PowerShell HTML Weekly AD and Mailbox Report

As an Exchange admin, one of the hardest things to keep an eye on is AD. Not in the sense of your replication or DC health, but that everything is where it is supposed to be. Some of the most trivial calls end up being related to a distribution group, shared mailbox, or room mailbox not being in the proper OU, so the relevant team cannot manage them. Unfortunately there isn’t a tool out there (that I know of) that will help you keep an eye on this sort of thing without pounding you with notifications. For that reason, I created a script that I run weekly as a scheduled task. This script greets me every Monday morning, and shows me the following:

  • Mailboxes on Litigation Hold
  • Mailboxes without a Retention Policy
  • All the existing Journaling Rules
  • The user objects in AD that have been inactive for over 60 days
  • Shared Mailboxes in the wrong OU
  • Room Mailboxes in the wrong OU
  • Distribution Groups in the wrong OU
  • Shared Mailboxes with enabled user objects
  • Room Mailboxes with enabled user objects

And here’s what the report looks like in an Outlook 2016 client:

Now I don’t expect this script to work for every environment. The place I developed the script for has a pretty basic AD hierarchy, with singular specific root OUs for each type of mailbox and distribution groups. If, for example, you keep shared mailboxes in multiple OUs you will have to make some changes to the filters in each relevant cmdlet. The good news is the framework is already here.

Hat tip to Karsten Schneider at ilikesharepoint.de for providing me the starting point on this script.

AD Management Tools [Windows 10]

Stepping away from Exchange for a minute, I was recently reminded that some people don’t have an Admin server, but still find themselves needing to manage an Active Directory environment. If that is the case, you’ll need to install the Remote Server Administration Tools on your PC. If you’re running Windows 7 you can download the installer here. For the AD Management tools Windows 10, you can download the tools here if you have an older build. For newer builds select “Manage optional features” in Settings and click “Add a feature” to see the list of available RSAT tools. From there you can pick the tools you would like to install.

Exchange 2010 Health Check Script

A few years ago when I was leading my first Exchange team, one of the very first lessons I learned was that everyone has a different idea for how to validate a change. When I started my IT career, I was taught after any change you reboot, and when the system comes back up you check the event logs, services, and any relevant application logs to make sure everything is running as expected. However, as I found out after delegating a patching change to a subordinate, everyone didn’t learn that same lesson. Hence, the Exchange 2010 Health Check script.

Start PowerShell to run the Exchange 2010 Health Check script
Server restart – friend or foe?

The Change

During that change window, three out of four mailbox servers didn’t start their Mail Submission service. This was on a weekend of course, and IIRC no one really noticed until Sunday evening. Once I got the call though, I knew exactly what the issue was. I remoted in to the network as soon as I could, started the Mail Submission services, and dreaded going to work the next morning.

The Aftermath

That night I thought about the two questions that were going to come my way the next morning- how did this happen, and how do we prevent it in the future? The first question is relatively easy. Sometimes, for some reason, Exchange services just don’t want to start after a reboot. This is something of a cop-out of course, but I’ve seen this service hang at reboot in most of the environments I’ve worked on. The other question of how we prevent this in the future, was going to take a bit of work.

The Solution

Training is of course the simple answer, but that isn’t the answer that I would want to hear. Especially after an outage of that magnitude.

The solution I came up with was the following Exchange 2010 Health Check Script. This script was to be run against any Exchange 2010 server post-change, and would gather the following server stats and perform the relevant tests:

  • All Servers
    • Status of Services set to startup automatically
    • All of the Error and Warning logs in the last 100 Application log entries
    • All of the Error and Warning logs in the last 100 System log entries
  • For CASes
    • All active connections to all services (based off this function)
    • Test POP connectivity
    • Test IMAP connectivity
    • Test OWA connectivity
    • Test EWS connectivity
  • For Hub Transports
    • Test SMTP connectivity
    • Report on messages in queue
  • For Mailbox Servers
    • Test DAG health
    • Report on the mailbox database copy statuses
    • Test MAPI connectivity
    • Test mailflow

In situations where we had multi-role servers, namely CAS/HTs, the script would run the tests and generate reports for each role. And once run, the admin will be prompted to email the Messaging team’s distribution group so everyone can have eyes on the results.

#################################################################
# Exchange 2010 Health Check Script                             #
# This script generates an Exchange Server health check report  #
# And can email it to a specified recipient			#
#								#
# Created by Eric Kukkuck 3/3/2015				#
# https://MSExchangeHelp.com					#
#################################################################

$OrgName = "MyCo"
$TranscriptPath = "D:\ABZ\Reports\E2010HealthCheck_" + (Get-Date -f yyyy-MM-dd_HH-mm) + ".txt"

$POPEnabled = "$False"
$IMAPEnabled = "$True"

$SMTPServer = "smtp.domain.intranet"
$SMTPSender = "postmaster@domain.net"
$SMTPRecipient = "MessagingTeamDG@domain.net"

start-transcript -Path $TranscriptPath

    Write-Host ""
write-host "Welcome to the $OrgName Exchange Server Health Check script. This script is to be run upon completion of any changes made to an Exchange sever and the results emailed to $SMTPRecipient." -foregroundcolor "green"

    write-host ""
Write-Host "Enter server name to validate:" -ForegroundColor "Yellow"

    write-host ""
$Server = Read-Host

    write-host ""
$ServerRole = get-ExchangeServer $Server | Select ServerRole

function Get-CASActiveUsers {
  [CmdletBinding()]
    param(
    [Parameter(Position=1, ParameterSetName="Value", Mandatory=$true)]
    [String[]]$ComputerName,
    [Parameter(Position=0, ParameterSetName="Pipeline", ValueFromPipelineByPropertyName=$true, Mandatory=$true)]
    [String]$Name
  )

  process {
    switch($PsCmdlet.ParameterSetName) {
      "Value" {$servers = $ComputerName}
      "Pipeline" {$servers = $Name}
    }
    $servers | %{
      $RPC = Get-Counter "\MSExchange RpcClientAccess\User Count" -ComputerName $_
      $OWA = Get-Counter "\MSExchange OWA\Current Unique Users" -ComputerName $_
      $AS = Get-Counter “\MSExchange ActiveSync\Current Requests” -ComputerName $_
      $AB = Get-Counter "\MSExchangeAB\NSPI Connections Current" -ComputerName $_
      $IMAP =  If($IMAPEnabled -eq 'True'){get-counter "\MSExchangeimap4(1)\current connections" -ComputerName $_}Else{'Disabled'}
      $POP = If($POPEnabled -eq 'True'){Get-Counter "\MSExchangePOP3(_Total)\Connections Current" -ComputerName $_}Else{'Disabled'}
      $EWS = Get-Counter "\W3SVC_W3WP(*msexchangeservicesapppool)\Active Requests" -ComputerName $_
      New-Object PSObject -Property @{
        Server = $_
        "RPC Client Access" = $RPC.CounterSamples[0].CookedValue
        "Outlook Web App" = $OWA.CounterSamples[0].CookedValue
	"ActiveSync" = $AS.CounterSamples[0].CookedValue
	"Address Book" = $AB.CounterSamples[0].CookedValue
	"IMAP" = If($IMAP -eq'Disabled'){'Disabled'}Else{$IMAP.CounterSamples[0].CookedValue}
	"POP" = If ($POP -eq 'Disabled'){'Disabled'}Else {$POP.CounterSamples[0].CookedValue}
	"EWS" = $EWS.CounterSamples[0].CookedValue
      } | Select-Object Server,"RPC Client Access","Outlook Web App",ActiveSync,IMAP,POP,"Address Book",EWS | FT -Auto
    }
  }
}

if ($ServerRole -like '@{ServerRole=ClientAccess}'){write-host 'Dedicated CAS Server Detected...' -foregroundcolor "magenta"
write-host ""
write-host 'Service Status (Displays Services that are configured for Automatic startup but are in a stopped state):' -foregroundcolor "green"
Get-WmiObject Win32_Service -computername $Server |
Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
# process them; in this example we just show them:
Format-Table -AutoSize @(
    'DisplayName'
    @{ Expression = 'State'; Width = 9 }
    @{ Expression = 'StartMode'; Width = 9 }
    'StartName'
)
write-host "All 'Error' & 'Warning' Application log entries in the most recent 100 entries:" -foregroundcolor "green"

