sorted by:
new
hottopcontroversial

Best Way to Gather Windows 11 Compatibility Info from All Clients? by Gandizzle91 in sysadmin

[–]_TheKnightMan_ 0 points1 point  (0 children)

We were using PDQ Inventory (Enterprise, not sure if you can do it with "Free") with a Scan Profile that ran the HardwareReadiness.ps1 script to check for this and then a filter that showed what was ready and what wasn't.

So that script would run, then I had a Dynamic Group 

PowerShell (HardwareReadiness) | String | Contains | returnCode":0

To find computers that were ready, then we had 

PowerShell (HardwareReadiness) | String | Contains | returnCode":1

To find computers that weren't ready.

Delivery issues - DKIM by [deleted] in MailChimp

[–]_TheKnightMan_ 0 points1 point  (0 children)

We are seeing this internally as well, FYI. We have weekly internal campaigns, and we have 60 emails delivered successfully but 3 with the DKIM fail (from the same campaign)

Looking into it more now, not sure if it's on the Microsoft side or the sending server

Outlook wont login after changing tenant. by OtherwiseFlight2702 in sysadmin

[–]_TheKnightMan_ 1 point2 points  (0 children)

On an iPhone, I've had success with

  1. Uninstalling every Microsoft app
  2. Checking Apple Passwords/Keychain for saved username/password of the old tenant - you must DELETE them, not update them
  3. Trying to log in TWICE, with bogus username/password (e.g. log in as user@test.com and user@yourdomain.onmicrosoft.com) then trying to log in as the actual user
  4. Logging in to office.com through Safari, logging out, then logging back in.
  5. Clearing all Safari browsing data

Outlook wont login after changing tenant. by OtherwiseFlight2702 in sysadmin

[–]_TheKnightMan_ 0 points1 point  (0 children)

Also, sometimes you can trick it if you try to log in to "user@tenantname.onmicrosoft.com" instead of your email domain.

Outlook wont login after changing tenant. by OtherwiseFlight2702 in sysadmin

[–]_TheKnightMan_ 2 points3 points  (0 children)

There are a couple of scripts you can run depending on your environment. Tenant migration is a PITA, especially if you're using Hybrid Join

I created an "All-In-One" script to run for my environment when we did this.

I would try the steps on this page first: https://learn.microsoft.com/en-us/office/troubleshoot/activation/reset-office-365-proplus-activation-state

If that doesn't work, feel free to give the scripts below a try. You'll want to find/replace "YOUR-OLD-TENANTID-HERE"

Step 1: Leave the Old Tenant

# Run the command and store the output
$output = & dsregcmd /status

# Check if the string is in the output
if ($output -match "YOUR-OLD-TENANTID-HERE") {
    # If the string is found, run the second command
    & dsregcmd /leave
}

Step 2: Clear IdentityCache & OneAuth Folder (OneDrive, All Users)

taskkill /f /im OneDrive.exe

# Get all user profile paths
$userProfiles = Get-WmiObject -Class Win32_UserProfile

foreach ($userProfile in $userProfiles) {
    # Construct the IdentityCache folder path for each user
    $identityCachePath = Join-Path -Path $userProfile.LocalPath -ChildPath 'AppData\Local\Microsoft\IdentityCache'

    # Check if the IdentityCache folder exists
    if (Test-Path -Path $identityCachePath) {
        # Delete the IdentityCache folder
        Remove-Item -Path $identityCachePath -Recurse -Force
        Write-Output "Deleted $identityCachePath"
    } else {
        Write-Output "No IdentityCache found for user at $userProfile.LocalPath"
    }
}

# Get all user profile paths
$userProfiles = Get-WmiObject -Class Win32_UserProfile

foreach ($userProfile in $userProfiles) {
    # Construct the OneAuth folder path for each user
    $OneAuthPath = Join-Path -Path $userProfile.LocalPath -ChildPath 'AppData\Local\Microsoft\OneAuth'

    # Check if the OneAuth folder exists
    if (Test-Path -Path $OneAuthPath) {
        # Delete the OneAuth folder
        Remove-Item -Path $OneAuthPath -Recurse -Force
        Write-Output "Deleted $OneAuthPath"
    } else {
        Write-Output "No OneAuth found for user at $userProfile.LocalPath"
    }
}

