Archive for the ‘Uncategorized’ Category

TEC 2012 in San Diego, CA

I am heading to San Diego to present at Quest’s annual “The Experts Conference” 2012 (TEC 2012). I’ll be speaking about deployments of Office 365 in large enterprises this Tuesday, May 1, 2012.

I’ll dedicate an entire hour to “notes from the field” topics about Office 365 architectural and deployment details that large customers are likely to touch. Thanks to very early exposure from inside Microsoft to BPOS, Live@edu and Office 365, I’ve collected plenty of experiences that I’ll be sharing with the public. I hope that my firsthand “field” exposure to Office 365 deployments over the last couple of years will help you down the road.

Looking forward to seeing a few of my readers in person!


Live@edu has grown 100% year over year and topped the 22M user mark!

I wanted to re-share exciting news on my blog. Live@edu has grown 100% year over year and topped the 22M user mark!

Disabling Forwarding for an Outlook Live domain and Removing Forwarding Options from the OWA

Note: A good friend and colleague of mine, Jim Muir, wrote an article on how to disable forwarding in Live@edu. I’ve volunteered to re-publish it, so all credit for this content goes to Jim!

User-Driven Options

Users can create inbox rules to automatically forward messages to e-mail addresses outside an organization. Depending on a customer’s policies, they may choose to prevent the forwarding of all such messages or to prevent the delivery of a subset of auto-forwarded messages.

Administrator-Driven Options

Disabling Forwarding for an Outlook Live domain

To accomplish this, IT Admins must first disable forwarding in the domain using PowerShell. For instructions to install PowerShell and connect it to the Outlook Live service, follow the online
Once connected, use the -AutoForwardEnabled parameter of Set-RemoteDomain, which controls automatic message forwarding to remote domains:

Set-RemoteDomain Default -AutoForwardEnabled $false

If a rollback is required, use the same PowerShell command, setting -AutoForwardEnabled to $true.

Removing Forwarding Options from the OWA UI

There are three locations in the OWA UI that pertain to forwarding e-mail.

The first location for forwarding appears in the OWA UI in the account section, under the section called Shortcuts to other things you can do, as shown here:

The second location is within the “My Account” options page. When a user clicks the “Forward your e-mail” link, the “My Account” options appear with the Forwarding section enabled. In the Forwarding section there is a field to enter the address to forward e-mail to, and a tick box that lets a user keep a copy of the forwarded message in the Outlook Web App.

The third location is in the Organize E-Mail section: when a user clicks the New drop-down menu and selects Create a new rule for arriving messages, a new inbox rule is created. In the New Inbox Rule window, an option appears for Redirect the message to…

In order to remove these options from the user interface, IT Admins need to use Windows PowerShell. IT Admins should remove the forwarding options from all three locations. If an IT admin wishes to turn off forwarding for all users in their domain, they should edit the DefaultMailboxPlan policy. If an IT admin wishes to apply this role to only a small number of users, they will need to explicitly create a role assignment policy instead of using the default assignment policy.

In the example provided below, the default mailbox plan policy is used to turn off the forwarding features for all users. Assuming that the IT admin is connected to the service with Windows PowerShell, follow these instructions:

  1. Create a new custom role (replace <NewRoleName> with the name you choose) and base it on the default mailbox plan:
    New-ManagementRole -Parent MyBaseOptions_DefaultMailboxPlan -Name <NewRoleName>
  2. Remove the DeliverToMailboxAndForward, ForwardingAddress and ForwardingSmtpAddress parameters from the Set-Mailbox entry of the role:
    Set-ManagementRoleEntry <NewRoleName>\Set-Mailbox -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress -RemoveParameter
    NOTE: Outlook Live administrators have additional RBAC roles assigned. If you need to turn off the forwarding feature for an administrator account, you will need to clean up the DeliverToMailboxAndForward, ForwardingAddress and ForwardingSmtpAddress parameters for each role assignment.
  3. Remove the ForwardAsAttachmentTo, ForwardTo and RedirectTo parameters from the New-InboxRule entry of the role:
    Set-ManagementRoleEntry <NewRoleName>\New-InboxRule -Parameters ForwardAsAttachmentTo,ForwardTo,RedirectTo -RemoveParameter
    NOTE: Removing the ForwardAsAttachmentTo, ForwardTo and RedirectTo parameters from the inbox rules also removes the option to set an inbox rule to forward the message as a text message.
  4. Assign the role to the default mailbox plan policy:
    New-ManagementRoleAssignment -Policy RoleAssignmentPolicy-DefaultMailboxPlan -Role <NewRoleName>
  5. Remove the previous management role assignment:
    Remove-ManagementRoleAssignment MyBaseOptions_DefaultMailboxPlan-RoleAssignmentPolicy-DefaultMail
  6. The administrator is asked to confirm the removal. Type Y to remove.

Once confirmed, the OWA UI will not display the forwarding options in the three locations outlined above:

  1. My Account user interface
  2. Connected Accounts user interface
  3. New Inbox Rule interface

If a rollback is required, use the same PowerShell commands, but instead of the -RemoveParameter switch use -AddParameter.
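As an added example (not part of Jim’s article), the following PowerShell audit verifies the outcome of the steps above at all three layers: the remote-domain setting, the RBAC role entries, and forwarding that users had already configured before the options were hidden (hiding the options does not clear existing values). It assumes an open Remote PowerShell session to the Outlook Live service and that <NewRoleName> is replaced with the custom role created in step 1.

```powershell
# Audit script (added example, not from the original article).
# Assumes: connected Remote PowerShell session to Outlook Live;
# $RoleName is the custom role created in step 1 (placeholder below).
param([string]$RoleName = "<NewRoleName>")

$mailboxForwardingParams = 'DeliverToMailboxAndForward', 'ForwardingAddress', 'ForwardingSmtpAddress'
$ruleForwardingParams    = 'ForwardAsAttachmentTo', 'ForwardTo', 'RedirectTo'

# 1. Domain level: automatic forwarding to remote domains must be disabled.
$remote = Get-RemoteDomain Default
if ($remote.AutoForwardEnabled) {
    Write-Warning "AutoForwardEnabled is still `$true on the Default remote domain"
}

# 2. RBAC level: the custom role must no longer expose the forwarding parameters.
$checks = @{ 'Set-Mailbox' = $mailboxForwardingParams; 'New-InboxRule' = $ruleForwardingParams }
foreach ($cmdlet in $checks.Keys) {
    $entry  = Get-ManagementRoleEntry -Identity "$RoleName\$cmdlet"
    $leaked = @($entry.Parameters | Where-Object { $checks[$cmdlet] -contains $_ })
    if ($leaked.Count -gt 0) {
        Write-Warning "$RoleName\$cmdlet still exposes: $($leaked -join ', ')"
    }
}

# 3. Existing state: removing the parameters stops users from configuring new
#    forwarding, but values set earlier remain on the mailbox and in inbox rules.
#    List them so an admin can review and clear them.
$mailboxes = Get-Mailbox -ResultSize Unlimited

$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.Identity |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } }, Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo |
        Format-Table -AutoSize
}
```

Run it again after a rollback with -AddParameter to confirm the parameters are exposed once more.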

Selecting predefined scope of users in BPOS

BPOS customization is a subject of conversation that I have lately been having with many of our customers. One of the most asked questions is: how do we choose the subset of users that are available for BPOS synchronization and leave “administrator”, “guest” and a whole bunch of system accounts behind?

Well, by popular demand (more exactly, by request from my friend and co-worker Mitchell Groeneveld) I wanted to share one troublesome story of our BPOS customization. Several months ago I was taking our internal BPOS deployment and pushing all users into the cloud. As a person who is never satisfied with a “default” installation, I dug into the BPOS sync server and took it apart, service by service and setting by setting.
Since BPOS runs on an ILM 2007 back-end it was not difficult for me to do. What I had forgotten is that BPOS has its own scheduling service that kicks off a synchronization cycle several times a day. After scoping out most of our Active Directory from the BPOS synchronization cycle I made one crucial change, which cost us a LOT of grief in the following weeks. I performed one of the basic operations in AD – renaming an OU/container. It sounds trivial and simple: click-type-done. Not so fast!
Since I had scoped out most of the OUs in the BPOS Sync Engine, the rename of an OU was interpreted by the Sync Engine as “delete” and “re-create”… Had it been the “canned” scenario, where every object in AD is included – no problems… However, in my “tweaked” configuration the BPOS-configured ILM faithfully deleted all sub-OUs and all users located in them… The sync cycle kicked in shortly thereafter and… hold your breath… all of my users’ mailboxes for the entire US branch of the company were deleted in an instant. In the next instant a new set of mailboxes was created – fresh and empty. Ta-da!
Needless to say, I spent the rest of the night on the phone with Microsoft and the rest of the week in meetings with users and management. Eventually the mailboxes were restored and re-attached. In the meantime we learned a valuable lesson – messing with BPOS and its pre-canned configuration can be done – with great care. And if you have to modify something – disable the synchronization service and pay very close attention to your pending exports.
In the meantime, our instance of BPOS is now clean and “selective”; the GAL contains no “administrator”, no “guest”, no service accounts and no disabled accounts from the past – just the accounts we consider BPOS-worthy.

(re)”Hello World”

Fortunately or unfortunately, Microsoft has decided to give up the Live Spaces blog engine and migrate everybody onto WordPress. I guess one can look at life as an ongoing migration. So far I am feeling good about this new site. I love all the new rich features that are available. And I finally got the ‘statistics’ back (which the “Live” team removed from Live Spaces several months ago).

So here it goes!
“Hello World”

Talking about Identity and work with pre-existing LiveIDs with log parsing

Thanks to Jonny’s world-wide popularity, my humble blog was viewed more times than I can ever remember after his link to the log parser script. Who knew that real people are actually reading these things! LOL


Thanks Jonny 🙂



Identity and work with pre-existing LiveIDs with log parsing

My exceptionally TALL friend from Schakra, Dmitry Kazantsev, has just blogged on a rather useful topic for Live@edu customers. He addresses the scenario of identifying and importing pre-existing LiveIDs (EASI IDs) into a managed LiveID domain.

A helper script he has written parses the log produced by CSV_Parser.PS1 and retrieves all failed mailbox creation attempts.

Check out what Dmitry has done here:!2CED76B86679A4C9!748.entry.



Starting my Blog

Ladies and Gentlemen,

After years of silence I’ve decided to dedicate some time to my blog. It’s a new and painful experience for me… LOL

I’ll be posting some of my Identity Management related articles here. After years of working in the IdM arena, it’s time for me to post some of my work and make it public.

I’ve already created several projects on the CodeProject server and will be referencing some of that work here.