daknetworks.com

Enable 2FA in Microsoft 365 | Enable MFA in Microsoft 365

I've seen this in 2 places. Sometimes the one in IDENTITY-PROTECTION does not work. Not sure why. Here it is:

AAD > USERS
MULTI-FACTOR-AUTHENTICATION (at the top)
checkmark usernames
ENABLE (on the right)

AAD > SECURITY > IDENTITY-PROTECTION
MFA-REGISTRATION-POLICY

Exchange Queue

Let's say that you have a loop because someone set up an INBOX RULE to forward to an outside domain that is having problems.

How do you clear the queue of 1M messages that show as a result?

To clear the incoming messages that have arrived in the inbox:

Get-Mailbox account.name | Search-Mailbox -SearchQuery "from:sender-address-here" -DeleteContent

To clear the messages in the queue for the recipient:

Get-ExchangeServer | ?{$_.IsHubTransportServer -eq $true} | Get-Queue | Get-Message -ResultSize Unlimited | ?{$_.Recipients -like '*recipient-address-here*'} | Remove-Message -WithNDR $false -Confirm:$false

To clear the messages in the queue for the postmaster <>:

Get-ExchangeServer | ?{$_.IsHubTransportServer -eq $true} | Get-Queue | Get-Message -ResultSize Unlimited | ?{$_.FromAddress -eq '<>'} | Remove-Message -WithNDR $false -Confirm:$false
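
Since the loop starts with a forwarding inbox rule, clearing the queue is only half the job. The following script is an added example, not from the original post: it lists every inbox rule that forwards or redirects to an address outside the organization's accepted domains. It assumes an Exchange Management Shell or Exchange Online PowerShell session and uses only Get-AcceptedDomain, Get-Mailbox and Get-InboxRule.

```powershell
# Added example (not from the original post): find inbox rules that forward or
# redirect mail to addresses outside the organization's accepted domains.
# Assumes an Exchange Management Shell / Exchange Online PowerShell session.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # ForwardTo entries look like "Display Name [SMTP:user@domain.tld]" or a bare address.
    if ($Address -match 'SMTP:([^\]\s]+)') { $smtp = $Matches[1] } else { $smtp = $Address }
    if ($smtp -notmatch '@') { return $false }   # internal recipient object, not an SMTP address
    $domain = ($smtp -split '@')[-1].ToLower()
    return ($internalDomains -notcontains $domain)
}

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        # All three actions can push mail out of the organization.
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress -Address ([string]$t)) {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Rule    = $rule.Name
                    Enabled = $rule.Enabled
                    Target  = [string]$t
                }
            }
        }
    }
}

$report | Sort-Object Mailbox | Format-Table -AutoSize

# To stop the loop while you investigate, disable the rule rather than deleting it:
# Disable-InboxRule -Mailbox <mailbox> -Identity <rule name>
```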

Hyper V General access denied error

IDE/ATAPI Account does not have sufficient privilege to open attachment 'E:\VMs\VMName\Disk0.vhd'. Error: 'General access denied error'

What this is trying to tell you is that HYPER-V has a user account for each VM. This user account is a random string of letters and numbers. This user account is hidden. This user account has access to the VHDs.

If you were to do something like move the VHDs off the drive, expand the drive and move them back onto the new drive, the user account would no longer have access.

No problem. Just add the permissions back in.

Look at the details of the error message and it will let you know the user account name. Something like:

AE78918D-FE0E-4E6D-AFF5-25B32D4FE243

In command prompt (as admin), type something like:

C:\>icacls "F:\VHD\VHD-NAME-HERE.avhdx" /grant "NT VIRTUAL MACHINE\AE78918D-FE0E-4E6D-AFF5-25B32D4FE243":(F)

It will respond with something like:

processed file: F:\VHD\VHD-NAME-HERE_756DFD7E-5E29-4ABA-B12F-40BAD636E2A2.avhdx
Successfully processed 1 files; Failed processing 0 files

Now start the VM and it should start without hassle.
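
Rather than copying the GUID out of the error message for each disk, the same repair can be driven from the Hyper-V module. This is an added example, not from the original post; it assumes an elevated PowerShell session on the host where Get-VM, Get-VMHardDiskDrive and Get-VHD are available, and the $VMName filter is a hypothetical parameter.

```powershell
# Added example (not from the original post): re-grant each VM's own
# "NT VIRTUAL MACHINE\<VMId>" account full control on every VHD/VHDX/AVHDX it
# uses, walking checkpoint chains so parent disks are covered too.
# Assumes the Hyper-V PowerShell module on the host, run as administrator.
param([string]$VMName = '*')   # hypothetical filter; '*' = every VM on the host

foreach ($vm in Get-VM -Name $VMName) {
    # Same account the icacls command above grants, built from the VM's GUID.
    $account = "NT VIRTUAL MACHINE\$($vm.VMId)"
    foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
        $path = $disk.Path
        # A checkpoint .avhdx depends on its parent; follow the chain to the root.
        while ($path) {
            $acl = Get-Acl -Path $path
            $hasFull = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $account -and
                $_.FileSystemRights -eq 'FullControl' -and
                $_.AccessControlType -eq 'Allow'
            }
            if (-not $hasFull) {
                Write-Host "Granting $account full control on $path"
                icacls.exe $path /grant "${account}:(F)" | Out-Null
            }
            $path = (Get-VHD -Path $path).ParentPath   # empty at the root of the chain
        }
    }
}
```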

NOTES:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/virtualization/hyper-v-virtual-machine-not-start-0x80070005

Last Updated on Tuesday, 15 September 2020 14:43

NIC Teaming Cisco Flapping For Server Host Hyper-V or VMware

This is solved by creating a port-bond/lag/etherchannel on the Cisco Switch.

Here is my config:

interface Port-channel1
description LAG to Server Host 1
switchport
switchport trunk allowed vlan 1-3
switchport mode trunk
switchport nonegotiate

!

interface GigabitEthernet1/1
description LAG Server Host 1 Member 1
switchport
switchport trunk allowed vlan 1-2
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on

!

interface GigabitEthernet1/2
description LAG Server Host 1 Member 2
switchport
switchport trunk allowed vlan 1-3
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on

Recovering Foreign/Unconfigured (bad) drives

The controller says a foreign configuration was detected during boot. All of the drive bays have red lights on them. I try to import the configuration, but it fails.

Failure to import arrays usually means that the drives were unexpectedly powered off or disconnected from the RAID controller, which puts them in the Unconfigured(bad) state. This is done as a precautionary measure to prevent drives with bad connections from joining the array, as sudden disconnects can result in data corruption.

These scenarios may also be accompanied by errors regarding preserved-cache on the controller, where if there were pending write operations at the time of the failure the controller holds the data until the disks are verified working, again as a preventative measure against data corruption.

Drives stuck in the Unconfigured(bad) state need to be manually set back to Unconfigured(good) before they will be importable. Please be aware that this procedure does not guarantee that your data will be restored, and has the potential to further damage your data if the drives are failing due to hardware defects. 

If you want to import the configuration anyway, you can set the drives to Unconfigured(good) through the MegaRAID BIOS, then retry importing the configuration.

1. Start the LSI/AVAGO/MegaRAID BIOS.

2. Click DRIVES (on the left-hand side).

3. Select an unconfigured drive, then click PROPERTIES > GO.

4. Click Make Unconf Good > Go.
Do this for every Unconfigured(bad) drive.

5. Once all the drives have been marked good, head back to the MegaRAID BIOS home page, then click Scan Devices to initiate a rescan of the enclosures. This should then prompt you with any foreign configurations detected, which you can then import.

Last Updated on Sunday, 11 October 2020 17:00

Find Cluster Size in Partition

Dealing with a data array of 24 physical disks. The controller is a MegaRaid/LSI/Avago 3108 firmware v24.9.0-0022. The physical disks are 500GB drives giving about 9TB.

Wanting to upgrade the storage space, I replaced the drives with 2 TB physical disks. This was done on-the-fly, 1-at-a-time so that the office was not disrupted. Fail disk, remove disk, insert new disk, let it re-raid. The process took about an hour a disk and I was able to complete over a few days.

With the new space available, I was able to grow the virtual-disk on the fly. Took about 8 hours to initialize.

With the disk space available, I wanted to expand the volume in Windows Disk Manager but got an error message:

"The volume cannot be extended because the number of clusters will exceed the maximum number of clusters supported by the file system."

Well, how many clusters do I have? Type:

fsutil fsinfo ntfsinfo f:

This shows that the cluster size is 4 KB; this is the default size.

As such, the official docs say that the max size is 16TB:

Cluster size            Largest volume   Largest file
4 KB (default size)     16 TB            16 TB
8 KB                    32 TB            32 TB
16 KB                   64 TB            64 TB
32 KB                   128 TB           128 TB
64 KB (maximum size)    256 TB           256 TB

The only way around this is to reformat the drive with a larger cluster size.

NOTES:
https://docs.microsoft.com/en-us/windows-server/storage/file-server/ntfs-overview

Last Updated on Friday, 11 September 2020 13:04

Outlook 365 Will Not Connect to Gmail

1- turn on 2-STEP-VERIFICATION here:
https://myaccount.google.com/security

2- create an APP-PASSWORD
(select MAIL > WINDOWS)
(it will give a random password such as: sdfs sdfd dfas hfgr)

3- disable SIMPLE ACCOUNT CREATION in OUTLOOK:
(download disable SIMPLE ACCOUNT CREATION)
(double-click to import)

4- restart OUTLOOK

5- add the gmail account
(use the APP-PASSWORD with no-spaces)
(do NOT use the password to access the account)

Last Updated on Friday, 04 September 2020 15:41

Dell Latitude 7490 BSOD | WHEA UNCORRECTABLE ERROR

  • go to the Device Manager.
  • click DISPLAY ADAPTER
  • uninstall the display adapter and delete the driver.
  • reboot.
  • repeat until the base driver shows: Microsoft Display Adapter
  • download the video driver from: https://support.dell.com
  • run file and EXTRACT (not install).
  • right-click Microsoft Display Adapter.
  • update driver.
  • manually select the extracted-folder\Graphics
  • let it install.
  • reboot.

NOTES:
-https://www.dell.com/support/article/en-us/sln313066/latitude-5x80-5x90-7x80-7x90-and-precision-3520-windows-hardware-error-architecture-whea-blue-screen-or-system-hang?lang=en

Last Updated on Wednesday, 12 August 2020 09:57

WSUS Server Keeps Stopping

Internet Information Services (IIS) Manager → Server → Application Pools → Select “WSUSPool” → Actions Advanced → Recycling → change “Private Memory Limit (KB)“.

-set to 0 (no limit).
-started WSUSPool.
-started Windows WSUS service.
-started cleanup.

Surface Pro Keyboard Does Not Work | Surface Pro Type Pad Does Not Work | Surface Book Keyboard Does Not Work

-open CMD (as admin)
-type: systeminfo (to verify the Surface model, e.g. Surface Pro 4).
-download/install newest drivers/firmware for Surface model.
-reboot.
-device-manager.
-show hidden devices (click VIEW at the top).
-human-interface-devices.
-surface type pad integrator > delete > checkmark to remove drivers.
-keyboard.
-uninstall all keyboards.
-shutdown.
-hold volume-up and power button for full 30 seconds.
-power on.
-type pad should work.

Cisco Set Trunk For Watchguard AP

Have a Watchguard AP 325. The Cisco switches are 2960. They are POE.

The Watchguard AP 325 powers up and gets an IP address. The Watchguard Firebox cannot see the AP. What gives?

Well, the port that it is on is not set as a trunk port. A trunk port is a network port that allows data to flow across a network for multiple VLANs. A trunk port can be thought of as a "bundle."

Since the AP is going to have multiple devices connected for traffic, it needs to be set as a trunk port.

Here's how:

enable
show interface status | include trunk
config t
int Gi3/0/34
Description Whatever AP Name Here
switchport mode trunk
switchport access vlan 1
switchport trunk native vlan 300
no switchport voice vlan
switchport trunk allowed vlan 300-306
end

show int Gi3/0/34 switchport
show int Gi3/0/34 trunk

write mem
copy run start

Class dismissed!

Last Updated on Wednesday, 29 July 2020 17:57

aksfridge.sys BSOD on Windows Update | Sentinel Causes BSOD

-updated RST driver.
-wget https://downloadmirror.intel.com/29647/eng/SetupRST.exe -outfile setuprst-v17.9.1.1009.exe
-setuprst-v17.9.1.1009.exe -accepteula -s
-reboot

-bsod being caused by aksfridge.sys
-this is the SENTINEL bug.
-download the command-line installer (instructions here):
https://supportportal.gemalto.com/csm?sys_kb_id=979a4e21db92e78cfe0aff3dbf9619c6&id=kb_article_view&sysparm_rank=7&sysparm_tsqueryId=4ad5b82e1bfc5410f12064606e4bcb15&sysparm_article=KB0018319

a. Go to this site: https://sentinelcustomer.safenet-inc.com/sentineldownloads/
b. Click: Sentinel LDK RunTime & Drivers
c. Download: "Sentinel HASP/LDK - Command Line Run-time Installer".
d. Unzip the files.
e. In an elevated command prompt (run cmd.exe as an administrator) navigate to the location where you unzipped haspdinst.exe.
f. Type the command “haspdinst.exe -remove” without quotes and press Enter.
g. When it finishes successfully, type the command “haspdinst.exe -purge” without quotes and press Enter.
h. When this finishes successfully, the HASP drivers should now be uninstalled. Re-boot and try the upgrade again.

Fix Microsoft Windows Store | Fix Windows Calculator App

-go to: C:\Program Files\WindowsApps
-change ownership to ADMINISTRATORS.
-change permissions to ADMINISTRATORS | FULL-PERMISSIONS
-look in the list for the APP that won't work (ie CALCULATOR).
-delete the folders.

1. Copy URL for the Microsoft Windows Store app: https://www.microsoft.com/en-gb/p/microsoft-store/9wzdncrfjbmp?activetab=pivot:overviewtab
2. Paste copied URL into search box: https://store.rg-adguard.net/
3. Find WINDOWS STORE. There will be 2 versions
12007.1001.213.0
12007.1001.213.70
4. Download the version ending in .0 (not .70)
5. Run the file and select Install
6. SETTINGS > APPS
7. click STORE
8. click ADVANCED-OPTIONS
9. click RESET

Last Updated on Friday, 17 July 2020 17:33

Dell Installation Command Lines

Dell Installation Command Lines just in case anyone needs:

dism /online /add-provisionedappxpackage /packagepath:C:\\DELL\27T76\175eee777610486798c16be30cbbe29b.appxbundle /dependencypackagepath:C:\\DELL\27T76\Microsoft.NET.Native.Framework.2.0_2.0.27427.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\DELL\27T76\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\DELL\27T76\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\DELL\27T76\Microsoft.NET.Native.Framework.2.0_2.0.27427.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\DELL\27T76\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\DELL\27T76\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe.appx /licensepath:C:\\DELL\27T76\175eee777610486798c16be30cbbe29b_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:C:\\DELL\2PGXF\f68432bfe31a4034a94b2fa07b206df6.appxbundle /licensepath:C:\\DELL\2PGXF\f68432bfe31a4034a94b2fa07b206df6_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:C:\\Apps\334CH\DELL\334CH\11023d4f34c14610a6161cf4fb3c0d78.appxbundle /dependencypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.NET.Native.Framework.2.0_2.0.27427.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.NET.Native.Framework.2.0_2.0.27427.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe.appx /licensepath:C:\\Apps\334CH\DELL\334CH\11023d4f34c14610a6161cf4fb3c0d78_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\5NT2Y\RstHsaBridge_17.5.1005.0_x64_bundle.appxbundle /dependencypackagepath:c:\dell\5NT2Y\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27323.0_x64__8wekyb3d8bbwe.appx /licensepath:c:\dell\5NT2Y\2ab1a93c7f5944c7a5d2413b3f1decaf_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\8R3T7\2ccd06ab93a5461080ec95e9acfddb44.appxbundle /dependencypackagepath:c:\dell\8R3T7\Microsoft.NET.Native.Framework.1.7_1.7.27413.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\8R3T7\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\8R3T7\Microsoft.VCLibs.140.00_14.0.26706.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\8R3T7\Microsoft.NET.Native.Framework.1.7_1.7.27413.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\8R3T7\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\8R3T7\Microsoft.VCLibs.140.00_14.0.26706.0_x86__8wekyb3d8bbwe.appx /licensepath:c:\dell\8R3T7\2ccd06ab93a5461080ec95e9acfddb44_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\9R2CY\d8eb3d301c8e44c893460c573e2524e3.appx /dependencypackagepath:c:\dell\9R2CY\Microsoft.NET.Native.Framework.2.1_2.1.27427.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\9R2CY\Microsoft.NET.Native.Runtime.2.1_2.1.26424.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\9R2CY\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\9R2CY\Microsoft.NET.Native.Framework.2.1_2.1.27427.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\9R2CY\Microsoft.NET.Native.Runtime.2.1_2.1.26424.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\9R2CY\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe.appx /licensepath:c:\dell\9R2CY\d8eb3d301c8e44c893460c573e2524e3_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\CPWK1\99a6dd26bc5645b3a738200b2f69ca51.appxbundle /licensepath:c:\dell\CPWK1\99a6dd26bc5645b3a738200b2f69ca51_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\NXM09\5fb8f189f2804baeb42a158867b0ba1d.appx /licensepath:c:\dell\NXM09\5fb8f189f2804baeb42a158867b0ba1d_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\P17DD\6b148b557f42489bad3fd35943962277.appxbundle /dependencypackagepath:c:\dell\P17DD\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\P17DD\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\P17DD\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\P17DD\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\P17DD\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\P17DD\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe.appx /licensepath:c:\dell\P17DD\6b148b557f42489bad3fd35943962277_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:C:\Apps\YR2T2\560274d333d4453891d8ec26f03f7a7c.appxbundle /dependencypackagepath:C:\Apps\YR2T2\Microsoft.NET.Native.Framework.2.0_2.0.27427.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\Apps\YR2T2\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\Apps\YR2T2\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\Apps\YR2T2\Microsoft.NET.Native.Framework.2.0_2.0.27427.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:C:\Apps\YR2T2\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:C:\Apps\YR2T2\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe.appx /licensepath:C:\Apps\YR2T2\560274d333d4453891d8ec26f03f7a7c_License1.xml /Region="all"

Cisco Router VRF

Cisco Router VRFs are virtual routers: basically the Cisco version of Hyper-V/VMware.

The advantage of this is that you can take a single internet connection/MPLS connection and break it into 2 connections. Each connection will have its own outside-ip and inside-ip.

When this happens, the routes move from the physical connection to the virtual connection/VRF connections.

Show VRF connections:
show vrf

Show VRF routes:
show ip route vrf vrf-name-here

Add VRF route:
enable
config t
router bgp 65000
network 10.162.116.0
address-family ipv4 vrf vrf-name-here
network 10.162.116.0
exit-address-family
exit
ip route vrf vrf-name-here 10.162.116.0 255.255.255.0 10.162.100.1
(The above is: subnet subnet-mask gateway)
exit

Verify the config and save it as the startup config:
show run
copy run start

Last Updated on Wednesday, 15 July 2020 14:19

Windows Catalog MSU Download and Install

The June 2020 updates have caused problems.

To fix, Microsoft has put out an update. Found here (select your Windows version on the left-hand side):
https://support.microsoft.com/en-us/help/4555932

The trick is that the update will not be pushed out through Windows Update and it will not be pushed out through Windows Server Update Services (WSUS).

So the only option is to get it from Windows Catalog.

Here is how to download:
wget "http://download.windowsupdate.com/c/msdownload/update/software/updt/2020/06/windows10.0-kb4567512-x64_2ea636c671529de2154d48a1181c0f02cd919da5.msu" -outfile "windows10.0-kb4567512-x64_2ea636c671529de2154d48a1181c0f02cd919da5.msu"

Here is how to install:
wusa.exe "c:\installs\windows10.0-kb4567512-x64_2ea636c671529de2154d48a1181c0f02cd919da5.msu"

Outlook 365 | Windows Security Box Keeps Showing

Open Outlook 365. The Windows Security Box shows. You type in the password. The box shows again. And again. And again. What gives?

This could happen for a few reasons.

1- check the DNS records. There should be an autodiscover on the company domain name. In other words: autodiscover.daknetworks.com should go somewhere. And that somewhere should be correct.

2- check the DNS records. If there is more than 1 domain, then the autodiscover needs to be on all of the domains. In other words, autodiscover.daknetworks.net should go somewhere as well. That somewhere should be the same somewhere as the main domain.

3- check the Control-Panel > Credential Manager. Close Outlook. Delete any username/password that indicates Outlook. If there are incorrect username & password saved in there, they will be used to access the email. Since the username/password are incorrect, it will ask for the correct username/password.

4- check the registry at:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AutoDiscover\

There are 2 parts to Outlook. The client software, what you are using on your system, and the server software, what the entire company is using to store/send/receive email.

Beginning with Outlook 2016/Outlook 365 some of the options to manually set what happens are removed in an effort to try to make setup easier.

If you have Outlook 365, then most likely you have Microsoft 365 for the company and it tries to automatically connect to the Microsoft 365 server.

But if you have Outlook 365 and have a private Exchange server, that can cause a mismatch. This results in Outlook always asking for a username/password for the Microsoft 365 server.

Outlook 365 automatically goes through a list to get autodiscover information. This is as follows:

- PreferLocalXML
- Office 365 | ExcludeExplicitO365Endpoint
- Root domain look up (Fancy way of saying it queries the A record) | ExcludeHttpsRootDomain
- Secure URL look up | ExcludeHttpsAutoDiscoverDomain
- Local Autodiscover (SCP object) | ExcludeScpLookup
- HTTP redirect | ExcludeHttpRedirect
- SRV record look up | ExcludeSrvRecord
- Last Known URL | ExcludeLastKnownGoodURL

To skip a method, this is set via a registry edit:

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v PreferLocalXML /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeHttpRedirect /d 0
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeHttpsAutoDiscoverDomain /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeHttpsRootDomain /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeScpLookup /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeSrvRecord /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeLastKnownGoodURL /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeExplicitO365Endpoint /d 1
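
To see which of the methods above a given machine is actually skipping, the following added example (not from the original post) reads the same values back. It checks the Group Policy key first, since a policy value overrides the user value, and reports each method from the list above; run it as the affected user.

```powershell
# Added example (not from the original post): report which Autodiscover lookup
# methods Outlook 2016/365 will skip, by reading the registry values that the
# "reg add" commands above set. Policy values (GPO) win over user values.
$keys = @(
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover',  # GPO-managed
    'HKCU:\Software\Microsoft\Office\16.0\Outlook\AutoDiscover'            # user-set
)

# Registry value name -> the lookup method it controls (same order Outlook tries them).
$methods = [ordered]@{
    'PreferLocalXML'                 = 'Prefer local XML file'
    'ExcludeExplicitO365Endpoint'    = 'Office 365 endpoint'
    'ExcludeHttpsRootDomain'         = 'Root domain (A record) lookup'
    'ExcludeHttpsAutoDiscoverDomain' = 'Secure URL (autodiscover.<domain>) lookup'
    'ExcludeScpLookup'               = 'Local Autodiscover (SCP object)'
    'ExcludeHttpRedirect'            = 'HTTP redirect'
    'ExcludeSrvRecord'               = 'SRV record lookup'
    'ExcludeLastKnownGoodURL'        = 'Last known good URL'
}

function Get-AutodiscoverFlag([string]$Name) {
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k
            if ($p.PSObject.Properties[$Name]) { return [int]$p.$Name }
        }
    }
    return 0   # value absent: Outlook default, the method is used
}

foreach ($name in $methods.Keys) {
    $value = Get-AutodiscoverFlag $name
    # PreferLocalXML is an opt-in, the Exclude* values are opt-outs.
    $state = if ($name -eq 'PreferLocalXML') {
        if ($value -eq 1) { 'preferred' } else { 'not preferred' }
    } else {
        if ($value -eq 1) { 'SKIPPED' } else { 'used' }
    }
    '{0,-32} {1,-42} {2}' -f $name, $methods[$name], $state
}
```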

5- trial software. There might be Office trial software installed along side of the Office software:

  • Open COMMAND-PROMPT (as admin)
  • Change to the Office folder, type:
    cd "C:\Program Files (x86)\Microsoft Office\Office16"
  • Check the license, type:
    cscript ospp.vbs /dstatus
  • Uninstall the license, type:
    cscript ospp.vbs /unpkey:[last 5 characters of the product key]
    (ie: cscript ospp.vbs /unpkey:VMFTK)
  • Restart the system.

NOTES:
-https://docs.microsoft.com/en-us/outlook/troubleshoot/domain-management/unexpected-autodiscover-behavior
-https://support.microsoft.com/en-us/help/3211279/outlook-2016-implementation-of-autodiscover
-https://docs.microsoft.com/en-us/Exchange/architecture/client-access/autodiscover?redirectedfrom=MSDN&view=exchserver-2019
-https://practical365.com/exchange-server/fixing-autodiscover-root-domain-lookup-issues-mobile-devices/

Last Updated on Wednesday, 22 July 2020 15:05

MobileIron Stops Working

Getting MobileIron to work is a process. I wish I had my notes. All I can say is get the setup support. It will take about 20 hours or so even with a cloud setup.

This includes the following:

  • CONNECTOR
  • SENTRY
  • LDAP(S)
  • CERTIFICATE
  • forcing all email through SENTRY.

Outside services like MIMECAST or MOBILEIRON need information from the Active-Directory. Mimecast gets the info directly through LDAPS and a dedicated USERNAME and PASSWORD to send the information. This works but the effort in getting LDAPS through the firewall is upon the customer.

As a result, other companies like MICROSOFT and MOBILEIRON require a setup to be established internally or a CONNECTOR. This connector is responsible for sending the Active-Directory info to the cloud service. This gets around the effort of the firewall but it adds the effort of maintaining the CONNECTOR.

The MICROSOFT CONNECTOR is an APP on a dedicated Windows Server called Microsoft Azure Active Directory Connect.

The MOBILEIRON CONNECTOR is a dedicated Linux-based server with a limited command set.

MOBILEIRON CONNECTOR updates automatically. When it does, it disconnects from the MOBILEIRON CLOUD.

Here's how to fix:

  • login to the MOBILEIRON CONNECTOR onsite.
  • type: enable
  • type: connector stop
  • type: connector start

Last Updated on Tuesday, 12 May 2020 09:46

Windows 10 Activation Error | SLMGR

slmgr.vbs /dlv
-access denied: 0xc0000022

-software-protection service is not started (sppsvc).
-try to start: access denied

-regedit
-go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
-go to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Software Protection
-go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPPSVC
-go to: HKEY_LOCAL_MACHINE\SYSTEM\WPA

-permissions
-USER: NT Service\SPPSVC
-add: FULL CONTROL

-restart

slmgr.vbs /dlv
Find the Activation Code.

slmgr.vbs /dli activation-code-here
Find the details.

changepk.exe /ProductKey 12345-12345-12345-12345-12345

NOTES:
https://digitalbamboo.wordpress.com/tag/windows-software-protection-will-not-start-access-denied-5/

QCA9377 Ubuntu 18.04

Here are my travels getting QCA9377/ath10k working with Ubuntu 18.04 LTS.

The system needs both the driver and the firmware.

$ lspci
02:00.0 Network controller: Qualcomm Atheros QCA9377 802.11ac Wireless Network Adapter (rev 31)

$ sudo dmesg | grep ath10k
[ 23.189587] ath10k_pci 0000:02:00.0: pci irq msi oper_irq_mode 2 irq_mode 0 reset_mode 0
[ 23.497366] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/pre-cal-pci-0000:02:00.0.bin failed with error -2
[ 23.497373] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/cal-pci-0000:02:00.0.bin failed with error -2
[ 23.553780] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/QCA9377/hw1.0/firmware-6.bin failed with error -2
[ 23.725428] ath10k_pci 0000:02:00.0: qca9377 hw1.1 target 0x05020001 chip_id 0x003821ff sub 17aa:0901
[ 23.725429] ath10k_pci 0000:02:00.0: kconfig debug 0 debugfs 1 tracing 1 dfs 0 testmode 0
[ 23.725786] ath10k_pci 0000:02:00.0: firmware ver WLAN.TF.1.0-00002-QCATFSWPZ-5 api 5 features ignore-otp crc32 c3e0d04f
[ 23.823833] ath10k_pci 0000:02:00.0: board_file api 2 bmi_id N/A crc32 8aedfa4a
[ 24.455129] ath10k_pci 0000:02:00.0: htt-ver 3.44 wmi-op 4 htt-op 3 cal otp max-sta 32 raw 0 hwcrypto 1
[ 25.139469] ath10k_pci 0000:02:00.0 wlp2s0: renamed from wlan0

https://www.dell.com/support/article/en-us/sln306440/killer-n1535-wireless-firmware-manual-update-guide-for-ubuntu-systems?lang=en

$ cd /lib/firmware/ath10k/QCA9377/hw1.0
$ sudo cp WLAN.TF.2.1/firmware-6.bin_WLAN.TF.2.1-00016 firmware-6.bin
(Be sure to use the higher/newest firmware number; the directory must be hw1.0, the path dmesg shows the driver looking in.)

$ dmesg | grep -i "error\|warn\|fail"
[ 1.162573] RAS: Correctable Errors collector initialized.
[ 7.807736] EXT4-fs (sda5): re-mounted. Opts: errors=remount-ro
[ 23.497366] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/pre-cal-pci-0000:02:00.0.bin failed with error -2
[ 23.497373] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/cal-pci-0000:02:00.0.bin failed with error -2
[ 23.553780] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/QCA9377/hw1.0/firmware-6.bin failed with error -2

$ uname -r
4.15.0-99-generic

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade

$ sudo nmcli dev wifi list

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic

# v18.04.4 has a newer kernel but it is not installed automatically on LTS.
# Let's install the newer kernel:
$ sudo apt install --install-recommends linux-generic-hwe-18.04 xserver-xorg-hwe-18.04

$ uname -r
5.3.0-51-generic

 

Remote Domain Exchange 2013

Let's say that you have an external domain that your company regularly works with. You want to customize some items for this external domain, such as letting them get out-of-office replies and not showing a MailTip message that they are an external user.

New-RemoteDomain -DomainName externaldomain.tld -Name externaldomain
set-remotedomain externaldomain -IsInternal $true -AutoReplyEnabled $true -AutoForwardEnabled $true

No more external-user MailTip for this domain.

Get the details by:

get-remotedomain externaldomain |fl

Outlook 2016 MailTips | Exchange 2013 MailTips

If someone is set to Out of Office and you try to send them an email, before you hit the SEND button, you might get a message that states the Out of Office message. This is a MailTip. There are other MailTips as well. The most common are enabled by default. The advanced MailTips are disabled by default.

One advanced MailTip is a notice when sending an email to outside the company. This can be helpful for certain companies. Here is how to see the current settings:

To get the MailTip setting:
Get-OrganizationConfig |findstr /i mail

To set a MailTip to show when sending outside the company:
set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $true

Ideally, I wanted to turn this on for a group of people but leave it off for everyone else. I could not find a way, so I just left it on for everyone. Going ISO27001 and getting certified will probably encourage this setting anyway.

NOTES:
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips
https://docs.microsoft.com/en-us/powershell/module/exchange/organization/set-organizationconfig?view=exchange-ps

Last Updated on Thursday, 23 April 2020 14:09

VPN, Home Network Not Set to Private

Here is how to diagnose remotely.

  1. Show network connections (in CMD):
    netsh wlan show interfaces
  2. Get the profile:
    get-netconnectionprofile -name "wifi-profile-name-here"
  3. If the get-netconnectionprofile/set-netconnectionprofile says "Provider load failure" then check the bitness:
    [Environment]::Is64BitProcess
    (If says "false" then you are running 32-bit.)
  4. Get the profile (in Powershell):
    get-netconnectionprofile -name "wifi-profile-name-here"
  5. Set the profile to Private (in Powershell):
    set-netconnectionprofile -name "wifi-profile-name-here" -NetworkCategory Private
  6. Set the firewall to allow:
    Set-NetFirewallRule -DisplayGroup 'File And Printer Sharing' -Enabled True -Profile 'Private, Domain'

Last Updated on Thursday, 15 October 2020 08:46

See What Teams an Account is a Member Of

Microsoft Teams has its own PowerShell module. Please see the article on connecting to Azure/Office365.

Once connected to Microsoft Teams, you have a few options:

See all Teams:

Get-Team

See all Teams a user is a member of:

Get-Team -User user-principal-name-here

NOTES:
https://docs.microsoft.com/en-us/powershell/module/teams/?view=teams-ps

See Soft Deleted Accounts in AzureAD | Restore Soft Deleted Accounts in AzureAD

To see all the accounts in AzureAD:
Get-MsolUser -All $true
Get-AzureADUser -All $true

To see all the "Guest" accounts in AzureAD:
Get-MsolUser -All $true | ? {$_.UserType -eq "Guest"}
Get-AzureADUser -All $true |where {$_.UserType -eq 'Guest'}

To get the details:
Get-AzureADUser -All $true |where {$_.UserType -eq 'Guest'} |select objectid,userprincipalname

This will return the userprincicpal names of the guest accounts. Usually in the format of:
accountname_domainoutside.com#EXT#@tenant-name-internal.onmicrosoft.com

If you delete a "guest" user or "member" user, the account is "soft-deleted" and is still in AAD. It stays in that state for 30 days and is then permanently deleted. Either of these does the soft delete:
Remove-MsolUser -UserPrincipalName This e-mail address is being protected from spambots. You need JavaScript enabled to view it
Remove-AzureADUser -ObjectID This e-mail address is being protected from spambots. You need JavaScript enabled to view it

While the account is in this state, the account can be restored. However, the account cannot be added/invited to another Team.

To view accounts in the "soft-deleted" state:
Get-MsolUser -All -ReturnDeletedUsers |select UserPrincipalName,ObjectId
Get-AzureADMSDeletedDirectoryObject -Id aa644285-eb75-4389-886e-7233f096984c
The AzureADMS cmdlet only works if you already know the ObjectId. The MSOL output above includes it (the GUID is the same directory object id in both modules); the other place to find it is the AAD audit log, filtered for "Delete User".

To look at the logs, the AzureADPreview module must be installed:
Install-module AzureADPreview

After the AzureADPreview module is installed, run the following to check the logs for user deletion:
Get-AzureADAuditDirectoryLogs -Filter "category eq 'UserManagement' and OperationType eq 'Delete'" |ft
(The ID you want is the deleted user's entry under TargetResources, not the Correlation ID; the Correlation ID only ties together the API calls of that one delete request. Expand it with |select -ExpandProperty TargetResources.)

To permanently delete/hard-delete a guest:
Remove-MsolUser -UserPrincipalName This e-mail address is being protected from spambots. You need JavaScript enabled to view it -RemoveFromRecycleBin
Remove-AzureADMSDeletedDirectoryObject -Id aa644285-eb75-4389-886e-7233f096984c

To restore an account:
Restore-MsolUser -UserPrincipalName This e-mail address is being protected from spambots. You need JavaScript enabled to view it
Restore-AzureADMSDeletedDirectoryObject -Id aa644285-eb75-4389-886e-7233f096984c
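As an added example (not code from the original post), here is the lookup-and-restore workflow in one place. It pulls the ObjectId from both sources described above and then restores or hard-deletes by that id. It assumes Connect-MsolService and Connect-AzureAD (from the AzureADPreview module) have already succeeded; the function names are my own, and the property names on the audit entries (TargetResources, InitiatedBy) are those of the AzureADPreview audit-log objects.

```powershell
# Added example, not the post's own code. Assumes Connect-MsolService and
# Connect-AzureAD (AzureADPreview module) have already succeeded.

function Get-SoftDeletedUser {
    # Recycle-bin users with the GUID the AzureADMS* cmdlets need.
    Get-MsolUser -All -ReturnDeletedUsers |
        Select-Object UserPrincipalName, ObjectId
}

function Get-UserDeletionFromAuditLog {
    # Same GUID, recovered from the audit trail: each delete event names the
    # deleted object under TargetResources (its Id), plus who deleted it.
    Get-AzureADAuditDirectoryLogs -Filter "category eq 'UserManagement' and OperationType eq 'Delete'" |
        ForEach-Object {
            $event = $_
            foreach ($target in $event.TargetResources) {
                if ($target.Type -eq 'User') {
                    [pscustomobject]@{
                        When              = $event.ActivityDateTime
                        UserPrincipalName = $target.UserPrincipalName
                        ObjectId          = $target.Id
                        DeletedBy         = $event.InitiatedBy.User.UserPrincipalName
                    }
                }
            }
        }
}

function Resolve-SoftDeletedUser {
    # Restore by default; -HardDelete empties it from the recycle bin instead.
    # Get-AzureADMSDeletedDirectoryObject throws if the id is not in the bin,
    # which stops us from acting on a live object by mistake.
    param(
        [Parameter(Mandatory)][string]$ObjectId,
        [switch]$HardDelete
    )
    $deleted = Get-AzureADMSDeletedDirectoryObject -Id $ObjectId -ErrorAction Stop
    if ($HardDelete) {
        Remove-AzureADMSDeletedDirectoryObject -Id $deleted.Id
        "hard-deleted $($deleted.Id)"
    } else {
        Restore-AzureADMSDeletedDirectoryObject -Id $deleted.Id
        "restored $($deleted.Id)"
    }
}

# Usage: pick the guest by its #EXT# UPN pattern, then restore it.
# $id = (Get-SoftDeletedUser | Where-Object UserPrincipalName -like '*#EXT#*').ObjectId
# Resolve-SoftDeletedUser -ObjectId $id
```

Run Get-UserDeletionFromAuditLog when the question is "who deleted this and when", and Get-SoftDeletedUser when you just need the id; both give the same GUID.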

NOTES:
Get-AzureADMSDeletedUser/Restore-AzureADMSDeletedDirectoryObject does not exist, yet.
AzureAD Module v2.0 documentation: https://docs.microsoft.com/en-us/powershell/module/AzureAD/?view=azureadps-2.0
AzureAD v2.0-preview documentation: https://docs.microsoft.com/en-us/powershell/module/AzureAD/?view=azureadps-2.0-preview
(Check out the difference in the documentation for "Deleted Objects" section to get a feel of where development is happening.)

Last Updated on Monday, 06 April 2020 15:28

Fail2Ban

Fail2Ban is amazing. It is a Python program that tails log files (Apache, sshd, Postfix, whatever you point it at), matches lines against regex filters and, when one IP address trips a filter enough times, bans that IP (by default with a firewall rule) for a set amount of time.

Overall daemon config (log level, socket, etc.):

/etc/fail2ban/fail2ban.conf

Defining the jails (which filter watches which log, and the thresholds). Don't edit this file; it is overwritten on upgrade. Put overrides in /etc/fail2ban/jail.local:

/etc/fail2ban/jail.conf

Defining individual filters based on regex (failregex, and optionally ignoreregex for lines that must never count):

/etc/fail2ban/filter.d/filter-name.conf

Defining ignore patterns (ignoreregex) in their own file, so they can be reused across filters (the directory name is my own choice):

/etc/fail2ban/filter.d/ignorecommands/ignorecommand

You can test filters using fail2ban-regex <logfile> <filter> [<ignoreregex-file>]:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf

Or with a separate ignoreregex file:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf /etc/fail2ban/filter.d/ignorecommands/ignorecommand

It will even pick up the ignoreregex already in the filter-name.conf if you pass the filter itself as the third argument:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf /etc/fail2ban/filter.d/apache-scan.conf

You can print the matches:

fail2ban-regex --print-all-matched /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf

There are a bunch of filters already available in filter.d. It is just a matter of enabling the jail and setting findtime (how far back strikes are counted, e.g. 24 hours), maxretry (how many strikes, e.g. 3) and bantime (2h, 2d, etc.). Always put your own management addresses in ignoreip, or the first fat-fingered login locks you out of your own server.

Since most of the traffic I see is bad bots, apache-badbots happens to be one of my favorites.
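As an added example (not from the original post): a /etc/fail2ban/jail.local that enables the stock apache-badbots filter and the custom apache-scan filter tested above, with the three thresholds spelled out. The log path, the address ranges in ignoreip, the ban action and the numbers are assumptions to adjust; the h/d time suffixes need fail2ban 0.10 or later (older versions want plain seconds).

```ini
# Added example, not from the original post: /etc/fail2ban/jail.local
# Overrides only; jail.conf itself stays untouched.
[DEFAULT]
ignoreip  = 127.0.0.1/8 10.0.0.0/8   # assumed: loopback + management network, never banned
findtime  = 24h                      # the "reach-back": window in which strikes are counted
maxretry  = 3                        # strikes inside findtime before a ban
bantime   = 2d                       # how long the ban lasts
banaction = iptables-multiport       # assumed iptables host; firewallcmd-ipset on firewalld

[apache-badbots]
enabled  = true
port     = http,https
logpath  = /var/log/httpd/access_log # assumed log location
maxretry = 1                         # one hit from a known bad User-Agent is enough

[apache-scan]
enabled  = true
port     = http,https
filter   = apache-scan               # /etc/fail2ban/filter.d/apache-scan.conf, as tested above
logpath  = /var/log/httpd/access_log
```

Apply it with fail2ban-client reload, then fail2ban-client status apache-scan shows the currently banned addresses and the running totals for that jail.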

 

Last Updated on Sunday, 12 April 2020 15:28

Create Shared Calendar

You have a few options.

  1. -create a shared mailbox. Doing so, you can force this on someone's Outlook. However, they will not receive calendar reminders. Bummer.
  2. -create a normal mailbox. Doing so, you will need to manually add the account to Outlook. Bummer.
  3. -create a shared calendar from a typical mailbox. A little complicated, especially for a large group. But for a small group, this might work.
  4. -create a public calendar. Available to everyone but they have to look for the calendar.
  5. -create a room account. This allows the meeting to be scheduled on the room account and puts an event on the personal calendar where reminders happen.
  6. -create Office 365 group / Unified Group. All Members of the group will automatically have the Group in Outlook. All members will automatically receive invites and notifications. Bummer.

I chose to setup a room account. This seems to be the most in line with what the client wants.

Turn on Skype-for-Business/Teams for All Accounts

Let's say there is a world wide pandemic. Everyone suddenly wants to/is required to work from home. How do you license everyone for Skype-for-Business/Teams? Here's how (Get-MsolAccountSku lists the AccountSkuId for your tenant; "foodomain:TEAMS_COMMERCIAL_TRIAL" is the placeholder here):

get-msoluser -all | foreach { set-msoluser -UserPrincipalName $_.UserPrincipalName -usagelocation US; set-msoluserlicense -UserPrincipalName $_.UserPrincipalName -AddLicenses "foodomain:TEAMS_COMMERCIAL_TRIAL" }

Two things about the shape of that command: set-msoluser returns nothing, so it cannot be piped straight into set-msoluserlicense, hence the foreach; and -maxresults 1000 silently stops at 1000 accounts, so -all is used instead.

Now everyone is licensed for Skype-for-Business/Teams.

The problem becomes that there are accounts that should not be licensed; namely the "Health" mailboxes.

Here is how to find them:

get-msoluser -all |where {$_.islicensed -eq $true -and $_.signinname -like "*Health*"}

Here is how to unlicense them:

get-msoluser -all |where {$_.islicensed -eq $true -and $_.signinname -like "*Health*"} |set-msoluserlicense -removelicenses "foodomain:teams_commercial_trial"
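As an added example (not the post's own code): the same rollout done the other way round, excluding the accounts that should never be licensed before assigning anything, and only setting a usage location where one is missing. The SKU id and the exclusion patterns are assumptions for your tenant; it assumes Connect-MsolService has already run.

```powershell
# Added example, not the post's own code. Assumes Connect-MsolService has run,
# that $Sku is the AccountSkuId in your tenant (Get-MsolAccountSku lists the
# real ones) and that the exclusion patterns fit your naming.
$Sku     = 'foodomain:TEAMS_COMMERCIAL_TRIAL'
$Exclude = @('*Health*', '*DiscoverySearchMailbox*')

function Select-LicenseCandidate {
    # Filter kept free of Set-* calls so it can be dry-run against
    # constructed objects: drops excluded sign-in names and anyone
    # already holding the SKU.
    param(
        [Parameter(ValueFromPipeline)]$User,
        [string[]]$ExcludePatterns,
        [string]$SkuId
    )
    process {
        foreach ($pattern in $ExcludePatterns) {
            if ($User.SignInName -like $pattern) { return }
        }
        if ($User.Licenses.AccountSkuId -contains $SkuId) { return }
        $User
    }
}

# Dry run first: who would get the license?
$candidates = Get-MsolUser -All | Select-LicenseCandidate -ExcludePatterns $Exclude -SkuId $Sku
$candidates | Select-Object UserPrincipalName, UsageLocation, IsLicensed

# Then license them. UsageLocation is mandatory before a license can be
# assigned, so set it only where it is missing rather than overwriting
# users who already have one.
foreach ($u in $candidates) {
    if (-not $u.UsageLocation) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation US
    }
    Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $Sku
}
```

Because the filter skips users who already hold the SKU, the script can be re-run safely after new accounts are created.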

Completely Remove Office 365 Group | Completely Remove Unified Group

Let's say you have an Office 365 Group. You add a bunch of people. They add events to the calendar. Everyone is getting the calendar invites. They don't want that.

OK, first step is to delete the Office 365 Group through the GUI. Easy enough.

Now it still shows in Outlook. We want it completely gone.

  • -start POWERSHELL (as administrator).
  • -connect to the AzureAD endpoint.
  • -type: Get-AzureADMSDeletedGroup

It will show the ID. Be sure before using it: hard-deleting the group also removes its mailbox, its files and any Team built on it, with no way back.

  • -type: Remove-AzureADMSDeletedDirectoryObject -id 6546513213652165361654

NOTES:
https://docs.microsoft.com/en-us/powershell/module/azuread/remove-azureadmsdeleteddirectoryobject?view=azureadps-2.0-preview

Last Updated on Wednesday, 01 April 2020 15:49

Create Dynamic Group for Office 365 Groups | P1 License

Want to create a dynamic group for Office 365 Groups?

In Azure Active Directory, you should be able to create a group that is set dynamically depending on rules. This can be done through something called RULE-BUILDER.

It can be done. But it requires a P1 license for every account a part of the Office 365 Group/Unified-Group. This is $6 per month.

1-start POWERSHELL (as-admin).
2-type: Import-Module AzureADPreview
3-type: $LiveCred = Get-Credential
4-type in your username/password.
5-type: Connect-AzureAD -Credential $LiveCred
6-type: Get-AzureADMSGroup
7-type: Get-AzureADMSGroup -Id 6541651431314646546541 |fl

You will see that MembershipRule and MembershipRuleProcessingState are blank. Set them, and give the group the DynamicMembership type at the same time, because a rule on a group that is still only "Unified" is ignored (GroupTypes is replaced as a whole, so keep "Unified" in the list):

  • $dynamicmembershiprule = '(user.department -contains "Marketing")'
  • Set-AzureADMSGroup -Id 654654654654 -GroupTypes "Unified","DynamicMembership" -MembershipRule $dynamicmembershiprule -MembershipRuleProcessingState "On"
  • Get-AzureADMSGroup -Id 654654654654 |fl GroupTypes,MembershipRule,MembershipRuleProcessingState

Requires a P1 license. $6/user/month.

NOTES:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsgroup?view=azureadps-2.0

Last Updated on Wednesday, 01 April 2020 14:29

Skype for Business Powershell

Do you have Skype for Business? If so, you either have a Lync server on-site (Lync is the former name of Skype for Business) or you have a cloud service with Office-365.

If you have an Office-365 service, do you want to control Skype for Business through powershell? Here's how:

1-install SKYPE-FOR-BUSINESS POWERSHELL-MODULE: https://www.microsoft.com/en-us/download/confirmation.aspx?id=39366
2-start POWERSHELL (as-admin).
3-type: Import-Module SkypeOnlineConnector
4-type: $LiveCred = Get-Credential
5-type in your username/password.
6-type: $sfbSession = New-CsOnlineSession -Credential $LiveCred
7-type: Import-PSSession $sfbSession

type: Get-CsConferencingPolicy -identity global
type: Set-CsConferencingPolicy -Identity global -EnableDialInConferencing $True

Office365 Groups | Unified Groups

Typically, Exchange has Distribution Groups. An email is sent to the group and everyone in the group receives a copy of the email.

Office365-Groups or Unified-Groups are now available.

Difference Between Exchange Groups and Office365 Groups

How is that different? Why would I want an Office365 Group instead of a traditional Distribution Group.

Mainly because there are the following additional features:

  • -shared mailbox. Members still receive a copy in their personal inbox.
  • -shared files.
  • -shared calendar.
  • -invite external guests.

The following article actually says it better than I can:

https://support.microsoft.com/en-us/office/why-you-should-upgrade-your-distribution-lists-to-groups-in-outlook-7fb3d880-593b-4909-aafa-950dd50ce188

Creating a Unified Group:

New-UnifiedGroup -DisplayName "foogroup" -Alias foogroup

Adding members (a Unified Group is not a Distribution Group, so Add-DistributionGroupMember fails against it):

Add-UnifiedGroupLinks -Identity foogroup -LinkType Members -Links foo.user

Upgrading a group from a Distribution-Group to a Unified-Group:

Upgrade-DistributionGroup -DlIdentities This e-mail address is being protected from spambots. You need JavaScript enabled to view it

Upgrade Error

When I tried to upgrade one DistributionGroup to a UnifiedGroup, I got an error message, "ErrorReason: The specified distribution group is not eligible to be upgraded or you are not allowed to upgrade this distribution group."

What gives?

Well, this is because the Owner of the DistributionGroup was an unlicensed account, the Office365 Admin. Changing the owner to a licensed account, allowed the upgrade to happen.

Last Updated on Wednesday, 01 April 2020 14:07

Enabling Perfect Forward Secrecy | Fixing Perfect Forward Secrecy

Using ssllabs.com to test a server grades the whole TLS setup, not just the certificate, with a score (A, B, C, D, F). The grade was capped to B because of missing Perfect Forward Secrecy, and it gave the following for a reference:
https://www.digicert.com/kb/ssl-support/ssl-enabling-perfect-forward-secrecy.htm

OK, I don't know what Perfect Forward Secrecy is. All I really care about is getting the grade to A. What do I have to do?

Reading the link, I thought the certificate was incorrect and started to look for how to recreate it using ECDHE instead of RSA. That was because of the lines "Instead of using the RSA method for exchanging session keys, you should use the Elliptic Curve Diffie-Hellman (ECDHE) key exchange" and my inability to understand where I "can still use the RSA public-key cryptosystem as the encryption algorithm, just not as the key exchange algorithm."

Recreating the certificate is incorrect. The certificate only identifies the server; forward secrecy comes from the key exchange. With an ECDHE (or DHE) cipher suite, each connection negotiates a fresh, throw-away session key and the server's RSA key merely signs that exchange. With plain RSA key exchange, the session key is encrypted to the server's long-term key, so anyone who later obtains that private key can decrypt every capture they made. The certificate created with the instructions in the other article on this site is fine as it is.

The solution is found in the Apache/HTTPD server settings, in the following file on the server:
/etc/httpd/conf/httpd.conf

The server already had the following:

SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
#SSLHonorCipherOrder on

That cipher list already contains the ECDHE and DHE suites. But with SSLHonorCipherOrder off, the client's preference wins, so a client that lists a plain-RSA key exchange first gets it and that session has no forward secrecy. All I had to do was turn on SSLHonorCipherOrder so the server's order is used:
SSLHonorCipherOrder on

And while I was at it, turn off TLSv1.1, since the major browsers dropped TLSv1.0 and TLSv1.1 in early 2020:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

That left us with:
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on

Restart Apache/HTTPD with:
apachectl -k restart

Enjoy the grade of letter A!

ssl-report

NOTES:
-use the following to see exactly which suites that cipher string enables, in the order the server will now prefer them: openssl ciphers -v 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
-the server didn't have the option to turn on the CipherOrder, I had to create a template fragment called 35SSL10SSLHonorCipherOrder and filed bug 10916. This will probably make its way into the base.
-for the curious, the following are the short steps:
config setprop modSSL HonorCipherOrder on
config setprop httpd-e-smith TLSv1.1 disabled
signal-event domain-modify
signal-event email-update

 

Last Updated on Sunday, 29 March 2020 14:24

Skype for Business Microphone Not Working

Here's how to fix:

-click START > SETTINGS
-type: MICROPHONE-PRIVACY-SETTINGS
-checkmark ALLOW-APPS-TO-ACCESS-YOUR-MICROPHONE
Last Updated on Wednesday, 15 April 2020 17:03

AutoCad Installation Error 1606 | Could Not Access Network Location

Installing AutoCad from AutoDesk. Result: 

Here's how to fix:

Go to run.

Type ‘regedit’

click ‘ok’.

Open the key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

Check the location in the "Common Documents" value.

It will be pointing to a folder that does not exist on this machine, e.g. "Common Documents"="C:\\Users\\Public\\Documents"

Either change the value data to where the folder actually lives, e.g. "Common Documents"="d:\\Users\\Public\\Documents"

OR

create the missing folder at the path the value already names. Then run the AutoCAD 2014 setup again.

Dell Monitor Guide

Since I lose this all the time and spend too much time trying to find it again, here is a link to the Dell monitor guide:

https://www.dell.com/support/article/en-us/sln317180/identifying-dell-monitor-types-by-their-model-number?lang=en

Upgrade from Windows Server 2008 to Server 2012 R2 Fails on VMware

Upgrade from Windows Server 2008 to Server 2012 R2 fails on VMware. No reason is given. Then it rolls back to Windows Server 2008.

The answer is to remove the RESERVED PARTITION. If you look at Disk Management, there will be 2 partitions; 1 for the RESERVED PARTITION and 1 for WINDOWS.

1- set the main Windows partition as the boot:

Run command prompt as administrator
Type: bcdboot c:\windows /s c:
(You should get a message that states: Boot files successfully created.)
Open Disk Management, right-click on your C: drive and select Mark Partition as Active.
Reboot

2- remove the RESERVED PARTITION.
Edit the VM in VMware to remove the virtual hard drive holding the RESERVED PARTITION. This will be the one with the smallest size.
Reboot

That should do it!

If not, you might have to boot from a install ISO, go to REPAIR, ADVANCED, CMD and fiddle with DISKPART and BOOTREC.

Remove Uninstall Entries

Let's say you have a service installed but don't want the user to uninstall it by accident. The Programs and Features list is built from the subkeys under one of these:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

OR

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\

Find the subkey whose DisplayName matches the product, export it (so it can be put back), then delete it. The entry disappears from the list, but nothing else changes: the service, its files and its uninstaller are all still there. This is tidy-up, not protection; a local admin can still run the uninstaller directly, and the real fix is not giving the user local admin in the first place.

Find Hostname from IP Address

Let's say you have a large internal global network and you have an IP address that is slamming your SAP server that is coming from a different network segment with a different DNS server.

How do you know what host that is?

In a large network, there might be different domains and different DNS servers. You can query your local DNS server:

nslookup 1.2.3.4

But the local DNS won't find it, because that host registers with (and has its PTR record on) a different name server.

So to make this work, find the DNS server on that network segment. Sometimes a traceroute helps here:

tracert 10.20.30.40

This will show the network hops, which usually narrows down the segment and so the DNS server that serves it. Then query that server directly:

nslookup 10.20.30.40 11.22.33.44

It will return the FQDN and IP address. This is a reverse (PTR) lookup, so it only works if that zone has a PTR record for the address; if it doesn't, fall back to nbtstat -A 10.20.30.40 for the NetBIOS name, or to the DHCP server's lease table for that segment.
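As an added example (not from the original post): the same hunt as a function that tries the reverse lookup against each candidate DNS server in turn and returns the first FQDN found, plus the trace-route call that suggests which servers to try. The addresses are constructed placeholders; the function name is my own.

```powershell
# Added example, not from the original post. Addresses are placeholders.
function Resolve-HostFromIP {
    # Reverse (PTR) lookup of $IPAddress against each DNS server in order;
    # returns the first answer, or $null when no server has a PTR for it.
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [string[]]$DnsServers = @('10.20.30.2', '11.22.33.44')   # assumed: local, then the remote segment's
    )
    foreach ($server in $DnsServers) {
        try {
            # -DnsOnly skips LLMNR/NetBIOS so the answer really came from that server.
            $answer = Resolve-DnsName -Name $IPAddress -Type PTR -Server $server -DnsOnly -ErrorAction Stop
            $ptr = $answer | Where-Object Type -eq 'PTR' | Select-Object -First 1
            if ($ptr) {
                return [pscustomobject]@{
                    IPAddress  = $IPAddress
                    FQDN       = $ptr.NameHost
                    AnsweredBy = $server
                }
            }
        } catch {
            # NXDOMAIN or unreachable server: note it and move on to the next one.
            Write-Verbose "$server has no PTR for $IPAddress ($($_.Exception.Message))"
        }
    }
    return $null
}

# Which segment is it on? The hops suggest which DNS server to add to the list.
(Test-NetConnection -ComputerName 10.20.30.40 -TraceRoute).TraceRoute

Resolve-HostFromIP -IPAddress 10.20.30.40 -Verbose
```

Order the servers from most to least likely; the function stops at the first hit, so a wrong server early in the list only costs one timeout.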

PXE Boot ISOs

/WORK IN PROGRESS - DO NOT ATTEMPT/

My work with PXE boot was back in 2007 with BARTPE. A new project has come up and I need it again.


==PXE booting to ISO==

===Goal===
We want to boot ISO images via PXE (rather than through CD). This means that, as long as we have enough RAM in the local pc's, we can boot WINPE or any LIVE CD (such as KNOPPIX, PCLINUXOS, UBCD, etc).


===Assumptions===
You are a network/server administrator and know what TFTP, LIVEISO, PE and PXE -a network boot- means. You have a running SME SERVER and your SME SERVER is your DHCP server. Note that PXE/TFTP is unauthenticated: anything on that LAN can fetch the images, and a rogue DHCP/TFTP server on the same segment can hand clients a different boot image, so keep the boot VLAN to machines you trust.


===Install TFTP package on your SME SERVER===
-install SMESERVER-TFTP-SERVER on your SME SERVER: http://wiki.contribs.org/Tftp_server
yum --enablerepo=smecontribs install smeserver-tftp-server

-install SMESERVER-THINCLIENT on your SME SERVER: https://wiki.contribs.org/Thinclient
yum --enablerepo=smecontribs install smeserver-thinclient

-install SMESERVER-THINCLIENT-TS on your SME SERVER: https://wiki.contribs.org/Thinclient_usage
wget http://distro.ibiblio.org/smeserver/contribs/trevorb/7.x/Thinclient/smeserver-thinclient-ts-2.2-1.noarch.rpm
Access SERVER-MANAGER > Thin-Client panel.
Click to add another Thin Client Distribution
Upload smeserver-thinclient-ts-2.2-1.noarch.rpm

You now have a /tftpboot directory on the SME-SERVER.
Inside the /tftpboot directory is another directory, /tftpboot/thinstation.
Inside the /tftpboot/thinstation directory are the files necessary to make the PXE happen.

===Create TFTPBOOT structure on your SME SERVER===
-we need to move the files into the proper locations.

-change to the directory
cd /tftpboot

-create a GRAPHICS, ISO, COM32 directories
mkdir graphics iso com32

-move the pxelinux.0 file and the pxelinux.cfg directory to the /tftpboot
mv ./thinstation/pxelinux.0 ./
mv ./thinstation/pxelinux.cfg ./

-finally, move the thinstation directory to the iso directory and create any other directories in iso that you want for iso distributions. For example, BARTPE and MEMDISK
mv ./thinstation ./iso
mkdir ./iso/bartpe ./iso/memdisk

You now have the following structure in the /tftpboot directory:
graphics (The graphics directory is for graphics, naturally.)
iso (The iso directory is for the iso files.)
pxelinux.cfg (The pxelinux.cfg directory is the boot menu.)
pxelinux.0 (This file is what boots the remote system.)
com32 (The com32 directory is for the menu). 

 

===Download Syslinux Executable===
To boot ISO images we need an executable that can handle ISO's. Lucky for us, a bunch of executables for each distribution is already available in a project called SYSLINUX. SYSLINUX actually encompasses PXELINUX, ISOLINUX and EXTLINUX.

wget https://mirrors.edge.kernel.org/pub/linux/utils/boot/syslinux/6.xx/syslinux-6.03.zip
unzip syslinux-6.03.zip

Inside the "bios" directory you will find different executables for different distributions. For example, MEMDISK is a special executable (legacy) that can boot floppy images, hard disk images and some ISO.

Let's copy the file bios\memdisk\memdisk to /tftpboot/iso/memdisk anyway that you can, such as through SCP.

In addition, let's copy the following files to the root of /tftpboot:
syslinux-6.03\bios\com32\elflink\ldlinux\ldlinux.c32
syslinux-6.03\bios\com32\menu\vesamenu.c32
syslinux-6.03\bios\gpxe\gpxelinux.0 (You already have the pxelinux.0 but gpxelinux.0 provides an additional way to boot which adds a few options such as booting over ftp, http, etc)

 

===Copy ISO files to the SME SERVER===

Copy or download each distribution's ISO (e.g. knoppix.iso) into its directory under /tftpboot/iso.

 

++++++++++++++++++++++++++++++++++++++++++++++++++
++(no longer supported, here for archival purposes only)
++++++++++++++++++++++++++++++++++++++++++++++++++
===Create a Windows-based ISO on your local pc===

====BARTPE====
-download BARTPE on your local pc: http://www.nu2.nu/pebuilder/

-create a BARTPE disk using WINDOWS SERVER 2003 source (i386 directory)

-or if you don't have a WINDOWS SERVER 2003 source, you can use a WINDOWS XP SP2 source (i386 dir) but you'll have to replace the following file with a newer version from the WINDOWS SERVER 2003 SP1 download (see next section):
C:\pebuilder3110a\BartPE\I386\SYSTEM32\DRIVERS\ramdisk.sys

-you now have a BARTPE.ISO (on your local pc)


====Obtain WINDOWS SERVER 2003 SP1 files needed====
-download the WINDOW 2003 SERVER SP1:
https://www.google.com/search?q=WindowsServer2003-KB889101-SP1-x86-ENU.exe

(You now have a file called: WindowsServer2003-KB889101-SP1-x86-ENU.exe)

-open WINRAR to open the WindowsServer2003-KB889101-SP1-x86-ENU.exe file (the W2K3 file is just a self-extracting ZIP/CAB/TAR file)

-extract only the following files from the W2K3SP1:
ntdetect.com
ramdisk.sy_
setupldr.ex_
startrom.n1_

-The underscore files are compressed. We need to decompress/expand them:
expand ramdisk.sy_
expand setupldr.ex_
expand startrom.n1_

(You only need the ramdisk.sys file if you don't have a WINDOWS 2003 SERVER source to build your BARTPE from. See above section.)


===Transfer files to SME SERVER===
-copy the following files to the SME SERVER in the "/tftpboot/iso/bartpe" directory:
ntdetect.com
setupldr.exe
startrom.n12
bartpe.iso


===Work with files in the TFTPBOOT dir===
-the files are case-sensitive and need to be named exactly as follows:
ntdetect.com (lower-case)
NTLDR (rename the setupldr.exe to NTLDR, all caps)
startrom.0 (rename the startrom.n12 to startrom.0) (This is a ZERO)
BARTPE.ISO (all caps)

-create a winnt.sif:
vi winnt.sif

-the contents of the winnt.sif file:
[SetupData]
BootDevice = "ramdisk(0)"
BootPath = "\i386\System32\"
OsLoadOptions = "/noguiboot /fastdetect /minint /rdexportascd /rdpath=iso/bartpe/bartpe.iso"
++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++

 

 ====Create DEFAULT file====
-change to pxelinux.cfg directory and create the contents of the default file:
cd pxelinux.cfg
vi default

Each distribution iso will have a LABEL and a full-path-to-the-kernel. Currently, we have only 3; BARTPE, THINSTATION and KNOPPIX.

-the contents of the default file (note that the iso filename references are case-sensitive, and "default" must name one of the LABELs below):
prompt 1
implicit 0
timeout 600
default bartpe

LABEL bartpe
kernel iso/bartpe/startrom.0

LABEL thinstation
kernel iso/thinstation/vmlinuz
append initrd=iso/thinstation/initrd ramdisk_blocksize=4096 root=/dev/ram0 ramdisk_size=524288 console=ttyS3 vga=791

LABEL knoppix
kernel iso/memdisk/memdisk
append initrd=iso/knoppix/knoppix.iso iso

===Summary of contents of TFTPBOOT dir===
-graphics
-iso
--iso/bartpe
---iso/bartpe/BARTPE.ISO
---iso/bartpe/ntdetect.com
---iso/bartpe/NTLDR
---iso/bartpe/startrom.0
---iso/bartpe/winnt.sif
--iso/thinstation
---iso/thinstation/vmlinuz
---iso/thinstation/initrd
---iso/thinstation/thinstation.conf.network
--iso/memdisk
---iso/memdisk/memdisk
--iso/knoppix
---iso/knoppix/knoppix.iso
-pxelinux.cfg
--pxelinux.cfg/default
-pxelinux.0
-gpxelinux.0
-ldlinux.c32
-vesamenu.c32


===Boot client PC===
-that should do it! Start your client PC and boot from the network.

-it will boot the pxelinux.0 and try to use any config files.

-at the prompt, when it asks for an image type: {bartpe | thinstation | knoppix}

-pretty cool, huh?

===Advanced Menu===
It is possible to create submenus. Just create a plain text file in tftpboot/pxelinux.cfg/ directory and use the same format as the default. The file can be named tools, memorytest, recovery, etc anything you want.

===Advanced Modern OS===
The problem becomes that modern OS's render the memdisk approach useless. memdisk presents the ISO to the BIOS as an emulated drive, which works for as long as the kernel is loaded through BIOS calls; once a modern kernel is running it uses its own disk drivers, the BIOS emulation is gone, and the live system can no longer find the ISO it booted from. For those distributions, extract the kernel and initrd from the ISO and boot those directly (as the thinstation entry does) instead of memdisk.

Last Updated on Tuesday, 11 February 2020 15:04

Exchange Retention | RetainDeletedItemsFor

PHONE: Riiiiinnnnnngggg!!!! Riiiiinnnnnngggg!!!! Riiiiinnnnnngggg!!!!

ME: Hello

THEM: Yes, in Outlook, when I go my Deleted Items and click "Recover Deleted Items from Server" it only goes back 2 weeks.

Retention

Retention is how long something can be retrieved if it is deleted. By default, this is 14 days. This can be found with the RetainDeletedItemsFor value, like this:

get-mailbox foo.user |select RetainDeletedItemsFor

Now, there is also a retention on the MailboxDatabase (EDB) that covers all mailboxes on the EDB. This setting is the DeletedItemRetention value, like this:

Get-MailboxDatabase "mailbox.database.name" |select DeletedItemRetention

Setting

Note that Mailboxes will automatically get their settings from the Mailboxdatabase. To set custom settings, you must first disable using the Mailboxdatabase defaults, like this:

set-mailbox foo.user -UseDatabaseRetentionDefaults $false

Next, setting retention is like this:

set-mailbox foo.user -RetainDeletedItemsFor 30

Note that if you run this command while still using the mailboxdatabase defaults, the setting will stay at the default value of 14.

Or in one command:

set-mailbox foo.user -UseDatabaseRetentionDefaults $False -RetainDeletedItemsFor 30

Last Updated on Friday, 31 January 2020 14:15

Upgrade Ubuntu 14.04 LTS to Ubuntu 18.04 LTS

Open terminal.

  • lsb_release -a
  • sudo apt update
  • sudo apt upgrade
  • sudo apt dist-upgrade
  • reboot
  • sudo apt install update-manager-core
  • sudo vim /etc/update-manager/release-upgrades
  • type: prompt=lts
  • sudo do-release-upgrade
  • reboot
  • lsb_release -a
  • (do-release-upgrade moves one LTS at a time, so from 14.04 this lands on 16.04; run the last three steps again to reach 18.04.)
Last Updated on Monday, 27 January 2020 16:40

Change DNS in Ubuntu Without Rebooting

First, find the DNS servers:

Ubuntu >= 15: nmcli device show | grep IP4.DNS

Ubuntu <= 14: nmcli dev list iface | grep IP4

Second, change the DNS servers using the GUI.

Third, restart the service without rebooting the system:

Ubuntu >= 15: sudo systemctl restart NetworkManager.service

Ubuntu <= 14: sudo service network-manager restart

Last Updated on Friday, 24 January 2020 14:43

PowerEdge 2950 PERC Windows Server Install

Came across a PowerEdge 2950 with a PERC (raid controller) that needed Windows Server installed. The Windows Server ISO didn't have the PERC drivers and trying to inject the drivers into the Windows Server ISO failed.

Had to reset the DRAC:

  • -CTRL+E to access the DRAC settings to reset the password.
  • -ssh into the DRAC.
  • -issue the following to reset the DRAC: racadm racreset hard

Had to set the BIOS:

  • -allow SATA port to be turned on for the DVD.
  • -allow USB to boot.
  • -USB to show as HD.
  • -select boot menu.
  • -select USB.

Had to use the Dell Systems Build and Update Utility (SBUU) v5.5.0 for this to work. This ISO is found here:

https://dl.dell.com/sysman/OM_v5.5.0_SUU_A00.ISO

Or the Dell System Management Tools and Documentation ISO here:
https://www.dell.com/support/home/us/en/04/drivers/driversdetails?driverid=p8v4x&oscode=wx64&productcode=poweredge-2950

Separate ISO's put together by running the following in command-prompt: copy /b om* OM_550_SUU_DVRPCK_A00.iso

After running through the options of the SBUU, the process looks for a DVD in the DVD drive. The process errors out if the DVD drive is unavailable and doesn't pick up the USB as the DVD. Go figure.

What makes this process difficult is because there are 54 downloads in the Dell Drivers web site for "SYSTEM-MANAGEMENT":

  1. Sometimes it is referred to as the "Dell OpenManage Systems Build and Update Utility" with the "OM" in the title and ISO name.
  2. Sometimes it is referred to as the "Dell DVD ISO - Dell Server Updates, v.5.5.0, A00."
  3. Sometimes there are other ISO's that seem like they should work but don't. Such as the Dell Installation and Server Management (ISM) ISO aka "Dell CD ISO - Installation and Server Management v.5.2.0."
  4. Sometimes the documentation refers to the Lifecycle Controller aka "Dell DVD ISO - Lifecycle Controller OS Driver Packs v.6.5.1" which doesn't work in my case.
  5. Sometimes the driver download page refers to the "OS Driver Pack DVD ISO" aka "DELL LIFECYCLE CONTROLLER OS DRIVER PACK V7.0.0" which doesn't work in my case.
  6. Sometimes the driver download page refers to the "Q1 Server Update Utility DVD ISO v7.2.1" which doesn't work in my case.
  7. Sometimes the driver download page refers to the "Dell Systems Management Tools and Documentation DVD ISO ,V 7.3.0" which doesn't work in my case.
  8. Sometimes the driver download page refers to the "Dell Windows OS install support pack, v6.3" or the "Dell Windows OS install support pack v7.0.0" which doesn't work in my case.

In addition, the downloads are broken up into:

  • Embedded Server Management
  • Secure Systems Management
  • Systems Management

I'm not certain if a newer SBUU would work (or anything else for that matter):

https://www.dell.com/support/driver/us/en/04/DriversDetails?driverId=YH0GX&fileId=3406550491

Last Updated on Monday, 20 January 2020 11:58

Force Email Through MobileIron On Mobile Devices

Let's say you have a budget for mobile device management (MDM) and you want more control than what is built into Exchange. There are a few options to choose from but MobileIron is a popular path.

To get it setup, I recommend the Setup Services that MobileIron offers. Thinking that you'll be able to correctly navigate through this forest needs to be set aside. There's simply too much unless you have previous experience.

Once devices are enrolled into MobileIron, the goal is that the only way to get company email is through Outlook on a company-owned system or through MobileIron on a company-owned mobile device.

Mobile devices connect to Exchange through ActiveSync. Mobile devices will connect to a Sentry server (rather than through Exchange server) that limits access to Exchange server. So the idea here is to only allow access through the Sentry server and shut off all other access.

Here's how:

First, on the Exchange server, install the IP AND DOMAIN RESTRICTIONS:

  • -on the on-premise Exchange server, open the SERVER-MANAGER.
  • -click ADD ROLES AND FEATURES.
  • -click NEXT > NEXT > NEXT.
  • -expand WEB SERVER (IIS) > WEB-SERVER > SECURITY.
  • -checkmark IP AND DOMAIN RESTRICTIONS.
  • -wait for it to finish.

Great! Next, on the Exchange server, add the Sentry server to the ALLOW:

  • -open IIS.
  • -expand SITES > DEFAULT WEB SITE > MICROSOFT-SERVER-ACTIVESYNC (the front-end site, not "Exchange Back End").
  • -click ADD ALLOW ENTRY.
  • -type in the IP address of the Sentry server (the address its ActiveSync traffic arrives from).

Great! Now let's block everything else:

  •  -click EDIT FEATURE SETTINGS (on the right-hand side).
  • -find ACCESS FOR UNSPECIFIED CLIENTS.
  • -change to DENY.
  • -click OK.
  • -run CMD-AS-ADMIN.
  • -type: iisreset

That's it! You devilish fool, now you've done it. ActiveSync now only answers the Sentry server; every other source (a phone pointed straight at Exchange, a leaked ActiveSync password used from the internet) gets a 403. Note what this does not do: OWA, EWS and Outlook Anywhere are separate virtual directories and keep working until you restrict them too (see the next article on Set-CASMailbox). Two checks before calling it done: the address you allowed must be the source address Exchange actually sees (the NAT address if Sentry sits behind one), and a phone that worked before should now fail when pointed at Exchange directly. That is one step closer to following ISO 27001, DFARS and overall security.
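As an added example, not code from the original post or from MobileIron: the same lock-down applied from PowerShell with the WebAdministration module, so it can be scripted and re-checked later. The Sentry addresses are placeholders, and the order matters: the allow entries go in before deny-by-default, or the Sentry is locked out between the two changes.

```powershell
# Added example, not from the original post. Assumes the WebAdministration
# module (ships with IIS) and placeholder Sentry addresses; use the source
# address Exchange really sees from the Sentry (its NAT address if applicable).
Import-Module WebAdministration

$SentryIPs = @('10.0.0.50', '10.0.0.51')
$Path      = 'IIS:\Sites\Default Web Site\Microsoft-Server-ActiveSync'   # front-end site only
$Filter    = '/system.webServer/security/ipSecurity'

# Step 1 of the article (no-op if the feature is already installed).
Install-WindowsFeature Web-IP-Security | Out-Null

# Allow entries first, deny-by-default second: never the other way round,
# or the Sentry is cut off between the two changes.
foreach ($ip in $SentryIPs) {
    $exists = Get-WebConfiguration -Filter "$Filter/add[@ipAddress='$ip']" -PSPath $Path
    if (-not $exists) {
        Add-WebConfigurationProperty -Filter $Filter -PSPath $Path -Name '.' `
            -Value @{ ipAddress = $ip; allowed = 'true' }
    }
}
Set-WebConfigurationProperty -Filter $Filter -PSPath $Path -Name allowUnlisted -Value $false

# Read it back: allowUnlisted should be False and only the Sentry entries listed.
Get-WebConfiguration -Filter $Filter -PSPath $Path | Select-Object allowUnlisted
Get-WebConfiguration -Filter "$Filter/add" -PSPath $Path | Select-Object ipAddress, allowed

iisreset
```

Keep the read-back lines as a scheduled check: if an allow entry for anything other than the Sentry appears, or allowUnlisted flips back to True, someone has reopened ActiveSync to the world.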

NOTES:

https://bayton.org/docs/enterprise-mobility/infrastructure/restricting-access-to-exchange-activesync/

Last Updated on Tuesday, 12 May 2020 09:28

Disable OWA/EWS/ActiveSync for All Accounts in Exchange 2013

Each mailbox in Exchange 2013 can have access through different ways:

  1. ActiveSyncEnabled
  2. OWAEnabled
  3. PopEnabled
  4. ImapEnabled
  5. MapiEnabled
  6. Exchange Web Services (EWS)

To see the options if they are set for TRUE/FALSE, use the get-casmailbox:

get-CASMailbox foo.user

To see for everyone:

get-casmailbox

To set OWA to be disabled:

set-casmailbox foo.user -OWAEnabled $false

So if you wanted to disable for everyone:

get-casmailbox | set-casmailbox -OWAEnabled $false

Likewise, if you want to do this with ActiveSync, the command is:

set-casmailbox foo.user -ActiveSyncEnabled $false

get-casmailbox | set-casmailbox -ActiveSyncEnabled $false

If you disable ACTIVESYNC, the account cannot get email on the MAIL app on iPhone. Most likely, you want to keep ACTIVESYNC turned on and OWA turned off.

In addition, you probably want to turn off EWS for the accounts. I've found that some 3rd-party email apps (i.e. Blue Mail) use EWS to gather email rather than ACTIVESYNC. For whatever reason, an EWS client will not show up in Exchange as a mobile device (i.e. in Get-MobileDevice -Mailbox foo.user).

To disable EWS for a single account:

Set-CASMailbox foo.user -EWSEnabled $False

And to disable EWS for everyone:

get-casmailbox | set-casmailbox -EWSEnabled $false

Or it can be done on the entire Organization config:

Set-OrganizationConfig -EWSEnabled $False
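An audit-then-enforce version of the commands above, as an added example that is not part of the original post. It reports which protocols each mailbox still has enabled, then applies the "OWA and EWS off, ActiveSync on" policy while skipping an exclusion list; $Keep is a constructed sample list and -WhatIf is left on so nothing changes until you remove it. Run it in the Exchange Management Shell.

```powershell
# Added example (not from the original post): audit CAS protocol flags, then enforce.
$Keep = @('svc.scanner', 'it.admin')   # constructed sample: mailboxes allowed to keep OWA/EWS

# 1. Audit: one line per mailbox with the flags listed above.
$Report = Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name, ActiveSyncEnabled, OWAEnabled, PopEnabled, ImapEnabled, MapiEnabled, EWSEnabled
$Report | Where-Object { $_.OWAEnabled -or $_.EWSEnabled -ne $false } | Format-Table -AutoSize

# 2. Enforce on everything not in $Keep. EWSEnabled can be $null (unset, which means
#    "allowed") as well as $true, so compare against $false rather than testing for truth.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $Keep -notcontains $_.Name -and ($_.OWAEnabled -or $_.EWSEnabled -ne $false) } |
    Set-CASMailbox -OWAEnabled $false -EWSEnabled $false -ActiveSyncEnabled $true -WhatIf

# 3. Re-check: anything outside $Keep with OWA or EWS still on is a finding.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $Keep -notcontains $_.Name -and ($_.OWAEnabled -or $_.EWSEnabled -ne $false) } |
    Select-Object Name, OWAEnabled, EWSEnabled
```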

Last Updated on Wednesday, 08 January 2020 18:21

Create Hyper-V VM from Powershell

Here you go:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
New-VM -Name MyMachine -path C:\installs\vm-machine -MemoryStartupBytes 512MB
New-VHD -Path C:\installs\vm-machine\MyMachine\mymachine.vhdx -SizeBytes 10GB -Dynamic
Add-VMHardDiskDrive -VMName MyMachine -path "C:\installs\vm-machine\MyMachine\mymachine.vhdx"
Set-VMDvdDrive -VMName MyMachine -ControllerNumber 1 -Path "C:\installs\vm-machine\MyMachine\connector-59.0.0.52.iso"

Adjust as needed.

Your Meeting Was Declined Exchange 2013 | Get-CalendarProcessing | Set-CalendarProcessing

Your Meeting Was Declined in Outlook/Exchange 2013. This resource does not accept meetings longer than 1440 minutes.

Get-CalendarProcessing-v1

Resource rooms are set by default to 1440 minutes/24 hours/1 day.

To change it, note that this setting is not in the get-mailbox table; you have to use Get-CalendarProcessing | Set-CalendarProcessing.

To get the current settings:

Get-CalendarProcessing foo.resource |fl

You will see:

MaximumDurationInMinutes: 1440

To set for longer:

Set-CalendarProcessing foo.resource -MaximumDurationInMinutes 4320

NOTES:

https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/Set-CalendarProcessing?redirectedfrom=MSDN&view=exchange-ps

Last Updated on Friday, 18 October 2019 08:54

Dell Command Update

Dell Command is a driver update tool that comes with a Dell computer system. You can run the tool via command line. Awesome!

Note that this is in v2.3/v2.4 and not in v3.0 (Yikes!) but is re-introduced in v3.1.

SIMPLE DELL COMMAND UPDATE

cd c:\program files (x86)\Dell\CommandUpdate

dcu-cli.exe

dcu-cli.exe /scan

dcu-cli.exe /applyUpdates

dcu-cli.exe /applyUpdates -updateType=driver,bios,firmware

It will go through, find the drivers, download them and install them automatically.

Because this is via command line, this can be pushed out through the entire network.

ADVANCED DELL COMMAND UPDATE

Now Dell releases all in one driver packs (aka CAB files) for their business systems (Latitude, Precision, etc). You can download the CAB file in a central location and roll out the CAB file to the system (be certain to choose the right CAB file and match the CAB file name to the model number):

dcu-cli.exe /driverRestore \\MyServer\MyRepositoryShare\E7470-win10-A11-F4MTJ.CAB

REALLY ADVANCED DELL COMMAND UPDATE

There is a Dell Command Deploy Driver Pack

https://www.dell.com/support/article/us/en/04/how14097/driver-pack-catalog?lang=en

NOTES:

DELL COMMAND UPDATE: https://www.dell.com/support/manuals/us/en/04/command-update-v2.4/dcu_ug_v2.4/command-line-interface-reference?guid=guid-92619086-5f7c-4a05-bce2-0d560c15e8ed&lang=en-us

DELL CAB FILES: https://www.dell.com/support/article/us/en/04/sln312414/dell-command-deploy-driver-packs-for-enterprise-client-os-deployment?lang=en

Last Updated on Tuesday, 13 October 2020 10:07

Set Out of Office for Mailboxes in Exchange 2013

Want to set an out of office reply for an account in Exchange 2013? Here's how:

GET

To get the current settings:

Get-MailboxAutoReplyConfiguration foo.user

SET

To set the Out of Office reply:

Set-MailboxAutoReplyConfiguration foo.user -AutoReplyState Scheduled `
-StartTime "10/14/2019" -EndTime "12/15/2019" `
-ExternalMessage "Type External automatic reply here" `
-InternalMessage "Type Internal automatic reply here"

EXAMPLE

It can be tough to set, especially if the message contains double-quotes. A backtick at the end of a line joins it to the next line. The backtick is also used to escape a double-quote inside the message. Example for escaping quotes:

Set-MailboxAutoReplyConfiguration foo.user -AutoReplyState Scheduled `
-StartTime "10/14/2019" -EndTime "12/15/2019" `
-ExternalMessage "<html><head><meta name=`"Generator`" content=`"Microsoft Exchange Server`"><!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; }--></style></head><body><font size=`"2`"><span style=`"font-size:10pt;`"><div class=`"PlainText`">Hello,<br><br>I'm out of office due to sudden medical leave. Please contact Other User ( [email address] ) or Other User2 ( [email address] ) in my absence. I will have limited email access.<br> <br>Thank you.</div></span></font></body></html>" `
-InternalMessage "<html><head><meta name=`"Generator`" content=`"Microsoft Exchange Server`"><!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; }--></style></head><body><font size=`"2`"><span style=`"font-size:10pt;`"><div class=`"PlainText`">Hello,<br><br>I'm out of office due to sudden medical leave. Please contact Other User ( [email address] ) or Other User2 ( [email address] ) in my absence. I will have limited email access.<br> <br>Thank you.</div></span></font></body></html>"
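A way around the backtick-escaping: build the HTML body as a single-quoted here-string (inner double-quotes need no escaping) and pass the parameters by splatting. This is an added example, not from the original post; foo.user and the contact names are the page's placeholders, the dates are sample values, and ExternalAudience is an extra parameter of the same cmdlet.

```powershell
# Added example (not from the original post): here-string body + splatting instead of backticks.
$Body = @'
<html><body><font size="2"><span style="font-size:10pt;"><div class="PlainText">
Hello,<br><br>I'm out of office. Please contact Other User ([email address]) or
Other User2 ([email address]) in my absence. I will have limited email access.<br><br>Thank you.
</div></span></font></body></html>
'@

$Params = @{
    Identity         = 'foo.user'
    AutoReplyState   = 'Scheduled'
    StartTime        = [datetime]'10/14/2019'   # sample dates
    EndTime          = [datetime]'12/15/2019'
    InternalMessage  = $Body
    ExternalMessage  = $Body
    ExternalAudience = 'All'     # 'Known' limits the external reply to the user's contacts
}
Set-MailboxAutoReplyConfiguration @Params

# Check what was stored: state, window and audience.
Get-MailboxAutoReplyConfiguration foo.user |
    Format-List AutoReplyState, StartTime, EndTime, ExternalAudience
```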

NOTES:

-https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/set-mailboxautoreplyconfiguration?view=exchange-ps

Last Updated on Monday, 14 October 2019 13:02

Microsoft Teams | Skype for Business

Setting

Once upon a time, Skype was Skype and everything was good. Then Microsoft bought them and everything became confusing; really confusing.

At another point in time, Slack came into existence. It caught steam. All the cool kids used it, the marketing was a bit viral and the company went public on the NYSE.

Competition

To compete, Microsoft developed Microsoft-Teams; the Microsoft version of Slack.

Microsoft added Teams to their Office365 packages so anyone with an Office365 account could use Microsoft Teams. But it still wasn't enough.

To make the offering more attractive, they offer Microsoft-Teams for free. This is up to 300 accounts on the same domain.

Convergence

At this point Skype for Business is becoming Microsoft Teams:
https://docs.microsoft.com/en-us/microsoftteams/faq-journey

What is interesting is that if you have a Microsoft Teams License (free), you can use Skype for Business:
https://products.office.com/en-us/microsoft-teams/free

1- Signup for free Office365 account: https://portal.office.com

Unlicensed accounts are free. You cannot do anything per se but it doesn't cost anything, so there is no harm.

2- Sync with on-site Active Directory (if needed)

If you have an onsite AD, you can setup a separate server just for the purpose of syncing with Office365 Azure Active Directory.

Download Microsoft Azure Active Directory Connect here:
https://www.microsoft.com/en-us/download/details.aspx?id=47594

3- Assign Microsoft Teams License

You'll have to Connect to Office365/AzureAD via Powershell but once you do, you can perform 3 steps.

    3a- assign a Location:

    set-msoluser -UserPrincipalName foo.user@foodomain.com -usagelocation US

    3b- check the Office365 Licenses

    get-msoluser -UserPrincipalName foo.user@foodomain.com |fl |findstr /i licen

    3c- assign a Microsoft Teams License

    set-msoluserlicense -UserPrincipalName foo.user@foodomain.com -AddLicenses "foodomain:TEAMS_COMMERCIAL_TRIAL"

4- Download Skype for Business Basic

To make matters worse, documentation will try to convince you to download the software at: https://portal.office.com/account#installs

While this is logical, this will not work if you have Office 2016/2019 installed. This is because the download is a click-to-run (c2r) application. C2R applications cannot be mixed with others.

The Skype for Business Basic Full Client (448.1 MB) is found here:
https://www.microsoft.com/en-us/download/details.aspx?id=49440

Or if you need to download in Powershell through wget:
wget 'https://download.microsoft.com/download/8/7/E/87E24B50-9C85-4B1D-A581-94AA037803F8/LyncEntry_bypass_ship_x64_en-us_exe/lyncentry.exe' -outfile 'lyncentry_x64.exe'

Typically, Skype for Business Basic needed an onsite Lync Server or an Office365 account (Office 365 ProPlus, Office 365 Enterprise E3 or Office 365 Enterprise E4).

I guess because of the convergence of Skype for Business and Microsoft Teams, the Microsoft Teams license will work with Skype for Business Basic now.

Note that the download is called: lyncentry.exe

5- Install Skype for Business Basic

6- Login to Skype for Business Basic

That's it! It should work! Good job, well done!

Last Updated on Wednesday, 15 April 2020 17:07

Disable Chrome Software Reporter Tool via GPO

Just like disabling Microsoft Telemetry, the Google Chrome Software Reporter Tool can become a pain. Let's turn it off.

In my other article about adding GPO ADMX files to control Chrome, I explain how to add the ADMX files to the GPO to control CHROME so I won't go through that again.

  • -new GPO.
  • -name: c-chrome-cleanup-disabled
  • -settings: COMPUTER-CONFIGURATION > POLICIES > ADMINISTRATIVE-TEMPLATES > GOOGLE > GOOGLE-CHROME
  • -select CONTROL-HOW-CHROME-CLEANUP-REPORTS-DATA-TO-GOOGLE
  • -set: DISABLED
  • -select ENABLE-CHROME-CLEANUP-ON-WINDOWS
  • -set: DISABLED

Save the GPO but don't forget to turn off User-Configuration: DETAILS > USER-CONFIGURATION-SETTINGS-DISABLED.

Apply GPO where needed.

Last Updated on Wednesday, 25 September 2019 15:06

Disable Windows Telemetry via GPO

Windows Telemetry does "stuff." I don't want it to do that "stuff." In certain cases it hogs resources, and sometimes it gets out of control.

  • -new GPO.
  • -name: c-disable-telemetry
  • -settings: COMPUTER-CONFIGURATION > POLICIES > ADMINISTRATIVE-TEMPLATES > WINDOWS-COMPONENTS > DATA-COLLECTION-AND-PREVIEW-BUILDS
  • -select ALLOW-TELEMETRY
  • -set: ENABLED:0 (only works on Windows Enterprise).

But wait, there's more:

  • -settings: COMPUTER-CONFIGURATION > POLICIES > ADMINISTRATIVE-TEMPLATES > SYSTEM > INTERNET-COMMUNICATION-MANAGEMENT > INTERNET-COMMUNICATION-SETTINGS
  • -select TURN-OFF-WINDOWS-CUSTOMER-EXPERIENCE-IMPROVEMENT-PROGRAM
  • -set: ENABLED.

Save the GPO but don't forget to turn off User-Configuration: DETAILS > USER-CONFIGURATION-SETTINGS-DISABLED.

That's it! Link to all OU's necessary.
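To confirm on a target machine that the Chrome cleanup GPO and the telemetry GPO above actually landed, read the registry values those policy settings write. This is an added example, not from the original post; the paths and value names are the ones the Chrome and Windows ADMX templates use for these four settings, and the expected values match the settings chosen above (cleanup DISABLED, telemetry 0, CEIP turned off).

```powershell
# Added example (not from the original post): verify both GPOs by their registry footprint.
$Expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';                     Name = 'ChromeCleanupEnabled';          Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';                     Name = 'ChromeCleanupReportingEnabled'; Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry';                Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows';       Name = 'CEIPEnable';                    Value = 0 }
)

function Test-PolicyValues {
    param([object[]] $Checks)
    foreach ($c in $Checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $state  = if ($null -eq $actual)      { 'MISSING' }
                  elseif ($actual -eq $c.Value) { 'OK' }
                  else                          { "WRONG ($actual)" }
        [pscustomobject]@{ State = $state; Key = "$($c.Path)\$($c.Name)"; Expected = $c.Value }
    }
}

Test-PolicyValues -Checks $Expected | Format-Table -AutoSize
# A MISSING line usually means the GPO is not linked to this computer's OU or has not
# refreshed yet: run gpupdate /force, check gpresult /r /scope:computer, then re-run.
```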

Last Updated on Wednesday, 25 September 2019 15:06

MPLS Connection Cisco Routes

So routes in an MPLS cisco router can have the following codes; the highlighted ones are the most common I see:

Codes:

  • L - local
  • C - connected
  • S - static
  • R - RIP
  • M - mobile
  • B - BGP
  • D - EIGRP
  • EX - EIGRP external
  • O - OSPF
  • IA - OSPF inter area
  • N1 - OSPF NSSA external type 1
  • N2 - OSPF NSSA external type 2
  • E1 - OSPF external type 1
  • E2 - OSPF external type 2
  • i - IS-IS
  • su - IS-IS summary
  • L1 - IS-IS level-1
  • L2 - IS-IS level-2
  • ia - IS-IS inter area
  • * - candidate default
  • U - per-user static route
  • o - ODR
  • P - periodic downloaded static route
  • H - NHRP
  • l - LISP
  • + - replicated route
  • % - next hop override

As elsewhere, you can see the routes by:

show ip route

Or you can search for a route by (ie search for routes to 10.116.x.x):

show ip route | include 10.116

To add a route to the MPLS router nodes, the route must be added as a STATIC route to the node that is LOCAL to the subnet.

For example, we add a new node to the MPLS network. That new node has the following network as a LOCAL subnet: 10.116.0.10/32.

This network would show as the following:

L        10.116.0.10/32 is directly connected, GigabitEthernet0/1

The new node also has the following network as a subnet: 10.116.15.0/24. The problem is that while the router at that location already knows about the subnet, the other locations will not know about it until it is advertised/distributed across the MPLS network routers.

If you try to traceroute an address on the new subnet from a different location, the other routers will not know what to do and will bounce the packet to the default route, causing a loop/bounce.

As stated above, to resolve, the STATIC route must be added to the router where the subnet is located:

S        10.116.15.0/24 [1/0] via 10.116.1.1

To add a static route:
enable
config t
ip route 10.116.15.0 255.255.255.0 10.116.1.1
(note that CIDR doesn't work. ie: ip route 10.251.10.0/24 10.162.100.2)

Once that is added, the other routers will pickup the route as a BGP route:

B        10.116.15.0/24 [20/0] via 10.162.131.38

B routes (BGP) will pick up routes from their neighbor. You can view by:
show ip bgp

O routes (OSPF routes) will pick up routes as well. You can view by:
show ip ospf


Last Updated on Friday, 07 February 2020 17:20

Rename Files

Let's say you have a bunch of files to rename. You want to remove the first 10 characters of each file name. What's the best way?

It depends.

Total Commander

My favorite for small-to-medium batches is Total Commander. It understands REGEX and it shows the before-names and after-names before committing the command.

  • -highlight the files (they show as red filenames).
  • -click FILE > MULTI-RENAME-TOOL (the rename box shows)
  • -find RENAME-MASK (in the upper-left).
  • -type: [N10-]
  • -adjust according to your situation.
  • -click START (at the bottom-right).

This should do it!

Powershell

For powershell, the command will be something like:

get-childitem 'c:\path\to\file\*.txt' | rename-item -newname { $_.name.substring(8) }

Or if you need to split at an underscore "_".

Get-ChildItem 'c:\path\to\file' | Rename-Item -NewName { $_.BaseName.Split('_')[0] + $_.Extension }
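A preview-then-commit version of the PowerShell rename, in the spirit of Total Commander's before/after list. This is an added example, not from the original post: Invoke-PrefixStrip is a hypothetical helper that strips the first $Count characters (10, as in the task above), refuses names that would collide, overwrite an existing file or become empty, and only renames when -Commit is given; 'c:\path\to\file' is a placeholder path.

```powershell
# Added example (not from the original post): dry-run rename with collision checks.
function Invoke-PrefixStrip {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [int]    $Count  = 10,
        [string] $Filter = '*.txt',
        [switch] $Commit
    )
    $files = Get-ChildItem -Path $Folder -Filter $Filter -File
    $plan  = foreach ($f in $files) {
        if ($f.Name.Length -le $Count) {
            # Stripping would leave nothing (or only an extension): skip it.
            [pscustomobject]@{ Old = $f.Name; New = $null; Status = 'SKIP: name too short' }
            continue
        }
        [pscustomobject]@{ Old = $f.Name; New = $f.Name.Substring($Count); Status = 'OK' }
    }
    # Two old names mapping to one new name, or a new name that already exists on disk,
    # would silently overwrite a file: mark those as skipped.
    $dupes = $plan | Where-Object New | Group-Object New | Where-Object Count -gt 1 | ForEach-Object Name
    foreach ($p in $plan) {
        if ($p.New -and ($dupes -contains $p.New -or (Test-Path (Join-Path $Folder $p.New)))) {
            $p.Status = 'SKIP: target exists or collides'
        }
    }
    $plan | Format-Table Old, New, Status -AutoSize | Out-Host   # the before/after preview
    if ($Commit) {
        foreach ($p in ($plan | Where-Object Status -eq 'OK')) {
            Rename-Item -Path (Join-Path $Folder $p.Old) -NewName $p.New
        }
    }
    return $plan
}

Invoke-PrefixStrip -Folder 'c:\path\to\file'            # preview only
# Invoke-PrefixStrip -Folder 'c:\path\to\file' -Commit  # apply once the preview looks right
```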

NOTES

https://www.ghisler.ch/wiki/index.php/Multi-rename_tool

Last Updated on Thursday, 22 August 2019 11:15

Uninstall TeamViewer

TeamViewer uninstall.

First, stop the service:

sc stop teamviewer

See if the service stopped:

sc query teamviewer

See if there is any TeamViewer process running:

powershell "ps |findstr /i team"

If there is a TeamViewer process running, taskill it:

taskkill /F /T /IM teamviewer.exe

Run the uninstall command:

"C:\Program Files (x86)\TeamViewer\uninstall.exe" /S

Powershell Connect To AzureAD | Connect to Office365

This information is in other articles that are posted but they can be overly complicated. This is the TLDR version.

Start Powershell

  • -start POWERSHELL (as administrator).
  • -type: $LiveCred = Get-Credential
  • -type in your username/password.

Office365 Endpoints | O365 Endpoints | Azure Endpoints | Microsoft Online Endpoints

From here you have the option to connect to different ENDPOINTS of Office365/AzureAD. The information is the same but data is displayed differently depending on which endpoint is being used.

The ENDPOINTS I use regularly are:

  1. OUTLOOK/Exchange-Online
  2. AzureAD
  3. MSOnline
  4. Skype-for-Business/Teams
  5. Microsoft Teams

Note that all modules can be found here (although look closely as the names can be unnatural to some):
https://docs.microsoft.com/en-us/powershell/module/

See Installed Modules

If you want to see the installed modules, you can view by:

Get-InstalledModule

Install Module

To connect to the endpoints, a module must be installed into Powershell. So if this is the first time, depending on the endpoint, use the following:

  1. Outlook/Exchange-Online: does not need a module
  2. AzureAD: type: Install-Module AzureAD (or Install-Module AzureADPreview)
  3. MSOnline: type: Install-Module MSOnline
  4. Skype-for-Business/Teams: Import-Module SkypeOnlineConnector
  5. Teams: Install-Module MicrosoftTeams

Note that this only has to be done once. After the module is installed into Powershell, it remains.

Also note that since the AzureAd module is being actively developed, the "preview" module, or beta-version, has additional commands that the current release does not. However only one of the AzureAD modules (either AzureAD or AzureADPreview) can be installed at a time.

Connect to Endpoint

After the module is installed into Powershell, the connection is as follows:

  1. OUTLOOK/Exchange-Online: type:
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session -AllowClobber
  2. AzureAD: Connect-azuread -Credential $LiveCred
  3. MSOnline: Connect-MsolService -Credential $LiveCred
  4. Skype-for-Business/Teams: type:
    $sfbSession = New-CsOnlineSession -Credential $LiveCred
    Import-PSSession $sfbSession
  5. Teams: Connect-microsoftteams -Credential $LiveCred

Which Endpoint Is Best

It depends on what you are trying to do.

  1. OUTLOOK/Exchange-Online: for the Exchange portion of Office365. Should be easy to determine if it is needed.
  2. AzureAD: new endpoint that seems to have development in the works. To me the commands are long and arduous but it has the advantage of automation or workflow.
  3. MSOnline: tried and true as a legacy option that seems to work best.
  4. Skype-for-Business/Teams: for the Skype-for-Business/Teams portion of Office365.
  5. Teams: for the Microsoft Teams portion of Office365.

Uninstall Module

Here is how to uninstall a module:

Uninstall-Module ModuleNameHere
(ie: Uninstall-Module AzureAD)

Last Updated on Sunday, 18 October 2020 10:22

License Accounts in Office365 | License Accounts in AzureAD

As a refresher, get-msoluser and get-azureaduser are similar but provide information differently.

This is a case where it seems to be easier to use get-msoluser.

To see all accounts:

get-msoluser

That returns a maximum of 500 results per command, so to see everyone, pass a large -maxresults (20000 represents some really high number, because 'unlimited' or 'all' doesn't exist):

get-msoluser -maxresults 20000

To search for a specific account:

get-msoluser -searchstr foo.user

To see if accounts are licensed:

get-msoluser -maxresults 20000 |where {$_.islicensed -eq $true}

To see if accounts are not licensed:

get-msoluser -maxresults 1000 |where {$_.islicensed -eq $false}

To see if accounts are not licensed and filter through the external contacts and healthmailboxes:

get-msoluser -maxresults 1000 |?{$_.islicensed -eq $false} |?{($_.UserPrincipalName -notlike "HealthMailbox*") -and ($_.userprincipalname -notlike "*#EXT#*")}

To see an example of the details of a licensed account for ADHOC:

get-msoluser -UserPrincipalName foo.user@foodomain.com |fl |findstr /i licen
IndirectLicenseErrors                  : {}
IsLicensed                             : True
LicenseAssignmentDetails               : {Microsoft.Online.Administration.LicenseAssignmentDetail}
LicenseReconciliationNeeded            : False
Licenses                               : {foodomain:RIGHTSMANAGEMENT_ADHOC}

To see an example of the details of an unlicensed account:

get-msoluser -UserPrincipalName foo.user@foodomain.com |fl |findstr /i licen
IndirectLicenseErrors                  : {}
IsLicensed                             : False
LicenseAssignmentDetails               : {}
LicenseReconciliationNeeded            : False
Licenses                               : {}

To assign a license to an account, you might think that set-msoluser has a key/value but they break it out to set-msoluserlicense (which is weird because there is no get-msoluserlicense). But before that is possible, the account must be set for USAGELOCATION (which is set-msoluser):

set-msoluser -UserPrincipalName foo.user@foodomain.com -usagelocation US

set-msoluserlicense -UserPrincipalName foo.user@foodomain.com -AddLicenses "foodomain:TEAMS_COMMERCIAL_TRIAL"

Likewise for removing the license:

set-msoluserlicense -UserPrincipalName foo.user@foodomain.com -removeLicenses "foodomain:TEAMS_COMMERCIAL_TRIAL"

What options are available for the license key?

Glad you asked. Here is how to get the options for your tenant:

Get-MsolAccountSku

If something doesn't show, it is because it has not been provisioned.
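The usage-location and license-assignment steps (here and in step 3 of the Teams article above) as one checked function, so a missing SKU, a full SKU or a missing usage location fails loudly instead of half-applying. This is an added example, not from the original post; Grant-MsolLicenseChecked is a hypothetical helper, it assumes Connect-MsolService has already run, and 'foodomain', the SKU name and the UPN are the page's placeholders.

```powershell
# Added example (not from the original post): assign a license with the pre-checks
# the page describes (provisioned SKU, usage location) and verify afterwards.
function Grant-MsolLicenseChecked {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $AccountSkuId,   # e.g. 'foodomain:TEAMS_COMMERCIAL_TRIAL'
        [string] $UsageLocation = 'US'
    )
    # 1. The SKU must be provisioned in the tenant (Get-MsolAccountSku) and have a free seat.
    $sku = Get-MsolAccountSku | Where-Object AccountSkuId -eq $AccountSkuId
    if (-not $sku) { throw "SKU $AccountSkuId is not provisioned in this tenant" }
    if ($sku.ConsumedUnits -ge $sku.ActiveUnits) { throw "No free seats on $AccountSkuId" }

    # 2. USAGELOCATION must be set before any license can be assigned.
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if (-not $user.UsageLocation) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -UsageLocation $UsageLocation
    }

    # 3. Assign only if the SKU is not already on the account.
    if ($user.Licenses.AccountSkuId -contains $AccountSkuId) {
        return "Already licensed: $UserPrincipalName"
    }
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $AccountSkuId

    # 4. Verify, the same thing the page checks with |findstr /i licen.
    $after = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if (-not $after.IsLicensed -or $after.Licenses.AccountSkuId -notcontains $AccountSkuId) {
        throw "License did not apply to $UserPrincipalName"
    }
    return "Licensed: $UserPrincipalName -> $AccountSkuId"
}

Grant-MsolLicenseChecked -UserPrincipalName 'foo.user@foodomain.com' `
    -AccountSkuId 'foodomain:TEAMS_COMMERCIAL_TRIAL'
```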

Last Updated on Wednesday, 13 May 2020 15:02

Exchange 2013; Get Accounts that Someone Else Has Access To

So it is easy to find out what USER is a member of what GROUP. Or vice-versa.

What is not as easily available is finding out what USER has access to another account. Or another way of putting it is; how to find mailboxes that have additional permissions than just their own?

Here's how:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}}

Or if you need to create an Excel document out of it:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions-v1.csv

Notes:

This is found in the article for Remove Mailbox Permissions That Are Not Inherited but the info might be hidden there.

Last Updated on Monday, 12 August 2019 15:47

Delete User from Azure AD

For whatever reason, I had an account in Azure AD that picked up the @foobar.onmicrosoft.com domain rather than the actual local domain. I suspect this happened because there was already an account manually created as a Global Admin so when the AD sync was happening, it could not create an account and defaulted to the onmicrosoft.com account.

In any regard, you can delete the account on Azure AD without affecting the Local AD. After the deletion, sync back to Azure AD from the Local AD.

These are the steps:

Connect to Office365/ExchangeOnline

Set-ExecutionPolicy RemoteSigned

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session -AllowClobber

Connect to MSOnline

Install-Module AzureAD

Install-Module MSOnline

Connect-MsolService -Credential $LiveCred

Get the User / Delete the User

get-msoluser -searchstring foouser

get-MsolUser -ObjectId 33f85584-acde-4c23-aa00-d8ab654a258b

remove-MsolUser -ObjectId 33f85584-acde-4c23-aa00-d8ab654a258b

Connect to AzureAD & Verify the Account Does not Exist

Connect-azuread -Credential $LiveCred

get-AzureADUser

get-azureaduser -searchstring fooname

Permanently Delete

Go to Azure Active Directory > Users > Deleted Users

Select User

Permanently Delete

Sync from Local AD

Then to sync back from the Local AD.

-connect directly to the system that has Azure AD Connect.

Check the schedule:

Get-ADSyncScheduler

Run the sync:

Start-ADSyncSyncCycle -PolicyType Delta

Notes

get-msoluser and get-azureaduser are pretty much the same in that they will provide the same basic details. They are different in that they connect to different endpoints of the service and therefore provide similar information but provide it differently.

In short, get-msoluser is the 'old way' and get-azureaduser is the 'new way.'

The problem is that the old way is easier to use and not everything is in the new way.

Last Updated on Wednesday, 07 August 2019 16:43

Redirect Entire Domain

Of course you can use the DNS at the REGISTRAR (GoDaddy, Enom, etc) level but what if you have access to the server but not the domain?

Two files are needed:

  1. index.php
  2. .htaccess (don't forget the leading '.' and there are no extensions)

The contents of the index.php file to redirect to the new web site:

<?php
    // Send the browser to the new site; exit so nothing else is output after the header.
    header('Location: https://foo.tld');
    exit;
?>

The contents of the .htaccess file to redirect any phantom links to the index page:

Options +SymLinksIfOwnerMatch
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Last Updated on Wednesday, 07 August 2019 16:38

GPO gpresult rsop | gpupdate

All this time and I never covered this... GPO, gpupdate, gpresult, rsop

GPO

You know GPO, right? The Default Domain Policy is applied to the entire domain and should override the rest. Put the password stuff in this policy but nothing else.

GPUPDATE

The GPO's will apply automatically but if you need to do it now:

gpupdate /force

GPRESULT

To see what is being applied, type:

gpresult /r

It shows what server the system is connecting to, what GPO's are applying, what GPO's are not applying and what security-group is being applied. All useful information.

To see more info, use verbose mode:

gpresult /v

Note that the command will only show the USER gpo's. If you want to show the COMPUTER gpo's, the command should be run AS-ADMINISTRATOR.

Or if you need to run remotely:

gpresult /r /scope:computer

GROUPS

Groups are applied on login. If the group doesn't show, logout/login.

RSOP

Since GPO's can overlap, the following will show which GPO's are winning in case they are fighting: rsop.msc

NET ACCOUNTS

Or a quicky to show password rules: net accounts /domain

Last Updated on Monday, 09 December 2019 10:31

10 Steps for NVMe Drives | Microsoft, Intel, Toshiba

On 2 separate occasions today, I ran into problems with NVMe drives. These are SSD drives on a chip through a pcie slot rather than a SATA connection.

The drives were Toshiba KXG60ZNV512G NVM and would BSOD coming out of sleep/hibernate.

Here are 10 steps to make sure you have the best NVMe experience.

1- Update the drive firmware. Be sure to match the model number (KXG60ZNV512G). Dell's web site provided the wrong drive firmware. This firmware would not install as the drive was not found on the system. I found the correct firmware by showing all downloads for the model (Precision 7530).

2- Update the bios. The bios needs to be built to work with an NVMe drive. So if the bios doesn't work, it may need to be updated.

3- Write down the bios settings for the drive and reset to the default bios settings. Reboot. After reboot, manually set the settings again. There are some settings that cannot be changed manually. If there are hidden settings the default should be appropriate. But we want to make sure we have the drive settings (probably RAID/RST) because we don't want to guess after the update. Changing them incorrectly produces a BSOD on bootup. Not the end of the world as it can be fixed.

4- In the bios, turn off the C-STATE. While we are at it, turn off SPEEDSTEP... ugh.

4- Update the chipset drivers.

5- Update the NVMe drivers. There are 4 providers of NVMe drivers:

  1. Microsoft built-in drivers.
  2. Samsung.
  3. Intel RST (iastorAC.inf).
  4. OpenFabrics Alliance.

Word on the street is that the OpenFabrics drivers perform best but let's stick with the crowd and use Intel RST drivers.

6- Manually install the drivers; UPDATE-DRIVERS > BROWSE > LET-ME-PICK > HAVE-DISK > choose IASTORAC.INF > Reboot.

7- Enable the Device Manager Write Caching Options by disabling the write cache buffer; DEVICE-MANAGER > DISK-DRIVES > RIGHT-CLICK > PROPERTIES > POLICIES > CHECKMARK "turn off windows write cache buffer."

8- Disable the Link Power Management (LPM). Open the Intel Rapid Storage Technology Software > PERFORMANCE > LINK-POWER-MANAGEMENT > DISABLE.

9- Set to ultimate performance. Windows has power settings for both plugged into power and for battery. If it is plugged in, use it for maximum performance. Some settings are hidden in the Windows UI, so set it via command line:
powercfg -s e9a42b02-d5df-448d-aa00-03f14749eb61

While we are at it, make sure the hibernation is off:
powercfg -h off

10- Have fun! Remember, if this "feels heavy," get someone else to do it for you. Here is a benchmark:

nvme-test-v1

Last Updated on Tuesday, 30 July 2019 17:42

10 Reasons Why I Prefer Webroot Antivirus

I wrote this email for a colleague who inquired about Webroot. After I finished the message and sent it, I realized that it was appropriate for a blog post:

Webroot is very good protection.

1: INSTALLATION

The installation is very simple with msi or exe options available. Both options are simple, silent and fast install. The command line looks something like this: msiexec.exe /i "wsasme.msi" ALLUSERS=1 /qn /norestart /log output.log GUILIC=664CG8545895728446C

2: PROTECTION-AREAS

Once installed, the protection has the following areas:

1-Real time Protection

2-Rootkit Protection

3-Web Protection

4-USB Protection

5-Firewall Protection

6-Identity Protection

7-Phishing Protection

8-DNS protection is available as well as an upgrade.

3: SCANS

Scans are very fast and use little processor resources. A “deep” scan takes around 30 seconds. A “Full” scan takes around 30-60 minutes but this scan is not needed because of the central console.

4: CONSOLE

All computers report back to a central console which is located here:

https://my.webrootanywhere.com

5: MONITOR

The console is a central place to monitor systems, control systems and will show which systems are clean and which systems have problems.

6: CONTROL

The console also controls the options for Webroot and will determine the settings for the software. One policy we like is the inability to uninstall the software. So even if a person has administrator rights, they are unable to remove Webroot. Uninstall is only performed by the console.

The console also gives limited control access to the systems. You can perform manual scans, lock the computer, restart the computer or restart in safe-mode. This is good when the system is out of the office and you might otherwise have little control over it through other access.

7: THREAT RESOLUTION

In the event that Webroot finds a threat, it will automatically resolve the issue and either quarantine the file or delete the file. There is very little maintenance to perform.

8: WEBSITE BLOCKING

While the firewall blocks websites, Webroot is a second layer of protection that blocks when the system is not behind a company firewall.

9: DEFINITION-UPDATES

Definition updates are handled by the console with cloud-based threat intelligence. All systems use the same definition updates and policies.

10: UPGRADE-VERSION

Webroot will automatically update to the newest version. There is no need to manually update the software version.

BONUS: ALERTS & REPORTS

The console can generate alerts and reports. Alerts send an email or text message when any problem is found. Reports show a list of problems for a time period; for example the last 30 days, 60 days or 90 days.

FINAL THOUGHTS

The only other antivirus we are considering is Cylance.

Last Updated on Wednesday, 24 July 2019 08:57

Reset Cisco Router Password and Config | Authorization failed

Trying to reset a Cisco password; getting "% Authorization failed" for every command. I guess there is AAA set up.

PC <-> usb-to-serial-connection <-> serial-to-ethernet <-> ethernet-to-console
plug into console
putty
select serial
type: com3
Power on router
startup sequence shows.
hit CTRL + BREAK (within 60 seconds).
type: confreg 0x2142
type: reset
Wait for reboot.
type: no
type: enable
type: show startup-config
copy the entire output to your pc and save.
type: config t
type: config-register 0x2142
type: end
type: reload
type: no
confirm the reload with enter
type: no (when asked to enter the initial config).
type: enable
type: config t
type: config-register 0x2102 (notice this is different)
type: end
type: write memory
type: reload
hit ENTER to confirm reload

10 Items I Wish I Knew Before Setting Up Webex Room Kit

We had our first interaction with Webex Room Kit recently. After hashing it out for a few days, here are a couple of tips that might help:

1- Webex Meetings and Webex Teams are 2 separate products.

Webex Meetings is traditional Webex. You can host/schedule meetings and other people can join. The meetings can be for small 1-on-1 type of meetings or they can be webinar type of meetings where one person presents and everyone else is muted. Up to 1000 people can attend.

Webex Teams is like Skype. Others ring you and you can ANSWER or DECLINE.

2- Webex Meetings and Webex Teams are 2 separate pieces of software.

Since they function differently, you will need to install both if you use both. My recommendation is to skip Webex Teams altogether. More on that later.

Here is the current link for Webex Meetings (Windows):
https://akamaicdn.webex.com/client/WBXclient-39.4.5-5/webexapp.msi

You can install silently by:
msiexec.exe /i "webexapp-39.4.5-5.msi" ALLUSERS=1 /qn /norestart /log output.log

3- Close Outlook when installing Webex Meetings.

When Outlook is closed, Webex Meetings buttons will install into Outlook. You can use the buttons to Start a Meeting or Schedule a Meeting directly from Outlook.

These buttons are not available for Webex Teams. This is a deal-breaker for Webex Teams.

4- Licensed Accounts are only needed for people who START/HOST/SCHEDULE meetings.

If a user is not going to START/HOST/SCHEDULE a meeting, they do not need a license.

They can still attend meetings that others START/HOST/SCHEDULE.

5- Webex Meetings (& Teams) is licensed per NAMED-USER (colloquially called PER-USER) or ACTIVE-USER (colloquially called CONCURRENT-USER).

In NAMED-USER, you will pay for every person that has an account. If they never HOST/SCHEDULE a meeting, you will still pay.

In ACTIVE-USER, you pay for the number of meetings that can happen at one-time. Like incoming/outgoing phone lines, once they are used up, someone will have to wait till a spot is free to make a call.

6- ACTIVE-USER (aka CONCURRENT-USER) starts at 40 licenses.

This is kind of a bummer for small companies. It would be awesome if a 5 license option were available for smaller companies who may want the features of Webex but don't host meetings too often.

For larger companies, with ACTIVE-LICENSE, you can install on everyone's computer (say 250 computers) and only pay for 40 licenses. Awesome option!

7- Webex Room Kits are Webex Teams by default.

In thinking about it, it makes sense. If you have a conference room of 4 people and they need to call another room, that other room will have to ANSWER for anything to happen. If not, it just rings like a phone until a NO-ANSWER message shows. It will not just show the other conference room and wait for other people to show. That would be kind of creepy.

8- Webex Room Kit TouchPanel has a Directory which is Webex Teams by default.

So if someone starts a Webex Meeting and you try to join via Webex Room Kit by calling their name from the Directory, it will not join the Meeting. It will just ring. This has been the single biggest source of frustration with the Webex Room Kit. People stomp away cursing under their breath about how the stuff doesn't work.

I'm trying to see if that can be changed.

9- Call the Personal Room.

If you start to type in someone's name, they will show twice. Once as their name and a second time as a PERSONAL-ROOM. By tapping on their name, you are calling them via Webex Teams. By tapping on their PERSONAL-ROOM, you are calling them via Webex Meetings. This is the "fix" for the frustration above. Trying to communicate (educate?) people on this has proven to be difficult.

In short, call the Personal Room.

10- Adjust the Options from https://admin.webex.com

This web site controls the Webex Room Kit. Options like Whiteboard focus (so that the camera can frame the person in the conference room along with a whiteboard) and Standby-Branding (so that you can display a web site on the TV while the Webex Room Kit is not being used) can both be found with a little digging.

11 (Bonus!)- Siri/Cortana is Built Into the Webex Room Kit

OK, it is their version of Siri/Cortana but you can say, "Hey Webex, call John" and it will do your bidding. Of course, use caution on the whole Teams/Meeting Personal Room aspect.

Conclusion

In the end, Webex Room Kits along with Webex Meetings is one of the best all-around options available for video conferencing and can change the entire culture of the company while providing best-in-class service to customers. Webex Meetings is great but needs a bit of class time to get the full features out of it. Webex Teams, while perhaps necessary, is very confusing to communicate and for users to pick up on their own. Having 2 options only serves to increase support times. Do yourself a favor and ditch Webex Teams; going with Webex Meetings only is the way to go.

Now to see if it is possible to change that darn Directory in Webex Room Kit Touchpad to only show Personal Rooms...

Last Updated on Friday, 28 June 2019 17:42

Why WatchGuard?

Why WatchGuard instead of {insert brand name here}? Good question.

Fine Grain Control

First and foremost, WatchGuard has fine-grain control. This means that WatchGuard inspects all incoming and outgoing traffic. This is done at the port level (0-65,535) and the protocol level, so it can allow/deny protocols running on ports they should not be running on. This is different from lower-end systems that allow all outgoing traffic and only port-forward incoming ports.

Automatic Deny

WatchGuard automatically denies traffic that it does not recognize. This is important for security: only traffic that needs to go through is allowed, and it gets through by being explicitly allowed rather than allowed by default.

Multiple Interfaces

WatchGuard can handle multiple interfaces. This means dual WAN connections or possibly more; such as dual-WAN and MPLS connections. Or perhaps a single WAN connection and multiple internal network segments that are completely separate. Think in terms of an office suite where there might be 5 tenants or more sharing a single internet connection. The economies of scale are at work here as every tenant could share a single fiber connection rather than each getting their own WAN/ISP.

Multiple IP Addresses

WatchGuard can handle multiple public IP addresses all on the same interface. This means that we can use one ip address for our LAN and other dedicated IP addresses for servers. This helps for security but also if you have multiple servers using the same port number, say port 80 for web hosting. You can have multiple web servers behind the same WatchGuard with different public ip address but using the same WAN connection.

No Reboot Configuration Updates

WatchGuard will apply new configurations without rebooting the system. The only time a reboot is needed is when the OS is updated. This is a dream if you have ever managed any other system that wants to reboot every time a change is made.

Wireless Controller

WatchGuard has a wireless controller built in. This allows for easy deployment of several access points (APs) at once. It will sniff out new APs and ask if it should manage them. This can be done via the internet as well, so upgrading AP firmware is done in one fell scheduled swoop in the wee hours of the morning during low/no traffic.

Business Class Ready

WatchGuard is business class ready. Stop using home quality routers at the office. With uptimes more than a year, WatchGuard is built for the offices both large and small.

Integrated Threat Detection Against Cryptolocker

WatchGuard has an integrated Threat Detection client that can run on the systems. If Cryptolocker is detected, WatchGuard can shut it down automatically.

VPN Options

WatchGuard handles VPN through SSL VPN (it can also do PPTP and IPSec). With PPTP being outdated and other systems difficult to set up, WatchGuard SSL VPN works out of the box. And it works in most remote situations since it runs over HTTPS/port 443. This saves on support time for road warriors and conference travelers needing to connect back to the office.

Also WatchGuard VPN can be site to site with super easy drag and drop configuration.

Next, WatchGuard VPN can be split-tunnel for remote workers. This allows remote workers to use the local internet connection for web surfing and the VPN connection for office network shares. Helps in situations where road warriors need to print to their local network printers but still need access to the office server.

WatchGuard VPN works with OpenVPN. This allows the traffic to be forced over the VPN connection.

Centralized Management

WatchGuard can be managed centrally through WatchGuard System Manager. This means that if you have several WatchGuard firewalls (or hundreds... cough, cough), you can manage them all from a single console. This manages licenses, upgrades, wireless firmware, firewall rules. You name it and the WatchGuard System Manager can manage it.

Centralized Reporting

Likewise, WatchGuard has Centralized Reporting in the form of WatchGuard Dimension. All traffic from all clients across all WatchGuard Firewalls is recorded in a central location. If we need to run a report on web sites visited during a certain time, no problem. Here it is.

Putting It All Together

Putting this all together means that we can manage many WatchGuard systems, their wireless access points and their reporting across North America without ever leaving the network operations center.

Last Updated on Thursday, 04 July 2019 05:23

Powershell Get Disk Space

Here is how to get the disk space in powershell with GB (aka human readable numbers):

get-psdrive

Here it is cleaned up a bit:

get-psdrive -PSProvider filesystem | Format-Table -Wrap -AutoSize -Property Root,@{Name='UsedGB';Expression={[math]::round($_.used/1gb,2)}}, @{Name='FreeGB';Expression={[math]::round($_.free/1gb,2)}}, @{Name='PctFree';expression={$_.free/($_.free+$_.used)*100 -as [int]}}

It lists every connected drive: root (drive letter), used GB, free GB and percentage free.

 

WatchGuard Downloads

WatchGuard Downloads are here:

https://watchguardsupport.secure.force.com/software/

The OS upgrade option is built into the web ui and should be used to upgrade versions. The OS upgrade will also upgrade the SSL VPN client versions that are stored directly on the Firebox.

Last Updated on Tuesday, 25 June 2019 08:29

Install WebEx Remotely

Let's say that you have limited access to a system. Let's say that you want to download a WebEx package to the system via command line/powershell. Here's how:

wget "https://akamaicdn.webex.com/client/WBXclient-39.4.5-5/webexapp.msi" -outfile "webexapp.msi"

msiexec.exe /i "webexapp.msi" ALLUSERS=1 /qn /norestart /log output.log

Remove Appx Windows 10

Remove Appx app (is that redundant?):

Get-AppxPackage -allusers -name "Microsoft.MicrosoftOfficeHub" |Remove-AppxPackage

Here is an example:

REMOVE
Get-AppxPackage -allusers -name "Microsoft.Windows.Photos" |Remove-AppxPackage

GET
Get-AppxPackage -allusers | Select Name, PackageFullName |findstr /i photo

ADD
Add-AppxPackage -register "C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.17920.0_x64__8wekyb3d8bbwe\appxmanifest.xml" -DisableDevelopmentMode

Last Updated on Wednesday, 04 December 2019 12:31

Surface Pro 4 Max Performance

Click here to see how to set the Surface Pro 4 to Max Performance on the Intel HD Graphics and the Processor:

https://www.windowscentral.com/how-max-intel-hd-graphics-surface-pro-4

WDF_VIOLATION BSOD 1903

MacBook Pro circa 2011 running bootcamp and Windows 10. Updated to 1903. BSOD "WDF_VIOLATION."

-hold power button to shut off.
-press power button to turn on.
-do this about 3 times. After the 3rd time, the option for ADVANCED BOOT should appear.
-press F8
-select SAFE-MODE WITH COMMAND-PROMPT
-login as normal.
(a scary black screen shows)
-you will be at c:\windows\system32

-type: cd drivers
-type: dir |findstr /i machal
-it will show: MacHALDriver.sys
-this is our problem.
-type: rename MacHALDriver.sys MacHALDriver.sys.sav
-press ENTER key
-type: shutdown -r -t 3
-press ENTER key

The system will reboot and you should be able to login as normal without the BSOD. Apparently the BOOTCAMP DRIVERS V6 will fix it. But I have not tried to install them yet.

Last Updated on Wednesday, 05 June 2019 16:34

WatchGuard Allow Web Site

It is possible to set up different access for different groups.

Typically we block web sites in the Weapons category by default. Going to a web site like the following is blocked: beretta.com

But what if they are a client and we want to allow the MARKETING group access to the web site?

-this was the simple setup:
https://www.jscmgroup.com/watchguard-blog/2016/8/29/watchguard-webblocker-actions

Without any setup the log is:
2019-06-05 14:53:51 Deny 10.192.480.250 199.83.128.143 http/tcp 56564 80 0-LANLAG 0-External ProxyDeny: HTTP Request categories (Outbound-HTTP-proxy-00) proc_id="http-proxy" rc="595" msg_id="1AFF-0021" proxy_act="HTTP-Client.Standard.1" cats="Weapons" op="GET" dstname="beretta.com" arg="/favicon.ico"

-you can see that the proxy-action is: HTTP-Client.Standard.1.
-but it should be: HTTP-Client.marketing
-this is because the proxy-action is not attaching to the group. This is because I was trying on a system on a subnet with an exception for authentication:
10.192.480.0/24 (note: subnet not real for posting purposes)
-this results in NO-AUTH, NO-GROUP and NO-PROXY-ACTION.
-switched to a different PC on: 10.192.420.0/24

-for setup, the key here is that the WatchGuard group name needs to be the same as the AD group name: MARKETING
-next, create the rule where you can create the proxy. I went the long way around.
-ultimately, I had to:
-edit-policy > Proxy-Action > HTTP Proxy Exceptions
-add: *.beretta.com

NOTES:
-going to: -edit-policy > Proxy-Action > WebBlocker
-click: EDIT > EXCEPTIONS
-click: ADD
-type: *.beretta.com/*
Did not work. I still ended up with log:
2019-06-05 15:40:06 Deny 10.192.420.100 199.83.134.143 http/tcp 61063 80 0-LANLAG 0-External ProxyDeny: HTTP Content Type match (Outbound-HTTP-Marketing-00) proc_id="http-proxy" rc="595" msg_id="1AFF-0018" proxy_act="HTTP-Client.marketing" rule_name="Default" src_user="dakruhm"

-the fix should be:
-edit-policy > Proxy-Action > HTTP-RESPONSE > CONTENT-TYPES
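
To make the two log lines above easier to read, here is an added Python example (not code from this post or from WatchGuard) that parses the proxy deny lines into fields and labels the cause the way the post reasons about it: no src_user means no authentication and therefore the default proxy action, while an authenticated user with the right proxy action is being denied by either the WebBlocker category rule or the content-type rule. The header field layout is an assumption inferred from the two lines quoted above; the third log line is constructed to show the remaining branch.

```python
"""Added example (not the post's own code): parse WatchGuard HTTP-proxy deny
lines and say which part of the proxy action caused the deny.

The first two lines are the ones quoted in the post (its 10.192.x addresses
are not real, as the post says); the third is a constructed variant. The
header field layout is an assumption inferred from those lines.
"""
import re

LOG_LINES = [
    '2019-06-05 14:53:51 Deny 10.192.480.250 199.83.128.143 http/tcp 56564 80 0-LANLAG 0-External '
    'ProxyDeny: HTTP Request categories (Outbound-HTTP-proxy-00) proc_id="http-proxy" rc="595" '
    'msg_id="1AFF-0021" proxy_act="HTTP-Client.Standard.1" cats="Weapons" op="GET" dstname="beretta.com" arg="/favicon.ico"',
    '2019-06-05 15:40:06 Deny 10.192.420.100 199.83.134.143 http/tcp 61063 80 0-LANLAG 0-External '
    'ProxyDeny: HTTP Content Type match (Outbound-HTTP-Marketing-00) proc_id="http-proxy" rc="595" '
    'msg_id="1AFF-0018" proxy_act="HTTP-Client.marketing" rule_name="Default" src_user="dakruhm"',
    # Constructed line: an authenticated marketing user still hitting the category block.
    '2019-06-05 15:41:00 Deny 10.192.420.100 199.83.134.143 http/tcp 61070 80 0-LANLAG 0-External '
    'ProxyDeny: HTTP Request categories (Outbound-HTTP-Marketing-00) proc_id="http-proxy" rc="595" '
    'msg_id="1AFF-0021" proxy_act="HTTP-Client.marketing" cats="Weapons" op="GET" dstname="beretta.com" src_user="dakruhm"',
]

# Fixed header fields, then a disposition, a reason, the policy in parentheses,
# and a trailing run of key="value" pairs (layout assumed from the lines above).
HEADER = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<src>\S+) (?P<dst>\S+) '
    r'(?P<proto>\S+) (?P<sport>\d+) (?P<dport>\d+) (?P<src_if>\S+) (?P<dst_if>\S+) '
    r'(?P<disposition>\w+): (?P<reason>.*?) \((?P<policy>[^)]+)\) (?P<rest>.*)$'
)
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of header fields plus the key="value" pairs, or None."""
    m = HEADER.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry.update(KV.findall(entry.pop("rest")))
    return entry


def diagnose(entry, wanted_proxy_action):
    """Label a ProxyDeny with the part of the configuration that produced it."""
    if entry.get("disposition") != "ProxyDeny":
        return "not-a-proxy-deny"
    if "src_user" not in entry:
        # No authenticated user -> no group match -> default proxy action.
        return "unauthenticated"
    if entry.get("proxy_act") != wanted_proxy_action:
        return "wrong-proxy-action"
    reason = entry["reason"]
    if reason.startswith("HTTP Request categories"):
        return "webblocker-category"   # Proxy-Action > WebBlocker / HTTP Proxy Exceptions
    if reason.startswith("HTTP Content Type"):
        return "content-type"          # Proxy-Action > HTTP-RESPONSE > CONTENT-TYPES
    return "other:" + reason


def triage(lines, wanted_proxy_action):
    """(src, user, proxy action, diagnosis) for every parsable line."""
    rows = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        rows.append((entry["src"], entry.get("src_user", "-"),
                     entry.get("proxy_act"), diagnose(entry, wanted_proxy_action)))
    return rows


if __name__ == "__main__":
    for row in triage(LOG_LINES, "HTTP-Client.marketing"):
        print(row)
```

Run against the lines in the post, the first line comes back as unauthenticated (the authentication-exception subnet) and the second as a content-type deny, which is why editing WebBlocker exceptions alone did not help.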

OpenText Enterprise Scan and SAP

Here are my scribble notes so I don't have to look them up again.

Install the OpenText Enterprise Scan program.

Scanning is rather simple, just make sure you select the correct model of scanner and scan the document.

Next is sending to the Archive Server.

Set up the pipeline to the Archive server (i.e., 10.195.160.4).
scan config manager

Test the archive server pipeline:
scan > config-manager

Pipeline info:
localhost
Port 4023
Port 8080 (for management)
right-click & select LIST-PIPELINES

Start Enterprise Scan
Config Archive

Ops
Capture Center
Capture Center via shared
content server
doc pipe for content server
doc pipe for SAP
doc pipe for tcp
external storage

Flow
Doc pipeline SAP

Server
http
8080
check
nettcp secure
19284
local
localhttp

There is a possibility that there is a port on a firewall that needs to be opened if the archive server is offsite.

Check the profile: cmd > set
ecm conf dir = c:\ProgramData\Open Text (intentional space "Open" "space" "Text")
ecm doc pipeline base = c:\Program Files\OpenText
ecm doc pipeline conf = c:\ProgramData\OpenText (intentional nospace "OpenText")
ecm doc pipeline info = c:\ProgramData\OpenText (intentional nospace "OpenText")
ecm doc pipeline sap = c:\ProgramData\OpenText (intentional nospace "OpenText")

c:\ProgramData\OpenText\BASE Document Pipeline\config\dpconfig\dp.dpconfig
c:\ProgramData\OpenText\BASE Document Pipeline\config\dpconfig\dp.dpinfo

Error Message: Late_Archive_error | Could Not Process Document

Logs are here:
c:\ProgramData\OpenText\var\LogDir\doctods_1.log

http status code = '0', http status message = 'Couldn't resolve host name'
dsc::dscOpenDoc dsc.cxx-9776 cannot reserve a document id; the call of function dshDsReserveDocId() failed: 'HTTP error: connection was broken: host = denw08v701 (archive='ABC')'

This means the archive is not working because the local system cannot find the server named in the script. This happens because the workstation is outside the domain, so the short name "denw08v701" does not resolve; it needs to be the fully qualified name "denw08v701.domain.tld".

Or you can edit the HOSTS file:
c:\Windows\System32\drivers\etc\hosts

Add:
10.195.160.4 denw08v701

Last Updated on Monday, 03 June 2019 14:17

Find What Port Number a MAC Address Is On in Cisco IOS

If you know the full MAC address, you can perform the following:

show mac address-table address 6476.7A98.1818

If you know just part of the MAC address (where 1818 is the last 4 hex digits of the MAC):

show mac address-table | include 1818

Change your interface, if needed:

enable

configure terminal

interface GigabitEthernet0/1
 description MPLS
 ip address 10.162.131.54 255.255.255.248
 duplex full
 speed 100

Be sure that your link speed is set correctly. Sometimes auto speed doesn't work right.

And change your gateway/bgp-neighbor, if needed:

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 redistribute ospf 30
 neighbor 10.162.30.1 remote-as 65006
 neighbor 10.162.131.49 remote-as 1
 no auto-summary

And remember to save your running config as your startup config:

copy running-config startup-config

You can show your routes by:

show ip route

Last Updated on Wednesday, 22 May 2019 17:18

Hyper-V Integration Services Windows Server 2016 Datacenter

Integration services is Microsoft's terminology for client-tools/guest-tools. Other vendors such as VMware and VirtualBox have their own terminology but the idea is the same. With the tools installed the guest VM works better, faster, etc.

To see if the Integration Services are installed:

  • -go to Host system.
  • -powershell (as admin).
  • -type: get-vm |ft name,version

With Windows 10 Guest VM, and Server 2016 Host, the integration services are installed via Windows Update.

To see the version of Integration Services:

-type: REG QUERY "HKLM\Software\Microsoft\Virtual Machine\Auto" /v IntegrationServicesVersion

Then let us see if the service on the GuestVM is running:

-type: Get-Service -Name vm*

Last Updated on Wednesday, 10 April 2019 17:31

Laptop Password Expired and VPN

Let's say that you have a typical Windows domain network at the headquarters. A rule of the network account policy is that the password changes every 90 days.

And let's say that you have a group of outside sales people who do not come into the office. Every once in a while they vpn into HQ.

If the password expires on their account, they can still log in to their laptops because the laptop keeps a cached copy of the domain credentials. But then the VPN fails and email fails.

They call and we reset their account password.

The VPN works.

But then how does the laptop get updated?

Here's how:

  • login on the laptop without network (using the old password).
  • connect to a network for internet.
  • start the VPN connection to HQ.
  • lock the laptop (CTRL+ALT+DEL > LOCK).
  • unlock (using the new password).

When unlocking, the computer is connected to the domain (via the VPN tunnel), so it verifies the password with the domain. As a side effect this updates the cached password on the laptop.

Linux Delete All Files Greater than a Certain Size

Let's say you have a directory of photos. The directory is about 1TB and the hard drive is packed full. How do you delete files that are larger than a certain size?

Here's how:

cd /path/to/dir
find . -name "*.jpg" -size +1000k -delete

k is for kilobytes (1024-byte units).
Leave off the "-delete" if you want a dry run that lists the files without deleting them.
Adjust accordingly.

Or if you need to delete base on date (files older than 30 days):
find ./path/to/dir/ -type f -mtime +30 -delete

Find files larger than 1MB:
find ./directory-name-here -type f -size +1M

Find files older than 180 days:
find ./directory-name-here -type f -mtime +180 -exec rm -f {} \;

Last Updated on Sunday, 11 October 2020 18:04

Mimecast LDAPS Connection

Here is the best source for setup of LDAPS:

https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/

For Mimecast, if you are using a self-signed certificate as the instructions above provide, set the Encryption Mode to: Relaxed

Last Updated on Thursday, 14 March 2019 18:32

Rename User Active Directory

Renaming a user in Active Directory is a common task; here it is all in one spot.

Rename User in GUI

-open Active Directory Users and Computers.
-right-click on the Name.
-select RENAME.
(the Rename User dialog box appears so you can change the other common name fields)

Rename User in CMD

dsmove "<UserDN>" -newname "<NewUserName>"
dsmod user "<UserDN>" -upn "<NewUserUPN>" -ln "<NewUserLastName>"

Rename User in PS

rename-adobject "oldname" "newname"
or
Get-ADUser -Identity 'oldname' | Rename-ADObject -NewName 'newname'

For a full one-liner (Rename-ADObject needs -PassThru so the renamed object continues down the pipeline to Set-ADUser):
Get-ADUser "old.name" | Rename-ADObject -NewName "New Name" -PassThru | Set-ADUser -GivenName "New" -Surname "Name" -DisplayName "New Name" -SamAccountName "newname" -UserPrincipalName "<NewUserUPN>"

NOTES:

All the following are different:

Name
GivenName
Surname
SamAccountName
DisplayName
OtherName
UserPrincipalName

Most can be set by: Set-ADUser

But the Name of the Object is a bit different and needs to be set by: Rename-ADObject

Check your work by using Get-ADUser.

Here is Get-ADUser:
https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-aduser?view=win10-ps

Here is Set-ADUser:
https://docs.microsoft.com/en-us/powershell/module/addsadministration/set-aduser?view=win10-ps

Here is Rename-ADObject:
https://docs.microsoft.com/en-us/powershell/module/addsadministration/rename-adobject?view=win10-ps

Last Updated on Monday, 11 March 2019 09:41

Watchguard VPN Split Tunnel Doesn't Resolve

Watchguard VPN setup. Watchguard has a split tunnel automatically. Works for hundreds of people.

Ran into a new setup where the WatchGuard VPN would connect, but asking for VLAN resources would respond back with the local network. The desired result is the remote network.

This happens to be on an AT&T home router. The laptop is hard-wired. Note that the wireless connection works fine. Go figure.

Here's how to diagnose on the vpn laptop:

  • -click START > POWERSHELL (as admin).
  • -type: get-netipinterface

Typically, out of the box, each connection will have a name (obviously) and a setting for IPV4 and IPV6. Each setting will have a METRIC.

Let's say the connections are named: ETHERNET and VPN.

You will notice that:

ETHERNET IPV4 has a metric of 35
ETHERNET IPV6 has a metric of 35
VPN IPV4 has a metric of 35
VPN IPV6 has a metric of 35

What we need to do is set the METRIC on the hard-wired connection to a number higher than the vpn connection.

-type: netsh int ipv4 set interface interface="ETHERNET" metric=40
-type: netsh int ipv6 set interface interface="ETHERNET" metric=40

That should do it.

Note that other posts will talk about turning ipv6 off, etc. This can be done via PowerShell:
Disable-NetAdapterBinding -InterfaceAlias "Ethernet Interface Name Here" -ComponentID ms_tcpip6

Last Updated on Thursday, 21 May 2020 09:45

Watchguard Change Opened Ports | Watchguard Change Opened Outgoing Ports

Let's say that you already have a firewall policy on your Firebox. That firewall policy has a non-standard port open from a static internal IP address to the rest of the internet (Any-External) so that it can talk to whoever it needs to. Note that this is not an internal server that needs to serve the rest of the internet, such as a web server; this is simply a piece of software that needs to reach out on a non-standard port.

Now, at the current moment, you need to either add to the port list or change the port number.

When you click on the firewall policy there is no option to edit the port list or the port number. How do you change it?

Good question. What you want to do is change what is called, in WatchGuard-speak, the firewall-policy-type.

Here's how:

  • -click FIREWALL > FIREWALL-POLICIES.
  • -click ADD-POLICY (at the top). (Yes, even if you are not adding a firewall-policy).
  • -bullet CUSTOM.
  • -select the policy-type (from the drop-down list).
  • -click EDIT.
  • -click ADD | EDIT | REMOVE as necessary.
  • -click SAVE (at the bottom).
  • -click CANCEL (so that it does not save a new firewall-policy).

I have yet to figure out if there is a better way to go directly to the firewall-policy-types.

 

Last Updated on Wednesday, 27 February 2019 16:56

Watchguard Port Forward

Here is how to port forward if you are hosting a server of some type on your internal network that needs to be accessible outside of the office:

  • -log in via web https://10.1.10.1:8080
  • -click on Firewall > SNAT.
  • -click ADD.
  • -type name: 5802 incoming to port 5802
  • -click ADD.
  • -type internal address to send traffic to. (e.g., 10.1.10.5)
  • -click OK.
  • -click SAVE
  • -click Firewall > Firewall Policies.
  • -click ADD-POLICY.
  • -click CUSTOM.
  • -type name: 5802 incoming to port 5802
  • -click ADD.
  • -enter port # and click OK. (e.g., 5802)
  • -click SAVE.
  • -click ADD POLICY button.
  • -change “FROM” box to contain only “Any-External”.
  • -remove everything in “TO” box.
  • -click ADD button.
  • -change “Member Type” to “Static NAT”.
  • -select the Policy Type you just added and click OK.
  • -click SAVE.
Last Updated on Wednesday, 27 February 2019 15:11

Get All Mailboxes With Permissions Other Than Themselves

Here's how to get all mailboxes where someone other than the mailbox itself has been granted (non-inherited) permissions:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions-v1.csv

Outlook Calendar Permissions for Visual Learners

Learn visually? Me too. Here are the Outlook calendar permission roles and the individual rights they are built from:

Roles: Author, Contributor, Editor, None, NoneEditingAuthor, Owner, PublishingEditor, PublishingAuthor, Reviewer, AvailabilityOnly, LimitedDetails

Rights: CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems

For ReadItems, AvailabilityOnly shows Free/Busy only and LimitedDetails shows Free/Busy with Name & Location.
Last Updated on Friday, 22 February 2019 09:54

Office 365 - Join Computer to Domain | Azure Active Directory

Do you have an Office365 account for your company domain (i.e., daknetworks.com) and email? Did you know that you can join your laptop or desktop to the Office365 domain?

The typical access for Office365 is here:
https://portal.office.com

There is also another portal to manage your Office365 domain:
https://admin.microsoft.com

AZURE ACTIVE DIRECTORY

Once here, you are welcomed with so many services it is hard to keep them straight. What we are interested in is Azure-Active-Directory. Once you click on Azure-Active-Directory, you will see more options. Let's cover the basics.

USERS

Clicking on USERS will show you the users in your company. These naturally mirror the email accounts as you can't have an email account without having an Azure-Active-Directory account. But that might not be obvious if this is new to you.

GROUPS

Clicking on GROUPS is similar.

DEVICES

DEVICES will show all the devices that are REGISTERED or JOINED. What's the difference?

REGISTERED means the company is allowed to control the device. This is what happens with your iPhone (because who in their right mind would use Android). When you add your Office365 company email address to the phone, the company can control your iPhone. You might not know that. But it is nonetheless true. They can take the email account off the phone without your permission or they can wipe your entire iPhone without your permission.

The same is true for Windows 10 laptops/desktops. If you add your Office365 company email address to Outlook, the company can control your computer in some ways. Just like your iPhone, your computer is still accessible by you with the password that you set up when you brought the computer home from the store or received it in the mail/UPS/FedEx/Amazon package. But your company can control some of the items on your computer.

JOINED is what we think of in a traditional computer setup for a small company with an on-site server. When a computer is JOINED, any user in the company can login to that computer without having to setup the password locally. All the usernames/passwords are kept on a centrally located "invitation list."

JOIN COMPUTER TO AZURE ACTIVE DIRECTORY

 So how do you do that?

  • -click START > SETTINGS > ACCOUNTS
  • -click ACCESS-WORK-OR-SCHOOL (on the left-hand side).
  • -click CONNECT.
  • -click JOIN-THIS-DEVICE-TO-AZURE-ACTIVE-DIRECTORY.
  • -type in your email-address.
  • -click NEXT.
  • -type in your email-password.
  • -click SIGN-IN > JOIN > DONE.

MAGIC TO GET AROUND YOUR ORGANIZATION REQUIRES HELLO

There's a part here where if we continue, it will want to change your password to a PIN. Let's get around this.

  • -click START > RUN.
  • -type: gpedit.msc
  • -click Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business (on the left-hand side).
  • -click Use Windows Hello for Business (in the middle).
  • -click DISABLED.
  • -click OK
  • -restart your computer to make sure it survives reboot.

LOGIN WITH AZURE ACTIVE DIRECTORY

At the login screen,

  • -click OTHER-USER (at the bottom-left).
  • -type in your email-address.
  • -type in your email-password.

Once you do, a whole new world begins. Now you can use your email-address and email-password to access the computer. You might notice that it automatically has your name from your email address. This is some of the power of JOINING to an Azure-Active-Directory.

Note that when you do this, the process creates a new user on the computer so your DESKTOP, DOCUMENTS, PHOTOS, VIDEOS will all be reset to a fresh set. Any items you might have had are still in the other username and password. This can be manually transferred from the other account if needed.

NOTES

I could go on and on about the benefits of this:

  1. this computer now shows in Azure-Active-Directory > DEVICES section.
  2. if you open EDGE and go to https://portal.office.com, you are automatically logged in and can download and install the software.
  3. if you open OUTLOOK, your account is automatically found and setup

In addition, I could go on and on about the number of misleading videos and long-winded documents I had to wade through to get this far. Here are some of them:

https://docs.microsoft.com/en-us/azure/active-directory/devices/overview

https://www.youtube.com/watch?v=AZrtCtj4rTs

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization

Last Updated on Thursday, 14 February 2019 20:14

Exchange 2013 Room Lists

Exchange 2013 Room Lists exist.

To get a list of all the room resources:

get-mailbox |? {$_.resourcetype -eq "room"}

Just as mailboxes can be part of a group/distribution-group, the room resources can be part of a group/distribution-group. These groups do not show in the ECP.

To get a list of all the roomlist groups:

get-DistributionGroup |? {$_.recipienttypedetails -eq "roomlist"}

To create a new roomlist group:

New-DistributionGroup conference-rooms-foo -RoomList

To add a member to the roomlist group:

Add-DistributionGroupMember conference-rooms-foo -Member foomember1

To get a list of all the members of a roomlist group:

get-DistributionGroupMember conference-rooms-foo

Last Updated on Wednesday, 13 February 2019 14:16

SPF Records

For some reason, we have never done an article on SPF records. Here are some notes concerning SPF.

Here are our current records:

v=spf1 a mx ip4:216.245.219.162 include:_spf.freshbooks.com -all

a is for the domain's A record: the sender matches if its address is one of the addresses the domain name resolves to (one DNS lookup).

mx is for the MX record: the sender matches if it is one of the hosts listed as a mail exchanger for the domain (one DNS lookup toward the limit, plus an address lookup per MX host).

ip4 is for a dedicated IP address or CIDR range written right into the record. It needs no DNS lookup at all.

include is for including an outside system's SPF record, here _spf.freshbooks.com, because Freshbooks sends our billing e-mail for us. It costs one lookup plus whatever the included record uses.

-all at the end tells receivers that anything not matched above should fail; ~all would only soft-fail it.

Since the A record, the MX host and the ip4 address all point at the same server, listing all three is redundant. We changed it to this:

v=spf1 mx a include:_spf.freshbooks.com -all

Note that a, mx and include each count toward the RFC 7208 limit of 10 DNS-querying terms per record (going over it yields a permerror instead of a pass), while ip4 costs nothing. If you ever need to trim lookups, the ip4 form is the cheapest of the three to keep.
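As an added example (not from the original post), here is a small SPF evaluator in PowerShell that shows what a receiver does with the record above and why ip4 is cheaper than a or mx: it walks the terms in order, counts the DNS-querying ones against the RFC 7208 limit of 10, and resolves names from a constructed DNS table. The Freshbooks record and the mail host in that table are made up for the demo; only the mechanisms used in the record above are implemented (no ip6, ptr, exists, exp or a/24 prefix forms).

```powershell
# Added example: minimal SPF check_host() over a fake DNS table, with the DNS-lookup counter.

function ConvertTo-IpInt([string]$Ip) {
    # IPv4 dotted quad -> 32-bit value held in an int64 so the bit operations stay positive
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-IpInCidr([string]$Ip, [string]$Cidr) {
    # "203.0.113.0/24" or a bare address (treated as /32)
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = '32' }
    $mask = if ([int]$bits -eq 0) { [int64]0 } else { ([int64]4294967295 -shl (32 - [int]$bits)) -band [int64]4294967295 }
    ((ConvertTo-IpInt $Ip) -band $mask) -eq ((ConvertTo-IpInt $net) -band $mask)
}

function Test-Spf {
    param([string]$Domain, [string]$SenderIp, [hashtable]$Dns, [ref]$Lookups)
    $record = @($Dns["TXT:$Domain"]) | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    if (-not $record) { return 'none' }
    foreach ($term in ($record -split '\s+' | Select-Object -Skip 1)) {
        $qualifier = '+'                                   # default qualifier is "+" (pass)
        if ($term -match '^[+\-~?]') { $qualifier = $term.Substring(0, 1); $term = $term.Substring(1) }
        $name, $arg = $term -split ':', 2
        $target  = if ($arg) { $arg } else { $Domain }
        $matched = $false
        switch ($name.ToLower()) {
            'all'     { $matched = $true }
            'ip4'     { $matched = Test-IpInCidr $SenderIp $arg }                  # no DNS lookup
            'a'       { $Lookups.Value++; $matched = @($Dns["A:$target"]) -contains $SenderIp }
            'mx'      { $Lookups.Value++
                        foreach ($mx in @($Dns["MX:$target"])) {
                            if (@($Dns["A:$mx"]) -contains $SenderIp) { $matched = $true }
                        } }
            'include' { $Lookups.Value++
                        $matched = (Test-Spf -Domain $arg -SenderIp $SenderIp -Dns $Dns -Lookups $Lookups) -eq 'pass' }
            default   { return 'permerror' }                                         # mechanism not implemented
        }
        if ($Lookups.Value -gt 10) { return 'permerror' }                            # RFC 7208 lookup limit
        if ($matched) {
            switch ($qualifier) { '+' { return 'pass' } '-' { return 'fail' } '~' { return 'softfail' } '?' { return 'neutral' } }
        }
    }
    return 'neutral'                                                                 # ran off the end of the record
}

# Constructed DNS answers for the demo; use Resolve-DnsName for real records
$dns = @{
    'TXT:daknetworks.com'     = @('v=spf1 mx a include:_spf.freshbooks.com -all')
    'MX:daknetworks.com'      = @('mail.daknetworks.com')                # made up
    'A:mail.daknetworks.com'  = @('216.245.219.162')
    'A:daknetworks.com'       = @('216.245.219.162')
    'TXT:_spf.freshbooks.com' = @('v=spf1 ip4:203.0.113.0/24 -all')     # made up, not the real Freshbooks record
}
foreach ($ip in '216.245.219.162', '203.0.113.7', '198.51.100.9') {
    $n = 0
    $result = Test-Spf -Domain 'daknetworks.com' -SenderIp $ip -Dns $dns -Lookups ([ref]$n)
    '{0,-16} {1,-9} after {2} DNS lookup(s)' -f $ip, $result, $n
}
```

With this table the company's own server matches on mx after a single lookup, so a and include are never evaluated; a sender inside the made-up Freshbooks range passes only through the include, three lookups in; a stranger fails on -all after the same three lookups. Had the record kept ip4:216.245.219.162 as its first term, the company server would have passed with zero lookups.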

Last Updated on Tuesday, 05 February 2019 15:22

FileMaker Server Install Certificate

Client has a FileMaker Server installed at a datacenter. They need the certificate installed and working.

Generate a CSR

  • -open FILEMAKER SERVER.
  • -click DATABASE-SERVER > SECURITY.
  • -click CREATE-REQUEST.
  • -create a password by typing it in.
  • -when you do, a CSR file (certificate request) and a PRIVATE-KEY will be generated.
  • -the files are automatically kept here: C:\Program Files\FileMaker\FileMaker Server\CStore
  • -the CSR is called ServerRequest.pem
  • -this is just a text file. Open the file with NOTEPAD or TEXTEDIT or EDITPAD or NOTEPAD++ (not WORD).

Create a Signed Certificate

  • -take the contents of the CSR and give them to your SSL provider (GoDaddy, RapidSSL, Comodo, etc).
  • -once submitted, that will generate a signed certificate.
  • -it will also give you an intermediary certificate or chain certificate.

Gathering All the Certificates

  • -create a folder on the desktop of the FileMaker Server.
  • -create a new text file in the folder.
  • -copy the contents of the signed certificate from your SSL provider (GoDaddy, RapidSSL, Comodo, etc) and paste them into the text file.
  • -rename the file your.filemaker.domain.tld.crt
  • -create another new text file in the folder.
  • -copy the contents of the SHA-1 Root certificate from your SSL provider (GoDaddy, RapidSSL, Comodo, etc) and paste them into the text file.
  • -copy the contents of the intermediary certificate from your SSL provider (GoDaddy, RapidSSL, Comodo, etc) and paste them into the text file directly under the root certificate.
  • -so the file should look like this:

=================

-----BEGIN CERTIFICATE-----
root-certificate-here-blah-blah-blah
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediary-certificate-here-blah-blah-blah
-----END CERTIFICATE-----

=================

  • -rename the file chain.crt
  • -copy the file C:\Program Files\FileMaker\FileMaker Server\CStore\serverKey.pem to this folder as well.
  • -so the folder has 3 files:
    • 1-your.filemaker.domain.tld.crt
    • 2-chain.crt
    • 3-serverKey.pem

Install the Certificate on FileMaker Server

  • -click DATABASE-SERVER > SECURITY.
  • -click IMPORT CERTIFICATE.
  • -for SIGNED-CERTIFICATE choose the file your.filemaker.domain.tld.crt
  • -for PRIVATE-KEY choose the file serverKey.pem
  • -for INTERMEDIATE-CERTIFICATE choose the file chain.crt
  • -for password, type in the password created during the CSR in the first step.
  • -click IMPORT.
  • -restart the service (or restart the server).

That should do it! You're awesome! You now have a green lock in the FileMaker Pro clients running around the country and everyone is happy.

Test the certificate from any machine with openssl (5003 is the FileMaker client port): echo GET | openssl s_client -connect your.filemaker.domain.tld:5003 -showcerts

Look for "Verify return code: 0 (ok)" near the bottom. Anything else means the client could not build a trusted path, usually because the chain the server sends is incomplete or in the wrong order.
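Most import failures come from files that do not belong together: a certificate signed from a different CSR than the key on disk, or a chain.crt with the blocks in the wrong order. As an added example, not from the original post, here is a PowerShell check to run before clicking IMPORT. It assumes openssl.exe is on the PATH (it is not shipped with Windows or FileMaker Server), that the key is RSA, and that the three files sit in a folder named fm-cert on the desktop; adjust $folder as needed.

```powershell
# Added example: verify the cert/key/chain trio before importing into FileMaker Server.
$folder = "$env:USERPROFILE\Desktop\fm-cert"          # assumed folder name
$cert   = Join-Path $folder 'your.filemaker.domain.tld.crt'
$key    = Join-Path $folder 'serverKey.pem'
$chain  = Join-Path $folder 'chain.crt'
$keyPassword = Read-Host 'Password typed at CREATE-REQUEST'

function Test-KeyMatchesCert {
    # The signed certificate and serverKey.pem belong together only if the RSA modulus is identical
    $certMod = & openssl x509 -noout -modulus -in $cert
    $keyMod  = & openssl rsa  -noout -modulus -in $key -passin "pass:$keyPassword"
    ($LASTEXITCODE -eq 0) -and ($certMod -eq $keyMod)
}

function Get-ChainBlocks {
    # Split chain.crt into its PEM blocks and report subject/issuer of each, in file order.
    # Expected: block 0 self-signed (the root), block 1 issued by block 0 (the intermediate).
    $pem    = Get-Content -Path $chain -Raw
    $blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----')
    for ($i = 0; $i -lt $blocks.Count; $i++) {
        $tmp = Join-Path $env:TEMP "chain-block-$i.pem"
        Set-Content -Path $tmp -Value $blocks[$i].Value
        $subject = (& openssl x509 -noout -subject -in $tmp) -replace '^subject=\s*', ''
        $issuer  = (& openssl x509 -noout -issuer  -in $tmp) -replace '^issuer=\s*', ''
        Remove-Item $tmp
        [pscustomobject]@{ Position = $i; Subject = $subject; Issuer = $issuer; SelfSigned = ($subject -eq $issuer) }
    }
}

if (-not (Test-KeyMatchesCert)) {
    throw 'serverKey.pem does not match the signed certificate (wrong CSR, wrong file, or wrong password)'
}
Get-ChainBlocks | Format-Table -AutoSize
# Finally confirm the signed certificate chains up through chain.crt; expect "<file>: OK"
& openssl verify -CAfile $chain $cert
```

If the modulus check fails, the provider signed a different request than the one whose key is in CStore; generate a new CSR and have it reissued rather than hunting for another key file.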

NOTES

What makes this difficult is the terminology and the different certificate types and extensions (crt, cer, pem, p7s, etc). Naturally, I think most people try to use CER files by mistake.

Also the intermediate certificate is a pain since sometimes it is needed but not provided. When it is provided, they expect you to know what to do with it.

Lastly, sometimes they provide 2 intermediate certificates along with their root certificates and they expect you to know which one to use. Hint: use the SHA-1 root with FM Server v16.

Here are the intermediate certificates for RAPIDSSL:

https://knowledge.digicert.com/generalinformation/INFO1548.html#links

  • -find ROOT
  • -click DOWNLOAD
  • -it will show the root-certificate.
  • -put this at the top of the chain.crt (which has nothing other than this pasted text).
  • -find INTERMEDIATE CA
  • -click DOWNLOAD
  • -it will show the intermediate-certificate.
  • -put this in the same file but under the root certificate.
  • -save the file as chain.crt
Last Updated on Friday, 11 October 2019 08:25

Windows Couldn't Connect To The User Profile Service Service (aka All Your User Profile Are Belong To Us)


SCENARIO

This happens after an upgrade to v1803 or to v1809 or to v1903.

RESOLUTION

Get the HOMEDRIVE:

get-aduser -filter * -searchbase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" -properties homedrive, homedirectory, scriptpath |ft name, homedrive, homedirectory

This will output:

name       homedrive homedirectory
----       --------- -------------
Foo User   Z         \\server\users$\foo.user

You will see above that HOMEDRIVE is a bare drive letter. In this case: "Z"

This needs to be set as: "Z:"

In other words, it is missing the colon ":".

To implement, first get the usernames in the OU needing serviced:

$usernames = (get-aduser -filter * -searchbase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" -properties samaccountname |foreach { $_.samaccountname })

Now set the correct HOMEDRIVE value:
foreach ($username in $usernames) {set-aduser $username -homedrive Z:}
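The loop above sets every account in the OU to Z:, including any that already had a different (and correct) letter. As an added example, not from the original post, here is a version that only repairs accounts whose HomeDrive is a bare letter, keeps each user's own letter, and supports -WhatIf so the change can be previewed first; the OU path is the same placeholder as above.

```powershell
# Added example: add the missing colon to HomeDrive, and nothing else.
# Requires the ActiveDirectory module.
function Repair-HomeDriveColon {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase   # e.g. "ou=<location>,ou=<users>,dc=<domain-name>,dc=com"
    )
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties HomeDrive, HomeDirectory
    foreach ($u in $users) {
        $drive = $u.HomeDrive
        if ([string]::IsNullOrEmpty($drive)) { continue }        # no home drive at all: not this problem
        if ($drive -match '^[A-Za-z]:$')     { continue }        # already "Z:" style, leave it
        if ($drive -match '^[A-Za-z]$') {
            $fixed = $drive.ToUpper() + ':'
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, "HomeDrive '$drive' -> '$fixed'")) {
                Set-ADUser -Identity $u -HomeDrive $fixed
            }
        } else {
            # anything else (a UNC path, junk) is worth a human look rather than a blind overwrite
            Write-Warning "$($u.SamAccountName): unexpected HomeDrive value '$drive' left unchanged"
        }
    }
}

# Preview, then apply
Repair-HomeDriveColon -SearchBase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" -WhatIf
Repair-HomeDriveColon -SearchBase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com"
```

Because the function is idempotent, it can be re-run after the next feature update without touching accounts that are already correct.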

MORE INFO

This happens because the HOMEDRIVE value is set incorrectly for the update script.

There is some sort of script that is trying to move the profile (Desktop, Documents, Favorites, Pictures, Photos, Videos) to OneDrive. The script errors when the HOMEDRIVE doesn't have the colon.

Last Updated on Friday, 07 June 2019 15:35

WSUS - Force System to Check for Windows Updates

Windows Server Update Services (WSUS) is groaned about by many administrators. What should be a drop-dead-easy process is overly complicated and difficult to manage.

Everything should "just work." But it doesn't.

On 80% of the systems, the ones left on all the time, the success rate is high. The updates download and install on schedule as per the Group Policy (GPO).

On 20% of the systems, the laptops not left on all the time or away from the office, the success rate is mixed. Sometimes the updates download, sometimes not. Sometimes the downloads install, sometimes not.

Invariably, throughout the course of a deployment, a handful of laptops and tablets start to lag behind. They refuse to download and install the updates for whatever reason.

This necessitates the ability to force the client system to download and update.

WUAUCLT

To force them to update and install used to be:

wuauclt /detectnow
wuauclt /updatenow

Or you could use the switches together:

wuauclt /detectnow /updatenow

USOCLIENT

Now with Windows 10, wuauclt no longer works. But the undocumented USOCLIENT can be used to do the same:

USOClient StartScan (Start checking for updates)
USOClient StartDownload (Start downloading updates)
USOClient StartInstall (Start installing downloaded updates)
USOclient Refreshsettings
USOclient StartInteractiveScan
USOClient RestartDevice (Restart Windows after updates are installed)
USOClient ScanInstallWait (Check for updates, download available updates and install them)
USOclient ResumeUpdate

I’ve used the following command to get remote systems to update with success:
USOclient StartScan
USOclient StartDownload
USOclient StartInstall

Few notes:

  1. there is no slash.
  2. there is no documentation on the command.
  3. there is no output or feedback from the command.
  4. this command replaces: wuauclt

PSWINDOWSUPDATE

Or you can use PowerShell. The PSWindowsUpdate module is not built in, so it has to be installed from the PowerShell Gallery.
(The Gallery now requires TLS 1.2. The first line makes this PowerShell session use TLS 1.2; it does not change any machine-wide setting. Set-ExecutionPolicy, on the other hand, is machine-wide by default, so add -Scope Process if you only need the module to load this once.)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module PSWindowsUpdate
Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned
Import-Module PSWindowsUpdate
Get-WindowsUpdate
Install-WindowsUpdate

NOTES:

I cannot figure out why the whole process isn't easier, why there is not another way or why this is undocumented.

Last Updated on Wednesday, 29 July 2020 09:44

All Enabled Accounts on Exchange Sorted by Last Name

Them: Can you give us a list of All Enabled Accounts on Exchange Sorted by Last Name?

Me: Sure.

The problem becomes this is trickier than it seems.

There are 3 commands that are helpful:

get-mailbox: a list of all the mailboxes, including SHARED, RESOURCE, EQUIPMENT, ROOM but not including contacts, mailuser, distributiongroup, etc. Disabled accounts are included. There is no disabled/enabled property.
Use the following to see what it shows and the number of items:

Get-Mailbox |Group-Object RecipientTypeDetails |Select name,count

get-recipient: a list of all recipients including mailboxes, contacts, mailuser, distributiongroup, etc. Basically, any type of existing Exchange recipient.
Use the following to see what it shows and the number of items:

Get-recipient |Group-Object RecipientTypeDetails |Select name,count

get-user: get the USER objects from Active Directory, including the users without mailboxes and disabled users.
Use the following to see what it shows and the number of items:

Get-user |Group-Object RecipientTypeDetails |Select name,count

Knowing the above, we can put together a command that lists the USER objects from AD that have a mailbox and are enabled, sorted by last name:

Get-User -RecipientTypeDetails UserMailbox -sortby lastname |where {$_.UserAccountControl -notlike "*AccountDisabled*"} |Select samaccountname

Last Updated on Tuesday, 21 May 2019 13:01

Find What Groups a User In AD is a Member Of

Here is how for one person:

get-aduser foo.user -properties MemberOf |Select -ExpandProperty memberof

or use the newer command:

Get-ADPrincipalGroupMembership foo.user | select name

or use the older command-line:

net user foo.user /domain
(group names longer than about 20 characters are cut off in this output, so don't rely on it for an exact list)

Here is how for a group in an OU:

get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties MemberOf |Select -ExpandProperty memberof

or you need just the Name and MemberOf:

get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties MemberOf |Select samaccountname,memberof

And if you need to put the whole thing together:

get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties Memberof |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}} |ft -wrap

Or if you need just the accounts that are in something more than the "Domain Users" group. Note that a user's primary group (Domain Users by default) is not listed in MemberOf, and MemberOf holds distinguished names rather than plain names, so comparing it against "Domain Users" never matches anything; what you actually want is the accounts whose MemberOf is not empty:

get-ADuser -Filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties Memberof |where {$_.MemberOf.Count -gt 0} |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}}

But maybe miss off the Guest account:

get-ADuser -Filter * -searchbase "ou=Disabled Users,dc=foodomain,dc=tld" -properties Memberof |where {($_.MemberOf.Count -gt 0) -and ($_.samaccountname -ne "Guest")} |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}}

And to take this one step further, if you need to remove the users from all of their groups (the primary group stays, since it is not in MemberOf), then:

Get-ADUser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -Properties MemberOf |where {($_.MemberOf.Count -gt 0) -and ($_.samaccountname -ne "Guest")} |ForEach-Object{$_.MemberOf |Remove-ADGroupMember -Members $_.DistinguishedName -Confirm:$false}

Run it once with -WhatIf on Remove-ADGroupMember before running it for real: there is no undo, and it strips every membership, admin groups included, for every account in that OU.
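Before running that one-liner for real it is worth keeping a record of what each account belonged to, so the change can be reversed. As an added example, not from the original post, here is a version that exports the memberships to CSV first, skips the built-in accounts, supports -WhatIf, and keeps going if one removal fails; the OU and CSV path are placeholders.

```powershell
# Added example: back up, then strip, all group memberships for the users in an OU.
# Requires the ActiveDirectory module.
function Remove-AllGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [string]   $BackupCsv = "$env:USERPROFILE\Desktop\group-membership-backup.csv",
        [string[]] $Exclude   = @('Guest', 'krbtgt', 'Administrator')   # never touch these
    )
    # Primary group (Domain Users) is not in MemberOf, so it is untouched by design
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties MemberOf |
             Where-Object { $_.MemberOf.Count -gt 0 -and $Exclude -notcontains $_.SamAccountName }
    if (-not $users) { 'Nothing to do: no accounts with group memberships in that OU'; return }

    # 1. Backup: one row per (user, group DN) so Restore-GroupMembership can put it back
    $rows = foreach ($u in $users) {
        foreach ($g in $u.MemberOf) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; GroupDN = $g }
        }
    }
    $rows | Export-Csv -Path $BackupCsv -NoTypeInformation
    "Backed up $(@($rows).Count) memberships for $(@($users).Count) users to $BackupCsv"

    # 2. Remove, one membership at a time, so a single failure does not abort the rest
    foreach ($u in $users) {
        foreach ($g in $u.MemberOf) {
            if ($PSCmdlet.ShouldProcess("$($u.SamAccountName) <- $g", 'Remove group membership')) {
                try   { Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false -ErrorAction Stop }
                catch { Write-Warning "Could not remove $($u.SamAccountName) from $g : $_" }
            }
        }
    }
}

function Restore-GroupMembership([string]$BackupCsv) {
    # Re-add everything recorded by Remove-AllGroupMembership
    Import-Csv -Path $BackupCsv | ForEach-Object {
        Add-ADGroupMember -Identity $_.GroupDN -Members $_.SamAccountName
    }
}

# Preview, then apply
Remove-AllGroupMembership -SearchBase "ou=Disabled Users,dc=foodomain,dc=tld" -WhatIf
Remove-AllGroupMembership -SearchBase "ou=Disabled Users,dc=foodomain,dc=tld"
```

Keep the CSV with the ticket for the offboarding; if an account has to be re-enabled, Restore-GroupMembership puts it back exactly as it was.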


Last Updated on Monday, 12 August 2019 15:47

Windows Could Not Complete The Installation

Here's how to fix.

  • -hold SHIFT and press F10.
    (a command prompt shows)
  • -type: cd oobe
    (the prompt opens in C:\Windows\System32; this moves into its oobe folder)
  • -hit ENTER key.
  • -type: msoobe
  • -hit ENTER key.
  • -wait for around 5 minutes.
  • -restart the computer and it should work.

If not then do the following:

  • -press the power button on the computer for around 5 seconds. The system will shut off.
  • -press the power button on the computer the system will turn on.
  • -this needs to happen 3 times, until a message that says "Preparing Automatic Repair" shows.
  • -click ADVANCED-OPTIONS.
  • -click TROUBLESHOOT.
  • -click RESET THIS PC.
  • -click KEEP MY FILES.
  • -it will ask for an ADMINISTRATOR username & password.
  • -click CONTINUE.
  • -wait for around 5 minutes.
    (RESET THIS PC screen will show)
  • -click CANCEL.
  • -click CONTINUE.

 If that doesn't work, you can download an iso/usb and repair the installation.

Last Updated on Wednesday, 28 November 2018 18:08

Blinking Back Screen After 1809 | Explorer Crashing After 1809 | Blinking Black Screen After Windows Update

Note that this is NOT a driver issue and this is NOT flickering.

This took awhile but in my case of a corporate environment, the AD Account being used had a HOMEFOLDER setup to a network share (homedrive & homedirectory). Changing this account to use the LOCALPATH instead of the NETWORKPATH seemed to have resolved this.

On the AD server:

  • -open powershell
  • -type: set-aduser foo.user -clear homedrive, homedirectory

On client system:

  • -login with AD account.

NOTES:

  • -to get the values, type: get-aduser foo.user -properties homedrive, homedirectory
  • -to clear the values, type: set-aduser foo.user -clear homedrive, homedirectory
  • -to set the values, type: set-aduser foo.user -homedrive Z: -homedirectory \\<server-name>\users$\foo.user
    (ie: set-aduser foo.user -homedrive Z: -homedirectory \\server\users$\foo.user ; the drive letter needs the colon, see the User Profile Service article above)
  • -to get the values being used on a system, start command-prompt and type: set (or in powershell type: Get-ChildItem env:) and look at HOMEDRIVE, HOMEPATH and HOMESHARE.
Last Updated on Monday, 26 November 2018 15:29

Exchange 2013 Inherited Permission for Every Mailbox

Recently I found out that my individual account was given FULLACCESS permission on every mailbox in Exchange. What was strange was that the permissions were INHERITED and had a DENY=TRUE on them.

How in the world did that happen? Also, how do I fix it?

I traced it back to permissions in AD on the Exchange Service:

dsacls "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-name,DC=tld"

Also it was here:

dsacls "CN=COMPANY-NAME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-name,DC=tld"

So it must have happened during an Exchange CU upgrade, more specifically during the Prepare Active Directory steps:
setup.exe /PrepareSchema
setup.exe /PrepareAD

To remove (note that /R strips every ACE for that account on the object, not just the Deny, and only touches entries set directly on it; if dsacls marks the entry as inherited, remove it on the object it inherits from):
dsacls "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-name,DC=tld" /R DOMAIN\Account
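Before running dsacls /R, it is worth seeing exactly what the account holds under the Exchange container and which entries are explicit versus inherited, since /R only removes the explicit ones. The following is an added example, not from the original post, using the ActiveDirectory module's AD: drive; the DN and account are the same placeholders as in the dsacls lines above.

```powershell
# Added example: list every ACE for one account on the Exchange configuration container
# and everything beneath it, with Allow/Deny and inheritance shown.
Import-Module ActiveDirectory
$configDn = "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-name,DC=tld"
$account  = 'DOMAIN\Account'

function Get-AccountAcesUnder([string]$BaseDn, [string]$Identity) {
    # Walk the subtree, read each object's DACL from the AD: provider, keep only this account's ACEs
    Get-ADObject -SearchBase $BaseDn -Filter * -SearchScope Subtree | ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -eq $Identity) {
                [pscustomobject]@{
                    Object        = $dn
                    Type          = $ace.AccessControlType     # Allow or Deny
                    Rights        = $ace.ActiveDirectoryRights
                    Inherited     = $ace.IsInherited           # $false = set directly on this object
                    Propagates    = $ace.InheritanceType       # None / All / Descendents ...
                    ExtendedRight = $ace.ObjectType            # GUID of the extended right (e.g. Receive-As), if any
                }
            }
        }
    }
}

$aces = Get-AccountAcesUnder -BaseDn $configDn -Identity $account
$aces | Sort-Object Inherited, Object | Format-Table -AutoSize -Wrap

# The explicit entries are the ones dsacls /R will remove; the inherited ones below them go with it
$explicit = @($aces | Where-Object { -not $_.Inherited })
"Explicit ACEs for $account under $configDn : $($explicit.Count)"
if ($explicit.Count -eq 0 -and $aces.Count -gt 0) {
    Write-Warning 'Every entry here is inherited; the ACE was granted higher up (CN=Services or CN=Configuration).'
}
```

Run it from a machine with the RSAT AD module against a writable DC; the Exchange subtree is large, so expect it to take a minute on a big org.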

 Or you can open ADSI > CONFIGURATION > SERVICES > MICROSOFT-EXCHANGE

  • -right-click > PROPERTIES
  • -click SECURITY tab (at the top).

If needed, you can look further down:

ADSI > CONFIGURATION > SERVICES > MICROSOFT-EXCHANGE > COMPANY-NAME > ADMINISTRATIVE-GROUPS > EXCHANGE-ADMINISTRATIVE-GROUP > SERVERS > SERVER-NAME

  • -right-click > PROPERTIES
  • -click SECURITY tab (at the top).
  • -click ADVANCED

Look for the account and it will show where the inheritance is coming from.

Last Updated on Tuesday, 29 January 2019 16:20

Asterisk Debugging

Turn on the debug log:

  • vi /etc/asterisk/logger.conf

Uncomment or add a line for debugging:

  • debug => notice,warning,error,verbose,debug
    or
    debug => debug

Start the Asterisk command line:

  • asterisk -rvvvvv
    (this is showing verbose at level 5)

Set the debug level to 5:

  • core set debug 5

Turn off debug for IAX2 (Inter-Asterisk eXchange) trunks:

  • iax2 set debug off

Reload the logger and rotate the log:

  • module reload logger
  • logger rotate

Perform the action, such as making a call. There is going to be a ton of logs in a few minutes, so use cautiously. When done with the action, turn the debug log off or set it to a low level:

  • asterisk -rvvvvv
  • core set debug 0
  • module reload logger

Look at the debug file:

  • cat /var/log/asterisk/debug

Don't forget to comment out the debug in the:

  • vi /etc/asterisk/logger.conf

If you need to look at all the phone sets that are connected:

Start asterisk:

  • asterisk -rvvvvv
  • sip show peers

Or if you need just one:

  • sip show peer 04167F120093

After you make changes to the sip.conf, you can reload the changes by:

  • asterisk -rvvvvv
  • sip reload

If you need to debug sip, here's how:

  • asterisk -rvvvvv
  • sip set debug on
  • sip set debug off

If you need to debug rtp, here's how:

  • asterisk -rvvvvv
  • rtp set debug on
  • rtp set debug off

NOTES:

https://wiki.asterisk.org/wiki/display/AST/Collecting+Debug+Information

Last Updated on Friday, 16 November 2018 05:34

Windows 10 WIFI Won't Turn On on Toshiba

Here's how to fix:

It should be the button above the keyboard.

Or it should be the FN + F8.

But if neither of those work then try the following:

C:\Program Files\TOSHIBA\TBS\TBSWireless.exe
