Setting up new Exchange Online users on RDS servers - powershell

My company is currently migrating our on prem Exchange users to the hosted Exchange Online platform. Migrating users is easy but we have hit a snag when on boarding new users. Our environment has multiple RDS servers. In the past we would setup a users mailbox on one server and when they would log in to another server the settings would follow them. That does not seem to be the case with Exchange Online. We are having to logon to each RDS server and manually set them up each time they logon to a new one(only for new users). If the user had an old on prem Exchange account that we migrated to the cloud then those settings get over-written and their Exchange Online account comes over no problem. Just trying to figure out a way that will setup the new user EOL accounts when they logon to the new servers. We are using Roaming profiles too if that helps. Maybe some sort of powershell script that I can modify with the new users names when I am setting them up?

Sounds like the AutoDiscovery isn´t working correctly. Please check with the Microsoft Remote Connection analyzer if you see any errors (e.g. as explained in KB 2404385). Here is by the way a good starting point how that should work.

Related

Exchange Hybrid Mailbox Creation / Sync error

I have a hybrid environment with on-prem exchange (almost done migrating) and O365 Email.
I create a new user in our on-prem AD via powershell. It syncs properly via AADConnect to our Azure environment and creates the O365 user and Exchange online (O365) email account. Using powershell I can correct proxy addresses and the msExchRecipient/Remote attributes.
The expected result is that I have an email account on both sides for the hybrid environment, with the on-prem Exchange srerver showing the Mailbox Type as "Office 365".
For one particular user, I ended up with email accounts in both on-prem and online exchange as expected. The user receives messages in their O365 account. However, messages that are trapped by our Mimecast server are not getting through. The Mailbox Type listed in on-prem is "User". This is messing up the mail routing for incoming messages from outside the domain.
Is there a way I can powershell my way out of this mess and somehow convert the mailbox type from "User" to "Office 365"? I can't migrate the user because the account already exists in O365. If I delete the O365 I would lose the email.
Should I have my powershell user creation script create the ad user, create the on-prem mailbox and also perform the migration? At least until we are fully migrated and out of our hybrid environment?
For this user, would it work to delete the AD and on-prem Exchange, and re-create both manually? How would I connect the on-prem to online exchange without losing the mail?
Any insight into this can of worms would be greatly appreciated.
One of the documents I referenced is this one about Recipient Type Values:
https://answers.microsoft.com/en-us/msoffice/forum/all/recipient-type-values/7c2620e5-9870-48ba-b5c2...
: Keith

Identify login with Administrative access on SSAS instance using query or Powershell

Want to identify the users/login with Administrative access on server to migrate them to new server's. I have tried Select * from $System.TMSCHEMA_ROLE_MEMBERSHIPS but these give information regarding the particular database i need more at server level.
Ssas users are done quite differently from normal databases. Ssas uses only the active directory account of the user trying to connect.
On server level the only security is done in the properties of the server, there you can select active directory users with administrative access to the server.
On database level you can create roles, give them access to (part of a) database and link active directory users/groups to them.
Using the analysisservices namespace of microsoft you already mentioned you can look trough every role in every database and note the permissions.
As far as I know you can't actually use this namespace to see all the administrators of the user. But unless you have an unreasonable amount of administrators the best solution might be to just open the server in sql server management studio, click on properties, security and write down all the AD members manually.
I hope this helps you and good luck!

Using DB2 on Windows 10 computer with PIN instead of password (Azure AD accounts)

I'm new to DB2 database. I installed DB2 Express-C on my local machine (Windows 10) to play with it, and I created a sample database.
If I understand correctly, DB2 uses Windows accounts for access to database. The installation created a db2admin user, but this one does not have access to the sample database. So my understanding is that my Windows account has access to this database.
So here is the problem. My company uses Azure Active Directory accounts, using Windows Hello to log in - that means, using a PIN to log in instead of a password (meaning my password does not work for login). However, if I want to connect to the database, I need to do this with my account's password. How can I do this? Do I need to create a local account on my machine instead of using Azure account?
If you are able to create a local-user on your workstation, and assign it a password, and ensure it is a member of local groups DB2USERS (and optionally) DB2ADMNS if those local-groups exist, that is likely to be the easiest option.
You may need to have Windows local-administrative rights to be able to perform those actions.
You can then connect to any local Db2-databases with that local-account and its password (regardless of how you sign-in to Windows).
If you allowed Db2-installation to create local user db2admin (and give it a password) then that local-account is also able to connect to local Db2-databases, including the SAMPLE database. So it's unclear why you write that db2admin account does not have access to SAMPLE database. As long as db2admin has a valid password then that account can connect to SAMPLE if all default settings are active.
Db2-LUW is able to integrate with Active-Directory provided pre-requisites are met and special configuration is performed, see documentation. But unless you have special security plugins for Db2, then any account that wants to connect to local Db2-databases will need a password. With special security plugins, other forms of authentication are possible.
Windows 10 Azure account login gives license to only one user to access windows account. If you login with db2admin in your windows you might lost azure account I am facing such issues.
Better to communicate with IT team of your company and ask to provide DB2ADMN right to your Azure login user. DB2 install properly but not able to create database permission/authorization issue coming.

