Find out who deleted an email in Office 365 Shared Mailbox
paul | Thursday, 01 August 2019 | Office365 | Powershell

To find out which user has deleted an email in a shared mailbox you can query the audit log with powershell. Connect to Exchange Online powershell session and the change the mailbox name and dates as appropriate.

Search-MailboxAuditLog -Identity [email protected] -LogonTypes Delegate -ShowDetails -StartDate 7/30/2019 -EndDate 8/1/2019 | select lastaccessed,operation,logonuserdisplayname,folderpathname,itemsubject | ft

You will then get back result in the format below:

LastAccessed        Operation          LogonUserDisplayName FolderPathName ItemSubject
------------        ---------          -------------------- -------------- -----------
01/08/2019 15:33:22 MoveToDeletedItems Paul Farris          \Inbox
01/08/2019 14:49:51 SoftDelete         Paul Farris          \Inbox
01/08/2019 14:22:53 SoftDelete         Paul Farris          \Deleted Items
01/08/2019 14:22:53 SoftDelete         Paul Farris          \Deleted Items
01/08/2019 14:22:52 SoftDelete         Paul Farris          \Deleted Items
01/08/2019 14:22:23 SoftDelete         Paul Farris          \Deleted Items
01/08/2019 14:17:52 SoftDelete         Paul Farris          \Inbox
01/08/2019 14:16:23 SoftDelete         Paul Farris          \Inbox
01/08/2019 14:16:23 SoftDelete         Paul Farris          \Inbox

Most operations should be returned but there may be a delay after the operations have been carried out before they can be queried in the audit log.

When executing Sharepoint Powershell commands it displays the error message below:

Cannot contact web site '' or the web site does not support SharePoint Online credentials. The response status code is 'Unauthorized'. The response headers are 'X-SharePointHealthScore=4, X-MSDAVEXT_Error=917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically., SPRequestGuid=15fef29e-9097-9000-086c-cbec360878c3, request-id=15fef29e-9097-9000-086c-cbec360878c3, MS-CV=nvL+FZeQAJAIbMvsNgh4ww.0, Strict-Transport-Security=max-age=31536000, SPRequestDuration=35, SPIisLatency=1, MicrosoftSharePointTeamServices=, X-Content-Type-Options=nosniff, X-MS-InvokeApp=1; RequireReadOnly, X-MSEdge-Ref=Ref A: B47BA0545E5149FFB5EC06EF89F8A484 Ref B: LON21EDGE1418 Ref C: 2019-07-23T07:21:04Z, Content-Length=0, Content-Type=text/plain; charset=utf-8, Date=Tue, 23 Jul 2019 07:21:03 GMT, P3P=CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI", X-Powered-By=ASP.NET'.

This can be fixed by enabling legacy authentication in the tenant using the script below:

# Enable Legacy Auth for Sharepoint
Connect-SPOService -Url ""
$TenantSettings = Get-SPOTenant
Set-SPOTenant -LegacyAuthProtocolsEnabled $True


Powershell to disable Office 365 user who leaves
paul | Thursday, 18 July 2019 | Office365 | Powershell

The script below can be ran against an Office 365 synced user to disable their access immediately before ADconnect removes them when their onprem AD account is disabled.

# Disable Leaver
# Pass AD account username

param (
    [string]$user1 = $( Read-Host "Input user email address" )

Write-host "Looking up user "$user1" in AD..."
$user = Get-ADUser -Filter {EmailAddress -eq $user1} -ErrorAction SilentlyContinue -property mail,enabled
if($user -ne $Null) {
	Write-host "User $user1 found - "$user.DistinguishedName
else {
	Write-host "User $user1 not found. Aborting script." -foregroundcolor red
If($user.Enabled -eq 1) {
	Write-host "Disabling AD user $user1."
	Disable-ADAccount -Identity $user.UserPrincipalName
else {
	Write-host "AD User $user1 already disabled."
Write-host "Remove from Office 365 licensing AD group."
Remove-ADGroupMember -Identity "Licensing_Office365" -Members $user.DistinguishedName -ErrorAction SilentlyContinue -Confirm:$false

