Monday 22 August 2016

RBAC for Exchange Online

This post describes how to set up RBAC (Role Based Access Control) for Exchange Online.

The scenario is that the admin wants to create custom Exchange admin roles based on region.
For example, a multinational company is spread across many cities and the global admin wants to create custom roles per city, so that a regional admin can change settings only for users based in his own region (city).
To achieve this we use the RBAC model of Exchange Online.

1. First connect to Exchange Online.
2. Open PowerShell with Administrator privileges (a Windows PowerShell window you open by selecting Run as administrator).
3. To enable Windows PowerShell to run signed scripts, run the following command in that elevated window:
  • Set-ExecutionPolicy RemoteSigned
4. Then type these commands to connect to Exchange Online:
  • $UserCredential = Get-Credential    # enter the admin credentials
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
  • Import-PSSession $Session


5. After this, your PowerShell session is connected to Exchange Online and you can run any Exchange Online command, for example:

  • Get-RoleGroup
  • Get-ManagementScope
  • Get-Recipient -Filter {city -eq "Riyadh"}



6. Command for creating a new management scope for the people whose city is "Riyadh":

  • New-ManagementScope "HelpDesk for riyadh" -RecipientRestrictionFilter {city -eq "riyadh"}

7. This command creates the management scope "HelpDesk for riyadh"; users whose City attribute is Riyadh automatically fall within this scope. Next, create the role group that uses it:

  • New-RoleGroup -Name "HelpDesk for IT RIYADH" -Roles "Mail Recipients", "Reset Password", "Distribution Groups", "Mail Recipient Creation" -Members "HelpDeskUser" -CustomRecipientWriteScope "HelpDesk for riyadh" -ManagedBy "Organization Management"

8. This command creates the new role group "HelpDesk for IT RIYADH", which contains the roles "Mail Recipients", "Reset Password", "Distribution Groups" and "Mail Recipient Creation", and adds "HelpDeskUser" as a member. The member will be able to control the selected properties only of users inside the "HelpDesk for riyadh" management scope. The role group itself is managed by the members of the Organization Management role group.
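A verification pass to run after step 8, added here as an example and not part of the original post. It assumes the session from step 4 is imported and that the scope and role group names match the ones created above; it previews who falls inside the write scope and flags any role assignment that is not restricted to the regional scope.

```powershell
# Added verification script, not part of the original post. Assumes the
# Exchange Online session from step 4 is already imported and that the names
# below match the scope and role group created in steps 6 and 8.
$ScopeName     = 'HelpDesk for riyadh'
$RoleGroupName = 'HelpDesk for IT RIYADH'

# 1. Confirm the scope exists and show the filter that drives its membership.
$scope = Get-ManagementScope -Identity $ScopeName
"Scope filter: $($scope.RecipientFilter)"

# 2. Preview exactly which recipients the regional helpdesk will be allowed to
#    modify. Anyone outside Riyadh showing up here means the filter is too wide.
$inScope = @(Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $scope.RecipientFilter)
"Recipients inside the write scope: $($inScope.Count)"
$inScope | Sort-Object Name | Format-Table Name, City -AutoSize

# 3. List each role assigned to the group together with its effective write scope.
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName)
$assignments | Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. Flag assignments whose write scope is not a custom scope: a value such as
#    'Organization' would let the group edit every recipient in the tenant.
$tooWide = @($assignments | Where-Object { "$($_.RecipientWriteScope)" -ne 'CustomRecipientScope' })
if ($tooWide.Count -gt 0) {
    $roles = ($tooWide | ForEach-Object { "$($_.Role)" }) -join ', '
    Write-Warning "Roles not restricted to the regional scope: $roles"
}

# 5. Show who actually holds the delegated rights.
Get-RoleGroupMember -Identity $RoleGroupName | Format-Table Name, RecipientType -AutoSize
```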

Thursday 26 May 2016

MAP Toolkit Issues


System prerequisites for running MAP Toolkit
  1. Any physical or virtual machine with Windows 8 or higher, or Windows Server 2008 or higher, installed.
  2. Joined to the domain.
  3. Firewall turned off.
  4. Netcat installed, for scanning the ports on the network.
  5. Telnet installed, or enabled from Windows Features.
  6. A Domain Admin account.
Check these services on the host on which MAP Toolkit is planned to run:
  • Remote Registry -> startup type Automatic -> Apply -> Start (running)
  • Windows Management Instrumentation -> enabled, running
  • Remote Procedure Call (RPC) -> enabled, running

Try to run the MAP Toolkit when most of the PCs in the environment are switched on; check with the system admin and plan accordingly.

First run MAP Toolkit and then generate the report "Active Devices Users & Computers" under Usage Tracking (see the separate post on running MAP Toolkit).
Filter the column "Days Since Last Activity" to "<=90 days".
Check the success percentage in the "WMI Status" column.

    WMI Connection in Windows 

    Solutions to the different "WMI Status" problems in MAP Toolkit
    1. Machine not Found :- The machine is not available on the network.
    2. WMI Connection Timeout :- First ping the machine; if the ping replies, then check the ports: 135, 139, 445 (TCP) and 137, 138 (UDP).
      To check the TCP ports (135, 139 and 445) use telnet.
      Command is telnet [host] [port]
      Ex. telnet 192.168.1.5 135

      Telnet the ports one by one.

      To check the UDP ports use the netcat tool.
      Command is
      nc -vzu [host] [port]
      Ex. nc -vzu 192.168.1.5 137
      If the ports are open, check the WMI connection with the tool "WBEMTEST", which is built into Windows. Open wbemtest and click on Connect.



      Enter the name of the destination computer.
      Enter the domain admin credentials and click on Connect.



      If the connection is successful, try to run a query:
      SELECT * FROM Win32_Processor
      If this query returns results, then connectivity to the remote PC with the "Domain Admin" credentials you used is fine.
      If both the connection and the query reply are fine, WMI connectivity is fine and the problem is with the MAP Toolkit itself: you need to reduce the number of connections in the MAP Toolkit, see the separate blog post for doing this.
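The same checks (ping, TCP ports 135/139/445, then the Win32_Processor query that wbemtest runs) can be scripted so they can be repeated for each machine that shows a bad "WMI Status". This is an added example, not from the original post; the target name is a placeholder and the script assumes it runs from the MAP host under the domain admin account used for inventory.

```powershell
# Added diagnostic script, not part of the original post. Automates the manual
# ping / telnet / wbemtest checks above for one remote machine.
param(
    # Placeholder: replace with the NetBIOS or DNS name of the PC to check.
    [string]$Target = 'PC-NAME',
    [pscredential]$Credential = (Get-Credential -Message 'Domain admin account used for MAP inventory')
)

# Step 1 of the post: basic reachability. No reply matches "Machine not Found".
if (-not (Test-Connection -ComputerName $Target -Count 1 -Quiet)) {
    Write-Warning "$Target does not answer ping (MAP would report 'Machine not Found')."
}

# Step 2: the TCP ports WMI needs (135 RPC endpoint mapper, 139 and 445 SMB).
# UDP 137/138 cannot be probed with Test-NetConnection; use 'nc -vzu' as above.
$portState = foreach ($port in 135, 139, 445) {
    [pscustomobject]@{
        Port = $port
        Open = Test-NetConnection -ComputerName $Target -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    }
}
$portState | Format-Table -AutoSize
$closed = @($portState | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) {
    $list = ($closed | ForEach-Object { $_.Port }) -join ', '
    Write-Warning "Blocked TCP ports on ${Target}: $list. Check the Windows Firewall 'Allow remote administration exception' policy on that host."
}

# Step 3: the same query wbemtest runs, over DCOM with the explicit credentials.
try {
    $cpu = Get-WmiObject -Class Win32_Processor -ComputerName $Target -Credential $Credential -ErrorAction Stop
    $name = ($cpu | Select-Object -First 1).Name
    "WMI OK: $Target reports processor '$name'."
    "Connectivity is fine; if MAP still times out, reduce its number of concurrent connections."
}
catch {
    Write-Warning "WMI query failed on ${Target}: $($_.Exception.Message)"
}
```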

      If port 135 is blocked on the host, you can enable it either manually on the computer (local policy) or through Group Policy.
      On the computer manually:
        1. Click Start and then click Run. In the Open box, type gpedit.msc and then click OK.
        2. Under Console Root, expand Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall and then click Domain Profile.
        3. Right-click Windows Firewall: Allow remote administration exception and then click Properties.
        4. Click Enabled and then click OK.

      Using Group Policy:
        1. Using the Local Group Policy Editor, expand Computer Configuration\Windows Settings\Security Settings\Local Policies and then click Security Options.
        2. In the Network access: Sharing and security model for local accounts section, click Classic - local users authenticate as themselves.
        3. Expand Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall and then click Domain Profile.
        4. In the Windows Firewall: Allow remote administration exception section, click Enabled.
        5. In the Allow unsolicited incoming messages from box, type the IP address or subnet of the computer that will perform the inventory.
    Tips:
    1. If you are not able to connect to remote VMs, check the "Computer Browser" service and start it.
    2. Apply the <=90 days filter only to the machines that were not successful.
    3. Add "Enterprise Admin" privileges to the account you are using, so that it has enough permissions to access the machines in the organization.
    4. If the inventory is not successful, check the connectivity to the Domain Controller from the PC running the MAP Toolkit, and check the VLAN connectivity: the DC's VLAN must be accessible from the other computers.


    Tuesday 17 May 2016

    Exchange Online Backup and E-Mail Restore


    1. Microsoft does not provide a backup of the Exchange Online database; however, users can back up their own account individually using the export functionality in Outlook.
    2. There are third-party solutions for backing up the Exchange database, such as "CodeTwo Backup for Office 365", but you have to buy them separately.


    The deletion of an e-mail in Exchange Online goes like this:
    1. When the user deletes the email it goes into the "Deleted Items" folder. It remains there until it is manually removed by the user, or automatically removed by retention policies.
    2. After an item has been removed from the Deleted Items folder, it is kept in the Recoverable Items folder for an additional 14 days before being permanently removed. Users can recover these items using the Recover Deleted Items feature in Microsoft Outlook or Outlook Web App.
    3. If the user deletes it from there as well, it is permanently deleted; however, if the "Single Item Recovery" or "Legal Hold" feature is enabled, it can still be recovered by the administrator.
    4. "Single Item Recovery" holds email for 14 days by default, but this can be customized; "Legal Hold" stores the email for an unlimited time, until the hold is released.

    The following illustration shows the sub-folders in the Recoverable Items folders. It also shows the deleted item retention, single item recovery, and hold workflow processes that are described in the following sections.
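Because recovery after step 3 depends on Single Item Recovery or a hold being enabled per mailbox, it is worth auditing which mailboxes lack that protection. The script below is an added example, not from the original post; it assumes an Exchange Online PowerShell session is already imported (as described in the RBAC post on this blog).

```powershell
# Added audit script, not part of the original post. Assumes an Exchange
# Online session is already imported. Reports mailboxes whose deleted-item
# protection is weaker than the behaviour described in points 2 to 4.
$MinimumRetentionDays = 14   # the default Recoverable Items window

$report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    [pscustomobject]@{
        DisplayName               = $_.DisplayName
        UserPrincipalName         = $_.UserPrincipalName
        SingleItemRecoveryEnabled = [bool]$_.SingleItemRecoveryEnabled
        LitigationHoldEnabled     = [bool]$_.LitigationHoldEnabled
        # RetainDeletedItemsFor is a timespan such as 14.00:00:00
        RetentionDays             = ([timespan]"$($_.RetainDeletedItemsFor)").Days
    }
}

# Once a user purges Recoverable Items on these mailboxes, an admin can no
# longer restore the message: no Single Item Recovery and no hold.
$unprotected = @($report | Where-Object {
    -not $_.SingleItemRecoveryEnabled -and -not $_.LitigationHoldEnabled
})
$short = @($report | Where-Object { $_.RetentionDays -lt $MinimumRetentionDays })

"Mailboxes without Single Item Recovery or hold: $($unprotected.Count)"
$unprotected | Format-Table DisplayName, UserPrincipalName -AutoSize
"Mailboxes keeping deleted items for less than $MinimumRetentionDays days: $($short.Count)"
$short | Format-Table DisplayName, RetentionDays -AutoSize

# Remediation for the unprotected set: enable Single Item Recovery and extend
# retention to 30 days (the Exchange Online maximum). Remove -WhatIf to apply.
foreach ($mbx in $unprotected) {
    Set-Mailbox -Identity $mbx.UserPrincipalName -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 30 -WhatIf
}
```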



    Friday 13 May 2016

    Office 2007,2010,2013 Uninstallation & Office ProPlus Installation using Single Script

    We will split this process into two parts for explanation and then combine the two into one.

    1. Uninstalling the old version of Office (2007, 2010, 2013, 2016)

    Click on the link below to download the scripts for uninstalling office.


    Place these uninstallation scripts on a network share.

    Now to test the uninstallation script:

    1. Open a command prompt with admin privileges.
    2. Change to the network path of the script: pushd <Network_Path>
    3. Ex. pushd \\network_share\uninstall_script\
    4. Command for running the script: cscript .\OffScrub_O2013uninstallmsi.vbs All /Q /NoCancel

    Mounting the local network share path

    Running the script


    As the script runs, this process starts in the Task Manager (marked in yellow).

    Along with the above process, this process also starts.

    This will take some time to uninstall.
    After you finish the steps the old Office version should be uninstalled. :)

    2. Install Office ProPlus on the machine now

    For installing Office ProPlus we will use the Office Deployment Tool.

    Download and unzip the Office Deployment Tool.
    You will see two files:
          1. setup.exe
          2. configuration.xml
    The configuration file is the XML file in which you edit the configuration of the Office you want to download and install, i.e. 32 or 64 bit, language, adding or removing individual products, etc.
    To edit this configuration file go to the site linked here, edit it and download your customized XML file.
    This XML file will be used to download the Office ProPlus package using the Office Deployment Tool.
    Keep both the setup and the configuration file in the same folder.

    Steps for downloading the package using the Office Deployment Tool:
    1. Open cmd (admin privileges).
    2. Navigate to the path where the files are kept.
    3. Use the command setup.exe /download configuration.xml
    4. The package will start downloading and a folder named Office will be created in the same path where the setup and configuration files are kept.
    Now we have the Office ProPlus package.
    To push this package to the clients we need to save all the files (i.e. setup.exe, configuration.xml and the Office folder) in a network location.
    Once we have saved them on the network location we need to change one thing in the configuration.xml file.
    Open the configuration XML file and add the SourcePath attribute to the Add tag as shown below (blue part).

    You have to add this location in your configuration file.


    Edit the configuration file with the network address where you have stored the Office files:

    <Add OfficeClientEdition="32" Channel="Current" SourcePath="\\Network_Share\Office_Deployment\" OfficeMgmtCOM="TRUE">

    In the blue part (SourcePath) give the path where the "Office" package folder is located on the network share.
    Once all this is set you are ready to push Office ProPlus remotely.
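Before pushing the package it pays to confirm that the network copy of configuration.xml really points at a share that holds the downloaded package, since a wrong SourcePath is the usual reason a remote install fails or silently downloads from the internet instead. This pre-flight check is an added example, not from the original post; it uses the post's placeholder share path.

```powershell
# Added pre-flight check, not part of the original post. Run it on the admin
# machine before pushing the batch file. The share path is the post's placeholder.
$ConfigPath = '\\Network_Share\Office_Deployment\configuration.xml'

[xml]$config = Get-Content -Path $ConfigPath -ErrorAction Stop
$add = $config.Configuration.Add
if (-not $add) { throw "No <Add> element found in $ConfigPath" }

"Edition : $($add.OfficeClientEdition)-bit"
"Channel : $($add.Channel)"
"Source  : $($add.SourcePath)"

$problems = @()
if ([string]::IsNullOrWhiteSpace($add.SourcePath)) {
    # Without SourcePath the Office Deployment Tool pulls the package from the
    # internet instead of the share, which defeats the local-network deployment.
    $problems += 'SourcePath is missing from the <Add> element.'
}
else {
    # /download creates an Office\Data folder under the share; setup.exe must sit beside it.
    foreach ($required in @('setup.exe', 'Office\Data')) {
        $full = Join-Path -Path $add.SourcePath -ChildPath $required
        if (-not (Test-Path -Path $full)) { $problems += "Missing on share: $full" }
    }
}

# Each <Product> inside <Add> needs at least one <Language> or setup will fail.
foreach ($product in @($add.Product)) {
    if (-not $product.Language) { $problems += "Product $($product.ID) has no <Language> element." }
}

if ($problems.Count -gt 0) {
    Write-Warning 'Configuration is not ready for deployment:'
    $problems | ForEach-Object { Write-Warning "  $_" }
}
else {
    'Configuration and share look good; the /configure command can be pushed.'
}
```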

    To install Office ProPlus on a remote computer that has access to the network share, run this command on that computer (admin privileges):

    \\<Network_Path>\setup.exe /configure "<Network_Path>\configuration.xml"

    Ex. \\Network_Share\Office_Deployment\setup.exe /configure "\\Network_Share\Office_Deployment\configuration.xml"

    You can also save this command as a batch file: copy and paste it into Notepad and save it as a .bat file.






    Now, to install Office ProPlus, navigate to this path on any PC (which has access to the network share) and run this bat file with admin privileges.




    Office Installation started.

    3. Combining the last two steps

    If we combine the last two steps into one, we can create a single batch file that contains the script to uninstall the old Office and then install the new one.
    The script will look like this:

    rem change to the share holding the uninstall script
    pushd \\Network_Share\uninstall_script\
    rem remove every Office 2013 MSI product quietly (/Q) with no cancel button (/NoCancel)
    cscript .\OffScrub_O2013uninstallmsi.vbs All /Q /NoCancel
    rem install Office ProPlus from the share using the edited configuration.xml
    \\Network_Share\Office_Deployment\setup.exe /configure "\\Network_Share\Office_Deployment\configuration.xml"

    Copy this, save it as a bat file and run it.

    If we want to push this script remotely we can use Active Directory Group Policy to do that.
    Or we can even use a free tool called PDQ Deploy, which runs on top of Active Directory to push applications and scripts to remote computers.

    If you face any problem feel free to comment below.