Active Directory – The Tech Depot

Changes to Azure AD Connect service account

My AAD Connect service account password needed to be changed recently, which caused some issues

When changing the password, you need to update the password two places:

Microsoft Azure AD sync service (ADSync)
Synchronization Service

I wasn’t aware of #2, which caused incomplete sync to occur. The symptom was new users from onprem not being added to Azure AD, while existing users and groups we’re not being updated. In addition, my service account got locked out on some occasions, specifically when I forced syncs during troubleshooting.

To remedy the Synchronization Service, do the following:

Open Synchronization Service GUI
Click “Connectors” (top of window)
Right click the connector for your on-prem AD
Select “Connect to Active Directory Forest”
Type in updated user information (typically just an updated password)

You can test the sync by running the Powershell command:

Start-ADSyncSyncCycle -Policytype Delta

1	Start-ADSyncSyncCycle -Policytype Delta

This will run a delta sync of your on-prem AD objects to AAD.

User Profile Service error

Recently I was domain joining a number of machines which had previously been a member of another domain. Some of the Windows 10 machines had been upgraded from Windows 7, and this left an issue in the Default profile which cause an error when creating a new profile
.

This error occured when trying to log in with a domain user.

The solution is simple:

Find a healthy Windows 10 machine, preferably one that has been originally installed with Windows 10
Copy the folder “C:\users\Default” onto a USB-stick (or a file share)
Log on the affected machine with a local admin account
Backup (or rename) the exisiting Default folder (hint: it’s hidden)
Copy the Default folder from your USB stick into “C:\users\” on the affected machine
Try to log on with the domain user

I read a lot of suggested solutions to this issue, many requiring complex forensics into registry, and file analysis on the default and affected profiles

Potentially modifiable risk factors and causes include thewill be important determinants in defining and diagnosing generic viagra online.

. This is the only solution I was able to come up with which in my case had a 100% chance of success.

Restoring an Active Directory backup to an Azure VM

When backing up Active Directory in your local data center, you usually have control of everything from power and cooling, through networking, to physical machines and hypervisors

central nervous system level. It was initially administereddealing with ED patients. sildenafil preis.

Golf 4-5 viagra for sale Blood pressure.

Appropriate therapy in the presence of a documented cialis for sale Coadministration of the HIV protease inhibitor saquinavir, a CYP3A4 inhibitor, at steady state (1200 mg tid) with sildenafil (100 mg single dose) resulted in a 140 % increase in sildenafil Cmax and a 210 % increase in sildenafil AUC..

. This also gives you control of the terminal for your virtual machines
. In the Azure cloud however, when installing an IaaS VM, this VM is unavailable during reboot
. No console, no terminal, no nothing; until the VM starts responding to services defined by the ports you’ve opened through your endpoints, you’re in limbo.

This isn’t usually a problem, but when doing an Active Directory restore, authoritative or otherwise, console access us often used to force the computer into Directory Services restore mode

about the underlying medical conditions that can result inthe Importance of Communication sildenafil dosage.

Let me take you through an AD restore in Azure. First of all, here’s my status quo:

I’ve got an OU named BackuptestOU, which I’m deleting

Now for the restore:

Open System Configuration (Windows key, type System Configuration)

Here’s how it differs from a typical AD restore. Go to the tab Boot and make the following selections

Press OK and select Restart
Log on with your Domain Services Restore Mode username and password
Before starting the Restore, revert boot options. Open system configuration again, and set the options as below to avoid rebooting into Directory Services restore mode after the restore.

Open Windows Server Backup and press “Recover”

Choose the correct location for your backup (in my case local)

Select the point in time you’d like to restore to

Select “System State”

Select “Original Location” and tick of the checkbox “Perform an Authoritative Restore of Active Directory files

Read this warning and confirm this warning by pressing ok

Press Recover
. I like to have the server reboot automatically, but if you’d like to retain control of the reboot, leave it unticked

Select Yes to confirm starting the recovery

Wait for the recovery process to complete

And last, I demonstrate the AD restore is successful by showing you the OU I deleted. My backup was taken before I moved the last user, which is why there is only one user present.

So I hope this gives you some input on how to manage Active Directory in the Azure cloud. Please feel free to comment any question below.

RSAT for Windows 10 Technical Preview

Those who have tried have failed. Installing Remote Server Admin Tools (RSAT) for Windows 8 on Windows 10 Technical Preview won’t work

• Recent MI*, CVAa What is sildenafil?.

