Setup LAPS on Administrator Workstation

When you install LAPS program on a computer where you want the ability to easily retrieve the password just select the Management Tools

Link Exchange Online Mailbox with Exchange On-premise

One of my customer have a hybrid exchange environment.

For a new user needs to create AD account and Mailbox on Exchange on-premise.

After creating mailbox and if is needed (depends on Company Police), user mailbox moving to the Exchange Online (Office 365).

It is important to be sure that the right routing address is set, user listed in Address Book and all works fine.

In this case some mailboxes was created wrong.

That means, that there was a AD user on-premise and mailbox was created directly in the Exchange Online.

 

 

 

When on-premise user tried to send message to user whose mailbox was created in Exchange Online directly, he got message:

 

Connect to Exchange Online PowerShell

Exchange Online PowerShell allows you to manage your Exchange Online settings from the command line.

1. On your local computer, open Windows PowerShell and run the following command.

$UserCredential = Get-Credential

In the Windows PowerShell Credential Request dialog box, type your account and password, and then click OK.

2. Run the following command.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

3. Run the following command.

Import-PSSession $Session -DisableNameChecking

Windows Tips: How to make sure a downloaded .iso matches a hash value?

Install the Microsoft File Checksum Integrity Verifier tool from 

http://www.microsoft.com/en-us/download/details.aspx?id=11533

Then using fciv.exe with Command Prompt:

fciv.exe -sha1 filename.iso

PowerShell Script: Get AD Domain and Forest functional level

Simple script to show Active Directory domain and forest functional level, FSMO roles, all sites in the forest, Global Catalog servers.

Link for download
.\Get-ADInfo.ps1

Example of usage:

[PS].\Get-ADInfo.ps1

Automate WSUS Server Cleanup on Windows Server 2016 with PowerShell

I had a task to automate wsus server cleanup on windows server 2016.

For this task I used one windows server 2016 powershell command

Invoke-WsusServerCleanup

Invoke-WsusServerCleanup performs the process of cleanup on a specified WSUS server. This process has the same impact as running the Cleanup Wizard from the WSUS Console and allows the specification of the same options as Cleanup Wizard.

In my case I added tasks in Task Scheduler on WSUS Server to run powershell with command:

Task 1. 

Name: WSUS-Cleanup

Task running: Weekly

Description: Cleanup obsolete computers and obsolete updates, delete unneeded updates and obsolete revisions to updates, declines expired updates, declines superseded updates

Command:

[PS]Get-WsusServer | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates

Task 2.

Name: WSUS-Cleanup-Computers 

Task running: Daily

Description: Cleanup for obsolete computers

Command:

[PS]Get-WsusServer | Invoke-WsusServerCleanup -CleanupObsoleteComputers

Happy SysAdmin Day!

Enable IP Address Conflict Detection in DHCP on Windows Server

You may use DHCP server option what detects conflicts by pinging an IP address before offering that address to clients.

DHCP Conflict Detection is useful, if some client use a static ip-address from DHCP pool.

On Windows Server by default DHCP Conflict Detection is disabled.

To enabled DHCP conflict detection

Open DHCP console

Налаштування Windows DHCP сервера для виявлення конфліктів IP-адрес

DHCP сервер може виявляти конфлікти IP-адрес, перш ніж пропонувати адреси клієнтам.

Виявлення конфліктів IP-адрес є корисним, якщо якийсь клієнт у мережі використовує статичну IP-адресу з пулу DHCP.

Щоб увімкнути виявлення конфліктів IP-адрес

Відкрийте консоль DHCP

PowerShell Script: Remove AD Groups for Users in specific OU

This small script remove all Active Directory (AD) groups for users in specific Organizational Unit (OU).
Except group "Domain Users"

 

Example of usage:

[PS].\Remove-ADGroups-for-Users-in-OU.ps1 -OU "OU=Users,OU=Disabled Accounts,DC=myDomain,DC=local" -Confirm:$False

 

Script can be useful for OU with disabled users accounts.

