Exchange Geek's Weblog


Archive for the ‘Active Directory’ Category

Finding Windows Server Versions and Editions in Active Directory

Posted by Milind Naphade on 27/04/2011

I came across this requirement in one of my customers' environments. They have a huge network of Windows Server systems and do not have any details of those servers in Active Directory. Unfortunately, Active Directory stores very limited information with computer accounts, so it becomes necessary to log on to each computer to find out this information. In our case we had more than 350 servers, which made it even more difficult. Computers running Windows Vista and later, and Windows 2008 and later, add their edition details to their computer accounts in Active Directory as well, but for operating systems earlier than Windows 2003 and XP it becomes a problem.

I prefer using the Quest AD cmdlets when working with AD objects because they save a lot of time and lines of code. I have used them once more here, and here is the script that worked for us:

# Needs the Quest AD cmdlets (Get-QADComputer). Pull every computer account whose
# operatingSystem attribute starts with "Windows Server" and keep only its DNS host name.
$objComputers = Get-QADComputer -SizeLimit 0 -IncludeAllProperties |
    Where-Object { $_.OperatingSystem -like "Windows Server *" } |
    Select-Object dNSHostName

foreach ($objComputer in $objComputers)
{
    # One ping first, so offline hosts are skipped instead of waiting for a WMI timeout
    if (Test-Connection -ComputerName $objComputer.dNSHostName -Count 1 -Quiet -ErrorAction SilentlyContinue)
    {
        # Win32_OperatingSystem.Caption carries the full name and edition,
        # e.g. "Microsoft Windows Server 2003 Enterprise Edition"
        $WMIResult = Get-WmiObject Win32_OperatingSystem -ComputerName $objComputer.dNSHostName -ErrorAction SilentlyContinue
        if ($WMIResult)
        {
            Write-Host $objComputer.dNSHostName ":" $WMIResult.Caption
        }
        else
        {
            # Host answered the ping but refused WMI (firewall, DCOM or no admin rights)
            Write-Host $objComputer.dNSHostName ": reachable, but the WMI query failed"
        }
    }
    else
    {
        Write-Host $objComputer.dNSHostName "is not reachable"
    }
}

[Screenshot: output of the script]

Please note: you need the Quest Active Directory Management Cmdlets installed on the computer from which you run this script.
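The same inventory without the Quest cmdlets, as an added example that is not the post's script: it uses the Microsoft ActiveDirectory module for the computer accounts, keeps what AD recorded next to what the running host reports over WMI, and writes a CSV that can be reviewed for old builds. It assumes the RSAT ActiveDirectory module is installed and that the output path C:\Temp\ServerInventory.csv is a placeholder.

```powershell
Import-Module ActiveDirectory

# Computer accounts whose operatingSystem attribute (written by the machine itself) says "Windows Server"
$servers = Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*"' `
    -Properties OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack, LastLogonDate

$inventory = foreach ($srv in $servers) {
    $row = [ordered]@{
        Name       = $srv.DNSHostName
        AD_OS      = $srv.OperatingSystem            # what AD recorded; may be stale or empty on old OS
        AD_Version = $srv.OperatingSystemVersion
        AD_SP      = $srv.OperatingSystemServicePack
        LastLogon  = $srv.LastLogonDate
        Live_OS    = $null                           # filled from WMI when the host answers
        Live_Build = $null
        Status     = 'unreachable'
    }
    if (Test-Connection -ComputerName $srv.DNSHostName -Count 1 -Quiet) {
        try {
            # Win32_OperatingSystem from the running host: Caption carries the edition, Version the build
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $srv.DNSHostName -ErrorAction Stop
            $row.Live_OS    = $os.Caption.Trim()
            $row.Live_Build = "$($os.Version) $($os.CSDVersion)".Trim()
            $row.Status     = 'ok'
        } catch {
            # Pings but WMI was refused (firewall, DCOM, no admin rights): keep the AD data and the reason
            $row.Status = "wmi failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$row
}

# Oldest builds first; the CSV is what goes to the patching / decommissioning review
$inventory | Sort-Object AD_Version, Name |
    Export-Csv -Path 'C:\Temp\ServerInventory.csv' -NoTypeInformation
$inventory | Where-Object { $_.Status -ne 'ok' } | Format-Table Name, AD_OS, Status -AutoSize
```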


Posted in Active Directory | Comments Off on Finding Windows Server Versions and Editions in Active Directory

Finding Users with Blank (Null) Passwords in AD

Posted by Milind Naphade on 30/03/2011

I thought this could help a lot of people. It comes originally from http://seclists.org/pen-test/2007/Apr/21

You just have to change the portion 'LDAP://dc=exchange,dc=local' of the script and put your domain name there. Simply copy and paste it into Notepad and save the file with a .vbs extension.

' Run with: cscript //nologo blankpwd.vbs (wscript would show one dialog per result)
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2
Const DEFAULT_DOMAIN = "dc=exchange,dc=local"   ' change this to your own domain DN

blankPWD = ""
' The prompt overrides DEFAULT_DOMAIN; leave it empty to keep the default above
strDomain = InputBox("Enter the domain DN (e.g. " & DEFAULT_DOMAIN & "): ")
If Len(Trim(strDomain)) = 0 Then strDomain = DEFAULT_DOMAIN

Set objConn = CreateObject("ADODB.Connection")
Set objCmd  = CreateObject("ADODB.Command")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCmd.ActiveConnection = objConn

objCmd.Properties("Page Size") = 10000
objCmd.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' Straight single quotes are required around the LDAP path and the category value
objCmd.CommandText = "SELECT AdsPath FROM 'LDAP://" & strDomain & "' WHERE objectCategory='user'"
Set objRecordSet = objCmd.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
   strPath = objRecordSet.Fields("AdsPath").Value
   Set objUser = GetObject(strPath)
   ' A change from blank to blank is accepted (Err = 0) or rejected with
   ' ERROR_ACCOUNT_RESTRICTION (-2147023569, 0x8007052F) only when the current password is blank
   objUser.ChangePassword blankPWD, blankPWD
   If Err = 0 Or Err = -2147023569 Then
       Wscript.Echo objUser.CN
   End If
   Err.Clear
   objRecordSet.MoveNext
Loop

Hope this helps.
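A complementary check, added here and not part of the original post: instead of trying a password change against every account, it lists the accounts that Active Directory permits to carry a blank password at all. A blank password is only possible when the PASSWD_NOTREQD bit (0x20) is set in userAccountControl or the domain minimum password length is 0, so these are the objects to review and fix first. It assumes the ActiveDirectory module; the search base DC=exchange,DC=local is the post's domain and is a placeholder.

```powershell
Import-Module ActiveDirectory

$ADS_UF_PASSWD_NOTREQD = 0x20                  # userAccountControl bit: "password not required"
$searchBase = 'DC=exchange,DC=local'           # placeholder, replace with your domain DN

function Get-PasswordNotRequiredAccounts {
    param([string]$SearchBase)
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule: match when the bit is set.
    # Same scope as the VBScript query above (all user objects, subtree), but read-only.
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$ADS_UF_PASSWD_NOTREQD)" `
        -SearchBase $SearchBase -SearchScope Subtree `
        -Properties userAccountControl, PasswordLastSet, LastLogonDate |
        Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate,
            @{ n = 'UAC'; e = { '0x{0:X}' -f $_.userAccountControl } }
}

# If the domain policy itself allows zero-length passwords, every account is in scope
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MinPasswordLength -eq 0) {
    Write-Warning "Domain minimum password length is 0: any account may carry a blank password"
}

# Enabled accounts first; these are the ones to clean up before anything else
$flagged = Get-PasswordNotRequiredAccounts -SearchBase $searchBase |
    Sort-Object Enabled -Descending, LastLogonDate -Descending
$flagged | Format-Table -AutoSize

# Remediation for a reviewed account: clear the flag so the policy applies again and force a reset.
# Set-ADUser -Identity <samAccountName> -PasswordNotRequired $false -ChangePasswordAtLogon $true
```

Fine-grained password policies (PSOs) can set a different minimum length for specific groups, so check Get-ADFineGrainedPasswordPolicy as well if the domain uses them.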

Posted in Active Directory | Comments Off on Finding Users with Blank (Null) Passwords in AD

Disabling Outlook Anywhere Per User

Posted by Milind Naphade on 05/01/2011

RPC over HTTPS was the original name when Outlook Anywhere access was introduced with Exchange Server 2003. Exchange 2003 did not provide very granular control over it, though. Along with the increase in productivity it also brought a concern: it allowed configuring a user's mailbox on any Outlook client even if the user was not supposed to do so. As a result, people could make unauthorized copies of their mailboxes on their home PCs and laptops.

Exchange 2007 SP1 and later have a great feature for disabling Outlook Anywhere access on a per-user basis. It is a very simple process of running a few commands in PowerShell, and the administrator is done with the configuration. Let's take a look:

To disable Outlook Anywhere for a single user:

Get-Mailbox -Identity <username> | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$True

To disable it for all users:

Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$True

To disable it for selected users only:

  • Identify the users who need to be blocked from Outlook Anywhere access.
  • Make a list of all such users' user accounts.
  • Put it in a simple text file as below:

User1

User2

User3

  • Now save this text file to any location you want with the name Mailboxes.txt. In my case it is D:\Mailboxes.txt
  • Simply run the script below.

# One account name per line in Mailboxes.txt; -Verbose shows each mailbox as it is changed
$Mailboxes = Get-Content D:\Mailboxes.txt
Foreach ($Mailbox in $Mailboxes)
{
    Set-CASMailbox -Identity $Mailbox -MAPIBlockOutlookRpcHttp:$true -Verbose
}

The harder way:

Each mailbox in Active Directory has an attribute named ProtocolSettings. When Outlook Anywhere is enabled for a user mailbox, the value of ProtocolSettings is MAPI§§§§§0§§§, HTTP§1§1§§§§§§, OWA§1, and when you disable Outlook Anywhere the value of this attribute changes to MAPI§§§§§1§§§, HTTP§1§1§§§§§§, OWA§1
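An added example (not the post's script) that ties the two methods together: it blocks Outlook Anywhere for every account in Mailboxes.txt and then verifies each one both through Get-CASMailbox and by reading the raw protocolSettings attribute in the format described above, so a mismatch between Exchange and AD shows up immediately. It assumes an Exchange 2007 SP1 / 2010 management shell with the ActiveDirectory module loaded; D:\Mailboxes.txt is the file from the post, and the parsing function name is mine.

```powershell
Import-Module ActiveDirectory

function Get-OutlookAnywhereBlockFromProtocolSettings {
    param([string[]]$ProtocolSettings)
    # The MAPI entry looks like "MAPI§§§§§0§§§"; the sixth §-separated field is the RPC/HTTP block flag
    # (0 = Outlook Anywhere allowed, 1 = blocked). No MAPI entry means the setting was never written.
    # Save this script as UTF-8 with BOM so Windows PowerShell reads the § literal correctly.
    $mapi = $ProtocolSettings | Where-Object { $_ -like 'MAPI§*' } | Select-Object -First 1
    if (-not $mapi) { return $null }
    $fields = $mapi -split '§'
    return ($fields[5] -eq '1')
}

$report = foreach ($name in (Get-Content 'D:\Mailboxes.txt' | Where-Object { $_.Trim() })) {
    $name = $name.Trim()
    $mbx = Get-Mailbox -Identity $name -ErrorAction SilentlyContinue
    if (-not $mbx) {
        # A typo in the list must not be silently skipped: report it instead
        [pscustomobject]@{ User = $name; Result = 'no mailbox found'; CASBlocked = $null; ADBlocked = $null }
        continue
    }
    Set-CASMailbox -Identity $mbx.Identity -MAPIBlockOutlookRpcHttp:$true

    # Verification 1: what the Exchange cmdlets report
    $cas = Get-CASMailbox -Identity $mbx.Identity
    # Verification 2: the raw attribute, read straight from the user object in AD
    $ad = Get-ADUser -Identity $mbx.DistinguishedName -Properties protocolSettings
    $adBlocked = Get-OutlookAnywhereBlockFromProtocolSettings -ProtocolSettings $ad.protocolSettings

    [pscustomobject]@{
        User       = $name
        Result     = if ($cas.MAPIBlockOutlookRpcHttp -and $adBlocked) { 'blocked' } else { 'mismatch, recheck' }
        CASBlocked = $cas.MAPIBlockOutlookRpcHttp
        ADBlocked  = $adBlocked
    }
}
$report | Format-Table -AutoSize
```

A 'mismatch, recheck' row right after the change can simply be AD replication lag if the shell and the ActiveDirectory module talk to different domain controllers; run the verification part again before treating it as a problem.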

I would not touch these attributes in AD unless there is a good reason to do so, but I thought it could help some people with troubleshooting. Hope this post helps.

Posted in Active Directory, Exchange 2010, Exchange Server 2007 | 1 Comment »

Additional Mailbox Auto Mapping in Exchange 2010 SP1

Posted by Milind Naphade on 13/10/2010

A user who has Full Access on another mailbox can have that mailbox added to the Outlook profile so that he/she doesn't have to log on to it separately. This has been a regular practice in many organizations. A support mailbox where all support requests are stored is a common example of an additional mailbox added to Outlook profiles.

Outlook 2007 and earlier versions did the job very well, but there was always a limitation when an Outlook profile needed to be reconfigured or the user's computer changed: the user or IT support had to add the additional mailbox back to the user's profile. How about a setup where users or IT support don't need to add additional mailboxes again once they are configured? Yes, that is very much possible if you are running Exchange 2010 SP1 and Outlook 2010.

Let’s take a look at how to get this working.

First you need to grant Full Access on the additional mailbox you want to add in Outlook. In my case I have a support mailbox that is added to the profile of a user named Exchange Geek.

Use the EMC or EMS to grant Full Access permission on the support mailbox.

Now click the Add button and add the user account that needs full access.

After this, go back to the desktop where Outlook is installed. I configure an Outlook profile for the user Exchange Geek and add the Support Mailbox to the profile.

So how does it work even after you lose your Windows profile or Outlook profile? Exchange 2010 stores the Full Access permission in Active Directory, much as Exchange 2003 or 2007 did.

If you open the additional mailbox's properties in adsiedit.msc you will see the attribute msExchDelegateListLink, whose value is the DN of the user account that has full access to the additional mailbox.

Outlook 2010 fetches this value automatically and configures the additional mailbox that you had added previously. When the Outlook profile is reconfigured, Outlook picks up the additional-mailbox information from your mailbox. Your mailbox now holds the information about the additional mailboxes you added recently and didn't remove intentionally. A new folder named Shared Data is created within the mailbox table, which contains all information about the additional mailboxes that you ever added.

I hope this helps people avoid reconfiguring the mailboxes 😉 Please let me know your comments and feedback if you have any.
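Because msExchDelegateListLink is what makes a mailbox appear in other people's Outlook automatically, it is worth auditing. The following is an added example, not code from the post: it reads the link on the shared mailbox's AD object and compares it with the explicit Full Access entries Exchange reports, flagging auto-mapped users who no longer hold the permission. It assumes an Exchange 2010 SP1 management shell with the ActiveDirectory module; "support" is the shared mailbox from the post and the function name is mine.

```powershell
Import-Module ActiveDirectory

function Get-AutoMappedUsers {
    param([Parameter(Mandatory)][string]$SharedMailbox)
    $mbx = Get-Mailbox -Identity $SharedMailbox

    # Forward link on the shared mailbox: one DN per user Outlook 2010 will auto-map
    $obj    = Get-ADUser -Identity $mbx.DistinguishedName -Properties msExchDelegateListLink
    $linked = @($obj.msExchDelegateListLink)

    # Explicit (non-inherited, non-deny) Full Access grants, minus the NT AUTHORITY\SELF default entry
    $full = foreach ($ace in Get-MailboxPermission -Identity $mbx.Identity) {
        if ($ace.AccessRights -contains 'FullAccess' -and -not $ace.IsInherited -and -not $ace.Deny -and
            "$($ace.User)" -notlike 'NT AUTHORITY\*') {
            # Resolve DOMAIN\sam to a DN; groups are skipped (Get-ADUser returns nothing for them)
            $u = Get-ADUser -Identity ("$($ace.User)" -replace '^.*\\', '') -ErrorAction SilentlyContinue
            if ($u) { $u.DistinguishedName }
        }
    }
    $full = @($full)

    foreach ($dn in ($linked + $full | Sort-Object -Unique)) {
        $isLinked = $linked -contains $dn
        $hasFull  = $full   -contains $dn
        [pscustomobject]@{
            User       = $dn
            AutoMapped = $isLinked          # shows up in Outlook 2010 without user action
            FullAccess = $hasFull
            Note       = if ($isLinked -and -not $hasFull) { 'auto-mapped without an explicit Full Access grant: review' }
                         elseif (-not $isLinked) { 'Full Access only, not auto-mapped' }
                         else { 'ok' }
        }
    }
}

Get-AutoMappedUsers -SharedMailbox 'support' | Format-Table -AutoSize
```

Users who receive Full Access through a group membership are not auto-mapped (the link is only written for direct grants), which is why the 'Full Access only' rows can also be expected when group-based delegation is in use.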

Posted in Active Directory, Exchange 2010, Outlook | 5 Comments »