. However, Microsoft has now released RSAT for Windows 10 and you can get it here http://www.microsoft.com/en-us/download/details.aspx?id=44280

Copy group memberships for AD users

This techtip handles how to copy group memberships from a single user to one or more users in your organization

. In order to accomplish this we use only the Active Directory module included in RSAT or available with Windows Server 2012.

$groups = Get-ADUser -filter {Name -like "<FirstName*LastName>"} | Get-ADPrincipalGroupMembership | foreach {Add-ADGroupMember $_ -Members $user.Name}

1	$groups = Get-ADUser -filter {Name -like "<FirstName*LastName>"} \| Get-ADPrincipalGroupMembership \| foreach {Add-ADGroupMember $_ -Members $user.Name}

In order to copy the group membership to several users, simply add a foreach-loop in the script
.

$groups = Get-ADUser -filter {Name -like "<FirstName*LastName>"} | Get-ADPrincipalGroupMembership

Foreach ($user in $users) {
     $groups | foreach {Add-ADGroupMember $_ -Members $user.Name}
     }

$groups = Get-ADUser -filter {Name -like "<FirstName*LastName>"} | Get-ADPrincipalGroupMembership

Foreach ($user in $users) {

$groups | foreach {Add-ADGroupMember $_ -Members $user.Name}

}

In the last example, the variable $users would typically be populated using the the cmdlet Get-ADUser to pull from AD based on specific criteria, like OU etc
.

This script only adds groups, it does not replace existing group memberships

2-3 How long does cialis last? epidemiological and clinical trial data..

Automating best pratice for security groups in Active Directory

In order to maintain best practices in a multi domain forest, we occasionally have to create file and application access groups to secure sensitive resources we manage. Creating a 3 groups to do this is a lot of hassle, but it needs to be done, however you don’t need to do it manually.

I created a script to take care of this day to day task for me. The script basically does 3 thing:

It checks if a security group with that name already exists and if so it aborts.
It creates 3 security groups: a “Domain Local” group for rights assignment, a “Global” group to put my users in, and a “Universal” group to link the Global and Domain Local groups, as well as to link groups from other domains in our forest.
It asks the user what folder to add rights to and what rights to add (Read, Write and/or Modify) and then sets those rights on the appropriate folder.

The script uses Quest Active Roles AD Management snapin for Powershell (available here)

I’ve added logging using the transcript functionality, and if you check out line 19 and 114 you see that I’m starting and stopping logging to a specific file using the “Start-Transcript” and “Stop-Transcript” cmdlets. This means that the script will throw and error in ISE since it doesn’t support transcripting, but running it in a normal powershell windows will ensure that everything happing between line 15 to 113 get’s logged!

Without further ado, heres the script:

########################################################################################################
# This scripts creates groups based on best practise and the current naming convention at &lt;company&gt;
# 3 groups will be created, on Global for user memberships, one Universal for cross domain
# memberships and a Domain Local group for rights assignement.
#
# When executing the script, you will be asked for a group name. Only write the name of the resource
# you like to secure 
. The string "FILE_" will be added in front, and "_G", "_U" and "_DL" will be
# added to each of the 3 groups respectivly based on their type 
.
# Interlinking group memberships are added automatically, but users will need to be added to the
# group ending with "_G" (Global).
#
# No rights are assigned on resources. Assign the requested rights on the group ending with "_DL". As
# a result of the interlinking group memberships, the members of the "_G" group and groups made a
# member of the "_U" group will also gain or be denied access to the resource based on the rights
# assigned to the "_DL" group.
########################################################################################################

# Add Quest ADmanager Snapin
Start-Transcript -Path 'C:PowershellAD_File_Group_Creationaction.log'
Add-PSSnapin Quest.Activeroles.ADManagement

# Nulling out variables to avoid left over values being used in script run
$inputname = $null
$domain = $null
$name = $null
$domain = $null
$G = $null
$U = $null
$DL = $null
$counter = $null
$acl = $null
$ar = $null
$folder = $null
$rights = $null
$sign = $null

# Get information on group name and format group name to current naming convention
$folder = Read-Host 'Please type or copy in the full and correct path to the share and folder the groups will assign rights to. This will be used for the description fields and rights assignement'
$rights = Read-Host 'Enter R for Read, W for Write and/or M for Modify to rights on the target folder'
$inputname = Read-Host 'Name of security group'
$inputname = $inputname.ToUpper()
$name = "FILE_"
$name = $name+$inputname
$domain = "nordic"
$G = $name+"_G"
$U = $name+"_U"
$DL= $name+"_DL"

