Solved – Cannot uncheck “Only trust email from addresses in my safe senders and domains list and safe mailing lists” Outlook.office.com office365 Junk email

A user complained that valid good email was being sent to the Junk email folder on outlook on the web. To get to the setting, click on the Gear Icon > View all outlook settings > Junk Email. Attempts to uncheck “Only trust email from addresses in my safe senders and domains list and safe mailing lists.” were unsuccessful and we cannot save the setting.

To uncheck the box permanently:

  1. Open Powershell ISE
  2. Run function Connect-O365
function Connect-O365{
	$o365cred = Get-Credential [email protected]
	$session365 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $o365cred -Authentication Basic -AllowRedirection 
	Import-Module (Import-PSSession $session365 -AllowClobber) -Global
}

4. Run the command

Connect-O365

5. Log into Office 365 with Administrator account

Run the command Get-MailboxJunkEmailConfiguration emailaddress – replacing emailaddress with the user mailbox email address. Use other values from microsoft documentation here: https://docs.microsoft.com/en-us/powershell/module/exchange/antispam-antimalware/set-mailboxjunkemailconfiguration?view=exchange-ps

Get-MailboxJunkEmailConfiguration [email protected]

Results should be similar to below:

Run the following command to set TrustedListsOnly to False:

Set-MailboxJunkEmailConfiguration "[email protected]" -TrustedListsOnly $false

The checkbox should now be unchecked. Check to see if junk mail now works as intended.

Try AmazonFresh Free Trial

Hacked Office 365 Outlook Account cannot send or receive email

Recently a client complained that an Office 365 account had sent out spam messages to a number of clients. Later, the suspect account which had been sending spam could no longer send or receive email. However upon first glance at the mailbox, sent messages were sitting in the sent items folder, and messages sent to the account in question were not receiving bounce-back failures, but the messages sent to the affected account were not in the inbox. After we changed the password to the account, and enabled 2FA on the account we could still not send and receive mail. Below are the steps used to resolve this particular issue. In short, a malicious inbox rule had been created and outbound messages had been blocked by Microsoft.

  1. Log into the tenant’s Admin console with an Administrative account, and change the password of the affected account.
  2. Log into the affected account as the user using the new password.
  3. Click on the Gear icon and then under Your app settings, click Mail.

4. One in the Mail app Settings, go to Mail > Automatic Processing > Inbox and Sweep rules.

Here we can see a malicious rule had been created to mark all inbound mail as Read and move the message to the “RSS Subscriptions” folder:

5. Uncheck and turn off any malicious or invalid rules.

Also check for any new forwarding rules in Mail > Accounts > Forwarding:

6. When we look in our “RSS Subscriptions” folder we find some messages from Microsoft indicating the account has been blocked from sending mail because the account was flagged as sending spam:

Your message couldn't be delivered because you weren't recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it's no longer allowed to send messages outside of your organization. Contact your email admin for assistance.

Remote Server returned '550 5.1.8 Access denied, bad outbound sender. For more information please go to http://go.microsoft.com/fwlink/?LinkId=875724. S(9333) [DM5PR10MB1914.namprd10.prod.outlook.com]'

7. To resolve this issue, we’ll need to go into the Action Center. Log into the Admin console > Admin Centers > Exchange > Protection > Action Center

8. In the Action center, we’ll find an issue flagged regarding our hacked user account. Take action on the issue and after a while due to permission propagation, it may take up to 2 hours for the account to be re-enabled for sending mail again.

9. It might be a good idea to contact Microsoft Support if you continue to experience problems with a user account sending spam. Changing the password should prevent malicious access. Most like the account had been phished or the computer the user has was compromised by a virus/malware or spyware. It’s recommended that the account have two-factor authentication or multi-factor authentication enabled to prevent the account from being hacked again.

tag: outlook cannot send or receive email but sent mail is in sent items folder

Solved – Office 365 Room Calendar Not Auto Processing or Accepting Meeting Requests

After having created a Resource Room in the Office365 Admin console (with an Enterprise E1 license,) you may find that meetings which are created in Outlook and which are sent, are not automatically processing and sending verification confirmations back to the person that created the event. Nor will new events populate the event in the new room’s Outlook calendar. In this case, there are a few things we can check to ensure the room behaves as intended.

