Category: Windows

  • Adding a security group to the Local Administrator Group in AD

    Adding a security group to the Local Administrator Group in AD

    [su_tooltip position=”north” content=”Note: I normally disable the built-in Administrator account, and make another account an admin. This is a good security precaution and in my opinion a best practice.”][/su_tooltip]

    Having a local administrator on your workstations can come in handy. Sometimes you need to log on locally to troubleshoot or to rejoin a computer to the domain. You can create a Group Policy that creates a local admin user; note that setting that user’s password through Group Policy Preferences is no longer supported (Microsoft removed it in MS14-025 because the stored password could be decrypted by any domain user who could read SYSVOL), so manage the local admin password with LAPS instead.

    Admins make a common mistake when they want to add a security group to the local Administrators group for a particular set of machines or domain wide: they create a Restricted Groups policy instead of simply adding the group to the existing local Administrators group. The result is that the policy wipes out the existing membership of the local Administrators group, including the local admin account and any other groups already in it.

    Both can be done with a simple GPO.

    I will cover both methods for clarification. First I will cover the correct way to add the group. The second method is how to add a Restricted Groups policy, and why it is the wrong tool for this job.

    Correct Way

    CREATE THE SECURITY GROUP

    1. Open Active Directory Users and Computers
    2. Select your Security Group OU
    3. Right Click and select New > Group
    4. Give the Group a name, I used “AUTOMATION”

    CREATE THE GPO

    1. Launch Group Policy Management Console.
    2. Right click the OU that you want the GPO to apply to.
    3. Select “Create a GPO in this domain, and Link it here…”, name it, then right click the new GPO and select Edit.
    4. This launches the Group Policy Management Editor.
    5. Navigate to: Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
    6. Right click in the blank area and select New > Local Group, then choose Administrators (built-in) as the group name.
    7. Action: Update (this is the most important part; Update adds to the existing membership, whereas Replace deletes and recreates the group and wipes it).
    8. Leave “Delete all member users” and “Delete all member groups” unchecked; those two boxes turn an Update into the same membership wipe that Restricted Groups causes.
    9. Click Add… under Members and add the needed security group. I have added my AUTOMATION security group.
    10. Click Apply.
    11. Click OK.
    12. Link the GPO to the root of the domain OR the appropriate OU.

    Incorrect Way (This is how you would create a Restricted Groups policy)

    [su_note note_color=”#ee899a”]Reason this is incorrect: the “Members of this group” setting of Restricted Groups enforces an exact membership list, so it wipes out any existing members of the local Administrators group every time the policy refreshes. If you do use Restricted Groups, the non-destructive variant is to add your security group as the policy entry and list Administrators under “This group is a member of”, which adds without removing anyone. [/su_note]

    If you want certain members to be local administrators of computers, you can also do it through Restricted Groups. The idea here is to create a Local Admin security group and then a GPO that makes that security group the only member of the local Administrators group of the computer.

    CREATE THE SECURITY GROUP

    1. Open Active Directory Users and Computers
    2. Select your Security Group OU
    3. Right Click and select New > Group
    4. Give the Group a name, I used “SG – Local Admins”

    CREATE THE GPO

    1. Open Group Policy Management Console.
    2. Right click the OU that contains the systems you want to set the local admin on
    3. Select “Create a GPO in this domain, and Link it here…”
    4. Name the GPO. I used “Set Local Administrators”
    5. Right Click the GPO and select Edit.
    6. Set the following:
      1. Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
      2. Right Click and select “Add Group…”
      3. Select browse and add the Administrators group
      4. Select OK
      5. Double click Administrators
      6. Select Add for “Members of this group:”
      7. Browse and find your security group. I added “SG – Local Admins”

    That should be it. Now the members of the domain group you listed are the only local administrators of those computers; anything that was in the local Administrators group before, including the local admin account, has been removed.
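    Whichever method you pick, check the result rather than trust it. The script below is an added example (not part of the original post) that audits the local Administrators group on a list of computers and reports whether the group you added is present and whether the members you expect to keep survived the policy. It assumes the domain is CONTOSO, the GPO adds CONTOSO\AUTOMATION, WinRM is enabled on the targets, and the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) is available on them; the computer names are placeholders.

```powershell
# Added example (not part of the original post). Audits the local Administrators
# group on a list of computers and reports whether the expected domain group is
# present and whether the members you expect to keep are still there.
# Assumptions: domain CONTOSO, the GPO adds CONTOSO\AUTOMATION, WinRM is enabled
# on the targets, and Get-LocalGroupMember exists on them (Win10 / Server 2016+).

function Test-LocalAdminMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$RequiredMember,     # e.g. 'CONTOSO\AUTOMATION'
        [string[]]$MustKeep = @('CONTOSO\Domain Admins')   # members that must survive the GPO
    )

    $remote = {
        # Runs on each target; returns the current membership as plain strings.
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    }

    # Invoke-Command tags every returned object with PSComputerName, so the
    # flat stream of member names can be grouped back per computer.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote -ErrorAction SilentlyContinue |
        Group-Object -Property PSComputerName |
        ForEach-Object {
            $members = @($_.Group | ForEach-Object { $_.ToString() })
            $missing = @($MustKeep | Where-Object { $members -notcontains $_ })
            [pscustomobject]@{
                ComputerName = $_.Name
                HasRequired  = ($members -contains $RequiredMember)
                LostMembers  = ($missing -join ';')
                Wiped        = ($missing.Count -gt 0)   # a Restricted Groups policy shows up here
                MemberCount  = $members.Count
            }
        }
}

# Usage: run before the GPO is linked, then again after 'gpupdate /force' on the
# targets, and compare the two outputs. Wiped = True means the policy removed
# members you intended to keep.
Test-LocalAdminMembership -ComputerName 'WS01','WS02' -RequiredMember 'CONTOSO\AUTOMATION' |
    Format-Table -AutoSize
```

    A computer that does not answer over WinRM simply does not appear in the output, so compare the list of computers returned against the list you asked for.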

  • Lists all users last logon time

    Lists all users last logon time

    As administrators we often want to check which accounts have not logged in for quite a while, or which accounts recently accessed a system.

    The following one-liner lists every local account on the computer it runs on (it uses the WinNT provider, so it does not query Active Directory) together with each account’s last logon time, and writes the result to lastloggedusers.csv. From there you can get fancy in Excel and filter by age. The .Value accessor is needed because the ADSI properties come back as collections, and the try/catch covers accounts that have never logged on, for which reading LastLogin throws.

    $([ADSI]"WinNT://$env:COMPUTERNAME").Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        Select-Object @{l='Name';e={$_.Name.Value}},
                      @{l='LastLogin';e={ try { $_.LastLogin.Value } catch { $null } }} |
        Export-Csv C:\scripts\lastloggedusers.csv -NoTypeInformation
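    The one-liner above only sees local accounts. For the domain-wide version of the same question, the following is an added example (not from the original post) that uses the Active Directory module to report enabled domain accounts that have not logged on for a given number of days. It assumes RSAT-AD-PowerShell is installed, the caller can read the domain, and the 90-day threshold and output path are placeholders.

```powershell
# Added example (not part of the original post). Reports enabled domain accounts
# that have not logged on for a given number of days, using the ActiveDirectory
# module instead of the local WinNT provider.
# Assumptions: RSAT-AD-PowerShell is installed, the caller can read the domain,
# and the 90-day threshold is a placeholder.

function Get-StaleADUser {
    [CmdletBinding()]
    param(
        [int]$DaysInactive = 90,
        [string]$SearchBase     # optional OU distinguished name to scope the query
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $cutoff = (Get-Date).AddDays(-$DaysInactive)
    $params = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'LastLogonDate', 'whenCreated', 'PasswordLastSet'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params |
        Where-Object {
            # LastLogonDate is the replicated lastLogonTimestamp. It is only
            # rewritten when the stored value is more than 14 days old (the
            # default msDS-LogonTimeSyncInterval), so treat it as accurate to
            # about two weeks. A null value means the account has never logged
            # on since the attribute existed; fall back to whenCreated for age.
            $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
            $last -lt $cutoff
        } |
        Select-Object SamAccountName, Enabled, LastLogonDate,
            @{n='DaysSinceLogon'; e={
                if ($_.LastLogonDate) { [int]((Get-Date) - $_.LastLogonDate).TotalDays } else { $null }
            }},
            whenCreated, PasswordLastSet, DistinguishedName
}

# Usage: stale but enabled accounts are a common foothold; review and disable them.
Get-StaleADUser -DaysInactive 90 |
    Sort-Object DaysSinceLogon -Descending |
    Export-Csv C:\scripts\stale-domain-users.csv -NoTypeInformation
```

    Because of the 14-day replication granularity, do not use this output to prove that an account logged on at a precise time; for that you need the non-replicated lastLogon attribute from every DC, or the security event log.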

     

  • Connecting to a remote domain controller using PowerShell

    Connecting to a remote domain controller using PowerShell

    Covering one of the basic day-to-day tasks of a Windows administrator: connecting to a domain controller. I try to minimize logging on to servers as much as possible. Your thinking should be around connecting to the server remotely and doing the work as needed instead of logging on to it interactively; every interactive logon on a DC also puts your privileged credentials into memory on the most sensitive machine in the domain.

    I will be discussing two approaches below to connect to a domain controller:

    1. Connecting from a client machine on the same domain
    2. Connecting from a client machine on a different domain or a workstation/server

    Before we get started, and regardless of which approach you take below, the Active Directory module for Windows PowerShell needs to be installed on the client Windows machine.

    Installing the Active Directory Module

    GUI:

    The Active Directory module for Windows PowerShell is built into Windows Server operating systems (starting with Windows Server 2008 R2), but it is not enabled by default.

    On Windows Server 2016, you can install the AD PowerShell module from Server Manager (Add Roles and Features -> Features -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> Active Directory module for Windows PowerShell).

    PowerShell:

    You can also install the module from an elevated PowerShell console with:

    Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

    RSAT-AD-PowerShell can be installed not only on domain controllers but also on any domain member server. On a Windows 10 or 11 workstation the feature name above does not exist; install the RSAT capability instead with Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 (on Windows 10 builds before 1809, RSAT is a separate download). The module is installed automatically when you deploy the Active Directory Domain Services (AD DS) role (when promoting a server to a domain controller).

    Approach 1: Connecting from a client machine on the same domain

    The first step is to find all of your domain controllers and allow remote connections to each of them.

    Logon to one of your domain controllers and open up PowerShell:

    winrm quickconfig

    [su_note note_color=”#fafae8″]You need to do this once on each domain controller so you can remotely connect to each one of them at a later time.[/su_note]

    You can read more about WinRM here.

    Alternatively, the following command can be run in an elevated PowerShell console on the DC. This enables WinRM, registers the PowerShell session configurations and configures the firewall so that it can accept incoming connections. On Windows Server 2012 and later, PowerShell remoting is already enabled by default, so on a current DC this is usually a no-op.

    Enable-PSRemoting

    Once that is done you are ready to connect to your domain controller.

    Make sure your system is configured to run PowerShell scripts. RemoteSigned is enough for a script you wrote locally; there is no need for Unrestricted, and keep in mind that the execution policy is a safety net against running scripts by accident, not a security boundary.

    #Set the ExecutionPolicy to allow execution of locally created scripts
    Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

    Copy the content below and paste it into your PowerShell editor. Replace “yourdomaincontroller” with the FQDN of your actual DC (using the name rather than an IP address lets WinRM authenticate with Kerberos instead of falling back to NTLM).

    #ConnectAD.ps1
    #Connect to your Domain Controller (DC) and import its ActiveDirectory module into this session
    #Change the value after -ComputerName to your known DC
    
    $session = New-PSSession -ComputerName "yourdomaincontroller" -Credential (Get-Credential)
    Invoke-Command -Session $session -ScriptBlock { Import-Module ActiveDirectory }
    Import-PSSession -Session $session -Module ActiveDirectory

    Import-PSSession creates local proxy functions for the AD cmdlets (implicit remoting): every AD cmdlet you now run executes on the DC under the credential you supplied, while everything else still runs locally. Run Remove-PSSession $session when you are done. Note that if RSAT-AD-PowerShell is installed on the client, as required above, you do not strictly need a remoting session at all: the AD cmdlets talk to a DC directly over Active Directory Web Services (TCP 9389), and you can point them at a specific DC with the -Server parameter.

    To check that your connection is successful, try the command below to get a list of all of your domain controllers.

    #Get a list of all domain controllers in your environment
    Get-ADDomainController -Filter * | Select-Object Name

    Approach 2: Connecting from a client machine on a different domain or a workstation

    Windows Remoting works perfectly for same domain situations, and the set-up is relatively straight-forward. It’s extremely powerful when it works, and offers a highly flexible way to securely execute commands remotely.

    Problems arise however when trying to use WinRM in mixed domain environments, or where only one machine is on a domain. This requires some additional configuration steps outlined below.

    Logon to one of your domain controllers, open up PowerShell and run the following:

    Enable-PSRemoting

    If you will authenticate with a local (non-domain) administrator account on the target, the following registry value also needs to be set on it. It switches off the UAC remote token filter, so local administrators get a full administrative token over the network; the same change makes that account usable for lateral movement with a stolen password or hash, so set it only where a local account is genuinely required. A domain account that is an administrator on the target does not need it, and a domain controller has no local accounts apart from the DSRM account, so on a DC this value normally makes no difference.

    New-ItemProperty -Name LocalAccountTokenFilterPolicy -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -PropertyType DWord -Value 1 -Force

    Make sure the ports are open:

    By default, WS-Man and PowerShell remoting use ports 5985 and 5986 for connections over HTTP and HTTPS, respectively.

    The module interacts with AD through the Active Directory Web Services, which must be running on your domain controller (communication is performed over TCP port 9389).

    [su_note note_color=”#f9f4ca” text_color=”#000000″ radius=”2″]In some environments you may need to check that the server authentication certificates used for HTTPS listeners are valid and not expired. Also, in some situations I have seen that the client cannot resolve the DC’s FQDN because the DNS zone does not exist in the source domain. Either the zone can be added (a conditional forwarder, for example), or the hosts file can be modified to add the DC’s FQDN. [/su_note]

    Trusted Hosts:

    When WinRM cannot use Kerberos (a different domain with no trust, a workgroup machine, or a connection by IP address) it falls back to NTLM, and the client refuses to authenticate to a server whose identity it cannot verify unless that server is listed in TrustedHosts. Adding the DC’s name or IP to the client’s TrustedHosts list removes that error.

    Keep the list as narrow as your environment allows: a TrustedHosts entry tells the client to authenticate to that host without verifying who it is, so a wildcard lets any machine that can answer on the WinRM port (or spoof the name) capture or relay your NTLM authentication. An HTTPS listener with a valid certificate does not need TrustedHosts at all and is the better fix where you can deploy one. Depending on your environment and what is allowed, one of the following should work for your situation.

    View the computers of TrustedHosts list

    To view the list of TrustedHosts added to the machine, type the following command. By default, its value is blank.

    Get-Item WSMan:\localhost\Client\TrustedHosts

    Add all computers to the TrustedHosts list

    Using the Set-Item cmdlet and the wildcard you can add all computers to the TrustedHosts list with the following command. This disables the identity check entirely; avoid it outside a lab.

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value *

    Add all domain computers to the TrustedHosts list

    In the following command, replace .yourdomain.com with your own domain name.

    Set-Item WSMan:\localhost\Client\TrustedHosts *.yourdomain.com

    Add specific computers to the TrustedHosts list

    You can add specific computers you choose based on their hostname by separating them with a comma (,) using the following command.

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value <ComputerName>,[<ComputerName>]

    Where ComputerName can be in the Server01 or Server01.yourdomain.com format

    Add a computer to an existing list of TrustedHosts

    If you have already added some computers to the TrustedHosts list and want to add an additional computer without deleting the previous entries, you should use the following method. This is because each Set-Item command overwrites the whole list with whatever value you pass in.

    Use the following command to save the current TrustedHosts list to a $currentList variable.

    $currentList = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

    To add a computer to the current list, type the following command, specifying both the variable you created and the computer name you are adding. If the list was empty this leaves a stray leading comma, so prefer -Concatenate below, which handles that for you.

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$currentList,Server01"

    Alternatively, to avoid using a variable, add the -Concatenate switch to the Set-Item command to append the new entries to the existing ones. For example:

    Set-Item WSMan:\localhost\Client\TrustedHosts -Concatenate -Value Server02

    Add computers to the TrustedHosts list using the IP address

    Similarly to the previous commands, you can use an IPv4 or IPv6 address. In the case of IPv6, you have to type the address between square brackets (the all-zeros address below is only a placeholder).

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value 10.10.10.1,[0:0:0:0:0:0:0:0]

    Add computers to the TrustedHosts list using multiple IP address (Most common)

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value "10.10.10.1, 10.10.10.2"

    Another way to add trusted hosts is via an elevated Command Prompt:

    winrm set winrm/config/client @{TrustedHosts="10.0.2.33"}
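    The Set-Item variants above are easy to get wrong: one command without -Concatenate overwrites the list, and a wildcard disables the check. The function below is an added example (not part of the original post) that appends hosts safely: it refuses wildcards unless you opt in, skips entries that are already present, handles the empty-list case without a leading comma, and returns the before/after values so the change can be reviewed. It assumes an elevated PowerShell session; the host names are placeholders.

```powershell
# Added example (not part of the original post). Appends hosts to the WinRM
# TrustedHosts list without overwriting it, de-duplicates, refuses wildcards,
# and reports the before/after state so the change can be reviewed.
# Assumptions: run from an elevated PowerShell; host names below are placeholders.

function Add-TrustedHost {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$HostName,
        [switch]$AllowWildcard   # off by default: '*' or '*.domain' disables the identity check
    )

    $path     = 'WSMan:\localhost\Client\TrustedHosts'
    $current  = (Get-Item $path).Value
    $existing = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    foreach ($h in $HostName) {
        if ($h -match '\*' -and -not $AllowWildcard) {
            throw "Refusing wildcard entry '$h': it would let any host receive your NTLM authentication. Use -AllowWildcard only in a lab."
        }
    }

    # Case-insensitive de-dup against what is already there.
    $new = @($HostName | ForEach-Object { $_.Trim() } |
             Where-Object { $existing -notcontains $_ } | Select-Object -Unique)
    if ($new.Count -eq 0) {
        Write-Verbose 'Nothing to add; all hosts are already trusted.'
        return [pscustomobject]@{ Before = $current; After = $current; Added = @() }
    }

    $value = $new -join ','
    if ($PSCmdlet.ShouldProcess($path, "append $value")) {
        if ($existing.Count -eq 0) {
            Set-Item $path -Value $value -Force               # empty list: no leading comma
        } else {
            Set-Item $path -Concatenate -Value $value -Force  # keep the existing entries
        }
    }
    [pscustomobject]@{ Before = $current; After = (Get-Item $path).Value; Added = $new }
}

# Usage: review Before/After, and keep the list to the DCs you actually manage.
Add-TrustedHost -HostName 'dc01.yourdomain.com', '10.0.2.33' -Verbose
```

    Run it with -WhatIf first to see what would be written; -Force on Set-Item only suppresses the confirmation prompt for the WSMan drive, it does not bypass ShouldProcess.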

    Importing the AD Module:

    Before using any cmdlets of the Active Directory module, you need to import it into your PowerShell session (on PowerShell 3.0 and later the module is loaded automatically the first time you call one of its cmdlets).

    Import-Module ActiveDirectory

    With this configuration, it is now possible to authenticate and execute a command remotely with explicit credentials.

    Let’s check that it is working (the credential variable has to exist first; Get-Credential prompts for it):

    $Credentials = Get-Credential
    Enter-PSSession -ComputerName 10.0.2.33 -Credential $Credentials

    It WORKS! 🙂

    Common Errors & Solutions:

    Error: WinRM service started.  Set-WSManQuickConfig : <f:WSManFault…. WinRM firewall exception will not work since one of the network connection types on this machine is set to Public…… Change the network connection type to either Domain or Private and try again.

    Solution: 

    Enable-PSRemoting -SkipNetworkProfileCheck -Force

    Explanation:

    The error means that one of the machine’s network connections has the Public profile, and Enable-PSRemoting refuses to open the WinRM firewall rule on a Public network. -SkipNetworkProfileCheck goes ahead anyway, but the rule it creates for the Public profile only allows connections from the local subnet. The cleaner fix is to change the profile; you cannot do that from the Network and Sharing Center, but from an elevated console Get-NetConnectionProfile lists the interfaces and Set-NetConnectionProfile -InterfaceIndex <n> -NetworkCategory Private changes the category.

     

    Error: Enter-PSSession : Connecting to remote server 10.0.2.33 failed with the following error message : The WinRM client cannot process the request….

    Solution:

    winrm set winrm/config/client @{TrustedHosts="10.0.2.33"}

    Explanation:

    In an Active Directory environment you can simply use the computer name to connect to a remote machine, because client and server authenticate each other with Kerberos. Kerberos needs a name to build the service principal name, so when you connect to a standalone machine, or to any machine by IP address, WinRM falls back to NTLM, and the client will not authenticate to a server whose identity it cannot verify. That is what the error above is telling you; adding the target to TrustedHosts (or using an HTTPS listener with a valid certificate) resolves it.

    Error: Cannot connect to host…

    Solution:

    Check with your network/firewall team that ports 5985, 5986 and 9389 are open from the client to the DC.

    Explanation: 

    Most of the time the ports are overlooked and are the root cause of the connection not working.
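    The three errors above can all be checked for before you try to connect. The script below is an added example (not part of the original post) that runs those checks from the client: the network profile, reachability of the WinRM and ADWS ports, whether the WinRM service answers, and whether the client will be able to use Kerberos (name) or will fall back to NTLM (IP address) and therefore needs a TrustedHosts entry. It assumes Windows 8 / Server 2012 or later on the client (for Test-NetConnection and Get-NetConnectionProfile); the DC name is a placeholder.

```powershell
# Added example (not part of the original post). Pre-flight checks for the three
# errors discussed above, run from the client before connecting to a DC.
# Assumptions: Windows 8 / Server 2012 or later on the client; the DC name is a
# placeholder.

function Test-DcRemotingPrereq {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$DomainController)

    $result = [ordered]@{ Target = $DomainController }

    # 1. A Public profile on the client stops Enable-PSRemoting's firewall rule.
    $result.PublicProfiles = @(Get-NetConnectionProfile |
        Where-Object NetworkCategory -eq 'Public' | ForEach-Object Name) -join ';'

    # 2. Ports: 5985/5986 for WinRM, 9389 for Active Directory Web Services.
    #    -InformationLevel Quiet returns $true/$false instead of the full object.
    foreach ($p in 5985, 5986, 9389) {
        $result["Port$p"] = Test-NetConnection -ComputerName $DomainController -Port $p `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    # 3. Kerberos is only possible when we connect by name, not by IP address.
    $isIp = [System.Net.IPAddress]::TryParse($DomainController, [ref]$null)
    $result.AuthExpected = if ($isIp) { 'NTLM (IP address: needs TrustedHosts or HTTPS)' } else { 'Kerberos' }
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $result.InTrustedHosts = (($trusted -split ',' | ForEach-Object Trim) -contains $DomainController)

    # 4. Does the WinRM service answer at all? Test-WSMan needs no credentials.
    try {
        $id = Test-WSMan -ComputerName $DomainController -ErrorAction Stop
        $result.WinRM = "ok (stack $($id.ProductVersion))"
    } catch {
        $result.WinRM = "failed: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

# Usage: every Port* value should be True, PublicProfiles empty, and AuthExpected
# 'Kerberos' unless you have deliberately chosen TrustedHosts or HTTPS.
Test-DcRemotingPrereq -DomainController 'dc01.yourdomain.com' | Format-List
```

    If Port5985 is False but Test-WSMan succeeds you are most likely going through an HTTPS listener on 5986 already; if both fail, start with the firewall before touching TrustedHosts.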

  • A Beginner’s Guide to Checksum

    A Beginner’s Guide to Checksum

    Are you wondering what a checksum is? You may have noticed that when you download files from certain websites, they have a very long string of numbers and letters called a checksum or MD5 checksum or SHA-1, etc. These really long strings basically act as fingerprints for that particular file, whether it be an EXE, ISO, ZIP, etc.

    Checksums are used to verify the integrity of a file after it has been transmitted from one storage device to another. This can be across the Internet or simply between two computers on the same network. Either way, if you want to ensure that the transmitted file is exactly the same as the source file, you can use a checksum.

    The checksum is calculated using a hash function and is normally posted along with the download. To verify the integrity of the file, a user calculates the checksum with a checksum calculator program and then compares the two to make sure they match.

    Checksums are used not only to detect corruption in transit, but also to detect tampering. When a good checksum algorithm is used, even a tiny change to the file results in a completely different checksum value. One limit to keep in mind: if the checksum is published on the same server as the download, an attacker who replaces the file can replace the checksum too. A checksum obtained from a second, independent source, or better a digital signature (GPG or Authenticode) verified against a key you already trust, covers that case.

    The most common checksums are MD5 and SHA-1, but practical collision attacks exist for both. This means an attacker can craft two different files that have the same hash, so a matching MD5 or SHA-1 value does not prove the file is the one the author meant to publish. Because of this, prefer a SHA-2 function such as SHA-256 (or SHA-3), for which no practical collision attack has been demonstrated.

    Most of the time you do not need to worry about checksums when downloading files off the Internet. However, if you are downloading something sensitive like anti-virus or privacy software like Tor, it is a good idea to verify the checksum (or the signature, where one is offered), because attackers do create malware-infested versions of critical software in order to gain full access to a system.

    Windows has a built-in checksum utility and it is very easy to use:

    certutil -hashfile pathToFileToCheck MD5

    It can also calculate MD2, MD4, MD5, SHA1, SHA256, SHA384 and SHA512. PowerShell 4.0 and later also has Get-FileHash, which defaults to SHA256 and is easier to use in scripts.

    Download Microsoft File Checksum Integrity Verifier

    The MD5 & SHA Checksum Utility is my favorite utility for working with checksums because it has all the features I need in the free version.
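    Comparing a hash by eye is error-prone (case, stray whitespace, the “sha256:” prefix some sites print). The function below is an added example (not part of the original post) that verifies a file against a published value with Get-FileHash, normalises the pasted value before comparing, and makes you opt in explicitly before accepting MD5 or SHA-1. The sample file and its expected hash are constructed inline so the example runs offline; the function name and parameters are my own.

```powershell
# Added example (not part of the original post). Verifies a download against a
# published hash with Get-FileHash, normalising case, whitespace and a leading
# 'algorithm:' label, and refusing MD5/SHA1 unless you opt in.
# The sample file and its expected hash are constructed inline for the demo.

function Test-FileChecksum {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Expected,
        [ValidateSet('MD5','SHA1','SHA256','SHA384','SHA512')][string]$Algorithm = 'SHA256',
        [switch]$AllowWeak   # MD5 and SHA1 are collision-prone; require an explicit opt-in
    )
    if (($Algorithm -in @('MD5','SHA1')) -and -not $AllowWeak) {
        throw "$Algorithm is not collision resistant; pass -AllowWeak only if the vendor publishes nothing stronger."
    }
    # Published hashes arrive as 'sha256: AB12...', in either case, with stray spaces.
    $want = ($Expected -replace '^\s*\w+\s*[:=]\s*', '' -replace '\s', '').ToLowerInvariant()
    $have = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash.ToLowerInvariant()
    [pscustomobject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Expected  = $want
        Actual    = $have
        Match     = ($want -eq $have)
    }
}

# Constructed sample: write a small file, take its SHA-256 as the "published"
# value, verify it, then flip one byte to show the mismatch.
$sample = Join-Path $env:TEMP 'checksum-demo.bin'
[IO.File]::WriteAllBytes($sample, [byte[]](0..255))
$published = (Get-FileHash -Path $sample -Algorithm SHA256).Hash   # stands in for the vendor's value

Test-FileChecksum -Path $sample -Expected "SHA256: $published"     # untampered file

$bytes = [IO.File]::ReadAllBytes($sample); $bytes[0] = 1
[IO.File]::WriteAllBytes($sample, $bytes)
Test-FileChecksum -Path $sample -Expected $published               # one byte changed
Remove-Item $sample
```

    The first call reports Match True and the second Match False; a single-byte change produces a completely different SHA-256, which is the property the section above describes. Treat a False as "do not run this file", not as a reason to retry the download until it matches.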

     

  • Reset Windows Server 2012 R2 RDS 120 Day Grace Period

    Reset Windows Server 2012 R2 RDS 120 Day Grace Period

    The RD Licensing grace period has expired and the service has not registered with a license server with installed licenses. A RD Licensing server is required for continuous operation. A Remote Desktop Session Host server can operate without a license server for 120 days after initial start up.

    The supported solution is to activate the RDS/TS CAL license server and point the Session Host at it with a User or Device licensing mode; that resolves the problem permanently. If you only need to reset the timer and get another 120 days of grace (in a lab, or while licensing is being sorted out), here is how:

    Delete the REG_BINARY value in:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

    To delete the value you must first take ownership of the GracePeriod key and give Administrators full control, since by default administrators cannot modify it.

    After a restart of the server, RDS will reset the grace period to 120 days.

  • No remote Desktop License Server available on RD Session Host server 2012 R2

    No remote Desktop License Server available on RD Session Host server 2012 R2

    A fully functional and activated 2012 R2 Remote Desktop Session Host server displayed the “No Remote Desktop License Server available” message. (The original post illustrates the steps below with screenshots; only the text is reproduced here.)

    This was a simple setup on one server with the connection broker, Session Host and Licensing server roles, and 2012 R2 CALs installed.

    Even though the licensing seemed to be configured correctly in Server Manager, in PowerShell and in the licensing diagnostics, the license manager showed something odd: no licenses were being used, on a server that had been in use since late 2012. Some interesting things could also be found in the event logs; the following events appear:

    EventID: 1130
    Source: TerminalServices-RemoteConnectionManager

    The Remote Desktop Session Host server does not have a Remote Desktop license server specified. To specify a license server for the Remote Desktop Session Host server, use the Remote Desktop Session Host Configuration tool.

    and:

    EventID: 1128
    Source: TerminalServices-RemoteConnectionManager

    The RD Licensing grace period has expired and the service has not registered with a license server with installed licenses. A RD Licensing server is required for continuous operation. A Remote Desktop Session Host server can operate without a license server for 120 days after initial start up.

    The solution was to delete the REG_BINARY value in

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

    leaving only the (Default) value.

    Note: you must take ownership of the key and give Administrators full control to be able to delete this value.

    After a reboot the server was working again and licenses were being used.

    Although everything seemed to be OK and configured correctly with valid licenses, the Session Host was evidently still running on its 120 day grace period, which had expired, rather than checking out CALs from the license server. Deleting the grace period value made it start over and, this time, register with the license server.

  • How To Get Rid Of Dell KACE Agent?

    How To Get Rid Of Dell KACE Agent?

    What is Dell KACE Agent?

    Unifies and automates non-computer and computer asset management processes from deployment to retirement, to facilitate such tasks as software and regulatory compliance.

    Uninstalling KACE can be a pain. Luckily there is a way thanks to wmic.

    This works for 32 and 64 bit machines.

    From an elevated Command Prompt or PowerShell:

    wmic product where "name like '%kace%'" call uninstall /nointeractive

    Two things to know before relying on this. First, querying Win32_Product (which is what wmic product does) makes Windows Installer run a consistency check on every MSI-installed product on the machine and repair anything it finds; it is slow and can change unrelated software, and a burst of MsiInstaller event ID 1035 (“Windows Installer reconfigured the product”) entries in the Application log is the usual sign. Second, wmic itself is deprecated and is being removed from Windows 11. Reading the product’s uninstall entry from the registry and calling msiexec directly avoids both problems.
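    The following is an added example (not part of the original post) of that registry-based approach: it finds the agent’s Windows Installer entry under the Uninstall keys (both the native and the WOW6432Node hives, so a 32-bit agent on 64-bit Windows is covered), runs msiexec /x with a log, and reports the exit code. It assumes the agent registered itself as an MSI product, that you run elevated, and that '*KACE*' is the display-name pattern you want; the function name is my own.

```powershell
# Added example (not part of the original post). Removes an MSI-installed product
# by display name via the Uninstall registry keys and msiexec, instead of going
# through Win32_Product/wmic. Assumptions: run elevated; the product registered
# itself with Windows Installer; '*KACE*' is the name pattern you want.

function Uninstall-MsiProductByName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$NamePattern,   # e.g. '*KACE*'
        [string]$LogDir = $env:TEMP
    )
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    # Only keys named with a product-code GUID are MSI products; others are
    # non-MSI installers whose UninstallString cannot be fed to msiexec.
    $products = Get-ChildItem $roots -ErrorAction SilentlyContinue | Get-ItemProperty |
        Where-Object { $_.DisplayName -like $NamePattern -and $_.PSChildName -match '^\{[0-9A-F-]{36}\}$' }

    if (-not $products) { Write-Warning "No MSI product matching '$NamePattern' found."; return }

    foreach ($p in $products) {
        $code = $p.PSChildName                      # product code, e.g. {55914E97-339E-4CB6-AACC-DE52DE9689D3}
        $log  = Join-Path $LogDir ('uninstall-' + ($code -replace '[{}]') + '.log')
        if ($PSCmdlet.ShouldProcess("$($p.DisplayName) $code", 'msiexec /x')) {
            # /qn = silent, /norestart = do not reboot, /l*v = verbose log for troubleshooting
            $proc = Start-Process msiexec.exe -ArgumentList "/x $code /qn /norestart /l*v `"$log`"" -Wait -PassThru
            [pscustomobject]@{
                Product  = $p.DisplayName
                Code     = $code
                ExitCode = $proc.ExitCode          # 0 = ok, 3010 = ok but reboot required, 1605 = not installed
                Log      = $log
            }
        }
    }
}

# Dry run first to see what would be removed, then the real thing.
Uninstall-MsiProductByName -NamePattern '*KACE*' -WhatIf
Uninstall-MsiProductByName -NamePattern '*KACE*'
```

    Stop the two KACE services listed in the tech notes below first if the uninstall reports files in use (exit code 1603 with the log pointing at a locked file); msiexec will otherwise schedule the removal for the next reboot.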

    Tech-notes:

    Details:

    URL: www.dell.com
    Help link: www.kace.com
    Installation folder: C:\Program Files\dell\kace
    Uninstaller: MsiExec.exe /I{55914E97-339E-4CB6-AACC-DE52DE9689D3}
    (The Windows Installer is used for the installation, maintenance, and removal.)
    Estimated size: 11.87 MB
    Language: English (United States)

    Behaviors:

    2 Services

    • ampagent.exe runs as a service named ‘Dell KACE Agent’ (AMPAgent) “Manages connections between agent and server.”.
    • kswmetersvc.exe runs as a service named ‘Dell KACE Software Meter’ (Dell KACE Software Meter) “Manages the Dell KACE Software Meter application”.

    2 Windows Firewall Allowed Programs

    • kinventory.exe is added as a firewall exception for ‘%ProgramFiles(x86)%\Dell\KACE\KInventory.exC:192.168.10.49:enableC:KACE Inventory’.
    • ampagent.exe is added as a firewall exception for ‘%ProgramFiles(x86)%\Dell\KACE\AMPAgent.exC:192.168.10.49:enableC:KACE Agent’.

    Files installed by KACE Agent:

    • mobileappinfo.dll – eSMART Agent (MobileAppInfo DLL (Captures/Returns Mobile Apps))
    • ampagent.exe – KACE Agent (AMP Service)
    • ampkickstart.exe – AMPKickstart
    • amptools.exe – AMPTools
    • kacecredentialprovider64.dll – KACE Credential Provider
    • kcopy.exe – KCopy
    • kdeploy.exe – KDeploy
    • kinventory.exe – KInventory
    • klaunch.exe – KLaunch
    • klaunchsvc.exe – KLaunchSvc
    • kswmetersvc.exe – KSWMeterSvc
    • kuseralert.exe – KUserAlert
    • kuseralertlang_de-de.dll
    • kuseralertlang_es-es.dll
    • kuseralertlang_es-la.dll
    • kuseralertlang_fr-fr.dll
    • kuseralertlang_it-it.dll
    • kuseralertlang_ja-jp.dll
    • kuseralertlang_pt-br.dll
    • kuseralertlang_zh-cn.dll
    • kuseralertlang_zh-tw.dll
    • kusrinit64.exe – KUsrInit Application
    • kwinimpl64.dll – KWinImpl Dynamic Link Library
    • plugindesktopalerts.dll – Desktop Alerts
    • pluginrunprocess.dll – Run Process
    • pluginweb.dll – Web
    • runkbot.exe – runkbot
    • inventory.exe (by Dell Inc) – Inventory (Inventory Application for x64 Platform)

  • Hack: Microsoft Outlook AutoComplete

    Hack: Microsoft Outlook AutoComplete

    Outlook maintains the AutoComplete list. The list is used by both the automatic name-checking feature and the automatic completion feature. The AutoComplete list, also known as the nickname cache, is generated automatically when you send email messages from Outlook. The list contains SMTP addresses, LegacyExchangeDN entries, and display names for people to whom you have sent mail previously.

    [su_note note_color=”#fafae8″]Note The AutoComplete list for Outlook is specific to Outlook and is not shared by Outlook Web App (OWA). OWA maintains its own AutoComplete list.[/su_note]

    The following sections provide information about the AutoComplete feature.

    Limit to the number of entries

    Outlook limits the number of entries that you can save in the AutoComplete list. After you reach this limit, Outlook uses an internal algorithm to determine the best names to remove from the list. It does this based on a usage weighting. Therefore, you may find some names unexpectedly removed from your nickname cache. There are two general approaches that you can use to avoid this situation:

    1. You can proactively remove AutoComplete list entries that you no longer need. This is the preferred approach. For more information about how to do this, see the section titled “How to remove AutoComplete list entries one at a time.”
    2. You can increase the limit for the nickname cache. If you have a larger nickname cache, you could also lose a larger number of cached entries if your nickname cache becomes unusable because of corruption.

    The limits are as follows:

    • Outlook 2016: 1,000 entries
    • Outlook 2013: 1,000 entries
    • Outlook 2010: 1,000 entries
    • Outlook 2007: 2,000 entries
    • Outlook 2003: 1,000 entries

    How to enable the AutoComplete feature

    Outlook 2010, Outlook 2013, and Outlook 2016

    To access the AutoComplete setting, follow these steps:

    • On the File menu, click Options.
    • Select the Mail tab.
    • Scroll approximately halfway down until you see Send messages. Make sure that the Use Auto-Complete List to suggest names when typing in the To, Cc, and Bcc lines box is checked. If you need to disable Auto-Complete uncheck the box.

    How to import .nk2 files into Outlook 2010, Outlook 2013, and Outlook 2016

    Microsoft Office Outlook 2007 and earlier versions store the AutoComplete list in a nickname (.nk2) file on disk. Outlook 2010, Outlook 2013, and Outlook 2016 store the AutoComplete list as a hidden message in your primary message store. Outlook 2010, Outlook 2013, and Outlook 2016 let you import the older .nk2 files.

    For more information about how to import .nk2 files in Outlook 2010, go to the following Microsoft website:

     

    How to import .nk2 files into Outlook 2013 or Outlook 2016

    When you start Microsoft Outlook 2013 or Outlook 2016 for the first time, your nickname cache (stored in the  profilename.nk2 file) is imported into a hidden message in your default message store.

    [su_note note_color=”#fafae8″]Note profilename is the name of your Outlook profile.[/su_note]

    For example, if you are using a Microsoft Exchange account, the nickname cache is imported into a hidden message in the Exchange mailbox.

    Note Outlook 2007 and earlier versions store the nickname cache .nk2 file in the following folder.

    • Windows XP
      Drive:\Documents and Settings\Username\Application Data\Microsoft\Outlook
    • Windows Vista and later versions
      Drive:\Users\Username\AppData\Roaming\Microsoft\Outlook

    After the nickname cache is imported, the profilename.nk2 file is renamed to profilename.nk2.old. On the next start of Outlook, your nickname cache is not imported. Outlook 2013 and Outlook 2016 do not use the .nk2 file for maintaining your nickname cache. All updates to your nickname cache in Outlook 2013 and Outlook 2016 are made to the hidden message in your default message store.

    Note If you have multiple Outlook profiles, the nickname cache from each profile is merged into your new Outlook 2013 or Outlook 2016 nickname cache on the first start of Outlook by using that profile. Therefore, you may find more than one .nk2 file renamed to .nk2.old.

    However, there may be situations where you have to import a nickname cache file after this first-run nickname cache import process has finished. For example, a colleague wants to share their nickname cache with you and you want to update your existing nickname cache with your colleague’s data.

    To import .nk2 files into Outlook 2013 or Outlook 2016, follow these steps:

    • Make sure that the .nk2 file is in the following folder:
      %appdata%\Microsoft\Outlook

      Note The .nk2 file must have the same name as your current Outlook 2013 or Outlook 2016 profile. By default, the profile name is “Outlook.” To check the profile name, follow these steps:

      1. Click Start, and then click Control Panel.
      2. Double-click Mail.
      3. In the Mail Setup dialog box, click Show Profiles.
    • Click Start, and then click Run.
    • In the Open box, type outlook.exe /importnk2, and then click OK. This should import the .nk2 file into the Outlook profile.

    [su_note note_color=”#fafae8″]Note After you import the .nk2 file, the contents of the file are merged into the existing nickname cache that is currently stored in your mailbox.[/su_note]

    [su_note note_color=”#fafae8″] Note The .nk2 file is renamed with a .old file name extension on the first start of Outlook 2013 or Outlook 2016. Therefore, if you try to re-import the .nk2 file, remove the .old file name extension.[/su_note]

    How to copy the AutoComplete list

    The steps to export and import the AutoComplete list are different, depending on the version of Outlook that you are using.

    Outlook 2010, Outlook 2013, and Outlook 2016

    To copy the AutoComplete list in Outlook 2010, Outlook 2013, and Outlook 2016, follow these steps:

    [su_note note_color=”#fafae8″]Note: Please make sure that you are using the MFCMAPI build that matches the bitness of your Outlook installation (x86 or x64); a mismatched build cannot load the MAPI subsystem.[/su_note]

    Step 1

    To export the AutoComplete mailbox message, follow these steps:

    1. Exit Outlook, and then close Outlook Web Access or Outlook Web App (OWA) on all workstations that are connected to your mailbox.
    2. Download and install MFCMAPI from http://mfcmapi.codeplex.com (the project has since moved to https://github.com/stephenegriffin/mfcmapi).
    3. Run mfcmapi.exe.
    4. On the Session menu, click Logon.

    5. If you are prompted for a profile, select the desired profile name, and then click OK.

    6. In the top pane, locate the line that corresponds to your mailbox, and then double-click it.
    7. In the left-side navigation pane, expand Root Container, and then expand Top of Information Store or IPM_SUBTREE.
    8. Right-click the Inbox folder, and then click Open Associated Content Table. This action opens a new MFCMAPI window that contains various properties.

    9. Under the Subject column, right-click the item that has the subject IPM.Configuration.Autocomplete, and then click Export Message. This action opens the Save Message To File window.

    10. In the drop-down list, select MSG file (UNICODE), and then click OK.
    11. Select a folder location to which you want to save the message, and then click Save. Note this location.

    Step 2

    To import the AutoComplete mailbox message, follow these steps.

    1. Exit Outlook, and then close Outlook Web Access or Outlook Web App (OWA) on all workstations that are connected to your mailbox.
    2. Download and install MFCMAPI from http://mfcmapi.codeplex.com (the project has since moved to https://github.com/stephenegriffin/mfcmapi).
    3. Run mfcmapi.exe.
    4. On the Session menu, click Logon.
    5. If you are prompted for a profile, select the desired profile name, and then click OK.
    6. In the top pane, locate the line that corresponds to your mailbox, and then double-click it.
    7. In the left-side navigation pane, expand Root – Mailbox, and then expand Top of Information Store or IPM_SUBTREE.
    8. Right-click the Inbox folder, and then click Open Associated Content Table. This action opens a new MFCMAPI window that contains various properties.
    9. To avoid duplicate entries, you must delete the existing AutoComplete message.

      [su_note note_color=”#fafae8″]Note: Before you delete the IPM.Configuration.Autocomplete message, you must export the message.[/su_note]

      To delete the existing AutoComplete message, follow these steps:

      1. In the Subject column, locate the item that has the subject IPM.Configuration.Autocomplete.
      2. Right-click the item, and then click Delete message. This opens the Delete Item window.
      3. In the drop-down list, select Permanent deletion (deletes to deleted item retention if supported), and then click OK.
      4. On the Folder menu, click Import, and then click From MSG.

      5. Locate the .msg file that you saved in step 11 of Step 1 (the export procedure above), and then click OK.
      6. In the Load MSG window that appears, select Load message into current folder in the Load style list, and then click OK.

    The AutoComplete information is imported from the IPM.Configuration.Autocomplete_<hexadecimal code>.msg , where the placeholder<hexadecimal code>  represents a long string of numbers and letters.

    How to remove AutoComplete list entries one at a time

    To remove entries from the AutoComplete cache one entry at a time, follow these steps:

    1. Open a new email message.
    2. Type the first few characters of the AutoComplete entry that you want to remove.
    3. When the entry appears in the list of suggested names, move your mouse pointer over the name until it becomes highlighted, but do not click the name.
    4. When the “X” icon appears next to the highlighted name, click X to remove the name from the list, or press the Delete key on the keyboard.

    How to clear the whole AutoComplete list

    This section explains how to delete the AutoComplete list.

    Outlook 2010, Outlook 2013, and Outlook 2016

    Use one of the following two methods to delete the AutoComplete list in Outlook 2010, Outlook 2013, and Outlook 2016.

    Method 1

    1. Open Outlook.
    2. On the File tab, click Options.
    3. Click the Mail tab.
    4. Under Send Messages, click Empty Auto-Complete List.

    5. Click Yes.

    Method 2

    Start Outlook by using the /CleanAutoCompleteCache switch. To do this, follow these steps:

    1. Click Start, and then click Run.
    2. Type Outlook.exe /CleanAutoCompleteCache.

      Note: If Outlook is not installed in the default location, you must point to the full path of Outlook.exe.

    Filling the Auto-Complete list with Contact addresses

    You can directly fill the list again by creating a new message addressed to all your contacts at once.

    1. Place Outlook in ‘Work Offline’ mode (see instructions below)
    2. Create a new message.
    3. Press the To… button.
    4. In the top right corner, select the contact list from which you would like to add the contacts.
      Examples: the Contacts folder, the Global Address List (GAL), or a contacts folder in a Public Folder.
    5. Select the first contact.
    6. Scroll all the way down to your last contact.
    7. Hold the SHIFT button on your keyboard while clicking on the last contact to select them all.
    8. Press the To –> button to add them all to the To… field.
    9. Repeat steps 3 to 7 if you have contacts in additional lists that you would like to add.
    10. Press OK to close the dialog and to return to the newly created message.
    11. Now when you address a new message the AutoSuggest/Auto-Complete feature will pop-up again.

    For Outlook 2010, Outlook 2013 and Outlook 2016, you must send the message to actually store these addresses in the AutoSuggest cache. However, by placing Outlook in Offline Mode first via the Send/Receive tab, you can easily prevent the message from actually being sent: remove it from the Outbox and then place Outlook back in Online Mode.

    Working in Offline Mode

    This is fairly simple for folks that don't know.

    The main confusion is about the Work Offline icon displayed on the Send/Receive tab in the Ribbon in Outlook 2010 and Outlook 2013; you'll find a globe with a red cross in front of it. This doesn't mean you are in Offline Mode, as the icon always looks like this. The icon doesn't change to, for instance, a globe without a red cross when you are Online.

    When you actually are in Offline Mode, the icon is shown highlighted (as seen below, when using a black color theme for Office 2016) and your Status Bar will also show "Working Offline". Clicking the icon then brings you back to Online Mode.

    Status Bar:

    POP3 Accounts:

    When you are using a POP3 account, you can reuse your original pst-file on another computer or when reconfiguring the account without losing your AutoComplete cache. However, it is important that you do this in the correct way or the list will still be lost.

  • Creating Security Groups for File Shares in Bulk using PowerShell

    Creating Security Groups for File Shares in Bulk using PowerShell

    Security Groups are great for managing permissions for large groups of users. A client requested Read-Only, Read-Write, and Read-Modify (allows deleting) groups for all their file shares for better management.

    Getting the Share Names

    In order for me to create the groups I needed the share names. PowerShell to the rescue!

    Type the following on the file server/cluster to list all the shares and capture the output in a text file (Get-WmiObject with the Win32_Share class; the FQDN is a placeholder for your own server):

    Get-WmiObject -Class Win32_Share -ComputerName <yourfileserver.fqdn> | Out-File c:\scripts\shares.txt

    Note: On your file server you may have a lot of shares, but for example purposes I am showing just one.

    Output should be similar to:

    Cleaning up the Share Names

    Now that we have the Share names we need to do a bit of cleanup to avoid having duplicates.

    • We need to remove all entries for hidden shares “$”
    • We need to remove duplicates
    • We need to change the case of the share names to lower case (I prefer lowercase, but you can decide what best fits your needs)

    Follow my guide to removing duplicates in a text file using NotePad++

    Once the share names are clean, save them to a text file.

    Client Requirement for the Security Groups:

    For each file share there are three security groups needed:

    • <Sharename>_RO : Read-Only
    • <Sharename>_RW : Read & Write
    • <Sharename>_RM : Read & Modify

    For PowerShell to do this I needed to create a .CSV file with all the security group entries. Now, there are many ways this can be done. I will share what I have been doing.

    Open up Microsoft Excel and paste the share names into a column to the right (let's say starting at K2).

    Now in cell A2 your value should be =CONCATENATE(K2,"_RW"); drag it down to fill the column.

    It should look something like this:

    Do the same for RO & RM. Now you have all the security groups names you need to create.

    Create a file called FileShares_Groups.csv using the following format (the creation script reads the columns GroupName, GroupCategory, GroupScope and OU).
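As an added example (not the post's own script), the whole share-collection, cleanup and CSV-generation procedure above can be done in PowerShell instead of Notepad++ and Excel, dropping hidden "$" shares and duplicates and writing the same GroupName/GroupCategory/GroupScope/OU columns the creation script reads. The file server FQDN, the target OU and the DomainLocal scope are placeholders and assumptions you will need to adjust.

```powershell
# Added example: build FileShares_Groups.csv from Win32_Share output.
# Assumptions (placeholders): the file server FQDN, the OU distinguished name
# and DomainLocal as the group scope for resource access groups.
param(
    [string]$FileServer = 'fileserver.contoso.local',                # placeholder FQDN
    [string]$OU         = 'OU=FileShareGroups,DC=contoso,DC=local',  # placeholder OU
    [string]$OutCsv     = 'C:\scripts\FileShares_Groups.csv'
)

# 1. Collect share names. Type 0 = disk share; this skips print/IPC shares and
#    the administrative shares (C$, ADMIN$), and '*$' drops any other hidden share.
$shares = Get-WmiObject -Class Win32_Share -ComputerName $FileServer |
    Where-Object { $_.Type -eq 0 -and $_.Name -notlike '*$' } |
    Select-Object -ExpandProperty Name

# 2. Clean up: lowercase, then remove duplicates.
$clean = $shares | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

# 3. Three groups per share, as the client requirement lists them.
$suffixes = [ordered]@{ RO = 'Read-Only'; RW = 'Read & Write'; RM = 'Read & Modify' }

$rows = foreach ($share in $clean) {
    foreach ($suffix in $suffixes.Keys) {
        [pscustomobject]@{
            GroupName     = "${share}_$suffix"     # braces keep "_" out of the variable name
            GroupCategory = 'Security'
            GroupScope    = 'DomainLocal'          # assumption: domain local for ACL groups
            OU            = $OU
            # Extra column, ignored by the creation script but useful when auditing groups later
            Description   = "$($suffixes[$suffix]) access to \\$FileServer\$share"
        }
    }
}

$rows | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($rows.Count) group definitions for $($clean.Count) shares to $OutCsv"
```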

    Create the file Create Security Groups for File Shares.ps1

    <#
    .NOTES
    	File Name: Create Security Groups for File Shares.ps1
    	Author: Mohammed Wasay
    	Contact Info:
    		Website:www.mowasay.com
    		Twitter:@wasay
    	Requires:
    	Tested:
    .PARAMETER
        None
    
    .EXAMPLE
        .\Create Security Groups for File Shares.ps1
    #>
    # Import the Active Directory module (requires the RSAT / AD DS PowerShell tools)
    Import-Module ActiveDirectory
    
    # Expected CSV columns: GroupName, GroupCategory, GroupScope, OU
    $csv = Import-Csv -Path "c:\scripts\FileShares_Groups.csv"
    
    ForEach ($item In $csv)
        {
            try
            {
                # -ErrorAction Stop makes a failed creation (e.g. the group already exists) a catchable error,
                # so the success message below is only printed when the group was really created
                New-ADGroup -Name $item.GroupName -GroupCategory $item.GroupCategory -GroupScope $item.GroupScope -Path $item.OU -ErrorAction Stop
                Write-Host -ForegroundColor Green "Group $($item.GroupName) created!"
            }
            catch
            {
                Write-Host -ForegroundColor Red "Group $($item.GroupName) NOT created: $($_.Exception.Message)"
            }
        }

    Copy the two files, FileShares_Groups.csv and Create Security Groups for File Shares.ps1, into a folder called C:\scripts on the Domain Controller.

    Run the PowerShell script and see the security groups get created.