Windows Server 2012 IPAM Error: Unblock IPAM Access

Received the following error when attempting to provision a server to be managed by IPAM:

Unblock IPAM Access


Firewall? Nope
Network Connectivity? Yep

Since IPAM is applied through Group Policy, I thought to run “gpresult /r” and, lo and behold, the policies were not being applied to the server due to security filtering. Somehow the automated provisioning task failed to add this server to the policies' security filter. I added the computer object to the filter and now IPAM is working.

PowerShell Web Access Authorization error

Received this error on my initial attempt after setup of PowerShell Web Access (PSWA).

An authorization failure occurred. Verify that you are authorized to connect to the destination computer.

The documentation is clear that there are no authorization rules on the “out-of-the-box” install of PSWA and so you have to use the Add-PswaAuthorizationRule cmdlet. Which I did and it still wasn’t working.

Small gotcha that isn’t so clear from the documentation:

You must set the -ConfigurationName parameter to microsoft.powershell. You can’t just use any name you want.

Add-PswaAuthorizationRule -UserName "domain\john.doe" `
-ComputerName * -ConfigurationName microsoft.powershell

Well, technically you can use any configuration name you want; you just have to specify that name when you try to log in to PSWA, replacing the pre-filled value in the form. So just set the configuration name to microsoft.powershell and save yourself the headache.


PowerShell Remove Non-Routable proxyaddresses for mailbox migration to Exchange Online

When doing a migration from on-prem to Exchange Online / Office 365, the proxy addresses on the mail object must all be internet routable. If you have aliases like @domain.local, these need to be removed before the mailbox can be moved.

I used this PowerShell script to accomplish this in my environment:

<#
.Synopsis
Remove nonroutable smtp aliases in preparation for mailbox migration
.DESCRIPTION
Finds the users under the search base whose proxyaddresses contain the given
suffix and removes the matching entries from each user.
.EXAMPLE
remove-nonRoutableSmtpAddresses -Searchbase "OU=OrgUnit,DC=Domain,DC=com" -smtpsuffix "nonroutable.domain" -Verbose
#>
function remove-nonRoutableSmtpAddresses
{
    [CmdletBinding(SupportsShouldProcess)]
    Param
    (
        # Search base of users to search for
        [Parameter(Mandatory=$true,
                   Position=0)]
        $Searchbase,

        # SMTP suffix to find and remove
        [Parameter(Mandatory=$true,
                   Position=1)]
        $smtpsuffix
    )

    # Wrap the suffix in wildcards for the -like comparisons below
    $smtpsuffix = ("*" + $smtpsuffix + "*")
    $users = get-aduser -Filter {proxyaddresses -like $smtpsuffix} -Properties proxyaddresses -SearchBase $Searchbase
    foreach ($u in $users){
        # Collect this user's proxy addresses that match the suffix
        Get-ADUser $u -Properties proxyaddresses `
        | foreach {$pr = $_.proxyaddresses -like $smtpsuffix}
        # Remove only the matching values; all other addresses are left in place
        set-aduser $u -Remove @{proxyaddresses=$pr} -verbose
    }
}
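
The `*suffix*` wildcard in the function above matches the suffix anywhere in a proxy address, so it also selects a primary `SMTP:` address, an X500 entry or an unrelated domain that merely contains the string. The following is an added example, not part of the original script: the hypothetical helper Get-ProxyAddressRemovalPlan classifies each entry offline, run here against constructed sample addresses.

```powershell
# Added example. Get-ProxyAddressRemovalPlan is a hypothetical helper and the
# sample addresses are constructed; nothing here touches Active Directory.
function Get-ProxyAddressRemovalPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string[]] $ProxyAddresses,
        [Parameter(Mandatory = $true)] [string]   $SmtpSuffix
    )
    foreach ($address in $ProxyAddresses) {
        # Entries look like "<type>:<value>"; split on the first colon only.
        $type, $value = $address -split ':', 2
        $action = 'Keep'
        if ($type -ieq 'smtp' -and $value) {
            # Compare the domain part only, never a substring of the whole entry.
            $domain = ($value -split '@')[-1]
            if ($domain -ieq $SmtpSuffix -or $domain -like "*.$SmtpSuffix") {
                # Upper-case "SMTP:" marks the primary address: replace it
                # deliberately instead of deleting it in bulk.
                $action = if ($type -ceq 'SMTP') { 'Review' } else { 'Remove' }
            }
        }
        [pscustomobject]@{ Action = $action; Address = $address }
    }
}

# Constructed sample: every entry except the first matches "*domain.local*".
$sample = @(
    'smtp:john.doe@contoso.com',
    'smtp:john.doe@domain.local',
    'smtp:jdoe@mail.domain.local',
    'SMTP:john.doe@domain.local',
    'smtp:john.doe@domain.local.contoso.com',
    'X500:/o=Org/ou=domain.local/cn=Recipients/cn=jdoe'
)

$plan = Get-ProxyAddressRemovalPlan -ProxyAddresses $sample -SmtpSuffix 'domain.local'
$plan | Format-Table -AutoSize

# Only the secondary smtp: entries in the non-routable domain are candidates.
$toRemove = [string[]]($plan | Where-Object Action -eq 'Remove').Address
```

The `$toRemove` array has the shape that `Set-ADUser -Remove @{proxyaddresses=$toRemove}` expects, and running that call with `-WhatIf` first shows the change without writing it.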

PowerShell Get List of Domain Controllers

Simple is better. And this is by far the simplest way I have found to get a cleanly formatted list of domain controllers in a domain:

Encase the Get-ADDomain cmdlet in parentheses and call the property ReplicaDirectoryServers.

Example:

PS C:\DEV> (Get-ADDomain domain.local).ReplicaDirectoryServers
NY-DC01.domain.local
NY-DC02.domain.local
BOSTON-DC01.domain.local
BOSTON-DC02.domain.local

 

PowerShell Monitor Job Status

This is a framework for basic monitoring of PowerShell jobs.

The basic steps are to store the current jobs in a variable named $jobs, then loop through the variable and increment $jobcount if the state of the job does not equal “Completed”. The script keeps looping until $jobcount is 0.

Lines 11 and 12 (the Write-Verbose and Start-Sleep calls) are merely demonstrative. You could put anything you want here…

do
{
   $jobcount = 0
   $jobs = Get-Job
   foreach ($job in $jobs)
   {
      if ($job.state -ne "Completed"){
         $jobcount++
      }
   }
   Write-Verbose "Active jobs: $jobcount"
   Start-Sleep -Seconds 5
}
until ($jobcount -lt 1)
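
A job that ends in the Failed or Stopped state never reaches Completed, so the loop above would wait on it indefinitely. The following added example (not from the original post; the function name Wait-AllJobs and the two sample jobs are constructed) treats every terminal state as finished, enforces a deadline and returns a per-state summary.

```powershell
# Added example. Wait-AllJobs is a hypothetical helper; the sample jobs are
# constructed to show one success and one failure.
function Wait-AllJobs {
    [CmdletBinding()]
    param(
        [int] $TimeoutSeconds = 60,
        [int] $PollSeconds    = 1
    )
    # States a job cannot leave on its own.
    $terminal = 'Completed', 'Failed', 'Stopped'
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $active = @(Get-Job | Where-Object { $terminal -notcontains [string]$_.State })
        Write-Verbose "Active jobs: $($active.Count)"
        if ($active.Count -eq 0) { break }
        if ((Get-Date) -gt $deadline) {
            Write-Warning "Timed out; still active: $($active.Name -join ', ')"
            break
        }
        Start-Sleep -Seconds $PollSeconds
    } while ($true)

    # Summarise how the jobs ended so failures are not silently ignored.
    Get-Job | Group-Object State | Select-Object Name, Count
}

$ok  = Start-Job -Name 'ok'  -ScriptBlock { Start-Sleep -Seconds 2; 'done' }
$bad = Start-Job -Name 'bad' -ScriptBlock { throw 'constructed failure' }

Wait-AllJobs -TimeoutSeconds 30 -Verbose

# A failed job keeps its error on the child job; read it before cleanup.
Get-Job -State Failed | ForEach-Object {
    '{0}: {1}' -f $_.Name, $_.ChildJobs[0].JobStateInfo.Reason.Message
}
$ok, $bad | Remove-Job -Force
```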

New-ManagementRole in Exchange Online PowerShell

Try as I could, I could not get the PowerShell command in this TechNet article to work in Exchange Online: https://technet.microsoft.com/en-us/library/dd298073(v=exchg.150).aspx

The article cleverly suggests that to create a custom management role, you create a new role and then just strip out the commands you don’t want by filtering out certain commands and removing the rest. This worked fine in my on-premises Exchange 2013 environment, but try as I could, it would not work in EOP.

Get-ManagementRoleEntry "Redmond Journaling View-Only\*" | `
Where { $_.Name -NotLike "Get*" } | `
Remove-ManagementRoleEntry

Attempting this command in Exchange Online you get the following:

PS C:\> Get-ManagementRoleEntry "Redmond Journaling View-Only\*" | `
Where { $_.Name -NotLike "Get*" } | `
Remove-ManagementRoleEntry -WhatIf

Cannot process argument transformation on parameter 'Identity'. Cannot convert value "Redmond Journaling View-Only" to type



The problem seems to be with the Identity parameter.

Long story short, I was able to use a foreach loop to do the same thing in Exchange Online.

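$rolename = "Delegated Admin Transport Hygiene"
$excludeterm = "*quarantine*"

# Create the custom role as a child of the built-in role
New-ManagementRole -Name $rolename -Parent "Transport Hygiene"

# Select the entries to strip: everything except the ones matching the exclusions
$role = Get-ManagementRoleEntry ($rolename + "\*") | `
    Where { $_.Name -NotLike $excludeterm `
        -and $_.name -notlike "*SenderAddress*"}

# Remove each entry by its full "role\cmdlet" identity
foreach ($r in $role){
    Remove-ManagementRoleEntry ($rolename + "\" + $r.Name) `
        -Confirm:$false}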

PowerShell Rewrite SAMAccountName and UPN

The script below rewrites the SamAccountName and UPN of users within your search scope to the format firstinitial+lastname. If a conflict is detected, a number is appended and the command is retried until Set-ADUser succeeds. The script makes no attempt on accounts missing either first name or last name.

$searchbase = "OU=OrgUnit,DC=DOMAIN,DC=COM"
$srcusers = Get-ADUser -filter * -SearchBase $searchbase

foreach($s in $srcusers){
    # Skip accounts that are missing a first name or a last name
    If ($s.Surname -like "*" -and $s.GivenName -like "*"){
        $newname = (($s.GivenName).Substring(0,1)+$s.Surname)
        $n = 1
        do
        {
            # Reset the error variable so only this attempt is evaluated
            $errvar = $null
            set-aduser -Identity $s.samaccountname `
                -SamAccountName $newname -UserPrincipalName ($newname + "@phsi.us") `
                -ErrorAction Continue -ErrorVariable errvar -Verbose
            # Prepare the next candidate: same name with a number appended
            $number = $n++
            $newname = ((($s.GivenName).Substring(0,1)+$s.Surname) + $number)
            $newname = $newname.Replace(".","")
            $newname = $newname.Replace(" ","")

        }
        # Retry until set-aduser completes without an error
        until ($errvar.count -eq 0)
    }
}
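
The retry loop above ends only when Set-ADUser reports no error, so an error that is not a naming conflict (access denied, for example) keeps it appending numbers indefinitely. The following added example, not part of the original script, computes the name before anything is written: New-UniqueLogonName is a hypothetical helper, the list of taken names is constructed and stands in for a directory lookup, and the helper also applies the 20-character sAMAccountName limit for user objects.

```powershell
# Added example. New-UniqueLogonName is a hypothetical helper; $taken is a
# constructed stand-in for a lookup of existing sAMAccountName values.
function New-UniqueLogonName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $GivenName,
        [Parameter(Mandatory = $true)] [string] $Surname,
        [string[]] $Taken = @(),
        [int] $MaxAttempts = 99
    )
    # firstinitial+lastname, with dots and spaces removed before the first
    # attempt rather than only on retries.
    $base = ($GivenName.Substring(0, 1) + $Surname) -replace '[. ]', ''
    for ($n = 0; $n -le $MaxAttempts; $n++) {
        $suffix = if ($n -eq 0) { '' } else { [string]$n }
        # sAMAccountName on user objects is limited to 20 characters, so
        # shorten the stem to leave room for the number.
        $stem = $base.Substring(0, [Math]::Min($base.Length, 20 - $suffix.Length))
        $candidate = $stem + $suffix
        # -notcontains is case-insensitive, as account name matching is in AD.
        if ($Taken -notcontains $candidate) { return $candidate }
    }
    # Bounded: give up with a clear error instead of looping forever.
    throw "No free name for '$base' after $MaxAttempts numbered attempts."
}

# Constructed input: two users collide on "jsmith", one surname has spaces
# and one exceeds the length limit.
$people = @(
    @{ GivenName = 'John';   Surname = 'Smith' },
    @{ GivenName = 'Jane';   Surname = 'Smith' },
    @{ GivenName = 'Mary';   Surname = 'Van Der Berg' },
    @{ GivenName = 'Alexis'; Surname = 'Featherstonehaugh-Cholmondeley' }
)
$taken = @('jsmith')

foreach ($p in $people) {
    $name = New-UniqueLogonName -GivenName $p.GivenName -Surname $p.Surname -Taken $taken
    $taken += $name          # reserve it for the rest of the batch
    '{0} {1} -> {2}' -f $p.GivenName, $p.Surname, $name
}
```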