Microsoft-Infrastructure on Janik von Rotz https://janikvonrotz.ch/categories/microsoft-infrastructure/ Recent content in Microsoft-Infrastructure on Janik von Rotz Hugo en Thu, 12 Oct 2017 15:54:08 +0000 Monitor and audit Active Directory user and group management https://janikvonrotz.ch/2017/10/12/monitor-and-audit-active-directory-user-and-group-management/ Thu, 12 Oct 2017 15:54:08 +0000 https://janikvonrotz.ch/2017/10/12/monitor-and-audit-active-directory-user-and-group-management/ <p>Traceability is key when collaborating in the Active Directory (AD). Multiple admins changing and updating permissions and policies makes it difficult being compliant with the company&rsquo;s policies. It is important to monitor mutations in the directory. By default audit policies are disabled for Domain Controllers (DC) and must be enabled explicitly. Enabling auditing for the DCs is quite easy, querying the logs for a specific event is a bit more difficult.</p> <p>In this guide you&rsquo;ll learn how to enable auditing for a specific case and how to query the audit logs for a specific event.</p> <p>The tutorial assumes that there is a:</p> <ul> <li>Domain Controller.</li> <li>Group policies, security groups, users, &hellip;</li> <li>Admins with DC access.</li> </ul> <h1 id="enable-auditing">Enable Auditing</h1> <p>Let&rsquo;s start by have a look on the already enabled audit categories.</p> <ul> <li>Log into the DC.</li> <li>Open PowerShell as admin.</li> <li>Run <code>auditpol /get /category:*</code></li> </ul> <p>The command returns a list of audit categories and its status. These settings have been enabled by either the auditpol tool or via GPOs.</p> <p>In our scenario we would like to track management of users and groups, which is part of the <strong>Audit Account Management</strong>. To enable this audit category create a new group policiy for the DC.</p> <ul> <li>Open the GPO management console.</li> <li>Right-click the <em>Domain Controllers</em> organizational unit.</li> <li>Create new GPO and open it in the GPO editor.</li> <li>Enable logging for subcategories: <code>Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; Security Options &gt; Audit: Force audit policy subcategory settings...</code></li> <li>Increase the security log size to 4GB: <code>Computer Configuration &gt; Windows Settings &gt; Security Settings &gt; Event Log &gt; Maximum security log size: 4268032</code></li> <li>Then navigate to <code>Computer Configuration &gt; Windows Settings &gt; Security Settings &gt; Advanced Audit Policy Configuration &gt; Account Management</code></li> <li>Enable the required audit categories.</li> <li>Make a <code>gpupdate /force</code> on the DC.</li> <li>Run <code>auditpol /get /Category:*</code> and double-check whether the settings are correct.</li> </ul> <p>If you open the security event log on the DC there should be events logging account management mutations.</p> <p>Source: <a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise">Microsoft Docs - Monitoring Active Directory for Signs of Compromise</a></p> <h1 id="query-audit-logs">Query Audit Logs</h1> <p>As mentioned querying the event log is a bit more difficult. The event log viewer offers limited features for filtering events and searching by specific keywords. In contrast with PowerShell it is possible to filter and search the event log by any property and keyword.</p> <p>Here is a simple example:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>$LogName = <span style="color:#e6db74">&#34;security&#34;</span> </span></span><span style="display:flex;"><span>$StartTime = Get-Date(<span style="color:#e6db74">&#34;2017-10-12 12:50&#34;</span>) </span></span><span style="display:flex;"><span>$EndTime = Get-Date(<span style="color:#e6db74">&#34;2017-10-12 13:00&#34;</span>) </span></span><span style="display:flex;"><span>$SearchKey = <span style="color:#e6db74">&#34;username&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Get-WinEvent -FilterHashtable @{LogName=$LogName; StartTime=$StartTime;EndTime=$EndTime} | Where-Object {$_.Message <span style="color:#f92672">-match</span> $SearchKey} | select Id, TimeCreated, Message | Format-List </span></span></code></pre></div><p>Source: <a href="https://blogs.technet.microsoft.com/heyscriptingguy/2015/10/20/filtering-event-log-events-with-powershell/">Hey, Scripting Guy! Blog - Filtering Event Log Events with PowerShell</a></p> Install SharePoint 2013 Three-tier Farm – Installing and Configuring Office Web Apps Server https://janikvonrotz.ch/2014/03/25/install-sharepoint-2013-three-tier-farm-installing-and-configuring-office-web-apps-server/ Tue, 25 Mar 2014 09:18:05 +0000 https://janikvonrotz.ch/2014/03/25/install-sharepoint-2013-three-tier-farm-installing-and-configuring-office-web-apps-server/ <p><em>This post of is part of my <a href="https://janikvonrotz.ch/projects/install-sharepoint-2013-three-tier-farm/">Install SharePoint 2013 Three-tier Farm</a> project.</em></p> <p>With Windows Server 2012 the deployment of Offic Web Apps Server got a lot easier.</p> <h1 id="installation">Installation</h1> <p>First install the prerequisites.</p> <pre><code>Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices,NET-Framework-Features,NET-Framework-Core </code></pre> <p>Download the Office Web Apps Server Installer from <a href="http://go.microsoft.com/fwlink/p/?LinkId=256561">http://go.microsoft.com/fwlink/p/?LinkId=256561</a></p> <p>And install the Office Web Apps Server</p> <p>Deploy a new Web Apps Server Farm with PowerShell.</p> <pre><code>New-OfficeWebAppsFarm -InternalUrl &quot;http://example.org&quot; -ExternalUrl &quot;http://example.org&quot; -EditingEnabled -AllowHttp:$true </code></pre> <h1 id="update">Update</h1> <p>In order to update a Office Web Apps Server installation you have to remove the existing Office Web Apps Farm.</p> <pre><code>Remove-OfficeWebAppsMachine </code></pre> <p>Now you can install the required updates.</p> <p>If the installation has been finished create the Office Web Apps Farm again according to your settings.</p> <pre><code>New-OfficeWebAppsFarm -InternalUrl &quot;http://example.org&quot; -ExternalUrl &quot;http://example.org&quot; -EditingEnabled -AllowHttp:$true </code></pre> <p>The check wether Office Web Apps are running open your browser on:</p> <pre><code>http://example.org/hosting/discovery </code></pre> <h1 id="source">Source</h1> <p><a href="http://technet.microsoft.com/en-us/library/jj219455(v=office.15).aspx">Microsoft Technet: Deploy Office Web Apps Server</a> <a href="https://gist.github.com/janikvonrotz/9364202">Update Office Web Apps Server 2013</a></p> Install .NET Framework 3.5 on Windows Server 2012 and Windows Server 2012 R2 https://janikvonrotz.ch/2014/03/11/install-net-framework-3-5-on-windows-server-2012-and-windows-server-2012-r2/ Tue, 11 Mar 2014 07:30:44 +0000 https://janikvonrotz.ch/2014/03/11/install-net-framework-3-5-on-windows-server-2012-and-windows-server-2012-r2/ <p>To install the .Net Framework 3.5 on Windows Server 2012 and Windows Server 2012 R2 you have to enable the install feature from the online source.