Get-EventLog -Newest 100 -ComputerName $Server -LogName application | where {($_.Entrytype -like 'error') -or ($_.EntryType -like 'warning')} | ft TimeGenerated,EntryType,Source,Message

write-host "All 'Error' & 'Warning' System log entries in the most recent 100 entries:" -foregroundcolor "green"

Get-EventLog -Newest 100 -ComputerName $Server -LogName System | where {($_.Entrytype -like 'error') -or ($_.EntryType -like 'warning')} | ft TimeGenerated,EntryType,Source,Message

write-host 'Active Client Connections:' -foregroundcolor "green"

get-casactiveusers -computername $Server

write-host 'IMAP Connectivity Validation:' -foregroundcolor "green"

If($IMAPEnabled -eq 'False'){Write-Host ""}

If($IMAPEnabled -eq 'True'){Test-ImapConnectivity -ClientAccessServer $Server | fl Result,scenariodescription}Else{'IMAP Service disabled, continuing to next test...'}

If($IMAPEnabled -eq 'False'){Write-Host ""}

write-host 'POP Connectivity Validation:' -foregroundcolor "green"

If($POPEnabled -eq 'False'){Write-Host ""}

If($POPEnabled -eq 'True'){Test-PopConnectivity -ClientAccessServer $Server | fl Result,ScenarioDescription}Else{'POP Service disabled, continuing to next test...'}

If($POPEnabled -eq 'False'){Write-Host ""}

write-host 'Outlook Web Services Connectivity Validation:' -foregroundcolor "green"

Test-OutlookWebServices -ClientAccessServer $Server | ft Type,Message -auto -wrap

write-host 'OWA Validation:' -foregroundcolor "green"

Test-OwaConnectivity -ClientAccessServer $Server | fl Result,URL,AuthenticationMethod,ScenarioDescription

write-host 'Web Services Validation:' -foregroundcolor "green"

Test-WebServicesConnectivity -ClientAccessServer $Server | ft Result,Scenario,ScenarioDescription -auto

}

if ($ServerRole -like '@{ServerRole=HubTransport}'){write-host 'Dedicated Hub Transport Server Detected...' -foregroundcolor "magenta"
write-host ""
write-host 'Service Status (Displays Services that are configured for Automatic startup but are in a stopped state):' -foregroundcolor "green"
Get-WmiObject Win32_Service -computername $Server |
Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
# process them; in this example we just show them:
Format-Table -AutoSize @(
    'DisplayName'
    @{ Expression = 'State'; Width = 9 }
    @{ Expression = 'StartMode'; Width = 9 }
    'StartName'
)
write-host "All 'Error' & 'Warning' Application log entries in the most recent 100 entries:" -foregroundcolor "green"

Get-EventLog -Newest 100 -ComputerName $Server -LogName application | where {($_.Entrytype -like 'error') -or ($_.EntryType -like 'warning')} | ft TimeGenerated,EntryType,Source,Message

write-host "All 'Error' & 'Warning' System log entries in the most recent 100 entries:" -foregroundcolor "green"

Get-EventLog -Newest 100 -ComputerName $Server -LogName System | where {($_.Entrytype -like 'error') -or ($_.EntryType -like 'warning')} | ft TimeGenerated,EntryType,Source,Message

write-host 'SMTP Connectivity Validation:' -foregroundcolor "green"

Test-SmtpConnectivity $Server | FT

write-host 'Transport Queue Status:' -foregroundcolor "green"

get-queue -server $Server | FT

}

if ($ServerRole -like '@{ServerRole=ClientAccess, HubTransport}'){write-host 'CAS\HT Multirole Server Detected...' -foregroundcolor "magenta"
write-host ""
write-host 'Service Status (Displays Services that are configured for Automatic startup but are in a stopped state):' -foregroundcolor "green"
Get-WmiObject Win32_Service -computername $Server |
Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
# process them; in this example we just show them:
Format-Table -AutoSize @(
    'DisplayName'
    @{ Expression = 'State'; Width = 9 }
    @{ Expression = 'StartMode'; Width = 9 }
    'StartName'
)
write-host "All 'Error' & 'Warning' Application log entries in the most recent 100 entries:" -foregroundcolor "green"

