Exchange 2007 Outlook Web Access Error The Password does not meet the minimum security requirements

In Microsoft Exchange OWA (outlook web access) a user will attempt to change the account password and encounter an error “The password supplied does not meet the minimum security requirements”. This error happens even though the GPO Policy has password complexity disabled.

OWA error message

The cause of the error is the minimum password age in one or more of the applied GPOs on the OWA host.

Change the Policy for Minimum password age to 0. Then either run GPUPDATE /FORCE or just reboot the host.

GPO for Min Password Age

Replace Outlook Mail, Contacts, and Calendar with Thunderbird

My company uses MS Exchange 2013 for mail, contacts, calendars, and tasks. However, we have a lot of users on LInux desktops that can’t run Outlook. For others, the new Outlook 2013 is a horrible monstrosity of Flat icons on all all white background that burns your eyes after a few hours in front of the monitor. So I was after a complete replacement for Outlook to access email, contacts, and calendar on Exchange. Well, Email is easy. Calendar not so much. Contacts are deliberately making the task complicated on purpose. But here is a working solution using Thunderbird with some available plugins. These examples were taken from a machine running Mint 17 64bit but the same tasks should work well on Windows.

 

Install Thunderbird

Thunderbird is the mozilla based mail client. It comes installed on many Linux distros. IF you need to install it for any reason you can find it in the repos or directly from the thunderbird website. https://www.mozilla.org/en-US/thunderbird/

 

Configure Thunderbird for Exchange Mail

  1. Add a new Mail account (Edit > Account Settings > Account Actions Button > Add Email Account)
  2. Note if you get prompted to add a new email at some 3rd party service, select “Skip this and use my existing Mail”
  3. Enter You Name to be displayed, email address, and password.setupTB1
  4. Thunderbird will most likely fail to autodetect the settings for Exchange.     An expanded window will appear prompting for settings for your Exchange.   These settings can be provided by the email admin.   You need the IMAP settings, SMTP settings, and note that the Username usually takes the form of DOMAINUsername.setupTB2
  5. Hit DONE when complete

 

Install Lightning for Thunderbird

Lightning is a Thunderbord Add-on that provides the calendar and task list services.   Installation is done from Thunderbird.

  1. Click Tooks > Add-ons (or use the menu button on the right and pick add-ons.  BTW to get the menu bar back, click to the right of the tabs and select Menu Bar).
  2. In the Search box, enter ‘lightning’
  3. Select the Lightning Plug-in.   Install it and Restart.

 

Install Exchange connector

The real trick here is getting the calendar, contacts, and tasks to sync with Exchange.   The only plug-in that I’ve found that does this is located at http://www.1st-setup.nl/wordpress/?page_id=551

  1. Access that link and download the lastest version of the plugin.
  2. Save the xpi file on your machine.
  3. From Thunderbird, Access the add-on manager (Tools > Add-ons)
  4. Click the box next to the search window and select “Install add-on From File”
  5. Select the xpi plug in you just downloaded.
  6. Restart Thunderbird

 

Configure Calendar

  1. Click the Calendar button to open the calendar tab.
  2. Right click on the blank space under calendar and select “New Calendar”
  3. Select “On the Network” and click next
  4. Select “Microsoft Exchange 2007/2010/2013” and click nextcalendar-pick_msexch
  5. Give the Calendar a name like “Exchange Calendar” and pick the email associated with the Exchange account (this should match the one you just setup on IMAP above).  Hit next when done.calendar_calendaroptions
  6. Click the Autodiscover (any good admin has this setup). Fill in the username and the domain.  Leave the Folder id field empty.   Click “Perform Autodiscovery” when ready.calendar-Perform_autodiscovery
  7. You will probably get a prompt to enter your Email account password.   Enter the Password and continue.
  8. You will probably get the option to Pick an EWS server.   You’ll probably only have 1 in the list, otherwise, ask your admin.  Continue when ready.
  9. You will get a final window showing the calendar root.   make edits as needed, but most can just accept the default and hit Next.calendar_final
  10. In the list of calendars, you should now see an entry for your calendar on Exchange.

 

Configure Contacts

  1. In Thunderbird’s inbox tab, select Address Book.AddressBook-1
  2. In the Address Book window, select the “Add Exchange Contact Folder”AddressBook-2
  3. Enter a Descriptive Name
  4. Check the Add Global Address List to Serch results.
  5. Check the Use Exchange’s Autodiscovery function.
  6. Enter your email, username and Domain in the correct fields and perform the autodiscovery when ready.AddressBook-3
  7. Once again, enter password if prompted and pick the correct EWS server if prompted.
  8. Make edits to the contact root folder as needed.  Most can leave it at default.   If your company uses a Public Folder for contacts, you can change the root to Public Folders and browse to the correct folder.

 

That’s it.   You can add as many calendars and address book entries as you need.  I did this and now don’t have very good solution to replace Outlook in any desktop.

Prevent Users from changing Pictures in Exchange 2013

Yes, in Exchange 2013, users were given the ability to edit their user pictures that is stored in the LDAP for display on their profile across Microsoft’s suite of products.

