
ScanIt is an easy-to-use reporting tool that helps Exchange administrators monitor the size and growth of Microsoft Exchange mailboxes.



ScanIt is fully compatible with Exchange 2010, Exchange 2013, and Office 365.

Access to Exchange Server(s)

You need to have full access to at least one CAS server. This means that you must be able to connect with Outlook to the CAS server from the workstation where the tool is installed. DNS resolution must exist for the CAS server URL. Firewall exceptions must be properly configured.

Remote PowerShell

PowerShell 2.0 or higher is required. If the tool is not installed on an Exchange server, the workstation must have full access to the Exchange CAS server via Remote PowerShell. Newer Microsoft Windows© operating systems come pre-installed with PowerShell 2.0.

.NET Framework

.NET Framework v4 or higher is required.


If you want to use Kerberos authentication, or if the server requires such authentication, then the workstation on which the tool is installed must be part of the domain of the Exchange Server(s). If it is not part of the same domain, then you won't be able to use Kerberos, and the workstation and the server must be configured to allow Basic authentication (see below).

Use of SSL communication is mandatory with Kerberos.

Configuring the Workstation

When the Workstation is in the Same Domain as the Exchange Server(s)

No special configuration is required if you are able to access the CAS server with an Outlook client. However, ScanIt uses some protocols that may be blocked by some firewall configurations.

When the Workstation is a Standalone Workstation

You will need to perform the following steps:

1. The user account that will be used for admin access must have Remote Exchange Management enabled. Open the Exchange Management Shell (EMS) and run the following command:

Set-User David -RemotePowerShellEnabled $True

Please refer to this article for more information:


2. A PowerShell script needs to be run on the workstation, so the following command must be run in PowerShell to allow this:

Set-ExecutionPolicy Unrestricted

The Set-ExecutionPolicy cmdlet enables you to determine which Windows PowerShell scripts (if any) will be allowed to run on your computer. Since our scripts are not signed, you have to set the policy to "Unrestricted". More information available here:

The following scripts use the Web Services for Management (WSMan) provider for Windows PowerShell, which lets you add, change, clear, and delete WS-Management configuration data on local or remote computers. The WSMan provider exposes a Windows PowerShell drive with a directory structure that corresponds to a logical grouping of WS-Management configuration settings. More information available here:


3. While still in PowerShell on the workstation, change the working folder to C:\Program Files (x86)\Messaging Architects\Detach Report Tool\. Then run the SetClientAccess.ps1 script, passing as an argument the Exchange CAS server IP address or DNS name. You can optionally set all hosts as Trusted, by passing '*' as an argument to the script. For example:


The script does the following:

Set-Item -force WSMan:\localhost\Client\AllowUnencrypted $true

This allows the client computer to request unencrypted traffic. By default, the client computer requires encrypted network traffic.

Set-Item WSMan:\localhost\Client\TrustedHosts -value "$ip" -force

Adds the remote Exchange CAS server(s) that can connect to the local computer through a trusted network connection. Requests are allowed to be sent to computers specified in this list when using an authentication scheme and transport that does not allow the client to authenticate the service, such as Basic authentication over HTTP.


4. On the Exchange CAS server(s) where Remote Management is enabled, run the Set-ExecutionPolicy Unrestricted PowerShell command again, copy the SetServerAccess.ps1 script over locally, and run the following:


The script does the following:

Set-Item -force WSMan:\localhost\Service\AllowUnencrypted $true

See above.

Set-Item WSMan:\localhost\Service\Auth\Basic -value $true -force

Allows the client computer to use Basic authentication. Basic authentication is a scheme in which the user name and password are sent in clear text to the server or proxy. This method is the least secure method of authentication.


After running these scripts and generating the report, you can revert the state of your PowerShell environments by re-running each command with the opposite value ($false instead of $true).
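
The revert step above, as an added example (not part of the ScanIt scripts or the Netmail documentation): TrustedHosts holds a string rather than a boolean, so this script saves the four WS-Management values before the ScanIt scripts run and restores them afterwards. The Save/Restore/Audit modes and the snapshot path are assumptions; only cmdlets available in PowerShell 2.0 are used.

```powershell
# Added example, not part of the ScanIt scripts. Run elevated, on the workstation
# and again on the CAS server. $SnapshotPath is an assumed location.
param(
    [ValidateSet('Save', 'Restore', 'Audit')]
    [string]$Mode = 'Audit',
    [string]$SnapshotPath = "$env:ProgramData\wsman-before-scanit.xml"
)

# The WS-Management settings that SetClientAccess.ps1 and SetServerAccess.ps1 change.
$paths = 'WSMan:\localhost\Client\AllowUnencrypted',
         'WSMan:\localhost\Client\TrustedHosts',
         'WSMan:\localhost\Service\AllowUnencrypted',
         'WSMan:\localhost\Service\Auth\Basic'

function Get-WsmanState {
    foreach ($p in $paths) {
        $value = [string](Get-Item -Path $p).Value
        # Weakened state: a boolean switched on, or any entry in TrustedHosts.
        if ($p -like '*TrustedHosts') { $weak = $value -ne '' }
        else                          { $weak = $value -eq 'true' }
        New-Object PSObject -Property @{ Path = $p; Value = $value; Weakened = $weak }
    }
}

switch ($Mode) {
    'Save' {
        # Take this snapshot BEFORE running the ScanIt scripts.
        Get-WsmanState | Export-Clixml -Path $SnapshotPath
    }
    'Restore' {
        foreach ($s in Import-Clixml -Path $SnapshotPath) {
            if ($s.Path -like '*TrustedHosts') {
                # A string list: put back the previous text rather than a boolean.
                Set-Item -Path $s.Path -Value $s.Value -Force
            } else {
                Set-Item -Path $s.Path -Value ([System.Convert]::ToBoolean($s.Value)) -Force
            }
        }
        Get-WsmanState   # show the result so the revert can be confirmed
    }
    'Audit' {
        # Lists only the settings still in a weakened state; empty output means none.
        Get-WsmanState | Where-Object { $_.Weakened }
    }
}
```

Settings enforced by Group Policy cannot be changed through the WSMan: drive, so a Restore on such a machine reports an error for those entries.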

Configuring the Exchange Server

Configuring EWS Access URLs

In some cases, you may need to define the URLs through which the EWS will be accessed. To do this, go to the IIS management on the Exchange Server(s), under Default Web Site click the EWS node, then double-click Request Filtering. Go to the URL tab, and on the right, click Allow URL. Enter the URLs through which you will invoke the service (e.g., or

Impersonation and Remote PowerShell Access

In order to allow access to all mailboxes from a single account, you must enable impersonation for the Admin user. Open an Exchange Management Shell command prompt, and type the following command:

New-ManagementRoleAssignment -Name AdminImpersonation -Role applicationImpersonation -User <>

Where <> is the actual email address of the account you want to use for impersonation.

Remember the -Name value, as you will need it to remove impersonation permissions. You also need to enable remote PowerShell access for the same user with the following command:

Set-User <administrator> -RemotePowerShellEnabled $True
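
Removing the access granted above once reporting is finished, as an added example (not from the Netmail documentation): it removes the role assignment by the -Name value used on this page, optionally turns Remote PowerShell back off, and lists who can still impersonate mailboxes. Remove-ScanItAccess is a hypothetical helper name; run it in the Exchange Management Shell.

```powershell
# Added example for the Exchange Management Shell; Remove-ScanItAccess is a hypothetical helper name.
function Remove-ScanItAccess {
    param(
        [string]$AssignmentName = 'AdminImpersonation',  # the -Name value used on this page
        [string]$User,                                   # account that was given Remote PowerShell access
        [switch]$DisableRemotePowerShell                 # leave off if the account still administers Exchange remotely
    )

    # Remove the impersonation assignment only if it is still present.
    $assignment = Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue
    if ($assignment) {
        Remove-ManagementRoleAssignment -Identity $AssignmentName -Confirm:$false
    } else {
        Write-Warning "No role assignment named '$AssignmentName' was found."
    }

    if ($User -and $DisableRemotePowerShell) {
        Set-User -Identity $User -RemotePowerShellEnabled $false
    }

    # Everyone who can still impersonate mailboxes after the cleanup.
    Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
        Select-Object Name, RoleAssigneeName, EffectiveUserName
}

# Constructed usage; replace the placeholder with the account used for ScanIt.
# Remove-ScanItAccess -User '<administrator>' -DisableRemotePowerShell
```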


Using ScanIt

The following screen capture shows the ScanIt interface:

Before running the report for the first time, complete the fields listed below. The content of the fields will be preserved for subsequent uses of ScanIt.

  • Exchange IP/DNS: Enter the IP address or DNS name of an Exchange server with a CAS role. The URL entered must be configured for Remote EWS Management, as described above.
  • Admin User ID: Enter the administrator's user ID. Both domain\user and user@domain formats are acceptable. This user must have Remote PowerShell access, as described above, and also must have admin rights to the Exchange system.
  • Admin Password: Enter the corresponding Admin User password.
  • Impersonation User ID and Impersonation Password: These are the user credentials for the user configured to have full system mailbox access, as described in Impersonation and Remote PowerShell Access above.
  • Exchange Online: Select this option if you are using Office 365.
  • Use Kerberos: This option is dependent on your system configuration and can only be used if the workstation where ScanIt is run is in the same domain as the Exchange forest.
  • Use Autodiscover: This option forces the tool to look up the correct URL for each user over MAPI and DNS, but it can slow down report generation time. However, you must select this option if there are mailboxes on different Exchange servers.
  • Use SSL: This option is dependent on the configuration of the IIS and PowerShell on the target, and it must be selected if Kerberos is used.
  • The User Manual link opens this document.
  • Filter Mailboxes: This option allows you to display results only for mailboxes above a given size or for the first x percent of mailboxes (ordered by total mailbox size).
  • The File menu allows you to open an old report file or quit the program.
  • The configuration settings will be remembered when you close ScanIt and will be loaded automatically the next time you start the tool.
  • Click Run report to start the collection of the statistics. The yellow text box will display the last log events.

Note: Establishing the connection to Remote PowerShell and Exchange can take some time.

  • The log file will be saved under the installation folder's Logs subfolder.
  • When the report is ready, ScanIt will attempt to open it in your default browser. If it fails, you can open the report from the Reports subfolder.

Important: Do not delete any subfolders from the Reports folder.

Reading the Report

Once reports are generated, they can always be viewed here: C:\Program Files (x86)\Messaging Architects\Detach Report Tool\Reports\

Depending on your browser and settings, you may need to enable ActiveX controls to view the report.

Interpreting the Report

The following screen capture shows an example of the report generated by ScanIt:

Top Section

The top section of the report provides the global picture of your email system.

On the left-hand side, the total sizes for all messages and attachments, as well as their percentages of storage use, are displayed.

On the right-hand side, a breakdown of the total storage also provides the average attachment size, number of mailboxes that were scanned, and the total number of messages, attachments, and attached messages that were found.

Mailbox List Selector

Just below the top section, simple buttons allow you to select mailboxes from which to display details.

It is also possible to search through all the scanned mailboxes to view the particular stats for any one of them by using the Search feature.

Mailbox List

For any mailbox you select, the mailbox information shown includes the name of the user and the number of folders, attachments, messages, and attached messages. The total amount of storage taken up by the mailbox and a breakdown of the number of messages and attachments are provided on the right-hand side.

Note the sorting options at the top of the list of mailboxes. You can re-order the display according to any of the following parameters:

  • User
  • Email address
  • Size of messages
  • Size of attachments
  • Total size taken up by the mailbox