User Profile
Curious_Kevin16
Brass Contributor
Joined 3 years ago
Recent Discussions
Exchange server transport logs reading tool
Hi Exchange Brain Trust, I need to get rid of any inactive IP addresses out of my SMTP receive connectors in Exchange 2019 server (Hybrid environment). Is there a free tool to monitor/study transport logs which provides a good UI as opposed to notepad readings? Appreciate any suggestions. Thank you!
143 Views, 0 likes, 1 Comment

Programmatically remediate SharePoint and OneDrive Oversharing links
Hi SPO Brain Trust, Has anyone been able to work around a solution to programmatically remove oversharing links (from content level) from SharePoint sites and OneDrives as opposed to using 3rd party tooling? Very keen to hear your thoughts on this as we're looking at manually remediating these from our environment. Thank you!
137 Views, 0 likes, 1 Comment

Auto-labelling in Purview - Which license or alternatives can be used rather than E5?
We are considering adopting Purview for Information Protection and DLP, but we are currently on E3 licenses. Given the extensive size of our SharePoint environment, auto-labelling is crucial for applying sensitivity labels to content across wide scopes automatically. My question is, are there any alternatives to upgrading licenses to E5 or adding the Compliance Add-on? Upgrading several thousand users to E5 or the Compliance Add-on requires significant justification, and I am wondering if there are other interim solutions we could leverage for a period of one year. Any thoughts would be greatly appreciated! Thank you! Kev

Analytics solution options for SharePoint Online
Hi SharePoint Brain trust! We use Cardiolog analytics for our SharePoint Online environment. We're exploring options to get rid of this and potentially use native tooling in SPO or an economical option. Any ideas are greatly appreciated! Thank you!
97 Views, 0 likes, 1 Comment

Convert large number of Public Teams to Private
Howdy Folks, We currently have a substantial number of public Teams in our environment and would like to convert as many of these to private as possible as part of our security and compliance remediation efforts. Is there a recommended approach for automating this task, potentially using a script? Additionally, what implications should we be aware of as a result of converting these Teams to private? Any advice/help is much, much appreciated!

What are the exact steps (the latest) to enable container support in Purview?
I've been pulling my hair out trying to figure this one for the last couple hours. Can someone help me out with the exact steps (the latest) to enable container support (SharePoint Sites, Teams, 365 Groups) in Purview? Thanks in advance!

Fixing Oversharing links in SharePoint Online
Hi SharePoint Brain Trust, We are currently focused on addressing oversharing within our SharePoint environment. Previously, we had "Anyone" links enabled, but we have since upgraded the sharing settings to "Specific users only." However, we still need to remediate items that were previously shared too broadly. My question to the group is: Are there any native tools available for this task, aside from SharePoint Advanced Management (SAM)? If not, which third-party tools have you used or would you recommend for managing oversharing in SharePoint? Thank you! Kev
239 Views, 0 likes, 1 Comment

Moving Microsoft 365 authentication to Entra ID Cloud Auth from On-Prem ADFS
Hi Identity Brain Trust, Assuming this would be the right place for my question as I couldn't find any other hub more relevant for this one. We have several applications configured to be authenticated via ADFS. We are looking to move these gradually to Entra ID Cloud auth and decommission ADFS, eventually. I would like to test out how Microsoft 365 can be moved to Cloud Auth from ADFS for a certain group of people. I have tried to use the ADFS migration wizard in Entra but the 365 app is not showing in the ADFS Application Migration section of Entra ID. I've read this official guide but still couldn't find how this can be manually done when the App Migration section won't have the app appearing there. - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/migrate-ad-fs-application-overview Appreciate any of your inputs on this one! Kev

Active directory security remediation items - seeking advice
Hi Active Directory Brain Trust, We're aiming to implement the following security restrictions as part of an AD security remediation. If anyone has implemented or consulted on these in the past, could I please seek your advice on how to implement these (which objects to target to begin with, what implications they may introduce for operations, how to phase out the implementation etc.). Some useful info to read plus your advice is highly appreciated!!
Deny Log On Through Remote Desktop Services
Deny Log On Locally
Deny log on as a service
Deny access to this computer from the network

Re: Exchange multi tenant calendar sharing
Thanks so much VasilMichev for the quick turnaround! If we think a bit ahead, can the Multi-tenancy approach provide the same? We're interested in Multi-tenancy as we may be able to leverage its other capabilities as well in a later stage so it's a win-win. Can multi-tenancy facilitate calendar free/busy sharing? Thanks again!
467 Views, 0 likes, 1 Comment

Exchange multi tenant calendar sharing
Hi Exchange Brain Trust, I have 3 separate Exchange Online tenancies (all Hybrids) across different countries which I would like to connect for Calendar Free/Busy sharing. In the main tenant, we are using a SRV record for Autodiscover DNS publishing due to the number of domains being used (about 50 domains). My question is, what's the best way (knowing that we now have Multi-tenant capability too) to interconnect these 3 tenancies for Calendar sharing? Would this SRV record be a problem for this connection? Thank you and appreciate your inputs! Kev
527 Views, 0 likes, 3 Comments

Admin accounts which do not have the flag "This account is sensitive and cannot be delegated"
Hi AD Brain trust, I'm currently working on a security assessment for our internal AD environment. One of the items in the report is - Presence of Admin accounts which do not have the flag "This account is sensitive and cannot be delegated": 6. I'm struggling to understand the consequences of setting the flag for admin accounts. If anyone can shed some light on the implications/recommendations to resolve this detection, it would be greatly appreciated! Thank you!

Re: Make On-Prem Public Folders Accessible to Exch Online Users - MailUser Object sync is confusing me
chrisslroth, Any reasons why Public folders in EXO isn't a good idea? (except its just being a legacy feature). That'll require recreation of permissions and everything from scratch. Is there any option to import the content/structure directly other than migrating? Thanks a lot for your information!
373 Views, 0 likes, 0 Comments

Make On-Prem Public Folders Accessible to Exch Online Users - MailUser Object sync is confusing me
Howdy Exchange Brain Trust! I'm working on an Exchange Server 2019 migration to EXO. Part of it is Public folders but at this stage I do not want to migrate them but simply make them work cross-premises for migrated users. I've followed this official guide from MS - https://learn.microsoft.com/en-us/exchange/hybrid-deployment/set-up-modern-hybrid-public-folders but the first step (Synchronize MailUser objects script execution) output is confusing me.

[PS] C:\Temp>.\Sync-ModernMailPublicFolders.ps1 -CsvSummaryFile:sync_summary.csv
Checking for mail-enabled System folders...
Found 0 mail-enabled System folders.
Getting all public folders. This might take a while...
Found 200 public folders.
8 of those are mail-enabled.
1 folders are mail-enabled with no AD object.
7 folders are mail-enabled and are properly linked to an existing AD object.
Getting all MailPublicFolder objects...
10 MailPublicFolders are orphaned.
Building EntryId HashSets...
10 orphaned MailPublicFolder objects.
1 of those orphans point to mail-enabled folders that point to some other object.
2 of those orphans point to mail-disabled folders.

Results:

1 folders should be mail-disabled, either because the MailRecipientGuid does not exist, or because they are system folders. These are listed in the file called:
C:\Temp\FoldersToMailDisable.txt
After confirming the accuracy of the results, you can mail-disable them with the following command:
Get-Content "C:\Temp\FoldersToMailDisable.txt" | % { Disable-MailPublicFolder $_ }

7 MailPublicFolders are orphans and should be deleted. They exist in Active Directory but are not linked to any public folder. These are listed in a file called:
C:\Temp\MailPublicFolderOrphans.txt
After confirming the accuracy of the results, you can delete them with the following command:
Get-Content "C:\Temp\MailPublicFolderOrphans.txt" | % { $folder = ([ADSI]("LDAP://$_")); $parent = ([ADSI]"$($folder.Parent)"); $parent.Children.Remove($folder) }

1 MailPublicFolders are duplicates and should be deleted. They exist in Active Directory and point to a valid folder, but that folder points to some other directory object. These are listed in a file called:
C:\Temp\MailPublicFolderDuplicates.txt
After confirming the accuracy of the results, you can delete them with the following command:
Get-Content "C:\Temp\MailPublicFolderDuplicates.txt" | % { $folder = ([ADSI]("LDAP://$_")); $parent = ([ADSI]"$($folder.Parent)"); $parent.Children.Remove($folder) }

The duplicates we are deleting contain email addresses that might still be in use. To preserve these, we generated a script that will add these to the linked objects for those folders. After deleting the duplicate objects using the command above, run the script as follows to populate these addresses:
.\C:\Temp\AddAddressesFromDuplicates.ps1

No mail-disabled public folders with proxy GUIDs were found.

2 MailPublicFolders are disconnected from their folders. This means they exist in Active Directory and the folders are probably functioning as mail-enabled folders, even while the properties of the public folders themselves say they are not mail-enabled. This can be complex to fix. Either the directory object should be deleted, or the public folder should be mail-enabled, or both. These directory objects are listed in a file called:
C:\Temp\MailPublicFoldersDisconnected.txt

Done!

Confirm
Are you sure you want to perform this action?
Performing the operation "Remove File" on target "C:\Temp\sync_summary.csv".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y

-------------------------------------------------------

My Questions are:
1. Does this mean the output of the script was just "observation only" and no objects were synced? (All I need at this stage is to allow EXO users to access on-prem public folders. Is this step really necessary for that?)
2. Also received the error at the end after saying "Y" to the prompt to "Performing the operation "Remove File" on target. Is this only affecting the file removal or the overall sync as well?

Any clarity around these questions is really appreciated!! Thank you! Kev
535 Views, 0 likes, 3 Comments

Exchange Hybrid Configuration Wizard error - root element is missing when connecting to 365
Hi Exchange Brain trust, I have an Exchange 2016 environment where I recently joined an Exchange 2019 server to move everything and eventually decommission the 2016 server. Everything is configured manually to match what we currently have in the 2016 server - configuration wise, they both are identical now. We don't have any mailbox on-prem. It's just being used for administration and SMTP relay. The question is, do we still have to run Hybrid Config Wizard? The reason I'm asking is, I'm stuck on the following stage with an error I pulled my hair off for hours trying to figure the root cause. Connectivity is all working well. Any idea would be really appreciated!
2.5K Views, 4 likes, 18 Comments

Exchange Server 2019 Installation Fails with too many prerequisites check errors!
Hi Brain Trust, I'm trying to install Exchange 2019 server to replace my current Exchange 2013 server. I have all required permissions (Schema Admin, Enterprise Admin, Organization Management etc etc..) in the current environment and the Domain, Forest Functional levels are 2012 R2 as well. When I'm trying to run the exchange setup, the prerequisite check fails with a load of errors! Our AD environment is very simple. Single domain with about 6 DCs. Does anyone have an idea what could be causing this?

Errors
---------------
Error: The Active Directory schema isn't up-to-date, and this user account isn't a member of the 'Schema Admins' and/or 'Enterprise Admins' groups. For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-SchemaUpdateRequired?view=exchserver-2019

Error: Global updates need to be made to Active Directory, and this user account isn't a member of the 'Enterprise Admins' group. For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-GlobalUpdateRequired?view=exchserver-2019

Error: The local domain needs to be updated. You must be a member of the 'Domain Admins' group and 'Organization Management' role group, or 'Enterprise Admins' group to continue. For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-LocalDomainPrep?view=exchserver-2019

Error: You must be a member of the 'Organization Management' role group or a member of the 'Enterprise Admins' group to continue. For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-GlobalServerInstall?view=exchserver-2019

Error: You must use an account that's a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology. For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-DelegatedBridgeheadFirstInstall?view=exchserver-2019

Error: You must use an account that's a member of the Organization Management role group to install the first Client Access server role in the topology. For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-DelegatedCafeFirstInstall?view=exchserver-2019

Error: You must use an account that's a member of the Organization Management role group to install the first Client Access server role in the topology. For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-DelegatedFrontendTransportFirstInstall?view=exchserver-2019

Error: You must use an account that's a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology. For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-DelegatedMailboxFirstInstall?view=exchserver-2019

Error: You must use an account that's a member of the Organization Management role group to install or upgrade the first Client Access server role in the topology. For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-DelegatedClientAccessFirstInstall?view=exchserver-2019

Error: Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run setup with the /prepareAD parameter on a computer in the domain astc and site Depot, and wait for replication to complete. See the Exchange setup log for more information on this error. For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-AdInitErrorRule?view=exchserver-2019

Error: The forest functional level of the current Active Directory forest is not Windows Server 2012 R2 or later. To install Exchange Server 2019, the forest functional level must be at least Windows Server 2012 R2. For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-ForestLevelNotWin2012R2?view=exchserver-2019

Error: Either Active Directory doesn't exist, or it can't be contacted. For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-CannotAccessAD?view=exchserver-2019

Warning: Setup will prepare the organization for Exchange Server 2019 by using 'Setup /PrepareAD'. No Exchange Server 2016 roles have been detected in this topology. After this operation, you will not be able to install any Exchange Server 2016 roles. For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-NoE16ServerWarning?view=exchserver-2019
1.4K Views, 0 likes, 1 Comment

How to deal with an existing mailbox in Exchange Online (due to Teams being used) before migrating
We have a scenario where Teams is being used across the organization with a cloud identity. These accounts were recently consolidated with On-premises by soft matching via Entra ID Connect Sync. The issue now is, due to Teams being used with the cloud identity before account consolidation, there's an Exchange Online Mailbox for every user. We now have to migrate on-premises mailboxes to EXO as we've deployed Exchange Hybrid. My question is, how do we deal with this existing EXO mailbox? What is the best practice to avoid potential issues to Teams and its data associated with the existing mailbox? I really appreciate your thoughts! Thank you
479 Views, 0 likes, 1 Comment

Admin accounts and Defender email alerts
This must be a common scenario - Our admin accounts don't have mailboxes associated for obvious reasons. Mailboxes are for normal users but Microsoft says the Defender for Cloud apps alerts are sent to Admin account's email address. This doesn't make sense. How can this be sorted? What are the workarounds others are using? Thank you! Kev
410 Views, 2 likes, 1 Comment

Which MDCA roles will get email notifications by default in Defender for Cloud Apps?
Hi Experts, We've recently set up Defender for Cloud Apps but none of the accounts receive email alerts (some of these accounts have associated mailboxes - Security admin, Cloud App Security Admin etc.). My questions are: How do we set up alerts for admins who don't have a mailbox associated with their admin accounts? Which roles will natively receive email alerts for default policies? Or is it not based on roles? This is a grey area in MDCA for me and I really appreciate any inputs you may have! Thanks, Kev