
“Insufficient Permission” shown in DirSync’s MIISClient.exe

June 24th, 2014 by Jabez Gan [MVP]

Lately, I had an issue with Office 365's MIISClient.exe.


MIISClient.exe shows that a bunch of user accounts failed to sync with the error “Insufficient Permission”.


Certain permissions needed by the MSOL service account went missing (for whatever reason!). All we had to do was re-check the permissions.

Step 1: Run the Azure Active Directory Sync tool Configuration Wizard

Make sure that the latest version of the Directory Sync tool is installed and that you run the Azure Active Directory Sync tool Configuration Wizard. When you run the wizard, one screen prompts you to enable rich coexistence. Complete the wizard, and then start directory synchronization.

Alternatively, you can run the Enable-MSOnlineRichCoexistence cmdlet after the Directory Sync tool is installed to enable the write-back feature. This cmdlet must be run by using enterprise credentials or should be run by the enterprise admin.

Step 2: Confirm MSOL_AD_Sync_RichCoexistence permissions

If step 1 doesn’t resolve the issue, check that the MSOL_AD_Sync user belongs to the MSOL_AD_Sync_RichCoexistence group and that the group has Allow permissions to the user who is experiencing the issue, where write-back is not working for the following attributes:

  • msExchSafeSendersHash
  • msExchBlockedSendersHash
  • msExchSafeRecipientHash
  • msExchArchiveStatus
  • msExchUCVoiceMailSettings
  • ProxyAddresses

To do this, follow these steps:

  1. In Active Directory, make sure that the MSOL_AD_Sync_RichCoexistence group exists and that the MSOL_AD_Sync user is a member of the group.
  2. In the on-premises environment, use Active Directory Users and Computers to open the user properties for the user who is experiencing the issue.
  3. On the Security tab, click Advanced.

    You must enable advanced features to complete step 3.
  4. Make sure that the MSOL_AD_Sync_RichCoexistence group is listed. If it’s not listed, add the group, and then make sure that the group is granted Allow permissions to write to the attributes that are listed previously.

Note: Step 2 may be required if the object does not inherit permissions from the parent. This issue may be resolved by making sure that the object inherits permissions from the parent object.
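
The checks in Step 2 can also be read from the object's ACL instead of clicking through the Security tab. The following is an added example, not part of the KB article or the original post: a read-only audit that reports, per attribute, whether the group has an Allow write ACE on the user and whether the object blocks inheritance. It assumes the RSAT ActiveDirectory module; the function name and the account 'jdoe' are hypothetical.

```powershell
# Added example: read-only audit of the Step 2 checks for one user; it changes nothing.
# Assumes the RSAT ActiveDirectory module. 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

function Test-RichCoexistenceAcl {
    param(
        [Parameter(Mandatory = $true)] [string] $UserSamAccountName,
        [string] $GroupName   = 'MSOL_AD_Sync_RichCoexistence',
        [string] $SyncAccount = 'MSOL_AD_Sync'
    )
    $attributes = 'msExchSafeSendersHash', 'msExchBlockedSendersHash', 'msExchSafeRecipientHash',
                  'msExchArchiveStatus', 'msExchUCVoiceMailSettings', 'proxyAddresses'

    # Check 1: the sync account is a member of the write-back group.
    $members  = Get-ADGroupMember -Identity $GroupName -Recursive |
                Select-Object -ExpandProperty SamAccountName
    $isMember = @($members) -contains $SyncAccount

    # Resolve each attribute to its schemaIDGUID; ACEs reference attributes by that GUID.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $guidOf   = @{}
    foreach ($name in $attributes) {
        $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
        if ($schemaObj) { $guidOf[$name] = [guid]$schemaObj.schemaIDGUID }
    }

    # Check 2: Allow ACEs on the user object that give the group WriteProperty.
    $sd    = (Get-ADUser -Identity $UserSamAccountName -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $aces  = @($sd.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$GroupName" -and
        (($_.ActiveDirectoryRights -band $write) -eq $write)
    })

    foreach ($name in $attributes) {
        # An ACE covers the attribute when scoped to its GUID or to all properties (empty GUID).
        # Simplification: Deny ACEs and InheritedObjectType scoping are not evaluated.
        $hit = $aces | Where-Object { $_.ObjectType -eq $guidOf[$name] -or $_.ObjectType -eq [guid]::Empty }
        New-Object PSObject -Property @{
            Attribute          = $name
            SyncAccountInGroup = $isMember
            InheritanceBlocked = $sd.AreAccessRulesProtected   # True = object does not inherit from parent
            GroupCanWrite      = [bool]$hit
        }
    }
}

Test-RichCoexistenceAcl -UserSamAccountName 'jdoe' |
    Format-Table Attribute, SyncAccountInGroup, InheritanceBlocked, GroupCanWrite -AutoSize
```

A row with InheritanceBlocked = True and GroupCanWrite = False matches the case described in the note above, where the object does not inherit permissions from the parent.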


Source: Microsoft KB 2406830

Hope this helps! :)


Enable Legal Hold by using PowerShell

June 23rd, 2014 by Jabez Gan [MVP]


You have purchased some Office 365 E3 plans and have assigned the Office 365 E3 licenses to the users.

You would like to activate Legal Hold for these users in bulk, using PowerShell.

Script to Activate:

    # First you need to be connected to the Exchange PowerShell.
    $pagesize = 100   # The number of mailboxes per loop
    $inc = 0          # Start increment value
    # Continue until all mailboxes are litigation hold enabled
    do {
        Write-Output "Getting mailboxes"
        # Get user mailboxes that do not have litigation hold enabled
        $mailboxes = Get-Mailbox -Filter {LitigationHoldEnabled -eq $false -and RecipientTypeDetails -eq "UserMailbox"} -ResultSize $pagesize -WarningAction SilentlyContinue
        # @() keeps .Count correct when only a single mailbox is returned
        if ($mailboxes) { Write-Output ("Current mailbox count: {0}" -f ($inc += @($mailboxes).Count)) }
        # Enable litigation hold
        $mailboxes | Set-Mailbox -LitigationHoldEnabled $true -WarningAction SilentlyContinue
    } while ($mailboxes)

Source: Goodworkaround.com


Free/busy not working in Hybrid

June 16th, 2014 by Jabez Gan [MVP]

In a Hybrid deployment, lately I had experienced that:

1. On-premise users can see cloud users’ free/busy

2. Cloud users can't see on-premise users' free/busy


Note: the below may not solve your problem, but it should lead you to the right way to brute force your way to solve the problem lol


1. Try out the Hybrid Free/Busy Troubleshooting Tool.

2. Check out: User can’t view free/busy information for a remote user in a hybrid deployment of on-premises Exchange Server and Exchange Online in Office 365

3. Did an IISRESET as recommended: http://jesperstahle.azurewebsites.net/?p=242

4. Update/Refresh the Federation Metadata. See this blog for more information.

  • Connect to Exchange Online in PowerShell
  • Execute:
  • Get-FederationTrust | Set-FederationTrust -RefreshMetadata

5. Execute the free/busy test from Microsoft Remote Analyzer

6. Ensure that in all Exchange Servers (including the inactive ones located in the DR sites), the Get-WebServicesVirtualDirectory has the correct ExternalURL: https://mail.contoso.com/ews/exchange.asmx (and is routable from the internet)

Get-WebServicesVirtualDirectory -Identity "ServerName\EWS (Default Web Site)"


Leave a comment if it’s still not working. No promise that I can help you fix, but I’ll try :)


Office 365 – Unable to remove verified Domain name

June 25th, 2013 by Jabez Gan [MVP]


When you are trying to delete a verified domain name in Office 365, an error pops up saying that some users or Office365 services are still attached to the domain.

Root Cause:

Just like what the error said, some of the Office 365 services or users are still attached/assigned to the domain name that you are trying to remove.


Things to check:

  1. Ensure that no users are associated with the domain that you are trying to delete. You can verify this by going into Users And Groups, and Edit a user. Ensure that the domain you are trying to delete, eg, abc.com, is not listed there.
  2. Ensure that no security groups/distribution groups have the accounts attached to abc.com. Security groups/distribution groups can be accessed by logging into Office 365, clicking on Users And Groups, and clicking on Security Groups.
  3. If you have just deleted the users, or changed the domain for each individual user, you will need to wait for a while (1 min?) as it will need to sync the changes to the different Office365 service settings.
  4. If the accounts are uploaded by Dirsync, you will need to stop the Dirsync synchronization to change the accounts to Cloud Only accounts. Then, you will need to do steps 1-3 above to delete the security groups; and/or manually modify the e-mail address fields in Office 365, Exchange Online.


Implementing Office 365 with Exchange Hybrid

May 25th, 2013 by Jabez Gan [MVP]


You have a customer. They are on Exchange on-premise. You want to implement Office 365 with Exchange hybrid. Which Exchange Server versions are supported in Hybrid mode?


| On-premises environment | Exchange 2010-based hybrid with tenant version v14 | Exchange 2010-based hybrid with tenant version v15 | Exchange 2013-based hybrid with tenant version v15 |
|---|---|---|---|
| Exchange 2013 (CU1) | Not supported (1) | Not applicable | Supported |
| Exchange 2010 SP3 | Supported | Supported | Supported (5) |
| Exchange 2010 SP2 | Supported | Not supported (2) | Not supported |
| Exchange 2010 SP1 | Supported | Not supported (2) | Not supported |
| Exchange 2007 SP3 RU10 | Supported (3) | Supported (4) | Supported (5) |
| Exchange 2007 SP3 | Supported (3) | Not supported | Not supported |
| Exchange 2003 SP2 | Supported (3) | Supported (4) | Not supported |

(1) Blocked in Exchange 2013 setup
(2) Tenant upgrade notification provided in Exchange Management Console
(3) Requires at least one on-premises Exchange 2010 SP2 server
(4) Requires at least one on-premises Exchange 2010 SP3 server
(5) Requires at least one on-premises Exchange 2013 CU1 or greater server


Bing with video background?

May 24th, 2013 by Jabez Gan [MVP]

Bing is famous for having a different background picture whenever someone browses to Bing. However today onwards, when browsing to Bing using a HTML5 supported browser, it will show a video in the background.

What do you think? Waste of bandwidth?

Source: Bing Blog at http://www.bing.com/community/site_blogs/b/search/archive/2011/09/23/something-new-on-the-homepage.aspx?form=pgbar1


Office365 – Dirsync not synchronizing fully

April 19th, 2013 by Jabez Gan [MVP]


Directory sync is located in the internal network and is behind a TMG proxy. TMG Proxy has been configured to allow Directory Sync to access HTTPS of the internet.


With Directory Sync installed, the synchronization fails from time to time after a few hours of sync (we have >10,000 objects to be synced to the cloud).

Root Cause:

Directory sync should have direct connection to the internet. It is known to create issues if it is behind a TMG Proxy.


PowerShell to create Distribution Group in Exchange 2010/Office365

April 14th, 2013 by Jabez Gan [MVP]

When setting up Office365/Exchange 2010, it is very common to assist the customer to create distribution groups.


This is my way to script it to speed up the creation of the distribution groups:

1. Create a CSV file for each distribution group. For my case, I have _AllStaff.CSV created. See below link for the sample of the file.



2. Use Powershell and run the following:


(The above should be the filename of your CSV file).


New-DistributionGroup -Name "_All Staff" -Alias $name -PrimarySmtpAddress "$name@abc.com" -MemberDepartRestriction Closed

(Modify the bold items to the right Distribution Group name and domain name)


Import-Csv "D:\$name.csv" | foreach { Add-DistributionGroupMember -Identity "$name@abc.com" -Member $_.EmailAddress }

(Point the location to the CSV file, and also specify the correct distribution group name)


What’s your way in creating the distribution group?


Creating X500 addresses in Office365/Exchange Online using PowerShell

March 4th, 2013 by Jabez Gan [MVP]

Recently I was doing an email migration from Exchange On-premise to Office365, and the customer’s environment is not suitable to use Dirsync.

This means that I will need to export the X500 address from my local Active Directory and import it into Office365.

Here are the brief steps if you are facing this issue:

Export the LegacyExchangeDN and mail field in your AD:
1. In your DC server, run Command Prompt
2. Run the command:
csvde -f c:\sample.csv -l legacyexchangedn,mail

Now, with that .csv file, make sure that it has a “mail” and “legacyexchangedn” under the heading. See my attached sample file: sample CSV with LegacyExchangeDN

Import the legacyexchangedn/X500 into Office365/Exchange Online using PowerShell:

1. Connect to Exchange Online using PowerShell
2. Run the command:

Import-CSV C:\sample.csv | foreach {
    $user = Get-Mailbox $_.mail
    # Append the exported LegacyExchangeDN as an X500 proxy address
    $user.EmailAddresses += "X500:" + $_.legacyexchangedn
    Set-Mailbox $_.mail -EmailAddresses $user.EmailAddresses
}

To check if the address has been added:
Get-Mailbox $user | FL emailaddresses


IIS in Workgroup, Clustered File Server in a Domain – Access Denied

February 28th, 2013 by Jabez Gan [MVP]


IIS Servers in a DMZ Zone, configured in a Workgroup.

Clustered File Servers in the corporate network, in a Domain environment.

All servers are running Windows Server 2008 R2.



When IIS web app tries to access the clustered file server hosted in the domain, it shows Access Denied.


Path to Solution:

On running Procmon.exe, w3wp.exe shows that it is trying to authenticate using whichever account. So I check my IIS Config and make sure that it is using an account which has rights to access the cluster file server in the domain.

Solution 1 – Ensure that your IIS is configured correctly with a user account that has the access rights to the cluster file server.

Specify the correct user account under Identity in the Advanced Setting









Select the Application Pool that this web application should use.

If the above does not solve the problem, please continue with Solution 2.


Solution 2 – Ensure that the username and password are the same between the domain server and the Workgroup IIS Server

If my clustered file server is using the following name:

User: domain\webapp
Password: Pa$$w0rd

Then my Workgroup IIS Server should have a local user created with the following name:

User: IISSERVER\webapp
Password: Pa$$w0rd

(IISSERVER is the name of the IIS Server)

(Make sure that all of your IIS Servers have the same username and password created as well)


Solution 3 – Use ICACLS.EXE to provide the rights to the clustered files

Now that you have the same user created on both servers (Domain and Workgroup), we will have to use ICACLS.exe to provide the permission (No, using the GUI does not work):

1. Map the shared cluster to Y: Drive

2. Open Command Prompt and execute the following:


(Replace SHAREDFOLDER with the folder that your web application needs to access; replace WEBAPP with the username that you created in Solution 2)


Hope this helps someone out there!


Want to use MS Exchange without burning your company’s pocket? Try Microsoft Online

January 23rd, 2013 by Jabez Gan [MVP]

Microsoft Online Services has been launched in Malaysia for quite a while. This means that Malaysian companies can finally use Exchange Online, Sharepoint Online, Live Meeting and Office Communicator hosted in Microsoft's data center.

Before we talk further, it’s always about the cost which entices the readers/bosses. Let me do a quick $$ breakdown:

(Sorry – the following will be in Ringgit Malaysia.)

SME (50 users)

- Decent System Administrator: RM3000 (monthly), or RM36,000 (yearly)
- Server hardware (with server redundancy, with license for 50 users): RM15,000 (one time)
Total: RM51,000

For Microsoft Online Services (with Exchange, OCS, Live Meeting and Sharepoint)

- RM33/user/month x 50 users x 12 months = Total: RM19,800

As you can see, Microsoft Online is a cheaper alternative to maintain your own IT infrastructure.

This is just a rough estimation.

What do you think?

For more information about Microsoft Online Services, you can click on this link.

Note: This calculation is very subjective and may not reflect everybody’s opinion.


Windows 8 – To come integrated with Anti Virus

January 18th, 2013 by Jabez Gan [MVP]

Folks! Good news for the consumers of Windows, and bad news for anti virus vendors.

In the next version of Windows 8, anti virus application will be integrated together with Windows Defender, which is used to block spyware and protect from slow performance due to certain applications. However, Windows Defender will be extended to include anti virus in Windows 8.

This potentially means that it is no longer necessary to purchase and install third party anti virus software like Norton, McAfee or Sophos.

In the Windows XP and older era, consumers and businesses would purchase firewall applications for all PCs. Once Windows XP SP2 introduced both incoming and outgoing monitoring, purchasing a firewall application became an optional item for enterprise customers.

With integrated anti virus in Windows 8, would this further decrease the profit and growth of major security vendors out there?

What are your thoughts?


Lync for Android or iOS not able to sign in? But Lync client works?

January 3rd, 2013 by Jabez Gan [MVP]

Lync for Android and iOS were launched recently. However, automatic sign in does not work for Lync/Lync Online (Office365).

Using Lync client on PC and Mac, it signs in fine; however, when trying to sign onto Lync using Lync Server or Lync Online, it fails to sign on.

As part of setting up the domain in Office365, it is missing a few CNAME records for Lync.

Add the following 2 more CNAME records into the DNS of your domain:




Creating Users in Bulk without Dirsync on Office365

January 1st, 2013 by Jabez Gan [MVP]

If your customer has an environment that can't set up Dirsync (perhaps they are not on Windows Server 2003 DC and above), and you want to create users manually, here is what you should do:

1. Create a CSV and use Administrative Portal | Users | Add Bulk Users to import the users.

2. Export the X500 addresses from Exchange 2003 server (You can refer to this link on how to do it).

3. Import the X500 addresses that you have exported from your local Exchange 2003 to Office365. You will have to do the following in Exchange Online Powershell:

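$foo = Get-Mailbox jabez
$foo.EmailAddresses += "X400:C=Malaysia;DC=domain;DC=com"
# Pass the updated list explicitly; piping the modified object to Set-Mailbox only supplies the identity
Set-Mailbox jabez -EmailAddresses $foo.EmailAddresses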


If you are doing a temporary co-existence without using the recommended approach (Exchange 2010 Hybrid), you may also want to:

1. Create mail-enabled users with external email addresses to @tenant.onmicrosoft.com. If you have 100 Exchange on-premise users, then you will have to create 100 extra mail-enabled users that point to the @tenant.onmicrosoft.com email accounts.

2. Create a forwarding from the Exchange on-premise to Office365


Additional Microsoft Online Speed Test Links

November 1st, 2012 by Jabez Gan [MVP]

Again, given the importance of fast connectivity to cloud offerings, here are extra links that give you more accurate speed details for the cloud.

Use the following appropriate links to do your own speed test based on your Office365 service location:

APAC: http://speedtest.apac.microsoftonline.com/

EMEA: http://speedtest.emea.microsoftonline.com/

US: http://speedtest.microsoftonline.com/


For Lync:

Let me know if this helps!
