Archive for the ‘Exchange Server’ Category

(2016-01-19) Free AD Tool For The IT Pro (4)

Posted by Jorge on 2016-01-19

While browsing the internet I found the following AD related tools that might be worth checking out. Have fun!

–

REMARK: I do not own and do not support these tools. These tools are also not specifically recommended by me, this post is just a "FYI only!" It is your responsibility to test and check out these tools to see if these meet your requirements.

–

Z-Hire/Z-Term Active Directory, Exchange, Lync, Office 365 User Creation Tool

Z-Hire automates the IT account creation process for Exchange mailbox, Active Directory, Lync accounts, Office 365 cloud and SalesForce cloud deployments. With just a click of the button, your Exchange mailbox, and Active directory user and Lync accounts will be created simultaneousy. This tool can also create and set custom settings for Office 365 accounts using templates. Z-Hire serves as the platform for new hire accounts by allowing auto-creation of major IT user accounts with the option for custom scripts. Z-hire will decrease your new hire user account deployment time by 600%, without the need for complicated and expensive identity management solutions. This Active Directory User Creation Tool makes creating Active Directory users a breeze. Some of the features include:

Environment Auto detection/discovery (AD/Exchange/Lync/Office 365/SalesForce)
Copy existing Active Directory User to Z-Hire Template
Support for Active Directory user, Exchange Mailbox, Lync 2010, Lync 2013, Office 365 user and SalesForce user account
Template based deployment (allows consistency for all user accounts)
Office 365 account creation with major attributes
Office 365 license only mode (assign license only, when using DirSync)
Office 365 Hybrid mode ( for organizations running Office 365 in Hybrid mode)
Active Directory user account creation with major attributes
Active Directory group selection
Active Directory user duplicate SamAccountName verification
Lync 2010 account creation supporting all policies
SalesForce user creation support all major attributes
Faster performance (compared to previous version)
Bulk import from CSV / Text to provision Active Directory, Exchange, Lync and Office 365 users (version 5.3)
HRIS / WorkDay driven user provisioning (Automatically provision users from WorkDay and other HRIS Systems)
HRIS / WorkDay driven data sync (Automatically sync user data such as Title, Department from WorkDay and other HRIS systems)

–

Click HERE for more information

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Exchange Server, IT Pro Tools, OCS/Lync Server, Office 365, Windows Azure Active Directory | Leave a Comment »

(2015-12-17) The “Get-ADPermission” CMDlet Reports A Corrupted ACE

Posted by Jorge on 2015-12-17

You are managing Exchange through PowerShell and this time you are checking the AD permissions on a user account with a mailbox. For that you use the following PwoerShell command line:

Get-Mailbox -identity "<identity value>" | Get-ADPermission | Sort user | FT –AutoSize

The “<identity value>” specifies the mailbox that you want to view. You can use any value that uniquely identifies the mailbox. Values of example are:

Name
Display name
Alias
Distinguished name (DN)
Canonical DN
<domain name>\<account name>
Email address
GUID
LegacyExchangeDN
SamAccountName
User ID or user principal name (UPN)

–

The command executes and you are confronted with the following, or similar, error:

WARNING: The object IAMTEC.NET/Org-Users/EMPLOYEES/Users/ICT/Jorge.deAlmeidaPint has been corrupted, and it’s in an inconsistent state. The following validation errors happened:

WARNING: The access control entry defines the ObjectType ’18d30bdd-e673-6047-b13c-cffee0abb929′ that can’t be resolved..

Figure 1: The PowerShell CMDlet “Get-ADPermission” Throws Error About Corrupted ACE

–

After seeing this error you may think about incorrect ordering of ACEs, as explained in the blog post (2014-08-04) Incorrectly Ordered Permissions After Removing ACE With LDP, or might even think your AD schema is in a bad shape.

This time, that is not the case.

–

Let’s investigate this step by step and see where the so called corruption came from!

–

When an ACE is defined, the specified security principal (user, group or computer) is assigned the specified permissions for an objectClass or for an attributeClass within a objectClass. In either case the specified objectClass or attributeClass is always translated under the hood to its corresponding schemaIDGUID. Every objectClass and attributeClass in the AD schema must have and has a unique schemaIDGUID value. When extending the AD schema it is not mandatory to specify a schemaIDGUID value in base64 format. If you do not specify a schemaIDGUID value, AD will generate a unique value for you. However, that is NOT a best practice. When extending the AD schema you should always specify a unique schemaIDGUID value. If you intend to deploy your schema extension to multiple AD forests, then the schemaIDGUID for the extended objectClass or attributeClass across all AD forest is preferably the same schemaIDGUID value.

