SCENARIO
You’re managing a SharePoint Online environment and you want to know where external sharing is enabled.
PROBLEM
The problem is that Microsoft hasn’t fully launched a way of getting a good overview of this where you can change it. When you first enable sharing for example alot of sites will have it turned on by default etc. The new SharePoint Admin center has the ability to add the “external sharing on/off” column in the list of sites but that is very limited and you can’t enable or disabled it.
SOLUTION
Fortunately there is a very good attribute that you can retrive to get this and alter the external sharing setting called “SharingCapability”.
So using that you can get a list of all sites and what the status is of them, or you can filter for all that have it enabled or disabled:
get-sposite | select url, SharingCapability # All sites with their URL and SharingCapability
get-sposite | Where-Object{$_.SharingCapability -eq "ExternalUserSharingOnly"} # External user sharing (share by email) is enabled, but guest link sharing is disabled.
get-sposite | Where-Object{$_.SharingCapability -eq "ExistingExternalUserSharingOnly"} # External user sharing to existing Azure AD Guest users
get-sposite | Where-Object{$_.SharingCapability -eq "ExternalUserAndGuestSharing"} # External user sharing (share by email) and guest link sharing are both enabled
get-sposite | Where-Object{$_.SharingCapability -eq "Disabled"} # External user sharing disabled
Once you have that you can script it so you can disabled external sharing on all sites by doing this:
$allsites = get-sposite | Where-Object{$_.SharingCapability -ne "Disabled"}
foreach($specificsite in $allsites) { Set-SPOSite $specificsite.url -SharingCapability Disabled }
The reason you want to do this in a “foreach” is there will be a site or two you may get an error that you can’t change the setting, so that would exit the command on that error.
How can I make that statement this of all years, when the best Assasins Creed “in years” launched, best “Star Wars” game ever, sequal to “Shadow of Mordor”, a WWII “Call of Duty” and oh so many other great titles come out!? Well, bare with me…
You know I’ve always been a gamer, right? Ever since my dad dragged home the first “portable” computer in the 80’s and we were playing that terrible olympic Decathlon game, through the Commodore series (VIC20 -> C64 -> Amiga) all the way up till now, I’ve always played computer games. Never been much for consoles though but that’s a different story. And playing games have been pretty much the same for most of that time. But when “World of Warcraft” launched back in 2004 it was… a subscription!? $60 to buy the game plus $10 per month!? Well they pushed out content on content so I thought that was ok. Think I paid about $1300 for “World of Warcraft” all in all. That was for over 10 years of entertainment, pretty sweet deal if you ask me!
And being a Blizzard fanboy I’ve gone through their “Heroes of the Storm” and “Overwatch” too. One thing I never really liked about those games was the lootboxes. I didn’t mind it much, I even bought a HotS lootbox pack once, but I can’t say I liked it. But in Overwatch it was always just skins which made it more ok than in HotS when it was actual characters you needed. But I never actually bought HotS for $60 so still fine (I’ll give them a pass on the D3 AH because they took it down and said “our bad”). Then there’s been “gold edition” of games and DLC packs and stuff like that that ads value over time, but it’s always been optional.
But now it’s just getting a bit much. Like most other gamers out there I am so very frustrated at the new schemes coming out of Ubisoft, Activision and most of all EA. Ubisoft has had “cosmetic” items for purchase a while for both “Assasins Creed” and “Division” but nothing more than that. Now it’s changing and it’s affecting gameplay! The most recent and extreme example of this is Battlefront II. With their way of pushing lootboxes on consumers I absolutely won’t be paying $60 for that game! Maybe I’ll pick it up next year on Black Friday sale, I dunno, but paying $60 for game where I have to grind grind and grind to even play characters that should be there out of the box?! Or you can buy lootboxes for more money! Really!? And then EA releases Need for Speed with… “speedcards” that you can fast-progress by buying lootboxes! Another game I was absolutely planning to already be playing was the new Mordor game (“Shadow of War”). But oh no, they had to go ruin that game too with in game store to buy Orcs. Yeah, buy Orcs in a game for real money!
And they even have the balls to call it “microtransaction”, you know like the “micrtransaction” for a Android app that cost like $1? No, because here we’re talking about getting 20 lootboxes for $60 – as much as the f*cking game costs! And don’t come with any “but games have been $60 for ages now!” because yeah, they have, and have the profit of any publisher gone down because of that? No, they’ve made more and more money every year! Look at “Cuphead” that cost like $20 which is turning out to be one of the best games all year! No, games don’t have to cost $100 million to make! You don’t have the PR push it that bad if it’s good enough, you don’t have to have 1000 song in the music library like GTA!!
