How to configure retention policies for terminated users to ensure that their files are retained for a period of time

OneDrive is a cloud-based storage service provided by Microsoft. If you’re using OneDrive for Business, you can configure retention policies for user accounts that have been terminated to ensure that their files are retained for a specific period of time.

Here’s how to configure OneDrive to retain files for 5 years after a user account is terminated:

1. Sign in to the Microsoft 365 admin center with your admin credentials.

2. Click on … Show all.

3. Click on Compliance under Admin centers.

4. Click on Data lifecycle management.

5. You have options such as Overview, Retention policies, labels, Label policy, Policy lookup and Import.

6. Click the “Create a policy” button and select “Exchange” as the policy type.

7. Enter a name for the policy, such as “OneDrive Retention Policy for Terminated Users”.

8. In the “Policy settings” section, select “Retain deleted items for the following number of days” and enter “1825” (5 years).

9. In the “Apply policy to” section, select “All mailboxes”.

10. Click the “Save” button to create the policy.

Once you’ve created the policy, it will automatically apply to all user accounts that are deleted in the future. The files in their OneDrive accounts will be retained for 5 years after the accounts are terminated, and can be accessed by an administrator if needed.

Note that retention policies only apply to OneDrive for Business, and not to personal OneDrive accounts. Additionally, it’s important to understand that while retention policies can help ensure that data is not lost, they do not provide any guarantee of data privacy or security.

Does Office 365 offer an archive for terminated employees?

Yes, Microsoft Office 365 does offer an archive for terminated employees. This is usually achieved through the use of inactive mailboxes, which allow you to retain the email data of a terminated user for a specified period of time. During this time, you can access the data in the inactive mailbox for compliance and legal purposes.

Once the specified retention period has ended, the data in the inactive mailbox can either be deleted permanently or moved to a longer-term archival solution. This functionality is available in the Exchange Online component of Office 365 and can be configured through the Exchange Admin Center or using PowerShell scripts.

The specified retention period for an inactive mailbox in Office 365 is determined by your organization’s policies and requirements. You can set the retention period to any length of time, and it can be different for different types of data. For example, you may want to retain email data for a longer period of time than other types of data, such as OneDrive files.

The exact steps for setting the retention period for an inactive mailbox in Office 365 will depend on your organization’s setup, but typically involve creating a retention policy and applying it to the inactive mailbox. You can then configure the policy to specify the length of time you want to retain the data and specify what should happen to the data once the retention period has ended.

How to check a PC’s security using Microsoft Defender on Windows 10/11

If you suspect your PC may have been hacked by malware or a virus, you can check it using Microsoft Defender on Windows. This example is based on Windows 11.

1. Click on the Start icon.

2. Click on Settings.

3. Click on Privacy & security.

4. Click on Windows Security.

5. Windows Security will show you any issues. If you do see any problem or Action recommended, click on it to fix the problem.
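The same check can be run from an elevated PowerShell prompt with the Defender cmdlets that ship with Windows 10/11. This is an added example, not part of the original post; the 3-day signature-age threshold is an assumption.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell session.
# If a third-party antivirus is installed, Defender may legitimately report as disabled.

function Get-DefenderFindings {
    # Collect the kind of issues the Windows Security page flags as "Action recommended".
    $s = Get-MpComputerStatus
    $findings = @()
    if (-not $s.AMServiceEnabled)          { $findings += 'Defender service is not running' }
    if (-not $s.AntivirusEnabled)          { $findings += 'Antivirus protection is disabled' }
    if (-not $s.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if (-not $s.IsTamperProtected)         { $findings += 'Tamper protection is off' }
    # 3 days is an assumed threshold, not a Microsoft default.
    if ($s.AntivirusSignatureAge -gt 3) {
        $findings += "Signatures are $($s.AntivirusSignatureAge) days old"
    }
    return $findings
}

$findings = Get-DefenderFindings
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No protection issues reported.' }

# Refresh signatures, then run a quick scan (blocks until the scan finishes).
Update-MpSignature
Start-MpScan -ScanType QuickScan

# List what Defender has detected, joined to the threat catalog for readable names.
Get-MpThreatDetection | ForEach-Object {
    $t = Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Detected  = $_.InitialDetectionTime
        Threat    = $t.ThreatName
        Active    = $t.IsActive
        Resources = $_.Resources -join '; '
    }
} | Sort-Object Detected -Descending | Format-Table -AutoSize -Wrap
```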

How to activate GlobalProtect DUO MFA

Situation: The client has a Palo Alto firewall and has configured GlobalProtect MFA using DUO. Here are the steps to activate DUO for GlobalProtect MFA.

1. Log in to DUO.com and click on Users.

2. Click on Inactive Users (assuming you already created the users).

3. Add Phone and click on Activate Duo Mobile.

4. Click on Generate Duo Mobile Activation Code.

5. The user’s phone receives a text message with a link. Click on the link to activate (assuming you have the DUO app on the phone). The DUO website then shows Reactivate Duo Mobile.

6. Now, try to log in to GlobalProtect. The DUO app on the user’s phone should show a popup. Tap Approve and you should be able to log in.

Note: If it doesn’t work, you can check Bypass in the user’s Status to test whether you can log in to GlobalProtect without MFA. If you can log in with Bypass enabled, it is an MFA issue. If you can’t, GlobalProtect possibly has a configuration issue.

How to install the Exchange schema extension on an on-premises AD server

  1. I downloaded the 2016 Exchange server eval – Download the latest version of Exchange. For more information, see Updates for Exchange Server.
  2. Ran the command to update the AD schema.
  3. Manually synced AD/O365 afterwards and hoped for the best.

It turns out that nothing changed for any users already synced with Office 365, so I’d call that a success.

However, you will need to go in to the Azure ad sync tool on your DC and manually tell it what to export from AD to the cloud that is now new…. Such as the hide from address book attribute for example. If you set it in AD, it won’t sync that attribute until you edit the export in the ad sync tool.

I ended up getting it all to work just as intended fairly quickly being there was zero documentation that I could find regarding this part of it.

How to enable the Guest account in Windows 10 and 11

A Guest account in Windows allows users to access the computer, shared folders and printers from remote computers. There are several ways to enable or create a Guest account.

Option 1: Enable guest account via Local Users & Groups

1. In the Start menu or taskbar search box, type Lusrmgr.msc and then press Enter key to open Local Users and Groups.

2. Click Users under Local Users and Groups (local).

3. Right-click the Guest and then click Properties or double-click on Guest to open its properties.

4. Uncheck Account is disabled.

Option 2: Enable Guest account via Command Prompt
  1. Type CMD in the Start menu or taskbar search box, and then Run as administrator.

2. Click Yes when you see the User Account Control prompt.

3. Type the following command and then press Enter key.

net user guest /active:yes

Option 3: Enable Guest account via Group Policy

Note that Group Policy is not part of the Home edition of Windows 10. So, this method doesn’t work on Windows 10 Home edition.

1. Open Group Policy Editor by typing Edit Group Policy in the Start or taskbar search box and then pressing Enter key.

2. In the Group Policy Editor, navigate to the following policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

3. On the right-side, double click on Accounts: Guest account status to open its Properties.

4. Check Enable.

5. Click OK to save the settings.

Option 4: Create a regular user account using the GUI

  1. Open the Start menu and click on the Settings icon.

2. In the Settings window, click on Accounts.

3. Select Family & other users from the left-side panel.

4. Click on Add account in Other users.

5. Click on I don’t have this person’s sign-in information in How will this person sign in?.

6. Click on Add a user without a Microsoft account.

7. Click on Add a guest.

The Guest account will be enabled and you can use it to log in to the computer without affecting the main user account’s settings and files.

Update: Microsoft has hidden the Guest account from Windows 10 and 11. Also, Microsoft has moved almost all user account settings to the new Settings app, but there is no option under the Accounts section of Settings to enable the guest account. The Settings app only allows you to create standard local or Microsoft accounts.
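Because the account is hidden from the Settings app, it helps to confirm its state from PowerShell before and after changing it. The script below is an added example, not part of the original post; the function names are hypothetical.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell session.

function Get-BuiltinGuest {
    # The built-in Guest account has a SID ending in -501 on every machine,
    # so this finds it even if it was renamed or Windows is not in English.
    Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-501$' }
}

function Set-BuiltinGuestState {
    param([Parameter(Mandatory)][bool]$Enabled)
    $guest = Get-BuiltinGuest
    if (-not $guest) { throw 'Built-in Guest account not found.' }
    if ($Enabled) { Enable-LocalUser  -SID $guest.SID }   # same effect as: net user guest /active:yes
    else          { Disable-LocalUser -SID $guest.SID }   # same effect as: net user guest /active:no
    # Read the account back so the result is confirmed rather than assumed.
    Get-BuiltinGuest | Select-Object Name, Enabled, LastLogon, @{n='SID'; e={$_.SID.Value}}
}

# Report the current state without changing anything.
Get-BuiltinGuest | Select-Object Name, Enabled, LastLogon, @{n='SID'; e={$_.SID.Value}}

# Enable the account while it is needed.
Set-BuiltinGuestState -Enabled $true

# Run this when the guest access is no longer needed:
# Set-BuiltinGuestState -Enabled $false
```

If the “Accounts: Guest account status” policy from Option 3 is set by a domain GPO, that setting is reapplied at policy refresh and takes precedence over a local change.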


How to collect GlobalProtect logs on Windows or Mac

  1. Open the GlobalProtect app
  2. Open the menu button
  3. Choose Settings
  4. Go to the Troubleshooting tab
  5. Click the Collect Logs button
  6. When the process completes, click Open Folder to view the collected log package (GlobalProtectLogs.zip), which you can email to the ITS Service Desk for troubleshooting

How to modify AuthOrig in AD attribute

To modify the AuthOrig attribute in Active Directory (AD), you can use the following steps:

  1. Open the Active Directory Users and Computers console.
  2. Locate the object you want to modify and right-click it.
  3. Select “Properties”.
  4. Go to the “Attribute Editor” tab.
  5. Locate the AuthOrig attribute and double-click it.
  6. For this example, let’s say you want to add user named Bob in Chicagotech.net to the AuthOrig attribute. Enter CN=Bob,OU=Users,DC=Chicagotech,DC=Net in the value field and click “OK”.
  7. Click “OK” again to close the properties of the object.
  8. Close the Active Directory Users and Computers console.
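The same change can be scripted with the ActiveDirectory PowerShell module, which also lets you confirm the result. This is an added example, not part of the original post; the target group DN is hypothetical, and the sender DN is the one from step 6.

```powershell
# Added example, not from the original page. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical target object; the sender DN is the value used in step 6.
$targetDn = 'CN=All Staff,OU=Groups,DC=Chicagotech,DC=Net'
$senderDn = 'CN=Bob,OU=Users,DC=Chicagotech,DC=Net'

# Resolve the sender first so a mistyped DN fails here, before any write.
$sender = Get-ADObject -Identity $senderDn -ErrorAction Stop

# authOrig is not returned by default, so request it explicitly.
$target  = Get-ADObject -Identity $targetDn -Properties authOrig -ErrorAction Stop
$current = @($target.authOrig)

if ($current -contains $sender.DistinguishedName) {
    Write-Output "$($sender.Name) is already listed in authOrig."
} else {
    # -Add appends to the multi-valued attribute; existing entries are kept.
    Set-ADObject -Identity $target -Add @{ authOrig = $sender.DistinguishedName }
}

# Read the attribute back to confirm the change.
(Get-ADObject -Identity $targetDn -Properties authOrig).authOrig
```

Adding `-WhatIf` to the `Set-ADObject` call shows what would be written without changing the directory.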

How to block some users from sending emails to an organization-wide distribution group

There are multiple methods to achieve this goal.

Option 1: Create a mail flow rule

1. Log in to the Microsoft 365 admin center.

2. Go to the Exchange Online admin center.

3. Go to Mail flow -> Rules.

4. Select Restrict messages by sender or recipient.

5. In Set rule conditions, Apply this rule if: The sender is… -> a member of… -> select the distribution group address. Do the following: Block the message and Delete the message without notifying anyone. Except if: the sender is a member of…:

6. Click on Next in Set rule settings.

7. Click Finish on Review and finish.

Option 2: Modify the “delivery management” setting

1. Go to Exchange admin center -> recipients -> groups.

2. Double-click the distribution group to edit it.

3. Select “delivery management” and add the specific senders, as well as groups, that are allowed to send messages to the group, so that messages sent by anyone else are blocked.
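Option 2 can also be applied and verified from Exchange Online PowerShell. This is an added example, not part of the original post; the group and sender addresses are hypothetical.

```powershell
# Added example, not from the original page. Needs the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Hypothetical addresses.
$group   = 'allstaff@example.com'
$allowed = 'hr-team@example.com', 'ceo@example.com'

# Confirm every allowed sender resolves to a recipient before changing the group.
$resolved = foreach ($a in $allowed) { Get-Recipient -Identity $a -ErrorAction Stop }

# Record the current restriction so the change can be reviewed or reverted.
$before = (Get-DistributionGroup -Identity $group).AcceptMessagesOnlyFromSendersOrMembers
Write-Output "Allowed senders before: $($before -join ', ')"

# Add to the allow list. Once the list is non-empty, all other senders are rejected.
Set-DistributionGroup -Identity $group `
    -AcceptMessagesOnlyFromSendersOrMembers @{ Add = $resolved.PrimarySmtpAddress }

# Read the setting back. RequireSenderAuthenticationEnabled shows whether
# unauthenticated (external) senders are refused as well.
Get-DistributionGroup -Identity $group |
    Format-List Name, AcceptMessagesOnlyFromSendersOrMembers, RequireSenderAuthenticationEnabled
```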