by lunarg on February 19th 2021, at 09:54

You can enforce a password change for Office 365 (Azure AD) users without having to reset the password through Powershell.

For a single user:

Set-MsolUserPassword -UserPrincipalName user@domain.com -ForceChangePasswordOnly $true -ForceChangePassword $true

To force all users to change their password:

Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

You can also use filters ? {} to limit the password change enforcement to specific groups of users.

Note that it is recommended to also use Revoke-AzureADUserAllRefreshToken to end all current open sessions, and immediately enforcing the user(s) to log in again and change their passwords.

by lunarg on February 18th 2021, at 17:35
Offline installation of PowerCLI module is possible by following these easy steps:Uninstall all older PowerCLI software (6.5R1 or earlier).

Download the PowerCLI offline bundle (ZIP-file) from the PowerCLI home page.

Transfer the ZIP to the machine on which PowerCLI is to be installed.

Open Powershell on the target machine.

To determine the modules folder paths, run this:$env:PSModulePath

The modules will have to be extracted in one of the folders from the output of the above command. Both user-based and machine-based installation is possible (e.g. C:\Windows\System32\WindowsPowerShell\v1.0\Modules).

Extract the contents of the ZIP file directly into the folder.

For Windows, run this   ...
by lunarg on January 25th 2021, at 09:34
When using credentials in Powershell, you usually use Get-Credential, which essentially creates PSCredential objects. Creating such an object prompts the user to enter a username and password, which is not really usable in unattended scripts. There's a method where you can specify an unencrypted password but this is not secure. Fortunately, there's also a method where you can store the encrypted password in a file and use it to set the password.

Note
Note that the password is stored in the file using a computer-based encryption key. This means that the file would only work on the computer it was generated on. Trying to use it elsewhere would invalidate the password file.

To create a passwo  ...
by lunarg on December 9th 2020, at 11:02
I had an issue where a forwarder service would not work even though all settings were correctly configured (firewall/LM/real server). When troubleshooting using on the LM itself (using tcpdump), I noticed that forwarded requests (from the LB to the real server) were been sent out using the right interface but with the wrong source IP, causing return traffic not to work. As it was a migration from an older Kemp LM, I established the configuration was indeed correct but there was another reason why it was not working.

After some more troubleshooting and comparing against the backup from the original LM (backup files are in fact TGZ-archives and can be unpacked), and found these settings to be  ...
by lunarg on December 9th 2020, at 10:27
To backup Microsoft SQL Server, the account used for VM-side processing (application aware processing) requires certain permissions. Veeam recommends assigning the sysadmin role on the SQL Server but it is also possible to assign minimal permissions on the databases it needs to backup, which is the preferred method for security hardening.

The User Guide for VMware vSphere outlines the required permissions as well but for convenience, I've listed them here as well.

Instance-level roles:

Assign these roles:public

dbcreator

Database-level roles:

Assign these roles:

System databases master and model:db_backupoperator

db_datareader

public



System database msdb:db_backupoperator

db_dat  ...
by lunarg on December 8th 2020, at 11:52
If the SSL-certificate on your VMware Horizon View Composer server is about to expire, it will have to be replaced. The process is pretty straight forward.

Import the new certificate (in PFX-format) in the Computer certificate store. You can use the MMC snap-in or certutil to accomplish the task. If it's not a publicly signed certificate, you will also need to make sure the intermediate and trusted root CA is imported.

Open an elevated command prompt.

Stop the VMware Horizon Composer service:net stop svid



Navigate to the install location of View Composer. The default location is C:\Program Files (x86)\VMware\VMware View Composer. On a 32-bit machine, leave out "(x86)".

Run t  ...
by lunarg on December 3rd 2020, at 21:21
When downloading files from the internet or copying them from a (foreign) server, these files will be marked as blocked by default.



Each file can be unblocked by right-clicking the file and manually selecting unblock, but what if you have a whole bunch of files to unblock? In that case you can use Powershell:

Get-Item -Path "$env:windir\Fonts\*" -Stream "Zone.Identifier" -ErrorAction SilentlyContinue | % { Unblock-File -Path $_.FileName }

The oneliner above consists of two parts:

The flag that says whether or not a file is blocked is stored in a hidden NTFS-stream called Zone.Identifier, which is stored for each individual file. By looking for those hidden streams,   ...
by lunarg on November 30th 2020, at 16:45
A long standing issue (it goes back as far as Windows 10 1511) exists where GPOs are not (or not always) applied on Windows 10 machines, even though the entire setup checks out (correct GPO links, network in working order, domain controllers functional). Back in Windows 10 1511, there was a certain update introducing something called UNC hardening which caused this behaviour. Although it was expected that this has since been resolved in another Cumulative update, there are still numerous reports of users encountering this issue all the way up to Windows 10 2004.

Should you be affected by this issue, the symptoms are as follows:

You are able to succesfully log on using a domain account you'  ...
 
 
« February 2021»
SunMonTueWedThuFriSat
 123456
78910111213
14151617181920
21222324252627
28      
 
Links
 
Quote
« You only find out who is swimming naked when the tide goes out. »
Warren Buffett