List all authorized DHCP servers from Active Directory


Here is a PowerShell command to list all authorized DHCP servers from Active Directory. Replace DOMAIN and COM with your domain name in the command below.

Get-ADObject -SearchBase "cn=configuration,dc=DOMAIN,dc=COM" -Filter { ObjectClass -eq 'dhcpclass' } | Select-Object Name | Format-Table -Wrap

I used Format-Table with the -Wrap option to display the full DHCP server name when the name is long.

If you browse to the same location (the SearchBase in the Get-ADObject cmdlet) in AD Sites and Services (with the Services node enabled), you will see the DHCP servers. This command lists those DHCP servers, that’s all.

How to install an unsigned driver (if you have to) in Windows 10?


If you try to install an unsigned driver in Windows 10, you will hit a wall. There is no setting to allow unsigned drivers like there was in older Microsoft operating systems. This guide shows you how to enable unsigned drivers (& risk making Windows 10 unstable).

Follow the steps to enable unsigned drivers in Startup Options:

1. Reboot the computer with this command:

SHUTDOWN.exe /R /O /F /T 00

/R is for Reboot

/O is to reboot to options menu

/F forces the reboot

/T is timer – we set to reboot right away

 

2. After reboot to Options screen, Choose Troubleshoot.

3. In Troubleshoot screen, Choose Advanced Options

4. In Advanced Options screen, choose Startup Settings

5. In Startup Settings, Click Restart.

6. After reboot, press 7 or F7 to disable driver signature enforcement.

https://i2.wp.com/theitbros.com/wp-content/uploads/2015/12/windows_10_startup_settings.jpg

7. Selecting the option results in a reboot one last time.

Now try installing the unsigned driver.

Active Directory: Why can’t the protected account permissions be changed? What is AdminSDHolder?


If you try any one of the things below on accounts that are members of Domain Admins, Account Operators or any other protected group, you know it can’t be done.

  • Changing permissions (add/remove/modify perms in security tab of the account properties window)
  • Enabling Permission Inheritance (to activate an ActiveSync account on the Administrator’s device)
  • Low-level admins (Account Operators) try to modify high-level admin accounts (e.g, Domain Admins, Enterprise Admins)

If you do any one of those actions above, it will be reset in 60 minutes automatically. The third action will be denied right away. Why is that? It is to protect the protected accounts from being hacked. This feature was first introduced in Active Directory in Windows 2000 Server. Here is a detailed explanation from Microsoft.

Active Directory Domain Services uses AdminSDHolder, protected groups and Security Descriptor propagator (SD propagator or SDPROP for short) to secure privileged users and groups from unintentional modification. This functionality was introduced in the inaugural release of Active Directory in Windows 2000 Server and it’s fairly well known. However, virtually all IT administrators have been negatively impacted by this functionality, and that will continue unless they fully understand how AdminSDHolder, protected groups and SDPROP work.
Each Active Directory domain has an object called AdminSDHolder, which resides in the System container of the domain. The AdminSDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of built-in privileged Active Directory groups (what I like to call “protected” groups). Every hour, a background process runs on the domain controller that holds the PDC Emulator operations master role. It compares the ACL on all security principals (users, groups and computer accounts) that belong to protected groups against the ACL on the AdminSDHolder object. If the size or the binary string is different, the security descriptor on the object is overwritten by the security descriptor from the AdminSDHolder object.
As you can see, multiple layers of security are incorporated into this functionality. First, the permissions applied to users belonging to protected groups are more stringent than the default permissions applied onto other user accounts. Next, the default behaviour is that inheritance is disabled on these privileged accounts, ensuring that permissions applied at the parent level aren’t inherited by the protected objects, regardless of where they reside. Finally, the background process running every 60 minutes identifies manual modifications to an ACL and overwrites them so that the ACL matches the ACL on the AdminSDHolder object.

For more information check HERE.
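
The comparison SDPROP performs can be reproduced read-only as an audit. This is an added example, not part of the original post or of the Microsoft text; it assumes the ActiveDirectory module (RSAT) and relies on the adminCount attribute, which the text above does not mention, to find the objects SDPROP has stamped.

```powershell
# Added example: read-only audit of objects governed by AdminSDHolder.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"
$daclOnly = [System.Security.AccessControl.AccessControlSections]::Access

# The reference ACL. Every entry here is copied to all protected accounts,
# so review it for principals that should not be there.
$holderAcl = Get-Acl -Path "AD:\$holderDN"
$holderAcl.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Sort-Object IdentityReference | Format-Table -Wrap

$holderSddl = $holderAcl.GetSecurityDescriptorSddlForm($daclOnly)

# adminCount=1 marks the users, groups and computers SDPROP has stamped.
$report = Get-ADObject -LDAPFilter '(adminCount=1)' | ForEach-Object {
    $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    [pscustomobject]@{
        Name                 = $_.Name
        Class                = $_.ObjectClass
        InheritanceDisabled  = $acl.AreAccessRulesProtected
        MatchesAdminSDHolder = $acl.GetSecurityDescriptorSddlForm($daclOnly) -eq $holderSddl
    }
}

# Rows listed here had their ACL changed since the last SDPROP pass, or have
# left the protected groups (adminCount is not cleared on removal).
$report | Where-Object { -not ($_.MatchesAdminSDHolder -and $_.InheritanceDisabled) } |
    Format-Table -Wrap
```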

How to bulk add SPAM white and black list in Exchange Online Protection?


I hope you have text files with your SPAM white and black lists. If so, it’s just a matter of running the PowerShell commands after connecting to Exchange Online.

If you created custom SPAM filter policy, replace “default” in Identity property with your custom filter policy name in the commands below.

Create different text files for Allowed and Blocked email addresses. Also create different text files for allowed and blocked email domain names.

The first line should be “Recipients” in all the text files.

Bulk add SPAM White List (email addresses)

Import-Csv "C:\..\AllowedEmails.csv" | foreach {Set-HostedContentFilterPolicy -Identity Default -AllowedSenders @{add=$_.Recipients}}

Bulk add SPAM Block List (email addresses)

Import-Csv "C:\..\BlockedEmails.csv" | foreach {Set-HostedContentFilterPolicy -Identity Default -BlockedSenders @{add=$_.Recipients}}

Bulk add SPAM White List (email domains)

Import-Csv "C:\..\AllowedDomains.csv" | foreach {Set-HostedContentFilterPolicy -Identity Default -AllowedSenderDomains @{add=$_.Recipients}}

Bulk add SPAM Block List (email domains)

Import-Csv "C:\..\BlockedDomains.csv" | foreach {Set-HostedContentFilterPolicy -Identity Default -BlockedSenderDomains @{add=$_.Recipients}}
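
Allow-list entries are the ones worth checking before import, since a typo or an over-broad entry ends up in the policy unnoticed. The following is an added example, not from the original post, that validates the one-column "Recipients" files described above and previews a single update per policy; the function name Get-ValidatedList, the simple regex checks and the sample files are assumptions made for illustration.

```powershell
# Added example. Reads the one-column CSV format (header "Recipients"),
# drops malformed rows and duplicates, and returns the clean list.
function Get-ValidatedList {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('Address', 'Domain')][string]$Kind
    )
    # Simple sanity checks (an assumption, not a full RFC 5322 validator).
    $patterns = @{
        Address = '^[^@\s]+@[a-z0-9-]+(\.[a-z0-9-]+)+$'
        Domain  = '^[a-z0-9-]+(\.[a-z0-9-]+)+$'
    }
    $clean = foreach ($row in Import-Csv -Path $Path) {
        $value = "$($row.Recipients)".Trim().ToLowerInvariant()
        if ($value -match $patterns[$Kind]) { $value }
        elseif ($value) { Write-Warning "Skipped malformed $Kind entry: '$value'" }
    }
    @($clean | Sort-Object -Unique)
}

# Constructed sample files (placeholder senders, not real data).
$dir = Join-Path ([IO.Path]::GetTempPath()) 'eop-lists'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$allowFile = Join-Path $dir 'AllowedEmails.csv'
$blockFile = Join-Path $dir 'BlockedEmails.csv'
Set-Content $allowFile 'Recipients', 'alice@example.com', 'Bob@Example.org ', 'not-an-address'
Set-Content $blockFile 'Recipients', 'bob@example.org', 'mallory@example.net'

$allowed = @(Get-ValidatedList -Path $allowFile -Kind Address)
$blocked = @(Get-ValidatedList -Path $blockFile -Kind Address)

# An entry in both lists is a mistake; keep the block and drop the allow.
$conflicts = @($allowed | Where-Object { $blocked -contains $_ })
if ($conflicts) { Write-Warning "In both lists, not allowing: $($conflicts -join ', ')" }
$allowed = @($allowed | Where-Object { $conflicts -notcontains $_ })

# One call per policy instead of one per row; -WhatIf previews the change.
# Runs only in a session connected to Exchange Online.
if ($allowed -and $blocked -and
    (Get-Command Set-HostedContentFilterPolicy -ErrorAction SilentlyContinue)) {
    Set-HostedContentFilterPolicy -Identity Default -WhatIf `
        -AllowedSenders @{Add = $allowed} -BlockedSenders @{Add = $blocked}
}
```

Remove -WhatIf once the preview shows the intended entries. The same function handles the domain files with -Kind Domain.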

I hope it saved you some time on your research. Leave me a reply if it did.

Exchange: How to mail-enable the security group?


Say you have an AD security group that you want to convert to a distribution group. (When do we stop calling it Distribution List…I always said DL. Now it’s distribution group..whatever!!)

It’s a very easy task. There is only one requirement.

Security group must be a Universal Group.

If it is not a universal group already, go ahead and change it in Active Directory (Users and Computers console).

Open Exchange Admin (Power)Shell and type this:

Enable-DistributionGroup -Identity "Your Security Group Name"

That’s it. You are done. To verify, open ADUC and check the group type. It should have gained an email address and it will show up in Exchange Admin Center under Groups.

If you really, really want to do it in a GUI instead of PowerShell, follow the instructions below.

1. Open Exchange Admin Center
2. Go to Recipients ==> Groups
3. Click + to add a new group, choose Existing group
4. Select your AD Security Group and follow the wizard.

Enjoy.

Exchange: How to restrict conference room only to specific users?


By default, a resource mailbox processes meeting requests from all users. What if you need to restrict booking of a resource to specific users?

All my investigation pointed to doing this:

Set-CalendarProcessing -Identity resourcename@domain.com -AllBookInPolicy:$false

Set-CalendarProcessing -Identity resourcename@domain.com -BookInPolicy "username1","username2","username3"

Now I checked what AllBookInPolicy means and TechNet says “The AllBookInPolicy parameter specifies whether to automatically approve in-policy requests from all users.” OK, sounds like a correct setting.

Then I checked what BookInPolicy means, “The BookInPolicy parameter specifies a comma-separated list of users who are allowed to submit in-policy meeting requests to the resource mailbox. Any in-policy meeting requests from these users are automatically approved.”

BookInPolicy means that it will automatically approve all meeting requests regardless of availability. That’s NOT good. And this solution didn’t work for me.

So I got creative and decided to do this:

Set-Mailbox -Identity "resourcename@domain.com" -AcceptMessagesOnlyFrom "username1","username2","username3"

Ta-da! That satisfies the requirement that only specific users can book the resource by sending meeting requests. And the resource mailbox automatically processes the meeting requests, accepting or rejecting them depending upon availability. <.. Evil Genius laugh ..> 😮

Mac: Outlook throws an error when composing emails: “Some of the files in this Web page aren’t in the expected location”


You are getting this error whenever you compose a new email or reply to an email.

It means your HTML signature has a badly formatted hyperlink or “Text to display” property.

To fix this issue, you can delete the signature and create a new one, or find the bad hyperlink in your signature and fix it.

  • Open Outlook –> Preferences –> Signatures
  • Right click (on each) hyperlink and choose Hyperlink –> Edit Hyperlink
  • Verify and fix the “Text to Display” and Address fields.

That’s it. Send your emails in peace. 🙂