Latest posts

Distinguished Name

Everything in AD (Active Directory) has a Distinguished Name. A Distinguished Name can be used in many situations such as setting up an application to use a service account or adding AD groups or users into applications and so much more.

A Distinguished Name is also known as a DN. A benefit of using a DN is that no two objects in Active Directory can ever have the same DN.

In this post I’ll show step-by-step how to get the Distinguished Name for the various items in Active Directory via the GUI and PowerShell.

GUI Way

  • Open Active Directory Users and Computers
  • Click on View > Advanced Features
  • Right click on anything in AD and click on Properties
  • Click on the Attribute Editor tab.

Microsoft 365 Audit Logging

For whatever reason, the default fresh setup of Microsoft 365 has no audit logging turned on. Audit logging is very useful for IT troubleshooting, and auditors love logs.

Microsoft says that it is enabled by default for Microsoft 365 and Office 365 enterprise organizations. I suspect that means only if you have E1 or higher. The new tenants I’ve made recently are not E1 or higher, which could be why I didn’t see it already on.

Someone asked for clarification about this on GitHub; however, the replies all say that it is on by default for everything, which isn’t true based on my experience. You can read the GitHub issue here.

Microsoft’s documentation also says to double check that audit logging is enabled, which you absolutely should be doing, as whether it is on or not seems inconsistent.

In this post I will detail how to check if audit logging is enabled and how to enable it via the Web UI or PowerShell.

Prerequisites

The Web UI Way

  • Log in to the Microsoft 365 Admin center.
  • Click on Security or Compliance (you can get to auditing from either one)
  • From the Security or Compliance admin centers click on Audit

If audit logging isn’t enabled, the page will look something like this.

  • Click on Start recording user and admin activity

Audit logging is now enabled; it may take a bit for it to actually start working.

The PowerShell Way

  • Connect to Exchange Online with PowerShell
  • Run the following command to check if audit logging is enabled: Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

In my example the returned result is False, so audit logging isn’t enabled and we want to turn that on.

Lenovo Update TPM 1.2 to 2.0

If you have an older Lenovo server with a TPM (Trusted Platform Module) it may be running with TPM version 1.2 and not TPM version 2.0. One of many reasons to upgrade your TPM is because TPM 2.0 is needed to install ESXi 8.

In this post I will show you how to update the Lenovo TPM from version 1.2 to version 2.0.

Prerequisites

You will need to know how to assert physical presence on the Lenovo server. If you don’t know how to do that I detail the process in a post called Lenovo Remote Physical Presence.

I would also make sure all your firmware is fully up to date, as you may not see this option if the firmware is very old (and you should be keeping your firmware up to date anyway).

Make sure you understand that anything stored in the TPM will be lost. This likely isn’t an issue if you are doing a fresh setup.

The Process

  • Log in to the XClarity Controller
  • Enter the BIOS setup
  • Assert your physical presence over the Lenovo server.
  • Click on UEFI Setup
  • Click on System Settings

Palo Alto Predefined IP Commit Error Fix

In this post I will detail how to resolve the Palo Alto commit error when trying to commit a predefined IP list.

Below is an example of the error:

Validation Error:
external-list -> Palo Alto Networks Tor exit IP Addresses -> type -> predefined-ip -> url 'panw-torexit-ip-list' is not a valid reference
external-list -> Palo Alto Networks Tor exit IP Addresses -> type -> predefined-ip -> url is invalid

I’ve commonly run into this issue on a fresh Palo Alto setup, right after loading the day 1 configuration and trying to make that first commit.

Here is step-by-step how to fix the predefined IP list error.

  • Log in to the Palo Alto firewall.
  • Click on Device
  • Click on Dynamic Updates

Onyx (MLNX-OS) Upgrade

In this post I will show you how to upgrade your switch running Onyx (MLNX-OS). I will detail how to do it via command line and via the web interface.

The best way to make sure your upgrade is a success is to plan your upgrade path. I recommend following the upgrade paths as sometimes jumping from an old version to the newest version isn’t supported and could lead to issues.

When Nvidia purchased Mellanox, some of the upgrade path planning resources became locked away behind a login/pay wall. One of the items behind the wall is the detailed release notes.

The release notes are the documents that tell you exactly which versions are supported on which switches and what your upgrade path should be, as direct upgrades that skip versions can sometimes cause issues.

You can access the release notes directly on your switch, but only for the version you are currently running. I tried to see if I could extract the release notes from the upgrade image, but they seem to be stored as blobs and I couldn’t figure out a way to open them.

Fortunately, Onyx is also used by other OEMs, Hewlett Packard Enterprise for example. You can find a public version of the upgrade path in the HPE documentation here.

