Here's an interesting issue you may run into when migrating from Exchange 2003 to Exchange 2010. E-mails passing through the Exchange 2010 Hub Transport role may bounce back with a Non-Delivery Report (NDR) with the SMTP code 550 5.7.1 that says something like "Submission has been disabled for this account."

You would normally only see this NDR when a user's mailbox has exceeded the ProhibitSendQuota and/or ProhibitSendReceiveQuota limit (i.e. their mailbox is full). However, there's a potential "bug" here. In this case, you will get the NDR even if the mailbox is using the database default limits and is NOT full. If you bring up the account properties in Active Directory Users and Computers (ADUC) on a system with the Exchange 2003 tools loaded, everything looks fine on the account. However, if you look up the account in PowerShell with the Exchange 2010 tools loaded, you'll see that ProhibitSendQuota and/or ProhibitSendReceiveQuota has a value (often 0KB, but it can be any value lower than the default and still cause this problem) even with UseDatabaseQuotaDefaults set to "True".

For some reason, the Exchange 2010 Hub Transport seems to ignore the UseDatabaseQuotaDefaults = True flag and will reject messages based on the ProhibitSendQuota and/or ProhibitSendReceiveQuota limits.

If you have a large environment, you'll probably want to find and fix all accounts with this issue right away. It won't be practical to wait for someone to report that they've had this problem. Luckily, PowerShell makes it easy for us.


To find all users across your entire AD forest that will run into this problem, run this command:

Get-Mailbox -IgnoreDefaultScope -ResultSize Unlimited -Filter { (UseDatabaseQuotaDefaults -eq $true) -and ((ProhibitSendQuota -ne "unlimited") -or (ProhibitSendReceiveQuota -ne "unlimited")) } | Select Name,UserPrincipalName,Database,ServerName,UseDatabaseQuotaDefaults,ProhibitSendQuota,ProhibitSendReceiveQuota | Export-CSV -Path c:\scripts\badquotas.csv

To FIX the problem for all users across your entire AD forest, run this command:

Get-Mailbox -IgnoreDefaultScope -ResultSize Unlimited -Filter { (UseDatabaseQuotaDefaults -eq $true) -and ((ProhibitSendQuota -ne "unlimited") -or (ProhibitSendReceiveQuota -ne "unlimited")) } | Set-Mailbox -ProhibitSendQuota unlimited -ProhibitSendReceiveQuota unlimited
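
If you'd rather not change a couple thousand accounts blind, here is an added example (not one of the original commands in this post) that wraps the same find and fix steps so you can preview with -WhatIf, keep a record of the old values, and confirm afterwards that nothing is left. The function name and the rollback CSV path are assumptions; it needs the Exchange 2010 Management Shell and sticks to PowerShell 2.0 syntax.

```powershell
# Added example. Repair-StaleMailboxQuota and quota-rollback.csv are assumed names.
function Repair-StaleMailboxQuota {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$RollbackCsv = 'c:\scripts\quota-rollback.csv'
    )

    # Same selection as the find command, with the grouping written out explicitly.
    $filter = { (UseDatabaseQuotaDefaults -eq $true) -and ((ProhibitSendQuota -ne "unlimited") -or (ProhibitSendReceiveQuota -ne "unlimited")) }

    $affected = @(Get-Mailbox -IgnoreDefaultScope -ResultSize Unlimited -Filter $filter)
    if ($affected.Count -eq 0) {
        Write-Verbose 'No mailboxes with stale per-mailbox quotas were found.'
        return
    }

    # Record the current values before touching anything. -WhatIf:$false makes
    # sure the record is written even during a preview run.
    $affected |
        Select-Object DistinguishedName, UserPrincipalName, Database,
                      UseDatabaseQuotaDefaults, ProhibitSendQuota, ProhibitSendReceiveQuota |
        Export-Csv -Path $RollbackCsv -NoTypeInformation -WhatIf:$false

    foreach ($mbx in $affected) {
        # With -WhatIf, ShouldProcess prints the target and returns $false,
        # so no mailbox is modified.
        if ($PSCmdlet.ShouldProcess($mbx.DistinguishedName, 'Set per-mailbox quotas to unlimited')) {
            # -IgnoreDefaultScope requires the distinguished name as the identity.
            Set-Mailbox -Identity $mbx.DistinguishedName -IgnoreDefaultScope `
                -ProhibitSendQuota unlimited -ProhibitSendReceiveQuota unlimited
        }
    }

    # Re-run the same query. After a real run this should come back empty.
    $remaining = @(Get-Mailbox -IgnoreDefaultScope -ResultSize Unlimited -Filter $filter)

    New-Object PSObject -Property @{
        Found     = $affected.Count
        Remaining = $remaining.Count
        Rollback  = $RollbackCsv
    }
}

# Preview first, then apply:
#   Repair-StaleMailboxQuota -WhatIf
#   Repair-StaleMailboxQuota -Verbose
```

After a -WhatIf run, Remaining will equal Found because nothing was changed; after a real run it should be 0.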

In my most recent run-in with this issue, I found just under 2,000 accounts impacted by it.  With about 60,000 mailboxes total, that's only about 3% affected.  That being said, it's still much quicker to let PowerShell do all the hard work for you.  Even with 60,000 mailboxes spread out across 4 domains in the forest, these PowerShell commands took less than 5 seconds to complete.


About Author


Josh Bryant

Josh M. Bryant is currently a Senior Director of Technical Account Management at Tanium where he helps customers overcome the challenges of managing very large scale computing environments. Prior to joining Tanium, he was a Premier Field Engineer at Microsoft specializing in Microsoft Exchange Server, and then later a Cybersecurity Architect specializing in Compromise Recovery. Josh is also a Master Sergeant in the Illinois Air National Guard where he manages a team of Cyber Threat Intelligence specialists.
