Access Delegation on DC’s WMI

Re-blog from Source

It is always good to remember that the Administrators group provides full control over the Domain Controllers and is just as critical a group to keep users out of.

In the Domain Admins group, we have all seen accounts for monitoring, PowerShell queries, etc. Those typically only need WMI access to pull information to monitor/audit. Following the principle of least privilege allows you to still give the access needed to watch your infrastructure, without potentially compromising access.


Project “Honolulu” update 1802

We talked a few months back about the new management experience Microsoft wants to add to their Server products, Project “Honolulu”.

So we did get an update that adds more cool features.

If you have it already installed, then you will see at the top that there is an update available.


Project “Honolulu” update 1711

We talked a few months back about the new management experience Microsoft wants to add to their Server products, Project “Honolulu”.

So a few days back we did get an update that adds some really cool new features.

If you have it already installed, then you will see at the top that there is an update available.


Split-Brain DNS and Windows

This is something that keeps coming back over and over again. For most Windows admins it is/was an issue until Windows 2k16. I always preferred to handle split-DNS in a Linux environment rather than building a separate server just to provide the external, NAT, Geo-location IPs.


Though, as Active Directory loves DNS, it is hard to separate it. At last we do have a solution with the new policies and split-scope zones. Below I will provide a simple scenario where you have two networks and the subnets are NATed. In my experience the best way to handle it is by scripting and building the server from scratch. Of course you can add the AD-integrated zones, but there are things you may not want to inherit.

So at first it is good to create a number of CSV files to hold the SRV, A, CNAME, Zones, and of course don’t forget to add, where needed, a column with the NATed IP.


Office 365/Hybrid Exchange and New Mailboxes

During my short time with O365 and especially the Exchange Hybrid configuration, I discovered that one of the hardest things to do is to decide which is the best course of action for creating new mailboxes. Either create them on-prem first and then do a migration to the cloud, or start from the cloud and then configure a remote mailbox on-prem?

Personally I prefer creating the remote mailbox and the O365 user/mailbox at once by using the New-RemoteMailbox command. But there is something missing in the parameters: the Shared Mailbox trigger.

So for creating a mailbox in a Hybrid environment, and then, if it is needed, making it a Shared one, we would first connect to the Exchange Management Shell and use the Get-Credential command to set the username and credentials that you will use for the mailbox.


Office 365 and Full Mailboxes

During the last months I came across an influx of full mailboxes. In most cases they were used to relay messages from other platforms. One of those has exceeded our Organization default quota by 102% and of course the rest were at 97% to 99% of the current quota.

My first thought was to change the Retention policy down to a month with the users’ approval and start the Managed Folder Assistant, which unfortunately did not solve the issue. You can find more on that on Sam’s IT Blog.

When working with Exchange Online PowerShell there are several things to keep in mind:

  • You can have up to 3 Sessions at the same time
  • Exchange Online sessions do have restricted language mode enabled, and you can find a way to solve the variable issue on michev.info
  • There is a PowerShell throttle; please refer to this post on how to calculate your micro delays.