  1. First, after creating the room, ensure that you, as an admin, are set as an owner of the room. Under O365 > Admin Center > Rooms and Resources > place a checkmark next to the room in question. Ensure that Allow repeating meetings and Automatic Processing is On. Then, click on Edit Exchange Settings:

2. In this example, we don’t use booking delegates. In the Exchange Settings for the new resource room, make sure Booking requests are accepted automatically. 

3. Edit the booking options, contact information, email address, and mailtip settings to your preferences and then click on Mailbox Delegation. Here, add yourself under Full Access so that we can go on to our next step.

4. Next, log into your own OWA admin Outlook online inbox. In Outlook, click your profile photo in the upper right corner and click “Open another mailbox.” Type the address of the room and open the webmail for the room.

5. Here you may see some emails of previous attempts to book events like the following with the error “Your calendar couldn’t be checked to see whether this event conflicts with other events.“:

6. This error lets us know that automatic processing is not working even though we have it set to “On” in our first step. Had the processing worked correctly, we wouldn’t even see this event email in the mailbox of the room in question. 

7. In the upper right corner, click the Gear icon, then under Your app settings, click Calendar.

8. In the calendar resource scheduling settings, ensure that under the scheduling options, “Automatically process event invitations and cancellations” is checked, and then click Save. 

9. In theory, these settings should be enough to get the calendar to auto process and verify, however, your results may vary. Test by creating a meeting event in outlook with the new room. When you send the meeting, you should receive a verification email in your inbox in less than a minute. If you don’t receive the verification, check the inbox of the calendar again. You’ll probably find more emails with the “Your calendar couldn’t be checked…” errors.

10. Time to open PowerShell and connect to your O365 Exchange with the following commands:

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange-ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

11. Run the following command to get the calendar processing conditions:

Get-CalendarProcessing -Identity "[email protected]" | Format-List

12. It’s helpful to first get a list of all calendar processing objects of a room that already works correctly to refer to when editing your new room’s permissions. If you don’t already have a room that you can reference, below is a list of my room that is not behaving normally:

13. Notice that ProcessExternalMeetingMessages is set to False. Let’s change this to True with the following command:

Set-CalendarProcessing [email protected] -ProcessExternalMeetingMessages $True

14. After making this and a few other changes displayed in the following screenshot, go ahead and try creating another test meeting and see if the autoprocessing behaves as it should. If you’re still having trouble, try referring to the screenshot below as an example, and use the “Set-CalendarProcessing” command to edit the values.

15. Once you successfully receive verifications and the calendar populates with events as it should, you may want to set the calendar to display the owner of the event and details of the event (rather than the event is listed in the calendar as only “Busy”.) To do so, follow the instructions I wrote in my article here

How to Enable Archiving for Outlook Office 365 and Move Old Mail into Archive

At some point, a user’s mailbox will reach the default quota for Enterprise E1 default of 50 GB, and they will have to either move mail into an archive or delete mail to continue to receive email. The user may receive the warning:

Your mailbox is near the maximum storage limit. Archive or delete items to create additional free space.

Our options at this point is to do one of three things: Upgrade the user’s license from E1 to E3 to double the mailbox size, permanently delete mail out of the mailbox, or archive the mail. Microsoft provides 50 additional GB of archive space for an E1 license (this number is subject to change.)

In many instances, the user may not want to delete any mail and would prefer to archive the mail. In my opinion, the ideal way to handle archiving is to create an online archive, rather than create .pst files on the local machine which could end up getting lost or deleted. Also managing local .pst archive files can be a pain. And lastly, if the archive is only available as a .pst file in the user’s PC, the archived mail will not be available from webmail or a different device.

If we want to create an online archive for the user on Office 365, there are a few simple steps to take in the Office 365 Admin console.