–

The error mentions “ObjectType ’18d30bdd-e673-6047-b13c-cffee0abb929’”. The specified GUID value is NOT the objectGUID, it is the schemaIDGUID value of the objectClass or attributeClass that is causing the error. So, let’s search using the specified schemaIDGUID value.

For I’m going to use PowerShell through the following command to find the objectClass or attributeClass:

$rawGuid = ([guid]’18d30bdd-e673-6047-b13c-cffee0abb929′).toByteArray();

Get-ADObject -Filter {schemaIDGUID -eq $rawGuid} -SearchBase (Get-ADRootDSE).schemaNamingContext -Properties * | FL

The query result is:

Figure 2: Result Of The PowerShell Query In Searching For An objectClass Or attributeClass Through The schemaIDGUID

–

The name of the attributeClass already tells you how special it is, but that’s because I named it like that. In reality you will not see that. The real answer is hidden in the searchFlags property. If you look above you will 904, and that does not tell you much, unless you decode it yourself, or use ADFIND from joeware.net. (@joe: stop laughing!)

Now let’s use ADFIND through the following command to find the objectClass or attributeClass:

adfind -schema -f "schemaIDGUID={{GUID:18d30bdd-e673-6047-b13c-cffee0abb929}}" -binenc –flagdc

The query result is

Figure 3: Result Of The ADFIND Query In Searching For An objectClass Or attributeClass Through The schemaIDGUID

–

Of course ADFIND will return the same attributeClass, but at the same time it decoded searchFlags and systemFlags. When looking at the searchFlags property you will see the attribute has been configured with the confidentiality bit. Now, what’s special about that? You may remember it or not, but to be able to read the data in a confidential attribute, you must be either a member of “Domain Admins” or a member of “Account Operators” or a member of any other group that has Full Control on the corresponding object, or you must have at least the “Control Access” extended right.

–

Now the ONLY tools, I know of, that can both read (interpreter) and set the “Control Access” extended right, are DSACLS, LDP and ADFIND/ADMOD. Any other tools, may not process/interpreter it correctly. Those tools then either do not display the “Control Access” extended right or throw some weird error, like the PowerShell CMDet “Get-ADPermission”.

–

Now you might think “Yeah right. Your attribute is a custom AD schema extension and its has been implemented/designed in a bad way!”. Again, that’s not the case. This AD schema extension or any other AD schema I have ever designed has followed best practices! By default, the AD schema also contains attributeClasses that have been configured with the confidentiality bit. To find those attributeClasses, read the (2014-12-19) Finding Attributes Marked As Confidential. Now choose an attribute you like, and configure it with the “Control Access” extended right (do this in a TEST environment).

To configure the “Control Access” extended right for the confidential attribute on an OU that targets user objects, execute the following command:

DSACLS "<DN of OU>" /G "<Security Pincipal>:CA;<Confidential Attribute>;user" /I:S

Now, execute the Get-ADPermission CMDlet as specified at the beginning of this blog post. You should see a similar error about a corrupted ACE.

–

Therefore the conclusion is, that this is caused by the GET-ADPermission CMDlet (bug!) that misinterpreters the “Control Access” extended right. I know this occurs in Exchange Server 2010 and Exchange Server 2013, and most likely also in Exchange Server 2016. The Exchange Product Team, most likely, will never fix this as it is very low priority and there is no real issue here. If you really want to change the behavior of the GET-ADPermission CMDlet, then you need to submit a Design Change Request (DCR) will and impact analysis, including any monetary harm or loss you have due to this behavior. Good luck in trying to do that! You are better off ignoring this and paying real attention to some other stuff that’s more important! Smile

–

Posted in Active Directory Domain Services (ADDS), Confidential, Exchange Server, PowerShell | 5 Comments »

(2014-02-27) Exchange OWA Through ADFS

Posted by Jorge on 2014-02-27

In following blog posts you can read how you can access OWA through federation and kerberos constrained delegation (KCD):

–

In the scenarios above the Claims To Windows Token Service (C2WTS) was used to perform the KCD part as ADFS itself is not capable of doing that

–

With the release of Exchange 2013 SP1, it is now natively supported and you do not need to perform all kinds of manual steps. Instead of using the C2WTS, you can now use the Web Application Proxy (WAP) to perform the KCD part.

see: Using AD FS claims-based authentication with Outlook Web App and EAC

Although I have not tried this myself, after reading it quickly I noticed a few weird things:

Step 1: Although true what is said, I would like to suggest the following regarding the certificates:

Service Communication Certificate for ADFS –> CA issued from an internal PKI if available, otherwise CA issued from a well-known external/third-party CA issuer (e.g. DigiCert, Thawte, Verisign, etc.)
Token Signing Certificate for ADFS –> CA issued from a well-known external/third-party CA issuer (e.g. DigiCert, Thawte, Verisign, etc.). Although possible, you should not use self-signed certificates or CA issued from an internal PKI
Token Encryption Certificate for ADFS –> CA issued from a well-known external/third-party CA issuer (e.g. DigiCert, Thawte, Verisign, etc.). Although possible, you should not use self-signed certificates or CA issued from an internal PKI

Step 2: If you are using CA issued certs for Token Signing Certificate and the Token Encryption Certificate you need to install ADFS through FSCONFIG.EXE (ADFS v2.0 and ADFS v2.1) or INSTALL-ADFSFARM (ADFS v3.0) and specify the thumbprint of the certificates. You need to make sure those certificates are in the local certificate store first!
Step 2: it is not true you require a group Managed Service Account. Sure that would be preferred, you must have at least one W2K12 DC or higher to be able to support that. However in all cases you can still use a normal service user account.
Step 3: I’m kind of surprised to see the so called require claims rules for both the OWA relying part trust as the EAC relying party trust. Like I said, I have not done this myself yet, but I would expect to only require the pass-through of the UPN claim on both RP trusts. Of course you need to ask yourself "if I pass it through, where do I pass it from then?" Right! You gather the UPN claim by using a claim rule on the claims provider trust. How you do that differs from ADFS v2.x and ADFS v3.0. With ADFS v2.x you need to perform an LDAP query (using the LDAP Claim Rule Template) and in ADFS v3.0 you can pass it through (see: "(2011-09-13) Bare Minimum Acceptance Transform Rules For The Default Claims Provider Trusts In ADFS v2.0" and "(2014-02-10) Bare Minimum Acceptance Transform Rules For The Default Claims Provider Trusts In ADFS v3.0 (Update 1)")
Step 4: No clue WHY the claims rules are being added, again. That was already done in step 3. Again no clue why you need the Primary SID and the Group SID
Step 5: I saw the following line: "Although Web Application Proxy isn’t required" Huh? Who’s going to do the KCD part then? I agree you should use WAP when allowing external access. But for internal access, if WAP is not required, is that the reason why they are sending the "Primary SID" claim and the "Group SID" claim? Hmmmm, interesting. I wonder if ADFS has some hidden feature regarding KCD. To be investigated!

–

Well, have fun!

If you try it yourself, please let me know your findings. Thanks in advance

–

Posted in Active Directory Federation Services (ADFS), Claims Based Apps, Exchange Server, OWA, Security Token Service (STS), Web Application Proxy | Leave a Comment »

(2014-02-25) Updates For Exchange 2007, 2010 And 2013 Released To Support W2K12R2 OS, AD, DFL/FFL

Posted by Jorge on 2014-02-25

Today Microsoft released updates for Exchange 2007, 2010 and 2013 to be supported:

On a W2K12R2 server
In an AD with W2K12R2 DCs
In an AD where DFL/FFL is W2K12R2

–

Exchange 2007

Technical details can be read here.
SP3 RU13 and later provides that support. Get RU13 from here.

Exchange 2010

Technical details can be read here.
SP3 RU5 and later provides that support. Get RU5 from here.

Exchange 2013

Technical details can be read here.
SP1 and later provides that support. Get SP1 from here.

–

The supportability matrix is available here.

–

Posted in Active Directory Domain Services (ADDS), Exchange Server, Windows Server | Leave a Comment »

(2012-01-29) Exchange Management Console Not Working And Exchange Management Shell Missing In Exchange Server 2010

Posted by Jorge on 2012-01-29

After installing Exchange Server 2010 in my test environment and applying the latest service pack for it (SP2) I got the following error when starting the Exchange Management Console.

Figure 1: Exchange Management Console In Exchange Server 2010 – Failed To Initialize

–

(X) Initialization Failed

The following error occurred while searching for the on-premises Exchange server:

The term ‘C:\Program Files\Microsoft\Exchange Server\V14\Bin\ConnectFunctions.ps1’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. It was running the command ‘. ‘C:\Program Files\Microsoft\Exchange Server\V14\Bin\ConnectFunctions.ps1”.

–

In addition I saw that the shortcut for the Exchange Management Shell was missing.

Figure 2: Exchange Management Shell For Exchange Server 2010 Missing

–

The solution to both issues is mentioned in the following blog post:

Exchange Management Shell (EMS) missing after applying Exchange 2010 SP1

–

Although it mentions SP1, it will also work for SP2.

–

PS: have you seen the Exchange Management Console Troubleshooter? Get it here.

–

Posted in Exchange Server, PowerShell | 3 Comments »

(2011-06-20) Free Exchange Tools For The IT Pro (1)

Posted by Jorge on 2011-06-20

While browsing the internet I found the following Exchange related tools that might be worth checking out. Have fun!

