Recently, I found an old device stuck in quarantine in my Exchange environment (ECP\Mobile\Mobile Device Access).

Initially this was normal, because I applied a mobile device policy that quarantines every new mobile device using the ActiveSync protocol to connect to an Exchange mailbox.

In this case, I don't know why it was not approved (or rejected), and it had been stuck in quarantine since July 2013. Quite a long time ago.

As I wanted to clear the quarantine, I tried to allow it (as this device belongs to me) but… no luck; it failed with the error:

The operation couldn’t be performed because object ‘Benoit HAMET’ couldn’t be found on ‘<domain controller>’.

OK, this may make sense, as the related account has been moved to Exchange Online since then.

So, I tried another way with PowerShell and ran the following command to find any device that has been in quarantine for more than 1 month and delete it:

Get-MobileDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)} | Remove-MobileDevice

But it failed again with a similar error.

As almost everything related to Exchange is stored in AD, I started looking at the attributes of the user account but found nothing using the ADUC console; in fact I found the allowed devices attribute but nothing related to pending or quarantined devices.

So, I switched to ADSIEdit (our good friend for any deep AD stuff) and started looking around the user object… and I found it.

ALL the mobile devices associated with a user are located just below the CN=ExchangeActiveSyncDevices sub-branch, below the user object.

So, in order not to delete the wrong device, I ran the command again to get its name in Exchange:

Get-MobileDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)}

Which returns all the properties of any device put in quarantine.

Then, using the value of the Name attribute, I was able to locate the correct value in ADSIEdit and delete it.

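The same lookup and deletion can be scripted with the ActiveDirectory module rather than done by hand in ADSIEdit. This is an added example, not part of the original post; the account name and device name are placeholders, and the object class and attribute names (msExchActiveSyncDevice, msExchDeviceID, msExchDeviceAccessState) are assumed from the Exchange schema rather than taken from the post.

```powershell
# Added example: list the device objects under a user's
# CN=ExchangeActiveSyncDevices container and remove one by name.
# Requires the ActiveDirectory module (RSAT) and delete rights on the object.
Import-Module ActiveDirectory

$UserSam    = '<sAMAccountName>'              # placeholder: owner of the device
$DeviceName = '<Name from Get-MobileDevice>'  # placeholder: Name property value

# Build the container DN from the user's own DN
$user      = Get-ADUser -Identity $UserSam
$container = "CN=ExchangeActiveSyncDevices,$($user.DistinguishedName)"

# Enumerate only direct children of the container
$query = @{
    SearchBase  = $container
    SearchScope = 'OneLevel'
    Filter      = "objectClass -eq 'msExchActiveSyncDevice'"   # assumed class name
    Properties  = 'msExchDeviceID', 'msExchDeviceAccessState', 'whenCreated'
}
$devices = @(Get-ADObject @query)

# Show what is there before touching anything
$devices |
    Select-Object Name, msExchDeviceID, msExchDeviceAccessState, whenCreated |
    Format-Table -AutoSize

# Refuse to continue unless exactly one object matches the expected name
$target = @($devices | Where-Object { $_.Name -eq $DeviceName })
if ($target.Count -ne 1) {
    throw "Expected one device named '$DeviceName' under $container, found $($target.Count)."
}

# Dry run: prints what would be deleted. Remove -WhatIf to actually delete.
Remove-ADObject -Identity $target[0].DistinguishedName -Recursive -WhatIf
```

Deleting a device object this way bypasses Exchange, so keep a copy of the listing output as a record of what was removed and when.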