active

Force synchronization for DFSR-replicated SYSVOL

Posted on April 22, 2020 by Active Directory Windows

One of my clients had a problem with processing GPO on client computers. Different computers applied different settings from the same GPO but from different domain controllers. All tests related to replication was successful, all GPOs are applied, but replication between domain controllers was a problem, and because of that most clients had a different GPO configuration.

I had a similar problem with a newly promoted domain controller which I previously blogged about here.

Scenarios where this problem typically occurs:

  • Replication was moved  from FRS to DFSR
  • Demoting an old domain controller in the environment
  • When there is a problem with the DFS replication of the SYSVOL folder

To solve this problem, I had to manually perform an authoritative synchronization between the domain controllers.

I am including steps for authoritative and non-authoritative synchronization, but before we get started we need to see the state of the replication.

Steps:

  1. Find the state of the replication state. Typically the problem DCs will be at 0 or 2. The goal is to get to state 4.
  2. Get to State 2
  3. Get to State 4

Find the state of the replication of all DCs

The states should translate as below

0 = Uninitialized
1 = Initialized
2 = Initial Sync
3 = Auto Recovery
4 = Normal
5 = In Error

Non-authoritative synchronization of DFSR-replicated SYSVOL

  • Stop the DFS Replication service ( net stop dfsr).
  • In the ADSIEDIT.MSC tool modify the following distinguished name (DN) value and attribute on each of the domain controllers that you want to make non-authoritative:
    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
    msDFSR-Enabled=FALSE
  • Force Active Directory replication throughout the domain  ( repadmin /syncall primary_dc_name /APed )
  • Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:
    DFSRDIAG POLLAD 
  • You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated (Open up event viewer and navigate to Applications and Services Logs -> DFS Replication).
  • On the same DN from Step 1, set:
    msDFSR-Enabled=TRUE
  • Force Active Directory replication throughout the domain ( repadmin /syncall primary_dc_name /APed).
  • Start the DFS Replication service ( net start dfsr).
  • Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:
  • You will see Event ID 4614 and 4604 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done non-authoritative sync of SYSVOL.
  • Run Wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo get replicationgroupname,replicatedfoldername,stat and make sure the state is at 4. If it is at 2, it may take some time to reach state 4. Wait a few minutes and try again until all DCs are at state 4.

Authoritative synchronization of DFSR-replicated SYSVOL

  1. Find the PDC Emulator (Elevated Command Prompt: netdom query fsmo ) – which is usually the most up to date for SYSVOL contents. Or the server holding all the policies and scripts. Consider this the primary server.
  2. Stop the DFS Replication service ( net stop dfsr) on the primary server.
  3. On the primary server, In the ADSIEDIT.MSC tool, modify the following DN and two attributes to make authoritative:
    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
    msDFSR-Enabled=FALSE
    msDFSR-options=1
  4. Modify the following DN and single attribute on all other domain controllers in that domain:
    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
    msDFSR-Enabled=FALSE
  5. Force Active Directory replication throughout the domain and validate its success on all DCs ( repadmin /syncall primary_dc_name /APed). Probably need to run the same command 3-4 times.
  6. Start the DFSR service set as authoritative ( net start dfsr) on the primary DC.
  7. You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated (Open up event viewer and navigate to Applications and Services Logs -> DFS Replication).
  8. On the same DN from Step 1, set:
    msDFSR-Enabled=TRUE
  9. Force Active Directory replication throughout the domain and validate its success on all DCs ( repadmin /syncall primary_dc_name /APed ). Probably need to run the same command 3-4 times.
  10. Run the following command from an elevated command prompt on the same server that you set as authoritative (primary server):
    DFSRDIAG POLLAD 
  11. Wait a few minutes you will see Event ID 4602 in the DFSR event log (Open up event viewer and navigate to Applications and Services Logs -> DFS Replication) indicating SYSVOL has been initialized. That domain controller has now done an authoritative sync of SYSVOL.
  12. Start the DFSR service on the other non-authoritative DCs ( net start dfsr). You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated on each of them.
  13. Modify the following DN and single attribute on all other domain controllers in that domain:
    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
    msDFSR-Enabled=TRUE
  14. Run the following command from an elevated command prompt on all non-authoritative DCs (i.e. all but the formerly authoritative one):
  15. Verify you see Event ID 2002 and 4602 on all other domain controllers.
  16. Run Wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo get replicationgroupname,replicatedfoldername,stat and make sure the state is at 4. If it is at 2, it may take some time to reach state 4. Wait a few minutes and try again until all DCs are at state 4.
If setting the authoritative flag on one DC, you must non-authoritatively synchronize all other DCs in the domain. Otherwise, you will see conflicts on DCs, originating from any DCs where you did not set auth/non-auth and restarted the DFSR service. For example, if all logon scripts were accidentally deleted and a manual copy of them was placed back on the PDC Emulator role holder, making that server authoritative and all other servers non-authoritative would guarantee success and prevent conflicts. If making any DC authoritative, the PDC Emulator as authoritative is preferable, since its SYSVOL contents are usually most up to date. The use of the authoritative flag is only necessary if you need to force synchronization of all DCs. If only repairing one DC, simply make it non-authoritative and do not touch other servers. This article is designed with a 2-DC environment in mind, for simplicity of description. If you had more than one affected DC, expand the steps to includeALL of those as well. It also assumes you have the ability to restore data that was deleted, overwritten, damaged, etc. previously if this is a disaster recovery scenario on all DCs in the domain.

