Exchange 2010 Error “The ActiveSyncDevice Cannot be Found” When Performing a Remote Wipe

In the comments of my article on user-initiated remote wipes for Exchange ActiveSync devices, Jonathan has described a situation in which administrator-initiated remote wipes fail if the user account has been moved to a different OU after the ActiveSync device association was created.

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00
Mahera Bawa\Apple-iPhone2C1/902.206
Failed

Error:
The ActiveSyncDevice exchangeserverpro.net/Company/Head Office/Users/Mahera.Bawa/ExchangeActiveSyncDevices/iPhone§Appl87941C1N3NS cannot be found.
Click here for help… http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.2.309.2&t=exchgf1&e=ms.exch.err.Ex0FBD0C

Exchange Management Shell command attempted:
Clear-ActiveSyncDevice -Identity ‘exchangeserverpro.net/Company/Head Office/Users/Mahera.Bawa/ExchangeActiveSyncDevices/iPhone§Appl87941C1N3NS’

Elapsed Time: 00:00:00

Reproducing the Error

Consider the following scenario:

  1. A user connects a new mobile device to Exchange ActiveSync
  2. The user object is later moved to a different OU
  3. The user leaves the organization
  4. A remote wipe is issued for the device by an administrator, using the Exchange Management Console

In this situation the error occurs.

The root cause of the issue, as identified by Jonathan in his comment, is a mismatch between the identity strings returned by two different cmdlets: Get-ActiveSyncDevice and Get-ActiveSyncDeviceStatistics.

Checking for the Problem in Your Exchange Organization

I’ve written this short script to check for the issue.

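# Collect every ActiveSync device association in the organization
$easdevices = @(Get-ActiveSyncDevice)

foreach ($easdevice in $easdevices)
{
    # Look up the statistics object for the same device
    $easdevstats = Get-ActiveSyncDeviceStatistics $easdevice

    Write-Host $easdevice.UserDisplayName -NoNewLine

    # Compare the identity strings returned by the two cmdlets
    if ($($easdevice.Identity.ToString()) -eq $($easdevstats.Identity.ToString()))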
    {
        Write-Host -ForegroundColor Green " - IDs match"
    }
    else
    {
        Write-Host -ForegroundColor Red " - IDs don't match"
        Write-Host -ForegroundColor Yellow $easdevice.Identity
        Write-Host -ForegroundColor Yellow $easdevstats.Identity
    }
}

Copy that code into Notepad or your ISE and save it as EASDeviceIDs.ps1, then run it from the Exchange Management Shell.

If all is well then you should see a result similar to this:

If there are any mismatches detected you should see this type of result instead:

Looking closer at the two yellow identity strings, the problem is clear. When the user was moved from Head Office to Branch Office the mismatch was created.

Resolving the Problem and Performing a Remote Wipe

The most obvious solution is to move the user object back to its original OU. However, this is not always going to be practical, so other options are needed.

According to my testing the different remote wipe options have the following results.

User-Initiated Remote Wipe via Exchange Control Panel

If the user themselves performs a remote wipe via the Exchange Control Panel it still works, and the device is wiped successfully assuming all other requirements are met.

Administrator-Initiated Remote Wipe via Exchange Management Console

A remote wipe issued from the EMC will fail unless the user object is first moved back to the OU it was in at the time the device association was created.

Administrator-Initiated Remote Wipe via the Exchange Control Panel

As with the user-initiated remote wipes this option appears to work fine even if the identity mismatch is occurring.

Administrator-Initiated Remote Wipe via the Exchange Management Shell

If an administrator uses PowerShell and the Clear-ActiveSyncDevice cmdlet to perform the remote wipe, it will be successful as long as the correct identity is specified.

I’ve written a script to detect the mismatch and use the correct identity for the remote wipe.

Firstly, if the user has no ActiveSync devices associated then the script will not do anything further.

If the script detects a device association but the identity values match, then it will let you know and do nothing further.

If the script detects an identity mismatch, then it will let you know and then initiate the remote wipe using the identity that will work. You’ll be prompted to confirm this.

In my own test lab this seems to work fine; however, there may be real-world scenarios where it does not, so please feel free to leave a comment below if you encounter a situation that this doesn’t fix.

Here is the script code.

param (

    [parameter(mandatory=$true, ValueFromPipeline=$true)]
    [string]$user

)

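# Resolve the mailbox, then find its devices by matching the end of UserDisplayName.
# The wildcard also matches any other user whose UserDisplayName ends with the same text,
# so review the identities printed below before confirming a wipe.
$mailbox = Get-Mailbox $user
$name = $mailbox.Name
$easdevices = @(Get-ActiveSyncDevice | where {$_.UserDisplayName -like "*$name"})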

$count = $easdevices.count

Write-Host -ForegroundColor Yellow "$count ActiveSync devices found for $mailbox"

foreach ($easdevice in $easdevices)
{
    $easdevstats = Get-ActiveSyncDeviceStatistics $easdevice

    if ($($easdevice.Identity.ToString()) -eq $($easdevstats.Identity.ToString()))
    {
        Write-Host -ForegroundColor Green "IDs match, normal remote wipe process should work."
    }
    else
    {
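        Write-Host -ForegroundColor Red "IDs don't match"
        Write-Host $easdevice.Identity
        Write-Host $easdevstats.Identity

        # Issue the wipe with the identity from Get-ActiveSyncDevice (the one that resolves);
        # the cmdlet prompts for confirmation before proceeding
        Clear-ActiveSyncDevice -Identity $easdevice.identity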

    }
}

Copy the code into Notepad or your ISE and save it as Clear-EASDevice.ps1. To execute the script, run Get-Mailbox for the mailbox you want to target and pipe the result into the script.

Get-Mailbox mahera.bawa | .\Clear-EASDevice.ps1

You can append a notification email address to the Clear-ActiveSyncDevice command in the script as well, for example:

Clear-ActiveSyncDevice -Identity $easdevice.identity -NotificationEmailAddresses administrator@exchangeserverpro.net
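
To confirm that a wipe issued from the shell was actually sent to and acknowledged by the device, the wipe timestamps reported by Get-ActiveSyncDeviceStatistics can be checked alongside the identity comparison. The following is an added example, not part of the original article: Get-EASWipeReport is a hypothetical function name, and the sample objects (including the Branch Office path) are constructed stand-ins for cmdlet output so the logic can be tried outside Exchange.

```powershell
# Added example: report identity match and remote wipe progress per device.
function Get-EASWipeReport {
    param ($Devices, $Statistics)

    foreach ($device in $Devices) {
        # Pair the objects on DeviceId, which does not change when the user moves OU
        $stats = $Statistics | Where-Object { $_.DeviceID -eq $device.DeviceId } |
            Select-Object -First 1

        if (-not $stats)                      { $state = 'No statistics returned' }
        elseif ($stats.DeviceWipeAckTime)     { $state = 'Wipe acknowledged by device' }
        elseif ($stats.DeviceWipeSentTime)    { $state = 'Wipe sent, no acknowledgement yet' }
        elseif ($stats.DeviceWipeRequestTime) { $state = 'Wipe requested, not yet sent' }
        else                                  { $state = 'No wipe requested' }

        $idsMatch = $false
        if ($stats) { $idsMatch = ($device.Identity.ToString() -eq $stats.Identity.ToString()) }

        New-Object PSObject -Property @{
            DeviceId  = $device.DeviceId
            IdsMatch  = $idsMatch
            WipeState = $state
        }
    }
}

# Constructed sample objects standing in for cmdlet output (Branch Office path is assumed)
$suffix = 'Users/Mahera.Bawa/ExchangeActiveSyncDevices/iPhone§Appl87941C1N3NS'
$sampleDevices = @(New-Object PSObject -Property @{
    DeviceId = 'Appl87941C1N3NS'
    Identity = "exchangeserverpro.net/Company/Branch Office/$suffix"
})
$sampleStats = @(New-Object PSObject -Property @{
    DeviceID              = 'Appl87941C1N3NS'
    Identity              = "exchangeserverpro.net/Company/Head Office/$suffix"
    DeviceWipeRequestTime = (Get-Date '2012-05-01 09:00')
    DeviceWipeSentTime    = (Get-Date '2012-05-01 09:05')
    DeviceWipeAckTime     = $null
})

Get-EASWipeReport $sampleDevices $sampleStats |
    Format-Table DeviceId, IdsMatch, WipeState -AutoSize

# Against a live organization, mirroring the scripts above:
#   $devices = @(Get-ActiveSyncDevice)
#   $stats   = @($devices | ForEach-Object { Get-ActiveSyncDeviceStatistics $_ })
#   Get-EASWipeReport $devices $stats
```

For a departed user, a device that stays at "Wipe requested, not yet sent" has not connected to Exchange since the wipe was issued.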

Summary

This appears to simply be a bug in how Exchange detects a user object that has moved between OUs and does not update both identity values correctly.

Or perhaps the issue is that the Clear-ActiveSyncDevice cmdlet as it is executed from the management console is referencing the wrong object’s identity value, since we seem to be able to work around the problem by specifying the correct one in the shell.

You may find it simpler to just use the Exchange Control Panel to initiate your remote device wipes. However the scripted option is available if you prefer that.

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013.

Comments

  1. I ran into a similar issue a while back. My fix wasn’t quite as elegant.
    http://patrickhoban.wordpress.com/2011/11/22/1344/

  2. Paul, this article was extremely helpful. Thank you for taking the time and doing the research and coding.

  3. I ran into the same issue with a name change.
    Thank you for the article and research, it saved me so much time.

  4. Paul,
    Thanks for the information. Is it possible to edit the incorrect ID (Get-ActiveSyncDevice/Stats) so the EMC can be used for remote wipe?

  5. Faisal Khan says:

    Paul, you are always very helpful. I had the same problem while wiping a device from the Exchange Management Console, but then, right as you said, it worked from ECP without any complaint! Thank you
    Faisal khan

  6. Alexander Lerner says:

    Paul, I have this problem in a somewhat harder way. We have some ActiveSyncDevice objects that were deleted directly in “Active Directory Users and Computers” and the retention time for the deleted objects is over, so I really can’t find these objects any more.

    Get-ActiveSyncDeviceStatistics still claims the device is here, but any actions (remove-, clear-) end in “ActiveSync Device not found”

    Any idea how I can finally delete the remnants of these devices?

    Thanks

    AL

  7. Paul,

    Thanks for researching this. We currently went through an AD overhaul and users were moved from one OU to another. When trying to remote wipe phones through EMC, it still points to the old activesync device location.

    I tried running a clear-activesyncdevice command and piping the new identity and it says it's successful, but I never get an acknowledgement in EMC, nor do I get an ack email.

    Do you know why this is?

  8. @JD – Take a look at my blog post. I believe this will fix your issue.

    http://patrickhoban.wordpress.com/2011/11/22/1344

  9. Hi Paul

    As usual an excellent post and helped us out with a security issue with one of our customers.

    Script ran on Exchange 2010 as per the post. I think our issue might have been that the customer migrated from Exchange 2003 to 2010 and could have had some issues with the ActiveSync details in that process.

    :)

  10. If you want to remove the stale activesync device, use the GUID instead of the actual Identity value:
    Remove-ActiveSyncDevice -Identity 0622e300-c53a-4336-84da-0fb01c596d1f

    I’ve had no issues with this method.

  11. Hi Paul,

    I am getting the same error while removing the device. We had changed the user name.

    When I run the script, nothing is found; it says “No activesync devices associated”, but when I go to the user properties there are two entries.

    FYI, I have removed both mobile entries through adsiedit also.

    When I try to wipe or remove the device through ECP, it says “Black Ipad cound n’t found” Error code

    There’s no article associated with the error you found, Error ID: Ex0FBD0C, but you can get help a couple of different ways. We recommend trying forums first.
