Users cannot manage distribution groups that they are owners of in Exchange 2013

If you have recently run across an issue where users are unable to manage a distribution group in Outlook or Exchange even though you have made them owners of the group, this is by design.  By default, users in Exchange 2013 are assigned the “Default Role Assignment Policy”.  This policy does not grant the permissions needed to manage a group even when the user is an owner of that distribution group.  In order to fix this you must log in to the ECP at https://servername/ecp.  Once there, go into Permissions on the left-hand side.
[Image: distribution groups I own]
Click on Admin Roles.  In my instance I just assigned my user the Recipient Management role, since they are an administrator-level employee.  This resolves the issue.
[Image: permissions]
If all of the following hold true, you can also just download and run this PowerShell script instead.

  • I want my users to be able to manage distribution groups they own.
  • I don’t want them to be able to create distribution groups.
  • I don’t want them to be able to remove distribution groups even if they do own them.

# Script for creating a Role that can manage distribution groups but can't create new ones
#
#################################################################################
#
# The sample scripts are not supported under any Microsoft standard support
# program or service. The sample scripts are provided AS IS without warranty
# of any kind. Microsoft further disclaims all implied warranties including, without
# limitation, any implied warranties of merchantability or of fitness for a particular
# purpose. The entire risk arising out of the use or performance of the sample scripts
# and documentation remains with you. In no event shall Microsoft, its authors, or
# anyone else involved in the creation, production, or delivery of the scripts be liable
# for any damages whatsoever (including, without limitation, damages for loss of business
# profits, business interruption, loss of business information, or other pecuniary loss)
# arising out of the use of or inability to use the sample scripts or documentation,
# even if Microsoft has been advised of the possibility of such damages
#
#################################################################################
#
# Written by Matthew Byrd
# Matbyrd@microsoft.com
# Last Updated 10.15.09

# Parameters: the name of the new Role, the Role Assignment Policy to attach it to,
# and two switches that toggle the New-/Remove-DistributionGroup role entries
Param([string]$name="MyDistributionGroupsManagement",[string]$policy="Default Role Assignment Policy",[switch]$creategroup,[switch]$removegroup)
# Help Function
Function Show-Help {
Write-Host @"

This script will create or manage a management role designed to allow users to modify groups that they already own
but not create or remove any distribution groups.
Switches:
-name           Name of the management role you want to create or modify
                Defaults to: "MyDistributionGroupsManagement"
-policy         Name of the Role Assignment Policy you want to assign the role to
                Defaults to: "Default Role Assignment Policy"
-creategroup    Adds or Removes the ability of the Role to Create DLs
-removegroup    Adds or Removes the ability of the Role to Remove DLs
Examples:
--------------------------------------------
This will use the default names and Policy and will create a role that cannot
create or remove groups but can still modify them.  If the role already exists
it will modify it by removing or adding the ability to create and remove groups
based on the current state.
Manage-GroupManagementRole -CreateGroup -RemoveGroup

"@
}
# Function to modify a role by removing or adding Role Entries
# If no action is passed we assume remove
# $roleentry should be in the form Role\RoleEntry e.g. MyRole\New-DistributionGroup
Function ModifyRole {
Param($roleentry,$action)
Switch ($action){
Add {Add-ManagementRoleEntry $roleentry -Confirm:$false}
Remove {Remove-ManagementRoleEntry $roleentry -Confirm:$false}
Default {Remove-ManagementRoleEntry $roleentry -Confirm:$false}
}
}
If (($creategroup -eq $false) -and ($removegroup -eq $false)){
Show-Help
exit
}
# Test if we have a role that already has that name
If (([bool](Get-ManagementRole $name -ErrorAction SilentlyContinue)) -eq $true){
Write-Warning "Found a Role with Name: $name"
Write-Warning "Trying to Modify Existing Role"
}
Else {
# Create the new Management Role as a child of the built-in MyDistributionGroups role
Write-Host "Creating Management Role $name"
New-ManagementRole -Name $name -Parent MyDistributionGroups
}
# Determine if we have the New and Remove Role Entries on the Role Already
$create = [bool](Get-ManagementRoleEntry "$name\New-DistributionGroup" -ErrorAction SilentlyContinue)
$remove = [bool](Get-ManagementRoleEntry "$name\Remove-DistributionGroup" -ErrorAction SilentlyContinue)
# If we have the switch CreateGroup add or remove the RoleEntry for New-DistributionGroup
If ($creategroup -eq $true){
If ($create -eq $true){ModifyRole "$name\New-DistributionGroup" Remove;Write-Host "Removing ability to create distribution groups from $name"}
elseif ($create -eq $false) {ModifyRole "$name\New-DistributionGroup" Add;Write-Host "Adding ability to create distribution groups to $name"}
}
# If we have the switch RemoveGroup add or remove the RoleEntry for Remove-DistributionGroup
If ($removegroup -eq $true){
If ($remove -eq $true){ModifyRole "$name\Remove-DistributionGroup" Remove;Write-Host "Removing ability to remove distribution groups from $name"}
elseif ($remove -eq $false) {ModifyRole "$name\Remove-DistributionGroup" Add;Write-Host "Adding ability to remove distribution groups to $name"}
}
# Test if we have the assignment for the Role and Policy
# If we do ... write a warning
# If not create a new assignment
If (([bool](Get-ManagementRoleAssignment "$name-$policy" -ErrorAction SilentlyContinue)) -eq $true){
Write-Warning "Found Existing Role Assignment: $name-$policy"
Write-Warning "Making no modifications to Role Assignments"
}
Else {
# Assign the Role to the Role Assignment Policy
Write-Host "Creating Management Role Assignment $name-$policy"
New-ManagementRoleAssignment -Name "$name-$policy" -Role $name -Policy $policy
}
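After the script has run, it is worth confirming that the custom role really is the parent role minus the two cmdlets, and that it is attached to the policy your users actually hold. The check below is an added example, not part of Matthew Byrd's script or of the original post; it assumes the script's default names in $roleName and $policyName, so change them if you passed -name or -policy.

```powershell
# Added verification example (not part of the Microsoft sample script above).
# Assumes the script was run with its default names; adjust these two values
# if -name or -policy was used.
$roleName   = "MyDistributionGroupsManagement"
$policyName = "Default Role Assignment Policy"

# 1. The role must exist and be derived from the built-in MyDistributionGroups role.
$role = Get-ManagementRole -Identity $roleName -ErrorAction Stop
"Role '{0}' derived from parent '{1}'" -f $role.Name, $role.Parent

# 2. Compare the entries on the parent with those left on the custom role.
#    Anything present on the parent but missing from the child is what users lost.
$parentEntries = Get-ManagementRoleEntry "MyDistributionGroups\*" | Select-Object -ExpandProperty Name
$childEntries  = Get-ManagementRoleEntry "$roleName\*"           | Select-Object -ExpandProperty Name
$removed = Compare-Object $parentEntries $childEntries |
    Where-Object { $_.SideIndicator -eq "<=" } |
    Select-Object -ExpandProperty InputObject
"Cmdlets removed from the custom role: $($removed -join ', ')"

# 3. Flag the two entries this setup is supposed to strip.
foreach ($cmdlet in "New-DistributionGroup", "Remove-DistributionGroup") {
    if ($childEntries -contains $cmdlet) {
        Write-Warning "$roleName still grants $cmdlet"
    } else {
        Write-Host "$roleName does not grant $cmdlet (expected)"
    }
}

# 4. The role must be assigned to the policy, and that policy must be the one
#    end users are actually on.
Get-ManagementRoleAssignment -Role $roleName |
    Format-Table Name, RoleAssigneeType, RoleAssigneeName -AutoSize

$usersOnPolicy = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RoleAssignmentPolicy -eq $policyName } |
    Measure-Object | Select-Object -ExpandProperty Count
"$usersOnPolicy mailboxes are on '$policyName'"
```

Step 2 is the one that matters from a least-privilege point of view: because the custom role is a child of MyDistributionGroups, it starts out with every cmdlet the parent has, and the only thing stopping owners from creating or deleting groups is the pair of entries the script removes.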
 

No more exmerge in Exchange 2010, using mailbox import export

First you have to give permissions to the account that needs to import/export or nothing will work.  Here “MyExportAccount” is the account that needs permission to export user mailboxes:
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "MyExportAccount"
Next you must submit the request to export a mailbox (you must export to a UNC path).  Here ExportMailboxUserName is the alias of the user you are exporting:
New-MailboxExportRequest -Mailbox ExportMailboxUserName -FilePath "\\Server1\PSTExports\ExportMailboxUserName.pst"
You may notice, if you run the command below, that the export status is Queued:
Get-MailboxExportRequestStatistics ExportMailboxUserName\MailboxExport | fl
If it is queued, run this command:
Resume-MailboxExportRequest ExportMailboxUserName\MailboxExport
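The same export, carried through as a script that checks its preconditions and follows the request to a terminal state, is shown below. It is an added example and not code from the original post; the alias, the share path and the request name are assumed values to replace with your own. The share check reflects a requirement of the feature itself: the Mailbox Replication service writes the PST, so the Exchange Trusted Subsystem group, not the administrator running the cmdlet, needs read/write access on the share.

```powershell
# Added example (not from the original post): submit a mailbox export request
# and follow it to completion. Assumed values: the alias, share path and request
# name below; replace them with your own.
$alias       = "ExportMailboxUserName"
$pstPath     = "\\Server1\PSTExports\$alias.pst"     # must be a UNC path
$requestName = "Export-$alias-$(Get-Date -Format yyyyMMdd)"

# Precondition 1: RBAC. The Exchange shell only imports the cmdlets your role
# assignments allow, so a missing New-MailboxExportRequest means the
# "Mailbox Import Export" assignment has not taken effect for this account yet
# (a new shell session is needed after the assignment is created).
if (-not (Get-Command New-MailboxExportRequest -ErrorAction SilentlyContinue)) {
    throw "New-MailboxExportRequest is not available: assign the 'Mailbox Import Export' role and open a new shell"
}

# Precondition 2: the share must be reachable, and the 'Exchange Trusted Subsystem'
# group needs read/write on it, because the Mailbox Replication service (not the
# account running this script) is what writes the PST file.
$shareRoot = Split-Path $pstPath -Parent
if (-not (Test-Path $shareRoot)) { throw "Cannot reach $shareRoot from this host" }

# Submit the request with an explicit name so it can be tracked and cleaned up.
$req = New-MailboxExportRequest -Mailbox $alias -FilePath $pstPath -Name $requestName -BadItemLimit 10
"Submitted request $($req.Name)"

# Poll until the Mailbox Replication service finishes. Queued and InProgress are
# normal transient states; everything else is treated as terminal here.
$transient = @("Queued", "InProgress", "CompletionInProgress")
do {
    Start-Sleep -Seconds 30
    $stats = Get-MailboxExportRequestStatistics -Identity "$alias\$requestName"
    "{0:HH:mm:ss}  {1,-22} {2,3}%" -f (Get-Date), $stats.Status, $stats.PercentComplete
} while ($transient -contains "$($stats.Status)")

switch ("$($stats.Status)") {
    { $_ -eq "Completed" -or $_ -eq "CompletedWithWarning" } {
        "Export finished: $pstPath"
        # Clear the finished request so the request queue stays readable.
        Remove-MailboxExportRequest -Identity "$alias\$requestName" -Confirm:$false
    }
    "Suspended" {
        Write-Warning "Request is suspended; Resume-MailboxExportRequest '$alias\$requestName' restarts it"
    }
    default {
        Write-Warning "Export ended in state $($stats.Status)"
        # -IncludeReport attaches the MRS report, which carries the failure detail.
        (Get-MailboxExportRequestStatistics -Identity "$alias\$requestName" -IncludeReport).Report
    }
}
```

Status values are compared as strings and with -contains so the script also runs under the PowerShell 2.0 shell that ships with Exchange 2010. The resulting PST holds the full mailbox content without any protection of its own, so the export share should be restricted to the accounts that genuinely need it.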

Use PowerShell in Exchange 2010 to give a distribution group permissions to a security group's members' calendars

The first thing you will want to do is create an Active Directory security group.  In my example I created one named “calendartest”.  Now add all the users whose calendars need to be shared with a distribution group of users to this group that you have created.
Now open adsiedit.msc so you can find the distinguished name of the group in Active Directory; you are going to need this.  In my example it is “CN=calendartest,OU=MyUsers,DC=TestDomain,DC=local”.
Finally open PowerShell and simply run these two commands:
$calendartest = Get-Mailbox -Filter {MemberOfGroup -eq 'CN=calendartest,OU=MyUsers,DC=TestDomain,DC=local'}
$calendartest | ForEach-Object {Add-MailboxFolderPermission -Identity "$($_.Alias):\Calendar" -User AllMySalesUsers@MyDomain.com -AccessRights Reviewer}
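The two-liner above works for English-language mailboxes that have never been shared with the group before. Two things make it fail in practice: the default calendar folder is named in the mailbox language (Kalender, Calendrier, ...), so the literal path \Calendar does not exist in every mailbox, and Add-MailboxFolderPermission errors out when the grantee already has an entry on the folder, which must then be changed with Set-MailboxFolderPermission instead. The script below handles both cases. It is an added example, not the original post's code; the group DN, the distribution group address and the -WhatIf switch are assumed values, and the -User parameter of Get-MailboxFolderPermission it relies on is available from Exchange 2010 SP1 onward.

```powershell
# Added example (not the original post's code): grant a distribution group
# Reviewer rights on every calendar in an AD security group, handling localized
# calendar folder names and pre-existing permission entries. Assumed values:
# the group DN, the grantee address and the -WhatIf switch.
Param([switch]$WhatIf)

$groupDn = "CN=calendartest,OU=MyUsers,DC=TestDomain,DC=local"
$grantee = "AllMySalesUsers@MyDomain.com"
$rights  = "Reviewer"

# @() guards against the single-result case, where .Count is not an array count.
$mailboxes = @(Get-Mailbox -ResultSize Unlimited -Filter "MemberOfGroup -eq '$groupDn'")
"Found $($mailboxes.Count) mailboxes in $groupDn"

foreach ($mbx in $mailboxes) {
    # Case 1: resolve the real name of the default calendar folder instead of
    # assuming it is called "Calendar".
    $calendar = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope Calendar |
        Where-Object { $_.FolderType -eq "Calendar" } |
        Select-Object -First 1
    if (-not $calendar) {
        Write-Warning "$($mbx.Alias): no default calendar folder found, skipping"
        continue
    }
    $folderId = "$($mbx.Alias):\$($calendar.Name)"

    # Case 2: Add-MailboxFolderPermission fails if the grantee already has an
    # entry on the folder; an existing entry is updated with Set- instead.
    $existing = Get-MailboxFolderPermission -Identity $folderId -User $grantee -ErrorAction SilentlyContinue
    if ($existing) {
        if ("$($existing.AccessRights)" -eq $rights) {
            "$folderId : $grantee already has $rights, nothing to do"
            continue
        }
        "$folderId : changing $grantee from $($existing.AccessRights) to $rights"
        Set-MailboxFolderPermission -Identity $folderId -User $grantee -AccessRights $rights -WhatIf:$WhatIf
    } else {
        "$folderId : granting $rights to $grantee"
        Add-MailboxFolderPermission -Identity $folderId -User $grantee -AccessRights $rights -WhatIf:$WhatIf
    }
}
```

Run it once with -WhatIf to see which folders would change and which already carry the right entry; the per-mailbox output is also a convenient record of exactly what access a given distribution group was handed.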

roku.com/facebook gives error "An error occurred. Please try again later."

To fix this you must authorize Roku.
http://www.facebook.com/l.php?u=http%3A%2F%2Froku.com%2Fphotofeed&h=7694b
You will then have an issue where Roku cannot find your photo stream.  To fix you must give it permissions again.  Click the link below.
https://graph.facebook.com/oauth/authorize?client_id=111568578699&redirect_uri=http%3A%2F%2Fshop.roku.com&scope=read_stream%2Cfriends_photos%2Cuser_photos%2Cuser_photo_video_tags%2Cfriends_photo_video_tags

Should I rename my domain administrator account?

As I open the log files on my honeypot server I see multiple brute-force attacks on my FTP server.  They are using “administrator” and every possible combination of letters and characters.  I sit for a moment and think to myself: what if I had not renamed my administrator account?  Would my FTP server have been compromised?
These questions bring me ultimately to why you should rename your domain administrator account.  There are certain services, like Microsoft FTP through IIS, that do not let you set how many incorrect attempts are allowed before a user is locked out.  And regardless, how can you lock out the one account that has access to your entire network?  First I will just say I don’t believe entirely in security through obscurity.  However, it is definitely a mechanism you can put in place to further protect your network.  When hackers try to brute force your network you can almost be certain they’re going to try “administrator” as their user.
You might be asking at this point: OK, so if I rename my domain administrator account, how will I access items that require this permission?  This is a good question.  Basically what I would recommend is to create an account named admin-username, username of course being your user name or that of any other user who needs to manage your domain.  Once you have done this I would recommend renaming your domain administrator account to something obscure.  Then set its password and make it very long and difficult to brute force.  When that is complete, save that password somewhere secure in case the day comes when you need it.
Since I’m on this note, there is another very important security measure administrators should take.  NEVER use your domain admin account to log in on a daily basis.  You should be logging in to your network just like every other user, with an account that has absolutely no administrator permissions.  If you need to install new hardware or software or change system settings then do a runas, or simply log off and log back in as administrator.  I cannot tell you how many machines or networks get infected because users are logging in as administrator when they don’t need to be.  Don’t get lazy and complacent; do the right thing today.
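The point about obscurity can be checked rather than argued. The built-in administrator account keeps RID 500 in the domain SID whatever it is called, so a defender can find it by SID, confirm the rename took, and then look at which account names the failed logons in a server's Security log are actually aimed at: guesses against “administrator” that hit a renamed account fail as “no such user” rather than as a bad password, which is exactly the difference the rename makes. The script below does that. It is an added example and not part of the original post; it needs the ActiveDirectory module (RSAT) and read access to the Security log on the host being examined, and the $hours window is an assumed value.

```powershell
# Added example (not part of the original post): confirm the built-in domain
# Administrator has been renamed, and tally recent failed logons (event 4625)
# on this host by the account name that was tried. Requires the ActiveDirectory
# module and read access to the local Security log; $hours is an assumed window.
Import-Module ActiveDirectory
$hours = 24

# The built-in administrator always has RID 500 in the domain SID, so a rename
# changes the name attackers have to guess but not the account's identity.
# Look it up by SID rather than by name.
$domainSid = (Get-ADDomain).DomainSID.Value
$builtIn   = Get-ADUser -Identity "$domainSid-500" -Properties LastLogonDate, PasswordLastSet
if ($builtIn.SamAccountName -eq "Administrator") {
    Write-Warning "Built-in administrator (RID 500) still uses the default name"
} else {
    "Built-in administrator (RID 500) is named '$($builtIn.SamAccountName)'"
}
"  Enabled: {0}  PasswordLastSet: {1}  LastLogonDate: {2}" -f $builtIn.Enabled, $builtIn.PasswordLastSet, $builtIn.LastLogonDate

# Pull failed logons from the local Security log. 4625 is written on the machine
# where the logon was attempted, so run this on the exposed server itself.
$since  = (Get-Date).AddHours(-$hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

$attempts = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        TargetUser = $data['TargetUserName']
        Source     = $data['IpAddress']
        SubStatus  = $data['SubStatus']   # 0xC0000064 = no such user, 0xC000006A = wrong password
    }
}

"Failed logons in the last $hours h by target account:"
$attempts | Group-Object TargetUser | Sort-Object Count -Descending |
    Select-Object Count, Name -First 15 | Format-Table -AutoSize

# Failures that name the real (renamed) administrator mean the new name is known
# to whoever is guessing, which is the case that deserves a closer look.
$real = @($attempts | Where-Object { $_.TargetUser -eq $builtIn.SamAccountName })
if ($real.Count -gt 0) {
    $sources = ($real | Select-Object -ExpandProperty Source -Unique) -join ', '
    Write-Warning ("{0} failed logons targeted the renamed administrator from: {1}" -f $real.Count, $sources)
}
```

If the top of the tally is “administrator” with SubStatus 0xC0000064 while the RID 500 account carries another name, the rename is doing what the post describes: the guesses are landing on a name that no longer exists. Attempts against the real name, or a long tail of plausible user names, are the signal that obscurity alone is not holding and that the lockout and logon-restriction measures in the rest of the post need to carry the load.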