Tuesday, November 19, 2019

Adding Full Mailbox permissions to on prem shared mailboxes for O365 Migrated user in Hybrid environment

Granting an O365-migrated user Full Access permissions on an on-premises shared mailbox must be done with Exchange on-premises PowerShell. This short article lists the simple steps for the task and the cmdlets that go with them.

The following scenario is not supported: https://docs.microsoft.com/en-us/exchange/permissions

The following permissions or capabilities aren't supported:

Send-As: Lets a user send mail as though it appears to be coming from another user's mailbox.

Auto-mapping: Enables Outlook, when it starts, to automatically open any mailboxes that a user has been granted Full Access to.

Folder permissions: Grants access to the contents of a particular folder.

Change the variables so they fit your scenario. Also make sure you are connected to both on-premises and O365 PowerShell before running the commands below.

# VARS
$CloudMB1 = "John.Born@SecuredNinja.org" # Cloud mailbox
$SharedMB1 = "HRShared1@SecuredNinja.org" # On-prem
$SharedMB2 = "HRShared2@SecuredNinja.org" # On-prem

# ADDING MB Permissions
Write-Host "Adding AD Permissions"
Add-MailboxPermission -Identity $SharedMB1 -User $CloudMB1 `
    -AccessRights FullAccess -AutoMapping $True -InheritanceType All

# VERIFY AD PERMISSIONS
# Lists only explicit (non-inherited) entries, excluding the mailbox's own SELF entry
Write-Host "Verifying AD Permissions"
$Output1 = Get-Mailbox -Identity $SharedMB1 | Get-MailboxPermission |
    Where-Object { $_.User.ToString() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false } |
    Select-Object User,AccessRights,IsInherited,Deny
$Output1 # show the result on screen

# ADD
Write-Host "Adding Permissions"
Add-RecipientPermission -Identity $SharedMB1 -Trustee $CloudMB1 -AccessRights SendAs

# VERIFY
Write-Host "Verifying Permissions"
Get-RecipientPermission -Identity $SharedMB1

# REMOVE (-WhatIf previews the change; drop it to actually remove)
Write-Host "REMOVING Permissions"
$removeUser = "Casey.Dedeal@SecuredNinja.org"
Remove-RecipientPermission -Identity $SharedMB2 -Trustee $removeUser -AccessRights SendAs -WhatIf

# REMOVE (-WhatIf previews the change; drop it to actually remove)
Write-Host "REMOVING Permissions"
$CloudMB = "Casey.Dedeal@SecuredNinja.org"
Remove-MailboxPermission -Identity $SharedMB2 -User $CloudMB -AccessRights FullAccess -WhatIf

Casey Dedeal
Azure Certified Solutions Architect

Tuesday, January 8, 2019

How to Renew an Expired Office Web Apps Server SSL Certificate



If you want trouble, let the Lync certificates expire and then struggle to figure out how to bring the service back up. Office Web Apps servers provide PowerPoint presentation capabilities to Skype clients, and you will quickly notice that this function no longer works: without a valid certificate, the Office Web Apps service won't come up.
Issue:

The Office Web Apps service is not starting (service name: WACSM). Lync PowerShell commands won't run because of the same issue and will fail with the following warning:

"-OfficeWebAppsFarm: It does not appear that this machine is part of an Office Web Apps Server farm."

Assuming you did not change any other setting and your server is part of an existing Web Apps Server farm, the PS command won't run because of the WACSM service issue listed above.
Fixing the issue:

  1. Copy the new certificate to C:\temp on the first Web Apps Server.
  2. Log on to the first Web Apps Server via RDP.
  3. Open the MMC console and add the Certificates snap-in. Under Certificates (Local computer) | Personal | Certificates, delete the expired certificate and import the new one.
  4. Take note of the certificate name (Issued to).
  5. Close MMC.
  6. Browse to the following file (\ProgramData\Microsoft\OfficeWebApps\Data\FarmState\settings.xml).
  7. Open the settings.xml file with Notepad.
  8. Locate the following line and make sure the certificate name matches the imported certificate name, for example Server1.SecuredNinja.com:
     <Setting Name="CertificateName" DataType="System.String">Server1.SecuredNinja.com</Setting>
  9. Close the XML file.
  10. Restart the Office Web Apps service (service name: WACSM).
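A check to run before the final restart, as an added example that is not part of the original post: it reads the CertificateName value from settings.xml and reports whether exactly one unexpired certificate with a private key matches it. The function name, the sample data and the assumption that the value sits in an element carrying Name="CertificateName" are hypothetical; the match accepts either the subject CN ("Issued to") or the friendly name.

```powershell
# Added example, not the author's code. Uses constructed sample data so it runs
# anywhere; the last comment shows the call for a real server.
function Test-WacCertificateSetting {
    param(
        [Parameter(Mandatory = $true)][xml]$SettingsXml,
        [object[]]$Certificates = @(),
        [datetime]$Now = (Get-Date)
    )
    # Assumption: the value sits in an element carrying Name="CertificateName".
    $node = $SettingsXml.SelectSingleNode("//*[@Name='CertificateName']")
    if (-not $node) { throw "No CertificateName setting found" }
    $name = $node.InnerText.Trim()
    $cnPattern = '(^|,\s*)CN=' + [regex]::Escape($name) + '(,|$)'

    # Match on subject CN ("Issued to") or on friendly name.
    $candidates = @($Certificates | Where-Object {
        $_.FriendlyName -eq $name -or $_.Subject -match $cnPattern })
    # Usable = inside its validity window and has a private key.
    $usable = @($candidates | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $Now -and $_.NotAfter -gt $Now })

    [pscustomobject]@{
        ConfiguredName = $name
        MatchingCerts  = $candidates.Count
        UsableCerts    = $usable.Count
        Thumbprints    = @($usable | ForEach-Object { $_.Thumbprint })
        ReadyToStart   = ($usable.Count -eq 1)   # none or several needs a look
    }
}

# Constructed sample: a settings fragment plus the old and the renewed cert.
$sampleXml = [xml]'<Settings><Setting Name="CertificateName" DataType="System.String">Server1.SecuredNinja.com</Setting></Settings>'
$sampleStore = @(
    [pscustomobject]@{ Subject = 'CN=Server1.SecuredNinja.com'; FriendlyName = ''
        HasPrivateKey = $true; Thumbprint = 'SAMPLE-EXPIRED'
        NotBefore = [datetime]'2017-01-01'; NotAfter = [datetime]'2019-01-01' },
    [pscustomobject]@{ Subject = 'CN=Server1.SecuredNinja.com'; FriendlyName = ''
        HasPrivateKey = $true; Thumbprint = 'SAMPLE-RENEWED'
        NotBefore = [datetime]'2019-01-02'; NotAfter = [datetime]'2021-01-02' }
)
Test-WacCertificateSetting -SettingsXml $sampleXml -Certificates $sampleStore -Now ([datetime]'2019-01-08')

# On the server (file path from step 6, Personal store from step 3):
# $xml = [xml](Get-Content "$env:ProgramData\Microsoft\OfficeWebApps\Data\FarmState\settings.xml")
# Test-WacCertificateSetting -SettingsXml $xml -Certificates (Get-ChildItem Cert:\LocalMachine\My)
```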







Casey, Dedeal
Principal Systems Engineer

Wednesday, December 26, 2018

Lync Front Service hangs on "starting" status on Lync 2013 Servers.



A common cause of the Lync FE service hanging is certificates in the Trusted Root Certificate store that are not self-signed (the issuer differs from the subject). Lync servers use HTTP/S to communicate with each other, and the issue mentioned breaks this behavior. Until such certs are removed, the FE service won't come back to a healthy state.


Step # 1
Identify the certs causing this issue by running the PS script below on the problem Lync FE server.




 
<#
.NOTES
#=============================================
# Script : Non_Self_Assigned_Certs-Scan.ps1
# Created : ISE 3.0
# Author(s) : casey.dedeal
# Date : 12/26/2018
# Org : ETC Solutions
# File Name :
# Comments :
# Assumptions :
#==============================================
SYNOPSIS :
DESCRIPTION :
Acknowledgements : Open license
Limitations : None
Known issues : None
Credits : None
.EXAMPLE
.\Non_Self_Assigned_Certs-Scan.ps1
MAP:
-----------
(1)_.Adding Vars
(2)_.Check Log Folder create one if ! exist
(3)_.Scan Local Machine Trusted Root Certs Store
(4)_.Open File
Clean up all certs listed in the log file.
Certs could be pushed via GPO; if that is the case,
you will have to find the GPO and make sure the problem
certs have been removed from the policy.
#>

#(1)_.Adding Vars
$Fname = "None-Self-Certs-Report.txt"
$TargetFolder = "C:\temp\Logs\"
$file = $TargetFolder + $Fname

#(2)_.Check Log Folder create one if ! exist
if (!(Test-Path -Path $TargetFolder))
{
    Write-Host "()_Creating Target Folder" -f Yellow
    New-Item -ItemType Directory -Path $TargetFolder
}

#(3)_.Scan Local Machine Trusted Root Certs Store
# A root certificate is self-signed, so Issuer equals Subject; report the ones where they differ
$Report = Get-ChildItem Cert:\LocalMachine\Root -Recurse |
    Where-Object { $_.Issuer -ne $_.Subject } | Format-List *
$Report | Out-File -FilePath $file

#(4)_.Open File
Invoke-Item $file


 


Step # 2
Delete the problem certificates from the Trusted Root store. These certificates are easy to identify because "Issued From" and "Issued To" won't match. Check that these certs are not being pushed via GPO; if they are, you will need to make sure that GPO is cleared out.


Step # 3
Reboot the FE server and make sure the FE service comes up. Check the event logs to make sure the related events no longer appear.
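The Step # 2 cleanup as a script, given as an added example that is not part of the author's script: it saves each non-self-signed certificate to a .cer file before removing it from the Trusted Root store, and does nothing when run with -WhatIf. The function name and the backup folder are hypothetical, and it assumes PowerShell 3.0 or later in an elevated session.

```powershell
# Added example, not part of the author's script. Assumes PowerShell 3.0+ in an
# elevated session; the backup folder is a hypothetical path.
function Remove-NonSelfSignedRootCert {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$BackupDir = 'C:\temp\Logs\RootStoreBackup')

    # Same test as the scan script: in the root store Issuer should equal Subject.
    $suspects = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Issuer -ne $_.Subject })

    foreach ($cert in $suspects) {
        $removed = $false
        # -WhatIf skips this block; without it, each certificate is confirmed.
        if ($PSCmdlet.ShouldProcess($cert.Subject, 'Back up and remove from Trusted Root store')) {
            if (-not (Test-Path $BackupDir)) {
                New-Item -ItemType Directory -Path $BackupDir | Out-Null
            }
            # Save the public certificate (DER) so it can be re-imported if needed.
            $cerPath = Join-Path $BackupDir ($cert.Thumbprint + '.cer')
            [System.IO.File]::WriteAllBytes($cerPath, $cert.RawData)
            Remove-Item -Path $cert.PSPath
            $removed = $true
        }
        # One record per suspect certificate, whether or not it was removed.
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Removed    = $removed
        }
    }
}

# Dry run first: lists what would be removed and changes nothing.
Remove-NonSelfSignedRootCert -WhatIf
```

Certificates delivered by GPO come back at the next policy refresh, so the policy itself still has to be cleaned up as described in Step # 2.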


Related KB


Casey, Dedeal
Principal Systems Engineer





Tuesday, July 17, 2018

Exchange Transport Service stops after installing July 2018 Updates


After installing Windows security updates KB4338823 and KB4338818, the Transport service on Exchange 2010 SP3 servers stops processing mail. At the time of writing, MS has confirmed this as an issue (bug) and confirmed that a patch is on its way. Both updates seem to cause issues with the TCP/IP stack, which in turn affect the Exchange application and cause the transport issues.

For now, you should uninstall both updates and wait for MS to come up with another KB that fixes what KB4338823 and KB4338818 broke in the first place.


Oz Casey, Dedeal

Principal Systems Engineer

https://simplepowershell.blogspot.com/  (blog)

https://smtp25.blogspot.com/ (blog)

https://telnet25.wordpress.com/ (blog)

https://twitter.com/Message_Talk (Twitter)