What makes this even worse is that in some of these cases you’re not even buying the thing you want – your paying FOR A CHANCE at the thing you want! You may get the Orc you want, but you may end up with nothing. You may get the power up for your Heavy stormtrooper, or you might get a silly emote! It’s gambling and feeding on addiction and it’s loathsome and everyone should be ashamed of it. I know I am and I’m not even buying or playing those games! The irony is that Battlefront 2 is made by DICE – a Swedish studio. And the government in Sweden are pretty strict when it comes to gambling. Pretty strict as in “only government run gambling is allowed!”. Yeah, someone should maybe look into this! (and not the ESRB, that’s like Donald Trump saying his son is a good person!)
The last game I bought was Assasins Creed Origin which came out a few weeks ago. And so far I haven’t run into much lootboxes or “pay to get this über gear” yet, if you don’t count the gold edition addons. But looking at the horizon, I have no idea what I’m actually willing to buy even though there are plenty of games I should love to buy and play but my moral compass really gets in the way.
Fortunately people are rising up and raging against the machine. Just youtube “lootboxes” and you’ll find tons of videos on the topic. Or you may have seen the news that EA’s reply on reddit regarding Battlefront 2 progression is the most “thumbs down” comment ever on reddit?
SCENARIO
You’re asked how many users has what storage quota/limit in Exchange
PROBLEM
The problem originates from MS saying that the standard Exchange Online mailbox is 100GB in size. But some of our users are reporting they “only” have 50. I thought this was a minority if people so not a big thing. My manager disagrees.
SOLUTION
I began writing quite a complicated powershell for this but when I looked at it after a coffee break I said to myself “there’s gotta be a better way”. And sure enough it is. I’ve simply never used the “group-objects” function before! But now I can clearly get a report that’s just 3 lines long!
get-mailbox -resultsize Unlimited | Group-Object -property ProhibitSendReceiveQuota
And it really was fortunate that we were the ones to go since sooooo many of the sessions and talk was about Office 365, Azure and the cloud! It was really hard to find sessions that talked about on premises stuff but I managed to go to a few! The event started officially on Monday morning with a vision keynote by Satya, the CEO of Microsoft and had a bit of this and that in it.
After that it was a technical keynote of the digital workplace and then it was just one “breakout” session after another. I think I attended a total of 20 sessions in total and almost got overloaded with information. I used my cellphone to take photos of some presentation slides to remember what that session was about and what we’d covered in what sessions!Another great thing about these events is that you meet the people who are actually working on the other side – when I’m freaking out over the bad SharePoint Online admin center “well that guy right over there is the program manager of that, go talk to him”. Which I did. “Well you’ll glad to know we’re working on version 2, mail us and we’ll get you into the preview”. Done and done! And seeing some really pros at doing presentations, like Anne Michels who constantly made jokes on her expense (and sometimes even Mr. Michels).
And on Thursday evening Microsoft had “rented” the entire Universal Studios Orlando theme park for us! All you can eat, drink and ride all evening long! That was certainly an experience since we don’t have anything close to these theme parks in Sweden! We have plenty of amusement parks, but no theme parks, certainly not like this where you can walk into Jurassic Park and have a dinoburger!
Then friday was kind of winding down and collecting thoughts and writing reports on what I’ve learnt and then on Saturday the long trek back to Stockholm began. I checked in at the airport at about 2pm on Saturday and passed through customs in Stockholm at about 1pm on the Sunday.
But all in all it was an absolutely awesome experience and conference to attend for me. The downside was of course being away from my family for 8 days, that really felt long in the end. My and the wife have never been away from each other for that long since we moved in together 8 years ago!
After that 2 hour ride we were dropped of a the Saturn station (or whatever it was called) which was just this huge museum for the Apollo program! I completely geeked out there, running around photographing every mission banner there was and every little thing! After a quick lunch we set off back to the Visitor center where they had a Atlantis museum which was an awesome 3-stage display climaxing in a reveal of the actual space shuttle Atlantis! Completely geeked out again! Like a kid in a candy store on Christmas!! Then it got really emotional! I still don’t know why I get all somber up and even tear up at it, but at the end of the exhibit was the Challenger and Columbia memorials.
We spent a total of 7 hours there and I could’ve stayed a while longer! Absolutely one of the best experiences of my life. My only regret is that my wife and son wasn’t there to share it or see me get that excited about it.
Then we went to what these IT nerds who have been here a few times before thought was the greatest steakhouse ever – Morton’s. To sum it up and as my wife could say – I could’ve done more for less. I mean, it wasn’t bad, it just wasn’t all that and it was a pretty pretentious restaurant. But at least the company was good.
All in all a really great day!!
If you’ve followed this blog long enough or have heard me ranting you may know I’m not that big of a fan of US of A. And not only because of their most recent choice of president although that hasn’t helped. But a few months ago my supervisor asked me if I wanted to go to Microsoft Ignite. If you don’t know what it is, it’s a huge convention that Microsoft holds once a year in USA. It’s their greatest week of the year when they release a lot of new stuff for our techies and declares their visions for the future.
