Details

Created: 27 April 2021

BACKGROUND

Server is in another domain from the workstation.

Credentials are given.

Upon logging in, the password must be changed.

or

Upon logging in, the password is expired.

The password cannot be changed via RDP.

RDP

You can try to save the RDP file and edit with a text editor.

Change or add to: enablecredsspsupport:i:0

In our experience, this didn't work since NLA is turned on in the server and the system being used is not part of the domain.

RDP/IIS

https://server.domain.tld/RDWeb/Pages/en-US/password.aspx

There is a page in the RDWeb server that can be turned on. Check to see if this page exists on the server.

Details

Created: 22 April 2021

Outlook Automatically Deletes Email | Outlook Junk E-mail Filter

Background Story

Them: I'm not getting email from Foo User.

Me: According to server logs the message is being received. Are you sure you don't see the message in the Inbox.

Them: Yes, I am sure. The message is not there.

Me: OK, I'll look into it.

Trace/Tail the Message Through the Server

First, trace the message to see where it is going:

Get-MessageTrackingLog -Start "04/20/2021" -Sender This email address is being protected from spambots. You need JavaScript enabled to view it. -Recipients This email address is being protected from spambots. You need JavaScript enabled to view it. -Resultsize Unlimited -MessageSubject:"foo-subject"

And see if there are any FAIL's:
Get-MessageTrackingLog -EventId FAIL  -Start "04/01/2021" -Recipients This email address is being protected from spambots. You need JavaScript enabled to view it.

This will verify that the message is indeed being received.

Trace/Tail the Message in Outlook

Next, let's take a look at where the messages are in Outlook. This will generate a report and put it in your Mailbox. The report will collect the message info and let us know where the messages are in Outlook:

Get-Mailbox foo.user | Search-Mailbox -SearchQuery {Received:"03/01/2021..04/20/2021" AND Subject:"foo-subject"} -TargetMailbox "my.account" -TargetFolder "SearchAndDeleteLog" -LogOnly -LogLevel Full

The result is that the messages are being received and are in OUTLOOK but they are in the DELETIONS folder and they have not been read:

The DELETIONS folder is a special folder that is different than the DELETED-ITEMS folder. The DELETIONS folder is for email that has been deleted from the DELETED-ITEMS.

How is that happening?

To start with the DELETION folder, let's see how many items are in the DELETIONS folder:
Get-MailboxFolderStatistics foo.user |Select Name, ItemsInFolder |findstr /i deletions

IGNORE

The IGNORE button will automatically send messages-in-the-conversation to the DELETIONS folder.

This can be recovered by:

• -click DELETED-ITEMS (on the left-hand side)
• -click RECOVER-DELETED-ITEMS-FROM-SERVER (at the top)
• -select the messages in the list.
• -click OK to restore.
• -if the IGNORE button is shaded, then IGNORE is turned on. Click it to toggle it OFF.

As an administrator, the only way to see if IGNORE is on is through MFCMAPI (just search for it, comes right up):

• -load the mailbox.
• -QUICK-START > OPEN-FOLDER > IPM_SUBTREE
• -new window opens.
• -click IPM_SUBTREE
• -right-click CONVERSATION-ACTION-SETTINGS
• -click Open-Associated-Contents-Table

This will show if there are any IGNORE conversations with the SUBJECT and DATE so that you can target the message in the RECOVER-DELETED-ITEMS-FROM-SERVER.

Updated Story

Them: The messages are not IGNORED.

Me: hmmm.... Messages are automatically deleted and are not ignored.

Looking into it on the Exchange Server 2013

Just to double-check, let's make sure IMAP and POP are stopped. The reason we want to do this is so that there are no IMAP client problems happeing.
get-service -Name MSExchangeIMAP*
get-service -Name MSExchangePOP*

Even if the services are stopped, we want to check the settings for the services to ensure the LoginType is SecureLogin:
get-ImapSettings |fl
get-POPSettings |fl

get-IMAPSettings |select *log*
get-POPSettings |select *log*

And make sure that the logs are turned on incase something gets turned on by someone else on the team:
Set-ImapSettings -ProtocolLogEnabled $true
Set-PopSettings -ProtocolLogEnabled $true

Also, let's turn off mailbox access to IMAP, POP and OWA:
get-casmailbox | ?{$_.OWAEnabled -eq $true} |set-casmailbox -OWAEnabled $false
get-casmailbox | ?{$_.POPEnabled -eq $true} |set-casmailbox -POPEnabled $false
get-casmailbox | ?{$_.IMAPEnabled -eq $true} |set-casmailbox -IMAPEnabled $false

Check the mailbox Spam Confidence Level (SCL) to see if anything is enabled:
Get-ContentFilterConfig |fl Enabled
Enabled : False

Get-OrganizationConfig |fl *scl*
SCLJunkThreshold : 8

Get-Mailbox foo.user |fl AntispamBypassEnabled
AntispamBypassEnabled : False

Get-Mailbox foo.user |fl SCL*
SCLDeleteThreshold     :
SCLDeleteEnabled       :
SCLRejectThreshold     :
SCLRejectEnabled       :
SCLQuarantineThreshold :
SCLQuarantineEnabled   :
SCLJunkThreshold       :
SCLJunkEnabled         :

Junk E-Mail Configuration Exchange

Junk E-mail options are included in Exchange/Outlook. This happens on both the server-side in EXCHANGE but also can happen in the local OUTLOOK client directly as OUTLOOK uses its own SMARTSCREEN filter technology; a client-side filter.

(Note that this is why the settings in EXCHANGE don't always reflect the settings in OUTLOOK.)

This happens because OUTLOOK can be used with accounts other than EXCHANGE accounts. Again, the local OUTLOOK client has its own Junk Mail filter that is independent from the server-side EXCHANGE Junk Mail filter.

To add more, on 11/01/2016, Microsoft stopped generating updates for the OUTLOOK client SMARTSCREEN client-side filter.

As a result, for Email Protection to work properly/efficiently, Junk Email filtering should be:
-enabled in OWA/EMS.
-disabled in Outlook client.

The server-side EXCHANGE filter happens through a hidden INBOX-RULE on the mailbox. Let's see the server-side filter:
Get-InboxRule -Mailbox foo.user
Get-InboxRule -Mailbox foo.user -IncludeHidden

Let's check the configuration for the Junk E-mail on the server-side EXCHANGE. This can be done in the OWA (web email access) or through EMS (Exchange Management Shell); both have the same effect (but does not change the client-filter in OUTLOOK):
Get-MailboxJunkEmailConfiguration foo.user

Let's set the mailbox Junk E-mail Settings:
set-MailboxJunkEmailConfiguration foo.user-enabled $true
(or $false if needing to turn off)

(Note OWA changes can be done via the URL: https://mail.domain.tld/owa/This email address is being protected from spambots. You need JavaScript enabled to view it./#path=/mail)

While the client-side filter OPTIONS-tab (off | low | medium | high) cannot be changed by settings on the mailbox, the SAFE-SENDERS, SAFE-RECIPIENTS, BLOCKED-SENDERS tabs can be changed on the server which will update the settings in OUTLOOK:
(Get-MailboxJunkEmailConfiguration foo.user).BlockedSendersAndDomains

To set and make changes on the client-side filter and set just one domain:
set-MailboxJunkEmailConfiguration foo.user -trustedsendersanddomains foobar.tld

Or add the domain without changing what is already set in place:
set-MailboxJunkEmailConfiguration foo.user -trustedsendersanddomains @{Add="foobar.tld"}

Headers

With the server-side EXCHANGE settings set, let's look at the message headers to see if there are any server-side junk-email tags in the headers:
Get-Mailbox foo.user | Search-Mailbox -SearchQuery {Received:"03/01/2021..04/20/2021" AND Subject:"foo-subject"} -TargetMailbox "my.account" -TargetFolder "SearchAndDeleteLog"

RESULT: no EXCHANGE tags are found the message headers.

Junk E-Mail Configuration Outlook

Again, to reiterate, the state of the junk email rule on the mailbox doesn't affect the client-side junk email settings that are available in the Outlook Junk Email Filter. Even when the junk email rule is disabled in the server-side mailbox, Outlook can still move messages to the Junk Email folder or automatically delete messages.

When the local client-side Outlook Junk Email Filter is set to Low or High, the Outlook Junk Email Filter uses its own SmartScreen filter technology to identify and move spam to the Junk Email folder. This spam classification is separate from the SCL Junk Email threshold that's configured on the Exchange organization or on the mailbox. In fact, Outlook ignores the SCL value that's set on a message by Exchange (for all SCL values other than -1), and uses its own criteria to determine whether the message is spam.

So how to change the local Outlook Junk Email Filter that uses its own SmartScreen filter technology?

While Microsoft recommends that to enable, disable, and configure the client-side Junk Email Filter settings that are available in Outlook to use Group Policy, there are regedits that can be made to control a policy. When the regedits are made, the setting is greyed-out and cannot be changed by the local account.

On the client system with OUTLOOK, check to see if any policies exist:
reg query HKCU\Software\Policies\Microsoft\office\16.0\outlook
reg query HKCU\Software\Policies\Microsoft\office\16.0\outlook\Options\Mail

Disable the local OUTLOOK client JUNK E-MAIL SMARTSCREEN filter but Options can still be changed (no visual queue shows the filter is disabled):
echo y |reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Outlook" /v DisableAntiSpam /t REG_DWORD /d 1

Change the JUNK E-MAIL OPTIONS to LOW:
echo y |reg add "HKCU\Software\Policies\Microsoft\office\16.0\outlook\Options\Mail" /v JunkMailProtection /t REG_DWORD /d 0xfffffff

Change the JUNK E-MAIL OPTIONS to OFF:
echo y |reg add "HKCU\Software\Policies\Microsoft\office\16.0\outlook\Options\Mail" /v JunkMailProtection /t REG_DWORD /d 4294967295

Updated Story

Them: I am finally getting the report now. Thank you for helping me!

NOTES:

https://docs.microsoft.com/en-us/powershell/module/exchange/set-mailboxjunkemailconfiguration?view=exchange-ps
https://techcommunity.microsoft.com/t5/exchange-team-blog/deprecating-support-for-smartscreen-in-outlook-and-exchange/ba-p/605332

Details

Created: 01 April 2021

Offline Address Book (OAB) is found with the following:
Get-OfflineAddressBook |fl

To get the needed info:
Get-OfflineAddressBook |select name,GUID,GeneratingMailbox,VirtualDirectories |fl
Get-OabVirtualDirectory |fl

OAB logs are here (default location):
C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog

OAB changes are kept here (default location):
OC:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\{guid-from-get-offlineaddressbook}

The files inside have a randomly generated GUID2. The manifest is the xml file.

Force an update of OAB:
Get-OfflineAddressBook |update-OfflineAddressBook

The OAB locally is found here:
%LOCALAPPDATA%\Microsoft\Outlook\

The GUID2 matches the GUID2 found on the server.

Please see the following for a deep-dive fix:
http://www.daknetworks.com/blog/584-oab-0x8004010f-hafnium-fix-outlook-address-book-deep-dive-fix

NOTES:
https://techcommunity.microsoft.com/t5/exchange-team-blog/the-case-of-constant-oab-generation-and-full-oab-downloads/ba-p/1031610
https://msexchangeguru.com/2013/12/04/e2013-oab/
https://www.youtube.com/watch?v=AvywR9CWYHs#t=2246

Details

Created: 15 March 2021

Find Dell Dock Via Powershell

wget https://downloads.dell.com/FOLDER07071810M/1/DSIAPC_2.4.0.0.msi -outfile DSIAPC_2.4.0.0.msi
msiexec.exe /i "DSIAPC_2.4.0.0.msi" ALLUSERS=1 /qn /norestart /log output.log
start-sleep 120
gwmi -n root\dell\sysinv dell_softwareidentity | select versionstring, elementname |sort elementname |more

Details

Created: 10 March 2021

HAFNIUM exploit for Exchange servers has caught everyone by storm.

In short, see if there are any IOC by running a script Test-ProxyLogon.ps1:
https://github.com/microsoft/CSS-Exchange/tree/main/Security

Next, run the Microsoft Support Emergency Response Tool (MSERT) to eliminate any glaring errors:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

The notes on the MSERT are here:
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

Some are reporting about Scheduled Tasks doing damage. Here is how to view the Scheduled Tasks:

Get-ScheduledTask |select taskname,actions -ExpandProperty actions |select taskname,execute,arguments |ft -wrap

Some reports of newly created accounts/group so let's check those as well:

$days = (Get-Date).AddDays(-30)
Get-ADUser -Filter * -Property whenCreated | where {$_.whenCreated -gt $days} | ft Name, whenCreated
Get-ADUser -Filter * -Property whenChanged | where {$_.whenChanged -gt $days} | ft Name, whenChanged
Get-ADGroup -Filter * -Property whenCreated | where {$_.whenCreated -gt $days} | ft Name, whenCreated
Get-ADGroup -Filter * -Property whenChanged | where {$_.whenChanged -gt $days} | ft Name, whenChanged

Details

Created: 09 March 2021

Here are my notes on changing to Jive/GoTo:

PBX Server URL:
https://my.jive.com/pbx

SETUP ACCOUNTS IN JIVE:
-click USERS (on left-hand side)
-type in account with phone-set-mac-address.

