Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Exchange Server’ Category

(2016-01-19) Free AD Tool For The IT Pro (4)

Posted by Jorge on 2016-01-19


While browsing the internet I found the following AD related tools that might be worth checking out. Have fun!

REMARK: I do not own and do not support these tools. These tools are also not specifically recommended by me, this post is just a "FYI only!" It is your responsibility to test and check out these tools to see if these meet your requirements.

Z-Hire/Z-Term Active Directory, Exchange, Lync, Office 365 User Creation Tool

Z-Hire automates the IT account creation process for Exchange mailbox, Active Directory, Lync accounts, Office 365 cloud and SalesForce cloud deployments. With just a click of the button, your Exchange mailbox, and Active directory user and Lync accounts will be created simultaneousy. This tool can also create and set custom settings for Office 365 accounts using templates. Z-Hire serves as the platform for new hire accounts by allowing auto-creation of major IT user accounts with the option for custom scripts. Z-hire will decrease your new hire user account deployment time by 600%, without the need for complicated and expensive identity management solutions. This Active Directory User Creation Tool makes creating Active Directory users a breeze. Some of the features include:

  • Environment Auto detection/discovery (AD/Exchange/Lync/Office 365/SalesForce)
  • Copy existing Active Directory User to Z-Hire Template
  • Support for Active Directory user, Exchange Mailbox, Lync 2010, Lync 2013, Office 365 user and SalesForce user account
  • Template based deployment (allows consistency for all user accounts)
  • Office 365 account creation with major attributes
  • Office 365 license only mode (assign license only, when using DirSync)
  • Office 365 Hybrid mode ( for organizations running Office 365 in Hybrid mode)
  • Active Directory user account creation with major attributes
  • Active Directory group selection
  • Active Directory user duplicate SamAccountName verification
  • Lync 2010 account creation supporting all policies
  • SalesForce user creation support all major attributes
  • Faster performance (compared to previous version)
  • Bulk import from CSV / Text to provision Active Directory, Exchange, Lync and Office 365 users (version 5.3)
  • HRIS / WorkDay driven user provisioning (Automatically provision users from WorkDay and other HRIS Systems)
  • HRIS / WorkDay driven data sync (Automatically sync user data such as Title, Department from WorkDay and other HRIS systems)

Click HERE for more information

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Exchange Server, IT Pro Tools, OCS/Lync Server, Office 365, Windows Azure Active Directory | Leave a Comment »

(2015-12-17) The “Get-ADPermission” CMDlet Reports A Corrupted ACE

Posted by Jorge on 2015-12-17


You are managing Exchange through PowerShell and this time you are checking the AD permissions on a user account with a mailbox. For that you use the following PwoerShell command line:

Get-Mailbox -identity "<identity value>" | Get-ADPermission | Sort user | FT –AutoSize

The “<identity value>” specifies the mailbox that you want to view. You can use any value that uniquely identifies the mailbox. Values of example are:

  • Name
  • Display name
  • Alias
  • Distinguished name (DN)
  • Canonical DN
  • <domain name>\<account name>
  • Email address
  • GUID
  • LegacyExchangeDN
  • SamAccountName
  • User ID or user principal name (UPN)

The command executes and you are confronted with the following, or similar, error:

WARNING: The object IAMTEC.NET/Org-Users/EMPLOYEES/Users/ICT/Jorge.deAlmeidaPint has been corrupted, and it’s in an inconsistent state. The following validation errors happened:

WARNING: The access control entry defines the ObjectType ’18d30bdd-e673-6047-b13c-cffee0abb929′ that can’t be resolved..

image

Figure 1: The PowerShell CMDlet “Get-ADPermission” Throws Error About Corrupted ACE

After seeing this error you may think about incorrect ordering of ACEs, as explained in the blog post (2014-08-04) Incorrectly Ordered Permissions After Removing ACE With LDP, or might even think your AD schema is in a bad shape.

This time, that is not the case.

Let’s investigate this step by step and see where the so called corruption came from!

When an ACE is defined, the specified security principal (user, group or computer) is assigned the specified permissions for an objectClass or for an attributeClass within a objectClass. In either case the specified objectClass or attributeClass is always translated under the hood to its corresponding schemaIDGUID. Every objectClass and attributeClass in the AD schema must have and has a unique schemaIDGUID value. When extending the AD schema it is not mandatory to specify a schemaIDGUID value in base64 format. If you do not specify a schemaIDGUID value, AD will generate a unique value for you. However, that is NOT a best practice. When extending the AD schema you should always specify a unique schemaIDGUID value. If you intend to deploy your schema extension to multiple AD forests, then the schemaIDGUID for the extended objectClass or attributeClass across all AD forest is preferably the same schemaIDGUID value.

