Archive

Archive for the ‘Microsoft’ Category

Change default language for AD FS 2.0

August 13th, 2013 1 comment

ADFS by default changes the language of its pages based on the language sent by the user’s browser. The browser sends an HTTP header called Accept-Language. This means that if, for example, a user with regional settings set to Slovak accesses the ADFS website, all pages are in Slovak. When someone else comes with regional settings set to English, all pages are in English.

For one ADFS portal I implemented there was a need to change the ADFS websites’ language to one static language, Slovak (the multi-language option should be switched off). I dug into the ADFS files stored by default at C:\inetpub\adfs\ls\. After a couple of minutes I found a file called Global.asax.cs which contained something about languages. After a couple more minutes trying to understand .NET I figured out what has to be done to change the language to Slovak.

On line number 45 I found the following line:

string requestedLang = acceptlang;

I changed this line to:

string requestedLang = "sk";

Since then everything works only in Slovak. Just a remark: if you are using an ADFS Proxy, you have to change this setting on the ADFS Proxy server. It doesn’t have to be changed on the (non-proxy) ADFS server.

Implementing Remote Assistance into context menu of ADUC

August 6th, 2013 5 comments

A couple of days ago I wrote about Remote Assistance. I wanted to make this feature as accessible as possible to administrators, so I decided to add a special item to the context menu of ADUC. Let’s do it.

We need to prepare a script first. I wrote a very simple one:

==========

' Script to run Remote Assistance on a domain computer.
' ADUC passes the LDAP path of the selected computer object as the first argument.

Set wshArguments = WScript.Arguments
Set objComputer = GetObject(wshArguments(0))

' Check if Remote Assistance is installed
Set fso = CreateObject("Scripting.FileSystemObject")
If (fso.FileExists("C:\Windows\System32\msra.exe")) Then
 ' It is installed: offer assistance to the computer's DNS host name
 Set objShell = WScript.CreateObject("WScript.Shell")
 rc = objShell.Run("C:\Windows\System32\msra.exe /offerra " & objComputer.dNSHostName, 1, True)
Else
 ' It is not installed, report the error.
 WScript.Echo "Microsoft Remote Assistance is not installed on this machine."
End If

==========

Let’s save this script as a .vbs file into the \\DOMAIN.LOCAL\NETLOGON directory. Now that we have the script, we need to create the context menu item in ADUC. This can be accomplished using the ADSI Edit tool. Start ADSI Edit and look for CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=domain,DC=local. There look for CN=computer-Display. Right-click on CN=computer-Display and select Properties.

In the attribute adminContextMenu add the following line:

2, &Remote Assistance,\\domain.local\NETLOGON\RemoteAssistance.vbs

Description:

2 – order number

&Remote Assistance – name of the item in context menu

\\domain.local\NETLOGON\RemoteAssistance.vbs – command to run

When you click OK, OK in ADSI Edit your work is done. Now when you right-click on a computer account you can see and use the following context menu item:

And that’s all folks.
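The same registration done from PowerShell instead of ADSI Edit, as an added example that is not part of the original post; it assumes the ActiveDirectory module is available and uses the script path and label from the post:

```powershell
# Added example, not from the original post: registers the same context menu entry
# with PowerShell instead of ADSI Edit. Assumes the ActiveDirectory module and that
# RemoteAssistance.vbs already sits in NETLOGON, as described above.
Import-Module ActiveDirectory

$scriptPath = '\\domain.local\NETLOGON\RemoteAssistance.vbs'
$label      = '&Remote Assistance'

# Display specifiers live in the Configuration partition; 409 is the US-English locale
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn       = "CN=computer-Display,CN=409,CN=DisplaySpecifiers,$configNC"
$ds       = Get-ADObject -Identity $dn -Properties adminContextMenu

# Do not register the same script twice
if (@($ds.adminContextMenu) -like "*,$scriptPath") {
    Write-Warning "adminContextMenu already contains $scriptPath; nothing changed."
    return
}

# Each value looks like "<order>,<label>,<command>"; pick the next free order number
$used = @($ds.adminContextMenu | ForEach-Object { [int](($_ -split ',')[0]) })
$next = if ($used.Count) { ($used | Measure-Object -Maximum).Maximum + 1 } else { 1 }

Set-ADObject -Identity $dn -Add @{ adminContextMenu = "$next,$label,$scriptPath" }

# Show the resulting menu; ADUC shows the new item after the console is reopened
(Get-ADObject -Identity $dn -Properties adminContextMenu).adminContextMenu
```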

Quickie: Reset settings for w32time service

July 3rd, 2013 No comments

When you play with the w32time service too much and want to reset it to its default settings, you can run the following commands:

net stop w32time

w32tm /unregister

w32tm /register

net start w32time

I just needed it 🙂


Active Directory Sync Tool – filters for user accounts

June 26th, 2013 2 comments

Today I published an article on how to set up synchronization between Active Directory and the Microsoft cloud, Office 365. I also mentioned that you can filter which users you want to synchronize to the cloud and which not, and I linked the article where it’s described. I started to play with it, but it’s not as simple as I thought 🙂

They mention that you can filter on three conditions:

  • Based on OU location
  • Domain based
  • User attribute

I wanted to investigate the third option, filtering on a user attribute. So I started to read the article. The first and most important thing to mention is that you set the filter on users which you DO NOT want to synchronize. 🙂 I decided to synchronize users which have their attribute “department” set to the value “IT”, so I had to filter out all users which don’t have this attribute set. 🙂

Another catch in the article is the location of the MIISAdmin tool. The article specifies some disk location, but it’s completely different. On my Windows Server 2012 it was installed in:

(screenshot: installation directory)

When I want to sync accounts which have the department attribute set to “IT”, I had to do the following:

Open miisclient.exe and click on Management Agents:

(screenshot: Management Agents)

Right-click on the AD Connector (Agent) and select Properties:

(screenshot: Properties)

On the left side select Configure Connector Filter, then on the right select user and click New…:

(screenshot: Sync filter)

Now declare the new condition, which means we don’t want users that have the department attribute set to IT:

(screenshot: Define filter)

OK, OK. In the domain I set the value only on users User10-User19. Now let’s force synchronization (IMHO it could be something more intelligent and nicer 🙂 ).

Let’s go to the installation folder and run DirSyncConfigShell.psc1:

(screenshot: Running force sync)

Now I have to run Start-OnlineCoexistenceSync:

(screenshot: Start-OnlineCoexistenceSync)

You can check that everything works fine in the Application event log, and you should have a success event at the end:

(screenshot: Synchronization succeeded)

And in the Office 365 cloud I see just the users I wanted to see:

(screenshot: Filtered users)

The only thing I’m missing is filtering based on group membership.

Have a nice day,

 

Active Directory synchronization with Office 365

June 26th, 2013 1 comment

Once upon a time there was a customer asking if we could help them with integrating their Active Directory with the Office 365 cloud. The main request was to sync Active Directory users into the Office 365 cloud and then test Office 365 applications on their computers.

Registration for free Office 365

First you need to check the prices and packages you want to use. I wanted to test it, so I registered HERE. In the free month you can use licences for 10 users. Don’t forget to register for Office 365 Midsize Business; only this version of Office 365 can sync AD. After registration I received an e-mail with my account to log into the Office 365 portal. After the first logon there are really not too many things to configure. I have to note that I received the testing domain @AtosSlovakia.onmicrosoft.com. This is what you need to have.

Preparing playground

So here is my playground setup:

  • Domain name: DOMAIN.LOCAL
  • Domain controller: MT-SERVER01.DOMAIN.LOCAL
  • Server which will synchronize data into cloud Office 365: MT-SERVER02.DOMAIN.LOCAL

The computer which will do the synchronization needs to meet a couple of conditions:

  • Must have Microsoft .NET Framework 3.x
  • It cannot be a domain controller
  • Must be part of the domain
  • It can be Windows Server 2008, Server 2008 R2 or Server 2012
  • If you have fewer than 50 000 objects in AD which you want to sync you can use Microsoft SQL Server 2008 Express. Otherwise you need to use the “normal” SQL Server
  • Active Directory forest functional level has to be Windows Server 2003 or higher

More HERE.

I also need to generate some users in the domain which I will upload into the cloud. I created 50 bulk users using the following PowerShell script:

(screenshot: Create bulk AD users PowerShell script)

I received the testing domain suffix @AtosSlovakia.onmicrosoft.com from Office 365, so I have to set it as an additional UPN suffix for the newly created users:

  • Open Active Directory Domains and Trusts
  • Right-click on Active Directory Domains and Trusts and click Properties
  • Type the defined UPN suffix and click OK
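The preparation steps of this post and the department-based filter from the previous post in one script, added here as an example and not the author’s own script (which the post shows only as a screenshot): it registers the UPN suffix, creates the 50 test users with that suffix and sets department=IT on User10-User19. The ActiveDirectory module and the target OU are assumptions.

```powershell
# Added example (not the author's script, which the post shows only as a screenshot).
# Registers the Office 365 UPN suffix from the post, creates 50 test users with it and
# marks User10-User19 with department=IT, the value the DirSync connector filter keys on.
# Assumes the ActiveDirectory module; the OU for the test accounts is hypothetical.
Import-Module ActiveDirectory

$suffix   = 'AtosSlovakia.onmicrosoft.com'           # tenant suffix from the post
$ou       = 'OU=CloudTest,DC=DOMAIN,DC=LOCAL'        # hypothetical OU, create it first
$password = Read-Host -AsSecureString 'Initial password for the test users'

# Same as "Active Directory Domains and Trusts -> Properties -> add UPN suffix"
if ((Get-ADForest).UPNSuffixes -notcontains $suffix) {
    Get-ADForest | Set-ADForest -UPNSuffixes @{ Add = $suffix }
}

foreach ($i in 1..50) {
    $sam = "User$i"                                  # User1 .. User50
    $params = @{
        Name                  = $sam
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$suffix"       # routable UPN, what Office 365 expects
        Path                  = $ou
        AccountPassword       = $password
        Enabled               = $true
        ChangePasswordAtLogon = $true
    }
    # Only User10-User19 get department=IT, so only they survive the "not equals IT" filter
    if ($i -ge 10 -and $i -le 19) { $params['Department'] = 'IT' }

    # Re-runnable: skip accounts that already exist
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        New-ADUser @params
    }
}

# Preview of what the connector filter lets through (the filter names the users NOT to sync)
Get-ADUser -Filter "department -eq 'IT'" -SearchBase $ou -Properties department, userPrincipalName |
    Select-Object SamAccountName, department, userPrincipalName
```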

Setup Active Directory Synchronization

When you log on to the Office 365 portal, go to “users and groups” and select Active Directory synchronization Set up.

(screenshot: Activate AD Sync)

Then you have to complete 6 steps (not really much work to do) to make it work:

(screenshot: AD Sync Wizard)

Activation of the AD Sync tool can take about 24 hours:

(screenshot: 24 hours activation)

While we wait for activation of the feature, let’s install the Directory Sync Tool on server MT-SERVER02.DOMAIN.LOCAL.

Quickie: Powershell not just for work

June 21st, 2013 No comments

I installed Microsoft Lync a couple of months ago at one customer. He asked me when his licence will expire. I knew the date when Lync was installed (28/2/2013) and the expiration period for Microsoft Lync server (180 days). I used the power of the shell (PowerShell) to check it out:

(screenshot: Get-Date AddDays)

How cool is that? I really love PowerShell 🙂

Nastroj na pripravu systemu

June 8th, 2013 2 comments

It took me a while before I understood (I noticed it in the brackets) that “Nastroj na pripravu systemu” is SysPrep in our language 🙂

Why do they translate it? It only confuses the enemy. 🙂

ESET Smart Security makes problems when migrating computers between domains

April 13th, 2013 6 comments

I was facing a weird problem with computers when I was trying to migrate computer accounts between two Active Directory domains. When you use ADMT to migrate computer accounts, ADMT installs the ADMT Agent on the computer and this ADMT Agent makes all the changes during the computer account migration.

Problem

When there was a computer with ESET Smart Security installed, I had the following problems. The first problem was that the migration failed and in the ADMT log file I received the following error:

2013-04-12 16:29:54 The Active Directory Migration Tool Agent will be installed on CENTRALA.DOMAIN.LOCAL
2013-04-12 16:29:59 WRN1:0000 Could not open SCManager on \\CENTRALA.DOMAIN.LOCAL : GetLastError() returned 5
2013-04-12 16:29:59 WRN1:7015 Failed to connect to the service control manager on \\CENTRALA.DOMAIN.LOCAL, rc=5   Access is denied.
2013-04-12 16:29:59 ERR2:7006 Failed to install agent on \\CENTRALA.DOMAIN.LOCAL, rc=5   Access is denied.

So error number 5 means I have no rights somewhere. After reading a couple of pages of ADMT documentation I found out that ADMT installs the ADMT Agent using the admin share called ADMIN$. So I tried to access the ADMIN$ share on computer CENTRALA.DOMAIN.LOCAL. I received the following error:

(screenshot: Problem with NETLOGON service)

I had never seen such an error: “An attempt was made to logon, but the network logon service was not started.” I checked the services on computer CENTRALA.DOMAIN.LOCAL and Windows was right. The NETLOGON service was Disabled!

Solution

I had to temporarily turn off ESET Smart Security (I would prefer not to use this software at all 🙂 ) and also enable and start the NETLOGON service.

Conclusion

Every computer I migrated that had ESET Smart Security installed had the same problems. So IMHO ESET Smart Security changed the NETLOGON service to Disabled. I really don’t understand why this is necessary, but I think it’s not the right way a “smart security product” should protect your computer.

I found one article about disabling the NETLOGON service as a security practice. It may be good security practice, but there is also a pitfall stated on the website:

If you disable the NetLogon service, a workstation no longer functions reliably as a domain member. This setting may be appropriate for some computers that do not participate in domains. However, it should be carefully evaluated before deployment.

I’m wondering what other functions are not available when NETLOGON is disabled (besides the inaccessible ADMIN$ share) on a domain member computer.

I hope this helps someone 🙂

Exchange 2010 and aditional Active Directory sub-domain/child domain

April 13th, 2013 No comments

We had an Active Directory domain called DOMAIN.LOCAL with Exchange 2010 installed. It was fully functional. After some time I added a new sub-domain/child domain SUB.DOMAIN.LOCAL and migrated users with mailboxes from DOMAIN.LOCAL to SUB.DOMAIN.LOCAL.

Problem

When users from SUB.DOMAIN.LOCAL logged into OWA they received the following view:

(screenshot: OWA Error)

The error stated: Exception message: Could not find any available Domain Controller in domain DC …, so the problem is probably in the way Exchange locates domain controllers. When the user pressed F5 or refreshed the website, he could see his e-mails normally.

There was also event 2130 logged on the Exchange server saying the Exchange Active Directory Provider could not find an available domain controller in the domain.

Solution

When you want to install Exchange into an Active Directory domain, you need to prepare the forest and also the domain before you install it. You use setup.com (from the Exchange installation DVD) with some switches (for example /PrepareSchema, /PrepareAD, …). So the newly added domain SUB.DOMAIN.LOCAL in the existing AD forest was not prepared for the Exchange implementation. I ran the following command: setup.com /PrepareDomain:SUB.DOMAIN.LOCAL:

(screenshot: PrepareDomain)

If you have more than one domain to prepare for Exchange, you can use the command setup.com /PrepareAllDomains.

The best way to run /PrepareDomain or /PrepareAllDomains is:

  • to be logged on to the domain controller with the Schema Admin role
  • to be a member of the Enterprise Admins group
  • to be a member of the Schema Admins group

I hope you will not make the same mistake as I did 🙂

 

Exchange read-only mailbox rights

April 11th, 2013 1 comment

A couple of days ago I got a question from my friend whether there is a way to set up an Exchange mailbox to be read-only for other users in the company. I never needed it, because when someone else needed to access another user’s mailbox, I just set FullAccess rights on the mailbox and everything worked fine.

Testing scenario

Exchange 2010

Test user called Tester with the following mailbox content:

(screenshot: Tester mailbox)

Test user called Tester02 which wants to access the whole mailbox of user Tester, but read-only.

When I set Reviewer for user Tester02 on mailbox Tester in Outlook:

(screenshot: Reviewer permissions)

Problem

When I connect Tester’s mailbox into Tester02’s Outlook profile I can see the following:

(screenshot: Inbox view)

So I can see only the Inbox. I don’t see any folder underneath it. We can check these permissions also using PowerShell:

(screenshot: Get-MailboxFolderPermission)

When we look at the mailbox folder permissions underneath Inbox, for example the “Inbox\My friends” folder, we can see the following:

(screenshot: Permission on subfolder)

This means that mailbox folder permissions are not inherited, so we can set permissions per folder. Let’s test adding permission to the folder Inbox and the subfolder “My friends”:

(screenshot: Set folder permissions)

and now we can also see the subfolders under account Tester02:

(screenshot: Accessible subfolders)

This means that using Outlook or the PowerShell cmdlet Add-MailboxFolderPermission you can set permissions only on one folder, and these settings are not inherited! This is really weird. I couldn’t find any setting to allow inheritance.

Another way to set permissions on mailbox folders is to set permissions on the whole mailbox. This can be set by users which have rights to manage Exchange mailboxes. Let’s look at the PowerShell cmdlet Add-MailboxPermission. This cmdlet allows you to set just the following access rights: FullAccess, SendAs, ExternalAccount, DeleteItem, ReadPermission, ChangePermission and ChangeOwner. None of these rights defines read-only access to the mailbox.

Solution

So there is no easy way to share a whole mailbox between users in a read-only manner. The only way I can think of is to run some PowerShell script. For example:

Add-MailboxFolderPermission tester -User tester02 -AccessRights Reviewer

ForEach($folder in (Get-MailboxFolderStatistics -Identity tester))
{
    # FolderPath is returned as "/Inbox/My friends"; the cmdlet expects "tester:\Inbox\My friends"
    $fname = "tester:" + $folder.FolderPath.Replace("/","\");
    Add-MailboxFolderPermission $fname -User tester02 -AccessRights Reviewer
}

where “tester” is the account with the shared mailbox and “tester02” is the account which wants to access the shared mailbox.

After these PowerShell commands are done, Tester02 can see Tester’s mailbox:

(screenshot: Shared mailbox accessible)

But when user Tester creates a new folder in his mailbox, user Tester02 will not see it unless user Tester sets permissions on the new mailbox folder.
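A re-runnable variant of the script above, added here as an example and not part of the original post: it walks every folder of the shared mailbox, grants Reviewer only where it is missing, skips the folder types Exchange does not let you ACL, and so also picks up folders the owner created later when run again or on a schedule. It assumes the Exchange Management Shell is loaded and uses the two accounts from the post.

```powershell
# Added example (not from the original post): idempotent read-only sharing of a whole mailbox.
# Assumes the Exchange Management Shell; tester/tester02 are the accounts from the post.
function Grant-ReadOnlyMailbox {
    param(
        [Parameter(Mandatory)][string]$Mailbox,   # owner of the shared mailbox, e.g. tester
        [Parameter(Mandatory)][string]$User,      # account that gets read-only access, e.g. tester02
        [string]$Rights = 'Reviewer'
    )
    # Folder types that hold no user-visible items or do not accept folder permissions
    $skipTypes = 'RecoverableItemsRoot', 'RecoverableItemsDeletions', 'RecoverableItemsPurges',
                 'RecoverableItemsVersions', 'Audits', 'CalendarLogging', 'SyncIssues',
                 'Conflicts', 'LocalFailures', 'ServerFailures'

    foreach ($folder in Get-MailboxFolderStatistics -Identity $Mailbox) {
        if ($skipTypes -contains $folder.FolderType) { continue }

        if ($folder.FolderType -eq 'Root') {
            $id = $Mailbox                               # mailbox root, as in the first command of the post
        } else {
            # FolderPath comes back as "/Inbox/My friends"; the cmdlets want "tester:\Inbox\My friends"
            $id = "${Mailbox}:" + $folder.FolderPath.Replace('/', '\')
        }

        # Already granted on an earlier run? Then there is nothing to do for this folder
        $existing = Get-MailboxFolderPermission -Identity $id -User $User -ErrorAction SilentlyContinue
        if ($existing -and $existing.AccessRights -contains $Rights) { continue }

        if ($existing) {
            Set-MailboxFolderPermission -Identity $id -User $User -AccessRights $Rights
        } else {
            Add-MailboxFolderPermission -Identity $id -User $User -AccessRights $Rights
        }
        Write-Output "Granted $Rights on $id"
    }
}

Grant-ReadOnlyMailbox -Mailbox tester -User tester02
```

Running it a second time only touches folders created since the previous run, which is the gap the paragraph above describes.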

I hope the guys from Microsoft will solve this issue in the next release of Exchange. 🙂