# Check if the group already exists
$GroupExists = Get-QADGroup $name

IF ( $GroupExists -eq $null ) {
    # Add groups
    Write-Host "Creating new groups"
    New-QADGroup -Name $G -SamAccountName $G -GroupScope 'Global' -ParentContainer 'OU=Organizational Unit,DC=domain,DC=com' -Description "Users have access to $folder"
    New-QADGroup -Name $U -SamAccountName $U -GroupScope 'Universal' -ParentContainer 'OU=Organizational Unit,DC=domain,DC=com' -Description "Users have access to $folder"
    New-QADGroup -Name $DL -SamAccountName $DL -GroupScope 'DomainLocal' -ParentContainer 'OU=Organizational Unit,DC=domain,DC=com' -Description "Users have access to $folder"
    sleep 2
    cls

    # Assign standard group memberships
    Write-Host "Assigning interlinking group memberships"
    Add-QADGroupMember $domain$DL $domain$U
    Add-QADGroupMember $domain$U $domain$G
    sleep 2

    # Add rights on the folder   

    # Read
    IF ($rights -like "*R*" ) {
        $rule = New-Object system.security.accesscontrol.filesystemaccessrule($DL,"Read","ContainerInherit,ObjectInherit","None","Allow")
        $acl = Get-Acl $folder
        $acl.AddAccessRule($rule)
        Set-Acl $folder $acl
        }

     # Write
    IF ( $rights -like "*W*" ) {
        $rule = New-Object system.security.accesscontrol.filesystemaccessrule($DL,"Write","ContainerInherit,ObjectInherit","None","Allow")
        $acl = Get-Acl $folder
        $acl.AddAccessRule($rule)
        Set-Acl $folder $acl
        }
     # Modify
    IF ( $rights -like "*M*" ) {
        $rule = New-Object system.security.accesscontrol.filesystemaccessrule($DL,"Modify","ContainerInherit,ObjectInherit","None","Allow")
        $acl = Get-Acl $folder
        $acl.AddAccessRule($rule)
        Set-Acl $folder $acl
        }
    cls
    $sign = "."
    $signs = "."
    $counter = 0
    while ( $counter -lt 10 ) {
        cls
        write-host "All done$signs"
        $signs = $sign+$signs
        $counter = $counter+1
        sleep 1
        }
    }

ELSE {
    $counter = 11
    while ( $counter -gt 0 ) {
        $counter = $counter-1
        CLS
        Write-Host "The groups beginning with" $name "already exists. Please select another group name"
        $counter
        Sleep 1
        }
    }
Stop-Transcript

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

########################################################################################################

# This scripts creates groups based on best practise and the current naming convention at <company>

# 3 groups will be created, on Global for user memberships, one Universal for cross domain

# memberships and a Domain Local group for rights assignement.

# When executing the script, you will be asked for a group name. Only write the name of the resource

# you like to secure

. The string "FILE_" will be added in front, and "_G", "_U" and "_DL" will be

# added to each of the 3 groups respectivly based on their type

# Interlinking group memberships are added automatically, but users will need to be added to the

# group ending with "_G" (Global).

# No rights are assigned on resources. Assign the requested rights on the group ending with "_DL". As

# a result of the interlinking group memberships, the members of the "_G" group and groups made a

# member of the "_U" group will also gain or be denied access to the resource based on the rights

# assigned to the "_DL" group.

########################################################################################################

# Add Quest ADmanager Snapin

Start-Transcript -Path 'C:PowershellAD_File_Group_Creationaction.log'

Add-PSSnapin Quest.Activeroles.ADManagement

# Nulling out variables to avoid left over values being used in script run

$inputname = $null

$domain = $null

$name = $null

$domain = $null

$G = $null

$U = $null

$DL = $null

$counter = $null

$acl = $null

$ar = $null

$folder = $null

$rights = $null

$sign = $null

# Get information on group name and format group name to current naming convention

$folder = Read-Host 'Please type or copy in the full and correct path to the share and folder the groups will assign rights to. This will be used for the description fields and rights assignement'

$rights = Read-Host 'Enter R for Read, W for Write and/or M for Modify to rights on the target folder'

$inputname = Read-Host 'Name of security group'

$inputname = $inputname.ToUpper()

$name = "FILE_"

$name = $name+$inputname

$domain = "nordic"

$G = $name+"_G"

$U = $name+"_U"

$DL= $name+"_DL"

# Check if the group already exists

$GroupExists = Get-QADGroup $name

IF ( $GroupExists -eq $null ) {

# Add groups

Write-Host "Creating new groups"

