Picker is extremely slow
Exchange 2010. About 10,000 mail objects in AD.
When adding "Full-Access Permissions" to any mailbox, the Select User or Group picker is
extremely slow.
If I press STOP before all objects are found... and then manually enter a name such as
smith in the SEARCH: box, it takes forever to find all of the smiths in the GAL.
Anyone else experiencing this issue ?
I previously managed a 25,000 mailbox Exchange2007 environment, and never had any slowness when assigning permissions and using the picker.
January 31st, 2011 11:58pm
Have you tried the Add-MailboxPermission exchange shell command.
More Information about this command you will find on
http://technet.microsoft.com/en-us/library/bb676551.aspx
Please remember that when using LDAP Seaarch (Pickerr) not all objects will be shown. So if you are working on a large infrastructure yu have to use the commandline interface.
Further information you will find on
http://support.microsoft.com/kb/315071 or
http://ldapwiki.willeke.com/wiki/LDAP%20policy%20in%20Active%20Directory
regards Thomas Paetzold visit my blog on: http://susu42.wordpress.com
Free Windows Admin Tool Kit Click here and download it now
February 1st, 2011 12:22am
The powershell method works great for anyone comfortable with PS and knows the exact name of the group and mailbox ahead of time.
But for this customer (a hospital)... their helpdesk and email support team need to be able to use the EMC to assign these permissions.
The issue is when scrolling through 5000 objects in the picker or using "find now" to locate the correct security group to assign the permissions... performance is incredibly slow.
February 2nd, 2011 8:55pm
Yes, I reported the same problem:
http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/b2ebf28d-dc03-4e71-a064-1a77d6b0ebe8/?prof=required
You replied there as well....so I know it's NOT just me. FIX FIX FIX Microsoft! :-)
Free Windows Admin Tool Kit Click here and download it now
February 2nd, 2011 11:17pm
There were alot of improvements with the picker/search functionality in Service Pack 1 for Exchange 2010.
Do you have SP1 installed?
If you try searching for on object in Active Directory Users and Computers, how are the results? (Use a test account, go to properties, security tab, and try to add/search)
We've had this reported and SP1 seemed to improve the functionality a bit...
Thanks,
Kevin Ca - MSFTKevin Ca - MSFT
February 27th, 2011 9:17pm
Yes, SP1 is installed.
Searching for objects in AD Users and Comptuers the results are fast like always.
On Exchange 2010, if you go under the properties of a mailbox, and select something like "Send on Behalf Of" and search, it's fast.
Only using Full Access and Send-As permissions from the main Exchange 2010 Console is it slow.
When we were on Exchange 2007, this was very fast like it should be.
I think it's a bug and it needs addressed.
Free Windows Admin Tool Kit Click here and download it now
February 27th, 2011 9:43pm
Can confirm it too (2010 SP1 + UR2)
It wants to show all user and group objects, even non-mail enabled (since you can grant access to a security group) -I'd guess this would total up to over 500,000 for my env. I don't even want to pick the name from the list, I just want
to search for it!
February 27th, 2011 10:52pm
Hi,
when you are administering a real big Active Directory with 10,000 Mailobjects you should think about using the commandline instead of using the graphical userr interface (Exchange Console)
Please refer to the Excahnge Shell (Powershell extensions) Commands for administering the Exchange system.
regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com
Free Windows Admin Tool Kit Click here and download it now
February 27th, 2011 11:01pm
I am going to have to disagree with your Peddy. While us real Exchange admins can easily use the Shell, and thats what I have been having to do, there are times in enivroments where a help desk worker has the Exchnage Recipient Admin role, and needs
to be able to set these via the GUI. Thats why the GUI is there.
We have a very large AD enviroment, over 100,000 objects, and the picker worked just fine on Exchange 2007.
Like CN9 said above, it wouldn't as bad if the stupid search even worked, but it has to wait for it to try to show everything first before you can even do anything.
It's a bug, and it's needs fixed, even though the Shell is a work around, it's not a solution to the problem that is being reported.
