Office 365

Make Microsoft TEAMS the default IM application

Make Microsoft TEAMS the default IM application

Having multiple applications that act as chat respective IM application but you want Microsoft TEAMS to be the default Instant Messenger application especially so Outlook e.g. shows the correct online/offline as well as free and busy status for employees and so they can start a conversation directly from there, you will need to make sure that Microsoft TEAMS is the default IM Provider.

This came up especially in combination with Cisco Jabber, that is often used as the software phone client for a Cisco phone system. This application might overrule the user settings and take presence especially in Microsoft Outlook. Cisco has an article about this here that talks about various registry keys. But this is actually not the direct solution for this issue.

In order to set TEAMS, if installed, the default application for your employees, it is easiest to engage Group Policies, GPOs, for this. Simply follow the below steps. Those settings will find out if Microsoft TEAMS is available and if so set it as default IM Provider. Close Microsoft Outlook and open it again and you will see the status icons and message box being associated with Microsoft TEAMS.

Of course, you could slightly adjust the suggested GPO settings and engage e.g. Cisco Jabber or any other IM provider available instead. Just have a look at the registry path HKEY_CURRENT_USER\Software\IM Providers and see what is available and set the GPO accordingly. All you need is the name of the sub key for the DefaultIMApp value.

Steps for the user GPO

  1. Create a new GPO (or chose an existing GPO)
    1. This will be a User Configuration
  2. Navigate to User Configuration\Preferences\Windows Settings\Registry
  3. Create a new Registry Item
  4. Settings on General tab
    1. Leave the Action settings to Update
    2. Hive: HKEY_CURRENT_USER
    3. Key Path: Software\IM Providers
    4. Value name: DefaultIMApp
    5. Value type: REG_SZ
    6. Value data: Teams
  5. Settings on Common tab
    1. Check Run in logged-on user’s security contact (user policy option)
    2. Check Item-level targeting
    3. Click on Targeting and apply the following settings
      1. The following steps make sure that this is only applied if Microsoft TEAMS is available as a IM provider
      2. Click on New Item and chose Registry Match
      3. Match type: Key exists
      4. Hive: HKEY_CURRENT_USER 
      5. Key Path: Software\IM Providers\Teams
    4. It is good practice to provide a Description for this item – e.g.: This will set Microsoft TEAMS as default IM Provider for e.g. Outlook – if available as IM Provider.

 

Make sure the GPO applies to your users and you should be all set. This will make sure that even if a new application is installed and takes the IM Provider role over, that your clients will still fall back to Microsoft TEAMS. Of course, it will depend on when the GPO was reapplied and that the user actually closes and reopens Outlook.

 

Auditing network users against HR lists etc.

Auditing network users against HR lists etc.

Auditing network users against HR lists – a topic that is often overlooked or causes some headache due to e.g. name variations, while it is so important to make sure that your Active Directory is a clean and up to date as possible.

There are big paid solutions out there, but unless you have the budget, resources and processes in place, you will need a simpler approach. Having worked in various sized businesses, let me make some suggestions here. Keep in mind, not all of it might be applicable or best for you, but I hope it will at least provide you some ideas and help to improve your network security.

Structured groups and rights

Before we begin – you should always make any effort to have a very well structured rights base. Avoid cross use of e.g. groups for mail distribution and NTFS file system access. It seems like a good idea until someone needs access to the NTFS path and boom he/she receives the group based communication as well. This is of course just one example. Structure your file systems and right assignments well. All of it can make all the difference. Don’t complicate things, keep it simple.

Monitoring Active Directory activity

What you want is something that constantly looks for any changes to Active Directory, at a bare minimum new users and deleted users as well as group-membership changes. There is some software out there to do this, some is free, often with limited functionality, some you need to buy. Personally I was working on a Windows Service to monitor Active Directory changes, but my time is limited and to this day I did not finish it. Having said this, the IT-Asset Management Database on this website actually has a module that does just this, it monitors the most important activities while it does actually a compare of gathered SQL data against current Active Directory information and eventually sends you a daily report about changes.

Such reports might not be perfect, as they don’t real-time monitor such activity, rather then only send you daily summary reports. Paessler PRTG in combination with either some default sensors or custom scripts like Group Membership change and password reset monitoring or the more specific script for group-membership monitoring are more then helpful. Monitor especially e.g. Domain Admins groups and other groups that would allow access to sensitive areas and data of your network. Such active alerts due to a network monitoring solutions might give you the chance to act fast.