After these actions, all problems with GPO processing and SYSVOL replication disappeared. 🙂

Get Primary, Secondary, Tertiary DNS values and more from Multiple Servers

Posted on February 13, 2020 by Azure PowerShell Windows

Came across a unique request to get primary, secondary, and tertiary DNS values for multiple computers/servers across the domain. I started writing the script and got what I wanted.

Now this started off as just to query for DNS Server information, but then I thought to add other pieces to get myself a good Network Inventory of all the servers in the environment.

I am utilizing the Win32_NetworkAdapterConfiguration WMI Class to get the required information.

You can modify the script below to suit your needs. The complete list of settings that can be captured:

Since the scripts are querying for information it is best if it runs from a DC or a privileged server with an account that has privileged access.

To get the results you need the following two scripts:

Get-NetworkInfo.ps1:

I needed to get all the network information for all the domain controllers in the domain. So the following code retrieves it for me. This came really handy in viewing all the DNS settings setup on all the DCs and correcting them if needed.

Get-Remote-NetworkInfo.ps1

This will get the information and export to an excel file that you can have handy for reference or auditing. Hope this helps!

Fix Active Directory broken security inheritance problem

Posted on August 8, 2019 by PowerShell Windows

Ran into a situation at a client location where in Active Directory, the security permissions applied to an OU were not getting inherited permissions on to the objects. Basically, security inheritance was broken.This causes a problem when the administrative accounts or groups needing to modify an attribute on the AD object throw errors, or are unable to edit the AD object.

To find out which objects were not getting the inherited permissions run the following :

I ran it on the entire domain to identity potential problem accounts. 🙂

To fix the issue:

Reference:

https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.objectsecurity.areaccessrulesprotected?view=netframework-4.8
https://blogs.msdn.microsoft.com/adpowershell/2009/10/22/viewconfigure-protected-acl-and-fixing-broken-inheritance/

Force Replication of all Domain Controllers on all Sites

Posted on September 14, 2018 by PowerShell Windows

If you want to replicate all Domain Controllers, then you have to start replication on each of them separately. This may take a while. To save time there is an easier way to force replication on all Domain Controllers of all Active Directory Sites.

Log on to one of your Domain Controllers. Start Windows PowerShell with administrative privileges. Using the Get-ADDomain cmdlet we can get the domain name and the domain partition.

Now depending on the size of your environment the results may take some time to appear. The final output should be something like this:

 

NSLookup still showing IP of demoted Domain Controller

Posted on March 23, 2018 by Windows

So had an interesting issue today where a Domain Controller (DC) was demoted yet the IP of the demoted DC was still showing up when running nslookup internaldomain.local

Demoted DC: MWDC04 / IP: 10.14.111.111

I had done the metadata cleanup and tried many suggestions when googling the subject. To my surprise none of the solutions I found worked.

I had removed the IP address from the Primary DNS Server and saw entries for:

(same as parent folder) Host(A)  10.14.111.111
(same as parent folder) NameServer (NS)  10.14.111.111

I also looked under internaldomain.local > _msdcs and deleted entries from there.

After clearing the cache and waiting for replication, did a nslookup again and the IP was still there.

Well, there are some good and bad things about Microsoft DNS.

The BAD:

You cannot search DNS values in DNS Management. You are limited to searching just the names.