</p> <pre tabindex="0"><code class="language-dism" data-lang="dism"></code></pre><p>Now you should be able to install the feature with server management console.</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2014/03/install-net-3.5-e1394519502205.jpg"><img src="https://janikvonrotz.ch/wp-content/uploads/2014/03/install-net-3.5-e1394519502205.jpg" alt="install .Net 3.5 on Windows Server 2012 R2"></a></p> Install SharePoint 2013 Three-tier Farm - Installing and Configuring SharePoint SQL Server https://janikvonrotz.ch/2014/02/25/install-sharepoint-2013-three-tier-farm-installing-and-configuring-sharepoint-sql-server/ Tue, 25 Feb 2014 13:52:33 +0000 https://janikvonrotz.ch/2014/02/25/install-sharepoint-2013-three-tier-farm-installing-and-configuring-sharepoint-sql-server/ <p><em>This post of is part of my <a href="https://janikvonrotz.ch/projects/install-sharepoint-2013-three-tier-farm/">Install SharePoint 2013 Three-tier Farm</a> project.</em></p> <p>In this post I&rsquo;ll show my best practice for an new SQL Server to run SharePoint properly.</p> <p>Let&rsquo;s get started with local user rights.</p> <!-- raw HTML omitted --> <p>The Group Local Administrators members are:<!-- raw HTML omitted --> <!-- raw HTML omitted --></p> <!-- raw HTML omitted --> <p>Based on you standards and options I have the following system configurations for you:</p> <!-- raw HTML omitted --> <!-- raw HTML omitted --> <p>And now it&rsquo;s time to install the SQL server.</p> <!-- raw HTML omitted --> <p>The SQL Server 2008 R2 as in my case requires the .Net Framework 3.5. To install it on Windows server 2012 run this command:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>dism /online /enable-feature /featurename:NetFX3 /all /Source:d:sourcessxs /LimitAccess </span></span></code></pre></div><p>Only after executing this command you&rsquo;re able to install the .Net framework as usual with the wizard.</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2014/02/Net-3.5-Installation-WinSev-2012.jpg"><img src="https://janikvonrotz.ch/wp-content/uploads/2014/02/Net-3.5-Installation-WinSev-2012.jpg" alt=".Net 3.5 Installation WinSev 2012"></a></p> <p>At this point where the SQL server installation I don&rsquo;t want to provide you a step by step guide, as you might install another version or this guide gets obsolete.</p> <p>I think the sql server configuration file is much more informative.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>;SQLSERVER2008 Configuration File </span></span><span style="display:flex;"><span>[SQLSERVER2008] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specify the Instance ID for the SQL Server features you have specified. SQL Server directory structure, registry structure, and service names will reflect the instance ID of the SQL Server instance. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>INSTANCEID=&#34;MSSQLSERVER&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specifies a Setup work flow, like INSTALL, UNINSTALL, or UPGRADE. This is a required parameter. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ACTION=&#34;Install&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specifies features to install, uninstall, or upgrade. The list of top-level features include SQL, AS, RS, IS, and Tools. The SQL feature will install the database engine, replication, and full-text. The Tools feature will install Management Tools, Books online, Business Intelligence Development Studio, and other shared components. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>FEATURES=SQLENGINE,FULLTEXT,IS,BC,SSMS,ADV_SSMS </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Displays the command line parameters usage </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>HELP=&#34;False&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specifies that the detailed Setup log should be piped to the console. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>INDICATEPROGRESS=&#34;False&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Setup will not display any user interface. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>QUIET=&#34;False&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Setup will display progress only without any user interaction. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>QUIETSIMPLE=&#34;False&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specifies that Setup should install into WOW64. This command line argument is not supported on an IA64 or a 32-bit system. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>X86=&#34;False&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Detailed help for command line argument ENU has not been defined yet. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ENU=&#34;True&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Parameter that controls the user interface behavior. Valid values are Normal for the full UI, and AutoAdvance for a simplied UI. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>UIMODE=&#34;Normal&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specify if errors can be reported to Microsoft to improve future SQL Server releases. Specify 1 or True to enable and 0 or False to disable this feature. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ERRORREPORTING=&#34;False&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specify the root installation directory for native shared components. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>INSTALLSHAREDDIR=&#34;C:Program FilesMicrosoft SQL Server&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specify the root installation directory for the WOW64 shared components. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>INSTALLSHAREDWOWDIR=&#34;C:Program Files (x86)Microsoft SQL Server&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specify the installation directory. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>INSTANCEDIR=&#34;C:Program FilesMicrosoft SQL Server&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specify that SQL Server feature usage data can be collected and sent to Microsoft. Specify 1 or True to enable and 0 or False to disable this feature. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>SQMREPORTING=&#34;False&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specify a default or named instance. MSSQLSERVER is the default instance for non-Express editions and SQLExpress for Express editions. This parameter is required when installing the SQL Server Database Engine (SQL), Analysis Services (AS), or Reporting Services (RS). </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>INSTANCENAME=&#34;MSSQLSERVER&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Agent account name </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>AGTSVCACCOUNT=&#34;VBLSP1SQL_Agent&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Auto-start service after installation. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>AGTSVCSTARTUPTYPE=&#34;Automatic&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Startup type for Integration Services. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ISSVCSTARTUPTYPE=&#34;Automatic&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Account for Integration Services: DomainUser or system account. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ISSVCACCOUNT=&#34;NT AUTHORITYNetworkService&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Controls the service startup type setting after the service has been created. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ASSVCSTARTUPTYPE=&#34;Automatic&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; The collation to be used by Analysis Services. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ASCOLLATION=&#34;Latin1_General_CI_AS&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; The location for the Analysis Services data files. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ASDATADIR=&#34;Data&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; The location for the Analysis Services log files. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ASLOGDIR=&#34;Log&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; The location for the Analysis Services backup files. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ASBACKUPDIR=&#34;Backup&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; The location for the Analysis Services temporary files. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ASTEMPDIR=&#34;Temp&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; The location for the Analysis Services configuration files. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ASCONFIGDIR=&#34;Config&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specifies whether or not the MSOLAP provider is allowed to run in process. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ASPROVIDERMSOLAP=&#34;1&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; A port number used to connect to the SharePoint Central Administration web application. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>FARMADMINPORT=&#34;0&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Startup type for the SQL Server service. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>SQLSVCSTARTUPTYPE=&#34;Automatic&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Level to enable FILESTREAM feature at (0, 1, 2 or 3). </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>FILESTREAMLEVEL=&#34;0&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Set to &#34;1&#34; to enable RANU for SQL Server Express. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ENABLERANU=&#34;False&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specifies a Windows collation or an SQL collation to use for the Database Engine. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>SQLCOLLATION=&#34;Latin1_General_CI_AS_KS_WS&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Account for SQL Server service: DomainUser or system account. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>SQLSVCACCOUNT=&#34;VBLSP1SQL_Engine&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Windows account(s) to provision as SQL Server system administrators. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>SQLSYSADMINACCOUNTS=&#34;VORDEFINIERTAdministratoren&#34; &#34;VBLSP1SQL_Admin&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Default directory for the Database Engine backup files. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>SQLBACKUPDIR=&#34;E:Microsoft SQL ServerBackup&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Default directory for the Database Engine user databases. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>SQLUSERDBDIR=&#34;E:Microsoft SQL ServerData&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Provision current user as a Database Engine system administrator for SQL Server 2008 R2 Express. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ADDCURRENTUSERASSQLADMIN=&#34;False&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specify 0 to disable or 1 to enable the TCP/IP protocol. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>TCPENABLED=&#34;1&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specify 0 to disable or 1 to enable the Named Pipes protocol. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>NPENABLED=&#34;0&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Startup type for Browser Service. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>BROWSERSVCSTARTUPTYPE=&#34;Disabled&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specifies how the startup mode of the report server NT service. When </span></span><span style="display:flex;"><span>; Manual - Service startup is manual mode (default). </span></span><span style="display:flex;"><span>; Automatic - Service startup is automatic mode. </span></span><span style="display:flex;"><span>; Disabled - Service is disabled </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>RSSVCSTARTUPTYPE=&#34;Automatic&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Specifies which mode report server is installed in. </span></span><span style="display:flex;"><span>; Default value: “FilesOnly” </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>RSINSTALLMODE=&#34;FilesOnlyMode&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>; Add description of input argument FTSVCACCOUNT </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>FTSVCACCOUNT=&#34;NT AUTHORITYLOCAL SERVICE&#34; </span></span></code></pre></div><p>The most important configurations are the data directories and the user service accounts. In the last post we created several service accounts, you can use them now as showed here:</p> <p><!-- raw HTML omitted --><img src="https://janikvonrotz.ch/wp-content/uploads/2014/02/Installing-and-Configuring-SharePoint-SQL-Server.jpg" alt="Installing and Configuring SharePoint SQL Server"><!-- raw HTML omitted --></p> <p>You might have seen, the temdb is stored on the C drive and I know as s a best practice you should not have tempdb on the C drive because the OS has the paging file on C by default and you don&rsquo;t want the mixed I/O affecting tempdb performance. But let&rsquo;s be honest this action won&rsquo;t affect our SharePoint installation in any way.