Author Archive

Detect and uninstall hotfixes

There seem to be a broken patch KB3159398 which was released this Tuesday, it breaks GPO processing which can cause a lot of headache!


I’ve made a script which lets you check if this hotfix is installed and also let’s you uninstall it. Replace the KBxxxxxxx with the KB number and run from elevated Powershell to see if it is installed. If you want the script to uninstall the hotfix silently, set $uninstall to $true.

$uninstall = $false # change to $true to uninstall hotfix
$hotfixID = ‘KBxxxxxxx’ #Hotfix KB-number to check, use ‘ quotation marks
Get-HotFix $hotfixID
if ($uninstall -eq $true)
Invoke-Command -ScriptBlock {wusa.exe /uninstall /KB:($hotfixID -replace ‘KB’,”) /quiet /norestart} #Uninstall quietly and does not prompt for reboot


Enable/disable Office 365 serviceplans

I was asked today how you can disable and enable individual features included in an Office 365 license (like Exchange Online, Yammer.. etc) from Powershell

Launch Powershell and log on to your tenant (connect-msolservice)

To see which features which is included in a license use the following code:

$lic = Get-MsolAccountSku | Out-GridView -OutputMode Single -Title “Select SKU to look up”

This will show a list of features and their status

Next, if you want to disable Exchange online for one specific user:

$skuid = Get-MsolAccountSku | Out-GridView -OutputMode Single -Title “Select SKU to edit”
$user = Get-MsolUser | ? {$_.isLicensed -EQ $true} | Out-GridView -title “Select user to modify” -OutputMode Single
$Disable_ExchangeOnine = New-MsolLicenseOptions -AccountSkuId $skuid.AccountSkuId -DisabledPlans “EXCHANGE_S_ENTERPRISE”
$Enable_ExchangeOnline = New-MsolLicenseOptions -AccountSkuId $skuid.AccountSkuId -DisabledPlans $null
Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -LicenseOptions $Disable_ExchangeOnine

The sku must match the sku assigned to the user you want to change.


Then run this line in the same script to re-enable Exchange Online

Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -LicenseOptions $Enable_ExchangeOnline

Delegate “logoff” permission RDS 2012

Recently I had a challenge with delegating the permission to logoff sessions to a group of users on a RDS solution based on 2012 R2, but without giving them local administrator permissions. Microsoft has removed the RDSH console in Windows Server 2012, which means we have no place to set permissions for the sessions on a RDSH based on 2012 or later. After a quite bit a research I found a solution.

Step 1: Assign permissions

Some googling led me here where I found this command which does the job if you replace “domain\group”with correct values.

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName =”RDP-Tcp”) CALL AddAccount “domain\group”,2

However if you have an existing 2008 R2 server you can install the RSAT for RDSH and connect to the 2012 R2 session host and set the needed permissions there.


Step 2: Enable logoff

Now when the users have permission to logoff sessions, they still can’t use task manager because the options there are very limited when you’re not an administrator:


And Powershell can’t query the RDS deployment without administrator rights, so for once I couldn’t user Powershell to save the day.

However we have command line tools to get the job done. To make this more user friendly I made a batch-file and put it on the desktop for the delegated users. Here the user can list all sessions on the server and select which one to logoff. It boils down to a combination of “query session” and “logoff” commands. This is the batch file, feel free to use if needed.

@echo off
REM List sessions and log off users
REM Written by Per-Torben Sørensen
ECHO ………………………………………..
ECHO PRESS 1 or 2 to select your task, or 3 to EXIT.
ECHO ………………………………………..
ECHO 1 – List current sessions only
ECHO 2 – List and log off a session
SET /P T=”Type 1, 2, or 3 then press ENTER: ”
query session
query session
SET /P ID=”Type the ID of the session to log off, or C to cancel: ”
logoff %ID%


Deselect “automatically detect settings” in IE using GPP

Lately I struggled with finding a way to deselect “automatically detect settings” in IE for all users of a customer.


There are no GPO settings for this and the GPP IE settings doesn’t allow to set this for any IE versions before IE10 and the customer needs IE9 for compatibility issues with their SharePoint sites.

After much searching I found a way to set this  using GPP to set a registry setting.

  1. Create a new GPO or edit an existing one
  2. Navigate to User configuration – Preferences – Windows Settings – Registry
  3. Create a new registry item with the following values
    1. Name: DefaultConnectionSettings
    2. Action: Update
    4. Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    5. Value Name: DefaultConnectionSettings
    6. Type: REG_BINARY
    7. Data: (make sure you copy the entire line below, it’s several hundred digits)


It should look like this then


This will always clear the “Automatically detect settings” on next logon or gpupdate

Removing mail stuck in retry queue in Exchange

Per-Torben Sørensen

Everyone working with mail has seen this, messages and NDRs stuck in retry queues mostly thanks to spam and malware.

These fine lines of Powershell will remove all messages from retry queues without sending NDR for each message.

# Empty Exchange retry queues without NDR
# Written by Per-Torben Sørensen (
# Version: 1.0
# Change the settings below
$Servers = "CAS01","CAS02" # Enter the name of all CAS servers
# Variables below
add-pssnapin Microsoft.Exchange.Management.PowerShell.E2010
foreach ($server in $servers)
$retryqueues = get-queue -Server $server -filter {Status -eq "Retry"}
foreach ($queue in $retryqueues)
Get-Message -Queue $queue.identity | Remove-Message -WithNDR $false -Confirm:$false

View original post

CAWeb Enrollment error 403.14

The Certification Authority Web Enrollment is the webpage where you can logon to request certificated or download crls from your CA. One of my challenges today was that a newly installed issuing CA was unable to configure the Web enrollment webpage correctly. No matter what I did I always got the “403.14 – Forbidden” error.

After quite a bit of troubleshooting, including removing and re-adding roles using both Server Manager and powershell and reboots between the steps I was no closer to a solution. One of my Google-searches lead me to where he suggests to check that default.asp is located in the path C:\Windows\System32\CertSrv\en-US.

I had the file and everything there was correct, but that lead the to check the path of the website itself. For some reason IIS kept linking the /certsrv site to C:\Windows\System32\CertSrv which is the parent folder, so as soon as I changed the path from C:\Windows\System32\CertSrv to C:\Windows\System32\CertSrv\en-US in IIS everything was ok.


Find unlinked GPOs in your domain

Have you ever wondered if your domain has any GPO without a link and which GPO that would be? This is how you find out with Powershell with output to the screen.

$unlinkedGPOs = (Get-GPO -all | where {([xml]($_ | Get-GPOReport -ReportType XML)).gpo.LinksTo.Length -eq 0})
Write-Host "The following GPO has no link:"
$unlinkedGPOs| ft DisplayName -HideTableHeaders
Write-Host "Total: $($unlinkedGPOs.Count)"

%d bloggers like this: