Unable to delete ActiveSync devices for users that no longer exist

  • Question

  • We have several ActiveSync devices listed (when running Get-ActiveSyncDevice) that belong to users that no longer have mailboxes / AD accounts.  How can I go about getting rid of them?  I noticed this when attempting to run an ActiveSync clean-up script for devices that hadn't made contact in over 60 days.  Here's what I'm seeing:

    [PS] C:\>Get-ActiveSyncDevice | where-object { $_.Identity -like "*someuser*" } | ft Identity, DeviceID

    Identity                                                    DeviceId
    --------                                                    --------
    domain.local/Users/Someuser... Appl***
    domain.local/Users/Someuser... Appl***

    If I try to pipe the results to Remove-ActiveSyncDevice it tells me the user no longer exists (which I'm aware of):

    [PS] C:\>Get-ActiveSyncDevice | where-object { $_.Identity -like "*SomeUser*" } | Remove-ActiveSyncDevice
    Couldn't find 'domain.local/Users/SomeUser' as a recipient.
        + CategoryInfo          : InvalidArgument: (:) [Remove-ActiveSyncDevice], RecipientNotFoundException
        + FullyQualifiedErrorId : E0D8617C,Microsoft.Exchange.Management.Tasks.RemoveMobileDevice

    Couldn't find 'domain.local/Users/SomeUser' as a recipient.
        + CategoryInfo          : InvalidArgument: (:) [Remove-ActiveSyncDevice], RecipientNotFoundException
        + FullyQualifiedErrorId : E0D8617C,Microsoft.Exchange.Management.Tasks.RemoveMobileDevice

    Any ideas on removing these orphaned records?  Also, why is it that they were not removed when the user's mailbox / AD account was deleted?


    Thursday, July 26, 2012 2:41 PM

Answers

  • Hi

    If the account is disabled you can move it back to the right OU and then remove the partnership.

    You can also use ADSI edit to remove the old partnerships:

    CN=ExchangeActiveSyncDevices container under the user object

    • Marked as answer by tyler gohl Thursday, July 26, 2012 3:58 PM
    Thursday, July 26, 2012 3:51 PM
    Owner

All replies

  • I guess ADSIEdit will have to be the answer as the Accounts no longer exist.  Is it typical for ActiveSync devices to not be automatically deleted when users are purged?

    Edit: Never mind, I see the issue now.  The mailboxes were removed, but the (disabled) user accounts still exist in AD.  I assume I need to create a new mailbox, make sure it is in the correct OU and then try to remove the partnership.  Thanks!

    • Edited by tyler gohl Thursday, July 26, 2012 3:58 PM
    Thursday, July 26, 2012 3:53 PM
  • Yes you can re-create the mailbox for that user and try again, here is some more info:

    http://patrickhoban.wordpress.com/2011/11/22/1344/

    Thursday, July 26, 2012 4:03 PM
    Owner
  • Here is how I resolved this issue. You don't need to re-create the mailbox or manually look them up in Adsiedit. There are three reasons that I know of when you see the error, one is, the user object is still around and disabled, another is if the mailbox has been removed. So, first, I look up all of the mobile devices (We have both Exchange 2010 and 2016, so run this from one of your Exchange 2016, or 2013 servers), pipe that out, get the distinguishedname, locate the user it used to belong to, and see if that user is disabled or missing a mailbox (no need for a mobile device if the mailbox doesn't exist), and remove that mobile device object from Active Directory. First, the one-liner that I use, then I'll break it up so it's easier to understand.

    Get-MobileDevice -ResultSize Unlimited | %{$dname = $_.DistinguishedName;$id = ([regex]::split($_.Id,'\/ExchangeActiveSyncDevices'))[0];$user = Get-User $id;if( $user.AccountDisabled -eq 'True' -or $user.MailboxLocations.DatabaseLocation -eq $Null ) {Write-Host "Remove $($dname)";Remove-ADObject -Identity $dname -Confirm:$false}}

    Now, to see what's going on a bit easier, first, get all mobile devices:

    $mobileDevices = Get-MobileDevice -ResultSize unlimited

    Scroll through that list and find the users who the device belonged to that are either disabled or missing a mailbox:

    Foreach( $device in $mobileDevices ) {

      $dname = $device.DistinguishedName  #distinguished name of the mobile device, used for removing it later

      $id = ([regex]::split($device.Id,'\/ExchangeActiveSyncDevices'))[0] #split up the Id of the mobile device and keep only the first part, which contains the distinguished name of the user who the device used to belong to

      $user = Get-User $id #get the user information

      if( $user.AccountDisabled -eq 'True' -or $user.MailboxLocations.DatabaseLocation -eq $Null ) { #if the user is disabled or doesn't have a mailbox database location, then take some action on that mobile device

        Write-Host "Remove $($dname)" #display the object you're about to remove, you could save it to a text file by doing this: Add-Content RemovedMobileDevices.txt $dname

        Remove-ADObject -Identity $dname -Confirm:$false #remove the mobile device object

      } #end of the if block

    } #end of the Foreach loop

    After cleaning up all of the old stale mobile devices that will error out if you're trying to check the last time they synched, you can now check the last time they synched using this and remove anything older than 30 days for example:

    Get-MobileDevice -ResultSize Unlimited | Get-MobileDeviceStatistics | ?{$_.LastSuccessSync -le (Get-Date).addDays(-30)} | Remove-MobileDevice

    Which works for most, although I still had some error out (which is the third reason you might see the OP's error), because the Mobile Device was connected to the user object, then the user quit using the device and the user's object was moved inside of Active Directory. Now we're left with a mobile device that is associated with a user object and that user object is no longer in the same location, so you get the same message that the OP had. To resolve this, take the similar approach that I did above, you have to collect the GUID of the device itself, then determine if it needs to be removed by checking the MobileDeviceStatistics and remove the AD object for the device using the GUID.

    Get-MobileDevice -ResultSize Unlimited | Get-MobileDeviceStatistics | ?{$_.LastSuccessSync -le (Get-Date).addDays(-30)} | %{Remove-ADObject -Identity "$($_.GUID)" -Confirm:$False}


    • Edited by Andy_B_ Friday, February 17, 2017 9:41 PM
    • Proposed as answer by Andy_B_ Friday, February 17, 2017 9:41 PM
    Friday, February 17, 2017 9:39 PM
  • I took what you had and had to tweak it because yours wasn't running for my Exchange 2013 Environment:
    $devices = Get-MobileDevice -ResultSize Unlimited #grab all devices
    ForEach ($device in $devices) #iterate through all devices
    {
        $dname = $device.DistinguishedName #grab Device DN
        $id = ($device.Id -split("/"))[2] #grab user's AD Name from the device ID; in my environment, my users are all within 1 container, so the $device.id is returned as "domain/OU/User Name"; you'll have to modify this to suit your needs.
        $user = Get-ADUser -filter 'Name -eq $id' -properties * #grab user object
        if($user.msExchMailboxGuid -eq $Null) #if no Exchange Mailbox Present
        {
            Write-Host "Remove $($dname)"
            Remove-ADObject -Identity $dname -Confirm:$false #remove the object
        }
    }

    Worked like a charm for me

    *Just remembered that the split
    Friday, March 10, 2017 3:43 PM
  • Hi Will,

    We have a similar issue, however I want to remove the Device DN batch wise.

    I have exported all the device DN values to an Excel sheet.

    Could you please advise how to do that?

    I tried creating a csv file and added two columns, ID and Distinguish Name.

    In the script I have replaced the first command with the below parameter.

    $devices = import-csv "Path of the csv file"

    but getting error

    Get-aduser : Cannot find an object with identity the "Ou location where the user resides."

    Could you please advise on how to remove the DN value of old mobile devices batch wise

    Saturday, April 14, 2018 3:28 AM
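
Added example, not part of the thread and not any poster's code: an audit-first variant of the cleanup in Andy_B_'s reply that also covers the CSV batch removal asked about in the last post. The function names, CSV path and column names are assumptions; the cmdlets and the `AccountDisabled` / `MailboxLocations` properties are the ones used in the replies above.

```powershell
# Added example. Function names, CSV path and column names are hypothetical.
# Run in the Exchange Management Shell with the ActiveDirectory module available.
Import-Module ActiveDirectory

# Phase 1: report only. Nothing is deleted here.
function Export-OrphanedDeviceReport {
    param([string]$Path = '.\OrphanedDevices.csv')
    Get-MobileDevice -ResultSize Unlimited | ForEach-Object {
        # Owner identity = device Id up to the ExchangeActiveSyncDevices container
        $owner = ([regex]::Split([string]$_.Id, '/ExchangeActiveSyncDevices'))[0]
        $user  = Get-User $owner -ErrorAction SilentlyContinue
        # OwnerNotFound also covers owners that were only moved in AD, so
        # those rows need a manual look before they are left in the CSV.
        $reason = $null
        if (-not $user) { $reason = 'OwnerNotFound' }
        elseif ($user.AccountDisabled) { $reason = 'OwnerDisabled' }
        elseif ($null -eq $user.MailboxLocations.DatabaseLocation) { $reason = 'NoMailbox' }
        if ($reason) {
            [pscustomobject]@{ DistinguishedName = $_.DistinguishedName; Owner = $owner; Reason = $reason }
        }
    } | Export-Csv -Path $Path -NoTypeInformation
}

# Phase 2: delete only the rows left in the reviewed CSV.
function Remove-ReviewedDevice {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = '.\OrphanedDevices.csv')
    foreach ($row in Import-Csv -Path $Path) {
        $dn = $row.DistinguishedName
        # Guard: accept only objects directly inside an ExchangeActiveSyncDevices
        # container, so a bad row can never delete a user or an OU.
        if ($dn -notmatch '^CN=[^,]+,CN=ExchangeActiveSyncDevices,') {
            Write-Warning "Skipped (not a device DN): $dn"
            continue
        }
        if ($PSCmdlet.ShouldProcess($dn, 'Remove-ADObject')) {
            try { Remove-ADObject -Identity $dn -Confirm:$false -ErrorAction Stop }
            catch { Write-Warning "Failed: $dn ($($_.Exception.Message))" }
        }
    }
}

# Export-OrphanedDeviceReport        # 1. build the list
# Remove-ReviewedDevice -WhatIf      # 2. dry run against the reviewed CSV
# Remove-ReviewedDevice              # 3. delete
```

The reviewed CSV doubles as a change record of what was removed and why.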