Get-EventLog -Newest 100 -ComputerName $Server -LogName application | where {($_.Entrytype -like 'error') -or ($_.EntryType -like 'warning')} | ft TimeGenerated,EntryType,Source,Message

write-host "All 'Error' & 'Warning' System log entries in the most recent 100 entries:" -foregroundcolor "green"

Get-EventLog -Newest 100 -ComputerName $Server -LogName System | where {($_.Entrytype -like 'error') -or ($_.EntryType -like 'warning')} | ft TimeGenerated,EntryType,Source,Message

write-host 'Active Client Connections:' -foregroundcolor "green"

get-casactiveusers -computername $Server

write-host 'IMAP Connectivity Validation:' -foregroundcolor "green"

If($IMAPEnabled -eq 'False'){Write-Host ""}

If($IMAPEnabled -eq 'True'){Test-ImapConnectivity -ClientAccessServer $Server | fl Result,scenariodescription}Else{'IMAP Service disabled, continuing to next test...'}

If($IMAPEnabled -eq 'False'){Write-Host ""}

write-host 'POP Connectivity Validation:' -foregroundcolor "green"

If($POPEnabled -eq 'False'){Write-Host ""}

If($POPEnabled -eq 'True'){Test-PopConnectivity -ClientAccessServer $Server | fl Result,ScenarioDescription}Else{'POP Service disabled, continuing to next test...'}

If($POPEnabled -eq 'False'){Write-Host ""}

write-host 'Outlook Web Services Connectivity Validation:' -foregroundcolor "green"

Test-OutlookWebServices -ClientAccessServer $Server | ft Type,Message -auto -wrap

write-host 'OWA Validation:' -foregroundcolor "green"

Test-OwaConnectivity -ClientAccessServer $Server | fl Result,URL,AuthenticationMethod,ScenarioDescription

write-host 'Web Services Validation:' -foregroundcolor "green"

Test-WebServicesConnectivity -ClientAccessServer $Server | ft Result,Scenario,ScenarioDescription -auto

write-host 'SMTP Connectivity Validation:' -foregroundcolor "green"

Test-SmtpConnectivity $Server | FT

write-host 'Transport Queue Status:' -foregroundcolor "green"

get-queue -server $Server | FT

}

if ($ServerRole -like '@{ServerRole=Mailbox, ClientAccess, HubTransport}'){write-host 'CAS\HT\MB Multirole Server Detected...' -foregroundcolor "magenta"
write-host ""
write-host 'Service Status (Displays Services that are configured for Automatic startup but are in a stopped state):' -foregroundcolor "green"
Get-WmiObject Win32_Service -computername $Server |
Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
# process them; in this example we just show them:
Format-Table -AutoSize @(
    'DisplayName'
    @{ Expression = 'State'; Width = 9 }
    @{ Expression = 'StartMode'; Width = 9 }
    'StartName'
)
write-host "All 'Error' & 'Warning' Application log entries in the most recent 100 entries:" -foregroundcolor "green"

Get-EventLog -Newest 100 -ComputerName $Server -LogName application | where {($_.Entrytype -like 'error') -or ($_.EntryType -like 'warning')} | ft TimeGenerated,EntryType,Source,Message

write-host "All 'Error' & 'Warning' System log entries in the most recent 100 entries:" -foregroundcolor "green"

Get-EventLog -Newest 100 -ComputerName $Server -LogName System | where {($_.Entrytype -like 'error') -or ($_.EntryType -like 'warning')} | ft TimeGenerated,EntryType,Source,Message

write-host 'Active Client Connections:' -foregroundcolor "green"

get-casactiveusers -computername $Server

write-host 'IMAP Connectivity Validation:' -foregroundcolor "green"

If($IMAPEnabled -eq 'False'){Write-Host ""}

If($IMAPEnabled -eq 'True'){Test-ImapConnectivity -ClientAccessServer $Server | fl Result,scenariodescription}Else{'IMAP Service disabled, continuing to next test...'}

If($IMAPEnabled -eq 'False'){Write-Host ""}

write-host 'POP Connectivity Validation:' -foregroundcolor "green"

If($POPEnabled -eq 'False'){Write-Host ""}

If($POPEnabled -eq 'True'){Test-PopConnectivity -ClientAccessServer $Server | fl Result,ScenarioDescription}Else{'POP Service disabled, continuing to next test...'}

