ActiveSync Problem - Can't Remote Wipe because of different identities!

Question
-
Hey everyone...
I really... REALLY need some help with this one. We are trying to implement the remote wipe feature for the phones, but it's not working. When I run the cmdlet, I get the error "The ActiveSyncDevice (mailbox) cannot be found"
I have discovered the reason why it cannot be found. It's because Exchange is looking in the wrong location or rather an old location in Active Directory.
When I run
Get-ActiveSyncDevice -Mailbox "(user)", everything shows up correctly
BUT when I run
Get-ActiveSyncDeviceStatistics -Mailbox "(user)", the Identity path shows up incorrectly... and this is the path that the Clear-ActiveSyncDevice cmdlet is looking for.
What has happened is that the OU that the user is in has been renamed. It was renamed due to a change in the company. So for some reason, in the ActiveSyncDeviceStatistics, the identity never got updated properly when the name of the OU changed. I have tried moving the user to a builtin container and another OU and it still will not update. It updates it fine when I run Get-ActiveSyncDevice, but not the statistics cmdlet.
For instance, I would get this (I omitted some fields for info protection):
[PS] C:\Users\jberg\Desktop>Get-ActiveSyncDevice -Mailbox "(username)"
DeviceType : iPhone
DeviceModel : iPhone
FirstSyncTime : 11/5/2010 11:52:05 AM
UserDisplayName : *****/MAIN CAMPUS/(OU)/Users/(username)
DeviceAccessState : Allowed
DeviceAccessStateReason : Global
DeviceAccessControlRule :
DeviceActiveSyncVersion : 14.0
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
Name : *****
DistinguishedName : CN=******,CN=ExchangeActiveSyncDevices,CN=(username),OU=Users,OU=****,OU=MAIN CAMPUS,DC=*****,DC=local
Identity : ******/MAIN CAMPUS/OU/Users/(username)/ExchangeActiveSyncDevices/(Device ID)
ObjectCategory : *****/Configuration/Schema/ms-Exch-Active-Sync-Device
ObjectClass : {top, msExchActiveSyncDevice}
WhenChanged : 4/6/2011 6:40:10 AM
WhenCreated : 11/5/2010 11:52:05 AM
WhenChangedUTC : 4/6/2011 11:40:10 AM
WhenCreatedUTC : 11/5/2010 4:52:05 PM
OrganizationId :
OriginatingServer : ****
IsValid : True
Now when I run Get-ActiveSyncDeviceStatistics
[PS] C:\Users\jberg\Desktop>Get-ActiveSyncDeviceStatistics -Mailbox "(username)"
FirstSyncTime : 2/1/2011 3:25:17 PM
LastPolicyUpdateTime : 4/6/2011 11:40:10 AM
LastSyncAttemptTime : 4/29/2011 6:27:02 PM
LastSuccessSync : 4/29/2011 6:27:02 PM
DeviceType : iPhone
DeviceWipeSentTime :
DeviceWipeRequestTime :
DeviceWipeAckTime :
LastPingHeartbeat : 1200
RecoveryPassword : ********
DeviceModel : iPhone
DeviceImei :
DeviceFriendlyName :
DeviceOS :
DeviceOSLanguage :
DevicePhoneNumber :
MailboxLogReport :
DeviceEnableOutboundSMS : False
DeviceMobileOperator :
Identity : ******/GLOBAL/OU/Users/(username)/ExchangeActiveSyncDevices/(DeviceID)
IsRemoteWipeSupported : True
Status : DeviceOk
StatusNote :
DeviceAccessState : Allowed
DeviceAccessStateReason : Global
DeviceAccessControlRule :
DevicePolicyApplied : Default
DevicePolicyApplicationStatus : AppliedInFull
LastDeviceWipeRequestor :
DeviceActiveSyncVersion : 14.0
NumberOfFoldersSynced : 31
SyncStateUpgradeTime :
I bolded the part that was incorrect. Originally we had an OU called global, but it was renamed to MAIN CAMPUS as per the results of the Get-ActiveSyncDevice. Can anyone tell me how to get this updated??
Thanks!!
JB
Friday, April 29, 2011 6:37 PM
All replies
-
Have you tried all three options below?
Results all the same, i.e. you can't remote wipe?
http://technet.microsoft.com/en-us/library/aa998614.aspx
Sukh
Sunday, May 1, 2011 10:23 AM -
Yes. All 3 options fail to perform a remote wipe on the phone.
JB
Sunday, May 1, 2011 11:52 AM -
Just so I'm clear from my original, the 2 cmdlets Get-ActiveSyncDeviceStatistics and Get-ActiveSyncDevice return 2 different identities in the identity parameter. When I run the cmdlet, the error message is coming up with the OLD identity information. The GLOBAL OU doesn't exist anymore.... and when the cmdlet to wipe the device is run, it continues to look in the old location for that person's user account instead of the correct location.
In other words, when I try to wipe a device, it looks for the user in the OU called 'global' as it shows in the Get-ActiveSyncDeviceStatistics. That is what needs to be updated. I need it to look in the correct OU for the user in order to perform the remote wipe.
I have tested a remote wipe and checked the 2 Get- cmdlets above, and when both identities match, it works. But when a user doesn't match, when the identity is listing the user in the old location, it fails... because the Remote Wipe cmdlet looks for the old location of the user.
I hope this clears up any confusion.
JB
Sunday, May 1, 2011 12:04 PM -
Quote: “I have tried moving the user to a builtin container and another OU and it still will not update”
Have you tried to create a new OU with the old name “GLOBAL”, move the problematic user into it, and then try to remote wipe?
Please go into the “CN=ExchangeActiveSyncDevices” container of the problematic user via ADSI Editor, and then check the values of the attributes of the device entry.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Wednesday, May 4, 2011 6:25 AM -
How's the issue currently? Any further information?
Friday, May 6, 2011 9:49 AM -
Hi James,
Sorry I haven't responded in a while. I've been swamped with other things.
I ran ADSIedit and checked on a few users. I found one attribute that might be the culprit.
I looked down at the attribute: msExchUserDisplayName.
This is incorrect. Some of the users had actually been moved from OUs after they had been synced and this attribute has not updated after the move. So apparently, something is preventing this attribute from updating properly.
I'll do some more testing and change this manually to the correct OU path and name and see what happens. I'll keep you posted.
In the meantime, any idea why this attribute is not updating?
JB
Monday, May 9, 2011 1:58 PM -
I assume the issue is transient if the symptom only happens on this single user
Tuesday, May 10, 2011 6:06 AM -
Here is what I'm noticing about it. Once I sync a mobile device, it's correct to begin with. But if I were ever to make a change to the user (i.e. move to another OU, change the name, etc), that one single attribute never updates. It stays pointing to the original location of the user when the device was first synced.
I actually have several users that we synced before the OU name change as stated above that this attribute has not updated.
JB
Tuesday, May 10, 2011 11:43 AM -
I'm revisiting this to see if anyone has come up with additional info.
The ActiveSyncDeviceStatistics cmdlet identity still shows old OU locations from when the sync initially took place. If that user object ever gets moved, it never updates.
I can, however, move the user back to where the Get-ActiveSyncDeviceStatistics identity tells where the sync first took place. I can then move the user back to that OU or, if the OU has been renamed or removed, I can recreate the OU, move the user, make sure Exchange is updated with the location, and then perform the remote wipe.
If I have to do it this way, I will for security reasons, but the fact is that the remote wipe is such a wonderful security function. It helps us deal with lost or stolen devices, and/or prep them for a new employee. It would be nice if Exchange would look to the correct OU location if I ever have to move a user from one OU to another.
I'm surprised that we're the only ones having this issue. Is no one else having similar issues? Does the identity of the ActiveSync device change or stay the same when someone runs the Get-ActiveSyncDeviceStatistics cmdlet?
JB
- Edited by JBerg712 Tuesday, October 4, 2011 3:49 PM
Tuesday, October 4, 2011 3:48 PM -
I'm having the same issue now. I'm still looking for a fix.
Thursday, December 29, 2011 7:45 PM
-
Hi Chris,
I'm glad I'm not the only one having this issue.
We've been able to get by on recreating the original location of the user account when they first synced their mobile device, ergo the place Exchange wants to look for the object to perform the remote wipe, and get by doing that.
I'm surprised and disappointed by Microsoft that there isn't a cmdlet that allows us to force some update to the identity parameter. I have a feeling this is a bug possibly that they will have to patch.
JB
Friday, December 30, 2011 1:02 AM -
Let me join the club, I have the exact same issue as described at the beginning. Changed a user from one OU to another and renamed a few OUs. The statistics show the old OU where the user was, while the SyncDevice shows the correct OU.
Now... how long before M$ gets us a fix for it?
If it is like the issue where you could not close EMC that took 1 year to do then we are in for a long wait!
Tuesday, January 3, 2012 2:50 PM -
I can confirm the above statement in which if you move the user back to the OU in which the sync was created then you are able to remove the partnership and remote wipe, etc...
Tuesday, January 3, 2012 3:52 PM -
I am in the same boat as everyone, and my experiences are the same, though I have been able to remove the devices using
remove-activesyncdevice -identity "contoso.com/Accounts/Frank, Christian/ExchangeActivesyncdevices/WP10CCD7843F235LA234"
Christian Frank
Wednesday, February 15, 2012 3:28 PM -
Hi Jberg,
Let me too join your club on this discussion topic. I have the same issue with my customer, and we are working on it at high severity. So I'll let you know the solution ASAP, and not a work-around, because our end goal is to perform remote wipe on the affected user, and there are a lot of work-arounds that exist to perform the operation.
But I'm working to find what the root cause is and will keep you posted about the same.
---------------------------------------------------------------
Prashanna
- Edited by Prashanna Friday, March 2, 2012 1:00 PM
Friday, March 2, 2012 12:57 PM -
I also experience this issue.
A solution would be deeply appreciated.
- Edited by Allan Pedersen Tuesday, April 17, 2012 9:09 AM
Tuesday, April 17, 2012 9:08 AM -
We also have this issue. Does anyone have a solution for this issue?
Monday, May 7, 2012 1:20 PM
-
We had this issue too. Recently we had to rename OUs. One of our users lost his iPhone; we saw that after trying to remove partnership of the mobile device via EMC, PowerShell was displaying the former OU structure, even though the EMC console showed the correct path.
Long story short, we recreated the OU with the original structure, moved the user, and successfully removed the device's partnership.
It seems as if PowerShell and Exchange aren't in sync. I wonder if updating the schema would fix this.
Friday, May 11, 2012 2:42 AM -
Currently our environment is still a SP1 environment. Are any of you running or upgraded to SP2 with the latest rollups?
JB
Thursday, May 17, 2012 12:08 PM -
Yes. SP2RU2. Same problem.
Postmaster
- Edited by FYDIBOHF25TVDLT Thursday, May 24, 2012 11:00 AM
Thursday, May 24, 2012 10:58 AM -
I can confirm that we get this issue and had to re-create the OU structure in order to get it working again.
Exchange 2010 Sp2
Used ADSI to see properties of the user but nothing showed the old OU
tried the command lines and didn't result in any changes.
Hopefully M$ will sort it out.
Monday, May 28, 2012 2:34 PM -
Hello - has anyone found a solution to this? I have found that on my account, which is a domain admin and where I used several devices to test ActiveSync policies, if I run get-activesyncdevicestatistics I show several devices.
If I try remove-activesyncdevice -identity and the identity of one of the devices I get an error that the device ID can not be found. I have searched ADSIEDIT and nothing appears. I run get-activesyncdevice and I see only 1 device and I remove that and it works.
Even odder is that it appears the ECP page isn't matching what get-activesyncdevicestatistics shows...But I'll figure that out if I can find out how to force remove the devices from get-activesyncdevicestatistics.
There is 1 device "identity" that shows my account when it was in another OU, but I move it back to that OU and I can't delete even the 1 device that shows the identity with that ID. Then I move it back to the account where the other devices are appearing in the identity name with the OU and it still won't remove them...
Any suggestions, I tried AD account permissions to reset my user account AD perms using the Reset to Default, I tried doing this on an account that isn't a domain "admin", I tried on a test account, it seems like it's more than just a user moved to another OU issue...
Monday, October 8, 2012 5:31 AM -
http://support.microsoft.com/kb/2721428?wa=wsignin1.0
Hope this helps.
ExchangeGeek
(MCITP,Enterprise Messaging Administrator)
**My posts are provided “AS IS” without warranty of any kind**
Monday, November 12, 2012 2:28 PM -
In reference to Microsoft's Article:
http://support.microsoft.com/kb/2721428?wa=wsignin1.0
So, the latest comment brings us to a Microsoft Article that has 3x WORK AROUNDS. Not very intuitive but gives you CLUES. One clue I wonder is the command:
MORE INFORMATION: Remove-ActiveSyncDevice cmdlet
Has anyone used this and how does it compare to the CLEAR / REMOTE WIPE (Clear-ActiveSyncDevice) command, which seems extreme?
-----------
Check out this article as it helps with OPTION #3 in the Microsoft Article
http://exchangeserverpro.com/exchange-2010-error-activesyncdevice-cannot-be-found-remote-wipe/
Thursday, December 5, 2013 4:06 PM
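
The thread reports that remote wipe succeeds only when the Identity from Get-ActiveSyncDevice matches the Identity from Get-ActiveSyncDeviceStatistics, so the mismatch can be audited before a device is lost. The following is an added example, not code from any poster or from Microsoft; the function name Get-EasIdentityMismatch and the sample objects (contoso.local, jdoe, DEVICE001, DEVICE002) are hypothetical and constructed for illustration.

```powershell
# Added example. Flags devices whose statistics Identity differs from the
# Identity of the device object, or has no device object at all.
function Get-EasIdentityMismatch {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Device,      # Get-ActiveSyncDevice output
        [Parameter(Mandatory=$true)] [object[]] $Statistics   # Get-ActiveSyncDeviceStatistics output
    )
    # Index device identities by their last path segment (the device ID).
    $known = @{}
    foreach ($d in $Device) {
        $path = [string]$d.Identity
        $known[($path -split '/')[-1]] = $path
    }
    foreach ($s in $Statistics) {
        $statPath = [string]$s.Identity
        $id       = ($statPath -split '/')[-1]
        $issue    = $null
        if (-not $known.ContainsKey($id)) {
            $issue = 'NoDeviceObject'      # statistics entry with no matching device
        } elseif ($known[$id] -ne $statPath) {
            $issue = 'StalePath'           # same device, different OU path
        }
        if ($issue) {
            New-Object PSObject -Property @{
                DeviceId           = $id
                Issue              = $issue
                StatisticsIdentity = $statPath
                DeviceIdentity     = $known[$id]
            }
        }
    }
}

# Constructed sample mirroring the thread: OU "GLOBAL" was renamed "MAIN CAMPUS".
$devices = @(
    New-Object PSObject -Property @{ Identity = 'contoso.local/MAIN CAMPUS/Sales/Users/jdoe/ExchangeActiveSyncDevices/DEVICE001' }
)
$stats = @(
    (New-Object PSObject -Property @{ Identity = 'contoso.local/GLOBAL/Sales/Users/jdoe/ExchangeActiveSyncDevices/DEVICE001' }),
    (New-Object PSObject -Property @{ Identity = 'contoso.local/GLOBAL/Sales/Users/jdoe/ExchangeActiveSyncDevices/DEVICE002' })
)
Get-EasIdentityMismatch -Device $devices -Statistics $stats | Format-List

# In the Exchange Management Shell, pass live output instead:
#   Get-EasIdentityMismatch -Device (Get-ActiveSyncDevice -Mailbox 'jdoe') `
#       -Statistics (Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe')
```

With the sample data, DEVICE001 is reported as StalePath and DEVICE002 as NoDeviceObject, the two symptoms described in this thread.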