Exchange On premises Configuration - David-Barrett-MS/PowerShell-EWS-Scripts GitHub Wiki
Exchange On-premises Configuration
All the EWS scripts in this repository require the EWS Managed API. This can be downloaded and compiled from the EWS Managed API GitHub repository, or alternatively you can download and use the compiled binary I have included in this repository. Place the EWS API DLL in the same folder as the script (that is where it looks first). If the EWS API is not found in the current folder, the script will search Program Files for it (it is often installed with Office), but this may add a significant start-up delay.
To be able to successfully use any of the scripts in this repository against Exchange on-premises, the minimum you need is an Exchange account. It is helpful to also know the EWS URL of your organization (though the script will attempt to use AutoDiscover to find this if it is not supplied).
Run scripts as the mailbox owner
- Open a PowerShell console (standard console, no administrator rights required). I recommend running the scripts from a client computer (not from the Exchange server).
- Configure the variables for your Exchange environment e.g.
$Mailbox = "[email protected]"
$credential = Get-Credential # This will prompt you to enter the credentials for the mailbox. These must allow FullAccess to $Mailbox (e.g. mailbox owner credentials).
$ewsUrl = "https://e1.e19.local/EWS/Exchange.asmx" # If you know your EWS URL, this saves time as AutoDiscover can be skipped
- Call the relevant script, with the appropriate variables set e.g.
.\Remove-DuplicateItems.ps1 -Mailbox $Mailbox -RecurseFolders -MatchEntireMailbox -Credential $credential -EwsUrl $ewsUrl
- Note that if the credentials supplied are not those of the mailbox owner, then FullAccess permission on the mailbox is required (otherwise the script will fail as it won't be able to access the mailbox).
Run the scripts against mailboxes using ApplicationImpersonation
Set up an account with Impersonation rights
- It is recommended to set up a new account that will be granted permission to access mailboxes using impersonation. This account will be used by the script to authenticate.
- Follow the Configure Impersonation guide to grant impersonation rights e.g.
# We need to create a new user account to hold the impersonation role. In this example, we use ActiveDirectory module to do so.
# You could also create the user via Active Directory Users and Computers.
Import-Module ActiveDirectory
$impersonationAccount = @{
    Name = 'EWSImpAccount'
    AccountPassword = (Read-Host -AsSecureString 'AccountPassword')
    Enabled = $true
}
New-ADUser @impersonationAccount
# We need Exchange cmdlets to configure impersonation, so connect and import (alternatively, skip the next two lines and run the code from an Exchange PowerShell console)
# https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-servers-using-remote-powershell?view=exchange-ps
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://e1.e19.local/PowerShell/ -Authentication Kerberos -Credential (Get-Credential)
Import-PSSession $Session -DisableNameChecking
## Apply ApplicationImpersonation role. In this example, we grant access to all mailboxes in the organization
New-ManagementRoleAssignment -name:EWSImpersonateAll -Role:ApplicationImpersonation -User:EWSImpAccount
- The service account is used as the -Credential when calling the script. Note that the -Impersonate parameter must also be included.
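To limit the service account to a defined set of mailboxes rather than the whole organization, the role assignment can be scoped. The following is an added example, not part of the original wiki or the repository's scripts; the group name EWS-Impersonation-Targets, the scope name and the assignment name are hypothetical, and it assumes the Exchange cmdlets are already loaded as shown above.

```powershell
# Added example: scope ApplicationImpersonation to members of one group.
# Assumes an Exchange Management Shell or an imported Exchange session.
$account        = 'EWSImpAccount'               # service account from this page
$groupName      = 'EWS-Impersonation-Targets'   # hypothetical distribution group
$scopeName      = 'EWSImpersonationScope'       # hypothetical scope name
$assignmentName = 'EWSImpersonateScoped'        # hypothetical assignment name

# MemberOfGroup filters require the group's distinguished name.
$group = Get-DistributionGroup -Identity $groupName -ErrorAction Stop

# Double any apostrophe in the DN so the filter string stays well-formed.
$dn     = $group.DistinguishedName.Replace("'", "''")
$filter = "MemberOfGroup -eq '$dn'"

# Create the management scope only if it does not exist yet.
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter
}

# Assign the role to the service account, restricted to that scope.
if (-not (Get-ManagementRoleAssignment -Identity $assignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $assignmentName `
        -Role ApplicationImpersonation `
        -User $account `
        -CustomRecipientWriteScope $scopeName
}

# Review every account that effectively holds ApplicationImpersonation.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers
$assignments |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# List assignments that still cover the whole organization.
$assignments |
    Where-Object { $_.RecipientWriteScope -eq 'Organization' } |
    Select-Object Name, EffectiveUserName
```

The scope only restricts the account if it does not also hold an organization-wide assignment such as EWSImpersonateAll; the last query shows any that remain.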
Run a script against a mailbox
- Open a PowerShell console (standard console, no administrator rights required). I recommend running the scripts from a client computer (not from the Exchange server).
- Configure the variables for your Exchange environment e.g.
$Mailbox = "[email protected]"
$credential = Get-Credential # This will prompt you to enter the credentials. Enter the credentials of the account that has been granted ApplicationImpersonation permissions.
$ewsUrl = "https://e1.e19.local/EWS/Exchange.asmx" # If you know your EWS URL, this saves time as AutoDiscover can be skipped
- Call the relevant script, with the appropriate variables set (-Impersonate must be specified) e.g.
.\Remove-DuplicateItems.ps1 -Mailbox $Mailbox -RecurseFolders -MatchEntireMailbox -Credential $credential -EwsUrl $ewsUrl -Impersonate
Run a script against multiple mailboxes
- Some of the scripts support a CSV file as input for the -Mailbox parameter. For these scripts, each mailbox listed in the file (one SMTP address per line) will be processed consecutively.
- You could also use PowerShell to call a script against an array of mailboxes e.g.
$mailboxes = @("[email protected]", "[email protected]")
foreach ($mailbox in $mailboxes) {
    .\Remove-DuplicateItems.ps1 -Mailbox $mailbox -RecurseFolders -MatchEntireMailbox -Credential $credential -EwsUrl $ewsUrl -Impersonate
}