Entra ID Set User Account Password to Never Expire

 I ran into this one recently as a user account for Cisco CUC had been created in Entra ID only and not on-premise and allowed to sync.  It's just a few PS commands and you can set the password to never expire.

NOTE:  You must be a global admin or password administrator to perform these changes.

I ran all of these commands from an Exchange 2019 on-premise server running in hybrid mode.

1. Connect to Exchange Online

Connect-ExchangeOnline

2. Connect to Microsoft Graph PowerShell and to the required scopes.

Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All"

3. To check a user's account to see if the password expiration is set run this command: 

Get-MGuser -UserId <user id or UPN> -Property UserPrincipalName, PasswordPolicies | Select-object UserPrincipalName,@{N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}}

4. To set the password of one user to never expire, run this command:

Update-MgUser -UserId <user ID> -PasswordPolicies DisablePasswordExpiration

These commands will allow you to set the password policy to never expire for just a single user account as needed.  For more details on how to change it for all users and check for all users, you can reference the official Microsoft Learn article HERE.

Good luck!

"The namespace cannot be queried. Access is denied" error when you try to create a domain-based DFS namespace

Working on setting up a new DFS Namespace today.  Ran directly into this issue.  When you sign in to Windows by using an account that belongs to the Domain Admins group, and then you try to create a domain-based namespace on any Distributed File System (DFS) namespace server, the operation fails. Windows returns an error message that resembles the following:

\\domainname.com\Public The namespace cannot be queried. Access is denied.

However, when this error occurs, you can still successfully create a standalone namespace.

The fix is to remove your account from the Protected Users group.

If you're curious, here's why it doesn't work:  When you create a new domain-based namespace, the computer queries the Domain Name System (DNS) server for domain information. The DNS server responds by sending a list of the A records of the domain controllers for that domain. The computer then contacts one of the domain controllers and tries to use your account credentials to authenticate by using NTLM authentication.

If your account belongs to the Protected Users group, your account can't use NTLM authentication. In this situation, authentication fails and generates a STATUS_ACCOUNT_RESTRICTION error.

Is Port 80 Needed for On-Premise Exchange?

 Simply put...NO! 

Now if you go digging you will see the official Microsoft documentation stating that it is needed for failback for some HTTPS services.  From a security standpoint if the HTTPS services aren't working then I will refuse to go back to an unencrypted service just to keep it working.

Some will say if you're keeping Exchange patched and updated then having port 80 open to Exchange is no big deal.  While that may be true why risk it?

I had a customer recently that was asking why their Exchange server was showing C&C callbacks being blocked from the outside, why are there other items being blocked from the outside.  Each thing in the endpoint protection logs showed this server was being attacked on port 80.

I connected to their Cisco ASA and disabled the rule allowing port 80 to the Exchange server.  Guess what, a week went by with no further attacks being blocked.  Even though the endpoint protection was stopping them, it would only be a matter of time before an exploit is found via port 80 and then there goes the server's security posture.

I don't see a need to expose this port in 2023 on the modern Internet with all of the risks we already face daily.

Just be smart and disable port 80.  If your application won't work without it then it's time to update the application or get one that is more focused on security.  Don't compromise your network security to accommodate old software.

My $.02.  

Good luck!

Start All Exchange Services Automatically

One Command to Rule Them All!

Little joke there....this command will start all Exchange services on a server in the event they do not start automatically as they should after a restart.

Get-Service -DisplayName "Microsoft Exchange*" | Where-Object {$_.Starttype -eq "Automatic" -and $_.Status -ne "Running"} | Start-Service

The process waits for each service to start before moving to the next one.  Really handy when you've got a lot going on and don't want to start them all by hand.

Good luck!

How to Configure a Startup Script to Map a Network Printer

A Windows startup script can be used to map a network printer at logon. Here is an example of a simple script that maps a network printer using the "net use" command:

net use LPT1: \\printserver\printer /persistent:yes

This script maps the network printer located at "\printserver\printer" to the local LPT1 port, and the "/persistent:yes" flag ensures that the mapping will remain after a reboot.

You can also use the rundll32 printui.dll,PrintUIEntry command to map network printers at logon. Here is an example of the command to map a network printer with IP address 192.168.1.100 and share name printer:

rundll32 printui.dll,PrintUIEntry /in /n\\192.168.1.100\printer

You can also use a batch file that contains the above commands, and then schedule it to run at startup using the Task Scheduler.

It is important to note that you need to have the necessary permissions to map the network printer and that the printer should be shared and available on the network.