blog cloud howto

Enable or disable password expiration for Office365 users using Powershell

You can change the general password expiration policies in the online GUI but for individual users and to check the state you need to use powershell.

  1. First make sure you have installed the required module for powershell.
    – Azure Active Directory Module for Windows Powershell.
    On Windows 10 you can open powershell with run as administrator and run the command: Install-Module -Name MSOnline
    Or you can download the installer from:
    You need the AdministrationConfig-V1.1.166.0-GA.msi file.
    – For this to install you need to have the Microsoft Online services sign-in assistant > 7.
    If you don’t have it you can download it from:
  2. Now that we have the necessary software we can connect, start powershell for windows azure ad and execute:

  3. Check if password expiration is set for any of the users:
    Get-MSOLUser | Select UserPrincipalName, PasswordNeverExpires
  4. Change password expiration for all users:
    Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $true
    Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $false
  5. Change password expiration for just one user:
    Set-MsolUser -UserPrincipalName u1@dm.tld -PasswordNeverExpires $true
    Set-MsolUser -UserPrincipalName u1@dm.tld -PasswordNeverExpires $false
blog howto server windows

Can’t find script engine “VBScript” for script …

I recently came across this error while trying to execute a VBscript.

Can’t find script engine “VBScript” for script …

After some troubleshooting this was related to the uninstall of McAfee antivirus software.
McAfee antivirus intercepts all VBscript execution by changing the executable that runs the scripts.
After uninstallation, this change was not rolled back and VBscript execution would faill unless explicitely called by wscript.exe or cscript.exe.

Solution is to revert he change in the Windows registry.
In the following registry key:
Find the value named (Default) of type REG_SZ and change the data back to:
instead of:
c:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110218083735.dll

You have the adjust the permissions on the key InprocServer32 to give write permission to Administrator (or your user).

If your problem is unrelated to McAfee and the registry value is correct you might have to re-register the DLL’s.
Open a CMD with elevated privileges (run as administrator) and execute the following commands:

cd "%systemroot%\system32"
regsvr32 jscript.dll
regsvr32 vbscript.dll
cd "%systemroot%\SysWow64"
regsvr32 jscript.dll
regsvr32 vbscript.dll

More information and information that i used to troubleshoot this issue:

blog howto windows

Windows 2012 Server Manager refresh failed, requires a restart

The request to add or remove features on the specified server failed. the operation cannot be completed because the server that you specified requires a restart.

Role and feature refresh failed with the following error: The Request to list features available on the specific server failed. The operation cannot be completed, because the server that you specified requires a restart.

Restarting the server does not help.

Check the eventlog for an error from Service Control Manager ID 7041 that reads:

The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.


This service account does not have the required user right “Log on as a service.”

Check the “Windows Internal Database” service is running, it probably is not and can’t start.

If this is a domain controller you can assign the logon as service right for the account using the “Default Domain Controllers Policy” GPO.

  1. Open gpmc.msc
  2. Select the “Default Domain Controllers Policy” under the “Domain Controllers” OU in the left tree.
  3. Right click on it and select edit.
  4. In the editor navigate to “Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignments”.
  5. Open the properties of the “Log on as a service” item.
  6. Add the user “NT SERVICE\MSSQL$MICROSOFT##WID” (without quotes) using the Add User or Group button.
  7. Close the window with OK. Close the GPO editor.
  8. Run gpupdate and restart the computer.

If this is a normal member or standalone server you can assign the logon as service right for the account using the “Local Security Policy”.

  1. Open secpol.msc
  2. Navigate to” Local Policies, User Rights Assignments”.
  3. Open the properties of the “Log on as a service” item.
  4. Add the user “NT SERVICE\MSSQL$MICROSOFT##WID” (without quotes) using the Add User or Group button. If this is greyed out, than the item is set using Domain Group Policies (see above).
  5. Close the window with OK. Close the local security policy editor.
  6. Run gpupdate and restart the computer.
blog howto windows

Uninstall Sophos Antivirus tamper protection lost password

How to uninstall Sophos Antivirus when the Tamper Protection doesn’t let you, and you don’t know the Tamper password.

  1. Stop the Sophos Anti-Virus service if possible. Open services.msc and stop the service.
  2. Open notepad with UAC elevation, run as Administrator.
  3. In notepad open the file “C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml”
  4. Find the configuration section for TamperProtectionManagement


  5. Change the password string (123456789ABCD… above is just an example, yours will be different.) to the new value: E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73
  6. Start Sophos Antivirus or restart the computer.
  7. Disable tamper protection using the new password: “password” (without the quotes).
  8. Uninstall Sophos Antivirus.
blog howto server virtualization

MONITOR PANIC: Unable to decompress PPN from swap slot for VM


My VM would power off without apparent reason.
Looking in to the logs this error appears.

