Posted on

Who can join a workstation to the Active Directory domain?

By default all domain users have the ability to add a workstation to the domain.

Limits on the number

The limitation on this task is that any one user can add a maximum of 10 workstations to the domain.

Impact

When the user reaches the maximum number of computers joined to the domain, he receives this error message

Who added a workstation to active directory?

To find out who added a workstation to the active directory, simply run this ppowershell script created based on this article:

Using PowerShell to Discover Who Added a Client to Your Domain

Clear-Host

Write-Host "I'm writing ms-DS-MachineAccountQuota"

# List the current value of ms-DS-MachineAccountQuota
Get-ADDomain |
Select-Object -ExpandProperty DistinguishedName |
Get-ADObject -Properties 'ms-DS-MachineAccountQuota' |
Select-Object -ExpandProperty ms-DS-MachineAccountQuota





Write-Host "Number clients in this environment"
Get-ADComputer -Filter * | Measure-Object | Select-Object -ExpandProperty Count
Write-Host "Number users in this environment"
Get-ADUser -Filter * | Measure-Object | Select-Object -ExpandProperty Count


Write-Host ""
Write-Host "Who did this?"
$Clients = Get-ADComputer -Properties ms-ds-CreatorSid, WhenCreated -Filter {ms-ds-creatorsid -ne "$Null"}
$Users = Get-ADUser -Filter *

ForEach ($C in $Clients)
{
ForEach ($U in $Users)
{
If ($U.Sid -eq $C.'ms-ds-creatorsid')
{
$C | Select-Object -Property @{
Name = 'ComputerName'; Expression = {$C.Name}},
@{Name = 'WhenCreated'; Expression = {$C.WhenCreated.DateTime}},
@{Name = "UserName"; Expression = {$U.Name}
}
}
}
}

Change the limit on the number of workstations

It is possible to modify this number by increasing it or bringing it to 0. If it is set to 0, users will have to have particular permissions to be able to add a computer to the domain.

To do this, from the domain controller, launch the adsiedit.msc command.

On the left, position yourself on the main node that begins with “DC=…”. Right-click -> Properties. The key with the number to change is MS-DS-MachineAccountQuota.

 

Restrict adding a workstation to the domain to a group

It is possible to limit the ability to add workstations to the domain to a group of users by acting directly on the GPOs

Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment

Look for the “Add workstations to the domain” entry and change it to specify only the users and groups that can perform the add operation.

Posted on

AD – Active Directory – Export Users Password Expiration Date to a file

how to get the password expiration date for Active Directory User Accounts.

Open PowerShell and run the command

$ExportPath = 'c:\temp\passwordexpiration.csv’
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTim
Posted on

Active Directory: change server roles

In a multiserver Windows Active Directory Server environment, it may be necessary to move roles from one server to another.

Which server has Active Directory roles?

To find out which server has the Active directory roles type the command:

NETDOM QUERY FSMO

Transfer roles with command line.

Open a Dos prompt and type:

ntdsutil

then

roles

then

connections

then

Connect to server ServerFQDN

Where server is the server you want to pass roles to

Then

quit

Depending on the roles you want to switch, type the following commands:

Ruolo Credenziali Comando
Master for domain naming Enterprise Administrators Seize naming master
Master schema Schema Administrators Seize schema master 
Iìnfrastructur master  Domain Admins Seize infrastructure master 
Master PDC emulator Domain Admins Seize pdc
master RID Domain Admins Seize rid master
Posted on

microsoft wsus : questions and answers

How to update group policy on a client ?

gpupate /force

Which wsus server is registered on a client ?

REG QUERY "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate"

How to print group policy group for a client on screen ?

Gpresult /r

How to  confirm whether the update has been downloaded on the WSUS server first ?

Add file staus option. In wsus , in update window, right click on grid header and select “File Status”. The green icon means that the update is ready for installation.

How to get update log in a client via PoerShell ?

Open Powershall with admin privileges and digit :

Get-WindowsUpdateLog

This command will build a wsus client log on desktop.

How to remove a windows computer from wsus updating

Posted on

Error from Filezilla Client to Microsoft IIS FTP Server

When you connect to ftp server create with Microsoft IIS using Filezilla Client you should have this error

GnuTLS error -48: Key usage violation in certificate has been detected. Could not connect to server

Your configuration settings are something like this :

  • Protocol: FTP – File Transfer Protocol
  • Encryption: Require explicit FTP over TLS

The problem is with self signed certificate on server side. This is a problem with the certificate generation of Microsoft IIS, as it does not allow the certificates to be used for digital signatures.

