When installing MIM 2016 on Windows Server 2022, you encounter an error:
The code execution cannot proceed because MSVCR120.dll was not found. Reinstalling the program may fix this problem.
Install the Visual C++ Redistributable Packages for Visual Studio 2013 from the Microsoft Download center.
Issue: when opening Outlook and afterwards on a regular intervals afterwards, Outlook keeps prompting for a password multiple times (x5 or more), even when the password is correct.
The error/connection message is sent to the desktop foreground on top of other applications.
Even when the password is ok, the message is thrown again multiple times, when the Outlook client is checking for mail, at certain intervals…
[Solution Spoiler = configure the registry to enable ExcludeExplicitO365Endpoint, but there might be other options for your case…]
In this specific situation, the products below were involved. The issue might also apply to other versions
In this case, the issue was related to connecting to a functional/shared mailbox.
Connection to the personal mailbox was working fine, at first sight.
In this particular case, the PC was not connected to the domain of the Exchange server.
But also important connection on Outlook from domain joined PC is ok, no reconnection message.
[More on this at the end of the article, as the domain client had specific GPO policies configured, …]
Outlook connected to multiple mail accounts (so removing Outlook completely, was not really an option…)
Connecting the same account on a smartphone, works fine.
No explicit error message but you get a window with
“Windows security
Microsoft Outlook
Connecting to <… mailbox …>
Remember my credentials”
WARNING:
you might end up with a locked user account if you enter the wrong credentials by accident while outlook keeps popping up the password request. Better double check your password and better NOT enter it again, or change it in the password request. But you’ll get this request multiple times in a few seconds, that it can be quite annoying to get past it.
Create a new Outlook profile (do NOT remove the existing Outlook profile) and add ONLY the problematic account. Set it to ONLINE mode (disable caching mode)
You can manage this option via Control Panel > mail
Alternatively, when reinstalling the mail account in outlook, disable the option “Use cached Exchange Mode to download email to an Outlook data file”.
When Outlook is active, you’ll find an Outlook icon in the task bar…
To check the Outlook connection status you need to hold the CTRL button and then right click on the Outlook icon.
Then click “Connection Status…”
Check if you see the personal mailbox and shared mailbox connection.
When Outlook is active, you’ll find an Outlook icon in the task bar…
To check the Outlook connection status you need to hold the CTRL button and then right click on the Outlook icon.
Then click “Test Email AutoConfiguration…”
In the menu enter the mail address of the target mailbox, in this case it’s a share mailbox with a specific mail address.
Very likely you’ll see a bunch of autodiscover failures like:
You can collect a network log with Fiddler or other network sniffer
Source: Outlook 2016 implementation of Autodiscover
This applies to 2016 2019 etc… as well.
The policy values that are defined the Autodiscover Process section can be either policy-based registry values or non–policy-based values. When they are deployed through GPO, or manual configuration of the policies key, the settings take precedence over the non-policy key.
Non-Policy Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover
Policy Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover
Each value is of type DWORD.
So to exclude Office365 checking point we add following key:
ExcludeExplicitO365Endpoint and set the value to 1.
This setting is registry for client only.
Outlook will skip checking Office365 Endpoint for Autodiscover.
If you have already configured XML autodiscover it should not affect the existing setting as the information are stored in this XML file locally anyway so Outlook will know how to connect.
Outlook as priority always prefer local XML configuration. Then in case it cannot obtain certain data goes to another check point. So apart from first two steps Outlook 2016 implementation of Autodiscover (microsoft.com) there are checking points we can configure how Outlook should obtain certain information. We can disable them or force them.
You can give it a try if this won’t work as desired you can always revert the changes.
Always make a copy of your registry before you change anything in the registry.
There is no really any other way from the client perspective.
In our case we can see many redirections and autodiscover failures. Not sure why, looks like Outlook refers to some old data or old domain URLS or cannot obtain properly Autodiscover configuration file and it is trying different combinations to guess which link for Autodiscover is working.
Once it calls for HTTPS Autodiscover of the correct link it gets timeouts… which might also indicate firewall issue or something.
Then it tries unencrypted HTTP and it succeeds. Now it redirects to Autodiscover configuration link. But it takes a few attempts to get there.
That’s why you get multiple popups of the error message / or the password prompt.
The mail administrator had following options configured already:
Setting the options for
This visio has a editable version of the PDCA cycle hosted on Wiki pedia as image.
Source: https://en.wikipedia.org/wiki/PDCA
Text is available under the Creative Commons Attribution-ShareAlike License; this license applies to this work too.
Quoted from source:
“PDCA (plan–do–check–act or plan–do–check–adjust) is an iterative four-step management method used in business for the control and continuous improvement of processes and products.[1] It is also known as the Deming circle/cycle/wheel, the Shewhart cycle, the control circle/cycle, or plan–do–study–act (PDSA). Another version of this PDCA cycle is OPDCA.[2] The added “O” stands for observation or as some versions say: “Observe the current condition.” This emphasis on observation and current condition has currency with the literature on lean manufacturing and the Toyota Production System.[3] The PDCA cycle, with Ishikawa’s changes, can be traced back to S. Mizuno of the Tokyo Institute of Technology in 1959.[4] ”
Download available on my Github library: Visio – PDCA cycle graphics
Did you ever got a mail from yourself, but you’re sure you did not send it?
This week I got that mail from a mail alias I’m using, so it’s actually not a native mailbox, but a mail forwarder address, which makes the claim that “the mailbox is hacked” pretty silly…
But if you got this message from a native mailbox, it does sound scary, isn’t it?
I already had some similar symptoms on other mail addresses in the same domain.
You get a mail from your own mail address… which is called mail spoofing.
And it looks like:
Hi!
As you may have noticed, I sent you an email from your account.
This means that I have full access to your account.I’ve been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.I also have access to all your contacts and all your correspondence.
Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks.
I can also post access to all your e-mail correspondence and messengers that you use.If you want to prevent this,
transfer the amount of $778 to my bitcoin address (if you do not know how to do this, write to Google: “Buy Bitcoin”).My bitcoin address (BTC Wallet) is: 1GoWy5yMzh3XXBiYxLU9tKCBMgibpznGio
After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.If I find that you have shared this message with someone else, the video will be immediately distributed.
Best regards!
The DNS setting of your domain is missing SPF records, that counter mail spoofing (an unauthorized mail server, user or hacker sending mail as “you”)…
When looking at the mail properties it’s pretty difficult (if not impossible) to find out who actually has sent the mail….
Add an SPF record to your domain DNS settings.
To get started, look up your mail provider or hosting provider’s name + SFP.
FYI, I’m hosting my domains at one.com, they’ve got some straight forward advise to configure the DNS. For any other domain, at any other provider it’s similar.
When you buy a domain, but host your mail on O365, there are some additional settings to configure. But Office 365 will explain.
The easy part, logon to your O365 tenant, and check your domain health (see video below)
For more info, check these documents:
Other security options
Hotmail/Outlook.com Solving Mass Mailing Delivery Issues
Short URL: Http://aka.ms/outlook.com/help
While SPF is the first step, you should also consider DMARC and DKIM.
Latest update: 2020-12-28
On TNWiki you’ll find my latest article on MIM 2016 troubleshooting.
MIM 2016 Troubleshooting: SQL Connection issues
This week I got (dragged into/) involved in a MIM 2016 performance troubleshooting, on a test / dev server, facing a large bunch of errors.
The first detection happened on the sync server, but apparently rather it’s twin brother was causing the issues.
It became pretty quickly obvious that MIM was not able to connect to (one of) it’s databases on the SQL server, so the sync engine was unable to pull information from the MIM service.
Also bizar, we could still work on the MIM sync GUI, but almost any MA action in the GUI failed…
Furthermore the Portal did not respond and finally the “MIM Service” service, didn’t behave as expected, not willing to start.
The event viewer contained the obvious amount of errors…
Finally, the SQL DBA to the rescue.
I’ve added a lot of significant technical event info into the article, to make it easy to search for you, for later reference.
Read the tech details in: MIM 2016 Troubleshooting: SQL Connection issues
Updated: 2020-12-29
Freshly posted for you on TNWiki: Active Directory PowerShell: List items with “Protect object from accidental deletion” setting
Ever got in a situation where you as AD domain admin were blocked from deleting items?
Or did you ever receive an “Access denied” when you tried to delete items from AD, even with full admin rights?
Then you better check if AD has the “protect from accidental deletion” activated on the object, container or OU…
In case you want to check a larger collection of items for this setting, it quickly becomes complicated.
This article helps you to get an overview by using Powershell, and an export of the impacted items to a CSV file.
As explained by : James ONeill (Windows Server 2008 Protection from Accidental Deletion)
“The functionality to prevent accidental deletion is not based on a new attribute in Active Directory. It is enabled by ticking a check box on the Object tab of the particular object you wish to protect. The Object tab is only visible when the Advanced Features option is selected from the View menu of Active Directory Users and Computers. When the tick box is checked the permissions on the object are changed. A “Deny” permission is created which stops deletion of the object. “
This script finds all AD objects protected from accidental deletions.
This script uses logic that has been developed by:
Active Directory OU Permissions Report: Free PowerShell Script Download
Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory
Windows Server 2008 Protection from Accidental Deletion
This script only runs if you can load the AD PS module eg. run the analysis
on a DC.
|
001002
003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 |
<##############################################################################Author: Peter Geelen
Quest For Security October 2016 This script finds all AD objects protected by accidental deletions. Credits: This script uses logic that has been developed by: – Ashley McGlone, Microsoft Premier Field Engineer, March 2013, http://aka.ms/GoateePFE – Source: https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989 LEGAL DISCLAIMER This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code, provided that You agree: (i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded; (ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded;and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys fees, that arise or result from the use or distribution of the Sample Code.
This posting is provided “AS IS” with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm. ##############################################################################>
#Source references
#abizer_hazratJune 9, 2009
#James ONeill, October 31, 2007
#Prerequisites:
#eg. run the analysis on a DC
cls import-module activedirectory
#initialisation
$csvFile = $MyInvocation.MyCommand.Definition -replace ‘ps1’,‘csv’ $report = @() #(*) Credits $schemaIDGUID = @{}
$ErrorActionPreference = ‘SilentlyContinue’ Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter ‘(schemaIDGUID=*)’ -Properties name, schemaIDGUID | ForEach-Object {$schemaIDGUID.add([System.GUID]$_.schemaIDGUID,$_.name)} Get-ADObject -SearchBase “CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)” -LDAPFilter ‘(objectClass=controlAccessRight)’ -Properties name, rightsGUID | ForEach-Object {$schemaIDGUID.add([System.GUID]$_.rightsGUID,$_.name)} $ErrorActionPreference = ‘Continue’ #(*)
#Functions