PROVISIONING-SERVER:
http://$companydomain.onjive.com/p
(or possibly $companydomain.onjive.com/p/$MA)
In DHCP Scope-Options, set the 160-Polycom-Boot-Server-Name to: http://$companydomain.onjive.com/p

TYPE: http (would like for it to be https)
USER: none
PASS: none

JIVE-PASS:
The JIVE Cloud Phone Server (aka JIVE PBX) automatically changes the password to each device. This is found here:
https://my.jive.com/pbx/$companydomain/security

JIVE-NETWORKS:
Phones will need access to the JIVE servers through the firewall:
https://static.jive.com/meta/networks.txt
+199.87.120.0/22
+162.250.60.0/22
+199.36.248.0/22
208.34.80.0/21
208.34.96.0/20
45.12.196.0/24

JIVE-PORTS:
Phone will need access to the following ports:
TCP
5060-5062
80
443

UPD
5060-5062
10000-65500
4000-4999
123

JIVE-SUPPORT-SITE:
https://support.goto.com/connect

JIVE-REBOOT:
Reboot the phone sets and they will automatically change to JIVE. Rebooting can be done through switch POE or if needed, the following package can be used to reboot phone sets.

PolycomVVXControl.exe -a 10.123.123.123 -w password-here reboot
PolycomVVXControl.exe -a 10.123.123.123 -w password-here factoryreset

JIVE-REBOOT-PROBLEMS:
In a few cases, systems were rebooted and changed to the new JIVE PBX server before the account was added in the JIVE PBX PANEL. Since there is no account, the phone changes to the JIVE server but no extension or account is added to the phone.

Trying to factory reset through the phone-web page or PolycomVVXControl doesn't work because JIVE has already changed the password.

But since the new account isn't provisioned, the new password isn't provisioned as well.

What to do? Well, JIVE temporarily sets a provisioning password. Here it is:

POLYCOM PHONES JIVE PROVISION
PASS: 8647

Details

Created: 08 March 2021

-go to ATT.com.
-Account > Sign in.
-Manage Profile.
-Sign-in info.
-select Manage secure mail keys (at the bottom)
-Add secure mail key.
-type in a nickname for the secure mail key (example: Outlook).
-click Create-Secure-Mail-Key.
-the new secure mail key is shown and should be used for email access in Outlook/Thunderbird/Mail app.

Details

Created: 08 March 2021

Details

Created: 16 February 2021

Here is how to find all accounts with an E5 license:

get-msoluser -maxresults 1000 |?{($_.islicensed -eq $true) -and ($_.licenses.accountskuid -like "*e5*")}

Here is how to bulk remove everyone with an E5 license (Careful! Be sure you want to do this):

get-msoluser -maxresults 1000 |?{($_.islicensed -eq $true) -and ($_.licenses.accountskuid -like "*e5*")} | set-msoluserlicense -RemoveLicenses "domain-here:SPE_E5"

Details

Created: 08 February 2021

See an appxpackage:

Get-AppxPackage -allusers *Microsoft.Whiteboard*

Here it is in powershell:

Get-AppxPackage -allusers *Microsoft.Whiteboard* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Details

Created: 01 February 2021

Let's say that you have a new system in a remote location. The local staff opens the box, powers the system on and logs into the system with their 365 credentials. During that process, that system has become Azure AD Joined.

Systems cannot be both Azure AD joined and Local AD joined.

So, if you have a local AD and try to join the system to the local AD, an error message will show that joining the local AD cannot be done until it is no longer Azure AD Joined.

You can do this one by one but your not just tech support... you are a system administrator!

We need to do this in some type of shell command (command shell or power shell).

See if the system is joined to Azure AD or Local AD:

dsregcmd.exe /status

If it is Azure AD joined, leave the Azure AD:

dsregcmd /debug /leave
shutdown -r -t 3

After reboot, you can join the system to the Local AD:

For a single system:

add-computer -domainname domain.tld -Credential domain.tld\firstname.lastname -restart –force

Or to automate a group of systems:

$domain = "domain.tld"
$username = "domain.tld\foo.user.with.joining.privledges" (could be an admin account or an account setup to do just this task.)
$password = "password-here" |ConvertTo-SecureString -asPlainText -Force
Start-Sleep -s 10
$credential = New-Object System>management.Automation.PSCredential($username,$password)
Start-Sleep -s 20
add-computer -DomainName $domain -credential $credential
Start-Sleep -s 10
restart-computer

Details

Created: 21 January 2021

First get the current ALLOWED/BLOCKED state of the devices for an account"
Get-CASMailbox -Identity foo.user | Select-Object "*ActiveSync*"

Next get the device id for an account:
Get-MobileDevice -Mailbox foo.user| fl identity,deviceid

Allow the devices for the account:
Set-CASMailbox -Identity foo.user -ActiveSyncAllowedDeviceIDs @{add='D17VGSSFTP7VB799BVU1HTNH68'}
Set-CASMailbox -Identity foo.user -ActiveSyncAllowedDeviceIDs @{add='7044450f9e54415d907e56e5c09d517f'}

Details

Created: 25 November 2020

DISM.exe /Online /add-capability /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 /CapabilityName:Rsat.BitLocker.Recovery.Tools~~~~0.0.1.0 /CapabilityName:Rsat.CertificateServices.Tools~~~~0.0.1.0 /CapabilityName:Rsat.DHCP.Tools~~~~0.0.1.0 /CapabilityName:Rsat.Dns.Tools~~~~0.0.1.0 /CapabilityName:Rsat.FailoverCluster.Management.Tools~~~~0.0.1.0 /CapabilityName:Rsat.FileServices.Tools~~~~0.0.1.0 /CapabilityName:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0 /CapabilityName:Rsat.IPAM.Client.Tools~~~~0.0.1.0 /CapabilityName:Rsat.LLDP.Tools~~~~0.0.1.0 /CapabilityName:Rsat.NetworkController.Tools~~~~0.0.1.0 /CapabilityName:Rsat.NetworkLoadBalancing.Tools~~~~0.0.1.0 /CapabilityName:Rsat.RemoteAccess.Management.Tools~~~~0.0.1.0 /CapabilityName:Rsat.RemoteDesktop.Services.Tools~~~~0.0.1.0 /CapabilityName:Rsat.ServerManager.Tools~~~~0.0.1.0 /CapabilityName:Rsat.Shielded.VM.Tools~~~~0.0.1.0 /CapabilityName:Rsat.StorageReplica.Tools~~~~0.0.1.0 /CapabilityName:Rsat.VolumeActivation.Tools~~~~0.0.1.0 /CapabilityName:Rsat.WSUS.Tools~~~~0.0.1.0 /CapabilityName:Rsat.StorageMigrationService.Management.Tools~~~~0.0.1.0 /CapabilityName:Rsat.SystemInsights.Management.Tools~~~~0.0.1.0

DISM.exe /Online /add-capability /CapabilityName:Rsat.BitLocker.Recovery.Tools~~~~0.0.1.0

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools

:: Get Bitlocker status:
manage-bde -status

:: Get Bitlocker status powershell:
Get-BitLockerVolume -MountPoint "C:"

:: Suspend Bitlocker for a drive:
manage-bde -protectors -disable C:

:: Suspend Bitlocker for a drive powershell:
Suspend-BitLocker -MountPoint "C:" -RebootCount 0

:: Resume Bitlocker for a drive:
manage-bde –resume C:

:: Resume Bitlocker for a drive powershell:
Resume-BitLocker -MountPoint "C:"

:: Enable Bitlocker for a drive:
manage-bde -protectors -enable C:

:: Enable Bitlocker for a drive powershell:
Enable-BitLocker C:

:: Encrypt the used space only, skip the hardware test and store the recovery password in the Active Directory:
Enable-Bitlocker -MountPoint c: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector

::Powershell command on device to get the status of the local volume (ie C drive):
get-bitlockervolume
get-bitlockervolume |fl

:: Powershell command on device to get the RecoveryPassword
(Get-BitLockerVolume).KeyProtector

NOTES:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer
https://4sysops.com/archives/enable-bitlocker-with-powershell/
https://4sysops.com/archives/configure-and-enabling-bitlocker-on-windows-server/
https://4sysops.com/archives/store-and-retrieve-bitlocker-recovery-keys-from-active-directory/
https://www.rebeladmin.com/2019/09/step-step-guide-enable-bitlocker-cloud-managed-windows-10-devices-using-microsoft-intune/

Details

Created: 25 November 2020

Perception is reality. Nothing defines our modern brave new world better than that statement.

If you are an agent or hold a position and nobody knows about it; you're a secret agent. The reason nobody knows about it is because they don't see you in their daily incessant stream of information.

Breaking through clutter is one topic. Another is having the information there when they are searching for you.

Truth be told; most don't even do that. The general public searches and they find no information. None. That is a death blow.

To be found, the following must be established:

1. contact email address
2. contact phone number
3. about me / about us / what we do
4. headshot / lead shot
5. main photo

This is the most basic information. This needs to be determined. If not, then they will find information, it just won't be what you want it to be.

Moving on will be determined upon the industry you are in. For example, if you are in real estate sales, the following may apply:

1. realtor.com
2. trulia.com
3. zillow.com
4. broker web site / company web site
5. personal web site
6. facebook.com/yourbusinesspage
7. twitter
8. instagram
9. linkedin
10. maps
11. yelp
12. mls / board membership
13. youtube
14. far
15. nar
16. dbpr / state licensing

Spend some time making sure that all your contact info at the industry specific places are the same.

Details

Created: 27 October 2020

I did the following:

1. -created a request (CSR) at the TomCat install.
2. -bought a certificate at GoDaddy (I know, I know... client request).
3. -submitted the CSR.
4. -received the certificate back.

At this point, all I had to do was install the intermediate and then install the certificate reply to the CSR. TomCat says no.... chain not valid.

I tried many intermediate and root certficates in the GD repository but the final certificate would not install.
https://certs.godaddy.com/repository

Nothing worked for me at this point.

Here is how to fix:

1. -uninstall any certificate intermediate or root that I installed.
2. -open the certificate from GD in Windows.
3. -click the tab for the Certificate Path (at the top).
4. -click the intermediate certificate (the one in the middle).
5. -click VIEW-CERTIFICATE > DETAILS > COPY-TO-FILE
6. -click BASE-64-ENCODED-X-509

Now combine them:

1. -open the certificate from GD in a text editor.
2. -open the certificate from Intermediate in a text editor.
3. -copy and past the intermediate certificate directly below the GD certificate, like so:
   -----BEGIN CERTIFICATE-----
MIICajCCAdOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVSzEa ....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICkjCCAfugAwIBAgIJAKm5bDEMxZd7MA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNV ....
-----END CERTIFICATE-----
4. -save the certificate.
5. -install the certificate in TomCat.

Details

Created: 27 October 2020

TomCat runs on Java. To find the Tomcat version, you have to find were Java is installed. This can be anywhere.

For me, the location is:

C:\Program Files\HelpSystems\GoAnywhere\jre\bin

So open cmd and change to the location:

cd "C:\Program Files\HelpSystems\GoAnywhere\jre\bin"

Find the Java version:

java -version

I get:

openjdk version "1.8.0_192"
OpenJDK Runtime Environment (Zulu 8.33.0.1-win64) (build 1.8.0_192-b01)
OpenJDK 64-Bit Server VM (Zulu 8.33.0.1-win64) (build 25.192-b01, mixed mode)

To find the TomCat version:

java -cp "C:\Program Files\HelpSystems\GoAnywhere\tomcat\lib\catalina.jar" org.apache.catalina.util.ServerInfo

I get:

Server version: Apache Tomcat/7.0.105
Server built:   Jul 2 2020 12:25:26 UTC
Server number:  7.0.105.0
OS Name:        Windows Server 2016
OS Version:     10.0
Architecture:   amd64
JVM Version:    1.8.0_192-b01
JVM Vendor:     Azul Systems, Inc.

Details

Created: 06 October 2020

MFA seems to be in a few places. Here it is:

1
AAD > USERS
MULTI-FACTOR-AUTHENTICATION (at the top)
checkmark usernames
ENABLE (on the right)

2
AAD > SECURITY > IDENTITY-PROTECTION
MFA-REGISTRATION-POLICY
Sometimes the one in IDENTITY-PROTECTION does not work if you do not have a P2 license.

3
AAD > SECURITY > AUTHENITCATION-METHODS

4
AAD > SECURITY > MULTIFACTOR-AUTHENITCATION

5
AAD > USERS > USER-SETTINGS > MANAGE-USER-FEATURE-SETTINGS

6
AAD > USERS > PROPERTIES > MANAGE-SECURITY-DEFAULTS

If you need to check the MFA settings for an account through powershell:

Get-MsolUser -UserPrincipalName This email address is being protected from spambots. You need JavaScript enabled to view it. |select strongauthentication*

If you need to clear the MFA settings for an account through powershell:
Set-MsolUser -UserPrincipalName This email address is being protected from spambots. You need JavaScript enabled to view it. -StrongAuthenticationMethods @()

NOTES:
https://endpoint.microsoft.com
https://security.microsoft.com
https://entra.microsoft.com
https://aka.ms/mfasetup

Details

Created: 22 September 2020

Let's say that you have a loop because someone setup an INBOX RULE to forward to an outside domain that is having problems.