At first I didn’t know if I even wanted to go since it would mean actually going to the US. The only time I’ve been here before was when I went to Guatemala and had to pass security when going from one international terminal to another so I’ve never actually sat foot on their soil. But much like 14 years ago when I was asked to work on the project for the state department my initial feeling was “I don’t want to leave my comfort zone”. But realizing that.. I had to accept! After making sure my wife was OK with it I signed up. Fortunately a colleague of mine is also attending so I won’t be alone. And he has a lot of friends in the consultancy business so we’ll be hanging out with them. And there’s always the big “Swedes only” party to go to.
Then hurricane season began and when I saw the footage on CNN from Orlando, where the convention is happening, it made me doubt they could pull it off, getting all stuff ready for a convention of this size in less than 2 weeks. Fortunately that wasn’t a problem and MS announced well in time that everything was good to go.So on Saturday my wife dropped me off at Arlanda, we kissed good bye and I went off through security checkpoint to start my journey… and flight delayed!! Some part of the plane broke and they had to fly in a new one from Copenhagen (which I believe is airliner talk for “the crew wasn’t allowed to fly anymore because if union rules and we had to fly in a replacement crew). So about 3 hours later (plus one free beer!) we lifted of for Newark airport at New York. After passing through security, customs, security, passport check, customs, security and a tram between the terminals we arrived at the new gate with about 2 hours to spare. We were supposed to have a 6 hour wait, but 3 hours late departure plus all those lines meant we only got 2. And that was plenty because unfortunately Newark airport is something out of the 70’s. It really does need a fix up! Then we went for a bite to eat but when I went to the food court I got this familiar smell of deep fry oil from my days working at a fast food restaurant so my heart told my body I don’t want to eat here. So I didn’t. Fortunately my metabolism goes down, way down, on airplanes to it really wasn’t a problem!
Then onto that airplane that was gonna take us to Orlando in Florida. And when we were supposed to lift off we hadn’t even left the gate yet. The captain announced they had to reboot the plane! I shit you not, it was a literal “have you tried turning it off and on again”-moment!! But it actually worked and off we went. Slept all the way!
After arriving something happened that has never happened in all my travels – my luggage was already waiting for me!! I think there was a mixup in Newark and the flew my baggage out on the flight 2 hours before ours, which goes totally against international regulations of not allowing a bag onto the plane without it’s owner! But I didn’t complain, we went out to grab a cab… and no! Not a cab in sight! Another first for all of my travels, an airport with no cabs! We only had to wait 15-20 minutes for one but they are usually lined up!
So, off to the hotel and sleep ahead of the new days travel to Kennedy Space Center. I’m hoping I’ll get to post about that soon, but I’m actually here to work so not sure when I’ll have the time for that!
SCENARIO
You’re trying to install SharePoint 2016 on a Windows 2016 server and thinks just aren’t going well.
PROBLEM
To be honest I don’t know how else to explain the problem in any other way than Microsoft’s Windows Server 2016 team was in a feud over lunchboxes with the SharePoint 2016 devs because there is no other way to describe the complete incompatibility between the two!
SOLUTION
I’d say “Google it!” but that’s probably what got you here in the first place!
The first problem is the prerequisite installer that can’t configure Windows IIS role or download things. Fret not for there is plenty of help to find. When first running the prereq you’ll probably get this error: “Web Server (IIS) Role: configuration error”. To configure the IIS use this Powershell :
Add-WindowsFeature Web-Server,windows-identity-foundation,`NET-Framework-45-ASPNET,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase,Web-Lgcy-Mgmt-Console,Web-Lgcy-Scripting,Web-Mgmt-Tools,Web-WMI,Web-Common-HTTP,NET-HTTP-Activation,NET-Non-HTTP-Activ,NET-WCF-HTTP-Activation45 -Source 'Q:\sources\sxs'
Make sure to edit the source file to the Windows Server 2016 ISO!
The next place you should look at is this blog by the Microsoft Field Engineer Nik. Although be careful about some of his links as those are outdated and replaced with new versions, although downloading the version he’s linking will still work. He even provides a script that will run the Powershell to configure everything. Why this isn’t on the SharePoint 2016 ISO is beyond me!
But even when downloading all of that and installing it properly I was still faced with this error when trying to setup the farm: “New-SPConfigurationDatabase : One or more types failed to load. Please refer to the upgrade log for more details.“. Going through the install log I found this: “SharePoint Foundation Upgrade SPSiteWssSequence ajywy ERROR Exception: Could not load file or assembly ‘Microsoft.Data.OData, Version=5.6.0.0, Culture=neutral, PublicKeyToken=31bc3856cd365e35’ or one of its dependencies. The system cannot find the file specified.“
It seems that the WCF prerequisite file when installed using the Powershell method of manually downloading and installing it! Fortunately the quick fix is to find the file “WcfDataServices.exe” in your profile directory (i.e NOT the one you downloaded!), running it and choosing “Repair”. Only then did SharePoint 2016 install properly!
