbox. This is a temporary state designed to give the device a chance to upgrade prior to being controlled by the rules and access settings.

DeviceAccessControlRule: The name of the rule that is affecting the device’s current access state, if any.
DeviceActiveSyncVersion: The version of the Exchange ActiveSync protocol used by the device.

For a Summary of the Active Sync Devices, try the following command:

Get-ActiveSyncDevice | Group-Object -property DeviceType

To view a count of devices of each device model, run the following command:

Get-ActiveSyncDevice | Group-Object -property DeviceModel

All these values are stored in AD and could also be queried via an LDAP search or a well-formed dsquery|dsget command.
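Putting the filters above together gives the report the GUI lacks: a count of partnerships per access state and reason, the individual exemptions with their owners, and the devices still waiting in quarantine. This is an added example, not from the original post, and assumes the Exchange 2010 Management Shell; the output file name is a placeholder.

```powershell
# Added example (not from the original post). Assumes Exchange 2010 Management Shell.
# Fetch every partnership once; -ResultSize Unlimited avoids the default 1000-item cap.
$devices = @(Get-ActiveSyncDevice -ResultSize Unlimited)

# 1. Summary: how many partnerships are in each state, and why (e.g. "Allowed, DeviceRule")
$devices |
    Group-Object -Property DeviceAccessState, DeviceAccessStateReason |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Detail: devices allowed by an individual exemption rather than by a rule.
#    These bypass the device rules, so they are the entries to review periodically.
$exempt = $devices | Where-Object { $_.DeviceAccessStateReason -eq 'Individual' }
$exempt |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId, FirstSyncTime |
    Sort-Object -Property UserDisplayName |
    Export-Csv -Path '.\EAS-IndividualExemptions.csv' -NoTypeInformation   # placeholder path

# 3. Devices still sitting in quarantine and which rule (if any) put them there
$devices |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceAccessStateReason,
                  DeviceAccessControlRule, FirstSyncTime |
    Format-Table -AutoSize
```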

AD attribute for MSAccessState

Android Phone Email Provisioning Errors with Exchange Active Sync

This problem came up for me recently. Several employees were trying to set up the Android phone email client to check mail on an Exchange 2010 mail server. They would constantly get the following message: “Remote Security Administration. The server requires that you allow it to remotely control some security features of your phone.”

Android Email Client Active Sync Error

There was a similar issue in Android with email account setups, traced to a bug in the way Android handles ActiveSync policies. This time around, we confirmed it to be the case with all versions of Android from 2.2 through ICS using the stock client.

The Fix / Workaround:

To get around this issue, we removed the default ActiveSync policy from the accounts in question. Not a great fix, since you lose the ability to force PINs and the like, but since the policy wasn’t being applied correctly anyway, it was an easy choice.

Step 1 – In the Exchange MMC, create a blank ActiveSync policy: MMC -> Organization Configuration -> Client Access -> Exchange ActiveSync Mailbox Policies tab. Create the new policy here and call it “Deleteme”. Highlight the policy and make it the default.

Step 2 – Since the GUI forces you to select a default policy, open PowerShell and run the following command:

Set-ActiveSyncMailboxPolicy "Deleteme" -IsDefaultPolicy $false

This forces the Deleteme policy to not be the default. The GUI should now show no default policy at all.

Step 3 – Assign the Deleteme policy to the mailbox for the user. MailBox Properties -> Mailbox Features -> Exchange ActiveSync (Click properties). Browse and select the Deleteme policy.

Step 4 – Go back to MMC -> Organization Configuration -> Client Access -> Exchange ActiveSync Mailbox Policies tab and delete the Deleteme policy.

Now check the assigned ActiveSync policy on the mailbox; it should be blank.

Have the user test the email account setup.    After I did this, all the mailboxes could be provisioned correctly and would no longer get that popup error.

I also found out that after any Service Pack or Rollup pack was applied to the Exchange Server, a Default Active Sync Policy was recreated.    I had to run through the same procedure again after the update to SP2 and to Rollup 4.
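The same workaround can be done entirely in the shell, which is also the easiest way to re-apply it after an update and to keep track of which mailboxes were left with no ActiveSync policy at all. This is an added example, not from the original post; it assumes the Exchange 2010 Management Shell and uses a placeholder alias.

```powershell
# Added example (not from the original post). Assumes Exchange 2010 Management Shell.
$user = 'clark.kent'   # placeholder alias of the affected mailbox

# Steps 1-2: create the throwaway policy and make sure no policy is the org default
New-ActiveSyncMailboxPolicy -Name 'Deleteme' | Out-Null
Set-ActiveSyncMailboxPolicy -Identity 'Deleteme' -IsDefaultPolicy $false

# Step 3: in the shell the mailbox's policy can be cleared directly instead of
# being pointed at Deleteme and emptied by the later deletion
Set-CASMailbox -Identity $user -ActiveSyncMailboxPolicy $null

# Step 4: remove the throwaway policy
Remove-ActiveSyncMailboxPolicy -Identity 'Deleteme' -Confirm:$false

# Verify the mailbox now has no policy assigned
Get-CASMailbox -Identity $user | Format-List Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# Follow-up check (run it again after any Service Pack or Rollup, since a default policy
# can be recreated): list every ActiveSync-enabled mailbox with no policy, i.e. no PIN
# or wipe settings enforced, so the exception stays visible rather than forgotten.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, PrimarySmtpAddress |
    Format-Table -AutoSize
```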