Cleaning up Office365 Groups Mess

Office 365 Groups are a shared workspace for email, conversations, files, and events where group members can collectively get stuff done. They complement the introduction of Microsoft Teams. The main thing to keep in mind is that this feature is still evolving.

Why is it important to control Office 365 Group creation?

This feature is enabled by default, so it's better to put restrictions in place now than to clean up the sites, groups, and permissions that organization users have created later.

Which Group?

SharePoint frequently reuses terms, which often makes conversations and forum posts a lot of fun. There are at least three “Groups” in Office 365:

  • Active Directory Groups: Groups at the AD level. Outside of SharePoint. Useable across all site collections, and other applications. A “Sales Managers” AD group can be created once, updated in one place and used across all site collections in the tenant.
  • SharePoint Groups: Collections of users (people) and AD groups. Scoped to a single site collection. A “Sales Managers” SharePoint group would need to be created in each of the site collections and all updates repeated across all of the site collections.
  • Office 365 Groups: A new collaboration option! A combination of a mailbox and a site collection. Not a group useable for managing access to SharePoint sites.

Office 365 Groups

Office 365 Groups are a combination of an Exchange email account with the group’s name that is used to store conversations, and a “OneDrive – like” site collection to store files.

A collection of Office 365 Groups facts:

  • Internally, to distinguish traditional groups from the new Office 365 Groups, Groups are called “Unified Groups”. Externally they should be called “Office 365 Groups”, not “SharePoint Groups”.
  • Creating a Group creates an AD Distribution group, an email address and a “hidden” SharePoint Site Collection. The site collection is not visible in the tenant admin pages. The AD group is not manageable from Azure AD, only from the tenant admin Groups pages. (You can see members in Azure AD, but cannot edit them.)
  • Groups can be created from:
    • Outlook (OWA).
    • A user’s OneDrive.
    • The “GROUPS” page in the tenant Admin site. Here you can create both “Office 365 Groups” and “security groups”.
  • Conversations are stored in Exchange inboxes and files are stored in SharePoint Site Collections.
  • Groups are defined and managed in Azure AD. (Which explains why the PowerShell cmdlets for Groups are not in the SharePoint Online cmdlet library.)
  • Each user may create up to 250 Groups and can be a member of up to 1,024 Groups. There’s no limit for number of Groups per tenant.
  • Emails can be sent in the name of the group by members. (Requires a PowerShell based change.)
  • Groups will not be deleted if the Group’s owner is deleted.
  • Groups use a OneDrive for Business site under the covers. (Template: GROUP#0)
  • URL for the files site collection looks like a normal team site instead of a OneDrive site:  https://yourdomain/sites/groupsitename
  • If there is a URL conflict, a number is appended to the name: https://yourdomain/sites/groupsitename51
  • URL for the mailbox is “guessable”: https://outlook.office365.com/owa/#path=/group/yourGroupName@yourDomain.onmicrosoft.com/people
  • Groups site collections are not (currently) displayed in the admin Site Collections page. You may discover their existence when you create a new site collection that has the same name as a group site: “The site collection already exists. Please enter a different address.”
  • PowerShell:
    • Get-SPOSite does not return Groups site collections, but you can access a Groups site by URL.
    • Get-SPOUser does not return users for Groups sites.
  • Groups file storage is counted against the tenant quota. It’s not considered to be a personal OneDrive. There is no “user” for the Group OneDrive. The mailbox can store up to 50GB of messages, posts and calendar entries. The SharePoint Site Collection has a max of 1TB.
  • Search: There is a search box, but it opens the Search Center in a new window/tab and searches all of SharePoint, not just the Groups file site.
  • The document library in the Group site is very much like a OneDrive for Business library. No ribbon, no custom columns, no metadata and no Content Types. The Groups library is very limited:
    • Only one library, and it’s not customizable.
    • Can’t check out/in. (I saw this listed as a feature, but it’s not in my tenants.)
    • Versioning is enabled (Major only)
    • Cannot add/delete columns (i.e. use any custom metadata that might be useful to search or eDiscovery.)
    • Cannot use workflows.
    • Cannot audit security from the browser.
    • No branding. Cannot be opened by SharePoint Designer.
  • The Site Collection is VERY limited.
    • Almost all of the links for site or list maintenance are redirected to the home page.
    • There is no Settings page.
    • There is no Site Permissions page, so there’s no Site Permissions page or 2nd tier recycle bin.
    • You cannot create new lists or libraries.
  • Library Sync: The Sync button works with the new OneDrive for Business sync client. So, keep in mind that group members can easily take all of the content offline.
  • Recycle Bin:
    • There is a recycle bin, but you can only access the user level.
    • If you share a file with a non-member with “Edit”, they can delete the file, but get “Sorry, you don’t have access to this page” when they click the Recycle Bin link.
    • There is no Site Collection recycle bin page available. The Groups “owner” can’t recover files deleted by members.
  • Can be administered and reported on from PowerShell as part of the Exchange Online cmdlets.
    https://technet.microsoft.com/en-us/library/jj200780(v=exchg.160).aspx
    cmdlets: Get/Set/New/Remove-UnifiedGroup and Get/Add/Remove-UnifiedGroupLinks
    https://support.office.com/en-us/article/Use-PowerShell-to-manage-Office-365-Groups-aeb669aa-1770-4537-9de2-a82ac11b0540
  • Groups can be disabled for all users. (PowerShell)
  • Groups can be disabled for a subset of users. (Requires PowerShell.)
  • Security:
    • New groups default to “Public”. Everyone has access. You must remember to choose Private when you create the group.
    • I can’t find a place to change Public/Private status after the group has been created.
    • The names of groups are not private. They will be seen in “Send to”, “Share” and other places where user names can be seen. All groups, public and private, are listed in the “Browse Groups” screens. (Train your users not to use group names that reveal confidential data. You know, names like “IT Layoff Planning Group”. 🙂 )
    • Files can be shared with the “group”. They will be listed in the “Shared with us” tab.
    • Files that are shared with the “group” will be visible to all users even for Private groups! (I think this is a bug!) (The user must know the URL to the Files site.)
    • Files can be “reshared”. Sam has a site named “My Private Group”, which is Private. He shares a file with Robert (with Edit or View). Robert can only see that one file in the group site. Robert shares with Susan. Susan can then share with………
    • Users who guess the URL to the file site can see the site, but no files, or only files shared with them. They can see the list of “members” and who the owner is.

Groups vs. Team Sites

| | Groups | Team Sites |
|---|---|---|
| Can add lists/libraries | No | Yes |
| Can add pages | No | Yes |
| Can add columns/metadata | No | Yes |
| Can use Content Types | No | Yes |
| Can hide membership | No | Yes |
| Can brand | No | Yes |
| Can be fully managed with PowerShell | No | Yes |

Cleaning up the mess

Since this feature is enabled by default, users in your organization may have already started creating groups and hidden SharePoint sites.

So first we need to disable this option right away.

Prerequisites:

Check your Company-level configuration settings

You now need to check your company-wide configuration settings through the Get-MsolCompanyInformation Windows PowerShell cmdlet. This cmdlet will display your current company-wide configuration settings that affect all users. You specifically need to verify that the UsersPermissionToCreateGroupsEnabled parameter is set to False.

To check your Company-level configuration settings

You will first need to connect to your Office 365 service. In the Windows Azure Active Directory Module for Windows PowerShell, type and enter the following:

In the Sign in to your Account screen, enter your credentials to connect you to your service, and click Sign in.

You will be returned to a prompt in the Windows Azure Active Directory Module.

You will need to display your company-wide configuration settings. To do this, type and enter:

This will display a listing of the current configuration settings that apply to all users in your company.

As you can see, the value for the UsersPermissionToCreateGroupsEnabled setting is True. We need to change this to False.

To change the UsersPermissionToCreateGroupsEnabled setting value

You will first need to use the Set-MsolCompanySettings cmdlet to change the UsersPermissionToCreateGroupsEnabled parameter to False. In the Windows Azure Active Directory Module for Windows PowerShell, type and enter the following:

You will be returned to a prompt in the Windows Azure Active Directory Module.

After changing the setting, you then need to run the Get-MsolCompanyInformation cmdlet again to verify that the value has changed to False.

After running the cmdlet, check the displayed information to verify that the UsersPermissionToCreateGroupsEnabled setting value has changed to False.
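
The check, change and verify sequence above as one script. This is an added example, not the post's original commands; it assumes the MSOnline module is installed and that the sign-in account is allowed to change company settings.

```powershell
# Added example (not from the original post). Assumes the MSOnline module
# is installed and the sign-in account can change company settings.
Import-Module MSOnline
Connect-MsolService    # opens the "Sign in to your account" prompt

$setting = 'UsersPermissionToCreateGroupsEnabled'

# 1. Record the current company-wide value before touching anything.
$before = (Get-MsolCompanyInformation).$setting
Write-Host "$setting before change: $before"

# 2. Change it only if it is still enabled, so re-running is harmless.
if ($before) {
    Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $false
}

# 3. Read the value back and fail loudly if the change did not stick.
$after = (Get-MsolCompanyInformation).$setting
if ($after) {
    throw "$setting is still True; check the admin role of the signed-in account."
}
Write-Host "$setting after change: $after"
```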

Identifying the site collections in PowerShell

Connect to SharePoint

Get a list of Site Collections

More than likely the Group SharePoint Site is restricted to the user that may have created it. You may get this error when trying to remove it:

To remove it you need to take ownership as the CollectionOwner

Now if you want to do this for all the site collections:

Once this is applied, the admin will be able to remove the hidden SharePoint site collection. Remove the site collections that are no longer needed.
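
One way to inventory the hidden Groups sites and take ownership of them before removing anything, as an added example that is not the post's original commands. It assumes an Exchange Online session is already imported (for Get-UnifiedGroup) and the SharePoint Online Management Shell is installed; the contoso values are placeholders. Because Get-SPOSite does not list Groups sites, it takes each site URL from the group itself.

```powershell
# Added example (not from the original post).
# Placeholders: replace with your tenant admin URL and admin account.
$adminUrl = 'https://contoso-admin.sharepoint.com'
$adminUpn = 'admin@contoso.onmicrosoft.com'

Connect-SPOService -Url $adminUrl

# Get-SPOSite does not list Groups sites, so take the URLs from the groups.
$groups = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.SharePointSiteUrl }

$report = foreach ($g in $groups) {
    $status = 'OwnershipTaken'
    try {
        # Make the admin a site collection administrator of the hidden site.
        Set-SPOUser -Site $g.SharePointSiteUrl -LoginName $adminUpn `
            -IsSiteCollectionAdmin $true -ErrorAction Stop | Out-Null
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Group      = $g.DisplayName
        AccessType = $g.AccessType          # Public groups are open to everyone
        ManagedBy  = ($g.ManagedBy -join ';')
        Created    = $g.WhenCreated
        SiteUrl    = $g.SharePointSiteUrl
        Status     = $status
    }
}

# Keep a record of what existed before cleanup, Public groups first.
$report | Sort-Object AccessType -Descending |
    Export-Csv -Path .\o365-group-sites.csv -NoTypeInformation

# Removal stays a manual, per-site decision; -Confirm prompts each time.
# Remove-SPOSite -Identity 'https://contoso.sharepoint.com/sites/groupsitename' -Confirm
```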

Deleting the Groups

Now to delete the groups that the users created. Head over to the Office365 Admin Portal.

Click the “Office 365 group” from the selection to show all groups (These should be all cloud based)

Once the groups are displayed remove them as necessary.

Groups are no longer in your environment.

Planning for the future: Migration of Distribution Groups to Groups

If you are in Hybrid mode you cannot use Groups in a clean fashion. It will get messy. Sooner or later you will need to plan for migration of your distribution groups to Groups. Know your current limitations and hold.

Migrate distribution lists to Office 365 Groups – Admin help

Distribution list eligibility for migration

The following table lists which distribution lists are eligible or not eligible for migration

| Property | Eligibility |
|---|---|
| On-premise managed distribution list. | Not eligible |
| Nested distribution lists. Distribution list either has child groups or is a member of another group. | Not eligible |
| Moderated distribution list | Not eligible |
| Distribution lists with send on behalf settings | Not eligible |
| Distribution lists hidden from address lists | Not eligible |
| Distribution lists with member RecipientTypeDetails other than UserMailbox, SharedMailbox, TeamMailbox, MailUser | Not eligible |
| Distribution lists with member join or depart restriction as Closed | Eligible. Converted to a private Office 365 Group. |
| Distribution lists with custom delivery status notifications. ReportToManager = true, ReportToOriginator = false; ReportToManager = false, ReportToOriginator = false | Eligible. Office 365 groups don’t understand these properties, and delivery status notifications are always sent to the person that sent the email. |
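
The table above applied to a tenant's distribution lists, so the ineligible ones and the reason for each are known before migration is planned. This is an added example, not code from the post or from the Microsoft help article; it assumes an Exchange Online PowerShell session is already imported.

```powershell
# Added example (not from the original post or the Microsoft help article).
# Assumes an Exchange Online PowerShell session is already imported.
$okTypes = 'UserMailbox', 'SharedMailbox', 'TeamMailbox', 'MailUser'
$dls = @(Get-DistributionGroup -ResultSize Unlimited)

# Pass 1: cache members per list and note every list that is itself a
# member of another list (a nested child).
$members = @{}
$isChild = @{}
foreach ($dl in $dls) {
    $key = "$($dl.PrimarySmtpAddress)"
    $members[$key] = @(Get-DistributionGroupMember -Identity $key -ResultSize Unlimited)
    foreach ($m in $members[$key]) {
        if ($m.RecipientTypeDetails -like '*Group*') {
            $isChild["$($m.PrimarySmtpAddress)"] = $true
        }
    }
}

# Pass 2: test each list against the rows of the table above.
$report = foreach ($dl in $dls) {
    $key  = "$($dl.PrimarySmtpAddress)"
    $kids = @($members[$key] | Where-Object { $_.RecipientTypeDetails -like '*Group*' })
    $odd  = @($members[$key] | Where-Object {
        $_.RecipientTypeDetails -notlike '*Group*' -and
        "$($_.RecipientTypeDetails)" -notin $okTypes })
    $why = @()
    if ($dl.IsDirSynced)                   { $why += 'On-premises managed' }
    if ($kids.Count -gt 0)                 { $why += 'Has child groups' }
    if ($isChild[$key])                    { $why += 'Member of another group' }
    if ($dl.ModerationEnabled)             { $why += 'Moderated' }
    if ($dl.GrantSendOnBehalfTo)           { $why += 'Send on behalf set' }
    if ($dl.HiddenFromAddressListsEnabled) { $why += 'Hidden from address lists' }
    if ($odd.Count -gt 0)                  { $why += 'Unsupported member type' }

    $closed = "$($dl.MemberJoinRestriction)" -eq 'Closed' -or
              "$($dl.MemberDepartRestriction)" -eq 'Closed'
    [pscustomobject]@{
        Name           = $dl.DisplayName
        Eligible       = ($why.Count -eq 0)
        BecomesPrivate = ($why.Count -eq 0 -and $closed)
        Reasons        = ($why -join '; ')
    }
}
$report | Sort-Object Eligible, Name | Format-Table -AutoSize
```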

Remove duplicates, blank lines, spaces, to get unique values and sort data in one operation

From time to time I come across this need; where I need to scrub a file where there are duplicates, there are blank lines, the sort order is all wack, and it just needs to be formatted to where it can be more readable and/or usable.

This method doesn’t just apply to text; it also applies to numbers.

Software Prerequisites:

  • NotePad++
  • TextFX Characters Plug-in for NotePad++

Enabling TextFX Characters Plug-in

Install NotePad++ with all defaults

Go to Plugins > Plugin Manager > Show Plugin Manager

Install TextFX Characters Plugin

Once successfully downloaded it will prompt for a restart.

After a successful restart of the application you should now see the TextFX entry in the toolbar.

Removing duplicates, blank lines, and sorting data

  • Paste the text into Notepad++ (CTRL+V). As you can see, there were lines and half of them were blank.

  • Mark all the text (CTRL+A). Click TextFX → Click TextFX Tools → Check +Sort outputs only UNIQUE (at column) lines (if not already checked).

  • Click TextFX → Click TextFX Tools → Click Sort lines case insensitive (at column)

  • Duplicates and blank lines have been removed and the data has been sorted alphabetically. (The first line that may appear empty contains a space, which is regarded as a character and is included in the list of unique data.)

Changing to lowercase

To change the text to lowercase, go to: TextFX > TextFX Characters > lower case

This has saved me a lot of time when working with IP addresses or cleaning up text.

 

Remove disabled users from Distribution Lists & Security Groups in Active Directory

One of my clients had several disabled users showing up in distribution lists and security groups and this was creating unnecessary noise in email, alerts, etc. I highly encourage all administrators to keep their AD neat and tidy.

The following PowerShell script searches for disabled users in Groups and Distribution Groups and removes them:

Hope this helps!

Windows: Hide Internet Explorer 11 address bar & navigation bar

Applies to:

Windows Server 2008R2, Windows Server 2012R2, Windows 10

There are two ways this can be accomplished depending on your needs for the controlled environment.

GPO:

I would like to first clarify that there is not a single GPO to just hide TABS in IE11. There is however a way you can enforce IE in Full View Mode which by default will remove the TABS and Address bar via a GPO.

The GPO you can use to enforce the Full-Screen view is available in both the Computer and User configuration policy. Below is the GPO location path in the Group Policy editor console.

  • GPO NAME: Enforce full-screen mode
  • LOCATION: Computer or User configuration – Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
  • KEY LOCATION: Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions

SCREENSHOT: GPO CONSOLE

WINDOWS REGISTRY:

This will cause the IE address bar to not show. I disabled the Navigation bars too so it gives a clean window experience.

SCREENSHOT: REGISTRY LOCATION WITH VALUES

Download the Registry file.

The GPO and keys will cause the browser to open in full view with no address bar or tabs

Remove licensing from ESXi host

WARNING: This is for education/informational testing/development purposes only, and should not be used on a production server.

WARNING: This trick will only work with an ESX(i) standalone server. It will not work if the ESX(i) server is connected to a vCenter Server, as the vCenter Server knows better than to let you do this. (You can always remove and re-add the ESX(i) server to vCenter.)

To reset your ESX 4.x, ESXi 4.x and ESXi 5.x 60 day evaluation license:

  1. Login to the TSM through SSH or Shell
  2. Remove the following two files:
  3. Reboot server

If your ESX server is connected to a vCenter server, please remove the ESX server first.  Once the steps above are completed, you can add it back to the vCenter server.

Command to remove the license and reboot the ESX host:

After the reboot, when you log on to the ESXi server, you should be greeted with this message.

60-day-evaluation

For ESXi 5.1 and ESXi 5.5, you may need to continually remove the license files as the server reboots for this to work.  The following should do this quite nicely:

An alternative would be restarting the services, it should work just as well as rebooting the server:

For vCenter
1) Create a DSN to your local SQL Express instance that holds your vCenter DB.
2) Uninstall virtual center
3) Re-install virtual center and point to your DSN making sure not to overwrite.

With this method, I have been able to refresh my 4.1 and 5.0 hosts.  Have not confirmed if this works for 5.1.

Remove group membership of disabled accounts

The majority of the system administrators I’ve met forget this very important rule. When an account is not needed, remove its membership from the security/distribution groups; otherwise you get disabled accounts showing up in groups, and that looks ugly.

You will need Quest ActiveRoles for Powershell installed to get this working.

Depending on the size of your organization you may need to increase the limit of results to 3000 or more. The default is 1000.

Next, create a list of accounts that you will be modifying so we know what we will be removing.

Once you have the list saved, execute the following:

Membership is stripped from groups, where the user account is disabled.
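
The report-then-remove flow described above, and in the earlier "Remove disabled users from Distribution Lists & Security Groups in Active Directory" post, as an added example. It is not the author's script: it uses Microsoft's ActiveDirectory module (RSAT) in place of the Quest ActiveRoles cmdlets, and the report path is a placeholder. It skips the built-in Guest, krbtgt and DefaultAccount accounts, which are disabled by design and need to keep their memberships.

```powershell
# Added example (not from the original post). Uses the ActiveDirectory
# module (RSAT), not Quest ActiveRoles. The report path is a placeholder.
Import-Module ActiveDirectory
$reportPath = '.\disabled-user-memberships.csv'

# Built-in accounts that are disabled by design (RIDs 501 Guest,
# 502 krbtgt, 503 DefaultAccount); leave their memberships alone.
$builtinRids = '-(501|502|503)$'

$disabled = Get-ADUser -Filter 'Enabled -eq $false' -Properties MemberOf |
    Where-Object { $_.SID.Value -notmatch $builtinRids }

# One row per (user, group) pair. MemberOf never contains the primary
# group (usually Domain Users), so that membership is not touched.
$memberships = foreach ($user in $disabled) {
    foreach ($groupDn in $user.MemberOf) {
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            UserDN         = $user.DistinguishedName
            GroupDN        = $groupDn
        }
    }
}

# Save the list first so every removal can be reviewed and reversed.
$memberships | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "$(@($memberships).Count) memberships written to $reportPath"

# Dry run by default: delete -WhatIf once the report has been reviewed.
foreach ($m in $memberships) {
    Remove-ADGroupMember -Identity $m.GroupDN -Members $m.UserDN `
        -Confirm:$false -WhatIf
}
```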

Get a list of shared mailboxes that are accidentally licensed

We know that in a hybrid scenario or during migration all shared mailboxes are migrated as a user account and then converted to a shared mailbox.

Sometimes admins forget to remove the license for the shared mailbox after conversion, and there is no GUI alternative to see if the shared mailbox is licensed. Shared mailboxes in Office 365 do not require a license.

To find out what shared mailboxes are “accidentally” licensed:
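
One way to produce that list, as an added example that is not the post's original command. It assumes an Exchange Online session (for Get-Mailbox) and an MSOnline connection (for Get-MsolUser) are already open, and the output path is a placeholder. It also reports whether each mailbox has an archive or a litigation hold, since those features do need a license, and whether direct sign-in to the underlying account is blocked.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# session and Connect-MsolService are already established.
$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

$licensed = foreach ($mbx in $shared) {
    $user = Get-MsolUser -UserPrincipalName $mbx.UserPrincipalName `
        -ErrorAction SilentlyContinue
    if ($user -and $user.IsLicensed) {
        [pscustomobject]@{
            Mailbox        = $mbx.PrimarySmtpAddress
            Licenses       = ($user.Licenses.AccountSkuId -join ';')
            # A shared mailbox with an archive or a litigation hold still
            # needs a license, so review these before removing anything.
            ArchiveStatus  = $mbx.ArchiveStatus
            LitigationHold = $mbx.LitigationHoldEnabled
            # True means direct sign-in to the underlying account is blocked.
            SignInBlocked  = $user.BlockCredential
        }
    }
}

$licensed | Sort-Object Mailbox | Format-Table -AutoSize
$licensed | Export-Csv -Path .\licensed-shared-mailboxes.csv -NoTypeInformation
```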

 

 

Outlook: Removing Copy from all the Calendar entries after importing from PST

This article applies to Outlook 2007 and 2010. If you are experiencing this issue with other mail clients, please contact Support.

The “Copy” prefix is usually added to calendar items when items are imported from a PST file or copied from another calendar.

To avoid this, move items to the calendar instead of importing:

  1. Open Outlook.
  2. Open the .PST file (one that was imported) as an Outlook Data File.
    File > Open > Outlook Data File (.pst)
  3. Switch to Calendar view and check the boxes next to both calendars to view them side by side.
  4. Right-click and drag the item from the pst file calendar to your current mailbox calendar and select “Move” from the menu.
  5. Repeat for every similar item.

To get rid of this “Copy” prefix, you can copy the script that is provided below and run it in Outlook. The script will remove the prefix; however, you may still be unable to edit the calendar items. To run the script that will remove the “Copy” prefix:

  1. In Outlook, select the Calendar.
  2. Press Alt+F11 to open the VBA editor.
  3. Expand Project1, then double-click on ThisOutlookSession to open the code window.
  4. Copy the code below and paste it into the code window, then Save.
  5. Click the Run button.
 

Remove Password Expiration

Many customers ask me the question how they can remove password expiration on their Office 365 environment. With the PowerShell command below this can be achieved:

  1. First make sure the execution policy is set to RemoteSigned. You can do this by running PowerShell in admin mode and running: Set-ExecutionPolicy RemoteSigned
  2. Next, run the following to authenticate yourself and import PowerShell commands to your local session:
    $LiveCred = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session
  3. Get-MsolUser | Format-Table UserPrincipalName,DisplayName,PasswordNeverExpires