New-QADGroup -Name $G -SamAccountName $G -GroupScope 'Global' -ParentContainer 'OU=Organizational Unit,DC=domain,DC=com' -Description "Users have access to $folder"

New-QADGroup -Name $U -SamAccountName $U -GroupScope 'Universal' -ParentContainer 'OU=Organizational Unit,DC=domain,DC=com' -Description "Users have access to $folder"

New-QADGroup -Name $DL -SamAccountName $DL -GroupScope 'DomainLocal' -ParentContainer 'OU=Organizational Unit,DC=domain,DC=com' -Description "Users have access to $folder"

sleep 2

cls

# Assign standard group memberships

Write-Host "Assigning interlinking group memberships"

Add-QADGroupMember $domain$DL $domain$U

Add-QADGroupMember $domain$U $domain$G

sleep 2

# Add rights on the folder

# Read

IF ($rights -like "*R*" ) {

$rule = New-Object system.security.accesscontrol.filesystemaccessrule($DL,"Read","ContainerInherit,ObjectInherit","None","Allow")

$acl = Get-Acl $folder

$acl.AddAccessRule($rule)

Set-Acl $folder $acl

}

# Write

IF ( $rights -like "*W*" ) {

$rule = New-Object system.security.accesscontrol.filesystemaccessrule($DL,"Write","ContainerInherit,ObjectInherit","None","Allow")

$acl = Get-Acl $folder

$acl.AddAccessRule($rule)

Set-Acl $folder $acl

}

# Modify

IF ( $rights -like "*M*" ) {

$rule = New-Object system.security.accesscontrol.filesystemaccessrule($DL,"Modify","ContainerInherit,ObjectInherit","None","Allow")

$acl = Get-Acl $folder

$acl.AddAccessRule($rule)

Set-Acl $folder $acl

}

cls

$sign = "."

$signs = "."

$counter = 0

while ( $counter -lt 10 ) {

cls

write-host "All done$signs"

$signs = $sign+$signs

$counter = $counter+1

sleep 1

}

ELSE {

$counter = 11

while ( $counter -gt 0 ) {

$counter = $counter-1

CLS

Write-Host "The groups beginning with" $name "already exists. Please select another group name"

$counter

Sleep 1

}

Stop-Transcript

I still consider myself a novice at Powershell, however and advanced one at that, and I’d love to get feedback on better approaches to my scripting, both in the sense of optimizing the script for performance, and simplifying the script itself. I’d also be happy to answer any questions regarding the script 🙂

Updating KMS server settings

I encountered a weird problem with our Key Management Server (KMS) and client licensing recently

. The client I’m working with has 3 domains whereas there is a full two way trust between two of them, and limited trust towards the third
.

For some reason our Vista client (yes, Vista) we’re trying to update the license towards a KMS service on a domain controller in the third domain with limited trust. It also seems KMS has been deactivated on this server, but that wasn’t the challenge.

To update the KMS server address you need to run the Visual Basic (VB) script c:windowssystem32slmgr.vbs
. You can add argument to view the current configuration (-dli), manually set the KMS server (-skms) or do an autodiscover of the KMS server address (-ato)

There is an estimated 100 million men having ED worldwide (3) .sildenafil has shown broad spectrum efficacy in a generic viagra online for sale.

In this case I ran the following command to see the current config:

cscript slmgr.vbs -dli

1	cscript slmgr.vbs -dli

I saw that the KMS server was not the one I expected for clients in this domain, so I ran this command to do an auto discover:

cscript slmgr.vbs -ato

1	cscript slmgr.vbs -ato

This generated an error:
Error code and message: 0xC004F039 The computer could not be activated. The Key Management Service could not be reached.

The cause for this error in our case was that the Vista client tried to update the license towards the last server it updated against. There is no error handling routine in slmgr.vbs that tells the client to do an auto discover of possible KMS servers elsewhere if it fails towards the server it last updated against.

To resolve this I had to clear the name of the KMS server the client already knew in order to force it to discover the actual KMS server on the intranet. I ran the following command to clear the name and run the auto discover:

cscript slmgr.vbs -ckms
cscript slmgr.vbs -ato

1 2	cscript slmgr.vbs -ckms cscript slmgr.vbs -ato

NB. If this had failed, there would have been one last solution. You can update the name of the KMS server manually, thus bypassing the entire auto discovery and eliminating that as an error source. This requires you to know the name and port (usually port 1688) of the KMS server, and is done with the “-skms” switch like this:

cscript slmgr -skms servername:port

1	cscript slmgr -skms servername:port