The error mentions “ObjectType ’18d30bdd-e673-6047-b13c-cffee0abb929’”. The specified GUID value is NOT the objectGUID, it is the schemaIDGUID value of the objectClass or attributeClass that is causing the error. So, let’s search using the specified schemaIDGUID value.

For I’m going to use PowerShell through the following command to find the objectClass or attributeClass:

$rawGuid = ([guid]’18d30bdd-e673-6047-b13c-cffee0abb929′).toByteArray();

Get-ADObject -Filter {schemaIDGUID -eq $rawGuid} -SearchBase (Get-ADRootDSE).schemaNamingContext -Properties * | FL

The query result is:

image

Figure 2: Result Of The PowerShell Query In Searching For An objectClass Or attributeClass Through The schemaIDGUID

The name of the attributeClass already tells you how special it is, but that’s because I named it like that. In reality you will not see that. The real answer is hidden in the searchFlags property. If you look above you will 904, and that does not tell you much, unless you decode it yourself, or use ADFIND from joeware.net. (@joe: stop laughing!)

Now let’s use ADFIND through the following command to find the objectClass or attributeClass:

adfind -schema -f "schemaIDGUID={{GUID:18d30bdd-e673-6047-b13c-cffee0abb929}}" -binenc –flagdc

The query result is

image

Figure 3: Result Of The ADFIND Query In Searching For An objectClass Or attributeClass Through The schemaIDGUID

Of course ADFIND will return the same attributeClass, but at the same time it decoded searchFlags and systemFlags. When looking at the searchFlags property you will see the attribute has been configured with the confidentiality bit. Now, what’s special about that? You may remember it or not, but to be able to read the data in a confidential attribute, you must be either a member of “Domain Admins” or a member of “Account Operators” or a member of any other group that has Full Control on the corresponding object, or you must have at least the “Control Access” extended right.

Now the ONLY tools, I know of, that can both read (interpreter) and set the “Control Access” extended right, are DSACLS, LDP and ADFIND/ADMOD. Any other tools, may not process/interpreter it correctly. Those tools then either do not display the “Control Access” extended right or throw some weird error, like the PowerShell CMDet “Get-ADPermission”.

Now you might think “Yeah right. Your attribute is a custom AD schema extension and its has been implemented/designed in a bad way!”. Again, that’s not the case. This AD schema extension or any other AD schema I have ever designed has followed best practices! By default, the AD schema also contains attributeClasses that have been configured with the confidentiality bit. To find those attributeClasses, read the (2014-12-19) Finding Attributes Marked As Confidential. Now choose an attribute you like, and configure it with the “Control Access” extended right (do this in a TEST environment).

To configure the “Control Access” extended right for the confidential attribute on an OU that targets user objects, execute the following command:

DSACLS "<DN of OU>" /G "<Security Pincipal>:CA;<Confidential Attribute>;user" /I:S

Now, execute the Get-ADPermission CMDlet as specified at the beginning of this blog post. You should see a similar error about a corrupted ACE.

Therefore the conclusion is, that this is caused by the GET-ADPermission CMDlet (bug!) that misinterpreters the “Control Access” extended right. I know this occurs in Exchange Server 2010 and Exchange Server 2013, and most likely also in Exchange Server 2016. The Exchange Product Team, most likely, will never fix this as it is very low priority and there is no real issue here. If you really want to change the behavior of the GET-ADPermission CMDlet, then you need to submit a Design Change Request (DCR) will and impact analysis, including any monetary harm or loss you have due to this behavior. Good luck in trying to do that! You are better off ignoring this and paying real attention to some other stuff that’s more important! Smile

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Confidential, Exchange Server, PowerShell | 5 Comments »

(2014-02-27) Exchange OWA Through ADFS

Posted by Jorge on 2014-02-27


In following blog posts you can read how you can access OWA through federation and kerberos constrained delegation (KCD):

In the scenarios above the Claims To Windows Token Service (C2WTS) was used to perform the KCD part as ADFS itself is not capable of doing that

With the release of Exchange 2013 SP1, it is now natively supported and you do not need to perform all kinds of manual steps. Instead of using the C2WTS, you can now use the Web Application Proxy (WAP) to perform the KCD part.

see: Using AD FS claims-based authentication with Outlook Web App and EAC

Although I have not tried this myself, after reading it quickly I noticed a few weird things:

