Archive

Posts Tagged ‘Powershell’

Setting DCOM permission for FIM Self-Service Password Reset

July 14th, 2010

For any of you that have configured the FIM Self-Service Password Reset, you will know that you need to get the DCOM permissions and service accounts just right: the password-reset account needs local and remote launch, activation and access on the FIM Synchronization Service servers. Brad Turner, another long-time MVP, Karl Mitschke and a few helpers have created a PowerShell script to assist.

Check out the article on TechNet or Brad’s Blog or Karl’s Post.

PARAM(
    [string]$Principal = $(throw "`nMissing -Principal DOMAIN\FIM PasswordSet"),
    $Computers = $(throw "`nMissing -Computers ('fimnode01','fimnode02')"))

# USAGE:
#
# .\Set-FIM-DCOM.ps1 -Principal "DOMAIN\<group or username>" -Computers ('<server1>', '<server2>', ...)
#
# EXAMPLE:
# .\Set-FIM-DCOM.ps1 -Principal "DOMAIN\FIM PasswordSet" -Computers ('fimsyncprimary', 'fimsyncstandby')
#
# Inspired by Karl Mitschke's post:
# http://unlockpowershell.wordpress.com/2009/11/20/script-remote-dcom-wmi-access-for-a-domain-user/

Write-Host "Set-FIM-DCOM - Updates DCOM Permissions for FIM Password Reset"
Write-Host "`tWritten by Brad Turner (bturner@ensynch.com)"
Write-Host "`tBlog: http://www.identitychaos.com"

function get-sid
{
    PARAM ($DSIdentity)
    $ID = new-object System.Security.Principal.NTAccount($DSIdentity)
    return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
}

$sid = get-sid $Principal

# SDDL rights tokens map onto the DCOM access-mask bits:
#   CC = Execute (Local Launch), DC = Execute Local, LC = Execute Remote (Remote Launch),
#   SW = Activate Local, RP = Activate Remote
# Launch descriptors get all five (Local/Remote Launch + Local/Remote Activation);
# Access descriptors get the first three (Local/Remote Access).
$LaunchAce = "A;;CCDCLCSWRP;;;$sid"
$AccessAce = "A;;CCDCLC;;;$sid"

# Regex matching any existing Allow ACE for this SID, whatever rights it carries today
$PartialMatch = "A;;\w+;;;$sid"

# The four descriptors under HKLM\SOFTWARE\Microsoft\Ole and the ACE each one needs
$DcomValues = @(
    @{ Name = "MachineLaunchRestriction"; Ace = $LaunchAce },
    @{ Name = "MachineAccessRestriction"; Ace = $AccessAce },
    @{ Name = "DefaultLaunchPermission";  Ace = $LaunchAce },
    @{ Name = "DefaultAccessPermission";  Ace = $AccessAce }
)

$HKEY_LOCAL_MACHINE = 2147483650
$OleKey = "software\microsoft\ole"
$converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper

foreach ($strcomputer in $computers)
{
    write-host "`nWorking on $strcomputer with principal $Principal ($sid):"
    $Reg = [WMIClass]"\\$strcomputer\root\default:StdRegProv"

    foreach ($entry in $DcomValues)
    {
        $valueName  = $entry.Name
        $desiredAce = $entry.Ace

        # Read the binary security descriptor and convert it to SDDL
        $binarySD = $Reg.GetBinaryValue($HKEY_LOCAL_MACHINE, $OleKey, $valueName).uValue
        if ($null -eq $binarySD)
        {
            write-host "`t$valueName is not set on $strcomputer (DCOM built-in default applies); set it once in dcomcnfg, then re-run."
            continue
        }
        $currentSDDL = $converter.BinarySDToSDDL($binarySD).SDDL

        # Compare against the original string; do not mutate it before the comparison
        if ($currentSDDL -match $desiredAce)
        {
            write-host "`tCurrent $valueName matches desired value."
            continue
        }

        # Build the new SDDL: rewrite an existing ACE for this SID, otherwise append one
        write-host "`tBuilding new $valueName..."
        if ($currentSDDL -match $PartialMatch)
        {
            $newSDDL = $currentSDDL -replace $PartialMatch, $desiredAce
        }
        else
        {
            $newSDDL = $currentSDDL + "(" + $desiredAce + ")"
        }

        # Convert SDDL back to binary and write it to the registry
        $newBinarySD = $converter.SDDLToBinarySD($newSDDL).BinarySD
        $result = $Reg.SetBinaryValue($HKEY_LOCAL_MACHINE, $OleKey, $valueName, $newBinarySD)
        if ($result.ReturnValue -eq 0)
        {
            write-host "`tApplied $valueName."
        }
        else
        {
            write-host "`tFailed to apply $valueName (StdRegProv returned $($result.ReturnValue))."
        }
    }
}
#-------------------------------------------------------------------------------
trap
{
    $exMessage = $_.Exception.Message
    if($exMessage.StartsWith("L:"))
    {write-host "`n" $exMessage.substring(2) "`n" -foregroundcolor white -backgroundcolor darkblue}
    else {write-host "`nError: " $exMessage "`n" -foregroundcolor white -backgroundcolor darkred}
    Exit
}
#-------------------------------------------------------------------------------
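A read-only companion to the script above, added here as an example (it is not part of Brad's script or the TechNet article): it decodes the same four DCOM descriptors on each server and lists which principal holds which launch, activation and access rights, so you can confirm the FIM password-reset account received exactly the rights intended and see what else can launch or activate DCOM remotely on a sync server. The well-known-trustee table and the "REVIEW" heuristic at the end are this example's own choices.

```powershell
# Audit-FIM-DCOM.ps1 (added example, not part of Set-FIM-DCOM.ps1)
PARAM([string[]]$Computers = @("localhost"))

$HKEY_LOCAL_MACHINE = 2147483650
$OleKey = "software\microsoft\ole"
$ValueNames = "MachineLaunchRestriction", "MachineAccessRestriction",
              "DefaultLaunchPermission", "DefaultAccessPermission"

# SDDL rights tokens as they map onto the DCOM access-mask bits
$RightNames = @{ "CC" = "Execute"; "DC" = "ExecuteLocal"; "LC" = "ExecuteRemote";
                 "SW" = "ActivateLocal"; "RP" = "ActivateRemote" }

# Well-known trustee abbreviations that BinarySDToSDDL emits instead of a SID (assumed subset)
$KnownTrustees = @{ "BA" = "BUILTIN\Administrators"; "SY" = "NT AUTHORITY\SYSTEM"; "WD" = "Everyone";
                    "AN" = "ANONYMOUS LOGON"; "AU" = "Authenticated Users"; "IU" = "INTERACTIVE";
                    "NU" = "NETWORK"; "PS" = "SELF"; "LS" = "LOCAL SERVICE"; "NS" = "NETWORK SERVICE" }

function Resolve-Trustee([string]$Trustee)
{
    if ($KnownTrustees.ContainsKey($Trustee)) { return $KnownTrustees[$Trustee] }
    try
    {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Trustee)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch { return $Trustee }   # orphaned or unresolvable SID: report it raw
}

function Expand-Rights([string]$Rights)
{
    if ($Rights.StartsWith("0x")) { return $Rights }   # unusual mask; the converter emits hex
    $names = @()
    for ($i = 0; $i + 1 -lt $Rights.Length; $i += 2)
    {
        $token = $Rights.Substring($i, 2)
        if ($RightNames.ContainsKey($token)) { $names += $RightNames[$token] } else { $names += $token }
    }
    return ($names -join ",")
}

function Get-DcomAce([string]$Sddl)
{
    # ACE layout: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
    $pattern = '\((?<type>[AD]);[^;]*;(?<rights>[^;]*);[^;]*;[^;]*;(?<trustee>[^)]+)\)'
    foreach ($m in [regex]::Matches($Sddl, $pattern))
    {
        New-Object PSObject -Property @{
            Type    = $(if ($m.Groups["type"].Value -eq "A") { "Allow" } else { "Deny" })
            Trustee = Resolve-Trustee $m.Groups["trustee"].Value
            Rights  = Expand-Rights $m.Groups["rights"].Value
        }
    }
}

$converter = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper
foreach ($computer in $Computers)
{
    $reg = [WMIClass]"\\$computer\root\default:StdRegProv"
    foreach ($name in $ValueNames)
    {
        $bin = $reg.GetBinaryValue($HKEY_LOCAL_MACHINE, $OleKey, $name).uValue
        if ($null -eq $bin)
        {
            Write-Host "`n$computer ${name}: not set (DCOM built-in default applies)"
            continue
        }
        $sddl = $converter.BinarySDToSDDL($bin).SDDL
        Write-Host "`n$computer ${name}:`n  $sddl"
        $aces = @(Get-DcomAce $sddl)
        $aces | Format-Table Type, Trustee, Rights -AutoSize | Out-String | Write-Host

        # Heuristic: remote rights for ANONYMOUS LOGON anywhere, or remote launch/activation
        # for Everyone, widen who can reach DCOM on a FIM server; review these by hand
        foreach ($ace in $aces)
        {
            $remote = $ace.Rights -match "Remote"
            $anon   = $ace.Trustee -eq "ANONYMOUS LOGON"
            $everyoneLaunch = ($ace.Trustee -eq "Everyone") -and ($name -match "Launch")
            if ($ace.Type -eq "Allow" -and $remote -and ($anon -or $everyoneLaunch))
            {
                Write-Host "  REVIEW: $($ace.Trustee) holds $($ace.Rights) in $name" -ForegroundColor Yellow
            }
        }
    }
}
```

Run it as `.\Audit-FIM-DCOM.ps1 -Computers ('fimsyncprimary','fimsyncstandby')` before and after Set-FIM-DCOM.ps1; the "after" listing should show the password-reset group with Execute, ExecuteLocal, ExecuteRemote, ActivateLocal, ActivateRemote in the two Launch descriptors and the first three in the two Access descriptors, and nothing else should have changed.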


Disable Outlook Web Access Instant Messenger

February 2nd, 2010

With the launch of Outlook Live (ExchangeLabs R3) the ability to use instant messaging has been added to Outlook Web Access. For schools that do not wish to use this feature, administrators now have the ability to set attributes via PowerShell (requires Vista or WS2008) to disable Instant Messenger in OWA. To do so, simply use the following cmdlets:

Get-OwaMailboxPolicy -Identity:"OwaMailboxPolicy-DefaultMailboxPlan" | Set-OwaMailboxPolicy -InstantMessagingEnabled:$false

Updating ExchangeLabs groups using Powershell

March 22nd, 2009

One of the ways to manipulate a group on your ExchangeLabs tenant is through PowerShell. If you need to add a large number of members to a specific group, this is also quite simple using PowerShell (and some built-in cmdlets). In future we will look at using ILM to do the same, but we'll need to check whether the GROUP object type can be manipulated.

Have a look at the following:

I have created a file that contains all the members that should be added to my group. In this example I have already created my group, called "testGroup".

Import file format (colon-delimited, with no spaces around the colon: Import-Csv does not trim header names, so "Name : StudentNumber" would produce a column called " StudentNumber" and $User.StudentNumber below would be empty)

Name:StudentNumber
Name:33809771
Name:7990529
Name:44940750

Parameters or required fields
Group Identity: the group you want to add the member to
Input file: the members you wish to add to the group

Connect to your ExchangeLabs tenant using PowerShell
In order to use PowerShell 2 to connect to your ExchangeLabs service you must create a remote runspace using WinRM and PowerShell 2. For more information regarding this procedure, refer to Remote Powershell with Exchange Labs. (Note that once R3 launches this requirement will increase to CTP3. In the released PowerShell 2.0 the CTP cmdlets below became New-PSSession -ConfigurationName Microsoft.Exchange and Invoke-Command -Session.)

Required components:

Windows PowerShell V2 Community Technology Preview 2 (CTP2)
WinRM 2.0 CTP 

$LiveCred = Get-Credential
$rs = New-Runspace -Shell Microsoft.Exchange -ConnectionUri https://ps.exchangelabs.com/powershell/ -Credential $LiveCred -Authentication Basic

Script to execute command
To read your text file of members into memory and add each member to the specified group (testGroup), execute the following command (all on one line):


Import-Csv C:\names.txt -delimiter ":" | foreach {Invoke-Command -r $rs { param($User) add-distributiongroupmember -identity testGroup -member $User.StudentNumber } -Arg $_}
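The one-liner above stops at the first failure, which with a few hundred members usually means a partial add and no record of where it stopped. The script below is an added example, not from the original post: it validates and de-duplicates the student numbers first, runs Add-DistributionGroupMember per member with its own error handling, and prints the failures at the end. It uses the released PowerShell 2.0 cmdlet names (New-PSSession with -ConfigurationName, Invoke-Command -Session) in place of the CTP2 New-Runspace / -r shown above; the group name, the file path and the assumption that student numbers are all digits are placeholders.

```powershell
# Added example: bulk-add members from the colon-delimited file, one failure at a time
PARAM(
    [string]$GroupIdentity = "testGroup",    # placeholder
    [string]$InputFile     = "C:\names.txt"  # placeholder, format as in the post
)

$LiveCred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.exchangelabs.com/powershell/ `
    -Credential $LiveCred -Authentication Basic

# Read the file and keep only well-formed, unique student numbers (assumed all-digit)
$members = @(Import-Csv $InputFile -Delimiter ":" |
    ForEach-Object { $_.StudentNumber.Trim() } |
    Where-Object { $_ -match '^\d+$' } |
    Sort-Object -Unique)
Write-Host "Adding $($members.Count) members to $GroupIdentity"

$failed = @()
foreach ($member in $members)
{
    try
    {
        # -ErrorAction Stop turns a remote cmdlet error into a catchable exception
        Invoke-Command -Session $session -ErrorAction Stop -ArgumentList $GroupIdentity, $member -ScriptBlock {
            param($Group, $User)
            Add-DistributionGroupMember -Identity $Group -Member $User
        }
    }
    catch
    {
        # Already a member, unknown recipient, throttling: record it and carry on
        $failed += New-Object PSObject -Property @{ Member = $member; Error = $_.Exception.Message }
    }
}

Remove-PSSession $session

if ($failed.Count -gt 0)
{
    Write-Host "$($failed.Count) members failed:"
    $failed | Format-Table Member, Error -AutoSize
}
```

Rerunning the script after fixing the input is safe: members already in the group fail on the remote side and show up in the failure table rather than aborting the run.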

Additional Reading
Remote PowerShell with Exchange Labs
Create Dynamic Distribution Groups in Exchange Labs

Reset ExchangeLabs / Outlook Live password via Powershell

March 20th, 2009

In some cases during provisioning of ExchangeLabs accounts using the ExchangeLabs Management Agent (ELMA) you will get instances where the MA cannot get the password set on the account in question. In this case you will get an exception stating that "The Password could not be set".

Note that the LiveID and mailbox have been created; there is just no password set on the account. For a small deployment it is no problem to quickly log onto the Windows Live Admin Centre and reset the password from there, but when you have hundreds of thousands of email accounts this is not very practical.

In this case the best option is to use the "set-mailbox" PowerShell cmdlet.

set-mailbox -identity user@domain.blah -password PassWord

Note that if you want to set a password with special characters it is a good idea to enclose the password in single quotes. Two caveats: on-premises Exchange 2010 expects -Password as a SecureString (ConvertTo-SecureString 'P@ss' -AsPlainText -Force) rather than a plain string, and a password typed on the command line stays in Get-History and in any running transcript, so for bulk resets generate the passwords in a variable rather than typing them.
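For the bulk case, the following added example (not from the original post) reads a list of identities whose password set failed, generates a random password for each with the Windows CSP random number generator, applies it with Set-Mailbox over the remote session, and records the outcome. The input CSV with an Identity column, the file paths, the released PowerShell 2.0 cmdlet names (New-PSSession, Invoke-Command -Session) and the use of a SecureString for -Password are assumptions of the example.

```powershell
# Added example: bulk password reset with per-user random passwords
PARAM(
    # placeholder: CSV with one column, "Identity" (constructed for this example)
    [string]$InputFile  = "C:\failed-users.csv",
    # placeholder: receives identity, status and the new password for delivery
    [string]$OutputFile = "C:\reset-results.csv"
)

function New-RandomPassword([int]$Length = 14)
{
    # 64 characters (no 0/O, 1/l/I): 256 mod 64 = 0, so mapping a byte onto the alphabet has no bias
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    do
    {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $password = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
        # regenerate until all four character classes are present, so a complexity policy cannot reject it
    } until ($password -cmatch '[A-Z]' -and $password -cmatch '[a-z]' -and $password -match '\d' -and $password -match '[!@#$%^&]')
    return $password
}

$LiveCred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.exchangelabs.com/powershell/ `
    -Credential $LiveCred -Authentication Basic

$results = @()
foreach ($row in Import-Csv $InputFile)
{
    $password = New-RandomPassword
    $secure = ConvertTo-SecureString $password -AsPlainText -Force
    try
    {
        # SecureString arguments are protected by the remoting session key in transit
        Invoke-Command -Session $session -ErrorAction Stop -ArgumentList $row.Identity, $secure -ScriptBlock {
            param($Identity, $Password)
            Set-Mailbox -Identity $Identity -Password $Password
        }
        $status = "OK"
    }
    catch
    {
        $status = $_.Exception.Message
        $password = ""   # nothing was set, so do not hand out a password
    }
    $results += New-Object PSObject -Property @{ Identity = $row.Identity; Status = $status; Password = $password }
}
Remove-PSSession $session

# The output file holds initial passwords in clear: restrict its ACL and delete it once they are delivered
$results | Select-Object Identity, Status, Password | Export-Csv $OutputFile -NoTypeInformation
```

Because the passwords only ever exist in variables and in the output file, nothing ends up in the console history; treat the output file as you would any other credential store.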

Enabling ExchangeLabs / Outlook Live Email forwarding or redirection

March 18th, 2009

Just a quick note. When setting up email forwarding or redirection on the client side (using rules) it is important to note that forwarding is disabled by default on ExchangeLabs tenants. You will be able to create rules, but these will never work until you enable forwarding for your domain.

Log onto your tenant using the normal runspace creation method and execute the following. Note that with the identity * this flips the switch on the default remote domain, so every user's rules can then forward mail to any external address, which is a common way for mail to leak out of a tenant; if only a few destinations need it, create a remote domain for each of those instead and enable forwarding there.

set-remotedomain * -autoforwardenabled $true
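As an added example (not from the original post) of the narrower alternative: create a remote domain entry for one external domain and enable auto-forwarding only there, leaving the Default (*) entry off. The entry name and the domain "partner.example" are placeholders.

```powershell
# Added example: scope auto-forwarding to one external domain instead of the whole tenant
$partnerDomain = "partner.example"   # placeholder

# One remote domain entry per destination that actually needs forwarding
New-RemoteDomain -Name "Partner forwarding" -DomainName $partnerDomain
Set-RemoteDomain -Identity "Partner forwarding" -AutoForwardEnabled $true

# The catch-all Default entry (DomainName *) keeps AutoForwardEnabled = False; verify
Get-RemoteDomain | Format-Table Name, DomainName, AutoForwardEnabled -AutoSize
```

Exchange matches a recipient against the most specific remote domain entry, so a rule forwarding to partner.example works while one forwarding to any other external address still fails silently.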