Configuring mailbox permissions on a hybrid setup

Really useful stuff here: https://cloudrun.co.uk/exchange-online/configure-exchange-hybrid-mailbox-permissions-during-migration-to-exchange-online/  

 

Run this in the Exchange Management Shell on the on-premises server. It converts the on-prem mailbox object into a mail user whose target address points at the cloud mailbox:

 Enable-MailUser stephen.d -ExternalEmailAddress [email protected]

Then run the following in a normal PowerShell session (ActiveDirectory module loaded), or set the attributes by hand in ADSI Edit. The three values stamp the object as a remote (Exchange Online) mailbox so on-prem Exchange treats it as one:

Set-ADUser stephen.d -Replace @{msExchRecipientDisplayType = "-2147483642"}    (default was 6)

Set-ADUser stephen.d -Replace @{msExchRecipientTypeDetails = "2147483648"}   (default was 128)

Set-ADUser stephen.d -Replace @{msExchRemoteRecipientType = "4"}    (default was not set)
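The three Set-ADUser calls above in one function, with a sanity check before writing and a read-back afterwards. This is an added example, not code from the original page or from the linked article; it assumes the ActiveDirectory module is available, that the account is stephen.d, and that Enable-MailUser has already been run against it (which is what the check enforces).

```powershell
# Added example (not from the original page). Converts an on-prem mail user into a
# remote-mailbox stub after Enable-MailUser has been run, then reads the result back.
# Assumes the ActiveDirectory module is installed and the account is 'stephen.d'.
Import-Module ActiveDirectory

function Set-RemoteMailboxAttributes {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [switch] $WhatIf
    )
    $attrs = 'msExchRecipientDisplayType', 'msExchRecipientTypeDetails',
             'msExchRemoteRecipientType', 'targetAddress'
    $user = Get-ADUser -Identity $SamAccountName -Properties $attrs

    # Enable-MailUser leaves RecipientTypeDetails = 128 (MailUser) and sets targetAddress.
    # Refuse to stamp remote-mailbox values onto anything else: doing it to an object that
    # is still a plain mailbox, or one with no routing address, breaks mail flow for that user.
    if ($user.msExchRecipientTypeDetails -ne 128 -or -not $user.targetAddress) {
        throw ("{0} is not a mail user (RecipientTypeDetails={1}, targetAddress='{2}'); run Enable-MailUser first." -f
               $SamAccountName, $user.msExchRecipientTypeDetails, $user.targetAddress)
    }

    # Values from the page: -2147483642 = remote user mailbox (display type),
    # 2147483648 = RemoteUserMailbox (recipient type details), 4 = migrated remote mailbox.
    $new = @{
        msExchRecipientDisplayType = -2147483642
        msExchRecipientTypeDetails = 2147483648
        msExchRemoteRecipientType  = 4
    }
    Set-ADUser -Identity $SamAccountName -Replace $new -WhatIf:$WhatIf

    # Re-read so the caller sees what is actually in AD, not what we intended to write.
    Get-ADUser -Identity $SamAccountName -Properties $attrs |
        Select-Object SamAccountName, targetAddress, msExchRecipientDisplayType,
                      msExchRecipientTypeDetails, msExchRemoteRecipientType
}

# Dry run first, then apply.
Set-RemoteMailboxAttributes -SamAccountName 'stephen.d' -WhatIf
Set-RemoteMailboxAttributes -SamAccountName 'stephen.d'
```

Run it from a normal PowerShell session rather than the Exchange Management Shell, as the page says; the values are written in one -Replace so a failure part-way through does not leave the object half-converted.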

Grant Send on Behalf permissions via powershell

We can grant send on behalf permission on an Exchange mailbox with the PowerShell cmdlet Set-Mailbox and its GrantSendOnBehalfTo parameter. Use the command below:
Set-Mailbox "[Identity]" -GrantSendOnBehalfTo @{add="[User]"}
[Identity] - The mailbox on which the send on behalf permission is to be added.
[User] - The user being granted the send on behalf permission.

The following command grants "Morgan" send on behalf permission on Kevin's mailbox.
Set-Mailbox "Kevin" -GrantSendOnBehalfTo @{add="Morgan"}
You can also grant permission to multiple users by giving the user names as comma-separated values.
Set-Mailbox "Kevin" -GrantSendOnBehalfTo @{add="User1","User2"}
The @{add=...} form appends to the existing send on behalf list and does not overwrite it (which is what you want in most cases; passing a plain list such as -GrantSendOnBehalfTo "Morgan" replaces the whole list). You can check the applied permissions with the command below.
Get-Mailbox "Kevin" | Select -ExpandProperty GrantSendOnBehalfTo | Select Name,Parent
Hybrid note: once a mailbox has been moved to Exchange Online it is a remote mailbox on-premises, so the on-prem Set-Mailbox will no longer find it. Use Set-RemoteMailbox -GrantSendOnBehalfTo on-premises (or Set-Mailbox in an Exchange Online PowerShell session) instead.

Grant Send-on-Behalf permission for multiple user mailboxes

We can use the Exchange Management Shell cmdlet Get-Mailbox to get a specific set of user mailboxes and pipe the results to Set-Mailbox. The following command grants "Morgan" send on behalf permission on every mailbox. Get-Mailbox returns only the first 1000 results by default, so add -ResultSize Unlimited or a bulk change will silently skip the rest.
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -GrantSendOnBehalfTo @{add="Morgan"}
You can also filter in Get-Mailbox to select a particular set of users. The following selects mailbox users from TestOU and pipes them to Set-Mailbox to grant send on behalf rights (Get-Mailbox -OrganizationalUnit "TestDomain.com/TestOU" does the same filtering server-side).
Get-Mailbox -ResultSize Unlimited | Where {$_.DistinguishedName -like "*OU=TestOU,DC=TestDomain,DC=com*"} |
Set-Mailbox -GrantSendOnBehalfTo @{add="User1","User2"}
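The single-mailbox grant and the OU-wide grant from the two sections above, as an added example that is not code from the original page. It assumes an Exchange Management Shell (or Exchange Online PowerShell) session; the mailbox "Kevin", the delegate "Morgan" and the OU path "TestDomain.com/TestOU" are the placeholders used in the text. It only adds delegates that are missing, so re-running it is safe, and it includes the report you need when auditing who can send on behalf of whom.

```powershell
# Added example (not from the original page). Assumes an Exchange Management Shell or
# Exchange Online PowerShell session; names and OU path are placeholders from the text.

function Grant-SendOnBehalf {
    # Appends $Delegates to the Send on Behalf list of one mailbox or of every mailbox in an OU.
    param(
        [Parameter(Mandatory)] [string[]] $Delegates,
        [string] $Identity,              # a single mailbox, or
        [string] $OrganizationalUnit,    # every mailbox under this OU
        [switch] $WhatIf
    )
    $targets = if ($Identity) {
        Get-Mailbox -Identity $Identity
    } else {
        # -ResultSize Unlimited: the default cap of 1000 would silently truncate a bulk change.
        Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited
    }
    foreach ($mbx in $targets) {
        # Only add delegates that are not already present, so re-runs are no-ops.
        $existing = @($mbx.GrantSendOnBehalfTo | ForEach-Object { $_.Name })
        $missing  = @($Delegates | Where-Object { $existing -notcontains $_ })
        if ($missing.Count -eq 0) { continue }
        Set-Mailbox -Identity $mbx.Identity -GrantSendOnBehalfTo @{add = $missing} -WhatIf:$WhatIf
    }
}

function Get-SendOnBehalfReport {
    # One row per (mailbox, delegate) pair for every mailbox that has any Send on Behalf
    # delegate: the view you want when reviewing who is allowed to send as whom.
    param([string] $OrganizationalUnit)
    $params = @{ ResultSize = 'Unlimited' }
    if ($OrganizationalUnit) { $params.OrganizationalUnit = $OrganizationalUnit }
    Get-Mailbox @params |
        Where-Object { $_.GrantSendOnBehalfTo.Count -gt 0 } |
        ForEach-Object {
            $mbx = $_
            foreach ($d in $mbx.GrantSendOnBehalfTo) {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Delegate = $d.Name }
            }
        }
}

# Single mailbox, then a whole OU (dry run first), then the audit view.
Grant-SendOnBehalf -Identity 'Kevin' -Delegates 'Morgan'
Grant-SendOnBehalf -OrganizationalUnit 'TestDomain.com/TestOU' -Delegates 'User1', 'User2' -WhatIf
Get-SendOnBehalfReport -OrganizationalUnit 'TestDomain.com/TestOU' | Format-Table -AutoSize
```

The report is worth keeping around: Send on Behalf is a delegation that survives staff moves, and the GrantSendOnBehalfTo list on each mailbox is the only place it is recorded.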

VMware Workstation Pro can't run on Windows

This issue occurred around June 2019 for older versions of VMware Player and Workstation Pro. The reason for the issue is that Microsoft added those versions to the Windows application compatibility block list, so they refuse to start. Well done Mr Gates.

Fortunately, there is a way around this. Bear in mind that you are switching off a block Microsoft added on purpose: the proper fix is to upgrade to a VMware version that supports your Windows build, and the steps below only suppress the check.

Download the Microsoft ADK from here:

Download the Windows ADK for Windows 10, version 1903

Install it, and ensure you tick the first feature in the installer, "Application Compatibility Tools".

Once installed, launch the "Compatibility Administrator".

Under System Database > Applications > VMWare Workstation Pro

Right-click the .exe entries and disable them.

You're Welcome!

 

Setup Guide for Fortigate SSLVPN with LDAP Authentication and 2FA

Pre-requisites

  • You need your SSL VPN portal and settings configured already
  • You should also have already created your SSL VPN policy (allowing from the SSL VPN interface to your LAN)
  • The above requires you to add a user or group already, you can re-use that group for the items below if desired

Set up LDAP Server

I'm using Active Directory, but you can use any LDAP based directory service. The example below assumes your AD domain is domain.local.

  1. Navigate to User & Device > LDAP Server
  2. Add a new server and enter the settings:
    • Name: this is the friendly name, I usually just put the hostname in
    • Server IP: obvious
    • Server Port: leave this default unless you know what you're doing (389 for LDAP, 636 for LDAPS)
    • Common Name Identifier: This defaults to CN, which means Common Name. That is not what you want: your users are not going to log in as "Bob Smith", they're going to log in as bsmith or [email protected]. Set this to userPrincipalName if you want them to use their UPN ([email protected]) or sAMAccountName if you want them to use just their username.
    • Distinguished Name: You can't use the Browse button until you fill out the rest of this page, but this can just be DC=domain,DC=local. Note: if you choose to scope this further than the domain as listed, your group (in the next section) must be in scope.
    • Bind Type: Regular
    • Username/Password: You can start off with a domain admin for testing, but ultimately you should create an unprivileged service account to use here. The bind account only needs to read users and group membership, and a domain admin password stored on the firewall becomes a domain compromise the day the firewall is breached.
    • Secure Connection/Protocol: I used secure and selected LDAPS. If you don't have LDAPS then don't select it, but be aware that plain LDAP sends the bind password and every user's VPN password across the network in clear text, so set up LDAPS (and have the Fortigate verify the server certificate) before this goes into production.
    • At this point you should be able to Test Connectivity and get a success.

Set up your group

  1. In Active Directory, create a group and add users to it. I called mine SSL VPN Users
  2. In the Fortigate, navigate to User & Device > User Groups
  3. Click on Create New
  4. Name the group the same as you created in AD (this isn't important, just a friendly name)
  5. Select Firewall as the type
  6. Under the Remote Groups section, click Add, select your LDAP server, and then search/select your group.
  7. Important: You have to right click on it and select Add Selected. After that, hit OK, not before.
  8. Hit OK again to save the group
  9. Configure your SSL VPN firewall policy to use this group for authentication

Testing

At this point you should be done, since you already set up your SSL VPN. You should be able to log in as the user now; if you can't, go to Log & Report > VPN Events to see what the error is. You can also use the command diag test authserver ldap "YOUR LDAP SERVER NAME" [email protected] yourpassword to test the LDAP server directly. Its output lists the user's group memberships, so if the test succeeds but the VPN login fails, compare those DNs with the group DN you configured in the user group. Use a test account for this: the password ends up in the CLI history.

How to Permanently Remove Deleted Users from Office 365

Problem

When you delete a user from the Office 365 control panel they are moved into a recycle bin for 30 days so that they can be recovered easily if the deletion was not intended.

However, if you want to permanently remove a deleted user in Office 365 you can use PowerShell. For this task you will need the Azure Active Directory for PowerShell module (MSOnline) installed on your computer. Note that Microsoft has since retired the MSOnline module in favour of the Microsoft Graph PowerShell SDK; the commands below are the original MSOnline ones. Permanent removal cannot be undone, so check the list of deleted users first.

Solution

First, connect to your Azure Active Directory by running Connect-MsolService and entering your admin credentials in the dialog box that appears.

Connect-MsolService

To see a list of the deleted users run Get-MsolUser with the -ReturnDeletedUsers switch.

Get-MsolUser -ReturnDeletedUsers

You can remove a specific deleted user with Remove-MsolUser and the -RemoveFromRecycleBin switch.

Remove-MsolUser -UserPrincipalName [email protected] -RemoveFromRecycleBin
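The same procedure with the Microsoft Graph PowerShell SDK, which replaces the retired MSOnline cmdlets above. This is an added example, not from the original article or the linked reference; it assumes the Microsoft.Graph module is installed, that the caller has the User.ReadWrite.All permission, and that the UPN passed in is a placeholder. The -like match is an assumption based on tenants where Entra prefixes a soft-deleted user's UPN with the object id; an exact string comparison can miss the account in that case.

```powershell
# Added example (not from the original article). Uses the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.DirectoryManagement) instead of the retired MSOnline module.
function Remove-DeletedUserPermanently {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [switch] $WhatIf
    )
    Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

    # Enumerate the recycle bin. Match on the UPN suffix (assumption: Entra may rewrite a
    # soft-deleted user's UPN with an object-id prefix, so an exact compare can miss it).
    $deleted = @(Get-MgDirectoryDeletedItemAsUser -All |
        Where-Object { $_.UserPrincipalName -like "*$UserPrincipalName" })

    if ($deleted.Count -eq 0) {
        throw "No soft-deleted user matching $UserPrincipalName."
    }
    if ($deleted.Count -gt 1) {
        # Never guess when several deleted objects share a suffix; show them and stop.
        $deleted | Select-Object Id, UserPrincipalName, DeletedDateTime | Format-Table -AutoSize | Out-String | Write-Warning
        throw "More than one soft-deleted user matched $UserPrincipalName; refusing to choose."
    }
    $target = $deleted[0]

    # Hard delete is irreversible: mailbox, OneDrive and licence assignments are gone for good.
    if ($WhatIf) {
        "Would permanently delete $($target.UserPrincipalName) (id $($target.Id), deleted $($target.DeletedDateTime))"
        return
    }
    Remove-MgDirectoryDeletedItem -DirectoryObjectId $target.Id
    "Permanently deleted $($target.UserPrincipalName) (id $($target.Id))"
}

# Placeholder UPN; dry run first, then the real removal.
Remove-DeletedUserPermanently -UserPrincipalName 'bob.smith@domain.com' -WhatIf
Remove-DeletedUserPermanently -UserPrincipalName 'bob.smith@domain.com'
```

The function refuses to act when zero or more than one deleted object matches, which is the check you want before an irreversible delete in a tenant where display names and old UPNs get reused.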
References, Links and Images

https://practical365.com/exchange-server/permanently-remove-deleted-users-office-365/