January 11th, 2022

To replace the SSL certificate for the AD FS server in an Office 365 environment, you need to perform some actions to re-establish proper functionality.

When the SSL certificate expires, the Office 365 authentication process doesn’t work and the users are no longer able to access their emails. The replacement of the SSL certificate is the only solution to get the service back.

 

Import and replace SSL certificate in AD FS server

To perform an SSL certificate request for AD FS, you can follow this detailed guide.

Log on to the AD FS server and, from the Certificates Management Console, import the new certificate into the Personal certificate store. Right-click the Certificates item and select the All Tasks > Import option. Read more…

November 27th, 2021

The Server Message Block (SMB) network protocol is used to share and access folders, files, printers, and other devices over the network (TCP port 445). In this article, we will look at which versions (dialects) of SMB are available in different versions of Windows (and how they relate to Samba versions on Linux); how to check the SMB version in use on your computer; and how to enable or disable the SMBv1, SMBv2, and SMBv3 dialects.

SMB Protocol Versions in Windows

There are several versions of the SMB protocol (dialects) that have consistently appeared in new Windows versions (and Samba):

  • CIFS – Windows NT 4.0
  • SMB 1.0 – Windows 2000
  • SMB 2.0 – Windows Server 2008 and Windows Vista SP1 (supported in Samba 3.6)
  • SMB 2.1 – Windows Server 2008 R2 and Windows 7 (Samba 4.0)
  • SMB 3.0 – Windows Server 2012 and Windows 8 (Samba 4.2)
  • SMB 3.02 – Windows Server 2012 R2 and Windows 8.1 (not supported in Samba)
  • SMB 3.1.1 – Windows Server 2016 and Windows 10 (not supported in Samba)

Read more…

November 27th, 2021

Note:
Remember to install the MSOnline module before running the script.

#Provide directory path and prefix for output files
$LogDirectory = "c:\Temp\"
$LogFileName = "Office_365_License_"
 
if(!(Test-Path $LogDirectory))
{
    Write-Host "Provided directory was not found, directory will be created now..."
    New-Item -Path $LogDirectory -ItemType Directory
}
 
Import-Module MSOnline
 
# Announce the connection attempt before the sign-in prompt appears
Write-Host "Connecting to Office 365..."
Connect-MsolService
 
# Get a list of all licenses available for the tenant and gather the users who have a license assigned
$LicenseTypes = Get-MsolAccountSku | Where-Object {$_.ConsumedUnits -ge 1}
$Users = Get-MsolUser -All | Where-Object {$_.IsLicensed -eq $true}
 
foreach ($license in $LicenseTypes) 
{   
 
    # Resolve the SKU name first so that the progress message below can print it
    $AccountsArray = @()
    $LicenseName = $license.AccountSkuId
    $FileLicenseName = $license.AccountSkuId.Replace(':','')
     
    Write-Host "Gathering users with license $LicenseName" -ForegroundColor Green
         
    # Gather accounts which have specific license assigned
    $Accounts = $Users | Where-Object {$_.licenses.accountskuid -contains $LicenseName}
 
    foreach ($Account in $Accounts) {
         
        $thislicense = $Account.licenses | Where-Object {$_.accountskuid -eq $LicenseName}
        $Properties =  @{
         "UserPrincipalName" = $Account.UserPrincipalName
         "DisplayName" = $Account.DisplayName
         "AccountSku" = $LicenseName
        }
         
        foreach ($row in $($thislicense.servicestatus)) {
             
            $Properties.Add($row.ServicePlan.ServiceName,$row.ProvisioningStatus)
         
        }
         
        $AccountArrayRow = New-Object PSObject -Property $Properties
        $AccountsArray += $AccountArrayRow
    }
     
    $FileName = ($LogDirectory+$LogFileName+$FileLicenseName)
    $AccountsArray | Export-CSV -Path $FileName'.csv' -NoTypeInformation
     
    Write-Host "Export to file for license $LicenseName completed" -ForegroundColor Green
}           
 
Write-Host ("Output files available under " + $LogDirectory) -ForegroundColor Green

 

November 27th, 2021

This script might be useful for finding users who haven’t logged on for a long time. It checks the lastlogondate property:

Get-ADUser -Identity $Env:username -Properties 'Name','Enabled','WhenCreated','LastLogonDate','lastlogontimestamp','PasswordExpired'

Please be aware that it gets a date only from the specified Domain Controller. In this case, I added a logon server in the server parameter and I was looking only for enabled users in People OU.

Below you can find the final script for getting users who haven’t logged on for more than 30 days. It saves the results to a CSV file on your desktop and then opens them in a new pop-up window.

        #Import Modules ##########################################################         
        Try{
            Import-Module ActiveDirectory -ErrorAction Stop
        }
        Catch{
            Write-Warning $_.Exception.Message
            Read-Host "Script will end. Press enter to close the window"
            Exit
        }
  
  
        #Params ##################################################################
        $LastLogon   = (Get-Date).AddDays(-30).ToFileTime()
        $ReportPath  = "$env:userprofile\desktop"
        $FileDate    = Get-Date -Format "yyyyMMddHHmmss"
        $OutputCsv   = "$ReportPath\LastLogonDate_users_$FileDate.csv" 
  
  
        # Query params ############################################################## 
        $Params = @{
            LDAPFilter   = "(&(objectclass=user)(useraccountcontrol=512)(lastlogontimestamp<=$LastLogon))"
            Server       = ($env:LOGONSERVER -replace '\\','')
            SearchBase   = 'OU=People,DC=powershellbros,DC=com'
            Properties   = 'Name','Enabled','WhenCreated','LastLogonDate','lastlogontimestamp','PasswordExpired'
        }
  
  
        #Get all ENABLED users from OU ####################################
        Get-ADUser @Params | Select Name,
                                    Enabled,
                                    whenCreated,
                                    lastlogondate,
                                    PasswordExpired | Export-Csv $OutputCsv -NoTypeInformation 
  
  
        #Import CSV and display results ##########################################
        Import-CSV $OutputCsv | Out-GridView -Title 'Users > 30days'

November 27th, 2021

  1. If the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault is present, the value should be 0.
  2. If the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled is present, the value should be 1.
  3. Check if TLS 1.2 is set as the default secure protocol in WinHTTP for Windows versions Windows Server 2008 R2, Windows Server 2012, and Windows 7.

How to check if TLS 1.2 is the default secure protocol in WinHTTP:

Compatible versions: Windows Server 2008 R2, 2012, and Windows 7

  1. Check that Microsoft update ‘kb3140245’ is installed.
  2. Check if the below registry key contains the value ‘0x00000A00’ or ‘0x00000800’:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols
  3. If it is a 64-bit machine, check the ‘Wow6432Node’ path also:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols

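
The checks listed above can be run as one read-only audit. This is an added example, not part of the original post: the function name Test-Tls12ClientConfig is hypothetical, and it assumes a 64-bit PowerShell session when run on a 64-bit machine so that the Wow6432Node path is read directly.

```powershell
# Added example (read-only): audits the TLS 1.2 client settings listed above.
# Test-Tls12ClientConfig is a hypothetical name, not a built-in cmdlet.
function Test-Tls12ClientConfig {
    $results = @()
    # Helper that builds one result row (New-Object keeps this PowerShell 2.0 compatible)
    $add = { param($check, $value, $pass)
        New-Object PSObject -Property @{ Check = $check; Value = $value; Pass = $pass } }

    # SCHANNEL client values: a missing value passes, because the list above
    # only constrains the value when it is present.
    $client   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $expected = @{ DisabledByDefault = 0; Enabled = 1 }
    foreach ($name in $expected.Keys) {
        $prop = Get-ItemProperty -Path $client -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            $results += & $add "SCHANNEL $name" 'not present' $true
        } else {
            $results += & $add "SCHANNEL $name" $prop.$name ($prop.$name -eq $expected[$name])
        }
    }

    # WinHTTP default protocol (Windows Server 2008 R2, 2012, Windows 7): update first
    $kb = Get-HotFix -Id 'KB3140245' -ErrorAction SilentlyContinue
    $results += & $add 'Update KB3140245 installed' '' ([bool]$kb)

    # Native key, plus the Wow6432Node copy when that node exists (64-bit machine)
    $winHttp = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
    $wow     = 'HKLM:\SOFTWARE\Wow6432Node'
    if (Test-Path $wow) {
        $winHttp += "$wow\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
    }
    foreach ($key in $winHttp) {
        $prop  = Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
        $value = if ($prop) { $prop.DefaultSecureProtocols } else { $null }
        $shown = if ($null -ne $value) { '0x{0:X8}' -f $value } else { 'not present' }
        # Only the two values named in the steps above count as a pass
        $results += & $add "DefaultSecureProtocols ($key)" $shown (@(0x800, 0xA00) -contains $value)
    }

    $results | Select-Object Check, Value, Pass
}

Test-Tls12ClientConfig | Format-Table -AutoSize -Wrap
```

Rows with Pass set to False are the settings to correct; the function only reads the registry and the installed-update list and changes nothing.
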
October 29th, 2021

How to enable information rights management in SharePoint Online?

Information Rights Management (IRM) policies in SharePoint Online protect sensitive content from unauthorized users by preventing users from printing or saving copies of a file. Information Rights Management can be applied to Office documents such as Word, Excel, and PowerPoint, as well as to PDF and XPS files.

Step 1: Make sure Rights Management is Activated in the Microsoft 365 Admin Center

Unlike SharePoint on-premises, you don’t have to install anything to implement IRM, as Office 365 comes with it pre-installed. IRM settings are scoped at the list or library level. However, you must first activate the Information Rights Management Service for the organization from the Office 365 admin center before IRM can be applied to a SharePoint library or list. To activate IRM in Office 365, follow these steps:

  • Log in to the Microsoft Admin Center at https://admin.microsoft.com
  • Expand Settings from the left navigation >> Click on Settings >> Click on “Microsoft Azure Information Protection”

 

October 29th, 2021

Disabled accounts

If an organization has a provisioning process in place that (automatically) governs the enabling and disabling of accounts, and/or it engages guests or vendors frequently, this process is very effective. Because such vendor engagements have an uncertain expiry date, an automated process can’t be preset.

Also, where a vendor engagement needs to be controlled due to inactivity, the account can be disabled provisionally for security and re-enabled when needed.

An account can be set as disabled at: Account -> Properties -> Account tab -> Account Options -> select the checkbox “Account is disabled” Read more…

September 17th, 2021

On the domain controller, open the group policy management tool.

Create a new group policy.

Read more…

June 15th, 2020

The permissions on the certificate template do not allow the current user to enroll this type of certificate. You do not have permission to request this type of Certificate

Apparently I had to assign Enroll permissions to the Certificate template security for the computer requesting the certificate. Read more…

May 15th, 2020

Adobe Patches for May 2020

The Adobe updates for May are just two patches covering 36 CVEs. Two of these CVEs were reported through the ZDI program. The patch for Adobe Acrobat and Reader covers 24 Critical and Important-rated CVEs that mostly consist of Out-of-Bounds (OOB) Reads and Writes. There are also some buffer overflows, memory corruptions, stack exhaustion, and Use-After-Free (UAF) bugs fixed. The patch for the Adobe DNG Software Development Kit (SDK) fixes four Critical-rated heap overflows and eight Important-rated OOB Reads. The overflows could lead to code execution, so if you use the DNG format for your digital photography, definitely make sure you are patched. None of these bugs are listed as publicly known or under active attack at the time of release.

Microsoft Patches for May 2020

For May, Microsoft released patches for 111 CVEs covering Microsoft Windows, Microsoft Edge (EdgeHTML-based), ChakraCore, Internet Explorer, Microsoft Office, and Microsoft Office Services and Web Apps, Visual Studio, Microsoft Dynamics, .NET Framework, .NET Core, and Power BI. Of these 111 CVEs, 16 are rated Critical and 95 are rated Important in severity. Eleven of these CVEs were reported through the ZDI program. None of the bugs being patched are listed as being publicly known or under active attack at the time of release. That makes three months in a row that Microsoft has released patches for more than 110 CVEs. We’ll see if they maintain that pace throughout the year. Read more…