Friday, August 17, 2018

Azure synced account not logging into Skype

Situation:
The primary email address was changed to the parent company's domain.
Skype for Business was still showing the old company address.
Not every user was affected, only accounts that predated the change.

The on-premises AD attribute msRTCSIP-PrimaryUserAddress was controlling the SIP address, even though the new SIP: entry had already been added to proxyAddresses.
After updating that attribute (and letting it sync), I ended up removing and re-adding the Skype for Business license for the user. Before that, sign-in produced DNS errors pointing at KB2655790 and errors saying the account didn't exist.
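As an added example (not code from the original post), here is how I would find every synced user whose msRTCSIP-PrimaryUserAddress disagrees with the SIP: entry in proxyAddresses, repair the attribute, and then toggle only the Skype for Business plan on the user's license rather than pulling the whole E3. It assumes the RSAT ActiveDirectory and MSOnline modules are installed, that you are already connected with Connect-MsolService, and the tenant/SKU name used below is a placeholder.

```powershell
# Added example, not from the original post. Finds synced users whose on-prem
# msRTCSIP-PrimaryUserAddress disagrees with the SIP: entry in proxyAddresses,
# repairs the attribute, then toggles the Skype for Business plan so the cloud
# side picks the new address up.
# Assumptions: RSAT ActiveDirectory and MSOnline modules are installed and
# Connect-MsolService has been run; 'contoso:ENTERPRISEPACK' is a placeholder.
Import-Module ActiveDirectory

function Get-SipMismatch {
    # One object per user whose SIP address in AD disagrees with proxyAddresses.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADUser -LDAPFilter '(msRTCSIP-PrimaryUserAddress=sip:*)' -SearchBase $SearchBase `
               -Properties 'msRTCSIP-PrimaryUserAddress', 'proxyAddresses', 'userPrincipalName' |
    ForEach-Object {
        $current  = $_.'msRTCSIP-PrimaryUserAddress'
        # proxyAddresses is multi-valued; the SIP entry may be written "SIP:" or "sip:".
        $sipProxy = $_.proxyAddresses | Where-Object { $_ -match '^sip:' } | Select-Object -First 1
        if ($sipProxy -and ($sipProxy -ne $current)) {      # -ne is case-insensitive in PowerShell
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                UserPrincipalName  = $_.UserPrincipalName
                PrimaryUserAddress = $current
                ProxySip           = $sipProxy
            }
        }
    }
}

function Repair-SipAddress {
    # Sets msRTCSIP-PrimaryUserAddress to the value already present in proxyAddresses.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Mismatch)
    process {
        $sip = $Mismatch.ProxySip -replace '^sip:', 'sip:'     # normalise the prefix to lower case
        if ($PSCmdlet.ShouldProcess($Mismatch.SamAccountName, "set msRTCSIP-PrimaryUserAddress to $sip")) {
            Set-ADUser -Identity $Mismatch.SamAccountName -Replace @{ 'msRTCSIP-PrimaryUserAddress' = $sip }
        }
    }
}

function Reset-SkypePlan {
    # Disables and re-enables only the Skype for Business plan (MCOSTANDARD) inside the
    # user's existing E3 license instead of removing and re-adding the whole license.
    param([Parameter(Mandatory)][string]$UserPrincipalName,
          [string]$AccountSkuId = 'contoso:ENTERPRISEPACK')      # placeholder tenant:SKU

    $off = New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans 'MCOSTANDARD'
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -LicenseOptions $off
    Start-Sleep -Seconds 30                                      # let the service deprovision
    $on  = New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans $null
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -LicenseOptions $on
}

# Usage: review first, then repair, sync, and re-provision Skype.
$mismatches = Get-SipMismatch
$mismatches | Format-Table -AutoSize
$mismatches | Repair-SipAddress -WhatIf                          # drop -WhatIf to apply
# Start-ADSyncSyncCycle -PolicyType Delta                        # run on the Azure AD Connect server
# $mismatches | ForEach-Object { Reset-SkypePlan -UserPrincipalName $_.UserPrincipalName }
```

Run the repair with -WhatIf first and read the list: the only users that should appear are the "old" accounts from before the domain change. Azure AD Connect has to sync the attribute before the license toggle does anything, which is why the delta sync sits between the two steps.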

Thursday, August 16, 2018

Syncing file servers to Office365 for free with DFS

Office 365 is here, and OneDrive has been around for a while. I use it for personal use, so I can write wherever I am and everything is backed up in the cloud.
I got to thinking, wouldn't it be great to attach this to my existing corporate files?
Originally I was thinking about creating a user and sharing that user's 1 TB of OneDrive space with my individual offices.
Each account would need to be licensed ($$), and nothing ever came of that.
Then there were Office 365 Groups, and I considered moving everything to the group's OneDrive and syncing it to everyone. That relies heavily on bandwidth.
But then the OneDrive client started working the way it was supposed to and synced only the files and folders you wanted, not everything.


On to moving the file server to the cloud.
I have DFS running.
I know how syncing folders from OneDrive work.
I know you can sync a group's OneDrive if you're a member.

Step one:
I created a service account with an E3 license and added it to an Office 365 Group.
I created a new server (reason will become apparent shortly).
The new service account is added to the local Backup Operators group on that server (reason will become apparent shortly).
With the service account, log into OneDrive online and open the group's OneDrive (its document library).
Sync the group's OneDrive.
(Note: I had to switch to the classic view both to see the Group option and to sync its OneDrive.)
This will kick off the install of the OneDrive sync client. (Or install it from Microsoft: https://onedrive.live.com/about/en-us/download/ )
Now, during the install, there's a brief moment where you can change the location of the sync folder. I'm not going to tell you how to do your job, but I created a folder on the C drive and all my groups sync there.

Once the sync is done and the folder is created we're almost there.

Next step: DFS.
This is why we created a new server.
Go into DFS Management and add the new server as a member of whatever replication group you want to push to the cloud.
Set the synced OneDrive folder you just created as this member's local path for the replicated folder. DFS Replication puts files into the OneDrive folder, and the OneDrive client puts them in the cloud. A digital relay race.

Now, this will only run while the service account is logged in, fail, right?
Wrong.

OneDrive can be run as a service.
And I'll tell you how, but first, you'll need to be signed up to my exclusive club where you send me money and I receive it.
Just kidding.

To run OneDrive as a service, you can purchase and install this:
https://www.coretechnologies.com/products/AlwaysUp/Apps/RunOneDriveAsAService.html

OR

You can setup a scheduled task.

Which is free.
And free is better.
The last post here got me on my way
https://social.technet.microsoft.com/Forums/en-US/045eecb5-9574-48cf-a87d-7497745fa5d8/running-onedrive-for-business-as-a-windows-service?forum=saas


Create a new task and call it something cool like OneDrive as a Service.
Set it to run whether the user is logged in or not (Task Scheduler stores the service account's password for this), and I have mine set to run with highest privileges. This might not be necessary, but after messing with it a while this ended up getting checked.

Trigger Tab, select at Startup, because that's when you want it to run.

Action Tab, now this is where I think I had the most problems.
Select Start a program and browse to OneDrive.exe inside the service account's profile: C:\Users\<service account>\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Leave both optional fields (arguments and start-in) empty. Something I read said to start in the AppData folder, another had /backup as an argument; neither did what I needed.
Or maybe I wasn't patient enough.

Once you reboot, the service will run as the service account.
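The whole server-side procedure above, as an added example that is not code from the original post: join the new server to an existing DFS Replication group with the synced OneDrive folder as its content path, register the startup task that runs OneDrive.exe as the service account, and check both halves after a reboot. The replication group, folder, host names, service account and sync path are placeholders; run it elevated on the new server with the DFSR RSAT tools installed.

```powershell
# Added example, not from the original post. Assumed placeholders: replication
# group "CorpFiles" with replicated folder "Shared", existing member FS01, new
# relay server ODSYNC01, service account CORP\svc-onedrive, and the OneDrive
# sync root the client created for the group.
Import-Module DFSR
Import-Module ScheduledTasks

$GroupName   = 'CorpFiles'
$FolderName  = 'Shared'
$SourceHost  = 'FS01'
$NewHost     = 'ODSYNC01'
$SvcAccount  = 'CORP\svc-onedrive'
$ContentPath = 'C:\OneDriveSync\Corp Files - Documents'

function Add-OneDriveRelayMember {
    # ReadOnly = $true means DFS-R only ever writes INTO the OneDrive folder and reverts
    # anything changed from the cloud side; set it to $false if you want cloud edits to
    # flow back to the file servers (then every OneDrive user effectively writes to DFS).
    param([bool]$ReadOnly = $true)

    Add-DfsrMember     -GroupName $GroupName -ComputerName $NewHost | Out-Null
    Add-DfsrConnection -GroupName $GroupName -SourceComputerName $SourceHost `
                       -DestinationComputerName $NewHost -CreateOneWay | Out-Null
    Set-DfsrMembership -GroupName $GroupName -FolderName $FolderName -ComputerName $NewHost `
                       -ContentPath $ContentPath -ReadOnly $ReadOnly -Force | Out-Null
    Update-DfsrConfigurationFromAD -ComputerName $SourceHost, $NewHost   # don't wait for AD polling
}

function Register-OneDriveStartupTask {
    # Equivalent of the GUI steps: run at startup, whether logged on or not, highest privileges,
    # no arguments, no start-in folder. -User/-Password makes Task Scheduler store the
    # password in the local credential store, so the box holds a usable copy of it.
    param([Parameter(Mandatory)][pscredential]$Credential)

    $user = $Credential.UserName.Split('\')[-1]
    $exe  = Join-Path "C:\Users\$user" 'AppData\Local\Microsoft\OneDrive\OneDrive.exe'
    if (-not (Test-Path $exe)) { throw "OneDrive client not found at $exe; sync the group as the service account first." }

    $action   = New-ScheduledTaskAction -Execute $exe
    $trigger  = New-ScheduledTaskTrigger -AtStartup
    # PT0S (zero) removes the default "stop the task if it runs longer than 3 days";
    # verify on the Settings tab afterwards, because OneDrive must run indefinitely.
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Seconds 0) `
                    -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 5) `
                    -StartWhenAvailable -MultipleInstances IgnoreNew

    Register-ScheduledTask -TaskName 'OneDrive as a Service' -Action $action -Trigger $trigger `
        -Settings $settings -RunLevel Highest -User $Credential.UserName `
        -Password $Credential.GetNetworkCredential().Password | Out-Null
}

function Test-OneDriveRelay {
    # After a reboot: is OneDrive.exe running as the service account, and is DFS-R caught up?
    $proc = Get-Process -Name OneDrive -IncludeUserName -ErrorAction SilentlyContinue |
            Select-Object Id, UserName, StartTime
    $backlog = Get-DfsrBacklog -GroupName $GroupName -FolderName $FolderName `
                   -SourceComputerName $SourceHost -DestinationComputerName $NewHost
    [pscustomobject]@{
        OneDriveRunningAs = ($proc | ForEach-Object UserName) -join ', '
        DfsrBacklogFiles  = @($backlog).Count
    }
}

# Usage:
Add-OneDriveRelayMember
Register-OneDriveStartupTask -Credential (Get-Credential -UserName $SvcAccount -Message 'Service account password')
# Restart-Computer, then:
# Test-OneDriveRelay
```

Two things worth keeping in mind with this design. The task stores the service account's password on the relay server, and because the account sits in Backup Operators and the task runs with highest privileges, the OneDrive process holds backup privilege and can read every replicated file regardless of NTFS permissions; that is what makes the relay work, and it is also why the relay server must be protected like the file servers it mirrors. And a zero backlog from Get-DfsrBacklog only says DFS-R has delivered the files into the folder; the OneDrive client still has to upload them, which is where the patience mentioned below comes in.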

You can test this by logging in as the service account; you'll get an error about the OneDrive folder not being found, asking whether you want to try again or set up OneDrive.
DO NEITHER.
There is an additional OneDrive process running (from the task). End that one, then click Try Again; OneDrive will connect fine.
Logging in as the service account will be useful for checking sync issues.

Some notes:
Patience is needed when setting up OneDrive as a service. After the reboot, it may take a long time before changes start showing up in OneDrive, especially if it's trying to sync a large number of files. But once it's connected, it works like normal. And once everything is synced and no changes are going on, OneDrive as a service reconnects pretty quickly after a reboot.

Let me know if this helps you.

Thursday, August 9, 2018

Outlook web app hijack

We've all seen the email (probably).
"Your document is ready, click below"
This takes you to an official looking Microsoft login page.
Many people instinctively put in their Office 365 account username (email) and password.
The login fails, obviously, because it's not a real page.
They call IT and ask for a password reset, or complain about all the passwords they have to remember, how they're sick of having to log in all the time, etc.
Anyway, now that page has their credentials.
In my org, the hijacker would log into the webmail as the user and start sending out emails.
Some emails were trying to get personal/financial info, others were spreading the fake login page.
Annoying, but a password reset initiated by me, the administrator, fixed it. If your reset process emails the user a password reset link, that link lands in the mailbox the hijacker controls, so the real user can be completely locked out of their email for a period of time while the hijacker keeps complete control. Not fun.

Some other things the hijacker was doing. On one user, they set the reply-to address on the outgoing mail so that replies never showed up in the hijacked account's inbox: they added a letter to the name, that address doesn't exist, and anyone who replies just gets a bounce. They did this so the owner of the hijacked account wouldn't find out it was spreading this 'virus', even though it's not a virus at all, just social engineering.

Later we found that an inbox rule had been created, moving certain emails to the RSS Feeds folder (because who looks in that folder?). This lets the hijacker keep monitoring the inbox and carry on conversations with contacts who could potentially give out financial or personal information, without the real user ever seeing the replies.

Pretty sneaky.
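An added example of hunting for the rule pattern described above across every mailbox; this is my code, not the post's. The classifier is a pure function so it can be checked offline against the constructed rule objects at the bottom (they are made up, not tenant data); the collector needs an Exchange Online remote PowerShell session, and the accepted-domain list is a placeholder.

```powershell
# Added example, not from the original post. Flags inbox rules that move mail to the
# RSS Feeds folder, delete it, or forward/redirect it outside the organisation.
# Assumption: $AcceptedDomains lists your own domains (placeholders here).
$AcceptedDomains = @('contoso.com', 'contoso-parent.com')

function Test-SuspiciousInboxRule {
    # Returns the reasons a rule looks like attacker persistence; nothing when it looks benign.
    param([Parameter(Mandatory)]$Rule)
    $reasons = @()

    # Get-InboxRule reports MoveToFolder as a path ending in the folder name.
    if ($Rule.MoveToFolder -and $Rule.MoveToFolder -match 'RSS') {
        $reasons += "moves mail to $($Rule.MoveToFolder)"
    }
    if ($Rule.DeleteMessage) { $reasons += 'deletes matching mail' }

    foreach ($prop in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
        foreach ($target in @($Rule.$prop)) {
            # Targets look like "Display Name [SMTP:user@domain]" or a bare address.
            if ($target -match '([\w.+-]+)@([\w.-]+)') {
                if ($AcceptedDomains -notcontains $Matches[2]) {
                    $reasons += "$prop outside the org: $($Matches[0])"
                }
            }
        }
    }
    return $reasons
}

function Find-SuspiciousInboxRule {
    # Walks every mailbox; requires Get-Mailbox / Get-InboxRule from an Exchange Online session.
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_.UserPrincipalName
        Get-InboxRule -Mailbox $mbx | ForEach-Object {
            $why = @(Test-SuspiciousInboxRule -Rule $_)
            if ($why.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox  = $mbx
                    RuleName = $_.Name
                    Enabled  = $_.Enabled
                    Reasons  = ($why -join '; ')
                    Identity = $_.Identity     # feed this to Remove-InboxRule once confirmed
                }
            }
        }
    }
}

# Constructed sample rules (not real tenant data) to exercise the classifier offline.
$sample = @(
    [pscustomobject]@{ Name = 'Archive old'; MoveToFolder = 'jane@contoso.com:\Archive'; DeleteMessage = $false
                       ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null }
    [pscustomobject]@{ Name = '.'; MoveToFolder = 'jane@contoso.com:\RSS Feeds'; DeleteMessage = $false
                       ForwardTo = @('Accounts [SMTP:accounts@mail-drop.example]'); ForwardAsAttachmentTo = $null; RedirectTo = $null }
)
$sample | ForEach-Object { '{0}: {1}' -f $_.Name, ((Test-SuspiciousInboxRule -Rule $_) -join '; ') }
# Live run (needs the Exchange Online session):
# Find-SuspiciousInboxRule | Format-Table Mailbox, RuleName, Enabled, Reasons -AutoSize
```

The first sample rule produces no reasons; the second reports both the RSS Feeds move and the external forward. Inbox rules are not the only place forwarding hides: also check Get-Mailbox for ForwardingSmtpAddress and ForwardingAddress, which the rule walk above does not cover.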

Some fixes:
Limit who can access OWA.
Those who can, make them use 2FA.

I haven't looked into it much, but O365 may be able to block access by region (Azure AD Conditional Access named locations look like the place to do it). It would definitely have helped in this situation: the IP address that accessed the mailbox was outside the US.
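The fixes listed above plus the response the post describes for a hijacked account, as an added example (my code, not the post's): restrict OWA to a named group and require MFA for its members, and for a compromised mailbox reset the password, revoke existing sessions, strip inbox rules and forwarding, disable OWA while you investigate, and pull the source IPs from the audit log. It assumes an Exchange Online remote session, the MSOnline module (Connect-MsolService) and the AzureAD module (Connect-AzureAD); the group name and user are placeholders, and it assumes user principal names match primary SMTP addresses.

```powershell
# Added example, not from the original post. Placeholders: the OWA allow-list group
# and the UPN in the usage lines. Requires Exchange Online, MSOnline and AzureAD sessions.
$OwaGroup = 'OWA-Allowed'   # assumed mail-enabled security group of users who may use OWA

function Set-OwaAllowList {
    # Disables OWA for everyone except members of $OwaGroup, and turns MFA on for those members.
    $allowed = Get-DistributionGroupMember -Identity $OwaGroup -ResultSize Unlimited |
               ForEach-Object { "$($_.PrimarySmtpAddress)" }

    Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
        $wantOwa = $allowed -contains "$($_.PrimarySmtpAddress)"
        if ($_.OWAEnabled -ne $wantOwa) {
            Set-CASMailbox -Identity $_.Identity -OWAEnabled $wantOwa
        }
    }

    $mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $mfa.RelyingParty = '*'
    $mfa.State        = 'Enabled'      # switch to 'Enforced' once users have registered their second factor
    foreach ($upn in $allowed) {       # assumption: UPN equals primary SMTP address
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($mfa)
    }
}

function Invoke-HijackedMailboxResponse {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # 1. Cut the attacker off: new temporary password (forced change at next logon) and revoke all tokens.
    $newPw = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })
    Set-MsolUserPassword -UserPrincipalName $UserPrincipalName -NewPassword $newPw -ForceChangePassword $true | Out-Null
    Revoke-AzureADUserAllRefreshToken -ObjectId (Get-AzureADUser -ObjectId $UserPrincipalName).ObjectId

    # 2. Undo the persistence described in the post: inbox rules and any mailbox-level forwarding.
    Get-InboxRule -Mailbox $UserPrincipalName | ForEach-Object {
        Write-Host "Removing rule '$($_.Name)' from $UserPrincipalName"
        Remove-InboxRule -Identity $_.Identity -Confirm:$false
    }
    Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null -ForwardingAddress $null `
                -DeliverToMailboxAndForward $false

    # 3. Close the door they came in through until the investigation is done.
    Set-CASMailbox -Identity $UserPrincipalName -OWAEnabled $false

    # Hand the temporary password to the user out of band (phone, in person), never by email.
    return $newPw
}

function Get-MailboxAccessIp {
    # Source IPs for logins and rule changes from the unified audit log, so you can see
    # where the hijacker came from (needs mailbox auditing enabled in the tenant).
    param([Parameter(Mandatory)][string]$UserPrincipalName, [int]$Days = 14)
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -UserIds $UserPrincipalName -ResultSize 5000 `
        -Operations 'MailboxLogin', 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox' |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ When = $d.CreationTime; Operation = $d.Operation; ClientIP = $d.ClientIP }
    } | Sort-Object When
}

# Usage:
# Set-OwaAllowList
# Get-MailboxAccessIp -UserPrincipalName 'jane@contoso.com' | Format-Table -AutoSize
# Invoke-HijackedMailboxResponse -UserPrincipalName 'jane@contoso.com'
```

The order inside Invoke-HijackedMailboxResponse matters: a password reset alone leaves existing sessions and refresh tokens valid, which is why the token revocation follows it immediately, and the rules are removed after that so the attacker cannot recreate them from a live session. Get-Random is fine for a throwaway password that must be changed at first logon; do not use it for anything that stays in service.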

Pulling local admin accounts on a windows system WITH POWERSHELL

 There’s a couple ways to get them, I’m sure you’ve been around the internet looking. The Powershell scripts I use: Get-LocalGroupMember -Gr...