THE GOOD:

All DNS entries are stored in a flat file on the DNS Server “C:\WINDOWS\system32\dns\internaldomain.local.dns” (The default location). JACKPOT!

I opened it up in Notepad++, did a search for IP and DNS name of the demoted server(MWDC04-10.14.111.111) and started deleting matched entries. I was so surprised to find entries that were deeply buried under “domaindnszones” & “forestdnszones” and a few other subzones.

Cleared the cache again and waited for replication. Once replication completed I tried nslookup internaldomain.local and this time it didn’t list the demoted DC anymore.

I hope this saves others time, because finding a record in DNS might be like searching for a needle in a haystack!

Speed up Active Directory & DNS replication between Sites

Posted on August 8, 2017 by Windows

Using the standard GUI Microsoft Management Consoles to make the change to speed up Active Directory replication is not possible. The best result of using administrator consoles will be to increase domain replication between domain controllers to 15 minutes. These large time values were instituted into Active Directory at version 1 because inter-site connections during that era of computing and networking were much lower in bandwidth with the most common being frame-relay or 56k circuits. Since then, inter-site connections and the Internet speeds have increased tremendously so faster domain controller replication is possible even over wan links.

Fast Intersite Replication Interval – Speed up DC Replication, Updates are in Seconds

To enabled faster Intersite Replication, to nearly the speed of intra-site or LAN replication, use ADSI Edit.
Start ADSI edit and go to
Configuration > then Sites > Inter Site Transports > IP.
Note this setting cannot be enabled for SMTP InterSite links.
Unless it has been renamed, right click on  the default Intersite link and choose properties. Then scroll down to the options line. Double-click and change the value to 1 if it has a value .
 <not set> is the default unless this option has been previously modified.  Once changed to 1, click OK twice to save and close the properties window.
Force a replication using Sites and Services so this setting get pushed/pulled to the other domain controllers.
Test by creating a couple of test accounts in AD.
Check your other domain controller or controllers for the new account. You will see it appear in seconds.

The Lazy Way To Do Active Directory Inventory

Posted on June 14, 2017 by Windows

From time to time admins have to run an inventory of what is running in the AD environment. This is a good practice for audits, inventory, removing decommissioned servers, or any other good reason. The details that are required are like when was computer/ server created, when was it last logged into, what is the OS, Service Pack, and OU details if any organization was done in structuring the OU.

Luckily PowerShell can provide all of that information in a nice .csv file which can be later edited in Excel to do filtering as needed.

Open up PowerShell in Admin mode on the DC or create a session if doing this remotely.

Result:

Adding a security group to the Local Administrator Group in AD

Posted on June 6, 2017 by Windows

Having a local administrator of your workstations can come in handy. Sometimes you might need to logon locally to troubleshoot or rejoin a computer to your domain. You can create a group policy that creates a local admin users and sets the local password.

Admins make a common mistake when they want to add a security group the Local Administrator group for a particular set of machines or domain wide. The mistake they make is creating a restricted access group vs. just adding to the existing Administrators Group. The result it that it wipes out any existing Local Administrator permissions or memberships.

This can be accomplished with a Simple GPO.

I will cover both methods for clarification. First I will cover the correct way to add. The Second Method is how to add a restricted group.

Correct Way

CREATE THE SECURITY GROUP

  1. Open Active Directory Users and Computers
  2. Select your Security Group OU
  3. Right Click and select New > Group
  4. Give the Group a name, I used “AUTOMATION”

CREATE THE GPO

  1. Launch Group Policy Management Console.
  2. Right click the OU that you want the GPO to apply to.
  3. Select “Create a GPO…”
  4. This will Launch Group Policy Editor.
  5. Navigate to: Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
  6. Right Click in the blank area and select New > Local Group > Administrators (Built-in)
  7. Action: Update (This is the most important part).
  8. Add the needed security group. I have added my AUTOMATION Security Group.
  9. Click Apply.
  10. Click OK.
  11. Apply the GPO to the root of the domain OR the appropriate OU.

Incorrect Way (This is how you would create a Restricted Access Group)

Reason this is incorrect: This will wipe out any existing memberships of the Local Administrator Group. 

If you want certain members to be local administrators of computers, you can do it through Group Policy. The idea here is to create a Local Admin security group and then a GPO that adds that security group to the local Administrators group of the computer.

