So came across an account that had 450000 items that were log files that were being captured in a mailbox. I wanted to delete all the enteries with powershell instead of going through the GUI.
Here the command I used to get it done:
|
1 |
Search-mailbox -Identity user@domain.com -DeleteContent -Force |
With Office365 you can have profile pictures, and this setting is enabled by default. In larger organizations you may not want this policy enabled or have a customized policy for different departments. Here’s what I had to do to disable the picture upload capability by default and use powershell to update it for individuals by using a customized policy.
Let’s get started.
Connect to Office365 from Powershell:
|
1 2 3 4 5 |
Import-Module MSOnline $O365Cred = Get-Credential $O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection Import-PSSession $O365Session Connect-MsolService –Credential $O365Cred |
Check if you have any existing policies that allow photos to be enabled and displayed:
|
1 2 |
#Check which the default policy regarding the photo Get-OWAMailboxPolicy | FL *Photo* |
Result:
Let’s create a new policy:
|
1 2 |
#Create a New OWA Policy New-OWAMailboxPolicy –Name OWAUsersPicPolicy |
Check the setting for the newly created policy:
|
1 2 |
#Check the setting for the newly created Policy Get-OWAMailboxPolicy OWAUsersPicPolicy | FL *Photo* |
Result:
We need to make sure that users using this new policy are the only one that can upload their picture via the Office365 Portal.
|
1 2 |
#Set the Policy setting to have photo changing feature enabled Set-OwaMailboxPolicy OWAUsersPicPolicy -SetPhotoEnabled $True |
Set the default policy to restrict the capability to upload pictures:
|
1 2 |
#Set the default OWA policy to not allow profile pics Set-OwaMailboxPolicy Owamailboxpolicy-default -SetPhotoEnabled $False |
Check for how many policies you have now:
|
1 2 |
#Get OWA Policies (Should see two policies now) Get-OWAMailboxPolicy | FL Name |
Result:
Assign the new policy to admins:
|
1 2 |
#Assigning the newly created picture policy to the admins in the organization. Set-CASMailbox -Identity "adminemail@domain.com -OwaMailboxPolicy OWAUsersPicPolicy |
Normally you would never need this but still depending on your requirements if you wanted to apply the new policy (just change the policy name from the one list to the new one you created) or revert everything back to the default policy:
|
1 2 |
#Assign all users in the organization the default policy (Normally you will not have to do this) Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -OWAMailboxPolicy Owamailboxpolicy-default |
Check the policy against users to see what they are using:
|
1 2 |
#Check the policy against one of the users Get-CASMailbox -Identity user@domain.com | FL *OWA* |
You are done.
Now each user with the new policy will be able to upload their profile pics and users with the default policy will not be able to upload their pictures.
I have used 96×96 based on the MSDN forum in the past but noticed a lot of pixelation in the contact cards. I was able to get 280 x 280 resolution to get a nice resolution profile pic.
So we download a lot of .ISO file from various sources. I needed to install Windows 10 x64 Pro and was having trouble identifying which was which from the different versions I had been testing. This was important to me because I needed to know if it was Retail, VL, or MSDN. This should work for Vista and up, basically any windows that has WIM files within.
First you will need to mount the ISO file to a computer so you can browse it. Then open up a command prompt as administrator and run the following command.
|
1 |
dism /Get-WimInfo /WimFile:I:\sources\install.wim /index:1 |
(I is the drive letter for the mounted ISO file)
Here is an example of the output from the command for a Windows 10 Pro ISO.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 |
Microsoft Windows [Version 10.0.10240] (c) 2015 Microsoft Corporation. All rights reserved. C:\Windows\system32>dism /Get-WimInfo /WimFile:I:\x64\sources\install.wim /index:1 Deployment Image Servicing and Management tool Version: 10.0.10240.16384 Details for image : I:\x64\sources\install.wim Index : 1 Name : Windows 10 Pro Description : Windows 10 Pro Size : 13,880,679,832 bytes WIM Bootable : No Architecture : x64 Hal : acpiapic Version : 10.0.10240 ServicePack Build : 16384 ServicePack Level : 0 Edition : Professional Installation : Client ProductType : WinNT ProductSuite : Terminal Server System Root : WINDOWS Directories : 19767 Files : 101280 Created : 9/10/2015 - 12:35:28 AM Modified : 10/18/2015 - 8:16:08 PM Languages : en-US (Default) The operation completed successfully. |
By default the setting is set to <not set> meaning it is disabled.
I strongly recommend against this. Many applications communicate with directory services through LDAP, but the LDAP Request for Comments (RFC) specification stipulates that an LDAP bind should support the passing of a credential. Connecting anonymously really shouldn’t be needed. You may have many Unix-style applications that currently use an anonymous LDAP bind to other directory services, but there’s a good chance that they do actually support binding through a credential, making anonymous binding unnecessary.
Where possible, if anonymous binds are required, create a separate AD LDS instance that allows the anonymous connection and has the subset of information that’s required by the application.
If you have to enable anonymous binds, you can do so.
Anything that NT AUTHORITY\ANONYMOUS LOGON or Everyone has rights to can now be read through an anonymous bind.
If there were only two domain controllers, we could simply demote one with DCPROMO. If the domain controller to be demoted held the FSMO roles, the demotion process would transfer the roles to the other domain controller.
