How to fix 550 5.7.520 Access denied, Your organization does not allow external forwarding.

If our organization controls two Office 365 tenants, at some point we may wish to enable forwarding of email from an address hosted in one tenant to an address hosted in the other. When we enable the forward in the O365 Exchange Admin Center, the end user may complain that every test message they send to check the forward comes back with the following bounce:

Remote Server returned '550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)'

By default, Microsoft 365 Defender sets up an Anti-Spam outbound policy, and that default policy sets Automatic Forwarding to “Automatic – System Controlled.” Since we do not want to modify the default policy, we can instead create a second policy (with a higher priority) that allows forwarding only for specific users or groups.

  1. Go to www.office.com and log into the tenant which hosts the email address that we want to forward mail from. (do not log into the destination email address tenant)
  2. Open the Admin Center
  3. Next, click Show All (admin centers) and then click Security.

  4. Next, in the Security / Microsoft 365 Defender Admin Center, under Email & Collaboration, click on Policies & rules.
  5. Here, click on Threat Policies.
  6. Under Threat policies, click Anti-Spam.
  7. Under the default Anti-Spam outbound policy (Default) we will probably find Automatic Forwarding set to Automatic – System-Controlled.
  8. Close the Default policy and then, at the top of the screen, click the + Create Policy drop-down and choose Outbound.
  9. In the new Outbound policy, edit the description to something like “Custom Outbound Mail Forward”, and add the Users or Groups to the policy (those you want to give the ability to forward).
  10. At the bottom of the new custom policy change Automatic Forwarding to: On – Forwarding is enabled.
  11. Save and close the new policy and that should do it. Try sending some test messages to see if the forward works correctly. We may need to change the new policy’s Priority to 0 if something still isn’t working. Also, don’t forget to double check the Automatic Forwarding setting on the mailbox itself.
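The same custom policy can be created from Exchange Online PowerShell, which also makes it easy to verify which forwarding setting is actually in effect. This is an added example, not from the original post; the admin UPN, the policy name and the mailbox jdoe@contoso.com are placeholders, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example: create a higher-priority outbound spam policy that allows
# automatic forwarding only for named senders, leaving the default policy alone.
# Assumes the ExchangeOnlineManagement module; admin@contoso.com is a placeholder UPN.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Confirm the default outbound policy still says Automatic (system controlled).
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode -AutoSize

# 2. Create a separate policy with forwarding switched on.
$policyName = 'Custom Outbound Mail Forward'
New-HostedOutboundSpamFilterPolicy -Name $policyName -AutoForwardingMode On

# 3. Scope the policy to the senders allowed to forward (use -FromMemberOf for a group)
#    at priority 0 so it is evaluated before anything else.
New-HostedOutboundSpamFilterRule -Name $policyName `
    -HostedOutboundSpamFilterPolicy $policyName `
    -From 'jdoe@contoso.com' `
    -Priority 0

# 4. The policy only permits forwarding; the mailbox itself must still have a forward set.
Get-Mailbox -Identity 'jdoe@contoso.com' |
    Format-List ForwardingSmtpAddress, DeliverToMailboxAndForward

# 5. Re-check: the rule should show Priority 0 and the policy AutoForwardingMode On.
Get-HostedOutboundSpamFilterRule -Identity $policyName |
    Format-List Name, Priority, From, FromMemberOf, HostedOutboundSpamFilterPolicy
Get-HostedOutboundSpamFilterPolicy -Identity $policyName | Format-List Name, AutoForwardingMode
```

Keeping the allow list to named senders rather than switching the default policy to On is what keeps the tenant-wide protection against attacker-created forwarding rules intact.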

Solved – Microsoft Teams Start Recording Button Grayed Out

If your users report that the “Start Recording” button in Microsoft Teams is disabled or grayed out, then perhaps the storage path for Teams recordings in OneDrive recently changed, or a policy change or tenant change caused the problem. Regardless, the following resolved the issue and fixed the grayed-out button for us. Special thanks to Ryu_Yosei for providing a solution here; below is the step-by-step.

For starters, this fix takes about 20 minutes. You’ll first want to open the Microsoft Exchange Online PowerShell Module as an Administrator, connected to the tenant that is having the issue. If you’re unfamiliar with how to do this, follow the instructions in the first part of the procedure/guide here. One caveat: in order to import the required MicrosoftTeams module, we want to ensure that we start the Exchange PowerShell session as an Administrator.

How to Run the Microsoft Exchange Online Powershell Module as Administrator

After installing the Hybrid Exchange Shell, we will probably have a desktop shortcut. Right-clicking on the shortcut doesn’t give us the usual “Run as Administrator” option. Instead, we’ll first start a command prompt (cmd), run that as an administrator, and then launch the Exchange Shell from within the command prompt.

  1. Click the Start Button and type cmd
  2. Right click on the Command Prompt app and choose Run as an Administrator

  3. Next, inside the Administrator command prompt, change to the folder that holds the shortcut (replace Username with your own profile folder):

cd c:\Users\Username\Desktop

  4. Next, start the Exchange module by running the command:

"Microsoft Exchange Online Powershell Module.appref-ms"

[Screenshot: Start Exchange PowerShell as Administrator]

Now the Exchange Powershell session should open as an administrator and we can continue.

How to set Microsoft Teams Global Identity AllowCloudRecordingForCalls to $True

  1. Inside the Exchange PowerShell session, we’ll authenticate to our tenant with our username (email address) and the following command (replace <your UPN> with your admin sign-in address):
Connect-EXOPSSession -UserPrincipalName <your UPN>

You may be prompted to log into O365, and perform multi-factor authentication if necessary. Next, if we do not already have the Teams module installed, issue the commands:

Get-Module MicrosoftTeams
Install-Module MicrosoftTeams

We’ll see a prompt asking whether to trust the repository; type y for yes.

PS C:\Users\jcoltrin> Install-Module MicrosoftTeams

Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): y

Next we’ll want to connect to Microsoft Teams in our tenant with the command:

Connect-MicrosoftTeams

We’ll have the system return some information including our Account, Environment, Tenant, and TenantId. We can now check the status of our CsTeamsCallingPolicy with the command:

Get-CsTeamsCallingPolicy -Identity Global

In our case if we look at the entry for AllowCloudRecordingForCalls, we can see it is set to False:

[Screenshot: Teams AllowCloudRecordingForCalls set to False]

To change this to True, use the following command:

Set-CsTeamsCallingPolicy -Identity Global -AllowCloudRecordingForCalls $true

We can check to see if the command worked by issuing the previous command again:

Get-CsTeamsCallingPolicy -Identity Global

We can now see that AllowCloudRecordingForCalls is set to True:

[Screenshot: AllowCloudRecordingForCalls set to True]

The setting should take effect almost immediately across the tenant; however, users will still see the Start Recording button disabled or grayed out until they completely quit Teams and restart the app. To quit Teams, in the bottom-right corner of the Windows primary desktop, down by the clock, expand the system tray, right-click on the Teams icon and choose Quit.

[Screenshot: How to Quit Microsoft Teams]

Restart and/or Sign into Microsoft Teams again, start a test Call/Meeting with an associate, and check to see that Start Recording is now available and enabled.

Hopefully this guide helps restore your ability to record Teams calls. If something else worked for you, please leave a note in the comments below.

How to set up an Auto Responder or Automatic Replies for an Alias in O365 Exchange

When you manage a large number of Exchange mailboxes, inevitably someone will leave the organization, and you have to set up autoreplies with a message stating the user is no longer available by email. Common sense dictates we set up a noreply@ mailbox and add the terminated users as aliases on that mailbox, but not so fast. After a few days of testing and working with support, we’ve found that setting up a shared mailbox with autoreplies enabled, using the terminated user’s unique email address, provides the most consistent results.

We’re not going to go through the myriad of possible scenarios about what your org does with a mailbox after a user leaves. Instead, we’ll assume the mailbox is now deleted, and forwarding of mail bound for that mailbox is no longer necessary. To be on the safe side, ensure you back up the mailbox in some way before deleting the mail.

When testing auto replies, you may want to use the Exchange Message Tracker to see the messages come in and go out. To get there, go to O365 Admin > Exchange > Mail Flow > Message Trace.

A good thing to note here is that while performing a message trace, when sending test messages to the newly created shared mailbox with Automatic Replies enabled from within the same tenant or domain, auto reply messages may Drop with the following error:

Date/Time DropReason: [{LED=250 2.1.5 RESOLVER.OOF.ExtToInt; handled external OOF addressed to internal recipient};{MSG=};{FQDN=};{IP=};{LRT=}]

This Drop message is actually an intended action, and is not an error, as it is probably used to prevent a loop of autoreplies within the same tenant.

Getting back to our original issue: to generate autoreplies, we first tried to set up a “noreply@” shared mailbox and add terminated users’ email addresses as aliases on the noreply box, but we got inconsistent results. Instead, we did the following.

How to Setup Automatic Replies for a Terminated User Mailbox

  • Create a shared mailbox with the terminated user’s email address. To do this go to 365 Admin Center > Groups > Shared mailboxes > Add a shared mailbox > Give the shared mailbox a name like “JDoe Term AutoReply” > Give the shared mailbox the (previously/actually used) email address of the terminated user. This does not use a mailbox license thereby freeing up a license. Alternatively, you can try simply converting the terminated user’s mailbox to a shared mailbox, but we had an inconsistent result doing this.
  • Next, simply click on the details of the shared mailbox, and under Automatic replies, click the Edit link:

Next place Checkmarks in both “Send automatic replies to senders inside this organization” and “Send automatic replies to senders outside this organization”

Add a reply blurb which can be something similar to the following:

The Representative you are trying to contact is no longer affiliated with this Corporation. You will be receiving communication with more information pertaining to the transition of the Representative on your account. If you have an urgent matter and would like to speak with someone, please call our Service Center at 800-555-5555 between the hours of 6am-5pm (PST).

Click “Save” at the bottom and you should be all set.
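For admins who prefer Exchange Online PowerShell, the shared-mailbox and auto-reply steps above look like this. This is an added example, not from the original post; it assumes an existing Exchange Online session, and the address jdoe@contoso.com and the display name are placeholders.

```powershell
# Added example: turn the former user's address into an unlicensed shared mailbox
# with automatic replies to internal and external senders, then verify delivery.
# Assumes an Exchange Online session; the address and display name are placeholders.
$address     = 'jdoe@contoso.com'
$displayName = 'JDoe Term AutoReply'
$replyText   = 'The representative you are trying to contact is no longer affiliated with this corporation. ' +
               'If you have an urgent matter, please call our Service Center at 800-555-5555.'

# 1. The address must be free before it can be reused; stop if any recipient still owns it.
if (Get-Recipient -Identity $address -ErrorAction SilentlyContinue) {
    throw "$address is still assigned to an existing recipient; remove or rename it first."
}

# 2. Create the shared mailbox (no license consumed) with the terminated user's primary address.
New-Mailbox -Shared -Name $displayName -DisplayName $displayName -PrimarySmtpAddress $address | Out-Null

# 3. Enable automatic replies for both audiences (the two checkboxes in the admin center).
#    A freshly created mailbox can take a minute to provision; re-run this step if it is not found yet.
Set-MailboxAutoReplyConfiguration -Identity $address `
    -AutoReplyState Enabled `
    -InternalMessage $replyText `
    -ExternalMessage $replyText `
    -ExternalAudience All

# 4. Verify the configuration.
Get-MailboxAutoReplyConfiguration -Identity $address |
    Format-List AutoReplyState, ExternalAudience, InternalMessage

# 5. After sending a test message, trace mail to and from the address. A reply to an
#    internal test sender is dropped by design (the RESOLVER.OOF.ExtToInt reason noted above),
#    so test with an external sender to see the reply actually leave the tenant.
Get-MessageTrace -SenderAddress $address -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Format-Table Received, RecipientAddress, Status -AutoSize
```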

If you want to test, you can try sending an email from an account outside your organization. *Note – when we sent a test message from gmail, the autoreply ended up going into the gmail account’s spam folder.

If further errors are encountered, you may need to look at your spam/external forwarding policies in your mail filtering site at https://protection.office.com/antispam or reach out to MS Support.

Office 365 Outlook for Desktop constantly prompts for login password after enabling MFA two factor authentication – how to Enable Modern Authentication for Exchange Online

If you have recently enabled MFA (multi-factor authentication, or 2FA) on your Office 365 tenant, your Microsoft Outlook for Office 365 MSO 16.0.11929 (desktop version) users may be prompted over and over for their password, even though you are sure you have the correct password and even the correct app password. I’m sure you’ve tried to re-configure Outlook, looked at Azure settings, reinstalled Outlook, checked your autodiscover records, made sure you have the correct Office Suite version and perhaps have even attempted to change the Windows 10 registry with the following settings:

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeExplicitO365Endpoint"=dword:00000001
"ExcludeLastKnownGoodUrl"=dword:00000001
"ExcludeHttpsRootDomain"=dword:00000001
"ExcludeSrvRecord"=dword:00000001

However, doing these things did not resolve the issue; the only fix that worked for us was to follow the instructions on how to enable modern authentication for Exchange Online here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online

So I thought it would be helpful to have a step-by-step how to enable modern authentication in Exchange Online for Office 365 based on the instructions provided in the link above.

With MFA enabled, connecting to Exchange Online with powershell is not as simple as it used to be, but still not all that bad. I’ve found the easiest way to connect to Exchange Online with Powershell is to do the following.

Note: A forewarning here: with certain browsers, when clicking on the Exchange Hybrid “Configure” button and then installing the Hybrid configuration, the Office 365 login screen may flash on the screen as a white box and then disappear before you can authenticate and use your 2FA text code. I’ve seen this when using Microsoft Edge, Chrome, and even the new version of Microsoft Edge based on Chromium. The only browser I’ve gotten this to consistently work with is the Internet Explorer browser built into Windows 10. Internet Explorer is installed on Windows 10 by default; it’s hidden in the start menu under Accessories:

If you do attempt to run the Exchange PowerShell Module using Chrome you may encounter the error:

“Application cannot be started. Contact the application vendor.”

When clicking the Details… button, you may find information similar to the following:

PLATFORM VERSION INFO
	Windows 			: 10.0.18363.0 (Win32NT)
	Common Language Runtime 	: 4.0.30319.42000
	System.Deployment.dll 		: 4.8.3752.0 built by: NET48REL1
	clr.dll 			: 4.8.4121.0 built by: NET48REL1LAST_C
	dfdll.dll 			: 4.8.3752.0 built by: NET48REL1
	dfshim.dll 			: 10.0.18362.1 (WinBuild.160101.0800)

SOURCES
	Deployment url			: file:///C:/Users/Jason/Downloads/Microsoft.Online.CSE.PSModule.Client%20(3).application

IDENTITIES
	Deployment Identity		: Microsoft.Online.CSE.PSModule.Client.application, Version=16.0.3527.0, Culture=neutral, PublicKeyToken=45baf49ae30bdb15, processorArchitecture=msil

APPLICATION SUMMARY
	* Installable application.
	* Trust url parameter is set.
ERROR SUMMARY
	Below is a summary of the errors, details of these errors are listed later in the log.
	* Activation of C:\Users\Jason\Downloads\Microsoft.Online.CSE.PSModule.Client (3).application resulted in exception. Following failure messages were detected:
		+ Deployment and application do not have matching security zones.

COMPONENT STORE TRANSACTION FAILURE SUMMARY
	No transaction error was detected.

WARNINGS
	There were no warnings during this operation.

OPERATION PROGRESS STATUS
	* [4/3/2020 3:32:57 PM] : Activation of C:\Users\Jason\Downloads\Microsoft.Online.CSE.PSModule.Client (3).application has started.
	* [4/3/2020 3:32:57 PM] : Processing of deployment manifest has successfully completed.
	* [4/3/2020 3:32:57 PM] : Installation of the application has started.

ERROR DETAILS
	Following errors were detected during this operation.
	* [4/3/2020 3:32:57 PM] System.Deployment.Application.InvalidDeploymentException (Zone)
		- Deployment and application do not have matching security zones.
		- Source: System.Deployment
		- Stack trace:
			at System.Deployment.Application.DownloadManager.DownloadApplicationManifest(AssemblyManifest deploymentManifest, String targetDir, Uri deploymentUri, IDownloadNotification notification, DownloadOptions options, Uri& appSourceUri, String& appManifestPath)
			at System.Deployment.Application.ApplicationActivator.DownloadApplication(SubscriptionState subState, ActivationDescription actDesc, Int64 transactionId, TempDirectory& downloadTemp)
			at System.Deployment.Application.ApplicationActivator.InstallApplication(SubscriptionState& subState, ActivationDescription actDesc)
			at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl, Uri& deploymentUri)
			at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivationWithRetry(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
--- End of stack trace from previous location where exception was thrown ---
			at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
			at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivationWithRetry(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
			at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)

COMPONENT STORE TRANSACTION DETAILS
	No transaction information is available.

At this point, it may be necessary to uninstall the existing module and then re-install and run using Internet Explorer. You may even receive the following error:

"You cannot start application Microsoft Exchange Online Powershell Module from this location because it is already installed from a different location."

To uninstall the module, click the Start Button > type “appwiz.cpl” and press Enter.

Inside of the Programs and Features screen find the application and click Uninstall.

After uninstall, log into your tenant (with an administrator account) at https://www.office.com using Internet Explorer 11, and click the Admin link:

Next, Expand the Menu on the left menu by clicking Show All… and then click on Exchange:

Next we want to click on the Hybrid link to get to our Powershell Configure button:

Go ahead and install the component if it asks, and when it completes, you’ll be greeted with a Windows Powershell screen with the following message:

Experience the fast and reliable Exchange PowerShell V2 Cmdlets via new PowerShellGallery module. Go to https://aka.ms/exops-docs

This PowerShell module allows you to connect to Exchange Online service.
To connect, use: Connect-EXOPSSession -UserPrincipalName <your UPN>
This PowerShell module allows you to connect Exchange Online Protection and Security & Compliance Center services also.
To connect, use: Connect-IPPSSession -UserPrincipalName <your UPN>

To get additional information, use: Get-Help Connect-EXOPSSession, or Get-Help Connect-IPPSSession

We now want to initiate our session using the instructions provided. At the prompt, type in the command:

Connect-EXOPSSession -UserPrincipalName <your UPN>

You’ll now be prompted to sign into your tenant (Work or School). You’ll see some status bars go by and then be shown a warning about unapproved verbs (for example, banish).

So now we want to look at our organization configuration (look only, before making any changes), and more precisely find the status of our OAuth2ClientProfileEnabled setting, by issuing the command:

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

Your output should look similar to the following (with the exception being that your result will probably be set to False:)

Finally we can set this to True by using the following command:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

To verify the command was successful, run the previous command again:

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

That’s about it! Give the setting about an hour to propagate and then try testing Outlook on the desktop again. You may get a few clients whose profile needs to be recreated. You can do this by going into the Control Panel > (1) choose Small Icons > (2) Mail (Microsoft Outlook 2016).

Then click Show Profiles

Click Add…

Now when setting up the new mail account, you should be prompted with modern authentication and asked for your text code or the Microsoft Authenticator app.

Hacked Office 365 Outlook Account cannot send or receive email

Recently a client complained that an Office 365 account had sent out spam messages to a number of clients. Later, the suspect account which had been sending spam could no longer send or receive email. However, at first glance at the mailbox, sent messages were sitting in the Sent Items folder, and messages sent to the account in question were not producing bounce-back failures, yet they were not arriving in the Inbox either. After we changed the password of the account and enabled 2FA on it, we still could not send or receive mail. Below are the steps used to resolve this particular issue. In short, a malicious inbox rule had been created and outbound messages had been blocked by Microsoft.

  1. Log into the tenant’s Admin console with an Administrative account, and change the password of the affected account.
  2. Log into the affected account as the user using the new password.
  3. Click on the Gear icon and then under Your app settings, click Mail.

4. Once in the Mail app settings, go to Mail > Automatic Processing > Inbox and sweep rules.

Here we can see a malicious rule had been created to mark all inbound mail as Read and move the message to the “RSS Subscriptions” folder:

5. Uncheck and turn off any malicious or invalid rules.

Also check for any new forwarding rules in Mail > Accounts > Forwarding:

6. When we look in our “RSS Subscriptions” folder we find some messages from Microsoft indicating the account has been blocked from sending mail because the account was flagged as sending spam:

Your message couldn't be delivered because you weren't recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it's no longer allowed to send messages outside of your organization. Contact your email admin for assistance.

Remote Server returned '550 5.1.8 Access denied, bad outbound sender. For more information please go to http://go.microsoft.com/fwlink/?LinkId=875724. S(9333) [DM5PR10MB1914.namprd10.prod.outlook.com]'

7. To resolve this issue, we’ll need to go into the Action Center. Log into the Admin console > Admin Centers > Exchange > Protection > Action Center

8. In the Action center, we’ll find an issue flagged regarding our hacked user account. Take action on the issue; due to permission propagation, it may take up to 2 hours for the account to be re-enabled for sending mail.

9. It might be a good idea to contact Microsoft Support if you continue to experience problems with a user account sending spam. Changing the password should prevent further malicious access. Most likely the account had been phished, or the user’s computer was compromised by a virus, malware or spyware. It’s recommended that the account have two-factor or multi-factor authentication enabled to prevent the account from being hacked again.
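The inbox-rule, forwarding and blocked-sender checks in steps 4 to 8 can also be run from Exchange Online PowerShell, which is quicker across many mailboxes and leaves the malicious rules in place (disabled) as evidence. This is an added example, not from the original post; it assumes an existing Exchange Online session and uses jdoe@contoso.com as a placeholder mailbox.

```powershell
# Added example: triage and remediate a mailbox suspected of compromise.
# Assumes an Exchange Online PowerShell session; jdoe@contoso.com is a placeholder.
$user = 'jdoe@contoso.com'

# 1. Inbox rules that hide, forward or delete mail are the usual persistence mechanism.
#    Flag enabled rules that mark mail read, move it to an unusual folder, forward,
#    redirect or delete it (the rule in this post marked mail read and moved it to RSS Subscriptions).
$rules = Get-InboxRule -Mailbox $user
$suspicious = $rules | Where-Object {
    $_.Enabled -and (
        $_.MarkAsRead -or $_.DeleteMessage -or
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
        ($_.MoveToFolder -and $_.MoveToFolder -match 'RSS|Junk|Deleted|Archive|Conversation History')
    )
}
$suspicious | Format-List Name, Description, MarkAsRead, MoveToFolder, ForwardTo, RedirectTo, DeleteMessage

# 2. Forwarding configured on the mailbox itself (the Mail > Accounts > Forwarding setting).
Get-Mailbox -Identity $user |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Is the account on the restricted senders list? This is the PowerShell view of the
#    Action Center entry behind the 550 5.1.8 "bad outbound sender" bounce.
Get-BlockedSenderAddress -SenderAddress $user

# 4. Remediate after the password reset: disable (not delete) the rules so they remain as
#    evidence, clear mailbox-level forwarding, then lift the sending block.
foreach ($rule in $suspicious) {
    Disable-InboxRule -Mailbox $user -Identity $rule.Identity -Confirm:$false
}
Set-Mailbox -Identity $user -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Remove-BlockedSenderAddress -SenderAddress $user

# 5. Verify nothing suspicious remains enabled.
Get-InboxRule -Mailbox $user | Where-Object { $_.Enabled } | Format-Table Name, MoveToFolder, ForwardTo -AutoSize
```

Unblocking can take a couple of hours to propagate, as noted in step 8, and the block should only be lifted after the password change and MFA enrolment are complete.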


How to Enable Archiving for Outlook Office 365 and Move Old Mail into Archive

At some point, a user’s mailbox will reach the default quota of 50 GB for an Enterprise E1 license, and they will have to either move mail into an archive or delete mail to continue to receive email. The user may receive the warning:

Your mailbox is near the maximum storage limit. Archive or delete items to create additional free space.

Our options at this point are to do one of three things: upgrade the user’s license from E1 to E3 to double the mailbox size, permanently delete mail out of the mailbox, or archive the mail. Microsoft provides 50 additional GB of archive space for an E1 license (this number is subject to change).

In many instances, the user may not want to delete any mail and would prefer to archive the mail. In my opinion, the ideal way to handle archiving is to create an online archive, rather than create .pst files on the local machine which could end up getting lost or deleted. Also managing local .pst archive files can be a pain. And lastly, if the archive is only available as a .pst file in the user’s PC, the archived mail will not be available from webmail or a different device.

If we want to create an online archive for the user on Office 365, there are a few simple steps to take in the Office 365 Admin console.

  1. Log into the Office365 Admin console, then click on Admin centers > Security and Compliance:
  2. Next, on the navigation bar, expand Data Governance, and click Archive
  3. Now on the right-hand pane, we will see all of our mailboxes and find out if the Archive Mailbox for Office 365 is enabled or disabled.
  4. To enable the archive on a disabled user’s mailbox, first select the user. If we have a lot of users, do a search for the user’s name and then highlight the correct mailbox we want to change.
  5. We can see in the screenshot above, my account already has Archive mailbox: enabled. If the account’s archive had been disabled, we would simply click the Enable link. When we click enable, we will get the following Warning:
If you enable this person's archive mailbox, items in their mailbox that are older than two years will be moved to the new archive. Are you sure you want to enable this archive mailbox? Yes No

  6. Click Yes.

  7. What happens next is, as the warning states, mail that is over 2 years old will begin to be archived. We will also get some new features in both Outlook online, as well as in Outlook 2016/Outlook 2013. We can wait for the auto-archiving to take place, but we can also take some immediate action to archive old mail online.

  8. Pretty much immediately in Outlook online, we will get new Archive buttons and an archive folder:

We won’t see the archive buttons until we click on an individual message. If we do click on a message and select it, we will see the Archive button available.

  9. We can also select multiple emails and then right-click on the highlighted messages. A wizard will appear on the screen. Click the Archive button to move these emails to the archive folder.

  10. If reducing the size of the mailbox immediately is our goal, we can start by archiving our largest emails first. At the top of the mail folder, whether it be the Inbox, Sent Items, or Deleted Items folder, we’d click the Filter button > Sort by > Size.

  11. Select the “Enormous” items first by clicking on the top email, holding down the Shift key, then selecting the bottom email, which will highlight all of the messages in between. Next, right-click and choose Archive.

  12. In the desktop version of Outlook 2013/2016, only after a few hours will we have our new Archive folder available. This may take up to 24 hours depending on the speed of replication of settings from Office 365 down to the client. Once the folder is available, however, I find the process of moving mail out of the Inbox or Sent Items, or cut/pasting subfolders into the archive, much easier.

I don’t have mail over 2 years old in my mailbox, so I’m not sure if it will automatically create subfolders dependent on where they originally lived so let me know in the comments if you notice automatic folder creation.

In order for someone to find an old message, they will only need to search their mailbox in Outlook online or Search Archive in Outlook 2013/2016.
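To find which mailboxes are close to the quota and enable the online archive for them in bulk, the admin-center steps above can be scripted. This is an added example, not from the original post; it assumes an existing Exchange Online session, and the 45 GB threshold is an assumption.

```powershell
# Added example: report user mailboxes near the 50 GB quota and enable the
# online archive on those that do not already have one.
# Assumes an Exchange Online PowerShell session; $thresholdGB is an assumption.
$thresholdGB = 45

function Get-MailboxSizeGB {
    param([string]$Identity)
    # TotalItemSize renders as e.g. "48.2 GB (51,753,000,000 bytes)"; pull the byte count.
    $size = (Get-MailboxStatistics -Identity $Identity).TotalItemSize.Value.ToString()
    if ($size -match '\(([\d,]+) bytes\)') {
        return [math]::Round(([int64]($Matches[1] -replace ',', '')) / 1GB, 2)
    }
    return 0
}

# 1. Build a report of user mailboxes at or above the threshold.
$near = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        [pscustomobject]@{
            Mailbox       = $_.PrimarySmtpAddress.ToString()
            SizeGB        = Get-MailboxSizeGB -Identity $_.Identity
            ArchiveStatus = $_.ArchiveStatus      # None or Active
        }
    } |
    Where-Object { $_.SizeGB -ge $thresholdGB }

$near | Format-Table -AutoSize

# 2. Enable the archive where it is not already active. As the admin-center warning says,
#    items older than two years start moving to the archive once it is enabled.
foreach ($m in $near | Where-Object { $_.ArchiveStatus -ne 'Active' }) {
    Enable-Mailbox -Identity $m.Mailbox -Archive
}

# 3. Verify: ArchiveStatus should now be Active and an archive quota reported.
foreach ($m in $near) {
    Get-Mailbox -Identity $m.Mailbox | Format-List PrimarySmtpAddress, ArchiveStatus, ArchiveQuota
}
```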

 

Solved – Skype for Business 2016 emoticons missing repair without re-install

How to repair and fix Skype for Business 2016 by clearing the cache, and get back the emoticons which have been replaced by words in parentheses.

For example, an associate sent me the following screenshot:

We can see that the emoticons have been replaced by (rock)(dance).

To fix this problem without re-installing Microsoft Office or Skype, clear the Skype Cache by doing the following (which I found in an MS Support forum here.)

1. In the Skype main windows, click the gear in the top right-hand corner.

2. Choose File – Sign Out to log out of Skype for Business.

3. On the Sign In window, choose the link to Delete my sign-in info.

4. In the pop-up window to forget sign in info, click Yes.

5. Click the gear, choose File> Exit to exit and close Skype. Close all other Office Applications.

6. Go to the location:
C:\Users\<username>\AppData\Local\Microsoft\Office\16.0\Lync – you can get here quickly by going to Start > Run, typing %localappdata%\Microsoft\Office\16.0\Lync and pressing Enter.

7. Locate the sip_YourProfileName folder and delete it if it exists. In some cases, it will not. Open the Tracing folder and delete all files inside of it. Do not delete the Tracing folder itself. If you receive a message that the action can’t be completed because a file is open, or that you need Administrator permission to delete a file, click the Skip button. Close Windows File Explorer.

8. Open a command prompt (in Windows, click the Start button, type cmd and select Command Prompt from the menu). Type ipconfig /flushdns and press Enter to clear the DNS cache.

9. Sign back into Skype/Lync.

10. Once Skype is open, make sure you go back into Gear > Tools > Options > IM > and place a checkmark to show emoticons again.

11. Test to see if the emoticons have returned!

If all else fails, you might want to completely uninstall Office and/or Skype for Business, delete the Appdata\Local\Microsoft\Office\16.0\Lync folder completely, and then re-install again. But hopefully, this procedure will save you some time.

Lastly, a commenter below (thanks Chris!) has had success with several people using the following registry change:

Set DisableRicherEditCanSetReadOnly to 1 in regedit
path: Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync\

Always back up the registry key before you change anything in the registry.

New Active Directory User and Office365 New User Powershell Procedure

As a systems administrator, quite often you’ll need to create new user accounts in Active Directory and MSOnline Office 365. It’s good to streamline your new user creation procedure as much as possible to make the process faster and more accurate. Thanks to PowerShell, we can turn a whole bunch of point-and-clicks into just a few PowerShell commands. In this example procedure we will first create an Active Directory (AD) user account with PowerShell and a .csv file, and then add that user into multiple groups with a different PowerShell script and a .txt file that lists the groups. We will also use another PowerShell script to get the canonical name of the groups so that our script can find the LDAP location of each group in Active Directory. Secondly, because we do not run our own Exchange server, we will use PowerShell to connect to Office 365, create a new user there, license the user, and then add the user to some distribution groups. Prerequisites are PowerShell with the AD components and the MSOnline components imported.

  1. Go to https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Create-Active-7e6a3978 and download the create_ad_users.zip and extract to c:\newusers\
  2. Edit create_ad_users.ps1 lines 92 and 98 to accommodate longer last names. In the original script it only allows for first initial and then a truncated last name of 4 characters. In my case, we have some users with long last names, so I set those values to 20.
  3. The modified block looks like this:
    If($replace.length -lt 20)
    {
      $lastname = $replace
    }
    Else
    {
      $lastname = $replace.substring(0,20)
    }
    
  4. Copy info from your HR department about the new user into the .csv file c:\newusers\import_create_ad_users.csv
  5. Run PS C:\newusers> .\create_ad_users.ps1
  6. Next check the new username in ADUC for such things as account name, address, phone number etc. to ensure the entries are accurate.
  7. With our new user account created, most likely we will want to make that user a member of several security groups. To do that with PowerShell, we need to make sure that we have the correct LDAP names for our groups and place them into a file named groups.txt. In order to do so, we need to run another PowerShell script named find-dn.ps1. The code is as follows:
    # Function: find the distinguished name (DN) of an AD object by object class and common name (CN)
    function find-dn { param([string]$adfindtype, [string]$cName)
        # Escape LDAP filter metacharacters in the CN (RFC 4515) so the search cannot be altered by its input
        $safeName = $cName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
        # Bind to the default naming context of the current domain
        $root = [ADSI]''
        # Create a new DirectorySearcher object
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        # Set the filter to search for a specific object class and CN
        $searcher.Filter = "(&(objectClass=$adfindtype)(CN=$safeName))"
        # Run the search and keep the results in $adfind
        $adfind = $searcher.FindAll()

        # No match: warn and return nothing rather than indexing an empty result
        if ($adfind.Count -eq 0) {
            Write-Warning "No $adfindtype object with CN=$cName was found."
            return $null
        }
        # If the search has multiple answers, let the user choose
        if ($adfind.Count -gt 1) {
            $count = 0
            foreach ($i in $adfind)
            {
                # Write answers on screen
                Write-Host $count ": " $i.Path
                $count += 1
            }
            # Prompt user for selection (cast to int so it is used as an array index)
            $selection = [int](Read-Host "Please select item")
            # Return the selection
            return $adfind[$selection].Path
        }
        # Return the single answer
        return $adfind[0].Path
    }

    This code should be inserted into a new PowerShell ISE tab and then saved as find-dn.ps1. Running it from the ISE (F5) defines the find-dn function in the current session without writing any output to the screen; if you run it from a plain console instead, dot-source it (. .\find-dn.ps1) so the function lands in your session rather than in the script's own scope. Find the group names in ADUC that you want the CN name for, and then use the following command(s) to return the CN name:

    find-dn "group" "FinanceGroup"

    The script will return something similar to the following:

    LDAP://CN=FinanceGroup,CN=Users,DC=intranet,DC=contoso,DC=com

    Remove the part “LDAP://” and copy the remaining string into the c:\newusers\groups.txt file, which after finding the rest of your group CN names, should look something similar to the following:

    CN=FinanceGroup,CN=Users,DC=intranet,DC=contoso,DC=com
    CN=HRGroup,CN=Users,DC=intranet,DC=contoso,DC=com
    CN=OperationsGroup,CN=Users,DC=intranet,DC=contoso,DC=com
    CN=ITGroup,CN=Users,DC=intranet,DC=contoso,DC=com
    CN=AccountingGroup,CN=Users,DC=intranet,DC=contoso,DC=com
    CN=ComplianceGroup,CN=Users,DC=intranet,DC=contoso,DC=com
    CN=MarketingGroup,CN=Users,DC=intranet,DC=contoso,DC=com
  8. Now that we have our CN security group names, we can add the user(s) into the groups with the following script. For this step we can utilize the script found here: https://community.spiceworks.com/topic/459481-adding-users-to-multiple-security-groups-in-ad – which was contributed by Martin9700. Copy the following script into a new PowerShell ISE tab and save the file as Add-MultipleGroups.ps1:
    #requires -Version 3.0
    Param (
        [Parameter(Mandatory,ValueFromPipeline)]
        [String[]]$Groups,
        [Parameter(Mandatory)]
        [String[]]$Users,
        [switch]$Passthru
    )
    
    Begin {
        Try { Import-Module ActiveDirectory -ErrorAction Stop }
        Catch { Write-Error "Unable to load Active Directory module, is RSAT installed?"; Exit }
        $Result = @()
    }
    
    Process {
        ForEach ($Group in $Groups)
        {   Try {
                Add-ADGroupMember $Group -Members $Users -ErrorAction Stop
                $Result += [PSCustomObject]@{
                    Group = $Group
                    AddMembers = $Users -join ", "
                }
            }
            Catch {
                Write-Error "Error adding members to $Group because $($Error[0])"
                $Result += [PSCustomObject]@{
                    Group = $Group
                    AddMembers = $Error[0]
                }
            }
        }
    }
    
    End {
        If ($Passthru)
        {   $Result
        }
    }
  9. Run the following command to add user to the appropriate security groups:
PS C:\newusers> .\Add-MultipleGroups.ps1 -Groups "CN=ITGroup,CN=Users,DC=intranet,DC=contoso,DC=com","CN=OperationsGroup,CN=Users,DC=intranet,DC=contoso,DC=com" -users user1, user2

The script also accepts its groups and users in several other forms:

You can pass the group names directly to -Groups:

.\Add-MultipleGroups.ps1 -Groups "testgroup1","testgroup2" -users user1,user2,user3,user4

You can read the groups from a text file, either as the -Groups argument or over the pipeline (when piping, leave -Groups out: the parameter is bound from the pipeline, and a bare -Groups with no value is an error):

.\Add-MultipleGroups.ps1 -Groups (Get-Content c:\groups.txt) -users user1,user2,user3,user4

Get-Content c:\groups.txt | .\Add-MultipleGroups.ps1 -users user1,user2,user3,user4

You can also use Get-Content for the users, but -Users does not accept pipeline input, so it has to be passed as an argument:

Get-Content c:\groups.txt | .\Add-MultipleGroups.ps1 -users (Get-Content c:\users.txt)

You can confirm in ADUC that the users are now members of the security groups in our groups.txt file.
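The following script is an added example and is not part of the original post or of the linked find-dn / Add-MultipleGroups scripts. It covers steps 7 through 9 in one pass using the ActiveDirectory module instead of raw ADSI: it escapes the group name before it is placed in an LDAP filter (the find-dn function above interpolates the value as typed, so a name containing parentheses or an asterisk would change the filter), refuses ambiguous names instead of prompting, writes groups.txt in the same format the post uses, skips groups the user is already in so re-runs are harmless, and reads the membership back afterwards rather than trusting that Add-ADGroupMember was silent. The sample group names, the user name and the output path are constructed placeholders; -WhatIf is honoured so you can preview the changes.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post). Resolve group names to DNs, write
# groups.txt, add one user to every group idempotently, then verify.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$User,                          # sAMAccountName, e.g. user1 (placeholder)
    [string[]]$GroupNames = @('FinanceGroup', 'ITGroup'),         # constructed sample names
    [string]$OutFile = 'C:\newusers\groups.txt'                   # same path the post uses
)
Import-Module ActiveDirectory -ErrorAction Stop

# RFC 4515 escaping: \ * ( ) and NUL must not be able to alter the filter.
# Backslash goes first so the escapes we add are not escaped again.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# One name must map to exactly one group; anything else is an error, not a prompt.
function Resolve-GroupDn {
    param([Parameter(Mandatory)][string]$Name)
    $filter = "(&(objectClass=group)(cn=$(ConvertTo-LdapFilterValue $Name)))"
    $hits = @(Get-ADGroup -LDAPFilter $filter -ErrorAction Stop)
    if ($hits.Count -eq 0) { throw "No group named '$Name' was found" }
    if ($hits.Count -gt 1) { throw "Group name '$Name' is ambiguous: $($hits.DistinguishedName -join '; ')" }
    $hits[0].DistinguishedName
}

# 1. Resolve every name up front so a typo aborts before any membership changes.
$dns = foreach ($g in $GroupNames) { Resolve-GroupDn -Name $g }

# 2. Write groups.txt in the CN=...,DC=... form the post expects (no LDAP:// prefix).
if ($PSCmdlet.ShouldProcess($OutFile, 'write group DN list')) {
    Set-Content -Path $OutFile -Value $dns -Encoding ASCII
}

# 3. Add only the memberships that are missing; -WhatIf propagates to the cmdlet.
$before = @(Get-ADPrincipalGroupMembership -Identity $User | Select-Object -ExpandProperty DistinguishedName)
foreach ($dn in $dns) {
    if ($before -contains $dn) { "already a member: $dn"; continue }
    Add-ADGroupMember -Identity $dn -Members $User
}

# 4. Verify by reading membership back from the directory.
$after   = @(Get-ADPrincipalGroupMembership -Identity $User | Select-Object -ExpandProperty DistinguishedName)
$missing = @($dns | Where-Object { $after -notcontains $_ })
if ($missing.Count) { Write-Warning "Not a member after this run: $($missing -join '; ')" }
else                { "All $($dns.Count) memberships confirmed for $User" }
```

Run it as .\Add-UserToGroups.ps1 -User user1 -WhatIf first to see the resolved DNs and the Add-ADGroupMember calls it would make, then without -WhatIf. Under -WhatIf the verification step will naturally report the memberships as missing.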

Add users to Office 365 and Distribution Groups with PowerShell

Great! Now that we have our user accounts created on the AD side of things, we will move on to adding our user(s) into Office365:

With PowerShell up and running we will issue the following commands:

From https://www.petri.com/use-powershell-create-assign-licenses-office-365-users

Import-Module MSOnline

Connect-MsolService

Now we will create the user with the following command:

New-MsolUser -UserPrincipalName [email protected] -DisplayName "User 1" -FirstName User -LastName 1

This command will return something like the following (sorry about the formatting:)

PS C:\Users\jcoltrin> New-MsolUser -UserPrincipalName [email protected] -DisplayName "User 1" -FirstName User -LastName 1

Password      UserPrincipalName     DisplayName   isLicensed
--------      -----------------     -----------   ----------
Suso4007      [email protected]     User 1        False

Now we need to add a license to the user account. We need to do two things before we can assign the license. First, we need to determine the different SKUs we have available to license, and second, we need to set the usage location. To accomplish the first part, we can issue the command:

Get-MsolAccountSku

Second, following the instructions here: https://social.technet.microsoft.com/Forums/ie/en-US/bfde2a73-579c-409b-a7cd-77110048c7b7/license-enabling-script?forum=onlineservicesadministrationcenter

we set the MS Online user’s usage location (a license cannot be assigned until this is set):

Set-MsolUser -UserPrincipalName [email protected] -UsageLocation US

Then we assign the license, using the AccountSkuId reported by Get-MsolAccountSku:

Set-MsolUserLicense -UserPrincipalName [email protected] -AddLicenses Contoso:STANDARDPACK
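The function below is an added example, not code from the original post or from the linked Petri article. It wraps the same MSOnline cmdlets the post uses (New-MsolUser, Get-MsolAccountSku, Get-MsolUser) but adds the checks a practitioner wants around them: it refuses to touch an account that already exists, confirms a seat is actually free on the SKU before the user is created so an unlicensed account is never left behind, sets the usage location and the license in the same New-MsolUser call, and returns the generated one-time password as a SecureString instead of echoing it into the console and any transcript. The UPN, SKU id and names are constructed placeholders. Note that Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph PowerShell, so treat the cmdlet names as the post's era.

```powershell
# Added example (not from the original post). Create and license one user with
# pre-checks; assumes Connect-MsolService has already been run interactively.
Import-Module MSOnline -ErrorAction Stop

function New-LicensedMsolUser {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,   # e.g. user1@contoso.com (placeholder)
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$AccountSkuId,        # e.g. contoso:STANDARDPACK (placeholder)
        [string]$UsageLocation = 'US'
    )

    # 1. Never clobber or double-license an existing account.
    if (Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue) {
        throw "$UserPrincipalName already exists; nothing changed"
    }

    # 2. Check seat availability before creating anything. ActiveUnits is the
    #    purchased count, ConsumedUnits the assigned count.
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if (-not $sku) { throw "SKU $AccountSkuId is not present in this tenant (see Get-MsolAccountSku)" }
    $free = $sku.ActiveUnits - $sku.ConsumedUnits
    if ($free -lt 1) { throw "No free seats on $AccountSkuId ($($sku.ConsumedUnits)/$($sku.ActiveUnits) used)" }

    # 3. Usage location and license in one call; the generated password is
    #    single-use because ForceChangePassword is on.
    $new = New-MsolUser -UserPrincipalName $UserPrincipalName -DisplayName $DisplayName `
                        -FirstName $FirstName -LastName $LastName `
                        -UsageLocation $UsageLocation -LicenseAssignment $AccountSkuId `
                        -ForceChangePassword $true

    # 4. Keep the initial password out of stdout/transcripts; hand it over via
    #    the SecureString on the returned object.
    $initial = ConvertTo-SecureString -String $new.Password -AsPlainText -Force

    # 5. Read the account back rather than trusting the create call's return value.
    $check = Get-MsolUser -UserPrincipalName $UserPrincipalName
    [PSCustomObject]@{
        UserPrincipalName = $check.UserPrincipalName
        IsLicensed        = $check.IsLicensed
        Licenses          = ($check.Licenses.AccountSkuId -join ', ')
        SeatsLeftAfter    = $free - 1
        InitialPassword   = $initial
    }
}

# Usage (placeholder values):
# $u = New-LicensedMsolUser -UserPrincipalName 'user1@contoso.com' -DisplayName 'User 1' `
#        -FirstName User -LastName 1 -AccountSkuId 'contoso:STANDARDPACK'
# $u | Select-Object UserPrincipalName, IsLicensed, Licenses, SeatsLeftAfter
```

The returned InitialPassword is a SecureString; convert it only at the point where it is delivered to the user, so a Start-Transcript session or a scheduled-task log never captures the plaintext.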

Now that the user is licensed, we will add the account to a few Exchange Distribution Groups. We will need to import a new PSSession from outlook.com before we can run the Exchange commands. Import the session by first creating a function called “Connect-O365” by running the following (just like we created the function find-dn above):

function Connect-O365{
 $o365cred = Get-Credential [email protected]
 $session365 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $o365cred -Authentication Basic -AllowRedirection 
 Import-Module (Import-PSSession $session365 -AllowClobber) -Global
}

Save this function as Connect-O365.ps1 and load it with a dot-source (the leading dot is what puts the function into your session; running .\Connect-O365.ps1 on its own only defines it inside the script's scope). We now have a function that we can run:

. .\Connect-O365.ps1
Connect-O365

(enter creds)

Now we can add the distribution group members with the group identity and member name in quotes:

Add-DistributionGroupMember -Identity "Finance" -Member "[email protected]"

Add-DistributionGroupMember -Identity "AllEmployees" -Member "[email protected]"
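As an added example (not code from the original post), the function below adds a member to each distribution group only if the group exists and the address is not already in it, then reads the membership back to confirm. It assumes an Exchange Online session is already imported, either through the post's Connect-O365 function or through Connect-ExchangeOnline from the ExchangeOnlineManagement module (Basic authentication to the ps.outlook.com endpoint that Connect-O365 relies on has since been retired by Microsoft, so the newer module is the practical route today). The group names and member address are placeholders.

```powershell
# Added example (not from the original post). Idempotent distribution group
# membership with read-back verification; needs an existing Exchange Online session.
function Add-DistributionGroupMemberSafe {
    param(
        [Parameter(Mandatory)][string]$Member,       # SMTP address, e.g. user1@contoso.com (placeholder)
        [Parameter(Mandatory)][string[]]$Groups      # e.g. 'Finance','AllEmployees' (placeholders)
    )
    foreach ($g in $Groups) {
        # A misspelled group name should be reported, not silently skipped by the cmdlet.
        $dg = Get-DistributionGroup -Identity $g -ErrorAction SilentlyContinue
        if (-not $dg) { Write-Warning "No distribution group named '$g'"; continue }

        $current = @(Get-DistributionGroupMember -Identity $dg.Identity -ResultSize Unlimited)
        if ($current.PrimarySmtpAddress -contains $Member) {
            "$Member is already a member of $g"
            continue
        }

        Add-DistributionGroupMember -Identity $dg.Identity -Member $Member

        # Verify from the directory instead of trusting the cmdlet's silence.
        $after = @(Get-DistributionGroupMember -Identity $dg.Identity -ResultSize Unlimited)
        if ($after.PrimarySmtpAddress -contains $Member) { "added $Member to $g" }
        else { Write-Warning "$Member not found in $g after the add; check the result in the admin center" }
    }
}

# Usage (placeholder values):
# Add-DistributionGroupMemberSafe -Member 'user1@contoso.com' -Groups 'Finance','AllEmployees'
```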

A number of these scripts and commands can be combined into .ps1 files to optimize the workflow even further. With the information here you should have a good place to start. Let me know in the comments how you added your own features to the procedure.

Microsoft Bizspark – free business software for 3 years

If you’re thinking about which cloud service to use for a startup business, Microsoft just upped the ante with BizSpark.

Microsoft BizSpark https://www.microsoft.com/bizspark#start-two is really an amazing deal for business start-ups. If you wish you could get Microsoft software for free or for a huge discount check out their offer. BizSpark offers the following services and software for free for three years:

BizSpark gives startups 3 years of free stuff – software, services, tech support, and Azure cloud. Your startup qualifies if it is less than 5 years old, is privately held, and earns less than $1M annually. And at the end of your 3 years, you keep all the software you’ve downloaded – at no cost.

In more detail, Microsoft BizSpark membership includes the following:

Get up to $750 per month of FREE Azure cloud services for 3 years; that’s $150 per month each for up to 5 developers.

This potentially is a $27000 value!

Membership puts all Microsoft development and test software at your fingertips, including Azure, Windows, and Office 365 – for free. Plus, enjoy access to hundreds of free training classes, technical content, and 4 break-fix phone support incidents to help you on your journey.

It’s pretty amazing that BizSpark, in addition, also offers up to $120,000 worth of Azure credit.

Makes me want to go out and start a new business – hmm, maybe jasoncoltrin.com would qualify?

Exchange/Outlook 2010 autodiscover certificate error name mismatch

Recently some users have been receiving the following autodiscover certificate error when opening outlook:

Security Alert: autodiscover.domainname.org

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site’s security certificate.

√ The security certificate is from a trusted party

√ The security certificate date is valid

X The name on the security certificate is invalid or does not match the name of the site

Firstly, our Exchange is hosted externally at hostedexchange.com, and our autodiscover uses a wildcard certificate “*.hostedexchange.com”. So, starting with the client, I made sure to view the certificate. The name listed on the certificate was the correct one, “*.hostedexchange.com”.

1. I installed the certificate on to the client PC into the trusted store. Closed outlook/opened again and still the same error.

2. I looked at the proxy settings in the account setup and checked whether the ‘server name’ and msstd: values were correct; they were.

3. We used nslookup externally and found that there are no valid dns records pointing to autodiscover.domainname.org

4. We used https://www.testexchangeconnectivity.com/ and found that while it does automatically check for autodiscover.domainname.org, dns did not return a value; it failed

5. From the client we were able to ping autodiscover.domainname.com, the ping returned an internal ip address of our mail server.

6. So from the results above it appears as though the client (or citrix server’s hosted desktop in this instance) had an incorrect dns entry.

7. From a (run as administrator) command prompt I issued an “ipconfig /flushdns” command on the client server but the error persisted, and pings still replied from autodiscover.domainname.org

8. We checked the hosts file on the server (c:\windows\system32\drivers\etc), and sure enough there was an old entry for autodiscover.domainname.org

9. In order to edit the hosts file, I did a “Run as administrator” to open Notepad, edited the file and saved successfully.

10. Issued another ipconfig /flushdns

Now when the client opens, the request to get autodiscover.domainname.org fails, and there is no mismatch of certificate names.
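The script below is an added example, not part of the original post. It automates the checks that found the problem above, read-only and from the affected client: it looks for a hosts-file entry that overrides DNS for the Autodiscover name, asks DNS directly (ignoring the hosts file and the cache) so you can see what other clients get, and then connects to TCP 443 on the name and lists the DNS names the presented certificate actually carries, applying the single-label wildcard rule to decide whether the name is covered. The host name is a placeholder; Resolve-DnsName needs the DnsClient module that ships with Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original post): where does an Autodiscover name
# resolve from, and does the certificate served on 443 cover it?
param([string]$HostName = 'autodiscover.domainname.org')   # placeholder, use your own

# 1. hosts file: an entry here wins over DNS, which is what caused the mismatch above.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = "(^|\s)$([regex]::Escape($HostName))(\s|$)"
$hostsHits = @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
               Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern })
if ($hostsHits.Count) { Write-Warning "hosts file overrides DNS for ${HostName}: $($hostsHits -join ' | ')" }

# 2. DNS only: skip the hosts file and the local cache to see what DNS itself returns.
$a = @(Resolve-DnsName -Name $HostName -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'A' })
if ($a.Count) { "DNS A records for ${HostName}: $($a.IPAddress -join ', ')" }
else          { "DNS has no A record for $HostName (Outlook moves on to its next Autodiscover candidate)" }

# 3. Names on the certificate presented on 443. The validation callback accepts
#    everything because we want to read the certificate, not enforce it.
function Get-TlsCertificateDnsNames {
    param([Parameter(Mandatory)][string]$Target, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Target)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @()
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        if ($cn) { $names += $cn }
        # Subject Alternative Name extension (OID 2.5.29.17) formats as "DNS Name=a, DNS Name=b"
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                      ForEach-Object { $_.Groups[1].Value }
        }
        $names | Select-Object -Unique
    } finally { $client.Close() }
}

# A wildcard covers exactly one label: *.example.com matches a.example.com but not a.b.example.com.
function Test-CertificateNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                                   # ".example.com"
            $rest   = $HostName.Substring(0, [Math]::Max(0, $HostName.Length - $suffix.Length))
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                $rest -and $rest -notmatch '\.') { return $true }
        }
    }
    $false
}

if ($a.Count -or $hostsHits.Count) {
    try {
        $certNames = @(Get-TlsCertificateDnsNames -Target $HostName)
        "Certificate names: $($certNames -join ', ')"
        if (Test-CertificateNameMatch -HostName $HostName -CertNames $certNames) { "OK: certificate covers $HostName" }
        else { Write-Warning "NAME MISMATCH: the certificate presented by $HostName does not cover $HostName (this is the Outlook Security Alert)" }
    } catch { Write-Warning "TLS connection to ${HostName}:443 failed: $($_.Exception.Message)" }
} else { "Nothing resolves $HostName, so no certificate check was attempted" }
```

If the hosts-file warning fires while DNS has no record, you have the situation described in steps 3 to 8 above: remove the stale entry, run ipconfig /flushdns, and re-run the script to confirm the name no longer resolves.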