February 27th, 2011 11:41pm
We have a few cases open with this issue reported. They're all still under investigation. I'll need a few days to do some research and once i have more information i can update this post.
Thanks,
Kevin Ca - MSFTKevin Ca - MSFT
Free Windows Admin Tool Kit Click here and download it now
February 27th, 2011 11:44pm
On top of the functionality, I'd also be concerned about the impact to Global Catalogs. Not sure what's happening in the backround but hopefully it's not hammering them with some inefficient query. I may have hundreds of people running the Exchange console
- not only do I not want to teach them powershell but I'd hate to see GCs going down.
Good to hear it's being looked at.
February 28th, 2011 12:21am
To provide an update on my earlier post. I did some research on the cases we have right now, and they are all scenarios where Service Pack 1 has the fixes included to address the performance issues.
If you have Service Pack 1 installed, we'll likely need to pursue this in 1 of the 2 following ways:
1. Evaluation of basic performance monitor counters on the affected Exchange Servers & Domain Controllers/Global Catalogs
or
2. Open a support case to report the problem.
To comment on the second option; without any open tickets or reported problems, our options to pursue/troubleshoot these issues via forums communications are very limited. As a reminder; if you open a support case and it is determined to be a code problem
or a bug, you are not charged/decremented for the incident.
I did in fact try to reproduce the issue in my lab by importing 30K mail enabled users; but could not reproduce it. This is a scenario where real data is critical for us to troubleshoot.
Thanks,
Kevin Ca - MSFTKevin Ca - MSFT
Free Windows Admin Tool Kit Click here and download it now
March 10th, 2011 5:42am
Kevin,
I have already been through option 1, and performance looks normal. Nothing out of the ordinary I can tell. And like we stated, it only happens when setting Send-As or Full Access from the main MMC GUI. Creating mailboxes and searching,
setting send on behalf of, journal rules and searching and selecting a user, etc...all normal. Exchange 2007 never had this problem in our enviroment as well. We have operations manager that logs performance data, and I have used process monitor,
task manager, performance monitor, etc, locally and on the DC's to see if there is an additional load. Not seeing anything.
So that leaves option 2. I relize that we may not be charged, but I do not make deceisions at work in terms of money, and I cannot contact support for something like this unless it would be determined to be a major issue. Unless you can provide
a way for me to talk to support without asking for credit card info, I cannot report the problem, hence why I am on these forums. If you want to touch base with me through e-mail, feel free, and I can send you all the logs, information etc, you want.
Thats one of the problems with Micrsoft support. There needs to be a place for support to report bugs like these without being hassled for biling information.
I really don't think I can get the people who control money at work to allow me to use a credit card to call support on this issue because in their minds, this wont' be a critical need and doesn't impact end users at all. But I know Microsoft has a
desire to gather information from clients to get these issues fixed, so we are kind of in a catch 22 situation. Feel free to touch base with me thoguh e-mail. I am sure as a mod you can find my e-mail address.
March 10th, 2011 6:13am
We haven't deployed 2010 yet as we're still testing. I'm going to apply the latest update rollup to our lab (just came out the other day) and if it's still occurring I'll open a case. I'll post back, but it might take a couple of weeks.
Free Windows Admin Tool Kit Click here and download it now
March 10th, 2011 5:29pm
I just find it odd it only happens in the main MMC screen: Recipient Configuration -> Mailbox -> right click user mailbox and select
Full Access or Send-As permissions. SLOW SLOW SLOW
The picker is fast everywhere else in my testing. Trying to compile a list of where the picker is normal (like it was in Exchange 2007):
·
When creating a mailbox for an existing AD user
·
Mailflow tab on a mailbox. Going to delivery options on a mailbox and setting Send on Behalf of permission, or setting a Forward To address
·
Mailflow tab on a mailbox. Setting message delivery restrictions to accept/reject messages from certain senders
·
Organization Config -> Hub Transport -> Journal Rules. Creating a journal rule and setting the journal reports, or journal message recipient.
·
Recipient Config -> Distribution Group -> select a group and add a member
I am sure there are other places as well. It also makes no difference if you are using the management console on any of the Exchange servers (whether
it be a mailbox, CAS, or HUB) or even remotely on my management workstation using just the management tools.