How do you clear the queue of 1M messages that show as a result?

To clear the incoming messages that have arrived in the inbox:

Get-Mailbox account.name | Search-Mailbox -SearchQuery {from:This email address is being protected from spambots. You need JavaScript enabled to view it.} -DeleteContent

To clear the messages in the queue for the recipient:

Get-ExchangeServer |?{$_.IsHubTransportServer -eq $true} |Get-Queue |get-message -ResultSize unlimited |?{$_.recipient -eq This email address is being protected from spambots. You need JavaScript enabled to view it.'} |Remove-Message -WithNDR $False -Confirm $False

To clear the messages in the queue for the postmaster <>:

Get-ExchangeServer |?{$_.IsHubTransportServer -eq $true} |Get-Queue |get-message -ResultSize unlimited |?{$_.sender -eq '<>'} |Remove-Message -WithNDR $False -Confirm $False

Details

Created: 15 September 2020

Hyper V General access denied error

IDE/ATAPI Account does not have sufficient privilege to open attachment 'E:\VMs\VMName\Disk0.vhd. Error: 'General access denied error'

What this is trying to tell you is that HYPER-V has a user account for each VM. This user account is a random string of letters & numbers. This user account is hidden. This user account has access to the the VHD's.

If you were to do something like move the VHD's off the drive, expand the drive and move them back on the new drive, the user account would no longer have access.

No problem. Just add the permissions back in.

Looke at the details of the error message and it will let you know the user account name. Something like:

AE78918D-FE0E-4E6D-AFF5-25B32D4FE243

In command prompt (as admin), type something like:

C:\>icacls "F:\VHD\VHD-NAME-HERE.avhdx" /grant "NT VIRTUAL MACHINE\AE78918D-FE0E-4E6D-AFF5-25B32D4FE243":(F)

It will repsond with something like:

processed file: F:\VHD\VHD-NAME-HERE_756DFD7E-5E29-4ABA-B12F-40BAD636E2A2.avhdx
Successfully processed 1 files; Failed processing 0 files

Now start the VM and it should start without hassle.

NOTES:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/virtualization/hyper-v-virtual-machine-not-start-0x80070005

Details

Created: 12 September 2020

This is solved by creating a port-bond/lag/etherchannel on the Cisco Switch.

Here is my config:

interface Port-channel1
description LAG to Server Host 1
switchport
switchport trunk allowed vlan 1-3
switchport mode trunk
switchport nonegotiate

!

interface GigabitEthernet1/1
description LAG Server Host 1 Member 1
switchport
switchport trunk allowed vlan 1-2
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on

!

interface GigabitEthernet1/2
description LAG Server Host 1 Member 2
switchport
switchport trunk allowed vlan 1-3
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on

Details

Created: 12 September 2020

Recovering Foreign/Unconfigured (bad) drives

The controller says a foreign configuration was detected during boot. All of the drive bays have red lights on them. I try to import the configuration, but it fails.

Details

Created: 11 September 2020

Dealing with a data array of 24 physical disks. The controller is a MegaRaid/LSI/Avago/Broadcom 3108 firmware v24.9.0-0022. The physical disks are 500GB drives giving about 9TB.

Wanting to upgrade the storage space, I replaced the drives with 2 TB physical disks. This was done on-the-fly, 1-at-a-time so that the office was not disrupted. Fail disk, remove disk, insert new disk, let it re-raid. The process took about an hour a disk and I was able to complete over a few days.

With the new space available, I was able to grow the virtual-disk on the fly. Took about 8 hours to initialize.

With the disk space available, I wanted to expand the volume in Windows Disk Manager but got an error message:

"The volume cannot be extended because the number of clusters will exceed the maximum number of clusters supported by the file system."

Well, how many clusters do I have:

-type: fsutil fsinfo ntfsinfo f:

This shows that the cluster size is 4kb; this is the default-size.

As such, the official docs say that the max size is 16TB:

The only way around this is to reformat the drive with a larger cluster size.

NOTES:
https://docs.microsoft.com/en-us/windows-server/storage/file-server/ntfs-overview

Details

Created: 04 September 2020

Outlook 365 Will Not Connect to Gmail

1- turn on 2-STEP-VERIFICATION here:
https://myaccount.google.com/security

2- create an APP-PASSWORD
(select MAIL > WINDOWS)
(it will give a random password such as: sdfs sdfd dfas hfgr)

3- disable SIMPLE ACCOUNT CREATION in OUTLOOK:
(download disable SIMPLE ACCOUNT CREATION)
(double-click to import)

4- restart OUTLOOK

5- add the gmail account
(use the APP-PASSWORD with no-spaces)
(do NOT use the password to access the account)

Details

Created: 12 August 2020

Dell Latitude 7490 BSOD | WHEA UNCORRECTABLE ERROR

• -go to the Device Manager.
• -click DISPLAY ADAPTER
• -uninstall the display adapter and delete the driver.
• -reboot.
• -repeat until the base driver shows: Microsoft Display Adapter
• -download the video driver from: https://support.dell.com
• -run file and EXTRACT (not install).
• -right-click Microsoft Display Adapter.
• -update driver.
• -manually select the extracted-folder\Graphics
• -let it install.
• -reboot.

NOTES:
-https://www.dell.com/support/article/en-us/sln313066/latitude-5x80-5x90-7x80-7x90-and-precision-3520-windows-hardware-error-architecture-whea-blue-screen-or-system-hang?lang=en

Details

Created: 06 August 2020

WSUS Server Keeps Stopping

Internet Information Services (IIS) Manager → Server → Application Pools → Select “WSUSPool” → Actions Advanced → Recycling → change “Private Memory Limit (KB)“.

-set to 0 (no limit).
-started WSUSPool.
-started Windows WSUS service.
-started cleanup.

The default setting for WSUS are woefully inadequate. See either the of the following for either a WSUS Setup speedrun or a WSUS Complete Setup in-depth:
http://www.daknetworks.com/blog/408-wsus-setup
http://www.daknetworks.com/blog/658-wsus-complete-setup

Details

Created: 06 August 2020

Surface Pro Keyboard Does Not Work | Surface Pro Type Pad Does Not Work | Surface Book Keyboard Does Not Work

-open CMD (as admin)
-type:systeminfo (to verify Surface model:Surface Pro 4).
-download/install newest drivers/firmware for Surface model.
-reboot.
-device-manager.
-show hidden devices (click VIEW at the top).
-human-interface-devices.
-surface type pad integrator > delete > checkmark to remove drivers.
-keyboard.
-uninstall all keyboards.
-shutdown.
-hold volume-up and power button for full 30 seconds.
-power on.
-type pad should work.

Details

Created: 29 July 2020

Have a Watchguard AP 325. The Cisco switches are 2960. They are POE.

The Watchguard AP 325 powers and get IP address. The Watchguard Firebox cannot see the AP. What gives?

Well the port that it is on is not set a trunk port. A trunk port is a network port that allows data to flow across a network for multiple VLANs. Perhaps a trunk port is thought of as a “bundle.”

Since the AP is going to have multiple devices connected for traffic, it needs to be set as a trunk port.

Here's how:

enable
show interface status | include trunk
config t
int Gi3/0/34
Description Whatever AP Name Here
switchport mode trunk
switchport access vlan 1
switchport trunk native vlan 300
no switchport voice vlan
switchport trunk allowed vlan 300-306
end

show int Gi3/0/34 switchport
show int Gi3/0/34 trunk

write mem
copy run start

That should do it for this one.

Details

Created: 20 July 2020

-updated RST driver.
-wget https://downloadmirror.intel.com/29647/eng/SetupRST.exe -outfile setuprst-v17.9.1.1009.exe
-setuprst-v17.9.1.1009.exe -accepteula -s
-reboot

-bsod being caused by aksfridge.sys
-this is the SENTINEL bug.
-download the command line:
https://supportportal.gemalto.com/csm?sys_kb_id=979a4e21db92e78cfe0aff3dbf9619c6&id=kb_article_view&sysparm_rank=7&sysparm_tsqueryId=4ad5b82e1bfc5410f12064606e4bcb15&sysparm_article=KB0018319

a. Go to this site: https://sentinelcustomer.safenet-inc.com/sentineldownloads/
b. Click: Sentinel LDK RunTime & Drivers
c. Download: "Sentinel HASP/LDK - Command Line Run-time Installer".
d. Unzip the files.
e. In an elevated command prompt (run cmd.exe as an administrator) navigate to the location where you unzipped haspdinst.exe.
f. Type the command “haspdinst.exe -remove” without quotes and press Enter.
g. When it finishes successfully, type the command “haspdinst.exe -purge” without quotes and press Enter.
h. When this finishes successfully, the HASP drivers should now be uninstalled. Re-boot and try the upgrade again.

Details

Created: 17 July 2020

Fix Microsoft Windows Store | Fix Windows Calculator App

-go to: C:\Program Files\WindowsApps
-change ownership to ADMINISTRATORS.
-change permissions to ADMINISTRATORS | FULL-PERMISSIONS
-look in the list for the APP that won't work (ie CALCULATOR).
-delete the folders.

1. Copy URL for the Microsoft Windows Store app: https://www.microsoft.com/en-gb/p/microsoft-store/9wzdncrfjbmp?activetab=pivot:overviewtab
2. Paste copied URL into search box: https://store.rg-adguard.net/
3. Find WINDOWS STORE. There will be 2 versions
12007.1001.213.0
12007.1001.213.70
4. Download second latest version ending (.0 not .70)
5. Run the file and select Install
6. SETTINGS > APPS
7. click STORE
8. click ADVANCED-OPTIONS
9. click RESET

Details

Created: 17 July 2020

Dell Installation Command Lines just in case anyone needs:

dism /online /add-provisionedappxpackage /packagepath:C:\\DELL\27T76\175eee77761
0486798c16be30cbbe29b.appxbundle /dependencypackagepath:C:\\DELL\27T76\Microsoft
.NET.Native.Framework.2.0_2.0.27427.0_x64__8wekyb3d8bbwe.appx /dependencypackage
path:C:\\DELL\27T76\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x64__8wekyb3d8b
bwe.appx /dependencypackagepath:C:\\DELL\27T76\Microsoft.VCLibs.140.00_14.0.2732
3.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\DELL\27T76\Microsoft.NET.
Native.Framework.2.0_2.0.27427.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:
C:\\DELL\27T76\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x86__8wekyb3d8bbwe.a
ppx /dependencypackagepath:C:\\DELL\27T76\Microsoft.VCLibs.140.00_14.0.27323.0_x
86__8wekyb3d8bbwe.appx  /licensepath:C:\\DELL\27T76\175eee777610486798c16be30cbb
e29b_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:C:\\DELL\2PGXF\f68432bfe31
a4034a94b2fa07b206df6.appxbundle  /licensepath:C:\\DELL\2PGXF\f68432bfe31a4034a9
4b2fa07b206df6_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:C:\\Apps\334CH\DELL\334CH\
11023d4f34c14610a6161cf4fb3c0d78.appxbundle /dependencypackagepath:C:\\Apps\334C
H\DELL\334CH\Microsoft.NET.Native.Framework.2.0_2.0.27427.0_x64__8wekyb3d8bbwe.a
ppx /dependencypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.NET.Native.Runtim
e.2.0_2.0.25709.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\Apps\334CH\
DELL\334CH\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe.appx /depende
ncypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.NET.Native.Framework.2.0_2.0.
27427.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\Apps\334CH\DELL\334CH
\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x86__8wekyb3d8bbwe.appx /dependenc
ypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.VCLibs.140.00_14.0.27323.0_x86_
_8wekyb3d8bbwe.appx  /licensepath:C:\\Apps\334CH\DELL\334CH\11023d4f34c14610a616
1cf4fb3c0d78_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\5NT2Y\RstHsaBridge
_17.5.1005.0_x64_bundle.appxbundle /dependencypackagepath:c:\dell\5NT2Y\Microsof
t.VCLibs.140.00.UWPDesktop_14.0.27323.0_x64__8wekyb3d8bbwe.appx  /licensepath:c:
\dell\5NT2Y\2ab1a93c7f5944c7a5d2413b3f1decaf_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\8R3T7\2ccd06ab93a5
461080ec95e9acfddb44.appxbundle /dependencypackagepath:c:\dell\8R3T7\Microsoft.N
ET.Native.Framework.1.7_1.7.27413.0_x64__8wekyb3d8bbwe.appx /dependencypackagepa
th:c:\dell\8R3T7\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe
.appx /dependencypackagepath:c:\dell\8R3T7\Microsoft.VCLibs.140.00_14.0.26706.0_
x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\8R3T7\Microsoft.NET.Nativ
e.Framework.1.7_1.7.27413.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\de
ll\8R3T7\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x86__8wekyb3d8bbwe.appx /d
ependencypackagepath:c:\dell\8R3T7\Microsoft.VCLibs.140.00_14.0.26706.0_x86__8we
kyb3d8bbwe.appx  /licensepath:c:\dell\8R3T7\2ccd06ab93a5461080ec95e9acfddb44_Lic
ense1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\9R2CY\d8eb3d301c8e
44c893460c573e2524e3.appx /dependencypackagepath:c:\dell\9R2CY\Microsoft.NET.Nat
ive.Framework.2.1_2.1.27427.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\
dell\9R2CY\Microsoft.NET.Native.Runtime.2.1_2.1.26424.0_x64__8wekyb3d8bbwe.appx
/dependencypackagepath:c:\dell\9R2CY\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8
wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\9R2CY\Microsoft.NET.Native.Fram
ework.2.1_2.1.27427.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\9R2
CY\Microsoft.NET.Native.Runtime.2.1_2.1.26424.0_x86__8wekyb3d8bbwe.appx /depende
ncypackagepath:c:\dell\9R2CY\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8
bbwe.appx  /licensepath:c:\dell\9R2CY\d8eb3d301c8e44c893460c573e2524e3_License1.
xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\CPWK1\99a6dd26bc56
45b3a738200b2f69ca51.appxbundle  /licensepath:c:\dell\CPWK1\99a6dd26bc5645b3a738
200b2f69ca51_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\NXM09\5fb8f189f280
4baeb42a158867b0ba1d.appx  /licensepath:c:\dell\NXM09\5fb8f189f2804baeb42a158867
b0ba1d_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\P17DD\6b148b557f42
489bad3fd35943962277.appxbundle /dependencypackagepath:c:\dell\P17DD\Microsoft.N
ET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe.appx /dependencypackagepa
th:c:\dell\P17DD\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe
.appx /dependencypackagepath:c:\dell\P17DD\Microsoft.VCLibs.140.00_14.0.27323.0_
x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\P17DD\Microsoft.NET.Nativ
e.Framework.2.2_2.2.27405.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\de
ll\P17DD\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x86__8wekyb3d8bbwe.appx /d
ependencypackagepath:c:\dell\P17DD\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8we
kyb3d8bbwe.appx  /licensepath:c:\dell\P17DD\6b148b557f42489bad3fd35943962277_Lic
ense1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:C:\Apps\YR2T2\560274d333d4
453891d8ec26f03f7a7c.appxbundle /dependencypackagepath:C:\Apps\YR2T2\Microsoft.N
ET.Native.Framework.2.0_2.0.27427.0_x64__8wekyb3d8bbwe.appx /dependencypackagepa
th:C:\Apps\YR2T2\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x64__8wekyb3d8bbwe
.appx /dependencypackagepath:C:\Apps\YR2T2\Microsoft.VCLibs.140.00_14.0.27323.0_
x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\Apps\YR2T2\Microsoft.NET.Nativ
e.Framework.2.0_2.0.27427.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:C:\Ap
ps\YR2T2\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x86__8wekyb3d8bbwe.appx /d
ependencypackagepath:C:\Apps\YR2T2\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8we
kyb3d8bbwe.appx  /licensepath:C:\Apps\YR2T2\560274d333d4453891d8ec26f03f7a7c_Lic
ense1.xml /Region="all"

Details

Created: 15 July 2020

Cisco Router VRF's are virtual routers. Basically Cisco version of HyperV/VMWare.

The advantage of this is that you can take a single internet connection/MPLS connection and break it into 2 connections. Each connection will have its own outside-ip and inside-ip.

When this happens, the routes move from the physical connection to the virtual connection/VRF connections.

Show VRF connections:
show vrf

Show VRF routes:
show ip route vrf vrf-name-here

Add VRF route:
enable
config t
router bgp 65000
network 10.162.116.0
address-family ipv4 vrf vrf-name-here
network 10.162.116.0
exit-address-family
exit
ip route vrf vrf-name-here 10.162.116.0 255.255.255.0 10.162.100.1
(The above is: subnet subnet-mask gateway)
exit

Verify the config and save it as the startup config:
show run
copy run start

Details

Created: 10 July 2020

The June 2020 updates have caused problems.

To fix, Microsoft has put out an update. Found here (select your Windows version on the left-hand side):
https://support.microsoft.com/en-us/help/4555932

The trick is that the update will not be pushed out through Windows Updates and it will not be pushed out through Windows Server Updates (WSUS).

So the only option is to get it from Windows Catalog.

Here is how to download:
wget "http://download.windowsupdate.com/c/msdownload/update/software/updt/2020/06/windows10.0-kb4567512-x64_2ea636c671529de2154d48a1181c0f02cd919da5.msu" -outfile "windows10.0-kb4567512-x64_2ea636c671529de2154d48a1181c0f02cd919da5.msu"

Here is how to install:
wusa.exe "c:\installs\windows10.0-kb4567512-x64_2ea636c671529de2154d48a1181c0f02cd919da5.msu"

Details

Created: 29 June 2020

Open Outlook 365. The Windows Security Box shows. You type in the password. The box shows again. And again. And again. What gives?

 This could happen for a few reasons.

1- check the DNS records. There should be an autodiscover on the company domain name. In other words: autodiscover.daknetworks.com should go somewhere. And that somewhere should be correct.

2- check the DNS records. If there is more than 1 domain, then the autodiscover needs to be on all of the domains. In other words, autodiscover.daknetworks.net should go somewhere as well. That somewhere should be the same somewhere as the main domain.

3- check the Control-Panel > Credential Manager. Close Outlook. Delete any username/password that indicates Outlook. If there are incorrect username & password saved in there, they will be used to access the email. Since the username/password are incorrect, it will ask for the correct username/password.

4- check the registry at:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AutoDiscover\

There are 2 parts to Outlook. The client software, what you are using on your system, and the server software, what the entire company is using to store/send/receive email.

Beginning with Outlook 2016/Outlook 365 some of the options to manually set what happens are removed in an effort to try to make setup easier.

If you have Outlook 365, then most likely you have Microsoft 365 for the company and it tries to automatically connect to the Microsoft 365 server.

But if you have Outlook 365 and have a private Exchange server, that can cause a mismatch. This results in Outlook always asking for a username/password for the Microsoft 365 server.

Outlook 365 automatically goes through a list to get autodiscover information. This is as follows:

- PreferLocalXML
- Office 365 | ExcludeExplicitO365Endpoint
- Root domain look up (Fancy way of saying it queries the A record) | ExcludeHttpsRootDomain
- Secure URL look up | ExcludeHttpsAutoDiscoverDomain
- Local Autodiscover (SCP object) | ExcludeScpLookup
- HTTP redirect | ExcludeHttpRedirect
- SRV record look up | ExcludeSrvRecord
- Last Known URL | ExcludeLastKnownGoodURL

To skip a method, this is set via a registry edit. All items below skip/exclude the method of finding the AutoDiscover settings except the PerferLocalXML setting which dictates that a local override is to be used:

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v PerferLocalXML /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_SZ /v domain-name-here.tld /d 'C:\path\to\autoDiscover-domain-name-here.tld.xml'

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeHttpRedirect /d 0

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeHttpsAutoDiscoverDomain /d 1

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeHttpsRootDomain /d 1

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeScpLookup /d 1

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeSrvRecord /d 1

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeLastKnownGoodURL /d 1

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeExplicitO365Endpoint /d 1

5- trial software. There might be Office trial software installed along side of the Office software:

• -Open COMMAND-PROMPT (as admin)
• -Check the license, type:
  C:\Program Files (x86)\Microsoft Office\Office16\cscript ospp.vbs /dstatus
• -Uninstall the license, type:
  cscript ospp.vbs /unpkey:[productkey]
  (ie: cscript ospp.vbs /unpkey:VMFTK)
• -Restart the system.

NOTES:
-https://docs.microsoft.com/en-us/outlook/troubleshoot/domain-management/unexpected-autodiscover-behavior
-https://support.microsoft.com/en-us/help/3211279/outlook-2016-implementation-of-autodiscover
-https://docs.microsoft.com/en-us/Exchange/architecture/client-access/autodiscover?redirectedfrom=MSDN&view=exchserver-2019
-https://practical365.com/exchange-server/fixing-autodiscover-root-domain-lookup-issues-mobile-devices/

Details

Created: 07 May 2020

Windows 10 Activation Error | SLMGR

slmgr.vbs /dlv
-access denied: 0xc0000022

-software-protection service is not started (sppsvc).
-try to start: access denied

-regedit
-go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
-go to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Software Protection
-go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPPSVC
-go to: HKEY_LOCAL_MACHINE\SYSTEM\WPA

-permissions
-USER: NT Service\SPPSVC
-add: FULL CONTROL

-restart

slmgr.vbs /dlv
Find the Activation Code.

slmgr.vbs /dli activation-code-here
Find the details.

changepk.exe /ProductKey 12345-12345-12345-12345-12345

NOTES:
https://digitalbamboo.wordpress.com/tag/windows-software-protection-will-not-start-access-denied-5/

Details

Created: 30 April 2020

Here are my travels getting QCA9377/ath10k working with Ubuntu 18.04 LTS.

The system needs both the driver and the firmware.

$lspci
02:00.0 Network controller: Qualcomm Atheros QCA9377 802.11ac Wireless Network Adapter (rev 31)

$ sudo dmesg | grep ath10k
[ 23.189587] ath10k_pci 0000:02:00.0: pci irq msi oper_irq_mode 2 irq_mode 0 reset_mode 0
[ 23.497366] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/pre-cal-pci-0000:02:00.0.bin failed with error -2
[ 23.497373] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/cal-pci-0000:02:00.0.bin failed with error -2
[ 23.553780] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/QCA9377/hw1.0/firmware-6.bin failed with error -2
[ 23.725428] ath10k_pci 0000:02:00.0: qca9377 hw1.1 target 0x05020001 chip_id 0x003821ff sub 17aa:0901
[ 23.725429] ath10k_pci 0000:02:00.0: kconfig debug 0 debugfs 1 tracing 1 dfs 0 testmode 0
[ 23.725786] ath10k_pci 0000:02:00.0: firmware ver WLAN.TF.1.0-00002-QCATFSWPZ-5 api 5 features ignore-otp crc32 c3e0d04f
[ 23.823833] ath10k_pci 0000:02:00.0: board_file api 2 bmi_id N/A crc32 8aedfa4a
[ 24.455129] ath10k_pci 0000:02:00.0: htt-ver 3.44 wmi-op 4 htt-op 3 cal otp max-sta 32 raw 0 hwcrypto 1
[ 25.139469] ath10k_pci 0000:02:00.0 wlp2s0: renamed from wlan0

https://www.dell.com/support/article/en-us/sln306440/killer-n1535-wireless-firmware-manual-update-guide-for-ubuntu-systems?lang=en

$cd /lib/firmware/ath10k/QCA9377/HW1
$cp WLAN.TF.2.1/firmware-6.bin_WLAN.TF.2.1-00016 firmware-6.bin
(Be sure to use the higher/newest firmware number)

$dmesg | grep -i "error\|warn\|fail"
[ 1.162573] RAS: Correctable Errors collector initialized.
[ 7.807736] EXT4-fs (sda5): re-mounted. Opts: errors=remount-ro
[ 23.497366] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/pre-cal-pci-0000:02:00.0.bin failed with error -2
[ 23.497373] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/cal-pci-0000:02:00.0.bin failed with error -2
[ 23.553780] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/QCA9377/hw1.0/firmware-6.bin failed with error -2

$ uname -r
4.15.0-99-generic

$sudo apt-get update
$sudo apt-get upgrade
$sudo apt-get dist-upgrade

$sudo nmcli dev wifi list

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic

# v18.04.4 has a newer kernel but it is not installed automatically on LTS.
# Let's install the newer kernel:
$sudo apt install --install-recommends linux-generic-hwe-18.04 xserver-xorg-hwe-18.04

$ uname -r
5.3.0-51-generic

Details

Created: 28 April 2020

Let's say that you have an external domain that your company regurlarly works with. You want to customize some items for this external domain such as you want them to get out of office replys and you want the domain to not have a MailTip message that it is an external user.

New-RemoteDomain -DomainName externaldomain.tld -Name externaldomain
set-remotedomain externaldomain -IsInternal $true -AutoReplyEnabled $true -AutoForwardEnabled $true

No more MailTips for this set.

Get the details by:

get-remotedomain externaldomain |fl

Details

Created: 23 April 2020

If someone is set to Out of Office and you try to send them an email, before you hit the SEND button, you might get a message that states the Out of Office message. This is a MailTip. There are other MailTips as well. The most common are enabled by default. The advanced MailTips are disabled by default.

One advanced MailTip is a notice when sending an email to outside the company. This can be helpful for certain companies. Here is how to see the current settings:

To get the MailTip setting:
Get-OrganizationConfig |findstr /i mail

To set a MailTip to show when sending outside the company:
set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $true

Ideally, I wanted to turn this on for a group of people but leave it off for everyone else. I could not find a way, so I just left it on for everyone. Going ISO27001 and getting certified will probably encourage this setting anyway.