Auditing your user base against HR (Human Resources) data

Again, there is software and solutions out there that can do this automatically or help you with your efforts. But often HR is simply using their Payroll platforms and depending on what they have, it won’t have the functionality you need or they are reluctant to implement such processes or possibly provide you access after all.

The main issue I came across is that there is a difference between the HR data and what the full name in your Active Directory (e.g.) is. You can’t further not just automate user name prediction based on any HR export data you have, cause there likely will be duplicate names as well, depending on how you create user names.

HR normally has an employee number, they should be able to provide this in any employee export to you. Now, Active Directory has actually some attributes that you easily can engage: EmployeeID, employeeNumber and employeeType. PowerShell is your friend, if you want to set them. I highly recommend to use PowerShell to some extend if you create new users. Look at the CheckLists in combination with employees in the IT-Asset Management Database as well for some hints and automation. Microsoft’s Set-ADUser PowerShell command will be helpful as well.

Eventually use a tool like the IT-Admins tool to read your users from your Active Directory and export to Excel. Once you have this, you compare the HR list against the Active Directory export. Don’t bother with VLOOKUP – research the use of INDEX/MATCH in Excel. Format both tables as tables in Excel and document your process, as this might depend a bit on what tools you engaged and how the eventual data looks like. You should end up comparing the HR employee number against the HR employee number stored and exported from Active Directory. This should give you a quick and clean overview. What you should be on the lookout for are those N/A error in Excel in the compare column, as well as possibly HR data that indicates a termination or change. You can go as far as compare the department information, again there are Active Directory attributes for this as well. Department names and department IDs.

If you want to go another step, start comparing group-membership as well. Export all the groups and members, again the IT-Admins Tool can help you here. View it possibly from both sides, the group and members view as well as user is member of groups view. Have the department owners take a look at it as well, they might want to see this.

And step three will be an NTFS rights review. Never ever should there be a user account directly used to assign rights in NTFS. This always should be done via groups. How ever, to review this I again recommend using the IT-Admins Tool, as this is actually designed to help you with the process and is able to export the needed data rather quick and simple.

Don’t forget your ERP systems and systems with Active Directory independent user bases

It is not always possible to rely on Active Directory as only source for your user base. Even if you can, the right assignment in e.g. your ERP system to functions likely is independent from Active Directory. Look in to any possibility of your ERP, either API’s or possibly dig in to the database (or where ever the data is stored), to find out about right changes (groups) and review those lists as well against HR information periodically.

Office 365

Oh – it is synchronized with Active Directory, right? Well – review it anyways. There might be a user object that is not synchronized and exists only in Office 365, groups as well. Review the rights to access certain administrative areas within Office 365.

You should definitive review third party users – especially Microsoft TEAMS and sharing e.g. SharePoint or OneDrive files and folders with outside of the organization will likely create some guest accounts. Keep an eye on those.

And then the third party applications – you need to keep an eye on those, as they can cause possible harm or gain access to sensible data. Users/Employees often will install them without reviewing them thoroughly, or they simply don’t realize they might have been there and share confidential data.

Account breach / compromise and API keys in Office 365 should also be something you want to keep a good eye on. Clicking on the wrong link (it will happen!), entering the password and it is to late. Don’t think a simple password reset will solve the issue. Don’t only rely on your MFA. Review does API keys especially in Office 365. What can happen is that the password is used right away to install an API based access to Office 365 that will then independently from password changes have access to the data. Keep an eye on those things as well!

 

Office 365 licenses and activated features per user

Office 365 licenses and activated features per user

Ever wondered which user has what license activated and e.g. which specific feature is activated? Recently I was challenged to see who has the Exchange mailbox feature enabled and who not out of the active user base. Due to the huge user-base this would have taken hours to review manually. Using PowerShell for this, connecting to Office 365, exporting the data eventually to a CSV file and filtering it in Microsoft Excel made this way easier.

The challenge here is that Microsoft uses SKU’s – or licenses – that again can have various features enabled or disabled. Let’s say you have a E5 Plan (license) assigned to your user, you still can disabled various features within this plan, e.g. Microsoft Exchange.

If you take a look at the following website, you find a whole list of GUIDs / IDs of all those various features.

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference

In case of the Microsoft Exchange Mailbox feature – we are talking about this GUID: efb87545-963c-4e0d-99df-69c6916d9eb0

Once I had identified the GUID the next step was to grab users from a specific on premise Active Directory OU and query them against Microsoft Azure on the Office 365 environment as for their assigned licenses/features. The results then are collected in a PowerShell object and eventually saved in a defined file name in a CSV format that you easily can filter in Excel afterwards.