$test=Get-MsolDomain -ErrorAction SilentlyContinue
	Write-Host "Already connected to MSOL" -foregroundcolor green
	Write-Host "Not connected to MSOL. Connecting..." -foregroundcolor red

{ $var = Get-AzureADTenantDetail } 
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
	Write-Host "Not connected to AzureAD. Connecting..." -foregroundcolor red
	Connect-AzureAD -credential $cred

Write-Host "Getting mailbox for "$user1
{ $mailbox = Get-Mailbox -identity $user1 } 
catch  {
	Write-Host "Not connected to Exchange Online. Connecting..." -foregroundcolor red
	$LiveCred = Get-Credential
	$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $LiveCred -Authentication Basic -AllowRedirection
	Import-PSSession $Session
	$mailbox = Get-Mailbox -identity $user1

# Disable mailbox and set litigation hold
Write-Host "Disable mailbox and set litigation hold"
Set-Mailbox $user1 -AccountDisabled $true -LitigationHoldEnabled $true

# Set Out of Office
Write-Host "Setting Out of Office"
Set-MailboxAutoReplyConfiguration -identity $user1 -AutoReplyState Enabled -InternalMessage "Out of Office. Please contact manager with any queries." -ExternalMessage "Out of Office. Please contact manager with any queries."

# Revoke tokens
Write-Host "Revoking AzureAD tokens"
Get-AzureADUser -Searchstring $user1 | Revoke-AzureADUserAllRefreshToken

# Block access
Write-Host "Blocking Office 365 User"
Set-MsolUser -UserPrincipalName $user1 -BlockCredential $true 

# Disable Activesync etc
Write-Host "Disabling Mailbox features"
Set-CasMailbox -Identity $user1 -ActiveSyncEnabled $false -ImapEnabled $false -OWAEnabled $false -MAPIEnabled $false -PopEnabled $false -OWAforDevicesEnabled $false

Write-Host "Successfully completed script." -foregroundcolor green


Adding users to an AD group using Powershell
paul | Thursday, 18 July 2019 | Powershell | AD

Adding users to an Active Directory group from an Active Directory OU using Powershell.

# Add users from an AD OU into an AD Group with email domain
Get-ADUser -SearchBase ‘OU=Users,DC=contoso,DC=local’ -Filter 'mail -like "*"' | ForEach-Object {Add-ADGroupMember -Identity ‘AD Group Name’ -Members $_ }

# List number of users in AD OU with email domain
Get-ADUser -SearchBase ‘OU=Users,DC=contoso,DC=local’ -Filter 'mail -like "*"' | measure-object

# List number of user in AD Group
Get-ADGroupMember "AD Group Name" | measure-object


PRTG Remote Probe Npcap issues
paul | Wednesday, 17 July 2019 | PRTG | Npcap

Recent versions of PRTG Network Monitor have started including the Npcap driver for packet capture. This driver is causing issues when installed onto machine with 4G connections - disabling their 4G connection until the loopback adapter is disable or uninstalled.

Paessler support have recommended removing the driver and will modify their remote probe installs in future releases of PRTG.

The batch file below will silently uninstall the Npcap drivers.


Rem Remove Npcap

IF EXIST "c:\Program Files\Npcap\uninstall.exe" goto USTART
IF EXIST "c:\Program Files\WinPcap\uninstall.exe" goto USTART

net stop prtgprobeservice

IF NOT EXIST "c:\Program Files\Npcap\uninstall.exe" goto NONPCAP
"c:\Program Files\Npcap\uninstall.exe" /S

IF NOT EXIST "c:\Program Files\WinPcap\uninstall.exe" goto NOWINPCAP
"c:\Program Files\WinPcap\uninstall.exe" /S

Ping -n 30

net start prtgprobeservice


Page 1 of 72 (362 Articles) << 1 2 3 4 5  Next >>