–

REMARK: I do not own and do not support these tools. These tools are also not specifically recommended by me, this post is just a "FYI only!" It is your responsibility to test and check out these tools to see if these meet your requirements.

–

Anti Spam for Exchange
NetWrix Anti Spam for Exchange is a FREEWARE anti-spam solution for Microsoft Exchange Server or Microsoft Small Business Server (SBS). The product is very easy to install and run, works on the server, and doesn’t require any client-side components. All incoming messages are checked for known spam criteria, such as Spam URL Realtime Block Lists (SURBL) and keyword filtering, and then suspected e-mails are delivered to user’s Junk E-mail folder.

Click HERE for more information

–

Catch-All Mailbox Configurator for MS Exchange

Microsoft Exchange has no native support for catch-all mailboxes, but the freeware NetWrix Catch-All Mailbox Configurator tool is a very easy way to configure a catch-all e-mail with a couple of mouse clicks and without any custom scripts and tricky configuration steps. You just install this tool on your Hub Transport or Edge Transport Exchange server and specify an e-mail domain and e-mail address to which all uncaught mail should be forwarded.

Click HERE for more information

–

Exchange Change Reporter

NetWrix Exchange Change Reporter is a Microsoft Exchange auditing solution that tracks and reports all changes made to all Exchange Server configurations and permissions. The product generates reports that show all created, deleted, and modified objects and settings. Four basic questions are answered: What changed? How was it changed? Who did it? When was it changed? Powered by AuditAssurance™ technology, the Exchange Change Reporter tracks changes to configuration settings, creation and deletion of mailboxes, information stores, Exchange servers, connectors, protocol parameters, storage groups and many other types of objects and their permissions. The modification events indicate "before" and "after" values for all modified settings, for example, the previous name of a recently renamed mailbox or how the mailbox quotas looked like before they were changed.

Click HERE for more information

–

Exchange Mail Archiver

Exchange Mail Archiver archives all e-mail messages in a central location and makes them available for quick e-Discovery/compliance responses with protection against content tampering in PST files and mailboxes. Archived messages are stored in a highly compressed format to minimize storage usage and increase Exchange server efficiency, and original messages in mailboxes are replaced with short URLs making them available to mailbox owners with minimal user impact. The usage of Exchange Mail Archiver also removes hassles of PST file maintenance and mailbox quota management: PST files can be completely removed from your Exchange environment without increasing mailbox quotas.

Click HERE for more information

–

Non-owner Mailbox Access Reporter for Exchange

NetWrix Non-owner Mailbox Access Reporter is a FREE tool that detects all situations when administrators and other users have gained access to another user’s mailbox. The product shows exactly who accessed what mailboxes over the last day, month, or year, allowing you to detect unauthorized activity from users with excessive or misconfigured rights who may be trying to steal confidential information from the mailboxes of company executives and management. The auditing and reporting of non-owner mailbox access ensures that internal policies and regulatory compliance requirements are met.

Click HERE for more information

–

Posted in Exchange Server, IT Pro Tools | Leave a Comment »

(2011-06-15) Pictures/Photos In Exchange/Outlook

Posted by Jorge on 2011-06-15

Multiple (blog) resources on the internet contain information how to add and leverage pictures/photos in AD to be shown in Exchange/Outlook. I have summarized these resources below for your convenience.

–

WARNING: Be aware that storing pictures/photos in AD may increase the size of the NTDS.DIT extensively (depends of course on the amount of pictures and the size of each picture) and do not forget that the upload of this information impacts AD replication. It is just yet another attribute with information that needs to be replicated

–

GAL Photos: Frequently Asked Questions
- Explains the requirements to display pictures/photos in Outlook and also mentions technology specific information
Enabling Outlook 2003 and 2007 to display Exchange GAL photos
- Explains how to leverage Outlook 2003 or Outlook 2007 to display the pictures available in AD
GAL Photos in Exchange 2010 and Outlook 2010
- Explains how to leverage the Exchange 2010 powershell CMDlets to upload pictures/photos into AD and how to leverage Outlook 2010 to display those pictures
Upload picture in Outlook 2010 using the Exchange Management Shell (Exchange 2010)
- Explains how to leverage the Exchange 2010 powershell CMDlets to upload pictures/photos into AD and how to leverage Outlook 2010 to display those pictures
Follow-Up: import-recipientdataproperty
- Explains how to leverage different Exchange versions and different Outlook versions to show pictures stored in AD (REMARK: not using the Outlook Social Connector, which DOES allow the usage of pictures in Outlook 2003/2007. See first link in this post!)
GAL photos in Exchange 2010
- Explains how to leverage the Exchange 2010 powershell CMDlets and a custom made tool to upload pictures/photos into AD