Server 2008 and prior domain controllers create two Domain Admin accounts with permissions on the GPOs.  We could not see both in the GUI but when we ran icacls {GPO UID} on the Server 2008 domain controller you see both Domain Admin accounts.

Server 2012 and newer domain controllers only create a single Domain Admin account with access.  In the 2018.6C (June 21 Rollup, links below) patch for 2016 and 2012R2, a new function was introduced to remove duplicate ACEs in order to reduce the NTFS Security Descriptor stream size. Machines with this patch will no longer write that duplicate ACE, thereby making them inconsistent with the unpatched ones.

To fix we logged into the Server 2008 domain controller and ran the following command against all the GPOs to remove both domain admin account

icacls “{GPO UID}” /remove:g “<localdomain>\Domain Admins”

Then the following command to add a single Domain Admin account back to the GPO

icacls “{GPO UID}” /grant “<localdomain>\Domain Admins”:(OI)(CI)(F)

We then we forced replication again with these two commands

repadmin /syncall

repadmin /syncall /AdePq

After that we re-ran the Detect Now on the server 2016 and all servers were green.

IMPORTANT NOTE:

If you create a new policy on Server 2008 it will get the second domain admin account again.  So to prevent it from happening going forward you should create the GPOs on Server 2016.

• No Comments

After enabling Mimecast for Inbound routing , Threat Protection Re-Writes the URLs for Safety. When this is enabled with the following 365 Spam Check : Image links to remote sites

Which : Messages that contain <Img> HTML tag links to remote sites (for example, using http) are marked as spam.

All Inbound emails with Images with Hyperlinks get marked as Spam by Office365. Make sure this is turned off!

• No Comments

The compact is the recommendation from iManage Support. Ideally, you can stop connector and the ingestion due to it not being used anymore and start the services after DRECOMPACT

You will need 30% free disk space to run DRECompact Successfully.

STEPS TO RESOLVE

1. Stop Worksite Connector and Work Ingestion Server services
2. Expand Content Engine disks to a point that there is more than 30% capacity free 
3. Run a DRECOMPACT task against both engines
   
   http://127.0.0.1:11001/DRECOMPACT
   http://127.0.0.1:12001/DRECOMPACT
   
   Make a note of the INDEXID number returned to your browser.
4. Wait until completed
   
   YOU CANNOT STOP THIS PROCESS AND IT MAY TAKE A CONSIDERABLE AMOUNT OF TIME
   
   
5. You can monitor the status from the IndexerBrowser
   
   “The compaction is complete when the IndexerGetStatus action reports that the job (INDEXID number) is finished (status=-1, description = Finished).”
   

1. Restart the Connector and Ingestion Server services once the job has completed and the content engine disks are looking a little emptier

To set up a schedule for compaction

1. Open the Content server configuration file in a text editor.
2. Find the [Schedule] section. If the configuration file does not contain a [Schedule] section, add one.
3. Set the following parameters in the [Schedule] section:

Compact:                         

Type true to enable a compacting schedule.

CompactTime:                

The time (hh:mm) when you want the Compact operation to start.

CompactInterval:           

The number of hours between DRECOMPACT operations. Specify the time in the 24-hour clock and the format hh:mm. When you start WorkSite Indexer, the specified CompactInterval must elapse (after the specified CompactTime) before the first  DRECOMPACT

operation takes place. Type 0 to schedule daily compactions.

For example:

[Schedule]

Compact=true

CompactTime=01:00

CompactInterval=168

This configures a compaction every 168 hours (once a week) at 1:00 a.m.

1. 1. 4. Save and close the configuration file.
      5. Restart the Content server for your changes to take effect.
      6. Repeat Step 1 to Step 5 for all your Content servers.

• No Comments

Check these recommended Enterprise Cloud Resources and Neutral Resources network settings

Also : 

Exempting the App means the app will allow to be able to access and share company data 

Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"

Name : Firefox

Product Name : O=MOZILLA CORPORATION, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US

Publisher : *

File : firefox.exe

Min Verison : *

Max Version : *

Name : Chrome

Product Name : O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US

Publisher : *

File : chrome.exe

Min Verison : *

Max Version : *

• No Comments

Currently, there is no way to use the Regex filter to capture “Everything” is not allowed in Microsoft 365 environment. This is by design.

