Tag: powershell

  • Resolve IP Addresses from List of Host Names

    If you have a list of hostnames/servers that you need IP addresses for, it's cumbersome to ping each server to get its IP address.

    PowerShell to the rescue!

    To do this we need a file called Servers.txt with one server hostname per line. I am storing the file in D:\Data\Servers.txt.

    Once we run the script below, it resolves each IP via DNS and stores the results in another file called D:\Data\Addresses.txt.

    Note: All the IP addresses are pulled from their DNS values.

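    # Resolve a hostname to its IP address(es) via DNS
    function Get-HostToIP($hostname) {
        try {
            $result = [System.Net.Dns]::GetHostByName($hostname)
            $result.AddressList | ForEach-Object { $_.IPAddressToString }
        } catch {
            # A name that does not resolve is reported instead of stopping the run
            Write-Warning "Could not resolve $hostname"
        }
    }

    Get-Content "D:\Data\Servers.txt" | ForEach-Object { Get-HostToIP $_ } >> D:\Data\Addresses.txt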
  • Connecting to a remote domain controller using PowerShell

    This covers one of the basic day-to-day tasks of a Windows administrator: connecting to the domain controller. I try to minimize logging onto servers as much as possible. The goal should be to connect to the server remotely and do the work as needed instead of logging on to it directly.

    I will be discussing two approaches below to connect to a domain controller:

    1. Connecting from a client machine on the same domain
    2. Connecting from a client machine on a different domain or a workstation/server

    Before we get started, and regardless of which approach you take below, the following will need to be installed on the client Windows machine. Primarily you need to get the Active Directory Module for Windows PowerShell installed.

    Installing the Active Directory Module

    GUI:

    The Active Directory module for Windows PowerShell is built into Windows Server operating systems (starting from Windows Server 2008 R2), but it is not enabled by default.

    On Windows Server 2016, you can install the AD for PowerShell module from the Server Manager (Add Roles and Features -> Features -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> Active Directory module for Windows PowerShell).

    PowerShell:

    You can also install the module from the PowerShell console using the command:

    Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

    RSAT-AD-PowerShell can be installed not only on domain controllers, but also on any domain member server or even a workstation. The PowerShell Active Directory module is installed automatically when you deploy the Active Directory Domain Services (AD DS) role (when promoting a server to an AD domain controller).

    Approach 1: Connecting from a client machine on the same domain

    The first step is to find all of your domain controllers and allow remote connections to them.

    Log on to one of your domain controllers and open up PowerShell:

    winrm quickconfig

    Note: You need to do this once on each domain controller so you can remotely connect to each one of them at a later time.

    You can read more about WinRM here.

    Alternatively, the following command can be run in an elevated PowerShell console on the DC. This enables WinRM and configures the firewall so that it can accept incoming commands.

    Enable-PSRemoting

    Once that is done you are ready to connect to your domain controller.

    Make sure your system is configured to run PowerShell scripts.

    #Set the ExecutionPolicy to allow execution of scripts
    Set-ExecutionPolicy Unrestricted

    Copy the content below and paste it into your PowerShell editor. Replace “yourdomaincontroller” with your actual DC server name.

    #ConnectAD.ps1
    #Connect to your Domain Controller (DC)
    #Change the value after -ComputerName to your known DC

    #Open a remote session to the DC, prompting for credentials
    $session = New-PSSession -ComputerName "yourdomaincontroller" -Credential (Get-Credential)
    #Load the ActiveDirectory module inside the remote session
    Invoke-Command -Session $session -ScriptBlock { Import-Module ActiveDirectory }
    #Import the remote AD cmdlets into the local session
    Import-PSSession -Session $session -Module ActiveDirectory

    Now the Active Directory commands you enter will be run on the DC.

    To check that your connection is successful, try the command below to get a list of all of your domain controllers.

    #Get a list of all domain controllers in your environment
    Get-ADDomainController -Filter * | Select-Object name

    Approach 2: Connecting from a client machine on a different domain or a workstation

    Windows Remoting works perfectly for same domain situations, and the set-up is relatively straight-forward. It’s extremely powerful when it works, and offers a highly flexible way to securely execute commands remotely.

    Problems arise however when trying to use WinRM in mixed domain environments, or where only one machine is on a domain. This requires some additional configuration steps outlined below.

    Log on to one of your domain controllers, open up PowerShell, and run the following:

    Enable-PSRemoting

    The following registry key needs to be added to the target domain controllers:

    New-ItemProperty -name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1

    Make sure the ports are open:

    By default, WS-Man and PowerShell remoting use port 5985 and 5986 for connections over HTTP and HTTPS, respectively.

    The module is interacting with AD through the Active Directory Web Service that must be installed on your domain controller (communication is performed over the TCP port 9389).

    Note: In some environments, you may need to check that the server authentication certs are valid and not expired. Also, in some situations I have seen that if the client is not resolving the FQDN, it is because the DNS zone doesn’t exist in the source domain. Either the zone can be added, or the hosts file can be modified to add the DC’s FQDN.

    Trusted Hosts:

    Adding the client IP or name can help avoid errors.

    Depending on your environment and what is allowed or not one of the following should work for your situation.

    View the computers of TrustedHosts list

    To view the list of TrustedHosts added to the machine, type the following command. By default, its value is blank.

    Get-Item WSMan:\localhost\Client\TrustedHosts

    Add all computers to the TrustedHosts list

    Using the Set-Item cmdlet and the wildcard you can add all the computers to the TrustedHosts list with the following command.

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value *

    Add all domain computers to the TrustedHosts list

    In the following command, replace .yourdomain.com with your own domain name.

    Set-Item WSMan:\localhost\Client\TrustedHosts *.yourdomain.com

    Add specific computers to the TrustedHosts list

    You can add specific computers you choose based on their hostname by separating them with a comma (,) using the following command.

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value <ComputerName>,[<ComputerName>]

    Where ComputerName can be in the Server01 or Server01.yourdomain.com format

    Add a computer to an existing list of TrustedHosts

    If you have already added some computers to the TrustedHosts list and want to add an additional computer, without deleting the previous entries, you should use the following method. This is because the TrustedHosts list is updated based on the last Set-Item command you have run overwriting the previous entries.

    Use the following command to save the current TrustedHosts computer list to a currentList variable.

    $currentList = (Get-Item WSMan:\localhost\Client\TrustedHosts).value

    To add a computer to the current list, type the following command by specifying both the variable you created and the computer name you are going to add.

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$currentList , Server01"

    Alternatively, to avoid using a variable, add the -Concatenate switch to the Set-Item command to add both new and previous entries. For example:

    Set-Item WSMan:\localhost\Client\TrustedHosts -Concatenate -Value Server02

    Add computers to the TrustedHosts list using the IP address

    Similarly to the previous commands, you can use an IPv4 or IPv6 address. In the case of IPv6, you have to type the address between [].

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value 10.10.10.1,[0:0:0:0:0:0:0:0]

    Add computers to the TrustedHosts list using multiple IP address (Most common)

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value "10.10.10.1, 10.10.10.2"

    Another way to add trusted hosts is via an elevated Command Prompt:

    winrm set winrm/config/client @{TrustedHosts="10.0.2.33"}

    Importing the AD Module:

    Before using any cmdlets of the Active Directory module, you need to import it to your PowerShell session (on Windows Server 2012 R2/ Windows 8.1 and newer the module is imported automatically).

    Import-Module ActiveDirectory

    With this configuration, it’s now possible to authenticate and execute a command remotely with explicit credentials.

    Let's check if it is working:

    Enter-PSSession -ComputerName 10.0.2.33 -Credential (Get-Credential)

    It WORKS! 🙂

    Common Errors & Solutions:

    Error: WinRM service started.  Set-WSManQuickConfig : <f:WSManFault…. WinRM firewall exception will not work since one of the network connection types on this machine is set to Public…… Change the network connection type to either Domain or Private and try again.

    Solution: 

    Enable-PSRemoting -SkipNetworkProfileCheck -Force

    Explanation:

    The above error message indicates that one of the network connections is set to Public, which blocks enabling PowerShell Remoting. Several ways exist to change the connection type. For some reason that only Microsoft knows, you can’t do this in the Network and Sharing Center.

     

    Error: Enter-PSSession : Connecting to remote server 10.0.2.33 failed with the following error message : The WinRM client cannot process the request….

    Solution:

    winrm set winrm/config/client @{TrustedHosts="10.0.2.33"}

    Explanation:

    In an Active Directory environment, you can just use the computer name to connect to a remote machine. If you remotely connect to a standalone machine, you usually have to use the IP address instead. If you try to connect to the remote computer with the Enter-PSSession cmdlet using the IP address of the remote machine, PowerShell will throw the above error.

    Error: Cannot connect to host…

    Solution:

    Check with your network/firewall team whether ports 5985, 5986, and 9389 are open.

    Explanation:

    Most of the time the ports are overlooked and are the root cause of the connection not working.
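
    An added example, not part of the original post: a review of the settings changed above, so you can see what stays in place once the connection works. TrustedHosts is the client-side list of remote hosts the client will authenticate to without Kerberos or a verified certificate, so explicit entries are preferable to `*`. The function names are hypothetical and the sample TrustedHosts string is constructed.

    ```powershell
    # Added example: review of the WinRM settings this post changes.
    # Run from an elevated PowerShell console with the WinRM service running.

    function Get-TrustedHostsFinding {
        param(
            # Defaults to the live client setting; pass a string to test a value.
            [string]$Value = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        )
        # TrustedHosts is one comma-separated string; split it into clean entries.
        $entries = @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        foreach ($entry in $entries) {
            if ($entry -eq '*') {
                [pscustomobject]@{ Entry = $entry; Risk = 'High'; Reason = 'Any host is trusted' }
            } elseif ($entry.Contains('*')) {
                [pscustomobject]@{ Entry = $entry; Risk = 'Medium'; Reason = 'Wildcard pattern' }
            } else {
                [pscustomobject]@{ Entry = $entry; Risk = 'Low'; Reason = 'Explicit host' }
            }
        }
    }

    function Get-RemotingSettingFinding {
        $findings = @()

        # LocalAccountTokenFilterPolicy = 1 disables UAC remote restrictions, so
        # local administrator accounts get a full admin token over the network.
        $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $prop = Get-ItemProperty -Path $path -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
        if ($prop -and $prop.LocalAccountTokenFilterPolicy -eq 1) {
            $findings += 'LocalAccountTokenFilterPolicy is 1 (remote UAC filtering off)'
        }

        # HTTP listeners (5985) do not use TLS; HTTPS listeners (5986) do and
        # let the client validate the server certificate.
        foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
            if ($listener.Keys -contains 'Transport=HTTP') {
                $findings += "Listener $($listener.Name) uses HTTP"
            }
        }

        # Unrestricted was set earlier in the post; RemoteSigned still runs local scripts.
        foreach ($policy in Get-ExecutionPolicy -List) {
            if ($policy.ExecutionPolicy -eq 'Unrestricted') {
                $findings += "ExecutionPolicy is Unrestricted at scope $($policy.Scope)"
            }
        }
        $findings
    }

    function Test-RemotingPort {
        param([Parameter(Mandatory)][string]$ComputerName)
        # Ports named in the post: WinRM HTTP, WinRM HTTPS, AD Web Services.
        foreach ($port in 5985, 5986, 9389) {
            $r = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ Port = $port; Open = $r.TcpTestSucceeded }
        }
    }

    function Add-TrustedHostEntry {
        # Adds one explicit host without overwriting the list or accepting wildcards.
        param([Parameter(Mandatory)][string]$ComputerName)
        if ($ComputerName.Contains('*')) { throw 'Wildcards are not accepted here.' }
        $current = @(Get-TrustedHostsFinding | ForEach-Object Entry)
        if ($current -notcontains $ComputerName) {
            Set-Item WSMan:\localhost\Client\TrustedHosts -Value (($current + $ComputerName) -join ',') -Force
        }
    }

    # Constructed TrustedHosts value, classified entry by entry
    Get-TrustedHostsFinding -Value '*.yourdomain.com, 10.10.10.1, *' | Format-Table -AutoSize

    # Live checks on this machine
    Get-TrustedHostsFinding | Format-Table -AutoSize
    Get-RemotingSettingFinding

    # Replace the placeholder name before running:
    # Test-RemotingPort -ComputerName 'yourdomaincontroller'
    ```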

  • No remote Desktop License Server available on RD Session Host server 2012 R2

    A fully functional and activated 2012 R2 Remote Desktop Session Host server displayed the following message:

    This was a simple setup on one server with the Connection Broker, Session Host and Licensing server roles, with 2012 R2 CALs installed.

    Even though the licensing seems to be configured correctly, in server manager:

    and PowerShell:

    Licensing diagnostics:

    everywhere you look, everything seems to be OK. But the license manager shows something odd:

    No licenses are being used? This server was used since late 2012. Some interesting things could also be found in the event logs, the following events appear:

    EventID: 1130
    Source: TerminalServices-RemoteConnectionManager

    The Remote Desktop Session Host server does not have a Remote Desktop license server specified. To specify a license server for the Remote Desktop Session Host server, use the Remote Desktop Session Host Configuration tool.

    and:

    EventID: 1128
    Source: TerminalServices-RemoteConnectionManager

    The RD Licensing grace period has expired and the service has not registered with a license server with installed licenses. A RD Licensing server is required for continuous operation. A Remote Desktop Session Host server can operate without a license server for 120 days after initial start up.

    The solution was to delete the REG_BINARY in

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

    Only leaving the default.

    Note: you must take ownership and give admin users full control to be able to delete this key.

    After a reboot the server should be working again, licenses are now being used:

    Although everything seemed to be OK and configured correctly with valid licenses, it seems that the setup was still in a 180 day grace period, even though it was correctly configured.

  • Office365: List Your Business Can’t Live Without

    When you have a lot of conference rooms, equipment, or special room mailboxes, it is hard to list or find available rooms during a particular time slot. Luckily, Office365 and Outlook 2013/2016 have a special feature called ‘Room Lists’, which enables you to find and schedule a room quickly based on availability and offers suggestions during room reservation.

    In simple terms, Room Lists work as distribution groups for conference or other types of rooms.

    Use PowerShell to login to Office365:

    #Connect to Office365
    Import-Module MSOnline
    $O365Cred = Get-Credential
    $O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
    Import-PSSession $O365Session

    Create a room list:

    New-DistributionGroup -Name HQ -DisplayName "HQ" -PrimarySmtpAddress [email protected] -RoomList

    Add rooms to a list:

    Add-DistributionGroupMember -Identity "HQ" -Member [email protected]

    Check what Room Lists you have:

    Get-DistributionGroup | Where {$_.RecipientTypeDetails -eq "RoomList"} | Format-Table DisplayName,Identity,PrimarySmtpAddress

    Check what conference rooms are part of a particular room list:

    Get-DistributionGroupMember -Identity "HQ"
  • How To Get Rid Of Dell KACE Agent?

    What is Dell KACE Agent?

    Unifies and automates non-computer and computer asset management processes from deployment to retirement, to facilitate such tasks as software and regulatory compliance.
    Uninstalling KACE can be a pain. Luckily there is a way, thanks to wmic.

    This works for 32- and 64-bit machines.

    From Command Prompt/PowerShell in Admin Mode:

    wmic product where "name like '%kace%'" call uninstall /nointeractive

    Tech-notes:

    Details:

    URL: www.dell.com
    Help link: www.kace.com
    Installation folder: C:\Program Files\dell\kace
    Uninstaller: MsiExec.exe /I{55914E97-339E-4CB6-AACC-DE52DE9689D3}
    (The Windows Installer is used for the installation, maintenance, and removal.)
    Estimated size: 11.87 MB
    Language: English (United States)

    Behaviors:

    2 Services

    • ampagent.exe runs as a service named ‘Dell KACE Agent’ (AMPAgent) “Manages connections between agent and server.”.
    • kswmetersvc.exe runs as a service named ‘Dell KACE Software Meter’ (Dell KACE Software Meter) “Manages the Dell KACE Software Meter application”.

    2 Windows Firewall Allowed Programs

    • kinventory.exe is added as a firewall exception for ‘%ProgramFiles(x86)%\Dell\KACE\KInventory.exC:192.168.10.49:enableC:KACE Inventory’.
    • ampagent.exe is added as a firewall exception for ‘%ProgramFiles(x86)%\Dell\KACE\AMPAgent.exC:192.168.10.49:enableC:KACE Agent’.

    Files installed by KACE Agent:

    • mobileappinfo.dll – eSMART Agent (MobileAppInfo DLL (Captures/Returns Mobile Apps))
    • ampagent.exe – KACE Agent (AMP Service)
    • ampkickstart.exe – AMPKickstart
    • amptools.exe – AMPTools
    • kacecredentialprovider64.dll – KACE Credential Provider
    • kcopy.exe – KCopy
    • kdeploy.exe – KDeploy
    • kinventory.exe – KInventory
    • klaunch.exe – KLaunch
    • klaunchsvc.exe – KLaunchSvc
    • kswmetersvc.exe – KSWMeterSvc
    • kuseralert.exe – KUserAlert
    • kuseralertlang_de-de.dll
    • kuseralertlang_es-es.dll
    • kuseralertlang_es-la.dll
    • kuseralertlang_fr-fr.dll
    • kuseralertlang_it-it.dll
    • kuseralertlang_ja-jp.dll
    • kuseralertlang_pt-br.dll
    • kuseralertlang_zh-cn.dll
    • kuseralertlang_zh-tw.dll
    • kusrinit64.exe – KUsrInit Application
    • kwinimpl64.dll – KWinImpl Dynamic Link Library
    • plugindesktopalerts.dll – Desktop Alerts
    • pluginrunprocess.dll – Run Process
    • pluginweb.dll – Web
    • runkbot.exe – runkbot
    • inventory.exe (by Dell Inc) – Inventory (Inventory Application for x64 Platform)
  • Cleaning up Office365 Groups Mess

    Office 365 Groups are a shared workspace for email, conversations, files, and events where group members can collectively get stuff done. It complements the introduction of Microsoft Teams. The main thing to keep in mind is that this feature is still evolving.

    Why is it important to control Office 365 Group creation?

    This feature is enabled by default, so it's better to put restrictions in place now than to clean up the sites, groups, and permissions set by organization users later.

    Which Group?

    SharePoint frequently reuses terms, which often makes conversations and forum posts a lot of fun. There are at least three “Groups” in Office 365:

    • Active Directory Groups: Groups at the AD level. Outside of SharePoint. Useable across all site collections, and other applications. A “Sales Managers” AD group can be created once, updated in one place and used across all site collections in the tenant.
    • SharePoint Groups: Collections of users (people) and AD groups. Scoped to a single site collection. A “Sales Managers” SharePoint group would need to be created in each of the site collections and all updates repeated across all of the site collections.
    • Office 365 Groups: A new collaboration option! A combination of a mailbox and a site collection. Not a group useable for managing access to SharePoint sites.

    Office 365 Groups

    Office 365 Groups are a combination of an Exchange email account with the group’s name that is used to store conversations, and a “OneDrive – like” site collection to store files.

    A collection of Office 365 Groups facts:

    • Internally, to distinguish traditional groups from the new Office 365 Groups, Groups are called “Unified Groups”. Externally they should be called “Office 365 Groups”, not “SharePoint Groups”.
    • Creating a Group creates an AD Distribution group, an email address and a “hidden” SharePoint Site Collection. The site collection is not visible in the tenant admin pages. The AD group is not manageable from Azure AD, only from the tenant admin Groups pages. (You can see members in Azure AD, but cannot edit them.)
    • Groups can be created from:
      • Outlook (OWA).
      • A user’s OneDrive.
      • The “GROUPS” page in the tenant Admin site. Here you can create both “Office 365 Groups” and “security groups”.
    • Conversations are stored in Exchange inboxes and files are stored in SharePoint Site Collections.
    • Groups are defined and managed in Azure AD. (Which explains why the PowerShell cmdlets for Groups are not in the SharePoint Online cmdlet library.)
    • Each user may create up to 250 Groups and can be a member of up to 1,024 Groups. There’s no limit for number of Groups per tenant.
    • Emails can be sent in the name of the group by members. (Requires a PowerShell based change.)
    • Groups will not be deleted if the Group’s owner is deleted.
    • Groups use a OneDrive for Business site under the covers. (Template: GROUP#0)
    • URL for the files site collection looks like a normal team site instead of a OneDrive site:  https://yourdomain/sites/groupsitename
    • If there is a URL conflict, a number is appended to the name: https://yourdomain/sites/groupsitename51
    • URL for the mailbox is “guessable”: https://outlook.office365.com/owa/#path=/group/yourGroupName@yourDomain.onmicrosoft.com/people
    • Groups site collections are not (currently) displayed in the admin Site Collections page. You may discover their existence when you create a new site collection that has the same name as a group site. “The site collection already exists. Please enter a different address.”
    • PowerShell:
      • Get-SPOSite does not return Groups site collections, but you can access a Groups site by URL.
      • Get-SPOUser does not return users for Groups sites.
    • Groups file storage is counted against the tenant quota. It’s not considered to be a personal OneDrive. There is no “user” for the Group OneDrive. The mailbox can store up to 50GB of messages, posts and calendar entries. The SharePoint Site Collection has a max of 1TB.
    • Search: There is a search box, but it opens the Search Center in a new window/tab and searches all of SharePoint, not just the Groups file site.
    • The document library in the Group site is very much like a OneDrive for Business library. No ribbon, no custom columns, no metadata and no Content Types. The Groups library is very limited:
      • Only one library, and it’s not customizable.
      • Can’t check out/in. (I saw this listed as a feature, but it’s not in my tenants.)
      • Versioning is enabled (Major only)
      • Cannot add/delete columns (i.e. use any custom metadata that might be useful to search or eDiscovery.)
      • Cannot use workflows.
      • Cannot audit security from the browser.
      • No branding. Cannot be opened by SharePoint Designer.
    • The Site Collection is VERY limited.
      • Almost all of the links for site or list maintenance are redirected to the home page.
      • There is no Settings page.
      • There is no Site Permissions page, so there’s no Site Permissions page or 2nd tier recycle bin.
      • You cannot create new lists or libraries.
    • Library Sync: The Sync button works with the new OneDrive for Business sync client. So, keep in mind that group members can easily take all of the content offline.
    • Recycle Bin:
      • There is a recycle bin, but you can only access the user level.
      • If you share a file with a non-member with “Edit”, they can delete the file, but get “Sorry, you don’t have access to this page” when they click the Recycle Bin link.
      • There is no Site Collection recycle bin page available. The Groups “owner” can’t recover files deleted by members.
    • Can be administered and reported on from PowerShell as part of the Exchange Online cmdlets.
      https://technet.microsoft.com/en-us/library/jj200780(v=exchg.160).aspx
      cmdlets: Get/Set/New/Remove-UnifiedGroup and Get/Add/Remove-UnifiedGroupLinks
      https://support.office.com/en-us/article/Use-PowerShell-to-manage-Office-365-Groups-aeb669aa-1770-4537-9de2-a82ac11b0540
    • Groups can be disabled for all users. (PowerShell)
    • Groups can be disabled for a subset of users. (Requires PowerShell.)
    • Security:
      • New groups default to “Public”. Everyone has access. You must remember to choose Private when you create the group.
      • I can’t find a place to change Public/Private status after the group has been created.
      • The names of groups are not private. They will be seen in “Send to”, “Share” and other places where user names can be seen. All groups, public and private, are listed in the “Browse Groups” screens. (Train your users not to use group names that reveal confidential data. You know, names like “IT Layoff Planning Group”. 🙂 )
      • Files can be shared with the “group”. They will be listed in the “Shared with us” tab.
      • Files that are shared with the “group” will be visible to all users even for Private groups! (I think this is a bug!) (The user must know the URL to the Files site.)
      • Files can be “reshared”. Sam has a site named “My Private Group”, which is Private, He shares a file with Robert (with Edit or View). Robert can only see that one file in the group site. Robert shares with Susan. Susan can then share with………
      • Users who guess the URL to the file site can see the site, but no files, or only files shared with them. They can see the list of “members” and who the owner is.

    Groups vs. Team Sites

    |  | Groups | Team Sites |
    | --- | --- | --- |
    | Can add lists/libraries | No | Yes |
    | Can add pages | No | Yes |
    | Can add columns/metadata | No | Yes |
    | Can use Content Types | No | Yes |
    | Can hide membership | No | Yes |
    | Can brand | No | Yes |
    | Can be fully managed with PowerShell | No | Yes |

    Cleaning up the mess

    Since this feature is enabled by default, users in your organization may have already started creating groups and hidden SharePoint sites.

    So first we need to disable this option right away.

    Prerequisites:

    Check your Company-level configuration settings

    You now need to check your company-wide configuration settings through the Get-MsolCompanyInformation Windows PowerShell cmdlet. This cmdlet displays your current company-wide configuration settings that affect all users. You specifically need to verify that the UsersPermissionToCreateGroupsEnabled parameter is set to False.

    To check your Company-level configuration settings

    You will first need to connect to your Office 365 service. In the Windows Azure Active Directory Module for Windows PowerShell, type and enter the following:

    Connect-MsolService

    In the Sign in to your Account screen, enter your credentials to connect you to your service, and click Sign in.

    You will be returned to a prompt in the Windows Azure Active Directory Module.

    You will need to display your company-wide configuration settings. To do this, type and enter:

    Get-MsolCompanyInformation

    This will display a listing of the current configuration settings that apply to all users in your company.

    As you can see, the value for the UsersPermissionToCreateGroupsEnabled setting is True. We need to change this to False.

    To change the UsersPermissionToCreateGroupsEnabled setting value

    You will first need to use the Set-MsolCompanySettings cmdlet to change the UsersPermissionToCreateGroupsEnabled parameter to False. In the Windows Azure Active Directory Module for Windows PowerShell, type and enter the following:

    Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $False

    You will be returned to a prompt in the Windows Azure Active Directory Module.

    After changing the setting, you then need to run the Get-MsolCompanyInformation cmdlet to verify that the value has changed to False.

    Get-MsolCompanyInformation

    After running the cmdlet, check the displayed information to verify that the UsersPermissionToCreateGroupsEnabled setting value has changed to False.

    Identifying the site collections in PowerShell

    Connect to SharePoint

    #Connecting to SharePoint
    
    #User account with Global Admin Permissions
    $adminUPN="[email protected]"
    
    #Organization Name (myorganizationinc.onmicrosoft.com)
    $orgName="myorganizationinc"
    
    #Prompting and using the password
    $userCredential = Get-Credential -UserName $adminUPN -Message "Type the password."
    
    #Making the Connection
    Connect-SPOService -Url https://$orgName-admin.sharepoint.com -Credential $userCredential

    Get a list of Site Collections

    Get-SPOSite -Detailed | Format-Table -AutoSize

    More than likely the Group SharePoint Site is restricted to the user that may have created it. You may get this error when trying to remove it:

    To remove it you need to take ownership as the CollectionOwner

    Set-SPOUser -Site http://myorganizationinc.sharepoint.com/sites/<YourGroupsSite> -LoginName [email protected] -IsSiteCollectionOwner $true

    Now if you want to do this for all the site collections:

    $Sites = Get-SPOSite
    ForEach ($Site in $Sites)
    {
        Set-SPOUser -Site $Site -LoginName [email protected] -IsSiteCollectionOwner $true
    }

    Once this is applied, the admin will be able to remove the hidden SharePoint site collection. Remove the site collections that are no longer needed.

    Remove-SPOSite -Identity https://myorganizationinc.sharepoint.com/sites/<YourGroupsSite> -NoWait

    Deleting the Groups

    Now to delete the groups that the users created. Head over to the Office365 Admin Portal.

    Click the “Office 365 group” from the selection to show all groups (These should be all cloud based)

    Once the groups are displayed remove them as necessary.

    Groups are no longer in your environment.

    Planning for the future: Migration of Distribution Groups to Groups

    If you are in Hybrid mode you cannot use Groups in a clean fashion. It will get messy. Sooner or later you will need to plan for migration of your distribution groups to Groups. Know your current limitations and hold.

    Migrate distribution lists to Office 365 Groups – Admin help

    Distribution list eligibility for migration

    The following table lists which distribution lists are eligible or not eligible for migration:

    | Property | Eligibility |
    | --- | --- |
    | On-premise managed distribution list. | Not eligible |
    | Nested distribution lists. Distribution list either has child groups or is a member of another group. | Not eligible |
    | Moderated distribution list | Not eligible |
    | Distribution lists with send on behalf settings | Not eligible |
    | Distribution lists hidden from address lists | Not eligible |
    | Distribution lists with member RecipientTypeDetails other than UserMailbox, SharedMailbox, TeamMailbox, MailUser | Not eligible |
    | Distribution lists with member join or depart restriction as Closed | Eligible. Converted to a private Office 365 Group. |
    | Distribution lists with custom delivery status notifications. ReportToManager = true, ReportToOriginator = false; ReportToManager = false, ReportToOriginator = false | Eligible. Office 365 groups don’t understand these properties, and delivery status notifications are always sent to the person that sent the email. |
  • Creating Security Groups for File Shares in Bulk using PowerShell

    Security Groups are great for managing permissions for large groups. A client requested Read-Only, Read-Write, and Read-Modify (allow for deleting) groups for all their file shares for better management.

    Getting the Share Names

    In order for me to create the groups I needed the share names. PowerShell to the rescue!

    Type the following on the File Server/ Cluster to list all the shares and capture the output in a text file:

    Get-WmiObject -Class Win32_Share -ComputerName <yourfileserver.fqdn> | Out-File c:\scripts\shares.txt

    Note: On your file server you may have a lot of shares, but for example purposes I am showing just one.

    Output should be similar to:

    Cleaning up the Share Names

    Now that we have the Share names we need to do a bit of cleanup to avoid having duplicates.

    • We need to remove all entries for hidden shares “$”
    • We need to remove duplicates
    • We need to change the case of the share names to lower case. ( I prefer lowercase but you can decide to do what best fits your needs)

    Follow my guide to removing duplicates in a text file using NotePad++

    Once the sharenames are clean save it to a text file.

    Client Requirement for the Security Groups:

    For each file share there are three security groups needed:

    • <Sharename>_RO : Read-Only
    • <Sharename>_RW : Read & Write
    • <Sharename>_RM : Read & Modify

    For PowerShell to do this I needed to create a .CSV file with all the security group entries.  Now, there are many ways this can be done. I will share what I have been doing.

    Open up Microsoft Excel and paste the share names into a column to the right (let's say starting at K2).

    Now in cell A2 your value should be =CONCATENATE(K2,"_RW"); drag it down to fill the column.

    It should look something like this:

    Do the same for RO & RM. Now you have all the security group names you need to create.

    Create a file called FileShares_Groups.csv  using the following format.

    Create the file Create Security Groups for File Shares.ps1

    <#
    .NOTES
    	File Name:
    	Author: Mohammed Wasay
    	Contact Info:
    		Website:www.mowasay.com
    		Twitter:@wasay
    	Requires:
    	Tested:
    .PARAMETER
        None
    
    .EXAMPLE
        & '.\Create Security Groups for File Shares.ps1'
    #>
    #Import Active Directory Module
    Import-Module ActiveDirectory
    
    #Each row supplies the GroupName, GroupCategory, GroupScope and OU columns
    $csv = Import-Csv -Path "c:\scripts\FileShares_Groups.csv"
    
    ForEach ($item In $csv)
        {
            try {
                #-ErrorAction Stop makes a failed create land in the catch block
                New-ADGroup -Name $item.GroupName -GroupCategory $item.GroupCategory -GroupScope $item.GroupScope -Path $item.OU -ErrorAction Stop
                Write-Host -ForegroundColor Green "Group $($item.GroupName) created!"
            }
            catch {
                Write-Host -ForegroundColor Red "Group $($item.GroupName) not created: $($_.Exception.Message)"
            }
        }
    

    Copy the two files: FileShares_Groups.csv & Create Security Groups for File Shares.ps1  into a folder called C:\scripts  on the Domain Controller.

    Run the PowerShell script and see the security groups get created.
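
    The clean-up and naming steps above can also be done in PowerShell rather than Notepad++ and Excel. This is an added example, not the author's script: the share names are constructed sample data, and the OU, the group scope and the function names Get-CleanShareName and New-ShareGroupRow are assumptions.

    ```powershell
    # Added example (not from the original post): build FileShares_Groups.csv
    # from raw share names. The names below are constructed sample data; on a
    # real server they would come from
    #   (Get-WmiObject -Class Win32_Share -ComputerName $server).Name
    $rawShares = @('Finance', 'finance', 'HR', 'ADMIN$', 'C$', 'IPC$', ' Projects ', '', 'hr')

    # Assumed values: the OU is a placeholder and the scope is one common choice.
    $targetOU      = 'OU=FileShareGroups,DC=example,DC=com'
    $groupCategory = 'Security'
    $groupScope    = 'DomainLocal'
    $suffixes      = 'RO', 'RW', 'RM'   # Read-Only, Read & Write, Read & Modify

    function Get-CleanShareName {
        param([string[]]$Name)
        $Name |
            ForEach-Object { $_.Trim().ToLowerInvariant() } |   # trim and lowercase
            Where-Object { $_ -and -not $_.EndsWith('$') } |    # drop blanks and hidden shares
            Sort-Object -Unique                                 # drop duplicates
    }

    function New-ShareGroupRow {
        param([string[]]$ShareName)
        foreach ($share in $ShareName) {
            foreach ($suffix in $suffixes) {
                # One row per group, using the columns the creation script reads.
                # ${share} is braced so the underscore is not taken as part of the name.
                [pscustomobject]@{
                    GroupName     = "${share}_$suffix"
                    GroupCategory = $groupCategory
                    GroupScope    = $groupScope
                    OU            = $targetOU
                }
            }
        }
    }

    $shares = Get-CleanShareName -Name $rawShares
    $rows   = New-ShareGroupRow -ShareName $shares

    # Write the CSV to the current directory and show it for review
    $outFile = Join-Path $PWD.Path 'FileShares_Groups.csv'
    $rows | Export-Csv -Path $outFile -NoTypeInformation
    $rows | Format-Table -AutoSize
    ```

    Adding -WhatIf to the New-ADGroup call in the creation script previews what a CSV would create before anything is written to the directory.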

     

     

  • Remove duplicates, blank lines, spaces, to get unique values and sort data in one operation

    Remove duplicates, blank lines, spaces, to get unique values and sort data in one operation

    From time to time I come across this need; where I need to scrub a file where there are duplicates, there are blank lines, the sort order is all wack, and it just needs to be formatted to where it can be more readable and/or usable.

    This method doesn’t just apply to text; it also applies to numbers.

    Software Prerequisites:

    • NotePad++
    • TextFX Characters Plug-in for NotePad++

    Enabling TextFX Characters Plug-in

    Install NotePad++ with all defaults

    Go to Plugins > Plugin Manager > Show Plugin Manager

    Install TextFX Characters Plugin

    Once successfully downloaded it will prompt for a restart.

    After a successful restart of the application you should now see the TextFX entry in the toolbar.

    Removing duplicates, blank lines, and sorting data

    • Paste the text into Notepad++ (CTRL+V). As you can see, there were lines and half of them were blank.

    • Mark all the text (CTRL+A). Click TextFX → Click TextFX Tools → Check +Sort outputs only UNIQUE (at column) lines (if not already checked).

    • Click TextFX → Click TextFX Tools → Click Sort lines case insensitive (at column)

    • Duplicates and blank lines have been removed and the data has been sorted alphabetically. (The first line that may appear empty contains a space, which is regarded as a character and is included in the list of unique data.)

    Changing to lowercase

    To change the text to lowercase, go to: TextFX > TextFX Characters > lower case

    Note: Please check permissions on the files and folders. If you have unique or specialized permissions on the files or folders, these won't work.

    This has saved me a lot of time when working with IP addresses or cleaning up text.

     

  • Set password never to expire for users in a particular domain (Bulk mode)

    Set password never to expire for users in a particular domain (Bulk mode)

    Let me start by saying that I don’t recommend doing this at all.

    Password Never Expires is bad security practice, but there are situations that might require it.

    I had a similar request on how this could be done.

    Setting it for multiple users:

    #Connect to Office 365
    Import-Module MSOnline
    $O365Cred = Get-Credential
    $O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
    Import-PSSession $O365Session
    Connect-MsolService -Credential $O365Cred
    
    #Get a list of users that belong to the second domain
    $SDusers = Get-MsolUser -All -DomainName "yourseconddomain.com"
    
    #Setting the password never to expire
    ForEach($SDuser in $SDusers)
    {
        #Pass the UPN string, not the whole user object
        Set-MsolUser -UserPrincipalName $SDuser.UserPrincipalName -PasswordNeverExpires $true
    }

    Setting it for a single user:

    #Shows the current PasswordNeverExpires value for one user (placeholder address)
    Get-MsolUser -UserPrincipalName "user@yourseconddomain.com" | Select PasswordNeverExpires
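
    Since accounts with this setting fall outside the normal expiry policy, it helps to review them regularly together with the age of their current password. This is an added example, not the author's code: the user records are constructed sample data shaped like Get-MsolUser output, and the function name Get-PasswordExpiryException and the 90-day threshold are assumptions.

    ```powershell
    # Added example (not from the original post): list accounts whose password is
    # set to never expire, with the age of the current password.
    # Constructed sample records using property names that Get-MsolUser returns;
    # in a live tenant use: $users = Get-MsolUser -All -DomainName "yourseconddomain.com"
    $now = Get-Date
    $users = @(
        [pscustomobject]@{ UserPrincipalName = 'svc-backup@yourseconddomain.com'
                           PasswordNeverExpires = $true
                           LastPasswordChangeTimestamp = $now.AddDays(-400) }
        [pscustomobject]@{ UserPrincipalName = 'kiosk01@yourseconddomain.com'
                           PasswordNeverExpires = $true
                           LastPasswordChangeTimestamp = $now.AddDays(-12) }
        [pscustomobject]@{ UserPrincipalName = 'jdoe@yourseconddomain.com'
                           PasswordNeverExpires = $false
                           LastPasswordChangeTimestamp = $now.AddDays(-30) }
        [pscustomobject]@{ UserPrincipalName = 'newhire@yourseconddomain.com'
                           PasswordNeverExpires = $true
                           LastPasswordChangeTimestamp = $null }
    )

    function Get-PasswordExpiryException {
        param(
            [Parameter(Mandatory, ValueFromPipeline)] $User,
            [int]$MaxAgeDays = 90,            # assumed review threshold
            [datetime]$AsOf = (Get-Date)
        )
        process {
            # Only accounts exempted from expiry are of interest ($null counts as not set)
            if ($User.PasswordNeverExpires -ne $true) { return }

            $changed = $User.LastPasswordChangeTimestamp
            $age = if ($changed) { [math]::Floor(($AsOf - $changed).TotalDays) } else { $null }

            [pscustomobject]@{
                UserPrincipalName = $User.UserPrincipalName
                PasswordAgeDays   = $age
                # No recorded change is treated as needing review, same as an old password
                NeedsReview       = ($null -eq $age) -or ($age -gt $MaxAgeDays)
            }
        }
    }

    $users | Get-PasswordExpiryException |
        Sort-Object PasswordAgeDays -Descending |
        Format-Table -AutoSize
    ```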

     

  • Get PasswordAge for users in a particular domain

    Get PasswordAge for users in a particular domain

    In Office365 if you have more than one domain in a subscription, there are times where you may want to get the password age for users of that domain.

    In my case, this was to check which users are covered by and meeting the policy, and to get the remaining users addressed.

    Get-MsolUser -All -DomainName "yourdomainname.com" | select DisplayName, LastPasswordChangeTimeStamp,@{Name="PasswordAge";Expression={(Get-Date)-$_.LastPasswordChangeTimeStamp}}

    The output will be similar to: