Sometimes, it can be useful to disable access to the Exchange server for a specific mailbox. For example, you may want to forbid Outlook Web App (Outlook on the Web for Exchange 2016) without disabling the user account. Or you can prestage a mailbox and only allow access from a specific date and time.
This can also be used during a migration to another mail system: once the user is migrated, you can disable all access to force the user onto the new messaging system and prevent any email from being sent through the old Exchange server.
Exchange Disable access
Let’s see how to disable all access for a mailbox using ECP or the Exchange Management Shell (PowerShell):
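As an added example (not code from the original post), the PowerShell side of this: Set-CASMailbox turns off each client protocol for one mailbox while the Active Directory account stays enabled. The identity value is a placeholder; the state is captured before the change so it can be restored later.

```powershell
# Added example, not the post's own script.
# Block every client protocol for one mailbox from the Exchange Management Shell.
$Identity = 'user@contoso.com'   # placeholder mailbox identity

$protocolFields = 'Name', 'OWAEnabled', 'ActiveSyncEnabled', 'MAPIEnabled', 'EwsEnabled', 'PopEnabled', 'ImapEnabled'

# Record the current state first so the change can be reverted after the migration.
$before = Get-CASMailbox -Identity $Identity | Select-Object $protocolFields
$before | Export-Clixml -Path ".\casmailbox-before-$($before.Name).xml"

# Disable all protocols. MAPIEnabled covers Outlook desktop; OWAEnabled covers the web client.
Set-CASMailbox -Identity $Identity `
    -OWAEnabled $false `
    -ActiveSyncEnabled $false `
    -MAPIEnabled $false `
    -EwsEnabled $false `
    -PopEnabled $false `
    -ImapEnabled $false

# Verify that nothing is still enabled.
Get-CASMailbox -Identity $Identity | Select-Object $protocolFields
```

Re-enabling is the same call with `$true`, or by reading the saved XML back with Import-Clixml and applying each field. Disabling protocols blocks client access only; mail flow to the mailbox continues unless you also change routing or the mailbox itself.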
In order to reorganize an Active Directory forest with multiple child domains into a single domain, I used the ADMT (Active Directory Migration Tool) 3.2 from Microsoft. This is an intraforest migration because all domains are in the same forest.
While ADMT supports intraforest migration, I encountered a specific issue with computers migrated from a child domain to the parent domain: “The security database on the server does not have a computer account for this workstation trust relationship“
Security database trust relationship
Well, I was very perplexed by this error, because the ADMT agent reported a successful operation, and the computer account existed in the new Active Directory domain.
In fact, you will get this error each time you migrate a computer intraforest and the target operating system is Windows Server 2012 R2. Let’s see why, and how to resolve this issue.
Sometimes, you may need to check the information stored in the Active Directory Global Catalog. This can happen when you want to verify that replication between GCs located in separate sites has completed.
We can easily view the information in GC with ADSI Edit:
Let’s see how to connect to a GC using ADSI Edit.
During an Active Directory migration, I needed to do an inventory of the computers to migrate, because some computers no longer existed but had not been removed from Active Directory. I created a PowerShell script based on the Last Logon Timestamp property.
CSV file from the script
This PowerShell script creates a CSV file with the computer name, the last logon property and the operating system. Because some domains were still based on Windows Server 2003 or 2008, I could not use the Active Directory cmdlets, so I used an LDAP search instead.
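An added example of that approach, not the author's script: it uses System.DirectoryServices (plain LDAP, no ActiveDirectory module) to list every computer account with its lastLogonTimestamp converted from FILETIME to a DateTime, flags accounts that have not logged on within a threshold, and writes the result to CSV. The search base and output path are placeholders.

```powershell
# Added example (not the original post's script).
# Inventory computer accounts over LDAP so it also works against
# Windows Server 2003/2008 domains without the ActiveDirectory module.
param(
    [string]$SearchBase = 'LDAP://DC=lab,DC=local',   # placeholder domain
    [int]$StaleDays = 90,                              # threshold for "stale" accounts
    [string]$OutFile = '.\computers.csv'
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
$searcher.Filter     = '(objectCategory=computer)'
$searcher.PageSize   = 1000   # enable paging; without it large domains are capped at 1000 results
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'lastLogonTimestamp', 'operatingSystem'))

$cutoff  = (Get-Date).AddDays(-$StaleDays)
$results = $searcher.FindAll()

$inventory = foreach ($result in $results) {
    $props = $result.Properties   # property names come back lower-cased

    # lastLogonTimestamp is a FILETIME stored as Int64; it is absent on accounts that never logged on.
    $lastLogon = $null
    if ($props.Contains('lastlogontimestamp')) {
        $lastLogon = [DateTime]::FromFileTime([int64]$props['lastlogontimestamp'][0])
    }

    $os = ''
    if ($props.Contains('operatingsystem')) { $os = [string]$props['operatingsystem'][0] }

    [pscustomobject]@{
        Name            = [string]$props['name'][0]
        LastLogon       = $lastLogon
        OperatingSystem = $os
        Stale           = ($null -eq $lastLogon) -or ($lastLogon -lt $cutoff)
    }
}
$results.Dispose()

$inventory | Sort-Object LastLogon | Export-Csv -Path $OutFile -NoTypeInformation
```

Two caveats when reading the CSV: lastLogonTimestamp is replicated between domain controllers but is only updated when the old value is more than about 14 days old, so it is accurate to roughly two weeks, not to the minute; and an empty LastLogon means the account never logged on since the attribute was introduced, which is exactly the case that deserves a closer look before migration.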
When BitLocker is enabled on the workstations and laptops in your enterprise, you must have a way to get the recovery key for a drive. In some cases, BitLocker will prompt the user for the recovery key when it detects a specific change, such as a modification of the partitions.
The easiest solution is to use the Active Directory Users and Computers console. This is only possible if the GPO is configured to store recovery keys in Active Directory.
With Active Directory Users And Computers, we can:
- Display Bitlocker Recovery key for one computer.
- Search all of Active Directory for a Password ID.
- Delegate Rights to display confidential information.
Before Windows Server 2008, there was a limitation in password management: only one password policy and lockout policy could be applied to all users in the domain. Therefore, some organizations created several domains to manage different sets of user and password policies.
With Windows Server 2008, Microsoft introduced Fine-Grained Password Policy. With this object, you can create multiple password policies in the same domain and assign each one to a specific user group. However, there was no built-in GUI to create a Fine-Grained policy; we had to use ADSI Edit and the Attribute Editor to assign a policy to a user group.
Windows Server 2012 uses Active Directory Administrative Center to give us the possibility to create Fine-Grained policy with a wizard. Let’s see how to do that easier.
Windows Server 2008 R2 introduced a new domain feature: the Active Directory Recycle Bin. A great feature, but it was the first version, so we had to use PowerShell to enable it and to restore deleted items.
With Windows Server 2012 R2, Microsoft released a GUI for the Recycle Bin. It is integrated into the Active Directory Administrative Center. With ADAC, you can enable the feature and restore deleted items easily. Of course, you can still do it with PowerShell cmdlets.
System Center Configuration Manager 2012 R2 now supports SQL Server 2014. But you will get an error in the wizard if you try to install SCCM 2012 SP1/R2 on SQL Server 2014.
The SCCM Installation Wizard checks the version of SQL Server. However, it treats SQL Server 2014 as an unsupported version:
The SQL Server srvsql.lab.local is not accessible or its version not supported.
Microsoft released a patch, KB3020755, to correct this problem.
The description of the KB is “Restore fails when the site database”, but we only need to copy two DLLs from it into the wizard folder.
We need to do 4 steps:
- Download and extract the KB into a temporary folder.
- Execute CM12-R2-QFE-KB3020755-X64-ENU-OOB.exe. It will extract two files: prereqcore.dll and setupcore.dll.
- Copy these files into the SMSSETUP\BIN\X64\ folder.
- Exit and restart the installation Wizard.
The SCCM team wrote a post on this topic here.
Sometimes, you need to create a lot of Organizational Units (OUs) in your Active Directory.
To do this, you can use Active Directory Users and Computers, but it can quickly become time-consuming depending on the number of OUs.
Fortunately, Microsoft provides a PowerShell module for Active Directory, so we can write a script to do this for us.
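An added example of such a script (not the post's own code): it reads a list of OUs with Name and Path columns, skips any OU that already exists so the script can be re-run, and creates the rest with New-ADOrganizationalUnit. The rows shown are constructed sample data and DC=lab,DC=local is a placeholder domain; parent OUs must be listed before their children.

```powershell
# Added example, not the original post's script.
# Bulk-create OUs from a CSV-shaped list using the ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed sample input. For a real run: $ouList = Import-Csv -Path .\ou-list.csv
$ouList = @'
Name,Path
Sites,"DC=lab,DC=local"
Paris,"OU=Sites,DC=lab,DC=local"
Users,"OU=Paris,OU=Sites,DC=lab,DC=local"
Computers,"OU=Paris,OU=Sites,DC=lab,DC=local"
'@ | ConvertFrom-Csv

foreach ($ou in $ouList) {
    $dn = "OU=$($ou.Name),$($ou.Path)"

    # Double any single quote so the OU name cannot break out of the filter string.
    $safeName = $ou.Name -replace "'", "''"
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$safeName'" `
        -SearchBase $ou.Path -SearchScope OneLevel -ErrorAction SilentlyContinue

    if ($exists) {
        Write-Output "Already exists: $dn"
        continue
    }

    # ProtectedFromAccidentalDeletion keeps the new OU from being removed by mistake.
    New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    Write-Output "Created: $dn"
}
```

Because the script checks for existence before creating, running it twice does not produce "already exists" errors; a row whose parent path does not exist yet will fail on New-ADOrganizationalUnit, which is why the list should be ordered from the top of the tree down.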