CREATE THE SECURITY GROUP

  1. Open Active Directory Users and Computers
  2. Select your Security Group OU
  3. Right Click and select New > Group
  4. Give the Group a name, I used “SG – Local Admins”

CREATE THE GPO

  1. Open Group Policy Management Console.
  2. Right click the OU that contains the systems you want to set the local admin on
  3. Select “Create a GPO in this domain, and Link it here…”
  4. Name the GPO. I used “Set Local Administrators”
  5. Right Click the GPO and select Edit.
  6. Set the following:
    1. Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
    2. Right Click and select “Add Group…”
    3. Select browse and add the Administrators group
    4. Select OK
    5. Double click Administrators
    6. Select Add for “Members of this group:”
    7. Browse and find your security group. I added “SG – Local Admins”

That should be it. Now you can set which users of the domain are local administrators of their computers.

Connecting to a remote domain controller using PowerShell

Posted on April 25, 2017 by PowerShell Windows

Covering one of the basic day to day task if you are a Windows Administrator; connecting to the domain controller.  I try to minimize logging onto servers as much as possible.  Your thought should be around connecting to the server remotely and doing the work as needed instead of natively logging on to it.

I will be discussing two approaches below to connect to a domain controller:

  1. Connecting from a client machine on the same domain
  2. Connecting from a client machine on a different domain or a workstation/server

Before we get started, and regardless of which approach you take below, the following will need to be installed on the client Windows machine. Primarily you need to get the Active Directory Module for Windows PowerShell installed.

Installing the Active Directory Module

GUI:

The Active Directory for Windows PowerShell is already built-in into Windows Server operating systems (starting from Windows Server 2008 R2), but it is not enabled by default.

On Windows Server 2016, you can install the AD for PowerShell module from the Server Manager (Add Roles and Features -> Features -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> Active Directory module for Windows PowerShell).

PowerShell:

You can also install the module from the PowerShell console using the command:

The RSAT-AD-PowerShell can be installed not only on the domain controllers, but also on any domain member server or even a workstation. The PowerShell Active Directory Module is installed automatically when you deploying the Active Directory Domain Services (AD DS) role (when promoting server to AD domain controller).

Approach 1: Connecting from a client machine on the same domain

First step you need to do is find all of your domain controllers and allow remote connections to it.

Logon to your one of your domain controllers and open up PowerShell:

You need to do this once on each domain controller so you can remotely connect to each one of them at a later time.

You can read more about WinRM here.

Alternatively, the following command can be ran in an elevated Powershell console on the DC. This enables WinRM and configures the firewall so that it can accept incoming commands.

Once that is done you are ready to connect to your domain controller.

Make sure your system is configured to run PowerShell scripts.

Copy the content below and paste it into your PowerShell Editor. Rename your value of “yourdomaincontroller” to your actual DC Server name.

Now all command you enter will be applied to the DC.

To check if your connection is successful. Try the command below to get a list of all of your domain controllers.

Approach 2: Connecting from a client machine on a different domain or a workstation

Windows Remoting works perfectly for same domain situations, and the set-up is relatively straight-forward. It’s extremely powerful when it works, and offers a highly flexible way to securely execute commands remotely.

Problems arise however when trying to use WinRM in mixed domain environments, or where only one machine is on a domain. This requires some additional configuration steps outlined below.

Logon to your one of your domain controllers and open up PowerShell and run the following:

The following registry key needs to be added to the target domain controllers:

Make sure the ports are open:

By default, WS-Man and PowerShell remoting use port 5985 and 5986 for connections over HTTP and HTTPS, respectively.

The module is interacting with AD through the Active Directory Web Service that must be installed on your domain controller (communication is performed over the TCP port 9389).

In some environments, you may need to check if the server authentication certs are valid and not expired. Also, in some situations I have seen that if the client is not resolving the FQDN, it is because the DNSzone doesn’t exist in the source domain. Either the zone can be added, or the host file can be modified to add the DC’s FQDN.

Trusted Hosts:

Adding the client IP or name can help avoid errors.

Depending on your environment and what is allowed or not one of the following should work for your situation.

View the computers of TrustedHosts list

To view the list of TrustedHosts added to the machine, type the following command. By default, its value is blank.

Add all computers to the TrustedHosts list

Using the Set-Item cmdlet and the wildcard you can add all the computers to the TrustedHosts list with the following command.

