Thursday, February 19, 2015

Office 365 Domain install with a local share via Script and/or GPO

Warning: Uninstall all previous versions of Office, including Office 2013 and Office 365 demos, before proceeding.
Users must temporarily be local admins on their systems for the GPO-driven install to work.

Create a shared folder on your central server for example \\SRV-UTIL01\OfficeDeploy\

Download the Office Deployment Tool and extract to \\SRV-UTIL01\OfficeDeploy\

http://www.microsoft.com/en-us/download/details.aspx?id=36778

Create two XML files with the options.

The first is Download.xml, which sets your share path and the 32- or 64-bit edition, and is used for the download process:

<Configuration>
<Add SourcePath="\\SRV-UTIL01\OfficeDeploy\" OfficeClientEdition="64" >
<Product ID="O365ProPlusRetail">
<Language ID="en-us" />
</Product>
</Add>
</Configuration>

The second is Configuration.xml, used to deploy the Office 365 ProPlus package.

Note: The example included with the Office Deployment Tool might as well be blank, since every line in it is commented out with <!-- and -->. Here is what it should look like when ready to use:

Note: Version is optional; however, it ensures the client installs the media version sitting in that path rather than grabbing a newer version online.

<Configuration>
<Add SourcePath="\\SRV-UTIL01\OfficeDeploy\" Version="15.0.4649.1001" OfficeClientEdition="64" >
<Product ID="O365ProPlusRetail">
<Language ID="en-us" />
</Product>
</Add>
<Updates Enabled="TRUE" UpdatePath="\\SRV-UTIL01\OfficeDeploy\" />
<Display Level="None" AcceptEULA="TRUE" />
<Logging Path="\\SRV-UTIL01\OfficeDeploy\Logfiles\" />
<Property Name="AUTOACTIVATE" Value="1" />
</Configuration>

Now, to create your local copy of the media, run the following command from the extracted tool folder:
Setup.exe /Download Download.xml

Note: when you run the command above it will create \\SRV-UTIL01\OfficeDeploy\Office\Data\Version\, and under that folder you will find the large stream.x32 or .x64 files. It runs in a plain cmd window with no status output, so be patient: it downloads approx. 2GB of data or more.

While that is downloading you can create or modify your deployment script and GPO.

For example OfficePush.bat as shown below:

OfficePush.bat

@echo off
Rem Created by Kevin Oppihle http://Koppihle3.blogspot.com
Rem If the Click-to-Run client is already on the PC, skip straight to the "installed" marker
If EXIST "C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe" goto :365Complete
:365Needed
Echo Installing Office 365 >c:\365.txt
Rem Setup.exe and configuration.xml both live on the deployment share created above
\\SRV-Util01\OfficeDeploy\Setup.exe /configure \\SRV-Util01\officedeploy\configuration.xml >>c:\365.txt
:365Complete
Echo Office 365 Installed >c:\365.txt
Exit

The batch file above first checks whether Office is already installed. If it is, opening c:\365.txt will show "Office 365 Installed". If Office is not installed, it runs the installer from the deployment path given in the batch file. While the installer is running, 365.txt reads "Installing Office 365"; when the installation completes it changes to "Office 365 Installed". The script is set to run minimized, so check the 365.txt file to verify completion. Installation time depends on network and PC speed, but expect an average of 10 minutes. The Office icons appear before the installer finishes; opening an Office application before the installer completes will slow the process, as it may then download from online.

Now copy the batch file to your SYSVOL scripts folder and assign it as a logon script for the users via GPO.

Note: this will check and install as necessary every time the user logs on, so once your deployment is finished, unassign the GPO.
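As an added example (not part of the original post), a PowerShell check to run before assigning the GPO: it confirms Download.xml and Configuration.xml agree with each other and that the downloaded media the post describes is actually on the share. The share path defaults to the post's example; the Office\Data\<Version>\stream.* layout is assumed from the description above.

```powershell
# Added example, not from the original post: checks that Download.xml, Configuration.xml and the
# share contents agree before the logon-script GPO is assigned. Assumes the share layout the post
# describes (Office\Data\<Version>\stream.* files); paths default to the post's example share.
function Test-OfficeDeployShare {
    param(
        [string]$Share = '\\SRV-UTIL01\OfficeDeploy',
        [string]$DownloadXml = (Join-Path $Share 'Download.xml'),
        [string]$ConfigXml = (Join-Path $Share 'Configuration.xml')
    )
    $problems = New-Object System.Collections.Generic.List[string]
    [xml]$dl  = Get-Content -LiteralPath $DownloadXml -Raw
    [xml]$cfg = Get-Content -LiteralPath $ConfigXml -Raw
    $add = $cfg.Configuration.Add

    # Both files must point at the same media and bitness, otherwise clients install
    # something other than what was downloaded and fall back to fetching it online.
    if ($dl.Configuration.Add.SourcePath -ne $add.SourcePath) {
        $problems.Add("SourcePath differs: $($dl.Configuration.Add.SourcePath) vs $($add.SourcePath)")
    }
    if ($dl.Configuration.Add.OfficeClientEdition -ne $add.OfficeClientEdition) {
        $problems.Add('OfficeClientEdition differs between Download.xml and Configuration.xml')
    }

    # Every UNC path in Configuration.xml must resolve from a client's point of view.
    foreach ($p in @($add.SourcePath, $cfg.Configuration.Updates.UpdatePath, $cfg.Configuration.Logging.Path)) {
        if ($p -and -not (Test-Path -LiteralPath $p)) { $problems.Add("path not reachable: $p") }
    }

    # A pinned Version keeps clients on the downloaded build; its folder must actually exist.
    if (-not $add.Version) {
        $problems.Add('Version not set: clients may fetch a newer build online')
    } else {
        $verDir = Join-Path $add.SourcePath "Office\Data\$($add.Version)"
        if (-not (Test-Path -LiteralPath $verDir)) {
            $problems.Add("Version $($add.Version) not present under Office\Data (run Setup.exe /Download first)")
        } elseif (-not (Get-ChildItem -LiteralPath $verDir -Filter 'stream.*')) {
            $problems.Add("no stream files in $verDir: download incomplete?")
        }
    }
    return ,$problems.ToArray()
}

$issues = Test-OfficeDeployShare
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } } else { 'deployment share OK' }
```

Run it from a workstation account, not from the server console, so that the share and log folder are tested with the permissions the logon script will actually have.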

Happy Office 365 Deployment!

Wednesday, February 18, 2015

AD how to reset the DSRM password

Log onto the Server as an Administrator

1. Open ntdsutil
2. Type: set dsrm password
3. Type: reset password on server null
4. Type the new password when prompted and press Enter
5. Re-enter the new password and press Enter
6. Type q to quit
7. Document the change

Powershell - Adding email address and other informational fields to AD in bulk

You set up your new domain, imported or added users, then realize you left out a field such as the mail details. Since all users are different you can't bulk-select and edit; you have to set each one individually or via a .csv file and script. Here is a working example:

Note: Get-ADUser resolves the name column as the sAMAccountName, so if a user's "user logon name" does not match the "user logon name (Pre-Windows 2000)" the script will fail for that user.

Create an Excel file with the following fields and export it to a csv called c:\admailfield.csv:

name,mail
kevin.oppihle,kevin.oppihle@domainname.com

Create a .txt file and input the following:

Import-Module ActiveDirectory
# Columns expected in the CSV: name (sAMAccountName), mail
$users = Import-Csv C:\admailfield.csv
foreach ($user in $users) {
    # Load the account with its mail attribute so -Instance can write the change back
    $u = Get-ADUser $user.name -Properties mail
    $u.mail = $user.mail
    Set-ADUser -Instance $u
}

Save the file as admailfield.ps1

Open PowerShell as an administrator on your local AD server and run

 ./admailfield.ps1

You can then use Active Directory Users and Computers to confirm the changes were applied.

Credit References:

DuRand Bryant

Office 365 DirSync users getting domainname.onmicrosoft.com addresses as default

You set up Office 365 DirSync and the default domain for the users is domainname.onmicrosoft.com instead of the default domain you defined in Office 365. It will not allow even the Office 365 administrator to change the email addresses of individual users from the Office 365 console. The reason is that with AD synchronization enabled, Office 365 uses the proxyAddresses attribute of the user sent from AD by default; if that is blank in AD it falls back to domainname.onmicrosoft.com.

You can either use ADSI Edit to modify the proxyAddresses attribute individually for each user, or use a PowerShell script and CSV file such as the one below to do so in bulk.

Word of warning: run as is, it will overwrite all existing proxyAddresses, not just the SMTP: (primary) entry; it will also remove any smtp: (alias) entries.

Additionally, if a user's "user logon name" does not match the "user logon name (Pre-Windows 2000)" the script will fail for that user.

Create an Excel file with the following fields and export it to a csv called c:\mailboxlist.csv:

name,ProxyAddress
kevin.oppihle,SMTP:kevin.oppihle@domainname.com

Create a .txt file and input the following:

Import-Module ActiveDirectory
# Columns expected in the CSV: name (sAMAccountName), ProxyAddress (e.g. SMTP:user@domainname.com)
$users = Import-Csv C:\mailboxlist.csv
foreach ($user in $users) {
    $u = Get-ADUser $user.name -Properties mail,department,ProxyAddresses
    # Assigning a single value replaces the whole multi-valued attribute (existing aliases are lost)
    $u.ProxyAddresses = $user.ProxyAddress
    Set-ADUser -Instance $u
}

Save the file as proxyemail.ps1

Open PowerShell as an administrator on your local AD server and run

 ./proxyemail.ps1

You can then use ADSI Edit to confirm the proxy addresses were assigned to the users.

With the next DirSync run the updates should push to Office 365.
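As an added example covering both the mail script and the proxyAddresses script above (not code from the original post), a version that keeps existing aliases instead of overwriting them, and that falls back to the user logon name when the sAMAccountName lookup fails. It assumes the ActiveDirectory module; the CSV path and columns (name, mail, ProxyAddress) are constructed to match the post's files, and Set-ADUser -Replace is used in place of the post's -Instance pattern.

```powershell
# Added example, not from the original post: sets mail and the primary SMTP address from a CSV
# while keeping existing aliases, which the -Instance scripts above overwrite. Resolves users by
# sAMAccountName first, then by UPN prefix. Assumes the ActiveDirectory module; the CSV path and
# columns (name,mail,ProxyAddress) are constructed to match the post's files.
Import-Module ActiveDirectory

function Resolve-TargetUser {
    param([string]$Name)
    # Get-ADUser -Identity only matches the pre-Windows 2000 logon name; try the user logon name too.
    $props = 'mail', 'proxyAddresses'
    $u = Get-ADUser -Filter "sAMAccountName -eq '$Name'" -Properties $props
    if (-not $u) { $u = Get-ADUser -Filter "userPrincipalName -like '$Name@*'" -Properties $props }
    return $u
}

function Merge-ProxyAddresses {
    param([string[]]$Existing, [string]$Primary)
    if ($Primary -cnotlike 'SMTP:*') { throw "primary must start with upper-case SMTP: ($Primary)" }
    $newAddr = ($Primary -split ':', 2)[1]
    $kept = foreach ($a in $Existing) {
        if ([string]::IsNullOrEmpty($a)) { continue }
        $addr = ($a -split ':', 2)[-1]
        if ($addr -eq $newAddr) { continue }                       # same address already present: drop it
        if ($a -clike 'SMTP:*') { 'smtp:' + $addr } else { $a }   # demote the old primary, keep the rest
    }
    return @($kept) + $Primary
}

function Update-MailFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = 'C:\mailboxlist.csv')
    foreach ($row in Import-Csv $Path) {
        $u = Resolve-TargetUser $row.name
        if (-not $u) { Write-Warning "$($row.name): no match by sAMAccountName or UPN"; continue }
        $merged = Merge-ProxyAddresses -Existing @($u.proxyAddresses) -Primary $row.ProxyAddress
        $attrs = @{ proxyAddresses = [string[]]$merged }
        if ($row.mail) { $attrs.mail = $row.mail }
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "set $($merged -join ';')")) {
            Set-ADUser -Identity $u -Replace $attrs
        }
    }
}

Update-MailFromCsv -WhatIf     # preview every change first
# Update-MailFromCsv           # then apply
```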

Credit References:

Daryl Hunter, DuRand Bryant

Office 365 using DirSync users cannot change passwords in Office 365

If you do directory sync from AD to Office 365, users will not be able to change their passwords on the Office 365 portal. Since the AD sync is a one-way process, password changes made in the cloud would not flow back into local AD, so by default the Office 365 portal will not let users change their passwords, as they would simply be overwritten by local AD.

The problem this creates is that sometimes you have a mix of users, some local and some who may not have local domain access to change their passwords. The following is a workaround using OU exclusion from DirSync.

First we need to put the users in a separate OU such as "Webmail", then exclude that OU from DirSync. That will allow them to change from "Directory Synced" to "Cloud", which you can confirm in the Office 365 Admin Console. Here are the steps:

Caution: Seasoned Domain Admins Only. This is Active Directory, and email flow will be impacted for users as they are changed.

“you break it you bought it…”

Copy a shortcut to the desktop for:

C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe

Open it, select Management Agents, and then the Active Directory connector:

Right-click and select Properties:

Select Configure Directory Partitions and Containers:

You will be prompted for credentials; enter your LOCAL ADSync username and password:

Browse and Exclude the OU:

Select "OK", then "OK" again.

You can now force the DirSync process.
Open PowerShell as Administrator and run the following commands to initiate a sync:

Import-Module DirSync
Start-OnlineCoexistenceSync -fullsync

Select the Operations tab to view status:
Note the Deletions count in the bottom right.

Note: force the DirSync process 2 to 3 times to make sure all settings synchronize.

Log onto the Office 365 portal > Deleted Users > select the users > Restore Users.

The users should now be able to change their passwords from the webmail interface. If not, use the admin console to force a password reset per user to purge any AD password settings.

In my testing, since I performed this process after hours and quickly restored the accounts, little to no email was kicked back as "recipient does not exist"; additionally, the end users did not notice any impact to their email, as it is in a limbo state, not yet truly "deleted".

I would recommend you use a test account or two to make sure you have the process down before doing any mass moves.

Office 365 Active Directory DirSync how to exclude or specify an OU

If you do directory sync from AD to Office 365, you may not want to replicate all users and groups in your full AD structure, which is what is replicated by default. You can exclude or specify which OUs to synchronize using the following instructions.

Caution: Seasoned Domain Admins Only

“you break it you bought it…”

Create a shortcut on the desktop to:

C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe

Open it, select Management Agents, and then the Active Directory connector:

Right-click and select Properties:

Select Configure Directory Partitions and Containers:

You will be prompted for credentials; enter your LOCAL ADSync username and password:

Browse and include or exclude the OUs as necessary.

Select "OK", then "OK" again.

You can now force the DirSync process.
Open PowerShell as Administrator and run the following commands to initiate a sync:

Import-Module DirSync
Start-OnlineCoexistenceSync -fullsync

Select the Operations tab to view status:
Note the Deletions count in the bottom left, as I excluded a previously synchronized OU.

You can click on the Export Statistics fields above for further information.

Note: I recommend forcing the DirSync process 2 to 3 times to make sure all settings synchronize.

Log onto the Office 365 portal and confirm the settings changes. In my example it moved the excluded OU's users to Deleted Users.

Note: if you make a mistake and exclude an OU you didn't mean to, or vice versa, make the change ASAP and rerun the sync process; the accounts should be re-enabled or disabled as necessary. If they appear as "In Cloud", that means they are not AD synced.
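As an added example serving both DirSync posts above (not code from the original posts), a PowerShell script that records which accounts an OU exclusion will take out of sync scope and, after the forced sync, reports each one's state in Office 365 the way the admin console labels it. It assumes the ActiveDirectory and MSOnline modules with Connect-MsolService already run, that the on-premises UPN matches the Office 365 UPN, and the OU distinguished name shown is a constructed placeholder.

```powershell
# Added example, not from the original post: preview which accounts an OU exclusion affects
# and, after the forced sync, report their state in Office 365. Assumes the ActiveDirectory
# and MSOnline modules (Connect-MsolService already run), that the AD UPN equals the Office 365
# UPN, and a constructed placeholder OU distinguished name.
Import-Module ActiveDirectory

function Get-OuSyncImpact {
    param([string]$OuDn = 'OU=Webmail,DC=domainname,DC=local')
    # Every user under the OU (including sub-OUs) leaves DirSync scope once the OU is excluded.
    Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * -Properties mail, proxyAddresses |
        Select-Object SamAccountName, UserPrincipalName, mail,
            @{ n = 'PrimarySmtp'; e = { ($_.proxyAddresses -clike 'SMTP:*') -replace '^SMTP:' } }
}

function Get-O365State {
    param([string[]]$UserPrincipalName)
    # Classify each UPN as the admin console shows it: Deleted, Directory Synced, or In Cloud.
    $deleted = Get-MsolUser -ReturnDeletedUsers -All | Select-Object -ExpandProperty UserPrincipalName
    foreach ($upn in $UserPrincipalName) {
        $state = if ($deleted -contains $upn) {
            'Deleted (restore it)'
        } else {
            $m = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
            if (-not $m) { 'Not found' } elseif ($m.LastDirSyncTime) { 'Directory Synced' } else { 'In Cloud' }
        }
        [pscustomobject]@{ UserPrincipalName = $upn; State = $state }
    }
}

# Before excluding the OU: record who is affected so the restore step can be verified later.
$affected = Get-OuSyncImpact
$affected | Format-Table -AutoSize

# After Start-OnlineCoexistenceSync -FullSync (run 2 to 3 times, as the post advises):
$states = Get-O365State -UserPrincipalName $affected.UserPrincipalName
$states | Format-Table -AutoSize
# Restore only the accounts that are still listed as deleted:
$states | Where-Object State -like 'Deleted*' |
    ForEach-Object { Restore-MsolUser -UserPrincipalName $_.UserPrincipalName }
```

Save the first table before touching the management agent; once the accounts are soft-deleted, it is the only list of exactly which mailboxes are in limbo until the restore completes.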

FileZilla Server secure FTP setup

https://filezilla-project.org/download.php?type=server

Install using defaults then start customizing:
Internal IP Address:
You can specify which IPs are blocked or allowed:
Use a custom passive port range so you can specify that range in the firewall, and set the external IP:
Review buffer settings:

Specify the admin interface port:

Configure logging:

Set any speed limits:

Generate a new certificate and point both the Private Key and Certificate file fields at the same certificate.crt:

Note: external certificates would not work properly even with format changes

Enable automatic bans and customize settings as necessary:

Configure your External Firewall to port forward and allow traffic:

Configure the Firewall Inbound and Outbound Rules on the FileZilla Server:

Name rules SFTP IN and SFTP OUT:
Open ports 21, 22, 990 and the passive port range specified earlier.
Set up the users and groups:

Set up shared folders:

Now you are ready to test.
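For the firewall step of the procedure above, as an added example rather than the post's own configuration: the "SFTP IN" and "SFTP OUT" rules for ports 21, 22, 990 and the custom passive range, created with the Windows Firewall cmdlets and scoped to the FileZilla Server executable. The passive range, install path and allowed remote networks are constructed placeholders; adjust them to the values entered in the FileZilla settings.

```powershell
# Added example, not from the original post: creates the "SFTP IN" / "SFTP OUT" rules the post
# describes for ports 21, 22, 990 and the custom passive range, scoped to the FileZilla Server
# executable. The port range, install path and allowed remote networks are constructed placeholders.
$PassiveRange = '50000-50100'   # must match the passive range set in FileZilla Server
$Server       = 'C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe'   # adjust to your install
$AllowedFrom  = @('Any')        # narrow to client networks, e.g. '203.0.113.0/24', where possible

function New-FileZillaFirewallRules {
    param([string]$Range = $PassiveRange, [string]$Program = $Server, [string[]]$RemoteAddress = $AllowedFrom)
    $ports = @('21', '22', '990', $Range)
    # Inbound: control channel, TLS control channel and the passive data range, only for the server binary.
    New-NetFirewallRule -DisplayName 'SFTP IN' -Direction Inbound -Protocol TCP -LocalPort $ports `
        -Program $Program -RemoteAddress $RemoteAddress -Action Allow -Profile Any | Out-Null
    # Outbound: same ports, so the server can answer from them when outbound traffic is blocked by default.
    New-NetFirewallRule -DisplayName 'SFTP OUT' -Direction Outbound -Protocol TCP -LocalPort $ports `
        -Program $Program -Action Allow -Profile Any | Out-Null
}

function Get-FileZillaFirewallRules {
    # Show what was actually applied (direction, ports, program) for the final review.
    foreach ($name in 'SFTP IN', 'SFTP OUT') {
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $rule) { Write-Warning "rule '$name' missing"; continue }
        [pscustomobject]@{
            Rule      = $name
            Direction = $rule.Direction
            Enabled   = $rule.Enabled
            Ports     = ($rule | Get-NetFirewallPortFilter).LocalPort -join ','
            Program   = ($rule | Get-NetFirewallApplicationFilter).Program
        }
    }
}

New-FileZillaFirewallRules
Get-FileZillaFirewallRules | Format-Table -AutoSize
```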