Saturday, 8 October 2016

What is Group Policy Loopback Processing in Active Directory?

Or, How to enable Group Policy Loopback Processing for a Group Policy Object?
Or, in what situations should you consider using Group Policy Loopback Processing?

Descriptions:
Guys, Group Policy Loopback Processing is one of the cool features of Active Directory Group Policy Management, but you must be conscious of what it does and understand it very well before playing with this feature. Please note that Group Policy Loopback Processing is only supported in an Active Directory environment. There may be cases where you need to apply a user-based policy to a Computers OU, or a computer-based policy to a Users OU.

In this kind of scenario, you can use Group Policy Loopback Processing to achieve your goal.

How to enable Group Policy Loopback Processing for a GPO?

Steps: Open the Group Policy Management Console (gpmc.msc) > Locate the GPO on which you want to enable “Group Policy Loopback Processing” > Right-click the GPO and select Edit > Navigate to Computer Configuration\Policies\Administrative Templates\System\Group Policy > Select Configure User Group Policy Loopback Processing Mode and open it.

Select Enabled > Now choose the option as per your requirement, “Merge” or “Replace” > Click OK.

Note: if you are not sure about choosing Replace mode, you may go ahead with the Merge option. Make sure you understand the risk before applying these settings to any production GPO.

Understanding Merge and Replace Modes in Group Policy Loopback Processing

Merge Mode
In this mode, when the user logon process is initiated, the user's list of GPOs is gathered by using the GetGPOList function. GetGPOList is then called again using the computer's location in AD, and the resulting list is appended to the user's list, so the user settings from the computer's GPOs are processed last and win where they conflict.

Replace Mode
In this mode, the user's list of GPOs is not gathered at all. Only the list of GPOs based on the computer object's location is used, so the user settings in those GPOs apply to every user who logs on to that computer.

There is some good material on this concept written up on MS TechNet. You may refer to the TechNet article below for more.
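The GUI steps above, done with the GroupPolicy PowerShell module, plus an audit of which GPOs in the domain have loopback turned on (handy before a Replace-mode GPO reaches a server OU). This is an added example, not code from the original post; the GPO name "Kiosk-Lockdown" is a placeholder.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module (RSAT / GPMC).
# The registry value behind "Configure user Group Policy loopback processing mode" is
# UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System: 1 = Merge, 2 = Replace.
Import-Module GroupPolicy

$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
$ModeNames   = @{ 1 = 'Merge'; 2 = 'Replace' }

function Set-GpoLoopbackMode {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [ValidateSet('Merge', 'Replace')] [string] $Mode
    )
    $value = if ($Mode -eq 'Merge') { 1 } else { 2 }
    Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode' `
        -Type DWord -Value $value | Out-Null
}

function Get-GpoLoopbackReport {
    # Get-GPRegistryValue throws when the value is absent, so treat that as "Not configured".
    foreach ($gpo in Get-GPO -All) {
        $mode = 'Not configured'
        try {
            $reg  = Get-GPRegistryValue -Guid $gpo.Id -Key $LoopbackKey `
                        -ValueName 'UserPolicyMode' -ErrorAction Stop
            $mode = $ModeNames[[int]$reg.Value]
        } catch { }
        [pscustomobject]@{ GpoName = $gpo.DisplayName; Loopback = $mode; Status = $gpo.GpoStatus }
    }
}

# Placeholder GPO name. Replace mode applies the user settings of this GPO to everyone who
# logs on to the linked computers, administrators included, which is why the audit matters.
Set-GpoLoopbackMode -GpoName 'Kiosk-Lockdown' -Mode 'Replace'

# Which GPOs in the domain have loopback enabled at all?
Get-GpoLoopbackReport | Where-Object Loopback -ne 'Not configured' | Format-Table -AutoSize
```

Run `gpresult /r /scope:user` on a client afterwards to confirm which GPOs the loopback actually pulled in for the logged-on user.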

Sunday, 2 October 2016

How to export all mailboxes with usage size details in Office365 Server?

Or, PowerShell command to export all users’ mailboxes with used size details from the Office365 server.

Descriptions: Guys, I am going to show you the way to export all mailboxes from your Office365 server together with the used size of each mailbox. You may need to do some formatting in the Excel/CSV file after exporting the details, as per your requirement and convenience.
First of all, you need to connect to the Office365 server PowerShell admin console. Once you are connected, you can run the command below in the PowerShell window to get the results explained above.

If you don’t know how to connect to the Office365 Server PowerShell window, please read my other article, “How to connect Office 365 Server PowerShell admin console?”.

Steps (Exporting Mailboxes):
Log in to the Office365 Server Admin PowerShell console with administrative rights. Click here for the steps to connect to Office365 PowerShell.

Once you are connected to the Office365 PowerShell console, run the command below to get the mailbox size details.
-----------------------------------------------------------------------------------------------------------------------
Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics | Select-Object DisplayName,ItemCount,TotalItemSize | Export-Csv -Path "D:\temp\MailboxSizes.csv" -NoTypeInformation
-----------------------------------------------------------------------------------------------------------------------
Reference Screenshot of command execution:
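The same export, as an added example that is not part of the original post, but with TotalItemSize converted to a sortable number of MB and oversized mailboxes flagged, since the raw column is text that Excel cannot sort. It assumes an already-connected Exchange Online PowerShell session; the 40 GB threshold and output path are placeholders.

```powershell
# Added example (not from the original post). Assumes a connected Exchange Online session.
$ThresholdMB = 40 * 1024                     # placeholder: flag mailboxes above 40 GB
$OutFile     = 'D:\temp\MailboxSizes.csv'    # placeholder output path

function ConvertTo-MB {
    # In a remote session TotalItemSize arrives as text like
    # "1.23 GB (1,320,000,000 bytes)"; pull the exact byte count out of the parentheses.
    param([Parameter(Mandatory)] [string] $SizeText)
    if ($SizeText -match '\(([\d,]+) bytes\)') {
        return [math]::Round([double]($Matches[1] -replace ',', '') / 1MB, 2)
    }
    throw "Unrecognised size text: $SizeText"
}

function Get-MailboxSizeReport {
    # -ResultSize Unlimited: without it Get-Mailbox silently stops at 1000 mailboxes.
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Get-MailboxStatistics |
        ForEach-Object {
            $mb = ConvertTo-MB -SizeText $_.TotalItemSize.ToString()
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                ItemCount     = $_.ItemCount
                TotalItemMB   = $mb
                OverThreshold = ($mb -gt $ThresholdMB)
            }
        } | Sort-Object TotalItemMB -Descending
}

$report = Get-MailboxSizeReport
$report | Export-Csv -Path $OutFile -NoTypeInformation
# Quick on-screen view of the mailboxes that need attention.
$report | Where-Object OverThreshold | Format-Table DisplayName, TotalItemMB -AutoSize
```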

How to connect Office365 Server PowerShell admin console?

Or, Connecting Office365 Server PowerShell admin console.

Steps:
1. Open Windows PowerShell (Run as Administrator)
2. Run the commands below sequentially (one by one).
-----------------------------------------------------------------------------------------------------------------
Set-ExecutionPolicy RemoteSigned
-----------------------------------------------------------------------------------------------------------------
$LiveCred = Get-Credential
-----------------------------------------------------------------------------------------------------------------
Note: (in the pop-up window, please enter Office365 global admin credentials, preferably administrator@yourdomain.com)
-----------------------------------------------------------------------------------------------------------------
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
-----------------------------------------------------------------------------------------------------------------
Import-PSSession $Session
-----------------------------------------------------------------------------------------------------------------

(All the above commands are highlighted sequentially in the screenshot below.)

Now you can execute any administrative command from here, as you are successfully connected to your Office365 server.
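The four commands above wrapped into a connect/disconnect pair, as an added example that is not from the original post: it verifies that the Exchange cmdlets really were imported and closes the remote session afterwards instead of leaving it open until it times out. The function names are my own.

```powershell
# Added example (not from the original post). Same connection method as the steps above.
# Note: Basic authentication to ps.outlook.com has since been retired by Microsoft; on a
# current tenant use Connect-ExchangeOnline from the ExchangeOnlineManagement module instead.
function Connect-O365Shell {
    param([string] $Uri = 'https://ps.outlook.com/powershell/')

    # Scope the policy change to this process rather than the whole machine.
    Set-ExecutionPolicy RemoteSigned -Scope Process -Force
    $cred = Get-Credential -Message 'Office365 global admin (e.g. administrator@yourdomain.com)'

    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $Uri `
        -Credential $cred -Authentication Basic -AllowRedirection -ErrorAction Stop
    Import-PSSession $session -DisableNameChecking | Out-Null

    # Sanity check: the Exchange cmdlets must now exist locally, otherwise nothing else will work.
    if (-not (Get-Command Get-Mailbox -ErrorAction SilentlyContinue)) {
        Remove-PSSession $session
        throw 'Exchange cmdlets were not imported; check the credentials and connectivity.'
    }
    return $session
}

function Disconnect-O365Shell {
    # Each tenant allows only a handful of concurrent remote sessions, so always release yours.
    param([Parameter(Mandatory)] [System.Management.Automation.Runspaces.PSSession] $Session)
    Remove-PSSession $Session
}

$s = Connect-O365Shell
try {
    # Any administrative command goes here; a small read-only check as an example.
    Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
} finally {
    Disconnect-O365Shell -Session $s
}
```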

Wednesday, 21 September 2016

Applying Group Policy specifically to selected security groups of users or computers in Active Directory.

Or, how to apply a Group Policy to a security group in AD?
Or, what is Group Policy security filtering in Active Directory?

Descriptions:
In the real world, this is a very genuine requirement: someone in your company may ask you to apply a desktop wallpaper or some other control to some specific users or computers. You know well that you can apply a Group Policy to users or computers based on the OU they are in, which means your Group Policy is very specific to an OU, or OU-oriented.

You can’t just move a user or computer to another OU, as their existing Group Policies may go away or get messed up, which may cause lots of issues.

But there are ways to achieve the above requirement:
1. Group Policy Security Filtering
2. Group Policy Loopback Processing

There are some technical concepts that you should understand well before playing with these features, else you may make blunders instead of doing things right.
Here in this article, I will explain the first option, “Group Policy Security Filtering”. We will discuss GPO Loopback Processing in the next article.

Additionally, I would suggest not going with the Group Policy Loopback Processing option if your requirement can be achieved by using Group Policy Security Filtering.

What is Group Policy Security Filtering?
Group Policy Security Filtering allows you to apply a Group Policy to a specific user, computer or security group. For example, if you have applied a Group Policy to an OU containing 10 users and you have added only two of those users to the security filter of the applied GPO, the settings defined in that GPO will be applied only to those two users.

Steps: How to apply a Group Policy to a security group in AD, or to a specific user?

Select your Group Policy > Go to the Scope tab > Under Security Filtering, click the Add button > Select your security group and add it here.

Now go to the Delegation tab > make sure the security group you added in the above step appears here > Click Advanced.

Set the Authenticated Users permission level for the specified Group Policy as shown in the screenshot below. Authenticated Users should have Read rights only and must not be allowed to apply the Group Policy.

Select Authenticated Users > Enable the check mark on Read > Uncheck the Apply Group Policy option > Click OK to save the changes.

Set the security group permission level for the specified Group Policy as shown in the screenshot below. Your security group should have Read and must be allowed to apply the Group Policy.

Select your security group > Enable the check mark on Read > Enable the check mark on Apply Group Policy > Click OK to save the changes.

That’s all, my friends. Now you can check your client machines to see whether they have the applicable GPOs applied. Run gpupdate /force on both the server and the client to get the result quickly, or try logging off and on again.
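The Scope and Delegation clicks above done with the GroupPolicy module, plus a check across all GPOs that Authenticated Users (or Domain Computers) still has Read, which is the mistake that breaks user policies silently. This is an added example, not from the original post; the GPO name "Desktop-Wallpaper" and group "GG-Wallpaper-Users" are placeholders.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    # Authenticated Users keeps Read but loses Apply (-Replace overwrites its current level).
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    # The target security group gets Read + Apply.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

function Test-GpoComputerReadAccess {
    # Since MS16-072 (June 2016) the computer account reads user GPOs on behalf of the user,
    # so every GPO needs Read for Authenticated Users or Domain Computers. A GPO that has
    # neither (usually because someone removed Authenticated Users outright) stops applying.
    foreach ($gpo in Get-GPO -All) {
        $perms   = Get-GPPermission -Guid $gpo.Id -All
        $readers = $perms | Where-Object {
            $_.Trustee.Name -in @('Authenticated Users', 'Domain Computers') -and
            $_.Permission -ne 'None'
        }
        [pscustomobject]@{
            GpoName          = $gpo.DisplayName
            ComputersCanRead = [bool]$readers
            AppliesTo        = (($perms | Where-Object Permission -eq 'GpoApply' |
                                 ForEach-Object { $_.Trustee.Name }) -join ', ')
        }
    }
}

# Placeholder names.
Set-GpoSecurityFilter -GpoName 'Desktop-Wallpaper' -GroupName 'GG-Wallpaper-Users'

# Any GPO listed here will not apply to anyone until Read is restored.
Test-GpoComputerReadAccess | Where-Object { -not $_.ComputersCanRead } | Format-Table -AutoSize
```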

Saturday, 17 September 2016

How to create a NIC Team in Windows Server 2012 R2?

Or, understanding NIC Teaming in Windows Server.
Or, a step-by-step guide to configuring NIC Teaming in Windows Server, with a detailed explanation of the available features and prerequisites.
Or, understanding the “Additional Properties” and “Load Balancing Modes” of NIC Teaming in Windows Server.

Prerequisites:
There are a few prerequisites you must consider before implementing NIC Teaming on your server; below are a few of them:

You should plan for a downtime of at least 10-15 minutes. When you create a NIC Team, the IP configuration of the server has to be configured again on the logical NIC Team adapter, and your server may become inaccessible right after creating the NIC Team because the newly created NIC Team adapter has no IP configuration.

If you are doing this on a physical server, you must have physical access to the server. When the NIC Team creation wizard completes, the IP configuration of the server is erased from the Ethernet adapters and the newly created NIC Team adapter has no IP configuration at that time. So, quite simply, you have no way to connect to the server over the network until an IP configuration is in place.

Yes, you are lucky if you have something like a separate management IP for this server that lets you reach the server’s KVM console remotely; otherwise it is better to have physical access to the server.

Descriptions:
NIC Teaming is one of the cool features of Windows Server that lets you meet high-speed, redundant Ethernet requirements when specific applications or servers badly need them.
Once you are ready with the prerequisites explained above, please proceed with the steps below to get it configured as per your requirements:

Steps:
Open the Server Manager console > Go to the Local Server option > On the NIC Teaming line, click the Disabled hyperlink (as shown in the screenshot below).

Click on Network Adapter tab

Select your active adapters (hold the Ctrl key and click the active adapters you need); in my case my two active Ethernet adapters are LAN-Primary and LAN-Secondary > Right-click the selected active Ethernet adapters > Click Add to New Team.

Give your NIC Team a friendly logical name > make sure the check mark is enabled on the NIC adapters you are going to add to the team > Click OK.

Wait for the configuration to complete.

You may see the pop-up window below (connection has been lost). Remember the prerequisites I explained above?
Now try to gain access to the server console locally (I accessed it using the KVM console in my case).

Open the Network Control Panel (Go to Run > type ncpa.cpl > hit Enter) > Select your NIC Team > Go to Properties > Select Internet Protocol Version 4 (TCP/IPv4) > Click Properties > Do the IP configuration as per your network design > Click OK to save the changes.

Please note: the IP address you configure here for your NIC Team logical network adapter will be the server’s IP going forward.

That’s it, you are done. But if you want to check or change some more configuration settings, you can navigate through the NIC Team properties from the Server Manager console.

As you can see in the screenshot below, I have used both my NIC adapters in Active-Active mode.
To understand more about these features, please see the descriptions below.

Understanding Additional Properties (NIC Teaming Modes):

Teaming Modes:

Switch Independent: The very first option on the list is the teaming mode. The default is Switch Independent mode, which lets you build a NIC Team without having to worry about your network switches’ capabilities and compatibility.

Static Teaming: This is a switch-dependent mode. It requires you to configure both the computer and the network switch so that they identify the links that make up the team.

Switch Dependent (LACP): This mode is known as LACP and is based on link aggregation fundamentals. With this type of NIC teaming, the team can be dynamically reconfigured by adding or removing NICs as your requirements change.

Understanding Load Balancing Modes:
There are two types of load balancing mode available: a) Address Hash and b) Hyper-V Port. The Address Hash option is the most commonly used, as it allows traffic to be load balanced across all of the NICs in the team.

The Hyper-V Port option balances traffic on a per-virtual-machine basis. This load balancing mode dedicates each virtual machine’s traffic to a specific NIC.

Standby Adapter
The name of the feature is self-explanatory: it lets you decide which network adapter should act as the standby adapter in the logical NIC Team you have created. Choosing this option keeps one NIC in standby mode and the other in active mode. The standby NIC becomes active automatically when the primary active NIC fails for any reason.

Cheers. Please write me back if you have any query, feedback or suggestion on this.

Friday, 9 September 2016

How to update or modify SPF records in the Office365-managed DNS management portal?

Or, Modifying SPF records in Office365 DNS Management portal.
Or, Adding DKIM records in Office365 managed DNS management control panel.

Descriptions:
I must say, it was one of the easiest yet most complicated tasks for me to find out where the SPF and DKIM records of my Office365 server are. After reading too many articles and many follow-up calls with the MS Support guys, I decided to put it on my blog in a better and easier way, so that even someone who is not aware of these features of MS Office365 can navigate to these options easily.

Guys, one thing to note here: it’s always best to have a separate DNS management control panel for managing all your DNS records. If you are still running your domain/email domain or Office365 online Exchange server with all DNS records created inside the Office365 portal itself, you should try to take a downtime and point your NS records to your own DNS management control panel, to keep your manageability and administrative future a peaceful journey.

You may check with MS Support and your DNS service provider on this as well, to plan it in a better way and reduce the overall downtime.

When I talk about downtime, it’s not that your email services are going to be down for the next 24 hrs, but it may take approx. 24 hrs for your DNS records to replicate and update across the globe. This is because, when you migrate your DNS records from the Office365 server to your DNS service provider, you may need to delete all the required records in the MS Office365 portal and re-create them in your DNS service provider’s DNS control panel.

I realized it’s good to explain the technical background of what we are going to do, where we stand and what the next plan of action should be. Let’s come to the point now.
Please follow the steps below for navigating to or modifying the SPF records created under the Office365 DNS management portal.

Steps:

Log in to the Office365 portal with administrative privileges > Go to Settings > Click Domains

Click on your email domain, the one highlighted as default; in my case it is techiessphere.com (default)

Click on Exchange Online to expand it

Here you have your SPF (TXT) record > to modify or update it, click the Edit option

Once you click the Edit option, the next pop-up window will appear like the one below

Update your required SPF record here. In my case I added mailcot.org to my existing SPF record. Please make sure you enter any additional entries before the “-all” mechanism (anything placed after “-all” is never evaluated by receiving servers), in the format

include:yourSPFrecord.xyz etc…

Click Save after you are done modifying the SPF record.

Upon successful completion of the SPF record update, the message below will appear, saying “Custom Record Saved Successfully”.
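A checker for the SPF text you paste into the Edit dialog above, as an added example that is not from the original post. It verifies that the record starts with v=spf1, that nothing follows the “all” mechanism (the placement mistake the steps warn about), that “+all” is not used, and that the record stays within the limit of 10 DNS-lookup mechanisms from RFC 7208. The sample records are constructed; mailcot.org is the include from the post and spf.protection.outlook.com is the standard Office365 include.

```powershell
# Added example (not from the original post). Runs offline on a record string; to check the
# live record instead, feed it (Resolve-DnsName yourdomain -Type TXT).Strings -join ''.
function Test-SpfRecord {
    param([Parameter(Mandatory)] [string] $Record)

    $problems = New-Object System.Collections.Generic.List[string]
    $terms    = $Record.Trim() -split '\s+'

    if ($terms[0] -ne 'v=spf1') { $problems.Add("record must start with 'v=spf1', got '$($terms[0])'") }

    # Locate the "all" mechanism (with any qualifier: +all, -all, ~all, ?all, all).
    $allIndex = -1
    for ($i = 0; $i -lt $terms.Count; $i++) {
        if ($terms[$i] -match '^[+\-~?]?all$') { $allIndex = $i; break }
    }
    if ($allIndex -lt 0) {
        $problems.Add("no 'all' mechanism; unlisted senders get a neutral result")
    } elseif ($allIndex -ne $terms.Count - 1) {
        $ignored = $terms[($allIndex + 1)..($terms.Count - 1)] -join ' '
        $problems.Add("terms after '$($terms[$allIndex])' are never evaluated: $ignored")
    } elseif ($terms[$allIndex] -in @('+all', 'all')) {
        $problems.Add("'+all' authorises every host on the internet to send as this domain")
    }

    # include, a, mx, ptr, exists and redirect each cost a DNS lookup; more than 10 is a permerror.
    $lookups = @($terms | Where-Object {
        $_ -match '^[+\-~?]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:)' -or $_ -match '^redirect='
    }).Count
    if ($lookups -gt 10) { $problems.Add("$lookups DNS-lookup mechanisms, limit is 10") }

    [pscustomobject]@{
        Record   = $Record
        Lookups  = $lookups
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample: Office365 plus the extra include from the post, correctly placed before -all.
$good = 'v=spf1 include:spf.protection.outlook.com include:mailcot.org -all'
# Constructed mistake: the new include pasted after -all, so it never takes effect.
$bad  = 'v=spf1 include:spf.protection.outlook.com -all include:mailcot.org'

Test-SpfRecord $good | Format-List
Test-SpfRecord $bad  | Format-List
```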

For creating DKIM records, you just need to create a CNAME record with the value and key ID that you have already received from your service provider.
Stay tuned; I will post another article specifically on adding DKIM records under the Office365 DNS management portal.

Cheers guys, please write me back for any feedback, suggestions or corrections.

Thursday, 8 September 2016

How to add a custom field or attribute to a user’s mailbox on the Office365 server?

Or, adding additional custom fields in the properties of email mailboxes hosted on the Office365 server.
Or, Office365 mailbox additional custom field in mailbox properties.
Or, exporting a custom attribute of all user mailboxes in Office365.
Or, exporting the full list of user mailboxes on the Office365 server with custom attributes.

Descriptions:
If you are an Office365 online Exchange server administrator, you may have faced this query, or may face it in future. This situation typically arises when your AD domain is completely separate and your Office365 email domain is not integrated with your AD domain.
For example: your AD domain may be yourcompanydomain.net while the email domain of your Office365 server is yourcompanydomain.com.

Scenario:
Your management team wants you to record the Employee ID of every user, for reference, as a unique identifier of AD accounts as well as email accounts, so that it can easily be tracked which user ID or email ID belongs to which user when reconciling AD and email accounts to get them in sync (ideally you should always have an equal number of AD and email accounts, except for service accounts and DLs).

There may be situations where you have multiple users with the same display name (the login IDs can be different); in this case it will be tough to identify the actual user you are targeting for a specific purpose. If you have the Employee ID written for all users somewhere in the AD account’s and email account’s properties, it becomes easy to identify the actual user and map them accordingly.

Options available in AD and Office365 (may be considered if best suited to your need):

AD (Active Directory): You have the Description field, where you can specify the Employee ID if you are already using all the other relevant AD fields for some purpose.

Now, when you want to export the AD user accounts with the Description field and other required fields, you can read my other article, “Exporting AD Users”.

Office365: You can go to the mailbox properties and specify a custom attribute with the Employee ID as its value.

Now, to export all email mailboxes with the custom attributes defined in the mailbox properties, you may run the command below in Office365 PowerShell:
--------------------------------------------------------------------------------------------------------------------------
Get-Mailbox -ResultSize Unlimited -Filter '(RecipientTypeDetails -eq "UserMailbox")' | Select-Object RecipientTypeDetails,Name,Alias,CustomAttribute1 | Export-Csv -Path D:\CAT.csv -NoTypeInformation
--------------------------------------------------------------------------------------------------------------------------

To know how to connect to Office365 PowerShell, please see my other article:

You can refer to the screenshot below for more details in graphical view.

Now you have the CAT.CSV report with all mailboxes and custom attributes on your D:\ drive. Yes, of course, the custom attributes will contain the Employee IDs that you had already entered in the users’ mailbox properties.
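The reconciliation the scenario describes, as an added example that is not from the original post: it fills CustomAttribute1 on the mailboxes from a CSV of Employee IDs, then compares the AD side (Description field, as the post uses it) against the Office365 side (CustomAttribute1) and reports IDs missing on either side and duplicates. It assumes a connected Exchange Online session and the ActiveDirectory module; the CSV path, its column names and the function names are placeholders of my own.

```powershell
# Added example (not from the original post). Assumes a connected Exchange Online session
# and the ActiveDirectory module (RSAT) on the workstation running it.
Import-Module ActiveDirectory

function Set-MailboxEmployeeIds {
    # CSV columns (constructed layout): PrimarySmtpAddress,EmployeeId
    param([Parameter(Mandatory)] [string] $CsvPath)
    foreach ($row in Import-Csv -Path $CsvPath) {
        Set-Mailbox -Identity $row.PrimarySmtpAddress -CustomAttribute1 $row.EmployeeId.Trim()
    }
}

function Get-EmployeeIdReconciliation {
    # AD side: the post stores the ID in Description (AD also has a dedicated employeeID attribute).
    $ad = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties Description |
        Where-Object Description | ForEach-Object {
            [pscustomobject]@{ EmployeeId = $_.Description.Trim(); Source = 'AD'; Id = $_.SamAccountName }
        })
    # Office365 side: user mailboxes only, so shared mailboxes and DLs do not show up as missing users.
    $o365 = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object CustomAttribute1 | ForEach-Object {
            [pscustomobject]@{ EmployeeId = $_.CustomAttribute1.Trim(); Source = 'O365'; Id = $_.PrimarySmtpAddress }
        })

    # A duplicated ID on either side breaks the "unique identifier" assumption, so report it first.
    $dups = ($ad + $o365) | Group-Object Source, EmployeeId | Where-Object Count -gt 1 |
        ForEach-Object { "$($_.Name): $($_.Group.Id -join ', ')" }

    # IDs present on one side only; SideIndicator '<=' means it exists in AD but not in Office365.
    $diff = Compare-Object -ReferenceObject $ad -DifferenceObject $o365 -Property EmployeeId -PassThru |
        Select-Object EmployeeId, Source, Id,
            @{ n = 'MissingIn'; e = { if ($_.SideIndicator -eq '<=') { 'O365' } else { 'AD' } } }

    [pscustomobject]@{
        Matched    = $ad.Count - @($diff | Where-Object Source -eq 'AD').Count
        Unmatched  = @($diff)
        Duplicates = @($dups)
    }
}

Set-MailboxEmployeeIds -CsvPath 'D:\EmployeeIds.csv'          # placeholder path
$r = Get-EmployeeIdReconciliation
$r.Unmatched | Export-Csv -Path 'D:\EmployeeId-Mismatch.csv' -NoTypeInformation
"Matched: $($r.Matched)  Unmatched: $($r.Unmatched.Count)  Duplicates: $($r.Duplicates.Count)"
$r.Duplicates
```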

Cheers. Please write me back if you have any query or feedback.