function CheckProtection { param($obj) $path = “AD:\” + $obj Get-Acl -Path $path | ` Select-Object -ExpandProperty Access | ` Where-Object {($_.ActiveDirectoryRights -like “*DeleteTree*”) -AND ($_.AccessControlType -eq “Deny”)} | ` #(*) Select-Object @{name=‘Object’;expression={$obj}}, ` @{name=‘objectTypeName’;expression={if ($_.objectType.ToString() -eq ‘00000000-0000-0000-0000-000000000000’) {‘All’} Else {$schemaIDGUID.Item($_.objectType)}}}, ` @{name=‘inheritedObjectTypeName’;expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, ` #(*) ActiveDirectoryRights, ObjectFlags, AccessControlType, IdentityReference, IsInherited, InheritanceFlags, PropagationFlags }
#MAIN
#add the top domain $OUs = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName) #add the OUs $OUs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName #add other containers $OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -LDAPFilter ‘(|(objectClass=container)(objectClass=builtinDomain))’ | Select-Object -ExpandProperty DistinguishedName
$ldapfilter = ‘(|(objectclass=user)(objectclass=group)(objectclass=contact)(objectclass=computer))’
$iSeqNo = 0 $OUCount = $OUs.Count ForEach ($OU in $OUs) { $iSeqNo++ $pct = ([int]($iSeqNo/$OUCount * 100)) $activity = “Analyzing container: “+ $OU Write-Progress -activity $activity -status “Please wait” -percentcomplete $pct -currentoperation “now processing container $iSeqNo of $OUCount” -id 1 #check the protection of the parent container $isProtected = ” $isProtected = CheckProtection $OU if ($isProtected -ne $null) {$report += $isProtected}
#Lookup the child target objects in the parent container $objects = Get-ADObject -SearchBase $OU -SearchScope OneLevel -LDAPFilter $ldapfilter | Select-Object -ExpandProperty DistinguishedName $iSubSeqNo = 0 $ObjCount = $objects.Count
#check the protection of the child objects ForEach ($object in $objects) { $iSubSeqNo++ $iSubpct = ([int]($iSubSeqNo/$ObjCount * 100)) $SubActivity = “Analyzing object: “+ $object Write-Progress -activity $SubActivity -status “Please wait” -percentcomplete $iSubpct -currentoperation “now processing object $iSubSeqNo of $ObjCount” -ParentId 1 -id 2
$isProtected = ” $isProtected = CheckProtection $object if ($isProtected -ne $null) {$report += $isProtected} } Write-Progress -activity “Analyzing object completed.” -status “Proceeding” -Completed -ParentId 1 -id 2 } $report | Format-Table -Wrap $report | Export-Csv -Path $csvFile -NoTypeInformation |
|
001002
003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100 101 102 |
<##############################################################################Author: Peter Geelen Quest For Security October 2016
https://identityunderground.wordpress.com This script finds all AD objects protected by accidental deletions. Credits: This script uses logic that has been developed by: – Ashley McGlone, Microsoft Premier Field Engineer, March 2013, http://aka.ms/GoateePFE – Source: https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989 LEGAL DISCLAIMER This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code, provided that You agree: (i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded; (ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded;and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys fees, that arise or result from the use or distribution of the Sample Code.
This posting is provided “AS IS” with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm. ##############################################################################>
#Source references
#abizer_hazratJune 9, 2009
#James ONeill, October 31, 2007
#Prerequisites:
#eg. run the analysis on a DC
cls import-module activedirectory
#initialisation
$csvFile = $MyInvocation.MyCommand.Definition -replace ‘ps1’,‘csv’ $report = @() #(*) Credits $schemaIDGUID = @{}
$ErrorActionPreference = ‘SilentlyContinue’ Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter ‘(schemaIDGUID=*)’ -Properties name, schemaIDGUID | ForEach-Object {$schemaIDGUID.add([System.GUID]$_.schemaIDGUID,$_.name)} Get-ADObject -SearchBase “CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)” -LDAPFilter ‘(objectClass=controlAccessRight)’ -Properties name, rightsGUID | ForEach-Object {$schemaIDGUID.add([System.GUID]$_.rightsGUID,$_.name)} $ErrorActionPreference = ‘Continue’ #(*)
#Functions