SCENARIO
You’re managing a large O365 tenant and you want to make sure there are no users that have multiple licenses assigned.
PROBLEM
The original problem is that you actually can assign a user with a F1, E1 and E3 license and end up paying three times for a user! Next problem comes with how license information is stored and retrieved with Powershell.
SOLUTION
Here is little code that will read out all your users and go through each one to make sure they don’t have more than one of the licenses assigned. It should work as long as Microsoft doesn’t change the _actual_ names for licenses!
$allusers = Get-MsolUser -All foreach($msoluser in $allusers) { $userpn = $msoluser.userprincipalname $userlicense = Get-MsolUser -UserPrincipalName $userpn | select Licenses if($userlicense.Licenses.AccountSkuId -like "*ENTERPRISEPACK*" -and $userlicense.Licenses.AccountSkuId -like "*DESKLESSPACK*" -and $userlicense.Licenses.AccountSkuId -like "*STANDARDPACK*") { write-host -Foregroundcolor Red "$userpn has both E1 and E3 and F1" } elseif($userlicense.Licenses.AccountSkuId -like "*ENTERPRISEPACK*" -and $userlicense.Licenses.AccountSkuId -like "*STANDARDPACK*") { write-host -Foregroundcolor Yellow "$userpn has both E3 and E1" } elseif($userlicense.Licenses.AccountSkuId -like "*STANDARDPACK*" -and $userlicense.Licenses.AccountSkuId -like "*DESKLESSPACK*") { write-host -Foregroundcolor Yellow "$userpn has both E1 and F1" } elseif($userlicense.Licenses.AccountSkuId -like "*ENTERPRISEPACK*" -and $userlicense.Licenses.AccountSkuId -like "*DESKLESSPACK*") { write-host -Foregroundcolor Yellow "$userpn has both E3 and F1" } }
The script can ofcourse be enhanced to write a log or even mail a log to an admin if you want.
SCENARIO
You’re handed a list of e-mail address for mass mailing from HR and they need to verify that all e-mail addresses are valid and won’t bounce “like last time”.
PROBLEM
There are a few problems with this. One is the fact that not all e-mail addresses are the primary e-mail address and won’t show up in a normal search.
SOLUTION
I put this little script together that will first connect to your MS Online tenant, then read all MSOL users into an array, import the CSV file containing the employees, go through each row and check that the e-mail address from the file in the column “employeeemailaddress” exists as a proxy address on at least one user. If not it writes out the e-mail to a log in c:\temp. Nothing too advanced, just a few things put together to achieve a very, VERY tedious task when you get a list of 10.000 e-mail addresses!
This can also be modified to check if any other attribute exists or not on users if you want to, it was just for this scenario that I had to check e-mail addresses! It can also be modified to read out the local AD and not the Azure AD, ofcourse.
Please comment out the first two lines if you run this more than once in a Powershell window since the list of users is already in the variable and reading out all MSOLUsers can take a very long time!
connect-msolservice $allusers = Get-MsolUser -All #Prepping the logg $DateStamp = Get-Date -Format "yyyy-MM-dd-HH-mm" $LogFile = ("C:\temp\invalid_emailaddresses-" + $DateStamp + ".log") # Defining the log function Function LogWrite { Param ([string]$logstring) Add-content $Logfile -value $logstring } $csv = import-csv C:\temp\emailaddresses.csv foreach($csvobject in $csv) { $emailuser = "" $emailaddress = $csvobject.employeeemailaddress Write-Host -ForegroundColor Yellow "Looking up user with e-mail $emailaddress" $emailuser = $allusers | where {$_.proxyaddresses -like "*$emailaddress*"} | select DisplayName if(!$emailuser.displayname) { LogWrite ("Could not find user with e-mail address $emailaddress") write-host -ForegroundColor Red "Could not find user with e-mail address $emailaddress" } else { write-host -ForegroundColor Green "User found, e-mail address is good" } }
I’m a huge fan of Luc Besson. Big fan! “Léon” is one of my favorite movies of all time! “Fifth Element” is right up there too. “Metro” is a classic, Nikita, Taxi, Big Blue, Transporter, Taken, Jean D’Arc, so many damn great movies! But he’s also done a few that I wasn’t a big fan of but can’t blame him for that 🙂
So when I saw the first trailer for “Valerian” I got really stoked! I mean really stoked. Like so stoked that I can’t even talk myself out of it, which I usually do because I hate going out of the movies disappointed.