 

Link for download
Remove-ADGroups-for-Users-in-OU.ps1

PowerShell Script: Get LAPS Password Information from Active Directory

A small script for export Computers LAPS Password information from Active Directory to csv file.

Script generates a CSV file with computer names and LAPS Passwords.
    ComputerName;OperatingSystem;Password;PasswordExpTime;DistinguishedName

Requirement of the script:
   - Active Directory PowerShell Module
   - Needed rights to view AD LAPS Attributes: ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
  
Example of usage:

[PS].\Get-ADComputers-LAPS-Password.ps1
[PS].\Get-ADComputers-LAPS-Password.ps1 -OU "OU=Computers,OU=IT Department,DC=myDomain,DC=com"

Links for download
PowerShell Gallery | Get-ADComputers-LAPS-Password
GitHub | Get-ADComputers-LAPS-Password.ps1
Get-ADComputers-LAPS-Password.zip

PowerShell Script: Get BitLocker Recovery Information from Active Directory

A small script for export Computers BitLocker Recovery Information from Active Directory to csv file.

This script generates a CSV file with computer names and BitLocker Recovery Keys:
    ComputerName;OperatingSystem;Date;Time;GMT;PasswordID;RecoveryPassword;DistinguishedName

Requirement of the script:
    - Active Directory PowerShell Module
    - Needed rights to view AD BitLocker Recovery Info

Example of usage:

[PS].\Get-ADComputers-BitLockerInfo.ps1
[PS].\Get-ADComputers-BitLockerInfo.ps1 -OU "OU=Computers,OU=IT Department,DC=myDomain,DC=com"

Links for download

PowerShell Gallery | Get-ADComputers-BitLockerInfo

GitHub | Get-ADComputers-BitLockerInfo.ps1

Get-ADComputers-BitLockerInfo.zip

How to delegate right to unlock locked Active Directory (AD) user accounts?

To delegate the right to unlock user accounts on the OU or domain level in ADUC, you can use the AD delegation wizard.

 

You must perform the following steps.

 

1. Open “Active Directory Users and Computers”

 

PowerShellTip: Use PowerShell to Find User Profile Path

To easily get information about the folder and path to the profile for a currently signed-in user, use environmental variable UserProfile.

[PS]$env:UserProfile

This can be useful in scripts.

Disable Internet Explorer Enhanced Security Configuration (IE ESC)

To disable IE Enhanced Security Configuration in Windows Server 2016
Open the Server Manager.

Click IE Enhanced Security Configuration

 

 

Select 'Off' in the Administrators and Users sections

 

 

Click OK
Restart Internet Explorer for changes to take effect

 

Зміними стандартний Organizational Unit (OU) для нових комп'ютерів в Active Directory

Нові комп'ютери в Active Directory за замовчуванням створюються в контейнері (OU) Computers (CN=Computers,DC=myDomain,DC=com)

 

Щоб це змінити - зайдіть на контролер домену як адміністратора домену (Domain Admin)
Виконайте команду:

 

    ReDirCmp Container-DN

 

де Container-DN - це значення адтрибуту DistinguishedName контейнера (OU), в якому за замовчуванням будуть додаватись нові комп'ютери.

Наприклад:

 

    redircmp "OU=New Computers, DC=myDomain, DC=com"

 

 

Щоб повернутись до типових налаштувань:

 

    redirusr cn=Computers, DC = myDomain, dc=com

 

 

Примітка.
Функціональний рівень домену повинен бути не нижче Windows Server 2003

 

 

 

Зміними стандартний Organizational Unit (OU) для нових користувачів в Active Directory

Нові користувачі в Active Directory за замовчуванням створюються в контейнері (OU) Users (CN=Users,DC=myDomain,DC=com)

 

Щоб це змінити - зайдіть на контролер домену як адміністратора домену (Domain Admin)
Виконайте команду:

 

   ReDirUsr Container-DN

 

де Container-DN - це значення адтрибуту DistinguishedName контейнера (OU), в якому за замовчуванням будуть створюватись нові користувачі.