</p> <p>Now you should have installed the SQL server successfully. Open the management studio, log in and execute these statements:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- Set Memory </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">EXEC</span> sys.sp_configure N<span style="color:#e6db74">&#39;show advanced options&#39;</span>, N<span style="color:#e6db74">&#39;1&#39;</span> RECONFIGURE <span style="color:#66d9ef">WITH</span> OVERRIDE </span></span><span style="display:flex;"><span><span style="color:#66d9ef">GO</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">EXEC</span> sys.sp_configure N<span style="color:#e6db74">&#39;max server memory (MB)&#39;</span>, N<span style="color:#e6db74">&#39;10240&#39;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">GO</span> </span></span><span style="display:flex;"><span>RECONFIGURE <span style="color:#66d9ef">WITH</span> OVERRIDE </span></span><span style="display:flex;"><span><span style="color:#66d9ef">GO</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">EXEC</span> sys.sp_configure N<span style="color:#e6db74">&#39;show advanced options&#39;</span>, N<span style="color:#e6db74">&#39;0&#39;</span> RECONFIGURE <span style="color:#66d9ef">WITH</span> OVERRIDE </span></span><span style="display:flex;"><span><span style="color:#66d9ef">GO</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Set-Permission </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>USE [master] </span></span><span style="display:flex;"><span><span style="color:#66d9ef">GO</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">CREATE</span> LOGIN [VBLsp1_admin] <span style="color:#66d9ef">FROM</span> WINDOWS <span style="color:#66d9ef">WITH</span> DEFAULT_DATABASE<span style="color:#f92672">=</span>[master] </span></span><span style="display:flex;"><span><span style="color:#66d9ef">GO</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">EXEC</span> master..sp_addsrvrolemember <span style="color:#f92672">@</span>loginame <span style="color:#f92672">=</span> N<span style="color:#e6db74">&#39;domainsp1_admin&#39;</span>, <span style="color:#f92672">@</span>rolename <span style="color:#f92672">=</span> N<span style="color:#e6db74">&#39;dbcreator&#39;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">GO</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">EXEC</span> master..sp_addsrvrolemember <span style="color:#f92672">@</span>loginame <span style="color:#f92672">=</span> N<span style="color:#e6db74">&#39;domainsp1_admin&#39;</span>, <span style="color:#f92672">@</span>rolename <span style="color:#f92672">=</span> N<span style="color:#e6db74">&#39;securityadmin&#39;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">GO</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Backup Compression </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">EXEC</span> sys.sp_configure N<span style="color:#e6db74">&#39;backup compression default&#39;</span>, N<span style="color:#e6db74">&#39;1&#39;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">GO</span> </span></span><span style="display:flex;"><span>RECONFIGURE <span style="color:#66d9ef">WITH</span> OVERRIDE </span></span><span style="display:flex;"><span><span style="color:#66d9ef">GO</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Max Parallelism </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>sp_configure <span style="color:#e6db74">&#39;show advanced options&#39;</span>, <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">GO</span> </span></span><span style="display:flex;"><span>RECONFIGURE <span style="color:#66d9ef">WITH</span> OVERRIDE; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">GO</span> </span></span><span style="display:flex;"><span>sp_configure <span style="color:#e6db74">&#39;max degree of parallelism&#39;</span>, <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">GO</span> </span></span><span style="display:flex;"><span>RECONFIGURE <span style="color:#66d9ef">WITH</span> OVERRIDE; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">GO</span> </span></span></code></pre></div><p>Last but not least update the SQL server installation.</p> <!-- raw HTML omitted --> <p>On the site <!-- raw HTML omitted --><a href="https://sqlserverbuilds.blogspot.ch/">https://sqlserverbuilds.blogspot.ch/</a><!-- raw HTML omitted --> you&rsquo;ll find the latest update definitions for your SQL server installation.</p> <p>In case you don&rsquo;t know you SQL server version run this command:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#66d9ef">SELECT</span> SERVERPROPERTY(<span style="color:#e6db74">&#39;productversion&#39;</span>), SERVERPROPERTY (<span style="color:#e6db74">&#39;productlevel&#39;</span>), SERVERPROPERTY (<span style="color:#e6db74">&#39;edition&#39;</span>) </span></span></code></pre></div> Install SharePoint 2013 Three-tier Farm - Deploy the SQL Server Backup Job https://janikvonrotz.ch/2014/02/07/install-sharepoint-2013-three-tier-farm-deploy-the-sql-server-backup-job/ Fri, 07 Feb 2014 10:24:03 +0000 https://janikvonrotz.ch/2014/02/07/install-sharepoint-2013-three-tier-farm-deploy-the-sql-server-backup-job/ <p><em>This post of is part of my <a href="https://janikvonrotz.ch/projects/install-sharepoint-2013-three-tier-farm/">Install SharePoint 2013 Three-tier Farm</a> project.</em></p> <p>A clean SQL Server maintenance plan should include three processes, backup, integrity check and index optimize.</p> <p>You could simply set up a SQL Server maintenance plan within the SQL Server management studio. But be aware that there are better solutions, E.g. <!-- raw HTML omitted -->Ola Hallengren&rsquo;s SQL Server Maintenance Solution<!-- raw HTML omitted --> is my absolutely favourite.</p> <p>Ola Hallengren is a Microsoft <!-- raw HTML omitted -->MVP <!-- raw HTML omitted -->who has simplified the installation of SQL Server maintenance plans. There are many other MVP&rsquo;s who even recommend his solutions over the SQL Server management solution:</p> <!-- raw HTML omitted --> <p><a href="https://www.brentozar.com/archive/2012/02/webcast-recording-dba-darwin-awards-index-edition/">Brent Ozar</a></p> <p>However the installation of the SQL ServerMaintenance Solution is very easy. A little bit more difficult is the scheduling, that&rsquo;s why I create a clone repository for Ola&rsquo;s SQL scripts and added and example of how to schedule these jobs.</p> <p>You&rsquo;ll find the repository on GitHub: <!-- raw HTML omitted --><a href="https://codeberg.org/janikvonrotz/SQL-Server-Maintenance">https://codeberg.org/janikvonrotz/SQL-Server-Maintenance</a><!-- raw HTML omitted --></p> Finally! Manage Exchange mailbox permissions with Active Directory groups https://janikvonrotz.ch/2014/01/27/finally-manage-exchange-mailbox-permissions-with-active-directory-groups/ Mon, 27 Jan 2014 19:04:37 +0000 https://janikvonrotz.ch/2014/01/27/finally-manage-exchange-mailbox-permissions-with-active-directory-groups/ <p>I&rsquo;ve tried many ways to assign permissions for an Active Directory group on a Exchange (2010) mailbox, but it&rsquo;s simply not possible.</p> <p>Fortunately nothing&rsquo;s impossible with PowerShell.</p> <p>The following script can handle this issue by:</p> <!-- raw HTML omitted --> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2014/01/Synchronize-Service-Mailbox-Access-Groups.jpg"><img src="https://janikvonrotz.ch/wp-content/uploads/2014/01/Synchronize-Service-Mailbox-Access-Groups-1024x413.jpg" alt="Synchronize Service Mailbox Access Groups"></a></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e">&lt;# </span></span></span><span style="display:flex;"><span><span style="color:#75715e">$Metadata = @{ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Title = &#34;Synchronize Service Mailbox Access Groups&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Filename = &#34;Sync-ServiceMailboxAccessGroups.ps1&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Description = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Tags = &#34;powershell, activedirectory, exchange, synchronization, access, mailbox, groups, permissions&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Project = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Author = &#34;Janik von Rotz&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> AuthorContact = &#34;https://janikvonrotz.ch&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> CreateDate = &#34;2014-01-27&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> LastEditDate = &#34;2014-01-27&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Url = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Version = &#34;0.0.0&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> License = @&#39; </span></span></span><span style="display:flex;"><span><span style="color:#75715e">This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Switzerland License. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/3.0/ch/ or </span></span></span><span style="display:flex;"><span><span style="color:#75715e">send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39;@ </span></span></span><span style="display:flex;"><span><span style="color:#75715e">} </span></span></span><span style="display:flex;"><span><span style="color:#75715e">#&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Connect Exchange Server</span> </span></span><span style="display:flex;"><span>$ExchangeServer = (Get-RemoteConnection ex1).Name </span></span><span style="display:flex;"><span>$PSSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <span style="color:#e6db74">&#34;https://</span>$ExchangeServer<span style="color:#e6db74">/PowerShell/&#34;</span> -Authentication Kerberos </span></span><span style="display:flex;"><span>Import-PSSession $PSSession </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$Config = @{ </span></span><span style="display:flex;"><span> OU = <span style="color:#e6db74">&#34;OU=Mailbox,OU=Exchange,OU=Services,OU=vblusers2,DC=vbl,DC=ch&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> ADGroupFilter = @{ </span></span><span style="display:flex;"><span> NamePrefix = <span style="color:#e6db74">&#34;EX_&#34;</span> </span></span><span style="display:flex;"><span> NameInfix = <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> NameSuffix = <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> ADGroup = @{ </span></span><span style="display:flex;"><span> NamePrefix = <span style="color:#e6db74">&#34;EX_&#34;</span> </span></span><span style="display:flex;"><span> PermissionSeperator = <span style="color:#e6db74">&#34;#&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> ADGroupMailboxReferenceAttribute = <span style="color:#e6db74">&#34;extensionAttribute1&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> MailBoxFilter = @{ </span></span><span style="display:flex;"><span> RecipientTypeDetails = <span style="color:#e6db74">&#34;UserMailbox&#34;</span> </span></span><span style="display:flex;"><span> ADGroupsAndUsers = <span style="color:#e6db74">&#34;F_Mitarbeiter&#34;</span>,<span style="color:#e6db74">&#34;F_Archivierte Benutzer&#34;</span> </span></span><span style="display:flex;"><span> ExcludeDisplayName = <span style="color:#e6db74">&#34;FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>} | %{New-Object PSObject -Property $_} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># get domain name</span> </span></span><span style="display:flex;"><span>$Domain = <span style="color:#e6db74">&#34;</span>$(((Get-ADDomain).Name).toupper())<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># get ad user objects</span> </span></span><span style="display:flex;"><span>$Config.MailBoxFilter.ADGroupsAndUsers = $Config.MailBoxFilter.ADGroupsAndUsers | %{ </span></span><span style="display:flex;"><span> Get-ADObject -Filter {(Name <span style="color:#f92672">-eq</span> $_) <span style="color:#f92672">-or</span> (ObjectGUID <span style="color:#f92672">-eq</span> $_)} | %{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($_.ObjectClass <span style="color:#f92672">-eq</span> <span style="color:#e6db74">&#34;user&#34;</span>){$_.DistinguishedName </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">elseif</span>($_.ObjectClass <span style="color:#f92672">-eq</span> <span style="color:#e6db74">&#34;group&#34;</span>){ Get-ADGroupMember $_.DistinguishedName -Recursive} </span></span><span style="display:flex;"><span> } | Get-ADUser -Properties Mail </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create mail list to filter mailboxes</span> </span></span><span style="display:flex;"><span>$Config.MailboxFilter.AllowedMails = $Config.MailBoxFilter.ADGroupsAndUsers | %{<span style="color:#e6db74">&#34;</span>$($_.Mail)<span style="color:#e6db74">&#34;</span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create SamAccountName list to filter mailbox permissions</span> </span></span><span style="display:flex;"><span>$Config.ADGroupFilter.AllowedUsers = $Config.MailboxFilter.ADGroupsAndUsers | %{<span style="color:#e6db74">&#34;</span>$($Domain + $_.SamAccountName)<span style="color:#e6db74">&#34;</span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># get exisiting mailbox permission ad groups</span> </span></span><span style="display:flex;"><span>$ADGroups = Get-ADGroup -Filter * -SearchBase $Config.OU -Properties $Config.ADGroupMailboxReferenceAttribute | where{$_.Name.StartsWith($Config.ADGroupFilter.NamePrefix) <span style="color:#f92672">-and</span> $_.Name.Contains($Config.ADGroupFilter.NameInfix) <span