User Profile
Sblackery
Copper Contributor
Joined 4 years ago
Recent Discussions
Re: Secure Score "this account is sensitive and cannot be delegated"
In our environment we don't have ADFS or Exchange, only 2 DCs, one of which is also a CA (I know it's not recommended, but it's working fine). Last week, we went from completed status with the DCs still showing as exposed, to a completed status with nothing showing as exposed, but as of this morning it's back to not completed ('to address') and the DCs are showing as exposed again.
107 Views, 0 likes, 0 Comments
Re: Secure Score "this account is sensitive and cannot be delegated"
I can confirm that today Secure Score has marked this recommendation as complete, thank you for that. There is one small oddity though, which is that the recommendation still lists the DCs in the 'exposed entities' section even though it's completed. I think this might be confusing for people who approach this recommendation from a point where they do have valid exposed entities they need to address, if the DC computer accounts are still listed there, but don't prevent completion.
146 Views, 1 like, 2 Comments
Re: Secure Score "this account is sensitive and cannot be delegated"
Hi - I see the Learn documentation has been changed as you stated, but the Secure Score recommendation has not changed in either title or function (DCs are still listed). Does this mean the remediation steps should be followed for DCs also, or is the Secure Score update delayed? Thanks!
323 Views, 0 likes, 5 Comments
Re: Secure Score "this account is sensitive and cannot be delegated"
micheleariis, the issue that many people are having with this is not so much HOW to do this but whether it's acceptable to do it. The accepted wisdom for a long time now has been that you do NOT disable delegation on your DC computer accounts, that doing so will, in fact, degrade your domain functions, as domain services running on a DC rely on being able to delegate via the DC computer account to other servers in the domain. But this Secure Score requirement is requiring that the DC computer account delegation be removed. Frustratingly, all the official documentation on this, including the MS Learn article specifically about this Secure Score requirement, completely ignores the computer accounts. The Learn article even shows computer accounts listed in its example screenshot and then completely ignores them and only instructs on how to resolve delegation of sensitive USER accounts.
1.5K Views, 1 like, 10 Comments
5.3.4 Maximum Body Parts error makes no sense
So I have one user who is plagued with one of the weirdest problems I've ever known in 30+ years of working with Exchange - this is on Office365. She is sending emails from Outlook on Windows but then getting an NDR:

Delivery has failed to these recipients or groups:
email address here
Your message is larger than the size limit for messages. Please make it smaller and try sending it again.
Diagnostic information for administrators:
Generating server: GV1PR02MB8281.eurprd02.prod.outlook.com
email address here
Remote Server returned '554-5.3.4 Content conversion limit(s) exceeded 554 5.3.4 STOREDRV.Submit.Exception:ConversionFailedException; Failed to process message due to a permanent exception with message [BeginDiagnosticData]Content conversion: Maximum number of body parts (250) per message exceeded ConversionFailedException: Content conversion: Maximum number of body parts (250) per message exceeded[EndDiagnosticData]'

That's not the weird part, the weird part is as follows:
1) Any other user can send the exact same message with no problem whatsoever.
2) If I run an Office repair (full online) or uninstall and reinstall Office, then the problem goes away and her emails send again - for a short time, after about 20-30 emails they all start failing again with the above error.
3) None of the failing messages show up in Exchange logs at all that I can find. Ones that succeed I can see, ones that fail for other valid reasons I can see, but these 5.3.4 emails are just not in the logs at all; it seems like the server rejects them even before they enter mail flow logging.

This is a largish and complex email they are trying to send; it does have a lot of inline images and some tables that I would expect to run the email up to around 30-40 parts (not sure how to check it).
When this email is generating the 5.3.4 she can still send basic emails, it's only these complex ones that fail - but it's not the email that is the problem, other staff have been sending the same email in bulk (we are a PR company, it's a weekly mailer we send out to journalists) with no issues whatsoever, and as stated if we repair or reinstall Office they temporarily send and then suddenly start failing again.
14K Views, 0 likes, 2 Comments
Re: 5.3.4 Maximum Body Parts error makes no sense
Does anyone have ANY ideas? I can add to the list of things that fix the issue temporarily but then it re-occurs after a number of emails: a completely different, known good computer, clean user profile - same thing happened, user was able to send the emails fine for a few hours and then every one bounces with the body parts message.
13K Views, 0 likes, 0 Comments