Please keep in mind that you will need RSAT tools (PowerShell) and Azure/Office 365 connectivity, rights etc. in order for this to work.

 

Move user Documents and Desktop to OneDrive

Move user Documents and Desktop to OneDrive

The PowerShell script below was design to move Documents, Music, Videos, Pictures, Favorites and Desktop to a sub-folder in a connected OneDrive. In theory the script does not depend on OneDrive and could be adjusted to any other destination.

While it normally is wise to engage GPOs to adjust those paths to internal server resources, this is not possible easily while using OneDrive. The script therefor works better here.

What it does

  1. is the current path per folder accessible
  2. does the target path exist
    1. YES: adjust the registry respective folder targets to the target path – FINISHED
    2. NO: create the target folders – see 3.
  3. is the source path on the same volume / partition – like C:
    1. YES: see below – 4.
    2. NO: check if there is enough free space for the amount of data needed to be moved
      1. YES: see below – 4.
      2. ALMOST: YELLOW warning – see below 4.
      3. NO: RED error – you could still proceed or simply close the script
  4. move the data to the new target folder
  5. remove the old folder – if not possible rename it

The script retains the special icons for the folders and engages the Windows API to adjust the folder paths.

What you need to do

  • Adjust the target-path in the top of the script
  • If desired, adjust the minimum free space value (2 GB by default) for the warning in regards to the free space – this only matters if the source and target volume / partition aren’t the same

To start the script, either right click and say run with PowerShell or run it directly in a PowerShell. This script will need to execute in the user-context and does NOT need administrative rights.

Please be advised – the script will by default not try to move e.g. DOWNLOADS.

You can adjust this, while adding the folder to the two parameter, see sample below.

If you want more folder, the script would need some special adjustments. It can be used as a base script, if you want.

 

Office 365/Exchange Public Folders – find out if they are still in use

Office 365/Exchange Public Folders – find out if they are still in use

Public Folders in Microsoft Exchange are one of the most challenging parts in Exchange system administrators can face. Microsoft actually tried to get rid of them several times and still they are around. As from an administrative point of view, they often did grow wild and I saw environments with a huge amount of public folders and no one was able to tell if they are still in use or not.

About a year ago I faced the same challenge and had to determine for a few thousand folders if we could retire them or not. PowerShell commands seemed to be the best approach for this, but soon I found out this is actually not as easy as I hoped it would be. There is no direct command that would give me all I needed and there was no easy way to determine if the folder is in use or not, this is especially because you can’t go with attributes like ‘last accessed’ for this cause, simply because they might show you data that is not really helpful to determine whether the folder is still in use or not. The folder ‘last modified’ is not as accurate either due to a simple marked as read action could modify this attribute as well.

Drilling further down in what I could use, I decided to see when the newest object in the folder actually was created – so the last created object in the folder – whether it was an email folder or e.g. a calendar.

The script you will find below will actually export the following columns in to a CSV file that you can process further in e.g. Microsoft Excel”:

  • Public Folder Path
    • the path to this public folder
  • Mail Enabled
    • well – is direct email enabled on this folder yes or no – this can actually be quite important and might need further review or needs groups/distribution list to be created instead
  • Mail address
    • helps to determine if this might be somewhere in use on a website etc.
  • Folder Class
    • the class in most cases is either an email folder or an calendar
  • Folder Size
    • total size of the folder – some folders might be really small and this helps to determine if you will need to keep em or not
  • Number of Items
    • like size – this helps a lot to see if it is something to discard or not
  • Top 1 object creation time
    • if there are items in the folder, this is the newest created item – specifically it is the date / time the item was created, as mentioned, modified will not help you because a simple mark as read action through Outlook already would influence this – the most accurate information I was able to find is the creation time for this cause

Now to the script(s). We actually talk about two scripts here – this is simply due to the fact that I developed this against a Office 365 Exchange system that needed me to logon and load the PowerShell modules from Office 365. The script itself should work on respective against an on premise Exchange server as well.

Simply said, you need to create both script files in the same folder – the ConnectToO365.ps1 script that is called is just a central solution in a huge script folder that is called by each script if necessary. The top section of each script first determines if there is a active session against the Office 365 environment and it will reuse it if possible or call the connect script to establish a new connection.