Convert Server 2016 Standard to Datacenter

I needed to do this today because I had setup a pair of servers and it turns out they needed to be Datacenter edition instead of Standard edition. What used to mean you would need to rebuild, is really now just another command to run.

dism /online /Set-Edition:ServerDatacenter /ProductKey:CB7KF-BWN84-R7R2Y-793K2-8XDDG /AcceptEula

It took about 20 minutes or so but Before you tell me I posted my keys … sorry but it’s the KMS client key from Microsoft.

I found this command from ITechLounge.

Remove a single user’s permissions from all mailboxes in Office 365

Longest title in history?

A while back we were doing some troubleshooting and we added an administrator’s account to have read permissions on all of our mailboxes. Mailboxes permissions came up as a topic yesterday in a conversation I was having and I remembered I had meant to clean this up. I could have gone about this a bunch of different ways, but ultimately I wanted to create a script in case I ever needed it again. Continue reading “Remove a single user’s permissions from all mailboxes in Office 365”

Outlook 2016 – Stop Displaying Mailboxes for Other Users

As an admin occasionally you’ll give yourself permissions to a mailbox. And then you’ll remember Outlook conveniently auto-maps that mailbox for you. Easy fix.
Close Outlook. Open Powershell.

Add-MailboxPermission -Identity targetuser@foo -User youradmin@foo -AccessRights FullAccess -AutoMapping:$false

Open Outlook. Enjoy the emptiness of the side bar.

You can/should also (once the mailbox disappears from Outlook) remove the permissions completely.

Remove-MailboxPermission -Identity targetuser@foo -User youradmin@foo -AccessRights FullAccess -InheritanceType All

Delete an email from all mailboxes in O365



Shamelessly borrowed from:


# Get login credentials 
$UserCredential = Get-Credential 
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session -AllowClobber -DisableNameChecking $Host.UI.RawUI.WindowTitle = $UserCredential.UserName + " (Office 365 Security & Compliance Center):"
# search for the email in all mailboxes
New-ComplianceSearch -Name "Easy-To-Identify-Name" -ExchangeLocation all -ContentMatchQuery 'sent>=12/01/2017 AND sent<=12/30/2017 AND subject:"announcement" AND from:""'
Start-ComplianceSearch -Identity "Easy-To-Identify-Name"

# wait a minute and view the results
Get-ComplianceSearch -Identity "Easy-To-Identify-Name"
Get-ComplianceSearch -Identity "Easy-To-Identify-Name" | Format-List

# delete the messages if the results look right
New-ComplianceSearchAction -SearchName "Easy-To-Identify-Name" -Purge -PurgeType SoftDelete

# check when it is completed
Get-ComplianceSearchAction -Identity "Easy-To-Identify-Name_Purge"

Converting a Password to Secure String


I forget this every time I reset my password…

(Get-Credential).Password | ConvertFrom-SecureString | Out-File "C:\Scripts\365SecureString.txt"

Using it:

$pass = cat "C:\Scripts\365securestring.txt" | convertto-securestring
$mycred_online = new-object -typename System.Management.Automation.PSCredential -argumentlist "",$pass
$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist "UserAccount",$pass


Setting DNS Server addresses on a remote server via PowerShell


Storing this one for later…

$cred = Get-Credential

Enter-PSSession -Credential $cred -Computername <hostname>

Get-NetAdapter -Physical

Get-DNSClientServerAddress –interfaceIndex XX  (Just making sure this is the interface I want to change).

Set-DNSClientServerAddress –interfaceIndex XX –ServerAddresses (“x.x.x.x”,”x.x.x.x”)


Script to Compare List of Email Addresses in Exchange

I was provided a list of email addresses of employees in a system that doesn’t interface with AD/Exchange and asked to validate those email addresses exist within our Exchange server. I figured the easiest way was to just script it (the list was close to 1000 people).  Total run time to compare the list was just a few seconds.

Here’s the (quite simplistic) script to accomplish the task.

$logFile = 'c:\scripts\IsAccountValid.log'

# Uncomment the entry below if not running from the EMS
# Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin

# Import the email addresses from text file
$Import=Get-Content "c:\Scripts\emailaddresses.txt"

ForEach ($address in $import) {
     $valid = get-mailbox -an $address
          If ($valid) {
          "$address is Valid" &gt;&gt; $logFile
          } else {
          "$address is Not Valid" &gt;&gt; $logFile

Bulk Migrate User Home Directory in Active Directory

This summer I’m decommissioning an old file server that is no longer under warranty, and we have plans for it along with the iSCSI SAN it’s connected to. Slight problem though – even though I’ve configured our user shares to replicate around using DFS, for years the user creation script that was used for creating accounts hard coded the user home directory to this file server. With thousands of accounts – I’m not about to go and do all this by hand.

Enter Quest ActiveRoles Management Shell (free). Sure I could have used other tools – but I’ve got this one and I like it. Anyway, here’s the script I wrote to do this. Note:  It is likely not perfect, maybe not the most efficient way to handle this (definitely a bit slow), but it works and was ran against a few thousand user accounts.
Continue reading “Bulk Migrate User Home Directory in Active Directory”

Forcing an Update of the Exchange 2007 GAL

Some things should be simple. Like just right clicking the GAL in the EMC and selecting update. Then updating Outlook. But Nooooooo… do you think that actually works when you need it to?! Of course not.

So, fire up the Exchange Management Shell —

PS> Get-OfflineAddressBook | Update-OfflineAddressBook

PS> Update-FileDistributionService -Identity YourCASServer

Head on over to Outlook and download the address book and your changes should be there.

Exchange 2007 Quick Tip: Find disabled AD users with active mailboxes and stop their email

Doing a little cleanup today and needed to check who was “disabled” in AD but still had mailboxes on our Exchange server. In case you weren’t aware, Exchange mailboxes remain active even if the user is disabled. As part of how we do things, we keep mailboxes around for a looooong time because people tend to leave/retire then come back on a temp basis. So when they return, they have all their old emails available. So, first let’s compare AD w/ Exchange and get a list of folks… (source for the code below)

Download Quest powershell.
Run the PS query below
> get-qaduser -includedproperties altrecipient, homeMDB -disabled | select-object -property “name”, “description” , “altrecipient”, “homeMDB” > c:\mailboxes.csv
Then sort by HomeMDB.

Now you have a list of folks to work with. The next step if you want to stop email flowing to that mailbox is to do one of a couple things ( there’s some other options too) -you can either restrict who can send email to that address (say a dummy account in your organization only) which will prevent anyone else sending to that mailbox or you can change the primary SMTP address to something else and the original address will cause a non-deliverable.

What’s the difference? Not much. If you restrict who can email you will get the following NDR:

Your message wasn’t delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator. #550 5.7.1 RESOLVER.RST.NotAuthorized; not authorized ##

If you change the primary address to something else you will get this:

The recipient’s e-mail address was not found in the recipient’s e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator. #550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##

I personally prefer the address not found. That to me is a little more definitive and doesn’t say oops you can’t do that, please call me and ask for permission to do it. It says oops, that address is wrong, check it and make sure you’re sending to someone who is still here.  My standard format for changing addresses is to leave the username and add in _DISABLED. So the new address looks like:

Then if you want to easily find everyone who has a disabled email… the search is like this:

> Get-Recipient -ResultSize Unlimited -Filter “EmailAddresses -like ‘*_DISABLED@domain.local’ -And RecipientType -eq ‘UserMailbox'”