 

Наприклад:

 

    redirusr "OU=New Users, DC=myDomain, DC=com"

 

 

Щоб повернутись до типових налаштувань - виконайте команду:

 

    redirusr cn=Users, dc = myDomain, dc=com

 

 

 

Примітка.
Функціональний рівень домену повинен бути не нижче Windows Server 2003

 

 

DHCPServerTip: Enable/Disable all scopes on DHCP Server

To Deactivate/Disable all IPv4 Scopes on DHCP server you may use PowerShell Command:

[PS] Get-DhcpServerv4Scope | Set-DhcpServerv4Scope -State Inactive

To Activate/Enable all IPv4 Scopes on DHCP server:

[PS] Get-DhcpServerv4Scope | Set-DhcpServerv4Scope -State Active

To view all IPv4 Scopes on DHCP server

[PS] Get-DhcpServerv4Scope -ComputerName <DHCP-ServerName>

Migrate DHCP from one Windows Server to another Windows Server

Log on to the old/existing DHCP server.
Open CMD and type command
 

netsh dhcp server export C:\Users\%username%\Desktop\dhcp.txt all

 

 

Log on to the new DHCP server.
Install the DHCP role on the new DHCP server.
Verify that the DHCP service is installed and started on the new DHCP server.
Copy the exported DHCP text file to the new DHCP server.

Open CMD and type command

netsh dhcp server import C:\Users\%username%\Desktop\dhcp.txt all
 

 

Authorize new DHCP server in Active Directory.
Stop or uninstall DHCP role on the old DHCP server.

Note:
If your old DHCP server is in the same network/subnet as the new DHCP server, you will notice that the old DHCP server has been de-authorized automatically. This is to prevent two DHCP servers from handing out conflicting addresses.

 

Exchange Server 2013 Enters Extended Support Lifecycle Phase

Exchange Server 2013 enters the Extended Support phase of product lifecycle on April 10th, 2018. During Extended Support, products receive only updates defined as Critical.

With the transition of Exchange Server 2013 to Extended Support, the quarterly release schedule of cumulative updates will end. The last planned cumulative update for Exchange Server 2013, Cumulative Update 21, will be released in June 2018.


Additional Information:
https://blogs.technet.microsoft.com/exchange/2018/04/10/exchange-server-2013-enters-extended-support-lifecycle-phase/



Exchange 2010 - End of Support Is Coming

 

On January 14, 2020, Exchange Server 2010 will reach end of support.

 

 

Additional Information:

https://blogs.technet.microsoft.com/exchange/2018/04/10/exchange-2010-end-of-support-is-coming/

 

 

Outlook Error: There is a problem with the proxy server's security certificate. Outlook is unable to connect to the proxy server (Error Code 80000000)

I had an interesting issue while working on one project. When customers working with Outlook, sometimes some Outlook clients received the following certificate error message:

 

There is a problem with the proxy server's security certificate.
Outlook is unable to connect to the proxy server (Error Code 80000000).

 

 

I want to share my solution on this issue.

Exchange 2010: Change Password with Outlook Web Access

Applies to: Exchange Server 2010

 

Enable change password feature in Outlook Web App:

 

Log on to the Client Access server.

Open Registry Editor

regedit

 

Find registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA

 

Create the following DWORD value if it doesn't already exist: ChangeExpiredPasswordEnabled. The value type will be REG_DWORD

Set the value of ChangeExpiredPasswordEnabled to 1

Restart IIS

iisreset /noforce

 

Note:

You must make this change on each Client Access server that supports Outlook Web App 

 

PowerShellTip: Get Computer Name

To easily retrieve computer name in Windows PowerShell, use the environmental variable ComputerName.

[PS]$env:ComputerName

This can be useful in scripts.