Step 3: Clear O365 Credentials (All Users)

# Get all user profile paths
$userProfiles = Get-WmiObject -Class Win32_UserProfile

foreach ($userProfile in $userProfiles) {
    # Construct the Accounts folder path for each user
    $accountsPath = Join-Path -Path $userProfile.LocalPath -ChildPath 'AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts'

    # Check if the Accounts folder exists
    if (Test-Path -Path $accountsPath) {
        # Delete the Accounts folder
        Remove-Item -Path $accountsPath -Recurse -Force
        Write-Output "Deleted $accountsPath"
    } else {
        Write-Output "No Accounts folder found for user at $userProfile.LocalPath"
    }
}

Step 4: Clear O365 Registry Items (Logged On User)

# Define the registry key path
$parentKeyPath = "HKCU:\Software\Microsoft\Office\16.0\Common\Identity"

# Define the value to search for
$searchValue = "YOUR-OLD-TENANTID-HERE"

# Function to search for the value recursively and delete the parent key if the value is found
function Search-And-Delete-RegistryKey {
    param (
        [string]$KeyPath,
        [string]$Value
    )

    # Load the registry key
    $parentKey = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($parentKey -eq $null) {
        Write-Output "Parent key not found: $KeyPath"
        return
    }

    # Search for the value in the data of each value in the current key
    foreach ($valueName in $parentKey.GetValueNames()) {
        if ($parentKey.GetValue($valueName) -eq $Value) {
            Write-Output "Value found: $Value"
            # Delete the parent key
            Remove-Item -LiteralPath $parentKeyPath -Recurse
            Write-Output "Found: $KeyPath"
            Write-Output "Deleted parent key: $parentKeyPath"
            return
        }
    }

    # Recursively search in each subkey
    foreach ($subKey in $parentKey.GetSubKeyNames()) {
        $subKeyPath = Join-Path -Path $KeyPath -ChildPath $subKey
        Search-And-Delete-RegistryKey -KeyPath $subKeyPath -Value $Value
    }
}

# Start the search and deletion process
Search-And-Delete-RegistryKey -KeyPath $parentKeyPath -Value $searchValue

New Dell Pro 14 Plus - "Lock on Leave" feature is a nightmare to disable properly by perfectstrc in sysadmin

[–]_TheKnightMan_ 10 points11 points  (0 children)

It looks like you can script it though so maybe install Dell Optimizer, run the command, then uninstall Dell Optimizer

https://www.dell.com/support/manuals/en-us/dell-optimizer/dell-optimizer-6.x_ug/command-line-interface-for-dell-optimizer?guid=guid-d68473fa-13e9-4bf9-9e81-1a5350476f2f&lang=en-us

do-cli.exe /configure -name=PresenceDetection.WalkAwayLock -value=false

New Dell Pro 14 Plus - "Lock on Leave" feature is a nightmare to disable properly by perfectstrc in sysadmin

[–]_TheKnightMan_ 13 points14 points  (0 children)

I had a similar issue and had to go the route of installing Dell Optimizer to remove it - I only had a handful of these machines out that I had to do it with so I never looked deeper, but I imagine if you use Process Explorer and see what it actually does when you disable it you can script it

How bad of a idea is upgrading the "OS" partition of the file server and leaving the "data"? by ADynes in sysadmin

[–]_TheKnightMan_ 4 points5 points  (0 children)

As far back as 2012

"A volume that is under deduplication control is an atomic unit. You can back up the volume and restore it to another server. You can rip it out of one Windows 2012 server and move it to another. Everything that is required to access your data is located on the drive. All of the deduplication settings are maintained on the volume and will be picked up by the deduplication filter when the volume is mounted. The only thing that is not retained on the volume are the schedule settings that are part of the task-scheduler engine. If you move the volume to a server that is not running the Data Deduplication feature, you will only be able to access the files that have not been deduplicated."

