Today I wanted to talk about an older topic that is still relevant, as I had to do it recently 🙂
If you want to delegate to a group or user the ability to disable Active Directory user accounts, you must grant that group or user read/write permission on the userAccountControl attribute.
That attribute backs the account options shown in this window (first picture taken from there);
To be more exact, the attribute controls these options;
In the Active Directory Users and Computers console, right-click the OU and click Delegate Control;
In the wizard, restrict the delegation to User objects only;
Then tick Read and Write for the userAccountControl property;
And that's all, it should work afterwards 🙂
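The same delegation done from PowerShell, as an added example that is not part of the original post: it grants a group Read and Write on the userAccountControl attribute of every user object under an OU, which is the ACE the Delegate Control wizard above writes. The OU and group names are assumptions; the schema GUIDs are resolved from the schema partition rather than hard-coded.

```powershell
# Added example (not from the original post). Assumed names below.
Import-Module ActiveDirectory

$ouDn     = 'OU=Staff,DC=contoso,DC=com'   # assumed OU that holds the delegated users
$groupSam = 'Helpdesk-DisableAccounts'     # assumed group receiving the right

# Look up the schemaIDGUID of the attribute and of the "user" class so the ACE
# is scoped to exactly one property on exactly one object class.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$uacGuid  = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=userAccountControl)' -Properties schemaIDGUID).schemaIDGUID
$userGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

$sid    = (Get-ADGroup $groupSam).SID
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

# Allow ACE: ReadProperty+WriteProperty on userAccountControl ($uacGuid),
# inherited by descendant objects of class user ($userGuid) only.
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $uacGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show the ACE that was just written for the group on that attribute.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" -and $_.ObjectType -eq $uacGuid } |
    Format-List IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

One caveat worth keeping in mind: write access to userAccountControl covers every bit of the attribute, not only ACCOUNTDISABLE, so the delegated group can also flip flags such as PASSWD_NOTREQD or DONT_REQ_PREAUTH on those accounts. Scope the OU tightly and audit the group's membership.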
For reference, the attribute holds these values (reference):

Property flag         Value in hexadecimal   Value in decimal
SCRIPT                0x0001                 1
ACCOUNTDISABLE        0x0002                 2
HOMEDIR_REQUIRED      0x0008                 8
LOCKOUT               0x0010                 16
PASSWD_NOTREQD        0x0020                 32
PASSWD_CANT_CHANGE

Note on PASSWD_CANT_CHANGE: You can't assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the Property flag descriptions section.
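To make the table usable, here is an added example (not from the original post) that decodes a userAccountControl value into its flag names and disables an account by setting the ACCOUNTDISABLE bit, which is exactly the write the delegated group needs. The flag list goes beyond the six rows above and carries the full set of documented userAccountControl flags; the sample value and the account name are constructed for illustration.

```powershell
# Added example (not from the original post).
# Full documented flag set for userAccountControl, bit value per name.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

# Return the names of every flag set in an integer userAccountControl value.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Constructed sample: 514 is NORMAL_ACCOUNT (512) plus ACCOUNTDISABLE (2),
# the value a disabled, ordinary user account carries.
ConvertFrom-UserAccountControl -Value 514

# Disable a user the way the delegated Read/Write right allows: read the
# attribute, set bit 0x2, write it back. Disable-ADAccount does the same write.
function Disable-UserViaUac {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties userAccountControl
    $new  = $user.userAccountControl -bor $UacFlags.ACCOUNTDISABLE
    Set-ADUser -Identity $user -Replace @{ userAccountControl = $new }
    ConvertFrom-UserAccountControl -Value $new
}

# Disable-UserViaUac -SamAccountName 'jdoe'   # assumed account name
```

The decoder is also a quick audit tool: run it over the userAccountControl of every account in the delegated OU and look for anything beyond NORMAL_ACCOUNT and ACCOUNTDISABLE, since those extra bits are the ones a delegated writer could set.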
Today I wanted to share two useful GPOs for when you migrate your file server to SharePoint Online.
The GPOs automatically create the OneDrive sync of the document library, push some useful settings, and set the delay for applying the configuration.
The first GPO to apply creates the mount point for the selected users. I suggest targeting it with the same security group the mapped drive used.
It's in HKEY_CURRENT_USER\Software\Policies\Microsoft\OneDrive\TenantAutoMount (REG_SZ)
Value name = the text of the mount point to be created.
Value = the site URL
The site URL can be obtained by navigating to the site and clicking Sync; it will offer an option to copy the link. The link must be un-escaped.
The link format is: tenantId=xxx&siteId=xxx&webId=xxx&listId=xxx&webUrl=httpsxxx&version=1
To un-escape it, use PowerShell, it's the easiest way:
[uri]::UnescapeDataString("Copied String")
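The whole step in one script, as an added example that is not part of the original post: it un-escapes the link copied from the library's Sync button, checks that the five fields of the format are present, and writes the TenantAutoMount value under HKCU. Running it locally is the equivalent of the GPO registry item for the current user, which is handy to test before deploying the policy. The sample link, its IDs and the mount name are constructed for illustration.

```powershell
# Added example (not from the original post). Sample link and name are constructed.
$copiedLink = 'tenantId=11111111-2222-3333-4444-555555555555&siteId=%7Baaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee%7D&webId=%7Bffffffff-0000-1111-2222-333333333333%7D&listId=%7B44444444-5555-6666-7777-888888888888%7D&webUrl=https%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2FShared&version=1'
$mountName  = 'Shared Documents'   # assumed: the text shown as the mount point name

# Un-escape the copied string and refuse to write policy if a field is missing,
# which is the usual reason a TenantAutoMount entry silently does nothing.
function Get-OneDriveAutoMountValue {
    param([Parameter(Mandatory)][string]$Link)
    $unescaped = [uri]::UnescapeDataString($Link)
    $parts = @{}
    foreach ($pair in $unescaped.Split('&')) {
        $key, $val = $pair.Split('=', 2)
        $parts[$key] = $val
    }
    foreach ($required in 'tenantId', 'siteId', 'webId', 'listId', 'webUrl') {
        if (-not $parts.ContainsKey($required)) { throw "Sync link is missing '$required'" }
    }
    if ($parts['webUrl'] -notlike 'https://*') { throw "webUrl must be an https URL" }
    return $unescaped
}

$value = Get-OneDriveAutoMountValue -Link $copiedLink
$key   = 'HKCU:\Software\Policies\Microsoft\OneDrive\TenantAutoMount'

# REG_SZ value: name = mount point text, data = un-escaped site link.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name $mountName -Value $value -PropertyType String -Force | Out-Null

# Verify what OneDrive will read.
Get-ItemProperty -Path $key | Select-Object -Property $mountName
```

In the GPO itself this is a Group Policy Preferences registry item with the same hive, key path, value name and REG_SZ data; the script only gives you a fast way to confirm the un-escaped string is right before you push it.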
To that GPO one more registry setting can be added; it is tagged as making the change appear faster, but it's to be tested. On Reddit it is a value that is tagged as working for some and not for others. On my side I saw a difference, maybe 10-20 min instead of nearly 8 hours, but it may just be the time for the GPO to apply.
If you have Conditional Access rules inside your Entra tenant, please make sure to look at this roadmap;
The roadmap will force admin users to enable MFA on their accounts, which is good news for securing all the admin logins out there.
Starting in November 2023, Microsoft will begin automatically protecting customers with Microsoft managed Conditional Access policies. These are policies that Microsoft creates and enables in customer tenants.
The following Conditional Access policies will be rolled out to all eligible tenants:
1. MFA for admin portals
This policy covers privileged admin roles and requires MFA when an admin signs into a Microsoft admin portal.
2. MFA for per user MFA users
This policy covers users with per-user MFA and requires MFA for all cloud apps.
3. MFA for high-risk sign-in
This policy covers all users and requires MFA and reauthentication for high-risk sign-ins.
I wanted to warn that on 1 November 2023 a new requirement will apply to SMTP relay through Exchange Online.
Nov 1, 2023 – New Requirements for SMTP Relay through Exchange Online
Effective from November 1, 2023, the matching condition for the SMTP P2 sender domain will be removed. This means that relaying email through Exchange Online will require meeting the following criteria:
Accepted domain: The SMTP certificate domain on the SMTP connection or the SMTP envelope sender domain in the MAIL FROM command (P1 sender domain) must be one of your organization’s accepted domains.
Inbound Connector: The sending host's IP address or certificate domain on the SMTP connection must match your organization's Inbound Connector of the on-premises type.
Failure to meet either of these conditions after November 1, 2023, will result in the rejection of relay attempts from your on-premises environment to Exchange Online.
Solution: It is necessary to modify your Inbound Connector of the on-premises type and switch from using IP addresses to a certificate domain. Furthermore, you need to ensure that the certificate domain is included as an accepted domain of your organization.
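The fix carried out in Exchange Online PowerShell, as an added example that is not part of the original post: it checks that the certificate domain is an accepted domain, lists on-premises inbound connectors that still rely on sender IP addresses only, switches one of them to certificate-domain matching and verifies the result. The certificate domain and connector name are assumptions; the certificate domain must match the CN or a SAN of the certificate your on-premises server presents on the SMTP connection.

```powershell
# Added example (not from the original post). Assumed names below.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$certDomain = 'mail.contoso.com'   # assumed: CN/SAN of the on-prem SMTP server certificate
$connector  = 'On-prem relay'      # assumed: name of the existing OnPremises inbound connector

# 1. The certificate domain must be one of the tenant's accepted domains.
#    Accepted domains in Exchange Online are added and verified from the
#    Microsoft 365 admin center, so this only checks and warns.
$accepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
if ($accepted -notcontains $certDomain) {
    Write-Warning "$certDomain is not an accepted domain; add and verify it in the Microsoft 365 admin center first."
}

# 2. Report on-premises connectors that only match on IP address (no TLS certificate name).
Get-InboundConnector |
    Where-Object { $_.ConnectorType -eq 'OnPremises' -and -not $_.TlsSenderCertificateName } |
    Format-Table Name, Enabled, SenderIPAddresses, TlsSenderCertificateName, RequireTls

# 3. Switch the connector to certificate-domain matching and require TLS.
#    Clearing SenderIPAddresses is deliberate: the page's point is to stop relying on IPs.
Set-InboundConnector -Identity $connector `
    -TlsSenderCertificateName $certDomain `
    -RequireTls $true `
    -SenderIPAddresses $null

# 4. Verify the connector now carries the certificate domain.
Get-InboundConnector -Identity $connector |
    Format-List Name, ConnectorType, Enabled, TlsSenderCertificateName, SenderIPAddresses, RequireTls

Disconnect-ExchangeOnline -Confirm:$false
```

Before clearing the IP addresses, send a test message from the on-premises server with a MAIL FROM in one of your accepted domains and check the message trace; if the server presents a certificate whose subject does not match the value you set, relay will be rejected once the IP match is gone.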
Today I wanted to share a method to map network drives from Intune / Endpoint Manager.
The method is useful if you are in a hybrid setup, where some resources are in the cloud and others on premises.
If you have Azure AD Connect syncing your domain controller with the cloud, SSO will work out of the box with the mapping. One exception to the SSO: if your users sign in with a PIN through Windows Hello, you will have other integration to do.
To start, please download the drive mapping custom ADMX.
Today I wanted to share a small tip if you have HHCTRL filling your event log like crazy.
Finding the culprit can be done, but in case it's known and doesn't impact anything, you can disable the event log for that event with these registry keys;