Add all domain computers to the TrustedHosts list

In the following command, replace .yourdomain.com with your own domain name.

Add specific computers to the TrustedHosts list

You can add specific computers you choose based on their hostname by separating them with a comma (,) using the following command.

Where ComputerName can be in the Server01 or Server01.yourdomain.com format

Add a computer to an existing list of TrustedHosts

If you have already added some computers to the TrustedHosts list and want to add an additional computer, without deleting the previous entries, you should use the following method. This is because the TrustedHosts list is updated based on the last Set-Item command you have run overwriting the previous entries.

Use the following command to save the current TrustedHosts computer list to a curList variable.

To add a computer to the current list, type the following command by specifying both the variable you created and the computer name you are going to add.

Alternatively, to avoid using a variable, add the -Concatenate switch to the Set-Item command to add both new and previous entries. For example:

Add computers to the TrustedHosts list using the IP address

Similarly to the previous commands, you can use an IPv4 or IPv6 address. In the case of IPv6, you have to type the address between [].

Add computers to the TrustedHosts list using multiple IP address (Most common)

Another way to add trusted hosts is via an elevated Command Prompt:

Importing the AD Module:

Before using any cmdlets of the Active Directory module, you need to import it to your PowerShell session (on Windows Server 2012 R2/ Windows 8.1 and newer the module is imported automatically).

With this configuration, it’s now possible to authenticate and execute a command remotely with explicit credentials.

Lets check if it is working:

It WORKS! 🙂

Common Errors & Solutions:

Error: WinRM service started.  Set-WSManQuickConfig : <f:WSManFault…. WinRM firewall exception will not work since one of the network connection types on this machine is set to Public…… Change the network connection type to either Domain or Private and try again.

Solution: 

Explanation:

The above error message indicates that we have set the network to Public in order to enable PowerShell Remoting. Several ways exist to change the connection type. For some reason that only Microsoft knows, you can’t do this in the Network and Sharing Center.

 

Error: Enter-PSSession : Connecting to remote server 10.0.2.33 failed with the following error message : The WinRM client cannot process the request….

Solution:

Explanation:

In an Active Directory environment, you can just use the computer name to connect to a remote machine. If you remotely connect to a standalone machine, you usually have to use the IP address instead. If you try to connect to the remote computer with the Enter-PSSession cmdlet using the IP address of the remote machine, PowerShell will throw the above error.

Error: Cannot connect to host…

Solution:

Check with your network/ firewall team if  the port 5985, 5986, and 9389 are open.

Explanation: 

Most of the times the ports are overlooked and are the root cause as to why the connection is not working

Cleaning up Office365 Groups Mess

Posted on February 23, 2017 by Azure Office 365 SharePoint

Office 365 Groups are a shared workspace for email, conversations, files, and events where group members can collectively get stuff done. It compliments the introduction of Microsoft Teams. The main thing to keep in mind is that this feature is still evolving.

Why is it important to control Office 365 Group creation?

This feature is enabled by default. So its better to put restrictions in place or later clean up sites, groups, permissions set by organization users.

Which Group?

SharePoint frequently reuses terms, which often makes conversations and forum posts a lot of fun. There’s at least three “Groups” in Office 365:

  • Active Directory Groups: Groups at the AD level. Outside of SharePoint. Useable across all site collections, and other applications. A “Sales Managers” AD group can be created once, updated in one place and used across all site collections in the tenant.
  • SharePoint Groups: Collections of users (people) and AD groups. Scoped to a single site collection. A “Sales Managers” SharePoint group would need to be created in each of the site collections and all updates repeated across all of the site collections.
  • Office 365 Groups: A new collaboration option! A combination of a mailbox and a site collection. Not a group useable for managing access to SharePoint sites.

Office 365 Groups

Office 365 Groups are a combination of an Exchange email account with the group’s name that is used to store conversations, and a “OneDrive – like” site collection to store files.