  1. Log into the Office365 Admin console, then click on Admin centers > Security and Compliance:
  2. Next, on the navigation bar, expand Data Governance, and click Archive
  3. Now on the right-hand pane, we will see all of our mailboxes and find out if the Archive Mailbox for Office 365 is enabled or disabled.
  4. To enable the archive on a disabled user’s mailbox, first select the user. If we have a lot of users, do a search for the user’s name and then highlight the correct mailbox we want to change.
  5. We can see in the screenshot above, my account already has Archive mailbox: enabled. If the account’s archive had been disabled, we would simply click the Enable link. When we click enable, we will get the following Warning:
If you enable this person's archive mailbox, items in their mailbox that are older than two years will be moved to the new archive. Are you sure you want to enable this archive mailbox? Yes No

9. Click Yes.

10. What happens next is, as the warning states, mail that is over 2 years old will begin to be archived. We will also get some new features in both Outlook online, as well as in Outlook 2016/Outlook 2013. We can wait for the auto-archiving to take place, but we can also take some immediate action to archive old mail online.

11. Pretty much immediately in Outlook online, we will get new Archive buttons, and an archive folder here:

We won’t see the archive buttons until we click on an individual message. If we do click on a message and select it, we will see the Archive button available.

12.  We can also select multiple emails and then right-click on the highlighted messages. A wizard will appear on the screen. Click the Archive button to move these emails to the archive folder.

13. If reducing the size of the mailbox immediately is our goal, we can start by archiving our largest emails first. At the top of the mail folder, whether it be the inbox, Sent Items, or Deleted Items folder, we’d click the Filter button > Sort by > Size.

14. Select the “Enormous” items first by clicking on the top email, hold down the Shift button, then select the bottom email and it will highlight all of the messages in between. Next, right-click and choose Archive.

15. In the desktop version of Outlook 2013/2016, only after a few hours will we have our new Archive folder available. This may take up to 24 hours depending on the speed of replication of settings from Office 365 down to the client. Once the folder is available, however, I find the process of moving mail out of the inbox, sent items or cut/paste of subfolders into the archive much easier.

I don’t have mail over 2 years old in my mailbox, so I’m not sure if it will automatically create subfolders dependent on where they originally lived so let me know in the comments if you notice automatic folder creation.

In order for someone to find an old message, they will only need to search their mailbox in Outlook online or Search Archive in Outlook 2013/2016.

 

Solved – Skype for Business 2016 emoticons missing repair without re-install

How to repair and fix Skype for Business 2016 by clearing the cache, and get back the emoticons which have been replaced by words in parenthesis.

For example, an associate sent me the following screenshot:

We can see that the emoticons  have been replaced by (rock)(dance).

To fix this problem without re-installing Microsoft Office or Skype, clear the Skype Cache by doing the following (which I found in an MS Support forum here.)

1. In the Skype main windows, click the gear in the top right-hand corner.

2. Choose File – Sign Out to log out of Skype for Business.

3. On the Sign In window, choose the link to Delete my sign-in info.

4. In the pop-up window to forget sign in info, click Yes.

5. Click the gear, choose File> Exit to exit and close Skype. Close all other Office Applications.

6. Go to the location:
C:\Users\<username>\AppData\Local\Microsoft\Office\16.0\Lync – you can get here quickly by going to Start > Run > %appdata$% > Enter.

7. Locate the sip_YourProfileName folder and delete it if it exists. In some cases, it will not. Open the Tracing folder and delete all files inside of it. Do not delete the Tracing folder itself. If you receive a message that the action can’t be completed because a file is Open or that you need Administrator permission to delete a file, click the Skip button. Close Windows File Explorer

8. Open a command prompt (in Windows, click the Start button, type cmd and select the command prompt from the menu. Type ipconfig /flushdns and press the enter key on your keyboard to clear the DNS cache.

9. Sign back into Skype/Lync.

10. Once Skype is open, make sure you go back into Gear > Tools > Options > IM > and place a checkmark to show emoticons again.

11. Test to see if the emoticons have returned!

If all else fails, you might want to completely uninstall Office and/or Skype for Business, delete the Appdata\Local\Microsoft\Office\16.0\Lync folder completely, and then re-install again. But hopefully, this procedure will save you some time.

Lastly, a user comment below has had success with several people (thanks Chris!)

Set DisableRicherEditCanSetReadOnly to 1 in regedit 
path: Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync\

Always, back up the registry key before you change anything in the registry. 

