Exchange – Undeliverable – 0x80070005-0x0004dc-0x000524

I use a few distribution groups with my Exchange Online-hosted personal email.  I delegate myself the ability to send as these groups so that I can send from other email addresses without having to have other mailboxes.

Recently, when when setting up a few distribution lists, I ran into this error when sending as them:

Your message did not reach some or all of the intended recipients.
Subject: test 123
Sent: 4/2/2016 8:09 PM
The following recipient(s) cannot be reached:
nonesuch on 4/2/2016 8:09
This message could not be sent. Try sending the message again later, or contact your network administrator. You do not have the permission to send the message on behalf of the specified user. Error is [0x80070005-0x0004dc-0x000524].

This was in spite of me having permission to do so. A quick Google search led to this Microsoft forum post.  At the very bottom user SteveLindsey states that this error occurs when the distribution lists are hidden.  Sure enough, when I unhid the distribution lists from the GAL, I was immediately able to send these emails.  SteveLindsey claims that this is a known issue by Microsoft, though I was unable to find a KB during my brief search.

At the time of this post, I am not certain if this is specific to Exchange Online/Office365 or Exchange 2013 in general.

Exchange Online – Bulk Import SMTP Aliases

I recently moved my personal email to Exchange Online.  I had been using SMTP aliases associated with my mailbox at my old provider, and wanted to continue doing so.

I was able to create a script to /u/life_manager and /u/RampageUT on this thread on Reddit.  Thanks to their scripts, I was able to create a script that was able to migrate a list of SMTP aliases to my new mailbox, without even having to install the Exchange admin tools on my machine.

The script is as follows.  The only changes that you need to make are to the array of SMTP aliases, and the mailbox name, both of which are at the top.

$aliasArray = @( # put SMTP aliases here
"example1@example.com",
"example2@example.com"
)
$mailbox = "username" # put mailbox ID here

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

$user = Get-Mailbox -Identity $mailbox

foreach ($alias in $aliasArray) {

 Set-Mailbox -Identity $user.Identity -emailaddresses @{add=$alias}

}

Remove-PSSession $Session

(Exchange) Delete a User’s Mailbox Immediately Without Deleting Active Directory Account

You can delete an Exchange mailbox immediately via the Remove-Mailbox command with the syntax:

Remove-Mailbox -Identity "firstname.lastname" -Permanent $true

Doing so will also delete the Active Directory account, however.

You can also use the Disable-Mailbox command, which will not delete the AD account, but will not immediately remove the mailbox store.  Instead it will delete it according the organisation’s policy on disabled mailboxes, which is 30 days by default.

If you want to immediately rid the server of a mailbox, the key is to use the Disable-Mailbox command in conjunction with Remove-StoreMailbox.  For instance:

Disable-Mailbox -Identity "firstname.lastname"
Remove-StoreMailbox -Identity "Lastname, Firstname" -Database "DatabaseName" -MailboxState "Disabled"

Note that you cannot use the AD account name any more, as the account is no longer associated with AD; i.e., you must use Exchange’s DisplayName attribute.  If you cannot recall what the display name is, simply run:

Get-MailboxStatistics –Database “DatabaseName” | Where-Object {$_.DisconnectReason –eq “Disabled”}

PowerShell Script for Departed Employees

This script:

• Disables the account
• Moves it to a “Departed Employees” OU
• Removes all groups except Domain Users and/or Domain Guests
• Changes the description to note when it was disabled
• Changes the company name to “script_disabled”
  • I did this so that a transport rule in Exchange can be used to send a bounceback message.
• (Optionally) disables OWA and ActiveSync
• (Optionally) hides it from the Exchange GAL

#User/site specific variables
$Username = "username"
$MoveOU = "OU=DepartedEmployees,DC=example,DC=com"
 
$Account = Get-ADUser $Username -Properties memberOf
$UserGroups = $Account.memberOf | ForEach-Object {Get-ADGroup $_}  | Where-Object {$_.name -notmatch '^Domain (Users|Guests)$'}

