HOW TO - Copy NTFS Permissions

q: On a windows system, how can we copy permissions from one folder to another?

a: With PowerShell using the Get-ACL / Set-ACL commands.  
Get-Acl C:\Windows\System32\LogFiles | Set-Acl D:\Windows\System32\LogFiles

Disable Prompts to migrate to use Outlook (new)

Q: Customer called about having to close 4 windows prompting them to migrate to Outlook (new).  

A: We uninstalled the Outlook (new) app from Installed Apps, created a new key in the registry, rebooted, and then Outlook (classic) seemed to open just fine.  Either manually create this key, or save the 4 lines to a file name DisableNewOutlook.reg and run it on the computer.

Hide the Try the new Outlook toggle in classic Outlook:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Options\General]
"HideNewOutlookToggle"=dword:00000001

https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/enable-disable-employee-access-new-outlook

Bulk Update IIS SSL Bindings Certificate update

Q: The customer called with a server with multiple IIS sites each with secure bindings using an SSL Certificate that will expire soon. How can they automate updating the bindings on each site?

A: Using this Powershell script, found online, they can run it locally from an elevated Powershell window / or remote script utility.  Identify the SSL Thumbprint of the expiring certificate as well as the new certificate.  Update lines 2 & 3 accordingly then run it.

# Define Variables
$OldThumbprint = "########################################"
$NewThumbprint = "########################################"

# Search all bindings for old thumprint and replace with newthumbprint
Get-WebBinding | Where-Object { $_.certificateHash -eq $OldThumbprint} | ForEach-Object {
Write-Host "Replacing Cert For " $_
$_.RemoveSslCertificate()
$_.AddSslCertificate($NewThumbprint, 'My')
}

Charter Spectrum SMTP Sending fails

Error: Customer reported they could not send emails from their charter.net email address through mobile.charter.net over 587 SSL when they were on their Clearwave wireless network.  If they turned off wifi, emails would send.

Answer: We configured Mozilla Thunderbird on their Clearwave network to use Charter, it immediately threw this error when we tried to send:

An error occurred while sending mail: Outgoing server (SMTP) error. The server responded:  impout004.msg.chrl.nc.charter.net cmsmtp *.*.*.* blocked. Please see https://www.spectrum.net/support/internet/understanding-email-error-codes  for more information. AUP#Out-1130.

1100 - 1150
The IP address you’re trying to connect from has an issue with the Domain Name System. Spectrum requires a full circle DNS for emails to be allowed through. Verify the IP you’re connecting from, and check the IP address to ensure a reverse DNS entry exists for the IP. If the IP address is a Spectrum-provided email address, contact us.

Summary: It seems, as a security measure, Spectrum will not let your IP connect to their outbound email relay servers if your public IP does not have a PTR / reverse lookup DNS record, of any kind. It just needs to exist, it does not have to match your company name or domain name or anything.  

We contacted Clearwave support and requested a DHCP PTR record be created.  They obliged and created it.  Mozilla was able to send emails and their phone worked too.  NOTE, with a dynamic address, if their IP changes, they will have to contact support again, but it works for now.

HOW TO - Share a password

 q: With password complexity on the rise, what is a quick way to securely share a password without trying to spell it over the phone?

a: Password Pusher - https://pwpush.com/
You can provide your own data to share, or let the site generate a string for you.
You can control expiration by Day and View count.
You can even require a password, to access this string.
You can also share files & URLs securely. 

WINRM cannot process the request | Kerberos authentication | unknown security error

q: A user tries to send a command to SERVER1 via PowerShell over WinRM and gets an error.

 PS > Invoke-Command -ComputerName SERVER1 -ScriptBlock {net localgroup administrators}

*[SERVER1] Connecting to remote server SERVER1 failed with the

following error message : WinRM cannot process the request. The following

error with errorcode 0x80090322 occurred while using Kerberos

authentication: An unknown*security error occurred.

Possible causes are:

-The user name or password specified are invalid.

-Kerberos is used when no authentication method and no user name are

specified.

-Kerberos accepts domain user names, but not local user names.

-The Service Principal Name (SPN) for the remote computer name and port

does not exist.

-The client and remote computers are in different domains and there is no

trust between the two domains.

After checking for the above issues, try the following:

-Check the Event Viewer for events related to authentication.

-Change the authentication method; add the destination computer to the

WinRM TrustedHosts configuration setting or use HTTPS transport.

Note that computers in the TrustedHosts list might not be authenticated.

-For more information about WinRM configuration, run the following

command: winrm help config. For more information, see the

about_Remote_Troubleshooting Help topic.

+ CategoryInfo : OpenError: (SERVER1:String) [],

PSRemotingTransportException

+ FullyQualifiedErrorId : -2144108387,PSSessionStateBroken

a: From the client machine, create this Reg Key and try again.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client

Value type: REG_SZ (string)

Value name: spn_prefix

Value data: WSMAN

Google Workspace - We couldn’t verify it’s you

q: Customer called with Google Workspace blocking their access to log into a user account via webmail.
    Google
    We couldn’t verify it’s you
    We want to make sure it’s really you trying to complete this action.
    To help us verify it’s really you
    Use a device and browser you’ve signed in on before
    Use a familiar Wi-Fi network, such as at home or work

a: Simply disable login challenge and it will let you through.
    Log into Google Workspace Admin https://admin.google.com/
    Click users
    Click the user / username affected
    Click the ‘Security’ section
    Click ‘Login challenge’ - Turn off identity questions for 10 minutes after a suspicious attempt to sign in
    Click <TURN OFF FOR 10 MIN>
    Then try to log in as that user again.