Seems like a harmless function right? Microsoft is so desperate to be viewed as a ‘cool social media like product’ that users will take advantage of the customizable settings. Well, if left unchecked, the user photos quickly become a mixture of Kittens, logos, TV characters, and borderline raunchy images. No good, especially since users have NO IDEA that these images might be viewed by outside entities. Highly unprofessional!!!

So the Goal here is to allow the use of Photos that the Admin or a security person can upload into LDAP, let users view the photos, but keep users from changing the photo.

The only way I’ve found to do this is by using a mailbox policy.

Open up a powershell session on exhcange 2013 and run the following.
1st we set list the mailbox policies and set the option to enable photos to False.
2nd we apply the policy to all mailboxes.

Get-OWAMailboxPolicy | set-owamailboxpolicy -setphotoenabled:$false
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -OWAMailboxPolicy Default

To test, sign into OWA as a user and check the 2 spots where users can change photos and ensure the options to edit photos are gone.
1) Under the Photo in the main display.
2) User User’s profile options in the ‘My account’ page.

NOTE: Be aware, that the last time I updated a Cumulative Upgrade, these settings reverted back to the default behavior and I had to re-apply the mailbox policy.

Exchange 2010 List ActiveSync Devices removed from Quarantine and other States

Exchange 2010 has this feature in active sync where the admin can setup rules to allow certain devices to connect via ActiveSync Access Rules. Device Access Rules can be setup so that only certain devices can connect and all other devices will be quarantined until an admin can act on it.

This works well for companies that only issue certain devices (i.e. blackberries) and want to block all android/iPhones from using Active sync. However, there are always exceptions. Especially when the CEO wants to use his iPhone. So the Admin can explicitly allow the CEO’s iPhone to connect. However, the GUI interface does not report on what devices are allowed, which met policy, which are given individual exemptions.

Here’s how I discovered how to get that info using Exchange PowerShell:

This command will list all active ActiveSync devices that have been issued an individual examption.

Get-ActiveSyncDevice -filter {DeviceAccessStateReason -eq 'Individual'}

The DeviceAccessStateReason can also include:

DeviceAccessStateReason

The reason for the device’s access state. Available values include:

  • Global   Caused by to the global access setting
  • DeviceRule   Caused by a device access rule
  • Individual   Caused by an individual exemption.
  • Policy   Caused by Exchange ActiveSync security policies
  • Upgrade   Caused by the upgrade of the user’s mailbox. This is a temporary state that is designed to give the device a chance to upgrade prior to being controlled by the rules and access settings.

 

 

The same Cmdlet can be used to filter on any of the attributes of the Active Sync Item:

Attribute Description
FriendlyName The name that the user called their mobile device
DeviceId A unique identifier used by Exchange ActiveSync to identify each device’s partnership
DeviceImei  The International Mobile Equipment Identity (IMEI) number of the mobile device
DeviceMobileOperator The mobile operator to which the mobile device was last connected
DeviceOS    The name and version number of the operating system that is running on the mobile device
DeviceOSLanguage    The language used by the operating system
DeviceTelephoneNumber The last four digits of the phone number
DeviceType    The device family. If you want to control access for all device models in a device family, you can create a device access rule for that device family. See Create a New Device Access Rule.
DeviceUserAgent    The device’s network protocol name, which characterizes the client to the server
DeviceModel    The device model. If you want to control access for a specific device model, you can create a device access rule for that device model only. See Create a New Device Access Rule.
FirstSyncTime    The date and time the device first requested to connect with Exchange ActiveSync. This field provides an idea of how old the device partnership is. If you want to get more information about the latest device connections, you can view the mobile device information from the user’s mailbox or user settings, or use the Get-ActiveSyncDeviceStatistics cmdlet. For more information, see Get-ActiveSyncDeviceStatistics.
UserDisplayName    The name of the person who is using the device
DeviceAccessState The access state of the device: Allowed, Blocked, Quarantined, or DeviceDiscovery. The last value indicated the device is temporarily quarantined while it is being identified by Exchange ActiveSync.
DeviceAccessStateReason The reason for the device’s access state. Available values include:

  • Global   Caused by to the global access setting
  • DeviceRule   Caused by a device access rule
  • Individual   Caused by an individual exemption.
  • Policy   Caused by Exchange ActiveSync security policies
  • Upgrade   Caused by the upgrade of the user’s mailbox. This is a temporary state that is designed to give the device a chance to upgrade prior to being controlled by the rules and access settings.
DeviceAccessControlRule   The name of the rule that is affecting the device’s current access state, if any
DeviceActiveSyncVersion  The version of the Exchange ActiveSync protocol used by the given device

For a Summary of the Active Sync Devices, try the following command:

Get-ActiveSyncDevice | Group-Object -property DeviceType

To view a count of devices of each device model, run the following command:

Get-ActiveSyncDevice | Group-Object -property DeviceModel

All these values are stored in AD and could also be queried via an LDAP search or a well-formed dsquery|dsget command.

AD attribute for MSAccessState

AD attribute for MSAccessState