If($POPEnabled -eq 'False'){Write-Host ""}

write-host 'Outlook Web Services Connectivity Validation:' -foregroundcolor "green"

Test-OutlookWebServices -ClientAccessServer $Server | ft Type,Message -auto -wrap

write-host 'OWA Validation:' -foregroundcolor "green"

Test-OwaConnectivity -ClientAccessServer $Server | fl Result,URL,AuthenticationMethod,ScenarioDescription

write-host 'Web Services Validation:' -foregroundcolor "green"

Test-WebServicesConnectivity -ClientAccessServer $Server | ft Result,Scenario,ScenarioDescription -auto

write-host 'SMTP Connectivity Validation:' -foregroundcolor "green"

Test-SmtpConnectivity $Server | FT

write-host 'Transport Queue Status:' -foregroundcolor "green"

get-queue -server $Server | FT

write-host 'DAG Node Status:' -foregroundcolor "green"

test-replicationhealth $Server | ft

write-host 'Database Status:' -foregroundcolor "green"

get-mailboxdatabasecopystatus -server $Server |select Identity,Status,ActiveDatabaseCopy,ContentIndexState,CopyQueueLength,ReplayQueueLength | sort Identity | ft

write-host 'MAPI Connectivity Validation:' -foregroundcolor "green"

Test-MAPIConnectivity -Server $Server | FT

write-host 'Mailflow Validation:' -foregroundcolor "green"

Test-mailflow -Identity $Server | FT TestMailflowResult,MessageLatencyTime

}

if ($ServerRole -like '@{ServerRole=Mailbox}'){write-host 'Dedicated Mailbox Server Detected...' -foregroundcolor "magenta"
write-host ""
write-host 'Service Status (Displays Services that are configured for Automatic startup but are in a stopped state):' -foregroundcolor "green"
Get-WmiObject Win32_Service -computername $Server |
Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
# process them; in this example we just show them:
Format-Table -AutoSize @(
    'DisplayName'
    @{ Expression = 'State'; Width = 9 }
    @{ Expression = 'StartMode'; Width = 9 }
    'StartName'
)
write-host "All 'Error' & 'Warning' Application log entries in the most recent 100 entries:" -foregroundcolor "green"

Get-EventLog -Newest 100 -ComputerName $Server -LogName application | where {($_.Entrytype -like 'error') -or ($_.EntryType -like 'warning')} | ft TimeGenerated,EntryType,Source,Message

write-host "All 'Error' & 'Warning' System log entries in the most recent 100 entries:" -foregroundcolor "green"

Get-EventLog -Newest 100 -ComputerName $Server -LogName System | where {($_.Entrytype -like 'error') -or ($_.EntryType -like 'warning')} | ft TimeGenerated,EntryType,Source,Message

write-host 'DAG Node Status:' -foregroundcolor "green"

test-replicationhealth $Server | ft

write-host 'Database Status:' -foregroundcolor "green"

get-mailboxdatabasecopystatus -server $Server |select Identity,Status,ActiveDatabaseCopy,ContentIndexState,CopyQueueLength,ReplayQueueLength | sort Identity | ft

write-host 'MAPI Connectivity Validation:' -foregroundcolor "green"

Test-MAPIConnectivity -Server $Server | FT

write-host 'Mailflow Validation:' -foregroundcolor "green"

Test-mailflow -Identity $Server | FT TestMailflowResult,MessageLatencyTime

}

if ($ServerRole -like '*EDGE*'){write-host 'Edge Server Detected...' -foregroundcolor "magenta"
write-host ""
write-host 'Service Status (Displays Services that are configured for Automatic startup but are in a stopped state):' -foregroundcolor "green"
Get-WmiObject Win32_Service -computername $Server |
Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
# process them; in this example we just show them:
Format-Table -AutoSize @(
    'DisplayName'
    @{ Expression = 'State'; Width = 9 }
    @{ Expression = 'StartMode'; Width = 9 }
    'StartName'
)
write-host "All 'Error' & 'Warning' Application log entries in the most recent 100 entries:" -foregroundcolor "green"

Get-EventLog -Newest 100 -ComputerName $Server -LogName application | where {($_.Entrytype -like 'error') -or ($_.EntryType -like 'warning')} | ft TimeGenerated,EntryType,Source,Message

write-host "All 'Error' & 'Warning' System log entries in the most recent 100 entries:" -foregroundcolor "green"

