Hiding Users from Exchange Online Address Book

This is assuming DirSync is syncing users from on-premises AD to 365/Azure AD.

First thing to try for all users:

Set-ADUser <Active Directory username> -Add @{msExchHideFromAddressLists="TRUE"}

There are a variety of issues that might prevent this from working. You’ll have to customize these steps to suit your environment.

Stage 1 is to try to set the “hide from address book” flag in Exchange, if these are old users who weren’t DirSync’ed.

First, I get a list of all users in a specific OU (where all disabled users are placed) and filter on UserPrincipalName – for me, all actual user UPNs (as opposed to service/temporary accounts) end with the company’s email domain, not <the AD domain.local>, so I filter out the .local users.

$DisabledUsers = Get-ADUser -Filter * -SearchBase "OU=Archived,OU=Users,OU=Paramount-NYC,DC=paramount,DC=local" | Select-Object Name, SamAccountName, UserPrincipalName | Where-Object UserPrincipalName -NotLike "*local"

Now, I get the mailboxes for those users, but select only those that don’t have the “hide from address book” flag set in 365.

$nothidden = foreach ($i in $DisabledUsers.Name) { Get-Mailbox $i -ErrorAction Ignore | Select-Object Name, PrimarySmtpAddress, HiddenFromAddressListsEnabled | Where-Object HiddenFromAddressListsEnabled -ne $true }

Then, set the flag. In my case, this worked for some users (who weren’t dirsync’ed), and for the others, I couldn’t set this flag here.

foreach ($i in $nothidden.Name) {
Set-Mailbox -Identity $i -HiddenFromAddressListsEnabled $True -Confirm
}

For some users, the AD “msExchHideFromAddressLists” attribute was set, but it didn’t sync to 365. 365 ECP wouldn’t allow me to check the box.
This is because the disabled users are moved into a separate OU which DirSync ignored, so the attribute was never synced and the user was stuck in a limbo state.
I had to put those users back into the normal OU so DirSync would push the changes.

Move the users:
foreach ($i in $nothidden.Name) { Get-ADUser -Filter "Name -eq '$i'" | Move-ADObject -TargetPath 'OU=Users,OU=MyCompany,DC=Company,DC=local' -Verbose }

# List the properties
foreach ($i in $nothidden.Name) { Get-ADUser -Filter "Name -eq '$i'" -Properties msExchHideFromAddressLists | Select-Object Name, msExchHideFromAddressLists }

# Enable the flag:
foreach ($i in $nothidden.Name) { Get-ADUser -Filter "Name -eq '$i'" | Set-ADObject -Replace @{msExchHideFromAddressLists=$true} }

### Stage 2: After all of this, some users STILL aren’t syncing properly. This is because of issues with litigation hold being enabled and mismatched archive GUIDs.
https://blogs.technet.microsoft.com/exovoice/2016/11/07/how-to-fix-office365-user-provisioning-issues-that-are-generated-by-faulty-exchange-attributes/

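# Get the users that still have the flag NOT set to true.
# Re-query Exchange Online here: $nothidden is a snapshot taken before the changes, so filtering it again would return every user.
$stillnothidden = foreach ($i in $nothidden.Name) { Get-Mailbox $i -ErrorAction Ignore | Select-Object Name, PrimarySmtpAddress, HiddenFromAddressListsEnabled | Where-Object HiddenFromAddressListsEnabled -ne $true }
# Collect the provisioning errors recorded for those users, then display them.
$usererrors = foreach ($i in $stillnothidden.PrimarySmtpAddress) { (Get-MsolUser -UserPrincipalName $i).Errors.ErrorDetail.ObjectErrors.ErrorRecord }
$usererrors | Format-List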

# get the archive guids from Exchange
$archiveguids = foreach ($i in $stillnothidden.PrimarySmtpAddress) { Get-Mailbox $i | Select-Object Name, PrimarySmtpAddress, ArchiveGuid }

# get the current archive guids before changing anything:
foreach ($i in $archiveguids.Name) { Get-ADUser -Filter "Name -eq '$i'" -Properties msExchArchiveGuid | Select-Object Name, msExchArchiveGuid }

Find the user on the Office 365 admin portal. You will get an error like this (I’m sure this can be done from PowerShell as well). P.S. Make sure the user principal name is set properly! P.P.S. make sure the MailNickName is also set!

###### I’m not 100% sure that what’s below this line works. If not, skip down to the bottom section.

Get the CloudArchiveGuid and create a new PowerShell variable using that as the value.

[System.Guid]$guid = '8ca06e84-b159-42a7-a380-acb5fcfe676e'

Then, set the archive attribute in the user’s AD account.

Set-ADUser <username> -Replace @{msExchArchiveGuid=$guid.ToByteArray()}

###### (End of section I’m not sure about)

I couldn’t figure out how to set this with PowerShell, but to get the value to enter manually, type these commands into PowerShell:

[System.Guid]$guid = "bb7518b8-537e-4321-b658-8728059894f9"

($Guid.ToByteArray() | foreach { $_.ToString('x2') }) -Join ' '

Open Active Directory Users and Computers, open the user’s properties, then go to the Attribute Editor. (Go to View > Advanced Features if you don’t see the editor)

Find the msExchArchiveGUID, double click it, and copy/paste the output from PowerShell into that attribute. Value format should be Hexadecimal.


Identifying and removing a defective driver / Windows can’t verify the publisher of this driver software

When receiving the error Windows can’t verify the publisher of this driver software:

Open C:\windows\inf\setupapi.dev.log

Search for the word FAILURE. You will find a section like this:

>> [Setup Import Driver Package – C:\Program Files\Dell\DellDataVault\Drivers\DellePSASysWin10\dddriver64Dcsa.inf]
>>> Section start 2019/04/30 07:46:02.002
cmd: C:\Windows\System32\MsiExec.exe -Embedding 7E4BACD9B4CD6B3FB70D782C28D28191 E Global\MSI0000
inf: Provider: Dell Technologies
inf: Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
inf: Driver Version: 02/27/2019,16.22.7.657
inf: Catalog File: dddriver64Dcsa.cat
pol: {Driver package policy check} 07:46:02.104
pol: {Driver package policy check – exit(0x00000000)} 07:46:02.104
sto: {Stage Driver Package: C:\Program Files\Dell\DellDataVault\Drivers\DellePSASysWin10\dddriver64Dcsa.inf} 07:46:02.119
inf: {Query Configurability: C:\Program Files\Dell\DellDataVault\Drivers\DellePSASysWin10\dddriver64Dcsa.inf} 07:46:02.119
inf: Driver package ‘dddriver64Dcsa.inf’ is configurable.
inf: {Query Configurability: exit(0x00000000)} 07:46:02.119
flq: Copying ‘C:\Program Files\Dell\DellDataVault\Drivers\DellePSASysWin10\dddriver64Dcsa.cat’ to ‘C:\Windows\System32\DriverStore\Temp\{8bbc32d0-21d9-6842-83b7-48cbdf75cbcf}\dddriver64Dcsa.cat’.
flq: Copying ‘C:\Program Files\Dell\DellDataVault\Drivers\DellePSASysWin10\dddriver64Dcsa.inf’ to ‘C:\Windows\System32\DriverStore\Temp\{8bbc32d0-21d9-6842-83b7-48cbdf75cbcf}\dddriver64Dcsa.inf’.
flq: Copying ‘C:\Program Files\Dell\DellDataVault\Drivers\DellePSASysWin10\dddriver64Dcsa.sys’ to ‘C:\Windows\System32\DriverStore\Temp\{8bbc32d0-21d9-6842-83b7-48cbdf75cbcf}\dddriver64Dcsa.sys’.
sto: {DRIVERSTORE IMPORT VALIDATE} 07:46:02.150
sig: {_VERIFY_FILE_SIGNATURE} 07:46:02.182
sig: Key = dddriver64Dcsa.inf
sig: FilePath = C:\Windows\System32\DriverStore\Temp\{8bbc32d0-21d9-6842-83b7-48cbdf75cbcf}\dddriver64Dcsa.inf
sig: Catalog = C:\Windows\System32\DriverStore\Temp\{8bbc32d0-21d9-6842-83b7-48cbdf75cbcf}\dddriver64Dcsa.cat
sig: Success: File is signed in catalog.
sig: {_VERIFY_FILE_SIGNATURE exit(0x00000000)} 07:46:02.202
!!! sig: Failed to verify file ‘dddriver64Dcsa.sys’ against catalog ‘dddriver64Dcsa.cat’. Error = 0xE000024B
!!! sig: Catalog did not contain file hash. File is likely corrupt or a victim of tampering.
!!! sig: Driver package appears to be tampered. Filename = dddriver64Dcsa.inf, Error = 0xE000024B
!!! sig: Driver package appears to be tampered, and user does not want to install it.
!!! sig: Driver package failed signature validation. Error = 0xE000024B
sto: {DRIVERSTORE IMPORT VALIDATE: exit(0xe000024b)} 07:50:44.184
!!! sig: Driver package failed signature verification. Error = 0xE000024B
!!! sto: Failed to import driver package into Driver Store. Error = 0xE000024B
sto: {Stage Driver Package: exit(0xe000024b)} 07:50:44.189
<<< Section end 2019/04/30 07:50:44.193
<<< [Exit status: FAILURE(0xe000024b)]

https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax

Run pnputil /enum-drivers to list third party drivers, so you can find the filename in the driver store:

Published Name: oem9.inf
Original Name: dddriver64dcsa.inf
Provider Name: Dell Technologies
Class Name: System devices
Class GUID: {4d36e97d-e325-11ce-bfc1-08002be10318}
Driver Version: 10/05/2018 2.0.1.0
Signer Name: Microsoft Windows Hardware Compatibility Publisher

In this case, run pnputil /delete-driver oem9.inf /uninstall and this is the result:

Microsoft PnP Utility

Driver package uninstalled.
Driver package deleted successfully.
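
The log search described above (finding the FAILURE section in setupapi.dev.log), as an added example that is not part of the original post. The function name Get-DriverSignatureFailure is hypothetical, and the sample lines are constructed, abridged from the excerpt above with plain ASCII quotes.

```powershell
# Added example: list setupapi.dev.log sections that ended in FAILURE
# and logged signature-verification ("sig:") errors.
function Get-DriverSignatureFailure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]          # Get-Content returns blank lines as ""
        [string[]]$Line
    )
    $title = $null; $started = $null; $sigErrors = @()
    foreach ($l in $Line) {
        if ($l -match '^>{2,3}\s+\[(.+)\]\s*$') {
            # Section header, e.g. "[Setup Import Driver Package - <inf path>]"
            $title = $Matches[1]; $started = $null; $sigErrors = @()
        }
        elseif ($l -match '^>{2,3}\s+Section start\s+(.+)$') {
            $started = $Matches[1].Trim()
        }
        elseif ($l -match '^!!!\s+sig:\s+(.+)$') {
            # "!!!" marks an error line; "sig:" is the signature check
            $sigErrors += $Matches[1].Trim()
        }
        elseif ($l -match '^<<<\s+\[Exit status:\s+(\w+)(?:\((0x[0-9a-f]+)\))?\]') {
            # Report only sections that failed and logged signature errors
            if ($Matches[1] -eq 'FAILURE' -and $sigErrors.Count -gt 0) {
                [pscustomobject]@{ Section = $title; Started = $started
                                   ExitCode = $Matches[2]; SigErrors = $sigErrors }
            }
            $title = $null; $started = $null; $sigErrors = @()
        }
    }
}

# Constructed sample (abridged from the excerpt above, plus one successful section)
$sample = @'
>>>  [Device Install (Hardware initiated) - constructed-example]
>>>  Section start 2019/04/30 07:40:00.000
<<<  [Exit status: SUCCESS]
>>>  [Setup Import Driver Package - C:\Program Files\Dell\DellDataVault\Drivers\DellePSASysWin10\dddriver64Dcsa.inf]
>>>  Section start 2019/04/30 07:46:02.002
     sig: Success: File is signed in catalog.
!!!  sig: Failed to verify file 'dddriver64Dcsa.sys' against catalog 'dddriver64Dcsa.cat'. Error = 0xE000024B
!!!  sig: Catalog did not contain file hash. File is likely corrupt or a victim of tampering.
<<<  [Exit status: FAILURE(0xe000024b)]
'@ -split '\r?\n'

Get-DriverSignatureFailure -Line $sample | Format-List
# Against the real log:
# Get-DriverSignatureFailure -Line (Get-Content C:\Windows\inf\setupapi.dev.log)
```

The Section value carries the path of the INF that failed validation, which is the name to look for under "Original Name" in the pnputil /enum-drivers output.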

 

PowerShell get proxy addresses of users created in the last 30 days

$ProxyUsers = Get-ADUser -Filter * -Properties GivenName, Surname, ProxyAddresses, Created, UserPrincipalName | select GivenName, Surname, ProxyAddresses, Created, UserPrincipalName | where Created -gt (Get-Date).AddDays(-30) | where UserPrincipalName -Like "*.com"

For all I know, the where clauses can be combined and put into the Get-ADUser filter, but I couldn’t be bothered.

Can’t log into Outlook after DirSync updated password

I set up a new user’s machine with a temporary password and logged into the Windows 10 Work or School account (in addition to AD). When the user changed her password, DirSync synced it to Azure AD, but Outlook would not accept the password when setting up the Outlook profile for the first time (password dialog kept coming up and not letting us proceed).

I checked the Event Log under Applications and Services Log > Microsoft > AAD > Operational. Check for errors with event ID 1098, similar to this:

Error: 0xCAA20003 Authorization grant failed for this assertion.
Code: invalid_grant
Description: AADSTS50173: The provided grant has expired due to it being revoked. The user might have changed or reset their password. The grant was issued on ‘2019-04-12T22:05:16.5783198Z’ and the TokensValidFrom date for this user is ‘2019-04-15T13:47:47.0000000Z’.

I had set her machine up on Friday evening 4/12. What was happening? Outlook must have been sending the Work or School account with the old/temporary password, not the new password the user was entering.
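
A way to confirm that reading of the event, as an added example that is not part of the original post: it extracts the two timestamps from an AADSTS50173 message and reports whether the grant was issued before the user's TokensValidFrom time. The function name Get-StaleGrantInfo is hypothetical, and the sample message is constructed from the event text above with plain ASCII quotes.

```powershell
# Added example: check whether an AADSTS50173 message describes a grant
# that was issued before the user's TokensValidFrom time.
function Get-StaleGrantInfo {
    param([Parameter(Mandatory)][string]$Message)

    # (?s) lets '.' span line breaks, since the event text is multi-line.
    $pattern = "(?s)AADSTS50173.*?issued on '(?<issued>[^']+)'.*?" +
               "TokensValidFrom date for this user is '(?<validFrom>[^']+)'"
    if ($Message -notmatch $pattern) { return $null }

    # RoundtripKind keeps the trailing 'Z' as UTC instead of converting to local time.
    $inv       = [cultureinfo]::InvariantCulture
    $style     = [System.Globalization.DateTimeStyles]::RoundtripKind
    $issued    = [datetime]::Parse($Matches['issued'], $inv, $style)
    $validFrom = [datetime]::Parse($Matches['validFrom'], $inv, $style)

    [pscustomobject]@{
        GrantIssuedUtc     = $issued
        TokensValidFromUtc = $validFrom
        GrantIsStale       = $issued -lt $validFrom
        GapHours           = [math]::Round(($validFrom - $issued).TotalHours, 1)
    }
}

# Constructed sample, taken from the event text quoted above
$sample = @'
Error: 0xCAA20003 Authorization grant failed for this assertion.
Code: invalid_grant
Description: AADSTS50173: The provided grant has expired due to it being revoked. The user might have changed or reset their password. The grant was issued on '2019-04-12T22:05:16.5783198Z' and the TokensValidFrom date for this user is '2019-04-15T13:47:47.0000000Z'.
'@

Get-StaleGrantInfo -Message $sample | Format-List

# On the affected machine, the same check over the live log:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AAD/Operational'; Id = 1098 } |
#     ForEach-Object { Get-StaleGrantInfo -Message $_.Message }
```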

Don’t disable the device like it says below. Re-add the account first (instructions at the bottom of this page) and see if that works.

I went to Manage work or school account page in Windows 10 Settings, clicked on the account, then clicked Manage:

[Screenshot: Settings]

On the web page that opens, I clicked Disable device and then Yes on the next pop up that appears.

[Screenshot: Access Panel Profile]

Then on the same Manage work or school account settings screen, I had her re-add the account with her new password (since there is no Delete/Remove button). The “hold on while we apply the policy” screen was still spinning when I left, but she was finally able to log into Outlook with her new password.

Moral of the story – don’t add the work or school account unless you really need it.

MSI install only certain features

Download Orca from the Windows 10 SDK (when installing, only check the MSI Tools):

https://docs.microsoft.com/en-us/windows/desktop/Msi/orca-exe

https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk

If the Orca application doesn’t actually install, find the MSI here and run it:

C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/Orca-x86_en-us.msi

Open Orca, open the MSI, and go to the Feature table.


The first column defines which features the MSI package has.

Then, run the MSI with the following command:

msiexec.exe /i "tightvnc-2.8.11-gpl-setup-64bit.msi" ALLUSERS=1 /qn /norestart /log output.log ADDLOCAL=Viewer

I don’t know how to specify multiple features because I didn’t try it.

Lenovo ThinkCentre Edge 72 BIOS recovery after failed flash

Instructions are on Page 159 of the hardware maintenance manual.

Upon installing the BIOS version 73 from Windows (using silent install switches), the PC rebooted and started beeping the CMOS checksum error beep (two short beeps). Clearing the CMOS with the jumper didn’t help.

To make a long story short, burn the BIOS update to disc or copy to a USB flash drive (download the appropriate version from the Lenovo site). Then move the BIOS reset/recovery jumper (bottom right part of the board) to the right, put in the CD or USB, and boot the system.

First, I tried burning the v74 ISO to a DVD, but the recovery process never started. Instead, I formatted a USB drive to FAT (1024 sectors, not sure if that made any difference) and extracted the ZIPped BIOS update to the drive. I inserted it into the PC, powered it on, and the normal BIOS update screen came up.

The system will power off when it’s done, then you need to move the jumper back to the original position before powering on the system.

The moral of the story: use the same version to recover that you were trying to originally flash. Using v74 to recover after trying to flash v73 didn’t work, but recovering with v73 did. The site says to use a CD/DVD, but a USB drive also works.

Windows Configuration Designer for Windows 10 automated setup/software installation

Download Windows Configuration Designer from the Microsoft Store (if using Windows 10) or from the Windows ADK.

Go for the advanced settings rather than one of the templates. If you want, you can start with the wizard to get the most common settings configured, but switch to advanced once you’re done.

Be sure to configure:
