Manage AD from a PC that is not Member of the Domain

Use this when you are remote and want to manage Active Directory from a computer that is not joined to the AD domain.

1- VPN into the office.

2- For Windows 10/11, add "RSAT: Active Directory Domain Services and Lightweight Directory Services Tools" to Windows. This is an Optional Feature in Windows, so if you go to Optional Features you should be able to find it and add it.

3- Go to the command line and change directory to C:\windows\system32.

4- Run the following command:

runas /netonly /user:User@Domain.Whatever "mmc dsa.msc /domain=Domain.Whatever"

Where User@Domain.Whatever is a domain user with domain admin privileges. So if the user is John and the domain is domain.local, that would be John@domain.local, and Domain.Whatever would be domain.local.
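The same procedure as a script, added here as an example (it is not part of the original notes): it installs the RSAT AD tools as a Windows capability if they are missing, confirms the domain's DNS SRV records resolve over the VPN, and then launches the console with network-only credentials. The capability name is the real Features-on-Demand name for the RSAT AD DS/LDS tools; the domain and user names are placeholders, and the script assumes an elevated prompt for the install step. Note that /netonly keeps a copy of the supplied credentials in the local LSASS for the lifetime of the mmc process, so close the console when you are done on a non-domain PC.

```powershell
# Added example, not from the original notes.
# Assumptions: placeholder $Domain/$User; elevated prompt for Add-WindowsCapability;
# the VPN pushes the internal DNS servers so the domain's SRV records resolve.
param(
    [string]$Domain = 'domain.local',   # placeholder domain
    [string]$User   = 'John'            # placeholder admin account
)

# RSAT AD DS / LDS tools as a Windows 10/11 optional feature (Feature on Demand).
$capName = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
$cap = Get-WindowsCapability -Online -Name $capName
if ($cap.State -ne 'Installed') {
    # Needs internet access (or a configured FoD source) and an elevated prompt.
    Add-WindowsCapability -Online -Name $capName | Out-Null
}

# Check that a domain controller can be located before starting the console;
# this is the usual failure point when the VPN does not hand out internal DNS.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object Type -eq 'SRV' | Select-Object -First 1
Write-Host "Domain controller located: $($srv.NameTarget):$($srv.Port)"

# /netonly: the credentials are used only for outbound network authentication;
# the mmc process itself still runs under the local (non-domain) account.
$target = "$User@$Domain"
& "$env:SystemRoot\System32\runas.exe" /netonly /user:$target "mmc dsa.msc /domain=$Domain"
```

runas.exe prompts for the password in the current console; the password is never placed on the command line.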

How to encrypt drive – Bitlocker – Command Prompt/line


How to encrypt the drive of Windows 10/11 with BitLocker and print the recovery key so you can copy and save it for future recovery. Don't save it on the same C: drive.

Run the command line as admin:

manage-bde -protectors -add C: -rp
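The BitLocker PowerShell module version of the above, added here as an example (not from the original notes). Adding a recovery password protector, which is what manage-bde -protectors -add C: -rp does, does not by itself encrypt anything; the script below adds the protector, writes the 48-digit recovery password to a folder that it refuses to accept if it is on C:, and then turns encryption on with a TPM protector. It assumes an elevated PowerShell, a TPM, and a placeholder backup path on a removable drive.

```powershell
# Added example, not from the original notes.
# Assumptions: run elevated; PC has a TPM; $BackupDir is a placeholder NOT on C:.
param([string]$BackupDir = 'E:\BitLockerRecovery')

$mount = 'C:'
$vol = Get-BitLockerVolume -MountPoint $mount

# Equivalent of "manage-bde -protectors -add C: -rp": add one only if none exists.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
}

# Never write the recovery password onto the volume it protects.
if ($BackupDir.ToUpper().StartsWith($mount)) {
    throw "Backup location $BackupDir is on the encrypted volume; use another drive."
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$file = Join-Path $BackupDir ("{0}-{1}.txt" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
@(
    "Computer:      $env:COMPUTERNAME"
    "Volume:        $mount"
    "Protector ID:  $($rp.KeyProtectorId)"
    "Recovery Pwd:  $($rp.RecoveryPassword)"
) | Set-Content -Path $file
Write-Host "Recovery password written to $file"

# Now actually encrypt: the TPM unlocks the OS drive at boot, the recovery
# password above is the fallback if the TPM measurements change.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $mount -TpmProtector -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -SkipHardwareTest | Out-Null
}
Get-BitLockerVolume -MountPoint $mount | Select-Object MountPoint, VolumeStatus, EncryptionPercentage
```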


How to Schedule Tasks from Command Line Windows 10/11

How to schedule a daily reboot or shutdown at a certain time using the command line / command prompt. Applies to Windows 10/11.

Below is an example of scheduling a shutdown of a computer daily at 6 PM.

schtasks /create /sc daily /tn ShutdownAt6PM /tr "shutdown -s -f -t 2" /st 18:00 /NP

schtasks, the command to schedule tasks. The AT command from earlier versions of Windows has been deprecated.

/create, create a new task.

/sc, the schedule frequency, such as once or daily.

/tn, the name of the task; this is its description.

/tr, the command to run, such as "shutdown -s -f -t 2": -s shuts down, -f forces running applications to close, -t 2 delays by 2 seconds. Replace -s with -r to reboot instead of shutting down.

/st, the time at which to execute the command.

/NP, no password is stored for the task; it runs whether or not the user is logged on.
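The same daily 6 PM shutdown built with the ScheduledTasks module instead of schtasks.exe, added here as an example (not from the original notes). It runs the task as the built-in SYSTEM account, which needs no stored password and runs with nobody logged on (the usual replacement for /NP on a machine-level task; a /NP task runs as the creating user and can only reach local resources), and it reads the registration back so you can confirm what will run and when. It assumes an elevated PowerShell.

```powershell
# Added example, not from the original notes. Assumes an elevated PowerShell.
$taskName = 'ShutdownAt6PM'

# /tr equivalent: program and arguments are separate, so no quoting problems.
$action = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\shutdown.exe" `
                                  -Argument '-s -f -t 2'    # -r instead of -s to reboot

# /sc daily /st 18:00
$trigger = New-ScheduledTaskTrigger -Daily -At '18:00'

# Run as SYSTEM: nothing to store, runs whether or not anyone is logged on.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                                        -LogonType ServiceAccount -RunLevel Highest

# If the PC was off at 18:00, run as soon as it is next available.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force `
    -Description 'Forced shutdown every day at 18:00' | Out-Null

# Read back what was registered (the same data "schtasks /query /tn <name> /v" shows).
$task = Get-ScheduledTask -TaskName $taskName
$info = $task | Get-ScheduledTaskInfo
[pscustomobject]@{
    Task    = $task.TaskName
    RunsAs  = $task.Principal.UserId
    Command = "$($task.Actions[0].Execute) $($task.Actions[0].Arguments)"
    NextRun = $info.NextRunTime
    State   = $task.State
}
```

Scheduled tasks are also a common place for unwanted persistence, so the same Get-ScheduledTask read-back is worth running periodically to confirm only the tasks you created are present.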

How to Extract Private Key and SSL Certificate from a Certificate.pfx file


If you have an SSL certificate in PFX format (also called PKCS#12 format), it usually contains the SSL certificate for your host or domain together with the private key (the key is usually secured with a password). If you want to extract the certificate file and the private key, here is what you can do.

Assuming the name of the certificate file is MyCertificate.pfx:

1- Download/install/extract the OpenSSL command line utility into a temp folder.

2- Copy the MyCertificate.pfx certificate file into that folder.

3- To export the SSL certificate into PEM format:

openssl pkcs12 -in MyCertificate.pfx -nokeys -out MyCertificate.pem

4- To export the private key:
openssl pkcs12 -in MyCertificate.pfx -nocerts -out MyPrivateKey.pem -nodes

5- To remove the passphrase/password from the private key:
openssl rsa -in MyPrivateKey.pem -out NewPrivateKey.key

Now you have the certificate MyCertificate.pem and the private key NewPrivateKey.key (the names here could be anything; you can name them or rename them to anything descriptive or to whatever your web server/web application documentation requires).
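The five steps as a PowerShell script, added here as an example (not from the original notes). Two things a practitioner wants on top of the bare commands: a check that the extracted key really belongs to the extracted certificate (the public key inside the certificate must equal the one derived from the private key), and protection for the key files, because -nodes writes the key to disk unencrypted. The PFX password is passed to openssl through an environment variable rather than on the command line. It assumes openssl.exe is on PATH or in the temp folder you run it from, and uses the file names from the notes.

```powershell
# Added example, not from the original notes.
# Assumptions: openssl.exe on PATH (or in the current temp folder); icacls available.
$pfx  = 'MyCertificate.pfx'
$cert = 'MyCertificate.pem'
$key  = 'MyPrivateKey.pem'
$out  = 'NewPrivateKey.key'

# Read the PFX password without echo and hand it to openssl via -passin env:...
# so it never shows up in command history or process listings.
$secure = Read-Host -Prompt "Password for $pfx" -AsSecureString
$env:PFX_PASS = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    # Step 3: certificate only
    & openssl pkcs12 -in $pfx -nokeys -out $cert -passin env:PFX_PASS
    if ($LASTEXITCODE) { throw 'certificate export failed' }

    # Step 4: private key, written unencrypted (-nodes)
    & openssl pkcs12 -in $pfx -nocerts -out $key -nodes -passin env:PFX_PASS
    if ($LASTEXITCODE) { throw 'private key export failed' }
}
finally {
    Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
}

# Step 5: plain RSA PEM without the PKCS#12 bag attributes
& openssl rsa -in $key -out $out
if ($LASTEXITCODE) { throw 'key conversion failed' }

# Sanity check: cert and key must carry the same public key, or the web server
# will refuse the pair (or worse, serve a mismatched chain).
$pubFromCert = (& openssl x509 -in $cert -noout -pubkey) -join "`n"
$pubFromKey  = (& openssl pkey -in $out -pubout) -join "`n"
if ($pubFromCert -ne $pubFromKey) { throw "$cert and $out do not match" }

# Show what was extracted and when it expires.
& openssl x509 -in $cert -noout -subject -enddate

# Both key files are plaintext: drop inherited ACLs, grant only the current user,
# then delete the intermediate copy so only one key file is left to protect.
foreach ($f in @($key, $out)) {
    & icacls $f /inheritance:r /grant:r "${env:USERNAME}:(R,W)" | Out-Null
}
Remove-Item $key
Write-Host "Done: $cert and $out (ACL on $out restricted to $env:USERNAME)"
```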


My notes on Halo (unrelated to the above)

Open the "cert" folder on the server's desktop, back up the current certificate and private key and move them out. Copy in the new cert and private key and match the names to the backup files.

Restart Halo services.


Microsoft Office 365 List of outgoing SMTP IP/Network addresses

The following are the outgoing IP addresses and networks of Microsoft Office 365 SMTP/email, in case you need to whitelist them in your antispam or firewalls:

52.100.0.0/14
40.92.0.0/15
40.107.0.0/16
104.47.0.0/17
2a01:111:f403::/48
2a01:111:f400::/48
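A small CIDR membership check, added here as an example (not from the original notes), for testing whether a connecting IP seen in a mail gateway or firewall log falls inside the ranges listed above; it handles both the IPv4 and the IPv6 prefixes, including prefixes that end mid-byte such as /14 and /17. The range list is copied from these notes, so check it against Microsoft's currently published Office 365 endpoint list before using it in a firewall rule; the sample addresses at the bottom are constructed.

```powershell
# Added example, not from the original notes. Ranges copied from the list above.
$O365SmtpRanges = @(
    '52.100.0.0/14', '40.92.0.0/15', '40.107.0.0/16', '104.47.0.0/17',
    '2a01:111:f403::/48', '2a01:111:f400::/48'
)

function Test-IPInCidr {
    param([string]$Address, [string]$Cidr)
    $ip = [System.Net.IPAddress]::Parse($Address)
    $netStr, $bits = $Cidr -split '/'
    $net = [System.Net.IPAddress]::Parse($netStr)
    if ($ip.AddressFamily -ne $net.AddressFamily) { return $false }   # v4 vs v6 never match
    $a = $ip.GetAddressBytes(); $n = $net.GetAddressBytes(); $bits = [int]$bits
    for ($i = 0; $i -lt $a.Length; $i++) {
        $remaining = $bits - 8 * $i
        if ($remaining -le 0) { return $true }           # all prefix bits compared
        # Full byte for the first bytes, then a partial mask (e.g. /17 -> 0x80 in byte 2).
        $mask = if ($remaining -ge 8) { 0xFF } else { [int](256 - [math]::Pow(2, 8 - $remaining)) }
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

# Returns the matching range, or $null if the address is outside every range.
function Test-O365Sender {
    param([string]$Address)
    foreach ($r in $O365SmtpRanges) {
        if (Test-IPInCidr -Address $Address -Cidr $r) { return $r }
    }
    return $null
}

# Constructed sample "connecting IP" values as a gateway log might show them.
foreach ($sample in '52.101.3.4', '40.93.255.1', '104.47.20.9', '104.47.200.9',
                    '2a01:111:f403:1::5', '203.0.113.7') {
    $hit = Test-O365Sender $sample
    '{0,-22} {1}' -f $sample, $(if ($hit) { "in $hit" } else { 'NOT an Office 365 range' })
}
```

104.47.20.9 and 104.47.200.9 are there on purpose: the /17 only covers 104.47.0.0 through 104.47.127.255, so the second one is outside the range even though the first three octets look similar.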

How to Map Network Drive to a SharePoint Folder

Mapping a SharePoint site or folder as a network drive is done through Windows Explorer. This won't work from Edge or any other browser.

If your SharePoint URL is

https://www.MyCompanySite.SharePoint.Com

the name of the site is MySite (it could be blank if it is the root of SharePoint), and the folder on the root to map is called Compliance:

1- Go to Control Panel, Internet Options and add that site to the Trusted Sites list.

2- Open Internet Explorer, log in to the SharePoint site and save the password at login.

https://mycompanysite.sharepoint.com/sites/MySite/Shared Documents/Compliance

3- Map the network drive to the Compliance SharePoint folder using the following format.

In Explorer choose Map network drive, choose a drive letter and point it to:

https://MyCompanySite.SharePoint.com@SSL\DavWWWRoot\sites\MySite\Shared Documents\Compliance
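The same mapping from PowerShell, added here as an example (not from the original notes). Windows mounts SharePoint through the WebClient (WebDAV redirector) service, which is often stopped or set to Manual on workstations and then makes the mapping fail with "System error 67", so the script checks that first; it then maps the path in the notes' host@SSL\DavWWWRoot format with net use and lists the library to confirm. The tenant, site and folder names are the placeholders from the notes, and it assumes you have already signed in to the site in Internet Explorer as step 2 describes.

```powershell
# Added example, not from the original notes.
# Assumptions: placeholder tenant/site/folder names; prior browser sign-in (step 2).
$tenant = 'MyCompanySite.SharePoint.com'
$site   = 'MySite'
$folder = 'Shared Documents\Compliance'
$drive  = 'S:'

# The WebDAV redirector must be running or "net use" fails with error 67.
$svc = Get-Service -Name WebClient
if ($svc.StartType -ne 'Automatic') { Set-Service -Name WebClient -StartupType Automatic }
if ($svc.Status -ne 'Running')      { Start-Service -Name WebClient }

# Notes' path format: host@SSL forces HTTPS, DavWWWRoot marks the WebDAV root.
$unc = "\\$tenant@SSL\DavWWWRoot\sites\$site\$folder"

# Re-map idempotently; /persistent:yes reconnects the drive at the next logon.
if (Test-Path -LiteralPath $drive) { net use $drive /delete /y | Out-Null }
net use $drive "$unc" /persistent:yes
if ($LASTEXITCODE -ne 0) { throw "net use failed with exit code $LASTEXITCODE" }

# Confirm the mapping and show the first few items in the library.
Get-PSDrive -Name $drive.TrimEnd(':') | Select-Object Name, Root
Get-ChildItem -LiteralPath "$drive\" | Select-Object Name, Length, LastWriteTime -First 10
```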


Office 365 Mailbox Migration Status Stuck Syncing


We had a mailbox that wouldn't complete migrating from a hybrid setup with an on-premises Microsoft Exchange 2013 server to Office 365. We cancelled the migration several times and restarted it, but it always got hung up at the end without completing, with status Syncing or InProgress; we left it for days and it wouldn't complete.

We found out that some corruption in the calendar ACLs was causing the issue. The Office 365 portal wouldn't show any message about corruption or skipped items.

We connected to Office 365 through PowerShell and issued the following commands. The first approves the skipped items (we were never prompted to approve them in the browser migration, which was odd), then the second completes the batch:

Set-MigrationBatch -Identity TypeNameOfTheBatchHere -ApproveSkippedItems
Complete-MigrationBatch -Identity TypeNameOfTheBatchHere
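A fuller version of that session, added here as an example (not from the original notes): it lists the batch counters and, per mailbox, the skipped items that the portal does not show, so you can see what you are approving before running the two commands above. Approving skipped items tells the migration to finish without those items, so anything beyond the corrupt calendar ACL entries described above is worth a look first. It assumes the ExchangeOnlineManagement module is installed; the batch name is the placeholder from the notes.

```powershell
# Added example, not from the original notes.
# Assumptions: ExchangeOnlineManagement module installed; $Batch is a placeholder.
param([string]$Batch = 'TypeNameOfTheBatchHere')

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline            # interactive, MFA-capable sign-in

# Batch-level counters: a batch stuck in Syncing usually shows Synced < Total.
Get-MigrationBatch -Identity $Batch |
    Format-List Identity, Status, TotalCount, SyncedCount, FinalizedCount, FailedCount

# Per-mailbox view including the skipped (bad/corrupt) items.
$users = Get-MigrationUser -BatchId $Batch
foreach ($u in $users) {
    $stats = Get-MigrationUserStatistics -Identity $u.Identity -IncludeSkippedItems
    "{0}: {1}, {2} skipped item(s)" -f $u.Identity, $stats.Status, $stats.SkippedItemCount
    $stats.SkippedItems | Select-Object Kind, FolderName, Subject | Format-Table -AutoSize
}

# Approve only after reviewing the list above; this discards the skipped items.
$confirm = Read-Host "Approve skipped items for batch $Batch and complete it? (y/n)"
if ($confirm -eq 'y') {
    Set-MigrationBatch      -Identity $Batch -ApproveSkippedItems
    Complete-MigrationBatch -Identity $Batch
    Get-MigrationBatch -Identity $Batch | Select-Object Identity, Status
}
Disconnect-ExchangeOnline -Confirm:$false
```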

Outlook “Need Password” With No Prompt – Office 365 Multifactor Authentication

After migrating mailboxes from on-premises Exchange 2013 to Office 365, some Microsoft Outlook 2016/2019/Office 365 clients kept getting a message in the bottom right-hand corner of Outlook saying "Need Password" without being prompted to enter it. They would click on the message and it would disappear, and Outlook would resume receiving email, but after a little while the message would come up again; this behavior continued persistently through the day.

Modern Authentication is enabled and might have contributed to the issue.

1- The following registry values fixed the issue (close Outlook and other MS programs before making changes, and reboot the computer afterwards). Add each as a DWORD set to 1. You can save the following to a .reg file and double-click it to add the values automatically:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity]
"Version"=dword:00000001
"EnableADAL"=dword:00000001
"DisableADALatopWAMOverride"=dword:00000001
"DisableAADWAM"=dword:00000001


2- Now browse to the following registry location:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover

Find out if the following DWORD exists, and if it does, delete it:

ExcludeExplicitO365Endpoint

3- Reboot the computer after that.

Modern Authentication / Outlook 2016 Password / OWA / App Password

In Office 365 two-factor authentication (2FA), an App Password is used for older versions of Microsoft Outlook or for non-Microsoft email clients on devices like Macs or smartphones.

If, after enforcing 2FA in Office 365, you configure Outlook 2016 for email and Outlook keeps rejecting the password that you have been using and that works with OWA, while the App Password works in Outlook, then you might want to add a registry key to enable and enforce Modern Authentication.

Make sure Modern Authentication is turned on in the Office 365 portal: log in as admin, expand Settings, click Org Settings, select Modern Authentication and turn it on.

  • Outlook 2010 doesn't support Modern Authentication.
  • Outlook 2013 supports Modern Authentication, but you need to add the following two registry values, each a DWORD set to 1:

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version

The following key will enforce it.

HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover


  • Outlook 2016 supports Modern Authentication and it is on by default, but we've had to enforce it in some instances because Outlook kept prompting for a password and wouldn't take the password that worked with OWA, although Outlook did work with an App Password. Enforcing Modern Authentication made Outlook 2016 accept the regular Office 365 password (the one that worked for OWA). Add the following DWORD and set it to 1:

HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover

Note: registry changes might result in problems and serious issues with computers and software.  Do it at your own risk.
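One script that applies the registry values from both the "Need Password" section and the Modern Authentication section, added here as an example (not from the original notes). It backs up the affected keys with reg.exe before touching them so the change can be undone, refuses to run while Office programs are open, and takes an -OfficeVersion parameter: 16.0 applies the Outlook 2016/2019/365 values (including removing ExcludeExplicitO365Endpoint), 15.0 applies the two Outlook 2013 values; both set AlwaysUseMSOAuthForAutoDiscover. All keys are under HKCU, so it must run as the affected user; the backup folder is a placeholder.

```powershell
# Added example, not from the original notes.
# Assumptions: run as the affected user (all keys are HKCU); $BackupDir is a placeholder.
param(
    [ValidateSet('15.0', '16.0')] [string]$OfficeVersion = '16.0',
    [string]$BackupDir = "$env:USERPROFILE\RegBackup"
)

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    Write-Host ("set {0}\{1} = {2}" -f $Path, $Name, $Value)
}

function Backup-RegKey {
    param([string]$RegExePath, [string]$File)
    # reg.exe wants HKCU\..., the provider wants HKCU:\...
    if (Test-Path ("HKCU:\" + $RegExePath.Substring(5))) {
        reg export $RegExePath $File /y | Out-Null
        Write-Host "backed up $RegExePath to $File"
    }
}

# Office apps cache these values; refuse to continue while they are running.
$running = Get-Process -Name outlook, winword, excel, onenote -ErrorAction SilentlyContinue
if ($running) { throw "Close Office first: $(($running.Name | Sort-Object -Unique) -join ', ')" }

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Backup-RegKey "HKCU\SOFTWARE\Microsoft\Office\$OfficeVersion\Common\Identity" "$BackupDir\Identity-$stamp.reg"
Backup-RegKey "HKCU\SOFTWARE\Microsoft\Exchange" "$BackupDir\Exchange-$stamp.reg"

$identity = "HKCU:\SOFTWARE\Microsoft\Office\$OfficeVersion\Common\Identity"
Set-RegDword $identity 'EnableADAL' 1      # Modern Authentication (ADAL) on
Set-RegDword $identity 'Version'    1

if ($OfficeVersion -eq '16.0') {
    # The two WAM-related values from the "Need Password" section (Outlook 2016+ only).
    Set-RegDword $identity 'DisableADALatopWAMOverride' 1
    Set-RegDword $identity 'DisableAADWAM' 1

    # Step 2 of that section: remove ExcludeExplicitO365Endpoint if present.
    $autod = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Outlook\AutoDiscover'
    if (Get-ItemProperty -Path $autod -Name ExcludeExplicitO365Endpoint -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $autod -Name ExcludeExplicitO365Endpoint
        Write-Host "removed $autod\ExcludeExplicitO365Endpoint"
    }
}

# The "enforce" value from the Modern Authentication section.
Set-RegDword 'HKCU:\SOFTWARE\Microsoft\Exchange' 'AlwaysUseMSOAuthForAutoDiscover' 1

Write-Host "Done. Backups are in $BackupDir. Reboot before testing Outlook."
```

To undo, double-click the .reg files in the backup folder (or run reg import on them), which restores the values as they were before the script ran.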


How to Force Sync Azure AD Connect with Azure Office 365


If you have Azure AD Connect syncing with Azure / Office 365 and want to force a sync of AD with Azure when you have just created a new user, start PowerShell on the server that has Azure AD Connect installed and type:

Import-Module ADSync

Get-ADSyncScheduler

Start-ADSyncSyncCycle -PolicyType Delta
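The same three commands wrapped so they behave well when run in a hurry, added here as an example (not from the original notes): Start-ADSyncSyncCycle errors out if a cycle is already running, so the script reports the scheduler state, waits for any running cycle, starts the delta sync, and then waits for it to finish so you know the new user has been pushed before you check the portal. It assumes it runs on the Azure AD Connect server in an elevated PowerShell.

```powershell
# Added example, not from the original notes. Run on the Azure AD Connect server, elevated.
Import-Module ADSync

$sched = Get-ADSyncScheduler
"Scheduler enabled: {0}; next cycle (UTC): {1}; cycle in progress: {2}" -f `
    $sched.SyncCycleEnabled, $sched.NextSyncCycleStartTimeInUTC, $sched.SyncCycleInProgress

# A cycle that is already running makes Start-ADSyncSyncCycle fail; wait it out.
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host 'A sync cycle is already running, waiting...'
    Start-Sleep -Seconds 15
}

# Delta = only changes since the last run (what you want after creating a user).
# -PolicyType Initial would be a full resync and is rarely needed.
Start-ADSyncSyncCycle -PolicyType Delta

# Wait for the delta cycle to finish before telling anyone the user is "in Azure".
do {
    Start-Sleep -Seconds 10
} while ((Get-ADSyncScheduler).SyncCycleInProgress)

# Any connector still listed here is still running; an empty result means the engine is idle.
Get-ADSyncConnectorRunStatus
Write-Host 'Delta sync cycle finished.'
```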