I was not disappointed. It was awesome! I would like to give it all 5 elements but there were two things that put me off. 1) The translation to Sweden was bad. Yeah I know, I can’t hold Luc Besson responsible for that but I do hold the movie company responsible! Not that I need Swedish subtitles – but if you’re going to do it do it right, because this was terrible. 2) Dane DeHaan that plays the lead character didn’t feel right for the role. The character was supposed to have been in the military and seen stuff, like Korben Dallas in Fifth Element. Instead he looks and even acts like he’s the one that makes the other guys say “was I that young when I joined”! But apart from that – awesome! And yeah, SF Filmstaden Scandinavia delivers in VIP again!
What I was mostly impressed with was the CG and the visuals! They were absolutely amazing! It even got to the point were I didn’t know if it’s computer generated or if it was makeup or what was going on, I love that! Music was awesome, although missing that kick ass diva song!
So here’s hoping for more and judging by the amount of source material that shouldn’t be too hard 🙂
SCENARIO
You’re getting some error that a specific e-mail address can’t be or send mails. But you have no clue about which user/mailbox is the owner of this specific e-mail address
PROBLEM
Most of the times this isn’t a problem, the Exchange Management Console or EOL Admin Center will do the trick. But sometimes it can be a bit tricky if the e-mail address is to say a public folder, which isn’t scoped in the search.
SOLUTION
This quick little powershell will do the trick for you to find it:
Get-Recipient -resultSize unlimited | select name -expand emailAddresses | where {$_.smtpAddress -match "*EmailAddressToSearchFor*"} | Format-Table name, smtpaddress
Credit goes to Fulgan @ ArsTechnia for the post here.
SCENARIO
For some reason, probably money, you can’t use a proper backup solution for your farm. So you want to use versioning as a cheap mans backup.
PROBLEM
Going through every document library in every site in every site collection in every application to enable versioning isn’t possible. And there is no way to specify in Central Administration or declare a policy to enforce this.
SOLUTION
This powershell script will do the trick for you. It’s written to enabling versioning for an entire web application (with easy alteration it can be scoped to a specific site/site collection). What’s neat about this is that it will not change settings on the document libraries that already have it enabled! It will not enable minor versioning, but you can just enable that if you want.
As always, use on your own risk and test in a test environment first and then scope it to a test site collection in production farm!!
Add-PSSnapin Microsoft.SharePoint.PowerShell -erroraction SilentlyContinue $webapp = "ENTER URL TO WEB APPLICATION" $site = get-spsite -Limit All -WebApplication $WebApp foreach($web in $site.AllWebs) { Write-Host "Inspecting " $web.Title foreach ($list in $web.Lists) { if($list.BaseType -eq "DocumentLibrary") { $liburl = $webapp + $list.DefaultViewUrl Write-Host "Library: " $liburl Write-Host "Versioning enabled: " $list.EnableVersioning Write-Host "MinorVersioning Enabled: " $list.EnableMinorVersions Write-Host "EnableModeration: " $list.EnableModeration Write-Host "Major Versions: " $list.MajorVersionLimit Write-Host "Minor Versions: " $list.MajorWithMinorVersionsLimit $host.UI.WriteLine() if(!$list.EnableVersioning) { $list.EnableVersioning = $true $list.EnableMinorVersions = $false # Set this to true if you want to enable minor versioning #$list.MajorVersionLimit = 10 # Remove comment hashtag and set this to the max amount of major versions you want #$list.MajorWithMinorVersionsLimit = 5 # Remove comment hashtag and set this to the max amount of minor versions you want $list.Update() } } } }
Credit goes to Amrita Talreja @ HCL for this post which is the basis for this Powershell script.
This is a small little script I wrote for going through all administrator roles in your O365 tenant and listing out the members of each. This can be handy if you feel like you’re losing control over who has what permission in the tenant or someone says the classic “I want what he has”.
$DateStamp = Get-Date -Format "yyyy-MM-dd-HH-mm" $LogFile = ("C:\temp\get_all_msolrolemembers-" + $DateStamp + ".csv") # Defining the log function Function LogWrite { Param ([string]$logstring) Add-content $Logfile -value $logstring } LogWrite ("msolrole;email;displayname;islicensed") $msolroles = get-msolrole foreach($role in $msolroles) { $rolemembers = get-msolrolemember -roleobjectid $role.objectid foreach($rolemember in $rolemembers) { LogWrite ($role.name + ";" + $rolemember.emailaddress + ";" + $rolemember.DisplayName + ";" + $rolemember.islicensed +";") } }
SCENARIO
You’re managing Office 365 for a company. You start seeing those licenses count down and you don’t know where they are going. Then it’s time to check if you have “Shared mailboxes” that are licensed!
PROBLEM
The problem here is that sometimes user mailboxes are converted to a shared mailbox. Maybe it’s an employee that left but you still want to access the mailbox, or maybe the mailbox was accidentally created as a user mailbox to begin with. And Microsoft even has a button in Exchange Online for converting to Shared mailboxes! But the problem is that button does indeed convert it – but it’s not deactivating the license! This is probably working as intended as deactivating the license has some other affects like legal hold and other services.