function CheckProtection { param($obj) $path = “AD:\” + $obj Get-Acl -Path $path | ` Select-Object -ExpandProperty Access | ` Where-Object {($_.ActiveDirectoryRights -like “*DeleteTree*”) -AND ($_.AccessControlType -eq “Deny”)} | ` #(*) Select-Object @{name=‘Object’;expression={$obj}}, ` @{name=‘objectTypeName’;expression={if ($_.objectType.ToString() -eq ‘00000000-0000-0000-0000-000000000000’) {‘All’} Else {$schemaIDGUID.Item($_.objectType)}}}, ` @{name=‘inheritedObjectTypeName’;expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, ` #(*) ActiveDirectoryRights, ObjectFlags, AccessControlType, IdentityReference, IsInherited, InheritanceFlags, PropagationFlags }
#MAIN
#add the top domain $OUs = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName) #add the OUs $OUs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName #add other containers $OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -LDAPFilter ‘(|(objectClass=container)(objectClass=builtinDomain))’ | Select-Object -ExpandProperty DistinguishedName
$ldapfilter = ‘(|(objectclass=user)(objectclass=group)(objectclass=contact)(objectclass=computer))’
ForEach ($OU in $OUs) { #check the protection of the parent container $isProtected = ” $isProtected = CheckProtection $OU if ($isProtected -ne $null) {$report += $isProtected}
#Lookup the child target objects in the parent container $objects = Get-ADObject -SearchBase $OU -SearchScope OneLevel -LDAPFilter $ldapfilter | Select-Object -ExpandProperty DistinguishedName #check the protection of the child objects ForEach ($object in $objects) { $isProtected = ” $isProtected = CheckProtection $object if ($isProtected -ne $null) {$report += $isProtected} } } $report | Format-Table -Wrap $report | Export-Csv -Path $csvFile -NoTypeInformation |
LEGAL DISCLAIMER
This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment.
THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code, provided that You agree:
(i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded;
(ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded; and
(iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of the Sample Code.
This posting is provided “AS IS” with no warranties, and confers no rights.
(Latest update: 2020-12-31)
This post has been published on TNWiki too, and waiting for your input at: MIM 2016 Troubleshooting: FIM MA Full import error 0x80070002
When you try to run an Full import run profile on the MIMMA, you get an error message in the MIM GUI.
Unable to run the management agent.
The system cannot find the file specified. (Exception from HRESULT: 0x80070002)
Log Name: ApplicationSource: FIMSynchronizationServiceDate: 10/17/2016 5:38:58 PMEvent ID: 6309Task Category: ServerLevel: ErrorKeywords: ClassicUser: N/AComputer: SERVER.SUBDOMAIN.AD.ACCEPT.ROOTDescription:The server encountered an unexpected error while performing an operation for a management agent."BAIL: MMS(39888): ..\ma.cpp(3781): 0x80070002 (The system cannot find the file specified.)Forefront Identity Manager 4.3.1935.0"Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="FIMSynchronizationService" /><EventID Qualifiers="49152">6309</EventID><Level>2</Level><Task>3</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2016-10-17T15:38:58.000000000Z" /><EventRecordID>409902</EventRecordID><Channel>Application</Channel><Computer>SERVER.SUBDOMAIN.AD.ACCEPT.ROOT</Computer><Security /></System><EventData><Data>BAIL: MMS(39888): ..\ma.cpp(3781): 0x80070002 (The system cannot find the file specified.)Forefront Identity Manager 4.3.1935.0</Data></EventData></Event>
When you try to stop the run of the MIM MA you get an error.
The option “run the management agent in a separate process” is activated.
Uncheck the option “Run this management agent in a separate process” from the “Configure extensions” item in the management agent properties.
Updated: 2020-12-30
During FIM health checks we need to have a good overview of the event viewer on the FIM Servers.
In almost any case the event viewer is a good measure of the server’s health.
The more red and yellow you see, the more errors and warnings, the more work you’ll have to get your server in a healthy state.
First goal is to have a general temperature of the health.
Second goal is to have the details to fix the issues.
I’ve created a Powershell to analyse the event viewer logs.
