Problems accessing Teams recordings

We’ve been seeing problems where students have trouble accessing the recordings for a class meeting even when the permissions on that recording indicate that a Microsoft unified group of which the students are members has viewing rights.

Error message: Hmm … it seems you don’t have access.

The Microsoft Stream Classic service appears to create a local cached copy of the group at the time of the recording, and this group appears not to get updated in a reliable fashion. This means that if a recording is made when a student is not yet a member of the class team, they may not be able to view a video.


Can’t change meeting organizer

There’s no way to modify or update the organizer of an existing Microsoft Outlook or Teams meeting.

The organizer is the person (or account) that created and owns the meeting. Importantly, only that account can make changes or updates to the meeting.

But what happens when someone changes roles or leaves the organization?

If you need to change who can modify a meeting, then you need to delete the old meeting and create a new meeting with the new account. I know canceling and recreating meetings is a bunch of busy work. Unfortunately, there aren’t any other solutions. Microsoft Teams adds some additional challenges (and also hope); see below.


Change Modern Windows Event Log settings with PowerShell

I may be late to the party, but I just found the cmdlets I need to update the properties of modern Windows event logs. The Limit-EventLog cmdlet only works with classic event logs. I want to be able to manage the size of a modern event log, the kind that lives under Applications and Services logs.

The newer event logs require different PowerShell cmdlets for managing their settings.

To read these logs, we need to use the Get-WinEvent cmdlet, but that doesn’t let us change the properties of a log. The other cmdlet with the WinEvent noun is New-WinEvent, also not helpful.

It turns out that the cmdlets we need are in the PSDiagnostics module, Get-LogProperties and Set-LogProperties. Nice. (Available in Windows PowerShell 5.1 and later).

This will allow us to do something like:

PS C:\> Get-LogProperties 'Microsoft-Windows-Ntfs/Operational'                                                          

Name       : Microsoft-Windows-Ntfs/Operational
Enabled    : True
Type       : Operational
Retention  : False
AutoBackup : False
MaxLogSize : 33554432


PS C:\> (Get-LogProperties 'Microsoft-Windows-Ntfs/Operational').MaxLogSize / 1MB
32

And you can use the Set-LogProperties cmdlet (running as admin) to change these settings. But the only two parameters are -force and -LogDetails. So first, you need to save the output of Get-LogProperties to a variable, change the properties you want to modify with the new values, and then provide this variable as input to Set-LogProperties.

Like so:

# Store the log properties in a variable
PS C:\> $ntfslog = Get-LogProperties 'Microsoft-Windows-Ntfs/Operational'

# Confirm the object type
PS C:\> $ntfslog.GetType()                                                                    
IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     False    LogDetails                               System.Object

# Set the new desired log size value in the variable
PS C:\> $ntfslog.MaxLogSize = 40MB

# Supply the variable with the new size as the input to the Set- cmdlet
PS C:\> Set-LogProperties -LogDetails $ntfslog

# Checking our work
PS C:\> Get-LogProperties 'Microsoft-Windows-Ntfs/Operational'                                

Name       : Microsoft-Windows-Ntfs/Operational
Enabled    : True
Type       : Operational
Retention  : False
AutoBackup : False
MaxLogSize : 41943040

PS C:\> (Get-LogProperties 'Microsoft-Windows-Ntfs/Operational').MaxLogSize / 1MB
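
The same Get/Set pattern applied across several logs, as an added example that is not part of the original post. The log list and the 64MB floor are assumptions; the script only raises a log's maximum size and never lowers it.

```powershell
# Added example: enforce a minimum size on several modern event logs.
# The log list and the 64MB floor are assumptions; adjust both as needed.
Import-Module PSDiagnostics

$minimumSize = 64MB
$logNames = @(
    'Microsoft-Windows-Ntfs/Operational'
    'Microsoft-Windows-TerminalServices-Gateway/Operational'
    'Microsoft-Windows-PowerShell/Operational'
)

$report = foreach ($name in $logNames) {
    # Get-WinEvent -ListLog confirms the channel exists on this machine
    if (-not (Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Log = $name; OldSizeMB = $null; NewSizeMB = $null; Action = 'NotPresent' }
        continue
    }

    $details = Get-LogProperties $name
    $oldSize = $details.MaxLogSize

    if ($oldSize -lt $minimumSize) {
        # Same pattern as above: edit the LogDetails object, then hand it back
        $details.MaxLogSize = $minimumSize
        Set-LogProperties -LogDetails $details   # must run elevated
        $action = 'Raised'
    }
    else {
        # Already at or above the floor: leave it alone
        $action = 'Unchanged'
    }

    [pscustomobject]@{
        Log       = $name
        OldSizeMB = $oldSize / 1MB
        NewSizeMB = (Get-LogProperties $name).MaxLogSize / 1MB   # re-read to verify
        Action    = $action
    }
}

$report | Format-Table -AutoSize
```
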

Convert Active Directory AccountExpires attribute

I wrote a quick function to convert the AccountExpires attribute from the Long Integer value to a DateTime object or a string object of “!! Never !!”.

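function Convert-ADAccountExpires ([long] $ticks) {

    # 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFF) both mean the account never expires
    if ( ($ticks -eq 0) -or ($ticks -eq 9223372036854775807) ) {
        $expires = '!! Never !!'
    }
    else {
        # The attribute is a Windows FILETIME value
        $expires = [DateTime]::FromFileTime($ticks)
    }

    Write-Output $expires
}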

Then you can create a calculated property like so:

PS > $expires = @{Label='AccountExpires';Expression={ Convert-ADAccountExpires -ticks $_.AccountExpires } }

And then you can create reports of user accounts and when they expire:

PS> Get-ADUser -Filter * -Properties AccountExpires | Select Name,SamAccountName,$expires

Looking at this (with slightly bleary eyes), I’m already thinking that I should add CmdletBinding(), change $ticks to $AccountExpires, and add ValueFromPipelineByPropertyName. Something to sleep on.
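
A pipeline-aware variant along those lines, as an added example that is not the author's code. It goes beyond the original function by emitting one object per account with a status column and by handling values that FromFileTime rejects; the sample accounts are constructed, and the Status values are names chosen for this example.

```powershell
function Convert-ADAccountExpires {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [long] $AccountExpires,

        [Parameter(ValueFromPipelineByPropertyName)]
        [string] $SamAccountName
    )
    process {
        $expires = $null
        if ($AccountExpires -eq 0 -or $AccountExpires -eq [long]::MaxValue) {
            $status = 'Never'
        }
        else {
            try {
                $expires = [DateTime]::FromFileTime($AccountExpires)
                $status  = if ($expires -lt (Get-Date)) { 'Expired' } else { 'Active' }
            }
            catch {
                # FromFileTime throws for negative or out-of-range values
                $status = 'Invalid'
            }
        }
        [pscustomobject]@{
            SamAccountName = $SamAccountName
            Expires        = $expires
            Status         = $status
        }
    }
}

# Constructed sample input standing in for Get-ADUser output
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; AccountExpires = [long]0 }
    [pscustomobject]@{ SamAccountName = 'bob';   AccountExpires = 9223372036854775807 }
    [pscustomobject]@{ SamAccountName = 'carol'; AccountExpires = 133801632000000000 } # 2025-01-01 00:00 UTC
    [pscustomobject]@{ SamAccountName = 'dave';  AccountExpires = 9223372036854775806 } # beyond DateTime range
)
$sample | Convert-ADAccountExpires | Format-Table -AutoSize

# Against a directory, the attribute must be requested explicitly:
# Get-ADUser -Filter * -Properties AccountExpires | Convert-ADAccountExpires
```
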

Find all hidden network shares

I have a Windows file server with thousands of shares. Occasionally, I create hidden shares for data migration or other administrative tasks. How do you find these shares?

Some websites suggest running Get-WmiObject -Class Win32_Share and piping the output of that to Where-Object to filter. That can work, but it has the computer send you all the share objects. If you want to run this command to get shares from a remote computer, this is highly inefficient.

Instead, we can specify a filter in the initial Get- cmdlet. I’m also going to switch to the Get-CimInstance cmdlet, which is optimized for remote execution.

PS Z:\> Get-CimInstance -ComputerName ServerName -ClassName Win32_Share -Filter 'Type = "0" AND Name LIKE "%$"'

The Filter parameter uses a WQL query to specify that I want regular shares (not administrative shares like C$ or IPC$; see the Win32_Share class doc for details) AND whose names end with a dollar sign. It may not return data much faster, but it sends much less data over the wire, which is important especially for remote scenarios.

Preventing Petya ransomware with Group Policy

This post and this twitter thread describe a mechanism to prevent the latest ransomware cyber attack from running. It involves creating 1 (or 3) files with a specific name(s) and with the Read-only attribute set. Although the instructions on the first post describe copying and renaming notepad.exe, any file, even an empty file, with the correct names and the Read-only attribute will suffice, if I read the twitter thread correctly.

There are numerous ways to accomplish this in a large organization, including an SCCM package that either deploys some files, or that runs a script to create the files. However, I decided to use Group Policy File Preferences to copy a small text file to the three filenames described, including setting the Read-only attribute.

Using Group Policy File Preferences to create the files that will block the Petya (NotPetya) Ransomware.

This should be executed on the affected computers at their next GP refresh, which might be sooner than a reboot for a start-up script.

Remote Desktop Gateway Service – register NPS

I struggled with getting a new Server 2016 Remote Desktop Gateway Service running. I followed the official documentation from Microsoft, configuring two servers as a farm, and creating a single CAP and RAP identically on each server. But every time I tried to connect, I received an error message from the client that my account:

Remote Desktop can't connect to the remote computer "xxxxxxxx" for one of these reasons:
I love those error messages that say “Contact your network administrator for assistance.”

I found a corresponding entry in the Microsoft-Windows-TerminalServices-Gateway/Operational log with the following text:

The user “CAMPUS\[username]”, on client computer “”, did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: “NTLM” and connection protocol used: “HTTP”. The following error occurred: “23003”.

I double-checked the groups I had added to the CAP and verified the account I was using should be authorized. I even removed everything and inserted “Domain Users”, which still failed.

I found different entries that also corresponded to each failure in the System log from the Network Policy Service (NPS) with Event ID 4402 claiming:

“There is no domain controller available for domain CAMPUS.”

I know the server has a valid connection to a domain controller (it logged me into the admin console). But I double-checked using NLTEST /SC_QUERY:CAMPUS. Yup; all good.

A few more Bingoogle searches and I found a forum post about this NPS failure. The marked solution just points to a description of the Event ID, but one of the comments contains the solution: the Network Policy Service on the gateway systems needs to be registered. This instruction is not part of the official documentation, though upon re-reading that doc, I now see that someone has mentioned this step in the comments.

In this case, registration simply means adding the computer objects to the RAS and IAS Servers AD group (requires Domain Admin privs). Once I made this change, I was able to successfully connect to a server using the new remote desktop gateway service.

Many thanks to TechNet forum user Herman Bonnie for posting the very helpful comment.
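
One way to check and apply that registration with the ActiveDirectory module, as an added example that is not part of the original post. The gateway host names RDGW01 and RDGW02 are hypothetical; the group name and Event ID 4402 come from the text above.

```powershell
# Added example: verify that each RD Gateway host is registered for NPS,
# i.e. its computer object is a member of the 'RAS and IAS Servers' group.
Import-Module ActiveDirectory

$gateways = 'RDGW01', 'RDGW02'        # hypothetical host names
$group    = 'RAS and IAS Servers'

# Computer accounts currently in the group (SamAccountName ends in '$')
$registered = Get-ADGroupMember -Identity $group |
    Where-Object objectClass -eq 'computer' |
    Select-Object -ExpandProperty SamAccountName

foreach ($gw in $gateways) {
    $computer = Get-ADComputer -Identity $gw

    if ($registered -contains $computer.SamAccountName) {
        Write-Output "$gw is already a member of '$group'"
    }
    else {
        # Remove -WhatIf to make the change; this needs rights to modify the group
        Add-ADGroupMember -Identity $group -Members $computer -WhatIf
    }

    # Recent Event ID 4402 entries in the gateway's System log, if any
    Get-WinEvent -ComputerName $gw -MaxEvents 5 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'
        Id      = 4402
    } | Select-Object MachineName, TimeCreated, Id, Message
}
```
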


Moving OneNote notebooks to SharePoint

You may have noticed that Microsoft OneNote displays a little warning for notebooks stored in your Documents folder.

OneNote notebook warning “may not sync correctly.”

This is because Windows computers that are part of UVM’s Active Directory domain use a feature called Offline Files to make your Documents folder available to you when you’re not on the campus network. (see my Offline Files post for more info.)

The warning shows up because OneNote has its own file sync process, and having another file sync process layer under that can mess up its syncing, theoretically. In my many years of using OneNote, I’ve only seen one (maybe two) situations where this may have created problems. That said, ignoring warnings is generally a bad idea; it makes it easier to miss an issue that really does need attention.

But there is another way: SharePoint.