A collection of Office 365 Groups facts:

  • Internally, to distinguish traditional groups from the new Office 365 Groups, Groups are called “Unified Groups”. Externally they should be called “Office 365 Groups”, not “SharePoint Groups”.
  • Creating a Group creates an AD Distribution group, an email address and a “hidden” SharePoint Site Collection. The site collection is not visible in the tenant admin pages. The AD group is not manageable from Azure AD, only from the tenant admin Groups pages. (You can see members in Azure AD, but cannot edit them.)
  • Groups can be created from:
    • Outlook (OWA).
    • A user’s OneDrive.
    • The “GROUPS” page in the tenant Admin site. Here you can create both “Office 365 Groups” and “security groups”.
  • Conversations are stored in Exchange inboxes and files are stored in SharePoint Site Collections.
  • Groups are defined and managed in Azure AD. (Which explains why the PowerShell cmdlets for Groups are not in the SharePoint Online cmdlet library.)
  • Each user may create up to 250 Groups and can be a member of up to 1,024 Groups. There’s no limit for number of Groups per tenant.
  • Emails can be sent in the name of the group by members. (Requires a PowerShell based change.)
  • Groups will not be deleted if the Group’s owner is deleted.
  • Groups use a OneDrive for Business site under the covers. (Template: GROUP#0)
  • URL for the files site collection looks like a normal team site instead of a OneDrive site:  https://yourdomain/sites/groupsitename
  • If there is a URL conflict, a number is appended to the name: https://yourdomain/sites/groupsitename51
  • URL for the mailbox is “guessable”: https://outlook.office365.com/owa/#path=/group/yourGroupName@yourDomain.onmicrosoft.com/people
  • Groups site collections are not (currently) displayed in the admin Site Collections page. You may discover their existence when you create a new site collection that has the same name as a group site. “The site collection already exists. Please enter a different address.
  • PowerShell:
    • Get-SPOSite does not return Groups site collections, but you can access a Groups site by URL.
    • Get-SPOUser does not return users for Groups sites.
  • Groups file storage is counted against the tenant quota. It’s not considered to be a personal OneDrive. There is no “user” for the Group OneDrive. The mailbox can store up to 50GB of messages, posts and calendar entries. The SharePoint Site Collection has a max of 1TB.
  • Search: There is a search box, but it opens the Search Center in a new window/tab and searches all of SharePoint, not just the Groups file site.
  • The document library in the Group site is very much like a OneDrive for Business library. No ribbon, no custom columns, no metadata and no Content Types. The Groups library is very limited:
    • Only one library, and it’s not customizable.
    • Can’t check out/in. (I saw this listed as a feature, but it’s not in my tenants.)
    • Versioning is enabled (Major only)
    • Cannot add/delete columns (i.e. use any custom metadata that might be useful to search or eDiscovery.)
    • Cannot use workflows.
    • Cannot audit security from the browser.
    • No branding. Cannot be opened by SharePoint Designer.
  • The Site Collection is VERY limited.
    • Almost all of the links for site or list maintenance are redirected to the home page.
    • There is no Settings page.
    • There is no Site Permissions page, so there’s no Site Permissions page or 2nd tier recycle bin.
    • You cannot create new lists or libraries.
  • Library Sync: The Sync button works with the new OneDrive for Business sync client. So, keep in mind that group members of easily offline all of the content.
  • Recycle Bin:
    • There is a recycle bin, but you can only access the user level.
    • If you share a file with a non-member with “Edit”, they can delete the file, but get “Sorry, you don’t have access to this page” when they click the Recycle Bin link.
    • There is no Site Collection recycle bin page available. The Groups “owner” can’t recover files deleted by members.
  • Can be administered and reported on from PowerShell as part of the Exchange Online cmdlets.
    https://technet.microsoft.com/en-us/library/jj200780(v=exchg.160).aspx
    cmdlets: Get/Set/New/Remove-UnifedGroup and Get/Add/Remove-UnifiedGroupLinks
    https://support.office.com/en-us/article/Use-PowerShell-to-manage-Office-365-Groups-aeb669aa-1770-4537-9de2-a82ac11b0540
  • Groups can be disabled for all users. (PowerShell)
  • Groups can be disabled for a subset of users. (Requires PowerShell.)
  • Security:
    • New groups default to “Public”. Everyone has access. You must remember to choose Private when you create the group.
    • I can’t find a place to change Public/Private status after the group has been created.
    • The names of groups are not private. They will be seen in “Send to”, “Share” and other places where user names can be seen. All groups, public and private, are listed in the “Browse Groups” screens. (Train your users not to use group names that reveal confidential data. You know, names like “IT Layoff Planning Group”. 🙂 )
    • Files can be shared with the “group”. They will be listed in the “Shared with us” tab.
    • Files that are shared with the “group” will be visible to all users even for Private groups! (I think this is a bug!) (The user must know the URL to the Files site.)
    • Files can be “reshared”. Sam has a site named “My Private Group”, which is Private, He shares a file with Robert (with Edit or View). Robert can only see that one file in the group site. Robert shares with Susan. Susan can then share with………
    • Users who guess the URL to the file site can see the site, but no files, or only files shared with them. They can see the list of “members” and who the owner is.