Disable-ADAccount -Identity $Account

$UserGroups | ForEach-Object {
	Remove-ADGroupMember -Identity $_ -Members $Account -Confirm:$false
}

set-aduser -Identity $Account -Company "script_disabled" -Description ("disabled on " + (Get-Date).ToString("yyyy-MM-dd"))

Move-ADObject -Identity $Account -TargetPath $MoveOU

#These Require Exchange Admin Shell
#Set-CASMailbox -Identity $Account -OWAEnabled $false -ActiveSyncEnabled $false
#Set-Mailbox -Identity $Account -HiddenFromAddressListsEnabled $true

To have it perform the Exchange maintenance, uncomment the bottom two lines and invoke the script from the Exchange Admin Shell. I intend to use this script in conjunction with another script to delete the mailbox/AD account after a period of time.

Articles I Found Useful During the Exchange 2013 Migration

The Technet and PeteNetLive write-ups provided good general references.

This Exchange Management Shell command was useful for monitoring the progress of the mailbox moves:

Get-MoveRequestStatistics -MoveRequestQueue "MBXDB02"

When I had trouble with the logon form for OWA/EAC, where it would accept my credentials and apparently do nothing but refresh the page, I was able to resolve the issue by enabling and disabling the forms authentication for OWA:

Get-OwaVirtualDirectory -Server Exchange2013 | Set-OwaVirtualDirectory -FormsAuthentication $True
Get-OwaVirtualDirectory -Server Exchange2013 | Set-OwaVirtualDirectory -FormsAuthentication $False

I’m not sure if it was necessary, but I did the same for ECP as well:

Get-EcpVirtualDirectory -Server Exchange2013 | Set-EcpVirtualDirectory -FormsAuthentication $True
Get-EcpVirtualDirectory -Server Exchange2013 | Set-EcpVirtualDirectory -FormsAuthentication $False

IIS had to be reset afterward:

iisreset

Technet was once again invaluable for migrating the Public Folders.

This article was helpful in determining how to import a wildcard certificate.  (Importing via the EAC simply caused it to fail):

Import-ExchangeCertificate –FileData ([byte[]](Get-Content –Path <c:\certificate.pem> –Encoding Byte –ReadCount 0)) –Password (Get-Credential).password –Server Exchange2013

(Incidentally, after attempting to import the certificate via the EAC, I had to delete it via the MMC certificate app, even though the certificate did not show up in Exchange.)

And finally, I wanted to provide a default domain for the OWA logon form:

Get-OwaVirtualDirectory -Server Exchange2013 | Set-OwaVirtualDirectory -LogonFormat Username -DefaultDomain example.com
iisreset

Use nginx as a Reverse Proxy for OWA

This configuration automatically redirects HTTP to HTTPS and passes on requests to the Exchange server.

#user  nobody;
worker_processes  1;
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
worker_connections  1024;
}

http {
include       mime.types;
default_type  application/octet-stream;

#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
#                  '$status $body_bytes_sent "$http_referer" '
#                  '"$http_user_agent" "$http_x_forwarded_for"';

#access_log  logs/access.log  main;

sendfile        on;
#tcp_nopush     on;

#keepalive_timeout  0;
keepalive_timeout  65;

#gzip  on;

server {
listen       80;
server_name  owa.example.com;
rewrite      ^ https://$server_name$request_uri? permanent;

#charset koi8-r;

#access_log  logs/host.access.log  main;

#location / {
#root   html;
#index  index.html index.htm;
#}

#error_page  404              /404.html;

# redirect server error pages to the static page /50x.html
#
error_page   500 502 503 504  /50x.html;
location = /50x.html {
root   html;
}
}

# HTTPS server
#
server {
listen       443 ssl;
server_name  owa.example.com;

ssl_certificate      example.pem;
ssl_certificate_key  example.key;

location / {
proxy_pass https://mail.example.com;
}
}
}