Instead of posting the Powershell in this blog, I’ve published it on TechNet Gallery, over here:
https://gallery.technet.microsoft.com/Powershell-Event-log-ab0ded45
There is a companion Wiki article with some guidance and configuration manual.
In short, the Powerscript below is a modular script that offers following functions:
You can configure the script:
I’m more than happy if you would test the script and provide me feedback to improve the script.
Source: http://www.microsoft.com/licensing/products/products.aspx
Download the “Microsoft Product Use Rights (WW, English, April 2015)” document at http://www.microsoftvolumelicensing.com/userights/Downloader.aspx?DocumentId=8488 In short, prior to 1st of april 2015, you required
| Functionality | Covered by |
| FIM Server Components (FIM Sync, FIM Services, FIM portal, …) | FIM Server SKU |
| CAL | Standalone FIM CAL, or Azure Active Directory Premium (AADP), or Enterprise Mobility Suite (EMS) User, orEnterprise Cloud Suite (ECS) User SL |
| External Users | FIM External Connector license (per server) |
After 1st of april 2015:
| Functionality | Covered by |
| FIM Server Components (FIM Sync, FIM Services, FIM portal, …) | Windows Server license (Standard & Datacenter) will include FIM server entitlement |
| CAL | Standalone (FIM) CAL, or Azure Active Directory Premium (AADP), or Enterprise Mobility Suite (EMS) User, or Enterprise Cloud Suite (ECS) User SL |
| External Users | Windows Connector license |
Certificate and Identity Management
Synchronization Service
From the PUR:
FIM / MIM is using a user CAL. The FIM server will no longer be sold as a separate license, but instead Windows Server licenses will allow customers to install the FIM Server software. Since FIM users already required a Windows Server CAL or equivalent to access FIM running on Windows Server, no additional Windows Server CALs (or Windows Server External Connector) will be required. Still it’s important to understand that you still need FIM/MIM CALs to manage identities with FIM/MIM (unless you only use the FIM/MIM Sync). Azure Active Directory Premium (AADP) and any suite that contains AADP, including Enterprise Mobility Suite (EMS) and Enterprise Cloud Suite (ECS) or a additive FIM CAL will also entitle users to access FIM. MIM will have the same licensing model. All current FIM customers with active SA on the underlying Windows Server, (since the right to install FIM server is now granted with a Windows Server license), will have rights to upgrade to MIM when it launches. And for my Dutch speaking followers… Tous la même chose:
PS: The FIM licensing page on TechNet Wiki will be updated ASAP (http://aka.ms/LicenseToFIM)
[ADD-ON, Jan 2016]
https://identityunderground.wordpress.com/2016/01/06/fimmim-licensing-clarification-on-the-requirement-to-use-cals/
Bookmark:
The International TechNet Wiki Summit 2015 aka TNWiki Summit15 will be a landmark in the TechNet Wiki history!
This Summit edition will be a unique conference to be held by Community members, based only on TechNet Wiki articles created to share problems and solutions, providing the opportunity to acquire knowledge and strengthen contacts between IT Professionals and Developers, to improve their professional growth.
Let’s thank what has been accomplished on TechNet Wiki and encourage Attendees to share ideas and knowledge about different articles.
All About Identity And Security On-Premises And In The Cloud - It's Just Like An Addiction, The More You Have, The More You Want To Have!
Complete Identity Orchestration for Microsoft Entra and On Premises Identity and Access
My connector space to the internet metaverse (also my external memory, so I can easily share what I learn)
My connector space to the internet metaverse (also my external memory, so I can easily share what I learn)
My connector space to the internet metaverse (also my external memory, so I can easily share what I learn)
My connector space to the internet metaverse (also my external memory, so I can easily share what I learn)
My connector space to the internet metaverse (also my external memory, so I can easily share what I learn)
My connector space to the internet metaverse (also my external memory, so I can easily share what I learn)
My connector space to the internet metaverse (also my external memory, so I can easily share what I learn)
Identity Underground 
You must be logged in to post a comment.