If there were more than one domain controller, we could transfer the roles with various graphic interfaces…
1. Connect to ADUC, right-click on the domain and select “Operations Masters” in the menu:
2. Attempt to change the Operations Master and observe the error message:
If we happen to be connected to the current role holder, we must first target the domain controller to which the roles will be transferred.
3. This time, select “Change Domain Controller”:
4. Connect to the domain controller to which you intend to transfer the roles:
5. Now go back to the menu (as illustrated above) and select “Operations Masters”.
6. We’ll use the RID Master as an example below. Note that the other domain controller is now the “target” as opposed to the same domain controller. Click on “Change” and confirm. Repeat the same operations for the PDCe and the Infrastructure Master.
8. For the Schema Master, we need to register a .dll file and then create add “Active Directory Schema to a Microsoft Management Console (mmc). We then would proceed as we did for the other roles above.
Note: there should be a confirmation message (which can be closed – not shown above) indicating that the registration was successful. I’ll assume the reader knows how to add “snap-ins” to a MMC. If not, please search for instructions online.
We can confirm the new owner (or “holder”) of the roles in the graphic interfaces themselves or use the concise “netdom query fsmo” command
BEFOREPS C:\> netdom query fsmo
Schema master DC-001.machlinkit.biz
Domain naming master DC-001.machlinkit.biz
PDC DC-001.machlinkit.biz
RID pool manager DC-001.machlinkit.biz
Infrastructure master DC-001.machlinkit.biz
AFTER
PS C:\> netdom query fsmo
Schema master DC-004.machlinkit.biz
Domain naming master DC-004.machlinkit.biz
PDC DC-004.machlinkit.biz
RID pool manager DC-004.machlinkit.biz
Infrastructure master DC-004.machlinkit.biz
Of course, this command could also be used to confirm successful transfers after using the command line to move the roles from one domain controller to another.
We can transfer the roles at the command line using ndtsutil as shown below.
But first some notes:
Since Windows Server 2008, we must activate an “instance” of ntds with the command…
activate instance ntds
This was not necessary with Windows 2003.
Second, the syntax for the Domain Naming master has changed.
With Windows 2003, we would enter:
transfer domain naming master
Since Windows 2008, we must enter
transfer naming master
Having clarified those points, let’s enter the sequence of commands that transfers the roles (I will double space for readability – the text in bold represents the commands to enter):
PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to “ntds”.
C:\Windows\system32\ntdsutil.exe: roles
fsmo maintenance: connections
server connections: connect to server DC-004
Binding to DC-004 …
Connected to DC-004 using credentials of locally logged on user.
server connections: quit
Note: at this point, depending on the role we want to transfer, we enter all or any of the following:
fsmo maintenance: transfer schema master
fsmo maintenance: transfer naming master
fsmo maintenance: transfer rid master
fsmo maintenance: transfer pdc
fsmo maintenance: transfer infrastructure master
fsmo maintenance: transfer schema masterServer “DC-004” knows about 5 roles
Schema – CN=NTDS Settings,CN=DC-004,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz
Naming Master – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz
PDC – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz
RID – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz
Infrastructure – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz
In this case, we can see (if we look carefully) that DC-004 is now the Schema Master but DC-001 still holds the other operations roles.
Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole
PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster
Or the number that represent the roles:
So if we wanted to transfer all the roles to domain controller DC-001, we would enter this:
PS C:\>Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole 0,1,2,3,4
Despite the rather long cmdlet (of which we only need to type the first 8 letters or so, and then tab), the rest of the complete command can be rather concise if we use (and know) the numbers.
This cmdlet works quite nicely as we can see here.
At first, DC-004 holds the roles:
PS C:\> netdom query fsmo
Schema master DC-004.machlinkit.biz
Domain naming master DC-004.machlinkit.biz
PDC DC-004.machlinkit.biz
RID pool manager DC-004.machlinkit.biz
Infrastructure master DC-004.machlinkit.biz
We transfer them to DC-001…
PS C:\> Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole 0,1,2,3,4
Move Operation Master Role
Do you want to move role ‘PDCEmulator’ to server ‘DC-001.machlinkit.biz’ ?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “Y”): A
We confirm the transfers with…
PS C:\> netdom query fsmo
Schema master DC-001.machlinkit.biz
Domain naming master DC-001.machlinkit.biz
PDC DC-001.machlinkit.biz
RID pool manager DC-001.machlinkit.biz
Infrastructure master DC-001.machlinkit.biz
Lastly, if we only have two domain controllers or have no preference for the new/future FSMO holder, we can demote the current holder and the roles will be transferred to another domain controller automatically. I will not detail the demotion of a domain controller here but this is what netdom query fsmo shows after the process:
PS C:\> netdom query fsmo
Schema master DC-004.machlinkit.biz
Domain naming master DC-004.machlinkit.biz
PDC DC-004.machlinkit.biz
RID pool manager DC-004.machlinkit.biz
Infrastructure master DC-004.machlinkit.biz
So after demoting DC-001, the FSMO roles are automatically transferred to DC-004. No manual intervention was necessary.
Came across an interesting issue today where I was unable to remove the printer drivers. I got the message that the printer is in use and therefore cannot delete the drivers.
Here’s what I did to get the printer:
I have able to remove the corrupted drivers and then install the new drivers successfully.