How to generate a valid certificate with IIS

This is a server-side issue, and it did not appear previously because earlier versions of FileZilla shipped with a GnuTLS version that didn’t make this check.

Quoting Tim Kosse’s post in the FileZilla forum thread:

In any case, the problem is with your server’s X.509 certificate chain: Either the server certificate itself or another certificate in the chain has a key usage restriction that is violated. For example a certificate with a key usage restriction to signing cannot be used to authenticate TLS connections. See section 4.2.1.3 of RFC 5280.

This is a problem with the certificate generation of Microsoft IIS (but may also happen if you incorrectly generated a certificate with another method), as it does not allow the certificates to be used for digital signatures. OpenSSL is much more relaxed about this and won’t fail because of it, so it may work with other apps.

On the client side, you can either disable TLS, downgrade to an earlier version of FileZilla (neither of these is recommended due to potential security risks), or use a different client which uses another library such as OpenSSL for now.

How to generate a valid certificate with IIS

This needs to be done on the server side, Yobviously.you can generate the certificate with PowerShell instead until the issue is fixed by Microsoft. Open PowerShell in admin mode.

The following powershell command will create our self-signed certificate for our binding and store it in the Personal Store (Note how I also store a reference to the certificate in a variable called $cert this will be needed further on):

$binding = "192.168.1.70"
$cert = New-SelfSignedCertificate -DnsName "$binding" -CertStoreLocation "cert:\LocalMachine\My"

However, this is not enough to make the certificate work for HTTPS in our browser. We need to add our newly created certificate to the Trusted Root Certificate store. To do this we take our $cert variable which references our created certificate and add it to our Trusted Root Certificate store like so:

$DestStore = new-object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::Root,"localmachine")
$DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$DestStore.Add($cert)
$DestStore.Close()

Now you have to set the new certicate on your ftp site using IIS Admin.

Posted on

Migrate IMAP mailboxes to Microsoft 365 – Office 365 – Exchange online

Here are the steps required in sequence to migrate an IMAP domain to Exchange Online.

  1. Add the domain to your Microsoft 365 tenant. You don’t have to complete the mail server setup.
  2. Add domain users to Microsoft 365. Each user must have a Microsoft 365 Business Basic, Standard, or Premium license
  3. Prepare the csv file for migration, separated by commas. In the first line put EmailAddress, UserName, Password. In the following lines the data: “EmailAddress is the Microsoft account,” UserName “is the imap server account and” Password “is the imap server password

example of csv

EmailAddress,UserName,Password
terrya@contoso.edu,contoso\terry.adams,1091990
annb@contoso.edu,contoso\ann.beebe,2111991
paulc@contoso.edu,contoso\paul.cannon,3281986
  1. Log in as an administrator in Microsoft 365 and go to the Exchange admin center. (Note: this guide is for the “classic” Exchange administration interface. Select “recipients” on the left; select “migration” at the top.
  2. At the center of the page there is a button with three dots: …. Selecting it, the endpoint is inserted, that is the Imap source server. In the next window add the new endpoint (IMAP).
  3. Create a new migration. launch the migration
  4. once the migration is complete, in the tenant, you can finish configuring the domain for what concerns the mail server, following the instructions on the tenant and changing your dns

The Rules of Migration

You can put all users in a migration. When a migration ends in error, you can delete a user from it and put the same user in another migration. You can have multiple migrations at the same time but the same user cannot exist in more than one migration. Migration can exist for up to 60 days.

It is not a migration

In reality, Microsoft does a more sophisticated operation than a “trivial” migration: it makes a sync. Synchronize entire imap mailbox to Exchange mailbox in one direction (from imap to exchange). It is sophisticated but less effective than a normal migration: it is not in real time but after 24/30 hours. So if you want to replace the mail server, users would lose at least 24 hours of email.

Configuring perspectives

On Outlook clients, you can add the new Exchange account online. It will be the same as the old mailbox, but will be managed by Exchange. For a while you will then have 2 mailboxes that manage the same mail but on different servers: one is the old imap server, the other one the new Exchange server. When the migration is finished and you have also moved the mx records on the dns, you can delete the old mailbox. Before doing this, however, you must also memorize the contacts and the calendar from the “old” to the “new”:

Contacts: select all contacts, right click, select “move” and then “copy to folder …”, Exchange mailbox contacts.

Calendar: To move appointments between 2 calendars: both calendars and drag appointments from old to new.

Problems in migration

If you have any problem you can investigate using PowerShell. First install ExchangeOnlineManagement.

