How to: Add AzureAD user as local admin

After joining a computer to AzureAD, the user who performs the join is automatically added as a local admin. The trouble starts when other users log in: they are added to the computer as standard users. From the Computer Management console there is no way to add an AzureAD user, because when you click Add and then Locations there is no location for AzureAD. If you look at the current AAD user under Computer Management, Local Users and Groups, you will find the current user listed as AZUREAD\noel.pulis.

Luckily there is a way to add an additional AzureAD user as a local admin.

– Open CMD (Command Prompt) as Admin
– Type NET Localgroup Administrators AzureAD\additionaluser /add

Once this is ready, open the Local Users and Groups and you will find the AzureAD user part of the local Administrators Group.
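As an added example (not code from the original post), the same step from an elevated PowerShell prompt, with a membership check before and after. The net localgroup call is the one the post uses; Get-LocalGroupMember (Windows 10 / Server 2016 and later) is used for the verification, and the user name is a placeholder.

```powershell
# Added example (not from the original post): add an AzureAD user to the local
# Administrators group and verify the result. Run from an elevated PowerShell.
# $User is a placeholder; replace it with the account as shown under
# Computer Management (AZUREAD\<user>).
$User  = 'AzureAD\additionaluser@contoso.com'   # placeholder value
$Group = 'Administrators'

function Test-LocalAdmin {
    param([string]$Name)
    # Get-LocalGroupMember lists AzureAD principals with PrincipalSource = AzureAD
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -ieq $Name })
}

if (Test-LocalAdmin $User) {
    Write-Host "$User is already a member of $Group"
} else {
    # Same command the post uses; net.exe resolves AzureAD\<user> reliably
    net localgroup $Group $User /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }
    if (-not (Test-LocalAdmin $User)) { throw "$User was not added to $Group" }
}

# Review the full Administrators membership afterwards: every entry here has
# full control of this machine, so keep the list as short as possible
Get-LocalGroupMember -Group $Group |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize
```

The final listing is worth keeping as a habit: local Administrators membership on AzureAD-joined machines is easy to grow and rarely reviewed.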

How To: Save mail sent as a Shared Mailbox in the Shared Mailbox's Sent Items

When a user has Full Access and Send As permissions on a shared mailbox and sends an email as, or on behalf of, the shared mailbox, the sent item is saved in the user's mailbox and not in the shared mailbox.

To fix this there is currently no option in the GUI, so you need to connect via PowerShell as the Global Admin. Note: if you are using Multi-Factor Authentication, use the App Password to log in instead of the password.

Open PowerShell as Administrator and type the following:

# Prompt for the Global Admin credentials (use the App Password here when MFA is enabled)
$Cred = Get-Credential

# Open a remote PowerShell session to Exchange Online and import its cmdlets
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Keep a copy of messages sent as, and on behalf of, the shared mailbox in its own Sent Items
Set-Mailbox "<mailboxemailaddress>" -MessageCopyForSentAsEnabled $true
Set-Mailbox "<mailboxemailaddress>" -MessageCopyForSendOnBehalfEnabled $true

This will still save a copy in the user's mailbox, but it will also save one in the Shared Mailbox.
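An added example (not from the original post) that applies the same two settings to every shared mailbox in the tenant and then verifies them. It assumes the ExchangeOnlineManagement module is installed and that the signed-in admin can run Set-Mailbox; Connect-ExchangeOnline uses modern authentication, so MFA works without an app password.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement) and an admin allowed to run Set-Mailbox.
Connect-ExchangeOnline -ShowBanner:$false

# Find every shared mailbox that still keeps Send As / Send on Behalf copies
# only in the sending user's mailbox
$fix = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Where-Object {
        -not $_.MessageCopyForSentAsEnabled -or
        -not $_.MessageCopyForSendOnBehalfEnabled
    }

foreach ($mbx in $fix) {
    Write-Host "Enabling sent-item copies for $($mbx.PrimarySmtpAddress)"
    Set-Mailbox -Identity $mbx.Identity `
        -MessageCopyForSentAsEnabled $true `
        -MessageCopyForSendOnBehalfEnabled $true
}

# Verify: both columns should now read True for every shared mailbox
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Select-Object PrimarySmtpAddress, MessageCopyForSentAsEnabled, MessageCopyForSendOnBehalfEnabled |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Running the verification query on its own from time to time catches mailboxes created later with the default (off) setting.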

Fix: 550 5.1.8 Access denied, bad outbound sender

I have been having problems with one particular user in Office 365 who could not send or receive emails, and he was always getting the error that the email was not delivered with the error below.

Your message couldn't be delivered because you weren't recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it's no longer allowed to send messages outside of your organization. Contact your email admin for assistance.

Diagnostic information for administrators:
Generating server: --------------.eurprd02.prod.outlook.com
Remote Server returned '550 5.1.8 Access denied, bad outbound sender'

The problem is that the email was being blocked by Microsoft because 5000 emails had been sent from the mailbox. The problem is not that your mailbox was hacked, but that the email header was spoofed by someone. To check whether the mailbox is blocked, open the Exchange Admin Center in your Office 365 portal, click Protection and then Action Center.

You will see the user listed there with an Unblock option. Do not unblock the user for now.

In the Protection screen, click dkim and highlight your external domain. Click Enable. You will get an error message saying that the required CNAME records are not found.


Open the DNS management portal for your domain at your hosting company and add the following CNAME entries:

Host name: selector1._domainkey.<domain>
Points to: selector1-<domainGUID>._domainkey.<initialDomain>
TTL: 3600

Host name: selector2._domainkey.<domain>
Points to: selector2-<domainGUID>._domainkey.<initialDomain>
TTL: 3600

Once your DNS records have propagated, click the Enable button in the dkim section.

Once enabled, go to the Action Center and unblock the user. The block may take up to 2 hours to clear.

This will protect you from email message header spoofing. On another note, to know immediately when a user has been blocked, set up a notification as below.

Under the Exchange Admin Center open the Protection / Outbound Spam section. Double-click Default. Click Outbound Spam Preferences, tick "Send a notification when a sender is blocked" and enter the admin email address. Click Save.
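An added example (not from the original post) that does the checks behind the steps above from PowerShell: list the blocked senders, read the two CNAME targets Exchange Online expects for the domain, confirm public DNS serves them before enabling signing, and turn on the blocked-sender notification. It assumes the ExchangeOnlineManagement module and the built-in DnsClient module; the domain and admin address are placeholders.

```powershell
# Added example (not from the original post). Assumes ExchangeOnlineManagement and
# Resolve-DnsName (DnsClient module, built into Windows). Placeholder values below.
$Domain     = 'contoso.com'          # placeholder: your external domain
$AdminEmail = 'admin@contoso.com'    # placeholder: notification recipient

Connect-ExchangeOnline -ShowBanner:$false

# 1. Who is currently blocked for outbound spam? Review this before unblocking anyone.
Get-BlockedSenderAddress | Select-Object SenderAddress, Reason, CreatedDatetime | Format-Table -AutoSize

# 2. The CNAME targets Exchange Online expects (selectorN-<GUID>._domainkey.<initialDomain>).
#    If the domain has no DKIM config yet, create a disabled one first:
#    New-DkimSigningConfig -DomainName $Domain -Enabled $false
$dkim = Get-DkimSigningConfig -Identity $Domain
$expected = @{
    "selector1._domainkey.$Domain" = $dkim.Selector1CNAME
    "selector2._domainkey.$Domain" = $dkim.Selector2CNAME
}

# 3. Check public DNS for both records; Enable only succeeds once both resolve correctly
$ready = $true
foreach ($name in $expected.Keys) {
    $cname = $null
    try {
        $cname = (Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                  Where-Object QueryType -eq 'CNAME' | Select-Object -First 1).NameHost
    } catch { }
    if ($cname -ieq $expected[$name]) {
        Write-Host ("OK        {0} -> {1}" -f $name, $cname)
    } else {
        $ready = $false
        Write-Warning ("MISMATCH  {0} -> '{1}' (expected '{2}')" -f $name, $cname, $expected[$name])
    }
}

# 4. Same action as the Enable button, taken only when DNS is in place
if ($ready) { Set-DkimSigningConfig -Identity $Domain -Enabled $true }

# 5. Notify the admin mailbox whenever a sender is blocked (Outbound Spam preferences, Default policy)
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients $AdminEmail

# After DKIM is enabled, the block on a user can be lifted with
# Remove-BlockedSenderAddress -SenderAddress <user@domain>

Disconnect-ExchangeOnline -Confirm:$false
```

Step 3 is the one worth automating: a CNAME that is present but points at the wrong initial domain fails the Enable step just like a missing one, and the error in the portal does not say which.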


Fix: No Suitable Directory Servers Found when accessing OWA and ECP

When accessing ECP or OWA on your Exchange server you will get the server error below, saying No Suitable Directory Servers Found in Site and connected Sites. In the Event Viewer you will get the error 0x80040a02 (DSC_E_NO_SUITABLE_CDC).

The solution below is for Exchange 2003, 2007, 2010 and 2013. Open the domain's Group Policy Management and edit the Default Domain Controllers Policy (or the policy that applies to your server) as below.

Computer Configuration
Policies
Windows Settings
Security Settings
Local Policies
User Rights Assignment
Manage auditing and security log
Add 'Exchange Servers' or 'Exchange Enterprise Servers' to that policy.

Restart the Exchange server to apply the computer configuration.
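An added example (not from the original post) to confirm on a domain controller that the group really holds the "Manage auditing and security log" right (SeSecurityPrivilege) after the policy has applied. It uses secedit's export of the effective user-rights policy and the ActiveDirectory module; the group name is an assumption (use 'Exchange Enterprise Servers' for the older versions).

```powershell
# Added example (not from the original post): verify the effective user right on a DC.
# $GroupName is an assumption; older Exchange versions use 'Exchange Enterprise Servers'.
$GroupName = 'Exchange Servers'
$domain    = (Get-ADDomain).NetBIOSName

# secedit lists rights by SID, so resolve the group first
$account = New-Object System.Security.Principal.NTAccount($domain, $GroupName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Refresh policy so the GPO edit is in effect, then export the applied user rights
gpupdate /target:computer /force | Out-Null
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The line looks like:  SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...
$line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $cfg -Force

if ($holders -contains $sid) {
    Write-Host "$domain\$GroupName holds SeSecurityPrivilege on $env:COMPUTERNAME"
} else {
    Write-Warning "$domain\$GroupName is NOT in SeSecurityPrivilege on $env:COMPUTERNAME; current holders: $($holders -join ', ')"
}
```

The holders list doubles as a review: SeSecurityPrivilege allows clearing the Security event log, so anything in that list beyond Administrators and the Exchange group deserves a second look.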

Fix: Cannot demote server Access is denied

When demoting a server from an existing Active Directory, you will be prompted for credentials and then get an error saying:

The operation failed because: The attempt at remote directory server to remove directory server was unsuccessful. "Access Denied".

This issue is due to the object being set with Protect object from accidental deletion.

To fix this, open Active Directory Sites and Services. Find the server you are trying to demote and expand it. Right-click NTDS Settings and click Properties. Click the Object tab and un-tick Protect object from accidental deletion.

Retry the demotion and it will work. If it doesn't, open Active Directory Users and Computers and check whether the computer account also has Protect object from accidental deletion enabled (turn on Advanced Features under View to see the Object tab).
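An added example (not from the original post) that checks both objects the text mentions, the NTDS Settings object and the computer account, with the ActiveDirectory module, and clears the flag only where it is set. The domain controller name is a placeholder.

```powershell
# Added example (not from the original post). Uses the ActiveDirectory module (RSAT).
# $DcName is a placeholder for the domain controller being demoted.
$DcName = 'DC02'   # placeholder

function Get-DemoteBlockers {
    param([string]$Name)
    $dc = Get-ADDomainController -Identity $Name
    # The NTDS Settings object under Sites and Services, plus the computer account
    $dns = @($dc.NTDSSettingsObjectDN, $dc.ComputerObjectDN)
    foreach ($dn in $dns) {
        Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion |
            Select-Object DistinguishedName, ObjectClass, ProtectedFromAccidentalDeletion
    }
}

$objects = Get-DemoteBlockers -Name $DcName
$objects | Format-Table -AutoSize

# Clear the flag only on the objects that carry it; nothing else loses its protection
$objects | Where-Object { $_.ProtectedFromAccidentalDeletion } | ForEach-Object {
    Set-ADObject -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $false
    Write-Host "Cleared accidental-deletion protection on $($_.DistinguishedName)"
}
# Then retry the demotion (Server Manager or Uninstall-ADDSDomainController).
```

Clearing the flag on exactly these two objects, rather than on a whole container, keeps the protection in place for every other domain controller.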

Fix: AzureAD Sync not working Scheduler is already suspended

You will notice that the AzureAD Sync tool has stopped synchronizing, and in the Office 365 portal under Health, Directory Sync Status you will see the message "Warning: no recent synchronization" under Password Sync.

In PowerShell, when you run Start-ADSyncSyncCycle you will get the error below:

Warning: no recent synchronization 

Start-ADSyncSyncCycle : System.InvalidOperationException: Scheduler is already
suspended via global parameters.

To fix this, open PowerShell and run the command below.

Set-ADSyncScheduler -SchedulerSuspended $false

After it completes, re-run Start-ADSyncSyncCycle and it will work.
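An added example (not from the original post) that inspects the scheduler before changing it, applies the same fix only when the scheduler is actually suspended, and starts a delta cycle once no connector run is in progress. It runs on the Azure AD Connect server, where the ADSync module is available.

```powershell
# Added example (not from the original post). Run on the Azure AD Connect server.
Import-Module ADSync

# Inspect first: a suspended scheduler is one cause of "no recent synchronization";
# a disabled sync cycle or staging mode produce the same symptom
$sched = Get-ADSyncScheduler
$sched | Select-Object SyncCycleEnabled, SchedulerSuspended, StagingModeEnabled,
                       CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

if ($sched.SchedulerSuspended) {
    # Same fix as above
    Set-ADSyncScheduler -SchedulerSuspended $false
    Write-Host "Scheduler resumed"
}
if (-not $sched.SyncCycleEnabled) {
    Write-Warning "Sync cycle is disabled; enable it with: Set-ADSyncScheduler -SyncCycleEnabled `$true"
}
if ($sched.StagingModeEnabled) {
    Write-Warning "Server is in staging mode; it imports but does not export changes"
}

# Do not start a cycle on top of one that is still running
if (Get-ADSyncConnectorRunStatus) {
    Write-Warning "A connector run is still in progress; wait for it to finish"
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```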

Fix: Outlook blocked access to the following potentially unsafe attachments

When you open a specific attachment in Outlook you might get the error Outlook blocked access to the following potentially unsafe attachments. Here are some solutions to help you unblock attachments in Outlook.

Make sure that Outlook is closed. Open the Registry Editor and go to the key below for your Office version:

Microsoft Office Outlook 2010
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security
Microsoft Office Outlook 2007
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security
Microsoft Office Outlook 2003
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security
Microsoft Outlook 2002
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security
Microsoft Outlook 2000
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security

Create a new String Value named Level1Remove.
As the value, enter the extension of the file, for example .pptx. To add multiple extensions, separate them with a semicolon, like this: .pptx;.docx

Close regedit and open Outlook.

If this doesn't work, you might have an update that blocks the file, as Microsoft have released a patch which blocks safe files.

If you do have the below updates according to the Office version, remove them.

Outlook 2007: KB3191898
Outlook 2010: KB3203467
Outlook 2013: KB3191938
Outlook 2016: KB3191932
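An added example (not from the original post) that sets the Level1Remove value described above for whichever Outlook versions are present under the current user's hive, showing the previous value first. The extension list is an assumed value; every extension in it bypasses Outlook's attachment blocking for this user, so the list should stay as short as the job needs.

```powershell
# Added example (not from the original post): set Level1Remove for the installed
# Outlook version(s). $Extensions is an assumed value. Close Outlook first.
$Extensions = '.pptx;.docx'   # placeholder list; keep it minimal

# Version keys present under HKCU (9.0 = 2000, 10.0 = 2002, 11.0 = 2003,
# 12.0 = 2007, 14.0 = 2010, 15.0 = 2013, 16.0 = 2016)
$versions = Get-ChildItem 'HKCU:\Software\Microsoft\Office' |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
    ForEach-Object { $_.PSChildName }

foreach ($ver in $versions) {
    $outlook = "HKCU:\Software\Microsoft\Office\$ver\Outlook"
    if (-not (Test-Path $outlook)) { continue }   # Outlook not installed for this version

    $key = Join-Path $outlook 'Security'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    $before = (Get-ItemProperty -Path $key -Name Level1Remove -ErrorAction SilentlyContinue).Level1Remove
    Write-Host "Office $ver : Level1Remove was '$before', setting '$Extensions'"
    New-ItemProperty -Path $key -Name Level1Remove -Value $Extensions -PropertyType String -Force | Out-Null
}

# Confirm what is now unblocked, then start Outlook
foreach ($ver in $versions) {
    $key = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Security"
    if (Test-Path $key) { Get-ItemProperty -Path $key -Name Level1Remove | Select-Object PSPath, Level1Remove }
}
```

Because the value lives under HKCU, it applies only to the user the script runs as, which is also the right scope for an exception like this.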

How to: Crop filenames with Powershell

Sometimes you create scripts that work with files; for example, SQL Server creates backup files and appends _backup_timestamp to the name, so they are not easy to work with in a script.

The script below crops as many characters as you want from the end of each file name. Simply change $location (location of the files), $extension (file extension) and $characterstoremove (number of characters to remove). This will crop the file names to the length you need using PowerShell.

$location = "C:\test"
$extension = ".bak"
$characterstoremove = 37        # number of characters to crop from the end of each file name

# Files only (directories are skipped); the original filtered on the archive attribute instead
$filelist = Get-ChildItem -Path $location -File | ForEach-Object { $_.Name }

foreach ($file in $filelist)
{
    $len = $file.Length - $characterstoremove    # arithmetic, not string concatenation
    if ($len -le 0) {
        Write-Warning "Skipping '$file': shorter than $characterstoremove characters"
        continue
    }
    $newname     = $file.Substring(0, $len) + $extension
    $newfilename = Join-Path $location $file
    Rename-Item -Path $newfilename -NewName $newname
}
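An added example (not from the original post) that removes the _backup_timestamp suffix by pattern instead of by a fixed character count, so it also works when the timestamp length varies and leaves non-matching names untouched. $location and $extension are the same assumptions as in the script above, and the sample names are constructed for illustration.

```powershell
# Added example (not from the original post): pattern-based cropping of
# "<name>_backup_<timestamp>.bak" style file names.
$location  = 'C:\test'   # assumed, as above
$extension = '.bak'      # assumed, as above

function Get-CroppedName {
    param([string]$Name)
    $ext = [regex]::Escape($extension)
    # e.g. "Sales_backup_2019_03_14_213000_1234567.bak" -> "Sales.bak"
    if ($Name -match "^(?<base>.+?)_backup_[\d_]+$ext$") {
        return $Matches['base'] + $extension
    }
    return $null   # not a backup file name; leave it alone
}

# Constructed samples to show the function's behaviour
foreach ($sample in 'Sales_backup_2019_03_14_213000_1234567.bak', 'notes.txt') {
    "{0} -> {1}" -f $sample, (Get-CroppedName $sample)
}

# Real run: -WhatIf prints the renames without performing them; drop it to apply
Get-ChildItem -Path $location -File -Filter "*$extension" | ForEach-Object {
    $new = Get-CroppedName $_.Name
    if ($new -and $new -ne $_.Name) { Rename-Item -Path $_.FullName -NewName $new -WhatIf }
}
```

The -WhatIf dry run is worth keeping on the first pass against real backup folders, since a rename collision (two backups of the same database) would otherwise fail part-way through.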

How to: Remove Exchange mailbox export requests

After a number of exports or imports, you might want to clean up the requests in Failed, Completed or other states that Get-MailboxExportRequest reports in PowerShell. To clean these, open the Exchange Management Shell and run the commands below.

Clean Export requests
Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest
Get-MailboxExportRequest -Status Failed | Remove-MailboxExportRequest

Clean Import requests
Get-MailboxImportRequest -Status Completed | Remove-MailboxImportRequest
Get-MailboxImportRequest -Status Failed | Remove-MailboxImportRequest
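An added example (not from the original post) that records why the failed export requests failed before removing them, since the request statistics disappear with the request, and then cleans up without a per-request prompt. The report path is an assumption; it runs in the Exchange Management Shell.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# $Report is an assumed output path.
$Report = 'C:\Temp\failed-export-requests.csv'

# Keep the failure details: once a request is removed, its statistics are gone too
$failed = @(Get-MailboxExportRequest -Status Failed)
$failed | Get-MailboxExportRequestStatistics |
    Select-Object Name, Mailbox, Status, FailureType, Message, StartTimestamp, LastUpdateTimestamp |
    Export-Csv -Path $Report -NoTypeInformation
Write-Host "$($failed.Count) failed export request(s) recorded in $Report"

# Remove completed and failed requests without prompting for each one
Get-MailboxExportRequest |
    Where-Object { $_.Status -eq 'Completed' -or $_.Status -eq 'Failed' } |
    Remove-MailboxExportRequest -Confirm:$false

# Queued or in-progress requests are left alone; show what remains
Get-MailboxExportRequest | Select-Object Name, Mailbox, Status
```

The same pattern applies to import requests with Get-MailboxImportRequest, Get-MailboxImportRequestStatistics and Remove-MailboxImportRequest.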

How To: Disable AD Autodiscover for Office 365 migration

When you have a local Exchange setup and want to migrate to Office 365 while leaving the local Exchange in place, you will have problems with Autodiscover still pointing users to the local Exchange. If you don't do the below, Outlook will keep trying to connect to the old Exchange server.

To stop the Autodiscover, open ADSIEDIT.MSC on the Active Directory server and delete the entry below so that the local SCP entry is skipped.

Select the "Configuration" naming context
CN=Services\
CN=Microsoft Exchange\
CN=\
CN=Administrative Groups\
CN=Exchange Administrative Groups\
CN=Servers\
CN=\
CN=Protocols\
CN=Autodiscover\
And delete the CN= of class serviceConnectionPoint

Since Outlook uses the SCP as well, you may want to apply this registry update on the local machines.

(The version number varies depending on your Office application version)
– Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover
– Create new DWord ExcludeScpLookup
– Set the DWord as 1

After this, ping autodiscover.mydomain.com to ensure that it's pointing to Office 365.

Update:

You can also add the following values; they may help more. These should be created under the AutoDiscover key.

"ExcludeScpLookup"=dword:00000001
"ExcludeHttpsAutodiscoverDomain"=dword:00000001
"ExcludeHttpsRootDomain"=dword:00000001
"ExcludeSrvLookup"=dword:00000001
"ExcludeHttpRedirect"=dword:00000000
"ExcludeSrvRecord"=dword:00000001
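An added example (not from the original post) in two parts: the first lists the Autodiscover SCP objects in the Configuration naming context with the ActiveDirectory module, so you can see exactly what the ADSI Edit step would delete; the second applies the registry values from the update above on a client for the Office version given in $Version (an assumed value).

```powershell
# Added example (not from the original post).
# Part 1 runs on a domain member with the ActiveDirectory module.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scps = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" `
    -LDAPFilter '(objectClass=serviceConnectionPoint)' `
    -Properties serviceBindingInformation, keywords |
    Where-Object { $_.DistinguishedName -like '*,CN=Autodiscover,CN=Protocols,*' }

# serviceBindingInformation is the URL Outlook is being sent to; keywords carries the site scope
$scps | Select-Object Name, DistinguishedName, serviceBindingInformation, keywords | Format-List
# The ADSI Edit deletion from the post, per object:
#   Remove-ADObject -Identity $scps[0].DistinguishedName

# Part 2 runs on a client as the affected user (the values live under HKCU).
$Version = '16.0'   # assumed: 16.0 = Outlook 2016; adjust to the installed version
$key = "HKCU:\Software\Microsoft\Office\$Version\Outlook\AutoDiscover"
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

$values = [ordered]@{
    ExcludeScpLookup               = 1
    ExcludeHttpsAutodiscoverDomain = 1
    ExcludeHttpsRootDomain         = 1
    ExcludeSrvLookup               = 1
    ExcludeHttpRedirect            = 0   # left at 0, as in the post
    ExcludeSrvRecord               = 1
}
foreach ($name in $values.Keys) {
    New-ItemProperty -Path $key -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
}

# Confirm the result
Get-ItemProperty -Path $key | Select-Object Exclude*
```

A less destructive alternative to deleting the SCP object on Exchange 2010/2013 is to blank its URL with Set-ClientAccessServer -Identity <server> -AutoDiscoverServiceInternalUri $null, which leaves the object in place for a later rollback; either way, Part 1 shows the current value so it can be noted before the change.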