Groups vs. Team Sites

Groups Team Sites
Can add lists/libraries No Yes
Can add pages No Yes
Can add columns/metadata No Yes
Can use Content Types No Yes
Can hide membership No Yes
Can brand No Yes
Can be fully managed with PowerShell No Yes

Cleaning up the mess

So since this feature is enabled by default. Users in your organization may have already started creating groups and hidden SharePoint site.

So first we need to disable this option right away.

Prerequisites:

Check your Company-level configuration settings

Now need to check your company-wide configuration settings through the Get-MsolCompanyInfo Windows PowerShell cmdlet. This cmdlet will display your current company-wide configuration settings that affect all users. You specifically need to verify that the UserPermissionToCreateGroupsEnabled parameter is set to False.

To check your Company-level configuration settings

You will first need to connect to your Office 365 service. In the Windows Azure Active Directory Module for Windows PowerShell, type and enter the following:

In the Sign in to your Account screen, enter your credentials to connect you to your service, and click Sign in.

You will be returned to a prompt in the Windows Azure Active Directory Module.

You will need to display your company-wide configuration settings. To do this, type and enter:

This will display a listing of the current configuration settings that apply to all users in your company.

As you can see the value for the UsersPermissiontoCreateGroupsEnabled setting is True. We need to change this to False.

To change the UsersPermissionToCreateGroupsEnabled setting value

You will first need to use the Set-MsolCompanySettings cmdlet to change the UsersPermissionToCreateGroupsEnabled parameter to False. In the Windows Azure Active Directory Module for Windows PowerShell, type and enter the following:

You will be returned to a prompt in the Windows Azure Active Directory Module.

After changing the setting, you then need to run the Get-MsolCompanyInfo cmdlet to verify that the value has changed to True.

After running the cmdlet, check the displayed information to verify that the UsersPermissionToCreateGroupsEnabled setting value has changed to False.

Identifying the site collections in PowerShell

Connect to SharePoint

Get a list of Site Collections
More than likely the Group SharePoint Site is restricted to the user that may have created it. You may get this error when trying to remove it:

To remove it you need to take ownership as the CollectionOwner

Now if you want to do this for all the site collections:

Once this is applied the admin will be able to remove the hidden Sharepoint collection. Remove the site collections that are no longer needed.

Deleting the Groups

Now to delete the groups that the users created. Head over to the Office365 Admin Portal.

Click the “Office 365 group” from the selection to show all groups (These should be all cloud based)

Once the groups are displayed remove them as necessary.

Groups are no longer in your environment.

Planning for the future: Migration of Distribution Groups to Groups

If you are in Hybrid mode you cannot user Groups in a clean fashion. It will get messy. Sooner or later you will need to plan for migration of your distribution groups to Groups. Know your current limitations and hold.

Migrate distribution lists to Office 365 Groups – Admin help

Distribution list eligibility for migration

The following table lists which distribution lists are eligible or not eligible for migration

Property Eligibility
On-premise managed distribution list. Not eligible
Nested distribution lists. Distribution list either has child groups or is a member of another group. Not eligible
Moderated distribution list Not eligible
Distribution lists with send on behalf settings Not eligible
Distribution lists hidden from address lists Not eligible
Distribution lists with member RecipientTypeDetails other than UserMailbox, SharedMailbox, TeamMailbox, MailUser Not eligible
Distribution lists with member join or depart restriction as Closed Eligible. Converted to a private Office 365 Group.
Distribution lists with custom delivery status notifications. ReportToManager = true, ReportToOriginator = false ReportToManager = false, ReportToOriginator = false Eligible. Office 365 groups don’t understand these properties, and delivery status notifications are always sent to the person that sent the email.
Mo Wasay
My name is Mo Wasay. I work with a variety of technologies and engage with the community and customers around the world. I am located in Dallas, Texas, U.S.A. I like to share my knowledge and experiences and help others who come across similar situations. My current focus is Microsoft Azure, Azure Stack and Windows Server.
View Mo Wasay, MSCS, MCITP, MCSE, VCP, ISM, CIS's profile on LinkedIn