I had to do this a few weeks ago, so I documented it. I had a list of usernames in a CSV file and I needed to bulk-add them to a security group.
Bulk Add Group Users Solution
Firstly you will need the usernames (sAMAccountNames) in .csv format like so. (Note: As a header I’m using User-Name.) I’ve saved the file to C:\Temp on my server.
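One way to do the bulk add from that CSV, as an added example (not the original script from this page). The file name, group name and log path are placeholders, and it assumes the ActiveDirectory PowerShell module is installed. It runs as a dry run first and writes a per-user result log, so typos in the list and existing members show up as failures rather than being silently skipped.

```powershell
#Requires -Modules ActiveDirectory
# Added example: bulk-add the sAMAccountNames listed in a CSV to one security group.
# $CsvPath, $GroupName and $LogPath are placeholders; 'User-Name' is the CSV header used above.
$CsvPath   = 'C:\Temp\users.csv'
$GroupName = 'Example-Security-Group'
$LogPath   = 'C:\Temp\group-add-results.csv'
$DryRun    = $true    # set to $false once the -WhatIf output looks right

# Fail early if the group does not exist, before touching any user.
$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

$results = @(foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = "$($row.'User-Name')".Trim()
    if (-not $sam) { continue }    # skip blank lines

    try {
        # Resolve the account first so a misspelt name is recorded as a lookup failure.
        $user = Get-ADUser -Identity $sam -ErrorAction Stop
        Add-ADGroupMember -Identity $group -Members $user -WhatIf:$DryRun -ErrorAction Stop
        $outcome = if ($DryRun) { 'WouldAdd' } else { 'Added' }
    }
    catch {
        $outcome = "Failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Time    = (Get-Date).ToString('s')
        User    = $sam
        Group   = $group.Name
        Outcome = $outcome
    }
})

# Keep a record of who was added to what, then print a summary by outcome.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object { ($_.Outcome -split ':')[0] } | Select-Object Name, Count
```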
WARNING: Do not do this, if you are carrying out a Hybrid migration to Office 365!
I’ve been doing an On-Prem to Office 365 migration recently. It was a little unusual because the ‘on-prem’ Exchange was not in the client’s domain. So rather than migrate all the mail to their domain, and then migrate it to Office 365, we chose to use a third-party migration solution, ODME (Quest On Demand Migration for Exchange).
So using their tool I could migrate the ‘DATA’, and then the plan is to use the Quest CPUU (Client Profile Update Utility) to repoint all the client’s Outlook profiles to Office 365.
That’s fine, but how to keep the mail ‘up to date’ in both locations while they are being migrated? I thought (incorrectly) that the Quest ODME would do this, but forwarding from on-prem Exchange deployments is not supported.
This is what I wanted to do;
Then I could migrate everyone, then move the mail flow to Office 365, by simply changing the DNS (MX) Records.
Solution
I’ve covered forwarding of mail before in this previous article (you might want to have a read through that one first).
*Note: I’m using the ‘onmicrosoft.com‘ tenant email as it is already publicly routable, and lets me still have my live mail feed pointed to the on-prem Exchange.
Now assuming you have all your on-prem usernames and their Office 365 email addresses in a CSV file like so,
And you have saved the CSV file as C:\Temp\Office-365-Users.csv, use the following script.
Why is it so difficult to remove Administrative tools! The one folder you might not want your users having access to is on everyone’s start menu by default? I’ve seen posts saying to change the permissions so users can’t run the snap-ins in that folder, and other posts that suggest removing it from the ‘all users’ profile, and yet more posts that say remove it in preferences with a post Vista start menu. NONE OF THAT WORKED?
This solution is for Windows Server 2012 R2. If you’re running an earlier version, then I invite you to post a decent solution at the bottom of the page.
What I did was create a Custom Start screen, then exported that to XML, then configured all my users to use that start screen.
Solution
Log in as an administrator, and tailor the start screen to how you would like it for your users.
Then open a PowerShell session and export the settings to an XML file. I’ve already set up a network share on the RDS server itself to store the XML file in (grant users ‘read‘ rights to the share).
[box]
Export-StartLayout -Path \\{server-name}\{share-name}\{file-name.xml} -As xml
[/box]
Now on the GPO linked to your RDS Server(s) add the following;
[box]
Computer Configuration > Administrative Templates > Start Menu and Taskbar > Start Screen Layout
[/box]
Enable the policy, and point it to the file you exported above. Then either force a policy refresh or wait a while for the new policy to take effect.
Related Articles, References, Credits, or External Links
Persona Management is the VMware version of “Roaming Profiles” and “Redirected Folders” rolled into one. Though the redirected folders bit is a lot easier to set up and less problematic than the Microsoft Folder Redirection policy.
It’s handy if you are using floating pools but still want your users to have a persistent user interface. Having these files centrally makes them easier to back up, and the more your users can customise their desktops and settings the better their level of equipment husbandry.
Solution
Create a “Roaming Profile” Network share with the correct permissions
1. On a network accessible server, create a folder and set the SHARE permissions as follows;
Share Permissions
Everyone = Read. Domain Users = Full Control.
Note: You may also want to DISABLE Caching on this folder.
2. Stop inheritable permissions from propagating to the folders and set the security permissions as follows;
Security / NTFS Permissions
Creator Owner (Subfolders and Files Only) = Full Control.
Domain Users (This folder Only) = List Folder/Read Data and Create Folders/Append Data.
System (This Folder, Subfolders and files) = Full Control.
Everyone = No Permissions.
Note: I’m using domain users, you might have a different security group that you want to substitute.
3. Make sure that the machines that you will be using as view targets, have the View Persona Management option selected (this is selected by default).
Here you will find the folders that can be redirected to a central location.
13. For example, here I’m redirecting the users “My Documents” folder.
14. And their “My Pictures” folder.
15. Make sure you have a pool created, and your users have an ‘entitlement’ to them. These machines will also HAVE TO be in the OU your policy is applying to.
16. Now when your users connect to their View Desktops.
17. Their user profile will be persistent.
18. Because their settings are stored in your profile shared folder.
Note: Persona Management will store the profile in username.domainname format. The V2 on the end of it denotes that the profile is for Windows 7 or Vista. If users swap between these OSs and any older Windows OSs, then they will get a separate profile for those as well. If this is the case, rely on the folder redirection rather than the profile.
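The share and NTFS permissions from steps 1 and 2 above can also be applied from PowerShell. This is an added example, not part of the original walkthrough; the folder path, share name and domain are placeholders, and it assumes Windows Server 2012 or later (for New-SmbShare) and an elevated session on the file server. Everyone gets no NTFS entry at all, which is what "No Permissions" amounts to once inheritance is switched off.

```powershell
# Added example: create the profile folder, share it, and apply the ACL from steps 1 and 2.
# $Path, $ShareName and $Group are placeholders.
$Path      = 'D:\ViewProfiles'
$ShareName = 'ViewProfiles'
$Group     = 'EXAMPLE\Domain Users'

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Step 1: share permissions, with offline caching disabled.
New-SmbShare -Name $ShareName -Path $Path -ReadAccess 'Everyone' `
    -FullAccess $Group -CachingMode None | Out-Null

# Step 2: NTFS permissions. Each entry is identity, rights, inheritance flags, propagation flags.
$rules = @(
    @('CREATOR OWNER',       'FullControl',                     'ContainerInherit,ObjectInherit', 'InheritOnly'),
    @($Group,                'ListDirectory,CreateDirectories', 'None',                           'None'),
    @('NT AUTHORITY\SYSTEM', 'FullControl',                     'ContainerInherit,ObjectInherit', 'None')
)

$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)    # stop inheritance and discard inherited entries
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRuleSpecific($_) }    # drop stray explicit entries

foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $r[0], $r[1], $r[2], $r[3], 'Allow'
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $Path -AclObject $acl

# Read the result back: exactly three entries, none inherited, nothing for Everyone.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
Get-SmbShareAccess -Name $ShareName
```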
I’ve written in the past about bulk importing users with CSVDE, but what if you want to move/migrate your users to another domain? You first need to export all the users, then import them into the new domain.
Solution
Step 1 Export Domain Users to CSV File
1. Here all my users are in one OU, if that OU has nested OUs within it that’s OK.
3. The users will be exported. If it fails at this point it will give you a descriptive error, CSVDE has been around for a while, Google the error (most fixes are pretty simple).
4. Now open the CSV File with Excel, the second line will probably be the OU, you can leave this here if you want but if your target OU is different (or like me you prefer to create it manually), then delete row 2 (Don’t delete Row 1!).
5. You do not need all the columns, delete all the columns EXCEPT,
DN
objectClass
ou
distinguishedName
name
cn
sn
givenName
displayName
sAMAccountName
userPrincipalName
So when complete it should look like the following;
6. Change any details in the LDAP path that are different for the new domain.
7. You may also need to change the domain name that’s listed on the userPrincipalName.
Step 2 Import Domain Users from CSV File
1. On the target domain, (if you are not importing the OU’s, then make sure they already exist). The syntax for the import is;
[box]
csvde -i -f c:\filename.csv
[/box]
9. Your users should be imported.
10. By default they will be disabled, but you can bulk enable them.
11. At this point all the users have no password, this can also be bulk set.
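The CSV clean-up in steps 4 to 7 of the export can be scripted instead of done by hand in Excel. This is an added example, not from the original article; the file paths and both domain names are placeholders, it assumes Windows PowerShell 5.1, and it assumes the OUs already exist on the target domain (so OU rows are dropped). It stops before writing the import file if any row still points at the old domain.

```powershell
# Added example: prepare a CSVDE export for import into the new domain (steps 4 to 7).
# File paths and both domain names are placeholders.
$InFile  = 'C:\Temp\export.csv'
$OutFile = 'C:\Temp\import.csv'
$OldBase = 'DC=olddomain,DC=local';  $NewBase = 'DC=newdomain,DC=local'
$OldUpn  = '@olddomain.local';       $NewUpn  = '@newdomain.local'

# Step 5: the only columns to keep.
$keep = 'DN','objectClass','ou','distinguishedName','name','cn','sn',
        'givenName','displayName','sAMAccountName','userPrincipalName'

# Anchor both patterns to the end of the value so only the domain suffix is rewritten.
$basePattern = [regex]::Escape($OldBase) + '$'
$upnPattern  = [regex]::Escape($OldUpn)  + '$'

# Step 4: keep user rows only (drops the OU row), then trim the columns.
$rows = @(Import-Csv -Path $InFile |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -Property $keep)

# Steps 6 and 7: rewrite the LDAP path and the UPN suffix.
foreach ($r in $rows) {
    $r.DN                = $r.DN -replace $basePattern, $NewBase
    $r.distinguishedName = $r.distinguishedName -replace $basePattern, $NewBase
    $r.userPrincipalName = $r.userPrincipalName -replace $upnPattern, $NewUpn
}

# Any row still pointing at the old domain would fail on import, so stop here.
$bad = @($rows | Where-Object {
    $_.DN -notlike "*,$NewBase" -or
    ($_.userPrincipalName -and $_.userPrincipalName -notlike "*$NewUpn")
})
if ($bad.Count) {
    $bad | ForEach-Object { Write-Warning "Not rewritten: $($_.DN)" }
    throw "$($bad.Count) row(s) still reference the old domain; fix them before importing."
}

# ANSI output in Windows PowerShell 5.1, which csvde -i reads without the -u switch.
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding Default
'{0} user rows written to {1}' -f $rows.Count, $OutFile
```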
The Cisco CSC module provides ‘in line’ scanning of POP3, SMTP, HTTP and FTP traffic, to protect against viruses but also for anti spam and anti phish (with the correct licensing).
If you are familiar with Trend products, you will like it, (because that’s what it runs), and the interface is much the same as Trend IWSS.
It is a hardware device that plugs into the back of the ASA, and comes in two flavours.
1. CSC-SSM-10 (50 to 500 users, depending on licenses) for ASA 5510 and 5520.
2. CSC-SSM-20 (500 to 100 users, depending on licenses) for ASA 5510, 5520, and 5540.
In addition to licensing the number of users, you can also buy a Plus License, which enables anti-spam, anti-phish, URL filtering, and blocking control. (Note: This license expires and must be renewed annually).
Solution
Some licenses on the CSC are time specific, I would consider setting the ASA’s internal clock before you start.
1. Connect to the ASA via command line, go to enable mode and issue the following command;
From the output you should be able to get the serial number of the CSC module (write it down).
2. In the box with the CSC/ASA should be an envelope containing the PAK for the CSC module, write that number down as well.
3. Go to the Cisco license portal here, Note: If you do not have a Cisco CCO account you may need to create one. Enter your PAK code > Fulfill Single PAK.
Note: If you have multiple PAK codes, you can do them at once with the ‘Load more PAK’s’ button, this may be the case if you also have a ‘plus’ license to add.
4. Enter the serial number of your CSC module and the person/company from whom you bought it > Next.
5. It should display your valid email address (from your CCO account). Tick the box to accept the terms and conditions > Get License.
6. Scroll down and accept, then select DOWNLOAD (that way you won’t have to wait for it to be emailed to you).
7. Open the license file (will have a .lic extension) with notepad and you should see two keys.
Step 2: Setup the CSC Module
Note: Here I’m going to simply set up inspection of everything on all interfaces. This might not be what you want, i.e. if there’s no mail server in the DMZ, why would you want to inspect all DMZ traffic for SMTP?
9. Enter the base and plus license codes. Note: The plus license code that comes with the CSC is just an evaluation one, if you have purchased a plus license separately, then paste THAT code in instead.
10. Enter the network settings you require for the CSC (it requires its own network connection). It has a single RJ45 network socket on the CSC module’s back plane; connect that to your LAN > Next.
11. Supply a name for the CSC module and details of your email server (if you require email notification) > Next > enter the IP addresses that will be allowed access to the CSC web console > Next > Change the password Note: The original password will be cisco > Next.
12. Select what traffic you want to inspect, here I’ve selected all traffic all interfaces > I’ve set the CSC to fail open (if there’s a problem it simply passes traffic, if you have it on fail close and the CSC encounters a problem all http, smtp, ftp, and pop traffic will be blocked until the problem is resolved) > OK > Next.
13. Review the settings > Finish.
Note: You may get a warning if you set ‘fail open’ above that’s OK.
Connecting to and Managing the Cisco CSC Module
Although you can access the CSC settings via the ASDM, the easiest way is via its web interface, you set the IP address in step 2 number 10 above, navigate to
https://{ip-address}:8443
Note: You should now set the CSC module so that it DOES NOT scan its own update traffic, see the following article.
If you add the plus license later, you will obtain the code in the same manner as you did above (put the PAK and the CSC Serial number into the licensing portal and have it sent to you).
1. Once you have the code, open a web session to the CSC management interface https://{ip-address}:8443 > Administration > Licensing > Enter a new code.
2. Paste in the new code > Activate.
3. It may look like it has hung, wait a minute or so, and check the licensing tab again.