NOTES:
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips
https://docs.microsoft.com/en-us/powershell/module/exchange/organization/set-organizationconfig?view=exchange-ps

Details

Created: 15 April 2020

Here is how to diagnose remotely.

1. Show network connections (in CMD):
   netsh wlan show interfaces
2. Get the profile:
   get-netconnectionprofile -name "wifi-profile-name-here"
3. If the get-netconnectionprofile/set-netconnectionprofile says "Provider load failure" then check the bitness:
   [Environment]::Is64BitProcess
   (If says "false" then you are running 32-bit.)
4. Get the profile (in Powershell):
   get-netconnectionprofile -name "wifi-profile-name-here"
5. Set the profile to Private (in Powershell):
   set-netconnectionprofile -name "wifi-profile-name-here" -NetworkCategory Private
6. Set the firewall to allow:
   Set-NetFirewallRule -DisplayGroup 'File And Printer Sharing' -Enabled True -Profile 'Private, Domain'

NOTES:

Here is the registry key to change the CATEGORY (1 = private, 0 = public):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Details

Created: 14 April 2020

Microsoft Teams has its own Powerhell Module. Please see the article on connecting to Azure/Office365.

Once connect to Microsoft Teams, you have a few options:

See all Teams:

get-teams

See all Teams a user is a member of:

get-teams -user This email address is being protected from spambots. You need JavaScript enabled to view it.

NOTES:
https://docs.microsoft.com/en-us/powershell/module/teams/?view=teams-ps

Details

Created: 06 April 2020

See Soft Deleted Accounts in AzureAD | Restore Soft Deleted Accounts in AzureAD

To see all the accounts in AzureAD:
Get-MsolUser -All $true
Get-AzureADUser -All $true

To see all the "Guest" accounts in AzureAD:
Get-MsolUser -All $true | ? {$_.UserType -eq "Guest"}
Get-AzureADUser -All $true |where {$_.UserType -eq 'Guest'}

To get the details:
Get-AzureADUser -All $true |where {$_.UserType -eq 'Guest'} |select objectid,userprincipalname

This will return the userprincicpal names of the guest accounts. Usually in the format of:
accountname_domainoutside.com#EXT#@tenant-name-internal.onmicrosoft.com

If you delete a "guest" user or "member" user, the account is "soft-deleted" and is still in AAD. The account will be in this state of 30 days until the account is permanently deleted:
Remove-MsolUser -UserPrincipalName This email address is being protected from spambots. You need JavaScript enabled to view it.
Remove-AzureADUser -ObjectID This email address is being protected from spambots. You need JavaScript enabled to view it.

While the account is in this state, the account can be restored. However, the account cannot be added/invited to another Team.

To view account in the state of "soft-deleted":
Get-MsolUser -All -ReturnDeletedUsers
Get-AzureADMSDeletedDirectoryObject -Id aa644285-eb75-4389-886e-7233f096984c
This doesn't help much because we don't know the ObjectId. The only way I could find the ID is by looking at the AAD logs and filter for "Delete User".

To look at the logs, the AzureADPreview module must be installed:
Install-module AzureADPreview

After the AzureADPreview module is installed, run the following to check the logs for user deletion:
Get-AzureADAuditDirectoryLogs -Filter "category eq 'UserManagement' and OperationType eq 'Delete'" |ft
(The "Correlation ID" is the one you want.)

To permanently delete/hard-delete a guest:
Remove-MsolUser -UserPrincipalName This email address is being protected from spambots. You need JavaScript enabled to view it. -RemoveFromRecycleBin
Remove-AzureADMSDeletedDirectoryObject -Id aa644285-eb75-4389-886e-7233f096984c

To restore an account:
Restore-MsolUser -UserPrincipalName This email address is being protected from spambots. You need JavaScript enabled to view it.
Restore-AzureADMSDeletedDirectoryObject -Id aa644285-eb75-4389-886e-7233f096984c

NOTES:
Get-AzureADMSDeletedUser/Restore-AzureADMSDeletedDirectoryObject does not exist, yet.
AzureAD Module v2.0 documentation: https://docs.microsoft.com/en-us/powershell/module/AzureAD/?view=azureadps-2.0
AzureAD v2.0-preview documentation: https://docs.microsoft.com/en-us/powershell/module/AzureAD/?view=azureadps-2.0-preview
(Check out the difference in the documentation for "Deleted Objects" section to get a feel of where development is happening.)

Details

Created: 05 April 2020

Fail2Ban is amazing. It is a python script that monitors the apache logs and if it finds something bad, it blocks the IP address for a certain amount of time.

Overall config:

/etc/fail2ban/fail2ban.conf

Defining filter list:

/etc/fail2ban/jail.conf

Defining individual filters based on regex:

/etc/fail2ban/filter.d/filter-name.conf

Defining ignorecommands:

/etc/fail2ban/filter.d/ignorecommands/ignorecommand

You can test by using filters using fail2ban-regex :

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf

Or with an ignorecommand:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf /etc/fail2ban/filter.d/ignorecommands/ignorecommand

It will even pick up the ignorcommands already in the filter-name.conf:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf /etc/fail2ban/filter.d/apache-scan.conf

You can print the matches:

fail2ban-regex --print-all-matched /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf

There are a bunch of filters already available. It is just a matter of enabling them and defining them with a reach-back number (ie within the last 24 hours), a miss number (ie 3 strikes) and a block time (2 hr, 2 day, etc).

Since I've noticed that most traffic is through bad bots, that happens to be one of my favorites.

Details

Created: 03 April 2020

Create Shared Calendar

You have a few options.

1. -create a shared mailbox. Doing so, you can force this on someone's Outlook. However, they will not receive calendar reminders. Bummer.
2. -create a normal mailbox. Doing so, you will need to manually add the account to Outlook. Bummer.
3. -create a shared calendar from a typically mailbox. A little complicated, especially if a large group. But for a small group, this might work.
4. -create a public calendar. Available to everyone but they have to look for the calendar.
5. -create a room account. This allows the meeting to be scheduled on the room account and puts an event on the personal calendar where reminders happen.
6. -create Office 365 group / Unified Group. All Members of the group will automatically have the Group in Outlook. All members will automatically receive invites and notifications. Bummer.

I chose to setup a room account. This seems to be the most in line with what the client wants.

Details

Created: 02 April 2020

Let's say there is a world wide pandemic. Everyone suddenly wants-to/required-to work from home. How do you license everyone for Skype-for-Business/Teams? Here's how:

get-msoluser -maxresults 1000 | set-msoluser -usagelocation US | set-msoluserlicense -AddLicenses "foodomain:TEAMS_COMMERCIAL_TRIAL"

Now everyone is licensed for Skype-for-Business/Teams.

The problem becomes that there are accounts that should not be licensed; namely the "Health" mailboxes.

Here is how to find them:

get-msoluser -maxresults 1000 |where {$_.islicensed -eq $true -and $_.signinname -like "*Health*"}

Here is how to unlicense them:

get-msoluser -maxresults 1000 |where {$_.islicensed -eq $true -and $_.signinname -like "*Health*"} |set-msoluserlicense -removelicenses "foodomain:teams_commercial_trial"

Details

Created: 01 April 2020

Let's say you have an Office 365 Group. You add a bunch of people. They add events to the calendar. Everyone is getting the calendar invites. They don't want that.

OK, first step is to delete the Office 365 Group through the GUI. Easy enough.

Now it still shows in Outlook. We want it completely gone.

• -start POWERSHELL (as administrator).
• -connect to the AzureAD endpoint.
• -type: Get-AzureADMSDeletedGroup

It will show the ID.

• -type: Remove-AzureADMSDeletedDirectoryObject -id 6546513213652165361654

NOTES:
https://docs.microsoft.com/en-us/powershell/module/azuread/remove-azureadmsdeleteddirectoryobject?view=azureadps-2.0-preview

Details

Created: 01 April 2020

Want to create a dynamic group for Office 365 Groups?

In Azure Active Directory, you should be able to create a group that is set dynamically depending on rules. This can be done through something called RULE-BUILDER.

It can be done. But it requires a P1 license for every account a part of the Office 365 Group/Unified-Group. This is $6 per month.

1-start POWERSHELL (as-admin).
2-type: Import-Module AzureADPreview
3-type: $LiveCred = Get-Credential
4-type in your username/password.
5-type: Connect-AzureAD -Credential $LiveCred
6-type: get-azureadmsgroup
7-type: get-azureadmsgroup -id 6541651431314646546541 |fl

You will see that MembershipRule and MembershipRuleProcessingState are blank. Let's set those items (2 options are given for MembershipRule as example).

• set-azureadmsgroup 654654654654 -membershipruleprocessingstate on
• set-azureadmsgroup 654654654654 -membershiprule $dynamicmembershiprule
• set-azureadmsgroup 654654654654 -MembershipRule "(user.department -contains ""Marketing"")"
• set-azureadmsgroup 654654654654 -GroupTypes "DynamicMembership"

Requires a P1 license. $6/user/month.

NOTES:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsgroup?view=azureadps-2.0

Details

Created: 01 April 2020

Do you have Skype for Business? If so, you either have a Lync server on-site (Lync is the former name of Skype for Business) or you have a cloud service with Office-365.

If you have an Office-365 service, do you want to control Skype for Business through powershell? Here's how:

1-install SKYPE-FOR-BUSINESS POWERSHELL-MODULE: https://www.microsoft.com/en-us/download/confirmation.aspx?id=39366
2-start POWERSHELL (as-admin).
3-type: Import-Module SkypeOnlineConnector
4-type: $LiveCred = Get-Credential
5-type in your username/password.
6-type: $sfbSession = New-CsOnlineSession -Credential $LiveCred
7-type: Import-PSSession $sfbSession

type: Get-CsConferencingPolicy -identity global
type: Set-CsConferencingPolicy –Identity global –EnableDialInConferencing $True

Details

Created: 31 March 2020

Office365 Groups | Unified Groups

Typically, Exchange has Distribution Groups. An email is sent to the group and everyone in the group receives a copy of the email.

Office365-Groups or Unified-Groups are now available.

Difference Between Exchange Groups and Office365 Groups

How is that different? Why would I want an Office365 Group instead of a traditional Distribution Group.

Mainly because there are the following additional features:

• -shared mailbox. Members still receive a copy in their personal inbox.
• -shared files.
• -shared calendar.
• -invite external guests.

The following article actually says it better than I can:

https://support.microsoft.com/en-us/office/why-you-should-upgrade-your-distribution-lists-to-groups-in-outlook-7fb3d880-593b-4909-aafa-950dd50ce188

Creating a Unified Group:

new-unifiedgroup foogroup

Adding members:

Add-DistributionGroupMember

Upgrading a group from a Distribution-Group to a Unified-Group:

Upgrade-DistributionGroup -DlIdentities This email address is being protected from spambots. You need JavaScript enabled to view it.

Upgrade Error

When I tried to upgrade one DistributionGroup to a UnifiedGroup, I got an error message, "ErrorReason: The specified distribution group is not eligible to be upgraded or you are not allowed to upgrade this distribution group."

What gives?

Well, this is because the Owner of the DistributionGroup was an unlicensed account, the Office365 Admin. Changing the owner to a licensed account, allowed the upgrade to happen.

Details

Created: 29 March 2020

Enabling Perfect Forward Secrecy | Fixing Perfect Forward Secrecy

Using ssllabs.com to test the certificate on a server will grade the certificate with a score (A, B, C, D, F). The grade was capped to B due to Perfect Forward Secrecy and gave the following for a reference:
https://www.digicert.com/kb/ssl-support/ssl-enabling-perfect-forward-secrecy.htm

OK, I don't know what Perfect Forward Secrecy is. All I really care about is getting the grade to A. What do I have to do?

Reading the link, I thought the certificate was incorrect and started to look for how to recreate the certificate using ECDHE instead of RSA. That is because of the lines, "Instead of using the RSA method for exchanging session keys, you should use the Elliptic Curve Diffie-Hellman (ECDHE) key exchange" and my inability to understand where I "can still use the RSA public-key cryptosystem as the encryption algorithm, just not as the key exchange algorithm."

Recreating the certificate is incorrect. The certificate is fine using the instructions found in the other article on this site.

The solution is found in the Apache/HTTPD server with the settings found in the following file on the server:
/etc/httpd/config/httpd.conf

The server already had the following:

SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
#SSLHonorCipherOrder on

All I had to do was turn on the SSLHonorCipherOrder:
SSLHonorCipherOrder on

And while I was at it, turn off TLSv1.1 since that was removed in January 2020 from most major browsers:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

That left us with:
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on

Restart Apache/HTTPD with:
apachectl -k restart

Enjoy the grade of letter A!

