Room permissions Office 365

Microsoft Hosted Exchange – How to grant a user full permissions on a room mailbox in Office 365:

Email address of user to be granted access:    User123@domain.com
Room mailbox email address:      Room123@domain.com

You need to do this through PowerShell, which is part of Windows 7. From your Windows 7 machine, run PowerShell as admin (right-click PowerShell and choose Run as Admin).
In the PowerShell window, type the following commands:
Set-ExecutionPolicy unrestricted
Choose Y to confirm
$cred=Get-Credential
(You will be prompted for the Office 365 admin user. If you are an administrator in Office 365, type your email address as the user and your email password.)

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection

Import-PSSession $session

Add-MailboxPermission -Identity room123@domain.com -User user123@domain.com -AccessRights FullAccess -InheritanceType All -AutoMapping:$false
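
To review what the grant above leaves behind, here is an added example (not part of the original article) that lists explicit FullAccess grants on room mailboxes and previews a revoke. It assumes the Exchange session imported above is still open; the function name Get-RoomFullAccessGrant is hypothetical.

```powershell
# Added example: audit explicit FullAccess grants on room mailboxes.
# Assumes the session from Import-PSSession above is still open.
function Get-RoomFullAccessGrant {
    param(
        # Optional single room; default is every room mailbox in the tenant.
        [string]$Room
    )

    if ($Room) {
        $mailboxes = @(Get-Mailbox -Identity $Room)
    } else {
        $mailboxes = @(Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited)
    }

    foreach ($mbx in $mailboxes) {
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                # -match works whether AccessRights arrives as a list or a string.
                ($_.AccessRights -match 'FullAccess') -and
                (-not $_.IsInherited) -and        # skip inherited system entries
                (-not $_.Deny) -and               # skip explicit deny entries
                ($_.User -notlike 'NT AUTHORITY\SELF')
            } |
            Select-Object @{ Name = 'Room'; Expression = { $mbx.PrimarySmtpAddress } },
                          User, AccessRights, IsInherited
    }
}

# Confirm the grant made above and see who else holds FullAccess on rooms.
Get-RoomFullAccessGrant -Room room123@domain.com | Format-Table -AutoSize
Get-RoomFullAccessGrant | Export-Csv -Path C:\room-fullaccess.csv -NoTypeInformation

# Preview removing a grant that is no longer needed (drop -WhatIf to apply).
Remove-MailboxPermission -Identity room123@domain.com -User user123@domain.com `
    -AccessRights FullAccess -InheritanceType All -WhatIf

# Close the remote session when done, and tighten the execution policy again;
# RemoteSigned is sufficient for Import-PSSession.
Remove-PSSession $Session
Set-ExecutionPolicy RemoteSigned
```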

 

My Notes on changing permissions on public folders

Same as the steps above, except the last step is:

Get-PublicFolder -Identity "\CPM" -Recurse | Add-PublicFolderClientPermission -User "UserNameHere-WhichIsFirstpartOfEmailAddressBeforethe@" -AccessRights Owner

 

My Notes on changing permissions on public calendars:

add-MailboxFolderPermission -Identity CalendarName@domain.com:\Calendar -User User@domain.com -AccessRights PublishingAuthor

Get-MailboxFolderPermission -Identity calendor@domain.com:\calendar

Remove-MailboxFolderPermission -Identity user@mycompany:\calendar -user myuser@mycompany.com

My Notes on setting password to never expire for a user:

Find users' PasswordNeverExpires status:

Get-MSOLUser -MaxResults 2000 | Select UserPrincipalName, PasswordNeverExpires | export-csv c:\result.txt

Start the Microsoft Online Services Module for PowerShell (download it from the web if not already installed). “Run As” Admin. Type the following:

Connect-MsolService

Check the password policy for that user:
Get-MSOLUser -UserPrincipalName user@domain.com | Select PasswordNeverExpires
Substitute user@domain.com with the username whose password policy you want to check.

Change it to never expire:
Set-MsolUser -UserPrincipalName user@domain.com -PasswordNeverExpires $true
Substitute user@domain.com with the username whose password policy you want to change.
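
To keep track of which accounts carry this exemption, here is an added example (not from the original article) that reports every account with PasswordNeverExpires set, along with the age of its password. It assumes Connect-MsolService has been run as above; the function name and the 365-day threshold are hypothetical.

```powershell
# Added example: report accounts whose password never expires.
# Assumes Connect-MsolService has already been run as shown above.
function Get-NeverExpiringAccount {
    param(
        # Hypothetical review threshold: flag passwords older than this.
        [int]$StaleAfterDays = 365
    )

    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    Get-MsolUser -All |
        Where-Object { $_.PasswordNeverExpires -eq $true } |
        Select-Object UserPrincipalName,
                      IsLicensed,
                      BlockCredential,
                      LastPasswordChangeTimestamp,
                      @{ Name = 'StalePassword'
                         Expression = { $_.LastPasswordChangeTimestamp -lt $cutoff } }
}

$report = @(Get-NeverExpiringAccount)

# Oldest passwords first: these are the accounts to review before anything else.
$report | Sort-Object LastPasswordChangeTimestamp | Format-Table -AutoSize
$report | Export-Csv -Path C:\never-expire.csv -NoTypeInformation

# Put one account back under the normal expiry policy (drop the # to run):
# Set-MsolUser -UserPrincipalName user@domain.com -PasswordNeverExpires $false
```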

If you find this article helpful, please send me a note to Mike@bostonIT.com so I can keep on adding more hands-on knowledgebase articles. https://bostonit.wpengine.com/it-companies-boston/


Windows takes long time to shutdown

Windows Server 2008 Takes Too Long to Restart or Shutdown.

Had two identical Lenovo ThinkServer servers loaded with Windows Server 2008 SP1 (not R2) and when restarting or shutting down, it would take over 30 minutes for them to restart.

When you press restart in Windows, Keyboard and Mouse appear unresponsive and the screen halts.

It turned out that Windows 2008 Server was configured to clear the page file upon shut down/restart and that was delaying the process of server going down. To fix the issue, go to the following registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

and change ClearPageFileAtShutdown value to 0 instead of 1

Alternatively, you can go to Programs, Administrative Tools, Local Security Policy, Security Settings, Local Policies, Security Options, In the right pane, right click on Shutdown: Clear virtual memory pagefile. Change it to disabled.

After you make the change, reboot the server (it might still take a long time to reboot because the setting will take effect next time you boot).

If you have a Domain Policy configured make sure you change that setting in the Domain Group Policy on the Domain Controller.


Quota warning

 

Users don’t receive Mailbox Quota Warnings in Microsoft Exchange 2010 SP1/SP2 – Quota Warnings Aren’t Generated

This is a design change that Microsoft made in Exchange 2010 Service Pack 1. Prior to Service Pack 1, quota warning messages were generated automatically whenever mail users hit the quota warning threshold. After Service Pack 1, they are not generated unless you:

EITHER

Set the “prohibit send” quota value. You can go to Microsoft site or do a Google search to find out more about how that works.

OR

Add a new Flag/Registry key:

Resolutions:

We are going to add the necessary flag.

Add the following registry key and restart the Information Store. Quota notification emails will start working, and people will start getting them once a day if they have exceeded the quota value.

Run Regedit, and go to the following:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MsExchangeIS\ParametersSystem

Create a New DWORD Value.

Type CheckWarningQuota , and then press Enter.

Right-click CheckWarningQuota, and then click Modify.

In the Value data box, type 1, and then click OK.

Exit the Registry and restart the Information Store.


Disable Open File warning

How to Disable Open File Security Warning in Windows 7 When Opening Files on the Local or Network Drives:

 

Click Start –> Search or Run,

Type
gpedit.msc and hit enter

In the left pane, click on to expand User Configuration, Administrative Templates, Windows Components, and Attachment Manager.

In the right pane, double click on Inclusion list for low file types.

Enable it and type the extension of the file type that you would like to disable the security warning for (if it is an EXE file, then type .exe). If you have multiple file types (like bat, dba and xls), separate them with a semicolon (;).
This is how that would look:
.bat;.dba;.xls


Remote Web Access is not allowed

Remote Web Access is not allowed for your user account. Contact the person who manages your server.

Scenario:

We were hired by a customer to help troubleshoot an issue with Remote Web Access (RWA) after they had already migrated to Windows SBS 2011 Essential from Windows Server 2003 SBS. When people go to the RWA URL site, type username and password and hit login they get:

“Remote Web Access is not allowed for your user account. Contact the person who manages your server.”

They were unable to log in, not even as domain administrators.

The following error was logged in “C:\ProgramData\Microsoft\Windows Server\Logs\Dashboard”

[38300] 130221.160506.6590: IDENTITY: Add Group:RemoteAccess failed with ErrorCode:8ac

The following error was logged in “C:\ProgramData\Microsoft\Windows Server\Logs\WebApps\RemoteAccess.log”

[33088] 130220.211827.8285: RemoteAccess: [Identity] User validate passed but not permitted to enter.

Resolution:

It turned out that when the server was migrated to Windows SBS 2011 Essentials from Windows Server 2003, a few steps were skipped in the process of migration! Here are the steps that are pertinent to the issue and that have fixed it for me.

1- Go to “Active Directory Users and Computers” and look for the security groups listed below; if you don’t find them, you must create them manually. To create those groups in Active Directory Users and Computers, expand My Business, expand Users, and then expand SBSUsers. Right-click and click Create New Group. Enter the group name, click Security Group, set the scope to Global, and then click Create. Repeat this step for the remainder of the security groups below. (In short, you need to create the security groups listed below that didn’t migrate over; they can be anywhere in ADUC, nothing is special about the location.) The groups are:

  • RA_AllowAddInAccess
  • RA_AllowComputerAccess
  • RA_AllowDashboardAccess
  • RA_AllowHomePageLinks
  • RA_AllowNetworkAlertAccess
  • RA_AllowRemoteAccess
  • RA_AllowShareAccess
  • WSSUsers

2- In “Active Directory Users and Computers” you also must add the “Authenticated Users” group to the “Pre-Windows 2000 Compatible Access” group.

In the navigation pane of Active Directory Users and Computers expand “YourDomainName”, and then click the Builtin folder. In the details pane, right-click the Pre-Windows 2000 Compatible Access group, and then click Properties. On the Members tab, click Add. Type Authenticated Users, and then click OK.

3- Now, because some accounts were migrated from the Windows 2003 Server, by default they do not have membership in those Windows SBS 2011 Essentials security groups. To add group memberships to the accounts that you are using for migration, do the following:

Click Start, click Administrative Tools, and then click Active Directory Users and Computers. In the navigation pane, expand YourDomainName, expand My Business, expand Users, and then expand SBSUsers. Open the administrator account or accounts to which you want to assign membership. Click the Member Of tab and add all the “RA_…..” security groups above.

4- When creating new user accounts, use the Windows Small Business Server 2011 Dashboard instead of Active Directory Users and Computers.

5- If there is a user in Active Directory that you don’t see in the Dashboard, use the following steps to add it to the Dashboard:

Go to command line

cd "c:\Program Files\Windows Server\Bin"
Type WssPowerShell.exe
Type Import-WssUser -Name 
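
Steps 1 and 3 can be checked from PowerShell before changing anything by hand. The following is an added example, not part of the original article; it assumes the ActiveDirectory module is available on the server, and the OU path, the account name Administrator and the function names are placeholders or hypothetical.

```powershell
# Added example: check the groups from step 1 and the memberships from step 3.
Import-Module ActiveDirectory

$requiredGroups = 'RA_AllowAddInAccess', 'RA_AllowComputerAccess',
                  'RA_AllowDashboardAccess', 'RA_AllowHomePageLinks',
                  'RA_AllowNetworkAlertAccess', 'RA_AllowRemoteAccess',
                  'RA_AllowShareAccess', 'WSSUsers'

# Placeholder DN: replace with the container you use in your own domain.
$targetOU = 'OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com'

# Return the names from the list that do not exist anywhere in the domain.
function Get-MissingSbsGroup {
    param([string[]]$Names)
    foreach ($name in $Names) {
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) { $name }
    }
}

# Return the RA_ groups the account is not yet a direct member of.
function Get-MissingMembership {
    param([string]$Account, [string[]]$Names)
    $current = @(Get-ADPrincipalGroupMembership -Identity $Account |
        Select-Object -ExpandProperty Name)
    $Names | Where-Object { $_ -like 'RA_*' -and $current -notcontains $_ }
}

$missing = @(Get-MissingSbsGroup -Names $requiredGroups)
"Missing groups: $($missing -join ', ')"

# Step 1: create only what is missing. -WhatIf previews; remove it to apply.
foreach ($name in $missing) {
    New-ADGroup -Name $name -SamAccountName $name -GroupCategory Security `
        -GroupScope Global -Path $targetOU -WhatIf
}

# Step 3: list what the admin account still lacks, then preview adding it.
$account = 'Administrator'   # placeholder account name
foreach ($name in @(Get-MissingMembership -Account $account -Names $requiredGroups)) {
    if ($missing -notcontains $name) {
        Add-ADGroupMember -Identity $name -Members $account -WhatIf
    }
}
```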


Enable ZIP Extension for PHP

How to Enable ZIP Extension for PHP on Linux – Ubuntu – ZIP.SO – PHP.INI – Efront – XAMPP/LAMPP

Download XAMPP from:
http://www.apachefriends.org/en/xampp-linux.html

That contains Apache 2.4.3, MySQL 5.5.27, and PHP 5.4.7.

Follow instructions on the site (All it takes is just download and unzip into /opt/lampp. It’s pre-compiled).

For Apache, you might want to update the root directory of the http server to "/opt/lampp" (edit /opt/lampp/etc/httpd.conf and make sure the following path in the file is correct: ServerRoot "/opt/lampp").

Enable zip extension for php with apache by:

1- Un-commenting zip.so in /opt/lampp/etc/php.ini. (The latest version of XAMPP, as of this article, is compiled with zip support for PHP but you need to follow the few steps mentioned here to enable it and make it work).

2- Un-commenting and updating the path of the extension_dir in php.ini (extension_dir = "/opt/lampp/lib/php/extensions/no-debug-non-zts-20100525")

3- Downloading zip.so into the Extension Dir.

You can download the modified php.ini, httpd.conf and the zip.so described above here:

Download php.ini
Download zip.so 
Download http.conf file

Clear browser cache.

Stop and start XAMPP
/opt/lampp/lampp stop
/opt/lampp/lampp start

Now you can download efront and unzip it into /opt/lampp/efront.


AnyConnect not able to establish a connection to the specified secure gateway

AnyConnect was not able to establish a connection to the specified secure gateway – Cisco VPN Linux / RedHat and RHEL / Ubuntu, Debian:

Scenario:

When using the Linux Cisco AnyConnect client x64 (like Mac, Ubuntu, Red Hat RHEL and Debian) you might get the error above, or if you connect through the command line you might get the following errors:

>/opt/cisco/anyconnect/bin/vpn connect vpn.domain.com
Cisco AnyConnect Secure Mobility Client (version 3.1.02043) .

Copyright (c) 2004 - 2013 Cisco Systems, Inc.  All Rights Reserved.

  >> state: Disconnected
  >> state: Disconnected
  >> notice: Ready to connect.
  >> registered with local VPN subsystem.
  >> contacting host (vpn.domain.com) for login information...
  >> notice: Contacting vpn.domain.com.
VPN> AnyConnect cannot verify the VPN server: vpn.domain.com
Connecting to this server may result in a severe security compromise!
AnyConnect is configured to block untrusted VPN servers by default.  
Most users choose to keep this setting.
If this setting is changed, 
AnyConnect will no longer automatically block connections to potentially malicious network devices.

Change the setting that blocks untrusted connections? [y/n]: y

Changing this VPN Preference may result in a severe security compromise!

Change the setting that blocks untrusted connections? [y/n]: y
  >> warning: Connection attempt has failed.
  >> state: Disconnected


>sudo /opt/cisco/anyconnect/bin/vpn connect vpn.domain.com
Cisco AnyConnect Secure Mobility Client (version 3.0.07059) .

Copyright (c) 2004 - 2012 Cisco Systems, Inc.
All Rights Reserved.


>> state: Disconnected
>> state: Disconnected
>> notice: Ready to connect.
>> registered with local VPN subsystem.
>> contacting host (vpn.domain.com) for login information...
>> notice: Contacting vpn.domain.com.
VPN>
>> Please enter your username and password.
Group: VPNGroup

Username: [UserName] UserName
Password:
>> state: Connecting
>> notice: Establishing VPN session...
>> error: AnyConnect was not able to establish a connection to the 
specified secure gateway. Please try connecting again.
>> notice: Connection attempt has failed.
>> state: Disconnected

Resolution:

1- Before you start troubleshooting the issue on the client side, make sure SSL certificates are installed and configured properly on the ASA. Go to http://www.digicert.com/help/ and test your server SSL certificate; if you see any issues, talk to your system admin to fix them. In addition to your company SSL certificate, the intermediate certificate from the SSL provider needs to be installed on the ASA too, and that web tool can show you any issues in that regard (a missing intermediate cert is a common issue).

2- Important: Upgrade to the latest Cisco AnyConnect client. You can download it from the Cisco TAC site, but you need a username and a password. The latest version of AnyConnect as of this article is 3.1.04066.

3- In one of the cases the Cisco ASA had a Go Daddy SSL certificate. Copying the Go Daddy certificate from the Linux SSL certificate folder to the Cisco SSL certificate folder on the Linux machine forced AnyConnect to trust that certificate.

sudo cp /etc/ssl/certs/Go* /opt/.cisco/certificates/ca/

If you are using a different 3rd party SSL certificate on the ASA, then you need to copy that certificate the same way.

You can also copy all the certificates from /etc/ssl/certs/ to /opt/.cisco/certificates/ca/ if you are not sure what certificate you are using.

If you get this error in Windows, make sure you stop the Internet Sharing service in Windows services.


Downgrading Windows 8 to Windows 7 Freezes and hangs

Downgrading Windows 8 to Windows 7 Freezes and hangs – How to install Windows 7:

Scenario:

I had a brand new HP ProBook 4440s Laptop that came preloaded with Windows 8. Customer wanted to downgrade it to Windows 7 x64 but during the very initial steps of the Windows 7 installation, the Windows installation screen would freeze and it wouldn’t go on:

Resolution:

That was basically a BIOS UEFI setting. Reboot PC and go to BIOS, go to System Configuration, Boot Options and change setting there to “Legacy” mode. Change setting, save and reboot. That should fix it. Try installing Windows 7 again and it should work this time.


The directory service is missing mandatory configuration

The operation failed because: Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDnsZones,DC=domain-name,DC=com to Active Directory Domain Controller \\DC.domain-name.com.
“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”

Scenario:

When trying to demote one of Windows 2008 Domain Controllers, you get the above error message.

Resolution:

Copy the script below into a file and call it Script.vbs.

const ADS_NAME_INITTYPE_GC = 3
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_CANONICAL = 2

set inArgs = WScript.Arguments

if (inArgs.Count = 1) then
    ' Assume the command line argument is the NDNC (in DN form) to use.
    NdncDN = inArgs(0)
Else
    Wscript.StdOut.Write "usage: cscript fixfsmo.vbs NdncDN"
End if

if (NdncDN <> "") then

    ' Convert the DN form of the NDNC into DNS dotted form.
    Set objTranslator = CreateObject("NameTranslate")
    objTranslator.Init ADS_NAME_INITTYPE_GC, ""
    objTranslator.Set ADS_NAME_TYPE_1779, NdncDN
    strDomainDNS = objTranslator.Get(ADS_NAME_TYPE_CANONICAL)
    strDomainDNS = Left(strDomainDNS, len(strDomainDNS)-1)

    Wscript.Echo "DNS name: " & strDomainDNS

    ' Find a domain controller that hosts this NDNC and that is online.
    set objRootDSE = GetObject("LDAP://" & strDomainDNS & "/RootDSE")
    strDnsHostName = objRootDSE.Get("dnsHostName")
    strDsServiceName = objRootDSE.Get("dsServiceName")
    Wscript.Echo "Using DC " & strDnsHostName

    ' Get the current infrastructure fsmo.
    strInfraDN = "CN=Infrastructure," & NdncDN
    set objInfra = GetObject("LDAP://" & strInfraDN)
    Wscript.Echo "infra fsmo is " & objInfra.fsmoroleowner

    ' If the current fsmo holder is deleted, set the fsmo holder to this domain controller.

    if (InStr(objInfra.fsmoroleowner, "\0ADEL:") > 0) then

        ' Set the fsmo holder to this domain controller.
        objInfra.Put "fSMORoleOwner", strDsServiceName
        objInfra.SetInfo

        ' Read the fsmo holder back.
        set objInfra = GetObject("LDAP://" & strInfraDN)
        Wscript.Echo "infra fsmo changed to:" & objInfra.fsmoroleowner

    End if
End if

 

Now go to command line on that DC and run the script by typing the following:

cscript Script.vbs DC=ForestDNSZones,DC=contoso,DC=com

Where:
DC=contoso is the Windows Domain. My Windows Domain was called Domain1.com so I replaced contoso with Domain1. So the command for me was:

cscript Script.vbs DC=ForestDNSZones,DC=Domain1,DC=com

Now try the dcpromo again.

If that doesn’t work go to command line and type:


dsquery * CN=Infrastructure,DC=ForestDnsZones,DC=domain,DC=int -attr fSMORoleOwner

and see if the result shows an old DC that you demoted previously but that still has traces in the domain. Use ADSI Edit to clean up and remove that DC.
The following article might help you:

http://www.zerohoursleep.com/2011/07/dcpromo-out-fails-with-the-directory-service-is-missing-mandatory-configuration-information-and-is-unable-to-determine-the-ownership-of-floating-single-master-operation-roles/


BurFlags – D4

Reinitializing/Forcing File Replication Service FRS using Registry key BurFlags D4:

Have you been in the situation where you’re unable to replicate AD changes made across 2003 Domain Controllers? I have been there several times, and the last time was when I was attempting to transfer the Global Catalog role for an Exchange Server migration, however any AD changes I had made never replicated across DCs. Also had failing SYSVOL replication problems. The only thing that worked for me was when I did an Authoritative FRS restore by changing the BurFlags registry key to D4 and then restarting the File Replication service – that was done on the DC that had replication and SYSLOG issues.

BurFlags registry key contains REG_DWORD values, and is located in the following location in the registry:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup"

The most common values for the BurFlags registry key are:

D2: also known as a non-authoritative mode restore.
D4: also known as an authoritative mode restore.

Changing the BurFlags key to D4 will reinitialize replication.

For more instructions, please refer to the following Knowledgebase article:

http://support.microsoft.com/kb/290762


Registry Caution: Do not use the registry editor to edit the registry directly unless you have no alternative and are directed by Microsoft. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows. We recommend you have a full backup of the system before making changes to the registry. Do it at your own risk. bostonIT doesn’t assume responsibility for any unintended consequences.