www.youracclaim.com – now that’s dodgy

I, like many of the readers of this blog, have been getting messages constantly from “www.youracclaim.com” to get “badges” from the Microsoft exams they have sat over the past years.

I had ignored these up until recently, but when I went to update my LinkedIn profile to include some recent university results, I thought “there must be an easy way to add my Microsoft certs, I’ll try this youracclaim.com thingy…. it’s from Pearson VUE – how dodgy could it be?”

My question was soon answered by the permission prompt (below) when I tried to link my newly created youracclaim.com account to LinkedIn.

 

Post updates, make comments and like posts as me… are you fucking serious?!!?! Does anyone fall for that? (rhetorical question – someone must….)

The disappointment of the lack of Direct Access development

<rant mode: on>

Direct Access (or DA) is awesome. Much like TMG before it, it fits into a segment of the market that nothing else covers in quite the same way.

DA is fully supported on Windows Server 2016, but has had no new features added. I read somewhere that while it is still supported, it is no longer under active development (but I have no credible references to back that up).

DA could go from awesome (where it is now) to super-awesome (yes, that is my technical term for it) by:

  • Allowing network control based on group at the server side (e.g. if a member of this group, the user is only allowed to reach the 10.10.10.x subnet, etc.)
  • Allowing more control on the client side (e.g. a group policy to optionally allow the user to enable/disable multiple optional DA entries, or just the one)
  • Allowing creation of a DA “package” that could be sent to non-domain machines to still allow DA connections (in conjunction with the above)

Outside of that, we also had a client recently pass on that their Microsoft TAM was ragging on DA, claiming that it’s out-dated technology… I can only assume because “everything should be in the cloud”. Organisations aren’t going (and technically cannot in many cases) to move everything to the cloud overnight….. even if they did, clients still need to be able to get onto the corporate network – and companies may not wish to make some apps/data available publicly – even with MFA/certs etc.

 

Anyway, this is my plea…. MS, don’t fuck up with DA like you did with TMG. It’s a good product, develop it.

<rant mode: off>

Importing the AD PowerShell module into Windows PE and then using encrypted creds

PowerShell makes life much easier than VBScript…. however it does have its downsides…. the signing policy can sometimes be a bit of a pain, and the modules you need have to be available…. which is an issue in particular for Windows PE, where the AD module isn’t in the boot image.

Mick (good Aussie name there) was nice enough to write a blog on how to import the Active Directory module into PE – without having to add it statically to the boot WIM – http://mickitblog.blogspot.com.au/2016/04/import-active-directory-module-into.html

I was a little lazy here and copied both the x86 and x64 required directories via Robocopy rather than determining the version via PowerShell like Mick did.

The next step however is the more important one…. a task sequence step doesn’t let us run a PowerShell command in PE under alternate credentials, so we need a reasonably safe way of getting those credentials to the script. In my case, I want to delete a computer object….

Step 1 – Generate a key file (perform on any full OS)

$KeyFile = '\\sccm\PSource$\OSD.DeleteComputer\DeleteComputer.key'
# 16 bytes = AES-128; ConvertFrom-SecureString -Key also accepts 24 or 32 bytes
$Key = New-Object Byte[] 16
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
# Written as one decimal byte per line, which Get-Content reads straight back into a byte array
$Key | Out-File $KeyFile

Step 2 – Encrypt a password using the key

$PasswordFile = '\\sccm\PSource$\OSD.DeleteComputer\DeleteComputer.txt'
$KeyFile = '\\sccm\PSource$\OSD.DeleteComputer\DeleteComputer.key'
[byte[]]$Key = Get-Content $KeyFile
# Read-Host -AsSecureString would keep the password out of your console history
$Password = 'Your password here' | ConvertTo-SecureString -AsPlainText -Force
$Password | ConvertFrom-SecureString -Key $Key | Out-File $PasswordFile

 

Step 3 – Create your script utilising the creds (below is the one I use to delete a computer object)

Import-Module ActiveDirectory

# SCCM TS object
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# SCCM variables
$CompName = $tsenv.Value("_SMSTSMachineName")

# The key and encrypted password sit next to this script in the package
$MyDir = [System.IO.Path]::GetDirectoryName($MyInvocation.MyCommand.Definition)
$User = "Domain\Account"
$PasswordFile = "$MyDir\DeleteComputer.txt"
$KeyFile = "$MyDir\DeleteComputer.key"
[byte[]]$Key = Get-Content $KeyFile
$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, (Get-Content $PasswordFile | ConvertTo-SecureString -Key $Key)

# Remove the computer from AD. -Server is required because WinPE has no domain context to locate a DC with.
# Note: Remove-ADComputer refuses to delete an object that has child objects (e.g. BitLocker recovery information);
# use Remove-ADObject -Recursive on the computer's DN in that case.
Remove-ADComputer -Identity $CompName -Server "<DC name required>" -Credential $MyCredential -Confirm:$false

 

Now before you say it…. yes, this is not very secure. Because the key and the ciphertext sit in the same package, this is obfuscation rather than real protection. It will stop a random snooper type person from seeing a plain text password…. but it will not stop someone who has half an idea about pressing F8 to get into the running TS (if command support is enabled), grabbing the .key and .txt, and decrypting them with the two lines from Step 3 – and anyone who can read the package content can do the same without F8. So keep the account to the bare minimum it needs (delegate only the right to delete computer objects on the OU the task sequence touches, rather than using anything with broader rights), and use (or don’t use) this appropriately for your environment.
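The three steps as reusable functions, with the read-back at the end that shows exactly what the F8 snooper gets. This is an added example, not the script from the post; the paths under $env:TEMP, the account name CONTOSO\svc-osd-delete and the function names are my placeholders.

```powershell
# Added example, not the post's script. Paths, the account name and the function names
# are placeholders. AES-key mode (rather than DPAPI) is used deliberately: a DPAPI-protected
# string can only be decrypted by the same user on the same machine, which WinPE never is.

function New-AesKeyFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet(16, 24, 32)][int]$Length = 32   # AES-128/192/256
    )
    $key = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    # One decimal byte per line: Get-Content reads it back and casts cleanly to [byte[]]
    $key | Out-File -FilePath $Path
}

function Protect-PasswordToFile {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$PasswordPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    [byte[]]$key = Get-Content -Path $KeyPath
    $Password | ConvertFrom-SecureString -Key $key | Out-File -FilePath $PasswordPath
}

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$PasswordPath
    )
    [byte[]]$key = Get-Content -Path $KeyPath
    $secure = Get-Content -Path $PasswordPath | ConvertTo-SecureString -Key $key
    New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

# --- Demo: steps 1 and 2 on a full OS, then step 3's read-back ---
$dir = Join-Path $env:TEMP 'OSD.DeleteComputer'   # stand-in for the package source folder
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$keyFile = Join-Path $dir 'DeleteComputer.key'
$pwFile  = Join-Path $dir 'DeleteComputer.txt'

New-AesKeyFile -Path $keyFile
# Read-Host keeps the password out of the console history; a literal string does not
$password = Read-Host -Prompt 'Password for the delete-computer account' -AsSecureString
Protect-PasswordToFile -KeyPath $keyFile -PasswordPath $pwFile -Password $password

$cred = Get-StoredCredential -UserName 'CONTOSO\svc-osd-delete' -KeyPath $keyFile -PasswordPath $pwFile
# What the F8 snooper gets: key file + txt file = the plaintext password
$cred.GetNetworkCredential().Password
```

The last line is the point: whoever can read both files owns the account, so the account in the file should hold nothing beyond the delegated right to delete computer objects in the OU(s) the task sequence works in.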

UEV now included in Windows 10 1607 (and above)

User Experience Virtualization (UEV) used to be part of the MDOP packs…. however MDOP’s last update was in 2015…. leaving some of us wondering what was happening to the awesome tools contained within.

Given Microsoft’s recent desire to destroy anything and everything that isn’t cloud – regardless of its ability to fill gaps that cloud services don’t currently service well, or its ability to facilitate migration to cloud – it seemed likely that these tools were dead.

Fortunately for UEV, it’s now included in Windows 10 Enterprise as a default service, for versions 1607 and 1703 (and we may be able to assume future releases as well). Some details on the release are here – https://docs.microsoft.com/en-us/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows

Unfortunately, in standard Microsoft fashion, the documentation is not good.

The UEV documentation is located here – https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2

However, there are a few quite important things that anyone deploying this should be aware of:

  • Even though it isn’t stated anywhere in the doco, and seems quite counter-intuitive based on what’s presented in the GPO settings, the default Microsoft-included (inbox) templates do not automatically register on clients. They can be copied to your custom templates path, or you can register them with PowerShell on each machine as per http://ccmexec.com/2017/02/synchronizing-ie-favorites-with-ue-v-in-windows-1607/
  • The UEV template generator is part of the ADK (1607 or 1703) – however, it does not show up if you try and run the ADK installer on Windows 8.1 or Server 2012 R2. I haven’t tried on Windows 10 versions below 1607 – but it does show up and install on 1607 and 1703.
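An added example (mine, not the post’s or the UE-V docs’) of doing the first bullet with the inbox UEV module: enable the service, point it at a settings share, and register every inbox template. The InboxTemplates folder under %ProgramData% and the settings share path are assumptions; check both against your build.

```powershell
# Added example, not from the post. Enables UE-V on a Windows 10 1607+ Enterprise client
# and registers the inbox templates, which (as noted above) are not registered by default.
# Assumptions: the inbox templates live under %ProgramData%\Microsoft\UEV\InboxTemplates,
# and \\fileserver\UevSettings$ is your settings storage share.
Import-Module UEV

# Enable the agent service (the first enable needs a reboot) and set the storage path
Enable-Uev
Set-UevConfiguration -Computer -SettingsStoragePath '\\fileserver\UevSettings$\%username%'

# Register every inbox template; a template that is already registered just errors and is skipped
$inbox = Join-Path $env:ProgramData 'Microsoft\UEV\InboxTemplates'   # assumed location
Get-ChildItem -Path $inbox -Filter '*.xml' | ForEach-Object {
    Register-UevTemplate -Path $_.FullName -ErrorAction Continue
}

# Confirm the service state and what is now registered
Get-UevStatus
Get-UevTemplate
```

Registering per machine like this is what a startup script or a task sequence step would do; copying the inbox XML files to the custom templates path you set in GPO achieves the same thing centrally.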

Migration of public folders to Exchange 2013/2016

I’ve done a few of these…. but most corporates (at least those I’ve dealt with) use public folders quite lightly – if at all…. so the migrations have been quite simple.

 

Recently, I was tasked with moving a smaller business (through a partner) from 2007 to 2013 then 2016.

The mailbox move from 2007 to 2013 went flawlessly.

Then we came to their public folders…. approx. 400GB – from which they apparently run a lot of their business.

I ran through the (painful) process of removing trailing spaces, backslashes, dead permissions etc…. not hard – just slow, manual and annoying.
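An added example (mine, not the post’s) for the name clean-up part of that process: find legacy public folders whose names will trip the migration (leading/trailing spaces, backslash or forward slash) and rename them. It is a dry run unless -Apply is passed; the replacement character is my choice.

```powershell
# Added example, not from the post. Run in the source (2007/2010) Exchange Management Shell.
# Without -Apply it only reports what it would rename.
param([switch]$Apply)

# Folders with leading/trailing whitespace or a '\' or '/' in the name
$bad = Get-PublicFolder -Recurse -ResultSize Unlimited |
    Where-Object { $_.Name -match '^\s|\s$|[\\/]' }

foreach ($pf in $bad) {
    # Swap slashes for a dash and trim the ends (adjust to taste)
    $newName = ($pf.Name -replace '[\\/]', '-').Trim()
    "{0}  ->  {1}" -f $pf.Identity, $newName
    if ($Apply) {
        # Rename via the folder object, not a typed path: the path itself contains the bad characters
        Set-PublicFolder -Identity $pf.Identity -Name $newName
    }
}
```

Run it without -Apply first and read the list: if a new name collides with an existing sibling the rename will fail, and the non-IPM subtree (\NON_IPM_SUBTREE) is not covered by the default root.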

There is an article here that talks about the hassle of migrating PF’s – https://thoughtsofanidlemind.com/2013/12/13/migration-modern-public-folders/

On the first migration attempt, the extent of these corrupt and oversize items was discovered (3000 corrupt items and hundreds of items that were oversize) – then discussed with the business.

So here we have the first fucking boomingly huge issue with public folder migration…. there are no PowerShell cmdlets to help you get the size of items (you can get the size of folders, but that’s not helpful) that will be considered oversize… so you cannot identify these items prior to migration. To add to that, even if you could identify them, there is no nice way to say “export these items to PST, then delete”, or as part of the migration batch “migrate all large items”.

The next issue is that through the GUI you can see a list of skipped items and why they were skipped (corruption or oversize) – but there doesn’t appear to be a way to get this information via PowerShell so you can nicely export it and give it to the customer (or sort it yourself).

The business stated that corrupt PF’s weren’t vital, but the large items were needed.

Even after lifting the size limit to 500MB, there were still lots of items that were too large.

I tried to accommodate these large items and found that the Exchange migration mailbox (in a default database, which I leave in the default location) – which should only ever hold items in transit – proceeded to grow, fill up the disk the logs were on, and cause a dirty shutdown and corruption… so I learnt my lesson there…. if a client is using PFs as a file store for items of 500 MB or over – refuse to migrate until these items are removed…. (unfortunately you need to run a “dummy migration” and then look at the skipped items list to identify these items!)

Anyway – long story short – the moral of this very annoyed story:

Public folder migration to Exchange 2013/2016 sucks. It has clearly been put in as an afterthought to appease some organisations – and is only suitable for light users of PFs.

If a customer is a heavy public folder user, do not change the default “large item” size to accommodate them. Refuse to migrate them and notify them the items will be lost.

 

Outlook HTML…. holy shit that’s bad.

Recently, I made up an HTML template to use with some summaries we send out to clients – I thought it would look a bit more professional than our existing text with an attached PDF.

I got the HTML looking nice, plugged it into the VS project, and generated some emails…

<eyes pop from sockets> Holy shit that looks terrible! The rendering is all over the place!

After a bit of poking around the web, I found that the rendering engine for Outlook since 2007 has been the Word HTML rendering engine – and to say it’s an unpopular choice would be a massive understatement:

  • My campaign looks bad in Outlook
  • It’s Not You, It’s Outlook – The Complete Guide for Email Marketers
  • A Guide to Rendering Differences in Microsoft Outlook Clients
  • Microsoft defends Outlook HTML decision

 

I ended up “editing” my html with word, accepting that it was never going to look good, saving the massively increased html “template” – and using that.

It looks nowhere near as good, the HTML content has gone from 1k to 41k, and I have learned the valuable lesson of checking before saying “how hard can something really basic like that be?” to coders when they cannot do something that, on the face of it, would seem incredibly basic.

Good work Microsoft – your ability to introduce absurd amounts of complexity for no benefit is second only to the Australian federal government.

Azure AD sync objects not syncing – specifically some room and equipment mailboxes

I have a client who is slowly going to O365 and has asked us to pick up where another consultancy left off.

Some objects were not syncing with O365, even though the OU was included in the AADConnect config.

The first issue was easy – the UPN suffix on a number of objects had not been changed; updated that, and away they went.

The next issue took me a while to suss out.

Within the Synchronization Service Manager, I could see there were 22 “disconnects”… but no details on what that meant…. it took a while, but I found that the issue was caused by the mailboxes which were listed as object type “placeholder”. So…..

Open Synchronization Service Manager, then:

  • Go to Connectors
  • Right click on your AD connector and select “Search Connector Space”
  • Optionally specify a DN to search
  • Find objects that have an “Object Type” of “placeholder”

I tried a number of things to try and get rid of “placeholder” – in the end, it was a simple password reset…. you don’t have to enable the account, just set the password to something valid, and then it will sync in AADConnect fine.

Considering the accounts are all disabled, and therefore resetting all the passwords doesn’t matter, I ran the following PowerShell over the top-level resources OU:

Get-ADUser -Filter * -SearchScope Subtree -SearchBase "OU=Resources,OU=Contoso,DC=au" | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ComplexPassword" -Force)
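An added example (mine, not the post’s one-liner) that does the same reset over the same OU, but gives each disabled account its own random password and leaves enabled accounts untouched. One shared, known password on a whole OU of accounts is a credential somebody already has the day one of them gets re-enabled. The OU is the post’s; the password length and function names are my choices.

```powershell
# Added example, not from the post. Resets every disabled user in the OU to a unique
# random password. Report-only unless -Apply is passed.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 24)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # Base64 gives upper, lower, digits and '+'/'/'; the trailing '!' guarantees a symbol
    [Convert]::ToBase64String($bytes).Substring(0, $Length) + '!'
}

function Reset-DisabledAccountPasswords {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [switch]$Apply
    )
    # Only disabled accounts: enabled resource accounts keep whatever they have
    Get-ADUser -Filter { Enabled -eq $false } -SearchBase $SearchBase -SearchScope Subtree |
        ForEach-Object {
            if ($Apply) {
                $new = ConvertTo-SecureString -AsPlainText (New-RandomPassword) -Force
                Set-ADAccountPassword -Identity $_ -Reset -NewPassword $new
            }
            $_.SamAccountName   # returned so the caller can see (or log) what was touched
        }
}

Reset-DisabledAccountPasswords -SearchBase 'OU=Resources,OU=Contoso,DC=au'           # report only
# Reset-DisabledAccountPasswords -SearchBase 'OU=Resources,OU=Contoso,DC=au' -Apply  # do it
```

Nobody needs to know these passwords: the point is only that the accounts get a valid, set password so AADConnect stops treating them as placeholders, and a random one does that without leaving a known credential lying around.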

 

 

 

Parallels phone spam

Recently, my staff and I have been subjected to a bunch of phone call spam from http://www.parallels.com

I’m getting calls from a UK number, +442033276423, asking us to partner…. the first time, it was “no thanks”; subsequent calls have been met with less friendly suggestions, and then a block.

Still, no company with decent software needs to engage in this type of activity – avoid.

*update 4/10/2016*

They still call persistently, twice a day, leaving “silence” voicemails after their number has been blocked. There doesn’t seem to be a way to block the number and prevent them from leaving voicemail…. any app developers out there want to write an app to do that? (if you can do that). It’s a Windows 10 phone, so you’d have to be willing to write an app for a platform that commands a whopping 0.7% of the handset market and, based on the complete lack of support from Microsoft and the rumour mill, is unlikely to exist for much longer!