Friday, November 30, 2018

User unable to login to RDP Farm after you re-enable them?

We had a strange issue. We had a user leave and since we knew when she was leaving i set the account to expire at a certain date. A couple days after she left they re hired her for some part time work so I set the radio button back to Never Expires.

The user called saying she couldn't log on to our RDP farm. After looking over everything we noticed she was in the correct group, she was getting emails on her phone (we use O365/EXO) and I even tried to disable and re-enable her account.

For giggles we reset her password and sure enough that worked. I don't know if its a bug in AD that if you set an account to expire and then change it back to never expire it doesn't really send the "All Clear" to all the systems or what. Such a strange issue.

Thursday, February 8, 2018

Enable .NET 3.5 on Windows 10

Go into RegEdit and set the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU folder.  

DoubleClick on UseWUServer(UseWindowsUpdateServer) and change the value to 0

Saturday, December 30, 2017

Removing O365 Hybrid Config - Exchange 2010/2016

I'm finishing up our companies migration to O365/Exchange Online (EXO). When migrating your on prem users to EXO, O365 has a Hybrid Configuration Wizard (HCW) that does the bulk of the work for you to setup your servers to talk to O365 and vice versa.

Once the HCW completes, all you should have to do is logon to your O365 global admin account and migrate users. This is great but......

They have next to no documentation on how to remove the hybrid configuration, especially if you want to keep an exchange server on prem.

Let's take a few minutes and discuss why you would want to keep an exchange server on prem. It took me a little time to figure out why as some blog posts I couldn't follow.

The main reason you would want to keep an on prem exchange server is if you are using AD Connect (used to be called DirSync) to sync passwords and users from your on prem AD to Azure AD/O365.

If you have AD Connect syncing to Azure AD/O365, then your on prem AD is still the source of authority. Basically what this means is that even though all your users mailboxes are in O365/EXO you can't manipulate any attributes. For example, you can't add another SMTP email address to a user using the O365 admin page. It'll give you an error telling you that the attributes are on your on prem AD. To get around this, you should keep an exchange server on prem. This server does not need to be anything big. Maybe a small VM to handle the mailbox role if using Exchange 2016. All you need it for is to manage users.

In my case I had an Exchange 2010 environment and all i wanted to do was remove those 2010 servers and keep the 2016 server but I couldn't find anything that told me the order to do things or how to create mailboxes on prem that would then sync up to O365 for EXO to create the mailbox for the user.

I finally found THIS site from technet. While it was an older post it worked for me. My only issue was when I tried to remove the Federate trust with the powershell command i got an error so i just went to the EMC and removed it from there.

At this point in time my confusion was (and always has been) how do I now get my 2016 server to create a mailbox for a user and send it to O365 now that the hybrid config is gone? I couldn't find any place that tells you what to d, only thats its possible.

Turns out is easier than I thought. Once you create your user an AD, run this comment in EMS: Enable-MailUser -Identity John -ExternalEmailAddress

This will create the correct attributes that when you AD Connect sync the changes to Azure AD/O365 it will create the mailbox for that user, as long as you have given that user the correct license in O365.

The one thing I do notice when I do this is that on my 2016 server, the user is listed under Contacts and not mailbox. All the users that I migrated using the HCW show up in the mailbox section as O365 users. Under the O365 admin, the user shows up in the mailbox section.

I'll update the post if I find out a way to make it so that it shows up as a mailbox in both. Hopefully they do so that I can keep everything consistent.

EDIT 12/31/17 - I found out that if you run this command after creating a user it will create the mailbox on O365 and it will be listed as an O365 mailbox in the 2016 server:  Enable-RemoteMailbox "wjones" -RemoteRoutingAddress "

Thursday, December 7, 2017

Add O365 License to users in bulk

We are moving to O365 and I needed a way to add our O365 licenses in bulk. To do this I used PowerShell.

First you need to install the AzureAD V2 PowerShell. This is very easy if you have Windows 10. You will do this:

Install-Module AzureAD

Once you install the module you will need to connect to your account:


It will prompt you for your O365 global admin credentials. Once you are connected you can see what your License SKU is by doing this:

Get-AzureADSubscribedSku | Select Sku*,*Units

The one we have it called ENTERPRISEPACK. You will need the SkuID. From this point you can put in the code below. I used a CSV file with a header of UserPrincipalName (UPN) and then below that the users. The UPN looks like an email address.

$file = import-csv test.csv

foreach ($user in $file){

$upn = $user.UserPrincipalName

$user2 = Get-AzureADUser -SearchString $upn

Set-AzureADUser -ObjectId $user2.ObjectId -UsageLocation US

$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense

$License.SkuId = "6fd2c87f-b296-42f0-b197-1e91e994b900"

$LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

$LicensesToAssign.AddLicenses = $License

Set-AzureADUserLicense -ObjectId $user2.ObjectId -AssignedLicenses $LicensesToAssign


This went through all my users in the CSV file and assigned the E3 license to their account.

Tuesday, October 31, 2017

Windows 10 Update kills RDP connection when using Remote Desktop Gateway

We had some of our users who were having issues logging in from home after updating their Windows 10 desktops. We use a Remote Desktop Gateway and it was throwing an error saying that they couldn't connect because and error occurred (very helpful).

The big problem we had was that it was random. Someone else who had the same update was able to login without any issues, thus making the issue harder to troubleshoot.

After troubleshooting with one of my users he found this blog post that had the answer.

In short this is what you need to do:

"open regedit and browse to HKLM\SYSTEM\CurrentControlSet\Control\Lsa and look for a DWORD value called LMCompatibilityLevel. If LMCompatibilityLevel is present, and it is set to anything under a value of 3, the user will fail to authenticate to the RD Gateway server. Instruct the user to either change the value to 3, or delete the DWORD entirely. Then reboot the computer and try again."

Once we did that on his computer and rebooted he was able to log back in. 

Monday, January 9, 2017

Room Calendars Not Auto Accepting Invites?

If you have a Room calendar that is not auto accepting invites do this:

Check to make sure its a Room:

get-mailbox <Identity>| fl *type*,*link*,*share*

If it's not a Room, make it a Room:

Set-Mailbox <Identity> -Type Room

Make sure its set to auto accept invites:

Get-CalendarProcessing <Identity> | fl AutomateProcessing

The AutomateProcessing attribute should be set to AutoAccept

To change it if it's not set to AutoAccept:

Set-CalendarProcessing <Identity> -AutomateProcessing AutoAccept -ConflictPercentageAllowed 0 -maximumConflictInstances 0

I got this info from KB Article 2005631 on Microsoft's Support site.

Tuesday, December 13, 2016

Add Members to Distribution Group From CSV File

I had a hard time finding a simple way to add users to an existing DL from a CSV file. I stitched together a couple ways I found on the web. One uses an Exchange powershell command and the other uses an active directory powershell command


Import-CSV "File Name.csv" | ForEach {Add-DistributionGroupMember -Identity "Group Name" -Member $_.SamAccountName}


 Import-Csv "File Name.csv" | % {Add-ADGroupMember -Identity "Group Name" -  Member $_.SamAccountName}

In both cases you must have a CSV file with a header of SamAccountName and then the user accounts below that. For Example:


Also, if you use the Active Directory Command inside an Exchange Management Shell, be sure to import the AD module:

import-module activedirectory

You can put in another header if you like (UPN, SMTP Address, etc), but I've found SamAccountName works best for me.

User unable to login to RDP Farm after you re-enable them?

We had a strange issue. We had a user leave and since we knew when she was leaving i set the account to expire at a certain date. A couple d...