March 10th, 2011 6:06pm
Get the exact same thing here, running 2010 SP1 RU3. If I add group members to dist. groups it runs just fine. If I do a full permisison add it takes awhile to load up.
Free Windows Admin Tool Kit Click here and download it now
May 5th, 2011 10:33pm
I have exactly the same issue as described above. Running Exc2010 SP1 UR 3. I have a parent domain, with three child domains underneath. I have around 5'000 mailboxes in my system, and around 6000 AD users acounts in my main domain (not factoring in other
AD objects like groups, or user accounts on other domains).
Does anyone have an update on this issue?
Kevin Ca, what environment are you running in your lab? Are you on Update Rollup 3? I'm very suprised that you say you can't replicate the issue. Perhaps your AD in your Lab is too thinly populated to cause the issue?
Is there a way of setting a default context for these searches? Mine reverts to the top level of our forest on each use. If it was at least set to the child domain\OU where my users accounts are, this might speed things up slightly.
Obviously that's only a workaround, just like suggesting using powershell (user admins aren't often powershell gurus). We need this behaviour rectifiying, it's clearing been identified in multiple sites, all running up to date Exchange builds.
Is there any chance that UR4 may include a fix for this? Have any other users out there found any resolutions themselves?
I've actually had an operations guy today start reporting that his MMC is crashing when he tries to do these searches in the console. Has anyone experienced that yet? I've not yet been able to replicate it on any of my consoles, just wanted to know if anyone
else out there has.
Thanks in advance all :)
Gavin Connell
July 8th, 2011 5:42am
Same slowness here (1700 mailboxes), Exchange 2010 SP1, no rollups. Being able to set a defaullt OU for the picker would help, at the very least. Waiting for SP2 to come out - hopefully its addressed.
Free Windows Admin Tool Kit Click here and download it now
August 11th, 2011 4:09pm
I can also confirm this problem - we need the Gui to perform so our our front line support can help our people quickly. Command line is not acceptable for this.
September 4th, 2011 10:53am
Same problem here on Exchange 2010SP1RU3. 11,000 mailboxes. GUI fast everywhere except for searching for people in "Manage Full Access" and "Manage Send As". Sooo annoying!!!
And while we're talking about the "Manage Full Access" and "Manage Send As" options, why can't we add or paste multiple users into the window just like you can in AD when you click "Check name" and it underlines all the names?
Free Windows Admin Tool Kit Click here and download it now
September 6th, 2011 10:13am
Exchange 2010SP1RU5, these are the results I see consistently.
2007 Behavior
Click Add, people picker starts enumerating all your users, you type in a name, the people picker stops enumerating and produces your query in less then one second.
2010SP1RU5
Click Add, people picker starts enumerating all your users, you type in a name, the people picker stops enumerating and produces your query in 4 seconds.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 6th, 2011 10:29am
Oh, I wish mine was 4 seconds, it wouldn't be so bad. With have thousands of Exchange mailboxes, and over 100,000 AD accounts....it's more l like 30-45 seconds for me. It doesn't appeaer the the picker stops enumerating once you try to query.
It won't even let you query until its done it's thing is what it appears to be doing.
However, with our 2007 environment, it was only really quick (less than a second).
Free Windows Admin Tool Kit Click here and download it now
September 6th, 2011 10:36am
I'm actually surprised I get a consistent 4 second response time now, before I recall it being much slower not 30-45 seconds but maybe around 10 seconds when I was on SP1 RU1. For grins go to EMC, org config and modify config domain controller and
try pointing to different DCs and see if you get different results.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 6th, 2011 10:45am
I've been down all the troubleshooting steps I knew to take, including changing DC's and CAS servers for the console. Results are consistently slow, and makes the GUI useless for this purpose.
I still feel this is a bug as so many other people are complaining about it, and there is no free way to submit bugs without giving them a credit card number. So, looks like we have to live with it unless Microsoft wants to reach out to me as I have
suggested months ago on here.