A bit annoying when you want to tag a sensitivity label to all files

• No Comments

Something went wrong. Here are some possible reasons.
Device already connected to org
Couldnt auto discover a management endpoint assigned to username. If you know your endpoint please enter it.\
mdm server URL: blank     > https://wip.mam.manage.microsoft.com/Enroll didnt work

1. Checked existing connections, if so disconnect and reconnect again.  There wasn’t.
2. Backup and delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments
3. Try again.. existing connection popped up, disconnect and reconnect working now

• No Comments

• Needs a specific PDF Reader

https://docs.microsoft.com/en-us/azure/information-protection/rms-client/protected-pdf-readers

Nitro PDF at the time of writing this does not work! Remember this will be for Internal and External People reading a protected document

• Deployment of Microsoft Azure Information Protection Viewer ( There is no Mac OSX client for Azure Information Protection.)
  To read-protected Txt files and image files, think of files that will be protected without a reader.
  
  
• Authorized Workflow or Users to Remove the Sensitivity Label
  If you want the send the document out of the organization to a user who is not setup in your company’s Azure AD ( e.g Guess Access ) you will need a Workflow that automates and logs this removal for Compliance/Auditing of a User with these permissions
• Sensitivity Labelling

1. Enable Sensitivity on a Teams or Sharepoint Library  Does not set Files underneath it
2. You can set a Default Document Label however you will still need to encrypt old documents ( see below ) 
3. Auto-Labelling Technology to do this needs License and is still in Preview License needed ( Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 E5/A5 Information Protection and Governance, Office 365 E5, Office 365 Advanced Compliance, Enterprise Mobility + Security E5, and AIP Plan 2 provide the rights for a user to benefit from automatic sensitivity labeling. ) 
4. Use the Microsoft Cloud App Security dashboard with File Policy to Tag the files ( still needs above license ) 

• Breaks CoAuthoring
  Can only use the web version of Office for Document CoAuthorign
  
  
• Needs the latest version of Office 365 for Client-Side Labelling Modifications 
  Remember any external people you are sharing with will need this as well to open

• No Comments

A WNDAP360 can be in Standalone mode , or it can be managed by a Wireless Controller. 

If you want to change the type ( Managed to Standalone mode ) you need to flash the device firmware. Performing a Factory Reset ( Holding down Reset Button ) just resets the WebGui Login password.

 Firmware upgrade sequence for WNDAP360 from 2.x:
  V2.1.11 -> V2.1.12 -> V3.5.20.0 – Correct sequence.

Download the Firmwares from here : 

https://www.netgear.com/support/product/WNDAP360.aspx#download

See – View Previous Versions

Once Download . UnZip the .tar files !

Login to the webportal of the managed WNDAP360 and upload the first  V2.1.11 Firmware (.tar )  ( I used Chrome ) 

What you will see in the console serial cable connection , is the device restart straight away then wait on the below , Leave the webbrowser open

######################### Start SysMon Entity [30] #########################
# Name=RFID Mgr, Path=/ft/bin/rfid_mgr, Type=0
######################### Start SysMon Entity [31] #########################
# Name=RFID Serial Comm, Path=/ft/bin/rfid_serial_comm, Type=0
Executing file /FT_CONF/prepare_upgrade
********* Waiting for Upgrade file *********

Wait on this screen for a few minutes 

Netgear mips #1 Tue Dec 6 11:52:49 IST 2016 (none)
Netgear login: 
FACDEF_DRV: Disabling watchdog
TERM

You should then see it formating the file system and rebooting again

Once ready you can go upload V2.1.12 ( takes a while as it has to encrypt the filesystem ) 

Then V3.5.20.0 and whatever’s the latest!

• No Comments

https://techcommunity.microsoft.com/t5/outlook-global-customer-service/how-outlook-2016-utilizes-exchange-server-2016-fast-search/ba-p/381195#

Secondary mailboxes

When Outlook 2016 released, the plan was to only support FAST search on your primary mailbox. However, starting in the Fall of 2017, you should see that any Exchange email account added through File | Account Settings (also known as MultiEx or multiple Exchange accounts) now fully supports FAST search.

