Powershell: Remove stale Activesync mobile device partnerships
We will describe in this post how to remove stale Exchange ActiveSync device partnerships. You can already find a script on the MS Exchange forum that performs this operation, but with that method the deletion can fail in some cases.
Let’s take an AD account located in a given OU, each OU represents a site/region of the company. We launch the Get-ActiveSyncDevice and Get-ActiveSyncDeviceStatistics for this account, and look at the identity parameter:
The value of the identity parameter given by both cmdlets is identical. Now, assume that your employee leaves to another region/site of your company, then the AD account is moved to the OU corresponding to his new location:
The user returned the mobile device to his former site, therefore it is no longer in use (by the same user). Once the account moved, we re-launch the Get-ActiveSyncDevice and the Get-ActiveSyncDeviceStatistics cmdlets:
You will notice that the value of the identity parameter was updated for the Get-ActiveSyncDevice cmdlet with the new OU, but it was not updated for the Get-ActiveSyncDeviceStatistics cmdlet.
As a consequence, if you apply the following onliner in order to remove stale ActiveSync device partnerships (i.e. not synchronized during the last 90days), the deletion will fail:
Get-ActiveSyncDevice -ResultSize unlimited | Get-ActiveSyncDeviceStatistics | where {$_.LastSyncAttemptTime -lt (get-date).adddays(-30)} | Remove-ActiveSyncDevice |
The following error message will be displayed:
Couldn’t find ‘ldap389.info/BSR2/test-vpn’ as a recipient.
+ CategoryInfo : InvalidArgument: (:) [Remove-ActiveSyncDevice], RecipientNotFoundException
+ FullyQualifiedErrorId : 2060141F,Microsoft.Exchange.Management.Tasks.RemoveMobileDevice
The trick to avoid this error and complete the removal is to use the GUID value of the identity parameter as a primary key between both cmdlets: This value never changes, and is common between both cmdlets. So in order to delete ActiveSync device partnerships that did not synchronize during the last 90days use the following script:
$guids = Get-ActiveSyncDevice -ResultSize unlimited | Get-ActiveSyncDeviceStatistics | where {$_.LastSyncAttemptTime -lt (get-date).adddays(-90)} | select guid,identity foreach($guid in $guids){ $UniqueID = [string]$guid.guid remove-activesyncdevice $UniqueID -confirm:$false} |
AD accounts can be moved from one OU to another, and the deletion of the mobile device partnership is still successful.
This post is also available in: French
10 Comments
Other Links to this Post
RSS feed for comments on this post. TrackBack URI
By D Man, November 21, 2012 @ 8:47 pm
You ROCK! THANKS!
By ldap389, November 21, 2012 @ 10:19 pm
Thanks D Man 🙂
Sent from my ActiveSync device
By Dan Sheehan, December 19, 2012 @ 11:02 pm
I’m still not clear why “| Remove-ActiveSyncDevice $_Guid” wouldn’t work as I got the wierd response:
The input object cannot be bound to any parameters for the command either because the command does not take pipeline
input or the input and its properties do not match any of the parameters that take pipeline input.
+ CategoryInfo : InvalidArgument: (@{Guid=b8a15f9e…8-06af2090ccbf}:PSObject) [Remove-ActiveSyncDevice],
ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,Remove-ActiveSyncDevice
But… it was late in the day and your code solved the problem so I didn’t have to beat my head against the wall.
So thank you very much!
By Mike Crowley, January 10, 2013 @ 8:39 pm
@Dan, its because the $_.guid attribute is not being passed as a string, which is what remove-activesyncdevice requires.
This would actually be my preference: $DevicesToRemove | foreach-object {Remove-ActiveSyncDevice ([string]$_.Guid) -confirm:$false}
By ldap389, January 11, 2013 @ 9:49 am
Hi Mike,
Thanks for your comment. This is a cool onliner:
Get-ActiveSyncDevice -ResultSize unlimited | Get-ActiveSyncDeviceStatistics | where {$_.LastSyncAttemptTime -lt (get-date).adddays(-90)} | foreach-object {Remove-ActiveSyncDevice ([string]$_.Guid) -confirm:$false}
🙂
By Dan Sheehan, January 11, 2013 @ 7:58 pm
Thanks for the follow up guys!
By Liam, July 8, 2013 @ 7:10 pm
Hi, I am just getting into MDM so I have never had to remove anyone from EAS this way.
I really want to use this script but it brings up users and devices that are still in the environment.
Is there a way to parse this script or to add the Unique ID one by one??
That would be awesome!
Thanks
By ldap389, July 22, 2013 @ 8:33 pm
Not sure if I understand well your request, but if you want to confirm the deletion one by one for each device replace “-confirm:$false” with “-confirm:$true”
Regards
By Jon, March 5, 2014 @ 3:32 am
I have a more interesting issue.
We have users that we disabled and when trying to clean them up they still throw:
“Couldn’t find user as a recipient” and the RecipientNotFoundException. I’m not sure how we can clean these up as its not a GUID issue but the fact their mailbox is disabled and their account is disabled also.
By ldap389, March 7, 2014 @ 11:05 pm
If the mailbox is disabled and user account also you cannot use the Exchange cmdlet.
In order to clean the ActiveSync part, I would delete the user’s leaf object with AD Cmdlets:
$user = Get-ADuser %USERNAME%
$objs = Get-ADObject -Filter * -SearchScope oneLevel -SearchBase $user.DistinguishedName
if($objs){$objs | Remove-ADObject -Recursive}
The ActiveSync device is in fact a subcontainer of the user’s object.