Enable PowerShell remotely on all PCs in a domain

First, from the DC, I'll get the list of all computer accounts in the domain and write them to a text file, C:\Servers.txt.

Get-ADComputer -LDAPFilter "(name=*)" -SearchBase "DC=moh10ly,DC=com" | Select-Object -ExpandProperty Name | Out-File -Encoding utf8 "C:\Servers.txt" -Append

Out-File creates the file if it doesn't exist, so don't seed it with a placeholder line (a "Dummy" entry would be treated as a computer name by the later steps). The filter (name=*) returns every computer object, including domain controllers and stale accounts, so trim the list before going on.

Next, I'll read that list into the variable $PC:

$PC = Get-Content "C:\Servers.txt"

Then I'll run a command against every PC in $PC with domain admin credentials. This only succeeds on hosts where WinRM is already listening: run before the next step it shows which machines still need remoting enabled, and run again afterwards it verifies the result.

Invoke-Command -ComputerName $PC -ScriptBlock { hostname } -Credential moh10ly\administrator

Enable PowerShell remoting on all clients in the text file.

Get-Content C:\Servers.txt | ForEach-Object { Invoke-WmiMethod -ComputerName $_ -Credential moh10ly\administrator -Class Win32_Process -Name Create -ArgumentList 'powershell.exe -NoProfile -Command "Enable-PSRemoting -Force"' }

Enable-PSRemoting only configures the machine it runs on and has no -ComputerName parameter, so piping names into it from the DC would just re-run it locally once per line. It has to be started on each target; Win32_Process.Create over WMI (DCOM/RPC) does that and works on domain members before WinRM is listening.

Once that has run on every host, you'll be able to access PowerShell remotely on all your domain clients. Two things to keep in mind: Enable-PSRemoting also registers the WinRM listener and opens its firewall rule on every machine in the list, so scope the list to the computers you actually need; and in a larger domain the cleaner way is Group Policy (enable the WinRM service and its firewall rule), which needs no per-host credentials at all.
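The whole procedure in one script, as an added example that is not part of the original post: it reads the same C:\Servers.txt, skips hosts that already answer Test-WSMan, starts Enable-PSRemoting on the others through a WMI-created process, and then verifies each host over WinRM with Invoke-Command. The list path, the domain account and the assumption that RPC/DCOM (TCP 135 plus dynamic ports) is reachable on the targets are mine.

```powershell
# Added example (not from the original post). Assumes: you run this on the DC as a
# domain admin, C:\Servers.txt holds one computer name per line, and the targets
# accept RPC/DCOM from the DC (needed for Win32_Process.Create).
param(
    [string]$ListPath = 'C:\Servers.txt',
    [pscredential]$Credential = (Get-Credential 'moh10ly\administrator')
)

# Ignore blank lines and '#' comments so a hand-edited list still works.
$targets = Get-Content $ListPath | Where-Object { $_ -and $_ -notmatch '^\s*#' }

$results = foreach ($pc in $targets) {
    $state = [ordered]@{ Computer = $pc; WinRMBefore = $false; Started = $false; WinRMAfter = $false }

    # Test-WSMan only succeeds if a WinRM listener is already up on the host.
    $state.WinRMBefore = [bool](Test-WSMan -ComputerName $pc -ErrorAction SilentlyContinue)

    if (-not $state.WinRMBefore) {
        # Enable-PSRemoting has no -ComputerName parameter, so start it *on the target*
        # via Win32_Process.Create over DCOM. -SkipNetworkProfileCheck (PowerShell 3.0+;
        # drop it for PS 2.0 targets) avoids the failure on hosts whose active NIC is on
        # a "Public" network profile.
        $cmd = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Enable-PSRemoting -Force -SkipNetworkProfileCheck"'
        $r = Invoke-WmiMethod -ComputerName $pc -Credential $Credential -Class Win32_Process `
                              -Name Create -ArgumentList $cmd -ErrorAction SilentlyContinue
        # ReturnValue 0 means the process was created; it does not mean Enable-PSRemoting finished.
        $state.Started = ($null -ne $r -and $r.ReturnValue -eq 0)
        if ($state.Started) { Start-Sleep -Seconds 10 }   # let the listener and firewall rule register
    }

    # Verify over the path the rest of your automation will actually use.
    $name = Invoke-Command -ComputerName $pc -Credential $Credential -ScriptBlock { hostname } -ErrorAction SilentlyContinue
    $state.WinRMAfter = [bool]$name
    [pscustomobject]$state
}

$results | Format-Table -AutoSize

# Hosts still failing go to a second file for a retry (or for the GPO route).
$results | Where-Object { -not $_.WinRMAfter } |
    Select-Object -ExpandProperty Computer |
    Out-File 'C:\Servers-failed.txt'
```

Note that the WMI step is the same primitive (remote process creation with a privileged domain account) that lateral-movement tooling uses, so treat the list of hosts as the blast radius of that credential: don't leave the account name and password in a script on a file share, and prefer the Group Policy route where you can.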

https://technet.microsoft.com/en-us/library/hh847893.aspx

https://technet.microsoft.com/en-us/magazine/ff700227.aspx

The Application encountered an error while attempting to change the state of "VM"

clip_image001[10]

Virtual Machine Connection: The application encountered an error while attempting to change the state of 'EXCHANGE_01'.

'EXCHANGE_01' could not initialize. Could not initialize machine remoting system. Error: 'Element not found.' (0x80070490).

'EXCHANGE_01' could not find a usable certificate. Error: 'Element not found.' (0x80070490). Status: Off.

Symptoms

The Hyper-V Virtual Machine Management service issues itself a self-signed certificate that it uses for VM remoting. If the Hyper-V host had no internet access (so no time sync) when the VM was created and the clock was corrected afterwards, the server date jumps and that certificate is no longer within its validity period; Hyper-V Manager can't find a usable certificate and the VM fails to start.

Solution:

Delete the old certificate so the service creates a new self-signed one. Make sure the host clock is correct first, otherwise the replacement certificate will carry the same wrong dates.

To do so open MMC

Navigate to Certificates

clip_image002[15]

In Certificates select Service Account

clip_image003[10]

Choose local computer and click next

clip_image004[10]

Then select the Hyper-V Virtual Machine Management Service account and open

clip_image005[10]

Under Personal, check the certificate's validity dates.

Delete the certificate

clip_image006[10]

Open the Services console and restart the Hyper-V services.

clip_image007[10]

Once the service is restarted, you’ll see a new certificate that has been automatically created

clip_image008[10]

Now if you try to open the VM console again, it should work.
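The same check and fix scripted, as an added example (not part of the original post): it compares the host clock with the validity window of the certificate in the vmms service's personal store and, with -Fix, deletes it and restarts vmms so the service mints a fresh one. It assumes certutil's -service switch addresses a service store as ServiceName\StoreName (vmms\My here); confirm that with certutil -? on your host before running it.

```powershell
# Added example (not from the original post). Assumption: certutil -service takes
# the store as "ServiceName\StoreName", i.e. vmms\My for the Hyper-V VMM service.
param([switch]$Fix)

function Get-VmmsCertificate {
    # Pull the thumbprint and validity dates out of certutil's text dump.
    # If the store holds more than one cert, only the first one is parsed.
    $dump = certutil -service -store 'vmms\My' 2>&1 | Out-String
    $hash = ([regex]::Match($dump, 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)').Groups[1].Value) -replace '\s', ''
    if (-not $hash) { return $null }
    [pscustomobject]@{
        Thumbprint = $hash
        NotBefore  = [datetime]([regex]::Match($dump, 'NotBefore:\s*(.+)').Groups[1].Value.Trim())
        NotAfter   = [datetime]([regex]::Match($dump, 'NotAfter:\s*(.+)').Groups[1].Value.Trim())
    }
}

$now  = Get-Date
$cert = Get-VmmsCertificate
Write-Host "Host clock: $now  (time source: $(w32tm /query /source))"

if ($null -eq $cert) {
    Write-Warning 'No certificate found in the vmms personal store.'
    return
}

# The failure in the post is exactly this: "now" outside [NotBefore, NotAfter].
$valid = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
$verdict = if ($valid) { 'OK' } else { 'OUTSIDE VALIDITY WINDOW' }
Write-Host ("vmms cert {0}: valid {1} .. {2} -> {3}" -f $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter, $verdict)

if (-not $valid -and $Fix) {
    # Same steps as the MMC procedure: remove the stale cert, restart vmms, let it
    # generate a new self-signed cert for the (now correct) clock. Restarting vmms
    # does not stop running VMs but drops management connections to them.
    certutil -service -delstore 'vmms\My' $cert.Thumbprint | Out-Null
    Restart-Service -Name vmms -Force
    Start-Sleep -Seconds 5
    $new = Get-VmmsCertificate
    Write-Host ("New vmms cert {0}: valid {1} .. {2}" -f $new.Thumbprint, $new.NotBefore, $new.NotAfter)
}
```

Run it without -Fix first: if the clock line shows "Local CMOS Clock" as the time source, fix time sync before deleting anything, or the new certificate will be just as wrong.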

For any questions, please leave a comment.

Deploying Azure RMS with Exchange 2010 and Exchange 2013 on-premises and in Hybrid Environment with Exchange online

In this post I'm going to show how to integrate Office 365 RMS (basic) with Exchange Online in a hybrid environment that has Exchange 2013 and Exchange 2010 in the same organization, and then activate Azure RMS, deploy a new template and apply it on my on-premises Exchange servers.

To do this, you will need

1- an active Office 365 subscription with Exchange online.

2- Azure Subscription.

3- One Public IP to publish RMS URL.

4- Access to your public domain’s DNS to create the RMS A record.

5- Public Certificate that includes the RMS SAN in order to work with Azure RMS.

 

Before the deployment, a short summary of what RMS is, taken from the Microsoft TechNet article.

 

1- AZURE RMS in Exchange Hybrid deployment:

Overview of the Microsoft Rights Management connector

The Microsoft Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management service (Azure RMS). With this functionality, IT and users can easily protect documents and pictures both inside your organization and outside, without having to install additional infrastructure or establish trust relationships with other organizations. You can use this connector even if some of your users are connecting to online services, in a hybrid scenario. For example, some users’ mailboxes use Exchange Online and some users’ mailboxes use Exchange Server. After you install the RMS connector, all users can protect and consume emails and attachments by using Azure RMS, and information protection works seamlessly between the two deployment configurations.

From <https://technet.microsoft.com/en-us/library/dn375964.aspx>

Applications that support Azure RMS

From <https://technet.microsoft.com/en-us/library/dn655136.aspx#BKMK_SupportedApplications>

Requirements for Azure Rights Management

From <https://technet.microsoft.com/en-us/library/dn655136.aspx>

Prerequisites for the RMS connector

  1. The Rights Management (RMS) service is activated

clip_image001[4]

Click Manage

clip_image002[4]

Click Activate

clip_image003[4]

Click Activate

clip_image004[4]

clip_image005[4]

Activated

2. Second requirement: the organization must have Azure AD with directory synchronization (AADSync) from the local AD.

clip_image001[6]

I’ll activate Azure AD in order to support user authentication for RMS.

clip_image002[6]

Azure RMS templates

clip_image003[6]

3. Third Requirement: Clients must support RMS (Windows)

https://technet.microsoft.com/en-us/library/dn655136.aspx#BKMK_SupportedDevices

clip_image004[6]

4. Users must run applications that support RMS.

https://technet.microsoft.com/en-us/library/dn655136.aspx#BKMK_SupportedApplications

5. The firewall must allow the RMS endpoints

Check ports and IPs

https://support.office.com/en-US/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2

Note:

The following deployment scenario is not supported:

From <https://technet.microsoft.com/en-us/library/dn655136.aspx>

6. RMS Licenses:

Cloud subscriptions that support Azure RMS

To use Azure RMS, you must have at least one of the following subscriptions:

  • Office 365
  • Azure RMS Standalone
  • Enterprise Mobility Suite
  • RMS for individuals

From <https://technet.microsoft.com/en-us/library/dn655136.aspx>

Note: Office 365 Enterprise E3 already includes Azure RMS (basic).

clip_image001[8]

Which subscription to use (Office 365 or Azure RMS) and who controls the RMS templates

Azure AD

If you want to manage and control RMS templates, you need an Azure subscription, where you can manage the templates of your Azure AD.

Office 365

If you only have an Office 365 subscription and don't want to activate your Azure AD, you won't have access to the templates and can't configure new ones.

clip_image002[8]

 

7. Integration of Azure RMS with Exchange 2013 On-premises (With Exchange 2010) and Hybrid integration with Exchange online

Windows Requirements

You will also need to install on these servers a version of the RMS client that includes support for RMS Cryptographic Mode 2. The minimum version that is supported on Windows Server 2008 is included in the hotfix "RSA key length is increased to 2048 bits for AD RMS in Windows Server 2008 R2 and in Windows Server 2008". The minimum version for Windows Server 2008 R2 can be downloaded from "RSA key length is increased to 2048 bits for AD RMS in Windows 7 or in Windows Server 2008 R2". Windows Server 2012 and Windows Server 2012 R2 natively support Cryptographic Mode 2.

From <https://technet.microsoft.com/en-us/library/dn375964.aspx>

Exchange Requirements

Note:

To Use RMS with Exchange 2010 you will need Exchange 2010 SP3 RU6 installed and for Exchange 2013 you’ll need CU3 or Later (Build 15.00.0775.038).

  • Exchange Server 2010 with Exchange 2010 Service Pack 3 Rollup Update 6

From <https://technet.microsoft.com/en-us/library/dn375964.aspx>

My Servers

My Exchange 2010 server (Exch01) has SP3 but no RU installed, so I'll install the latest RU, since rollups are cumulative and it includes all the previous ones.

http://go.microsoft.com/fwlink/p/?LinkId=616365

clip_image001[10]

Exchange 2013 Server has CU8 installed so I don’t need to install anything on it.

clip_image002[10]

Requirements to Install RMS connector

A- A minimum of two member computers on which to install the RMS connector:

  • A 64-bit physical or virtual computer running one of the following operating systems:
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
  • At least 1 GB of RAM
  • A minimum of 64 GB of disk space
  • At least one network interface
  • Access to the Internet via a firewall (or web proxy) that does not require authentication
  • Must be in a forest or domain that trusts other forests in the organization that contain installations of Exchange or SharePoint servers that you want to use with the RMS connector

From <https://technet.microsoft.com/en-us/library/dn375964.aspx#BKMK_Prereqs>

B- Download the RMS connector tool from http://go.microsoft.com/fwlink/?LinkId=314106

clip_image003[8]

clip_image004[8]

clip_image005[6]

clip_image006[4]

clip_image007[4]

clip_image008[4]

clip_image009[4]

Validate the installation by browsing to the link below on the server where the RMS connector is installed; a successful installation shows the page in the screenshot.

http://localhost/_wmcs/certification/servercertification.asmx

clip_image001[12]

clip_image002[12]

clip_image003[10]

clip_image004[10]

clip_image005[8]

Configuring DNS for the URL

Configure the on-premises Exchange servers to use Azure RMS via the newly installed connector.

clip_image006[6]

To set the connector URL on Exchange 2013, download the script GenConnectorConfig.ps1 to the Exchange 2013 server and run it there with the -SetExchange2013 switch, as in the screenshot:

Download Link

http://go.microsoft.com/fwlink/?LinkId=314106

clip_image007[6]

I have published the RMS URL on my pfSense firewall (reverse proxy) and I am able to browse to the page (not able to authenticate, though, because I selected only the Exchange servers group for authentication).

clip_image008[6]

Now I'll run the same script on Exchange 2010, changing the switch:

.\GenConnectorConfig.ps1 -ConnectorUri http://rms.adeo-office365.ga -SetExchange2010

clip_image009[6]

Now Enable Information Rights Management on Exchange on-premises Servers

In Microsoft Exchange Server 2013, Information Rights Management (IRM) is enabled by default for internal messages.

From <https://technet.microsoft.com/en-us/library/bb124077(v=exchg.150).aspx>

(NOTE: Microsoft seems to be wrong about IRM being enabled by default for internal messages, as InternalLicensingEnabled is set to False on my Exchange 2013 server.)

clip_image010[4]

Now On Exchange 2013 ECP I’ll check if the RMS is there or not!

clip_image011[4]

I will create a new transport rule as following

clip_image012[4]

If I am the recipient, I'll be allowed only to view the email. Let's see this after we apply it.
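The on-premises Exchange side of the steps above (pointing a server at the connector, turning on internal licensing, testing IRM, and creating the view-only transport rule) as one script, added here as an example and not the author's own code. It assumes GenConnectorConfig.ps1 sits in C:\RMS on each server, that the connector URL rms.adeo-office365.ga is published over HTTPS with the public certificate from the prerequisites, and that the mailbox, rule name and "Do Not Forward" template are placeholders to replace with your own; run it in the Exchange Management Shell on each Exchange server.

```powershell
# Added example (not from the original post). Assumptions: script path, HTTPS
# connector URL, test mailbox, rule name and template are placeholders.
param(
    [string]$ConnectorUri  = 'https://rms.adeo-office365.ga',
    [string]$TestSender    = 'user@moh10ly.com',
    [string]$RuleName      = 'RMS - view only for test recipient',
    [string]$RuleRecipient = 'user@moh10ly.com',
    [string]$TemplateName  = 'Do Not Forward'
)

# 1. Point this server at the connector. GenConnectorConfig.ps1 writes the RMS
#    registry keys; the switch has to match the Exchange version on this box.
$version = (Get-ExchangeServer -Identity $env:COMPUTERNAME).AdminDisplayVersion
$genArgs = @{ ConnectorUri = $ConnectorUri }
if ($version.Major -ge 15) { $genArgs.SetExchange2013 = $true } else { $genArgs.SetExchange2010 = $true }
& 'C:\RMS\GenConnectorConfig.ps1' @genArgs

# 2. Exchange only applies IRM to internal mail once internal licensing is on;
#    this is the setting that showed up as False in the ECP check above.
Set-IRMConfiguration -InternalLicensingEnabled $true
Get-IRMConfiguration | Format-List InternalLicensingEnabled, ExternalLicensingEnabled, LicensingLocation, ServiceLocation

# 3. Confirm this server can reach the connector, obtain its certificates and
#    see the tenant's templates before touching any transport rule.
Test-IRMConfiguration -Sender $TestSender | Format-List
Get-RMSTemplate | Format-Table Name, Type, Description -AutoSize

# 4. The transport rule from the screenshot: protect mail to one recipient with a
#    template. Creation is idempotent so re-running the script is safe.
$template = Get-RMSTemplate -Identity $TemplateName
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName -SentTo $RuleRecipient -ApplyRightsProtectionTemplate $template
}
Get-TransportRule -Identity $RuleName | Format-List Name, State, SentTo, ApplyRightsProtectionTemplate
```

Step 3 is the one to watch: Test-IRMConfiguration fails if the connector's authorized-servers list doesn't include this Exchange server, which is the same restriction the author ran into when browsing to the published URL. Remember the author's note further down that a new or deleted transport rule can take up to 15 minutes to take effect before judging whether step 4 worked.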

I sent an email, and it seems that it has been encrypted and is asking me to confirm my email address or phone number.

clip_image013[4]

Trying to take a screenshot of the email: RMS is working as expected, since view-only permission blocks taking screenshots of Outlook while RMS protection is applied.

clip_image014[4]

Azure RMS Client for Windows

http://go.microsoft.com/fwlink/?LinkId=313954

clip_image001[14]

clip_image002[14]

clip_image003[12]

REF

https://technet.microsoft.com/en-us/library/dn375964.aspx

https://technet.microsoft.com/en-us/library/dd638140(v=exchg.150).aspx#irm

https://technet.microsoft.com/en-us/library/dn375964.aspx#BKMK_ExchangeServer

https://technet.microsoft.com/en-us/library/dn375964.aspx#BKMK_Prereqs

https://fazarsusanto.wordpress.com/2015/05/02/azure-rms-rms-connector/

To open an RMS-encrypted PDF you'll need to download the following:

  1. RMS client

http://download.microsoft.com/download/3/C/F/3CF781F5-7D29-4035-9265-C34FF2369FA2/setup_msipc_x64.exe

  2. Microsoft Online Services Sign-in Assistant

http://www.microsoft.com/en-us/download/details.aspx?id=28177

Once Signed in, you’ll get the following protection

clip_image004[12]

Note:

If you try to share protected documents with any other mail service, such as Gmail or Hotmail, you'll get the following error:

"Coming Soon. We can't yet share protected files with some of your recipients."

clip_image005[10]

-WORD documents

clip_image006[8]

 

NOTES

Monday, September 14, 2015, 1:56 PM

  1. If a user is covered by a transport rule that applies Office 365 RMS protection, the user won't be able to use Azure RMS rules (a specifically configured rule).

During this time the permission to use RMS will show up as "Loading permissions…".

clip_image001[16]

  2. A transport rule may take 15 minutes to take effect after being created or deleted.
  3. Sending an email from Exchange Online (Azure RMS rule, with the "view online" rule) to a mailbox in another Office 365 tenant gives the following:

clip_image002[16]

clip_image003[14]

clip_image004[14]

In order to access e-mails sent to users in a different tenant, or business e-mails, you'll have to get a free Microsoft RMS account from here:

https://portal.aadrm.com/

Once you are signed up , you will get an e-mail like the following

clip_image005[12]

After you sign in, you'll be able to access the protected document as in the snapshot below, and you can also view your permissions, i.e. whether you can edit/modify the document or not.

clip_image006[10]

The sender will also get a notification e-mail telling him that you've opened the document, if he ticked the option to track the email he sent.

clip_image007[8]

 

To compare between Azure RMS and AD RMS please navigate to the following link

Azure RMS comparison

 

If you have any question please don’t hesitate to contact me or leave a comment.