Get Office 365 users with a specific license type via PowerShell

It can sometimes be useful to get a list of Office 365 users with a specific license type via PowerShell. Instead of logging into the Office 365 portal and using a filtered view in the admin center, you can do it straight from the command line.

  • Connect to Office 365 via PowerShell. If this cmdlet doesn’t work for you, follow this quick guide for instructions on installing the required PowerShell module.

Connect-MsolService

  • Run Get-MsolAccountSku to get a list of the current licenses in your Office 365 tenant. Make a note of the AccountSkuId value for the license you want to filter on.

Get-MsolAccountSku

  • Now you can edit this short script to get the users matching that license. In this case, we’re getting users with the EnterprisePremium license.

Get-MsolUser | Where-Object {($_.licenses).AccountSkuId -match "EnterprisePremium"}

Replace EnterprisePremium with the AccountSkuId you’re trying to filter by. Since we’re using the -match operator, we don’t need to type the entire AccountSkuId; we can type just enough of it to ensure that we’re only retrieving that specific one.

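The script can be tweaked for a specific use, for example to export only the UserPrincipalName and IsLicensed columns to a CSV file:

Get-MsolUser -MaxResults 100000 | Where-Object {($_.licenses).AccountSkuId -match "EnterprisePremium"} | Select-Object UserPrincipalName, IsLicensed | Export-Csv -Path c:\temp\E3.csv -NoTypeInformation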

Export these users to a text document

You can export these users to a text document using the Out-File cmdlet.

Get-MsolUser | Where-Object {($_.licenses).AccountSkuId -match "EnterprisePremium"} | Out-file C:\temp\EnterprisePremiumUsers.csv
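
The -match filter used above is a partial match, so a short string can also select a neighbouring SKU whose name contains it. The following added example (not part of the original article) compares the partial match with an exact comparison; the function name Select-UserBySku, the contoso tenant prefix and the sample users are constructed for illustration.

```powershell
# Added example: exact SKU filtering instead of a partial -match.
function Select-UserBySku {
    param(
        [Parameter(Mandatory)][string]$SkuPartNumber,
        [Parameter(Mandatory, ValueFromPipeline)]$User
    )
    process {
        # AccountSkuId has the form <tenant>:<SkuPartNumber>; compare only the part
        # after the colon, and compare it exactly (case-insensitive).
        $skus = @($User.Licenses.AccountSkuId) | ForEach-Object { ("$_" -split ':', 2)[-1] }
        if ($skus -contains $SkuPartNumber) { $User }
    }
}

# Constructed sample data standing in for Get-MsolUser output
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; IsLicensed = $true
        Licenses = @([pscustomobject]@{ AccountSkuId = 'contoso:ENTERPRISEPREMIUM' }) }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; IsLicensed = $true
        Licenses = @([pscustomobject]@{ AccountSkuId = 'contoso:ENTERPRISEPREMIUM_NOPSTNCONF' }) }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; IsLicensed = $true
        Licenses = @([pscustomobject]@{ AccountSkuId = 'contoso:ENTERPRISEPACK' }) }
)

# Partial match: returns alice and bob, because both SKU names contain the string
$users | Where-Object { ($_.Licenses).AccountSkuId -match 'EnterprisePremium' } |
    Select-Object -ExpandProperty UserPrincipalName

# Exact match: returns alice only, emitted as real CSV text
$users | Select-UserBySku -SkuPartNumber 'ENTERPRISEPREMIUM' |
    Select-Object UserPrincipalName, IsLicensed | ConvertTo-Csv -NoTypeInformation

# Against the tenant (after Connect-MsolService):
# Get-MsolUser -All | Select-UserBySku -SkuPartNumber 'ENTERPRISEPREMIUM'
```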

Source: https://gcits.com/knowledge-base/get-office-365-users-specific-license-type-via-powershell/

Terminal Server Inactive Printer Ports

During the restart of a Terminal Server, inactive TS ports should be deleted. When these inactive ports are not deleted, a server can over time become sluggish or even hang. When there are a lot of Inactive TS Ports in the registry, printer redirection may also suffer.

If you are experiencing OS performance problems, or Print Spooler or RDS printer redirection hangs, check for the presence of Inactive TS Ports under the key:

HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}

If the subkeys with #TS001\device parameters in them have a “Port Description” of “Inactive TS Port”, then the entire root key should be deleted.

With the PowerShell script below, it is possible to delete these Inactive TS Ports from a remote machine. The script reads an OU in Active Directory where all RDSH servers are located and then deletes all Inactive TS Ports from those servers.

#Get RDSH Servers
$servers = Get-ADComputer -Filter * -SearchBase "OU=Netherlands, OU=Session Hosts, OU=RDS2012, OU=Servers, OU=Infra,DC=infra,DC=imtech,DC=NL"  

#Delete inactive TS Ports (https://archive.codeplex.com/?p=inactivetsport)
foreach ($server in $servers) {
    $RemoteComputer =$server.name 
    if (Test-Connection -ComputerName $RemoteComputer -Count 1 -ErrorAction SilentlyContinue) { 
        Invoke-Command -ComputerName $RemoteComputer -ScriptBlock {
            $Gegevens = Get-ChildItem -path 'HKLM:SYSTEM\CurrentControlSet\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#ROOT#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}' -Recurse
            ($gegevens.Name ) -replace "\\Device parameters" | Select-Object -Unique | ForEach-Object { 
                $subkey = ($_ -replace "HKEY_LOCAL_MACHINE\\" , "HKLM:\") + "\Device Parameters"         
                $PortDescription = (Get-itemproperty -path $subkey)."Port Description"
                if ($PortDescription -eq "Inactive TS Port") {
                    $subkeydelete = ($_ -replace "HKEY_LOCAL_MACHINE\\" , "HKLM:\")
                    write-host "delete subkey from $env:COMPUTERNAME => $subkeydelete"
                    Remove-Item -Path $subkeydelete -Recurse                   
                }
            }
        } 
    }
}
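
Before running a script that deletes registry keys on every session host, it helps to see how many ports each server actually holds. The following added example (not part of the original script) only reads the registry and reports totals; it assumes each port is a direct subkey of the root key with its own "Device Parameters" subkey, and the names $audit and Get-TsPortSummary are made up for this sketch.

```powershell
# Added example: read-only report of TS ports, nothing is deleted.
$audit = {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#ROOT#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}'
    # -LiteralPath: the key name contains '?', which -Path would treat as a wildcard
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        $params = $_.OpenSubKey('Device Parameters')
        if ($params) {
            $description = $params.GetValue('Port Description')
            $params.Close()
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Key      = $_.Name
                Inactive = ($description -eq 'Inactive TS Port')
            }
        }
    }
}

function Get-TsPortSummary {
    param([string[]]$ComputerName)
    # Run locally when no computer names are given, otherwise over PowerShell remoting
    if ($ComputerName) {
        $rows = Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit
    } else {
        $rows = & $audit
    }
    $rows | Group-Object Computer | ForEach-Object {
        [pscustomobject]@{
            Computer = $_.Name
            Total    = $_.Count
            Inactive = @($_.Group | Where-Object { $_.Inactive }).Count
        }
    }
}

Get-TsPortSummary                                  # local machine
# Get-TsPortSummary -ComputerName $servers.Name    # the RDSH servers read from the OU above
```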

For more information about this issue in Windows Server 2008 please check the site: https://archive.codeplex.com/?p=inactivetsport

How to enable the Disk Cleanup tool on Windows Server 2008 R2

source: https://support.appliedi.net/kb/a110/how-to-enable-the-disk-cleanup-tool-on-windows-server-2008-r2.aspx

How to enable the Disk Cleanup tool:

1) Go to Programs & Features, and in the Features section, enable/install “Desktop Experience”.   The downside to this is that you will need to reboot your server after installing this and it installs other components you do not need on a server.

2) [RECOMMENDED] –  All you really need to do is copy some files that are already located on your server into specific system folders, as described at http://technet.microsoft.com/en-us/library/ff630161(WS.10).aspx

The location of the files you need to copy depends on your version of Windows:

Operating System Architecture File Location
Windows Server 2008 R2 64-bit C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_c9392808773cd7da\cleanmgr.exe
Windows Server 2008 R2 64-bit C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9cb6194b257cc63\cleanmgr.exe.mui
Windows Server 2008 64-bit C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr.resources_31bf3856ad364e35_6.0.6001.18000_en-us_b9f50b71510436f2\cleanmgr.exe.mui
Windows Server 2008 64-bit C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_6.0.6001.18000_none_c962d1e515e94269\cleanmgr.exe.mui
Windows Server 2008 32-bit C:\Windows\winsxs\x86_microsoft-windows-cleanmgr.resources_31bf3856ad364e35_6.0.6001.18000_en-us_5dd66fed98a6c5bc\cleanmgr.exe.mui
Windows Server 2008 32-bit C:\Windows\winsxs\x86_microsoft-windows-cleanmgr_31bf3856ad364e35_6.0.6001.18000_none_6d4436615d8bd133\cleanmgr.exe

Windows Server 2012:

C:\Windows\WinSxS\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_6.2.9200.16384_none_c60dddc5e750072a\cleanmgr.exe
C:\Windows\WinSxS\amd64_microsoft-windows-cleanmgr.resources_31bf3856ad364e35_6.2.9200.16384_en-us_b6a01752226afbb3\cleanmgr.exe.mui

Windows Server 2012 R2: you must install Desktop Experience. Use the PowerShell command:
Install-WindowsFeature Desktop-Experience

 

Once you’ve located the files, move them to the following locations (Server 2012 non-R2 and earlier):

  1. Copy Cleanmgr.exe to %systemroot%\System32.
  2. Copy Cleanmgr.exe.mui to %systemroot%\System32\en-US.

You can now launch the Disk cleanup tool by running Cleanmgr.exe from the command prompt.

If an old cleanup manager is used, Windows Update files will not be cleaned. For this you need Microsoft hotfix 2852386.

Synching Microsoft NPS (RADIUS) servers

source: http://www.routereflector.com/2016/07/syncing-microsoft-nps-servers/

Use the following PowerShell script to sync Microsoft NPS (RADIUS) servers.

# Export the local NPS configuration.
# Note: the export file contains the RADIUS shared secrets unencrypted.
Export-NpsConfiguration -Path C:\TEMP\LocalNPSExportedConfig.xml

$CurrentServerNPS = $env:computername

$NPServers = Get-ADGroupMember "RAS and IAS Servers"
$NPServers | ForEach-Object {

	$NPServerName = $_.Name

	if ($NPServerName -ne $CurrentServerNPS) {
		$NPServerName
		# Copy the exported configuration to the other NPS server
		Copy-Item -Path C:\TEMP\LocalNPSExportedConfig.xml -Destination "\\$NPServerName\C$\TEMP\LocalNPSExportedConfig.xml"
		# Back up the remote configuration, then import the local one
		Invoke-Command -ComputerName $NPServerName -ScriptBlock {Export-NPSConfiguration -Path C:\TEMP\BackupNPSExportedConfig.xml}
		Invoke-Command -ComputerName $NPServerName -ScriptBlock {Import-NPSConfiguration -Path C:\TEMP\LocalNPSExportedConfig.xml}
	}
}

 

Failed To Open or Edit GPO

source: https://mohdzmaili.wordpress.com/2017/02/15/failed-to-open-or-edit-gpo/comment-page-1/#comment-30

 

Group Policy Object cannot be opened or edited with the error: Failed to open Group Policy Object. You might not have the appropriate rights.

Details: The volume for a file has been externally altered so that the opened file is no longer valid.

Solution:

  • Get GPO GUID: from Group Policy Management Console (GPMC) –> choose GPO –> from right pane go to Details tab –> go to Unique ID field.
  • Open the path: C:\Windows\SYSVOL\sysvol\<Domain>\Policies\<GPO GUID>\User
  • Delete “registry.pol” file.

Note: if you have migrated SYSVOL replication type from FRS to DFSR, open the path:  C:\Windows\SYSVOL_DFSR\sysvol\<Domain>\Policies\<GPO GUID>\User

Resetting Administrator Password in Windows 2012

Instructions

To reset the password on your Windows 2012 server, simply complete the following steps:

  • Boot from the Microsoft Windows Server 2012 DVD.
  • From the Windows Setup menu, click “Next”.
  • Select “Repair your computer”.
  • Under Choose an option, click on “Troubleshoot”.
  • Under Advanced options, click “Command Prompt”.
  • At the command prompt, run the following commands:
    d:
    cd windows\system32
    ren Utilman.exe Utilman.exe.old
    copy cmd.exe Utilman.exe
  • Close the command prompt and then click “Continue”.
  • The server should now boot and present the logon screen. Here, press Windows Key + U.
  • At the prompt you can now change the password by typing the following command:
    net user administrator Password123
    This will set the password for the Administrator user to Password123 (case sensitive).

    If a new (administrator) user is needed, type the following commands:
    net user "OtherUser" Password123 /add
    net localgroup administrators "OtherUser" /add

After closing the command prompt, you should be able to log back on to the server using the password you provided in the last step.

 

Cleanup Steps

Once you have verified you can log on to the server, you will have to repeat the steps above: boot using the Windows Server 2008 DVD/ISO and run the command prompt again.

  • Restart your server and once again boot from the Microsoft Windows Server 2012 DVD.
  • From the Windows Setup menu, click “Next”.
  • Select “Repair your computer”.
  • Under Choose an option, click on “Troubleshoot”.
  • Under Advanced options, click “Command Prompt”.
  • At the command prompt, run the following commands:
    d:
    cd windows\system32
    ren utilman.exe utilman.exe.new
    copy utilman.exe.old utilman.exe
  • Close the command prompt and then click “Continue”.

You should be back up and running as if nothing ever happened.
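
A check that the cleanup steps really completed, as an added example that is not part of the original article: it reports whether Utilman.exe is still byte-identical to cmd.exe and whether the renamed copies from the steps above remain in System32. The function name Test-UtilmanRestored is made up for this sketch, and Get-FileHash assumes PowerShell 4.0 or later.

```powershell
# Added example: verify that Utilman.exe was restored after the password reset.
function Test-UtilmanRestored {
    param([string]$Directory = (Join-Path $env:SystemRoot 'System32'))

    $utilman = Join-Path $Directory 'Utilman.exe'
    $cmd     = Join-Path $Directory 'cmd.exe'
    $hash    = { param($p) (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash }
    $cmdHash = & $hash $cmd

    # Copies left behind by the rename/copy steps (Utilman.exe.old, Utilman.exe.new)
    $leftovers = @(
        Get-ChildItem -LiteralPath $Directory -Filter 'Utilman.exe.*' -File |
            Where-Object { $_.Name -match '^Utilman\.exe\.(old|new)$' } |
            ForEach-Object {
                [pscustomobject]@{
                    Name      = $_.Name
                    IsCmdCopy = ((& $hash $_.FullName) -eq $cmdHash)
                }
            }
    )

    $utilmanIsCmd = ((& $hash $utilman) -eq $cmdHash)

    [pscustomobject]@{
        UtilmanIsCmd = $utilmanIsCmd          # $true means the swap is still in place
        Leftovers    = $leftovers             # renamed copies that should be removed
        Clean        = (-not $utilmanIsCmd) -and ($leftovers.Count -eq 0)
    }
}

Test-UtilmanRestored | Format-List
```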

 

source: http://www.kieranlane.com/2013/09/18/resetting-administrator-password-windows-2012/

Copy SQL server database role

source: http://stackoverflow.com/questions/6300740/how-to-script-sql-server-database-role

 

The following script generates a script that can be used to copy a SQL database role.

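declare @RoleName varchar(50) = 'RoleName'

-- Build CREATE ROLE plus one statement per object-level permission of the role
declare @Script varchar(max) = 'CREATE ROLE ' + QUOTENAME(@RoleName) + char(13)
select @Script = @Script
    + case prm.state when 'D' then 'DENY ' else 'GRANT ' end   -- keep DENY rows as DENY
    + prm.permission_name + ' ON '
    + QUOTENAME(OBJECT_SCHEMA_NAME(prm.major_id)) + '.' + QUOTENAME(OBJECT_NAME(prm.major_id))
    + ' TO ' + QUOTENAME(rol.name)
    + case prm.state when 'W' then ' WITH GRANT OPTION' else '' end
    + char(13) COLLATE Latin1_General_CI_AS
from sys.database_permissions prm
    join sys.database_principals rol on
        prm.grantee_principal_id = rol.principal_id
where rol.name = @RoleName
    and prm.class = 1      -- objects only; for other classes OBJECT_NAME() returns NULL and blanks the script
    and prm.minor_id = 0   -- column-level permissions are not scripted

print @Script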

 

Active Directory – How to display Bitlocker Recovery Key

source: http://www.alexandreviot.net/2015/06/10/active-directory-how-to-display-bitlocker-recovery-key/

When Bitlocker is enabled on workstations/laptops in your enterprise, you must have a solution to get the recovery key of the hard drive. In some cases, Bitlocker can prompt the user for the Recovery key if it detects a specific behavior like partition changes.

The easiest solution is to use the Active Directory Users And Computers console. This is only possible if you have set the GPO to store the Recovery Key in Active Directory.

With Active Directory Users And Computers, we can:

  • Display Bitlocker Recovery key for one computer.
  • Search in all Active Directory for a Password ID.
  • Delegate Rights to display confidential information.

Feature installation

Before searching for your computer in Active Directory, you need to install a plugin to display Bitlocker Recovery Key information. It has been included in the features since Windows Server 2008.

To install Bitlocker Recovery Key feature:

  • Go to Server Manager.
  • On Features Page select Remote Server Administration Tools.
  • Check Bitlocker Drive Encryption Administration Utility.
    • Check Bitlocker Drive Encryption Tools.
    • Bitlocker Recovery Password Viewer.

Computer Object

After the installation, just close and open Active Directory Users And Computers again.

A new tab is now available on the computer object, Bitlocker Recovery, with some information:

  • Recovery Key: this key must be given to the user if needed.
  • Computer name and date.
  • Password ID: the user must give you this information (first 8 digits).

Bitlocker Recovery Key Lookup Tool

Sometimes you don’t have the computer name because the remote user doesn’t know it. You only have the first 8 digits of the code. Don’t panic, there is a solution for that too.

We can search for the 8-digit code in all computer objects:

  • Right-click on your domain name.
  • Select Find Bitlocker Recovery Password.
  • Enter the first 8 digits and click Search. You will find the computer and the recovery key.
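
The same lookup can be scripted. The following added example (not from the original article) matches the first 8 characters of the Password ID against the names of msFVE-RecoveryInformation objects, which have the form <timestamp>{<Password ID>} and sit directly under the computer object. The function name Select-RecoveryByPasswordId and the sample objects, including the all-zero recovery password, are constructed for illustration.

```powershell
# Added example: find the computer and recovery key from the first 8 characters of the Password ID.
function Select-RecoveryByPasswordId {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]   # hex only, so it is safe to place in the regex below
        [string]$PasswordIdPrefix,

        [Parameter(Mandatory, ValueFromPipeline)]
        $RecoveryObject
    )
    process {
        if ($RecoveryObject.Name -match "\{$PasswordIdPrefix") {
            # The parent (computer) DN is everything after the first unescaped comma
            $parentDn = ($RecoveryObject.DistinguishedName -split '(?<!\\),', 2)[1]
            [pscustomobject]@{
                Computer         = ($parentDn -split '(?<!\\),', 2)[0] -replace '^CN='
                PasswordId       = $RecoveryObject.Name -replace '^.*\{|\}$'
                RecoveryPassword = $RecoveryObject.'msFVE-RecoveryPassword'
            }
        }
    }
}

# Constructed sample objects standing in for Get-ADObject output
$sample = @(
    [pscustomobject]@{
        Name                     = '2015-06-10T09:15:00-00:00{1A2B3C4D-0000-0000-0000-000000000001}'
        DistinguishedName        = 'CN=2015-06-10T09:15:00-00:00{1A2B3C4D-0000-0000-0000-000000000001},CN=LAPTOP01,OU=Workstations,DC=example,DC=com'
        'msFVE-RecoveryPassword' = '000000-000000-000000-000000-000000-000000-000000-000000'
    }
    [pscustomobject]@{
        Name                     = '2015-06-11T14:40:00-00:00{9F8E7D6C-0000-0000-0000-000000000002}'
        DistinguishedName        = 'CN=2015-06-11T14:40:00-00:00{9F8E7D6C-0000-0000-0000-000000000002},CN=LAPTOP02,OU=Workstations,DC=example,DC=com'
        'msFVE-RecoveryPassword' = '000000-000000-000000-000000-000000-000000-000000-000000'
    }
)

# Returns the LAPTOP01 entry only
$sample | Select-RecoveryByPasswordId -PasswordIdPrefix '1a2b3c4d'

# Against a live domain (requires the ActiveDirectory module and read access to these objects):
# Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -Properties 'msFVE-RecoveryPassword' |
#     Select-RecoveryByPasswordId -PasswordIdPrefix '1A2B3C4D'
```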

Delegation Rights

If a helpdesk team exists in your enterprise, you may want to give them the right to display this information. However, the recovery key is confidential information and standard users cannot view it.

We need to delegate some rights on the targeted OU to a specific group.

  • Right-click on the targeted OU and select Delegate Control.
  • Add the groups which need to view the Recovery Key.
  • Select Create a custom task to delegate.
  • Choose Only the following object in the folder and check MSFVE-RecoveryInformation objects.
  • Give Full Control on this object.
  • Helpdesk users can now view Recovery information.

More

You can get more information about Bitlocker here.

Quickly list all mailboxes to which a particular user has access

From Vasil Michev

source: http://www.michev.info/Blog/Post/77/Quickly-list-all-mailboxes-to-which-a-particular-user-has-access

 

  • List all mailboxes to which a particular user has Full Access permissions:

PS C:\> Get-Mailbox | Get-MailboxPermission -User vasil

Identity             User                 AccessRights
--------             ----                 ------------
HuKu                 Vasil Michev         {FullAccess}
retail               Vasil Michev         {FullAccess}
sharednew            Vasil Michev         {FullAccess}
testplan2            Vasil Michev         {FullAccess}
WC                   Vasil Michev         {FullAccess}

  • List all shared/user/room/whatever mailboxes to which particular user has Full Access permissions:

PS C:\> Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox -ResultSize Unlimited | Get-MailboxPermission -User vasil

Identity             User                 AccessRights
--------             ----                 ------------
HuKu                 Vasil Michev         {FullAccess}
retail               Vasil Michev         {FullAccess}
sharednew            Vasil Michev         {FullAccess}
testplan2            Vasil Michev         {FullAccess}

  • List all mailboxes to which members of a particular security group have access:

PS C:\> Get-Mailbox | Get-MailboxPermission -User secgrp

Identity             User                 AccessRights
--------             ----                 ------------
Bathroom             secgrp               {FullAccess}

  • List all mailboxes to which a user has Send As permissions:

PS C:\> Get-Mailbox | Get-RecipientPermission -Trustee vasil

Identity                            Trustee                             AccessControlType                   AccessRights
--------                            -------                             -----------------                   ------------
sharednew                           Vasil Michev                        Allow                               {SendAs}

  • List all user mailboxes to which members of a particular security group have access:

PS C:\> Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-RecipientPermission -Trustee secgrp

Identity                            Trustee                             AccessControlType                   AccessRights
--------                            -------                             -----------------                   ------------
HuKu                                secgrp                              Allow                               {SendAs}

  •  List all mailboxes to which a particular security principal has Send on behalf of permissions:

PS C:\> Get-Mailbox | ? {$_.GrantSendOnBehalfTo -match "vasil"}

Name                      Alias                ServerName       ProhibitSendQuota
----                      -----                ----------       -----------------
Bathroom                  bathroom             amspr03mb084     49.5 GB (53,150,220,288 bytes)
WC                        WC                   dbxpr03mb096     9.5 GB (10,200,547,328 bytes)