Get-EventLog -Newest 100 -ComputerName $Server -LogName System | where {($_.Entrytype -like 'error') -or ($_.EntryType -like 'warning')} | ft TimeGenerated,EntryType,Source,Message

write-host 'Transport Queue Status:' -foregroundcolor "green"

get-queue -server $Server | FT

}

stop-transcript

#$Body = Get-Content -Path C:\ESHC.txt | Out-String

    write-host ""
write-host "Would you like to send this report to the $SMTPRecipient address?" -foregroundcolor "yellow"
    write-host ""
    write-host "Y - Yes" -foregroundcolor "yellow"
    write-host "N - No" -foregroundcolor "red"
    write-host "" 
    write-host -nonewline "Type your choice and press Enter:" -foregroundcolor "yellow"
    $SendMail = read-host
    write-host ""
    $ok = @("Y","N","X") -contains $SendMail
    if ( -not $ok) { write-host "Invalid selection" }

if($SendMAil -eq 'Y'){send-mailmessage -From:$SMTPSender -To:$SMTPRecipient -SMTPServer:$SMTPServer -Subject:$Server' - Post-change Report' -attach $TranscriptPath -Body:"Server report"
write-host 'Report complete, returning to the command prompt...' -foregroundcolor "yellow"}
if($SendMail -eq 'N'){write-host 'Report complete, returning to the command prompt...' -foregroundcolor "yellow"}
    write-host ""

If for some reason the text above doesn’t work, you can download the file here (rename .txt to .ps1)

Exchange Management Tools (Exchange 2010)

Out of the box, Exchange 2010 comes with two primary tools for managing your environment – the Exchange Management Console (EMC) and the Exchange Management Shell (EMS). With just these two tools a good admin can do almost anything management asks of them 😉

The Exchange 2010 Management Console (EMC)
The Exchange Management Console (EMC). Thick management tool installs 4 life!

The EMC is the GUI tool, which is great to get a quick idea of how a server is configured, how many Transport Rules you have, or do anything that only has to be done a handful of times.

The EMS on the other hand, is great for when you need to pull information from dozens, hundreds, or thousands of items. Imaging if someone asked you who has the largest mailbox in the environment. You could click through thousands of mailboxes in the EMC, or just run a quick cmdlet in the EMS and let PowerShell do the heavy lifting. The EMS also allows you to run more complex scripts that will make your life a lot easier.

The Exchange Management Shell (EMS)
The Exchange Management Shell (EMS). I know consoles can be intimidating but in the right hands, the EMS can get you anything you want.

With these two Exchange management tools, any Exchange admin can rule the world (of Exchange)!

Exchange 2010 Deleted Mailbox Not Showing in Disconnected Mailbox View (Clean-MailboxDatabase)

Earlier today I ran into an issue where an Exchange 2010 deleted mailbox wasn’t showing in the Disconnected Mailbox view of the EMC as expected.

No disconnected mailbox in this screenshot...
Exchange 2010 EMC, where’s my missing mailbox?

Knowing that sometimes the EMC doesn’t quite reflect current reality, I decided to run the following in the EMS to see what I could find:

Get-MailboxDatabase | get-mailboxstatistics | where {$_.disconnectreason -ne $null} | ft database,displayname,disc*

The results of the above PowerShell command were basically the same – a mailbox I had just disabled was nowhere to be found! After a few more minutes in the EMS, I was able to identify that the mailbox did still exist within the database (whew!), it just hadn’t fully be flagged as disconnected. Knowing that things like this usually occur because a maintenance task hadn’t been completed, I hit the trusty Google machine and found Peter Schmidt’s post on this exact issue. Running Clean-MailboxDatabase against the relevant DB made my “missing” mailbox appear as disconnected and within two minutes we were back up in running.

Or so we thought. Emails sent to the recently-attached mailbox were promptly responded to with NDRs, the content of such read something like this:

#554-5.2.1 mailbox disabled 554 5.2.1 STOREDRV.Deliver.Exception:AccountDisabledException.MapiExceptionMailboxDisabled; Failed to process message due to a permanent exception with message Cannot open mailbox

Fortunately the fix for this issue was to re-run Clean-MailboxDatabase again to freshen things up.