In the comments of my article on user-initiated remote wipes for Exchange ActiveSync devices, Jonathan has described a situation in which administrator-initiated remote wipes fail if the user account has been moved to a different OU after the ActiveSync device association was created.
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00
Mahera Bawa\Apple-iPhone2C1/902.206
Failed

Error:
The ActiveSyncDevice exchangeserverpro.net/Company/Head Office/Users/Mahera.Bawa/ExchangeActiveSyncDevices/iPhone§Appl87941C1N3NS cannot be found.

Click here for help… http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.2.309.2&t=exchgf1&e=ms.exch.err.Ex0FBD0C

Exchange Management Shell command attempted:
Clear-ActiveSyncDevice -Identity 'exchangeserverpro.net/Company/Head Office/Users/Mahera.Bawa/ExchangeActiveSyncDevices/iPhone§Appl87941C1N3NS'

Elapsed Time: 00:00:00
Reproducing the Error
Consider the following scenario:
- A user connects a new mobile device to Exchange ActiveSync
- The user object is later moved to a different OU
- The user leaves the organization
- A remote wipe is issued for the device by an administrator, using the Exchange Management Console
In this situation the error occurs.
The root cause of the issue, as identified by Jonathan in his comment, is a mismatch between the identity strings returned by two different cmdlets: Get-ActiveSyncDevice and Get-ActiveSyncDeviceStatistics.
Checking for the Problem in Your Exchange Organization
I’ve written this short script to check for the issue.
    # Get every ActiveSync device association in the organization
    $easdevices = @(Get-ActiveSyncDevice)

    foreach ($easdevice in $easdevices)
    {
        # Look up the statistics object for the same device
        $easdevstats = Get-ActiveSyncDeviceStatistics $easdevice
        Write-Host $easdevice.UserDisplayName -NoNewLine

        # Compare the identity strings returned by the two cmdlets
        if ($($easdevice.Identity.ToString()) -eq $($easdevstats.Identity.ToString()))
        {
            Write-Host -ForegroundColor Green " - IDs match"
        }
        else
        {
            Write-Host -ForegroundColor Red " - IDs don't match"
            Write-Host -ForegroundColor Yellow $easdevice.Identity
            Write-Host -ForegroundColor Yellow $easdevstats.Identity
        }
    }
Copy that code into Notepad or your ISE and save it as EASDeviceIDs.ps1, then run it from the Exchange Management Shell.
If all is well then you should see a result similar to this:
If there are any mismatches detected you should see this type of result instead:
Looking closer at the two yellow identity strings, the problem is clear. When the user was moved from Head Office to Branch Office the mismatch was created.
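The check described above, extended as an added example (not the article's own script): a function that classifies each device as Match, Mismatch or NoStatistics, reports the first path segment where the two identities diverge, and does not fail when the statistics lookup returns nothing. Compare-EasIdentity is a hypothetical name, and the sample objects are constructed; the Branch Office path is an assumed value for the moved user.

```powershell
# Added example, not the article's script. Compares the identity from
# Get-ActiveSyncDevice with the one from Get-ActiveSyncDeviceStatistics
# and reports where the two paths diverge.
function Compare-EasIdentity {
    param(
        [Parameter(Mandatory = $true)] $Device,  # object from Get-ActiveSyncDevice
        $Statistics                              # statistics object, or $null if the lookup failed
    )

    $deviceId = $Device.Identity.ToString()
    $result = New-Object PSObject -Property @{
        User           = $Device.UserDisplayName
        Status         = 'Match'
        DeviceIdentity = $deviceId
        StatsIdentity  = $null
        DeviceSegment  = $null
        StatsSegment   = $null
    }

    # The statistics lookup can fail outright (for example when no recipient
    # is found); report that instead of calling ToString() on $null.
    if ($null -eq $Statistics -or $null -eq $Statistics.Identity) {
        $result.Status = 'NoStatistics'
        return $result
    }

    $statsId = $Statistics.Identity.ToString()
    $result.StatsIdentity = $statsId
    if ($deviceId -eq $statsId) { return $result }

    # Walk both paths segment by segment to find the first difference.
    $a = @($deviceId -split '/')
    $b = @($statsId -split '/')
    $i = 0
    while ($i -lt $a.Count -and $i -lt $b.Count -and $a[$i] -eq $b[$i]) { $i++ }

    $result.Status = 'Mismatch'
    $result.DeviceSegment = $a[$i]
    $result.StatsSegment = $b[$i]
    return $result
}

# Constructed sample objects reflecting the scenario in the article: the user
# was moved from Head Office to Branch Office after the device was associated.
$leaf = 'Users/Mahera.Bawa/ExchangeActiveSyncDevices/iPhone§Appl87941C1N3NS'
$sampleDevice = New-Object PSObject -Property @{
    UserDisplayName = 'Mahera Bawa'
    Identity        = "exchangeserverpro.net/Company/Branch Office/$leaf"
}
$sampleStats = New-Object PSObject -Property @{
    Identity = "exchangeserverpro.net/Company/Head Office/$leaf"
}

Compare-EasIdentity -Device $sampleDevice -Statistics $sampleStats |
    Format-List User, Status, DeviceSegment, StatsSegment
Compare-EasIdentity -Device $sampleDevice -Statistics $null |
    Format-List User, Status

# Against a live organization (Exchange Management Shell), list only the problem devices:
# Get-ActiveSyncDevice | ForEach-Object {
#     $stats = Get-ActiveSyncDeviceStatistics $_ -ErrorAction SilentlyContinue
#     Compare-EasIdentity -Device $_ -Statistics $stats
# } | Where-Object { $_.Status -ne 'Match' }
```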
Resolving the Problem and Performing a Remote Wipe
The most obvious solution is to move the user object back to its original OU. However this is not always going to be practical, so other options are needed.
According to my testing the different remote wipe options have the following results.
User-Initiated Remote Wipe via Exchange Control Panel
If the user themselves performs a remote wipe via the Exchange Control Panel it still works, and the device is wiped successfully assuming all other requirements are met.
Administrator-Initiated Remote Wipe via Exchange Management Console
A remote wipe issued from the EMC will fail unless the user object is first moved back to the OU it was in when the device association was created.
Administrator-Initiated Remote Wipe via the Exchange Control Panel
As with the user-initiated remote wipes this option appears to work fine even if the identity mismatch is occurring.
Administrator-Initiated Remote Wipe via the Exchange Management Shell
If an administrator uses PowerShell and the Clear-ActiveSyncDevice cmdlet to perform the remote wipe, it will be successful as long as the correct identity is specified.
I’ve written a script to detect the mismatch and use the correct identity for the remote wipe.
Firstly, if the user has no ActiveSync devices associated then the script will not do anything further.
If the script detects a device association but the identity values match, then it will let you know and do nothing further.
If the script detects an identity mismatch, then it will let you know and then initiate the remote wipe using the identity that will work. You’ll be prompted to confirm this.
In my own test lab this seems to work fine; however, there may be real world scenarios where it does not, so please feel free to leave a comment below if you encounter a situation that this doesn’t fix.
Here is the script code.
    param (
        [parameter(mandatory=$true, ValueFromPipeline=$true)]
        [string]$user
    )

    # Resolve the mailbox and find its device associations by display name
    $mailbox = Get-Mailbox $user
    $name = $mailbox.Name
    $easdevices = @(Get-ActiveSyncDevice | where {$_.UserDisplayName -like "*$name"})
    $count = $easdevices.count

    Write-Host -ForegroundColor Yellow "$count ActiveSync devices found for $mailbox"

    foreach ($easdevice in $easdevices)
    {
        # Compare the identity strings returned by the two cmdlets
        $easdevstats = Get-ActiveSyncDeviceStatistics $easdevice
        if ($($easdevice.Identity.ToString()) -eq $($easdevstats.Identity.ToString()))
        {
            Write-Host -ForegroundColor Green "IDs match, normal remote wipe process should work."
        }
        else
        {
            Write-Host -ForegroundColor Red "IDs don't match"
            Write-Host $easdevice.Identity
            Write-Host $easdevstats.Identity

            # Issue the wipe with the Get-ActiveSyncDevice identity (prompts for confirmation)
            Clear-ActiveSyncDevice -Identity $easdevice.identity
        }
    }
Copy the code into Notepad or your ISE and save it as Clear-EASDevice.ps1. To execute the script run a Get-Mailbox for the mailbox you want to target, and pipe that into the script.
Get-Mailbox mahera.bawa | .\Clear-EASDevice.ps1
You can append a notification email address to the Clear-ActiveSyncDevice command in the script as well, for example:
Clear-ActiveSyncDevice -Identity $easdevice.identity -NotificationEmailAddresses administrator@exchangeserverpro.net
Summary
This appears to simply be a bug in how Exchange detects a user object that has moved between OUs and does not update both identity values correctly.
Or perhaps the issue is that the Clear-ActiveSyncDevice cmdlet as it is executed from the management console is referencing the wrong object’s identity value, since we seem to be able to work around the problem by specifying the correct one in the shell.
You may find it simpler to just use the Exchange Control Panel to initiate your remote device wipes. However the scripted option is available if you prefer that.
Thanks for your write-up of this, & the code, it helped me solve a similar issue for one user trying to Remove-MobileDevice (removes the device listing, does not wipe the mobe) that would not remove, causing app problems. The mismatched Identity info was the clue.
I was using the GUID as -Id for Remove-MobileDevice, but it kept erroring, “connection not found”.
The solution:
$MD = Get-MobileDevice -mailbox
$MDS = Get-MobileDeviceStatistics -mailbox
Then
Remove-MobileDevice -Id $MD.Identity
and
Remove-MobileDevice -Id $MDS.Identity
Thanks for the $var.Identity insight! Worked a treat.
Should say:
$MD = Get-MobileDevice -mailbox username
$MDS = Get-MobileDeviceStatistics -mailbox username
;\>)
I know this post is pretty old but I am desperately seeking help. I have a phone that won’t respond to the remote wipe request from the EMC, or at least that’s what it seems. I’ve initiated several device wipe requests; however, I have not received any kind of device wipe acknowledgement. I’ve verified on that phone that it is still able to sync to the Exchange Server and retrieve emails, etc. With that said, I still do not get an acknowledgement. Do you have any ideas why this might happen? Any help would be appreciated, thanks.
Paul,
Thank you for the script to identify ID mismatches.
I did not understand the procedures when the user was renamed and now I receive ID’s mismatch.
Can you clarify?
Hi Paul,
Nice article. I just had some issues with removing activesync devices that were linked to a deleted mailbox. The AD user account still exists.
Error:
Couldn’t find ” as a recipient.
+ CategoryInfo : InvalidArgument: (:) [Get-ActiveSyncDeviceStatistics], RecipientNotFoundException
+ FullyQualifiedErrorId : 396B03C0,Microsoft.Exchange.Management.Tasks.GetMobileDeviceStatistics
+ PSComputerName :
I consider MFCMAPI as the last option but to simply fix this, I created a mailbox and linked to the problematic user account. After that, I was able to remove all activesync devices registered to that user.
Hope this helps. Thanks.
Hi,
Your article is very helpful. I had the same issue and resolved it with the article and your script. Thank you very much.
In the case I was dealing with – the ExchangeActiveSync “folder” attached to the AD user was removed. Hence the device(s) could not be removed using the Clear or Remove commands. Had to go to MFCMapi tool –> Open the Mailbox –> Expand the “ExchangeSyncData” –>Hard Delete the objects from there to allow new active sync connections. When I went back to ECP the stale items disappeared.
Thank you all for your input.
Hi guys,
Is there a way to fix the error with the two OUs without wiping the device?
Thanks and Greetings
Michael
I have the same question. I don’t want to wipe any BYOD devices, I just want to remove the stale partnerships.
I’ve tried removing the partnership based on GUID:
Get-ActiveSyncDevice -id
I get an error that the GUID can’t be found.
I’ve tried:
Get-ActiveSyncDevice | where {$_.DeviceId -eq “Appletcetc”} | Remove-ActiveSyncDevice
The command completes and doesn’t throw errors, but it doesn’t remove it either.
I’ve logged into OWA with full access rights on the mailbox and while the stale device is listed, attempts to remove it gives an error popup.
I guess MFCMapi is the last resort…
Hello,
I am not able to remove the device partnership of a few users from the Exchange 2013 CU3 console or from Exchange PowerShell.
Getting error “The mobile device xxxxxxxxxxxxxxxxxx cannot be found”.
Able to see device detail through “Get-MobileDeviceStatistics”
User OU is same
Thanks in advance
Manish
this is very helpful for me and the exchange admin team.
many thanks Paul
I seem to be getting this error with a considerable number of users when running your script Paul:
Couldn’t find ‘Mobile Mailbox Settings’ as a recipient.
+ CategoryInfo : InvalidArgument: (:) [Get-ActiveSyncDeviceStatistics], RecipientNotFoundException
+ FullyQualifiedErrorId : E8C47191,Microsoft.Exchange.Management.Tasks.GetMobileDeviceStatistics
You cannot call a method on a null-valued expression.
At C:scriptsEASDeviceIDs.ps1:9 char:79
+ if ($($easdevice.Identity.ToString()) -eq $($easdevstats.Identity.ToString <<<< ()))
+ CategoryInfo : InvalidOperation: (ToString:String) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
– IDs don't match
BlackBerry§Passport SQW100-1
The common issue I've been able to identify is that these users have multiple mobile devices. *AND* there's a device mismatch issue.
Could you email me some more details (paul at exchangeserverpro dot com), such as the exact command you’re running when you see the errors, the get-activesyncdevice output for the user you’re running against, and anything else you think might be relevant from your troubleshooting so far.
Hi Paul, I too got this error when I try to list available ActiveSync devices using the command
“(Get-ActiveSyncDevice -Filter {DeviceType -ne ‘EASProbeDeviceType’}) | Select-Object guid | %{Get-ActiveSyncDeviceStatistics -Identity $_.Guid.ToString()}”
I got error “Couldn’t find ‘Mobile Mailbox Settings’ as a recipient.”
Please help me in resolving issue.
hi Paul,
I have a weird issue where a user has the option in EMC for manage mobile phone; however, no devices can be found anywhere. I cannot find any devices through ECP, nor through PowerShell. Nothing seems to be linked to the user that I can see. How can I remove all associations of any old devices from the user so that the manage mobile phone option is no longer available in EMC?
Phil.
Paul,
I was wondering if there is a way to disable remote wipe for specific users. I have a client that is looking to prevent administrators from blocking owners. I have tried to convince them that this is a good feature for their business but they just don’t want it.
Thanks in advance for your help!
A custom RBAC role would do it. By default anyone who can manage recipients can perform remote wipes on mobile devices.
Paul:
I came across this article while searching for information on another issue. I use a PowerShell script to produce a CSV listing with ActiveSync stats. It uses Get-ActiveSyncDeviceStatistics. What I’ve noticed is that the DevicePolicyApplied attribute doesn’t always seem to report the current policy set by the administrator to the user account even though the device has recently synced. Is this a case of the statistics in Exchange not updating? Or is this the mobile device failing to properly pick up the assigned policy? In such cases, the EMC clearly shows the correct policy applied to the user, and in some cases, if the user has two different devices – say an Android phone and an iPad, one may show the expected policy, while the other may not.
Hard to say as I’ve never seen that myself. Could be the device not reporting back successful application of the policy.
Paul, is there a way to incorporate the LastSuccessSync filter from get-casmailbox into this script? I’m attempting to clean stale devices, but many of the accounts have been moved to a Terminated OU already.
Anything is possible with PowerShell 😉
This script for EAS devices does report that last sync timestamp, if you wanted an example:
https://www.practical365.com/powershell-script-activesync-device-report/
WOW.. all this headache because users were moved to a NEW OU in Active Directory and the EXCHANGE TEAM didn’t take this into account.
Job Security.. and end user pains.
Sorry 10,000 users.. please reset your device Mail Apps so that we can REMOTE WIPE it or REMOVE it if needed.
What end user pain? And why would you tell 10,000 people to do that?
Is there a way to create a script about the issue with the ExchangeSyncData folder?
I was using EWSEditor (and also MFCMapi) and it’s solving our issue, but i’m facing couple of hundreds of users with a CNF record, according to AD problems. As I said, a delete of the ExchangeSyncData folder, plus a re-sync (and therefore a new partnership) is the solution, but I can’t do that manually for that amount of users.
Any Idea how to bring that into a script?
Hi,
Great Article,
I have a question but not totally related to the article, is it possible to edit / customize the error message sent by Exchange (outlook) when user exceed the allowed limited number of devices?
Not as far as I know.
Hi Paul,
Another good one. Even if we don’t have the permission to wipe the device same error pops-up for me.
I believe that’s the default behaviour, Am I right?
I was expecting an Access Denied 😀
Hi Paul, this article is really helpful. But I got an issue here. Since the user has been moved to another OU, why wasn’t this relationship replicated to our Exchange server?? Thanks in advance.
Exchange reads from AD. It doesn’t replicate from AD.
I agree it is not ideal that the attribute doesn’t update automatically when a user object is moved to a different OU. But that is just the way it is right now.
We had a user that got married and requested a change to her displayname and primary smtp address.
Not an unusual request but this was the first one I had for an OMA enabled user. Please note, we do not change the username.
While running some reports I realized her last sync date was early this year so I reached out and she confirmed the device was broken and access could be revoked (thanks for letting us know ;))
While trying to remove the partnership, I got this error message so a quick google search sent me this way.
Tried the scripts with the following results.
a) EASDeviceIDs, this script was useful to identify the ID mismatch
b) Clear-EASDevice, this script did not help me much and here’s why
First of all, I realized I needed to make a change to replace the name with the display name
$name = $mailbox.UserDisplayName
The output returned: 18 ActiveSync devices found for UserDisplayName
This seemed a bit odd since the user only had one device. I confirmed this using EMC, EMS, ADSI. Aside that, it found the mismatch IDs so I said, let’s give it a go.
After completion, I was hoping for 2 things, a) Device removal, b) Email notification.
Unfortunately, I got none.
In the end, I grabbed the Identity from the output of “EASDeviceIDs” and did it manually.
Remove-ActiveSyncDevice -Identity “blah”
Hope this helps
Interesting case, thanks for sharing.
Hey Paul, how about this? I have started playing with BES 10 and Work Spaces, so at first I was trying to connect using my domain admin account which is mailbox enabled and I could not get it working. For some reason I now seem to see Manage Mobile Phone but I don’t see any devices and if I try to remove the partnership of this phantom connection I get “The operation cannot be performed because no device has been selected”…Any clues?
Your domain admin account will likely have the permissions inheritance turned off if you look at the Security tab of the user object in AD. That prevents stuff like OWA and EAS working properly because the Exchange ACLs aren’t on the object.
I recommend using a non-admin account for your testing.
You were right, I completely forgot that domain admin accounts are not the best accounts to use when testing functionality.
Followed your advice but even after disabling ActiveSync, I would still see “Manage Mobile Phone”, this was annoying me so I kept looking for a solution to make it go away.
I found the attribute responsible to make “Manage Mobile Phone” become available to the User Mailbox, here’s the description
Setting msExchMobileMailboxFlags to 1 will force the button to show up for the user whether they have a Mobile Device or not.
All I had to do is set the value to and listo!
Hope this helps cause I’m sure I’m not the only neat freak out there.
Thanks Paul
If you have a stale device that cannot be removed try this
Use MFCMAPI to delete “ExchangeSyncData” entries manually on the problematic mailbox:
1. Change problematic user’s outlook from cache mode to online mode
2. Launch MFCMAPI
3. “Session” Menu->choose “Logon and Display Store Table”->choose problematic user’s mail profile in jumped window (don’t need to choose if there’s only one profile on client)
4. Double-click “Mailbox – User Name” in the top-pane
5. In the next window->Expand Root Container-> Expand ExchangeSyncData container
6. Locate the stale device ID entry, right-click on it and choose “Delete Folder”
Hi……
Any One please help…… I can not find last success sync time in exchange 2007…..
Any idea on how to clean up devices for users that have had their mailbox removed?
Couldn’t find ‘XYZ.local/Old_Users/User1’ as a recipient.
+ CategoryInfo : InvalidArgument: (:) [Get-ActiveSyncDeviceStatistics], RecipientNotFoundException
+ FullyQualifiedErrorId : D00BFA21,Microsoft.Exchange.Management.Tasks.GetMobileDeviceStatistics
XYZ.local/Office1/People/User1You cannot call a method on a null-valued expression.
At C:Usersadministrator.XYZDocumentseasdeviceids.ps1:9 char:79
+ if ($($easdevice.Identity.ToString()) -eq $($easdevstats.Identity.ToString <<<< ()))
+ CategoryInfo : InvalidOperation: (ToString:String) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
– IDs don't match
XYZ.local/Old_Users/User1/ExchangeActiveSyncDevices/SmartPhone§B73CC1B2D8B6CF9D84C46BDC3B3DF888
Hi Paul,
I am getting the same error while removing the device. We had changed the user name.
When I run the script nothing is found; it says “No activesync devices associated”. But when I go to the user properties there are two entries.
FYI, I have removed both mobile entries through adsiedit also.
When I try to wipe or remove the device through ECP it says “Black Ipad cound n’t found” Error code
There’s no article associated with the error you found, Error ID: Ex0FBD0C, but you can get help a couple of different ways. We recommend trying forums first.
I have resolved the issue through MFCMAPI
http://social.technet.microsoft.com/Forums/en-US/exchangesvrmobility/thread/76d4bd08-1d6c-4af8-b6a8-8dd5a9dde4b1
Dinesh,
This was awesome. I tried everything in the book to fix this and this just handled. You are a gentleman and a scholar.
If you want to remove the stale activesync device, use the GUID instead of the actual Identity value:
Remove-ActiveSyncDevice -Identity 0622e300-c53a-4336-84da-0fb01c596d1f
I’ve had no issues with this method.
Hi Paul
As usual an excellent post and helped us out with a security issue with one of our customers.
Script ran on Exchange 2010 as per the post. I think our issue might have been that the customer migrated from Exchange 2003 to 2010 and could have had some issues with the ActiveSync details in that process.
🙂
@JD – Take a look at my blog post. I believe this will fix your issue.
http://patrickhoban.wordpress.com/2011/11/22/1344
Paul,
Thanks for researching this. We currently went through an AD overhaul and users were moved from one OU to another. When trying to remote wipe phones through EMC, it still points to the old activesync device location.
I tried running a clear-activesyncdevice command and piping the new identity and it says it’s successful, but I never get an acknowledgement in EMC, nor do I get an ack email.
Do you know why this is?
Paul, I have this problem in a somewhat harder way. We have some ActiveSyncDevice – Objects that were deleted directly in the “Active Directory Users and Computers” and the retention time for the deleted objects is over, so I really can’t find this objects any more.
The Get-ActiveSyncDeviceStatistics still claims, the Device is here, but any actions (remove-, clear-) end in “ActiveSync Device not found”
Any Idea how I can finally delete the remnants of these devices?
Thanks
AL
Though the EMC gui shows I have 4 devices (2 old iPhones, an iPhone 5 and an iPad), when I run this I get “0 ActiveSync devices found for “MAILBOX NAME”.
Any suggestions?
I’m using my mailbox as the test since I can simply re-add my devices to activesync if removed. My iPhone 5 and iPad are still syncing as well…
Paul you are always very helpful. I had the same problem while wiping device from Exchange Management Console but then right as you said, it worked from ecp without any complain! Thank you
Faisal khan
Paul,
Thanks for the information. Is it possible to edit the incorrect ID (Get-ActiveSyncDevice/Stats) so the EMC can be used for remote wipe?
Possibly not via the shell, but maybe via ADSIEdit. I haven’t checked to be honest.
I ran into the same issue with a name change.
Thank you for the article and research, it saved me so much time.
Paul, this article was extremely helpful. Thank you for taking the time and doing the research and coding.
I ran into a similar issue a while back. My fix wasn’t quite as elegant.
http://patrickhoban.wordpress.com/2011/11/22/1344/