Today I have observed an odd situation, similar to issues described in a number of other threads, but does not exactly seem to be of the same origin and so none of the previously proposed solutions seem to pertain to this. (We have not moved any objects involved in this scenario -between OUs - within AD)
Exchange 2010 SP2 w/ patches. Observations are confirmed using OWA ECP, the Exchange MMC and Exchange PS. We have activesync quarantine enabled by default so that all new devices must be manually approved by an administrator.
I have one user who has recently updated his smart(?)-phone. (It's an iPhone). When logging into OWA ECP to approve the device, I saw the following:
In addition to what appeared to be the current device's entry, the OWA ECP page showed 3 OTHER entries that seemed to equate to PREVIOUS devices and 1 additional entry that seemed to be a duplicate of the new/current device.
(There were 5 entries displayed in total.) Initially, I had allowed the current one and proceeded to attempt to delete the other, old objects. 3 of those objects simply would not delete. The ECP continued to show they exist, however
when trying to view details of those 3 objects I was receiving an error that ['The Activesync Device {GUID} cannot be found.'].
I have verified using Exchange PS and [get-activesyncdeviceSTATISTICS -mailbox 'User Name'], that there are 3 'statistics' objects attached to this user's mailbox. However, if I use [get-activesyncDEVICES -mailbox 'User Name'], I receive no results. It is almost as if Exchange has records of the sync details for activesync objects that no longer exist in AD.
There are a number of potential solutions proposed in other threads for issues that seem to display the same symptom, however none of them seemed to pertain to this issue. (ie. I did not find anything wrong when reviewing those solutions.)
--I checked for items in the [ExchangeActiveSyncDevices] container under the user container in AD-U&C and there are no objects there.
--I've double-checked permissions directly on the AD user object and made sure that 'Inheret permissions' was selected. Checked both the user object and the ExchangeActiveSyncDevices sub-container, all permissions seem ok. Double checked
this using the Exchange MMC.
--I've checked the user object in AD for any other mis-configured properties and didn't see anything that stood out of place. I DID see, in the user's AD object the Device IDs of each of the activeSync Objects. The one allowed (that has since been deleted
for troubleshooting purposes) under [msExchMobileAllowedDeviceIDs] and the other 4 that have been blocked from synchronization were found under [msExchMobileBlockedDeviceIDs]. 3 of those objects listed under the 'blocked' property are those
that I cannot delete. (I can match the [DeviceID] from the AD property to the DeviceID in the results of [get-activesyncdeviceStatistics])
--I've disabled activesync on the users mailbox entirely, hoping that the leftover objects would be cleaned up automatically. (No luck, but I haven't waited for a mailbox cleanup cycle yet...)
About the only thing that I've managed to find as a possible resolution points me in the direction of using MFCMAPI to manipulate the user's mailbox directly. Not necessarily my first choice if this can be accomplished by way of PS.
Does anyone know if there is any other way of forcing a clean-up of these statistical objects other than using MFCMAPI?
The solution is always the last thing you look at... -M