Use Powershell to Get a List of Users with Out of Office enabled in Outlook Office365

How to get a list of users who have enabled Out of Office in Outlook with Office365 PowerShell

For administrators of Office 365, you may need to occasionally get a list of users who have set up or enabled their Out of Office in Outlook. In my case, we needed to see which parking spots were available on campus in a pinch, and who was not coming in the next day. To do this with PowerShell we’ll need to first connect to our Office 365 Exchange Tennant.

  1. In PowerShell ISE, enter the following code into the code view, save the function as Connect-O365.ps1, and then hit the green Play button.
  2. function Connect-O365{
     $o365cred = Get-Credential [email protected]
     $session365 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $o365cred -Authentication Basic -AllowRedirection 
     Import-Module (Import-PSSession $session365 -AllowClobber) -Global
    }
  3. Next, execute the new function with the following command:
  4. Connect-O365
  5. Replace the username and password with your Office365 admin credentials (not your on-premise domain credentials.) This will log you into your Exchange Admin with PowerShell where we can run our Out of Office commands.
  6. With authentication out of the way, now all we need to do is run the following command to get a list of mailbox identities who have AutoReply configured (and not disabled), and sort by Identity, Start Time, End Time, and Auto Reply State:
  7. Get-Mailbox -ResultSize Unlimited | Get-MailboxAutoReplyConfiguration | Where-Object { $_.AutoReplyState -ne "Disabled" } | Select Identity,StartTime,EndTime,AutoReplyState
  8. This will run for a while, and could take several minutes, but should produce a list similar to the following:

Office365 Outlook Room Calendar not showing details – displays busy only – fix when Set-MailboxFolderPermission does not resolve

Solved: Office365 O365 Resources Rooms and & Equipment cannot view details or subject in shared calendar, can only see “Busy” and Set-MailboxFolderPermission did not fix or resolve.

So a room calendar would not display who reserved the room, and users requested that the calendars for room reservations display who reserved the room and the details. By default the event only displays “Busy”. Most posts I found online for this issue have the same resolution: use Set-MailboxFolderPermission to display details, comments, subject, and organizer. I did this and tried this using the identity in quotes as well as the full email address of the room, however the Set-MailboxFolderPermission setting did not work and the calendar would still only show “Busy”.

I was able to resolve the problem by looking at the rights of the users.

I found that the Calendar Access Rights for the User: “Default” only had {AvailabilityOnly}

To check permissions and fix this issue, first open PowerShell and connect to your O365 Exchange with the following commands:

$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange-ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

Once connected, first check that the default user has the correct AccessRights and permissions to work with the calendar. As you can see below here, the Default user has {AvailabilityOnly} permissions when issuing the following command:

Get-MailboxFolderPermission [email protected]:\Calendar
PS C:\admin> Get-MailboxFolderPermission [email protected]:\Calendar

FolderName           User                 AccessRights
----------           ----                 ------------
Calendar             Default              {AvailabilityOnly}
Calendar             Anonymous            {None}

I changed the AccessRights from {AvailabilityOnly} to {PublishingAuthor} with the following command:

Set-MailboxFolderPermission -Identity "[email protected]:\Calendar" -User default -AccessRights PublishingAuthor

And then ensured the identity has the correct CalendarProcessing switches with this command:

Set-CalendarProcessing -Identity "[email protected]" -AddOrganizerToSubject $true -DeleteComments $false -DeleteSubject $false

Now the event’s details and subject can be viewed by everyone. This change takes place pretty quickly, within a minute – the “Busy” events should change to display the details when you close/open Outlook and/or switch between the calendars in Outlook online. Hope this saves someone else a call to MS Support.

In the event the new room’s Calendar is not auto processing or accepting meeting requests, check out my article here:

Solved – Office 365 Room Calendar Not Auto Processing or Accepting Meeting Requests

Please leave a comment, thanks.

SmarterMail Enterprise 15.5 – Export / Import iCalendar/Outlook calendar into SmartMail

How to import iCalendar events into SmartMail / SmarterMail Enterprise IMAP calendar

So one of my clients have a team that have been using iCalendar to share calendars, but have decided to migrate to SmarterMail Enterprise 15.5 IMAP/Exchange for their team calendar sharing. While there is no direct way to import iCalendar events into SmartMail directly, there is a two-step approach that works pretty well.

