Restoring an Exchange Online deleted mailbox to a different user's account in a subfolder

This comes into play when an employee leaves an organization. The mailbox is deleted in O365, but the manager wants a copy of their mailbox as a subfolder in their own mailbox before the soft-deleted mailbox is gone for good. Here is what to do:

Connect to Exchange Online:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Get the GUID of the deleted mailbox

Get-Mailbox -SoftDeletedMailbox | select name,guid

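Issue the restore command, replacing the placeholders in capitals with the GUID from the previous step, the target mailbox and the folder name:

New-MailboxRestoreRequest -SourceMailbox GUIDFROMABOVE -TargetMailbox TARGETMAILBOX -TargetRootFolder "NAMEOFFOLDERTORESTORETO" -AllowLegacyDNMismatch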

Once the restore has begun, you should see a subfolder with the name you chose in the inbox of the target account. To monitor the restore progress, use this:

Get-MailboxRestoreRequest | fl

Searching for and restoring deleted AD user objects using PowerShell

Use the following command to search for the deleted object. Run it in PowerShell while logged in to a DC, or from a PowerShell window that has the AD cmdlets imported.

Get-ADObject -Filter 'samaccountname -eq ""' -IncludeDeletedObjects

This will return a value for the user if it finds a deleted user that matches this search criteria. If it does, and it is the user you wish to restore, pipe the output to Restore-ADObject to restore it like so:

Get-ADObject -Filter 'samaccountname -eq ""' -IncludeDeletedObjects | Restore-ADObject

Finding where the domain admin account is in use

It’s bound to happen. Too many people become aware of the domain administrator password, and then it becomes used all over the place for bad – *bad* things. So, how do you find out where it’s being used? Here is a good start.

On each domain controller in the site (or domain, if you want to go that wide), save the security log to an EVTX file. Be sure to take a look at how much information is contained in there. Your logs may roll over so quickly that they contain less than a day, so this may need to be run several times over a week's period of time to catch it all.

Once you have that done, download and install Log Parser Studio from Microsoft. Run this, and create a new query. In the query field, replace whatever is there (if anything) with this:


SELECT
timegenerated,
EXTRACT_TOKEN(Strings,6,'|') AS Domain,
RESOLVE_SID(EXTRACT_TOKEN(Strings,0,'|')) AS User,
EXTRACT_TOKEN(Strings,3,'|') AS SessionName,
RESOLVE_SID(EXTRACT_TOKEN(Strings,4,'|')) AS UserName,
EXTRACT_TOKEN(Strings,18,'|') AS ClientAddress,
EventID
FROM 'c:\temp\logname.evtx'
WHERE EventID=4624 AND UserName='domain\Administrator' /* xp/2003 = 682 */
ORDER BY timegenerated

The result is Log Parser Studio going through each of these logs that you specify in your own path above, and combing out only the results for the Administrator account. Much easier than doing it yourself! Do this for each log from the domain controllers that you have collected.
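The same hunt can be done in PowerShell. This is an added example, not part of the original post: it reads every exported EVTX file in C:\temp (an assumed location, matching the query above), keeps successful logons (4624) for the Administrator account, and groups them by source address, workstation and logon type so that services and scheduled tasks stand apart from interactive use.

```powershell
# Added example, not from the original post.
# Assumption: the exported security logs are in C:\temp, as in the query above.
$logDir  = 'C:\temp'
$account = 'Administrator'

# Common 4624 logon types; 4 and 5 point at scheduled tasks and services.
$logonTypes = @{
    '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch (scheduled task)'
    '5' = 'Service';     '7' = 'Unlock';  '8' = 'NetworkCleartext'
    '9' = 'NewCredentials'; '10' = 'RemoteInteractive (RDP)'; '11' = 'CachedInteractive'
}

$logons = foreach ($file in Get-ChildItem -Path $logDir -Filter *.evtx) {
    # A log with no 4624 events raises an error, so suppress it and move on.
    Get-WinEvent -FilterHashtable @{ Path = $file.FullName; Id = 4624 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData by field name rather than by position in the string list.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # -eq is case-insensitive, so the account name matches in any case.
            if ($data['TargetUserName'] -eq $account) {
                $type = [string]$data['LogonType']
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    LoggedBy    = $_.MachineName
                    Domain      = $data['TargetDomainName']
                    LogonType   = if ($logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { $type }
                    Workstation = $data['WorkstationName']
                    SourceIP    = $data['IpAddress']
                }
            }
        }
}

# One row per source and logon type, most frequent first.
$logons |
    Group-Object Domain, SourceIP, Workstation, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'LastSeen'; Expression = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize -Wrap
```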

Now, seek and destroy where the account is being used!

AD FS Time skew adjustment

As normal in life, not everyone’s clock is going to be 100% spot on exactly the same time. AD FS does not like this when using SAML, so here is how to adjust it! You should only do this if you need to, and should only adjust it in small amounts at a time. If you need to adjust it too much, something else is wrong or a clock is really far off somewhere along the way.


Set-AdfsRelyingPartyTrust -TargetName "" -NotBeforeSkew <#>

The skew value is specified in minutes.

Creating and submitting a CSR with SANs using the Microsoft certificate request tool

This covers creating SSL certificates for the management interfaces on an IronPort C360.

First, make sure your CA is configured to accept SAN attributes in a request. To do so, log in to your CA and do the following:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

Browse to http://<servername>/certsrv and fill out the form, accepting most defaults. Change the following:

Check the box for “Mark keys as exportable”

In the attributes box, add the SAN attributes in the following format:

san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com

Submit and install the certificate. Find it, and export it to a .PFX file. Assign a password at the time of export. Then, import the PFX into the IronPort server, and assign that certificate to the management interface.