  • Step 1: Although true what is said, I would like to suggest the following regarding the certificates:
    • Service Communication Certificate for ADFS –> CA issued from an internal PKI if available, otherwise CA issued from a well-known external/third-party CA issuer (e.g. DigiCert, Thawte, Verisign, etc.)
    • Token Signing Certificate for ADFS –> CA issued from a well-known external/third-party CA issuer (e.g. DigiCert, Thawte, Verisign, etc.). Although possible, you should not use self-signed certificates or CA issued from an internal PKI
    • Token Encryption Certificate for ADFS –> CA issued from a well-known external/third-party CA issuer (e.g. DigiCert, Thawte, Verisign, etc.). Although possible, you should not use self-signed certificates or CA issued from an internal PKI
  • Step 2: If you are using CA issued certs for Token Signing Certificate and the Token Encryption Certificate you need to install ADFS through FSCONFIG.EXE (ADFS v2.0 and ADFS v2.1) or INSTALL-ADFSFARM (ADFS v3.0) and specify the thumbprint of the certificates. You need to make sure those certificates are in the local certificate store first!
  • Step 2: it is not true you require a group Managed Service Account. Sure that would be preferred, you must have at least one W2K12 DC or higher to be able to support that. However in all cases you can still use a normal service user account.
  • Step 3: I’m kind of surprised to see the so called require claims rules for both the OWA relying part trust as the EAC relying party trust. Like I said, I have not done this myself yet, but I would expect to only require the pass-through of the UPN claim on both RP trusts. Of course you need to ask yourself "if I pass it through, where do I pass it from then?" Right! You gather the UPN claim by using a claim rule on the claims provider trust. How you do that differs from ADFS v2.x and ADFS v3.0. With ADFS v2.x you need to perform an LDAP query (using the LDAP Claim Rule Template) and in ADFS v3.0 you can pass it through (see: "(2011-09-13) Bare Minimum Acceptance Transform Rules For The Default Claims Provider Trusts In ADFS v2.0" and "(2014-02-10) Bare Minimum Acceptance Transform Rules For The Default Claims Provider Trusts In ADFS v3.0 (Update 1)")
  • Step 4: No clue WHY the claims rules are being added, again. That was already done in step 3. Again no clue why you need the Primary SID and the Group SID
  • Step 5: I saw the following line: "Although Web Application Proxy isn’t required" Huh? Who’s going to do the KCD part then? I agree you should use WAP when allowing external access. But for internal access, if WAP is not required, is that the reason why they are sending the "Primary SID" claim and the "Group SID" claim? Hmmmm, interesting. I wonder if ADFS has some hidden feature regarding KCD. To be investigated!

Well, have fun!

If you try it yourself, please let me know your findings. Thanks in advance

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

 

Posted in Active Directory Federation Services (ADFS), Claims Based Apps, Exchange Server, OWA, Security Token Service (STS), Web Application Proxy | Leave a Comment »

(2014-02-25) Updates For Exchange 2007, 2010 And 2013 Released To Support W2K12R2 OS, AD, DFL/FFL

Posted by Jorge on 2014-02-25


Today Microsoft released updates for Exchange 2007, 2010 and 2013 to be supported:

  • On a W2K12R2 server
  • In an AD with W2K12R2 DCs
  • In an AD where DFL/FFL is W2K12R2

Exchange 2007

  • Technical details can be read here.
  • SP3 RU13 and later provides that support. Get RU13 from here.

Exchange 2010

  • Technical details can be read here.
  • SP3 RU5 and later provides that support. Get RU5 from here.

Exchange 2013

  • Technical details can be read here.
  • SP1 and later provides that support. Get SP1 from here.

The supportability matrix is available here.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Exchange Server, Windows Server | Leave a Comment »

(2012-01-29) Exchange Management Console Not Working And Exchange Management Shell Missing In Exchange Server 2010

Posted by Jorge on 2012-01-29


After installing Exchange Server 2010 in my test environment and applying the latest service pack for it (SP2) I got the following error when starting the Exchange Management Console.

image

Figure 1: Exchange Management Console In Exchange Server 2010 – Failed To Initialize

(X) Initialization Failed

The following error occurred while searching for the on-premises Exchange server:

The term ‘C:\Program Files\Microsoft\Exchange Server\V14\Bin\ConnectFunctions.ps1’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. It was running the command ‘. ‘C:\Program Files\Microsoft\Exchange Server\V14\Bin\ConnectFunctions.ps1”.

In addition I saw that the shortcut for the Exchange Management Shell was missing.

image

Figure 2: Exchange Management Shell For Exchange Server 2010 Missing

The solution to both issues is mentioned in the following blog post:

Although it mentions SP1, it will also work for SP2.

PS: have you seen the Exchange Management Console Troubleshooter? Get it here.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Exchange Server, PowerShell | 3 Comments »

(2011-06-20) Free Exchange Tools For The IT Pro (1)

Posted by Jorge on 2011-06-20


While browsing the internet I found the following Exchange related tools that might be worth checking out. Have fun!

