Tuesday 28 June 2016

A unique problem

At my CPLS, Auldhouse Computer Training, we have a huge blend of applications courses and technical courses. With everything from Microsoft, Cisco, Citrix, VMware, CompTIA, Pink Elephant, Linux and Unix, through to Office, Adobe Creative suite, the list goes on and on and on...

One problem faced by our Apps trainers is teaching Outlook today, then tomorrow having to clean up the Outlook inboxes and rules etc. before the next course. This is a bit of a pain in the butt, and of course, it's not a good use of time.  Honestly, some of the things that people from the workplace send to each other, just because they are on a training course.... SHEESH!
 
Today, I whipped up a script that will take care of that, and I was really quite surprised at how simple it was.

The problem. Destroy and recreate all the mailboxes without destroying the AD User accounts, as they're used for many other NTFS permissions all over the show. If it wasn't for that, I'd just as happily delete the AD accounts, and import-csv to fix it. Easy. But alas, I need those SIDs to remain.

As a solution, I came up with the below.  Now, as with all problems, there are more than likely a million other ways, but this is fit for purpose and does the trick.

Essentially there are four steps:
  1. Select all the users matching a criterion and disable their mailboxes
  2. Clean the database to make sure the disabled boxes are now in the Disconnected Mailboxes container in Exchange
  3. Wipe out all the disconnected mailboxes
  4. Re-create the mailboxes, essentially doing the opposite of step 1
It looks a little like this:

Get-User | Where-Object { $_.Name -like "wlg*" } | Disable-Mailbox

Clean-MailboxDatabase "Wellington Mailbox Database"

Get-MailboxStatistics -Database "Wellington Mailbox Database" | Where-Object { $_.DisconnectReason -eq "Disabled" } | ForEach-Object { Remove-StoreMailbox -Database $_.Database -Identity $_.MailboxGuid -MailboxState Disabled -Confirm:$false }

Get-User | Where-Object { $_.Name -like "wlg*" } | Enable-Mailbox

I am pretty tickled with this, as I am not an Exchange hound. I should add that this is all done on an older Exchange 2010 box. Why Exchange 2010? Just the way it is.....one day I'll get around to updating that. Then I could set up a nice wee template to stop the naughty words anyway!

Cheers,

Malc.

Tuesday 31 May 2016

InTune and management of different phones

Hey there all,

So the past wee while has seen me tooling around with some cool things. I have been exploring my musings with InTune a whole lot more, and now I am the proud owner of a couple of different phones. One is an older Apple iPhone 4s, the other is a Samsung Galaxy 4.  iOS and Android! Me! A bona fide Windows Fan Boi.

What can I report?

Adding both the new guys to my InTune management was a piece of cake. Simply adding my domain's email account to the phones was a piece of cake.

After doing that, I started to mess around with the remote wipes, each was done and each of the phones was totally factory reset with little or no surprise.

Once I had that all nice and stabilised, it was time to get into the process of applying apps to each of the devices. This has perhaps been the bigger learning curve for now, and I am still having a play. I'll write more when I have this properly nailed down, but I have learnt that while all free apps in Google Play are free apps, it would appear to not be the same with the Apple Store. In fact, so far (admittedly without much deep investigation) the only app I have deployed was Age of Empire, a game!  AND in order to get the iOS device managed properly, I had to create and import some certificates into InTune to progress. Apparently, I also have to learn about wrapping some apps in App policies (.xml) in order to have them apply.

As for the 'droid, I now have all the necessary tools that I have for my world. Strava, FitBit, and Training Peaks are all loaded against my phone. Plus a few worky things too.

This little post is just a teaser for now, but I am thoroughly enjoying all that InTune can offer.  At this point though, I would add that for anyone looking to refresh their phone fleet with a mind to managing the devices through InTune MDM, my current feel is to lean towards Windows Phone and Android.

Cheers,

Malc.

Wednesday 11 May 2016

A funny couple of things happened recently...


...and I thought that I'd share.  Mainly as I am just now teaching a Network+ course, and one of the topics in here is Security.  And in that, Social Engineering is seen as a risk, as is misdirection of information.

So here's me.

For the last year, I have been receiving email from a medical insurer in South Africa, for, well, me. Not me, me, but a guy there, born in a different month, 6 years before me. Yup, I know LOTS about him.  It's been kind of funny, but there is a very serious side to this misdirection of data. I have his bank details, the South African equivalent of his Social Security number. And I know his health history, and his wife’s.

Today, I wrote him a letter, and attached one of his health statements.  I hope that it reaches him, and that he takes action with his provider. But what's the lesson here? The lesson is, double check your details with any organisation that you have your financials with. Make sure that all those details are correct. I even did a double check of the handful I have today.  This was an innocent enough mistake on the face of it, but with the information that I have, it could have been a lot worse for this guy.

The second funny thing was Gmail. So there is a lady in the US of A. She lost her job in RIDICULOUS circumstances and rather publicly.  And I really felt for her, mainly because I have an innate sense of fairness. She writes rather well, and has a great sense of humour. I have been a Twitter follower of hers since. We have never had email contact. We have never communicated outside of a few tweets on Twitter. Anyhow, I have her home number, and her personal email account, showing up in my Gmail phone contacts. What the? I did a lookup on Google and some crazy Russian website showed me that it is in fact a US based number, down to state and town. The rest of the location I won't say.

Here the lesson is to make sure that whatever tools you're using on the internet are locked down to hide any private data. Check what services are sharing that information, and be very careful with the apps installed on your phone that say “We need access to your details here, and here.” And, where you can, avoid putting those private details online when registering on a website. It's amazing how much people are willing to put online for some app or the other. With the current trend in fitness tracking that seems to be all the rage, through to online shopping, minimal is best. Hell, it might sound obvious, but pseudonyms can help a fair bit.

As a last one, PLEASE STOP using your email/password combo as the login/password combo on this that and every website! It's just plain silly.

Cheers,

Malc.

 

Thursday 5 May 2016

A re-boot of the blog

Been a while since I posted things, and I know that now it is time to really kick myself into gear.

This was an interesting week in the classroom..... the first 3 days were SQL 2014 query writing, and the last two days of the week were a Crystal Reports course. These two topics are so very close to each other, and yet with enough differences that you can really make a mess of things if you don't have your wits about you!

So anyway, what's been happening.  A whole lot, and I'll be turning this into a very regular posting from now on.
Here is the highlights package:
  • Continuing running of the Wellington Windows Infrastructure and Azure Users Group
  • Acquisition of an iPhone and Android for the furthering of my InTune learning
  • Delivery of InTune user session to Singapore User Group
  • Taking of, and learning SCCM
  • Discovering new and exciting things in Azure and InTune
  • Delivery of InTune session to CodeCamp Wellington

I'll fill in more details later, but in the next couple of weeks expect some writeups on the above, and new things to keep you interested.

Cheers,
Malc.

Monday 31 August 2015

Ignite NZ 2015

Well, here we are. A new year, a new name, and a bunch of sessions for me to deliver!

It probably goes without saying that there has been a wee bit of pressure this time around preparing the sessions that I am delivering. It came to a total of 5 sessions, and when I said yup, I guess I hadn't really thought about all the time involved in doing a professional job. It's not just me I am representing. It's Auldhouse and Microsoft. 3 are exam crams, and present an interesting challenge in their own right, and 2 are the traditional "Break-Out" sessions.

Within the next couple of weeks I will publish the build guides for the demos that I used this week in both my solo AD-RMS session, conveniently linked here (so that you can access the PowerPoints) and also the joint session with the amazing Daniel Bowbyes (co-runner of the WWIAUG meet-up in Wellington).

In getting ready for each session, we presenters always go through the hoops and loops. Did I do enough? Did I do too much? Will that meet the session level? WHY IS THE CLOCK GOING SO FAST/SLOW! (depending on your state of mind, of course!) I think my weakness is wanting to know too much, and deliver it all as fast as I can.

Anyway, as a loose outline for now, here is how I built each of the Labs.

AD-RMS and Azure RMS

AD-RMS
In order for this to work, and for things to move smoothly, I went through the following steps (loosely)
Built 4 virtual machines. Two were Server 2012R2, two were Windows 10. The servers were configured as a DC and a member. I created a number of OUs, users, and security groups, as well as user accounts for the ADRMS service.  Oh, and let's not forget the SuperUsers group.
On the DC I also created a preference to map drives for all users to a file share to place IRM protected content.
After that, I joined all the computers to the domain. I made sure that for Client 1 I had logged in two users from the Design group, and on the other client, two users who were not in Design.
I then pre-staged the ADRMS install on the member server, created the shares for the users and the certificates.
At that point, I then created a checkpoint for each VM and spent a good week going back and forth, rolling forward and back through the demos that I have written for Ignite, making sure that I knew where all the sticking points may or may not be.
Azure-RMS
For the Azure RMS, I have had to sort out that "Here's one I prepared earlier" solution. There is a good reason for this. Activating Azure RMS, and getting it to a state where it can be demonstrated would take far longer than the 15mins that I have for that part of the session. SO... before I demoed this, I have already activated RMS in my Office 365 subscription, and imported and run the necessary PowerShell scripts to make RMS work for my region (AP).
From there, I simply made a couple of emails out to myself at work, and sent them. One was Do Not Forward, one was Confidential - internal only.   Then it's onto my work email account to see the results (and I have a couple of those emails saved in my inbox, just in case)


Windows 10 + Azure AD + Intune

This was a doozy to prepare for, and while I think the steps will seem pretty minimal, believe you me, there was a lot of work in learning the technology before even starting this. AND there is a lot to learn, and like my baby, Office 365, this is an entirely greenfield developmental area and when the session was suggested, some of the technology hadn't yet been fully released.

So here's how it went.
I bought a domain. www.malcyjmct.nz
I then added that to my Office 365 subscription.
After that, I then imported the malcyjmct.nz domain as a custom domain to Azure AD
From there, I set up a trial of Azure AD Premium to get the ability to add InTune
After that, it was a matter of twisting a few nuts and bolts to finesse it all to work together. Once that was done, it was onto the setup with the laptop, kindly loaned to Daniel and me by HP. And it is an amazing piece of kit! I installed Windows 10 Pro, and then rolled in ALL the updates. Without that effort, that initial AAD join HAS taken over an hour to progress to "Welcome to Windows, we hope you enjoy your stay." That was perhaps one of the biggest lessons learnt.
A few (read MANY) joins, disjoins, joins, disjoins, demos, fails, demos, fails, foibles and quirks later, a smooth process has been ironed out. Essentially, a complete reset of the PC (and I have learnt that Sysprep isn't the tool for the job) and deletion of the computer account from Azure, and we're away.
SSO comes as a part of the build and start, so that is a HUGE relief, and at that stage, the certificates and user accounts all show in the right place.
I have learnt to expect a latency of between 20 and 40 minutes for this demo, meaning that I have built a SECOND laptop, that will stay constantly joined to the Azure AD. I have also installed a couple of additional pieces of software there, including the Azure Remote agent, meaning that I can demo a remote restart, and a remote device scan etc.
OK, once that was all sorted, I then created three distinctly different types of InTune policy, in order to demonstrate the capabilities of Azure at a high level. They are as follows:
  • A standard config policy to tweak Internet Explorer
  • A WiFi policy, which needed the import of an XML file generated by netsh
  • An OMA-URI (Open Mobile Alliance Uniform Resource Identifier) policy to lock down AutoPlay
From there on in, it was a matter of demonstrating, from starting the "out of the box" laptop, through to joining it to Azure AD, accepting the incoming phone call, and then creating the pin for our new laptop.  Incidentally, that whole piece takes about 5-10 minutes, but is pretty bloody smooth to be fair.

Anyway, that is a brain dump for now. It's about 10:30pm the Monday night before Ignite launches, and I am ready for sleep now.

I will post something a little bit more detailed in the next week or so for those that need a bit more detail.

Thanks for reading, and please look forward to more posts in the very near future!

Cheers,

Malc.

Tuesday 18 November 2014

The joy of setting up course 20346B: Managing Office 365 Identities and Services

Here is a nice wee tale of the nuances of setting up for this course. I am writing this mainly for others who might already teach this course, so I presume that there's a little bit of inside knowledge along the way.

Ok, so in the latest little plot twist there is a new issue with the setup scripts. It is REALLY easy to fix, but a bit of a pain.

In the setup, you have to run Get-AzurePublishSettingsFile, then Import-AzurePublishSettingsFile, and after you've got that sorted, it's time to run the configure script.  And things fall undone. Quickly. Red text EVERYWHERE!

 
So what's the deal here? When you run the script, you're asked for numbers. First, you enter your CPLS ID which you then pad out with an extra 0 if you need it. We are 4232190 so I add a 0 to the end to be 42321900. You have to, as there is a check in the script to deal with it.  And then you add a 3 digit number for the student ID. We've all done it, you know there is nothing new there. What ends up happening is that to further 'uniquify' the lab IDs, the script appends today's date to give you a long string.  Mine today was 423219000071117.

Then, it adds the name lucstorage to the beginning of the name so eventually you end up with lucstorage423219000071117, a handy dandy unique 25 character string.

Seems harmless.

To many of us that have set this course up, we're used to seeing a bit of red in the Azure PowerShell window from time to time. Sometimes it's cos we forgot the firewall, or didn't raise to admin level on the window.  In this new error, that isn't the cause.

Believe it or not, the storage that is built has to have a name of between 3 and 24 characters, of course starting with lower case letters, but it can include numbers!

To solve this for myself, I opened variables.ps1. Find the line that says @storagebase = "lucstorage" and change it to @storagebase = "lucstor"

After that, no more red text and perfect success for the setup.

I don't know if anyone else has had this issue yet? I gather I discovered it today as it's the first time that I have taught the course in a double number day, double number month! :-)  It was the beginning of Oct the last time I taught this, and prior to that, months with a single digit! Ha!
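The arithmetic behind the failure, as an added PowerShell example (not the course's setup script): it rebuilds the name the way the post describes and checks it against Azure's storage account naming rule of 3 to 24 lower-case letters and digits. The function names are hypothetical, and the date stamp being an unpadded month followed by day is an assumption inferred from the 1117 suffix and the remark about double-digit days and months.

```powershell
# Added example. Values marked "from the post" are quoted there; everything
# else (function names, the unpadded month+day stamp) is an assumption.
$NamePattern = '^[a-z0-9]{3,24}$'   # 3-24 chars, lower-case letters and digits only

function New-LabStorageName {
    param(
        [Parameter(Mandatory = $true)][string]$Base,
        [Parameter(Mandatory = $true)][string]$CplsId,
        [Parameter(Mandatory = $true)][int]$StudentId,
        [Parameter(Mandatory = $true)][datetime]$Date
    )
    $cpls  = $CplsId.PadRight(8, '0')              # 4232190 -> 42321900 (from the post)
    $stamp = '{0}{1}' -f $Date.Month, $Date.Day    # assumed: no zero padding
    '{0}{1}{2:d3}{3}' -f $Base, $cpls, $StudentId, $stamp
}

function Test-LabStorageName {
    param([Parameter(Mandatory = $true)][string]$Name)
    [pscustomobject]@{
        Name   = $Name
        Length = $Name.Length
        Valid  = $Name -cmatch $NamePattern        # -cmatch: case-sensitive match
    }
}

# The case from the post: CPLS ID 4232190, student 007, 17 November.
$day = [datetime]'2014-11-17'
foreach ($base in 'lucstorage', 'lucstor') {
    $name = New-LabStorageName -Base $base -CplsId '4232190' -StudentId 7 -Date $day
    Test-LabStorageName -Name $name
}

# Which days of a year push each prefix past the 24-character limit?
$jan1 = [datetime]'2014-01-01'
foreach ($base in 'lucstorage', 'lucstor') {
    $failing = @(0..364 | ForEach-Object { $jan1.AddDays($_) } | Where-Object {
        $n = New-LabStorageName -Base $base -CplsId '4232190' -StudentId 7 -Date $_
        -not (Test-LabStorageName -Name $n).Valid
    })
    $first = if ($failing.Count) { $failing[0].ToString('d MMM') } else { 'none' }
    '{0,-10} failing days: {1,3}  first: {2}' -f $base, $failing.Count, $first
}
```

Under that assumption the longer prefix only breaks on days where both month and day have two digits, which is why a script like this can pass for most of the year before failing.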

Hope this helps, if you do come across it.

Cheers,
Malc.




 

 

Wednesday 15 October 2014

A quick update, before making this a pretty permanent part of my life

So it has been an age since I set this blog up, and either through work pressures, pastime pressures, or just sheer laziness, I have neglected it ever since starting.
And there is a TON of fantastic stuff that I have been doing work wise.  A few highlights are below, but on the whole, just wow, it has been a whirlwind time.

It was a reasonably normal year for me, the range of things that I teach always keeps me busy, from the core Server 2012 MCSA course, to the SQL Querying stuff, to the exciting world of Office 365 (more on that in a later blog), with even some oddities like recently teaching a WSS 2.0 course to a client who has an air-gapped network that hasn't changed for years!  The thing that surprised me the most with that is that WSS 2.0 was actually a lot more sophisticated than I recalled, and really was LEAPS ahead of its time. Nice.

I also delivered a session at TechEd, well, three. 2 Exam Crams, and one 'proper' session, my first ever, which was a basic intro to Office 365 Admin.  More on that later too.

AND on top of all that, this is my first time back at the Wellington for a while, having had about 5 of the last 6 weeks travelling. Wow.

Look out for some upcoming posts.

Cheers,

Malc.