Connect to the tenant:

Connect-ExchangeOnline -UserPrincipalName <your Admin Username>

The password request screen appears.

List of all endpoints in the tenant

get-migrationendpoint|FL

endpoint test

Test-MigrationServerAvailability -Endpoint <Identity of the endpoint from above>

view sync configuration of single user

Get-SyncRequest -Mailbox  <user>

esport migration result for a user

Get-MigrationUserStatistics <user> -IncludeSkippedItems -IncludeReport 
-DiagnosticInfo "showtimeslots, showtimeline, 
verbose" | Export-Clixml C:\temp\MigMyUser.xml

Exchange mailboxes have a 35MB limit. If you have to move something bigger during the migration you have to change this limit.

Set-Mailbox -Identity <user> -MaxReceiveSize 150MB

Documentation:

Posted on

Register a web application with Azure AD Portal App Registration to connect to a Microsoft 365 tenant

PowerShell Limits

Through Powershell it is possible to connect to a Microsoft 365 tenant to perform operations on users, groups and any other element of the tenant. When you use this tool, Powershell presents you with the mask for entering your account and password. You can write accounts and passwords directly in the Powershell script but it would be a serious security compromise.

Application

An alternative is to build a software that connects directly to the Tenant through customized keys present in the Tenant itself. In other words, it is necessary to communicate to the Tenant that there is a certain application that is authorized to access the Tenant. Furthermore, for each operation that you want to perform on the Tenant it is necessary to specify the appropriate permissions. To create these applications, we recommend that you follow the excellent tutorial “.Net Core console application for calling Microsoft Graph“.  This post proposes the images present in the previous tutorial only to specify how the application must be prepared on the Microsoft Tenant.

Register a web application with Azure AD Portal App Registration

Open a browser and navigate to the Azure Portal. Login using your account. Select the resource “Azure Active Directory”. On the left side menu, select “App regitstration”. Click New registration from the current page.

On the Register an application page, specify the following values:

  • Name = Name of your Application
  • Supported account types
  • Redirect URI
    • Type = Web
    • Value = https://localhost:8080   (*)

(*) The Redirect URI value must be unique within your domain. This value can be changed at a later time and does not need to point to a realy hosted URI.

It is now necessary to store 2 values that will be used in your application:

  • Application (client) ID
  • Directory (tenant) ID

Certificates & secrets

Click Certificates & secrets.

  1. Click New client secret.
  2. On the Add a client secret dialog, specify the following values:
    • Description = Your secret’s description
    • Expires = In 1 year (for example)
  3. Click Add.

After the screen has updated with the newly created client secret copy the VALUE of the client secret. This secret string is never shown again, so make sure you copy it now.

API permissions

Click API permissions.

  • Click Add a permission
  • On the Request API permissions panel select Microsoft Graph.

  • Select Application permissions.

Now you have to choose between the permissions to authorize your app. For example, to create an application to read alla information about Tenant’s users, in the “Select permissions” search box type “User”.Select User.Read.All from the filtered list. At the end, on the API permissions content blade, click Grant admin consent for the Tenant.

Summary of the data necessary for the application

Let’s see what data your application needs to connect and operate on the Microsoft Tenant.

  • applicationId = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
  • applicationSecret = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
  • tenantId = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
  • redirectUri = “https://localhost:8080”;
  • domain = “yourtenant.onmicrosoft.com”;

Permissions

  • User.Read.All : Read all users’ full profiles
  • User.ReadWrite.All : Read and write all users’ full profiles
  • Group.ReadWrite.All : Read and write all groups
  • Notes.ReadWrite.All : Read and write all OneNote notebooks

Documentation

Posted on

Apache on Windows – AH00072: make_sock: could not bind to address [::]:80

Scenario

On your Windows computer, Apache does not start. Go to the event viewer and find the event with error:

AH00072: make_sock: could not bind to address [::]: 80

Problem

The problem is that an application is using the same port 80 as your site on Apache. How to find out what this application is?

Open the command prompt (cmd). Type

netstat -ano

You see all open ports on your computer used by applications. Find the line that (in this case) is about port 80. The PID column shows the number of the program that is using your port.

Open task manager, in the tab “Details” through the PID column you will find the program that is using your port.

Solution

You have 2 possibilities: either stop the program or, if you need the program, change the port used by this program, if possible, or the one used by Apache.

If the program you found through the PID is System, it means that Windows itself is blocking the door. Open the services and you need to stop the “World Wide Web Publishing Service” service. You will also have to set the start in manual, if instead it were in Automatic, because otherwise the next day the problem would reoccur.