SOLUTION
This little command will list the mailboxes that are tagged as Shared mailboxes and lookup if their Azure AD object is licensed or not. It requires you to already have a remote PS session with Exchange Online as well as a connecting to MSOL service:
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox | Get-MsolUser | Where-Object { $_.isLicensed -eq "TRUE" }
Then you may want to write something like this to automatically remove the licenses. Change “yourlicenseplan” to.. well, your license plan 🙂
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox | Get-MsolUser | Where-Object { $_.isLicensed -eq "TRUE" } | foreach {Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -RemoveLicenses "yourlicenseplan:ENTERPRISEPACK"}
Credit goes to Mohammed Wasay (https://www.mowasay.com/2016/03/office365-get-a-list-of-shared-mailboxes-that-are-accidentally-licensed/).
SCENARIO
After patching a SharePoint server with normal OS patches and reboot you are no longer able to browse to the applications or Central Admin. When looking at the log you see this error from C2WTS:
“An exception occurred when trying to issue security token: Loading this assembly would produce a different grant set from other instances. (Exception from HRESULT: 0x80131401).”
This was on a normal SharePoint Foundation 2013 server (build 15.0.4569.1506)
PROBLEM
If you check this TechNet forum post it seems to be related to “third party monitoring tools”. Unfortunately, SCOM is considered a third party tool in this case. And as it happens, we have just upgraded to SCOM2016!
SOLUTION
According to the TechNet forum post (and this official MS post) you should update or disable any third party monitoring tool. So, uninstalling the SCOM monitoring agent, rebooting, reinstalling it with “NOAPM=1” parameter will solve the issue (atleast it did for me).
However, if that it not an option (sometimes you can’t just reboot a critical server!), disabling Load Optimization does work, even if means your SharePoint is now unsupported. So I’m posting this for all us “it needs to be fixed now and I can’t find, update or disable whatever DLL is causing this!”-techies! So setting these registry keys works:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework, create a new ‘DWORD (32-bit) Value’ named “LoaderOptimization” with a value of “1”.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework, create a new ‘DWORD (32-bit) Value’ named “LoaderOptimization” with a value of “1”.
But as those MS people will tell you, it really isn’t a recommended solution (which is weird since it originated from MS support!).
SCENARIO
You’re changing the e-mail domain of a user or even a bunch of users. After that you also need to set their UPN’s to reflect the change.
PROBLEM
The problem is that Azure AD Connect service doesn’t currently support changing domain of a UPN of an object that is already synced! So you have to run a powershell command to change it. But it get’s even more complicated because you can’t change the UPN from one federated domain to another without making it “unfederated” first.
SOLUTION
Enter New-MSOLUserPrincipalName, which is a function that will take the user with the current UPN ($UserPrincipalName), change it to a temporary UPN with the domain extension “@[your tenant].onmicrosoft.com” and change it to the new UPN ($NewUserPrincipalName).
function New-MSOLUserPrincipalName { param ( $UserPrincipalName, $NewUserPrincipalName ) $TempUPN = "{0}@[your tenantname].onmicrosoft.com" -f $UserPrincipalName.split("@") Set-MsolUserPrincipalName -UserPrincipalName $UserPrincipalName -NewUserPrincipalName $TempUPN | Out-Null Set-MsolUserPrincipalName -UserPrincipalName $TempUPN -NewUserPrincipalName $NewUserPrincipalName Write-Output -InputObject "Successfully changed UPN from $UserPrincipalName to $NewUserPrincipalName" }
Thanx to Johan Dahlbom for this one!
I finally did it! I finally saw “Star Wars Rogue One”. Or “Star Wars Episode 3.9” as I’d call it! As a huge fan of the original triology I was definitely looking forward to seeing it but for one reason or another (one being my son’s refusal to see a movie he wasn’t allowed by the authorities to see!) it never happened when it was playing in the cinemas. And I certainly didn’t want to see a low quality “grabbed from the internet” version of the movie.
First off – spoiler warning! There are some spoilers below so don’t go there unless you’ve already seen the movie or don’t care about having it spoilt!
All in all – I was positively surprised at how good it was! I don’t know why but my expectations weren’t that great, probably because Episode VII was such a disappointment. But this one was really, really good.
And if you know me well enough you know one thing I love is continuity! Screwing up, or even ignoring continuity, can get me to dislike an otherwise good movie or TV show. Or in the case of Babylon 5 absolutely love a TV show that really isn’t that great once you remove the 5 story arc. And in this case most continuity I felt was acceptable, as expected there were tons of great references to Episode IV – one of the smaller ones being Bail Organa saying he’s going back to Alderaan and I spontaneously scream “don’t do it!!”. The other thing being the lengths they went to to have Tarkin and Leia in this movie when neither was actually in it! (there were ofcourse other characters that were “brought back” from the original triology, like Mon Mothma)
But another pitfall of trying to adhere to continuity is you can’t create characters or major plots without.. well, killing them before the end of the movie. And I’m sorry if this spoils it for the people that haven’t seen it but when they have a rebel meeting about wether to extract the Death Stars plan you can just go around the table and you know, based on who’s in Episode IV, who’s going to make it back alive! So in that way you kind of knew how the ending was going to be. And to my surprise they did the un-Hollywoodian (is that even a word!) thing and stuck with it!
