How to Self-Elevate a PowerShell Script

Friday, March 31, 2017

Update: I updated the code below so it works correctly when there are spaces in the path or script name. Thanks to Pat Richard for performance and deprecation improvements.

Most of the scripts I write require elevation -- they must be run from an elevated PowerShell prompt because they make changes to Windows that require Administrator access. Adding the following code snippet to the beginning of a script makes the script self-elevate. I honestly can't remember where I found the original code, but I updated it to work with Windows 10 and Windows Server 2016 and later build numbers.

Of course, you should ALWAYS confirm that your script is running properly before allowing it to self-elevate. I take no responsibility for the scripts that run using this code.
# Self-elevate the script if required
if (-Not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
    # Windows Vista (build 6000) and later support UAC elevation through the RunAs verb
    if ([int](Get-CimInstance -Class Win32_OperatingSystem | Select-Object -ExpandProperty BuildNumber) -ge 6000) {
        # Quote the script path so paths with spaces survive, and pass through any arguments
        $CommandLine = "-File `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments
        Start-Process -FilePath PowerShell.exe -Verb Runas -ArgumentList $CommandLine
        Exit
    }
}
Simply add this snippet at the beginning of a script that requires elevation to run properly. It works by starting a new elevated PowerShell window and then re-executing the script in that new window, if necessary. If User Account Control (UAC) is enabled, you will get a UAC prompt. If the script is already running in an elevated PowerShell session or UAC is disabled, the script will run normally. This code also allows you to right-click the script in File Explorer and select "Run with PowerShell".

Here's how it works:
  • The first line checks to see if the script is already running in an elevated environment. This would occur if PowerShell is running as Administrator or UAC is disabled. If it is, the script will continue to run normally in that process.
  • The second line checks to see if the Windows operating system build number is 6000 (Windows Vista) or greater. Earlier builds did not support Run As elevation.
  • The third line retrieves the command line used to run the original script, including any arguments.
  • Finally, the fourth line starts a new elevated PowerShell process where the script runs again. Once the script terminates, the elevated PowerShell window closes.

Pretty slick!
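One caveat of the snippet above is that only unbound arguments are passed to the elevated process, so named parameters are lost on relaunch. The following added example (not the code from the original post) is a variant that re-passes bound parameters too, quotes each value, and reports when the UAC prompt is declined; the $LogPath and $Quiet parameters are hypothetical stand-ins for a script's own parameters.

```powershell
# Added example: self-elevation that preserves bound parameters and handles a declined UAC prompt.
# $LogPath and $Quiet are hypothetical placeholders for whatever parameters your script takes.
[CmdletBinding()]
param(
    [string]$LogPath = "$env:TEMP\elevate-example.log",
    [switch]$Quiet
)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # Rebuild the command line: script path first, then every bound parameter,
    # then anything that was not bound. Values are quoted so spaces survive.
    $argList = @('-File', ('"{0}"' -f $MyInvocation.MyCommand.Path))
    foreach ($kv in $PSBoundParameters.GetEnumerator()) {
        if ($kv.Value -is [switch]) {
            if ($kv.Value.IsPresent) { $argList += "-$($kv.Key)" }
        } else {
            $argList += "-$($kv.Key)"
            $argList += ('"{0}"' -f ($kv.Value -replace '"', '\"'))
        }
    }
    foreach ($extra in $MyInvocation.UnboundArguments) {
        $argList += ('"{0}"' -f ($extra -replace '"', '\"'))
    }
    try {
        # -Verb RunAs triggers the UAC prompt; cancelling it raises a terminating error here
        Start-Process -FilePath 'PowerShell.exe' -Verb RunAs -ArgumentList $argList -ErrorAction Stop
    } catch {
        Write-Warning "Elevation was cancelled or failed: $($_.Exception.Message)"
        exit 1
    }
    exit 0
}

# From here on the script is running elevated.
"Running elevated as $([Security.Principal.WindowsIdentity]::GetCurrent().Name); log: $LogPath" |
    Tee-Object -FilePath $LogPath
if (-not $Quiet) { Read-Host 'Press Enter to close the elevated window' | Out-Null }
```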

How to Secure Your Data on Docs.com

Tuesday, March 28, 2017
According to Microsoft,
Docs.com is a Microsoft online platform where you can publish and discover Word, Excel, PowerPoint, OneNote, Sway, and PDF documents, among others. With Docs.com, you can create an online portfolio of your expertise, discover, download, or bookmark works from other authors, and build your brand with built-in SEO, analytics, and email and social sharing.
The SEO and discoverability features of Docs.com are powerful and make it imperative that you secure the data you store on Docs.com. I was easily able to search for and view public documents with sensitive and private information in Docs.com. See the following Ars Technica article to scare the bejeebus out of you: Doxed by Microsoft's Docs.com: Users unwittingly shared sensitive docs publicly.

Whenever you publish a document to Docs.com the default visibility setting is Public, meaning that anyone can find it on the web using the Docs.com search form or from search engines like Bing or Google. When you publish a document, Docs.com warns you,
You are making your document publicly available on the web so search engines can find it. Make sure it doesn't contain private information that you don't want to share.
But it also gives you the option to remember this setting and not warn you again. This makes it all too easy to forget that all your future publications will be public by default.

Docs.com is meant to be a service for sharing documents, either publicly (to everyone), or limited (only to those who have the URL). A third option, Organization, allows access to your docs only from users who sign in using organizational credentials for your Office 365 tenant, but this visibility setting is currently only available for schools.

If you're using Docs.com to store sensitive data you're doing it wrong. You should probably be storing it locally, on a secure network drive, or on OneDrive with the correct security settings configured.

There are virtually no administrator controls that can be placed on users' data. All visibility changes and deletions must be performed by the end user.

To change the visibility settings on a currently published document, sign into your Docs.com profile page. Select the document(s) you want to update and click Edit. Here, you can change the visibility from Public to Limited, or possibly to Organization, if you're a school. Of course, you can always just delete the document, as well.

Keep in mind that changing the visibility of a document or collection from Public to Organization doesn't immediately remove it from search engine indexes, even though the indexed link no longer works. It typically takes several days until links are fully removed from search engine listings.

If you wish to delete your Docs.com account be aware your page on the site and all associated content will be permanently deleted. Make sure you download and save any data you wish to keep from Docs.com first, then go to the Docs.com setup page and click Delete Account at the bottom.

The only administrator control available to your Office 365 tenant is to disable allowing end-users to publish documents to Docs.com using their Office 365 credentials for your tenant. It will not prevent them from publishing data with another credential (Hotmail, Facebook, etc.)

To disable Docs.com in your tenant (it's not enabled by default), log into the Office 365 portal as a tenant administrator and go to the Admin portal. Click Settings > Services and Add-Ins > Docs.com and then turn it off.

This will disallow end-users from publishing additional documents to Docs.com going forward, but it will not delete any published data or accounts.
Do you need additional help with Office 365 or your on-premises environment? Contact EXPTA Consulting today for a free consultation. Visit www.expta.com or on Skype for Business.

How to Uninstall Antispam Agents on Exchange Servers

Friday, March 17, 2017
UPDATE: The Exchange Team posted an article about this issue today. See Exchange Server Edge Support on Windows Server 2016 Update.

Microsoft announced that they were deprecating support for the SmartScreen spam content filter for Exchange Server in September 2016. See the article, Deprecating support for SmartScreen in Outlook and Exchange for full details.

All that is supposed to mean is that Microsoft is no longer producing anti-spam signatures for Exchange, but I discovered today that the Microsoft Exchange Transport service would not start on my Exchange 2016 Edge Transport servers after a servicing reboot. These Edge servers are running on Windows Server 2016. The Application event log shows the following error:
Log Name:      Application
Source:        MSExchangeTransport
Date:          3/17/2017 2:59:07 PM
Event ID:      16023
Task Category: Configuration
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      mail.contoso.com
Description:
Microsoft Exchange couldn't start transport agents. The Microsoft Exchange Transport service will be stopped. Exception details: Failed to create type 'Microsoft.Exchange.Transport.Agent.ContentFilter.ContentFilterAgentFactory' from assembly 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll' due to error 'Exception from HRESULT: 0xC0630005'...
The exception details in the event (ContentFilterAgentFactory from Microsoft.Exchange.Transport.Agent.Hygiene.dll) indicate that the problem is with the content filter, which is one of the antispam agents installed with the Install-AntispamAgents.ps1 PowerShell script. Whenever the MSExchangeTransport service is started, the service stops again within a minute and this event is logged.

The fix for me is to remove the content filter transport agent on the Exchange server(s) where the antispam agents are installed. Run the Get-TransportAgent cmdlet from the Exchange Management Shell to see if the antispam agents are installed. These transport agents include the Content Filter Agent, Sender Filter Agent, Sender ID Agent, and Protocol Analysis Agent.

To uninstall these agents, use the Uninstall-TransportAgent cmdlet. For example,
Uninstall-TransportAgent -Identity "Content Filter Agent"
Uninstall-TransportAgent -Identity "Sender Id Agent"
Uninstall-TransportAgent -Identity "Sender Filter Agent"
Uninstall-TransportAgent -Identity "Protocol Analysis Agent"
For me, all I really needed to uninstall was the Content Filter Agent to get the Transport Service to start.

Once you've uninstalled them, you need to restart the Transport Service:
Restart-Service MSExchangeTransport
This will start the Microsoft Exchange Transport Service if it was already stopped and you're back in business. Of course, you still need a good antispam service for on-prem. I use Exchange Online Protection (EOP) which works very well for me and most of my customers.
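The steps above as one script, an added example rather than code from the original post: it removes only the antispam agents that are actually installed, restarts the transport service, waits past the one-minute window in which the failing service stops again, and then checks for a fresh event 16023. It assumes it is run from the Exchange Management Shell on the affected server.

```powershell
# Added example: remove installed antispam transport agents and verify the transport service stays up.
$antispamAgents = @('Content Filter Agent', 'Sender Filter Agent', 'Sender Id Agent', 'Protocol Analysis Agent')

# Only touch agents that are really present; Get-TransportAgent returns nothing for absent ones.
$installed = Get-TransportAgent | Where-Object { $antispamAgents -contains $_.Identity }
if (-not $installed) {
    Write-Host 'No antispam transport agents are installed; nothing to do.'
    return
}

foreach ($agent in $installed) {
    Write-Host "Removing transport agent '$($agent.Identity)' (priority $($agent.Priority))"
    Uninstall-TransportAgent -Identity $agent.Identity -Confirm:$false
}

Restart-Service MSExchangeTransport

# The broken service stops again within about a minute, so wait before judging the result.
Start-Sleep -Seconds 90
$svc = Get-Service MSExchangeTransport
if ($svc.Status -eq 'Running') {
    Write-Host 'MSExchangeTransport is running.'
} else {
    Write-Warning "MSExchangeTransport is $($svc.Status); recent agent-load errors follow:"
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MSExchangeTransport'; Id = 16023
        StartTime = (Get-Date).AddMinutes(-5)
    } -ErrorAction SilentlyContinue | Format-List TimeCreated, Message
}
```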


Office 365 Begins Force-Feeding Groups to Tenants

Thursday, March 16, 2017
Beginning in March 2017, Microsoft will create Office 365 Groups for certain managers unless you opt out.

According to the support article, "Manage automatic creation of direct reports group - Admin help":
"Managers who have 2-20 direct reports, do not already have a direct reports group, and have permissions to create groups in Outlook, will automatically have a private group created for them with their direct reports. The manager will be added as an owner, and the direct reports of the manager will be added as members by default. The group will be named '<Manager's Name>'s direct reports', but that can be edited."
The article goes on to explain how to opt out and how to identify Groups that have already been automatically created. Not to be a Luddite or anything, but I prefer that I make my own changes in my environment, thankyouverymuch.

It's important to note that these new auto-created groups are not dynamic. That means that if a manager's direct reports change for any reason (hires, fires, promotions, etc.) the direct reports group membership will not change automatically. Clearly, this new "feature" was only added to hit some metric Microsoft is measuring for Groups "adoption".

To opt out of automatic Group creation you'll need to run some remote PowerShell. Connect to Exchange Online PowerShell and run the following cmdlet:
Set-OrganizationConfig -DirectReportsGroupAutoCreationEnabled $false
All automatically created groups have their GroupPersonification property populated with a Groupsona value. To find the Groups that have been automatically created, run the following cmdlet in remote PowerShell:
Get-UnifiedGroup -ResultSize Unlimited | Where-Object {$_.GroupPersonification -eq 'Groupsona:AutoDirectReports'}
Microsoft is all about consumption these days, which is why you can expect an opt-out model as opposed to opt-in for new features. I'm interested to know how you feel about that. Use the comments section below.
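The two cmdlets above combined into a review script, as an added example that is not part of the original post: it disables auto-creation, then reports each auto-created group with its owner, member count and creation date so you can decide what to keep before removing anything. It assumes an existing Exchange Online PowerShell session.

```powershell
# Added example: opt out of automatic direct-reports groups and report the ones already created.
Set-OrganizationConfig -DirectReportsGroupAutoCreationEnabled $false

$autoGroups = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.GroupPersonification -eq 'Groupsona:AutoDirectReports' }

$report = foreach ($g in $autoGroups) {
    # Membership is static (not dynamic), so the count is whatever it was at creation time
    $members = Get-UnifiedGroupLinks -Identity $g.Identity -LinkType Members -ResultSize Unlimited
    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Owner       = ($g.ManagedBy -join '; ')
        MemberCount = @($members).Count
        Created     = $g.WhenCreated
    }
}

$report | Sort-Object Created | Format-Table -AutoSize

# Removal is a separate, deliberate step; uncomment only after reviewing the report.
# $autoGroups | Remove-UnifiedGroup -Confirm:$true
```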


Important AD FS Update for Azure AD Connect

Wednesday, March 8, 2017

Microsoft has released Azure Active Directory Connect 1.1.443.0, which includes several bug fixes and new features that your environment will need, especially if you use AD FS:
  • Added support for updating AD FS Farm SSL Certificate
  • Added support for managing AD FS 2016
  • You can now specify existing gMSA (Group Managed Service Account) during AD FS installation
  • You can now configure SHA-256 as the signature hash algorithm for Azure AD relying party trust.

That last bullet point is very important now that SHA-1 has been shown to be broken (a practical collision was demonstrated), as I wrote last month.
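To check whether an existing Azure AD relying party trust still signs with SHA-1, and to move it to SHA-256 if so, here is an added example (not from the original post or from Azure AD Connect itself). It assumes the AD FS PowerShell module on the primary AD FS server and the default trust name that Azure AD Connect creates.

```powershell
# Added example: audit and fix the signature hash algorithm on the Azure AD relying party trust.
$trustName = 'Microsoft Office 365 Identity Platform'   # default name created by Azure AD Connect
$sha1      = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$sha256    = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' not found; check the name on this farm" }

Write-Host "Current signature algorithm: $($trust.SignatureAlgorithm)"
if ($trust.SignatureAlgorithm -eq $sha1) {
    # Tokens for Azure AD will be signed with RSA-SHA256 from now on
    Set-AdfsRelyingPartyTrust -TargetName $trustName -SignatureAlgorithm $sha256
    Write-Host 'Switched to SHA-256.'
} elseif ($trust.SignatureAlgorithm -ne $sha256) {
    Write-Warning "Unexpected algorithm on this trust, review manually: $($trust.SignatureAlgorithm)"
} else {
    Write-Host 'Already SHA-256; nothing to change.'
}
```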

Azure AD Connect makes on-premises and Office 365 directory integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

EXPTA Consulting can help your organization move to the Microsoft cloud or upgrade your existing hybrid infrastructure. Contact us today!