The new ADMX/ADML files are used by Group Policy to configure installations of Office 365 products, such as Office 365 ProPlus, and volume licensed versions of Office 2019 and Office 2016.
https://www.microsoft.com/en-us/download/details.aspx?id=49030
You have to copy the files to:
%SYSTEMROOT%\PolicyDefinitions
Or if you are using a CentralStore, just copy these files to:
\\DOMAIN-FQDN\SYSVOL\DOMAIN-FQDN\policies\PolicyDefinitions
Wednesday, November 7, 2018
Friday, October 12, 2018
Start Windows PowerShell using Keyboard shortcuts
Run as User: press WIN + x, then press i in the menu
Run as Admin: press WIN + x, then press a in the menu
Labels:
Powershell,
Windows 10
Friday, September 7, 2018
Start Azure VMs using PowerShell workflow
Today I provide you two scripts to start your Azure VMs in a specified Subscription. The first script will start some VMs and the second will start all VMs of your Subscription.
Labels:
Azure,
Powershell
Wednesday, August 29, 2018
Get number of most common Microsoft Exchange resources using PowerShell
Get number of most common Microsoft Exchange resources using PowerShell.
SCRIPT:
# get number of resources and save it into variables
$Mailboxes = (Get-Mailbox -ResultSize Unlimited).count
$UserMailboxes = (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox).count
$RoomMailboxes = (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails RoomMailbox).count
$SharedMailboxes = (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox).count
$Contacts = (Get-Contact -ResultSize Unlimited).count
Labels:
Exchange,
Powershell
Friday, August 10, 2018
Project Natick - Microsoft sinks a Data Center off the Scottish sea
Microsoft has placed a data center in the Scottish sea to determine the feasibility of subsea datacenters powered by offshore renewable energy.
Labels:
Microsoft
Monday, August 6, 2018
Learn PowerShell Core 6.0
Folks,
a new book about PowerShell Core 6.0 has been released. If you are interested in PS, you should check it out...
https://www.packtpub.com/networking-and-servers/learn-powershell-core-60#
What You Will Learn:
– Get to grips with Powershell Core 6.0
– Explore basic and advanced PowerShell scripting techniques
– Get to grips with Windows PowerShell Security
– Work with centralization and DevOps with PowerShell
– Implement PowerShell in your organization through real-life examples
– Learn to create GUIs and use DSC in production
BR
Tim
Labels:
Powershell
Friday, July 13, 2018
PowerShell: Get Files on your SYSVOL that are greater than 1 MB
Folks,
you can use the following script to get files on your SYSVOL that are greater than 1 MB and save the output to CSV and XLSX. ADM files will be excluded.
Download my script on SPICEWORKS
Have a nice day.
Cheers,
Tim
Labels:
Active Directory,
Powershell
Tuesday, July 10, 2018
lastLogon vs lastLogonTimestamp vs lastLogonDate - explained
Today I want to write about the "last logon" attributes... This can be a little confusing if you look it up on the internet, so with my post I will try to explain it in a simple way.
lastLogon
The lastLogon attribute is only updated on the Domain Controller where the logon actually happened, and it is not replicated. It is updated after each interactive logon.
An interactive logon to a computer can be performed either locally, when the user has direct physical access, or remotely, through Terminal Services, in which case the logon is further qualified as remote interactive.
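Because lastLogon is not replicated, an account's most recent value can only be found by asking every Domain Controller and keeping the newest answer. The following is an added example, not code from the original post; it assumes the ActiveDirectory module is installed, and the function name Get-TrueLastLogon is hypothetical.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT). Get-TrueLastLogon is a hypothetical helper name.
function Get-TrueLastLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $failed = @()
    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $query = @{
                Identity    = $SamAccountName
                Server      = $dc.HostName
                Properties  = 'lastLogon'
                ErrorAction = 'Stop'
            }
            $user = Get-ADUser @query

            # lastLogon is a FILETIME (100 ns ticks since 1601-01-01 UTC).
            # 0 or empty means the account never logged on through this DC.
            $stamp = if ($user.lastLogon -gt 0) {
                [DateTime]::FromFileTimeUtc($user.lastLogon)
            } else { $null }

            [pscustomobject]@{
                DomainController = $dc.HostName
                LastLogonUtc     = $stamp
            }
        }
        catch {
            # A DC that cannot be queried may hold the newest value,
            # so the overall result has to be flagged as incomplete.
            $failed += $dc.HostName
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }

    $newest = $perDc |
        Where-Object LastLogonUtc |
        Sort-Object LastLogonUtc -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        SamAccountName      = $SamAccountName
        LastLogonUtc        = $newest.LastLogonUtc
        ReportedBy          = $newest.DomainController
        Complete            = ($failed.Count -eq 0)
        FailedDCs           = $failed
        PerDomainController = $perDc
    }
}
```

Call it as `Get-TrueLastLogon -SamAccountName <account>`; when Complete is False, treat the reported time as a lower bound only.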
Thursday, June 28, 2018
Task Scheduler - Repeat a task on a custom interval that is not selectable
In Windows Server 2008 and above you can set a task to repeat at any interval you want. The corresponding drop-down menu only presents 5, 10, 15, 30 minutes and 1 hour, but you can type in any number of hours or minutes you want to use.
There are some limitations you should know.
You can enter 2 hours, but not 2.5 hours. If you want to run a task every 2.5 hours, you have to enter the amount of minutes. Therefore, this would be 2.5 x 60 = 150 minutes.
Wednesday, June 20, 2018
PowerShell Get and copy LAPS generated Admin password to clipboard V2
My new script just gets the Administrator password generated by LAPS and saves it to the clipboard.
You just have to enter the computer name.
The password will be shown in your PS Console and copied to your clipboard.
Labels:
Active Directory,
Computer Accounts,
Powershell
Monday, June 18, 2018
Get all Site-Linked GPOs using PowerShell
You can download my new script to get all Site-Linked GPOs on Technet.
https://gallery.technet.microsoft.com/Get-all-Linked-GPOs-using-4086b1f3?redir=0
It's based on Ashley McGlone's Get-GPO-Report. Link -> https://tinyurl.com/jpbzmuu
Labels:
Active Directory,
Powershell
Sunday, May 27, 2018
"CredSSP encryption oracle remediation” error when connect via RDP
Updates
Updates that switch a flag to protect against the CredSSP attack:
Operating system | Rollup | Update
Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1 | KB4103718 (Monthly Rollup) | KB4103712 (Security-only update)
Windows Server 2012 | KB4103730 (Monthly Rollup) | KB4103726 (Security-only update)
Windows 8.1 / Windows Server 2012 R2 | KB4103725 (Monthly Rollup) | KB4103715 (Security-only update)
Windows 10 Version 1607 / Windows Server 2016 | KB4103723 |
Windows 10 Version 1703 | KB4103731 |
Windows 10 1709 | KB4103727 |
Solution:
To resolve this issue, the May updates including this patch have to be installed on all servers and clients!
Workaround:
If you can't do this, you can apply the following workaround.
Note: After you change the following setting, an insecure connection is allowed that will expose the remote server to attacks.
Updated clients cannot communicate with non-updated servers
If you installed the May Updates on your DC you can apply a GPO to set these settings.
GPO Path
Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation
Setting
Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.
or apply the following Regkey
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002
Non-updated clients cannot communicate with patched servers
GPO Path
Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation
Setting
Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.
or apply the following Regkey
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002
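Since the workaround leaves a machine at the Vulnerable protection level, it helps to check afterwards which hosts still carry that value so it can be removed once everything is patched. The following is an added example, not code from the original post; the function name Get-CredSspOracleSetting is hypothetical and remote hosts are assumed to allow PowerShell remoting. The names for values 0 and 1 are the policy's other two protection levels.

```powershell
# Added example (not from the original post). Get-CredSspOracleSetting is a
# hypothetical helper; remote hosts must allow PowerShell remoting.
function Get-CredSspOracleSetting {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Protection levels of the "Encryption Oracle Remediation" policy
    $levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

    # Runs on the inspected machine: returns the DWORD, or nothing if unset
    $probe = {
        $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
        $item = Get-ItemProperty -Path $key -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
        if ($item) { [int]$item.AllowEncryptionOracle }
    }

    foreach ($computer in $ComputerName) {
        try {
            $raw = if ($computer -eq $env:COMPUTERNAME) { & $probe } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $probe -ErrorAction Stop
            }

            if ($null -eq $raw) {
                $value = $null
                $level = 'Not configured (OS default applies)'
            } else {
                $value = [int]$raw
                $level = if ($levels.ContainsKey($value)) { $levels[$value] } else { "Unknown ($value)" }
            }

            [pscustomobject]@{
                ComputerName          = $computer
                AllowEncryptionOracle = $value
                ProtectionLevel       = $level
                NeedsAttention        = ($value -eq 2)   # workaround still active
            }
        }
        catch {
            [pscustomobject]@{
                ComputerName          = $computer
                AllowEncryptionOracle = $null
                ProtectionLevel       = "Query failed: $($_.Exception.Message)"
                NeedsAttention        = $true            # unknown state, check manually
            }
        }
    }
}

# Local machine only; pass -ComputerName with your own host list to check more.
Get-CredSspOracleSetting | Format-Table -AutoSize
```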
Labels:
Remote Desktop Services
Monday, May 14, 2018
How to find largest files using Powershell
If your hard drive is running out of space, you need to know which files are causing this issue!
To establish this we will use Get-ChildItem.
Use the following command to get the top three files.
Get-ChildItem -r | sort -descending -property length | select -first 3 name, Length
The Length will be displayed in bytes. If you have large files, it's better to display it in megabytes, so let's convert the Length property into MB.
Get-ChildItem -r | sort -descending -property length | select -first 3 name, @{Name="Megabytes";Expression={[Math]::round($_.length / 1MB, 2)}}
Now we have the files, but where are they located? Just select DirectoryName as well to get it.
Get-ChildItem -r | sort -descending -property length | select -first 3 name, DirectoryName, @{Name="Megabytes";Expression={[Math]::round($_.length / 1MB, 2)}}
Labels:
Filesystem,
Powershell
Tuesday, May 8, 2018
Install Forest DC on Azure using Powershell
Folks,
I published a script on TechNet to install a DC on Azure using PowerShell.
Check it out:
https://gallery.technet.microsoft.com/Install-Forest-DC-on-Azure-33f2c9e8
Cheers,
Tim
Thursday, May 3, 2018
Get and set DFS-R primary member
You can use the following commands to get and set the DFSR primary member.
Get which DFSR member is primary member
Dfsradmin Membership List /RGname:<replication group name> /attr:MemName,RFName,IsPrimary
Set the primary member for a replication group
dfsradmin Membership Set /RGName:<replication group name> /RFName:<replication folder name> /MemName:<primary member> /IsPrimary:True
Run "dfsrdiag pollad" to update Active Directory configuration.
Labels:
Active Directory,
DFS-R
Wednesday, April 18, 2018
How to find all AD Users with a specific profilepath or homeDirectory
If you try to search for a specific homeDirectory or profilepath that is assigned to users, you have to filter on this path.
Therefore, let's assume you have a DFS share named \\domain.com\DFSShare\User and in this share you have all homeDirectories. To find all users using this path you could expect that you can use a query like this:
Get-ADUser -Filter "homedirectory -like '\\domain.com\DFSShare\User*'" -Properties homedirectory | select samaccountname, homedirectory
If you run this line, the output will be empty, even if some users are using this share as homeDirectory.
Why? A network path has backslashes, and a backslash "\" is a special character. Therefore, if you filter on those paths, you have to replace every \ with \5c.
For more information check out the following MS article:
If we do that our PowerShell query looks like this:
Get-ADUser -Filter "homedirectory -like '\5c\5cdomain.com\5cDFSShare\5cUser*'" -Properties homedirectory | select samaccountname, homedirectory
Now we see all users that have a homeDirectory located in \\domain.com\DFSShare\User
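The \5c replacement is one case of the general LDAP filter escaping rule (RFC 4515), which also covers *, ( and ) when they occur literally in a path. The following is an added example, not code from the original post; it goes beyond the backslash case, uses -LDAPFilter instead of -Filter, and the function names and the second sample path are constructed for illustration.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function ConvertTo-LdapFilterLiteral {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$Value
    )
    # RFC 4515: backslash, asterisk, parentheses and NUL are written as a
    # backslash followed by the two-digit hex code of the character,
    # e.g. "\" becomes "\5c" as described in the post.
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m)
        '\{0:x2}' -f [int][char]$m.Value
    })
}

function Get-ADUserByPathPrefix {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$PathPrefix,

        [ValidateSet('homeDirectory', 'profilePath')]
        [string]$Attribute = 'homeDirectory'
    )
    # Everything the caller passes is treated as literal text; the only
    # wildcard in the final filter is the trailing * appended here.
    $filter = '({0}={1}*)' -f $Attribute, (ConvertTo-LdapFilterLiteral -Value $PathPrefix)
    Write-Verbose "LDAP filter: $filter"

    Get-ADUser -LDAPFilter $filter -Properties $Attribute |
        Select-Object SamAccountName, $Attribute
}

# Escaping alone needs no AD connection. The first path is the one from the
# post, the second is a constructed sample containing parentheses.
$samples = '\\domain.com\DFSShare\User', '\\domain.com\DFSShare\User (old)'
foreach ($path in $samples) {
    [pscustomobject]@{
        Path    = $path
        Escaped = ConvertTo-LdapFilterLiteral -Value $path
    }
}

# The directory query itself requires the ActiveDirectory module.
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    Get-ADUserByPathPrefix -PathPrefix '\\domain.com\DFSShare\User' -Verbose
}
```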
Labels:
Active Directory,
Powershell,
User Accounts
Thursday, April 5, 2018
Syncing NPS Settings between two servers
If you want redundancy, you need a second server running NPS with all the settings required to handle requests from your RADIUS clients. Network devices typically allow you to specify multiple RADIUS servers in their configuration using a shell or web interface. If you have two servers, you have to define a "Master Radius Server", so that you make all configuration changes on this server and then import them on the second server. You can sync your NPS configuration manually via the GUI or with a PowerShell script that runs as a scheduled task. Find attached a picture that shows this process.
The following script can be used to sync your NPS configuration between two servers. The path C:\admin\NPS\Backup\ must be available on both servers. Just create it or add its creation to the script.
# Get date
$date = get-date -Format yyyy_MM_dd
# Export NPS config
Export-NpsConfiguration -Path C:\admin\NPS\Backup\NPSConfig_$date.xml
Export-NpsConfiguration -Path C:\admin\NPS\Backup\NPSConfig.xml
# Destination Server
$NPSDestServer = "SecondRadius"
# Copy config to destination server
Copy-Item -path C:\admin\NPS\Backup\NPSConfig.xml -destination \\$NPSDestServer\C$\admin\NPS\NPSConfig.xml
# Export current config
Invoke-Command -ComputerName $NPSDestServer -ScriptBlock {Export-NPSConfiguration -Path C:\admin\NPS\BackupNPSConfig.xml}
# Import new config
Invoke-Command -ComputerName $NPSDestServer -ScriptBlock {Import-NPSConfiguration -Path C:\admin\NPS\NPSConfig.xml}
Just copy this script to your Master Radius, change $NPSDestServer = "SecondRadius" to match your second NPS server name and create a scheduled task that executes this script.
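The XML written by Export-NpsConfiguration contains the RADIUS shared secrets unencrypted, so the backup folder, the transfer copy and old exports deserve some protection. The following is an added example, not part of the original script; the function names and the 14-day retention are assumptions, the paths and server name are the ones used above.

```powershell
# Added example (not part of the original script). Function names and the
# 14-day retention are assumptions; paths are the ones used in the post.

function Protect-NpsExportFolder {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path -Force | Out-Null
    }
    # Drop inherited ACEs and allow only BUILTIN\Administrators (S-1-5-32-544)
    # and SYSTEM (S-1-5-18): the export holds the shared secrets in clear text.
    & icacls.exe $Path /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path (exit code $LASTEXITCODE)" }
}

function Remove-OldNpsExport {
    param([Parameter(Mandatory)][string]$Path, [int]$KeepDays = 14)
    $cutoff = (Get-Date).AddDays(-$KeepDays)
    Get-ChildItem -LiteralPath $Path -Filter 'NPSConfig_*.xml' -File |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        Remove-Item -Force
}

function Test-NpsCopyIntegrity {
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Destination)
    $a = (Get-FileHash -LiteralPath $Source      -Algorithm SHA256).Hash
    $b = (Get-FileHash -LiteralPath $Destination -Algorithm SHA256).Hash
    $a -eq $b
}

# Runs only where the NPS cmdlets exist, i.e. on the Master Radius server.
if (Get-Command Export-NpsConfiguration -ErrorAction SilentlyContinue) {
    $backupDir     = 'C:\admin\NPS\Backup'
    $NPSDestServer = 'SecondRadius'
    $date          = Get-Date -Format yyyy_MM_dd
    $local         = Join-Path $backupDir 'NPSConfig.xml'
    $remote        = "\\$NPSDestServer\C`$\admin\NPS\NPSConfig.xml"

    Protect-NpsExportFolder -Path $backupDir
    Export-NpsConfiguration -Path (Join-Path $backupDir "NPSConfig_$date.xml")
    Export-NpsConfiguration -Path $local

    Copy-Item -Path $local -Destination $remote
    if (-not (Test-NpsCopyIntegrity -Source $local -Destination $remote)) {
        throw "Copied configuration on $NPSDestServer does not match the export; import skipped."
    }

    Invoke-Command -ComputerName $NPSDestServer -ScriptBlock {
        # Keep the destination's previous configuration, import the new one,
        # then remove the transfer copy so the secrets do not stay behind.
        Export-NpsConfiguration -Path C:\admin\NPS\BackupNPSConfig.xml
        Import-NpsConfiguration -Path C:\admin\NPS\NPSConfig.xml
        Remove-Item -LiteralPath C:\admin\NPS\NPSConfig.xml -Force
    }

    Remove-OldNpsExport -Path $backupDir
}
```

The folder on the second server that receives the backup of its previous configuration needs the same ACL treatment.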
Monday, March 26, 2018
Chapter 1 of the PowerShell Cookbook
Want a free, 90-page intro to PowerShell?
Here you go - Chapter 1 of the PowerShell Cookbook:
http://cdn.oreilly.com/oreilly/booksamplers/9781449320683_sampler.pdf
Labels:
eBooks,
Powershell
Monday, March 19, 2018
Can Certificate Transparency affect your Active Directory CA?
Certificate Transparency
So first of all, what is Certificate Transparency (CT)? With CT, all HTTPS certificates are logged to public log servers, and clients refuse to honour certificates that are not present in at least a subset of trusted logs. These logs provide a record of certificates that are issued and would help identify certificates that aren't issued. Google is pushing this topic, and we all know how it influences the IT business. It will enforce CT in Google Chrome at the end of April 2018 for certificates issued after April 1, 2018.
I just want to make it clear that it only affects HTTPS certificates. Certificates for other purposes like S/MIME, Smartcard Logon, Code Signing and so on are not affected. If you think about it, you don't even see those certificates in Chrome. So let's get back to the topic. The two common scenarios are an internal (private) CA and a CA whose certificates chain to a public root.
Internal CA
If you have an internal/private CA within your environment that does not chain up to a public root, CT will not affect your CA. Google Chrome uses the Windows native CAPI to determine trusted chains and knows what is internal.
CA with certificates that chain to a public root
If a CA chains up to a public root and you issue HTTPS certificates, CT may affect your CA. In this case you should contact your service provider.
Labels:
Active Directory,
Certification Authority,
Google
Friday, March 16, 2018
Find and delete unlinked (orphaned) GPOs with PowerShell
Just check out my new post "Find and delete unlinked (orphaned) GPOs with PowerShell" on 4sysops.com!
https://4sysops.com/archives/find-and-delete-unlinked-orphaned-gpos-with-powershell/
Labels:
4sysops.com,
Group Policy
How a new client find its Domain Controller
In my new post, I want to show you how a new Windows client locates its Domain Controller. Find attached a picture I drew some time ago, yea just with Paint ^^. I think it's a nice overview of this process.
So you see that in the first step something is happening in a zone called _msdcs. Maybe some of you are asking yourselves, what is this _msdcs subdomain? I will try to explain it a little bit more… An Active Directory forest has a subdomain beneath it called _msdcs. This subdomain is unique and used for the registration of specific Microsoft DNS service records. Why? Microsoft is not the only company that developed directory services using LDAP. Therefore, with _msdcs Microsoft can specifically bind a client to its LDAP servers / Domain Controllers.
Labels:
Active Directory
Tuesday, March 13, 2018
Active Directory PowerShell cmdlet query is timing out
If you expect your PowerShell query to return an exceptionally large result set that might take longer than 2 minutes to retrieve, you can increase the OperationTimeout on your target DC by performing the following steps:
Login to the target DC
Browse to "%Windir%\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config" and edit it
Increase the "OperationTimeout" parameter value based on your needs. The default value is 2 minutes.
After that restart ADWS using the following PowerShell commands
Stop-Service ADWS
Start-Service ADWS
Labels:
Active Directory,
Powershell
Monday, March 12, 2018
Windows 10’s File Explorer is getting tabs support
Now in the latest Windows 10 Build 17618 (RS5) Microsoft added tabs support into File Explorer. It was a highly-requested feature from community.
Apart from File Explorer, other built-in traditional programs like Command Prompt, PowerShell and Notepad are also supported. MS also enabled this feature for Mail, Calendar, OneNote, and MSN News App. So a user can switch between these Apps just like switching between tabs in Internet browsers.
Labels:
Windows 10
Friday, March 2, 2018
List all or specified SPNs that are assigned to an AD object
Find a specified SPN using PowerShell with ADSI:
$SPNName = Read-Host "Enter SPN"
# Search the current domain for objects whose servicePrincipalName contains the entered text
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.filter = "(servicePrincipalName=*$SPNName*)"
$results = $search.Findall()
foreach($result in $results)
{
    $UserEntry = $result.GetDirectoryEntry()
    Write-host "Object Name = " $UserEntry.name -backgroundcolor "green" -foregroundcolor "black"
    Write-host "DN = " $UserEntry.distinguishedName
    Write-host "Object Cat. = " $UserEntry.objectCategory
    Write-host "servicePrincipalNames"
    # Counter for the SPNs of this object
    $i = 1
    foreach($SPN in $UserEntry.servicePrincipalName)
    {
        Write-host "SPN(" $i ") = " $SPN
        $i += 1
    }
    Write-host ""
}
Find all SPNs using PowerShell with ADSI:
$SPNName = "*"
# Search the current domain for every object that has a servicePrincipalName
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.filter = "(servicePrincipalName=$SPNName)"
$results = $search.Findall()
foreach($result in $results)
{
    $UserEntry = $result.GetDirectoryEntry()
    Write-host "Object Name = " $UserEntry.name -backgroundcolor "green" -foregroundcolor "black"
    Write-host "DN = " $UserEntry.distinguishedName
    Write-host "Object Cat. = " $UserEntry.objectCategory
    Write-host "servicePrincipalNames"
    # Counter for the SPNs of this object
    $i = 1
    foreach($SPN in $UserEntry.servicePrincipalName)
    {
        Write-host "SPN(" $i ") = " $SPN
        $i += 1
    }
    Write-host ""
}
Using a LDAP Query, just replace spnname:
(&(objectCategory=person)(ServicePrincipalName=*spnname*))
To search all you can use this query:
(&(objectCategory=person)(ServicePrincipalName=*))
Labels:
Active Directory,
LDAP,
Powershell
Wednesday, February 28, 2018
Get DHCP Server in your Domain
In this post I will show you how to get all DHCP servers that are used in your domain.
Show all DHCP Server using netsh
netsh dhcp show server
Show specific DHCP Server using netsh and findstr
netsh dhcp show server | findstr "dhcp01"
Show two DHCP Server using netsh
netsh dhcp show server | findstr "dhcp01 dhcp02"
Results could be exported with >%path%
netsh dhcp show server >C:\admin\dhcp.txt
You can use Powershell using get-adobject and export it with export-csv
$RootDSE = [System.DirectoryServices.DirectoryEntry]([ADSI]"LDAP://RootDSE")
$CfgNC = $RootDSE.Get("configurationNamingContext")
Get-ADObject -SearchBase "$CfgNC" -Filter "objectclass -eq 'dhcpclass' -AND Name -ne 'dhcproot'" | select name | Sort-Object -Property Name | Export-csv "C:\admin\Forest DHCP Servers.csv" -NoType
Or just using Get-DhcpServerInDC
Get-DhcpServerInDC
If you want to filter using Get-DhcpServerInDC you can do it like this
Get-DhcpServerInDC | where dnsname -like *dhcp02*
Labels:
DHCP,
Powershell
Thursday, February 22, 2018
PowerShell Versions over the years and the future of PowerShell
If you want to know your PowerShell version, just type in $PSVersionTable. You can run this command on every system with PowerShell installed. So if you have PowerShell Core installed on your macOS or Linux system, you can use $PSVersionTable.
PS C:\> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.98
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.98
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Powershell Versions over the years.
PowerShell 1.0 started in November 2006 and was integrated in Windows Server 2008.
PowerShell 2.0 released October 2009 integrated in Windows 7 and Server 2008 R2.
PowerShell 3.0 released September 2012 integrated in Windows 8 and Server 2012.
PowerShell 4.0 released October 2013 integrated in Windows 8.1 and Server 2012 R2.
PowerShell 5.0 released February 2016 integrated in Windows 10.
PowerShell 5.1 released January 2017 integrated in Windows 10 Anniversary Update and Server 2016.
PowerShell Core 6.0 released January 2018 supported for Windows 7, 8.1, and 10, Windows Server 2008 R2, 2012 R2, 2016, Windows Server Semi-Annual Channel, Ubuntu 14.04, 16.04 and 17.04, Debian 8.7+ and 9, CentOS 7, Red Hat Enterprise Linux 7, OpenSUSE 42.2, Fedora 25, 26 and macOS 10.12+. The community also contributed packages that are not officially supported for Arch Linux, Kali Linux and AppImage. It was released as experimental for Windows on ARM32/64 and Raspbian (Stretch). Download PS Core: https://github.com/PowerShell/PowerShell
Previous versions are also available to download.
V3 for Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2
https://www.microsoft.com/en-us/download/details.aspx?id=34595
V4 for Windows 7, Windows Embedded Standard 7, Windows Server 2008 R2, Windows Server 2012
https://www.microsoft.com/en-us/download/details.aspx?id=40855
V5 for Windows 7 Service Pack 1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2
https://www.microsoft.com/en-us/download/details.aspx?id=50395
V5.1 for Windows 7 Service Pack 1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
https://www.microsoft.com/en-us/download/details.aspx?id=54616
What is the difference between PowerShell and PowerShell Core?
The main difference is that PowerShell Core is cross-platform and runs on Windows, Linux, and macOS, while the old one runs on Windows only. For now, PowerShell Core isn't as powerful as the old PowerShell, because the new PowerShell uses the less feature-rich .NET Core and .NET Standard. The old one uses .NET Framework and .NET Standard. .NET Core is pretty new, and Microsoft needs some time to get it as powerful as .NET Framework.
The future is PowerShell Core?
Yea, as Microsoft announced, PowerShell Core will be provided with new feature updates, while the old PowerShell will just get bug fixes and security updates. So the future belongs to PowerShell Core!
https://blogs.msdn.microsoft.com/powershell/2017/07/14/powershell-6-0-roadmap-coreclr-backwards-compatibility-and-more/
Labels:
Powershell
Thursday, February 15, 2018
Characters to escape in Active Directory in distinguishedName and canonicalName
In this post I want to show you which characters have to be escaped in AD in the distinguishedName and canonicalName attributes.
distinguishedName
Some characters in Active Directory have to be escaped with the backslash "\" character if they appear in components of a distinguished name.
Characters that aren't allowed in distinguished names unless escaped:
# + < > ; , \ " = and SPACE
The space character must be escaped only if it is the leading or trailing character in any component of a distinguished name. The commas that separate components in a distinguished name are not escaped. The following table shows example relative distinguished names as they would appear
ADUC Name | Distinguished Name
Petun, Arnold J. | cn=Petun\, Arnold J.,ou=Sales,dc=Domain,dc=com
Dev\Services | ou=Dev\\Services,dc=Domain,dc=com
IT"Ext + Lab | cn=IT\"Ext \+ Lab,ou=IT,dc=Domain,dc=com
Tim Black | cn=\ Tim Black \ ,ou=HR,dc=Domain,dc=com
In other AD attributes, like Name, Description, givenName, or even cn, those characters wouldn't be escaped!
Some characters that are allowed in distinguished names:
| @ $ % ^ ? : { } ! ' * ( ) . ` ~ & - _ [ ]
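The distinguishedName escaping rules above, applied in code when a DN is built from a name that comes from user input or an import file. This is an added example, not code from the original post; ConvertTo-EscapedRdnValue and Join-DistinguishedName are hypothetical helper names, and the parent DN is assumed to be trusted and already escaped.

```powershell
# Added example: escape one name component before placing it in a distinguishedName.
# ConvertTo-EscapedRdnValue and Join-DistinguishedName are hypothetical helpers.
function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    $special = '#+<>;,\"='   # characters the post lists as needing a backslash
    $sb = [System.Text.StringBuilder]::new()
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c = $Value[$i]
        # A space is escaped only as the first or last character of the component
        $edgeSpace = ($c -eq [char]' ') -and ($i -eq 0 -or $i -eq ($Value.Length - 1))
        if ($special.IndexOf($c) -ge 0 -or $edgeSpace) { [void]$sb.Append('\') }
        [void]$sb.Append($c)
    }
    $sb.ToString()
}

function Join-DistinguishedName {
    param(
        [Parameter(Mandatory)][string]$Name,        # untrusted name, escaped here
        [Parameter(Mandatory)][string]$ParentDN,    # assumed trusted and already escaped
        [ValidateSet('cn', 'ou')][string]$Type = 'cn'
    )
    # Only the commas that separate components stay unescaped
    '{0}={1},{2}' -f $Type, (ConvertTo-EscapedRdnValue $Name), $ParentDN
}

# Names taken from the table in the post, plus one constructed value
# with a leading and a trailing space.
$samples = @(
    @{ Name = 'Petun, Arnold J.'; Parent = 'ou=Sales,dc=Domain,dc=com'; Type = 'cn' }
    @{ Name = 'Dev\Services';     Parent = 'dc=Domain,dc=com';          Type = 'ou' }
    @{ Name = 'IT"Ext + Lab';     Parent = 'ou=IT,dc=Domain,dc=com';    Type = 'cn' }
    @{ Name = ' Tim Black ';      Parent = 'ou=HR,dc=Domain,dc=com';    Type = 'cn' }
)

foreach ($s in $samples) {
    Join-DistinguishedName -Name $s.Name -ParentDN $s.Parent -Type $s.Type
}
```

Escaping the name before concatenation keeps a comma or equals sign inside it from being parsed as an extra DN component, so the resulting DN always points into the intended container.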
canonicalName
The escaping in the canonicalName attribute is different. The canonicalName is a constructed attribute, so you can't modify this attribute. In this attribute slash and backslash characters are escaped using the backslash escape character.
/ \
Labels:
Active Directory
Get available RIDs using dcdiag or Powershell
Using DCDIAG:
dcdiag /s:dc01.domain.com /test:ridmanager /v | find /i "Available RID"
Using PowerShell to convert the parts of riDAvailablePool into issued and remaining RIDs:
# requires the ActiveDirectory module
$DomainDN = (Get-ADDomain).DistinguishedName
# read rIDAvailablePool from the RID Manager object on the RID master (the backtick keeps the "$" literal)
$property = Get-ADObject "cn=rid manager`$,cn=system,$DomainDN" -Property ridavailablepool -Server (Get-ADDomain).RidMaster
$rid = $property.ridavailablepool
# high 32 bits: total number of RIDs the domain can issue
[int32]$totalSIDS = $($rid) / ([math]::Pow(2,32))
[int64]$temp64val = $totalSIDS * ([math]::Pow(2,32))
# low 32 bits: number of RIDs already issued
[int32]$currentRIDPoolCount = $($rid) - $temp64val
$ridsremaining = $totalSIDS - $currentRIDPoolCount
Write-Host "RIDs issued: $currentRIDPoolCount"
Write-Host "RIDs remaining: $ridsremaining"
Labels:
Active Directory,
Powershell
DNS console missing for RSAT on Windows 10 1709
Microsoft posted a workaround on the following support page:
https://support.microsoft.com/en-us/help/4055558/rsat-missing-dns-server-tool-in-windows-10-version-1709
Tuesday, January 30, 2018
Viewing CRL in Windows Certification Authority console
The CA Console will not display CRL by default, as shown in the attached screenshot.
You have to run the following command to view it:
certsrv.msc /e
You can also run the following command to view it.
certutil -view -out "CRLThisPublish,CRLNumber,CRLCount" CRL
Labels:
Certification Authority
Tuesday, January 23, 2018
Get new group membership to apply a GPO to a computer without a restart
If you add a computer to an AD group that is assigned to a GPO, you need to restart the computer to get the new group membership.
If you want to bypass this, you can delete the computer's Kerberos tickets.
Run the following command as an admin to do this (0x3e7 is the logon session of the Local System account):
klist -li 0x3e7 purge
Et voilà, your computer gets its new membership!
After that you can run gpupdate to apply the assigned policies.
Labels:
Active Directory,
Group Policy
Wednesday, January 17, 2018
Import User Photo to Active Directory
If you want to have an image in Outlook, Skype for Business or SharePoint you can use the attribute thumbnailPhoto in Active Directory.
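Doing it with PowerShell:
Import-Module activedirectory
# read the image as raw bytes (Windows PowerShell syntax; PowerShell Core 6 uses -AsByteStream instead of -Encoding byte)
$UserPhoto = [byte[]](Get-Content C:\admin\User1.jpg -Encoding byte)
# write the bytes into the thumbnailPhoto attribute of User1
Set-ADUser User1 -Replace @{thumbnailPhoto=$UserPhoto}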
You can use a software called ADPhotoEdit:
http://www.cjwdev.co.uk/Software/ADPhotoEdit/Download.html
Note:
- Image file size should not be higher than 10kb, because with every file your AD database will grow!
- The maximum image size is 100kb
- Pixel size 96x96 pixels is recommended
Labels:
Active Directory,
Powershell,
SfB,
SharePoint