And regarding Tarkin and Leia who were both computer generated faces superimposed on other actors.. I don’t know why the brain is so god damn good at it but you definitely saw that there some something “off” about their faces. Most notably Leia, even though it was just a few seconds and one line you saw that it wasn’t quite right. Great that they tried but it seems like an impossible task because the brain is just too good at face recognition for it to work.
Now – Darth Vader… well what can you say about Darth Vader… the problem with this movie is that the “original trilogy Darth Vader” was tall, imposing but not one for the front lines and certainly not a killing machine. That would have been more a Darth Vader from Episode 3.2 or something. But this movie ends a few days, maybe even hours, ahead of the first scene in Episode IV. But the original Darth Vader sent in his troops and never went in first himself, both the boarding in Episode IV and invasion of Hoth showed that. So ending it with a Darth Vader killing machine, even though it was cool as hell, didn’t really line up with the first scene of Episode IV. And it felt just .. misplaced somehow. But even though I’m a sucker for continuity I have to say that it was so damn cool that I’m gonna forgive that because sometimes rule of cool wins 🙂
SCENARIO
You have a working ADFS farm running version 3 on Windows 2012R2 and want to upgrade to ADFS 2016 delivered in Windows Server 2016.
PROBLEM
The problem is that this is, if you ask Microsoft, a very straight forward “next-next-finish” process to do as the only TechNet article I found about it makes it look pretty straight forward. But that article was written for Windows Internal Database (there is now also one for SQL cluster backend. Also you’ll notice at the bottom that it’s written for Technical Preview of Windows Server 2016 and also assumed you have no AD group policies that may break stuff! So there are still alot of things that can, and will, go wrong if you follow that procedure.
SOLUTION
There really isn’t one solution since there are so many issues you may run into but I managed to work through them all. But here are my comments to the TechNet article and where things went wrong for me:
2) It’s never showing in a screenshot but it is shown in the next – you have to chose to join an existing farm, the default option is creating a new farm which is a totally different thing!
But even after going through the setup process succesfully after patching and rebooting I got the error 1297 “A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration“. As it turns out, this is a policy issue with the Windows Server 2016 baseline that limits who and what can “Log on as a service” and “Generate a security audit”. Creating an override policy for this and adding the service account running the AD FS service solved this issue for me! (thanks to https://blogs.technet.microsoft.com/pie/2015/09/04/adfs-refuses-to-start-error-1297/)
3) This is actually very important later on knowing which server is primary and not!
4) and 5) These are confirmed as not required if you’re running a SQL cluster backend. However, you still need to check later for which server is primary and not.
6) This entire Powershell is just wrong and not accepted at all, atleast in my environment! You’re much better off starting the Remote Access Manager and starting the Wizard from there. This will allow you to chose the certificate in a dropdown without knowing the thumbprint. But this is where I ran into problems and lot’s of them!
The first problem I had when configuring the WAP was connectivity resulting in the error “An error occurred when attempting to establish a trust relationship with the federation service. Error: Unable to connect to the remote server”. This was first due to physical firewall, then the local firewall policy settings and in the end that the service itself was down! So this was basically alot network issues, not the biggest thing in the world.
Now that that was done with I ran into the next problem that caused so much headache for me – “An error occurred when attempting to establish a trust relationship with the federation service. Error: Unauthorized. Verify that the service account has administrative access on the target Federation Server.”! The account that the WAP uses to connect to the internal AD FS server with that has to be a local user and local admin account on the internal AD FS server (since the WAP server shouldn’t be a member of the same domain as the internal AD FS servers). The problem is that there is a group policy baseline for Windows Server 2016 that denies logon from the network for all local users (“Deny access to this computer from the network“)! This resulted in the error since it wasn’t allowed to login with anything but the console! Setting that to only “Guest” should be enough for this.
So after getting that problem solved I got the next error – “An error occurred when attempting to establish a trust relationship with the federation service. Error: Internal Server Error“. Looking at all logs and events and I couldn’t figure out what tha hell was causing this issue. Well, as it turns out it was related to step 4 and 5 which you shouldn’t have done if you’re running SQL backend! When you point to the internal AD FS service address (the web address sts.xxxxxxx.com) you’re supposed to use a host file to control that and point it to the load balanced IP address. Well when I did that I always ended up on a server that was NOT the primary computer and therefor I couldn’t add the WAP! When I changed the host file to point directly to the IP of a server that was Primary computer for the farm it worked! Just remember to change this back since you don’t want the WAP servers point to one specifik AD FS server.
