30 January 2019

Export AD OU's Users and Groups & Import to test AD with a new domain name

Well, this was a fun task: export Active Directory OUs, all users and groups, and import everything into a new test Active Directory with a different domain name.

First export everything I need:
-OUs:
Get-ADOrganizationalUnit -filter * | select Name,DistinguishedName | Export-csv -path C:\temp\OUexport.csv -NoTypeInformation
-Users (per specific OU):
Get-ADUser -Filter * -SearchScope OneLevel -SearchBase "OU=Users,DC=domain,DC=lan" -Properties CanonicalName,CN,DisplayName,GivenName,Name,Surname | Export-Csv "C:\Temp\PeopleExport.csv"
Get-ADUser -Filter * -SearchScope OneLevel -SearchBase "OU=External,OU=Users,DC=domain,DC=lan" -Properties CanonicalName,CN,DisplayName,GivenName,Name,Surname | Export-Csv "C:\Temp\ExternalExport.csv"
Get-ADUser -Filter * -SearchScope OneLevel -SearchBase "OU=Regular Accounts,OU=Users,DC=domain,DC=lan" -Properties CanonicalName,CN,DisplayName,GivenName,Name,Surname | Export-Csv "C:\Temp\RegularAccountsExport.csv"
Get-ADUser -Filter * -SearchScope OneLevel -SearchBase "OU=RandomName,OU=External,OU=Users,DC=domain,DC=lan" -Properties CanonicalName,CN,DisplayName,GivenName,Name,Surname | Export-Csv "C:\Temp\RandomNameExternalExport.csv"
-Groups:
Get-ADgroup -filter * | select Name,DistinguishedName,samaccountname,groupcategory,groupscope | Export-csv -path "C:\temp\GroupsExport.csv"
Then copy the .csv files to the new domain controller in C:\Temp.
Go through the files and find and replace the old domain name with the new domain name.

You have to do something extra for the groups.
In Notepad++, search and replace the leading "CN=<name>," part out of the DistinguishedName column, so that only the parent path remains.
It will look like this in the csv file:
"Name","DistinguishedName","samaccountname","groupcategory","groupscope"
"HelpServicesGroup","CN=HelpServicesGroup,DC=NewDomain,DC=local","HelpServicesGroup","Security","DomainLocal"

But it needs to be:
"Name","DistinguishedName","samaccountname","groupcategory","groupscope"
"HelpServicesGroup","DC=NewDomain,DC=local","HelpServicesGroup","Security","DomainLocal"

This is because the group (the CN) does not exist yet; the -Path parameter of New-ADGroup expects the parent container, not the object's own DN.
To remove the "CN=*," value, use this regular expression in Notepad++ (Search Mode: Regular expression, Replace with left empty): CN=.*?,
Here "CN=" matches literally, ".*?" matches as few characters as possible, and the trailing "," makes the match stop at the first comma, so exactly the leading "CN=<name>," component is removed.
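The same rewrite of the exported files, done in PowerShell instead of Notepad++, as an added example that is not part of the original post. It assumes the old domain is domain.lan (DC=domain,DC=lan, as in the export commands), the new one is NewDomain.local (DC=NewDomain,DC=local, as in the group CSV sample), the exports live in C:\Temp, and rewritten copies get a "-new" suffix so the originals stay untouched.

```powershell
# Added example, not the post's own code. Assumed values: see the lead-in above.
$OldSuffix   = 'DC=domain,DC=lan'
$NewSuffix   = 'DC=NewDomain,DC=local'
$SuffixRegex = [regex]::Escape($OldSuffix) + '$'

function ConvertTo-ParentPath {
    # Turns an object's own DN into the parent container that New-ADGroup and
    # New-ADOrganizationalUnit expect in -Path: drop the leading RDN and swap the domain suffix.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Same job as the Notepad++ regex CN=.*?, but anchored to the start of the string,
    # also accepts OU= leaves, and does not split on an escaped comma (\,) inside the RDN value.
    $parent = $DistinguishedName -replace '^(CN|OU)=(?:\\.|[^,\\])*,', ''
    return ($parent -replace $SuffixRegex, $NewSuffix)
}

function Convert-ExportFile {
    # Reads an exported CSV, rewrites one column with the given script block and writes a "-new" copy.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Column,
        [Parameter(Mandatory)][scriptblock]$Rewrite
    )
    $out = $Path -replace '\.csv$', '-new.csv'
    Import-Csv -Path $Path |
        ForEach-Object { $_.$Column = & $Rewrite $_.$Column; $_ } |
        Export-Csv -Path $out -NoTypeInformation
    return $out
}

# Groups and OUs: DistinguishedName becomes the parent container in the new domain.
Convert-ExportFile 'C:\Temp\GroupsExport.csv' DistinguishedName { param($dn) ConvertTo-ParentPath $dn }
Convert-ExportFile 'C:\Temp\OUexport.csv'     DistinguishedName { param($dn) ConvertTo-ParentPath $dn }

# Users: New-ADUser ignores the exported DistinguishedName, but the UPN suffix must follow the new domain.
foreach ($f in 'PeopleExport', 'ExternalExport', 'RegularAccountsExport', 'RandomNameExternalExport') {
    Convert-ExportFile "C:\Temp\$f.csv" UserPrincipalName { param($upn) $upn -replace '@domain\.lan$', '@NewDomain.local' }
}
```

Point the import commands at the "-new" files afterwards.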

Then import:
-OUs:
#Import AD Module - RSAT must be installed or run from DC
Import-Module ActiveDirectory
#Variable location for CSV file; sort parents before children (fewer path components = higher in the tree)
$ous = Import-Csv -Path "C:\temp\OUexport.csv" | Sort-Object { ($_.DistinguishedName -split ',').Count }
# Loop through the CSV and create each OU
foreach ($ou in $ous)
{
    # Variables
    $ouname = $ou.name
    # -Path expects the parent container, not the OU's own DN: strip the OU's own "OU=<name>," prefix if the exported DN still carries it
    $oupath = $ou.DistinguishedName -replace ('^OU=' + [regex]::Escape($ouname) + ','), ''
    # Create the OU
    New-ADOrganizationalUnit -Name $ouname -Path $oupath -ManagedBy 'domain admins'
}
-Users:
# Each export file goes into the matching OU of the new domain; the OUs must exist first (see above).
# Pass123 is a throwaway password for the test domain only; every imported account gets it.
Import-Csv C:\Temp\PeopleExport.csv | New-ADUser -Enabled $True -Path 'OU=Users,DC=NewDomain,DC=local' -AccountPassword (ConvertTo-SecureString Pass123 -AsPlainText -Force)
Import-Csv C:\Temp\ExternalExport.csv | New-ADUser -Enabled $True -Path 'OU=External,OU=Users,DC=NewDomain,DC=local' -AccountPassword (ConvertTo-SecureString Pass123 -AsPlainText -Force)
Import-Csv C:\Temp\RegularAccountsExport.csv | New-ADUser -Enabled $True -Path 'OU=Regular Accounts,OU=Users,DC=NewDomain,DC=local' -AccountPassword (ConvertTo-SecureString Pass123 -AsPlainText -Force)
Import-Csv C:\Temp\RandomNameExternalExport.csv | New-ADUser -Enabled $True -Path 'OU=RandomName,OU=External,OU=Users,DC=NewDomain,DC=local' -AccountPassword (ConvertTo-SecureString Pass123 -AsPlainText -Force)
-Groups:
#Import AD Module - RSAT must be installed or run from DC
Import-Module ActiveDirectory
#Import CSV
$csv = Import-Csv -Path "C:\Temp\GroupsExport.csv"
#Loop through all items in the CSV
ForEach ($item In $csv)
{
    #Create the group; -Path is the parent container (the DistinguishedName column with the CN= part removed, see above).
    #Built-in groups such as HelpServicesGroup already exist in the new domain, so those land in the catch block.
    try {
        New-ADGroup -Path $item.DistinguishedName -SamAccountName $item.SamAccountName -GroupCategory $item.GroupCategory -GroupScope $item.GroupScope -Name $item.Name -ErrorAction Stop
        Write-Host "Group $($item.Name) created!"
    }
    catch {
        Write-Warning "Group $($item.Name) not created: $_"
    }
}

And there you have it.

22 January 2019

The content cannot be displayed in a frame - Exchange On-Premises - Exchange Online - Exchange Hybrid

After setting up your Hybrid Exchange connection, logging in to the Exchange Control Panel and trying to move your first mailbox to Exchange Online, you need to log in to Office365.

When you click the login button on the popup you receive the error from the title: "The content cannot be displayed in a frame".
Now this is fairly easy to fix: just add the URL https://outlook.office365.com to the trusted sites in Internet Explorer.
But then this:
The option is greyed out, typically because a policy (such as the Site to Zone Assignment List described below) already controls the zone lists and locks the UI.

There are two ways to get around this, one through the registry and one through a group policy.
Registry: put the following in a text file:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey]
"https://outlook.office365.com"="2"
Save it as a .reg file and execute it.

The same value can also be stored under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey, which applies to all users of the machine.

To check whether the settings are present, run in PowerShell:

$(Get-Item "HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey").Property

$(Get-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey").Property

The group policy goes like this:
  • Start -> type gpedit.msc -> hit Enter
  • Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page
  • In the right-hand panel, double-click the Site to Zone Assignment List option, then click Show...
  • Trusted sites are the ones with 2 in the Value column (1 = Intranet, 3 = Internet, 4 = Restricted)
If that doesn't work (the option is set to "Not Configured" or the list is empty), try the same, except instead of Computer Configuration, start with User Configuration.
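The two registry checks above combined into one lookup that also translates the zone number, as an added example that is not part of the original post. It assumes the site to look up is https://outlook.office365.com, as used in the .reg file; any other site string works the same way.

```powershell
# Added example, not the post's own code. Reads the policy ZoneMapKey in both hives and
# reports which zone a site is assigned to, using the zone numbers from the GPO list above.
$ZoneNames = @{ '1' = 'Intranet'; '2' = 'Trusted sites'; '3' = 'Internet'; '4' = 'Restricted sites' }
$PolicyKeys = @(
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Get-SiteZoneAssignment {
    # Returns one record per hive in which the site has a policy zone assignment.
    # No output means no policy entry exists for it, so the normal Internet Options zone list applies.
    param([Parameter(Mandatory)][string]$Site)
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        # .Property lists the value names; the value data is the zone number as a string
        if ($item.Property -notcontains $Site) { continue }
        $zone = [string]$item.GetValue($Site)
        $name = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'unknown' }
        [pscustomobject]@{
            Hive = $key.Split(':')[0]   # HKCU or HKLM
            Site = $Site
            Zone = $zone
            Name = $name
        }
    }
}

Get-SiteZoneAssignment -Site 'https://outlook.office365.com' | Format-Table -AutoSize
```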

03 January 2019

Enable audit logging on all mailboxes in your tenant - Optimize your SecureScore

If you want to achieve the highest Secure Score, the Secure Score actions list advises you to enable mailbox auditing.
If you follow the link in that action you land on a GitHub page with a script that enables auditing on all mailboxes in a tenant.
But it was missing one mailbox type, the SchedulingMailbox.
I added the missing mailbox type in the command below; now it works as it should.

First login to your tenant with global admin rights or Exchange Online admin privileges:
Connect-EXOPSSession
Check how your settings are now:
Get-Mailbox -ResultSize Unlimited | Select Name, AuditEnabled, AuditLogAgeLimit | Out-Gridview
Then turn on audit logging on all mailboxes:
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or
RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox" -or RecipientTypeDetails -eq "SchedulingMailbox"} |
Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180 -AuditAdmin Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs,
SendOnBehalf, Create, UpdateFolderPermissions -AuditDelegate Update, SoftDelete, HardDelete, SendAs, Create, UpdateFolderPermissions,
MoveToDeletedItems, SendOnBehalf -AuditOwner UpdateFolderPermissions, MailboxLogin, Create, SoftDelete, HardDelete, Update, MoveToDeletedItems
Check again to be sure all mailboxes are enabled for audit logging:
Get-Mailbox -ResultSize Unlimited | Select Name, AuditEnabled, AuditLogAgeLimit | Out-Gridview
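A stricter version of that final check, as an added example that is not part of the original post: instead of a grid to eyeball, it lists only the mailboxes of the five types above that still fall short of the settings the Set-Mailbox command applies. It assumes an Exchange Online session is already open (Connect-EXOPSSession as above).

```powershell
# Added example, not the post's own code. Returns the in-scope mailboxes that are not yet
# compliant with the audit settings from the command above, with the reason(s) per mailbox.
$RequiredTypes        = 'UserMailbox', 'SharedMailbox', 'RoomMailbox', 'DiscoveryMailbox', 'SchedulingMailbox'
$RequiredAgeLimitDays = 180
# Actions the command above sets per role; any that are missing get reported.
$RequiredAdmin    = 'Update', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete', 'SendAs', 'SendOnBehalf', 'Create', 'UpdateFolderPermissions'
$RequiredDelegate = 'Update', 'SoftDelete', 'HardDelete', 'SendAs', 'Create', 'UpdateFolderPermissions', 'MoveToDeletedItems', 'SendOnBehalf'
$RequiredOwner    = 'UpdateFolderPermissions', 'MailboxLogin', 'Create', 'SoftDelete', 'HardDelete', 'Update', 'MoveToDeletedItems'

function Test-MailboxAuditConfig {
    # Takes Get-Mailbox output on the pipeline; emits one record per non-compliant mailbox.
    param([Parameter(Mandatory, ValueFromPipeline)]$Mailbox)
    process {
        if ($RequiredTypes -notcontains "$($Mailbox.RecipientTypeDetails)") { return }
        $reasons = @()
        if (-not $Mailbox.AuditEnabled) { $reasons += 'AuditEnabled is false' }
        # In a remote session AuditLogAgeLimit arrives as a string like "90.00:00:00"
        $ageDays = ([TimeSpan]"$($Mailbox.AuditLogAgeLimit)").TotalDays
        if ($ageDays -lt $RequiredAgeLimitDays) { $reasons += "AuditLogAgeLimit $ageDays < $RequiredAgeLimitDays days" }
        $roles = @(
            @{ Role = 'AuditAdmin';    Want = $RequiredAdmin },
            @{ Role = 'AuditDelegate'; Want = $RequiredDelegate },
            @{ Role = 'AuditOwner';    Want = $RequiredOwner }
        )
        foreach ($set in $roles) {
            $have    = @($Mailbox.($set.Role) | ForEach-Object { "$_" })
            $missing = @($set.Want | Where-Object { $have -notcontains $_ })
            if ($missing.Count) { $reasons += "$($set.Role) missing: $($missing -join ', ')" }
        }
        if ($reasons.Count) {
            [pscustomobject]@{ Name = $Mailbox.Name; Type = "$($Mailbox.RecipientTypeDetails)"; Reasons = $reasons -join '; ' }
        }
    }
}

Get-Mailbox -ResultSize Unlimited | Test-MailboxAuditConfig | Format-Table -AutoSize
```

An empty result means every mailbox of the five types carries the full set of audit settings.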