MONITOR PANIC: Unable to decompress PPN from swap slot for VM

I believe the underlying storage (a single SATA disk in my case) to be at fault, or almost dying I guess.
I storage vmotion’ed the VM to another disk.

blog howto network server windows

Backup domain controller sync issues KRB_AP_ERR_MODIFIED 0x80090322 target principal name incorrect

My case:
1x Windows 2008 Small Business Server (named: SBS2008)
1x Windows 2008 R2 standard on off-site location (named: TS2008) BACKUP DOMAIN CONTROLLER & GC
Connection between the 2 servers was lost for nearly 3 months.
Replication would only work from SBS2008 to TS2008 but not from TS2008 to SBS2008.
I couldn’t view the shares on \\SBS2008 from the console on TS2008, i received the error “The target principal name is incorrect”. On SBS2008 I could view the shares on TS2008.
In the eventlog there were errors:

The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.


The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Directory partition:

There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.

All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.

Directory partition:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=local

The File Replication Service is having trouble enabling replication from SBS2008 to TS2008 for c:\windows\sysvol\domain using the DNS name SBS2008.domein.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.

The session setup from the computer SBS2008 failed to authenticate. The name(s) of the account(s) referenced in the security database is SBS2008$. The following error occurred:
Access is denied.

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sbs2008$. The target name used was E3514xx-xxxxxxxxxxxxxxx/yyyyyyyyyyyyyyy/domain.local@domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please …

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sbs2008$. The target name used was DNS/sbs2008.domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please …

Demote and the promote for TS2008 would not work without forcing and doing a lot of NTDS cleanup on the PDC. So this was my last resort.

1st reboot -> did not work.
Doing a lot of searching and looking up the SPN for SBS2008 on both DC’s did not show any differences.

Luckily I found an older KB from microsoft on how to reset the kerberos secure channel between two DC’s.

I had to disable the KDC (Kerberos Key Distribution Center) service on TS2008 and then reboot.
Immediately after reboot I noticed I could browse the shares on the SBS2008 without error.
This is because TS2008 was no longer supplied Kerberos tickets itself but requesting them from SBS2008.
Now I opened an elevated command prompt and forced a sync of all replica partitions and triggered the KCC checker.
repadmin /syncall /ade
repadmin /kcc

To check the replication backlog queue use:
repadmin /queue

After replication was succesful I put the KDC service back to automatic and started it. Problem solved.

If you can’t get replication working yet, you’ll need these extra steps.
klist /purge
netdom resetpwd /server:sbs2008 /userd:domain\Administrator /passwordd:* (the * will make it prompt for password).

Also you might need to check your DNS settings and put the IP adres of SBS2008 as primary DNS IP on the NIC of TS2008.

Other helpful information:

blog howto windows

Excel has problems with space as thousand seperator

Change the system settings to use a . instead (configuration panel, region and local settings, more settings, number).

For existing files, use search and replace to delete spaces. If still left justified multiply all with the number 1 using paste special, see link below.

blog howto windows

Acrobat X pro as part of CS6 suite does not start 30days after installation

Acrobat X pro as part of CS6 suite does not start 30days after installation

Use solution 2.

Does not work for regular standalone Adobe X problems, only when installed (and activated) as part of CS6 suite, and stops to work after 30 days.

1) Download:
2) Unzip to a convenient location
3) Open a command prompt as administrator (in start menu search for cmd and right click run as administrator)
4) go to the location where you unzipped
cd c:\temp\adobefix\
5) Execute the executable
6) Exit Code: 0 means succesfully patched!
7) Try Adobe X Pro again.

blog howto server virtualization

VMware ESXi 5.1 on USB stick won’t boot Proliant DL380 G5

Installation using the cdrom was succesful but after restarting the server won’t boot from the USB stick.
Make sure you set the correct BIOS options to allow to boot from USB.


ESXIi formatwithmbr runweasel

If still doesn’t boot than it probably has to do with GPT/MBR formatting of the USB stick done by VMWARE.
You need to boot from the ESXi install CD again and right after you press enter to choose “ESXi5.1 installer ISO …” you see in the lower righthand corner the text “Shift + o” press this key combination (shift and the letter o). Now you see the text “runweasel” remove any chars after this, type a space and then “formatwithmbr”.

Now install as normal but now VMware should format your USB stick as MBR instead of GPT and you should be able to boot from it after the install finishes.


blog exchange howto server

Exchange 2010 Outlook Anywhere proxy security certificate wildcard *

When you use a wildcard certificate on your Exchange 2007 or 2010 environment you can receive an error on outlook:
There is a problem with the proxy servers's security certificate.
The name on the security certificate is invalid or does not match the name of the target site
Outlook is unable to connect to the proxy server (Error code 0)

When using internally your outlook may connect just fine using the normal RPC-TCP method.
This happens because outlook is checking the name on the certificate for mutual authentication to ensure your are connecting to the right server. Outlook gets this information from the autodiscover service.
If you manually change the value to msstd:* it works, but the autodiscover will put the other value back in a matter of minutes. Autodiscover assumes a value equal to the external name set on your CAS server (in my case and uses this.

To override this behavior use the following exchange shell command:
Set-OutlookProvider EXPR -CertPrincipalName msstd:*
After you adjust this, you need to restart the “world wide web publishing” service, because of caching.

You could also disable this “Mutual authentication”, but it’s a good security feature, so I wouldn’t.
Set-OutlookProvider EXPR -CertPrincipalName none
Remember to restart the W3P service.

Be aware that when you set $null instead of none Exchange will go back to default behavior and use the external name from the CAS server.