In this case, the clients only want to migrate historical data and not current/future events. It sounds harder than it is, but the migrations shouldn’t take long and with minimal effort. If you don’t have spare gmail accounts to use then you may want to create new gmail accounts just for this purpose, or delete all calendar events in an existing google calendar between migrations.

One thing that I did notice is that reoccurring appointments will be transferred over and this may in turn create duplicates if you already have appointments in SmartMail that are reoccurring. It may be wise to remove reoccurring appointments from the source calendar prior to doing the first export.

As always it’s best to first backup your data prior to doing anything, then run a few tests to make sure that all calendar events, items, and attachments transfer successfully during the migration.

But in our test case, the Outlook (icalendar) – to – GMAIL – to – SmartMail works perfectly fine.

First go to Outlook > File menu > Open & Export > Import/Export > Select your iCalendar (and any other calendars you’d like to export):

Export to .CSV > Calendar (here you can select date range of events to be exported) > save to something like c:\Users\jcoltrin\Desktop\jasoncalendar.csv

Then

Login to any Google account/Gmail > Calendar > Gear Icon > Settings > Calendars > Import calendar > choose jasoncalendar.csv (import successful.)

Calendar items display in my google calendar:

Then now that the calendar items are in my google calendar, I went into smartmail account  > settings > Advanced Settings > Mailbox Migration > Account type: GMAIL > next > Check “Calendar” > do the Google authentication (which works well and uses Google’s authentication). >  Import

Now the same calendar items are in my Smartmail Calendar.

New Active Directory User and Office365 New User Powershell Procedure

As a systems administrator, quite often you’ll need to create new user accounts in Active Directory and MSOnline Office 365. It’s good to streamline your new user creation procedure as much as possible to make the process faster and more accurate. Thanks to PowerShell, we can turn a whole bunch of point and clicks into just a few PowerShell commands. In this example procedure we will first create an Active Directory AD user account with powershell and a .csv file and then add that user into multiple groups with a different powershell script and a .txt file that has a list of the groups. We will also use another powershell script to get the canonical name of the groups so that our script can find the LDAP location of the group in Active Directory. Secondly, because we do not run our own exchange server we will use powershell to connect to Office365, and create a new user there, license the user, and then add the user to some distribution groups. Prerequisites are powershell, and import AD components and MSOnline components.

  1. Go to https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Create-Active-7e6a3978 and download the create_ad_users.zip and extract to c:\newusers\
  2. Edit create_ad_users.ps1 lines 92 and 98 to accommodate longer last names. In the original script it only allows for first initial and then a truncated last name of 4 characters. In my case, we have some users with long last names, so I set those values to 20:
  3. If($replace.length -lt 20)
    {
      $lastname = $replace
    }
    Else
    {
      $lastname = $replace.substring(0,20)
    }
    
  4. Copy info from your HR department about the new user into the .csv file c:\newusers\import_create_ad_users.csv
  5. Run PS C:\newusers> .\create_ad_users.ps1
  6. Next check the new username in ADUC for such things as account name, address, phone number etc. to ensure the entries are accurate.
  7. With our new user account created, most likely we will want to make that user a member of several security groups. To do that with PowerShell, we need to make sure that we have the correct LDAP names for our groups and place them into a file named groups.txt. In order to do so, we need to run another powershell script named find-dn.ps1 . The code is as follows:
    # Function Find Distinguished Name
    function find-dn { param([string]$adfindtype, [string]$cName)
        # Create A New ADSI Call
        $root = [ADSI]''
        # Create a New DirectorySearcher Object
        $searcher = new-object System.DirectoryServices.DirectorySearcher($root)
        # Set the filter to search for a specific CNAME
        $searcher.filter = "(&(objectClass=$adfindtype) (CN=$cName))"
        # Set results in $adfind variable
        $adfind = $searcher.findall()
        