style="color:#f92672">-and</span> $_.Name.EndsWith($Config.ADGroupFilter.NameSuffix)} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># sync mailbox access groups for each mailbox</span> </span></span><span style="display:flex;"><span>$Mailboxes = Get-Mailbox | where{$_.RecipientTypeDetails <span style="color:#f92672">-eq</span> $Config.MailBoxFilter.RecipientTypeDetails <span style="color:#f92672">-and</span> $Config.MailboxFilter.AllowedMails <span style="color:#f92672">-notcontains</span> $_.PrimarySmtpAddress.tolower() <span style="color:#f92672">-and</span> $Config.MailBoxFilter.ExcludeDisplayName <span style="color:#f92672">-notcontains</span> $_.DisplayName} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$RequiredADGroups = $Mailboxes | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># set variables</span> </span></span><span style="display:flex;"><span> $ADPermissionGroups = @() </span></span><span style="display:flex;"><span> $Mailbox = $_ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Parsing permissions on mailbox: </span>$($_.Alias)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get existing permission groups</span> </span></span><span style="display:flex;"><span> $ADPermissionGroups = $ADGroups | where{(iex <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`$</span><span style="color:#e6db74">_.</span>$($Config.ADGroupMailboxReferenceAttribute)<span style="color:#e6db74">&#34;</span>) <span style="color:#f92672">-eq</span> $Mailbox.Guid} </span></span><span style="display:flex;"><span> $ADExistingPermissionGroupTypes = $ADPermissionGroups| where{$_} | %{$_.Name.split(<span style="color:#e6db74">&#34;#&#34;</span>)[<span style="color:#ae81ff">1</span>]} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get existing and allowed mailbox permissions</span> </span></span><span style="display:flex;"><span> $MailboxPermissions = $Mailbox | Get-MailboxPermission | where{$Config.ADGroupFilter.AllowedUsers <span style="color:#f92672">-contains</span> $_.User} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create an ad group foreach permissiontype that is required</span> </span></span><span style="display:flex;"><span> $NewADPermissionGroupTypes = $MailboxPermissions | %{<span style="color:#e6db74">&#34;</span>$($_.AccessRights)<span style="color:#e6db74">&#34;</span>.split(<span style="color:#e6db74">&#34;, &#34;</span>) | where{$_} | %{$_} | %{$_ | where{$ADExistingPermissionGroupTypes <span style="color:#f92672">-notcontains</span> $_}}} </span></span><span style="display:flex;"><span> $NewADPermissionGroupTypes | Group | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create ad group name foreach permission type</span> </span></span><span style="display:flex;"><span> $Name = $config.ADGroup.NamePrefix + $Mailbox.Displayname + $Config.ADGroup.PermissionSeperator + $_.Name </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-PPEventLog -Message <span style="color:#e6db74">&#34;Add service mailbox access group: </span>$Name<span style="color:#e6db74">&#34;</span> -Source <span style="color:#e6db74">&#34;Synchronize Service Mailbox Access Groups&#34;</span> -WriteMessage </span></span><span style="display:flex;"><span> New-ADGroup -Name $Name -SamAccountName $Name -GroupCategory Security -GroupScope Global -DisplayName $Name -Path $Config.OU -Description <span style="color:#e6db74">&#34;Exchange Access Group for: </span>$($Mailbox.Displayname)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Get-ADGroup $Name </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># set the reference from the adgroup to the mailbox</span> </span></span><span style="display:flex;"><span> iex <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`$</span><span style="color:#e6db74">_.</span>$($Config.ADGroupMailboxReferenceAttribute)<span style="color:#e6db74"> = </span><span style="color:#ae81ff">`&#34;</span>$($Mailbox.Guid)<span style="color:#ae81ff">`&#34;</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Set-ADGroup -Instance $_ </span></span><span style="display:flex;"><span> $ADGroup = $_ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># add existing members to the permission group</span> </span></span><span style="display:flex;"><span> $MailboxPermissions | where{$_.AccessRights <span style="color:#f92672">-match</span> $ADGroup.Name.split(<span style="color:#e6db74">&#34;#&#34;</span>)[<span style="color:#ae81ff">1</span>]} | %{ </span></span><span style="display:flex;"><span> Add-ADGroupMember -Identity $ADGroup -Members ($_.User <span style="color:#f92672">-replace</span> <span style="color:#e6db74">&#34;</span>$Domain<span style="color:#e6db74">&#34;</span>,<span style="color:#e6db74">&#34;&#34;</span>) </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># output ad permission groups</span> </span></span><span style="display:flex;"><span> $_ </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># check members foreach permission group</span> </span></span><span style="display:flex;"><span> $ADPermissionGroups | where{$_} | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get permission type</span> </span></span><span style="display:flex;"><span> $Permission = $_.Name.split(<span style="color:#e6db74">&#34;#&#34;</span>)[<span style="color:#ae81ff">1</span>] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get existin ad user groups</span> </span></span><span style="display:flex;"><span> $ADPermissionGroupUsers = $_ | Get-ADGroupMember -Recursive | select @{L=<span style="color:#e6db74">&#34;User&#34;</span>;E={$($Domain + $_.SamAccountName)}} </span></span><span style="display:flex;"><span> $MailboxUsers = $MailboxPermissions | where{$_.AccessRights <span style="color:#f92672">-match</span> $Permission} | select user </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># compare these groups and update members</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($ADPermissionGroupUsers){ </span></span><span style="display:flex;"><span> $PermissionDiff = Compare-Object -ReferenceObject $ADPermissionGroupUsers -DifferenceObject $MailboxUsers -Property User </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># add member</span> </span></span><span style="display:flex;"><span> $PermissionDiff | where{$_.SideIndicator <span style="color:#f92672">-eq</span> <span style="color:#e6db74">&#34;&lt;=&#34;</span>} | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-PPEventLog -Message <span style="color:#e6db74">&#34;Add mailbox permission: </span>$Permission<span style="color:#e6db74"> for user: </span>$($_.User)<span style="color:#e6db74"> on mailbox: </span>$($Mailbox.Alias)<span style="color:#e6db74">&#34;</span> -Source <span style="color:#e6db74">&#34;Synchronize Service Mailbox Access