mo wasay

Deleting contents of a mailbox

So I came across an account that had 450,000 items: log files that were being captured in a mailbox. I wanted to delete all the entries with PowerShell instead of going through the GUI.

Here is the command I used to get it done:

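One way to do the same purge, as an added example that is not the author's command: Search-Mailbox on Exchange 2010/2013, with an estimate pass first and a loop because the cmdlet removes at most 10,000 items per run. The mailbox address is an assumption.

```powershell
# Added example (not the author's command): purge every item in one mailbox on
# Exchange 2010/2013 with Search-Mailbox. The mailbox name is an assumption.
# Search-Mailbox needs the Mailbox Search and Mailbox Import Export roles and removes
# at most 10,000 items per run, so a 450,000-item mailbox needs several passes.
param([string]$Mailbox = 'logcollector@contoso.example')   # assumed mailbox

# 1. Estimate first: nothing is deleted, so the scope can be sanity-checked.
$estimate = Search-Mailbox -Identity $Mailbox -EstimateResultOnly
Write-Host ("{0} holds {1} items ({2})" -f $Mailbox, $estimate.ResultItemsCount, $estimate.ResultItemsSize)

# 2. Delete in passes until nothing is left. -Force suppresses the confirmation prompt;
#    -SearchDumpster:$false counts live items only, otherwise items already moved to
#    Recoverable Items keep the count above zero. The pass limit is a guard against a
#    loop that never converges (for example a mailbox on hold).
$maxPasses = 60
for ($pass = 1; $pass -le $maxPasses; $pass++) {
    $r = Search-Mailbox -Identity $Mailbox -DeleteContent -Force -SearchDumpster:$false
    Write-Host ("pass {0}: {1} items removed" -f $pass, $r.ResultItemsCount)
    if ($r.ResultItemsCount -eq 0) { break }
}
```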

Creating a Picture Policy to use with Office365

With Office365 you can have profile pictures, and this setting is enabled by default. In larger organizations you may not want this enabled, or you may want a customized policy for different departments. Here’s what I had to do to disable the picture upload capability by default and then use PowerShell to enable it for individuals through a customized policy.

Let’s get started.

Connect to Office365 from PowerShell:

Check if you have any existing policies that allow photos to be enabled and displayed:

Result: (screenshot)

Let’s create a new policy:

Check the setting for the newly created policy:

Result: (screenshot)

We need to make sure that users assigned this new policy are the only ones who can upload their picture via the Office365 Portal.

Set the default policy to restrict the capability to upload pictures:

Check for how many policies you have now:

Result: (screenshot)

Assign the new policy to admins:

Normally you would never need this, but depending on your requirements you can apply the new policy to everyone (just change the policy name from the one listed to the one you created) or revert everything back to the default policy:

Check the policy against users to see which one they are using:

Result: (screenshot)

You are done.

Now each user with the new policy will be able to upload their profile pics and users with the default policy will not be able to upload their pictures.
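The whole procedure above in one script, as an added example (not the author's commands): a permissive policy for a group of admins, the default policy locked down, and an audit of who ends up on which policy. Policy name, group name and admin UPN are assumptions; Connect-ExchangeOnline (ExchangeOnlineManagement module) stands in for the Basic-auth remote session that was current in 2016.

```powershell
# Added example (not the author's commands): OWA mailbox policies control photo upload
# through SetPhotoEnabled. Policy, group and account names below are assumptions.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # assumed admin UPN

# Which policies exist, and which currently permit photo changes?
Get-OwaMailboxPolicy | Select-Object Name, IsDefault, SetPhotoEnabled

# New policy for the users who may change their picture.
New-OwaMailboxPolicy -Name 'AllowPhotoUpload'
Set-OwaMailboxPolicy -Identity 'AllowPhotoUpload' -SetPhotoEnabled $true

# Lock down the default policy so everyone else cannot upload a picture.
$default = Get-OwaMailboxPolicy | Where-Object { $_.IsDefault }
Set-OwaMailboxPolicy -Identity $default.Identity -SetPhotoEnabled $false

# Assign the permissive policy to the members of an assumed 'IT Admins' group.
Get-DistributionGroupMember -Identity 'IT Admins' | ForEach-Object {
    Set-CASMailbox -Identity $_.PrimarySmtpAddress -OwaMailboxPolicy 'AllowPhotoUpload'
}

# Audit: who is on which policy. A mailbox with no explicit OwaMailboxPolicy uses the default.
Get-CASMailbox -ResultSize Unlimited |
    Select-Object PrimarySmtpAddress,
        @{ n = 'Policy'; e = { if ($_.OwaMailboxPolicy) { $_.OwaMailboxPolicy } else { $default.Name } } } |
    Group-Object Policy | Select-Object Name, Count
```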

Picture dimensions:

I used 96×96 in the past, based on the MSDN forum, but noticed a lot of pixelation in the contact cards. At 280 x 280 I got a nicely rendered profile pic.

Find out Windows version from an ISO file

So we download a lot of .ISO files from various sources. I needed to install Windows 10 x64 Pro and was having trouble identifying which was which among the different versions I had been testing. This was important to me because I needed to know if it was Retail, VL, or MSDN. This should work for Vista and up, basically any Windows release that ships WIM files.

First you will need to mount the ISO file to a computer so you can browse it. Then open up a command prompt as administrator and run the following command.

(I is the drive letter for the mounted ISO file)

Here is an example of the output from the command for a Windows 10 Pro ISO.

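The same inspection done from PowerShell, as an added example that is not the author's command: mount the ISO, list every image in install.wim or install.esd through the DISM module, and read the channel from sources\ei.cfg when that file exists. The ISO path is an assumption.

```powershell
# Added example (not the author's dism command): inspect a Windows ISO from PowerShell.
# Uses the DISM module (Get-WindowsImage) and the Storage module (Mount-DiskImage).
function Get-EiCfgChannel([string]$Path) {
    # ei.cfg carries a [Channel] section reading Retail or Volume; not every ISO has the file.
    if (-not (Test-Path $Path)) { return '(no ei.cfg)' }
    $lines = @(Get-Content $Path)
    $idx = [array]::IndexOf($lines, '[Channel]')
    if ($idx -ge 0 -and $idx + 1 -lt $lines.Count) { $lines[$idx + 1].Trim() } else { '(unknown)' }
}

function Get-IsoWindowsInfo {
    param([Parameter(Mandatory)][string]$IsoPath)

    Mount-DiskImage -ImagePath $IsoPath | Out-Null
    try {
        $drive = (Get-DiskImage -ImagePath $IsoPath | Get-Volume).DriveLetter
        $wim = Get-ChildItem "${drive}:\sources" -Filter 'install.*' |
               Where-Object { $_.Extension -in '.wim', '.esd' } | Select-Object -First 1
        if (-not $wim) { throw "no install.wim or install.esd under ${drive}:\sources" }
        $channel = Get-EiCfgChannel "${drive}:\sources\ei.cfg"

        # One row per image index: edition, architecture and build live in the per-index view.
        foreach ($i in Get-WindowsImage -ImagePath $wim.FullName) {
            $d = Get-WindowsImage -ImagePath $wim.FullName -Index $i.ImageIndex
            [pscustomobject]@{
                Index        = $i.ImageIndex
                Name         = $i.ImageName
                Edition      = $d.EditionId
                Architecture = $d.Architecture   # 9 = x64, 0 = x86
                Version      = $d.Version
                Channel      = $channel
            }
        }
    }
    finally { Dismount-DiskImage -ImagePath $IsoPath | Out-Null }
}

Get-IsoWindowsInfo -IsoPath 'C:\ISO\Win10_Pro_x64.iso' | Format-Table -AutoSize   # assumed path
```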

How do I enable or disable anonymous LDAP binds to Windows Server 2008 R2 Active Directory (AD)?

By default the setting is set to <not set> meaning it is disabled.


I strongly recommend against this. Many applications communicate with directory services through LDAP, but the LDAP Request for Comments (RFC) specification stipulates that an LDAP bind should support the passing of a credential. Connecting anonymously really shouldn’t be needed. You may have many Unix-style applications that currently use an anonymous LDAP bind to other directory services, but there’s a good chance that they do actually support binding through a credential, making anonymous binding unnecessary.

Where possible, if anonymous binds are required, create a separate AD LDS instance that allows the anonymous connection and has the subset of information that’s required by the application.

If you have to enable anonymous binds, you can do so.

  1. Start Adsiedit.msc (Start, Run, Adsiedit.msc).
  2. Expand the Configuration container. Expand Services, Windows NT.
  3. Right-click CN=Directory Service and select Properties.
  4. Double-click the dSHeuristics attribute.
  5. To enable: If the value is currently <Not Set>, set it to 0000002. If it isn’t currently blank, you must change the 7th character of the string to 2. (For example, if it was 001, 0010002 should be your new value.) Click OK.
  6. To disable: Set the value to <Not Set>. Click OK.
  7. Close the ADSIEdit tool.

Anything that NT AUTHORITY\ANONYMOUS LOGON or Everyone has rights to can now be read through an anonymous bind.
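An added example, not part of the original post: the same 7th-character rule applied with the ActiveDirectory module instead of ADSIEdit, with an audit function so you can find out whether anonymous binds are already enabled before anything is changed. The function names are assumptions.

```powershell
# Added example (not from the original post): audit and change the anonymous-LDAP flag in
# dSHeuristics. Position 7 is 2 for enabled and 0 for disabled; <Not Set> is the default.
function Get-DirectoryServiceObject {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties dSHeuristics
}

# Audit: is anonymous read access (for ANONYMOUS LOGON / Everyone ACEs) enabled right now?
function Test-AnonymousLdap {
    $h = [string](Get-DirectoryServiceObject).dSHeuristics
    [pscustomobject]@{
        dSHeuristics         = $h
        AnonymousLdapEnabled = ($h.Length -ge 7) -and ($h[6] -eq '2')
    }
}

# Compute the new value without disturbing the other heuristic positions. Padding stops at
# 7 characters, so the rule that the 10th character must be 1 is never triggered here.
function Set-AnonymousLdapChar([string]$Current, [char]$Value) {
    $chars = $Current.PadRight(7, '0').ToCharArray()
    $chars[6] = $Value
    -join $chars
}

function Set-AnonymousLdap([bool]$Enable) {
    $obj = Get-DirectoryServiceObject
    $new = Set-AnonymousLdapChar ([string]$obj.dSHeuristics) $(if ($Enable) { '2' } else { '0' })
    if (-not $Enable -and $new -eq '0000000') {
        # Nothing else is set: clearing the attribute restores the <Not Set> default.
        Set-ADObject -Identity $obj -Clear dSHeuristics
    } else {
        Set-ADObject -Identity $obj -Replace @{ dSHeuristics = $new }
    }
}

Test-AnonymousLdap
```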

Transferring FSMO roles (2003-2012)

Note: if you do not know what the “FSMO” roles are, or wish to know more, please see this link: Operations master roles

This is a well-known subject among Active Directory administrators. Even before Windows 2012, there was no lack of choice in the methods allowing us to transfer the FSMO roles:

If there were only two domain controllers, we could simply demote one with DCPROMO. If the domain controller to be demoted held the FSMO roles, the demotion process would transfer the roles to the other domain controller.

If there were more than one domain controller, we could transfer the roles with various graphic interfaces…

Transferring roles with the graphic interface

We need to use three different “tools” to transfer all the FSMO roles.


  • Active Directory Users and Computers for the PDCe, RID Master and Infrastructure Master roles
  • Active Directory Domains and Trusts for the Domain Naming Master
  • Active Directory Schema – after registering a certain dll…


We’ll first transfer the PDC emulator, the RID Master and Infrastructure Master in Active Directory Users and Computers (ADUC).

1. Connect to ADUC, right-click on the domain and select “Operations Masters” in the menu:


2. Attempt to change the Operations Master and observe the error message:


If we happen to be connected to the current role holder, we must first target the domain controller to which the roles will be transferred.

3. This time, select “Change Domain Controller”:


4. Connect to the domain controller to which you intend to transfer the roles:


5. Now go back to the menu (as illustrated above) and select “Operations Masters”.


6. We’ll use the RID Master as an example below. Note that the other domain controller is now the “target” as opposed to the same domain controller. Click on “Change” and confirm. Repeat the same operations for the PDCe and the Infrastructure Master.

7. For the Domain Naming Master, we need to perform the same type of operation but in the Active Directory Domains and Trusts MMC.


8. For the Schema Master, we need to register a .dll file and then add the “Active Directory Schema” snap-in to a Microsoft Management Console (MMC). We then proceed as we did for the other roles above.


Note: there should be a confirmation message (which can be closed – not shown above) indicating that the registration was successful. I’ll assume the reader knows how to add “snap-ins” to a MMC. If not, please search for instructions online.

We can confirm the new owner (or “holder”) of the roles in the graphic interfaces themselves or use the concise “netdom query fsmo” command.

BEFORE

PS C:\> netdom query fsmo

Schema master                 DC-001.machlinkit.biz
Domain naming master          DC-001.machlinkit.biz
PDC                           DC-001.machlinkit.biz
RID pool manager              DC-001.machlinkit.biz
Infrastructure master         DC-001.machlinkit.biz

AFTER

PS C:\> netdom query fsmo

Schema master                 DC-004.machlinkit.biz
Domain naming master          DC-004.machlinkit.biz
PDC                           DC-004.machlinkit.biz
RID pool manager              DC-004.machlinkit.biz
Infrastructure master         DC-004.machlinkit.biz

Of course, this command could also be used to confirm successful transfers after using the command line to move the roles from one domain controller to another.

Transferring roles with NTDSUTIL (command line interface)

We can transfer the roles at the command line using ntdsutil as shown below.

But first some notes:

Since Windows Server 2008, we must activate an “instance” of ntds with the command…

activate instance ntds

This was not necessary with Windows 2003.

Second, the syntax for the Domain Naming master has changed.

With Windows 2003, we would enter:

transfer domain naming master

Since Windows 2008, we must enter

transfer naming master

Having clarified those points, let’s enter the sequence of commands that transfers the roles (I will double space for readability – the text in bold represents the commands to enter):

PS C:\> ntdsutil

C:\Windows\system32\ntdsutil.exe: activate instance ntds

Active instance set to “ntds”.

C:\Windows\system32\ntdsutil.exe: roles

fsmo maintenance: connections

server connections: connect to server DC-004

Binding to DC-004 …

Connected to DC-004 using credentials of locally logged on user.

server connections: quit

Note: at this point, depending on the role we want to transfer, we enter all or any of the following:

fsmo maintenance: transfer schema master

fsmo maintenance: transfer naming master

fsmo maintenance: transfer rid master

fsmo maintenance: transfer pdc

fsmo maintenance: transfer infrastructure master

Once the command is entered (and Enter is pressed), ntdsutil produces some rather verbose output indicating which domain controller holds which roles. In the case of the Schema Master we would see something like this:

fsmo maintenance: transfer schema master
Server “DC-004” knows about 5 roles

Schema – CN=NTDS Settings,CN=DC-004,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

Naming Master – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

PDC – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

RID – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

Infrastructure – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

In this case, we can see (if we look carefully) that DC-004 is now the Schema Master but DC-001 still holds the other operations roles.

Transferring roles with Powershell

With PowerShell version 3 (part of Windows Server 2012) and version 4 (Windows Server 2012 R2), we can use the “Move-ADDirectoryServerOperationMasterRole” cmdlet to transfer or “move” the operations roles. We can either type the entire name of each role…

Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole
PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

Or the numbers that represent the roles:

  • PDCEmulator = 0
  • RIDMaster = 1
  • InfrastructureMaster = 2
  • SchemaMaster = 3
  • DomainNamingMaster = 4

So if we wanted to transfer all the roles to domain controller DC-001, we would enter this:

PS C:\>Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole 0,1,2,3,4

Despite the rather long cmdlet (of which we only need to type the first 8 letters or so, and then tab), the rest of the complete command can be rather concise if we use (and know) the numbers.

This cmdlet works quite nicely as we can see here.

At first, DC-004 holds the roles:

PS C:\> netdom query fsmo

Schema master                 DC-004.machlinkit.biz
Domain naming master          DC-004.machlinkit.biz
PDC                           DC-004.machlinkit.biz
RID pool manager              DC-004.machlinkit.biz
Infrastructure master         DC-004.machlinkit.biz

We transfer them to DC-001…

PS C:\> Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole 0,1,2,3,4

Move Operation Master Role
Do you want to move role ‘PDCEmulator’ to server ‘DC-001.machlinkit.biz’ ?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is “Y”): A

We confirm the transfers with…

PS C:\> netdom query fsmo

Schema master                 DC-001.machlinkit.biz
Domain naming master          DC-001.machlinkit.biz
PDC                           DC-001.machlinkit.biz
RID pool manager              DC-001.machlinkit.biz
Infrastructure master         DC-001.machlinkit.biz
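The before/after check the article does with “netdom query fsmo”, as an added example that is not the author's code: the same role holders read from Get-ADForest and Get-ADDomain, wrapped around the move so the result is reported per role. The function names are assumptions; the target DC name is the article's.

```powershell
# Added example (not the author's commands): move all five roles and verify each one moved.
function Get-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster           # forest-wide roles
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator            # domain-wide roles
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-AllFsmoRoles([string]$Target) {
    $before = Get-FsmoHolders
    # 0..4 are the numeric aliases listed above; -Confirm:$false replaces the Y/A prompt.
    # Moving SchemaMaster/DomainNamingMaster needs Schema Admins / Enterprise Admins rights.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole 0,1,2,3,4 -Confirm:$false
    $after = Get-FsmoHolders
    foreach ($role in $after.Keys) {
        [pscustomobject]@{
            Role   = $role
            Before = $before[$role]
            After  = $after[$role]
            Moved  = ($after[$role] -like "$Target.*")   # holder is reported as an FQDN
        }
    }
}

Move-AllFsmoRoles -Target 'DC-001' | Format-Table -AutoSize
```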


Transferring the roles by domain controller demotion

Lastly, if we only have two domain controllers or have no preference for the new/future FSMO holder, we can demote the current holder and the roles will be transferred to another domain controller automatically. I will not detail the demotion of a domain controller here but this is what netdom query fsmo shows after the process:

PS C:\> netdom query fsmo

Schema master                 DC-004.machlinkit.biz
Domain naming master          DC-004.machlinkit.biz
PDC                           DC-004.machlinkit.biz
RID pool manager              DC-004.machlinkit.biz
Infrastructure master         DC-004.machlinkit.biz

So after demoting DC-001, the FSMO roles are automatically transferred to DC-004. No manual intervention was necessary.


How to manually uninstall a printer driver in Windows

Came across an interesting issue today where I was unable to remove the printer drivers. I got the message that the printer is in use and therefore the drivers cannot be deleted.

Here’s what I did to get the driver removed:

  1. Goto ‘Services’ under ‘Administrative Tools’, and restart the ‘Printer Spooler Service’.
  2. Click the Start menu and in the search field type ‘printui /s /t2’ (without the quotes), and then press Enter or click it in the search list.
  3. You should see a dialog box pop up.
  4. Select the appropriate printer driver you are trying to uninstall and click ‘Delete’ or ‘Remove’.
  5. Delete the printer from ‘Devices and Printers’ in Control Panel.

I was able to remove the corrupted drivers and then install the new drivers successfully.
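The same cleanup with the PrintManagement module (Windows 8 / Server 2012 and later), as an added example that is not part of the original post. The ordering is the point: a driver stays “in use” while any print queue references it, so the queues go first, then the spooler is restarted, then the driver is removed. The driver name is an assumption.

```powershell
# Added example (not from the original post): remove a stuck printer driver in order.
function Remove-PrinterDriverInUse {
    param([Parameter(Mandatory)][string]$DriverName)

    # Queues that reference the driver are what keeps it "in use".
    $queues = Get-Printer | Where-Object { $_.DriverName -eq $DriverName }
    foreach ($q in $queues) {
        Write-Host "removing print queue '$($q.Name)' bound to $DriverName"
        Remove-Printer -Name $q.Name
    }

    # Equivalent of step 1 above: the spooler restart releases handles on the driver files.
    Restart-Service -Name Spooler -Force

    # Remove the driver and its package from the driver store so a reinstall gets fresh files.
    Remove-PrinterDriver -Name $DriverName -RemoveFromDriverStore
}

Remove-PrinterDriverInUse -DriverName 'HP Universal Printing PCL 6'   # assumed driver name
```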

Delete the Lync or Skype for Business SIP profile from a Windows computer

When a Lync 2010/2013 desktop client for Windows signs in, it retrieves a lot of information from cache to minimize bandwidth consumption. This cached information is stored in the user’s SIP profile, a folder named sip_(SipURI of the user), located on a Windows computer in the following folder:

Lync 2010: %UserProfile%\AppData\Local\Microsoft\Communicator\

Lync 2013: %UserProfile%\AppData\Local\Microsoft\Office\15.0\Lync

Skype for Business: %UserProfile%\AppData\Local\Microsoft\Office\16.0\Lync

If there are any issues with the files in the SIP profile, users might experience issues with the Lync client such as:

  • Contacts appear to be offline
  • Unable to search the Global Address List
  • Contacts are missing from the contact list
  • Contacts display Presence Unknown
  • Presence is not displayed in Outlook or SharePoint
  • “User is not SIP enabled” errors
  • “Lync Server is Temporarily Unavailable” errors

Additionally, it is a good practice to delete the SIP profile when switching to a new Lync platform as connection information can be cached.

To resolve the issues listed above, use the following guidance to delete the SIP profile for the affected user. NOTE: Depending on the Windows Explorer settings, the SIP profile folder may be hidden; if you are unable to navigate to the path listed for your version of the Lync client, you will need to set Windows Explorer to Show Hidden Files and Directories before completing the steps below.

Deleting the SIP Profile

  1. Close Lync completely by right-clicking the Lync icon in the Windows System Tray and selecting Exit.
  2. Open Windows Explorer and navigate to the folder that corresponds to the Lync client version that is installed:
     • Lync 2010: %UserProfile%\AppData\Local\Microsoft\Communicator
     • Lync 2013: %UserProfile%\AppData\Local\Microsoft\Office\15.0\Lync
     • Skype for Business: %UserProfile%\AppData\Local\Microsoft\Office\16.0\Lync
  3. Delete the sip_username directory that matches the SIP address of the user experiencing the issues. This directory will be rebuilt the next time the Lync client is started.
  4. Restart the computer.
  5. Restart the Lync client.

The SIP profile folder and cached information will be rebuilt and the issues above should be resolved.
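The deletion steps as a script, added here as an example and not part of the original post: it checks all three client paths above for the user's sip_ folder, refuses to run while the client is open, and reports what it removed. The SIP address is an assumption.

```powershell
# Added example (not from the original post): delete one user's cached SIP profile.
function Remove-LyncSipProfile {
    param([Parameter(Mandatory)][string]$SipAddress)

    # Step 1: the client must be closed, or it keeps the folder locked and recreates it.
    if (Get-Process -Name 'lync', 'communicator' -ErrorAction SilentlyContinue) {
        throw 'Close Lync / Skype for Business before deleting the SIP profile'
    }

    # %LOCALAPPDATA% is %UserProfile%\AppData\Local, the root of the three paths above.
    $roots = @(
        "$env:LOCALAPPDATA\Microsoft\Communicator"        # Lync 2010
        "$env:LOCALAPPDATA\Microsoft\Office\15.0\Lync"    # Lync 2013
        "$env:LOCALAPPDATA\Microsoft\Office\16.0\Lync"    # Skype for Business
    )

    $removed = @()
    foreach ($root in $roots) {
        $folder = Join-Path $root "sip_$SipAddress"
        if (Test-Path $folder) {                 # Test-Path also sees hidden folders
            Remove-Item $folder -Recurse -Force  # the client rebuilds it at next sign-in
            $removed += $folder
        }
    }
    if (-not $removed) { Write-Warning "no sip_$SipAddress folder found in any client path" }
    $removed
}

Remove-LyncSipProfile -SipAddress 'jdoe@contoso.example'   # assumed SIP address
```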

Exchange 2010: Moving Messages to Another Working Queue on another CAS Server

One of my CAS/Hub servers was acting up and started queuing email. I needed to move the messages to another working server while I took time to troubleshoot what was causing the queuing.

This is what I had to do.

On the non-working server:

  • Create a Folder on C: called MailsExport
  • Open Exchange Management Shell and type the following:
  • Mail should start exporting.
  • Once completed, move the *.eml files to the “Exchange Server\V14\TransportRoles\Pickup” folder on the working server.
  • The new server should immediately start processing the messages.
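One way to do the export step, as an added example that is not the author's command: suspend each non-empty queue on the failing server (Export-Message only works on suspended messages) and write every message to C:\MailsExport as an .eml file. The server name is an assumption.

```powershell
# Added example (not the author's command): drain the queues of a stuck Hub server to disk.
$server = 'HUB01'               # assumed non-working server
$outDir = 'C:\MailsExport'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Freeze every queue that holds mail, then export each message by its identity.
Get-Queue -Server $server | Where-Object { $_.MessageCount -gt 0 } | ForEach-Object {
    Suspend-Queue -Identity $_.Identity -Confirm:$false
    Get-Message -Queue $_.Identity -ResultSize Unlimited | ForEach-Object {
        # The identity (server\queue\id) is unique; strip characters that are invalid in file names.
        $name = ($_.Identity.ToString() -replace '[\\/:*?"<>|]', '_') + '.eml'
        Export-Message -Identity $_.Identity | AssembleMessage -Path (Join-Path $outDir $name)
    }
}

Write-Host ("{0} messages exported to {1}" -f (Get-ChildItem $outDir -Filter *.eml).Count, $outDir)

# Pickup on the working server submits whatever lands in that folder, so copy only the
# exported .eml files there. The originals stay suspended on this server; once the copies
# are delivered, remove them (Remove-Message -WithNDR $false) so nothing is sent twice.
```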

Updating the system time on Server 2008R2 & 2012R2 using NTP Servers

  1. To update, use the command below (2008 and 2012 server compatible). Replace ntp_server with your source; check http://tf.nist.gov/tf-cgi/servers.cgi for servers.
  2. Restart the time service.
  3. Resync the time.
  4. Verify your sync status.

The commands above should be fine if your sources are working correctly and your connection is OK (a firewall or Microsoft Forefront can also be an issue).

The commands below can help with troubleshooting.

To list peers:

To list NTP sources:
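The four steps plus the two troubleshooting queries, as an added example that is not the author's commands: one PowerShell function around w32tm.exe. The NTP source is an assumption; pick one from the NIST list above or an internal time source.

```powershell
# Added example (not the author's commands): configure, restart, resync and verify w32time.
function Set-NtpSource {
    param([Parameter(Mandatory)][string[]]$Server)

    # Step 1: point w32time at the given peers and apply. 0x8 = act as an NTP client.
    $peers = ($Server | ForEach-Object { "$_,0x8" }) -join ' '
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /update

    # Step 2: restart the time service.
    Restart-Service -Name w32time -Force

    # Step 3: resync, re-discovering the configured peers.
    w32tm /resync /rediscover

    # Step 4: verify sync status (Source and Last Successful Sync Time are the lines to check).
    w32tm /query /status

    # Troubleshooting: peer state and the source actually in use.
    w32tm /query /peers
    w32tm /query /source
}

Set-NtpSource -Server 'time.nist.gov'   # assumed source; UDP/123 outbound must be allowed
```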

Cannot migrate user from Exchange 2010 to Exchange Online

So I came across this error while migrating some accounts from an on-premises Exchange 2010 server to Exchange Online.

Error: The subscription for the migration user [email protected] couldn’t be loaded. The following error was encountered: A subscription wasn’t found for this user.


In short, there is an address conflict between the user properties on the Exchange server and the synced object in Office365. Let’s go back to the basics to get this fixed.

Environment: Exchange 2010 in Hybrid Mode with Exchange Online. Migrating accounts using a staged migration approach. The problematic user in Exchange Online is properly licensed.

Setup for Staged Migration.

  • Exchange Online: Stop the problematic migration batch and delete it
  • Exchange 2010: Even though the user account may show that it is a Remote Mailbox or just a User Mailbox, right-click it and hit Disable. (This will remove the Exchange properties for the user.)
  • Exchange 2010: Search your Exchange databases and find the user’s on-premises mailbox. This is easier if you have just 1 or 2 databases; in an enterprise environment this may be a task by itself. Open EMS and type the following:
    If the result set is too long, you may want to save the contents to a file.
    Open the file and search for the user you disabled in step 2.
  • Now you need to delete the problematic user in Exchange Online. Open up PowerShell ISE and type the following:
    After supplying the Global Admin credentials and successfully logging in, do the following:
  • Now the object exists in neither Exchange 2010 nor Exchange Online.
  • Attach the user back to Exchange 2010. Open up EMS and type the following:
  • The mailbox should show up in Exchange 2010. Make sure that the SMTP addresses include the [email protected] address.
  • In a few minutes DirSync will sync the object back to Exchange Online (this depends on your DirSync time interval).
  • When the user shows up, make sure you assign the user a license in Exchange Online.
  • Start a new migration batch for the user.
  • Migration will go through as expected.
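The command-line parts of the procedure above, as an added example that is not the author's commands: disable the mailbox, locate the disconnected mailbox across every database instead of scanning a saved file, remove the stale cloud object with the MSOnline module (current in 2016), and reconnect the mailbox. User, display name and addresses are assumptions.

```powershell
# Added example (not the author's commands): on-premises Exchange 2010 EMS plus MSOnline.
$upn = 'jsmith@contoso.example'   # assumed problematic user

# Step 2 (EMS): strip the Exchange attributes. The mailbox becomes disconnected, not deleted.
# For an object that shows as a Remote Mailbox, Disable-RemoteMailbox is the equivalent.
Disable-Mailbox -Identity $upn -Confirm:$false

# Step 3 (EMS): find the disconnected mailbox in any database. Inspect the list before
# reconnecting; the display-name filter is an assumption that narrows the result set.
$orphan = Get-MailboxDatabase | Get-MailboxStatistics |
          Where-Object { $_.DisconnectReason -eq 'Disabled' -and $_.DisplayName -like '*Smith*' } |
          Select-Object DisplayName, MailboxGuid, Database, DisconnectDate
$orphan | Format-Table -AutoSize
$orphan = $orphan | Select-Object -First 1

# Step 4 (MSOnline, from PowerShell ISE): remove the stale cloud object, including its
# soft-deleted copy, so DirSync recreates it from the corrected on-premises object.
Connect-MsolService   # prompts for Global Admin credentials
Remove-MsolUser -UserPrincipalName $upn -Force
Remove-MsolUser -UserPrincipalName $upn -RemoveFromRecycleBin -Force

# Step 6 (EMS): reconnect the on-premises mailbox to the AD user, then review the addresses
# that DirSync will carry to Exchange Online.
Connect-Mailbox -Identity $orphan.MailboxGuid -Database $orphan.Database -User $upn
Get-Mailbox -Identity $upn | Select-Object -ExpandProperty EmailAddresses
```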