        # If Search has Multiple Answers 
        if ($adfind.count -gt 1) {
            $count = 0 
            foreach($i in $adfind)
            {
                # Write Answers On Screen
                write-host $count ": " $i.path
                $count += 1
            }
            # Prompt User For Selection
            $selection = Read-Host "Please select item: "
            # Return the Selection
            return $adfind[$selection].path
        }
        # Return The Answer
        return $adfind[0].path
    }

    This code should be inserted into a new PowerShell ISE tab and then saved as find-dn.ps1 . Running the code will produce a new PowerShell function (but will not write any output to the screen.) Find the group names in ADUC that you want the CN name for, and then use the following command(s) to return the CN name:

    find-dn "group" "FinanceGroup"

    The script will return something similar to the following:

    LDAP://CN=FinanceGroup,CN=Users,DC=intranet,DC=contoso,DC=com

    Remove the part “LDAP://” and copy the remaining string into the c:\newusers\groups.txt file, which after finding the rest of your group CN names, should look something similar to the following:

    CN=FinanceGroup,CN=Users,DC=intranet,DC=contoso,DC=com
    CN=HRGroup,CN=Users,DC=intranet,DC=contoso,DC=com
    CN=OperationsGroup,CN=Users,DC=intranet,DC=contoso,DC=com
    CN=ITGroup,CN=Users,DC=intranet,DC=contoso,DC=com
    CN=AccountingGroup,CN=Users,DC=intranet,DC=contoso,DC=com
    CN=ComplianceGroup,CN=Users,DC=intranet,DC=contoso,DC=com
    CN=MarketingGroup,CN=Users,DC=intranet,DC=contoso,DC=com
  8. Now that we have our CN security group names, we can add the user(s) into the groups with the following script. For this step we can utilize the script found here: https://community.spiceworks.com/topic/459481-adding-users-to-multiple-security-groups-in-ad – which was contributed by Martin9700 . Copy the following script into a new PowerShell ISE tab and name the file Add-MultipleGroups.ps1 :
    #requires -Version 3.0
    Param (
        [Parameter(Mandatory,ValueFromPipeline)]
        [String[]]$Groups,
        [Parameter(Mandatory)]
        [String[]]$Users,
        [switch]$Passthru
    )
    
    Begin {
        Try { Import-Module ActiveDirectory -ErrorAction Stop }
        Catch { Write-Error "Unable to load Active Directory module, is RSAT installed?"; Exit }
        $Result = @()
    }
    
    Process {
        ForEach ($Group in $Groups)
        {   Try {
                Add-ADGroupMember $Group -Members $Users -ErrorAction Stop
                $Result += [PSCustomObject]@{
                    Group = $Group
                    AddMembers = $Users -join ", "
                }
            }
            Catch {
                Write-Error "Error adding members to $Group because $($Error[0])"
                $Result += [PSCustomObject]@{
                    Group = $Group
                    AddMembers = $Error[0]
                }
            }
        }
    }
    
    End {
        If ($Passthru)
        {   $Result
        }
    }
  9. Run the following command to add user to the appropriate security groups:
PS C:\newusers> .\Add-MultipleGroups.ps1 -Groups "CN=ITGroup,CN=Users,DC=intranet,DC=contoso,DC=com","CN=OperationsGroup,CN=Users,DC=intranet,DC=contoso,DC=com" -users user1, user2

With the above script you can use the file to run a number of different options as well such as:

You can just put the group names in -Groups:

.\Add-MultipleGroups.ps1 -Groups "testgroup1","testgroup2" -users user1,user2,user3,user4

You can use a text file (either in Groups or via pipeline):

.\Add-MultipleGroups.ps1 -Groups (Get-content c:\groups.txt) -users user1,user2,user3,user4

Get-content c:\groups.txt | .\Add-MultipleGroups.ps1 -Groups -users user1,user2,user3,user4

You can also use Get-Content for users, but you can pipe it:

Get-content c:\groups.txt | .\Add-MultipleGroups.ps1 -Groups -users (Get-content c:\users.txt)

You can confirm in ADUC that the users are now members of the security groups in our groups.txt file.