Groups&#34;</span> -WriteMessage </span></span><span style="display:flex;"><span> Add-MailboxPermission -Identity $Mailbox.Alias -User $_.User -AccessRights $Permission </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># remove member</span> </span></span><span style="display:flex;"><span> $PermissionDiff | where{$_.SideIndicator <span style="color:#f92672">-eq</span> <span style="color:#e6db74">&#34;=&gt;&#34;</span>} | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-PPEventLog -Message <span style="color:#e6db74">&#34;Remove mailbox permission: </span>$Permission<span style="color:#e6db74"> for user: </span>$($_.User)<span style="color:#e6db74"> on mailbox: </span>$($Mailbox.Alias)<span style="color:#e6db74">&#34;</span> -Source <span style="color:#e6db74">&#34;Synchronize Service Mailbox Access Groups&#34;</span> -WriteMessage </span></span><span style="display:flex;"><span> Remove-MailboxPermission -Identity $Mailbox.Alias -User $_.User -AccessRights $Permission -Confirm:$false </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#output ad permission group to delete old ad permission groups</span> </span></span><span style="display:flex;"><span> $_ </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ADGroups | where{$RequiredADGroups <span style="color:#f92672">-notcontains</span> $_} | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-PPEventLog -Message <span style="color:#e6db74">&#34;Remove service mailbox access group: </span>$Name<span style="color:#e6db74">&#34;</span> -Source <span style="color:#e6db74">&#34;Synchronize Service Mailbox Access Groups&#34;</span> -WriteMessage </span></span><span style="display:flex;"><span> Remove-ADGroup -Identity $_ -Confirm:$false </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Remove-PSSession $PSSession </span></span><span style="display:flex;"><span>Write-PPErrorEventLog -Source <span style="color:#e6db74">&#34;Synchronize Service Mailbox Access Groups&#34;</span> -ClearErrorVariable </span></span></code></pre></div><p>Latest version of this script: <!-- raw HTML omitted --><a href="https://gist.github.com/8653473">https://gist.github.com/8653473</a><!-- raw HTML omitted --></p> <!-- raw HTML omitted --> <p>To run this script properly and use commands as <code>Write-PPEventLog</code> I recommend you to install my project <!-- raw HTML omitted -->PowerShell Profile<!-- raw HTML omitted -->.</p> Change Active Directory User Password Expiration Mode https://janikvonrotz.ch/2013/12/11/change-active-directory-user-password-expiration-mode/ Wed, 11 Dec 2013 17:35:45 +0000 https://janikvonrotz.ch/2013/12/11/change-active-directory-user-password-expiration-mode/ <p>To change an Active Directory users password expiration mode you can use this PowerShell snippet:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Get-ADGroupMember <span style="color:#e6db74">&#34;Group1&#34;</span> -Recursive | </span></span><span style="display:flex;"><span>Get-ADUser -Properties PasswordNeverExpires | </span></span><span style="display:flex;"><span>where {$_.enabled <span style="color:#f92672">-eq</span> $true <span style="color:#f92672">-and</span> $_.PasswordNeverExpires <span style="color:#f92672">-eq</span> $false} | </span></span><span style="display:flex;"><span>select -First <span style="color:#ae81ff">50</span> | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host $_.UserPrincipalName </span></span><span style="display:flex;"><span> Set-ADUser $_ -PasswordNeverExpires $true </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Latest version of this snippet: <!-- raw HTML omitted --><a href="https://gist.github.com/7913696">https://gist.github.com/7913696</a><!-- raw HTML omitted --><!-- raw HTML omitted --></p> Get Active Directory User Membership Groups Recursively https://janikvonrotz.ch/2013/12/11/get-active-directory-user-membership-groups-recursively/ Wed, 11 Dec 2013 11:46:37 +0000 https://janikvonrotz.ch/2013/12/11/get-active-directory-user-membership-groups-recursively/ <p>To get a users member shipments recursively I&rsquo;ve written an extended function based on the already existing function <code>Get-ADPrincipalGroupMembership</code> it simply loops through the users member shipments and outputs the data in tree styled list.</p> <p>This function is part of my <!-- raw HTML omitted -->PowerShell Profile project<!-- raw HTML omitted -->. Install this framework to get the latest version of this function.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e">&lt;# </span></span></span><span style="display:flex;"><span><span style="color:#75715e">$Metadata = @{ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Title = &#34;Get Active Directory Principal Group Membership Recurse&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Filename = &#34;Get-ADPrincipalGroupMembershipRecurse.ps1&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Description = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Tags = &#34;powershell, activedirectory, get, prinicipal, group, membership, recurse&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Project = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Author = &#34;Janik von Rotz&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> AuthorContact = &#34;https://janikvonrotz.ch&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> CreateDate = &#34;2013-12-11&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> LastEditDate = &#34;2013-12-11&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Url = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Version = &#34;1.0.0&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> License = @&#39; </span></span></span><span style="display:flex;"><span><span style="color:#75715e">This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Switzerland License. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/3.0/ch/ or </span></span></span><span style="display:flex;"><span><span style="color:#75715e">send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39;@ </span></span></span><span style="display:flex;"><span><span style="color:#75715e">} </span></span></span><span style="display:flex;"><span><span style="color:#75715e">#&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">function</span> Get-ADPrincipalGroupMembershipRecurse{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">&lt;# </span></span></span><span style="display:flex;"><span><span style="color:#75715e">.</span><span style="color:#e6db74">SYNOPSIS</span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Get Active Directory principal group membership recursively. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e">.</span><span style="color:#e6db74">DESCRIPTION</span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Get Active Directory principal group membership recursively. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e">.PARAMETER ADUser </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Active Directory user to report. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e">.PARAMETER ADGroup </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Looping parameter not required! </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e">.PARAMETER ADGroup </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Looping parameter not required! </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e">.</span><span style="color:#e6db74">EXAMPLE</span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> PS C:&gt; Get-ADPrincipalGroupMembershipRecurse -ADUser (Get-ADUser user1) | Out-GridView </span></span></span><span style="display:flex;"><span><span style="color:#75715e">#&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> [CmdletBinding()] </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">param</span>( </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> [Parameter(<span style="color:#a6e22e">Mandatory</span>=$false)] </span></span><span style="display:flex;"><span> [ValidateNotNullOrEmpty()] </span></span><span style="display:flex;"><span> $ADUser, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> [Parameter(<span style="color:#a6e22e">Mandatory</span>=$false)] </span></span><span style="display:flex;"><span> [ValidateNotNullOrEmpty()] </span></span><span style="display:flex;"><span> $ADGroup, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> [Parameter(<span style="color:#a6e22e">Mandatory</span>=$false)] </span></span><span style="display:flex;"><span> $Level = <span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># modules</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># main</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># loop select for user parameter</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($ADUser){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get membership groups of user and run this function</span> </span></span><span style="display:flex;"><span> $ADGroups = Get-ADPrincipalGroupMembership $ADUser | %{ </span></span><span style="display:flex;"><span> Get-ADPrincipalGroupMembershipRecurse -ADGroup $_ -Level ($Level+<span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get max number of levels</span> </span></span><span style="display:flex;"><span> $Levels = ($ADGroups | %{$_.Level} | measure -Maximum).Maximum + <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># display the results in columns</span> </span></span><span style="display:flex;"><span> $ADGroups | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create a column item</span> </span></span><span style="display:flex;"><span> $Item = New-Object <span style="color:#960050;background-color:#1e0010">–</span>TypeName PSObject </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create a column for each level</span> </span></span><span style="display:flex;"><span> $Index = <span style="color:#ae81ff">1</span>;<span style="color:#66d9ef">while</span>($Index <span style="color:#f92672">-ne</span> $Levels){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># place the value in the right level</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($_.Level <span style="color:#f92672">-eq</span> $Index){ </span></span><span style="display:flex;"><span> $Item | Add-Member <span style="color:#960050;background-color:#1e0010">–</span>MemberType NoteProperty <span style="color:#960050;background-color:#1e0010">–</span>Name <span style="color:#e6db74">&#34;Level </span>$Index<span style="color:#e6db74">&#34;</span> <span style="color:#960050;background-color:#1e0010">–</span>Value $_.Name </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">else</span>{ </span></span><span style="display:flex;"><span> $Item | Add-Member <span style="color:#960050;background-color:#1e0010">–</span>MemberType NoteProperty <span style="color:#960050;background-color:#1e0010">–</span>Name <span style="color:#e6db74">&#34;Level </span>$Index<span style="color:#e6db74">&#34;</span> <span style="color:#960050;background-color:#1e0010">–</span>Value <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $Index += <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#output</span> </span></span><span style="display:flex;"><span> $Item </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># loop select for group parameter</span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">elseif</span>($ADGroup){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># show a progress</span> </span></span><span style="display:flex;"><span> Write-Progress -Activity <span style="color:#e6db74">&#34;Collecting Data&#34;</span> -Status <span style="color:#e6db74">&#34;</span>$($_.Name)<span style="color:#e6db74">&#34;</span> -PercentComplete (Get-Random -Minimum <span style="color:#ae81ff">1</span> -Maximum <span style="color:#ae81ff">100</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># return the item and its level</span> </span></span><span style="display:flex;"><span> $_ | select Name,@{L=<span style="color:#e6db74">&#34;Level&#34;</span>;E={$Level}} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># check for further membershipments of this group and loop this function</span> </span></span><span style="display:flex;"><span> Get-ADPrincipalGroupMembership $_ | %{ </span></span><span style="display:flex;"><span> Get-ADPrincipalGroupMembershipRecurse -ADGroup $_ -Level ($Level+<span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><!-- raw HTML omitted --> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/12/Get-Active-Directory-User-Membership-Groups-Recursively-Output-Example.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/12/Get-Active-Directory-User-Membership-Groups-Recursively-Output-Example.png" alt="Get Active Directory User Membership Groups Recursively - Output Example"></a></p> Making Exchange Distribution Lists Externally Available https://janikvonrotz.ch/2013/11/12/making-exchange-distribution-lists-externally-available/ Tue, 12 Nov 2013 08:36:52 +0000 https://janikvonrotz.ch/2013/11/12/making-exchange-distribution-lists-externally-available/ <p>This might not be best practise but based on the situation you as administrator have to enable this feature.</p> <p>Making distribution lists externally available is great for spammers, so if you enable this feature, do this as less as possible.</p> <p>To enable a exchange distribution list for external use I recommand to use this simple PowerShell command:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>Set-DistributionGroup &lt;groupname&gt; -RequireSenderAuthenticationEnabled $false </span></span></code></pre></div>