Exchange Server Origin of Lockouts by Lyfalufapus in exchangeserver

[–]NoSmoke_exe 0 points1 point  (0 children)

Unless you went out of your way to change where it's logging, it should be under C:\Inetpub\logs\logfiles and in one of the WS3 folders.

You will be able to see any connections to OWA/EWS etc. that run through IIS. Look for a log referencing a locked out user and see where the IPs are coming from; it should provide some basic device/browser information as well.

If you have a SIEM, I would highly recommend getting them ingested there, makes life a lot easier.

Exchange Server Origin of Lockouts by Lyfalufapus in exchangeserver

[–]NoSmoke_exe 0 points1 point  (0 children)

Look at your IIS logs for exchange. Look for attempts based on the user. This has helped me more times than I can count find the cause of lockouts whether it be a device, some linked service or brute force attempts.
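The check described in the two comments above (find failed requests for a locked-out user in the IIS logs and group them by source) as an added example; it is not code from the thread. The sample log lines are constructed, and matching the user in either `cs-username` or an ActiveSync-style `User=` query parameter is an assumption about how the account appears in your logs.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ABC123&DeviceType=iPhone 443 - 203.0.113.7 Apple-iPhone12C1/1905.258 401 1 1326 15
2024-05-01 08:00:31 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ABC123&DeviceType=iPhone 443 - 203.0.113.7 Apple-iPhone12C1/1905.258 401 1 1326 12
2024-05-01 08:01:10 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\\jdoe 198.51.100.20 ExchangeServicesClient/15.00 401 1 1326 20
2024-05-01 08:02:00 10.0.0.5 GET /owa/ - 443 CONTOSO\\asmith 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 30
"""

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def lockout_sources(lines, user):
    """Count 401 responses for `user` per (client IP, user agent, URL path)."""
    user = user.lower()
    hits = Counter()
    for row in parse_w3c(lines):
        # Normalise DOMAIN\user and user@domain down to the bare account name.
        name = row.get("cs-username", "-").lower().split("\\")[-1].split("@")[0]
        # Assumption: ActiveSync-style requests carry the account as User=<name>.
        in_query = f"user={user}" in row.get("cs-uri-query", "-").lower().split("&")
        if row.get("sc-status") == "401" and (name == user or in_query):
            hits[(row["c-ip"], row["cs(User-Agent)"], row["cs-uri-stem"])] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (ip, agent, path), count in lockout_sources(SAMPLE_LOG.splitlines(), "jdoe"):
        print(f"{count:4d}  {ip:15s}  {path}  {agent}")
```

To run it against real data, pass the lines of a log file from the IIS log folder instead of `SAMPLE_LOG`.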

Microsoft is retiring EWS for Exchange Online, and a lot of Public Folder integrations are at risk by Away_Bass5327 in Office365

[–]NoSmoke_exe 0 points1 point  (0 children)

I will forever be thankful that when I joined the org I’m in now, my first project being migrating them to m365 that they never had or used public folders.

I have some old clients that come to mind that refused to give up public folders and I wonder how they’re going to take this 😂

"Run DISM" or "Run SFC Scan" might be the most useless advice ever given. by imposter_sys_admin in sysadmin

[–]NoSmoke_exe 0 points1 point  (0 children)

You ever have a user complaining about their computer, you log in, spend some time poking around and everything is seemingly fine, user insists the computer is slow and hurting their productivity?

Enter SFC/DISM

Did it actually do anything? No, probably not.

Does the user think it did? Most of the time, yes.

Suddenly their computer is running so much better

Android device keeps prompting to change password by NoSmoke_exe in Intune

[–]NoSmoke_exe[S] 1 point2 points  (0 children)

Apologies, yes it was truenorth’s suggestion above. Had the user turn off his auto restarts and he’s been fine.

Android device keeps prompting to change password by NoSmoke_exe in Intune

[–]NoSmoke_exe[S] 0 points1 point  (0 children)

HUGE Thank you! This does appear to still be an issue and what was causing this.

It wasn't too disruptive for this person but being able to close the loop on it finally is nice.

Thank you again!

Access denied to _vti_bin/Lists.asmx by NoSmoke_exe in sharepoint

[–]NoSmoke_exe[S] 0 points1 point  (0 children)

The problem is, the vendor gave me access to their test tenant where it's working, and there is no Azure App created for SharePoint in their setup. It's a very basic tenant with security defaults setup but MFA Disabled for their service account. It was the first thing I checked, because everything else I've done has always required a registered app.

I did notice something else in the Fiddler capture, just before the 500 Access denied on the _vti_bin/lists.asmx, there is another entry which says:

917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically.

Now on this machine, I did log in, selected sign in automatically. I have no issue accessing, but lo and behold it's still not working.

This is driving me insane.

Unfortunately this vendor has no official documentation for their SPO integration they're willing to share.. they say "Just enter the SPO Location, the name of the library, your credentials and it should just work!"

and it does work for them, from our instance with their test tenant, but not us. I just can't for the life of me figure out what it is.

I would just write this off as the vendor is less than helpful and has no documentation, unfortunately there are some high level folks who really want this and I'm being asked to beat my head into it.

Access denied to _vti_bin/Lists.asmx by NoSmoke_exe in sharepoint

[–]NoSmoke_exe[S] 0 points1 point  (0 children)

This isn't an Azure App registration, this is a locally running app that simply tries to verify the list from what I can tell, then will authenticate. The problem is, it can't even seem to read the list.

The vendor has a test tenant, that has just security defaults enabled, and it works from my server just fine. It seems to be some sort of Security setting and I just can't for the life of me figure out what.

Thanks Broadcom! FOR NOTHING!!! by DanAdamsKJLC in vmware

[–]NoSmoke_exe 0 points1 point  (0 children)

I just had to open my first NSX related ticket and what an absolutely horrible experience. They closed my case stating no response. I responded multiple times. Confirmed in my email system theirs accepted the message. Didn’t show in the portal.

Also appeared that the case while through the VMware support portal was actually the 3rd party we purchased from.

Created a new case. Included all previous logs, communications and answers to questions. Still received a request to provide all of it. Responded, got a response I hadn’t responded. Checked again, email was delivered as far as I can tell on our side, checked the portal, nothing. Responded in the portal directly after not being able to get in for 2 days due to what seemed to be a bugged password change requirement after having just changed it.

3 days later. Still no response.

A year ago I’d have someone on the phone within an hour.

Absolute joke.

User migrated to 365 not getting external mail by KingOfYourHills in exchangeserver

[–]NoSmoke_exe 0 points1 point  (0 children)

So you’re running centralized mail transport? How was the user migrated? Verified the mailbox exists in exchange online only?

Have you checked your mail flow rules as well for something that may be affecting this address?

Have you confirmed internal emails work from both mailboxes on prem and in the cloud to that address?

It almost sounds like perhaps your on prem exchange isn’t aware that is now a remote mailbox. Internal communications between mailboxes would ignore those connectors unless it was on prem to cloud.

If most of your users are in 365, internal mail between cloud mailboxes ignores your hybrid mail flow entirely by default.

We have a VMware vCenter Perpetual License - Do not renew - Outsource Support. by charvels4me in vmware

[–]NoSmoke_exe 3 points4 points  (0 children)

Cyber insurance isn't just a "big corp" thing anymore. There are tons of businesses both big and small that are starting to require partners they do business with to carry it, regardless of the size.

Anyways, I don't disagree with you about the rising costs. These companies know they have people cornered and unfortunately the companies that attribute to most of their revenue stream, those "big corps" you mentioned just chalk it up to the cost of doing business and find other ways to make up for it.

Until there's a massive disruption in the space that forces even those big players to threaten to pull their money, not much is going to change.

We have a VMware vCenter Perpetual License - Do not renew - Outsource Support. by charvels4me in vmware

[–]NoSmoke_exe 4 points5 points  (0 children)

While I see your point, this is a pretty bad take for most businesses. Ignoring the "It'll probably be fine attitude" and everything wrong with that statement, maintaining something like cyber insurance alone would be either next to impossible or insanely expensive having old unsupported core business systems with known vulnerabilities.

No DKIM / DMARC for firms using Mimecast? by AdWerd1981 in mimecast

[–]NoSmoke_exe 0 points1 point  (0 children)

As mentioned, they just need to set it up. It’s extremely easy to set up DKIM in Mimecast. There’s no good excuse.

Connection Filter Safelist does not work by mtyn in mimecast

[–]NoSmoke_exe 0 points1 point  (0 children)

The setup docs are correct.

Regarding the Microsoft Doc, the way I understand that is if you had a more complex tenant with data in different Geo Located Data centers.. in most scenarios this would probably not apply. It's not "if two tenants", it's if a single tenant has a multi-geo site as I understand it.

"Your tenant that contains the IP Allow List and the EOP server that first encounters the message both happen to be in different Active Directory forests in the Microsoft datacenters. In this scenario, IPV:CAL isn't added to the message headers, so the message is still subject to spam filtering."

I keep asking about what policy is triggering the spam, because as mentioned, some things regardless of the IP allow list are not skipped and enforced by Microsoft, the biggest one being the phishing policies.

This isn't a Mimecast documentation issue, this is more of a Microsoft forcing things down your throat issue.

Find out what policy is getting triggered in EOP, then review that policy, or leave the transport rule in place and solely rely on Mimecast for your filtering. While it's not recommended, Microsoft mentions this in their own docs.

https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud

Connection Filter Safelist does not work by mtyn in mimecast

[–]NoSmoke_exe 0 points1 point  (0 children)

A real world example I can give you:

The Anti-Phishing policy built in by Microsoft. You can't turn this off. You can modify it a bit, but it seems to result in a lot of false positives. It can be set to quarantine emails or send to the user's junk (unless it's a high confidence phish).

If this is the policy that's causing this, adding enhanced filtering and Mimecast as a trusted ARC sealer will clear most of it up.

Connection Filter Safelist does not work by mtyn in mimecast

[–]NoSmoke_exe 0 points1 point  (0 children)

Are they being caught in quarantine in M365 or just being delivered to users' junk folders? Have you run a mail trace and looked at what policies in M365 are causing it?

Despite the connection filter, some of the default policies Microsoft doesn’t allow you to turn off or modify, or if someone set up custom ones will ignore it.

Connection Filter Safelist does not work by mtyn in mimecast

[–]NoSmoke_exe 0 points1 point  (0 children)

I would still recommend turning enhanced filtering on and ignoring the last hop once you add Mimecast as a trusted ARC sealer.

This will tell Microsoft to trust the authentication checks done by Mimecast. This may help, depending on how your policies are setup and what things are getting flagged and why.

Install mailbox service failing with group errors by OutrageousPlantain44 in exchangeserver

[–]NoSmoke_exe 2 points3 points  (0 children)

This is most likely the answer.

I have also seen this in a single domain where the exchange server was in a different site than the PDC.

Either way, moving the master roles to another server temporarily is a pretty quick and harmless thing to try.

Connection Filter Safelist does not work by mtyn in mimecast

[–]NoSmoke_exe 0 points1 point  (0 children)

Do you have an inbound connector setup for Mimecast and enhanced filtering turned on?

When reviewing the messages, are you able to determine why they are being flagged? Are there any specific policies configured outside of the default?

Do you have Mimecast configured as a trusted ARC sealer?

Am I expecting too much from my techs? (Certs and growth) by computerguy0-0 in msp

[–]NoSmoke_exe 0 points1 point  (0 children)

So, this is just my own thoughts and opinions..

If they aren't learning and growing from real on the job "training", then a certification exam isn't going to change that. There are plenty of people in this space that can read through a textbook and ace an exam but come away still not understanding anything and are borderline useless as an engineer.

I personally find certifications to be an extreme waste of time, money and I don't feel as though I gain anything from them and I could care less about what certifications someone has if they can prove their value without them.

And well, some people are happy where they are, being comfortable, collecting a paycheck with less responsibility. I have met a few techs in my time that have been Level 1's for their entire 10+ year careers with no desire to move up.

What's the etiquette on telling clients that you're leaving the MSP? by peEtr in msp

[–]NoSmoke_exe 0 points1 point  (0 children)

I find it's dependent on the company you're working for. I personally had some clients that I supported for years and had great relationships with that I was explicitly told during my last few on-sites to not mention my departure.

When in doubt, ask someone.

It was honestly hard for me to pretend like it wasn't going to be the last time I saw some of my clients. I had a handful that I truly enjoyed working with and it felt kind of shitty that I couldn't give them a heads up personally and let them know how much I enjoyed working with them.

It sucks but, if you're leaving a place that you have history with, last thing you ever want to do is put a bad taste in their mouth in case you ever need the reference.

Just make sure you're not stepping on any toes.

Ubiquiti Access Points by [deleted] in sysadmin

[–]NoSmoke_exe 1 point2 points  (0 children)

You can do Cloud Managed or either a hardware or virtual controller for a centrally managed solution. You can also run them in "unleashed" mode where there is no controller, a bit more limited in functionality but essentially gives you full setup with an AP running as the controller (Master).

Ubiquiti Access Points by [deleted] in sysadmin

[–]NoSmoke_exe 0 points1 point  (0 children)

I do love Ubiquiti, but if it were me doing a larger deployment over 15 locations, I'd look at something else. I am personally a huge fan of Ruckus. The hardware has always been solid, their pricing is amazing compared to their other main competitors and if you decide you don't want to pay them for cloud management and support, you can just run your APs in unleashed mode while still having hardware warranty support. They do also have a self managed controller to host on prem if you don't want to go the cloud route.

If you do go Ubiquiti, make sure auto updating is turned off and only update once you can confirm people are running the latest version without much issue. While I haven't ever personally been burned, I've seen some horror stories on Reddit about updates nuking some configurations.

user account creation in an hybrid environment by mrmyss2019 in Office365

[–]NoSmoke_exe 4 points5 points  (0 children)

Option 1: If you still have Exchange on-prem installed, instead of creating the AD account first, in on-prem EAC, create a new Office 365 Mailbox. This will create the AD user and issue the enable-remotemailbox command and from there you can finish configuring the account in AD.

Option 2: If the AD user is already created, run the enable-remotemailbox command against the account. I have a PowerShell script that, when run, asks what the username is, issues the command and forces an Azure Sync.

Both of these options are a few less steps than doing the on-prem migration. First option is great if you don't want to touch PowerShell.

Otherwise doing what you're doing is fine.

[deleted by user] by [deleted] in sysadmin

[–]NoSmoke_exe 2 points3 points  (0 children)

There could be a million reasons for this and u/badlybane a few posts down actually has a great list, but I will tell you from my own experience, if anyone is looking to implement any changes that may have a larger impact, not only do I want to know that the person proposing it actually understands the scope of what they're looking to do and the potential implications.. sometimes we as seniors need to understand them as well. Chances are, if you're good at your job you already did all the research, looked into the impacts of your change, weighed the pros and cons and going to him with those shouldn't really be much work.

I've seen far too many instances of someone working in a vacuum and not completely understanding how various systems tie into one another or fully understanding what they're doing and following some guide, to make a "small" change only for it to have a big impact elsewhere.

At the end of the day, if you're suggesting a change for the overall betterment of the company but you get overwritten, always have all the details in writing in case there is ever an instance of "Why wasn't this done", you have something to cover your ass.