Thursday, June 15, 2017

Skype for Business - Network password required to connect



Most enterprises use a corporate proxy to control Internet access for the organisation. Skype for Business makes connections to the Internet to display the tips on start-up, and this can cause the dreaded error message displayed above and a lot of help desk calls.

So this is how we can stop this from happening.

Whitelist the following URLs for unauthenticated access:







Then we can add the following reg keys via Group Policy or RES Workspace, depending on the environment.

Open Regedit and go to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
Create a new DWORD named IsBasicTutorialSeenByUser with value: 1
Create a new DWORD named TutorialFeatureEnabled with value: 0

###############################################################
 HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry
Name: DisableTelemetry
Type: DWORD
Value: 160000 (Decimal)
######################################################################
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\User Settings\ClientTelemetry]
"Count"=dword:00000001
###############################################################
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\User Settings\ClientTelemetry\Create\Software\Microsoft\Office\Common\ClientTelemetry]
"DisableTelemetry"=dword:29810
###############################################################

Credit:





Thursday, March 30, 2017

How to lock down Office365 Global Admin access with management scopes.


I have not posted a blog entry in quite some time; I have been crazy busy working for my new employer Evros and busy with my kids. I hope this blog will prove useful to anyone out there that follows my blog, and I promise a lot of blog posts to follow, focusing on data protection, advanced threat analytics and Azure.

To help describe why an enterprise would like to lock down global admin access, I would like to describe a typical enterprise organisation and scenario.

Contoso.com is an enterprise organisation that consists of 15 companies. 
Contoso.com is the root AD Forest of the organisation and all other companies have their own child domains.
Contoso.com is the head office of the organisation and is responsible for data protection and governance within the organisation.
AD Connect synchronizes the root forests and child domains.

Contoso would like to remove global admin privileges from ICT admin staff in one of the organisation's companies, Fabrikam, and grant the ICT admin staff some custom Exchange Online administration privileges. The Fabrikam ICT admin staff must also have the ability to log Office365 service requests.

The following steps are required to lock down the Fabrikam ICT staff access to Office365 as per Fabrikam's parent company Contoso's new security and data protection policies.

#####################Exchange Management Shell############################
####Create Management Scope
New-ManagementScope -Name "EO-FABRIKAM" -RecipientRestrictionFilter {customattribute10 -like "FABRIKAM"}
####All mail-enabled objects in the Fabrikam child domain will have the value 'Fabrikam' added to the Active Directory attribute: extensionAttribute10
####Create a Role Group
New-RoleGroup -Name "EO-FABRIKAM" -Roles "User Options", "Address Lists", "Distribution Groups", "Team Mailboxes", "Mail Recipients", "Reset Password", "Mail Recipient Creation", "Message Tracking", "Move Mailboxes", "Migration", "Retention Management", "UM Mailboxes", "UM Prompts", "Unified Messaging" -Members "EO Fabrikam Admins" -CustomRecipientWriteScope "EO-FABRIKAM" -ManagedBy "Organization Management"

####Note: When assigning the members to a security group, the security group must be a mail-enabled security group.

####################Windows Azure Active Directory###########################
 

####Import CSV
$Users = Import-Csv "CSV PATH"
####Assign Role
$Users | ForEach-Object {Add-MsolRoleMember -RoleMemberEmailAddress $_.UserPrincipalName -RoleName "Service Support Administrator"}

####Note: It is not possible to assign service administrator roles per security group


############################Summary####################################

Fabrikam ICT admins can access the Exchange Online Control Panel via this URL: https://outlook.office365.com/ecp
Fabrikam ICT admins can log Office365 service requests via this URL:

#############################Next Steps##################################
The next steps would be to create similar management scopes and role groups for SharePoint Online and Skype for Business. (New blog post to follow.)
Once Contoso have locked down access for all the companies within their organisation, the next step will be developing compliance and governance policies in the Security and Compliance Center in Office365.




Tuesday, April 19, 2016

OneDrive for Business next gen client


Finally OneDrive really is OneDrive. The next gen client uses the same engine for OneDrive personal and OneDrive for Business. I have always found the OneDrive personal client better than the OneDrive for Business client.

The next gen client uses the same engine and it just works, no more sync issues. To ensure you are using the correct client, browse to https://onedrive.live.com/about/en-us/download/, click on the download link and update your client.

After your client is updated you should have version 17.3.6381.0405 as per the image below.



After the client has been updated, sync your personal OneDrive and select only the folders required. Then right-click on the OneDrive icon in the system tray and select Settings. You can now add a business account as per the image below and select only the folders required for syncing.



If you have Office installed, the next thing is to disable startup of the OneDrive for Business client that is part of the Office suite, as per the image below.


So now, finally, OneDrive simply works and a lot of the old limitations like the 20,000 item sync limit have been removed.





Tuesday, March 22, 2016

Folder Filtering and mapping with Dell MFNE

 
 
This is an update to my original posting which is featured on Dell KB18650
 
During work on another global Domino to Exchange migration, I have added some more filters which may become useful for these types of migrations.
 
CUSTOM FOLDER MAPPINGS
 
~INBOX=Inbox
~SENT=Sent Items
~CALENDAR=Calendar
~CONTACTS=Contacts
~TASKS=Tasks
~TRASH=Deleted Items
~DRAFTS=Drafts
~OUTBOX=Outbox
~JOURNAL=Journal
JUNKMAIL=Junk E-mail
JUNKMAIL_2013=Junk Email
Chat History=Conversation History
RSS Subscriptions=RSS Feeds
 
FOLDER FILTERS
 
filter0=($Alarms)
filter1=(Group Calendars)
filter2=(Rules)
filter3=($Design)
filter4=Alarms
filter5=(CalSummary)
filter6=(~MAPISP(Internal))
filter7=(IPMCOMMONVIEWS)
filter8=(IPMVIEWS)
filter9=(Search Root)
filter10=($MAPIInbox)
filter11=($MAPIInfo)
filter12=($MAPIIPM Subtree)
filter13=($MAPIOutbox)
filter14=($MAPISent)
filter15=($MAPITrash)
filter16=(Discussion Threads)
filter17=($ToDo)
filter18=($FolderInfo)
filter19=($POP3)
filter20=(To do's\By Category)
filter21=(To do's\By Status)
filter22=(Mail Threads)
filter23=($FolderAllInfo)
filter24=($Inbox-Categorized1)
filter25=(MAPIUseContacts)
filter26=(APIUseContacts)
filter27=($MAPIUseContacts)
filter28=$MAPIUseContacts
filter29=JUNKMAIL
filter30=(JUNKMAIL)
filter31=($JUNKMAIL)
filter32=$JUNKMAIL
filter33=EML
filter34=(EML)
filter35=($EML)
filter36=$EML
filter37=(Manage Folders)
filter38=Manage Folders
filter39=$Manage Folders
filter40=($Manage Folders)
filter37=(Custom Expiration\By Date)
filter38=Custom Expiration\By Date
filter39=$Custom Expiration\By Date
filter40=($Custom Expiration\By Date)
filter41=FolderHiddenPublic
filter42=(FolderHiddenPublic)
filter43=(namecolumn)
filter44=(attachment icon)
filter45=$(FolderHiddenPublic)
filter46=($FolderHiddenPublic)
Filter47=(~CustomExpiration)
Filter48=(&CustomExpiration)
Filter49=(CustomExpiration)
Filter50=CustomExpiration
Filter51=$CustomExpiration
Filter52=($CustomExpiration)
Filter53=(~EML)
Filter54=(&EML)
Filter55=(EML)
Filter56=EML
Filter57=$EML
Filter58=($EML)
Filter59=(~FolderHiddenPublic)
Filter60=(&FolderHiddenPublic)
Filter61=(FolderHiddenPublic)
Filter62=FolderHiddenPublic
Filter63=$FolderHiddenPublic
Filter64=($FolderHiddenPublic)
Filter65=(~MAPIUseContacts)
Filter66=(&MAPIUseContacts)
Filter67=(MAPIUseContacts)
Filter68=MAPIUseContacts
Filter69=$MAPIUseContacts
Filter70=($MAPIUseContacts)
Filter71=(~NameColumn)
Filter72=(&NameColumn)
Filter73=(NameColumn)
Filter74=NameColumn
Filter75=$NameColumn
Filter76=($NameColumn)
Filter77=(~Stationery)
Filter78=(&Stationery)
Filter79=(Stationery)
Filter80=Stationery
Filter81=$Stationery
Filter82=($Stationery)
Filter83=(~Drafts)
Filter84=(&Drafts)
Filter85=(Drafts)
Filter86=Drafts
Filter87=$Drafts
Filter88=($Drafts)
Filter89=(~Manage Folders)
Filter90=(&Manage Folders)
Filter91=(Manage Folders)
Filter92=(Manage Folders)
Filter93=$(Manage Folders)
Filter94=($Manage Folders)
Filter95=(~Sent)
Filter96=(&Sent)
Filter97=(Sent)
Filter98=Sent
Filter99=$(Sent)
Filter100=(~SametimeInfo)
Filter101=(&SametimeInfo)
Filter102=(SametimeInfo)
Filter103=SametimeInfo
Filter104=$SametimeInfo
Filter105=($SametimeInfo)
Filter106=(~Attachment Icon)
Filter107=(&Attachment Icon)
Filter108=(Attachment Icon)
Filter109=Attachment Icon
Filter110=$Attachment Icon
Filter111=($Attachment Icon)
Filter106=(~Custom Expiration\Manage Folders)
Filter107=(&Custom Expiration\Manage Folders)
Filter108=(Custom Expiration\Manage Folders)
Filter109=Custom Expiration\Manage Folders
Filter110=$Custom Expiration\Manage Folders
Filter111=($Custom Expiration\Manage Folders)
Filter112=(~By Date)
Filter113=(&By Date)
Filter114=(By Date)
Filter115=By Date
Filter116=$By Date
Filter117=($By Date)
Filter118=((~Custom Expiration\Manage Folders))
Filter119=((&Custom Expiration\Manage Folders))
Filter120=((Custom Expiration\Manage Folders))
Filter121=(Custom Expiration\Manage Folders)
Filter122=($Custom Expiration\Manage Folders)
Filter123=(($Custom Expiration\Manage Folders))
Filter124=((~Custom Expiration\By Date))
Filter125=((&Custom Expiration\By Date))
Filter126=((Custom Expiration\By Date))
Filter127=(Custom Expiration\By Date)
Filter128=($Custom Expiration\By Date)
Filter129=(($Custom Expiration\By Date))
Filter130=(~Company Column)
Filter131=(&Company Column)
Filter132=(Company Column)
Filter133=Company Column
Filter134=$Company Column
Filter135=($Company Column)
Filter136=(~E-mail Column)
Filter137=(&E-mail Column)
Filter138=(E-mail Column)
Filter139=E-mail Column
Filter140=$E-mail Column
Filter141=($E-mail Column)
Filter142=(Custom Expiration\Manage Folders)
Filter143=(To do's\Incomplete)
Filter144=FolderRefInfo
Filter145=(Custom Expiration\Expired Documents)
Filter146=(Recently Archived)
Filter147=MAPIIPMCOMMONVIEWS
Filter148=MAPIIPMVIEWS
Filter149=MAPINet Folder Inbox
Filter150=MAPISearch Root
Filter151=PrivateIcon
Filter152=(By Person)
Filter153=Phone Column
Filter154=Address column
Filter155=EML
Filter156=MAPIUseContacts


Thursday, July 2, 2015

Synchronize an Exchange Online Mailbox with a different Active Directory Forest.


I recently worked on a project whereby I was migrating a global company that owned a number of businesses, and they wanted to break down the barriers between the different brands and all collaborate under a new brand in Office365.

I synchronized a number of forests from around the world into the organization's Office365 tenant using the new Azure Active Directory synchronization tool. 

One of the businesses shared their Exchange Server (Business A)  with another business (Business B) and to migrate their mailboxes I implemented an Exchange Hybrid and migrated the mailboxes into Exchange Online. 

Business A Active Directory was authoritative for Business B mailboxes. So how do we disjoin them from Business A and synchronize them with Business B, so that Business B can perform identity management on their own Active Directory forest?

The following steps explain how to do this. This can of course be scripted if there are hundreds or thousands of users.


  1. Run this command on the Business B Active Directory forest to obtain each user's immutable ID:
    ldifde -f con -r userprincipalname=sean@contoso.com -l objectguid
  2. Then, in the AAD tool, stop synchronizing the users from Business B.
  3. This will then delete the users' accounts. Go to the Office365 recycle bin and restore each user's account. This will also convert the user's account to a cloud identity.
  4. Then run this command in the 'Windows Azure Active Directory Module for Windows PowerShell' to set the cloud user's immutable ID so that it matches the object GUID obtained in step 1:

    Set-MsolUser -UserPrincipalName sean@contoso.com -ImmutableID I3/MGNcBbUWWVs+jXPTH4g==
  5. Finally, there are some attributes that we need to match from the Business A Active Directory forest with each user's account in the Business B Active Directory:

    msExchAddressBookFlags
    msExchMailboxGuid
    msExchMasterAccountSid
    msExchRemoteRecipientType
  6. Now we are ready to sync the OU with the AAD tool from Business B, and the Business B Active Directory will be the authoritative Active Directory forest for these mailboxes.
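
Steps 1 and 4 scripted for many users, as an added example that is not part of the original post: ldifde writes objectGUID as base64 (the `::` marker), which is the same string passed to Set-MsolUser -ImmutableID, so the check below decodes each value, confirms it is a 16-byte GUID, flags duplicates and prints the step 4 command instead of running it. The LDIF sample and the function name are constructed for illustration, and the sample assumes the export was run with `-l userPrincipalName,objectGUID` so that each record carries the UPN.

```powershell
# Added example (not from the original post). Constructed ldifde output;
# assumes the export used: -l userPrincipalName,objectGUID
$ldif = @'
dn: CN=Sean,OU=Users,DC=contoso,DC=com
changetype: add
userPrincipalName: sean@contoso.com
objectGUID:: I3/MGNcBbUWWVs+jXPTH4g==

dn: CN=Truncated,OU=Users,DC=contoso,DC=com
changetype: add
userPrincipalName: truncated@contoso.com
objectGUID:: I3/MGNcBbUWWVs+j
'@

function ConvertFrom-LdifGuidExport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Ldif)
    # LDIF records are separated by one or more blank lines.
    foreach ($record in ($Ldif -split '(?:\r?\n){2,}')) {
        $upn = if ($record -match '(?m)^userPrincipalName:\s*(\S+)') { $Matches[1] }
        $b64 = if ($record -match '(?m)^objectGUID::\s*(\S+)') { $Matches[1] }
        if (-not $upn -or -not $b64) { continue }   # not a user record

        $guid = $null
        try {
            $bytes = [Convert]::FromBase64String($b64)
            # An objectGUID is exactly 16 bytes; anything else is a damaged export.
            if ($bytes.Length -eq 16) { $guid = [guid]$bytes }
        } catch [FormatException] { }

        [pscustomobject]@{
            UserPrincipalName = $upn
            ImmutableId       = $b64
            ObjectGuid        = $guid
            Valid             = ($null -ne $guid)
        }
    }
}

$plan = @(ConvertFrom-LdifGuidExport -Ldif $ldif)

# Two users must never share one ImmutableID; flag duplicates before writing.
$dupes = $plan | Group-Object ImmutableId | Where-Object Count -gt 1
if ($dupes) { Write-Warning "Duplicate ImmutableID: $($dupes.Name -join ', ')" }

$plan | Format-Table UserPrincipalName, ObjectGuid, Valid -AutoSize | Out-Host

# Print the step 4 command for validated rows only; review, then run.
$plan | Where-Object Valid | ForEach-Object {
    "Set-MsolUser -UserPrincipalName $($_.UserPrincipalName) -ImmutableID $($_.ImmutableId)"
}
```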

Tuesday, March 31, 2015

Dell Migrator for Notes to Exchange - Admin Pool



As of yesterday, 30.01.15, the admin pool feature stopped working.

To resolve this issue, assign a license to all the admin pool accounts.

Also I noticed that I could configure/adjust the Office 365 PowerShell Throttling in the MFNE console. To resolve this, perform the following steps.


1.) Open the MNE Migration Manager.
2.) Click the Menu button in the upper right and select Global Default Settings.
3.) In the text file that opens, save a copy of the current Global Default Settings, and locate the [PowerShell] heading.
4.) Remove the [PowerShell] heading and all values directly beneath it.
5.) Save and Close the file.
6.) Exit the MNE Migration Manager.
7.) Open the MNE Migration Manager and try configuring the Office 365 PowerShell Throttling settings again. You can also refer to the following KB article:


Sunday, December 28, 2014

Script to add legacyexchangedn as x500 alias into AD user object for Exchange Online

Consider a scenario where the source messaging platform is not an Exchange hybrid, such as Lotus Notes or GroupWise, some users are already using Office365, and co-existence was achieved by uploading all of the on-premises users as external contacts. Office365 recipients have messages forwarded to them from the source messaging platform.

As you begin to convert the on-premises users to federated or managed users, you need to capture each user's legacyExchangeDN and add it to the AD user's proxyAddresses attribute as an x500 alias to prevent potential NDRs from existing Office365 users.

So run this Exchange Online command:

Get-MailContact -ResultSize Unlimited | Select-Object legacyExchangeDN,PrimarySmtpAddress | Export-Csv "csv file path"

Then delete the first line (line 1) from the CSV output.

Then download this SCRIPT and edit the following lines


  • edit line 11 and enter your domain name
  • edit line 25 and enter your domain name
Then hold down Shift, right-click on the CSV and select Copy as path, paste the path into the window as per the image below, and press the green play button.

This script will then search the root of the domain based on the domain name and mailNickname and add an x500 alias into each user's proxyAddresses attribute, which will then be synced to Office365 via dirsync.

Before the OU containing the AD user objects is synced, you will need to run this command, as there will be conflicts in dirsync.

import-csv "C:\Users\admin\Desktop\contacts to be deleted\contacts.csv" | Foreach-Object{Get-Mailcontact $_.primarysmtpaddress | remove-mailcontact -Confirm:$false}

Credit : Eduardo Martin