Recently, I found an old device in quarantine in my Exchange environment (ECP\Mobile\Mobile Device Access).
Initially this was normal, because I applied a mobile device policy to put in quarantine all new mobile devices using the ActiveSync protocol to connect to an Exchange mailbox.
In this case, I don’t know why it was not approved (or rejected), and it was stuck in quarantine since July 2013. Quite a long time ago.
As I wanted to clear the quarantine, I tried to allow it (as this device belongs to me) but… no luck; it failed with the error:
The operation couldn’t be performed because object ‘Benoit HAMET’ couldn’t be found on ‘<domain controller>’.
OK, it may make sense, as the related account has been moved to Exchange Online since then.
So, I tried another way with PowerShell and ran the following command to find any device in quarantine for more than 1 month and delete it:
Get-MobileDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)} | Remove-MobileDevice
But it failed again with a similar error.
As almost everything related to Exchange is stored in AD, I started looking at the attributes of the user account but found nothing using the ADUC console – in fact I found the allowed devices attribute but nothing related to pending or quarantine.
So, I switched to ADSIEdit (our good friend for any deep AD stuff) and started looking around the user object… and I found it.
ALL the mobile devices associated with a user are located just below the subbranch CN=ExchangeActiveSyncDevices, below the user object.
So, in order to not delete the wrong device, I ran the command again to get its name in Exchange:
Get-MobileDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)}
This returns all the properties associated with any device put in quarantine.
Then, using the value of the Name attribute, I was able to locate the correct value in ADSIEdit and delete it.
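
The manual ADSIEdit lookup above can also be scripted. The following is an added example, not the author's code: it assumes the Exchange Management Shell and the ActiveDirectory (RSAT) module are available, that the device objects use the msExchActiveSyncDevice class, and the helper name Test-EasDeviceDn and the sample DNs are made up for illustration.

```powershell
# Added example, not the author's code. Assumes the Exchange Management Shell
# and the ActiveDirectory (RSAT) module are available in the session.
Import-Module ActiveDirectory

function Test-EasDeviceDn {
    # True only when the DN's immediate parent is the per-user
    # CN=ExchangeActiveSyncDevices container described in the post.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $parts = $DistinguishedName -split '(?<!\\),'   # split on unescaped commas
    return ($parts.Count -ge 3 -and $parts[1].Trim() -ieq 'CN=ExchangeActiveSyncDevices')
}

# Constructed sample DNs (not from the post) showing what the guard accepts.
$sampleOk  = 'CN=Phone-DEVICE01,CN=ExchangeActiveSyncDevices,CN=Some User,OU=Staff,DC=example,DC=test'
$sampleBad = 'CN=Some User,OU=Staff,DC=example,DC=test'
if (-not (Test-EasDeviceDn $sampleOk) -or (Test-EasDeviceDn $sampleBad)) {
    throw 'DN guard is not behaving as expected'
}

$cutoff = (Get-Date).AddMonths(-1)
$stale = Get-MobileDevice -ResultSize Unlimited | Where-Object {
    $_.DeviceAccessState -eq 'Quarantined' -and $_.FirstSyncTime -lt $cutoff
}

foreach ($device in $stale) {
    $dn = [string]$device.DistinguishedName
    if (-not (Test-EasDeviceDn $dn)) {
        Write-Warning "Skipping, not under CN=ExchangeActiveSyncDevices: $dn"
        continue
    }
    try {
        $adObject = Get-ADObject -Identity $dn -Properties whenCreated -ErrorAction Stop
    } catch {
        Write-Warning "Not found in AD: $dn"
        continue
    }
    # Assumption: device objects use the msExchActiveSyncDevice class.
    if ($adObject.ObjectClass -ne 'msExchActiveSyncDevice') {
        Write-Warning "Unexpected object class '$($adObject.ObjectClass)': $dn"
        continue
    }
    $adObject | Select-Object Name, ObjectClass, whenCreated, DistinguishedName
    # -WhatIf only reports what would be deleted; drop it after reviewing the list.
    Remove-ADObject -Identity $adObject -WhatIf
}
```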