Add users to Office 365 and Distribution Groups with PowerShell

Great! Now that we have our user accounts created on the AD side of things, we will move on to adding our user(s) into Office365:

With PowerShell up and running will will issue the following commands:

From https://www.petri.com/use-powershell-create-assign-licenses-office-365-users

Import-Module MSOnline

Connect-MsolService

Now we will create the user with the following command:

New-MsolUser -UserPrincipalName [email protected] -DisplayName ‘User 1’ -FirstName User -LastName 1

This command will return something like the following (sorry about the formatting:)

PS C:\Users\jcoltrin> New-MsolUser -UserPrincipalName [email protected] -DisplayName ‘User 1’ -FirstName User -LastName 1



Password                                   UserPrincipalName                          DisplayName                                isLicensed

--------                                   -----------------                          -----------                                ----------

Suso4007                                   [email protected]                       User 1                                False

Now we need to add a license to the user account. We need to do two things before we can assign the licenses. First is we need to to determine the different sku’s we have available to license, and second, we need to set the usage location. To accomplish the first part, we can issue the command:

Get-MsolAccountSku

Second, by using the instructions here: https://social.technet.microsoft.com/Forums/ie/en-US/bfde2a73-579c-409b-a7cd-77110048c7b7/license-enabling-script?forum=onlineservicesadministrationcenter

We can set the MS Online user’s principal location:

Set-MsolUser -UserPrincipalName [email protected] -UsageLocation US


Set-MsolUserLicense -UserPrincipalName [email protected] -AddLicenses Contoso:STANDARDPACK

Now that the user is licensed, we will add the account to a few Exchange Distribution Groups. We will need to import a new PSSession from outlook.com before we can run the Exchange commands. Import the session by first creating a function called “Connect-O365” by running the following (just like we created the function find-dn above):

function Connect-O365{
 $o365cred = Get-Credential [email protected]
 $session365 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $o365cred -Authentication Basic -AllowRedirection 
 Import-Module (Import-PSSession $session365 -AllowClobber) -Global
}

Save and name this function: Connect-O365.ps1 and run it. We now have a function that we can run:

.\Connect-O365.ps1
Connect-O365

(enter creds)

Now we can add the distribution group members with the group identity and member name in quotes:

Add-DistributionGroupMember -Identity "Finance" -Member "[email protected]"

Add-DistributionGroupMember -Identity "AllEmployees" -Member "[email protected]"

A number of these scripts and commands can be combined into .ps1 files to optimize the workflow even further. With the information here you should have a good place to start. Let me know in the comments how you added your own features to the procedure.

Exchange/Outlook 2010 autodiscover certificate error name mismatch

Exchange/Outlook 2010 autodiscover certificate error name mismatch

Recently some users have been receiving the following autodiscover certificate error when opening outlook:

Security Alert: autodiscover.domainname.org

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site’s security certificate.

√ The security certificate is from a trusted party

√ The security certificate date is valid

X The name on the security certificate is invalid or does not match the name of the site

Firstly, we host exchange at a different hostedexchange.com, and our autodiscover uses a wildcard certificate “*.hostedexchange.com”. So starting with the client I made sure to view the certificate. The correct name on the certificate listed was “*hostedexchange.com.”

1. I installed the certificate on to the client PC into the trusted store. Closed outlook/opened again and still the same error.

2. I looked at the proxy settings in the account setup and found that the ‘server name’ and msstd: were correct, they were.

3. We used nslookup externally and found that there are no valid dns records pointing to autodiscover.domainname.org

4. We used https://www.testexchangeconnectivity.com/ and found that while it does automatically check for autodiscover.domainname.org, dns did not return a value; it failed

5. From the client we were able to ping autodiscover.domainname.com, the ping returned an internal ip address of our mail server.

6. So from the results above it appears as though the client (or citrix server’s hosted desktop in this instance) had an incorrect dns entry.

7. From a (run as administrator) command prompt I issued an “ipconfig /flushdns” command on the client server but the error persisted, and pings still replied from autodiscover.domainname.org

8. We checked the hosts file on the server (c:\windows\system32\drivers\etc), and sure enough there was an old entry for autodiscover.domainname.org

9. In order to edit the hosts file, did a “Run as administrator” to open notepad, edited the file and saved successfully.

10. Issued another ipconfig /flushdns

Now when the client opens, the request to get autodiscover.domainname.org fails, and there is no mismatch of certificate names.