Free Windows Admin Tool Kit Click here and download it now
September 6th, 2011 10:48am
If you open the "Manage Full Access Permission" or Manage Send As Permission and search for a user the actual command that is taking such a long time to run is:
Get-SecurityPrincipal | Filter-PropertyStringContains -Property 'Name' -SearchText 'fred.smith'
You can see this by looking in the "View Exchange Management Shell Command Log" window in "View".
What's odd is that if you attempt to run that same command in the EMS it errors with:
The term '-Filter' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spe
lling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:32
+ Get-SecurityPrincipal | -Filter <<<< PropertyStringContains -Property 'Name' -SearchText 'fred.smith'
+ CategoryInfo : ObjectNotFound: (-Filter:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
By the looks of it, it is returning the Security Principles for every single object in the domain and then filtering the results. Therefore the search time may be directly proportionate to the amount of AD objects in a domain.
September 6th, 2011 11:08am
Good find, this may be why it works in someplaces, and not ont the manage send as/full access permissions.
What does you log say when you search for something at any of these locations:
·
Mailflow tab on a mailbox. Going to delivery options on a mailbox and setting Send on Behalf of permission, or setting a Forward To address
·
Mailflow tab on a mailbox. Setting message delivery restrictions to accept/reject messages from certain senders
·
Organization Config -> Hub Transport -> Journal Rules. Creating a journal rule and setting the journal reports, or journal message recipient.
·
Recipient Config -> Distribution Group -> select a group and add a member
Could be they just coded the wrong thing in the place we are talking about.
Free Windows Admin Tool Kit Click here and download it now
September 6th, 2011 11:18am
They all use "Get-Recipient". God knows why it's different for Full Access and Send As...
@James,
How many AD objects in your domain?
Edit. Don't understand why the code needs to be more elaborate than:
Get-SecurityPrincipal -identity 'fred.smith'
September 6th, 2011 11:30am
We have about 140,000 user objects, almost another 1,000 groups which are being returned as well.
This wasn't a problem in 2007...so perhaps they made changes for whatever reason.
Free Windows Admin Tool Kit Click here and download it now
September 6th, 2011 12:15pm
That is a good observation Birtybasset with the shell command, I'm in the middle of a migration so 2010 only has 1k objects. Performing the DL search filter is quick as others have observed but is using a different query -ANR filter instead
of the failing Filter-PropertyStringContains.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 6th, 2011 12:34pm
Since, for the time being, there's not a lot we can do about this I decided to make a small script I could use every time I needed to grant a user Full Access & Send As rights on a mailbox.
This only works if you have the Exchange tools installed:
Create a ps1 file with the below code in it:
$user=Read-Host "Enter a user name"
$mailbox=Read-Host "Enter a mailbox name"
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
Add-MailboxPermission $mailbox -Accessrights “FullAccess” -User $user
Add-ADPermission $mailbox -Extendedrights “Send As” -User $user
Then, because I use a custom MMC console to connect to everything I need I created a batch file that points to the ps1 file and added that in to the MMC. The batch file just contains:
powershell.exe -noexit E:\downloads\Set-MailboxPerms.ps1
So now I can just click the link in the mmc, it opens the console window asking for the username and the mailbox. When entering them both and pressing enter, a couple of seconds later the permissions have been applied on the mailbox. Happy
days!
Thought this might be of use to someone...
Free Windows Admin Tool Kit Click here and download it now
September 9th, 2011 7:04am
Hello All,
On March 10th i posted an update stating at the time, our options were to check out the performance of the Exchange Server and the DCs that the Exchange Server use, or open a support case to report the problem.
I've been following the reports of the issue internally as this discussion has been kept alive, and it looks like one of my colleagues has a more formal investigation going on.
I will try to have an update on this in about 2 to 3 weeks.
Kevin Ca - MSFT
September 12th, 2011 9:26pm
Hi Microsoft,
I confirmed that this is a problem in my environment as well, please fix this ASAP !
We did not see this issue in Exchange 2003 and it is now broken in Exchange 2010.
Free Windows Admin Tool Kit Click here and download it now
September 26th, 2011 2:17am