Friday, June 15, 2018

Restored AD account is not showing in Global Address List (GAL)

Environment:
Local AD syncing with Office 365 via Azure Sync.
Situation:
User has been moved to a non-syncing OU.
Cloud account was disabled, then restored as InCloud and converted to shared mailbox so it could be viewed by management.
User returns to work.
AD account moved to syncing OU, reattached to Cloud account and converted back from shared to a user mailbox.

Attributes in local AD have not changed.
"Show in Global Address List" is set to No.
Edit throws an error that the account is syncing and any changes have to be made locally.
Specifically:
The action 'Set-Mailbox', 'HiddenFromAddressListsEnabled', can't be performed on the object because the object is being synchronized from your on-premises organization.

Hop on over to the DC, this attribute doesn't exist. We were previously an in-house Exchange Server environment.

The attribute in my case is msExchHideFromAddressLists
This attribute was already set to FALSE, but because the account was disabled and re-enabled, the attribute wasn't changing the view status in the GAL.
I changed it to <not set>, waited for sync and it updated.

This attribute was also preventing user display in distribution lists. This was driving me crazy because I could see they were part of the DL groups, but weren't showing up when I expanded the list in Outlook. Once they were showing in the GAL, they showed in the DL groups.

Thursday, June 14, 2018

Controlling PSTs through Regedit

All credit goes to the Microsoft article. Just posting here in case the post disappears.
https://support.microsoft.com/en-us/help/3058474/how-to-use-outlook-policy-to-control-pst-use-and-creation-in-the-offic

Prevent users from adding new data or content to an existing .pst file
To prevent users from adding new data or content to an existing .pst file, add the PSTDisableGrow registry entry, and then set the value to 1. To do this, follow these steps:
  1. Open Registry Editor.
  2. Locate, and then click the following registry subkey:
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\<x>.0\Outlook\PST
    Note The <x>.0 placeholder represents the version of Outlook: for example, 15.0 is Outlook 2013, 14.0 is Outlook 2010, and 12.0 is Outlook 2007.
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type PSTDisableGrow, and then press Enter.
  5. Right-click the PSTDisableGrow registry entry that you created, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
Note The PSTDisableGrow registry entry can be set to the following values:
  Value  Description
  0      User can add new items to an existing .pst file. This is the default value.
  1      User cannot add new content or data to an existing .pst file.

Prevent users from adding new .pst files
To prevent users from connecting a .pst file to Outlook, add the DisablePST registry entry, and then set the value to 1. To do this, follow these steps:
  1. Open Registry Editor.
  2. Locate, and then click the following registry subkey:
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\<x>.0\Outlook
    Note The <x>.0 placeholder represents the version of Outlook: for example, 15.0 is Outlook 2013, 14.0 is Outlook 2010, and 12.0 is Outlook 2007.
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type DisablePST, and then press Enter.
  5. Right-click the DisablePST registry entry that you created, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
Note The DisablePST registry entry can be set to the following values:
  Value  Description
  0      Users can add .pst files. This is the default value.
  1      Users cannot add .pst files. However, in scenarios where a .pst file was connected to Outlook before this registry value was added, the existing .pst file will still be connected. No new .pst files can be added.
  2      Users can only add exclusive sharing .pst files, such as SharePoint .pst files.
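
The two procedures above (PSTDisableGrow and DisablePST) as one PowerShell function that writes both values and reads them back. This is an added example, not code from the Microsoft article or from this blog; the function name Set-OutlookPstPolicy and its parameters are made up for illustration, and it assumes it runs in the session of the affected user because both keys live under HKEY_CURRENT_USER.

```powershell
# Added example: apply and verify the two Outlook PST policy values.
# Set-OutlookPstPolicy is a hypothetical helper name, not a built-in cmdlet.
function Set-OutlookPstPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # <x>.0 from the article: 15.0 = Outlook 2013, 14.0 = 2010, 12.0 = 2007
        [ValidatePattern('^\d+\.0$')]
        [string]$OfficeVersion = '15.0',

        # 0 = existing .pst files may grow (default), 1 = no new content
        [ValidateSet(0, 1)]
        [int]$PSTDisableGrow = 1,

        # 0 = .pst files may be added (default), 1 = blocked, 2 = sharing-exclusive only
        [ValidateSet(0, 1, 2)]
        [int]$DisablePST = 1
    )

    $outlookKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook"
    $settings = @(
        @{ Path = "$outlookKey\PST"; Name = 'PSTDisableGrow'; Value = $PSTDisableGrow }
        @{ Path = $outlookKey;       Name = 'DisablePST';     Value = $DisablePST }
    )

    foreach ($s in $settings) {
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set DWORD to $($s.Value)")) {
            # Create the policy key only if it is missing, so existing values are kept
            if (-not (Test-Path -Path $s.Path)) {
                New-Item -Path $s.Path -Force | Out-Null
            }
            New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value `
                -PropertyType DWord -Force | Out-Null
        }

        # Read the value back so the result can be logged or checked later
        $current = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $actual  = if ($current) { $current.($s.Name) } else { $null }
        [pscustomobject]@{
            Key       = $s.Path
            Name      = $s.Name
            Expected  = $s.Value
            Actual    = $actual
            Compliant = ($actual -eq $s.Value)
        }
    }
}

# Dry run: reports the current state without writing anything
Set-OutlookPstPolicy -OfficeVersion '15.0' -WhatIf
```

Run it without -WhatIf to write the values. As the table above notes, a .pst file that was already connected before DisablePST was set stays connected.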

Pulling local admin accounts on a windows system WITH POWERSHELL

 There’s a couple ways to get them, I’m sure you’ve been around the internet looking. The Powershell scripts I use: Get-LocalGroupMember -Gr...