Active Directory

Tech Short: PowerShell to list users in AD security group

You want to get a list of users who exist as members of a AD (Active Directory) security group. Here are some quick steps on accomplishing this task.

Lets begin:

  1. Open PowerShell or PowerShell ISE
  2. Type Import-Module ActiveDirectory
  3. Followed by Get-ADGroupMember -identity “Group Name” | select name | Out-GridView

And there you go, fast and simple to do.

 

Remove Dead Exchange Servers from Active Directory

Working with  my Exchange 2012 Hybrid configuration I into the following error:

ERROR : Subtask NeedsConfiguration execution failed: Configure MRS Proxy Settings

Execution of the Get-WebServicesVirtualDirectory cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings.

The task wasn’t able to connect to IIS on the server ‘exchange’. Make sure that the server exists and can be reached from this computer: The RPC server is unavailable.

This is because I did not properly remove the retired exchange servers form Active Directory during past migrations to Exchange 2013.

To remove these objects to continue with your Hybrid configuration task do the following:

  1. Launch the run dialog (Windows Key + R)
  2. Type in the command “adsiedit.msc” and press OK
  3. In the drop down menu select “Configuration”
  4. Expand “CN=Configuration [domain]\CN=Services\CN=Microsoft Exchange\CN=[organization]\CN=Administrative Groups\CN=Servers”
  5. Right click on the dead server and “Delete”
  6. Navigate to ”CN=Configuration [domain]\CN=Services\CN=Microsoft Exchange\CN=[organization]\CN=Administrative Groups\CN=Databases”
  7. Right click on each dead database and “Delete”

Step 1-5 will get you past the Hybrid error, but you might as well cleanup while your here.

The Truth – Single Sign On with Outlook and Office 365

After many twists and turns on this bumpy road of setting up a Hybrid Deployment of Exchange Online with AD Sync and ADFS for SSO.  I am faced with yet another issue.

Let me tell you what does work with the single sign on:

  • Outlook via Web Access
  • Office 365 Portal
  • Office 365 SharePoint
  • Office 365 Yammer
  • Office 365 Web Apps
  • Office 365 Lync Online

For the most part any Office 365 web services offered using a web browser, as long as its Internet Explorer.

Missing from the above list of working items is Outlook! That’s right; Outlook doesn’t work.

In fact; users of Outlook will be prompted to enter their credentials on first use.  Let me break right here and describe first use.

First use is any time you open Outlook, you will be prompt for a password to log in.  Unless you save it.

In addition to having to save your password locally in the Windows Credential Manager, you will need to update this password which was saved each and every time you change your password.

This is not my understanding of what the term “Single Sign On” was to be. Good job to Microsoft’s Office 365 Marketing Team.  You had/have so many of us as believers.

At this time I am very disappointed about the Outlook prompts for password credentials. Perhaps they will fix in the future.

Research

I was able to find the following ADFS White Paper on Office 365 Single Sign-On with AD FS which should provide more details.

I also found info confirming that Outlook wasn’t designed to support Single Sign On.  It has even been quoted “The Office 365 experience for logging on to Microsoft Outlook connections is also not expected to be a single sign-on experience.”KB2535227 (A federated user is prompted unexpectedly to enter their credentials when they access an Office 365 resource)

I apologize for the somewhat rant; but felt I needed to share this before many of you waste a lot of time and investment on trying to get something like this working, to only find out one of the major reasons to use it doesn’t work.

Perhaps Microsoft should read the Internet more before misusing terms such as SSO.

“With SSO, a user logs in once and gains access to different applications, without the need to re-enter log-in credentials at each application.”

http://www.techopedia.com/definition/4106/single-sign-on-sso

Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.”

http://en.wikipedia.org/wiki/Single_sign_on

Single signon takes away the need for the user to enter further authentications when switching from one application to another.”

http://www.webopedia.com/TERM/S/single_signon.html

Single sign-on (SSO) is mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where he has access permission, without the need to enter multiple passwords. Single sign-on reduces human error, a major component of systems failure and is therefore highly desirable but difficult to implement.

http://www.opengroup.org/security/sso/

– Jermal

Manually Remove Auto-Mapped Exchange Mailboxes

Beginning with Exchange 2010 then on to Exchange  2013. User who used the client Outlook 2007/2010/and 2013  had a new feature called automapping.

Automapping takes advantage of Exchange auto-discovery services to map mailboxes which  a user has “Full Access” permissions granted.

This is very helpful to the end user as he or she is no longer required to know or learn how to add additional mailboxes to Outlook.

The not so helpful side is when a users access is removed and a ghosted mailbox folder exists in Outlook that the user is unable to remove.  Attempts to close the mailbox result in a message that reads:

This group of folders is associated with an e-mail account. To remove the account, click the File Tab, and on the info tab, click Account Settings, Select the e-mail account, and then click Remove.

Thank’s but this doesn’t work.  In fact even on a a clean install of Outlook the user still has the ghost folders associated to their Outlook Client.

 

So to tackle this issue, I used ADSIedit.

  1. Open ADSIEdit (WinKey R to open Run and type adsiedit.msc)
  2. Connect to the Default Naming Context. (Click OK)
  3. Locate the mailbox that you once were granted Full Access Permissions and …
  4. Right-click on the object, view properties.
  5. Scroll down to MsExchDelegateListLinked attribute.
  6. Click Edit, select the User Object and click Remove your information.

 

Now give it a little time for the change to replicate out in our Active Directory, you will later find these folders to be gone.

To prevent this from occurring when adding mailboxes you could always run the following command to disable automapping:

Add-MailboxPermission -Identity user@jermsmit.com
-User admin@jermsmit.com -AccessRights FullAccess
-AutoMapping:$false

 

Update from the comments 6/5/2017:
To find the mailbox, you actually find the AD user account, under the OU=Domain Name, within ADSIEdit.  – Thanks ‘ splunch ‘ for the info.

Windows 8: fixing trust relationship issues

Dear Jermal, here is some info that you may find useful in the future. I hope that you share with your friends, coworkers and the readers of your blog.

From time to time I have found myself having to reset the computer account of a workstation that was left offline. In most cases this workstation was a virtual machine with a computer password that expired. A clear sign of this is the message “The trust relationship between this workstation and the primary domain failed.” 

This can be fixed by classic steps of removing the computer from the domain and then joining it back. You could also attempt to log into active directory users and computers and reset the computer object; I haven’t had much success with this. Perhaps I’m to impatient to wait for replication.

Another method is to use PowerShell and the Test-ComputerSecureChannel method.

By loading up PowerShell (as Administrator) you can run the Test-ComputerSecureChannel cmdlet (pronounced “command-let”). Running this command on a working machine will return the value of “True”

If the Test-ComputerSecureChannel cmdlet returns False, use the Repair switch to repair the secure channel. That command will look like this: “Test-ComputerSecureChannel

I hope this helps,

Sincerely,

Jermal

 

P.S. – You will need to be logged in under a cached Administrator account on the computer; To do this you just remove yourself from the network and log in under your credentials.