Tuesday, July 26, 2016

Auditing administrators granting “Full Access” permissions to mailboxes in Exchange 2016

One of the most common questions I’ve been asked by clients is whether there is a way to audit administrators granting Full Access permissions to mailboxes in Exchange. The answer is yes: every change made through the Exchange Admin Center or the Exchange Management Shell runs an Exchange cmdlet, and a feature named Administrator Audit Logging records every cmdlet that modifies something, together with who ran it, when, and with which parameters. Read-only cmdlets (Get-, Search- and Test-) are not logged. Because the EAC is only a front end to the same cmdlets, granting Full Access from the GUI produces the same Add-MailboxPermission entry as running it from the shell.

Enable Administrator Audit Logging

The first step in the process of providing auditing logs is to execute the following cmdlet to ensure that logging is turned on:

Get-AdminAuditLogConfig | FL

Confirm that AdminAuditLogEnabled is True and that LogLevel is Verbose. At the default level of None the log records the cmdlet, its parameters, the caller and the time; Verbose additionally records the modified properties of the object and their previous values, which is what lets you see what a mailbox’s permissions looked like before they were changed. Entries are retained for AdminAuditLogAgeLimit (90 days by default), so raise that if you need to look further back. If either value is set to anything else, execute the following to change it:

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
Set-AdminAuditLogConfig -LogLevel Verbose

More information about Set-AdminAuditLogConfig can be found at the following TechNet article: https://technet.microsoft.com/en-us/library/dd298169(v=exchg.160).aspx

Audit Option #1 - Review Admin Audit Log Report

Once administrator audit logging is enabled, we can review the Compliance Management > auditing > Admin Audit Log Report from within the Exchange Admin Center. Configure a Start date and End date to narrow the returned results.

Then sort the CMDLET column by alphabetical order and look for the cmdlet:

Add-MailboxPermission

or

Remove-MailboxPermission

… to review when and which administrator made the changes:

Audit Option #2 – Using PowerShell to search admin audit log

Another method for reviewing the admin audit log is to search it from PowerShell with the Search-AdminAuditLog cmdlet (TechNet: https://technet.microsoft.com/en-us/library/ff459250(v=exchg.160).aspx). The following cmdlets search for additions or removals of mailbox permissions (the -Cmdlets parameter also accepts a comma-separated list, so both can be covered in a single search):

Search-AdminAuditLog -cmdlets Add-MailboxPermission

Search-AdminAuditLog -cmdlets Remove-MailboxPermission

Note that Search-AdminAuditLog returns at most 1,000 entries unless you raise -ResultSize (up to 250,000), so a search with no date range may not reach back as far as you need. To ensure that specific dates are covered, include the StartDate and EndDate parameters:

Search-AdminAuditLog -Cmdlets Add-MailboxPermission -StartDate 01/24/2016 -EndDate 07/26/2016

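The search above only lists raw entries. The following script, an added example that is not part of the original post, turns the same Search-AdminAuditLog call into a report of every Full Access grant or removal with the administrator who made it, and refuses to run against a log that was never switched on. It is meant to be run from the Exchange Management Shell on an Exchange 2016 server; the 90-day window and the CSV path are assumptions.

```powershell
# Added example (not from the original post): report every Full Access grant or
# removal in the last 90 days with who did it, run from the Exchange Management
# Shell on an Exchange 2016 server. The look-back window and CSV path are assumptions.

$start  = (Get-Date).AddDays(-90)
$end    = Get-Date
$report = 'C:\Temp\FullAccessAudit.csv'   # assumed output location

# An empty result is only meaningful if logging was actually on for the period.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.AdminAuditLogEnabled) {
    throw 'Administrator Audit Logging is disabled; nothing has been recorded. Enable it with Set-AdminAuditLogConfig -AdminAuditLogEnabled $true'
}
if ($cfg.LogLevel -ne 'Verbose') {
    Write-Warning "LogLevel is $($cfg.LogLevel); only Verbose records the modified object's previous property values."
}

# -ResultSize defaults to 1000; raise it so a busy organisation's range is not truncated.
$entries = Search-AdminAuditLog -Cmdlets Add-MailboxPermission, Remove-MailboxPermission `
                                -StartDate $start -EndDate $end -ResultSize 250000

$rows = foreach ($e in $entries) {
    # CmdletParameters holds Name/Value pairs exactly as the administrator passed them.
    $p = @{}
    foreach ($param in $e.CmdletParameters) { $p[$param.Name] = $param.Value }

    # AccessRights may list several rights, e.g. "FullAccess, ReadPermission".
    if ("$($p['AccessRights'])" -notmatch 'FullAccess') { continue }

    [pscustomobject]@{
        RunDate   = $e.RunDate
        Action    = $e.CmdletName
        Caller    = $e.Caller          # administrator who ran the cmdlet
        Mailbox   = $e.ObjectModified  # mailbox whose permissions changed
        Trustee   = $p['User']         # account that was granted or removed
        Rights    = $p['AccessRights']
        Succeeded = $e.Succeeded
        Error     = $e.Error
    }
}

$rows | Sort-Object RunDate | Format-Table RunDate, Action, Caller, Mailbox, Trustee, Succeeded -AutoSize
$rows | Export-Csv -Path $report -NoTypeInformation -Encoding UTF8
```

Add -UserIds to scope the search to one administrator, or use New-AdminAuditLogSearch with the same parameters to have Exchange email the results as an XML attachment. One caveat to keep in mind: administrator audit logging only captures actions that go through Exchange cmdlets (including the ones the EAC runs on your behalf); a change written directly to the underlying Active Directory objects is not recorded, so pair this with Active Directory object auditing if that path matters to you.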

Audit Option #3 - Review the MSExchange Management event log

The last option available is to review the event logs Applications and Services Logs > MSExchange Management logs in the Event Viewer:

Right click on MSExchange Management, select Find…, and search for Add-MailboxPermission. Each matching event records the cmdlet and the parameters it was run with.

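Searching the event log by hand works for a one-off question; the following script, an added example that is not part of the original post, does the same search with Get-WinEvent so it can be scheduled or run against a remote server. The server name and the 30-day window are assumptions, as is the event layout it parses: event ID 1 for a cmdlet that succeeded and 6 for one that failed, with a message of the form "Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=..., User=..., AccessRights=FullAccess}." Adjust the regular expression if your log text differs.

```powershell
# Added example (not from the original post): pull mailbox permission changes
# out of the MSExchange Management event log on an Exchange 2016 server.
# Assumptions: server name and look-back window; event ID 1 = cmdlet succeeded,
# 6 = cmdlet failed; message text "Cmdlet succeeded. Cmdlet <name>, parameters {...}."

$server = 'EX2016-01'
$since  = (Get-Date).AddDays(-30)

$events = Get-WinEvent -ComputerName $server -ErrorAction Stop -FilterHashtable @{
    LogName   = 'MSExchange Management'
    Id        = 1, 6
    StartTime = $since
}

$hits = foreach ($ev in $events) {
    # Skip everything that is not an Add/Remove-MailboxPermission entry.
    if ($ev.Message -notmatch '(?s)Cmdlet\s+(?<cmd>(Add|Remove)-MailboxPermission),\s*parameters\s*\{(?<params>.*?)\}') { continue }
    $cmd = $Matches['cmd']

    # The parameter list is "Name=Value, Name=Value". Values can themselves contain
    # ", " (AccessRights=FullAccess, ReadPermission), so only split where the next
    # token looks like a new parameter name.
    $p = @{}
    foreach ($pair in ($Matches['params'] -split ',\s*(?=\w+=)')) {
        $name, $value = $pair -split '=', 2
        $p[$name.Trim()] = "$value".Trim()
    }
    if ($p['AccessRights'] -notmatch 'FullAccess') { continue }

    [pscustomobject]@{
        TimeCreated = $ev.TimeCreated
        Outcome     = $(if ($ev.Id -eq 1) { 'Succeeded' } else { 'Failed' })
        Cmdlet      = $cmd
        Mailbox     = $p['Identity']
        Trustee     = $p['User']
        Rights      = $p['AccessRights']
    }
}

$hits | Sort-Object TimeCreated | Format-Table -AutoSize
```

Treat this as a convenience view: Search-AdminAuditLog remains the authoritative record and is the one to use when you need the Caller field for attribution.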

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Hope this helps anyone out there looking for a way to audit actions performed within Exchange.

Friday, July 8, 2016

Attempting to connect to a wireless network requiring machine certificate authentication fails with: “Can’t connect to this network”

Problem

You’ve configured a new network policy on your Microsoft NPS server with settings that authenticate devices by machine certificate (EAP type Microsoft: Smart Card or other certificate).

You configure the SSID on the wireless client to use the machine certificate, but receive the error “Can’t connect to this network” when attempting to connect.

Reviewing the INXXXX.log file in C:\Windows\System32\LogFiles on the NPS server shows that the wireless client makes the connection attempt and that the network policy Secure Wireless Connections Machine Authentication is matched, with reason code 262 recorded:

"DC03","IAS",07/07/2016,20:32:46,3,,"contoso.internal/contoso/Computers/Desktops/Victoria_Place/IT/WKS-MXL2451S3K",,,,,,,,9,"10.80.9.249","contosobm-wlc2500-1",,,,,,,5,"Secure Wireless Connections Machine Authentication",262,"311 1 10.70.1.3 07/07/2016 23:09:55 79",,,,"Microsoft: Smart Card or other certificate",,,,,"577ee697/60:57:18:a7:ea:18/70380",,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,

Reviewing the Security event log on the NPS server shows the following event ID 6273 Audit Failure event from the Microsoft Windows security auditing source:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            contoso\WKS-MXL2451S3K$
    Account Name:            host/WKS-MXL2451S3K.contoso.internal
    Account Domain:            contoso
    Fully Qualified Account Name:    contoso.internal/contoso/Computers/Desktops/Victoria_Place/IT/WKS-MXL2451S3K

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        d8-b1-90-d0-6c-b0:corp-data
    Calling Station Identifier:        60-57-18-a7-ea-18

NAS:
    NAS IPv4 Address:        10.80.9.249
    NAS IPv6 Address:        -
    NAS Identifier:            contosobm-wlc2500-1
    NAS Port-Type:            Wireless - IEEE 802.11
    NAS Port:            13

RADIUS Client:
    Client Friendly Name:        contosobm-wlc2500-1
    Client IP Address:            10.80.9.249

Authentication Details:
    Connection Request Policy Name:    Use Windows authentication for all users
    Network Policy Name:        Secure Wireless Connections Machine Authentication
    Authentication Provider:        Windows
    Authentication Server:        SVRARDC03.contoso.internal
    Authentication Type:        EAP
    EAP Type:            Microsoft: Smart Card or other certificate
    Account Session Identifier:        35373765653762652F36303A35373A31383A61373A65613A31382F3730333831
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            262
    Reason:                The supplied message is incomplete.  The signature was not verified.

Solution

The key indicator of the cause is the following line in the security event entry:

Reason:                The supplied message is incomplete.  The signature was not verified.

This usually indicates that the wireless client does not trust the certificate presented by the NPS (RADIUS) server, so the client drops the EAP exchange before it completes. The wireless client in this situation was not joined to the domain, and because the certificate the server uses to prove its identity is signed by an internal Microsoft CA, the client did not trust it. To correct the issue, export the root CA certificate and any intermediate CA certificates and import them into the wireless client’s Local Computer certificate store (the root into Trusted Root Certification Authorities, intermediates into Intermediate Certification Authorities), then confirm that the SSID’s EAP settings still validate the server certificate against that root. Do not clear the Validate server certificate option as a shortcut: it is the only thing that stops a rogue access point with its own RADIUS server from impersonating the corporate SSID.
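The following script, an added example that is not part of the original post, performs that import on the non-domain-joined client and then checks that a copy of the NPS server certificate chains to a root the machine now trusts, so you know the fix took before retrying the SSID. The three file paths are assumptions; run it from an elevated PowerShell prompt (Import-Certificate comes with the PKI module on Windows 8 / Server 2012 and later).

```powershell
# Added example (not from the original post): import the CA chain into the
# Local Computer stores on the wireless client, then verify that the NPS server
# certificate chains to a trusted root. File paths are assumptions.

$rootCer         = 'C:\Certs\contoso-root-ca.cer'    # assumed export of the root CA
$intermediateCer = 'C:\Certs\contoso-issuing-ca.cer' # assumed; only needed if the chain has one
$npsCer          = 'C:\Certs\nps-server.cer'         # assumed copy of the NPS server certificate

# LocalMachine, not CurrentUser: the machine account performs 802.1X before any
# user logs on, and it can only see the computer's stores.
Import-Certificate -FilePath $rootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
if (Test-Path $intermediateCer) {
    Import-Certificate -FilePath $intermediateCer -CertStoreLocation Cert:\LocalMachine\CA | Out-Null
}

function Test-RadiusServerChain([string]$CertPath) {
    # Build the chain the way the supplicant will: up to a trusted root, with the
    # Server Authentication EKU. Revocation is not checked because the client has
    # no network yet at the point where it validates the RADIUS server.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $serverAuth = New-Object System.Security.Cryptography.Oid -ArgumentList '1.3.6.1.5.5.7.3.1'
    $chain.ChainPolicy.ApplicationPolicy.Add($serverAuth) | Out-Null

    $ok = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Trusted = $ok
        Chain   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
        Status  = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

Test-RadiusServerChain -CertPath $npsCer | Format-List
```

If Trusted comes back False with a PartialChain or UntrustedRoot status, the wrong file was exported or it landed in the CurrentUser store instead of LocalMachine. Once it chains, open the SSID’s EAP properties, keep server certificate validation on, and tick the imported root as a trusted root CA.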

Attempting to configure email server settings in Citrix Command Center throws the error: “Connection to mail server failed, provide accurate mail settings”

Problem

You’re attempting to configure the email server settings in Citrix Command Center but notice that you receive the following error when you save the configuration:

Error

Connection to mail server failed, provide accurate mail settings

Solution

While there could be several reasons why this error is thrown, one of the more common causes I’ve seen at clients is that they’ve configured their anonymous receive connector correctly to receive mail but forgotten to uncheck the Require that all senders are authenticated option for the Microsoft Exchange distribution group specified in the To Address. Command Center submits its test message without credentials, so a group that accepts only authenticated senders rejects it and the save fails.

If Require that all senders are authenticated must stay enabled for the distribution group, create a receive connector that requires authentication and fill in user credentials in Configure Email Server Settings, so that the message arrives as an authenticated submission instead.
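The following script, an added example that is not part of the original post, shows both sides of that decision from the Exchange Management Shell: it reports whether the target group rejects unauthenticated senders, and, for the case where the group must stay closed, creates a receive connector scoped to the Command Center host that offers Basic authentication only after TLS. The group name, server, Command Center IP and FQDN are assumptions.

```powershell
# Added example (not from the original post): check the distribution group's
# sender-authentication setting and build an authenticated receive connector
# limited to the Command Center host. Group, server, IP and FQDN are assumptions.

$group     = 'CommandCenterAlerts'      # assumed distribution group used in To Address
$server    = 'EX2016-01'                # assumed Exchange 2016 server
$ccAddress = '10.80.20.15'              # assumed Citrix Command Center IP
$fqdn      = 'mail.contoso.internal'    # assumed; must match the certificate used for STARTTLS

$dg = Get-DistributionGroup -Identity $group
if ($dg.RequireSenderAuthenticationEnabled) {
    Write-Warning "$group rejects unauthenticated senders; an anonymous submission from $ccAddress will be refused."
} else {
    "$group accepts anonymous mail; the existing anonymous receive connector is enough."
}

# Option A, weakest: let anything that can reach the anonymous connector mail the group.
# Set-DistributionGroup -Identity $group -RequireSenderAuthenticationEnabled $false

# Option B: keep the group closed and give Command Center an authenticated path.
# Same port as the default frontend connector, but RemoteIPRanges limits it to the
# Command Center host, so the more specific connector wins for that source only.
$name = 'Command Center Auth Relay'
$rc = Get-ReceiveConnector -Server $server | Where-Object { $_.Name -eq $name }
if (-not $rc) {
    $rc = New-ReceiveConnector -Name $name -Server $server -TransportRole FrontendTransport `
        -Usage Custom -Bindings '0.0.0.0:25' -RemoteIPRanges $ccAddress `
        -AuthMechanism Tls, BasicAuth, BasicAuthRequireTLS `
        -PermissionGroups ExchangeUsers -Fqdn $fqdn
}
# Review what the connector advertises before entering credentials in Command Center.
$rc | Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups, Fqdn
```

BasicAuthRequireTLS means the connector only offers AUTH LOGIN inside a TLS session, so the credentials Command Center stores are never sent in the clear; use a dedicated mailbox-enabled account with no other rights for them.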

Wednesday, July 6, 2016

Using Group Policy to configure UAC (User Account Control) on a Windows 7 desktop

One of the more common questions I get asked by clients and colleagues is how to use Group Policy to configure UAC settings for Windows clients that mirror the four preset levels available from the UAC slider on a Windows 7 desktop. While I don’t have the configuration for levels 1 and 2, I do have the settings for 3 and 4, so I thought I’d write this quick blog post for others and myself to reference. The two presets below differ in exactly one setting, Switch to the secure desktop when prompting for elevation. Keep that Enabled wherever you can: a prompt drawn on the normal desktop can be overlaid or driven by other software running as the logged-on user, which is what the secure desktop exists to prevent. Note also that neither preset is the slider’s top “Always notify” position, which additionally sets the administrator prompt to Prompt for consent on the secure desktop.

Level 3 UAC

To configure a Windows 7 desktop with the level 3 UAC preset, configure the following settings in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options:

Policy | Setting
User Account Control: Admin Approval Mode for the built-in Administrator account | Disabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials
User Account Control: Detect application installations and prompt for elevation | Enabled
User Account Control: Only elevate executables that are signed and validated | Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled
User Account Control: Run all administrators in Admin Approval Mode | Enabled
User Account Control: Switch to the secure desktop when prompting for elevation | Disabled
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled

Level 4 UAC

To configure a Windows 7 desktop with the level 4 UAC preset, configure the following settings in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options:

Policy | Setting
User Account Control: Admin Approval Mode for the built-in Administrator account | Disabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials
User Account Control: Detect application installations and prompt for elevation | Enabled
User Account Control: Only elevate executables that are signed and validated | Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled
User Account Control: Run all administrators in Admin Approval Mode | Enabled
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled

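Each of those Group Policy settings is backed by a registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which is what the UAC slider itself writes. The following script, an added example that is not part of the original post, reads those values from a desktop and reports which slider position (and which of the two tables above) they correspond to, so you can verify that the policy actually applied. The policy-name-to-registry-value and slider mappings are added here from the standard UAC registry layout; the post does not list them.

```powershell
# Added example (not from the original post): read the effective UAC values on a
# Windows desktop and map them to the slider position / the tables above. The
# registry mapping is the standard UAC layout, not something from the post.

function Get-UacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v   = Get-ItemProperty -Path $key

    # Group Policy setting (after "User Account Control: ") -> registry value behind it
    $map = [ordered]@{
        'Admin Approval Mode for the built-in Administrator account'                           = 'FilterAdministratorToken'
        'Allow UIAccess applications to prompt for elevation without using the secure desktop' = 'EnableUIADesktopToggle'
        'Behavior of the elevation prompt for administrators in Admin Approval Mode'            = 'ConsentPromptBehaviorAdmin'
        'Behavior of the elevation prompt for standard users'                                   = 'ConsentPromptBehaviorUser'
        'Detect application installations and prompt for elevation'                             = 'EnableInstallerDetection'
        'Only elevate executables that are signed and validated'                                = 'ValidateAdminCodeSignatures'
        'Only elevate UIAccess applications that are installed in secure locations'             = 'EnableSecureUIAPaths'
        'Run all administrators in Admin Approval Mode'                                         = 'EnableLUA'
        'Switch to the secure desktop when prompting for elevation'                             = 'PromptOnSecureDesktop'
        'Virtualize file and registry write failures to per-user locations'                     = 'EnableVirtualization'
    }
    # Meaning of the ConsentPromptBehaviorAdmin values
    $adminPrompt = @{
        0 = 'Elevate without prompting';             1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'; 3 = 'Prompt for credentials'
        4 = 'Prompt for consent';                    5 = 'Prompt for consent for non-Windows binaries'
    }

    $settings = foreach ($policy in $map.Keys) {
        $name = $map[$policy]; $raw = $v.$name
        $shown = if ($name -eq 'ConsentPromptBehaviorAdmin') { $adminPrompt[[int]$raw] }
                 elseif ($raw -eq 1) { 'Enabled' } elseif ($raw -eq 0) { 'Disabled' } else { "$raw" }
        [pscustomobject]@{ Policy = "User Account Control: $policy"; RegistryValue = $name; Setting = $shown }
    }

    $cpa = [int]$v.ConsentPromptBehaviorAdmin; $psd = [int]$v.PromptOnSecureDesktop; $lua = [int]$v.EnableLUA
    $slider = if ($lua -eq 0)              { 'UAC is off (EnableLUA=0)' }
              elseif ($cpa -eq 0)           { 'Never notify' }
              elseif ($cpa -eq 2 -and $psd) { 'Always notify (top of the slider; not covered by either table)' }
              elseif ($cpa -eq 5 -and $psd) { 'Notify only when programs try to make changes (default; the level 4 table)' }
              elseif ($cpa -eq 5)           { 'Notify only when programs try to make changes, do not dim desktop (the level 3 table)' }
              else                          { 'Custom; does not match a slider preset' }

    [pscustomobject]@{ Slider = $slider; SecureDesktop = [bool]$psd; Settings = $settings }
}

$state = Get-UacState
$state.Slider
$state.Settings | Format-Table -AutoSize
if (-not $state.SecureDesktop) {
    Write-Warning 'Elevation prompts are shown on the normal desktop, where other software running as the user can draw over or drive them.'
}
```

Run it after a gpupdate on a test machine and compare the Setting column against the table you deployed; a Custom result usually means a local override or a second GPO is setting one of the values.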

Hope this helps anyone who may be looking for this information.

Saturday, July 2, 2016

Attempting to use Windows Azure Active Directory Module for Windows PowerShell "Connect-MsolService" to connect to Azure throws the error: "Connect-MsolService : Method not found: 'Void"

Problem

You attempt to use the cmdlet Connect-MsolService in Windows Azure Active Directory Module for Windows PowerShell to connect to Azure but receive the following error:

PS C:\> Connect-MsolService
Connect-MsolService : Method not found: 'Void
System.Runtime.InteropServices.Marshal.PtrToStructure(IntPtr, !!0)'.
At line:1 char:1
+ Connect-MsolService
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], Mis
   singMethodException
    + FullyQualifiedErrorId : System.MissingMethodException,Microsoft.Online.A
   dministration.Automation.ConnectMsolService

PS C:\>

Solution

One reason this error is thrown is an outdated Microsoft .NET Framework on the machine you are connecting from. The method named in the error, the generic Marshal.PtrToStructure overload, was added in .NET Framework 4.5.1, so a machine still on .NET Framework 4.5 cannot load the module. If you are on .NET Framework 4.5, download and install Microsoft .NET Framework 4.5.2 (or later) to correct the problem:

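The installed 4.x release is recorded as a single Release number in the registry, and the installer dialog does not always show the minor version clearly. The following function, an added example that is not part of the original post, reads that number and says whether the machine is at 4.5.1 or later. The Release-to-version table is Microsoft’s published mapping; only the boundaries that matter for this error plus a few later releases are included.

```powershell
# Added example (not from the original post): determine the installed .NET
# Framework 4.x release from the registry before re-installing anything.
# Release numbers are the published minimum values for each version.

function Get-DotNet4Release {
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    if (-not $release) {
        return [pscustomobject]@{ Release = $null; Version = 'No .NET Framework 4.x installed'; Ok = $false }
    }

    # Highest threshold first; the first matching branch wins.
    $version = switch ($release) {
        { $_ -ge 528040 } { '4.8 or later'; break }
        { $_ -ge 461808 } { '4.7.2'; break }
        { $_ -ge 461308 } { '4.7.1'; break }
        { $_ -ge 460798 } { '4.7'; break }
        { $_ -ge 394802 } { '4.6.2'; break }
        { $_ -ge 394254 } { '4.6.1'; break }
        { $_ -ge 393295 } { '4.6'; break }
        { $_ -ge 379893 } { '4.5.2'; break }
        { $_ -ge 378675 } { '4.5.1'; break }
        { $_ -ge 378389 } { '4.5'; break }
        default           { "unknown ($release)" }
    }
    # The generic Marshal.PtrToStructure overload named in the error exists from 4.5.1 on.
    [pscustomobject]@{ Release = $release; Version = $version; Ok = ($release -ge 378675) }
}

$net = Get-DotNet4Release
$net
if (-not $net.Ok) {
    Write-Warning 'Install Microsoft .NET Framework 4.5.2 or later, then retry Connect-MsolService.'
}
```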

Wednesday, June 15, 2016

Attempting to add NetScaler device to Citrix Command Center fails with: “Discovery failed for | Error: Unable to Ping using SNMP after enabling SNMP”

Problem

You’ve just completed deploying Citrix Command Center 5.2 45.4 and attempt to add your NetScaler pair to the device list but the process fails with the following error:

Discovery failed for <NSIP>

Error: Unable to Ping using SNMP after enabling SNMP

Solution

One reason this error is thrown is that the Citrix Command Center server cannot reach the NetScaler’s NSIP on UDP port 161 (SNMP), as shown in the following firewall log capture:

To correct the issue, allow UDP port 161 from the Citrix Command Center server to the NetScaler NSIP and initiate the add device process again. Scope the rule to the Command Center’s address rather than opening SNMP broadly: with SNMPv1/v2c the community string crosses the network in clear text, and anything that can reach port 161 with it can query the NetScaler.

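Test-NetConnection only probes TCP, so it cannot confirm that the firewall change worked. The following script, an added example that is not part of the original post, sends a real SNMPv2c GetRequest for sysDescr.0 from the Command Center host to the NSIP and reports whether an answer came back; a timeout means UDP 161 is still filtered, SNMP is disabled on the NetScaler, or the community or SNMP manager list does not include this host (v2c drops those silently). The NSIP and community string are assumptions, and the BER encoder and decoder are hand-rolled to cover only this one request and its reply.

```powershell
# Added example (not from the original post): a minimal SNMPv2c GetRequest for
# sysDescr.0 (1.3.6.1.2.1.1.1.0) sent from the Command Center host to the NSIP.
# Hand-rolled BER; handles only what this request and its reply need.

function New-Tlv([byte]$Tag, [byte[]]$Value = @()) {
    # Tag, definite length (short form < 128, two-byte long form otherwise), value
    $len = $Value.Length
    if ($len -lt 128) { $lenBytes = [byte[]]@($len) }
    else { $lenBytes = [byte[]]@(0x82, ($len -shr 8), ($len -band 0xFF)) }
    return [byte[]](@($Tag) + $lenBytes + $Value)
}

function ConvertTo-BerInt([int64]$N) {
    # Non-negative INTEGER as minimal big-endian two's complement
    $b = [System.BitConverter]::GetBytes($N); [array]::Reverse($b)
    $i = 0
    while ($i -lt 7 -and $b[$i] -eq 0 -and ($b[$i + 1] -band 0x80) -eq 0) { $i++ }
    return New-Tlv 0x02 ([byte[]]$b[$i..7])
}

function Read-Tlv([byte[]]$Buf, [int]$Pos) {
    # Returns the tag, the raw value bytes and the offset of the next TLV
    $tag = $Buf[$Pos]; $len = [int]$Buf[$Pos + 1]; $hdr = 2
    if ($len -band 0x80) {
        $n = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $Buf[$Pos + 2 + $i] }
        $hdr += $n
    }
    $start = $Pos + $hdr
    $val = if ($len -gt 0) { [byte[]]$Buf[$start..($start + $len - 1)] } else { [byte[]]@() }
    [pscustomobject]@{ Tag = $tag; Value = $val; Next = $start + $len }
}

function Test-SnmpGet {
    param([string]$Target, [string]$Community = 'public', [int]$TimeoutMs = 3000)

    $oid     = [byte[]](0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00)   # sysDescr.0
    $reqId   = Get-Random -Maximum 0x7FFFFFFF
    $varbind = New-Tlv 0x30 ((New-Tlv 0x06 $oid) + (New-Tlv 0x05))          # { OID, NULL }
    $pdu     = New-Tlv 0xA0 ((ConvertTo-BerInt $reqId) + (ConvertTo-BerInt 0) + (ConvertTo-BerInt 0) + (New-Tlv 0x30 $varbind))
    $msg     = New-Tlv 0x30 ((ConvertTo-BerInt 1) + (New-Tlv 0x04 ([Text.Encoding]::ASCII.GetBytes($Community))) + $pdu)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Target, 161)
        [void]$udp.Send($msg, $msg.Length)
        $from = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
        $resp = $udp.Receive([ref]$from)
    } catch [System.Net.Sockets.SocketException] {
        # Nothing came back: UDP 161 filtered, SNMP off, or (v2c is silent about it)
        # wrong community / this host missing from the NetScaler's SNMP manager list.
        return [pscustomobject]@{ Target = $Target; Reachable = $false; SysDescr = $null; Detail = $_.Exception.Message }
    } finally { $udp.Close() }

    # SEQUENCE { version, community, GetResponse-PDU { id, status, index, SEQUENCE { SEQUENCE { oid, value } } } }
    $outer = Read-Tlv $resp 0
    $ver   = Read-Tlv $outer.Value 0
    $comm  = Read-Tlv $outer.Value $ver.Next
    $pduR  = Read-Tlv $outer.Value $comm.Next
    if ($pduR.Tag -ne 0xA2) { throw ('Unexpected PDU tag 0x{0:X2}' -f $pduR.Tag) }
    $rid   = Read-Tlv $pduR.Value 0
    $stat  = Read-Tlv $pduR.Value $rid.Next
    $idx   = Read-Tlv $pduR.Value $stat.Next
    $vbl   = Read-Tlv $pduR.Value $idx.Next
    $vb    = Read-Tlv $vbl.Value 0
    $oidR  = Read-Tlv $vb.Value 0
    $valR  = Read-Tlv $vb.Value $oidR.Next

    $text = if ($valR.Tag -eq 0x04) { [Text.Encoding]::ASCII.GetString($valR.Value) }
            else { 'non-string value, tag 0x{0:X2}' -f $valR.Tag }
    [pscustomobject]@{ Target = $Target; Reachable = $true; SysDescr = $text; Detail = "error-status $($stat.Value[0])" }
}

Test-SnmpGet -Target '10.0.0.10' -Community 'public' | Format-List   # NSIP and community are assumptions
```

Once it answers, tighten the other end as well: restrict which hosts the NetScaler will answer by listing only the Command Center in its SNMP managers, so the firewall rule is not the only thing standing between the community string and the rest of the network.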

Tuesday, June 14, 2016

Workaround for addressing display size when connecting to VMware Horizon View desktops with 3K or 4K devices

One of the frequent issues I’ve noticed the clients I work with are coming across is the use of devices that have 3K or 4K resolution. These devices look great when running the native operating system but render connections to VMware Horizon View desktops unusable because the virtual desktop is displayed far too small. Most administrators who have come across this issue have probably tried to change the DPI of the virtual desktop, only to find that the configuration screen is locked:

The way I got around this with my 3K display Mac a few years ago was to simply change the Windows virtual desktop resolution back to a lower setting and then connect to the VDI, but this defeats the purpose of having a high resolution display. Fast forward a few years to when a client asked me to look into this again: it appears that VMware has included an experimental (unsupported) registry value for VMware Horizon View Client 3.4 or newer that enables DPI scaling so that the display is sized appropriately for the 3K or 4K device connecting to the desktop.

I’ve noticed that there appear to be several places where this registry value should be added depending on the operating system, so I’ve included the 3 paths to check (the value is EnableSessionDPIScaling, a REG_DWORD set to 1):

32-Bit Operating System:

HKCU\Software\VMware, Inc.\VMware VDM\Client

REG ADD "HKCU\Software\VMware, Inc.\VMware VDM\Client" /v EnableSessionDPIScaling /t REG_DWORD /d 1

64-Bit Operating System:

HKCU\Software\Wow6432Node\VMware, Inc.\VMware VDM\Client

REG ADD "HKCU\Software\Wow6432Node\VMware, Inc.\VMware VDM\Client" /v EnableSessionDPIScaling /t REG_DWORD /d 1

Surface Pro 3 64-Bit Operating System:

HKCU\Software\Policies\VMware, Inc.\VMware VDM\Client

REG ADD "HKCU\Software\Policies\VMware, Inc.\VMware VDM\Client" /v EnableSessionDPIScaling /t REG_DWORD /d 1

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Hope this helps anyone who may be experiencing this issue.