How can I use the shell to get a list of all quarantined devices in 2010 SP1

    Question

  • You can use ECP to display all mobile devices that are quarantined.  I am trying to figure out what cmdlet is being run to get that list.  Since get- cmdlets aren't logged with administrator audit logging, I can't use that, and I don't even see that there is a way to enable auditing of get- cmdlets.  I have searched for how to get it from the shell, but everywhere I find only references using ECP.

    I can get the list for a specific user with the Get-ActiveSyncDeviceStatistics, filtering on the device access state.  But I don't want to have to query every user that has a partnership in order to find the few that have been quarantined.  I assume ECP isn't doing it this way because of how long it could take to run in a large environment.

    So, how is ECP doing it so I can replicate that from the shell myself?

    Wednesday, June 01, 2011 8:13 PM


All replies

  • How about logic something like the below to construct the PowerShell:

    Get-ActiveSyncDevice | Where-Object { $_.DeviceAccessState -eq 'Quarantined' }

    Thursday, June 02, 2011 3:16 PM
  • Using the where-object cmdlet as you indicate will require retrieving the object of every ActiveSync device first, which is the thing I am trying to avoid.  I haven't actually timed it; I am just making an assumption that retrieving all devices first will take far more time than I want to take.  But as I type this I realize that I can just use the -Filter parameter to do server-side filtering:

     

    Get-ActiveSyncDevice -filter {deviceaccessstate -eq 'quarantined'}

     

    It, of course, runs very quickly.  When there are no devices in that state, the prompt returns in less than one second.

     

    Scott

    • Marked as answer by Scott Bueffel Friday, June 03, 2011 7:07 PM
    Thursday, June 02, 2011 11:17 PM
  • The reason I was wanting this information is for some workflow automation with our ticketing system.  I want a way to be able to query AD for devices that are quarantined and then act on them (separately from the quarantine notification message).  I figured out how ECP gets the results so quickly: the data is stored in AD, not Exchange.  Every partnership has an AD object (whose class is msExchActiveSyncDevice) located as a child object of the user object whose mailbox has the partnership.  The state of the device is stored as an integer in an attribute of the object.  Therefore, you can just do an LDAP search for objects that are quarantined and do what you want from there.

     

    (&(objectclass=msexchactivesyncdevice)(msexchdeviceaccessstate=3))

     

    The device access state, while not documented on MSDN, is 1 for allowed, 2 for blocked, 3 for quarantined.

    • Marked as answer by Scott Bueffel Friday, June 03, 2011 7:07 PM
    Friday, June 03, 2011 7:03 PM
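
The LDAP search from the last reply, wrapped for use in automation. This is an added example that is not part of the original thread: it runs the same filter with paging, turns the state integer into the names given above, and derives the owning user's DN from each device DN. The function names are hypothetical, the `CN=ExchangeActiveSyncDevices` intermediate container is an assumption about where the device objects sit under the user, and the sample DN at the end is constructed.

```powershell
# Added example (not from the thread). State codes are the ones given in the reply above.
$AccessState = @{ 1 = 'Allowed'; 2 = 'Blocked'; 3 = 'Quarantined' }

function Get-DeviceOwnerDN {
    param([Parameter(Mandatory=$true)][string]$DeviceDN)
    # Split on commas that are not escaped; a user CN such as "Doe\, Jane" contains one.
    $rdns = [regex]::Split($DeviceDN, '(?<!\\),')
    $rest = @($rdns[1..($rdns.Count - 1)])        # drop the device's own RDN
    # Assumption: devices sit in a CN=ExchangeActiveSyncDevices container under the user.
    if ($rest[0] -ieq 'CN=ExchangeActiveSyncDevices') {
        $rest = @($rest[1..($rest.Count - 1)])
    }
    $rest -join ','
}

function Get-ActiveSyncDeviceByState {
    param([int]$State = 3, [string]$SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) { $searcher.SearchRoot = [ADSI]"LDAP://$SearchRoot" }
    $searcher.Filter = "(&(objectClass=msExchActiveSyncDevice)(msExchDeviceAccessState=$State))"
    $searcher.PageSize = 500      # page the results so a large directory is not truncated
    foreach ($attr in 'distinguishedName', 'cn', 'whenChanged', 'msExchDeviceAccessState') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Result property names are returned in lower case.
            $dn = [string]$r.Properties['distinguishedname'][0]
            New-Object PSObject -Property @{
                Device      = [string]$r.Properties['cn'][0]
                Owner       = Get-DeviceOwnerDN -DeviceDN $dn
                State       = $AccessState[[int]$r.Properties['msexchdeviceaccessstate'][0]]
                WhenChanged = $r.Properties['whenchanged'][0]
                DeviceDN    = $dn
            }
        }
    }
    finally { $results.Dispose() }   # release the unmanaged search handle
}

# Offline check of the owner derivation with a constructed DN:
Get-DeviceOwnerDN 'CN=Phone-0001,CN=ExchangeActiveSyncDevices,CN=Doe\, Jane,OU=Staff,DC=example,DC=com'

# Against a live directory (default search root is the current domain):
# Get-ActiveSyncDeviceByState -State 3 | Sort-Object WhenChanged
```

With no `-SearchRoot`, the search covers only the current domain, so a multi-domain forest needs one call per domain or a search root that spans them.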