Powershell – Exch2010 – Remove ActiveSyncAllowedDeviceIDs for devices with no activesyncdevice

Tags: activesync, exchange-2010, powershell

I have users with multiple ActiveSyncAllowedDeviceIDs, who only have 1 ActiveSyncDevice partnership. Note the android-deviceid is a real phone and testdevicepleaseignore is a device that was removed in the past with the device partnership.

[PS] C:\Windows\system32>Get-ActiveSyncDevice -Mailbox username

UserDisplayName         : org.local/Sites/IT Department/Users/Firstname Lastname
DeviceAccessState       : Allowed
DeviceAccessStateReason : Individual
Name                    : Android§android-deviceid
DistinguishedName       : CN=Android§android-deviceid,CN=ExchangeActiveSyncDevices,CN=Firstname Lastname,OU=Users,OU=IT Department,OU=Sites,DC=org,DC=local
Identity                : org.local/Sites/IT Department/Users/Firstname Lastname/ExchangeActiveSyncDevices/Android§android-deviceid
ObjectCategory          : org.local/Configuration/Schema/ms-Exch-Active-Sync-Device
ObjectClass             : {top, msExchActiveSyncDevice}


[PS] C:\Windows\system32>Get-CASMailbox username | fl


EmailAddresses                     : {SIP:username@orgname.tld, smtp:username@org.local, SMTP:username@orgname.tld}
PrimarySmtpAddress                 : username@orgname.tld
SamAccountName                     : username
DisplayName                        : Firstname Lastname
ActiveSyncAllowedDeviceIDs         : {testdevicepleaseignore, android-deviceid}
ActiveSyncBlockedDeviceIDs         : {}
ActiveSyncMailboxPolicy            : Default
DistinguishedName                  : CN=Firstname Lastname,OU=Users,OU=IT Department,OU=Sites,DC=org,DC=local
Identity                           : org.local/Sites/IT Department/Users/Firstname Lastname
ObjectCategory                     : org.local/Configuration/Schema/Person
ObjectClass                        : {top, person, organizationalPerson, user}

The problem is that if I remove a pairing for a device (or wipe a device for that matter) in the console, it doesn't remove it from the ActiveSyncAllowedDeviceIDs and a user can re-add that device without it ever going into quarantine.

Just wrote a quick and dirty powershell to do this. Could use some suggestions on how to speed this up:

This is a quick and dirty way that I just came up with. It takes forever (because it iterates over every device), but it does the job.

# Every CAS mailbox in the org (the default ResultSize is 1000, so ask for all of them)
$casmbxs = Get-CASMailbox -ResultSize unlimited
foreach ($casmbx in $casmbxs){
    foreach ($asdevid in $casmbx.ActiveSyncAllowedDeviceIDs){
        # Slow: pulls every ActiveSync device in the org once per allowed ID.
        # -ResultSize unlimited so a device beyond the first 1000 results is not mistaken for a missing one.
        $asdev = Get-ActiveSyncDevice -ResultSize unlimited | where {$_.DeviceID -eq $asdevid}
        if (!$asdev) {
            # No partnership exists for this ID any more: drop it from the allow list
            write-host "Removing " $asdevid " from " $casmbx.Identity
            Set-CASMailbox -Identity $casmbx.Identity -ActiveSyncAllowedDeviceIDs @{REMOVE=$asdevid}
        }
    }
}

Best Answer

Suggestion on how to speed up your PS:

$casmbxs = Get-CASMailbox -ResultSize unlimited
foreach ($casmbx in $casmbxs){
    # SamAccountName as a plain string binds cleanly to -Mailbox
    $username = [String]$casmbx.SamAccountName
    foreach ($asdevid in $casmbx.ActiveSyncAllowedDeviceIDs){
        # Scope the device lookup to this mailbox only, instead of the whole org
        $asdev = Get-ActiveSyncDevice -Mailbox $username | where {$_.DeviceID -eq $asdevid}
        if (!$asdev) {
            # Allowed ID with no matching partnership: remove it from the allow list
            write-host "Removing " $asdevid " from " $casmbx.Identity
            Set-CASMailbox -Identity $casmbx.Identity -ActiveSyncAllowedDeviceIDs @{REMOVE=$asdevid}
        }
    }
}

No need to iterate over ALL ActiveSync Devices, only the ones pertaining to the user mailbox you're currently processing.
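Taking the per-mailbox idea one step further, the script below (an added example, not the poster's or Microsoft's code) queries each mailbox's partnerships once, computes the stale allowed IDs in memory, removes them in a single Set-CASMailbox call, supports -WhatIf for a dry run, and writes a CSV log of what was removed. It assumes the Exchange 2010 Management Shell cmdlets shown on this page; the -LogPath default is a constructed value.

```powershell
# Added example (not the poster's or Microsoft's code). Assumes the Exchange 2010
# Management Shell cmdlets used above: Get-CASMailbox, Get-ActiveSyncDevice, Set-CASMailbox.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Constructed default: where every removal is recorded for later review.
    [string]$LogPath = "$env:TEMP\stale-eas-allowlist.csv"
)

$log = @()

# Only mailboxes that actually carry an allow list need work; skipping the rest
# avoids one Get-ActiveSyncDevice call per mailbox in the org.
$casmbxs = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncAllowedDeviceIDs.Count -gt 0 }

foreach ($casmbx in $casmbxs) {
    # One device query per mailbox; SamAccountName as a plain string binds cleanly to -Mailbox.
    $username  = [string]$casmbx.SamAccountName
    $partnered = @(Get-ActiveSyncDevice -Mailbox $username -ResultSize Unlimited |
        Select-Object -ExpandProperty DeviceID)

    # Allowed IDs with no matching partnership (-notcontains compares case-insensitively).
    $stale = @($casmbx.ActiveSyncAllowedDeviceIDs | Where-Object { $partnered -notcontains $_ })
    if ($stale.Count -eq 0) { continue }

    # -WhatIf / -Confirm are honoured here; all stale IDs go in one Set-CASMailbox call.
    $action = "Remove allowed device IDs: $($stale -join ', ')"
    if ($PSCmdlet.ShouldProcess($casmbx.Identity, $action)) {
        Set-CASMailbox -Identity $casmbx.Identity -ActiveSyncAllowedDeviceIDs @{Remove = $stale}
        foreach ($id in $stale) {
            $log += New-Object PSObject -Property @{
                Mailbox   = [string]$casmbx.Identity
                DeviceID  = $id
                Timestamp = (Get-Date).ToString('s')
            }
        }
    }
}

# Export-Csv needs at least one object, so only write the log when something was removed.
if ($log.Count -gt 0) { $log | Export-Csv -Path $LogPath -NoTypeInformation }
Write-Host "Removed $($log.Count) stale allowed device IDs; log: $LogPath"
```

Run it once with -WhatIf to see which IDs would be removed before letting it change anything.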