My SN2410 switch was originally running version 3.6.6102; my upgrade path was the following:

  • 3.7.1134
  • 3.8.2204
  • 3.9.1020
  • 3.9.3302
  • 3.10.2102
  • 3.10.4006

With the upgrade path planning out of the way I will now show you step-by-step how to upgrade Onyx (MLNX-OS) via CLI or the Web UI.

The CLI Way

  • SSH into the switch.
  • Run the show version command to see what version you are currently running.

Create Active Directory Central Store

The default setup of Windows Active Directory has no central store. A central store is a central place to store your group policy definitions. If you only have one domain controller and make all your GPOs (Group Policy Objects) on that domain controller, this likely wouldn’t be much of a problem.

The limitations start to show their faces when you have a second domain controller or you use a different system to make your GPOs. They also show up if you import GPOs that were built using newer group policy definitions. If you want to know how to import GPOs from another system, I detailed the full process in a post called GPO Export and Import.

When you create or edit a GPO with the Group Policy Management Editor, it checks whether it can find a central store; if it can’t find one, it uses the group policy definitions from your local computer, which are stored in C:\Windows\PolicyDefinitions.

GPO not using the central store

Here’s how to create an Active Directory Central Store for all your group policy definitions on your domain.

Moving Windows Recovery Partition Correctly

Recently I needed to expand a disk on a Windows 10 VM and a Windows Server 2022 VM, but I couldn’t because the Recovery Partition was in the way.

When searching for a way to do this I discovered that the internet is full of posts about simply deleting the Windows Recovery Partition. I am not a fan of simply deleting a recovery tool. On numerous occasions the recovery partition has been instrumental in helping me to fix a system.

If you search for how to move the Windows Recovery Partition, the internet has many posts describing fake ways to do it, or ways to do it with third-party tools like GParted. I have nothing against third-party tools or GParted, and I don’t doubt some of those methods do work. The issue I have with those methods is that you have to take the system offline in order to use them, or the tools cost money.

Now, yes, you could just delete the Windows Recovery Partition, but before you do that make sure you understand that you will lose a bunch of recovery options. You can read more about the recovery options you’ll lose in an earlier post I made about the Windows Recovery Partition.

Here’s how to correctly move the Windows Recovery Partition on a Windows server or a normal Windows system.

This is what my partitions look like in Disk Management.

We will move the 1 GB recovery partition to the end of the disk allowing us to add the 50 GB of unallocated space to the C drive.

The Process

  • Make sure you have a backup of the system you are going to edit the partitions on.
  • Open Command Prompt as admin
Run CMD as admin

Microsoft 365 Enable Organization Customization

Right out of the box the initial configuration of Microsoft 365 (aka Office 365) isn’t bad, but there’s a lot more you can do to harden it and to make it fully yours.

By default all Microsoft 365 tenants are in a state that is called dehydrated. Microsoft places all the tenants in this state in order to save space, as there are likely many Microsoft 365 tenants that will never change anything past the defaults, but that’s no fun.

In order to rehydrate our Microsoft 365 tenant and allow for a whole range of customizations, we need to enable something that is called organization customization.

Once we have enabled organization customizations we will be able to customize a lot more things in our Microsoft 365 tenant.

Here’s how to do that.

The Process

  • Connect to Exchange Online with PowerShell
  • Double check the hydration status of your Microsoft 365 tenant by running the following command: Get-OrganizationConfig | FL isDehydrated

Intune Silently Enable BitLocker

When you are managing devices with Microsoft Intune (aka Microsoft Endpoint Manager), it’s great to control BitLocker, but silently enabling BitLocker for all devices is even better.

Here is everything you need to know to silently enable BitLocker with Intune.

Disk Encryption Policy Profile

First up, we need to create a disk encryption policy profile that we can use later on with our configuration profile. The disk encryption policy profile by itself does nothing other than define the settings that will apply when it is referenced by a configuration profile.

  • Log in to the Microsoft Intune admin center
  • Click on Endpoint Security
  • Click on Disk encryption
  • Click on Create Policy

VMware Horizon Customize Web Portal

VMware Horizon’s web portal has a decent appearance out of the box. However, I wanted to customize it to make it look like my own.

If you have a customized login background on your Microsoft 365, it could be beneficial to create a consistent end-user experience by making them look similar.

I couldn’t find any official documentation from VMware about this. I suspect the customizations might break when you upgrade to a new version of VMware Horizon. With all of that aside, altering the images on the HTML portal is actually really straightforward.

Here’s how to change the default background and the default logo on the VMware Horizon HTML web portal.

  • Go to your current VMware Horizon web portal, right click on the VMware Horizon logo and select Open image in new tab
  • You will now have a new tab with a URL that looks something like this: horizon.yourwebsite.com/portal/webclient/icons-21414280/logo.png