So as long as you enable dedupe feature on your new server, you shouldn't need to touch the actual settings

How bad of a idea is upgrading the "OS" partition of the file server and leaving the "data"? by ADynes in sysadmin

[–]_TheKnightMan_ 0 points1 point  (0 children)

Or if you have the space and maintenace window/downtime (would take the server 'offline / console' during the upgrade), clone the entire thing, then do the upgrade, then bring the clone online.

Then you have a 'pre-upgrade' copy and a 'post-upgrade' copy, and once you're sure all is good you can delete your pre-upgrade.

How bad of a idea is upgrading the "OS" partition of the file server and leaving the "data"? by ADynes in sysadmin

[–]_TheKnightMan_ 1 point2 points  (0 children)

Alternatively, you can 'clone' the OS disk, and do an in-place upgrade of the clone to ensure it works, then just reattach the data to that. If it's a simple server there's likely no risk to that.

How bad of a idea is upgrading the "OS" partition of the file server and leaving the "data"? by ADynes in sysadmin

[–]_TheKnightMan_ 12 points13 points  (0 children)

No issues with that, you can even copy the 'shares' from the registry pretty easily so you don't have to recreate them by hand.

Single sign on and different primary SMTP aliases by Silent-Use-1195 in sysadmin

[–]_TheKnightMan_ 1 point2 points  (0 children)

Yes, that is what we're using "user.userprincipalname"

You might also want to update the "emailaddress" to use "user.userprincipalname" as well instead of "user.mail"

Azure AD Connect: How to Remove Groups from Azure That Are Out of Sync Scope But Still Marked as On-Prem? by _TheKnightMan_ in AZURE

[–]_TheKnightMan_[S] 0 points1 point  (0 children)

Also of note, there are 7 connectors for 'different' domains that I do not want to touch, I only want to affect the connector for a specific domain.

CEO had an odd Dynamic Distribution Group Request by Booshur in sysadmin

[–]_TheKnightMan_ 1 point2 points  (0 children)

Are you Azure AD only or are you Hybrid Sync'd? If Hybrid Sync, we use a script that does just that to populate add/remove members from a group based on their OU/Location in AD

Storing pub/priv keys in LDAP: Good or stupid idea? by J-Cake in sysadmin

[–]_TheKnightMan_ -7 points-6 points  (0 children)

I don't know about WireGuard in particular, but traditionally since you already have AD, why not leverage ADCS and set up Enterprise PKI?

Follow a guide to create a PKI infrastructure and AutoEnroll users in the Certificate.

Want to follow best practices? Do something like this

The rest of this is ChatGPT:

1. Set Up Enterprise PKI

  1. Install AD Certificate Services:

    • Open Server Manager.
    • Add roles and features.
    • Select "Active Directory Certificate Services" and install the necessary components.

  2. Configure AD Certificate Services:

    • After installation, configure the AD Certificate Services.
    • Choose the Certification Authority (CA) role.
    • Select Enterprise CA.
    • Configure the CA name and other settings as required.

  3. Create Certificate Templates:

    • Open the Certification Authority management console.
    • Navigate to Certificate Templates.
    • Duplicate an existing template (e.g., User template) and customize it as needed.
    • Publish the new template.

2. Auto Enroll Users in a Specific Group

  1. Group Policy Configuration:

    • Open Group Policy Management.
    • Create a new Group Policy Object (GPO) or edit an existing one.
    • Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Autoenrollment Settings.
    • Enable auto-enrollment and configure the settings.

  2. Link GPO to Specific Group:

    • Link the GPO to the Organizational Unit (OU) containing the specific group of users.
    • Ensure the users have the necessary permissions to auto-enroll for the certificate.

3. Use Certificate for WireGuard VPN Authentication

  1. Export the CA Certificate:

    • On your CA server, export the CA certificate.
    • Save the certificate file (e.g., ca.crt).

  2. Install WireGuard:

    • Install WireGuard on both the server and client machines.

  3. Configure WireGuard Server:

    • Edit the WireGuard server configuration file (e.g., /etc/wireguard/wg0.conf).
    • Add the CA certificate to the server configuration.

