Corey Zamara – Technology Guru | Country Music | I Believe In Beer (feed dated Tue, 25 Jun 2019 18:10:29 +0000)

Configuring Anti-Spam Protection on Exchange 2013, 2016 – RBL Providers
Wed, 11 Sep 2019 15:00:35 +0000

In this article we’ll look at how to configure RBL filters on Exchange 2016 and 2013. First, a reminder of what an RBL is. An RBL (Realtime Blackhole List) is a service that maintains a database of IP addresses of mail servers flagged as spam sources. RBLs are most often queried over DNS, so these services are also called DNSBLs (DNS Block Lists).

When receiving an e-mail from an unknown sender, the mail server can automatically check these lists and reject the connection from IP addresses found in the RBL database. If the connecting server’s IP address matches an entry in one of the configured RBLs, your Exchange server returns an SMTP error 550 5.x.x in response to the RCPT TO command, and the sender receives a non-delivery report (NDR) from its own mail server.

In Exchange 2013 and 2016, the Connection Filtering agent is responsible for blocking the connections based on the lists of IP addresses. The Connection Filtering agent includes:

  • IP Block Lists – a black list of IP addresses from which the email must not be accepted (blocked senders);
  • IP Allow Lists – a white list of IP addresses (allowed senders);
  • RBL Providers – the list of RBL providers.

The first two lists are static and maintained by the Exchange administrator manually. The list of RBL providers names the third-party RBL services that are queried for every inbound connection.

In Exchange 2007/2010, anti-spam filtering could be enabled with the Install-AntispamAgents.ps1 script; both filtering agents (Connection Filtering and Content Filtering) were installed on the same server with the Hub Transport role. In Exchange 2013, the transport role is split into two components, Front End Transport and Back End Transport, and the anti-spam filtering is split accordingly: the Front End server performs Connection Filtering, and the Back End server does Content Filtering (including the IMF filter – Exchange Intelligent Message Filter – and the virus-detecting Malware Agent).

In Exchange 2013, if the CAS and Mailbox roles are installed on the same server, the Install-AntispamAgents.ps1 script installs only the Content Filtering agent. That means RBL filtering is not available until the Connection Filtering agent is installed separately.

To install the Connection Filtering agent, use the Install-TransportAgent cmdlet:

Install-TransportAgent -Name "Connection Filtering Agent" -TransportService FrontEnd -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory" -AssemblyPath "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll"

In Exchange 2016 all roles (except Edge Transport) are merged, so if you don’t have a dedicated Edge Transport server you have to install the anti-spam agents with the Install-AntispamAgents.ps1 script on every Mailbox server. Then tell the transport service which internal SMTP servers (other Exchange servers, relays, application servers) to treat as trusted hops: the agents skip these addresses and look further down the Received headers for the original sender’s IP, so without this setting mail relayed through an internal server would be judged by the relay’s IP rather than the real source:

Set-TransportConfig -InternalSMTPServers @{Add="",""}

After the agent is installed, you need to enable it and restart the Front End Transport service:
Enable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"
Restart-Service MSExchangeFrontEndTransport

To make sure that the Connection Filtering agent is installed and running, do the following:
Get-TransportAgent -TransportService FrontEnd

Next, specify the list of RBL providers to be used. Note. Currently the most widely used RBL providers are Spamhaus and SpamCop.
Add-IPBlockListProvider -Name -LookupDomain -AnyMatch $true -Enabled $True
To change the text of the SMTP rejection returned to the sender, run:
Set-IPBlockListProvider -RejectionResponse "Your IP address is listed by Spamhaus Zen. You can delete it on page"
You can add several RBL providers at once, but first read each provider’s lookup rules and commercial-use policy. The public mirrors of the large lists are rate-limited and some refuse queries that arrive through open or public DNS resolvers; with -AnyMatch $true such a refusal code is indistinguishable from a listing, so make sure your Exchange servers resolve through your own recursive DNS.
To display the RBL providers currently in use:

You can check if a certain IP address is in the RBL list with the following command:
Test-IPBlockListProvider -Identity -IPAddress x.x.x.x
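The following script is an added example and is not part of the original article. It puts the Add-/Set-/Test-IPBlockListProvider steps above together and adds the check a practitioner wants before live mail depends on the lookup: it resolves the conventional DNSBL test address directly and distinguishes a real listing from a "your resolver is not welcome" error code. The provider names and lookup domains (zen.spamhaus.org, bl.spamcop.net), the contact address in the rejection text and the use of 127.0.0.2 as the always-listed test address are assumptions, not values from the article. Run it in the Exchange Management Shell on a server where the Connection Filtering agent is installed.

```powershell
# Added example (not from the original article). Assumptions: provider names/lookup
# domains, postmaster@contoso.com, and 127.0.0.2 as the DNSBL "always listed" test IP.
$providers = @(
    @{ Name = 'Spamhaus Zen'; LookupDomain = 'zen.spamhaus.org' }
    @{ Name = 'SpamCop';      LookupDomain = 'bl.spamcop.net'    }
)

function Test-RblLookupPath {
    # Query <reversed-ip>.<zone> the way the agent does and interpret the answer.
    param([Parameter(Mandatory)] [string] $LookupDomain, [string] $TestIP = '127.0.0.2')
    $reversed = ($TestIP -split '\.')[3..0] -join '.'
    $answers  = Resolve-DnsName -Name "$reversed.$LookupDomain" -Type A -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    if (-not $answers) {
        return "$LookupDomain : NO ANSWER - DNS path broken, or the zone refuses this resolver"
    }
    if ($answers -like '127.255.255.*') {
        # Spamhaus signals "open/public resolver" or "rate limit exceeded" with these codes;
        # with -AnyMatch $true the agent would treat every sender as listed.
        return "$LookupDomain : ERROR CODE $($answers -join ',') - fix DNS before enabling the provider"
    }
    "$LookupDomain : OK, test address returned $($answers -join ',')"
}

# 1. Make sure the agent that consumes these providers is actually loaded and enabled
$agent = Get-TransportAgent -TransportService FrontEnd -Identity 'Connection Filtering Agent' -ErrorAction Stop
if (-not $agent.Enabled) { Write-Warning 'Connection Filtering Agent is installed but disabled' }

# 2. Verify the DNS path to every zone first; do not add a provider whose lookups fail
$healthy = foreach ($p in $providers) {
    $status = Test-RblLookupPath -LookupDomain $p.LookupDomain
    Write-Host $status
    if ($status -like '*: OK*') { $p }
}

# 3. Add missing providers idempotently and set an actionable rejection text
foreach ($p in $healthy) {
    if (-not (Get-IPBlockListProvider -Identity $p.Name -ErrorAction SilentlyContinue)) {
        Add-IPBlockListProvider -Name $p.Name -LookupDomain $p.LookupDomain -AnyMatch $true -Enabled $true
    }
    Set-IPBlockListProvider -Identity $p.Name -RejectionResponse (
        "Your IP address is listed by $($p.Name) ($($p.LookupDomain)). " +
        "Request delisting from the provider or contact postmaster@contoso.com.")
    # 4. Same check through Exchange's own code path
    Test-IPBlockListProvider -Identity $p.Name -IPAddress 127.0.0.2 | Format-List
}
```

The order matters: a provider is only added after its zone answers correctly from this server, because once -AnyMatch is on, a zone that returns error codes to your resolver rejects all inbound mail, which is the most common way an RBL deployment turns into a self-inflicted outage.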
By default the Connection Filter agent logs are saved to the folder
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog.

To find out which RBL provider rejected a given message, search the *.log files in this directory. To locate the log file containing a specific sender address, open an elevated command prompt and run the following (put the address inside the quotes of the first find; the pipeline keeps only files with a non-zero match count):

Cd "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog"
find /c "" *.log | find ":" | find /v ": 0"

Then open the matching *.log file in any text editor and search for the rejected address to see which RBL provider blocked the message and when. The Reason field reads BlockListProvider and the ReasonData field carries the provider that matched.

In this example the message from the (elided) sender was rejected on the Exchange server by the RBL provider named in ReasonData; the log line has this shape:

,,,1,Connection Filtering Agent,OnRcptCommand,RejectCommand,"550 5.7.1 Recipient not authorized, your IP has been found on a block list",BlockListProvider,,,,

After enough data has been collected (this depends on your SMTP traffic volume and usually takes 2-3 days), RBL filtering statistics can be displayed with the Get-AntispamTopRBLProviders.ps1 script from the Exchange Scripts folder:
.\get-AntispamTopRBLProviders.ps1 -location "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog"
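As an added example (not code from the original article), the following PowerShell does what the manual find/text-editor search and the Get-AntispamTopRBLProviders.ps1 call above do, in one place: it parses FrontEnd AgentLog files, keeps only Connection Filtering rejections whose Reason is BlockListProvider, and groups them by provider and sender IP. The column layout is read from each file’s own "#Fields:" header rather than hardcoded. The sample log lines embedded below are constructed (addresses from documentation ranges), and the log path is the default one named in the article.

```powershell
# Added example (not from the original article). Sample lines below are constructed.
function Get-RblRejection {
    # Parse one agent log (as lines) and return the RBL rejections it contains
    param([Parameter(Mandatory)] [string[]] $Lines)

    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields: header found; not an Exchange agent log' }
    $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ','

    $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header $header |
        Where-Object {
            $_.Agent  -eq 'Connection Filtering Agent' -and
            $_.Action -eq 'RejectCommand' -and
            $_.Reason -eq 'BlockListProvider'
        }
}

function Get-RblRejectionSummary {
    # Walk every *.log in the AgentLog folder and count rejections per provider
    param([Parameter(Mandatory)] [string] $LogDir)
    Get-ChildItem -Path $LogDir -Filter '*.log' |
        ForEach-Object { Get-RblRejection -Lines (Get-Content $_.FullName) } |
        Group-Object ReasonData |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Provider'; e = { $_.Name } }, Count,
                      @{ n = 'SenderIPs'; e = { ($_.Group.EnteredOrgFromIP | Sort-Object -Unique) -join ' ' } }
}

# Constructed sample in the agent log format (not real traffic, not from the article)
$sample = @'
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Agent Log
#Date: 2019-09-11T10:00:00.000Z
#Fields: Timestamp,SessionId,LocalEndpoint,RemoteEndpoint,EnteredOrgFromIP,MessageId,P1FromAddress,P2FromAddresses,Recipient,NumRecipients,Agent,Event,Action,SmtpResponse,Reason,ReasonData,Diagnostics
2019-09-11T10:01:02.123Z,08D7367A1B2C3D4E,10.0.0.5:25,203.0.113.10:52311,203.0.113.10,,spam@example.net,,user@contoso.com,1,Connection Filtering Agent,OnRcptCommand,RejectCommand,"550 5.7.1 Recipient not authorized, your IP has been found on a block list",BlockListProvider,zen.spamhaus.org,
2019-09-11T10:02:15.456Z,08D7367A1B2C3D4F,10.0.0.5:25,198.51.100.20:41000,198.51.100.20,,news@example.org,,user@contoso.com,1,Connection Filtering Agent,OnRcptCommand,RejectCommand,"550 5.7.1 Recipient not authorized, your IP has been found on a block list",BlockListProvider,bl.spamcop.net,
2019-09-11T10:03:00.000Z,08D7367A1B2C3D50,10.0.0.5:25,192.0.2.7:33000,192.0.2.7,,ok@partner.example,,user@contoso.com,1,Connection Filtering Agent,OnRcptCommand,AcceptMessage,,,,
'@ -split "`r?`n"

# Two of the three sample connections were rejected, one per provider
Get-RblRejection -Lines $sample | Format-Table Timestamp, EnteredOrgFromIP, P1FromAddress, ReasonData -AutoSize

# Against the live logs (default path from the article):
# Get-RblRejectionSummary -LogDir 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog'
```

The SenderIPs column is what you act on: a partner MX that keeps showing up there is a false positive to put on the IP Allow List, while a long tail of one-off addresses is the expected botnet noise.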

The first time you enable RBL filtering, examine the filtering logs carefully for false positives so that mail from your partners is not blocked. Be precise about which list you whitelist against: the Connection Filtering agent decides on the connecting IP before any sender address has been seen, so an RBL false positive is fixed by adding the sending server’s IP to the IP Allow List. A sender or domain bypass affects only the Content Filter agent and does not stop an RBL rejection:

Set-ContentFilterConfig -BypassedSenderDomains,,

To add the IP address of a specific SMTP server to the trusted ones (RBL lookups are skipped for it):

Add-IPAllowListEntry -IPAddress x.x.x.x

In addition, the following pre-installed PowerShell scripts can be used to obtain email filtering statistics by the Connection Filtering Agent:

  • get-AntispamFilteringReport.ps1
  • get-AntispamSCLHistogram.ps1
  • get-AntispamTopBlockedSenderDomains.ps1
  • get-AntispamTopBlockedSenderIPs.ps1
  • get-AntispamTopBlockedSenders.ps1
  • get-AntispamTopRBLProviders.ps1
  • get-AntispamTopRecipients.ps1

To disable incoming email filtering, you need to disable the Connection Filtering Agent:

Disable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"

RBLs are quite effective against unwanted mail (spam), but in most cases they have to be combined with other anti-spam methods (content filtering, SPF/DKIM checks, recipient validation) for robust protection. In addition to RBLs, you can manually block specific sender addresses and domains in Exchange.

Remote Desktop HTML5 Web Client on Windows Server 2016 RDS Wed, 28 Aug 2019 15:00:39 +0000 Although Microsoft has ported its RDP client to several platforms in recent years (iOS, macOS, Android, plus a separate UWP Remote Desktop app for Windows 10), many users want to reach RDS servers and published RemoteApps from a browser. For this, Microsoft has been developing an HTML5-based Remote Desktop Web Client for some years, and the first official RD Web Client release is now available. In this article we’ll look at how to install and configure the Remote Desktop Web Client and use it to access RemoteApps on an RDS server running Windows Server 2016 from a browser.

Remote Desktop HTML5 Web Client Requirements

The Remote Desktop Web Client is available as an add-on to the RD Web Access role on RDS servers running Windows Server 2016/2019.

Prior to RD Web Client implementation, make sure that your infrastructure meets the following requirements:

  • A deployed RDS infrastructure, including RD Gateway, RD Connection Broker and RD Web Access on Windows Server 2016/2019;
  • Per User terminal licenses (RDS CAL) are used;
  • SSL certificates issued by a trusted CA must be used on the RD Gateway and RD Web Access servers (self-signed certificates are not supported; the browser, not mstsc, is the client here and has no "connect anyway" prompt);
  • Only Windows 10 or Windows Server 2008 R2 (or higher) must be used as RDP clients;
  • The update KB4025334 (July 18, 2017) or any of the subsequent cumulative update must be installed on the RDS servers.

Installing RD Web HTML5 Client on Windows Server 2016 RDS

As already noted, the RD Web Client for Windows Server 2016/2019 is available, but it is not included in the Windows Server 2016 distribution and has to be installed separately.

Install the PowerShellGet module on a server with the RD Web Access role:

Install-Module -Name PowerShellGet -Force

Restart the PowerShell console. Now install the RD Web Client Management module:

Install-Module -Name RDWebClientManagement

Press A to accept the Microsoft License Agreement.

Then install the latest version of the Remote Desktop web client package:


After the package is installed, check its properties with the following command:



As you can see, the rd-html5.0 package, version 1.0.0, is now present.

Then export the SSL certificate used for SSO (the one assigned to "Enable Single Sign On" in the RDS deployment properties) as a Base64-encoded .cer file from the server holding the RD Connection Broker role. You can export it from the computer certificate manager (certlm.msc); the certificate is in Personal\Certificates. Export the certificate only, without the private key: the web client needs it solely to trust the broker, and the private key should never leave the broker.

Import the certificate on your RD Web server:

Import-RDWebClientBrokerCert C:\RDBrokerCert.cer
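The following check is an added example and not part of the original article. The requirements section states that the certificates must come from a trusted CA and match the server name, but the import step above does not verify either; this script inspects the exported .cer before calling Import-RDWebClientBrokerCert and refuses to import a self-signed, expiring, mis-named or untrusted certificate. C:\RDBrokerCert.cer is the path used above; the broker FQDN rdcb.contoso.com is an assumed placeholder. Run it on the RD Web Access server, which needs network access for the online revocation check.

```powershell
# Added example (not from the original article). rdcb.contoso.com is a placeholder.
function Test-RdBrokerCert {
    param(
        [Parameter(Mandatory)] [string] $Path,        # exported .cer (public key only)
        [Parameter(Mandatory)] [string] $BrokerFqdn   # name clients use for the broker
    )
    $cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $problems = @()

    if ($cert.HasPrivateKey) {
        $problems += 'file contains a private key; export the certificate only'
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "expires $($cert.NotAfter.ToString('u')) (less than 30 days left)"
    }
    if ($cert.Subject -eq $cert.Issuer) {
        $problems += 'self-signed (subject equals issuer); the web client requires a trusted CA'
    }

    # Name check: subject CN or any DNS SAN must cover the broker FQDN (wildcards allowed)
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += $san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1] }
    }
    if (-not ($names | Where-Object { $BrokerFqdn -like $_ })) {
        $problems += "no name matches $BrokerFqdn (found: $($names -join ', '))"
    }

    # Chain must build to a root this machine trusts, with revocation checked online
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($cert)) {
        $problems += 'chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Names      = $names -join ', '
        Valid      = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

$check = Test-RdBrokerCert -Path 'C:\RDBrokerCert.cer' -BrokerFqdn 'rdcb.contoso.com'
$check | Format-List
if ($check.Valid) {
    Import-RDWebClientBrokerCert C:\RDBrokerCert.cer
} else {
    Write-Warning 'Not importing: fix the problems listed above first'
}
```

Keep the thumbprint the script prints; when the broker certificate is renewed later, comparing it against Get-RDWebClientBrokerCert on the web server is the quickest way to spot that the web client is still pinned to the old one.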

Now you can publish the RD Web Client:

Publish-RDWebClientPackage -Type Production -Latest

To publish a test instance of the RD Web Client alongside production (reachable at a separate URL), use:

Publish-RDWebClientPackage -Type Test -Latest

Connect to the RDWeb Access Server from a Browser with HTML5 Support

After the Web Client is deployed on the RDS server, users can open it in a browser on their computers. Current versions of Edge, IE 11, Google Chrome, Safari and Firefox are supported (the RD Web Client does not yet work on mobile devices). To give users access, just share the URL of your RD Web server with them.

Open the URL address:

To access the test environment, use this URL address:

The host name in the URL must match a name in the SSL certificate bound to the RD Web Access server; otherwise the browser refuses the connection.

Sign in to the RDWeb server using your credentials.

During sign-in you are asked which local resources should be available in the RD session. Only clipboard and printer redirection are offered (local drives and USB devices cannot be redirected through the HTML5 client yet; use the mstsc.exe client if you need them).

The list of published RemoteApps and RDP shortcuts appears. You can switch between them using icons at the top of the screen.

You can print from the RD Web Client through the virtual PDF printer (Microsoft Print to PDF). When you print something in the RD Web Client window, the browser prompts you to download the PDF file, which you can then open and print on your local printer.

Dynamic resizing of the RD window and full-screen mode are available in the HTML5 client. The clipboard carries text only (no files or graphics) to and from the Remote Desktop session.

Interestingly, the RD Web Client shows the memory size and CPU load of the RDS server: click the icon of a published app to view it.

Resetting Windows Update Agent Settings Wed, 14 Aug 2019 15:00:31 +0000

In this article we’ll show how to fix common Windows Update errors by resetting the configuration of the Windows Update components. As a rule, this is the most effective and easiest way to solve Windows Update problems when updates are not downloaded or errors occur during installation.

Usually, to debug Windows Update errors, an administrator analyzes the error codes in %windir%\WindowsUpdate.log (in Windows 10 this file is no longer written continuously and has to be generated from the ETW traces with the Get-WindowsUpdateLog cmdlet). There are dozens of possible error codes, and resolving each one individually is non-trivial. To save effort, it is often easier to reset the Windows Update service and agent to their default state completely and then check for updates again.

Windows Update Troubleshooter Tool

Before resetting the Windows Update configuration, we strongly recommend that you first try the simpler approach: let the Windows Update Troubleshooter try to fix the Windows Update service automatically.

Download and run the Windows Update Troubleshooter for your Windows version:

  • Windows 10 – wu10.diagcab (or run the built-in version: Start -> Settings -> Update & Security -> Troubleshoot -> Windows Update);
  • Windows 7 and Windows 8.1 – WindowsUpdate.diagcab.

Wait for the Windows Update Troubleshooter to scan your system and automatically attempt to fix all errors in the Windows Update and related components.

In my case, a corrupted Windows Update database was found and repaired. After that, restart the computer and try to scan for updates. If updates are still not downloaded or installed, proceed to the next step.

Reset Windows Update Settings from the Command Line

Resetting the Windows Update service and agent configuration consists of several steps. All of the operations described below are performed in an elevated command prompt. I have put all the commands into a single .bat file (the download link is below).

The script completely resets the Windows Update configuration and clears the local update cache. It applies to Windows 7, Windows 8.1, Windows 10 and Windows Server 2016 / 2012 R2 / 2008 R2 and eliminates most typical Windows Update errors, whether Windows Update stops downloading new updates or errors appear during installation.

Let’s consider what this script does step by step:

  1. Stop the Windows Update, BITS, Application Identity and Cryptographic Services, and kill any running wuauclt.exe:
    net stop bits
    net stop wuauserv
    net stop appidsvc
    net stop cryptsvc
    taskkill /im wuauclt.exe /f
  2. Delete the BITS job database files qmgr*.dat from %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\ (on Windows Vista and later this path is a junction to %ProgramData%\Microsoft\Network\Downloader):
    Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
  3. Rename the system folders that hold the update cache and the catalog database (the renamed copies serve as backups if you need to roll back). After the services are restarted, the folders are recreated automatically:
    Ren %systemroot%\SoftwareDistribution SoftwareDistribution.bak
    Ren %systemroot%\system32\catroot2 catroot2.bak
  4. Delete the old WindowsUpdate.log file:
    del /f /s /q %windir%\windowsupdate.log
  5. Reset the security descriptors of the BITS and Windows Update services with sc.exe sdset (only needed if the service permissions have been changed; the SDDL strings are omitted here);
  6. Unregister and re-register the system DLLs related to BITS, Windows Update and the crypto/trust stack:
    cd /d %windir%\system32
    regsvr32.exe /U /s vbscript.dll
    regsvr32.exe /U /s mshtml.dll
    regsvr32.exe /U /s msjava.dll
    regsvr32.exe /U /s msxml.dll
    regsvr32.exe /U /s actxprxy.dll
    regsvr32.exe /U /s shdocvw.dll
    regsvr32.exe /U /s Mssip32.dll
    regsvr32.exe /U /s wintrust.dll
    regsvr32.exe /U /s initpki.dll
    regsvr32.exe /U /s dssenh.dll
    regsvr32.exe /U /s rsaenh.dll
    regsvr32.exe /U /s gpkcsp.dll
    regsvr32.exe /U /s sccbase.dll
    regsvr32.exe /U /s slbcsp.dll
    regsvr32.exe /U /s cryptdlg.dll
    regsvr32.exe /U /s Urlmon.dll
    regsvr32.exe /U /s Oleaut32.dll
    regsvr32.exe /U /s msxml2.dll
    regsvr32.exe /U /s Browseui.dll
    regsvr32.exe /U /s shell32.dll
    regsvr32.exe /U /s atl.dll
    regsvr32.exe /U /s jscript.dll
    regsvr32.exe /U /s msxml3.dll
    regsvr32.exe /U /s softpub.dll
    regsvr32.exe /U /s wuapi.dll
    regsvr32.exe /U /s wuaueng.dll
    regsvr32.exe /U /s wuaueng1.dll
    regsvr32.exe /U /s wucltui.dll
    regsvr32.exe /U /s wups.dll
    regsvr32.exe /U /s wups2.dll
    regsvr32.exe /U /s wuweb.dll
    regsvr32.exe /U /s scrrun.dll
    regsvr32.exe /U /s msxml6.dll
    regsvr32.exe /U /s ole32.dll
    regsvr32.exe /U /s qmgr.dll
    regsvr32.exe /U /s qmgrprxy.dll
    regsvr32.exe /U /s wucltux.dll
    regsvr32.exe /U /s muweb.dll
    regsvr32.exe /U /s wuwebv.dll
    regsvr32.exe /s vbscript.dll
    regsvr32.exe /s mshtml.dll
    regsvr32.exe /s msjava.dll
    regsvr32.exe /s msxml.dll
    regsvr32.exe /s actxprxy.dll
    regsvr32.exe /s shdocvw.dll
    regsvr32.exe /s Mssip32.dll
    regsvr32.exe /s wintrust.dll
    regsvr32.exe /s initpki.dll
    regsvr32.exe /s dssenh.dll
    regsvr32.exe /s rsaenh.dll
    regsvr32.exe /s gpkcsp.dll
    regsvr32.exe /s sccbase.dll
    regsvr32.exe /s slbcsp.dll
    regsvr32.exe /s cryptdlg.dll
    regsvr32.exe /s Urlmon.dll
    regsvr32.exe /s Oleaut32.dll
    regsvr32.exe /s msxml2.dll
    regsvr32.exe /s Browseui.dll
    regsvr32.exe /s shell32.dll
    regsvr32.exe /s Mssip32.dll
    regsvr32.exe /s atl.dll
    regsvr32.exe /s jscript.dll
    regsvr32.exe /s msxml3.dll
    regsvr32.exe /s softpub.dll
    regsvr32.exe /s wuapi.dll
    regsvr32.exe /s wuaueng.dll
    regsvr32.exe /s wuaueng1.dll
    regsvr32.exe /s wucltui.dll
    regsvr32.exe /s wups.dll
    regsvr32.exe /s wups2.dll
    regsvr32.exe /s wuweb.dll
    regsvr32.exe /s scrrun.dll
    regsvr32.exe /s msxml6.dll
    regsvr32.exe /s ole32.dll
    regsvr32.exe /s qmgr.dll
    regsvr32.exe /s qmgrprxy.dll
    regsvr32.exe /s wucltux.dll
    regsvr32.exe /s muweb.dll
    regsvr32.exe /s wuwebv.dll
  7. Reset Winsock settings:
    netsh winsock reset
  8. Reset system proxy settings:
    netsh winhttp reset proxy
  9. Optional. When a local WSUS server is used, you can also reset the client’s binding to WSUS by deleting the following values. The first three (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate) form the client identity, which is the fix for cloned machines that share a SusClientId; the last three (under the Policies key) are the WSUS server assignment and will be re-applied by Group Policy if the machine is still in the WSUS GPO scope:
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v TargetGroup /f
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUServer /f
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUStatusServer /f
  10. Start the previously stopped services:

    sc.exe config wuauserv start= auto
    sc.exe config bits start= delayed-auto
    sc.exe config cryptsvc start= auto
    sc.exe config TrustedInstaller start= demand
    sc.exe config DcomLaunch start= auto
    net start bits
    net start wuauserv
    net start appidsvc
    net start cryptsvc
  11. Optional. In some cases you need to install or reinstall the latest Windows Update Agent (WUA). Download the current agent for your Windows version from Microsoft and force the reinstall with: for Windows 7 x86, WindowsUpdateAgent-7.6-x86.exe /quiet /norestart /wuforce; for Windows 7 x64, WindowsUpdateAgent-7.6-x64.exe /quiet /norestart /wuforce.
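The following is an added example and not the article’s batch file: the same procedure in PowerShell, wrapped in a function that supports -WhatIf so you can preview every destructive step, plus a snapshot function to compare the state before and after. Paths, service names and registry keys are the ones the article names; the timestamped backup names, the snapshot fields and the decision to clear only the client identity in the optional WSUS step are my additions. Step 5 (service security descriptors) is omitted, as in the article’s script. Run from an elevated PowerShell prompt.

```powershell
# Added example (not the article's script). Requires an elevated PowerShell prompt.
function Get-WindowsUpdateState {
    # Snapshot of what the reset touches, so before/after can be compared
    $wuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $cache  = Get-ChildItem "$env:windir\SoftwareDistribution" -Recurse -File -ErrorAction SilentlyContinue |
              Measure-Object Length -Sum
    [pscustomobject]@{
        Services     = (Get-Service bits, wuauserv, cryptsvc, appidsvc -ErrorAction SilentlyContinue |
                        ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ' '
        AgentVersion = (Get-Item "$env:windir\System32\wuaueng.dll").VersionInfo.ProductVersion
        SusClientId  = (Get-ItemProperty $wuKey  -Name SusClientId -ErrorAction SilentlyContinue).SusClientId
        WUServer     = (Get-ItemProperty $polKey -Name WUServer    -ErrorAction SilentlyContinue).WUServer
        CacheMB      = [math]::Round(($cache.Sum / 1MB), 1)
    }
}

function Reset-WindowsUpdateComponents {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $UnbindWsus)   # optional step 9 from the article (client identity only)

    $services = 'bits', 'wuauserv', 'appidsvc', 'cryptsvc'
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'

    # Step 1: stop services and any agent process holding the cache open
    if ($PSCmdlet.ShouldProcess("$services", 'Stop services')) {
        Stop-Service $services -Force -ErrorAction SilentlyContinue
        Get-Process wuauclt -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    # Step 2: BITS job database
    if ($PSCmdlet.ShouldProcess('qmgr*.dat', 'Delete')) {
        Remove-Item "$env:ALLUSERSPROFILE\Microsoft\Network\Downloader\qmgr*.dat" -Force -ErrorAction SilentlyContinue
    }
    # Step 3: timestamped backups, so a second run never overwrites the first backup
    foreach ($dir in "$env:windir\SoftwareDistribution", "$env:windir\System32\catroot2") {
        if ((Test-Path $dir) -and $PSCmdlet.ShouldProcess($dir, "Rename to *.$stamp.bak")) {
            Rename-Item $dir "$(Split-Path $dir -Leaf).$stamp.bak"
        }
    }
    # Step 4: old log
    Remove-Item "$env:windir\WindowsUpdate.log" -Force -ErrorAction SilentlyContinue
    # Step 6: re-register the WU/BITS/crypto DLLs (same list as the article)
    $dlls = 'atl','urlmon','mshtml','shdocvw','browseui','jscript','vbscript','scrrun','msxml','msxml3','msxml6',
            'actxprxy','softpub','wintrust','dssenh','rsaenh','gpkcsp','sccbase','slbcsp','cryptdlg','oleaut32',
            'ole32','shell32','initpki','wuapi','wuaueng','wuaueng1','wucltui','wups','wups2','wuweb','qmgr',
            'qmgrprxy','wucltux','muweb','wuwebv'
    if ($PSCmdlet.ShouldProcess("$($dlls.Count) DLLs", 'regsvr32 /s')) {
        foreach ($d in $dlls) {
            Start-Process regsvr32.exe -ArgumentList "/s $env:windir\System32\$d.dll" -Wait -WindowStyle Hidden
        }
    }
    # Steps 7-8: Winsock catalog and WinHTTP proxy
    if ($PSCmdlet.ShouldProcess('Winsock / WinHTTP proxy', 'Reset')) {
        netsh winsock reset | Out-Null
        netsh winhttp reset proxy | Out-Null
    }
    # Step 9 (optional): drop the WSUS client identity so the machine re-registers with a new SusClientId
    if ($UnbindWsus) {
        $wuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
        foreach ($v in 'AccountDomainSid', 'PingID', 'SusClientId') {
            Remove-ItemProperty $wuKey -Name $v -ErrorAction SilentlyContinue
        }
    }
    # Step 10: default start types, then start
    if ($PSCmdlet.ShouldProcess("$services", 'Start services')) {
        sc.exe config wuauserv start= auto         | Out-Null
        sc.exe config bits     start= delayed-auto | Out-Null
        sc.exe config cryptsvc start= auto         | Out-Null
        Start-Service $services -ErrorAction SilentlyContinue
    }
}

$before = Get-WindowsUpdateState
Reset-WindowsUpdateComponents -WhatIf     # dry run: lists every action without performing it
Reset-WindowsUpdateComponents             # real run
Compare-Object $before (Get-WindowsUpdateState) -Property Services, CacheMB, SusClientId
```

The WSUS step here deliberately leaves the WUServer/TargetGroup policy values alone: they are owned by Group Policy and come back at the next refresh, so deleting them only makes sense when the machine is actually leaving WSUS. Clearing SusClientId, by contrast, is the fix for cloned images whose duplicate identity makes machines overwrite each other in the WSUS console.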

Tip. The Windows Update Agent (WUA) version on your computer can be seen in the file properties of %windir%\system32\Wuaueng.dll. In our example it is 7.6.7600.256.

Now restart the computer and trigger a synchronization with the Windows Update / WSUS server:

wuauclt /resetauthorization /detectnow

Note that on Windows 10 the wuauclt switches are no longer honoured; use UsoClient StartScan instead, or simply click Check for updates. Then open Windows Update and make sure that the check, download and installation of updates complete without errors.

The script reset_windows_update_agent.bat can be downloaded via the link (steps 9 and 11 are not included in the script because they are optional). Download the script, unzip it and run it with administrator privileges.

If updates are downloaded and installed correctly, you can remove the backup folders created in step 3 (a rename, as in the original text, would not delete anything):

rmdir /s /q %systemroot%\SoftwareDistribution.bak
rmdir /s /q %systemroot%\system32\catroot2.bak

Script Reset Windows Update Agent

The TechNet script gallery contains a useful and simple script for resetting the Windows Update components – Reset Windows Update Agent Tool. The script is universal and works on all Windows versions from Windows XP up to the latest Windows 10 builds. Here is how to use it.

  1. Download the archive and unpack it;
  2. Run the ResetWUEng.cmd file with administrator permissions;
  3. The script detects your OS version (in my example, Windows 10) and offers 18 options. Some of them are not directly related to resetting the WU agent but may be useful for fixing other Windows issues (checking the disk with chkdsk, repairing the Windows image, resetting Winsock, clearing temporary files, etc.);
  4. To reset the Windows Update settings it is usually sufficient to use option 2 – Resets the Windows Update Components. Press 2 and Enter;
  5. The script performs the same actions we described above for the manual reset from the command prompt. You can review exactly what it does by opening ResetWUEng.cmd in any text editor; option 2, for example, jumps to the :components label. Reading a downloaded script before running it as administrator is good practice in any case;
  6. After the Reset Windows Update Agent script finishes, restart the computer and scan for new updates.
How to Automatically Turn Off Wi-Fi When an Ethernet Cable is Connected? Wed, 31 Jul 2019 15:00:58 +0000 If several Wi-Fi networks are available, Windows 10 automatically picks the wireless network with the strongest signal, regardless of its speed or how many devices share it. When you then plug the computer (laptop) into a wired Ethernet network, Windows keeps using the Wi-Fi network even though the Ethernet connection is faster, more stable and not subject to interference. To switch to the wired connection, the user has to disable Wi-Fi manually each time. Let’s look at how to turn Wi-Fi off automatically when an Ethernet cable is connected.

WLAN Switching Options in the BIOS/UEFI

Many computer vendors have their own implementation of LAN/WLAN Switching (the name varies). The idea is that only one network adapter on the computer transmits data at a time: if a higher-priority Ethernet link appears while Wi-Fi is in use, the Wi-Fi adapter goes into standby automatically. This saves battery and reduces the load on the wireless network.

You can enable LAN/WLAN Switching option in the BIOS/UEFI settings or in the properties of your wireless network adapter driver (it depends on your hardware manufacturer).

Restart your computer to enter the UEFI/BIOS settings, then find and enable the LAN/WLAN Switching option (on HP devices) or Wireless Radio Control (on Dell devices).

This feature may be called differently or be absent in BIOS/UEFI from other manufacturers.

“Disable Upon Wired Connect” in the Wi-Fi Adapter Properties

Some Wi-Fi adapter drivers have an option to turn Wi-Fi off automatically when a wired Ethernet connection is available.

Open the Network and Sharing Center in Windows 10 and open the properties of your Wi-Fi adapter. Click Configure.

In the adapter properties, go to the Advanced tab and find Disable Upon Wired Connect in the list of options. Set its value to Enabled and save the changes.

With this option the driver disconnects from the Wi-Fi network as soon as it detects an active Ethernet connection.

Not all Wi-Fi adapter drivers support this option. If yours doesn’t, the automatic switch to Ethernet can still be implemented with a PowerShell script.

Use PowerShell to Disable Wi-Fi when an Ethernet Connection Exists

To enable or disable the WLAN adapter automatically, you could write your own script and run it from a scheduled task with an event trigger on the wired adapter’s link events in the System log (Event ID 32 – Network link is established; Event ID 27 – Network link is disconnected), but there is a ready-made PowerShell solution.

To turn the Wi-Fi adapter off automatically when the computer is connected to a wired Ethernet network, you can use the ready PowerShell script WLAN Manager. A newer WLAN Manager version with better Windows 10 support and correct detection of virtual adapters is available on GitHub.

The script creates a Task Scheduler task that runs a second script at system boot. That script regularly checks the active network adapters: if it detects a LAN (Ethernet) connection, the WLAN interface is disabled; if the Ethernet cable is unplugged, the Wi-Fi adapter is enabled again.

The script consists of 2 files:

  • PSModule-WLANManager.psm1
  • WLANManager.ps1

Let’s see how to install the WLAN Manager script in Windows 10. Open an elevated PowerShell prompt and allow locally stored, unsigned PS1 scripts to run (RemoteSigned still requires a signature on scripts downloaded from the Internet, so either unblock the downloaded files with Unblock-File or review and re-save them locally):

Set-ExecutionPolicy RemoteSigned

Install the script in your system using the following command:

.\WLANManager.ps1 -Install:System

The script can be installed to run either under a user account (-Install:User) or as Local System (-Install:System). Disabling a network adapter requires administrator rights, so the System variant is the one that works for standard users.

Verifying WLAN Manager version information… Missing
Writing WLAN Manager version information… Done
Verify WLAN Manager Files… Missing
Installing WLAN Manager Files… Done
Verify WLAN Manager Scheduled Task… Missing
Installing WLAN Manager Scheduled Task… Done

You can have the script show a notification to the user when it switches between Wi-Fi and LAN:

.\WLANManager.ps1 -Install:User -BalloonTip:$true

Make sure that a new WLAN Manager task has appeared in the Task Scheduler.

Restart the computer. At startup the Task Scheduler launches C:\Program Files\WLANManager\WLANManager.ps1, which checks the network connections every second: if a LAN connection is detected, all Wi-Fi adapters are disabled; when the LAN cable is unplugged, the script re-enables them.

The WLAN Manager script works well on Windows 10, Windows 8.1 and Windows 7.

Tip. To remove the WLAN Manager script, run:

.\WLANManager.ps1 -Remove:System
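As an added example, and not the WLAN Manager script the article describes, here is the same behaviour in plain PowerShell, but event-driven rather than polling every second: the script is registered as a scheduled task that fires on the NetworkProfile connect/disconnect events (IDs 10000 and 10001 in Microsoft-Windows-NetworkProfile/Operational) and at startup, runs as SYSTEM because disabling an adapter needs administrator rights, and ignores virtual adapters so a Hyper-V or VPN interface is never mistaken for a wired link. The path C:\Scripts\Sync-Wlan.ps1, the task name Sync-Wlan and the event IDs used as triggers are my assumptions.

```powershell
# Added example (not WLAN Manager). Save as C:\Scripts\Sync-Wlan.ps1 (path assumed),
# run ".\Sync-Wlan.ps1 -Register" once from an elevated prompt; the task then re-runs
# the script on every network connect/disconnect event and at startup.
param(
    [switch] $Register
)

function Get-PhysicalAdapter {
    # Physical NICs only: virtual ones (Hyper-V, VPN, loopback) would otherwise look like
    # a permanent wired link and keep Wi-Fi off forever
    Get-NetAdapter -Physical | Where-Object { -not $_.Virtual }
}

function Test-WiredLinkUp {
    # True when at least one physical Ethernet (802.3) adapter has link
    [bool](Get-PhysicalAdapter | Where-Object {
        $_.Status -eq 'Up' -and $_.PhysicalMediaType -eq '802.3'
    })
}

function Sync-WlanState {
    # Disable WLAN while a wired link exists, re-enable it when the cable is gone
    $wlan = Get-PhysicalAdapter | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' }
    if (-not $wlan) { return 'no-wlan-adapter' }
    if (Test-WiredLinkUp) {
        $wlan | Where-Object { $_.Status -ne 'Disabled' } | Disable-NetAdapter -Confirm:$false
        return 'wlan-disabled'
    }
    $wlan | Where-Object { $_.Status -eq 'Disabled' } | Enable-NetAdapter -Confirm:$false
    return 'wlan-enabled'
}

function Register-SyncTask {
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -File `"$PSCommandPath`""

    # Event trigger: Task Scheduler exposes it only through CIM, not New-ScheduledTaskTrigger.
    # NetworkProfile 10000 = network connected, 10001 = network disconnected.
    $class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Enabled      = $true
    $trigger.Subscription = @'
<QueryList><Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
<Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[(EventID=10000 or EventID=10001)]]</Select>
</Query></QueryList>
'@
    $startup   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName 'Sync-Wlan' -Action $action -Trigger $trigger, $startup `
        -Principal $principal -Force | Out-Null
}

if ($Register) { Register-SyncTask } else { Sync-WlanState }
```

The script is idempotent, which matters because disabling the Wi-Fi adapter itself raises a 10001 event and re-runs the task: on that second run the wired link is still up and nothing changes. Because the task runs as SYSTEM, keep the script in a directory writable only by administrators; a script path that a standard user can modify would otherwise be a trivial privilege escalation.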

GPO to Disable Non-Domain Wireless Networks When Connected to LAN

There is a separate Group Policy setting that disables Wi-Fi connections while a computer is connected to the corporate domain network over LAN. It is located under Computer Configuration -> Policies -> Administrative Templates -> Network -> Windows Connection Manager and is called "Prohibit connection to non-domain networks when connected to domain authenticated network". The policy is available from Windows 8 / Windows Server 2012 onwards.

The policy prevents a computer from being connected to both domain and non-domain networks at once.

However, with this policy enabled you may have trouble connecting to Wi-Fi when additional interfaces are present on the computer (for example, loopback adapters or interfaces created by virtualization software), since Windows may treat one of them as the domain-authenticated connection.

Windows Server Licensing for Virtual Environments Wed, 17 Jul 2019 15:00:00 +0000 In this article we’ll look at the licensing of Windows Server 2019, 2016 and 2012 R2 under Microsoft’s current licensing model, and at the rules for licensing Windows Server as a guest OS in virtual machines, including HA clusters that migrate virtual machines between hypervisors (VMware vMotion, Hyper-V Live Migration, etc.).

Beginning with Windows Server 2012, Microsoft changed and simplified the licensing model of its server platform to match the widespread use of virtualization.

Windows Server Editions

In most cases, when considering the Windows Server licensing model, it is advisable to consider the Standard and Datacenter Windows Server editions.

The feature sets of the Standard and Datacenter editions of Windows Server 2012 R2 are almost identical; they differ in the rights to run virtual machines. You therefore choose the edition by the number of virtual machines you will run on the physical host rather than by features.

  • Windows Server 2012 R2 Standard – the license allows up to two virtual machines running Windows Server;
  • Windows Server 2012 R2 Datacenter – an unlimited number of virtual machines on a single licensed physical host (such VMs can be activated automatically with AVMA – Automatic Virtual Machine Activation).

In practice, choosing the Windows Server 2012 R2 edition comes down to how much virtualization you plan to use.

The Windows Server 2016/2019 Standard license also allows you to run up to two VMs with Windows Server on the same physical host.

Windows Server 2016 and 2019 Datacenter also support a number of technologies useful in virtualization and Azure hybrid environments. For example, Windows Server 2016 Datacenter supports:

  • Storage Spaces Direct
  • Storage Replica
  • Shielded Virtual Machines
  • Host Guardian Service
  • Network Fabric
  • Microsoft Azure Stack

Note. We don’t consider the Essentials and Foundation editions, which are intended for small businesses: they have a number of specific limitations and carry no virtualization rights. The Web Server edition has been discontinued entirely.

Per-Socket Licensing in Windows Server 2012 R2

One Windows Server 2012 R2 license covers one physical server with one or two processors, i.e. up to two sockets in a single server (cores are not processors). A license cannot be split across two single-processor servers; that requires two licenses. If a server has more than two processors, you need one license per pair of processors; a 4-processor server, for example, requires two Windows Server 2012 R2 licenses.


Windows Server 2016 and 2019: Per-Core Licensing

In Windows Server 2016 and Windows Server 2019, Microsoft switched from licensing physical processors to a core-based licensing model. This is due to the tendency of CPU and server manufacturers to increase not the number of processors but the number of cores per socket (Microsoft doesn’t want to lose revenue when customers move to multi-core servers en masse). Note the main points:

  • 1 license of Windows Server 2016 covers 2 physical cores on a single server (i.e., Microsoft sells licenses in two-core packs);
  • The cost of one 2-core license is one eighth of the cost of a single Windows Server 2012 R2 (2-CPU) license. However, you need to buy at least 8 such licenses (for 16 cores) – this is the minimum package for 1 physical host. Thus, the licensing cost of one physical 2-processor server with up to 8 cores per socket has not changed. The following licensing rule holds: 1 * Windows Server 2012 R2 (2 CPU) = 8 * Windows Server 2019 (2 Core);
  • 16-core WinSvr licenses are now also available, allowing you to quickly license 1 standard physical host (for example, WinSvrSTDCore 2019 SNGL OLP 16Lic NL CoreLic);
  • All enabled cores on a physical server must be licensed.

Understanding Windows Server Virtual Machine Licensing

If you plan to use your physical server as a hypervisor running several VMs with Windows Server, you need to choose the OS edition depending on the number of VMs that will be running on your server.

For example, you have a dual-processor server with a total of 16 cores. If you purchased 8 licenses of Windows Server 2019 Standard and licensed all the physical cores, you are allowed to run up to 2 VMs with Windows Server on the licensed physical host. The Datacenter license allows you to run an unlimited number of virtual OSes on a licensed host. You do not need to count licenses for virtual machines with non-Microsoft operating systems.

What if you need to run more than two virtual machines on a server with a Standard license? You have to buy the required number of licenses based on the following rule: one Standard license (a full set covering all cores) allows you to run 2 virtual machines.

For example, you want to license a dual-processor (8 cores per CPU) server with four virtual machines. According to the Windows Server 2016 Standard licensing model, you need to buy 16 dual-core Windows Server Standard licenses (2 sets of licenses covering all physical cores) or 8 dual-core Datacenter licenses (you can upgrade the Windows Server 2016 edition without reinstalling).


Note that the licensing procedure is as follows: first the physical cores are covered, and then the virtual machine instances.

According to current Microsoft prices, it is worth buying the Windows Server Datacenter edition if you are going to run 14 or more virtual machines on one physical host. If the number of VMs is lower, it is better to get several Standard license sets to match your core and VM needs.

If you use virtualization on your physical server with Windows Server 2019, you can use the host OS only to maintain and manage the Hyper-V role and the virtual machines. You cannot install Windows Server 2019 on a physical server, run two VMs on it and get three full-fledged Windows Server instances for your tasks. In Microsoft terminology, the physical OS instance is called POSE (physical operating system environment) and a virtual one VOSE (virtual operating system environment).

Windows Server Licensing and VMs Migration between Physical Hosts

Next we’ll consider the licensing peculiarities when a Windows Server virtual machine can move between physical servers in a virtualization farm (using vMotion, Live Migration, etc.).

Note. According to the Microsoft licensing policy, virtual machines can be run not only on Hyper-V, but also on any other platform that you choose, like VMWare, XEN, etc. Thus, if you licensed a physical server (8x WS-Standard dual-core licenses) and installed VMWare ESXi / Free Hypervisor, you can run 2 virtual machines with guest Windows Server 2019.

Software Assurance (SA) provides the right to transfer a product license between physical hosts for most Microsoft server products. But Windows Server is an exception to this rule: according to the licensing agreement, the license can be migrated between hosts only once every 90 days.

How do you license a virtualization farm in which VMs can move between hypervisors (host OSs)? In this scenario, you have to buy, for each physical server, enough licenses to cover the maximum number of virtual machines that can run on it at any time (including high availability scenarios in which all virtual machines of the farm are moved to one of the hosts). I.e., the virtual machine licenses are bound to a physical host and do not move between hosts together with the VMs.

For example, for two separate single processor physical servers with two virtual machines on each of them, we’ll need 2×8 Windows Server Standard licenses.


However, if the virtual machines can move between these servers, we’ll need another set of 2×8 licenses (providing that 4 VMs can be run simultaneously on each server).


In the case of the Datacenter edition, one set of licenses covering all cores is sufficient for each physical host (in the minimum configuration, 8 Datacenter dual-core licenses), since this license allows you to run an unlimited number of VMs.

Therefore, you should choose the Windows Server license depending on the maximum number of VMs on a single host.

Calculating Windows Server Licenses for Virtualization

Below are some examples of calculating Windows Server licenses for physical hosts when using virtualization.

Example 1. There is a Hyper-V cluster of 5 hosts. Each server has 2 processors with 20 cores each. Each host will run 10 virtual machines.

Since the 5 servers form an HA Hyper-V cluster, up to 50 virtual machines could potentially be running on any single host during VM migration (failover). Accordingly, it is more profitable to purchase Datacenter licenses.

Number of licenses for 1 host:

  • Total number of cores – 40
  • Number of 2-core licenses (WinSvrDCCore 2019 SNGL OLP 2Lic NL CoreLic) – 20

Total number of 2-core licenses (WinSvrDCCore) for 5 servers – 100.

Example 2. The branch office has 1 server with 2 sockets with 4 cores each, on which 4 virtual machines are running. How many Windows Server licenses do I need to purchase?

The server has 8 cores. Under the licensing terms you need to cover at least 16 cores, so you need to buy 8 licenses of Windows Server 2016 (WinSvrSTDCore 2 Core). This allows you to run 2 VMs. To run 2 additional VMs, you need to buy another set of core licenses.

So, to license such a server you need 16 2-core Windows Server licenses (WinSvrSTDCore 2019 SNGL OLP 2Lic NL CoreLic) or 2 16-core licenses (WinSvrSTDCore 2019 SNGL OLP 16Lic NL CoreLic).
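As an added example (not from the article, and not a Microsoft tool), the following Python applies the rules stated above to any host or HA cluster: 2-core packs, the 16-core host minimum, one Standard set per 2 VMs, one Datacenter set per host. The 8-cores-per-processor minimum and the Datacenter-to-Standard price ratio are assumptions not stated on the page; the two page examples are reproduced in main().

```python
import math
from dataclasses import dataclass, replace
from typing import List

# Rules from the article: licenses are sold as 2-core packs, at least 16 cores
# (8 packs) per physical host, every enabled core is covered, one full Standard
# set covers 2 Windows Server VMs, Datacenter covers an unlimited number.
# Assumption (not on the page): Microsoft also requires at least 8 cores per processor.
CORES_PER_LICENSE = 2
MIN_CORES_PER_HOST = 16
MIN_CORES_PER_SOCKET = 8
VMS_PER_STANDARD_SET = 2


@dataclass(frozen=True)
class Host:
    name: str
    sockets: int
    cores_per_socket: int
    max_vms: int  # largest number of Windows Server VMs this host may run at any moment


def licensed_cores(host: Host) -> int:
    """Cores to cover: physical cores raised to the per-socket and per-host minimums."""
    physical = host.sockets * host.cores_per_socket
    return max(physical, host.sockets * MIN_CORES_PER_SOCKET, MIN_CORES_PER_HOST)


def licenses_per_set(host: Host) -> int:
    """Number of 2-core licenses in one set that covers all licensed cores of the host."""
    return math.ceil(licensed_cores(host) / CORES_PER_LICENSE)


def standard_sets(host: Host) -> int:
    """Full Standard sets needed: physical cores are covered first, then 2 VMs per set."""
    return max(1, math.ceil(host.max_vms / VMS_PER_STANDARD_SET))


def standard_licenses(host: Host) -> int:
    return standard_sets(host) * licenses_per_set(host)


def datacenter_licenses(host: Host) -> int:
    """Datacenter needs just one set per host, however many VMs run on it."""
    return licenses_per_set(host)


def ha_cluster(hosts: List[Host]) -> List[Host]:
    """In an HA cluster every host must be licensed for every VM of the farm,
    because a failover can land all of them on a single node."""
    total_vms = sum(h.max_vms for h in hosts)
    return [replace(h, max_vms=total_vms) for h in hosts]


def cheaper_edition(host: Host, dc_to_std_price_ratio: float) -> str:
    """Compare Standard sets with one Datacenter set, both priced in units of one
    Standard 2-core license. The ratio is an assumption supplied by the caller
    (the article's '14 or more VMs' rule corresponds to a ratio of about 7)."""
    std_cost = standard_licenses(host)
    dc_cost = datacenter_licenses(host) * dc_to_std_price_ratio
    return "Datacenter" if dc_cost <= std_cost else "Standard"


def plan(host: Host, dc_to_std_price_ratio: float = 7.0) -> dict:
    return {
        "host": host.name,
        "licensed_cores": licensed_cores(host),
        "standard_2core_licenses": standard_licenses(host),
        "datacenter_2core_licenses": datacenter_licenses(host),
        "recommended": cheaper_edition(host, dc_to_std_price_ratio),
    }


if __name__ == "__main__":
    # Example 1 from the article: 5-node cluster, 2 x 20 cores, 10 VMs per node.
    cluster = ha_cluster([Host(f"hv-node{i}", 2, 20, 10) for i in range(1, 6)])
    for h in cluster:
        print(plan(h))  # 20 Datacenter licenses per host, 100 for the cluster
    # Example 2 from the article: branch office, 2 x 4 cores, 4 VMs.
    print(plan(Host("branch-srv", 2, 4, 4)))  # 16 Standard or 8 Datacenter licenses
```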

Configuring Distributed Scan Server on Windows Server 2012 R2 Wed, 03 Jul 2019 15:00:03 +0000 Network scanning is one of the services that is rarely managed centrally even in large infrastructures. Windows Server 2008 R2 and higher have a separate role for distributed network scanning (Distributed Scan Server, DSM) that simplifies the document workflow and the processing of scanned documents in an Active Directory domain. In this article we’ll look at how to configure the distributed network scanning service on Windows Server 2012 R2.

The Distributed Scan Server is a separate service of the Print and Document Services role that receives scanned documents from network scanners and saves them to specific shared folders on file servers or SharePoint sites, or sends them to certain recipients via SMTP, according to the configured policies.

Distributed network scanning provides a single point for managing network scanners that support WSD (Web Services on Devices); TCP/IP or local USB scanners are not supported as scanning devices. As a rule, network scanners with WSD support are large enterprise-level devices.

To install the network scanning service, select the Print and Document Services role, then select the Print Server and Distributed Scan Server role services in it.


You can also install this role using this PowerShell command:

Install-WindowsFeature -Name Print-Scan-Server -IncludeAllSubFeature

Install-WindowsFeature -Name Print-Scan-Server

As you can see, you must restart the server.

After the role has been installed, a new scanning service appears in the system — Distributed Scan Server service (ScanServer): C:\Windows\System32\svchost.exe -k WSDScanServer.

To manage the Distributed Scan Server, a separate MMC snap-in is used: Scan Management (ScanManagement.msc), which manages network scanners, settings and scanning tasks.


Run the Scan Management snap-in. It has three sections:

  • Managed Scanners;
  • Scan Processes;
  • Scan Servers.

First of all, you must configure your scan server. To do it, right-click the Scan Servers section and select Configure local scan server.


In the configuration wizard, specify the account under which the scan server will run (this account is used to access local folders and shared folders on other servers). By default, the LocalSystem account is used; however, it is recommended to create a separate service account in your AD domain for convenient access management and specify it here.


Then you must specify the location and maximum size of user temporary folders for scanned documents.


After that, specify your email server address and an SSL certificate for network traffic encryption (a self-signed SSL certificate is suitable for a test environment).


Then select the type of user authentication. You can enable user authentication (using Kerberos or client certificates) or disable it (anonymous access to the scan server).


If you enable authentication, make sure that you are a member of the Scan Operators local group and that you have write permission on the computer object of your server in AD.


If the following error appears during scan server configuration: Scan Server Configuration Wizard failed to apply setting, error code 0x800706fc, make sure that you have specified the account under which the distributed scan service runs (with sufficient privileges) and the path to the default scan folder, and that you have granted this account write permission on that folder.


Now you need to add your scan server to the console. To do it, right-click Scan Servers, select Add a Scan server and enter the name of your server. If you are using a self-signed certificate, the name of the server must match its name in the certificate, but it must be typed in UPPERCASE (strange…). You must also add the self-signed certificate to the trusted root certificates, or errors will appear when trying to add the server: Windows failed to contact the scan server you specified. This can be caused when the server name you specified does not match the name in the server certificate. If the server name from the certificate matches the server you want to connect to and you trust the network you are on, click Retry to restart the search with the certificate name.

and: The following devices could not be accessed because they are offline, there is a network issue, the names are incorrect, or the certificate needed to contact the device has not been selected: tor-scandsm1.

For your scan server to find printers and scanners that support Web Services on Devices (WSD) on your network, do the following:

  1. Turn on network discovery;
  2. Run the Device Association Service.

Now you can add the network scanners. Right-click Managed Scanners and select Manage. Specify the IP address or a DNS name of a network scanner. WSD support (Microsoft Services for Devices or Web Services Print) must be enabled in the scanner settings.


Now you can create a new scan process (PSP, Post-Scan Process). Select Scan Processes -> Add a Scan Process.


Specify the name and description of the scan process, select scanning settings and specify the name of the Distributed Scan server.

Then enter the document prefix and select where the documents will be saved: one or more network shares (UNC paths are used), URLs on a SharePoint site or email addresses.


In the last step, select the users and groups allowed to access this PSP and configure their access permissions.

What remains is configuring AD integration on the network scanner side (this depends on the vendor). Users may use a password or a smart card to authenticate on the scanners.

The DSM operation scheme is as follows.

After a user has authenticated on the scanner, they can select a suitable PSP available to their account (according to their privileges). PSPs are stored in Active Directory and contain the rules with scan settings and document routing. The network scanner scans a document and sends it to the server for processing. The Distributed Scan Server processes the task and sends the scanned document along the route specified in the PSP job.

Scan and task processing logs are kept on the DSM server, so you can check the information on completed tasks at any time.

LAPS: Manage Local Administrator Passwords on Domain Computers Wed, 26 Jun 2019 14:00:13 +0000 In this article, we’ll look at how to manage local administrator passwords on domain-joined computers using the official Microsoft tool – LAPS (Local Administrator Password Solution).

Managing the passwords of built-in accounts on domain computers is one of the most important security aspects requiring a system administrator’s attention. Indeed, you shouldn’t allow the same local administrator password on all domain computers. There are many approaches to managing local administrator accounts in a domain, from disabling them completely (not too convenient) to managing them with GPO logon scripts or creating your own password management system.

Earlier, Group Policy Preferences (GPP) were often used to change local administrator passwords on domain-joined computers. However, a serious vulnerability was later found in GPP that allows any domain user to decrypt a password stored in a text file in the SYSVOL directory on the AD domain controllers. In May 2014, Microsoft released a security update (MS14-025 – KB 2962486) that completely disabled the feature of setting local user passwords using GPP.

LAPS Tool: Local Administrator Password Solution

Important. Previously, the LAPS utility was called AdmPwd, but in May 2015 Microsoft released an official AdmPwd version named LAPS, thus turning it from a third-party script into an officially supported solution.

The LAPS (Local Administrator Password Solution) tool allows you to centrally control and manage administrator passwords on all domain computers and to store the local admin password and its change date directly in the Computer objects in Active Directory.

LAPS is based on a Group Policy Client Side Extension (CSE), a small module that is installed on workstations. It generates a unique local administrator password (for the built-in SID-500 account) on each domain computer. The administrator password is automatically changed after a certain period of time (by default, every 30 days). The value of the current local admin password is stored in a confidential attribute of the computer account in Active Directory, and the permissions to view this attribute value are regulated by AD security groups.

You can download LAPS and its documentation here:

The LAPS distribution is available in two versions of installation MSI files: for 32-bit (LAPS.x86.msi) and 64-bit (LAPS.x64.msi) systems.

The LAPS architecture consists of 2 parts: the management module is installed on the administrator’s computer, and the client part is installed on the servers and PCs whose local administrator password you need to change regularly. Before deploying LAPS in a production domain, we recommend that you try it in a test environment, since at a minimum you’ll need to extend the AD schema (which is irreversible).

LAPS setup

Run the MSI file on the administrator’s computer and select all components to be installed (at least .NET Framework 4.0 is required). The package consists of two parts:

  • AdmPwd GPO Extension – the LAPS executable, which is installed on the client computers, generates the admin password and saves it to AD according to the configured policy;
  • LAPS Management Tools:
    1. Fat client UI – a tool to view the administrator password;
    2. PowerShell module to manage LAPS;
    3. GPO Editor templates – administrative templates for the GPO editor.

LAPS setup is very easy and shouldn’t cause any problems.

Preparing Active Directory Schema for LAPS Implementation

Prior to deploying LAPS, you have to extend the Active Directory schema to add two new attributes to the Computer class:

  • ms-MCS-AdmPwd – contains the local administrator password in plain text;
  • ms-MCS-AdmPwdExpirationTime – stores the date when the password expires.

To extend the AD schema, open the PowerShell and import the module:



Then extend the Active Directory schema (you’ll need Schema Admin privileges):



As a result, two new attributes are added to the Computer objects.

Setting Permissions for AD LAPS Attributes

The administrator password is stored in an Active Directory attribute in plain text; access to it is restricted by the confidential AD attribute mechanism (supported since Windows Server 2003). The ms-MCS-AdmPwd attribute can be read by any domain user with the “All Extended Rights” permission. Users and groups with this permission can read any confidential AD attributes, including ms-MCS-AdmPwd. Since we don’t want anyone other than domain admins (and/or the HelpDesk support team) to view computer passwords, we have to limit the list of groups with read permissions on these attributes.

Using the Find-AdmPwdExtendedRights cmdlet, you can get the list of accounts and groups having these permissions on the OU with the name Desktops:

Find-AdmPwdExtendedRights -Identity Desktops | Format-Table ExtendedRightHolders


As you can see, only the Domain Admins group has the read permissions on the confidential attributes.

If you need to deny certain groups or users read access to these attribute values, do the following:

  • Open the ADSIEdit tool and connect to Default naming context;
  • Expand the domain tree, find the necessary OU (in our example, it is Desktops), right-click it and select Properties;
  • Then go to the Security tab, and click the Advanced -> Add button. In the Select Principal section, specify the name of the group/user whose permissions you want to restrict (e.g., domain\Support Team);
  • Uncheck the “All extended rights” and save the changes.

Do the same for all groups for which you want to restrict viewing of the local admin password. You have to restrict read permissions on all OUs whose computer passwords will be managed by LAPS.

Then you need to grant the computer accounts permission to modify their own attributes (SELF), because the values of ms-MCS-AdmPwd and ms-MCS-AdmPwdExpirationTime are changed under the computer account itself. Use another cmdlet, Set-AdmPwdComputerSelfPermission.

To grant permission for the computers in the Desktops OU to update the extended attributes, run this command:


Set-AdmPwdComputerSelfPermission -OrgUnit Desktops

Note. The new LAPS computer attributes are not replicated to RODC domain controllers by default.

Granting Permissions to View LAPS Password

The next step is to grant users and groups permission to read the local administrator passwords stored in Active Directory. For example, to grant the members of the AdmPwd group the read password permission:

Set-AdmPwdReadPasswordPermission -OrgUnit Desktops -AllowedPrincipals AdmPwd


In addition, you can allow a certain group of users to reset computer passwords (in this example, we grant it to the same group, AdmPwd):

Set-AdmPwdResetPasswordPermission -OrgUnit Desktops -AllowedPrincipals AdmPwd


How to Configure LAPS Group Policy Settings?

Then you have to create a new GPO and link it to the OU containing the computers on which you want to manage local administrator passwords. For easier GPO management, you can copy the LAPS administrative template files (%WINDIR%\PolicyDefinitions\AdmPwd.admx and %WINDIR%\PolicyDefinitions\en-US\AdmPwd.adml) to the Group Policy Central Store (\\\Sysvol\Policies\PolicyDefinition).

Create a policy with the name Password_Administrador_Local using the following command:

Register-AdmPwdWithGPO -GpoIdentity: Password_Administrador_Local


Open this policy in the Domain Policy Management Console (gpmc.msc) and go to the following GPO section: Computer Configuration -> Administrative Templates -> LAPS.


As we can see, there are 4 configurable settings. Configure them as follows:

  • Enable local admin password management – Enabled (enables the LAPS password management policy);
  • Password Settings – Enabled (the policy sets the password complexity, length and age):
    • Complexity: Large letters, small letters, numbers, specials
    • Length: 12 characters
    • Age: 30 days
  • Name of administrator account to manage – Not Configured (here you can specify the name of the administrator account whose password is to be changed; by default, the password of the built-in administrator account with SID-500 is changed);
  • Do not allow password expiration time longer than required by policy – Enabled.

Assign the Password_Administrador_Local policy to the Desktops OU.

Installing LAPS Agent on Domain Computers via GPO

After you have configured the GPO, it’s time to install the LAPS client part on the domain computers. The LAPS client can be distributed in different ways: manually, via an SCCM task, a logon script, etc. In our example, we’ll install the MSI file using the MSI package installation feature of group policies (GPSI).

  1. Create a shared network folder on a file server (or use the SYSVOL folder on the domain controller) and copy the LAPS distribution MSI files into it;
  2. Create a new GPO and, in the Computer Configuration -> Policies -> Software Settings -> Software Installation section, create a task to install the LAPS MSI package.

Please note that there are x86 and x64 versions of LAPS. To install the right package on each Windows version, you can create 2 separate LAPS policies with WMI GPO filters for the x86 and x64 editions of Windows.

Now you only have to link the policy to the necessary OU, and after a restart the LAPS client should be installed on all computers in the target OU.

Make sure that the entry Local admin password management solution has appeared in Programs and Features in the Control Panel.


When the LAPS utility changes the local administrator password, an event is registered in the Application log (Event ID: 12, Source: AdmPwd).


The event of saving the password to AD is also registered (Event ID: 13, Source: AdmPwd).


This is how the new attributes look in the Attribute Editor tab of the AD computer properties.


Tip. The password expiration time is stored in the Win32 FILETIME format.
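As an added example (not part of the article and not LAPS’s own code), the following Python decodes the FILETIME value of ms-MCS-AdmPwdExpirationTime and checks a set of computer records against the password policy configured in the GPO above (12 characters, all four character classes, 30-day age, no expiration beyond the policy). The record layout mirrors the raw attributes as Get-ADComputer -Properties would return them; the computer names and passwords are constructed for the demonstration.

```python
import string
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Win32 FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Values from the GPO section of the article.
POLICY_MIN_LENGTH = 12
POLICY_MAX_AGE_DAYS = 30


def filetime_to_datetime(filetime: int) -> datetime:
    """Decode ms-MCS-AdmPwdExpirationTime (a FILETIME integer) into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse conversion; used here only to build the constructed sample records."""
    delta = moment.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def meets_complexity(password: str, min_length: int = POLICY_MIN_LENGTH) -> bool:
    """Large letters, small letters, numbers and specials, at least min_length long."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and all(classes)


def audit_laps_records(records: List[Dict[str, object]], now: datetime) -> List[Tuple[str, str]]:
    """Flag computers whose LAPS attributes do not match what the policy should produce.

    Each record carries 'Name', 'ms-MCS-AdmPwd' and 'ms-MCS-AdmPwdExpirationTime'."""
    findings = []
    for rec in records:
        name = str(rec["Name"])
        expires = filetime_to_datetime(int(rec["ms-MCS-AdmPwdExpirationTime"]))
        if expires <= now:
            # The CSE should have rotated the password at the next policy refresh;
            # a stale value suggests the agent is not running or cannot write to AD.
            findings.append((name, "password expired, rotation overdue"))
        elif expires - now > timedelta(days=POLICY_MAX_AGE_DAYS):
            # Only possible if the expiration was set by hand; the GPO setting
            # 'Do not allow password expiration time longer than required' blocks it.
            findings.append((name, "expiration later than policy age allows"))
        if not meets_complexity(str(rec["ms-MCS-AdmPwd"])):
            findings.append((name, "password does not meet complexity policy"))
    return findings


def sample_records(now: datetime) -> List[Dict[str, object]]:
    """Constructed sample data (not real computers or passwords)."""
    return [
        {"Name": "PC-OK", "ms-MCS-AdmPwd": "Qx7#mLp2vT9z!k",
         "ms-MCS-AdmPwdExpirationTime": datetime_to_filetime(now + timedelta(days=10))},
        {"Name": "PC-STALE", "ms-MCS-AdmPwd": "Rw4$nBq8yH1c@j",
         "ms-MCS-AdmPwdExpirationTime": datetime_to_filetime(now - timedelta(days=3))},
        {"Name": "PC-MANUAL", "ms-MCS-AdmPwd": "Zp9%kTd3wS6v&m",
         "ms-MCS-AdmPwdExpirationTime": datetime_to_filetime(now + timedelta(days=90))},
        {"Name": "PC-WEAK", "ms-MCS-AdmPwd": "password123",
         "ms-MCS-AdmPwdExpirationTime": datetime_to_filetime(now + timedelta(days=20))},
    ]


if __name__ == "__main__":
    current = datetime.now(timezone.utc)
    for computer, issue in audit_laps_records(sample_records(current), current):
        print(f"{computer}: {issue}")
```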

Using LAPS to View Administrator Password

The LAPS graphical interface (GUI) for viewing LAPS passwords must be installed on the administrator’s computers.


If you start the tool and specify the computer name, you can view the local administrator password and its expiration date.


The password expiration date can be set manually, or you can leave this field empty and click Set to mark the password as already expired.

Also, you can get the computer password using PowerShell:

Get-AdmPwdPassword -ComputerName <computername>


If you think that the local administrator passwords on all computers in some OU are compromised, you can generate new unique local admin passwords for all computers in the OU with a single PowerShell command. To do this, use the Get-ADComputer cmdlet:

Get-ADComputer -Filter * -SearchBase "OU=Desktops,OU=NY,OU=USA,DC=woshub,DC=com" | Reset-AdmPwdPassword -ComputerName {$_.Name}

Similarly, you can display a list of current passwords for all computers in the OU:

Get-ADComputer -Filter * -SearchBase "OU=Desktops,OU=NY,OU=USA,DC=woshub,DC=com" | Get-AdmPwdPassword -ComputerName {$_.Name}

LAPS can be recommended as a convenient solution for secure password management on domain computers, with granular access control to the passwords of computers in different OUs. The passwords are stored in Active Directory computer attributes in plain text, but the built-in AD tools allow you to securely restrict access to them.

Adding USB 3.0 Drivers to Windows 7 Install Media Wed, 12 Jun 2019 05:00:45 +0000 The Windows 7 RTM distribution doesn’t support USB 3.0 out of the box, and you can encounter problems installing Windows 7 on a computer/laptop that has only USB 3.0 ports (most modern devices released after 2015 have only USB3 ports). For example, the USB keyboard and mouse may not work in the Windows 7 Setup wizard, or the installer may ask you to load drivers for your CD/DVD drive: A required CD/DVD drive device driver is missing. If you have a driver floppy disk, CD, DVD, or USB flash drive, please insert it now.
Note: If the Windows installation media is in the CD/DVD drive, you can safely remove it for this step.


Accordingly, you cannot install Windows 7 (or Windows Server 2008 R2) from a USB drive on a computer where all peripheral devices are connected via USB 3.0 ports. The Enhanced Host Controller Interface is not supported by Intel chipsets starting from the 100 and 200 series (B150, H110, H170, Q150, Q170, Z170, Intel Apollo Lake), similar AMD chipsets and chipsets from other vendors. Therefore, USB 3.0 ports are simply not detected by the Windows 7 installer.

To install Windows 7 correctly on some computer models, you can disable USB 3.0 mode in the BIOS settings by switching to USB 2.0 compatibility mode (Legacy USB 2.0). In all other cases, you have to modify the Windows 7 install distribution and integrate the USB 3.0 drivers for your motherboard chipset into the boot and install WIM images. Some motherboard vendors have released special tools to integrate their USB drivers into your Windows 7 installation image, for example ASRock (Win 7 USB Patcher), MSI (MSI Smart Tool), Intel (Windows USB Installation Tool for Windows 7), Gigabyte (Windows USB Installation Tool), etc. But in this article we will show you how to manually integrate USB drivers into the Windows 7 install image without third-party utilities.

All the operations of modifying the Windows 7 ISO image described below are performed on a computer running Windows 10.

First of all, find the USB 3.0 drivers for your chipset and download them from the vendor website (in our example, it is the Intel® USB 3.0 eXtensible Host Controller Driver for the Intel® 7 Series/C216 Chipset Family). Create a new directory c:\tmp, and create two subfolders inside it: mount and USB3. Unpack the archive with the drivers into the USB3 folder. Inside the USB3 folder you can create several subfolders with different USB 3.0 drivers for popular chipset models.

Next, you need to update the Windows 7 install image (it may be an ISO file or a ready image copied to the installation USB stick). Copy two WIM files from the Windows 7 ISO image or the installation disk to the c:\tmp directory:

  • sources\boot.wim – WinPE boot image used to install Windows on your device;
  • sources\install.wim – Windows 7 image that will be installed on your computer.

Run a command prompt with administrator privileges and use the DISM tool to mount the WinPE boot image (boot.wim) and integrate the USB 3.0 drivers into it:

dism /mount-wim /wimfile:c:\tmp\boot.wim /index:2 /mountdir:c:\tmp\mount
dism /image:c:\tmp\mount /add-driver:"c:\tmp\usb3" /recurse


The following message indicates that the specified USB3 driver was successfully added to the boot.wim image of the Windows 7 installation environment: Installing 1 of 6 — c:\tmp\usb3\Drivers\HCSwitch\x64\iusb3hcs.inf: The driver package was successfully installed.

Save the changes to the image and unmount the boot.wim file (to avoid DISM errors, make sure that you close all File Explorer windows and file managers that have the c:\tmp\mount directory open):

dism /unmount-wim /mountdir:c:\tmp\mount /commit
dism /cleanup-wim

Similarly, you need to update the operating system installation image in the install.wim file. The main difference here is that the install.wim image can contain several Windows 7 editions with different indexes, so you have to add the drivers to the Windows edition you are going to install (or to all available Windows 7 editions in turn).

You can list the available Windows 7 editions in the install.wim image as follows:

dism /Get-WimInfo /WimFile:c:\tmp\install.wim


In our example, there are 4 different Windows editions in the install.wim image. We’ll add the USB 3.0 driver to Windows 7 PROFESSIONAL with the index 3 (this number will be used to address the edition using DISM).

Then add the USB 3.0 drivers to the Windows image as we did above:

dism /mount-wim /wimfile:c:\tmp\install.wim /index:3 /mountdir:c:\tmp\mount
dism /image:c:\tmp\mount /add-driver:"c:\tmp\usb3" /recurse
dism /unmount-wim /mountdir:c:\tmp\mount /commit
dism /cleanup-wim

Finally, replace the updated install.wim and boot.wim files on the installation USB flash drive or update the ISO file, and you can use this image to install Windows 7 on computers with a USB 3.0 controller.

How to Import and Export Mailbox to PST in Exchange 2016/2013/2010? Wed, 29 May 2019 05:00:06 +0000 In Exchange Server 2010 SP1 (and newer), special PowerShell cmdlets appeared: New-MailboxImportRequest and New-MailboxExportRequest, which allow you to import or export the contents of an Exchange mailbox from/to a PST file. In previous Exchange versions, to import/export data from Exchange to a PST file you had to use third-party utilities (most often, the ExMerge utility).

In Exchange 2016, 2013 and Office 365, the Exchange development team continued to develop the cmdlets for importing/exporting PST files, slightly expanding their functionality and increasing their performance. In this article, we’ll cover typical examples of importing/exporting data from Exchange mailboxes to personal folder files (PST).

Mailbox Import and Export Permissions in Exchange

The RBAC role “Mailbox Import Export” must be assigned to the admin account under which you want to import or export Exchange mailboxes to PST (by default, even Exchange administrators don’t have these permissions). You can assign this role to your account using the Exchange Management Shell:

New-ManagementRoleAssignment -Role "Mailbox Import Export" -User fr_exchange_admin

where fr_exchange_admin is the name of the account that gains the “Mailbox Import Export” role permissions.

Tip. To make administration easier, the “Mailbox Import Export” role is usually assigned to an AD security group. Later, if this right has to be given to another user, it is enough to add the user account to this domain group. In this case, the command syntax is a bit different (suppose the name of the AD group is ExchangeAdmGroup):

New-ManagementRoleAssignment -Role "Mailbox Import Export" -SecurityGroup ExchangeAdmGroup

The same can be done from the EAC (Exchange Admin Center) graphical interface by assigning the Mailbox Import Export role to the desired user or group.


After granting RBAC permissions, restart the EAC or Management Shell console.

New-MailboxImportRequest: Importing a PST File into an Exchange Mailbox

To import a PST file to the Exchange mailbox, you need the following besides the RBAC permissions:

  • The target Exchange mailbox must exist;
  • The PST file must be located in a shared network folder and you have to know its full UNC path (don't forget that a local file on a certain computer can be accessed via its network path, like \\PCName111\C$\PST\tstmail.pst);
  • The user performing the import operation must have the NTFS read permission on the network folder with the PST mail archive file.

Use the following command to import the content of a PST file from a shared folder into the mailbox of the user usetest:

New-MailboxImportRequest -Mailbox usetest -FilePath \\HQ-FS01\PST\usetest.pst

When importing into the target box, the contents of existing folders are merged, and new folders are added to the existing mail folder structure.

The contents of the PST file can be imported not into the Exchange mailbox root, but into one of the existing folders of the mailbox (e.g., "Old_mail"). For example, you need to import only the contents of the Inbox folder into the target mailbox folder Old_mail:

New-MailboxImportRequest -Mailbox usetest -FilePath \\HQ-FS01\PST\usetest.pst -TargetRootFolder "Old_mail" -IncludeFolders "#Inbox#"

Tip. Here is a complete list of the standard folders in the Exchange (Outlook) mailbox:

  • Inbox
  • SentItems
  • DeletedItems
  • Calendar
  • Contacts
  • Drafts
  • Journal
  • Tasks
  • Notes
  • JunkEmail
  • CommunicationHistory
  • Voicemail
  • Fax
  • Conflicts
  • SyncIssues
  • LocalFailures
  • ServerFailures

After running the import command, the import request is queued for processing by the Exchange server (processing is performed on the server with the Client Access Server role). To see the import request queue, run this command:

Get-MailboxImportRequest

The import request task status (InProgress, Completed, Queued) for a certain mailbox can be obtained as follows:

Get-MailboxImportRequest -Mailbox mailtst

To get information about the import request status (in percent), run the command below:

Get-MailboxImportRequest | Get-MailboxImportRequestStatistics


The completed import requests can be removed from the queue with this command:

Get-MailboxImportRequest -Status Completed | Remove-MailboxImportRequest


To bulk import email items from PST files into multiple user mailboxes, you can use this command (it is assumed that the names of pst files correspond to the names of user mailboxes):

Foreach ($i in (Get-Mailbox)) { New-MailboxImportRequest -Mailbox $i -FilePath "\\HQ-FS01\PST\$($i.Alias).pst" }

If the import process fails, you can get a detailed information on its reasons from the report generated as follows:

Get-MailboxImportRequest -Status Failed | Get-MailboxImportRequestStatistics -IncludeReport | Format-List > AllImportReports.txt

In most cases, import errors occur due to:

  • Logical damage to the PST file structure.
  • The user mailbox size exceeding the specified limit.

You can specify the number of bad items in the PST file that may be skipped during the import. The following command imports the data from the PST file into the Exchange mailbox and tolerates up to ten bad items before the import request fails:

New-MailboxImportRequest -Mailbox mailtst -FilePath \\HQ-FS01\PST\usetest.pst -BadItemLimit 10

New-MailboxExportRequest: Exporting Exchange Mailbox Items to a PST File

The export of the contents of an Exchange mailbox is similar to import. To export the contents of a mailbox to a PST file, use the New-MailboxExportRequest cmdlet. To export the mailbox of the user mailtst to a shared network folder (this directory has to be created in advance and you must grant read and write permissions on it to the Exchange Trusted Subsystem domain group), run the following command:

New-MailboxExportRequest -Mailbox mailtst -FilePath \\HQ-FS01\ExportPST\mailtst.pst


If you have to export to a PST file only email items from a specific folder, e.g., Inbox, the command looks like this:

New-MailboxExportRequest -Mailbox mailtst -FilePath \\HQ-FS01\ExportPST\mailtst.pst -IncludeFolders "#Inbox#"

To exclude a folder from exporting, use the ExcludeFolders parameter. For example, you don’t need to export deleted items to a PST file:

New-MailboxExportRequest -Mailbox mailtst -FilePath \\HQ-FS01\ExportPST\mailtst.pst -ExcludeFolders "#DeletedItems#"

Let's consider a more complex task: suppose you have to export all emails received after January 1, 2019 that contain both keywords "Project" and "London":

New-MailboxExportRequest -Mailbox mailtst -FilePath \\HQFS01\ExportPST\mailtst.pst -ContentFilter {(body -like "*Project*") -and (body -like "*London*") -and (Received -gt "01/01/2019")}

You can also export only the items in a specific folder holding the results of a mailbox search obtained with the Search-Mailbox cmdlet.

The export task request also is queued on the Exchange server. To see the export task status, run this command:

Get-MailboxExportRequest -Mailbox "mailtst" | Format-List


RunspaceId : 3233f0d3-1b4b-4610-b0a2-6f29a543cc54
FilePath : \\HQFS01\ExportPST\mailtst.pst
SourceDatabase : db1
Mailbox :
Name : MailboxExport
RequestGuid : e03de01f-3333-111a-95fa-23faaf97ebf9
RequestQueue : db1
Flags : IntraOrg, Push
BatchName :
Status : Completed
Protect : False
Suspend : False
Direction : Push
RequestStyle : IntraOrg
OrganizationId :
Identity : mailtst\MailboxExport
IsValid : True
ObjectState : New

Don't forget to periodically clean up the completed requests for the export of mailboxes to PST files:

Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest

When exporting a user mailbox to a PST file, the mailbox contents on the Exchange server are not removed.

You can export multiple user mailboxes in bulk. Create a CSV text file of the following format:

Username,UNCPathtoPst

Run the export of the user mailboxes into PST files:

Import-Csv "C:\ps\user_list_export_pst.csv" | ForEach-Object { New-MailboxExportRequest -Mailbox $_.Username -FilePath $_.UNCPathtoPst }
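As an added example (not the article's code), the function below turns the one-liner above into a bulk export that validates each CSV row, tags all requests with a batch name, waits for the batch to finish and saves the reports of failed requests. It assumes the same CSV columns Username,UNCPathtoPst, the "Mailbox Import Export" role and write access for Exchange Trusted Subsystem on the share; the function name Export-MailboxesFromCsv and the batch naming are this example's own.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
function Export-MailboxesFromCsv {
    param(
        [Parameter(Mandatory)][string]$CsvPath,                 # CSV with Username,UNCPathtoPst
        [string]$BatchName = "PstExport-$(Get-Date -Format yyyyMMdd-HHmm)",
        [int]$BadItemLimit = 10,
        [int]$PollSeconds  = 60
    )

    $rows = Import-Csv -Path $CsvPath
    foreach ($row in $rows) {
        # MRS runs on the server: only a UNC path reachable by Exchange Trusted Subsystem works.
        if ($row.UNCPathtoPst -notmatch '^\\\\[^\\]+\\') {
            Write-Warning "Skipping $($row.Username): '$($row.UNCPathtoPst)' is not a UNC path"
            continue
        }
        if (-not (Get-Mailbox -Identity $row.Username -ErrorAction SilentlyContinue)) {
            Write-Warning "Skipping $($row.Username): mailbox not found"
            continue
        }
        New-MailboxExportRequest -Mailbox $row.Username -FilePath $row.UNCPathtoPst `
            -Name "Export-$($row.Username)" -BatchName $BatchName -BadItemLimit $BadItemLimit | Out-Null
    }

    # Poll the batch until nothing is queued or in progress.
    do {
        Start-Sleep -Seconds $PollSeconds
        $pending = Get-MailboxExportRequest -BatchName $BatchName |
                   Where-Object { $_.Status -in 'Queued', 'InProgress' }
        Write-Host ("{0:HH:mm} {1} request(s) still running" -f (Get-Date), @($pending).Count)
    } while ($pending)

    # Per-mailbox summary; failed requests get their full report saved next to the CSV.
    $requests = Get-MailboxExportRequest -BatchName $BatchName
    $requests | Get-MailboxExportRequestStatistics |
        Select-Object SourceAlias, Status, PercentComplete, FilePath, BadItemsEncountered

    $failed = $requests | Where-Object Status -eq 'Failed'
    if ($failed) {
        $reportPath = Join-Path (Split-Path $CsvPath) "$BatchName-failed.txt"
        $failed | Get-MailboxExportRequestStatistics -IncludeReport | Format-List | Out-File $reportPath
        Write-Warning "$(@($failed).Count) request(s) failed; report written to $reportPath"
    }
}

# Usage:
# Export-MailboxesFromCsv -CsvPath 'C:\ps\user_list_export_pst.csv'
```

The batch name is what lets you clean up afterwards with a single `Get-MailboxExportRequest -BatchName <name> | Remove-MailboxExportRequest`, and the BadItemLimit of 10 mirrors the import example above; raise it only deliberately, since every skipped item is data that never reaches the PST file.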

Restricting Group Policy with WMI Filtering Wed, 15 May 2019 05:00:20 +0000 WMI filters in Group Policy (GPO) allow you to more flexibly apply policies to clients by using different rules. A WMI filter is a set of WMI queries (the WMI Query Language / WQL is used) that you can use to target computers to which a specific group policy should be applied. For example, using the WMI GPO filter, you can apply a policy linked to an OU only to computers running Windows 10 (a policy with such a WMI filter won’t apply to computers with other Windows versions).

What are the WMI GPO filters used for?

Typically, group policy filtering using WMI (Windows Management Instrumentation) is used when domain objects (users or computers) are located in a flat AD structure instead of separate OUs, or when you need to apply group policies according to the OS version, network settings, installed software or any other criteria that can be queried via WMI. When a client processes such a group policy, Windows checks its own state against the specified WMI query, and if the filter conditions are met, the GPO is applied to this computer.

WMI group policy filters first appeared in Windows XP/Server 2003 and are available in all later Windows versions, up to Windows Server 2019, 2016 and Windows 10, 8.1.

Create a New WMI Filter and Link it to a GPO

To create a new WMI filter, open the Group Policy Management console (gpmc.msc) and go to Forest -> Domains -> corp.local -> WMI Filters. This section contains all WMI filters in the AD domain. Create a new WMI filter (New).


Type the filter name and its description (optional). To add a WMI query code to the filter, click the Add button, specify the name of the WMI namespace (by default, root\CIMv2) and specify the WMI code.

The following WMI query format is used:

Select * from <WMI Class> WHERE <Property> = <Value>

In this example, I want to create a WMI filter that applies the GPO only to computers running Windows 10. The WMI query may look like this:

Select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"


The created WMI filters are stored as msWMI-Som class objects in the Active Directory domain, under DC=… -> CN=System -> CN=WMIPolicy -> CN=SOM; you can find and edit them using adsiedit.msc.


After you have created a WMI filter, you can link it to a specific GPO. Find the desired policy in the GPMC console and on the Scope tab, in the WMI Filtering section drop-down list, select your WMI filter. In this example, I want to apply the printer assignment policy only to computers running Windows 10.


Wait for this policy to apply to clients, or update it manually with the command gpupdate /force. When analyzing the applied policies on the client, use the gpresult /r command. If the policy affects the client, but doesn’t apply due to the WMI filter restrictions, such a policy will have the status Filtering: Denied (WMI Filter) in the gpresult report.


GPO WMI Filtering Examples

Let’s look at various examples of WMI GPO filters that are most commonly used.

With the help of the WMI filter, you can choose the OS type:

  • ProductType=1 – any desktop Windows edition;
  • ProductType=2 – Active Directory domain controller;
  • ProductType=3 – Windows Server.

Windows versions:

  • Windows Server 2016 and Windows 10 — 10.%
  • Windows Server 2012 R2 and Windows 8.1 — 6.3%
  • Windows Server 2012 and Windows 8 — 6.2%
  • Windows Server 2008 R2 and Windows 7 — 6.1%
  • Windows Server 2008 and Windows Vista — 6.0%
  • Windows Server 2003 — 5.2%
  • Windows XP — 5.1%
  • Windows 2000 — 5.0%

You can combine conditions in a WMI query using the logical operators AND and OR. To apply the policy only to servers running Windows Server 2016, the WMI query code will be as follows:

select * from Win32_OperatingSystem WHERE Version LIKE "10.%" AND (ProductType = "2" or ProductType = "3" )

To select 32-bit versions of Windows 8.1:

select * from Win32_OperatingSystem WHERE Version like "6.3%" AND ProductType="1" AND OSArchitecture = "32-bit"

To apply the GPO to 64-bit OS only:

Select * from Win32_Processor where AddressWidth = "64"

You can select Windows 10 with a specific build number, for example Windows 10 1803:

select Version from Win32_OperatingSystem WHERE Version like "10.0.17134" AND ProductType="1"

Apply policy to VMWare virtual machines only:

SELECT Model FROM Win32_ComputerSystem WHERE Model = "VMWare Virtual Platform"

Apply policy only to laptops:

select * from Win32_SystemEnclosure where ChassisTypes = "8" or ChassisTypes = "9" or ChassisTypes = "10" or ChassisTypes = "11" or ChassisTypes = "12" or ChassisTypes = "14" or ChassisTypes = "18" or ChassisTypes = "21"

WMI filter which applies only to computers whose names begin with "lon-pc":

SELECT Name FROM Win32_ComputerSystem WHERE Name LIKE 'lon-pc%'

Another example is using a WMI filter to target a GPO to IP subnets. For example, to apply a policy to clients in multiple IP subnets, use the WMI query:

Select * FROM Win32_IP4RouteTable WHERE (Mask='' AND (Destination Like '10.1.1.%' OR Destination Like '10.1.2.%'))

To select only devices with the RAM over 1 GB:

Select * from WIN32_ComputerSystem where TotalPhysicalMemory >= 1073741824

WMI filter to verify that Internet Explorer 11 is installed:

SELECT path,filename,extension,version FROM CIM_DataFile WHERE path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version>"11.0"

Test GPO WMI Filters using PowerShell

When creating WMI queries, sometimes you need to get the values of various WMI parameters on the computer. You can get this info using the Get-WMIObject cmdlet. For example, I need to display the WMI attributes and values of the Win32_OperatingSystem class:

Get-WMIObject Win32_OperatingSystem

SystemDirectory : C:\WINDOWS\system32
Organization    :
BuildNumber     : 17134
RegisteredUser  : Windows User
SerialNumber    : 00331-10000-00001-AA146
Version         : 10.0.17134

To display all available class properties:

Get-WMIObject Win32_OperatingSystem | Select *


You can use PowerShell to test WMI filters on a computer. Suppose you have written a complex WMI query and want to check whether the computer matches it. For example, you created a WMI filter to check for IE 11 on a computer. You can test this WMI query on the target computer using the Get-WmiObject cmdlet:

get-wmiobject -query 'SELECT * FROM CIM_DataFile WHERE path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version LIKE "11.%"'

If this command returns something, then the computer meets the query conditions. If the get-wmiobject command returns nothing, the computer doesn’t match the WMI filter query.
For example, running the specified command on a computer with Windows 10 and IE 11, the command will return:

Compressed : False
Encrypted  : False
Size       :
Hidden     : False
Name       : c:\program files\internet explorer\iexplore.exe
Readable   : True
System     : False
Version    : 11.0.17134.1
Writeable  : True


This means that IE 11 is installed on the computer and a GPO with such a WMI filter will be applied to this computer.
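As an added example that is not part of the original article, the function below evaluates all queries of a WMI filter against one or more computers the way the Group Policy client does: the filter passes only if every query returns at least one instance (a filter with several queries is an AND of all of them). The queries are taken from the article; the function name Test-GpoWmiFilter and the computer names lon-pc01 and lon-pc02 are this example's own.

```powershell
# Added example, not from the original article: evaluate a GPO WMI filter's queries on a set of
# computers and report whether the filter would pass on each of them.
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)][string[]]$Query,          # one or more WQL queries of the filter
        [string]$Namespace = 'root\CIMv2',               # GPMC default namespace
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($computer in $ComputerName) {
        $passed = $true
        $detail = foreach ($q in $Query) {
            try {
                $hits  = @(Get-WmiObject -ComputerName $computer -Namespace $Namespace -Query $q -ErrorAction Stop)
                $count = $hits.Count
            } catch {
                # Unreachable host or invalid WQL: treated here as a query with no result.
                $count = 0
                Write-Warning "$computer : $($_.Exception.Message)"
            }
            if ($count -eq 0) { $passed = $false }
            '{0} -> {1} instance(s)' -f $q, $count
        }
        [pscustomobject]@{
            ComputerName = $computer
            FilterPasses = $passed
            Detail       = ($detail -join '; ')
        }
    }
}

# A two-query filter from the article's examples: Windows 10 desktop AND 64-bit processor.
$filter = @(
    'select * from Win32_OperatingSystem WHERE Version LIKE "10.%" AND ProductType="1"',
    'Select * from Win32_Processor where AddressWidth = "64"'
)
Test-GpoWmiFilter -Query $filter -ComputerName 'lon-pc01', 'lon-pc02' | Format-Table -AutoSize
```

The Detail column shows which query emptied the result, which is the usual reason a policy ends up as "Filtering: Denied (WMI Filter)" in gpresult. On PowerShell 7, where Get-WmiObject no longer exists, Get-CimInstance accepts the same -Query, -Namespace and -ComputerName arguments.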

So, we looked at how to use WMI filters to apply GPOs only to computers that match the given WMI queries. Keep WMI filters in mind when analyzing why a certain GPO is not applied on a computer.

Search-Mailbox: How to Find and Delete Email from Exchange User Mailboxes Wed, 01 May 2019 05:00:59 +0000 An Exchange server allows an administrator to search user mailboxes in the databases and delete certain emails (or other items) from the mailboxes. For example, a user has accidentally sent private data to other users in the company and couldn't recall this email in Outlook in time. The information security department requires that you, as the Exchange administrator, delete this email from all users' mailboxes in your Exchange organization. In this article we'll show how to use PowerShell to search the Exchange user mailboxes (by different criteria) and delete certain emails from the mailbox of a specific user or of all Exchange users. The techniques described below are applicable to Exchange 2016, 2013 and 2010.

How to Assign Permissions to Search through Exchange Mailboxes?

The following roles must be assigned to the administrator account who searches for and deletes mailbox items:

  • Mailbox Import Export
  • Mailbox Search

You can assign the roles using EAC or these PowerShell commands:

New-ManagementRoleAssignment -User corey -Role "Mailbox Import Export"
New-ManagementRoleAssignment -User corey -Role "Mailbox Search"


After the roles have been assigned, restart the Exchange Management Shell console.

Using the Search-Mailbox to Search & Delete Messages from Exchange User Mailboxes

You can also search for email items in the user mailboxes using the Exchange Control Panel or Exchange Admin Center, but this search method is quite slow and doesn’t allow you to remove email messages. It is much easier to search using PowerShell.

To search email items in user mailboxes, you can use the Search-Mailbox cmdlet that allows you to search items that meet certain criteria in all or specific mailboxes, copy the found items to another mailbox or remove them.

First of all, let's consider how to find something using the Search-Mailbox cmdlet. To search a mailbox for items with a specific subject, run this command:

Search-Mailbox -Identity corey -SearchQuery 'Subject:"Annual Report"'

To search all mailboxes in the Exchange organization, use the following command:

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery 'Subject:"Annual Report"'

To copy the search results to a certain mailbox and folder, use the TargetMailbox or TargetFolder parameters. Thus, after the search is completed, you can view the found items manually using Outlook or OWA. Suppose you need to search for email messages in list of users (given in users.txt) and copy the found items to the folder in the specific mailbox. To do it, run this command:

get-content users.txt | Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery 'Subject:"Annual Report"' -TargetMailbox sec_dept -TargetFolder "ExchSearchResult"

The -LogOnly parameter means that the search results are only estimated, without copying items to a target mailbox or deleting the messages. If this argument is used, a report containing the search results is sent to the specified target mailbox. The report is an archived CSV file that lists the mailboxes meeting the search criteria.

You can estimate the search results using the -EstimateResultOnly parameter. Please note that when using this argument you don't need to specify a target mailbox or folder.

To remove the found email items, use the -DeleteContent parameter, and to skip confirmation requests to delete items, add the -Force parameter.

Let’s delete all email messages from the sender in all mailboxes on the specific Exchange server:

Get-Mailbox -Server berl-ex1 -ResultSize unlimited | Search-Mailbox -SearchQuery 'from:""' -DeleteContent -Force

Prior to deleting messages from mailboxes using the -DeleteContent parameter, we strongly recommend looking through the found emails using the -EstimateResultOnly or -LogOnly arguments.


To search only among deleted items, add the -SearchDumpsterOnly parameter (to exclude deleted items from the search, add the -SearchDumpster:$false argument). If you need to exclude the archive mailbox from the search results, use the -DoNotIncludeArchive parameter.
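As an added example, not code from the original article, the function below wraps the estimate-then-delete workflow recommended above: it runs Search-Mailbox with -EstimateResultOnly across all mailboxes on a server, saves the per-mailbox counts as an audit record, and then deletes only from the mailboxes that actually had hits, asking for confirmation per mailbox (or showing a dry run with -WhatIf). The function name, the log path under C:\ps and the query in the usage line are this example's assumptions; berl-ex1 is the server name used in the article.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell with the
# "Mailbox Search" and "Mailbox Import Export" roles assigned.
function Remove-MailboxItemsWithEstimate {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$SearchQuery,      # KQL query, e.g. 'Subject:"Annual Report"'
        [Parameter(Mandatory)][string]$Server,           # Exchange server whose mailboxes are searched
        [string]$LogPath = "C:\ps\search-mailbox-$(Get-Date -Format yyyyMMdd-HHmmss).csv"  # assumed path
    )

    # Pass 1: estimate only. Nothing is copied or deleted; each result carries ResultItemsCount.
    $estimate = Get-Mailbox -Server $Server -ResultSize Unlimited |
        Search-Mailbox -SearchQuery $SearchQuery -EstimateResultOnly |
        Where-Object { $_.ResultItemsCount -gt 0 }

    # Keep the estimate as an audit record of what was about to be removed and from whom.
    $estimate | Select-Object Identity, ResultItemsCount, ResultItemsSize |
        Export-Csv -Path $LogPath -NoTypeInformation
    $total = ($estimate | Measure-Object -Property ResultItemsCount -Sum).Sum
    Write-Host "$(@($estimate).Count) mailbox(es), $total item(s) match. Estimate saved to $LogPath"

    if (-not $estimate) { return }
    if ($total -gt 10000) {
        Write-Warning "More than 10,000 items: Search-Mailbox stops at that limit; split by database or server."
    }

    # Pass 2: delete, mailbox by mailbox, only where the estimate found something.
    foreach ($hit in $estimate) {
        if ($PSCmdlet.ShouldProcess($hit.Identity, "Delete $($hit.ResultItemsCount) item(s)")) {
            Search-Mailbox -Identity $hit.Identity -SearchQuery $SearchQuery -DeleteContent -Force
        }
    }
}

# Usage: -WhatIf lists what would be deleted; without it you are asked per mailbox.
# Remove-MailboxItemsWithEstimate -Server 'berl-ex1' -SearchQuery 'Subject:"Annual Report"' -WhatIf
```

Deleting per mailbox rather than through one big pipeline keeps each Search-Mailbox call small, which also sidesteps the 10,000-item limit described later in the article, and the CSV gives the security department a record of exactly which mailboxes were touched.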

Search-Mailbox: Search Query Examples

Let's consider examples of search queries to find email messages using the SearchQuery parameter. The SearchQuery parameter accepts queries written in KQL (Keyword Query Language).

To remove all email messages containing the keyword “Secret” in the subject of the emails from all users not from your domain:

Search-Mailbox -Identity corey -SearchQuery 'Subject:"Secret" and from<>""' -DeleteContent

Find and delete all emails with the attachments exceeding 20 MB:

Search-Mailbox -Identity corey -SearchQuery 'hasattachment:true AND Size >20971520' -DeleteContent

Tip. The size of email items is specified in bytes, and the size of the whole message is counted, not only the attachments. You can also specify the size in megabytes; in this case the following syntax is used: -SearchQuery {Size -gt 30MB}.

You can simultaneously search for the text in the subject and body of the email. For example, let’s find and delete all messages containing “New Year” in the subject or “brandy” in the email body.

Search-Mailbox corey -SearchQuery {Subject:"RE:New Year" OR body:"brandy"} -DeleteContent -Force

You can search the mailboxes for certain elements using Kind argument, for example:

Meetings: -SearchQuery "Kind:meetings"
Contacts: -SearchQuery "Kind:contacts"

Or other Outlook elements:

  • Email
  • Meetings
  • Tasks
  • Notes
  • Docs
  • Journals
  • Contacts
  • IM

Searching emails by the specific recipient or sender:

-SearchQuery 'from:"" AND to:""'

You can search messages with the specific file as an attachment:

-SearchQuery 'attachment:"annual_report2018.pdf"'

Or by file type:

-SearchQuery 'attachment -like:"*.docx"'

You can search by send/receipt date, but there are some nuances. When using a date as a search criterion, you must consider the regional settings of your Exchange server. For example, April 10, 2019 may be specified in one of the following ways:

  • 10/04/2019
  • 04/10/2019
  • 10-Apr-2019
  • 10/April/2019

And if you see the error “The KQL parser threw an exception…” when running Search-Mailbox command, it means that you are using the wrong date format.

To search for emails sent on a specific day, use this query:

-SearchQuery sent:04/10/2019

If you need to specify the range of dates (you are looking for the messages received in the specified time period):

-SearchQuery {Received:04/01/2019..04/11/2019}

Here is another example. Let’s search the e-mails received before May 9:

-SearchQuery {Received:< $('05/09/2018')}

Search-Mailbox Cmdlet Restrictions

The Search-Mailbox cmdlet has a significant limitation: it can return only 10,000 elements. If this limit is exceeded it will return the error:

Sending data to a remote command failed with the following error message: The total data received from the remote client exceeded allowed maximum. Allowed maximum is 524288000.


In order to delete more email items, you will have to run Search-Mailbox cmdlet several times or split the mailboxes into groups by mailbox databases or Exchange servers.

Get-Mailbox -Database berl-ex1 | Search-Mailbox -SearchQuery '' -DeleteContent -Force

Another Search-Mailbox problem is its low performance. In case of a large company, the search may last for several days.

How to Quickly Find and Delete EMails in Exchange 2016 Using New-ComplianceSearch?

In Exchange 2016, a new way appeared that allows you to quickly find and delete email messages in user mailboxes.

Using these commands, you can significantly narrow the search area:

New-ComplianceSearch -Name FastSearch1 -ExchangeLocation all -ContentMatchQuery 'from:""'
Start-ComplianceSearch -Identity FastSearch1

These commands search through several thousand mailboxes in a few minutes.

Next you need to get the list of mailboxes that meet the search criteria:

$search = Get-ComplianceSearch -Identity FastSearch1
$results = $search.SuccessResults
$mbxs = @()
$lines = $results -split '[\r\n]+'
foreach ($line in $lines) {
    # Each result line looks like "Location: <mailbox>, ... Item count: <n>"; keep mailboxes with at least one hit
    if ($line -match 'Location: (\S+),.+Item count: (\d+)' -and [int]$matches[2] -gt 0) {
        $mbxs += $matches[1]
    }
}

Now you can remove emails using the Search-Mailbox cmdlet only in the found mailboxes:

$mbxs | Get-Mailbox| Search-Mailbox -SearchQuery 'from:""' -DeleteContent –Force

The total search and delete time is reduced several times, especially in large companies.

Now you can delete the search results:

Remove-ComplianceSearch –Identity FastSearch1

Managing Local Users and Groups with PowerShell Mon, 01 Apr 2019 05:00:55 +0000 Recently Microsoft has added a standard PowerShell module to manage Windows local users and groups called Microsoft.PowerShell.LocalAccounts. Earlier you had to download and import this module into PowerShell manually. Now the LocalAccounts module is available by default in Windows Server 2016 and Windows 10 as a part of PowerShell 5.1. To use it in earlier Windows versions, you must install Windows Management Framework 5.1.

LocalAccounts PowerShell Module

There are 15 cmdlets in the LocalAccounts module. You can display the full list of module cmdlets as follows:

Get-Command -Module Microsoft.PowerShell.LocalAccounts

  1. Add-LocalGroupMember – add a member to a local group;
  2. Disable-LocalUser – disable a local user account;
  3. Enable-LocalUser – enable (unlock) an account;
  4. Get-LocalGroup – get information about a local group;
  5. Get-LocalGroupMember – display the list of users in a local group;
  6. Get-LocalUser – show information about a local user;
  7. New-LocalGroup – create a new local group;
  8. New-LocalUser – create a local user;
  9. Remove-LocalGroup – delete a local group;
  10. Remove-LocalGroupMember – remove a member from a local group;
  11. Remove-LocalUser – delete a local user;
  12. Rename-LocalGroup – rename a local group;
  13. Rename-LocalUser – rename a user;
  14. Set-LocalGroup – modify group settings;
  15. Set-LocalUser – modify user settings.

Let’s consider some typical tasks to manage local users or groups using PowerShell cmdlets of the LocalAccounts module on a computer running Windows 10.

How to Manage Windows Local Users with PowerShell?

Display the list of existing local users in Windows:

Get-LocalUser

As you can see, there are 6 local user accounts on the computer, and 4 of them are disabled (Enabled=False).

To display all properties of a local account (similar to Get-ADUser cmdlet used to display information about AD domain users), run this command:

Get-LocalUser -Name root | Select-Object *

AccountExpires :
Description :
Enabled : True
FullName :
PasswordChangeableDate : 3/12/2019 10:14:29 PM
PasswordExpires :
UserMayChangePassword : True
PasswordRequired : False
PasswordLastSet : 3/11/2019 10:14:29 PM
LastLogon : 3/11/2019 4:18:17 PM
Name : root
SID : S-1-5-21-2605456602-2293283241-3832290805-1001
PrincipalSource : Local
ObjectClass : User

To get the specific user attribute, like the last password change date, run this command:

Get-LocalUser -Name root | Select-Object PasswordLastSet


Let’s create a new local user with the New-LocalUser cmdlet. This cmdlet allows you to create the following types of accounts:

  • Windows local accounts;
  • Microsoft accounts;
  • Azure AD accounts.

When creating a user account with the New-LocalUser cmdlet, you can’t specify the user password in plain text as the Password argument. You must request the password interactively and convert it to the secure string in advance:

$UserPassword = Read-Host -AsSecureString

Or specify the password directly in the PoSh console:

# single quotes: in a double-quoted string "$$" would be expanded to the PowerShell process ID
$UserPassword = ConvertTo-SecureString 'H1PH0Ppa$$' -AsPlainText -Force
New-LocalUser John -Password $UserPassword -FullName "John Lennon" -Description "Local Account for Remote Access"
To create a user in the AD domain, use the New-ADUser cmdlet.

To change the user's password, use the Set-LocalUser cmdlet (we suppose that you have already converted the new password into a SecureString):

Set-LocalUser -Name john -Password $UserPassword -Verbose


To set the "Password never expires" flag, run this command:

Set-LocalUser -Name john -PasswordNeverExpires $True

As you can see, you don't need to convert the UserAccountControl value as you do when managing AD user object properties.

As you remember, you can login Windows 10 using your Microsoft account. If you have to create a new user login to a Microsoft account, run this command. (Please, note that you don’t need to specify an account password since it is stored in Microsoft.)

New-LocalUser -Name "MicrosoftAccount\" -Description "This is a Microsoft account"

To create a local account related to your Azure AD account (for example, you are using Office 365), run the following command:

New-LocalUser -Name "AzureAD\" -Description "This is an Azure AD account"

To remove local user:

Remove-LocalUser -Name john -Verbose

How to Manage Windows Local Groups Using PowerShell?

Now display the list of local groups on your computer:

Get-LocalGroup

Create a new group:

New-LocalGroup -Name RemoteSupport -Description 'Remote Support Group'

Add some local accounts and the group of local administrators to the new group:

Add-LocalGroupMember -Group 'RemoteSupport' -Member ('john','root','Administrators') -Verbose

If your computer is joined to an AD domain, you can add domain accounts and groups to your local group. To do it, specify them in the following format: DomainName\jonhl or DomainName\'domain admins'.


You can also add a user to groups using the following pipeline (we will add a user to the local administrators group):

Get-Localuser -Name john | Add-LocalGroupMember -Group 'Administrators'

Display the list of users in a local group:

Get-LocalGroupMember -Group 'RemoteSupport'

As you can see, we are using only local accounts (PrincipalSource – Local). However, domain accounts (domain), Microsoft accounts (MicrosoftAccount) or Azure accounts (AzureAD) can also be used.


To display the list of groups a specific user is a member of, you will have to check every local group on the computer:

foreach ($LocalGroup in Get-LocalGroup) {
    if (Get-LocalGroupMember $LocalGroup -Member john -ErrorAction SilentlyContinue) {
        $LocalGroup.Name
    }
}

To remove a user from a group, run this command:

Remove-LocalGroupMember -Group 'RemoteSupport' -Member john

To manage local users on a remote computer, connect to it using WinRM and run Invoke-Command or Enter-PSSession cmdlets.

For example, you need to create a list of accounts in a local group on remote computers:

$winrm_ssn = new-pssession -computer Lon-Srv01,Lon-Srv02,Lon-Srv03
invoke-command -scriptblock {Get-LocalGroupMember -Group 'RemoteSupport'} -session $winrm_ssn -hidecomputername | select * -exclude RunspaceID | out-gridview -title "LocalAdmins"
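As an added example (not from the original article), the script below extends the remote pipeline above into a small audit: it collects local Administrators membership and enabled local accounts from several computers over WinRM and flags domain or cloud principals in the local Administrators group, extra local admin accounts, and enabled accounts that require no password or whose password never expires. The computer names are the constructed ones used above; the property names (PrincipalSource, SID, PasswordRequired, PasswordExpires) come from the cmdlet output shown in the article.

```powershell
# Added example, not from the original article: audit local admins and weak local accounts remotely.
$computers = 'Lon-Srv01', 'Lon-Srv02', 'Lon-Srv03'   # constructed names

$report = Invoke-Command -ComputerName $computers -ScriptBlock {
    # Local Administrators membership: who is in it and where the principal comes from.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $finding = if ($m.PrincipalSource -ne 'Local') {
            'domain/cloud principal in local Administrators'
        } elseif ($m.SID.Value -notlike '*-500') {        # RID 500 is the built-in Administrator
            'extra local admin account'
        } else {
            'built-in Administrator'
        }
        [pscustomobject]@{
            Check   = 'LocalAdminMember'
            Name    = $m.Name
            Source  = $m.PrincipalSource      # Local, ActiveDirectory, MicrosoftAccount, AzureAD
            Finding = $finding
        }
    }

    # Enabled local accounts with password settings an attacker would love to find.
    foreach ($u in Get-LocalUser | Where-Object Enabled) {
        $issues = @()
        if (-not $u.PasswordRequired) { $issues += 'no password required' }
        if (-not $u.PasswordExpires)  { $issues += 'password never expires' }   # empty = never expires
        if ($issues) {
            [pscustomobject]@{
                Check   = 'LocalUser'
                Name    = $u.Name
                Source  = $u.PrincipalSource
                Finding = ($issues -join ', ')
            }
        }
    }
} | Select-Object PSComputerName, Check, Name, Source, Finding

$report | Sort-Object PSComputerName, Check, Name | Format-Table -AutoSize
# $report | Export-Csv 'C:\ps\local-admins.csv' -NoTypeInformation   # keep a dated copy to diff next time
```

Running this on a schedule and diffing the CSV against the previous run is a cheap way to notice a new local administrator or a re-enabled account that nobody requested.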

How to Get My Public IP Address Using PowerShell Fri, 04 Jan 2019 05:00:20 +0000 Question

Hi, in one of my PowerShell scripts, I needed to determine the current external IP address of the Windows computer from the command line or (best) with some simple PowerShell function. There are quite a few websites where you can find out your public IP address, but I don't understand how to access them from my PoSh script and return the data from the web page.


That’s right, to find out your external IP address, you can use any online service. You can get data from an external web page from PowerShell using the Invoke-WebRequest cmdlet.

You can parse the page of any popular site that shows your external IP address, but it is easier to use one of the services that return only the IP address (as plain text).

You can use the following sites:


For example, to find out your current external IP address, from which you access the Internet, open the PowerShell console and run the command:

(Invoke-WebRequest -uri "").Content

As you can see, the command successfully returned to the PoSh console the external IP address from which the connection came.

Or you can even get your GeoIP data (such as country, city, region, and GPS coordinates):

Invoke-RestMethod -Uri (''+(Invoke-WebRequest -uri "").Content)

You should understand that in most cases the resulting IP will not be the real static “white” IP of your computer. In most cases, this will be either the external IP address of the router (when NAT is used), the dynamic IP address issued by provider or the proxy server address.

Install RSAT Feature on Demand on Windows 10 1809 Using PowerShell Thu, 03 Jan 2019 19:56:24 +0000 After updating my Windows 10 computer from 1803 to 1809 (October 2018 Update), the installed RSAT tools (Remote Server Administration Tools) disappeared (this happens on every Windows 10 feature update). As usual, I was going to download and install the latest version of RSAT from the Microsoft download page, but found the following message there:

IMPORTANT: Starting with Windows 10 October 2018 Update, RSAT is included as a set of «Features on Demand» in Windows 10 itself.

As it turned out, starting with Windows 10 1809 (build 17763) it is no longer necessary to download RSAT from Microsoft: the Remote Server Administration Tools package is built into the Windows 10 image and is installed as a separate Feature on Demand. You can now install RSAT from the Settings app.

To install RSAT in Windows 10 1809, go to Settings -> Apps -> Manage Optional Features -> Add a feature. Here you can select and install specific tools from the RSAT package.


However, on another corporate computer running Windows 10 Enterprise, also updated to 1809, the list of optional features was empty. In that case the only way to install RSAT is PowerShell. Here is how to install RSAT in Windows 10 1809 from the PowerShell prompt.

Using the following command you can check whether RSAT components are installed on your computer:

Get-WindowsCapability -Name RSAT* -Online

You can view the status of installed RSAT components in a more convenient table:

Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State

As you can see, the RSAT components are not installed (NotPresent state).


You can use the Add-WindowsCapability cmdlet to install these Windows features.

To install a specific RSAT tool, such as AD management tools (including the ADUC console), run the command:

Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~"

To install the DNS management console, run:

Add-WindowsCapability -Online -Name "Rsat.Dns.Tools~~~~"

The other RSAT components are installed the same way; pick only the consoles an administrator's workstation actually needs:

Add-WindowsCapability -Online -Name Rsat.FileServices.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.IPAM.Client.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.LLDP.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.NetworkController.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.NetworkLoadBalancing.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.BitLocker.Recovery.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.CertificateServices.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.DHCP.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.FailoverCluster.Management.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.RemoteAccess.Management.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.RemoteDesktop.Services.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.ServerManager.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.Shielded.VM.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.StorageMigrationService.Management.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.StorageReplica.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.SystemInsights.Management.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.VolumeActivation.Tools~~~~
Add-WindowsCapability -Online -Name Rsat.WSUS.Tools~~~~

To install all the available RSAT tools at once, run:

Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

To install only disabled RSAT components, run:

Get-WindowsCapability -Online | Where-Object { $_.Name -like "*RSAT*" -and $_.State -eq "NotPresent" } | Add-WindowsCapability -Online


Now run Get-WindowsCapability again and make sure that all RSAT tools report the Installed state.

After that, the installed RSAT tools will appear in the Manage Optional Features panel.

If, while installing RSAT, you get the error Add-WindowsCapability failed. Error code = 0x800f0954, your computer is most likely configured to receive updates from an internal WSUS or SUP server, and Feature on Demand content cannot be downloaded from it.

To install the RSAT components, temporarily disable the use of the WSUS server in the registry (open the key HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU and set UseWUServer to 0) and restart the Windows Update service (wuauserv). Remember to restore the value afterwards, otherwise the computer keeps pulling updates directly from Microsoft instead of from your WSUS server. A cleaner alternative is the Group Policy setting "Specify settings for optional component installation and component repair" (Computer Configuration -> Administrative Templates -> System), which allows optional features to be downloaded directly from Windows Update while regular updates still come from WSUS.

You can use the following powershell script to automate this process:

$auKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
# Remember the current WSUS setting so it can be put back exactly as it was
$currentWU = (Get-ItemProperty -Path $auKey -Name "UseWUServer").UseWUServer
Set-ItemProperty -Path $auKey -Name "UseWUServer" -Value 0
Restart-Service wuauserv
try {
    Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
} finally {
    # Restore the WSUS setting even if the installation fails part-way
    Set-ItemProperty -Path $auKey -Name "UseWUServer" -Value $currentWU
    Restart-Service wuauserv
}
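The following function is an added example, not code from the original post, that ties the steps above together for a managed workstation: it checks the build number, installs only the requested capabilities, optionally takes a local Features on Demand source via the -Source and -LimitAccess parameters of Add-WindowsCapability so that a WSUS-managed machine need not reach Windows Update at all, and, only when you opt into the WSUS bypass, restores UseWUServer in a finally block so the machine is never left pointed at Windows Update by mistake. The capability prefixes in the usage comment are assumptions; take the exact names from Get-WindowsCapability on your build.

```powershell
#Requires -RunAsAdministrator

# Added example, not code from the original post. Installs a chosen subset of
# RSAT Features on Demand on Windows 10 1809+, reports the result and, only
# when asked, works around the WSUS-blocked download (0x800f0954) without
# leaving the WSUS setting disabled.
function Install-RsatCapability {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Capability names or prefixes, e.g. 'Rsat.Dns.Tools~~~~'
        # (assumed values; take the real names from Get-WindowsCapability).
        [Parameter(Mandatory)]
        [string[]]$Name,

        # Optional local Features on Demand source (mounted FoD ISO or share).
        # Together with -LimitAccess this never contacts Windows Update or WSUS.
        [string]$Source,

        # Temporarily set UseWUServer=0 so DISM can reach Windows Update.
        [switch]$BypassWsus
    )

    # RSAT ships as a Feature on Demand only from build 17763 (1809) onward.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    if ($build -lt 17763) {
        throw "RSAT as a Feature on Demand needs Windows 10 1809 (build 17763) or later; this is build $build"
    }

    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $wsusDisabledHere = $false
    $resolved = @()

    try {
        if ($BypassWsus) {
            # Only flip the policy value if WSUS is actually in use, and remember
            # that we did, so the finally block restores it even if DISM fails.
            $useWU = (Get-ItemProperty -Path $auKey -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
            if ($useWU -eq 1) {
                Set-ItemProperty -Path $auKey -Name UseWUServer -Value 0
                Restart-Service wuauserv
                $wsusDisabledHere = $true
            }
        }

        foreach ($pattern in $Name) {
            # Resolve 'Rsat.Dns.Tools~~~~' style prefixes to the full capability
            # names present on this build.
            $caps = @(Get-WindowsCapability -Online -Name "$pattern*" -ErrorAction SilentlyContinue)
            if ($caps.Count -eq 0) { Write-Warning "No capability matches '$pattern'"; continue }

            foreach ($cap in $caps) {
                $resolved += $cap.Name
                if ($cap.State -eq 'Installed') { Write-Verbose "$($cap.Name) already installed"; continue }
                if (-not $PSCmdlet.ShouldProcess($cap.Name, 'Add-WindowsCapability')) { continue }

                $params = @{ Online = $true; Name = $cap.Name }
                if ($Source) { $params.Source = $Source; $params.LimitAccess = $true }
                $result = Add-WindowsCapability @params
                if ($result.RestartNeeded) { Write-Warning "$($cap.Name): restart required" }
            }
        }
    }
    finally {
        if ($wsusDisabledHere) {
            Set-ItemProperty -Path $auKey -Name UseWUServer -Value 1
            Restart-Service wuauserv
        }
    }

    # Return the post-install state so a caller (or a configuration-management
    # run) can fail if anything is still NotPresent.
    Get-WindowsCapability -Online -Name 'RSAT*' |
        Where-Object { $resolved -contains $_.Name } |
        Select-Object Name, State
}

# Usage (capability prefixes are assumptions; install only what this
# administrative workstation actually needs):
# Install-RsatCapability -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~', 'Rsat.GroupPolicy.Management.Tools~~~~' -BypassWsus -Verbose
```

Because the function supports -WhatIf, it can be dry-run before being pushed out through configuration management, and installing named capabilities rather than RSAT* keeps consoles such as the WSUS or Failover Cluster tools off machines whose administrators have no business with those services.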

Grand River Brewing – Russian Gun Imperial Stout Sun, 30 Dec 2018 05:00:37 +0000
Omnipollo – Zodiak Sat, 29 Dec 2018 05:00:42 +0000
Black Oak Brewing Co. – Nut Brown Ale Fri, 28 Dec 2018 18:20:41 +0000
Great Lakes Brewery – Pompous Ass English Ale Mon, 10 Dec 2018 05:00:25 +0000
Molson Coors Brewing Company – Coors Banquet Fri, 07 Dec 2018 20:08:03 +0000

Bobcaygeon Brewing Company – Dockside Sat, 01 Dec 2018 00:55:34 +0000

I got stung by a ray in Runaway Bay Jamaica! Tue, 20 Mar 2018 23:09:42 +0000 Isn’t it just my luck that while in the ocean while on vacation I got barbed by a ray in Runaway Bay Jamaica! I guess there is some meaning to the name of the town, I should have run-a-way!  🙂

So imagine this: I'm just casually swimming in the ocean at about neck height when I put my foot down for a moment and suddenly feel this needle-like pin come into my foot... Immediately I knew that something wasn't right and slowly started making my way towards the shore.

Fast forward 120 seconds and my leg starts to go numb and each step is painful, almost like I've been hit really hard and have a bone bruise. As I get out of the ocean I look down and see I'm trailing blood from my foot. I make my way back to the group of friends I went with, all lounging on the beach, and they could immediately tell something wasn't right with me (my paleness must have been that much more pale).

They ask “Are you ok?”, I painfully respond with “No, I got hit by something in the ocean.” – At this point the pain was becoming so excruciating that I was having a hard time talking.