NOTES:
-use the following to see what ciphers are accepted: openssl ciphers -v
-the server didn't have the option to turn on the CipherOrder, I had to create a template fragment called 35SSL10SSLHonorCipherOrder and filed bug 10916. This will probably make its way into the base.
-for the curious, the following are the short steps:
config setprop modSSL HonorCipherOrder on
config setprop httpd-e-smith TLSv1.1 disabled
signal-event domain-modify
signal-event email-update

Details

Created: 25 March 2020

Skype for Business Microphone Not Working

Here's how to fix:

Details

Created: 17 March 2020

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-object-not-syncing

Details

Created: 09 March 2020

Installing AutoCad from AutoDesk. Result: 

Here's how to fix:

Go to run.

Type ‘regedit’

click ‘ok’.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

Check the location for “Common Documents”

It will be pointing to a non-existent location Eg. "Common Documents"="C:\\Users\\Public\\Documents"

Change the value data of common document as: "Common Documents"="d:\\Users\\Public\\Documents"

OR

create that non-existent folder Run AutoCAD 2014 setup again

Details

Created: 07 March 2020

Since I lose this all the time and spend too much time trying to find it again, here is a link to the Dell monitor guide:

https://www.dell.com/support/article/en-us/sln317180/identifying-dell-monitor-types-by-their-model-number?lang=en

Details

Created: 06 March 2020

Upgrade from Windows Server 2008 to Server 2012 R2 Fails on VMWare. There is no reason why. Then it rolls back to Windows Server 2008.

The anwser is to remove the RESERVED PARTITION. If you look at the device manager, there will be 2 partitions; 1 for the RESERVED PARTITION and 1 for WINDOWS.

1- set the main Windows parition as the boot:

Run command prompt as administrator
Type: bcdboot c:\windows /s c:
(You should get a message that states: Boot files successfully created.)
Open Disk Management, right-click on your C: drive and select Mark Partition as Active.
Reboot

2- remove the RESERVED PARTITION.
Edit the VM in WMWare to remove the RESERVED PARTITION HARD DRIVE. This will be the lowest partition size.
Reboot

That should do it!

If not, you might have to boot from a install ISO, go to REPAIR, ADVANCED, CMD and fiddle with DISKPART and BOOTREC.

Details

Created: 11 February 2020

Let's say you have a service installed but don't want the user to uninstall the service by accident.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

OR

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\

Details

Created: 11 February 2020

Find Hostname from IP Address

Let's say you have a large internal global network and you have an IP address that is slamming your SAP server that is coming from a different network segment with a different DNS server.

How do you know what host that is?

In a large network, there might be different domains and different DNS servers. You can query your local DNS server:

nslookup 1.2.3.4

But the local DNS won't find it because the host is not registering with that Name Server.

So to make this work, find the DNS server on that network segment. Sometimes using a traceroute helps here:

tracert 10.20.30.40

This will show the network hops. Hopefully this will narrow down the DNS server for that segment and query it, like this:

nslookup 10.20.30.40 11.22.33.44

It will return the FDQN and IP address.

Details

Created: 05 February 2020

/WORK IN PROGRESS - DO NOT ATTEMPT/

My work with PXE boot was back in 2007 with BARTPE. A new project has come up and I need it again.

{{Languages}}

==PXE booting to ISO==

===Goal===
We want to boot ISO images via PXE (rather than through CD). This means that, as long as we have enough RAM in the local pc's, we can boot WINPE or any LIVE CD (such as KNOPPIX, PCLINUXOS, UBCD, etc).

===Assumptions===
You are a network/server administrator and know what TFTP, LIVEISO, PE and PXE -a network boot- means. You have a running SME SERVER and your SME SERVER is your DHCP server.

===Install TFTP package on your SME SERVER===
-install SMESERVER-TFTP-SERVER on your SME SERVER: http://wiki.contribs.org/Tftp_server
yum --enablerepo=smecontribs install smeserver-tftp-server

-install SMESERVER-THINCLIENT on your SME SERVER: https://wiki.contribs.org/Thinclient
yum --enablerepo=smecontribs install smeserver-thinclient

-install SMESERVER-THINCLIENT-TS on your SME SERVER: https://wiki.contribs.org/Thinclient_usage
wget http://distro.ibiblio.org/smeserver/contribs/trevorb/7.x/Thinclient/smeserver-thinclient-ts-2.2-1.noarch.rpm
Access SERVER-MANAGER > Thin-Client panel.
Click to add another Thin Client Distribution
Upload smeserver-thinclient-ts-2.2-1.noarch.rpm

You now have a /tftpboot directory on the SME-SERVER.
Inside the /tftpboot directory is another directory /tftpboot/thinclient directory. 
Inside the /tftpboot/thinclient directory are the files necessary to make the PXE happen.

===Create TFTPBOOT structure on your SME SERVER===
-we need to move the files into the proper locations.

-change to the directory
cd /tftpboot

-create a GRAPHICS, ISO, COM32 directories
mkdir graphics iso com32

-move the pxelinux.0 file and the pxelinux.cfg directory to the /tftpboot
mv ./thinstation/pxelinux.0 ./
mv ./thinstation/pxelinux.cfg ./

-finally, move the thinstation directory to the iso directory and create any other directories in iso that you want for iso distributions. For example, BARTPE and MEMDISK
mv ./thinstation ./iso
mkdir ./iso/bartpe ./iso/memdisk

You now have the following structure in the /tftpboot directory:
graphics (The graphics directory is for graphics, naturally.)
iso (The iso directory is for the iso files.)
pxelinux.cfg (The pxelinux.cfg directory is the boot menu.)
pxelinux.0 (This file is what boots the remote system.)
com32 (The com32 directory is for the menu). 

===Download Syslinux Executable===
To boot ISO images we need an executable that can handle ISO's. Lucky for us, a bunch of executables for each distribution is already available in a project called SYSLINUX. SYSLINUX actually encompasses PXELINUX, ISOLINUX and EXTLINUX.

wget: https://mirrors.edge.kernel.org/pub/linux/utils/boot/syslinux/6.xx/syslinux-6.03.zip
unzip syslinux-6.03.zip

Inside the "bios" directory you will find different executables for different distributions. For example, MEMDISK is a special executable (legacy) that can boot floppy images, hard disk images and some ISO.

Let's copy the file bios\memdisk\memdisk to /tftpboot/iso/memdisk anyway that you can, such as through SCP.

In addition, let's copy the following files to the root of /tftpboot:
syslinux-6.03\bios\com32\elflink\ldlinux\ldlinux.c32
syslinux-6.03\bios\com32\menu\vesamenu.c32
syslinux-6.03\bios\gpxe\gpxelinux.0 (You already have the pxelinux.0 but pgxelinux.0 provides an additional way to boot which adds a few options such as booting over ftp, http, etc)

===Create an Windows-based ISO on your local pc===

Copy or download the ISO files to the iso directory.

++++++++++++++++++++++++++++++++++++++++++++++++++
++(no longer supported, here for archival purposes only)
++++++++++++++++++++++++++++++++++++++++++++++++++
===Create an Windows-based ISO on your local pc===

====BARTPE====
-download BARTPE on your local pc: http://www.nu2.nu/pebuilder/

-create a BARTPE disk using WINDOWS SERVER 2003 source (i386 directory)

-or if you don't have a WINDOWS SERVER 2003 source, you can use a WINDOWS XP SP2 source (i386 dir) but you'll have to replace the following file with a newer version from the WINDOWS SERVER 2003 SP1 download (see next section):
C:\pebuilder3110a\BartPE\I386\SYSTEM32\DRIVERS\ramdisk.sys

-you now have a BARTPE.ISO (on your local pc)

====Obtain WINDOWS SERVER 2003 SP1 files needed====
-download the WINDOW 2003 SERVER SP1:
https://www.google.com/search?q=WindowsServer2003-KB889101-SP1-x86-ENU.exe

(You now have a file called: WindowsServer2003-KB889101-SP1-x86-ENU.exe)

-open WINRAR to open the WindowsServer2003-KB889101-SP1-x86-ENU.exe file (the W2K3 file is just a self-extracting ZIP/CAB/TAR file)

-extract only the following files from the W2K3SP1:
ntdetect.com
ramdisk.sy_
setupldr.ex_
startrom.n1_

-The underscore files are compressed. We need to decompress/expand them:
expand ramdisk.sy_
expand setupldr.ex_
expand startrom.n1_

(You only need the ramdisk.sys file if you don't have a WINDOWS 2003 SERVER source to build your BARTPE from. See above section.)

===Transfer files to SME SERVER===
-copy the following files to the SME SERVER in the "/tftpdboot/iso/bartpe" directory:
ntdetect.com
setupldr.exe
startrom.n12
bartpe.iso

===Work with files in the TFTPDBOOT dir===
-the files are case-sensitive and need to be named exactly as follows:
ntdetect.com (lower-case)
NTLDR (rename the setupldr.exe to NTLDR, all caps)
startrom.0 (rename the startrom.n12 to startrom.0) (This is a ZERO)
BARTPE.ISO (all caps)

-create a winnt.sif:
vi winnt.sif

-the contents of the winnt.sif file:
[SetupData]
BootDevice = "ramdisk(0)"
BootPath = "\i386\System32\"
OsLoadOptions = "/noguiboot /fastdetect /minint /rdexportascd /rdpath=iso/bartpe/bartpe.iso"
++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++

 ====Create DEFAULT file====
-change to pxelinux.cfg directory and create the contents of the default file:
cd pxelinux.cfg
vi default

Each distribution iso will have a LABEL and a full-path-to-the-kernel. Currently, we have only 3; BARTPE, THINSTATION and KNOPPIX.

-the contents of the default file (note that this is case-sensitive reference the iso filename):
prompt 1
implicit 0
timeout 600
default foo

LABEL bartpe
kernel iso/bartpe/startrom.0

LABEL thinstation
kernel iso/thinstation/vmlinuz
append initrd=iso/thinstation/initrd ramdisk_blocksize=4096 root=/dev/ram0 ramdisk_size=524288 console=ttyS3 vga=791

LABEL knoppix
kernel iso/memdisk/memdisk
append initrd=iso/knoppix/knoppix.iso iso

===Summary of contents of TFTPBOOT dir===
-graphics
-iso
--iso/bartpe
---iso/bartpe/BARTPE.ISO
---iso/bartpe/ntdetect.com
---iso/bartpe/NTLDR
---iso/bartpe/startrom.0
---iso/bartpe/winnt.sif
--iso/thinstation
---iso/thinstation/vmlnuz
---iso/thinstation/initrd
---iso/thinstation/thinstation.conf.network
--iso/memdisk
---iso/memdisk/memdisk
--iso/knoppix
---iso/knoppix/knoppix.iso
-pxelinux.cfg
--pxelinux.cfg/default
-pxelinux.0
-gpxelinux.0
-ldlinux.c32
-vesamenu.c32

===Boot client PC===
-that should do it! Start your client PC and boot from the network.

-it will boot the pxelinux.0 and try to use any config files.

-at the prompt, when it asks for an image type: {bartpe | thinstation | knoppix}

-pretty cool, huh?

===Advanced Menu===
It is possible to create submenus. Just create a plain text file in tftpboot/pxelinux.cfg/ directory and use the same format as the default. The file can be named tools, memorytest, recovery, etc anything you want.

===Advanced Modern OS===
The problem becomes that modern OS's renders the memdisk approach useless because if you loaded the ISO with MEMDISK, once the kernel was read from the ISO and loaded into memory, the ISO data would be gone.

Details

Created: 31 January 2020

PHONE: Riiiiinnnnnngggg!!!! Riiiiinnnnnngggg!!!! Riiiiinnnnnngggg!!!!

ME: Hello

THEM: Yes, in Outlook, when I go my Deleted Items and click "Recover Deleted Items from Server" it only goes back 2 weeks.

Retention

Retention is how long something can be retrieved if it is deleted. By default, this is 14 days. This can be found with the RetainDeletedItemsFor value, like this:

get-mailbox foo.user |select RetainDeletedItemsFor

Now, there is also a retention on the MailboxDatabase (EDB) that covers all mailboxes on the EDB. This setting is the DeletedItemRetention value, like this:

Get-MailboxDatabase "mailbox.database.name" |select DeletedItemRetention

Setting

Note that Mailboxes will automatically get their settings from the Mailboxdatabase. To set custom settings, you must first disable using the Mailboxdatabase defaults, like this:

set-mailbox foo.user -UseDatabaseRetentionDefaults $false

Next, setting retention is like this:

set-mailbox foo.user -RetainDeletedItemsFor 30

Note that if you run this command while using the mailboxdatabase defaults, the setting will stay at the default value of 14.

Or in one command:

set-mailbox foo.user -UseDatabaseRetentionDefaults $False -RetainDeletedItemsFor 30

Details

Created: 24 January 2020

Open terminal.

• lsb_release -a
• sudo apt update
• sudo apt upgrade
• sudo apt dist-upgrade
• reboot
• sudo apt install update-manager-core
• sudo vim /etc/update-manager/release-upgrades
• typ: prompt=lts
• sudo do-release-upgrade
• reboot
• lsb_release -a

Details

Created: 24 January 2020

First, find the DNS servers:

Ubuntu >= 15: nmcli device show | grep IP4.DNS

Ubuntu <= 14: nmcli dev list iface | grep IP4

Second, change the DNS servers using the GUI.

Third, restart the service without rebooting the system:

Ubuntu >= 15: sudo systemctl restart NetworkManager.service

Ubuntu <= 14: sudo service network-manager restart

Details

Created: 20 January 2020

Came across a PowerEdge 2950 with a PERC (raid controller) that needed Windows Server installed. The Windows Server ISO didn't have the PERC drivers and trying to inject the drivers into the Windows Server ISO failed.

Had to reset the DRAC:

• -CTRL+E to access the DRAC settings to reset the password.
• -ssh into the DRAC.
• -issue the following to reset the DRAC: racadm racreset hard

Had to set the BIOS:

• -allow SATA port to be turned on for the DVD.
• -allow USB to boot.
• -USB to show as HD.
• -select boot menu.
• -select USB.

Had to use the Dell Systems Build and Update Utility (SBUU) v5.5.0 for this to work. This ISO is found here:

https://dl.dell.com/sysman/OM_v5.5.0_SUU_A00.ISO

Or the Dell System Management Tools and Documentation ISO here:
https://www.dell.com/support/home/us/en/04/drivers/driversdetails?driverid=p8v4x&oscode=wx64&productcode=poweredge-2950

Separate ISO's put together by running the following in command-prompt: copy /b om* OM_550_SUU_DVRPCK_A00.iso

After running through the options of the SBUU, the process looks for a DVD in the DVD drive. The process errors out if the DVD drive is unavailable and doesn't pick up the USB as the DVD. Go figure.

What makes this process difficult is because there are 54 downloads in the Dell Drivers web site for "SYSTEM-MANAGEMENT":

1. Sometimes it is referred to as the "Dell OpenManage Systems Build and Update Utility" with the "OM" in the title and ISO name.
2. Sometimes it is referred to as the "Dell DVD ISO - Dell Server Updates, v.5.5.0, A00."
3. Sometimes there are other ISO's that seem like they should work but don't. Such as the Dell Installation and Server Management (ISM) ISO aka "Dell CD ISO - Installation and Server Management v.5.2.0."
4. Sometimes the documenation refers to the Lifecycle Controller aka "Dell DVD ISO - Lifecycle Controller OS Driver Packs v.6.5.1" which doesn't work in my case.
5. Sometimes the driver download page refers to the "OS Driver Pack DVD ISO" aka "DELL LIFECYCLE CONTROLLER OS DRIVER PACK V7.0.0" which doesn't work in my case.
6. Sometimes the driver download page refers to the "Q1 Server Update Utility DVD ISO v7.2.1" which doesn't work in my case.
7. Sometimes the driver download page refers to the "Dell Systems Management Tools and Documentation DVD ISO ,V 7.3.0" which doesn't work in my case.
   
8. Sometimes the driver download page refers to the "Dell Windows OS install support pack, v6.3" or the "Dell Windows OS install support pack v7.0.0" which doesn't work in my case.
9. Sometimes the driver download page refers to the "Q1 Server Update Utility DVD ISO v7.2.1" which doesn't work in my case.

In addition, the downloads are broken up into:

• Embedded Server Management
• Secure Systems Management
• Systems Management

I'm not certain if a newer SBUU would work (or anything else for that matter):

https://www.dell.com/support/driver/us/en/04/DriversDetails?driverId=YH0GX&fileId=3406550491

Details

Created: 13 December 2019

Each mailbox in Exchange 2013 can have access through different ways:

1. ActiveSyncEnabled
2. OWAEnabled
3. PopEnabled
4. ImapEnabled
5. MapiEnabled
6. Exchange Web Services (EWS)

To see the options if they are set for TRUE/FALSE, use the get-casmailbox:

get-CASMailbox foo.user

To see for everyone:

get-casmailbox

To set OWA to be disabled:

set-casmailbox foo.user -OWAEnabled $false

So if you wanted to disable for everyone:

get-casmailbox | set-casmailbox -OWAEnabled $false

Likewise, if you want to do this with ActiveSync, the command is:

set-casmailbox foo.user -ActiveSyncEnabled $false

get-casmailbox | set-casmailbox -ActiveSyncEnabled $false

If you disable ACTIVESYNC, the account cannot get email on the MAIL app on iPhone. Most likely, you want to keep ACTIVESYNC turned on and OWA turned off.

In addition, you probably want to turn off EWS for the accounts. I've found that some 3rd party email apps (ie Blue Mail) use EWS to gather email rather than ACTIVESYNC. For whatever reason, this will not show in Exchange as a mobile device (ie Get-MobileDevice -Mailbox foo.user).

To disable EWS for a single account:

Set-CASMailbox foo.user -EWSEnabled $False

And to disable EWS for everyone:

get-casmailbox | set-casmailbox -EWSEnabled $false

Or it can be done on the entire Organization config:

Set-OrganizationConfig -EWSEnabled $False

Details

Created: 11 December 2019

Here you go:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
New-VM -Name MyMachine -path C:\installs\vm-machine -MemoryStartupBytes 512MB
New-VHD -Path C:\installs\vm-machine\MyMachine\mymachine.vhdx -SizeBytes 10GB -Dynamic
Add-VMHardDiskDrive -VMName MyMachine -path "C:\installs\vm-machine\MyMachine\mymachine.vhdx"
Set-VMDvdDrive -VMName MyMachine -ControllerNumber 1 -Path "C:\installs\vm-machine\MyMachine\connector-59.0.0.52.iso"

Adjust as needed.

Details

Created: 18 October 2019

Your Meeting Was Declined in Outlook/Exchange 2013. This resource does not accept meetings longer than 1440 minutes.

Resource rooms are set by default to 1440 minutes/24 hours/1 day.

To change, there is a different table than the one for get-mailbox, you have to use Get-CalendarProcessing | Set-CalendarProcessing.

To get the current settings:

Get-CalendarProcessing foo.resource |fl

You will see:

MaximumDurationInMinutes: 1440

To set for longer:

Set-CalendarProcessing foo.resource -MaximumDurationInMinutes 4320


NOTES:

https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/Set-CalendarProcessing?redirectedfrom=MSDN&view=exchange-ps

Details

Created: 17 October 2019

Dell Command is a driver update tool that comes with a Dell computer system. You can run the tool via command line. Awesome!

Note that this is in v2.3/v2.4 and not in v3.0 (Yikes!) but is re-introduced in v3.1.

SIMPLE DELL COMMAND UPDATE

cd c:\program files (x86)\Dell\CommandUpdate

dcu-cli.exe

dcu-cli.exe /scan

dcu-cli.exe /applyUpdates


dcu-cli.exe /applyUpdates -updateType=driver,bios,firmware

It will go through find the drivers, download them and install them automatically.

Because this is via command line, this can be pushed out through the entire network.

ADVANCED DELL COMMAND UPDATE

Now Dell releases all in one driver packs (aka CAB files) for their business systems (Latitude, Precision, etc). You can download the CAB file in a central location and roll out the CAB file to the system (be certain to choose the right CAB file and match the CAB file name to the model number):

dcu-cli.exe" /driverRestore \\MyServer\MyRepositoryShare\E7470-win10-A11-F4MTJ.CAB

REALLY ADVANCED DELL COMMAND UPDATE

There is a Dell Command Deploy Driver Pack

https://www.dell.com/support/article/us/en/04/how14097/driver-pack-catalog?lang=en

NOTES:

DELL COMMAND UPDATE: https://www.dell.com/support/manuals/us/en/04/command-update-v2.4/dcu_ug_v2.4/command-line-interface-reference?guid=guid-92619086-5f7c-4a05-bce2-0d560c15e8ed&lang=en-us

DELL CAB FILES: https://www.dell.com/support/article/us/en/04/sln312414/dell-command-deploy-driver-packs-for-enterprise-client-os-deployment?lang=en

Details

Created: 14 October 2019

Want to set an out of office reply for an account in Exchange 2013? Here's how:

GET

To get the current settings:

Get-MailboxAutoReplyConfiguration foo.user

SET

To set the Out of Office reply:

Set-MailboxAutoReplyConfiguration foo.user -AutoReplyState Scheduled `
-StartTime “10/14/2019” -EndTime “12/15/2019” `
-ExternalMessage “Type External automatic reply here” `
-InternalMessage “Type External automatic reply here”

EXAMPLE

It can be tough to set escpecially if you have double-quotes. The backtick when used at the end of the line is used to join to the next line. Also, the backtick is used to escape the double-quote. Example for escaping quotes:

Set-MailboxAutoReplyConfiguration foo.user –AutoReplyState Scheduled `
-StartTime “10/14/2019” -EndTime “12/15/2019” `
–ExternalMessage “

NOTES:

-https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/set-mailboxautoreplyconfiguration?view=exchange-ps

Details

Created: 26 September 2019

Setting

Once upon a time, Skype was Skype and everything was good. Then Microsoft bought them and everything became confusing; really confusing.

In another point in the time, Slack came into existence. It caught steam. All the cool kids used it, the marketing was a bit viral and the company went public company on the NYSE.

Competition

To compete, Microsoft developed Microsoft-Teams; the Microsoft version of Slack.

Microsoft added Teams to their Office365 packages so anyone with an Office365 account could use Microsoft Teams. But it still wasn't enough.

To make the offering more attractive, they offer Microsoft-Teams for free. This is up to 300 accounts on the same domain.

Convergence

At this point Skype for Business is becoming Microsoft Teams:
https://docs.microsoft.com/en-us/microsoftteams/faq-journey

What is interesting is that if you have a Microsoft Teams License (free), you can use Skype for Business:
https://products.office.com/en-us/microsoft-teams/free

1- Signup for free Office365 account: https://portal.office.com

Unlicensed accounts are free. You cannot do anything per se but it doesn't cost anything, so there is no harm.

2- Sync with on-site Active Directory (if needed)

If you have an onsite AD, you can setup a separate server just for the purpose of syncing with Office365 Azure Active Directory.

Download Microsoft Azure Active Directory Connect here:
https://www.microsoft.com/en-us/download/details.aspx?id=47594

 3- Assign Microsoft Teams License

You'll have to Connect to Office365/AzureAD via Powershell but once you do, you can perform 3 steps.

    3a- assign a Location:

    set-msoluser -UserPrincipalName This email address is being protected from spambots. You need JavaScript enabled to view it. -usagelocation US

    3b- check the Office365 Licenses

    get-msoluser -UserPrincipalName This email address is being protected from spambots. You need JavaScript enabled to view it. |fl |findstr /i licen

    3c- assign a Microsoft Teams License

    set-msoluserlicense -UserPrincipalName This email address is being protected from spambots. You need JavaScript enabled to view it. -AddLicenses "foodomain:TEAMS_COMMERCIAL_TRIAL"

4- Download Skype for Business Basic

To make matters worse, documentation will try to convince you to download the software at: https://portal.office.com/account#installs

While this is logical, this will not work if you have Office 2016/2019 installed. This is because the download is a click-to-run (c2r) application. C2R applications cannot be mixed with others.

The Skype for Business Basic Full Client (448.1 MB) is found here:
https://www.microsoft.com/en-us/download/details.aspx?id=49440

Or if you need to download in Powershell through wget:
wget 'https://download.microsoft.com/download/8/7/E/87E24B50-9C85-4B1D-A581-94AA037803F8/LyncEntry_bypass_ship_x64_en-us_exe/lyncentry.exe' -outfile 'lyncentry_x64.exe'

Typically, Skype for Business Basic needed an onsite Lync Server or an Offce365 account (Office 365 ProPlus, Office 365 Enterprise E3 or Office 365 Enterprise E4).

I guess because of the convergence of Skype for Business and Microsoft Teams, the Microsoft Teams license will work with Skype for Business Basic now.

Note that the download is called: lyncentry.exe

5- Install Skype for Business Basic

6- Login to Skype for Business Basic

That's it! It should work! Good job, well done!

Details

Created: 25 September 2019

Just like disabling Microsoft Telemetry, the Google Chrome Software Reporter Tool can become a pain. Let's turn it off.

In my other article about adding GPO ADMX files to control Chrome, I explain how to add the ADMX files to the GPO to control CHROME so I won't go through that again.

• -new GPO.
• -name: c-chrome-cleanup-disabled
• -settings: COMPUTER-CONFIGURATION > POLICIES > ADMINISTRATIVE-TEMPLATES > GOOGLE > GOOGLE-CHROME
• -select CONTROL-HOW-CHROME-CLEANUP-REPORTS-DATA-TO-GOOGLE
• -set: DISABLED

• -select ENABLE-CHROME-CLEANUP-ON-WINDOWS
• -set: DISABLED

Save the GPO but don't forget to turn off User-Configuration: DETAILS > USER-CONFIGURATION-SETTINGS-DISABLED.

Apply GPO where needed.

Details

Created: 25 September 2019

Windows Telemetry does "stuff." I don't want it to do that "stuff." In certain cases, it hogs resources sometimes it becomes out of control.

• -new GPO.
• -name: c-disable-telemetry
• -settings: COMPUTER-CONFIGURATION > POLICIES > ADMINISTRATIVE-TEMPLATES > WINDOWS-COMPONENTS > DATA-COLLECTION-AND-PREVIEW-BUILDS
• -select ALLOW-TELEMETRY
• -set: ENABLED:0 (only works on Windows Enterprise).

