Custom role to create resource groups at a subscription level in Azure

This will allow members of this role to create RG’s at the subscription level.

Create the file input.json


{
    "Name": "Resource Group Manager",
    "IsCustom": true,
    "Description": "Lets you manage resource groups at the subscription level.",
    "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/*"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
        "/subscriptions/"
    ]
}

Connect using Azure PowerShell, and import the file:


New-AzureRMRoleDefinition -InputFile ''

You may have to log out of the Azure portal and log back in before you see the new role showing up. Then just add users to the role.
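As an added example (not the post's own commands), the whole flow scripted with the AzureRM module: fill in the AssignableScopes placeholder from input.json with the real subscription, create the definition, show what the wildcard action actually grants, assign the role to one user, and list who holds it. The subscription ID, user UPN and file path are placeholders.

```powershell
# Added example, not from the original post. Assumes the AzureRM module and the input.json above.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription ID
$UserUpn        = 'user@example.com'                        # placeholder sign-in name
$RoleFile       = 'C:\scripts\input.json'                   # placeholder path to input.json

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $SubscriptionId

# Replace the "/subscriptions/" placeholder so the role can only be assigned inside this subscription
$role = Get-Content -Path $RoleFile -Raw | ConvertFrom-Json
$role.AssignableScopes = @("/subscriptions/$SubscriptionId")
$role | ConvertTo-Json -Depth 5 | Set-Content -Path $RoleFile

# Create the definition once; Get-AzureRmRoleDefinition returns nothing if the name is unknown
if (-not (Get-AzureRmRoleDefinition -Name $role.Name)) {
    New-AzureRmRoleDefinition -InputFile $RoleFile
}

# Show the effective actions: the wildcard covers read, write AND delete on resource groups
(Get-AzureRmRoleDefinition -Name $role.Name).Actions

# Assign at the subscription root so the user can create resource groups anywhere in it
New-AzureRmRoleAssignment -SignInName $UserUpn `
    -RoleDefinitionName $role.Name `
    -Scope "/subscriptions/$SubscriptionId"

# Periodic review: who holds this custom role at subscription scope
Get-AzureRmRoleAssignment -RoleDefinitionName $role.Name -Scope "/subscriptions/$SubscriptionId" |
    Select-Object DisplayName, SignInName, ObjectType, Scope
```

Because the wildcard includes resourceGroups/delete, the assignment list at the end is worth re-running now and then; members of this role can remove any resource group in the subscription, not just create them.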

PowerShell script block to list all members from a list of groups

This loops through every group whose name matches the "like" clause of the script, then outputs the members of each group under a heading. The formatting of the output could be cleaned up a bit, but... meh, it works.


Import-Module ActiveDirectory
# Every group whose SamAccountName contains the search string
$groups = Get-ADGroup -Filter {SamAccountName -like "*GROUPNAMEHERE*"}
foreach ($group in $groups) {
    # Heading for this group
    $group.SamAccountName
    Write-Host "------------------------"
    # Direct members of the group
    Get-ADGroupMember $group | Select-Object SamAccountName
    Write-Host "************************"
}
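An added variant (not the post's script) that does the cleanup the text mentions: the same search, but it emits one object per group member so the result can be sorted, filtered or exported, and it can optionally expand nested groups. The function name, the pattern and the CSV path are assumptions.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
function Get-MatchingGroupMembers {
    param(
        [Parameter(Mandatory)][string]$NamePattern,   # e.g. '*GROUPNAMEHERE*'
        [switch]$Recursive                            # also list members of nested groups
    )
    Import-Module ActiveDirectory
    foreach ($group in (Get-ADGroup -Filter "SamAccountName -like '$NamePattern'")) {
        foreach ($member in (Get-ADGroupMember -Identity $group -Recursive:$Recursive)) {
            # One flat record per (group, member) pair
            [pscustomobject]@{
                Group       = $group.SamAccountName
                Member      = $member.SamAccountName
                ObjectClass = $member.objectClass      # user, computer or group
                DN          = $member.distinguishedName
            }
        }
    }
}

# On screen, grouped per group (placeholder pattern)
Get-MatchingGroupMembers -NamePattern '*GROUPNAMEHERE*' -Recursive |
    Sort-Object Group, Member |
    Format-Table -GroupBy Group Member, ObjectClass -AutoSize

# Or a CSV for a membership review (placeholder path)
Get-MatchingGroupMembers -NamePattern '*GROUPNAMEHERE*' |
    Export-Csv -Path 'C:\temp\group-members.csv' -NoTypeInformation
```

Without -Recursive you see only direct members, which is what the original script shows; with it, a user who gets into a privileged group through a nested group shows up too.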

Restoring an Exchange Online deleted mailbox to a different user's account in a subfolder

This comes into play when an employee leaves an organization. The mailbox is deleted in O365, but the manager wants a copy of it as a subfolder in their own mailbox before the soft-deleted mailbox is gone for good. Here is what to do:

Connect to Exchange Online:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Get the GUID of the deleted mailbox

Get-Mailbox -SoftDeletedMailbox | select name,guid

Issue the restore command

New-MailboxRestoreRequest -SourceMailbox GUIDFROMABOVE -TargetMailbox -TargetRootFolder "NAMEOFFOLDERTORESTORETO" -AllowLegacyDNMismatch

Once the restore has begun, you should see a subfolder with the name you chose in the inbox of the target account. To monitor the restore progress, use this:

Get-MailboxRestoreRequest | fl
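The same restore as an added, scripted example (not the post's own commands): pick the soft-deleted mailbox by display name, reference it by GUID so the request is unambiguous, start the restore into a subfolder of the manager's mailbox, and poll the request until it finishes. It assumes an Exchange Online session is already imported as above; the display name, target mailbox and folder name are placeholders.

```powershell
# Added example, not from the original post. Assumes an imported Exchange Online session.
$DeletedDisplayName = 'Former Employee'              # DisplayName of the soft-deleted mailbox (placeholder)
$ManagerMailbox     = 'manager@example.com'          # target mailbox (placeholder)
$RootFolder         = 'Former Employee Mailbox'      # subfolder created in the target mailbox

# Find the source by name, then use its ExchangeGuid so the request cannot pick the wrong mailbox
$source = @(Get-Mailbox -SoftDeletedMailbox | Where-Object { $_.DisplayName -eq $DeletedDisplayName })
if ($source.Count -eq 0) { throw "No soft-deleted mailbox named '$DeletedDisplayName' was found." }
if ($source.Count -gt 1) { throw "Several soft-deleted mailboxes match; pick one by GUID instead." }
$source = $source[0]

# -AllowLegacyDNMismatch is what permits restoring into a different user's mailbox
$request = New-MailboxRestoreRequest -SourceMailbox $source.ExchangeGuid.ToString() `
    -TargetMailbox $ManagerMailbox -TargetRootFolder $RootFolder -AllowLegacyDNMismatch `
    -Name "Restore-$($source.Alias)"

# Poll the request statistics until it leaves the active states
do {
    Start-Sleep -Seconds 60
    $stats = Get-MailboxRestoreRequestStatistics -Identity $request.Identity
    "{0}: {1} ({2}% complete)" -f $request.Name, $stats.Status, $stats.PercentComplete
} while ($stats.Status -in 'Queued', 'InProgress', 'CompletionInProgress')

if ($stats.Status -eq 'Completed') {
    # Clear the finished request so it no longer shows up in Get-MailboxRestoreRequest
    Remove-MailboxRestoreRequest -Identity $request.Identity -Confirm:$false
} else {
    # Failed, Suspended, etc.: the full report holds the reason
    Get-MailboxRestoreRequestStatistics -Identity $request.Identity -IncludeReport | Format-List
}
```

Polling by the request's Identity rather than by name avoids ambiguity when the same manager receives several restores over time.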

RDS Session Host server running server 2008 R2 – lost icons in web portal

From time to time, this happens when a 2008 R2 server restarts when it is configured with the RDS session host role. The icons for the applications that are published from the server no longer appear in the web portal. This can be due to missing WMI properties on the server itself. The fix:

– Start the WMI Control MMC snapin
– Right-click the WMI Control node and select properties
– Go to the Security tab
– Navigate to Root->CIMV2->TerminalServices
– With TerminalServices selected, click the Security button
– Ensure that TS Web Access Computers is in the list with Execute Methods, Enable Account, and Remote Enable set to “allow”

After this is done, I have had to restart the SH server and test again. If that does not help, restarting the WA server does seem to help.

Searching for and restoring deleted AD user objects using PowerShell

The command to search for the deleted object. Run it from PowerShell on a DC, or from a PowerShell window that has the AD cmdlets imported.

Get-ADObject -Filter 'samaccountname -eq ""' -IncludeDeletedObjects

This returns the object if it finds a deleted user matching the search criteria. If it does, and it is the user you wish to restore, pipe the output to Restore-ADObject to restore it, like so:

Get-ADObject -Filter 'samaccountname -eq ""' -IncludeDeletedObjects | Restore-ADObject
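An added example (not from the post) that goes a step beyond the one-liner: it searches deleted objects by a name pattern, shows when each was deleted and where it lived before you restore anything, and handles the case where the original OU has itself been deleted by restoring into an alternate OU. The pattern and the fallback OU are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory
$Pattern    = 'jsmith*'                          # SamAccountName pattern (placeholder)
$FallbackOU = 'OU=Restored,DC=example,DC=com'    # used only if the original parent OU is gone (placeholder)

# isDeleted -eq $true keeps live objects out of the result; -IncludeDeletedObjects alone returns both
$filter  = "isDeleted -eq `$true -and SamAccountName -like '$Pattern'"
$deleted = Get-ADObject -Filter $filter -IncludeDeletedObjects `
    -Properties SamAccountName, objectClass, LastKnownParent, whenChanged

# Review what matched before touching anything (whenChanged is effectively the deletion time)
$deleted | Format-Table SamAccountName, objectClass, whenChanged, LastKnownParent -AutoSize

$target = $deleted | Where-Object { $_.objectClass -eq 'user' } | Select-Object -First 1
if (-not $target) { throw "No deleted user matches '$Pattern'." }

# Restore-ADObject puts the object back under LastKnownParent, which must still exist
$parent = Get-ADObject -Filter "DistinguishedName -eq '$($target.LastKnownParent)'"
if ($parent) {
    Restore-ADObject -Identity $target.ObjectGUID
} else {
    Write-Warning "Original OU $($target.LastKnownParent) no longer exists; restoring to $FallbackOU"
    Restore-ADObject -Identity $target.ObjectGUID -TargetPath $FallbackOU
}

# Confirm the account is back and check its state before anyone logs in with it
Get-ADUser -Identity $target.ObjectGUID -Properties Enabled, MemberOf |
    Format-List SamAccountName, DistinguishedName, Enabled, MemberOf
```

With the AD Recycle Bin enabled the account comes back with its attributes and group memberships intact; a plain tombstone reanimation keeps far fewer attributes, so the final check is there to show what actually survived.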

Exchange 2010 Receive Connectors and PowerShell

To dump them to a file:


# Lift the default cap on how many items of a multi-valued property get displayed, so every range is written out
$FormatEnumerationLimit = -1
Get-ReceiveConnector "" | fl remoteipranges > c:\scripts\iplist.txt

And to import them from a file:


# Load the connector, append each line of the file to its RemoteIPRanges, then write the list back
$rc = Get-ReceiveConnector -Identity ""
Get-Content "c:\scripts\addrelayips.txt" | foreach {$rc.RemoteIPRanges += "$_"}
Set-ReceiveConnector "" -RemoteIPRanges $rc.RemoteIPRanges

This *will* append to any IP’s existing in the list already.
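Because the import appends blindly, here is an added version (not the post's code) that skips blank and comment lines, rejects malformed entries before touching the connector, skips entries already present, and refuses an entry that would open the relay to every address. The connector identity and file path are placeholders.

```powershell
# Added example, not from the original post. Assumes the Exchange Management Shell.
$ConnectorId = 'SERVER\Relay Connector'          # placeholder connector identity
$File        = 'c:\scripts\addrelayips.txt'      # one IP, CIDR block or dash range per line

$rc       = Get-ReceiveConnector -Identity $ConnectorId
$existing = $rc.RemoteIPRanges | ForEach-Object { $_.ToString() }

# Normalise the file: trim, drop blanks and '#' comments, de-duplicate
$toAdd = Get-Content -Path $File |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Sort-Object -Unique

foreach ($entry in $toAdd) {
    # Accept a.b.c.d, a.b.c.d/nn or a.b.c.d-e.f.g.h; anything else is a typo, not a range
    if ($entry -notmatch '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2}|-\d{1,3}(\.\d{1,3}){3})?$') {
        Write-Warning "Skipping malformed entry '$entry'"; continue
    }
    # A relay connector that accepts the whole IPv4 space is an open relay for anyone who can reach it
    if ($entry -match '^0\.0\.0\.0(/0|-255\.255\.255\.255)$') {
        Write-Warning "Refusing '$entry': it would allow relay from every address"; continue
    }
    if ($existing -contains $entry) { Write-Verbose "Already present: $entry"; continue }
    $rc.RemoteIPRanges += $entry
}

Set-ReceiveConnector -Identity $ConnectorId -RemoteIPRanges $rc.RemoteIPRanges
```

The duplicate check compares the text form Exchange reports, so a range written differently in the file (for example a dash range that Exchange stores as a CIDR block) will still be appended; review the dump from the first snippet afterwards.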

Finding where the domain admin account is in use

It’s bound to happen. Too many people become aware of the domain administrator password, and then it becomes used all over the place for bad – *bad* things. So, how do you find out where it’s being used? Here is a good start.

On each domain controller in the site (or domain, if you want to go that wide), save the security log to an EVTX file. Be sure to take a look at how much information is contained in there. Your logs may roll over so quickly that they contain less than a day, so this may need to be run several times over the course of a week to catch it all.

Once you have that done, download and install Log Parser Studio from Microsoft. Run this, and create a new query. In the query field, replace whatever is there (if anything) with this:


SELECT
    timegenerated,
    EXTRACT_TOKEN(Strings,6,'|') AS Domain,
    RESOLVE_SID(EXTRACT_TOKEN(Strings,0,'|')) AS User,
    EXTRACT_TOKEN(Strings,3,'|') AS SessionName,
    RESOLVE_SID(EXTRACT_TOKEN(Strings,4,'|')) AS UserName,
    EXTRACT_TOKEN(Strings,18,'|') AS ClientAddress,
    EventID
FROM 'c:\temp\logname.evtx'
WHERE EventID=4624 AND UserName='domain\Administrator' /* xp/2003 = 682 */
ORDER BY timegenerated

The result is Log Parser Studio going through each of these logs that you specify in your own path above, and combing out only the results for the Administrator account. Much easier than doing it yourself! Do this for each log from the domain controllers that you have collected.

Now, seek and destroy where the account is being used!
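For the same hunt without Log Parser Studio, here is an added example (not from the post) that runs Get-WinEvent over the exported Security logs, reads the 4624 event data by field name instead of by Strings index, and adds the logon type so an RDP or service logon with the domain admin account stands out from a plain network logon. It ends with a count per source address, which is the list of hosts to go and clean up. The log paths, domain name and output path are placeholders.

```powershell
# Added example, not from the original post. Runs over exported EVTX files; no extra tooling needed.
$LogPaths = 'C:\temp\dc01-security.evtx', 'C:\temp\dc02-security.evtx'   # one export per DC (placeholders)
$Domain   = 'CONTOSO'           # NetBIOS domain name (placeholder)
$Account  = 'Administrator'     # account to hunt for

# Numeric LogonType -> label, so 10 (RDP) and 5 (service) are obvious next to 3 (network)
$LogonTypes = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock';
                 8='NetworkCleartext'; 9='NewCredentials'; 10='RemoteInteractive'; 11='CachedInteractive' }

function Find-AccountLogons {
    param([string[]]$Path, [string]$TargetDomain, [string]$TargetUser)
    foreach ($file in $Path) {
        Get-WinEvent -FilterHashtable @{ Path = $file; Id = 4624 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull EventData out of the event XML by name rather than relying on Strings positions
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.TargetUserName -eq $TargetUser -and $data.TargetDomainName -eq $TargetDomain) {
                [pscustomobject]@{
                    Time          = $_.TimeCreated
                    DC            = $_.MachineName
                    UserName      = "$($data.TargetDomainName)\$($data.TargetUserName)"
                    LogonType     = $LogonTypes[[int]$data.LogonType]
                    AuthPackage   = $data.AuthenticationPackageName   # NTLM vs Kerberos
                    Workstation   = $data.WorkstationName
                    ClientAddress = $data.IpAddress
                    ProcessName   = $data.ProcessName
                }
            }
        }
    }
}

$hits = Find-AccountLogons -Path $LogPaths -TargetDomain $Domain -TargetUser $Account | Sort-Object Time
$hits | Export-Csv -Path 'C:\temp\admin-logons.csv' -NoTypeInformation   # placeholder output path

# Where the logons come from: each distinct address/type pair is a place the account is in use
$hits | Group-Object ClientAddress, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

String comparisons in PowerShell are case-insensitive by default, so the account and domain match regardless of how the logging host capitalised them.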

AD FS Time skew adjustment

As normal in life, not everyone’s clock is going to be 100% spot on exactly the same time. AD FS does not like this when using SAML, so here is how to adjust it! You should only do this if you need to, and should only adjust it small amounts at a time. If you need to adjust it too much, something else is wrong or a clock is really far off somewhere along the way.


Set-AdfsRelyingPartyTrust -TargetName "" -NotBeforeSkew <#>

The value is in minutes.
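An added example (not the post's command) that follows the advice above in code: read the trust's current skew, measure the real clock offset against a time source before changing anything, and then raise the skew by only one minute, refusing to go past a cap. The trust name, time source and cap are placeholders.

```powershell
# Added example, not from the original post. Assumes the ADFS module on an AD FS server.
$TrustName  = 'Example SAML App'        # relying party trust display name (placeholder)
$TimeSource = 'dc01.example.com'        # a DC or NTP peer to compare this host's clock against (placeholder)
$MaxSkew    = 5                         # minutes; beyond this the clock, not the skew, is the problem

# Current tolerance for tokens whose NotBefore is slightly in the future (0 = none)
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "No relying party trust named '$TrustName'." }
"Current NotBeforeSkew for '$TrustName': $($trust.NotBeforeSkew) minute(s)"

# How far off is this server really? A large offset here should be fixed at the clock.
w32tm /stripchart /computer:$TimeSource /samples:3 /dataonly

$newSkew = $trust.NotBeforeSkew + 1
if ($newSkew -gt $MaxSkew) {
    throw "Raising the skew to $newSkew minutes exceeds the $MaxSkew-minute cap; investigate the clocks instead."
}
Set-AdfsRelyingPartyTrust -TargetName $TrustName -NotBeforeSkew $newSkew
"NotBeforeSkew for '$TrustName' is now $newSkew minute(s)"
```

The cap is the point of the script: every minute of skew is a minute longer a replayed token stays valid, so a growing value is a symptom to chase rather than a setting to keep turning up.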

AD FS 3.0 random connection issues

When using AD FS 3.0, sometimes it is necessary to perform some troubleshooting. In this case, I was having random connectivity issues to the back end AD FS server. Here are the steps taken to resolve:

1. Enable debug logging. To do this:

a. Edit C:\windows\adfs\Microsoft.IdentityServer.Servicehost.exe.config. Find the <system.diagnostics> section, and change each switch that is "Off" by default to "Verbose". Save and close the file.

b. From an Admin PowerShell, run: wevtutil sl "AD FS 2.0 Tracing/Debug" /L:5

c. In Event Viewer, go to the View menu and choose Show Analytic and Debug Logs.

d. Under Applications and Services Logs/AD FS Tracing, right-click the Debug log and choose Enable Log.

After reviewing the logs, in my case I had an error with Event ID 53, source AD FS Tracing. It read:

Encountered exception during Run of Microsoft.IdentityServer.Service.Synchronization.DrsSslBindingBackgroundTask task. Exception: The certificate represented by thumbprint <a thumbprint was here> could not be found in the Target Computer Personal certificate store. Check the thumbprint value and ensure that the desired certificate is installed in the Local Computer Personal certificate store.

StackTrace: at Microsoft.IdentityServer.WebHost.Configuration.CertificateUtility.GetCertFromLocationMyStore(StoreLocation location, String thumbprint, Boolean validOnly)
at Microsoft.IdentityServer.WebHost.Configuration.Providers.DrsSslBindingProvider.GetDrsSslBindingCertificate(Int32 drsPort, X509Certificate2& drsCertificate)
at Microsoft.IdentityServer.Service.Synchronization.DrsSslBindingBackgroundTask.Run(Object context)

I then compared that thumbprint above to the thumbprints of the existing SSL certificates installed on my server. Not to my surprise, none of them matched. But the question was then: what is trying to use this certificate, and how can I change it?

After some digging, I went back into an admin command prompt and looked at the results from "netsh http show sslcert", and sure enough, there was my bad certificate thumbprint. Make note of the appid listed here for each entry!

You can delete the entries using:

netsh http delete sslcert hostnameport=<yourhost>:<yourport>

You can then re-add the new, proper entries using:

netsh http add sslcert hostnameport=<yourhost>:<yourport> certhash=<yourcertthumbprint> appid=<appid noted above> certstorename=MY

After doing this and restarting the AD FS service, things were back on track. No more errors in the event logs, and SSO was working again.
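The comparison done by hand above, as an added example (not from the post): parse the output of "netsh http show sslcert" into objects, keep the appid for each binding, and flag every binding whose certificate hash is not present in the Local Computer Personal store, which is the condition the Event ID 53 error complains about. It is read-only; the function name is an assumption.

```powershell
# Added example, not from the original post. Read-only: it changes no bindings.
function Get-SslCertBinding {
    # Parse the English-language output of netsh into one object per binding
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [ordered]@{ Binding = $Matches[2]; Hash = $null; AppId = $null; Store = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Hash = $Matches[1].ToUpper()
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[^}]+\})') {
            $current.AppId = $Matches[1]           # needed again if the binding has to be re-added
        }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.Store = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    $bindings | ForEach-Object { [pscustomobject]$_ }
}

# Thumbprints actually present in Local Computer\Personal (the store the AD FS error refers to)
$installed = (Get-ChildItem -Path Cert:\LocalMachine\My).Thumbprint

# Every binding with a hash that is not in the store is a candidate for the delete/add above
Get-SslCertBinding |
    ForEach-Object {
        $_ | Add-Member -NotePropertyName InStore -NotePropertyValue ($installed -contains $_.Hash) -PassThru
    } |
    Sort-Object InStore |
    Format-Table Binding, Hash, AppId, Store, InStore -AutoSize
```

The regexes match the English labels netsh prints; on a localised Windows install the label text differs and the patterns need adjusting. Bindings with InStore set to False are the ones to re-point, using the AppId column when re-adding them.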