January 2016

Deleting contents of a mailbox

I came across an account holding about 450,000 items: log files that were being captured in a mailbox. I wanted to delete all of the entries with PowerShell instead of going through the GUI.

Here is the command I used to get it done:
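As an added example (not the command from the original post), this is how the purge can be done from an Exchange Management Shell or Exchange Online remote PowerShell session with Search-Mailbox. The mailbox and admin addresses are placeholders, and the account running it must hold the "Mailbox Import Export" management role.

```powershell
# Added example, not the original post's command. Assumes an Exchange
# Management Shell / Exchange Online remote PowerShell session and that the
# account running it holds the "Mailbox Import Export" management role.
# Mailbox and admin addresses below are placeholders.
$Mailbox = 'logcapture@contoso.com'
$Admin   = 'admin@contoso.com'

# 1. Dry run: -LogOnly writes a report of what the query matches into the
#    target mailbox instead of deleting anything. Check the count first.
Search-Mailbox -Identity $Mailbox -SearchQuery 'kind:email' `
    -LogOnly -LogLevel Full `
    -TargetMailbox $Admin -TargetFolder 'SearchLogs'

# 2. Hard-delete. -DeleteContent skips Deleted Items entirely and -Force
#    suppresses the confirmation prompt, so keep the query as narrow as
#    the data allows (sender and date range) rather than matching everything.
Search-Mailbox -Identity $Mailbox `
    -SearchQuery 'from:"logger@contoso.com" AND received<=2016-01-01' `
    -DeleteContent -Force

# 3. Verify what is left in the folder that held the log files.
Get-MailboxFolderStatistics -Identity $Mailbox |
    Where-Object { $_.FolderPath -eq '/Inbox' } |
    Select-Object Name, ItemsInFolder, FolderSize
```

Search-Mailbox processes at most 10,000 items per mailbox per run, so for a 450,000-item mailbox the delete has to be repeated until the folder statistics show zero. A mailbox on Litigation or In-Place Hold will not lose the items. In Exchange Online the cmdlet has since been retired in favour of New-ComplianceSearch / New-ComplianceSearchAction -Purge, which purges only 10 items per mailbox per action and is intended for targeted removal rather than bulk cleanup.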

 

Creating a Picture Policy to use with Office365

With Office365 you can have profile pictures, and this setting is enabled by default. In larger organizations you may not want this enabled for everyone, or you may want a customized policy for different departments. Here’s what I had to do to disable the picture upload capability by default and then use PowerShell to assign a customized policy to individual users.

Let’s get started.

Connect to Office365 from Powershell:

Check if you have any existing policies that allow photos to be enabled and displayed:

Result: (screenshot)

Let’s create a new policy:

Check the setting for the newly created policy:

Result: (screenshot)

We need to make sure that users assigned this new policy are the only ones who can upload their picture via the Office365 portal.

Set the default policy to restrict the capability to upload pictures:

Check for how many policies you have now:

Result: (screenshot)

Assign the new policy to admins:

Normally you would never need this, but depending on your requirements you may want to apply the new policy to a user (just change the policy name from the one listed to the new one you created) or revert everything back to the default policy:

Check the policy against users to see what they are using:


You are done.

Now each user with the new policy will be able to upload their profile pics and users with the default policy will not be able to upload their pictures.
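As an added example (not the commands from the original post), the whole procedure in one script. It assumes the picture upload control is the SetPhotoEnabled setting of an Exchange Online OWA mailbox policy, and that you connect with the basic-auth remote PowerShell endpoint in use in 2016; the policy name and user addresses are placeholders.

```powershell
# Added example, not the original post's commands. Assumes that the picture
# upload switch is SetPhotoEnabled on an Exchange Online OWA mailbox policy
# and that the session is opened as it was in 2016 (newer tenants use
# Connect-ExchangeOnline from the ExchangeOnlineManagement module instead).
# Policy name and user addresses are placeholders.
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking | Out-Null

# Existing policies and whether they allow photo upload
Get-OwaMailboxPolicy | Format-Table Name, IsDefault, SetPhotoEnabled -AutoSize

# New policy for the people who are allowed to upload (explicitly enable it
# rather than relying on the inherited default)
New-OwaMailboxPolicy -Name 'PhotoUploadAllowed' | Out-Null
Set-OwaMailboxPolicy -Identity 'PhotoUploadAllowed' -SetPhotoEnabled $true

# Lock the tenant default so everyone else cannot upload
Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -SetPhotoEnabled $false

# Assign the permissive policy to the admins
$Admins = @('admin1@contoso.com', 'admin2@contoso.com')
foreach ($u in $Admins) {
    Set-CASMailbox -Identity $u -OwaMailboxPolicy 'PhotoUploadAllowed'
}

# Revert a single user to the default policy if needed:
# Set-CASMailbox -Identity 'admin1@contoso.com' -OwaMailboxPolicy 'OwaMailboxPolicy-Default'

# Audit: who is on which policy (a blank OwaMailboxPolicy means the default)
Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name, OwaMailboxPolicy |
    Sort-Object OwaMailboxPolicy, Name

Remove-PSSession $Session
```

SetPhotoEnabled only blocks self-service upload through OWA and the portal; an administrator with the right role can still set or remove any user's photo with Set-UserPhoto, so the audit above is about who can change their own picture, not about who has one.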

Picture dimensions:

I had used 96×96 in the past, based on an MSDN forum post, but noticed a lot of pixelation in the contact cards. Uploading a 280×280 picture gave a clean, well-resolved profile picture.

Find out Windows version from an ISO file

We download a lot of .ISO files from various sources. I needed to install Windows 10 x64 Pro and was having trouble identifying which was which among the different versions I had been testing. This was important to me because I needed to know whether an image was Retail, VL, or MSDN. This should work for Vista and up, basically any Windows media that carries WIM files.

First you will need to mount the ISO file on a computer so you can browse it. Then open a command prompt as administrator and run the following command.

(I: is the drive letter of the mounted ISO file)
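As an added example (not the post's own command or output), here is the DISM inspection wrapped in PowerShell so it mounts the image, handles media that ships install.esd instead of install.wim, and reads the one file that actually records the Retail/Volume channel. The ISO path is a placeholder, and the DISM PowerShell module (Windows 8 / Server 2012 and later) is assumed.

```powershell
# Added example, not the original post's command. Assumes the ISO is at the
# placeholder path below and that the DISM PowerShell module is available
# (Windows 8 / Server 2012 and later). Run from an elevated prompt.
$IsoPath = 'C:\ISO\Win10_Pro_x64.iso'

$null  = Mount-DiskImage -ImagePath $IsoPath
$Drive = (Get-DiskImage -ImagePath $IsoPath | Get-Volume).DriveLetter + ':'

try {
    # Newer media ships install.esd instead of install.wim; both are handled.
    $Image = Get-ChildItem "$Drive\sources\install.wim", "$Drive\sources\install.esd" `
                 -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $Image) { throw "No install.wim/install.esd under $Drive\sources" }

    # List every edition in the image. Command-prompt equivalent:
    #   dism /Get-WimInfo /WimFile:I:\sources\install.wim
    Get-WindowsImage -ImagePath $Image.FullName |
        Format-Table ImageIndex, ImageName, ImageSize -AutoSize

    # Per-index detail: architecture, build, edition id, installation type.
    # Equivalent: dism /Get-WimInfo /WimFile:I:\sources\install.wim /Index:N
    foreach ($idx in (Get-WindowsImage -ImagePath $Image.FullName).ImageIndex) {
        Get-WindowsImage -ImagePath $Image.FullName -Index $idx |
            Select-Object ImageIndex, ImageName, Architecture, Version,
                          EditionId, InstallationType, Languages
    }

    # Retail vs volume licence is a property of the media, not of the WIM:
    # when sources\ei.cfg exists, its [Channel] section says Retail or Volume.
    $EiCfg = "$Drive\sources\ei.cfg"
    if (Test-Path $EiCfg) { Get-Content $EiCfg } else { 'No ei.cfg (multi-edition media)' }
}
finally {
    Dismount-DiskImage -ImagePath $IsoPath
}
```

The WIM header tells you edition, build and architecture; it does not say where the media came from. MSDN and retail downloads of the same build carry identical images, so the channel question is answered by ei.cfg (or by the product key the media accepts) rather than by DISM.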

Here is an example of the output from the command for a Windows 10 Pro ISO.

 

How do I enable or disable anonymous LDAP binds to Windows Server 2008 R2 Active Directory (AD)?

By default the dSHeuristics attribute is <not set>, which means anonymous LDAP operations are disabled: an anonymous connection can read the rootDSE and nothing else.


I strongly recommend against this. Many applications communicate with directory services through LDAP, but the LDAP Request for Comments (RFC) specification stipulates that an LDAP bind should support the passing of a credential. Connecting anonymously really shouldn’t be needed. You may have many Unix-style applications that currently use an anonymous LDAP bind to other directory services, but there’s a good chance that they do actually support binding through a credential, making anonymous binding unnecessary.

Where possible, if anonymous binds are required, create a separate AD LDS instance that allows the anonymous connection and has the subset of information that’s required by the application.

If you have to enable anonymous binds, you can do so.

  1. Start Adsiedit.msc (Start, Run, Adsiedit.msc).
  2. Expand the Configuration container, then Services, then Windows NT.
  3. Right-click CN=Directory Service and select Properties.
  4. Double-click the dSHeuristics attribute.
  5. To enable: if the value is currently <Not Set>, set it to 0000002. If it is not blank, change the 7th character of the existing string to 2, padding with zeros if the string is shorter than 7 characters (for example, 001 becomes 0010002). Click OK.
  6. To disable: change the 7th character back to 0, or set the value to <Not Set> if no other characters of the string are in use (other positions control unrelated forest-wide behaviour, so do not blank them without checking). Click OK.
  7. Close the ADSIEdit tool.

Anything that NT AUTHORITY\ANONYMOUS LOGON or Everyone has rights to can now be read through an anonymous bind.
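As an added example (not from the original post), the same change scripted with the ActiveDirectory module so that only the 7th character of dSHeuristics is touched, plus a client-side check that performs a real anonymous bind and search. It assumes RSAT is installed and the account has write access to the Directory Service object in the Configuration partition.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module (RSAT) and an account with write access to the Directory Service
# object in the Configuration partition. Only the 7th character of
# dSHeuristics (fLDAPBlockAnonOps) is changed; all others are preserved.
Import-Module ActiveDirectory

function Get-DirectoryServiceObject {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
        -Properties dSHeuristics
}

# Report whether anonymous operations are enabled (7th character == 2)
function Test-AnonymousLdapBind {
    $val = [string](Get-DirectoryServiceObject).dSHeuristics
    [pscustomobject]@{
        dSHeuristics     = if ($val) { $val } else { '<Not Set>' }
        AnonymousEnabled = ($val.Length -ge 7 -and $val[6] -eq '2')
    }
}

# Set or clear the 7th character without disturbing the rest of the string
function Set-AnonymousLdapBind {
    param([Parameter(Mandatory)][bool]$Enabled)
    $ds    = Get-DirectoryServiceObject
    $chars = ([string]$ds.dSHeuristics).PadRight(7, '0').ToCharArray()
    $chars[6] = if ($Enabled) { '2' } else { '0' }
    $new = -join $chars
    # Every 10th position must hold the digit of its position (10th = '1');
    # padding to 7 never reaches it, so this only guards longer existing values.
    if ($new.Length -ge 10 -and $new[9] -ne '1') { throw "Invalid dSHeuristics: $new" }
    if ($new.TrimEnd('0') -eq '') {
        Set-ADObject -Identity $ds -Clear dSHeuristics           # back to <Not Set>
    } else {
        Set-ADObject -Identity $ds -Replace @{ dSHeuristics = $new }
    }
}

# Client-side verification: bind anonymously and try a subtree search
function Test-AnonymousSearch {
    param(
        [string]$Server = (Get-ADDomainController).HostName,
        [string]$BaseDN = (Get-ADDomain).DistinguishedName
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.Bind()
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDN, '(objectClass=user)', 'Subtree', @('sAMAccountName'))
    try   { $conn.SendRequest($req).Entries.Count }
    catch { "Anonymous search refused: $($_.Exception.Message)" }
}

Test-AnonymousLdapBind
# Set-AnonymousLdapBind -Enabled $true ; Test-AnonymousSearch
```

Flipping the 7th character only lets the anonymous bind proceed past rootDSE; with default permissions Test-AnonymousSearch still returns 0 entries because NT AUTHORITY\ANONYMOUS LOGON has no read ACEs on the domain partition. Each object you then grant it (or Everyone) read access to becomes enumerable by anyone who can reach port 389, which is why the AD LDS instance with a trimmed subset of data is the safer place to do that.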

Transferring FSMO roles (2003-2012)

Note: if you do not know what the “FSMO” roles are, or wish to know more, please see this link: Operations master roles

This is a well-known subject among Active Directory administrators. Even before Windows 2012, there was no lack of choice in the methods allowing us to transfer the FSMO roles:

If there were only two domain controllers, we could simply demote one with DCPROMO. If the domain controller to be demoted held the FSMO roles, the demotion process would transfer the roles to the other domain controller.

If there were more than two domain controllers (or we wanted to choose the new holder), we could transfer the roles with various graphic interfaces or at the command line…

Transferring roles with the graphic interface

We need to use three different “tools” to transfer all the FSMO roles.

  • Active Directory Users and Computers for the PDCe, RID Master and Infrastructure Master roles
  • Active Directory Domains and Trusts for the Domain Naming Master
  • Active Directory Schema – after registering schmmgmt.dll with regsvr32…

 

We’ll first transfer the PDC emulator, the RID Master and Infrastructure Master in Active Directory Users and Computers (ADUC).

1. Connect to ADUC, right-click on the domain and select “Operations Masters” in the menu:


2. Attempt to change the Operations Master and observe the error message:


If we happen to be connected to the current role holder, we must first target the domain controller to which the roles will be transferred.

3. This time, select “Change Domain Controller”:


 

4. Connect to the domain controller to which you intend to transfer the roles:


5. Now go back to the menu (as illustrated above) and select “Operations Masters”.

 

6. We’ll use the RID Master as an example below. Note that the other domain controller is now the “target” as opposed to the same domain controller. Click on “Change” and confirm. Repeat the same operations for the PDCe and the Infrastructure Master.

 

7. For the Domain Naming Master, we need to perform the same type of operation but in the Active Directory Domains and Trusts MMC.


 

8. For the Schema Master, we first need to register a .dll file (run “regsvr32 schmmgmt.dll” from an elevated prompt) and then add the “Active Directory Schema” snap-in to a Microsoft Management Console (mmc). We then proceed as we did for the other roles above.


Note: there should be a confirmation message (which can be closed – not shown above) indicating that the registration was successful. I’ll assume the reader knows how to add “snap-ins” to an MMC. If not, please search for instructions online.

We can confirm the new owner (or “holder”) of the roles in the graphic interfaces themselves or use the concise “netdom query fsmo” command.

BEFORE

PS C:\> netdom query fsmo

Schema master               DC-001.machlinkit.biz
Domain naming master        DC-001.machlinkit.biz
PDC                         DC-001.machlinkit.biz
RID pool manager            DC-001.machlinkit.biz
Infrastructure master       DC-001.machlinkit.biz

AFTER

PS C:\> netdom query fsmo

Schema master               DC-004.machlinkit.biz
Domain naming master        DC-004.machlinkit.biz
PDC                         DC-004.machlinkit.biz
RID pool manager            DC-004.machlinkit.biz
Infrastructure master       DC-004.machlinkit.biz

Of course, this command could also be used to confirm successful transfers after using the command line to move the roles from one domain controller to another.

Transferring roles with NTDSUTIL (command line interface)

We can transfer the roles at the command line using ntdsutil as shown below.

But first some notes:

Since Windows Server 2008, we must activate an “instance” of ntds with the command…

activate instance ntds

This was not necessary with Windows 2003.

Second, the syntax for the Domain Naming master has changed.

With Windows 2003, we would enter:

transfer domain naming master

Since Windows 2008, we must enter

transfer naming master

Having clarified those points, let’s enter the sequence of commands that transfers the roles (I will double space for readability – the text after each prompt is the command to enter):

PS C:\> ntdsutil

C:\Windows\system32\ntdsutil.exe: activate instance ntds

Active instance set to “ntds”.

C:\Windows\system32\ntdsutil.exe: roles

fsmo maintenance: connections

server connections: connect to server DC-004

Binding to DC-004 …

Connected to DC-004 using credentials of locally logged on user.

server connections: quit

Note: at this point, depending on the role we want to transfer, we enter all or any of the following:

fsmo maintenance: transfer schema master

fsmo maintenance: transfer naming master

fsmo maintenance: transfer rid master

fsmo maintenance: transfer pdc

fsmo maintenance: transfer infrastructure master

Once the command is entered (and Enter is pressed), ntdsutil produces some rather verbose output indicating which domain controller holds which roles. In the case of the Schema Master we would see something like this:

fsmo maintenance: transfer schema master

Server “DC-004” knows about 5 roles

Schema – CN=NTDS Settings,CN=DC-004,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

Naming Master – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

PDC – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

RID – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

Infrastructure – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

In this case, we can see (if we look carefully) that DC-004 is now the Schema Master but DC-001 still holds the other operations roles.

Transferring roles with Powershell

With PowerShell version 3 (part of Windows Server 2012) and version 4 (Windows Server 2012 R2), we can use the “Move-ADDirectoryServerOperationMasterRole” cmdlet to transfer or “move” the operations roles (the -id used below is an abbreviation of its -Identity parameter). We can either type the entire name of each role…

Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

Or the numbers that represent the roles:

  • PDCEmulator = 0
  • RIDMaster = 1
  • InfrastructureMaster = 2
  • SchemaMaster = 3
  • DomainNamingMaster = 4

So if we wanted to transfer all the roles to domain controller DC-001, we would enter this:

PS C:\> Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole 0,1,2,3,4

Despite the rather long cmdlet (of which we only need to type the first 8 letters or so, and then tab), the rest of the complete command can be rather concise if we use (and know) the numbers.

This cmdlet works quite nicely as we can see here.

At first, DC-004 holds the roles:

PS C:\> netdom query fsmo

Schema master                 DC-004.machlinkit.biz
Domain naming master    DC-004.machlinkit.biz
PDC                                  DC-004.machlinkit.biz
RID pool manager            DC-004.machlinkit.biz
Infrastructure master        DC-004.machlinkit.biz

We transfer them to DC-001…

PS C:\> Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole 0,1,2,3,4

Move Operation Master Role
Do you want to move role ‘PDCEmulator’ to server ‘DC-001.machlinkit.biz’ ?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is “Y”): A

We confirm the transfers with…

PS C:\> netdom query fsmo

Schema master                  DC-001.machlinkit.biz
Domain naming master    DC-001.machlinkit.biz
PDC                                  DC-001.machlinkit.biz
RID pool manager            DC-001.machlinkit.biz
Infrastructure master        DC-001.machlinkit.biz
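As an added example (not the original post's commands), the same transfer wrapped in a script that reads the current holders from the domain and forest objects, moves only the roles the target does not already hold, and verifies the result. It assumes the ActiveDirectory module and an account that is in Domain Admins plus Schema Admins and Enterprise Admins (needed for the schema and domain naming roles); the target DC name is a placeholder.

```powershell
# Added example, not the original post's commands. Assumes the ActiveDirectory
# module and an account in Domain Admins plus Schema Admins / Enterprise Admins
# (required for the Schema Master and Domain Naming Master). DC names are placeholders.
Import-Module ActiveDirectory

# Current holders as recorded on the domain and forest objects (what
# "netdom query fsmo" prints, without shelling out)
function Get-FsmoHolder {
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [switch]$Seize    # only when the current holder is permanently gone
    )
    $roles  = 'PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster'
    $target = (Get-ADDomainController -Identity $TargetDC).HostName
    $before = Get-FsmoHolder

    # Skip roles the target already holds (compare on FQDN)
    $todo = $roles | Where-Object { $before.$_ -ne $target }
    if (-not $todo) { Write-Host "$target already holds all five roles"; return $before }

    # -Force turns a transfer into a seizure. Never seize while the old holder
    # is still reachable, and never bring a seized-from DC back without demoting
    # it first, or two DCs will claim the same role.
    $params = @{ Identity = $TargetDC; OperationMasterRole = $todo; Confirm = $false }
    if ($Seize) { $params.Force = $true }
    Move-ADDirectoryServerOperationMasterRole @params

    # Verify: every role should now point at the target
    $after = Get-FsmoHolder
    foreach ($r in $roles) {
        if ($after.$r -ne $target) { Write-Warning "$r is still on $($after.$r)" }
    }
    $after
}

Get-FsmoHolder
# Move-AllFsmoRoles -TargetDC 'DC-001'
```

The holder values are ordinary replicated attributes, so a DC other than the one the cmdlet talked to may show the old holder until replication completes; run Get-FsmoHolder against the old holder (Get-ADDomain -Server DC-004) if you want to see both sides agree before trusting the move.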


Transferring the roles by domain controller demotion

Lastly, if we only have two domain controllers or have no preference for the new/future FSMO holder, we can demote the current holder and the roles will be transferred to another domain controller automatically. I will not detail the demotion of a domain controller here but this is what netdom query fsmo shows after the process:

PS C:\> netdom query fsmo

Schema master                     DC-004.machlinkit.biz
Domain naming master        DC-004.machlinkit.biz
PDC                                      DC-004.machlinkit.biz
RID pool manager                DC-004.machlinkit.biz
Infrastructure master            DC-004.machlinkit.biz

So after demoting DC-001, the FSMO roles are automatically transferred to DC-004. No manual intervention was necessary.

 

How to manually uninstall a printer driver in Windows

Came across an interesting issue today where I was unable to remove the printer drivers. I got the message that the printer is in use and therefore cannot delete the drivers.

Here’s what I did to get the driver removed:

  1. Go to ‘Services’ under ‘Administrative Tools’, and restart the ‘Print Spooler’ service.
  2. Click the Start menu and in the search field type ‘printui /s /t2‘ (without the quotes), and then press Enter or click it in the search list.
  3. You should see a dialog box pop up.
  4. Select the appropriate printer driver you are trying to uninstall and click ‘Delete’ or ‘Remove’.
  5. Delete the printer from ‘Devices and Printers’ in Control Panel.

I was able to remove the corrupted drivers and then install the new drivers successfully.
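As an added example (not the steps from the original post), the same cleanup done with the PrintManagement cmdlets available on Windows 8 / Server 2012 and later, including the retry path for the “printer driver is in use” error. It must run elevated; the printer and driver names are placeholders.

```powershell
# Added example, not the original post's steps. Uses the PrintManagement
# module (Windows 8 / Server 2012 and later); run from an elevated prompt.
# Driver name is a placeholder.
$DriverName = 'HP Universal Printing PCL 6'

# 1. Remove every print queue that references the driver, then restart the
#    spooler so its handles on the driver files are released.
Get-Printer | Where-Object DriverName -eq $DriverName |
    ForEach-Object { Remove-Printer -Name $_.Name }
Restart-Service Spooler

# 2. Remove the driver. -RemoveFromDriverStore also deletes the package from
#    the DriverStore so a later Add-Printer cannot silently reuse the corrupt copy.
try {
    Remove-PrinterDriver -Name $DriverName -RemoveFromDriverStore -ErrorAction Stop
}
catch {
    # Typical failure: "printer driver is in use" because of a stuck job.
    # Stop the spooler, clear the spool directory and retry once.
    Stop-Service Spooler -Force
    Remove-Item "$env:SystemRoot\System32\spool\PRINTERS\*" -Force -ErrorAction SilentlyContinue
    Start-Service Spooler
    Remove-PrinterDriver -Name $DriverName -RemoveFromDriverStore
}

# 3. Confirm it is gone (the GUI equivalent is the Drivers tab of printui /s /t2)
Get-PrinterDriver | Where-Object Name -eq $DriverName
```

Clearing the spool directory discards every pending job on the machine, not just those for the broken driver, so on a shared print server do it in a maintenance window.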