How to detach, unlink, clear, remove, or rollback VSTS connection to Azure AD

There are good instructions available here on changing the VSTS connection from one Azure AD to another: Change VSTS AD.
But what if you just want to remove the Azure AD integration, and just revert to using Microsoft Accounts?
I successfully performed all the steps in the instruction, up to the point of attaching a new target Azure AD. You'd think when the VSTS account was unlinked in Azure, it would no longer show up in VSTS.
But going to https://[AccountName].visualstudio.com/_admin/_home/settings still shows account being backed by the source directory.
Attempting to add a Microsoft Account based user at https://[AccountName].visualstudio.com/_user fails to find the account, presumably because it is looking the the Source Azure AD.
This is an important capability when transferring ownership of an account. Thanks for taking a look!
You can follow the steps here: Disconnect your Team Services account from Azure AD.
To stop using Azure AD and revert to using Microsoft accounts, you can
disconnect your Team Services account from its directory.
Here's what you'll need:
Microsoft accounts added to your Team Services account for all users.
Team Services account owner permissions for your Microsoft account.
Directory membership for your Microsoft account as an external user
and global administrator permissions. Azure AD members can't
disconnect Team Services accounts from directories.
With the help of Microsoft Premium Support, we did manage to get this worked out.
The problem was the Team Services was not disconnected from the associated Azure AD before it was unlinked. Then once it was unlinked, it appeared gone from Azure, leaving no way to disassociate Azure AD.
The documentation does show to first disconnect the VSTS account from Azure AD, and then “unlink” the account. Where I got into trouble was by using the new portal. It's pretty hard to even find the old portal anymore BTW).
The new portal has this nice handy unlink button, which is practically irresistible. If clicking it, then it declares success. There is nothing in the UI that prevents you from unlinking while still leaving the AD association. There is no option at all in the new UI portal, as far as I could find, to disconnect Team Services from Azure AD.
Once unlinked, the only fix is to relink, and then redo it all in the old portal as is indicated by the documentation.
This is much more difficult than it should be because it seems like something that should be simple to achieve through the web UI. These posts helped me, but I wanted to add my 2 cents:
In order to disconnect VSTS from AAD you need to be able to use the disconnect button on the configure tab in the old portal seen here. However, you can only use that button if you're the VSTS account owner and if your account is not sourced from the currently linked active directory (i.e. - a MS Account). But you can't make the VSTS account owner a MS account if you've used the portal's interface to add the MS Account to your AAD as an external user. This is because external users are added as Guest account type by default (rather than Member type). If you try to set the MS account as VSTS owner you get the "AAD guest users are not allowed to be collection owners" message seen here.
It's a chicken/egg thing which is made more difficult by the fact that the official documents for this process make no mention of the conflict you'll face. They read as if this should just work.
The answer is that (as of today) you can't do this without using Powershell or an AAD API to convert the MS Account from a "Guest" to a "Member" user type. There are a number or articles out there which walk through the older APIs to do this. Here is what I did with the latest PS:
First, log in to the directory you wish to unlink with an account which has permissions to modify members. Ideally an admin or owner.
Connect-AzureAD
Next, find the account you want to modify using this command:
Get-AzureADUser
Find the ObjectID of the user you want to convert from Guest to Member and then run this command:
Set-AzureADUser -ObjectId [ObjectID GUID Here] -UserType Member
This will convert the MS Account in the AAD you want to unlink to a 'member' type. In my situation I found that I had to remove the MS Account from VSTS and re-add it in order to trigger a refresh which allowed me to set it as account owner.
Now you just follow the documented steps:
set MS account as project owner. Save.
log in to old portal, go to configure tab, and disconnect
log back in everywhere to see the changes

Exchange logs with powershell

I am trying to get connection logs from exchange online via powershell.
I have managed to log in to exchange online with powershell, but do not know any cmdlets that would allow me to obtain a list of connections made. What I am trying to achieve is to see a log entry when someone has logged in to their mailbox and downloaded their emails. Ideally I am looking for their IP.
get-logonstatistics no longer works (exchange 2013).
Any help at all would be greatly appriciated!
For On-Premise Exchange you are looking forMailbox Transport service logs which sit in
%ExchangeInstallPath%TransportRoles\Logs\Mailbox\Connectivity
but you have to explicitly enable them first.
This article will get you started
http://technet.microsoft.com/en-us/library/bb124500(v=exchg.150).aspx
You can't really do that in O365 without raising a ticket with MS, the only available cmdlets are:
http://help.outlook.com/en-us/140/dd575549.aspx