TechOnTip Weblog

Run book for Technocrats

Find ADFS Database Server details

Posted by Brajesh Panda on February 4, 2016

Get-WmiObject -namespace root/adfs -class securitytokenservice

Output from a farm where SQL Server is used as the backend:

__GENUS : 2
__CLASS : SecurityTokenService
__SUPERCLASS :
__DYNASTY : SecurityTokenService
__RELPATH : SecurityTokenService=@
__PROPERTY_COUNT : 2
__DERIVATION : {}
__SERVER : ADFS01
__NAMESPACE : root\adfs
__PATH : \\ADFS01\root\adfs:SecurityTokenService=@
ConfigurationDatabaseConnectionString : Data Source=SQL01.techontip.local;Initial Catalog=AdfsConfiguration;Integrated Security=True
ConfigurationServiceAddress : net.tcp://localhost:1500/policy
PSComputerName : ADFS01

Output from a farm where the Windows Internal Database (WID) is used:

__GENUS : 2
__CLASS : SecurityTokenService
__SUPERCLASS :
__DYNASTY : SecurityTokenService
__RELPATH : SecurityTokenService=@
__PROPERTY_COUNT : 2
__DERIVATION : {}
__SERVER : ADFS02
__NAMESPACE : root\adfs
__PATH : \\ADFS02\root\adfs:SecurityTokenService=@
ConfigurationDatabaseConnectionString : Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True
ConfigurationServiceAddress : net.tcp://localhost:1500/policy
PSComputerName : ADFS01
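The same WMI query, wrapped so it can be run across a farm and the connection string classified as WID or SQL. This is an added example, not code from the original post; the function name and its ComputerName parameter are my own. Knowing which host holds AdfsConfiguration matters for backup scope and for deciding which servers fall inside the ADFS security boundary.

```powershell
# Added example (not from the original post): classify the ADFS configuration
# database backend from the SecurityTokenService WMI class and report where it lives.
function Get-AdfsConfigDbInfo {
    param(
        # Hypothetical parameter: ADFS server(s) to query; defaults to the local machine
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($server in $ComputerName) {
        $sts  = Get-WmiObject -Namespace root/adfs -Class SecurityTokenService -ComputerName $server
        $conn = $sts.ConfigurationDatabaseConnectionString

        # Parse the "key=value;key=value" connection string into a hashtable
        $parts = @{}
        foreach ($pair in ($conn -split ';')) {
            if ($pair -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $parts[$matches[1]] = $matches[2] }
        }
        $dataSource = $parts['Data Source']

        # WID is reached over the local named pipe shown in the post; anything else is a SQL instance
        $backend = if ($dataSource -like 'np:\\.\pipe\microsoft##wid*') { 'WID' } else { 'SQL' }

        [pscustomobject]@{
            AdfsServer         = $sts.__SERVER
            Backend            = $backend
            DataSource         = $dataSource
            Database           = $parts['Initial Catalog']
            IntegratedSecurity = $parts['Integrated Security']
            ConfigService      = $sts.ConfigurationServiceAddress
        }
    }
}

# Usage: run on an ADFS server with rights to the root\adfs namespace
Get-AdfsConfigDbInfo | Format-List
```

Pass several server names to ComputerName to confirm that every node in the farm points at the same configuration database.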

Posted in Mix & Match | Leave a Comment »

Custom ADFS Claim Rules – Country/Office/CountryCode/SpecificGroup/FixedValue/ObjectGuid/eduPerson

Posted by Brajesh Panda on February 4, 2016

Earlier I posted an article about the claims rule language. Here it is: https://techontip.wordpress.com/2014/03/10/the-claims-rule-language-in-active-directory-federation-services/

In this article I am going to show you a few regularly used custom claims, for which you need to write custom claim rules.

Before you create custom claim rules make sure you have claim descriptions created.

Custom Claim

country, office, countrycode_iso

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/country", "http://custom.techontipadfs.com/adattribute/office", "http://custom.techontipadfs.com/adattribute/countrycode_iso"), query = ";co,physicalDeliveryOfficeName,c;{0}", param = c.Value);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Filtered Groups – Pass specific groups starting with a value like referral

http://blogs.technet.com/b/askds/archive/2013/05/07/ad-fs-2-0-claims-rule-language-part-2.aspx

https://social.technet.microsoft.com/wiki/contents/articles/8008.ad-fs-2-0-selectively-send-group-membership-s-as-a-claim.aspx

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rule 1: GroupAdd

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

Rule 2: GroupFilter

# Just filter one group

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)referral"]

=> issue(claim = c);

# Pass multiple groups (either pattern matches).

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)referral|(?i)techontip deals"]

=> issue(claim = c);

Note: Here (?i) makes the match case-insensitive, and | means OR.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pass fixed value

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(type = "Test1", value = "Techontip Int User");

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(Type = "orgdir", Value = "techontip");

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pass ObjectGUID

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/ObjectGUID"), query = ";ObjectGUID;{0}", param = c.Value);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ObjectGuid

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("http://custom.techontipadfs.com/adattribute/ObjectGUID"), query = ";ObjectGUID;{0}", param = c.Value);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Transform to eduPerson Claims

Shibboleth is preconfigured to assert multiple attributes of the eduPerson object class, which is specially designed for higher education institutions. These are not configured by default in AD FS 2.0. Also, Shibboleth expects inbound SAML attributes names to use a different name format (urn:oasis:names:tc:SAML:2.0:attrname-format:uri) than AD FS 2.0 publishes by default (urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified). For these reasons, we will use the AD FS 2.0 custom rule language to generate Shibboleth-compliant claims.

http://technet.microsoft.com/en-us/library/gg317734%28v=ws.10%29.aspx#BKMK_EditClaimRulesforRelyingPartyTrust

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. First add a normal LDAP claim rule, e.g. User-Principal-Name to UPN.

2. Then transform the above claim into an eduPerson claim. The example below converts the UPN issued above. Here "urn:oid:0.9.2342.19200300.100.1.1" can be anything, as required by the application's configuration.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]

=> issue(Type = "urn:oid:0.9.2342.19200300.100.1.1", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
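Putting the pieces of this post together from PowerShell: create the claim descriptions first (the post notes they must exist before the rules reference them), then apply the group add/filter rules and the eduPerson transform to a relying party trust as one rule set. This is an added example and not the author's code; the trust name "Example RP" and the claim description names are placeholders, and the claim types are the ones used above. One caveat on the filter: the post's "(?i)referral" pattern matches the word anywhere in the group name, so this example anchors it with "^" to match only groups that start with it, which is what the heading describes.

```powershell
# Added example (not the author's): create claim descriptions, then apply a
# group-filter rule set and the eduPerson transform to a relying party trust.
Import-Module ADFS

$rpName = 'Example RP'   # placeholder relying party trust name

# 1. Claim descriptions must exist before the rules below reference the types.
$customClaims = @{
    'AD Country'      = 'http://custom.techontipadfs.com/adattribute/country'
    'AD Office'       = 'http://custom.techontipadfs.com/adattribute/office'
    'AD Country Code' = 'http://custom.techontipadfs.com/adattribute/countrycode_iso'
}
foreach ($name in $customClaims.Keys) {
    $type = $customClaims[$name]
    if (-not (Get-AdfsClaimDescription | Where-Object ClaimType -eq $type)) {
        Add-AdfsClaimDescription -Name $name -ClaimType $type -IsOffered $true -IsAccepted $true
    }
}

# 2. Rule set: add tokenGroups, issue only groups whose name STARTS with "referral"
#    ("^" anchors the post's "(?i)referral" pattern), then transform the UPN into
#    the eduPerson-style attribute.
$rules = @'
@RuleName = "GroupAdd"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "GroupFilter"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)^referral"]
 => issue(claim = c);

@RuleName = "UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "eduPerson UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "urn:oid:0.9.2342.19200300.100.1.1", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
'@

# 3. Apply and read back so the change can be reviewed.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Set-AdfsRelyingPartyTrust replaces the whole issuance rule set, so read the existing rules back first and merge if the trust already has rules you want to keep.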

Posted in Mix & Match | Leave a Comment »

Bypass or Exclude Mails from Clutter

Posted by Brajesh Panda on January 26, 2016

Office 365 has a new interesting feature called Clutter. It uses machine learning and automatically moves messages it expects the user to ignore into the Clutter folder. If a user doesn't want it at all, they can turn it on or off from OWA. But as an admin you can configure transport rules that set the 'X-MS-Exchange-Organization-BypassClutter' message header to True. This tells Exchange Online to deliver the message to the Inbox instead of the Clutter folder.

Here are a few examples of transport rules:

If the message… is received from "EmailAddress"
Do the following… set message header 'X-MS-Exchange-Organization-BypassClutter' with the value 'True'

If the message… sender IP addresses belong to one of these ranges: <SourceIPAddresses>
Do the following… set message header 'X-MS-Exchange-Organization-BypassClutter' with the value 'True'
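The same two rules created from Exchange Online PowerShell, plus a query that lists every rule setting the bypass header. This is an added example, not from the original post; the sender address and IP ranges are placeholders.

```powershell
# Added example (not from the original post): the two transport rules described
# above, created with New-TransportRule. Sender address and IP ranges are placeholders.
$bypassHeader = 'X-MS-Exchange-Organization-BypassClutter'

# Rule 1: messages from a specific sender skip Clutter
New-TransportRule -Name 'Bypass Clutter - alerts sender' `
    -From 'alerts@example.com' `
    -SetHeaderName $bypassHeader -SetHeaderValue 'True'

# Rule 2: messages from trusted source IP ranges skip Clutter
New-TransportRule -Name 'Bypass Clutter - internal relay' `
    -SenderIpRanges '203.0.113.0/24','198.51.100.10' `
    -SetHeaderName $bypassHeader -SetHeaderValue 'True'

# Review what is in place: anyone who can edit transport rules can make mail skip
# Clutter, so list the rules that set this header and check they are expected.
Get-TransportRule | Where-Object { $_.SetHeaderName -eq $bypassHeader } |
    Select-Object Name, State, From, SenderIpRanges, SetHeaderValue
```

Keep the sender IP ranges as tight as possible; a broad range makes every message from that range look trustworthy to the user's Inbox.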

Posted in Mix & Match | Leave a Comment »

Skype for Business Online: Dial-In Conferencing Reporting

Posted by Brajesh Panda on January 25, 2016

Here is my tiny script to report all user-level Dial-In Conferencing details from a Skype for Business Online tenant. Useful if you have integrated InterCall, PGi etc.

# Connect to SfB Online (author's own connection script)
C:\Script\Connect-LyncOnline-Powershell-Brajesh-Ver2.ps1

# Dial-in users: anyone with AcpInfo (audio conferencing provider info) populated
$DialInUsers = Get-CsOnlineUser -Filter {AcpInfo -ne $null} -ResultSize Unlimited |
    Select-Object FirstName, LastName, DisplayName, UserPrincipalName, SIPAddress, HostingProvider, Office, CountryAbbreviation, CountryOrRegionDisplayName, ACPInfo

# Add empty properties to hold the parsed ACP details
foreach ($prop in 'TollNumber','TollFreeNumber','PassCode','Provider','Domain') {
    $DialInUsers | Add-Member -MemberType NoteProperty -Name $prop -Value ''
}

# Populate attributes: AcpInfo is an XML string
foreach ($DialInUser in $DialInUsers) {
    $DialInUser.UserPrincipalName   # progress echo
    [xml]$DialInInfo = $DialInUser.AcpInfo
    $DialInUser.TollNumber     = $DialInInfo.acpInformation.tollNumber
    $DialInUser.TollFreeNumber = $DialInInfo.acpInformation.tollFreeNumber
    $DialInUser.PassCode       = $DialInInfo.acpInformation.participantPassCode
    $DialInUser.Provider       = $DialInInfo.acpInformation.name
    $DialInUser.Domain         = $DialInInfo.acpInformation.domain
}

$FilteredData = $DialInUsers |
    Select-Object FirstName, LastName, DisplayName, UserPrincipalName, SIPAddress, HostingProvider, Office, CountryAbbreviation, CountryOrRegionDisplayName, TollNumber, TollFreeNumber, PassCode, Provider, Domain

# The report contains participant passcodes; keep the CSV somewhere access-controlled
$FilteredData | Export-Csv C:\Script\InterCallUsers_Report.csv -NoTypeInformation

Posted in Mix & Match | Leave a Comment »

Change Exchange 2013 Transport Database Path

Posted by Brajesh Panda on November 25, 2015

1. Open the Exchange Management Shell as Administrator.

2. cd $exscripts

3. Determine the new log drive's drive letter and change the drive letters in the script below. Here I consider the "L" drive to be my new location. I always prefer to keep the same folder path as it is on the C drive.

.\Move-TransportDatabase.ps1 -queueDatabasePath "L:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue" -queueDatabaseLoggingPath "L:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue" -iPFilterDatabasePath "L:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\IpFilter" -iPFilterDatabaseLoggingPath "L:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\IpFilter" -temporaryStoragePath "L:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Temp"
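A post-move check, added here as an example and not part of the original post: it reads the transport service configuration file and confirms each database path now points at the new drive and exists. It assumes the Exchange Management Shell variable $exinstall, the standard EdgeTransport.exe.config location under Bin, and appSettings key names that match the parameters of the move script above; the ExpectedDrive parameter is my own.

```powershell
# Added example (not part of the original post): after running Move-TransportDatabase.ps1,
# confirm EdgeTransport.exe.config points at the new drive and each path exists.
param([string]$ExpectedDrive = 'L:')   # hypothetical: the drive chosen above

$configPath = Join-Path $exinstall 'Bin\EdgeTransport.exe.config'
[xml]$config = Get-Content $configPath

# appSettings keys assumed to match the move script's parameter names
$keys = 'QueueDatabasePath','QueueDatabaseLoggingPath',
        'IPFilterDatabasePath','IPFilterDatabaseLoggingPath','TemporaryStoragePath'

$results = foreach ($key in $keys) {
    $node  = $config.configuration.appSettings.add | Where-Object { $_.key -eq $key }
    $value = if ($node) { $node.value } else { $null }
    [pscustomobject]@{
        Setting    = $key
        Path       = $value
        OnNewDrive = ($value -like "$ExpectedDrive*")
        PathExists = [bool]($value -and (Test-Path -LiteralPath $value))
    }
}
$results | Format-Table -AutoSize

# Mail flow only resumes once the transport service is back up
Get-Service MSExchangeTransport | Select-Object Name, Status
```

Any row with OnNewDrive or PathExists set to False means the move did not complete as intended and the old location is probably still in use.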

Cheers

Posted in Mix & Match | Leave a Comment »

Dell Hardware Info thru Powershell

Posted by Brajesh Panda on November 13, 2015

http://en.community.dell.com/techcenter/os-applications/w/wiki/4145.agentless-management-with-powershell-3-0-cim-cmdlets-and-idraclifecycle-controller?utm_content=buffere803b&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

Posted in Mix & Match | Leave a Comment »

Work

Posted by Brajesh Panda on October 13, 2015

Posted in Mix & Match | Leave a Comment »

Windows Azure is currently performing an operation on this deployment that requires exclusive access.

Posted by Brajesh Panda on June 23, 2015

Here is an error I encountered when trying to run parallel operations against the same Cloud Service, like Start-AzureVM or Stop-AzureVM -Force.

ConflictError: Windows Azure is currently performing an operation with x-ms-requestid 2fdae353bba7bd40831b50eda73a2547 on this deployment that requires exclusive access.

This is a limitation in Azure right now. It happens due to locking at the backend on the Cloud Service's network provisioning.
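One way to work around the lock is to serialize operations per Cloud Service and retry when the conflict still shows up. This is an added example, not from the original post; it uses the classic Start-AzureVM/Stop-AzureVM cmdlets the post mentions, and the function name, VM names and retry timings are my own.

```powershell
# Added example (not from the original post): run VM operations one at a time per
# Cloud Service so they never compete for the deployment lock, and retry on the
# "requires exclusive access" conflict. VM names are placeholders.
function Invoke-AzureVmOpSerialized {
    param(
        [Parameter(Mandatory)][string[]]$VmName,
        [ValidateSet('Start','Stop')][string]$Operation = 'Start',
        [int]$MaxAttempts = 5
    )
    $vms = Get-AzureVM | Where-Object { $VmName -contains $_.Name }

    # Group by ServiceName: VMs in different services can be handled independently,
    # VMs in the same service are processed strictly in sequence.
    foreach ($group in ($vms | Group-Object ServiceName)) {
        foreach ($vm in $group.Group) {
            $attempt = 0
            do {
                $attempt++
                try {
                    if ($Operation -eq 'Start') {
                        Start-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name -ErrorAction Stop
                    } else {
                        Stop-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name -Force -ErrorAction Stop
                    }
                    $done = $true
                } catch {
                    if ($_.Exception.Message -match 'requires exclusive access' -and $attempt -lt $MaxAttempts) {
                        Write-Warning "$($vm.Name): deployment busy, retrying in $(15 * $attempt)s"
                        Start-Sleep -Seconds (15 * $attempt)
                        $done = $false
                    } else {
                        throw
                    }
                }
            } until ($done)
        }
    }
}

Invoke-AzureVmOpSerialized -VmName 'vm01','vm02' -Operation Stop
```

The backoff grows with each attempt so repeated retries do not hammer the service while the other operation finishes.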

Posted in Mix & Match | Leave a Comment »

When sending email with Send As Permission, store Sent Emails in Original Mailbox’s Sent Items folder

Posted by Brajesh Panda on June 16, 2015

By default they get stored in the sender's Sent Items folder. Set this registry value and restart Outlook.

DelegateSentItemsStyle Registry Value

To move sent messages to the correct Sent Items folder in Outlook 2010, 2007, or 2003, you need to enable a registry setting. (If you have the latest service pack for your version of Outlook, the hotfix may already be installed.)

Outlook 2013

Open the registry editor and browse to:

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Preferences

DWORD: DelegateSentItemsStyle

Data Value: 1

Outlook 2010

In Outlook 2010, you need to have SP1 (or greater) installed. Open the registry editor and browse to:

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Preferences

DWORD: DelegateSentItemsStyle

Data Value: 1

Outlook 2007

In Outlook 2007, install the June 30, 2009 hotfix, described in KB article 970944. Then open the registry editor and browse to:

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Preferences

DWORD: DelegateSentItemsStyle

Data Value: 1

Outlook 2003

For Outlook 2003, you need this hotfix package. Once it's installed, open the registry editor and browse to:

HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Preferences

DWORD: DelegateSentItemsStyle

Data Value: 1
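The same setting applied from PowerShell for whichever of the Outlook versions above has a Preferences key on the current user. This is an added example rather than part of the original post; the function name is my own, and it supports -WhatIf so the change can be previewed before the value is written.

```powershell
# Added example (not from the original post): set DelegateSentItemsStyle=1 under
# every Outlook version key listed above that exists for the current user.
function Enable-DelegateSentItemsStyle {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Registry version numbers from the post mapped to their Outlook release
    $versions = @{ '15.0' = 'Outlook 2013'; '14.0' = 'Outlook 2010'; '12.0' = 'Outlook 2007'; '11.0' = 'Outlook 2003' }
    foreach ($ver in $versions.Keys) {
        $key = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Preferences"
        if (-not (Test-Path $key)) { continue }   # that Outlook version has no profile here

        $before = (Get-ItemProperty -Path $key -Name DelegateSentItemsStyle -ErrorAction SilentlyContinue).DelegateSentItemsStyle
        if ($PSCmdlet.ShouldProcess($key, 'Set DelegateSentItemsStyle (DWORD) = 1')) {
            New-ItemProperty -Path $key -Name DelegateSentItemsStyle -PropertyType DWord -Value 1 -Force | Out-Null
        }
        [pscustomobject]@{
            Outlook = $versions[$ver]
            Key     = $key
            Before  = $before
            After   = (Get-ItemProperty -Path $key -Name DelegateSentItemsStyle -ErrorAction SilentlyContinue).DelegateSentItemsStyle
        }
    }
}

# Preview first, then apply and restart Outlook for the change to take effect
Enable-DelegateSentItemsStyle -WhatIf
Enable-DelegateSentItemsStyle
```

The Before/After columns make it easy to confirm that only the intended value changed.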

Posted in Mix & Match | Leave a Comment »

Pick a word from excel cell after/before a character

Posted by Brajesh Panda on May 29, 2015

Pick word(s) from an Excel cell after/before a character. Assuming b.panda@abc.com is in cell A1.

Pick the domain name after @ (gives abc.com):

=MID(A1,FIND("@",A1)+1,256)

Pick the user ID before @ (gives b.panda):

=LEFT(A1,(FIND("@",A1,1)-1))

Posted in Mix & Match | Leave a Comment »

Windows Storage Performance Measurement with DiskSPD

Posted by Brajesh Panda on May 5, 2015

http://blogs.technet.com/b/josebda/archive/2014/10/13/diskspd-powershell-and-storage-performance-measuring-iops-throughput-and-latency-for-both-local-disks-and-smb-file-shares.aspx

Demo1: https://youtu.be/l2QBvNwJx64

Demo2: https://youtu.be/u8ZYhUjSUoI

Posted in Mix & Match | Leave a Comment »

Powershell: Networking Commands

Posted by Brajesh Panda on April 22, 2015

http://blogs.technet.com/b/josebda/archive/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup.aspx

http://blogs.technet.com/cfs-filesystemfile.ashx/__key/telligent-evolution-components-attachments/01-3813-00-00-03-64-82-43/Windows-PowerShell-equivalents-for-common-networking-commands.pdf

My favorites

1. Test-NetConnection -ComputerName www.microsoft.com | Select -ExpandProperty PingReplyDetails | fl

2. Test-NetConnection www.microsoft.com -TraceRoute

3. Resolve-DnsName microsoft.com -Server 8.8.8.8 -Type MX

Posted in Mix & Match | Leave a Comment »

Get Public IP using Powershell

Posted by Brajesh Panda on April 3, 2015

http://www.telize.com/

Invoke-WebRequest -URI http://ip.telize.com

Invoke-WebRequest -URI http://www.telize.com/jsonip

Invoke-WebRequest -URI http://www.telize.com/geoip

Invoke-RestMethod -URI http://ip.telize.com

Invoke-RestMethod -URI http://www.telize.com/jsonip

Invoke-RestMethod -URI http://www.telize.com/geoip

Posted in Mix & Match | Leave a Comment »

Powershell# HTML Report with Multiple Tables

Posted by Brajesh Panda on January 8, 2015

## ConvertTo-Html -Fragment is used.
## Reference http://blogs.technet.com/b/heyscriptingguy/archive/2013/04/01/working-with-html-fragments-and-files.aspx
## Execution ## save the script as html-fragment.ps1 and run as ".\html-fragment.ps1 > html-fragment.htm"

$computername = Read-Host "Type computername"

function Get-CSInfo {
    param($computername)
    # Collect OS, computer system and BIOS details over WMI
    $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computername
    $cs   = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $computername
    $bios = Get-WmiObject -Class Win32_BIOS -ComputerName $computername
    $props = @{
        'ComputerName' = $computername
        'OS Version'   = $os.version
        'OS Build'     = $os.buildnumber
        'Service Pack' = $os.servicepackmajorversion
        'RAM'          = $cs.totalphysicalmemory
        'Processors'   = $cs.numberofprocessors
        'BIOS Serial'  = $bios.serialnumber
    }
    $obj = New-Object -TypeName PSObject -Property $props
    Write-Output $obj
}

# Each fragment is a standalone HTML list/table with its own heading
$frag1 = Get-CSInfo -computername $computername |
    ConvertTo-Html -As LIST -Fragment -PreContent '<h2>Computer Info</h2>' | Out-String

$frag2 = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=3' -ComputerName $computername |
    Select DeviceID, Freespace, Size |
    ConvertTo-Html -Fragment -PreContent '<h2>Disk Info</h2>' | Out-String

$head = @'
<style>
body { background-color:#dddddd;
       font-family:Tahoma;
       font-size:12pt; }
td, th { border:1px solid black;
         border-collapse:collapse; }
th { color:white;
     background-color:black; }
table, tr, td, th { padding: 2px; margin: 0px }
table { margin-left:50px; }
</style>
'@

# Combine the fragments into one page; output goes to stdout (redirect to a .htm file)
ConvertTo-HTML -head $head -PostContent $frag1,$frag2 -PreContent "<h1>Hardware Inventory for $computername</h1>"

# Output Screenshot



Posted in Mix & Match | Leave a Comment »

New Office 365 Admin Roles

Posted by Brajesh Panda on December 31, 2014

I think these are the new Office 365 (Azure AD) Admin roles. They are accessible thru powershell. Portal still shows old default ones. Yet to see any documents around them.

Name : Exchange Service Administrator

Description : Exchange Service Administrator.

Name : Partner Tier1 Support

Description : Allows ability to perform tier1 support tasks.

Name : Company Administrator

Description : Company Administrator role has full access to perform any operation in the company scope.

Name : Helpdesk Administrator

Description : Helpdesk Administrator has access to perform common helpdesk related tasks.

Name : Lync Service Administrator

Description : Lync Service Administrator.

Name : Directory Readers

Description : Allows access to various read only tasks in the directory.

Name : Directory Writers

Description : Allows access read tasks and a subset of write tasks in the directory.

Name : Billing Administrator

Description : Billing Administrator has access to perform common billing related tasks.

Name : Email Verified User Creator

Description : Allows creation of new email verified users.

Name : Partner Tier2 Support

Description : Allows ability to perform tier2 support tasks.

Name : AdHoc License Administrator

Description : Allows access manage AdHoc license.

Name : Service Support Administrator

Description : Service Support Administrator has access to perform common support tasks.

Name : SharePoint Service Administrator

Description : SharePoint Service Administrator.

Name : User Account Administrator

Description : User Account Administrator has access to perform common user management related tasks.

Posted in Mix & Match | Leave a Comment »

 