If you are limited to using an older build of Outlook 2016 and search in a MultiEx mailbox, the FAST query may be submitted in the context of the logged on user (you). This causes the search results to be pulled from your own mailbox, not the secondary mailbox that currently has the focus in your Outlook client. If you are unable to upgrade your Outlook 2016 client to the November 2017 Monthly Channel Build, you can temporarily work around this limitation by using one of the following options:

• Change the search scope to All Outlook Items, Subfolders, or All Mailboxes
• Disable Outlook 2016’s use of FAST search via policy or local user registry setting (see the next section)

Note Other types of secondary stores, such as those added via Open these additional mailboxes or those that are automatically configured via AutoMapping, are still limited to WDS.

HOWEVER

I’ve found users report searching still sucks in their shared and/or secconday mbxs. So per document set the below DWORD key to 1 if a user reports this – though I’m still waiting to hear if there are negative connotations to this change

• No Comments

 Report % Rate of change from the last Backup Job Run

Add-PSSnapin -Name VeeamPSSnapIn -ErrorAction SilentlyContinue

Disconnect-VBRServer | out-null

connect-vbrserver -server localhost

$JobsOutput = @()

Foreach ($JobObject in Get-VBRJob | ?{$_.JobType -eq "Backup"})

{

$LastSession = $JobObject.FindLastSession()

$ChangeRate = ($LastSession.Info.Progress.TransferedSize/$LastSession.Info.Progress.TotalUsedSize)*100

$JobOutput = New-Object -TypeName PSObject

$JobOutput | Add-Member -Name "Jobname" -MemberType Noteproperty -Value $JobObject.Name

$JobOutput | Add-Member -Name "Endtime" -MemberType Noteproperty -Value $LastSession.endtime

$JobOutput | Add-Member -Name "TotalUsedSize" -MemberType Noteproperty -Value $LastSession.Info.Progress.TotalUsedSize

$JobOutput | Add-Member -Name "ReadSize" -MemberType Noteproperty -Value $LastSession.Info.Progress.ReadSize

$JobOutput | Add-Member -Name "TransferedSize" -MemberType Noteproperty -Value $LastSession.Info.Progress.TransferedSize

$JobOutput | Add-Member -Name "ChangeRate" -MemberType Noteproperty -Value $ChangeRate

$JobsOutput += $JobOutput

}

$JobsOutput | Out-GridView

Disconnect-VBRServer | out-null

However one result is not a fair estimate of rate of change , and I don’t have a Veeam One license so I decided to Average Stuff

You can run on One VM or all the VM’s in a Backup Job

Add-PSSnapin -Name VeeamPSSnapIn -ErrorAction SilentlyContinue

connect-vbrserver -server localhost

#Query to get all jobs in the time period in hours that have processed data (Data ne 0 ) and have completed

$vbrtasksessions = (Get-VBRBackupSession |

Where-Object {($_.EndTime -ge (Get-Date).addhours(-168) -or $_.CreationTime -ge (Get-Date).AddHours(-168) -or $_.State -eq "Working")}) | Get-VBRTaskSession | Where-Object {$_.Status -notmatch "Idle|InProgress|Pending|Fail"-and $_.Info.Progress.TotalSize -ne "0"}

#Get Backup Job and VM

#$getOne = $vbrtasksessions | ? {$_.JobName -eq "%Veeam Backup or Backup Copy Name%" -and $_.Name -eq "%Name of Server%"}

#Or Get Whole Backup Job and average between all the machines

#$getOne = $vbrtasksessions | ? {$_.JobName -eq "%Veeam Backup or Backup Copy Name%"}

#Cannot Get Total usedSize in Backup

Echo ListofAllFullSizesInBytes $getOne.Info.Progress.TotalSize

#Echo AverageTotalFullBackupSizeInGB $([Math]::Round([Decimal]($getOne.Info.Progress.TotalSize | Measure-Object -Average).Average/1GB, 2))

Echo ListofIntcrementalSizeinBytess $getOne.Info.Progress.TransferedSize

#Echo AverageIntSizeinGB $([Math]::Round([Decimal]($getOne.Info.Progress.TransferedSize | Measure-Object -Average).Average/1GB, 2))

Echo RateofChangein% ((($getOne.Info.Progress.TransferedSize | Measure-Object -Average).Average/($getOne.Info.Progress.TotalSize | Measure-Object -Average).Average)*100)

Disconnect-VBRServer | out-null

• No Comments