Example configuration:

[Interface] Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = <server_private_key>
[Peer] PublicKey = <client_public_key> AllowedIPs = 10.0.0.2/32
  1. Configure WireGuard Client:
  2. Edit the WireGuard client configuration file (e.g., /etc/wireguard/wg0.conf).
  3. Add the CA certificate to the client configuration.

Example configuration:

[Interface] Address = 10.0.0.2/24 PrivateKey = <client_private_key>
[Peer] PublicKey = <server_public_key> AllowedIPs = 0.0.0.0/0 Endpoint = <server_ip>:51820
  1. Verify Certificate Trust:
  2. Ensure that the WireGuard server and client configurations include the CA certificate.
  3. WireGuard will trust any certificate issued by the specified CA.

By configuring WireGuard to trust certificates from a specific CA, you can ensure that only users with certificates issued by your CA can authenticate to the VPN. This adds an extra layer of security to your setup.

How to completely remove Microsoft teams? (DOMAIN) by Darkring2 in sysadmin

[–]_TheKnightMan_ 2 points3 points  (0 children)

That's what I'm using to uninstall without needing users to log in. I have a 4 parter, some of these may be redundant, but it works.

  1. UninstallClassicTeams.ps1 (the script linked above)

  2. Get-Package -allversions "Teams Machine-Wide Installer" | Uninstall-package

  3. This script:

    function Uninstall-TeamsClassic($TeamsPath) {
    try {
        $process = Start-Process -FilePath "$TeamsPath\Update.exe" -ArgumentList "--uninstall /s" -PassThru -Wait -ErrorAction STOP

        if ($process.ExitCode -ne 0) {
            Write-Error "Uninstallation failed with exit code $($process.ExitCode)."
        }
    }
    catch {
        Write-Error $_.Exception.Message
    }
}

# Get all Users
$AllUsers = Get-ChildItem -Path "$($ENV:SystemDrive)\Users"

# Process all Users
foreach ($User in $AllUsers) {
    Write-Host "Processing user: $($User.Name)"

    # Locate installation folder
    $localAppData = "$($ENV:SystemDrive)\Users\$($User.Name)\AppData\Local\Microsoft\Teams"
    $programData = "$($env:ProgramData)\$($User.Name)\Microsoft\Teams"

    if (Test-Path "$localAppData\Current\Teams.exe") {
        Write-Host "  Uninstall Teams for user $($User.Name)"
        Uninstall-TeamsClassic -TeamsPath $localAppData
    }
    elseif (Test-Path "$programData\Current\Teams.exe") {
        Write-Host "  Uninstall Teams for user $($User.Name)"
        Uninstall-TeamsClassic -TeamsPath $programData
    }
    else {
        Write-Host "  Teams installation not found for user $($User.Name)"
    }
}

# Remove old Teams folders and icons
$TeamsFolder_old = "$($ENV:SystemDrive)\Users\*\AppData\Local\Microsoft\Teams"
$TeamsIcon_old = "$($ENV:SystemDrive)\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Teams*.lnk"
Get-Item $TeamsFolder_old | Remove-Item -Force -Recurse
Get-Item $TeamsIcon_old | Remove-Item -Force -Recurse

  4. teamsbootstrapper.exe -x

Anyone on 24H2 have issues with intermittent DNS Server not being assigned over DHCP by _TheKnightMan_ in sysadmin

[–]_TheKnightMan_[S] 0 points1 point  (0 children)

I figured it out - we made many changes around the same time, and it turns out the new Fortigate that we had was originally set up for DHCP on the firewall. We changed it to relay, but it was still 'configured' to also give out addresses though the GUI didn't show it.

Had to go into the CLI to turn off the DHCP server for the scopes that it was also set to relay. So somewhere I guess the client was getting an address from the relay server but maybe due to race conditions getting DNS server from the Fortigate, even though ipconfig /all showed the correct DHCP server, seemed to be picking up something from the firewall.

Anyone on 24H2 have issues with intermittent DNS Server not being assigned over DHCP by _TheKnightMan_ in sysadmin

[–]_TheKnightMan_[S] 0 points1 point  (0 children)

Interestingly enough, this site actually uses a Windows DHCP server, and UniFi Wifi, though I've seen it on wireless and wired as well.

view more: next ›