REMARK: I do not own and do not support these tools. These tools are also not specifically recommended by me, this post is just a "FYI only!" It is your responsibility to test and check out these tools to see if these meet your requirements.

Anti Spam for Exchange
NetWrix Anti Spam for Exchange is a FREEWARE anti-spam solution for Microsoft Exchange Server or Microsoft Small Business Server (SBS). The product is very easy to install and run, works on the server, and doesn’t require any client-side components. All incoming messages are checked for known spam criteria, such as Spam URL Realtime Block Lists (SURBL) and keyword filtering, and then suspected e-mails are delivered to user’s Junk E-mail folder.

Click HERE for more information

Catch-All Mailbox Configurator for MS Exchange

Microsoft Exchange has no native support for catch-all mailboxes, but the freeware NetWrix Catch-All Mailbox Configurator tool is a very easy way to configure a catch-all e-mail with a couple of mouse clicks and without any custom scripts and tricky configuration steps. You just install this tool on your Hub Transport or Edge Transport Exchange server and specify an e-mail domain and e-mail address to which all uncaught mail should be forwarded.

Click HERE for more information

Exchange Change Reporter

NetWrix Exchange Change Reporter is a Microsoft Exchange auditing solution that tracks and reports all changes made to all Exchange Server configurations and permissions. The product generates reports that show all created, deleted, and modified objects and settings. Four basic questions are answered: What changed? How was it changed? Who did it? When was it changed? Powered by AuditAssurance™ technology, the Exchange Change Reporter tracks changes to configuration settings, creation and deletion of mailboxes, information stores, Exchange servers, connectors, protocol parameters, storage groups and many other types of objects and their permissions. The modification events indicate "before" and "after" values for all modified settings, for example, the previous name of a recently renamed mailbox or how the mailbox quotas looked like before they were changed.

Click HERE for more information

Exchange Mail Archiver

Exchange Mail Archiver archives all e-mail messages in a central location and makes them available for quick e-Discovery/compliance responses with protection against content tampering in PST files and mailboxes. Archived messages are stored in a highly compressed format to minimize storage usage and increase Exchange server efficiency, and original messages in mailboxes are replaced with short URLs making them available to mailbox owners with minimal user impact. The usage of Exchange Mail Archiver also removes hassles of PST file maintenance and mailbox quota management: PST files can be completely removed from your Exchange environment without increasing mailbox quotas.

Click HERE for more information

Non-owner Mailbox Access Reporter for Exchange

NetWrix Non-owner Mailbox Access Reporter is a FREE tool that detects all situations when administrators and other users have gained access to another user’s mailbox. The product shows exactly who accessed what mailboxes over the last day, month, or year, allowing you to detect unauthorized activity from users with excessive or misconfigured rights who may be trying to steal confidential information from the mailboxes of company executives and management. The auditing and reporting of non-owner mailbox access ensures that internal policies and regulatory compliance requirements are met.

Click HERE for more information

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Exchange Server, IT Pro Tools | Leave a Comment »

(2011-06-15) Pictures/Photos In Exchange/Outlook

Posted by Jorge on 2011-06-15


Multiple (blog) resources on the internet contain information how to add and leverage pictures/photos in AD to be shown in Exchange/Outlook. I have summarized these resources below for your convenience.

WARNING: Be aware that storing pictures/photos in AD may increase the size of the NTDS.DIT extensively (depends of course on the amount of pictures and the size of each picture) and do not forget that the upload of this information impacts AD replication. It is just yet another attribute with information that needs to be replicated

Also see: Pictures/Photos in Active Directory

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Exchange Server | Leave a Comment »

(2010-10-28) Component Poster: "Exchange Server 2010 HUB Transport Role Architecture And Extensibility"

Posted by Jorge on 2010-10-28


Get the PDF from here: Exchange Server 2010 HUB Transport Role Architecture and Exchange Server 2010 HUB Transport Role Extensilibity

image

image

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Exchange Server | Leave a Comment »

(2010-10-28) Component Poster: "Exchange Server 2010"

Posted by Jorge on 2010-10-28


Get the PDF from here: Exchange Server 2010 Component Architecture

clip_image001

clip_image002

clip_image003

image

clip_image005

clip_image006

clip_image007

clip_image008

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Exchange Server | Leave a Comment »

(2010-10-28) Component Poster: "Exchange Server 2007"

Posted by Jorge on 2010-10-28


Get the PDF from here: Exchange Server 2007 Component Architecture

clip_image001

clip_image002

clip_image003

clip_image004

clip_image005

clip_image006

clip_image007

clip_image008

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Exchange Server | Leave a Comment »

 
%d bloggers like this: