21 January 2022

Count your Active directory objects

When installing Azure AD Connect you need to size your server according to Microsoft's table of hardware requirements for Azure AD Connect, which is keyed on the number of objects in Active Directory:

Hardware requirements for Azure AD Connect

The following table shows the minimum requirements for the Azure AD Connect sync computer. (The table itself is not reproduced here.)


To quickly count all objects in your Active Directory, replace the SearchBase with the distinguished name of your domain and run:

(Get-ADObject -SearchBase "dc=Mydomain,dc=com" -LDAPFilter "(objectCategory=*)").Count

This shows the total number of objects in that domain partition, containers and OUs included. In a multi-domain forest run it once per domain (use -Server to target each one).

If you want to know how many user, group, computer account, distribution group and security group objects there are, do this (every group is either a security or a distribution group, so the two category counts are a breakdown of the group total, not extra objects):

$ADUser = (Get-ADUser -Filter *).Count
$ADGroup = (Get-ADGroup -Filter *).Count
$ADComputer = (Get-ADComputer -Filter *).Count
$Distribution_Groups = (Get-ADGroup -Filter {GroupCategory -eq "Distribution"}).Count
$Security_Groups = (Get-ADGroup -Filter {GroupCategory -eq "Security"}).Count
# $ADGroup already contains both categories; adding them again would double-count the groups.
$ADObjects = $ADUser + $ADGroup + $ADComputer
"Users: $ADUser, Groups: $ADGroup (Security: $Security_Groups, Distribution: $Distribution_Groups), Computers: $ADComputer, Total: $ADObjects"

Note that this total only covers users, groups and computers, so it will be lower than the all-objects count from the first command.
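The counts above are for one domain and mix a few classes. As an added example (not code from the original post), the function below runs the same census for every domain in the forest and adds a breakdown by objectClass, so you can see where the total the sizing table is keyed on actually comes from. It assumes the ActiveDirectory RSAT module and read access to each domain; the domain list comes from Get-ADForest, nothing is hard-coded.

```powershell
# Added example, not from the original post: per-domain object census for Azure AD Connect sizing.
# Assumes the ActiveDirectory RSAT module and read access to every domain in the forest.
Import-Module ActiveDirectory

function Get-ADObjectCensus {
    param(
        # Defaults to every domain in the current forest.
        [string[]]$Domain = (Get-ADForest).Domains
    )
    foreach ($d in $Domain) {
        $searchBase = (Get-ADDomain -Identity $d).DistinguishedName

        # Everything in the domain partition: the number the hardware table is keyed on.
        $allObjects = @(Get-ADObject -Server $d -SearchBase $searchBase -LDAPFilter '(objectCategory=*)')

        # Groups are fetched once; GroupCategory is part of the default property set.
        $groups = @(Get-ADGroup -Server $d -Filter *)

        [pscustomobject]@{
            Domain             = $d
            TotalObjects       = $allObjects.Count
            Users              = @(Get-ADUser -Server $d -Filter *).Count
            Computers          = @(Get-ADComputer -Server $d -Filter *).Count
            Contacts           = @(Get-ADObject -Server $d -SearchBase $searchBase -LDAPFilter '(objectClass=contact)').Count
            Groups             = $groups.Count
            SecurityGroups     = @($groups | Where-Object GroupCategory -eq 'Security').Count
            DistributionGroups = @($groups | Where-Object GroupCategory -eq 'Distribution').Count
            # Per-class breakdown: shows how much of the total is OUs, containers, DNS nodes etc.
            ByClass            = ($allObjects | Group-Object ObjectClass | Sort-Object Count -Descending |
                                  ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }) -join ', '
        }
    }
}

Get-ADObjectCensus | Format-List
```

If you scope the sync with OU or domain filtering in Azure AD Connect, only in-scope objects are synchronised, so the per-domain totals here are an upper bound for sizing rather than the exact number.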

13 January 2022

Enable TLS 1.3 on Windows Server 2022

HTTP/3 runs over QUIC, which uses TLS 1.3 for its handshake. Windows Server 2022 has TLS 1.3 on by default, but HTTP/3 support in http.sys is opt-in via a REG_DWORD value named "EnableHttp3" set to 1 under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters".
Running this command from an elevated prompt will create the value:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableHttp3 /t REG_DWORD /d 1 /f

Then restart the HTTP service (net stop http /y, then net start http and the services it stopped, such as W3SVC) or simply reboot Windows to apply the setting.

It is likely the web service will need to advertise it is available over HTTP/3 as well, using “Alt-Svc” headers in HTTP/2 responses (though this can also be done using HTTP/2 ALTSVC frames). This allows clients who connect over HTTP/2 to learn the service’s HTTP/3 endpoint and use that going forward. The advertisement carries the HTTP/3 ALPN (“Application-Layer Protocol Negotiation”) identifier, which tells the client which version of HTTP/3 to use for future requests. Sending the ALTSVC frame can be done by http.sys; that is enabled by setting the “EnableAltSvc” registry value with the command below.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableAltSvc /t REG_DWORD /d 1 /f

After that, enable the TLS 1.3 cipher suite TLS_CHACHA20_POLY1305_SHA256 in PowerShell. It is listed as supported but not enabled by default on Windows Server 2022, and -Position 0 puts it at the top of the cipher suite priority list:

Enable-TlsCipherSuite -Name TLS_CHACHA20_POLY1305_SHA256 -Position 0

Finally, add the HTTP/3 advertisement as a response header on your IIS website (the HTTPS site, since HTTP/3 is only ever negotiated over TLS).

Under the HTTP Response Headers, add a custom HTTP response header with the following information:
Name: alt-svc
Value: h3=":443"; ma=86400; persist=1

Here h3 is the HTTP/3 ALPN identifier, :443 the UDP port the QUIC endpoint listens on, ma=86400 keeps the advertisement valid for 24 hours, and persist=1 asks the client to keep it across network changes.


After adding the response header, enabling the cipher suite and adding the registry values, reboot your Windows Server 2022 server. Also make sure UDP port 443 is allowed inbound in the Windows Firewall and on any firewall in front of the server: QUIC runs over UDP, and an HTTPS rule that only opens TCP 443 will silently leave every client on HTTP/2.
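The steps above are spread over reg.exe, PowerShell and the IIS Manager UI. As an added example (not code from the original post or from Microsoft), the script below applies and verifies all of them in one elevated PowerShell session, including the UDP firewall rule. It assumes IIS with the WebAdministration module and a site, placeholder name 'Default Web Site', that already has an HTTPS binding on port 443; the firewall rule name is also an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: apply and verify the HTTP/3 settings on Windows Server 2022.
# Assumptions: IIS with the WebAdministration module, a site named 'Default Web Site' with an HTTPS
# binding on 443, and a firewall rule name of our own choosing.
Import-Module WebAdministration

$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$appHost    = 'MACHINE/WEBROOT/APPHOST'
$siteName   = 'Default Web Site'                   # assumption: change to your site
$headerPath = 'system.webServer/httpProtocol/customHeaders'
$altSvc     = 'h3=":443"; ma=86400; persist=1'     # advertise HTTP/3 on UDP 443 for one day

# 1. http.sys opt-in: EnableHttp3 turns on HTTP/3, EnableAltSvc lets http.sys send ALTSVC frames
#    in HTTP/2 responses. Both are REG_DWORD = 1; -Force overwrites an existing value.
foreach ($name in 'EnableHttp3', 'EnableAltSvc') {
    New-ItemProperty -Path $httpParams -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

# 2. TLS 1.3 cipher suite needed for QUIC; -Position 0 puts it first in the priority list.
if (-not (Get-TlsCipherSuite -Name 'TLS_CHACHA20_POLY1305_SHA256')) {
    Enable-TlsCipherSuite -Name 'TLS_CHACHA20_POLY1305_SHA256' -Position 0
}

# 3. alt-svc response header on the site, added only if it is not already there (idempotent).
$existing = Get-WebConfiguration -PSPath $appHost -Location $siteName -Filter "$headerPath/add[@name='alt-svc']"
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter $headerPath `
        -Name '.' -Value @{ name = 'alt-svc'; value = $altSvc }
}

# 4. QUIC runs over UDP; the stock HTTPS rule only opens TCP 443.
$ruleName = 'HTTP/3 (QUIC) UDP 443'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP -LocalPort 443 -Action Allow | Out-Null
}

# 5. Show what is now configured; http.sys only reads the registry values on (re)start, so reboot afterwards.
Get-ItemProperty -Path $httpParams -Name EnableHttp3, EnableAltSvc | Select-Object EnableHttp3, EnableAltSvc
Get-TlsCipherSuite -Name 'TLS_CHACHA20_POLY1305_SHA256' | Select-Object Name, Protocols
Get-WebConfiguration -PSPath $appHost -Location $siteName -Filter "$headerPath/add[@name='alt-svc']" | Select-Object name, value
Write-Host 'Reboot to apply the http.sys settings (Restart-Computer).'
```

After the reboot the first request from a browser still arrives over HTTP/2; the client caches the Alt-Svc advertisement and switches to h3 for subsequent requests, which you can confirm in the browser's developer tools (Protocol column) or with a curl build that supports --http3.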

06 January 2022

Set Outlook delegate permission with PowerShell

Sometimes my users ask things I didn't know existed.

The question I got was: Why can't I see the meeting invitations sent to the person's mailbox and calendar I manage in my own inbox? I knew it had to do with delegates, but thought that could only be set by the owner of the mailbox. Turns out I was wrong, it can be set by the admin with PowerShell.

It's always PowerShell 😜

First check the current permissions on the calendar folder. The folder name is localized (here the Dutch "Agenda"; on an English mailbox it is "Calendar"):

Get-MailboxFolderPermission "TargetUser:\agenda"

FolderName           User                 AccessRights                           SharingPermissionFlags
----------           ----                 ------------                           ----------------------
Agenda               Default              {AvailabilityOnly}
Agenda               DestinationUser      {PublishingEditor}                     Delegate
Agenda               SomeUser             {Reviewer}
Agenda               SomeUser2            {LimitedDetails}
Agenda               TargetUser           {LimitedDetails}
Agenda               SomeUser3            {Editor}                               Delegate

Then remove the existing permission entry for the destination user (alternatively, Set-MailboxFolderPermission changes an existing entry in place):

Remove-MailboxFolderPermission "TargetUser:\agenda" -User DestinationUser

Confirm
Are you sure you want to perform this action?
Removing mailbox folder permission on Identity:"TargetUser:\agenda" for user "DestinationUser".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):

There are a few things to note before setting the permissions. SharingPermissionFlags only applies to the Calendar folder, and the Delegate flag requires AccessRights "Editor"; multiple flags are separated with a comma; and SendNotificationToUser expects a boolean value, so pass $false for no notification or $true to send a notification to the user:

Add-MailboxFolderPermission "TargetUser:\agenda" -User DestinationUser -SharingPermissionFlags Delegate,CanViewPrivateItems -AccessRights Editor -SendNotificationToUser $true

FolderName           User                 AccessRights                           SharingPermissionFlags
----------           ----                 ------------                           ----------------------
Agenda               DestinationUser      {Editor}                               Delegate, CanViewPrivateItems

That's it
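The three commands above assume you already know the localized calendar folder name and that the delegate has no existing entry. As an added example (not code from the original post), the function below resolves the default calendar by folder type, then updates the entry in place when it exists and adds it otherwise, so it can be re-run safely. It assumes the ExchangeOnlineManagement module with an established session (Connect-ExchangeOnline); the mailbox names in the usage line are placeholders.

```powershell
# Added example, not from the original post: idempotent calendar delegate setup in Exchange Online.
# Assumes Connect-ExchangeOnline has already been run; mailbox identities below are placeholders.
function Set-CalendarDelegate {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$Delegate,
        [switch]$CanViewPrivateItems,
        [switch]$Notify
    )

    # The calendar folder name is localized ("Agenda", "Calendar", "Kalender" ...), so look it up
    # by folder type instead of hard-coding the name.
    $calendar = Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope Calendar |
                Where-Object FolderType -eq 'Calendar' | Select-Object -First 1
    if (-not $calendar) { throw "No default calendar folder found for $Mailbox" }
    $identity = '{0}:\{1}' -f $Mailbox, $calendar.Name

    # Delegate requires Editor; CanViewPrivateItems is optional and comma-separated from it.
    $flags = if ($CanViewPrivateItems) { 'Delegate,CanViewPrivateItems' } else { 'Delegate' }

    $params = @{
        Identity               = $identity
        User                   = $Delegate
        AccessRights           = 'Editor'
        SharingPermissionFlags = $flags
        SendNotificationToUser = [bool]$Notify
    }

    # Set- changes an existing entry in place; Add- is only valid when there is none yet.
    $current = Get-MailboxFolderPermission -Identity $identity -User $Delegate -ErrorAction SilentlyContinue
    if ($current) { Set-MailboxFolderPermission @params | Out-Null }
    else          { Add-MailboxFolderPermission @params | Out-Null }

    # Return the resulting entry so the caller can verify AccessRights and SharingPermissionFlags.
    Get-MailboxFolderPermission -Identity $identity -User $Delegate
}

Set-CalendarDelegate -Mailbox 'TargetUser' -Delegate 'DestinationUser' -CanViewPrivateItems -Notify
```

CanViewPrivateItems exposes appointments the owner marked private, so only pass it when the owner has actually agreed to that; Delegate alone is enough for the delegate to receive the meeting invitations.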