But wait, there's more:

• -settings: COMPUTER-CONFIGURATION > POLICIES > ADMINISTRATIVE-TEMPLATES > SYSTEM > INTERNET-COMMUNICATION-MANAGEMENT > INTERNET-COMMUNICATION-SETTINGS
• -select TURN-OFF-WINDOWS-CUSTOMER-EXPERIENCE-IMPROVEMENT-PROGRAM
• -set: ENABLED.

Save the GPO but don't forget to turn off User-Configuration: DETAILS > USER-CONFIGURATION-SETTINGS-DISABLED.

That's it! Link to all OU's necessary.

Details

Created: 26 August 2019

So routes in an MPLS cisco router can have the following codes; the highlighted ones are the most common I see:

Codes:

• L - local
• C - connected
• S - static
• R - RIP
• M - mobile
• B - BGP
• D - EIGRP
• EX - EIGRP external
• O - OSPF
• IA - OSPF inter area
• N1 - OSPF NSSA external type 1
• N2 - OSPF NSSA external type 2
• E1 - OSPF external type 1
• E2 - OSPF external type 2
• i - IS-IS
• su - IS-IS summary
• L1 - IS-IS level-1
• L2 - IS-IS level-2
• ia - IS-IS inter area
• * - candidate default
• U - per-user static route
• o - ODR
• P - periodic downloaded static route
• H - NHRP
• l - LISP
• + - replicated route
• % - next hop override

As elsewhere, you can see the routes by:

show ip route

Or you can search for a route by (ie search for routes to 10.116.x.x):

show ip route | incude 10.116

 To add a route to the MPLS router nodes, the route must be added as a STATIC route to the node that is LOCAL to the subnet.

For example, we add a new node to the MPLS network. That new node has the following network as a LOCAL subnet: 10.116.0.10/32.

This network would show as the following:

L        10.116.0.10/32 is directly connected, GigabitEthernet0/1

The new node also has the following network as a subnet 10.116.15.0/24. The problem is that while the subnet at the location will already know about the subnet, the other locations will not know about the subnet until it is advertised/distributed across the MPLS network routers.

If you try to traceroute a address on the new subnet from a different location, the other routers will not know what to do and bounce the packet to the default route, causing a loop/bounce.

As stated above, to resolve, the STATIC route must be added to the router where the subnet is located:

S        10.116.15.0/24 [1/0] via 10.116.1.1

To add a static route:
enable
config t
ip route 10.116.15.0 255.255.255.0 10.116.1.1
(note that CIDR doesn't work. ie: ip route 10.251.10.0/24 10.162.100.2)

Once that is added, the other routers will pickup the route as a BGP route:

B        10.116.15.0/24 [20/0] via 10.162.131.38

B routes (BGP) will pick up routes from their neighbor. You can view by:
show ip bgp

O routes (OSPF routes) will pick up routes as well. You can view by:
show ip ospf

Details

Created: 22 August 2019

Let's say you have a bunch of files to rename. You want to minus the first 10 characters of each file. What's the best way?

It depends.

Total Commander

My favorite for small-to-medium batches is Total Commander. It understands REGEX and it shows the before-names and after-names before committing the command.

• -highlight the files (they show as red filenames).
• -click FILE > MULTI-RENAME-TOOL (the rename box shows)
• -find RENAME-MASK (in the upper-left).
• -type: [N10-]
• -adjust according to your situation.
• -click START (at the bottom-right).

This should do it!

Powershell

For powershell, the command will be something like:

get-childitem 'c:\path\to\file\*.txt | rename-item -newname { [string]($_.name).substring(8) }

Or if you need to split at an underscore "_".

Get-ChildItem'c:\path\to\file'|Rename-Item-NewName{ $_.BaseName.Split('_')[0]+ $_.Extension}

NOTES

https://www.ghisler.ch/wiki/index.php/Multi-rename_tool

Details

Created: 15 August 2019

TeamViewer uninstall.

First, stop the service:

sc stop teamviewer

See if the service stopped:

sc query teamviewer

See if there is any TeamViewer process running:

powershell "ps |findstr /i team"

If there is a TeamViewer process running, taskill it:

taskkill /F /T /IM teamviewer.exe

Run the uninstall command:

"C:\Program Files (x86)\TeamViewer\uninstall.exe" /S

Details

Created: 12 August 2019

This information is in other articles that are posted but they can be overly complicated. This is the TLDR version.

Start Powershell

• -start POWERSHELL (as administrator).

Office365 Endpoints | O365 Endpoints | Azure Endpoints | Microsoft Online Endpoints

From here you have the option to connect to different ENDPOINTS of Office365/AzureAD. The information is the same but data is displayed differently depending on which endpoint is being used.

The ENDPOINTS I use regularly are:

1. OUTLOOK/Exchange-Online
2. AzureAD
3. MSOnline
4. Graph (new!)
5. Skype-for-Business/Teams
6. Microsoft Teams

Note that all modules can be found here (although look closely as the names can be unnatural to some):
https://docs.microsoft.com/en-us/powershell/module/

See Installed Modules

If you want to see the installed modules in your current session, you can view by:

Get-InstalledModule

If you want to see all modules and their install location:

get-module -listavailable

Install Module

To connect to the endpoints, a module must be installed into Powershell. So if this is the first time, depending on the endpoint,use the following

1. Outlook/Exchange-Online: type: Install-Module ExchangeOnlineManagement
2. AzureAD: type: Install-Module AzureAD (or Install-Module AzureADPreview)
3. MSOline: type: Install-Module MSOnline
4. Graph: type: install-module microsoft.graph
5. Skype-for-Business/Teams: Import-Module SkypeOnlineConnector
6. Teams: Install-Module MicrosoftTeams

Note that this only has to be done once. After the module is installed into Powershell, it remains.

To install a few at the same time:
install-Module msonline,ExchangeOnlineManagement,AzureADPreview,Microsoft.Graph

Also note that since the AzureAd module is being actively developed, the "preview" module, or beta-version, has additional commands that the current release does not. However only one of the AzureAD modules (either AzureAD or AzureADPreview) can be installed at a time.

Connect to Endpoint

After the module is installed into Powershell, the connection is as follows:

1. OUTLOOK/Exchange-Online: type:
   Connect-ExchangeOnline
   Connect-ExchangeOnline -UserPrincipalName This email address is being protected from spambots. You need JavaScript enabled to view it. -DelegatedOrganization adatum.onmicrosoft.com
   Old-way: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
   Import-PSSession $Session -AllowClobber
2. AzureAD: Connect-azuread
   Import-PSSession $Session -AllowClobber
3. MSOnline: Connect-MsolService
4. Graph: Connect-mggraph (It will ask for your creds via browser)
5. Skype-for-Business/Teams: type:
   $sfbSession = New-CsOnlineSession
   Import-PSSession $sfbSession
6. Teams: Connect-microsoftteams
   Import-PSSession $Session -AllowClobber

Which Endpoint Is Best

It depends on what you are trying to do.

1. OUTLOOK/Exchange-Online: for the Exchange portion of Office365. Should be easy to determine if it is needed.
2. AzureAD: new endpoint that seems to have development in the works. To me the commands are long and arduous but it has the advantage of automation or workflow.
3. MSOnline: tried and true as a legacy option that seems to work best.
4. MS Graph: the new, new endpoint that is the official current supported endpoint.
5. Skype-for-Business/Teams: for the Skype-for-Business/Teams portion of Office365.
6. Teams: for the Microsoft Teams portion of Office365.

Remove Module

Here is how to unload/remove a module:

remove-Module ModuleNameHere
(ie: remove-Module AzureAD)

Uninstall Module

Here is how to uninstall a module:

Uninstall-Module ModuleNameHere
(ie: Uninstall-Module AzureAD)

Or if you have multiple versions:
Uninstall-Module AzureADPreview -AllVersions

Details

Created: 07 August 2019

As a refresher, get-msoluser and get-azureaduser are similar but provide information differently.

This is a case where it seems to be easier to use get-msoluser.

To see all accounts:

get-msoluser

That returns a maximum of 500 results in a command, so you can check with (20000 represents some really high number because 'unlimited' or 'all' doesn't exist):

get-msoluser -maxresults 20000


To search for a specific account:

get-msoluser -searchstr foo.user

To see if accounts are licensed:

get-msoluser -maxresults 20000 |where {$_.islicensed -eq $true}

To see if accounts are not licensed:

get-msoluser -maxresults 1000 |where {$_.islicensed -eq $false}

To see if accounts are not licensed and filter through the external contacts and healthmailboxes:

get-msoluser -maxresults 1000 |?{$_.islicensed -eq $false} |?{($_.UserPrincipalName -notlike "HealthMailbox*") -and ($_.userprincipalname -notlike "*#EXT#*")}

To see an example of the details of a licensed account for ADHOC:

get-msoluser -UserPrincipalName This email address is being protected from spambots. You need JavaScript enabled to view it. |fl |findstr /i licen
IndirectLicenseErrors                  : {}
IsLicensed                             : True
LicenseAssignmentDetails               : {Microsoft.Online.Administration.LicenseAssignmentDetail}
LicenseReconciliationNeeded            : False
Licenses                               : {foodomain:RIGHTSMANAGEMENT_ADHOC}

To see an example of the details of an unlicensed account:

get-msoluser -UserPrincipalName This email address is being protected from spambots. You need JavaScript enabled to view it. |fl |findstr /i licen
IndirectLicenseErrors                  : {}
IsLicensed                             : False
LicenseAssignmentDetails               : {}
LicenseReconciliationNeeded            : False
Licenses                               : {}

To assign a license to an account, you might think that set-msoluser has a key/value but they break it out to set-msoluserlicense (which is weird because there is no get-msoluserlicense). But before that is possible, the account must be set for USAGELOCATION (which is set-msoluser):

set-msoluser -UserPrincipalName This email address is being protected from spambots. You need JavaScript enabled to view it. -usagelocation US

set-msoluserlicense -UserPrincipalName This email address is being protected from spambots. You need JavaScript enabled to view it. -AddLicenses "foodomain:TEAMS_COMMERCIAL_TRIAL"

Likewise for removing the license:

set-msoluserlicense -UserPrincipalName This email address is being protected from spambots. You need JavaScript enabled to view it. -removeLicenses "foodomain:TEAMS_COMMERCIAL_TRIAL"

What options are available for the license key?

Glad you asked. Here is how to get the options for your tenant:

Get-MsolAccountSku

If something doesn't show, it is because it has not been provisioned.

Details

Created: 06 August 2019

So it is easy to find out what USER is a member of what GROUP. Or vice-versa.

What is not as easily available is finding out what USER has access to another account. Or another way of putting it is; how to find mailboxes that have additional permissions than just their own?

Here's how:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}}

Or if you need to create an Excel document out of it:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions-v1.csv

Notes:

This is found in the article for Remove Mailbox Permissions That Are Not Inherited but the info might be hidden there.

Details

Created: 02 August 2019

For whatever reason, I had an account in Azure AD that picked up the @foobar.onmicrosoft.com domain rather than the actual local domain. I suspect this happened because there was already an account manually created as a Global Admin so when the AD sync was happening, it could not create an account and defaulted to the onmicrosoft.com account.

In any regard, you can delete the account on Azure AD without affecting the Local AD. After the deletion, sync back to Azure AD from the Local AD.

These are the steps:

Connect to Office365/ExchangeOnline

Set-ExecutionPolicy RemoteSigned

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session -AllowClobber

Connect to MSOnline

Install-Module AzureAD

Install-Module MSOnline

Connect-MsolService -Credential $LiveCred

Get the User / Delete the User

get-msoluser -searchstring foouser

get-MsolUser -ObjectId 33f85584-acde-4c23-aa00-d8ab654a258b

remove-MsolUser -ObjectId 33f85584-acde-4c23-aa00-d8ab654a258b

Connect to AzureAD & Verify the Account Does not Exist

Connect-azuread -Credential $LiveCred

get-AzureADUser

get-azureaduser -searchstring fooname

Permanently Delete

Go to Azure Acive Directory > Users > Deleted Users

Select User

Permanently Delete

Sync from Local AD

Then to sync back from the Local AD.

-connect directly to the system that has Azure AD Connect.

Check the schedule:

Get-ADSyncScheduler

Run the sync:

Start-ADSyncSyncCycle -PolicyType Delta

Notes

get-msoluser and get-azureaduser are pretty much the same in that they will provide the same basic details. They are different in that they connect to different endpoints of the service and therefore provide similar information but provide it differently.

In short, get-msoluser is the 'old way' and get-azureaduser is the 'new way.'

The problem is that the old way is easier to use and not everything is in the new way.

Details

Created: 02 August 2019

Of course you can use the DNS at the REGISTRAR (GoDaddy, Enom, etc) level but what if you have access to the server but not the domain?

Two files are needed:

1. index.php
2. .htaccess (don't forget the leading '.' and there are no extensions)

The contents of the index.php file to redirect to the new web site:


    header('Location: https://foo.tld');
?>