That is as far as I’ve gotten as the rest of the upgrade involves upgrading the forest and domain schema which I’m really not ready to do.
So now that we have our new car we begin the task of selling off our old car. We’ve tried selling off old cars ourselves before and it’s never ended well. I expect too much professionalism for that when we’re talking about this much money and I’ve always ended up with the complete opposite so I didn’t want to go the private route. Even though it means getting less I wanted to sell it to a dealer who could do the work. After trying out different “what’s my car worth” sites I ended up trying out a company called “Vi Köper Din Bil” (“we buy your car”) with the website “vikoperdinbil.se”. I’m typing it there because my hopes are anyone googling it will see this and stay away!!
On their website you simply enter the model, make, year and mileage of your car and they will guestimate it’s worth. For our Seat Leon they guestimated about 112.000:- “plus any extra options” which we had plenty of on that car. That’s about half of what we paid for it three years later but sounded ok. I mean the “street value” of the car would be 130.000:- but they needed a cut of that so ofcourse I couldn’t get that. But based on that estimate I made an appointment to take my car in to get a proper go-through and evaluation. I took time off work, I cleaned the car, loaded her up with the summer tyres and coordinated with the wife to come pick me up afterwards. But at the station they went through it (and didn’t find anything wrong with it at all), sent everything off to their expert who came back with an offer. 90.000:-! That’s 22.000 less, or more accurately 22% less, than their gustimate which included the comment “plus any extra options”!
Their business strategy is pretty obvious – give customers an optimistic guestimations and then when they’ve take the time and make the effort of going into their station they can just slash 20% off that and some people will go for it. Or “lockpriser” as we say in swedish. Real estate agents are given warnings whenever they are caught using tactics like that but for cardealers this is totally acceptable?! Even going through their own “what our customers think of us” turns up a gem where a guy says that he was happy even though they slashed 20% off the initial guestimate! There are also plenty of reviews on Trustpilot against them for this tactic!
Naturually I said “get the fuck out of here!” and left on the spot. So beware of “vikoperdinbil.se” unless you’re ready to get an offer about 40.000:- less than the street value. How do I know that? Well my option B was to take it to the authorized Seat dealer in Täby. They gave us 110.000:- for it and put it up for sale for 130.000:- and in 3 days the ad was taken down!
[Previously on the blog – me and the wife wanted to buy a new car and ordered an Audi A5 for 492.000 SEK and it was delivered in late February but only after wondering if this was their first car delivery ever!]
Now that was 3 weeks ago. And in those three weeks unfortunately enough has happened to make me say “I won’t go back there again”.
Not only because of the reasons I’ve already listed (1) them telling us to go away from the business section in a rather rude manner, 2) the unprofessional way of handling the tyre situation 3) noone informed us of the deposit we had to make before we got there) but as it turns out they made even bigger mistakes – one huge mistake during the ordering process and two pretty big mistakes with the delivery.
When delivering an Audi, the representative is supposed to help you sign up to the myAudi account and tie your car to that account. Nope, didn’t happend! Fortunately I know my way around Internet and websites but it led me to the next big issue. They also failed to inform us that the little plastic badge on the set of keys we got was actually very, VERY valuable since it had a PIN to enable remote access of the car! Without this I couldn’t use the electronics I paid for and selling it would be pretty damn hard! Fortunately we hadn’t thrown that little plastic thing in the bin yet but at no point did we think it was something we needed to keep! But the major f*ck up was discovered when we were loading up the car with some kids and realised this model didn’t have 3 seatbelts in the back, only 2!!! I didn’t even know that was possible but apparently it’s an extra option for Audi that costs a mere 3.600 SEK! Had the original salesguy informed us about that we would absolutely have clicked it. But he didn’t so now we’re stuck with a car that only has 4 seatbelts! This was a dealbreaker when we started this (one of the reasons we didn’t go for a Mustang!) and we made sure to check that it did have it when we were in the showroom! I can only imagine the salesguy picked up on us only having one kid and in an attempt to keep the price below 500.000 didn’t click it but it leaves a very sour taste! Fortunately we have a cheap ass VW Polo that has 3 seatbelts in the back so if we ever need one extra seat we can use that. But still… And “we should have checked it ourselves”, yeah you could say that, but as I said in part I, it’s a freaking jungle!! Unless you work there knowing what’s included in the “2017 A5 Sportback Proline Sport Edition” from the go, it’s damn impossible! And when adding stuff BAM! you’re told that it’s not compatible with the current loadout! It’s rediculous! Sometimes I think those configurations should have a “these things are NOT included in your layout”-list, that would have spelt it out for us that it was an extra option.
So, expect a new one of these in 3 years when it’s time to buy a new car again. Maybe we’ll go for a Mustang that time around or maybe Tesla if they are affordable by then.