Showing posts with label AD.

Wednesday, April 29, 2020

Azure AD Connect error 8244-- SOLVED

So here I was the other day setting up AAD Connect for a new employer; gotta get those accounts synced! Anyway, this being yet another in a long series of inherited networks, I ran into almost every single user object in the specified OUs to be synced erroring out, according to the Synchronization Service Manager under Connector Operations, with a 'permission-issue' error 8244.

I spent some quality time with Google and found where people needed to ensure the local sync account has been added at the domain level with:


So I did that, but it did not help. I started looking into the NTFS security permissions on the users and OUs and, lo and behold, not a single level had inheritance enabled.

So I found this PowerShell snippet: https://community.spiceworks.com/topic/2120107-powershell-to-enable-inheritance

Ran this and BOOM, all my objects were now enabled; however, re-running a Delta sync, I was still getting mass errors. So as a test I added the sync account with FC permissions, and that account's password hash was synced to AAD. Odd, I thought, so I went looking further, and in the event log found event 611:


So using this I found, eventually, that the sync account needs permission to edit ms-DS-ConsistencyGuid, which then led me to this:

$accountname = "<domain>\ad_forest"          # the AAD Connect AD DS connector (sync) account
$forestdn    = "dc=<domain1>,dc=<domain2>"   # distinguished name of the domain root
# Grant WP (write property) on ms-ds-consistencyGuid for user objects, inherited to sub-objects only (/I:S)
$cmd = "dsacls '$forestdn' /I:S /G '`"$accountname`":WP;ms-ds-consistencyGuid;user'"
Invoke-Expression $cmd

Once I ran that, I could see the sync account under the Security tab of all my user objects, and the next Delta sync kicked off and ran without any errors.
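As an added example (not code from the original post), here is the check I would run before and after the dsacls command above: for every user under an OU it reports whether ACL inheritance is blocked and whether the sync account actually ends up with an Allow WriteProperty ACE on ms-DS-ConsistencyGuid (explicit or inherited), and it can re-enable inheritance for you. The OU DN, the connector account name 'CONTOSO\MSOL_abc123' and the $FixInheritance switch are assumptions; substitute your own.

```powershell
# Added example, not part of the original post. Reports, per user, blocked inheritance and
# whether the sync account can write ms-DS-ConsistencyGuid; optionally re-enables inheritance.
# Assumptions: the OU DN, the connector account name, and $FixInheritance (default: report only).
Import-Module ActiveDirectory

$searchBase     = 'OU=Staff,DC=contoso,DC=com'   # assumption: OU in scope for the sync
$syncAccount    = 'CONTOSO\MSOL_abc123'          # assumption: your AAD Connect AD DS connector account
$FixInheritance = $false                         # $true re-enables inheritance where it is blocked

# Look the attribute's schemaIDGUID up in the schema instead of hard-coding it
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=mS-DS-ConsistencyGuid)' -Properties schemaIDGUID).schemaIDGUID
$syncSid  = (New-Object System.Security.Principal.NTAccount($syncAccount)).Translate([System.Security.Principal.SecurityIdentifier])

function Test-ConsistencyGuidWrite {
    # True if some Allow ACE for the sync account grants WriteProperty on this attribute or on all properties
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference
        if ($sid -isnot [System.Security.Principal.SecurityIdentifier]) {
            try { $sid = $sid.Translate([System.Security.Principal.SecurityIdentifier]) } catch { continue }
        }
        if ($sid -ne $syncSid) { continue }
        $writes   = ([int]($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)) -ne 0
        $thisAttr = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $attrGuid)   # empty GUID = all properties
        if ($writes -and $thisAttr) { return $true }
    }
    return $false
}

$report = foreach ($u in Get-ADUser -SearchBase $searchBase -Filter * -Properties adminCount) {
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $wasBlocked = $acl.AreAccessRulesProtected
    if ($wasBlocked -and $FixInheritance) {
        $acl.SetAccessRuleProtection($false, $true)   # inherit from the OU again, keep the explicit ACEs
        Set-Acl -Path $path -AclObject $acl
        $acl = Get-Acl -Path $path                     # re-read so the inherited ACEs are evaluated
    }
    [pscustomobject]@{
        User               = $u.SamAccountName
        AdminCount         = $u.adminCount
        InheritanceBlocked = $wasBlocked
        SyncCanWriteGuid   = Test-ConsistencyGuidWrite -Acl $acl
    }
}

# Only the objects that would still fail the sync
$report | Where-Object { $_.InheritanceBlocked -or -not $_.SyncCanWriteGuid } | Format-Table -AutoSize
```

One caveat worth knowing when you see AdminCount = 1 in the output: those objects are protected by AdminSDHolder, and the SDProp process re-blocks inheritance on them about once an hour, so re-enabling it is only temporary for members of the protected groups. For those you either grant the ACE on the AdminSDHolder object itself or keep them out of the sync scope.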



Friday, October 9, 2015

Powershell Script - Change Contractor Info

Crafted this gem today. I need to change some AD attributes for contracted personnel, namely adding 'c-' to the beginning of their email, UPN and SAMAccountName, adding '(Contractor)' to the end of the DisplayName field and changing a couple of proxyAddresses.


First things, the csv used has the following columns:

name, mail, displayname, samaccountname, proxyaddress_0, proxyaddress_1, proxyaddress_2

Code:

#========================================================================
# Created with: SAPIEN Technologies, Inc., PowerShell Studio 2012 v3.1.26
# Created on:   10/9/2015 1:46 PM
# Created by:   Ben Hart
# Organization: UnifiedBrands
# Filename:     Change-ContractorInfo.ps1
#========================================================================


Import-Module ActiveDirectory
Import-Csv -Path d:\Users\username\Desktop\test.csv | ForEach-Object {

    $email       = $_.mail            # new 'c-' prefixed address; also becomes the UPN
    $DisplayName = $_.displayName     # new display name with '(Contractor)' appended
    $sam         = $_.samaccountname  # used to look the account up
    # Secondary proxy addresses from the CSV; blank columns are skipped so Set-ADUser -Add is never given an empty value
    $proxies     = @($_.Proxyaddress_0, $_.Proxyaddress_1, $_.Proxyaddress_2) | Where-Object { $_ }

    Set-ADUser -Identity $sam -EmailAddress $email -UserPrincipalName $email -DisplayName $DisplayName

    # Reset proxyAddresses to the new primary SMTP address, then add any secondary addresses
    Set-ADUser -Identity $sam -Replace @{proxyAddresses = @("SMTP:" + $email)}
    foreach ($proxy in $proxies) {
        Set-ADUser -Identity $sam -Add @{proxyAddresses = $proxy}
    }
    Set-ADUser -Identity $sam -Replace @{targetAddress = $email}

}

Tuesday, September 1, 2015

PowerShell Script - Generate list of domain users and their Logon Script values

Yesterday I had cause to make some logon script changes. We still use batch files, in combination with PowerShell scripts and Group Policy Objects. However, a few years ago I made some test changes and discovered that I had not pushed those out to all users. *DOH*
The current push to get everyone on the same page is DFS (Distributed File System, for those who don't know). We're preparing to make changes to some file servers, and if all users are using DFS paths it'll be very easy.
Anyway, below is the script I used to generate the text file with the data.

Get-ADUser -Filter * -Properties ScriptPath | Format-Table Name, ScriptPath > C:\PathToFile\File.txt


Which resulted in A LOT of accounts that I don't need to sift through: ex-consultants, service accounts and the like. So I narrowed my field of search down a bit...


Get-ADUser -SearchBase "OU=blahblah,OU=blahblah,DC=Domain,DC=com" -Filter * -Properties ScriptPath | Sort-Object ScriptPath | Format-Table Name, ScriptPath > C:\PathToFile\File.txt




There you go, enjoy.

Thursday, August 6, 2015

Upgrading forest functional level, and DFS mode

So today I ran into a small issue. I noticed that computer tombstoning does not seem to be happening, as I have multiple computer objects with lastLogonTimestamps from 2012...

In pursuing it further I discovered that I don't have the AD Recycle Bin because we're still running at a Forest Functional Level of 2003. Gotta fix that! Except WHOA.. we use DFS and it's stuck at 2000 mode.
I went looking, and Microsoft graciously did not craft an upgrade path for DFS, so it looks like the only way to upgrade my forest level and keep a functioning DFS is to upgrade them both.

Raising the forest functional level is easy and fast:

Open the Active Directory Administrative Center
Right-click your domain
Choose "Raise the forest functional level..."


Easy peasy.

Now 'upgrading' your DFS mode takes a little more work.


First, back up your existing DFS namespace configuration by running the following from one of your domain controllers:

dfsutil root export \\<domain.fqdn>\<Namespace> %temp%\namespace_backup.xml

Next, remove your old namespace: open the DFS Management snap-in and remove your namespace servers (removing the last one deletes the namespace). That's it.

Now in this step you will be creating a 'new' namespace, but you will keep the original name. If your original namespace was \\contoso.com\Public then create the new one using that name, except during the creation make sure the Windows Server 2008 mode box is checked. It also hurts nothing to leave the namespace root share at the default, C:\DFSRoots.


Make sure you add all the same namespace servers you had before as well.

Lastly, import your old configuration with:

dfsutil root import merge %temp%\namespace_backup.xml \\<domain.fqdn>\<Namespace>
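Here is the whole procedure as a script, added as an example rather than taken from the original post, with the checks you want before a namespace gets deleted: a preflight that shows the forest level, namespace mode and root targets; a backup that refuses to proceed if the export did not parse; the forest level raise first (2008 namespace mode needs a 2008 forest level, and the AD Recycle Bin needs 2008 R2); then the delete/recreate/merge, and finally enabling the Recycle Bin. The forest name contoso.com, the namespace \\contoso.com\Public, the DFSN module (Windows Server 2012 or later), DCs already at 2008 R2 or newer, and the root share surviving the delete (the cmdlet removes the namespace, not the share) are all assumptions.

```powershell
# Added example, not part of the original post. Assumptions: forest contoso.com, namespace
# \\contoso.com\Public, ActiveDirectory and DFSN modules present, all DCs at 2008 R2 or newer.
# Raising the forest level and enabling the Recycle Bin cannot be undone.
Import-Module ActiveDirectory
Import-Module DFSN

$forest    = 'contoso.com'                          # assumption
$namespace = "\\$forest\Public"                     # assumption
$backupXml = Join-Path $env:TEMP 'namespace_backup.xml'

function Get-UpgradeState {
    $f   = Get-ADForest -Identity $forest
    $rb  = Get-ADOptionalFeature -Filter * | Where-Object { $_.Name -eq 'Recycle Bin Feature' }
    $dfs = Get-DfsnRoot -Path $namespace
    [pscustomobject]@{
        ForestMode    = $f.ForestMode
        RecycleBinOn  = [bool]$rb.EnabledScopes
        NamespaceType = $dfs.Type                                # DomainV1 = 2000 mode, DomainV2 = 2008 mode
        RootTargets   = @(Get-DfsnRootTarget -Path $namespace | ForEach-Object { $_.TargetPath })
        FolderCount   = @(Get-DfsnFolder -Path "$namespace\*" -ErrorAction SilentlyContinue).Count
    }
}

function Backup-Namespace {
    dfsutil root export $namespace $backupXml | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backupXml)) { throw "dfsutil export of $namespace failed" }
    $xml = [xml](Get-Content -Path $backupXml -Raw)             # refuse to go on with a backup that does not parse
    if (-not $xml.DocumentElement) { throw "$backupXml is empty" }
    return $backupXml
}

function Convert-NamespaceTo2008Mode {
    param([string[]]$RootTargets, [string]$Backup)
    if (-not $RootTargets) { throw 'no namespace servers recorded; refusing to delete the namespace' }
    Remove-DfsnRoot -Path $namespace -Force -Confirm:$false                   # same as removing every namespace server in the snap-in
    New-DfsnRoot -Path $namespace -TargetPath $RootTargets[0] -Type DomainV2 | Out-Null   # DomainV2 = 2008 mode
    foreach ($t in ($RootTargets | Select-Object -Skip 1)) {
        New-DfsnRootTarget -Path $namespace -TargetPath $t | Out-Null        # put the other namespace servers back
    }
    dfsutil root import verify $Backup $namespace                             # prints what merge would change, changes nothing
    dfsutil root import merge  $Backup $namespace
    if ($LASTEXITCODE -ne 0) { throw 'dfsutil import merge failed; re-run it before the namespace is used' }
}

$before = Get-UpgradeState
$before | Format-List

# Forest level first: 2008 namespace mode needs a 2008 forest, the Recycle Bin needs 2008 R2
$target = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$before.ForestMode -lt [int]$target) {
    Set-ADForestMode -Identity $forest -ForestMode $target -Confirm:$false
}
if ($before.NamespaceType -eq 'DomainV1') {
    $backup = Backup-Namespace
    Convert-NamespaceTo2008Mode -RootTargets $before.RootTargets -Backup $backup
}
if (-not $before.RecycleBinOn) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}
Get-UpgradeState | Format-List
```

Run Get-UpgradeState on its own first and compare FolderCount before and after the merge; if the numbers differ, the namespace is missing links and the merge needs another look before anyone is pointed at it.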

Wednesday, July 15, 2015

Search-ADAccount -lockedout.. Where have you been all my life?

So yesterday I had a supervisor call me because a few of his users could not get logged in. I went down the usual list of accounts that I know they use and none were locked out. I told him to find out what usernames the problem folks are using and to let me know. So he hangs up, and while I'm sitting there I decide to google it.

Search-ADAccount -LockedOut

is what I found. OMG! Where has this command been for the past few years? So easy.. so short.. so easy to remember.

Thursday, July 9, 2015

PowerShell: Export-CSV with specific user info

Today I needed to export a bunch of info about our users for some sort of internal survey-sending situation.


Get-ADUser -Filter * -SearchBase "OU=Employees,DC=Domain,DC=Com" -Properties DisplayName, EmailAddress, Department, Manager | Select DisplayName, EmailAddress, Department, Manager | Export-CSV "D:\path"

Thursday, May 21, 2015

PowerShell - Searching AD for locked out domain accounts

So yeah.. this should be a no-brainer to most, however with the changed cmdlets in PowerShell 4 I had to look it up. This is one of those little things that you probably don't need very often, but when you do it's a life saver.

Import-Module ActiveDirectory
Search-ADAccount -LockedOut


That's it.  Easy right?
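Knowing who is locked out is half the job; the other half is where the bad passwords are coming from. As an added example (not code from this or the July 2015 post above), this takes the Search-ADAccount -LockedOut result and, for each account, pulls the newest 4740 "A user account was locked out" event from the PDC emulator, whose Caller Computer Name field says which machine sent the bad passwords. It assumes the ActiveDirectory module, rights to read the PDC's Security log, and a 24-hour window ($Hours).

```powershell
# Added example, not part of the original posts. Assumes the AD module and read access to the
# PDC emulator's Security log; $Hours is an assumed search window.
Import-Module ActiveDirectory

function Get-EventField {
    # Pull one named <Data> field out of a Security event's XML
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    return $data.'#text'
}

function Get-LockoutSource {
    param([int]$Hours = 24)
    # Every lockout is forwarded to the PDC emulator, so its Security log has a 4740 for each one
    $pdc    = (Get-ADDomain).PDCEmulator
    $locked = @(Search-ADAccount -LockedOut)
    if ($locked.Count -eq 0) { return }

    $events = @(Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    })

    foreach ($acct in $locked) {
        # Get-WinEvent returns newest first, so the first match is the latest lockout of this account.
        # In 4740 the locked account is TargetUserName and the caller computer is, oddly, TargetDomainName.
        $ev = $events | Where-Object { (Get-EventField $_ 'TargetUserName') -eq $acct.SamAccountName } |
              Select-Object -First 1
        $lockedAt = $null
        $caller   = "no 4740 on $pdc in the last $Hours h"
        if ($ev) {
            $lockedAt = $ev.TimeCreated
            $caller   = Get-EventField $ev 'TargetDomainName'
        }
        [pscustomobject]@{
            Account        = $acct.SamAccountName
            LockedAt       = $lockedAt
            CallerComputer = $caller
        }
    }
}

Get-LockoutSource -Hours 24 | Format-Table -AutoSize
```

Unlock-ADAccount -Identity <sam> clears the lock, but if CallerComputer keeps showing the same machine, go look there for the usual suspects: a stale saved credential, a mapped drive or a scheduled task still using an old password.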

Tuesday, August 19, 2014

Modifying the Manager field in AD in bulk..

A quick PowerShell script that will allow you to modify the Manager field in user properties in AD.

get-aduser -filter * -searchbase "ou=test,dc=domain,dc=com" | set-aduser -manager "JBlow"


Or for the entire domain if you are running a small shop:

get-aduser -filter * | set-aduser -manager "JBlow"

The Manager value must identify a user object, e.g. a SamAccountName or a distinguished name.

Tuesday, June 17, 2014

Creating new address lists in Exchange for non-employees

So the company I work for has a rather unique AD structure. For whatever reason we do not use the default containers Users or Computers. Someone years before me thought that was too insensitive or whatever.. we have People and Machines. Funny, no?
But we also have containers or OUs for Vendors, Customers, Reps, Dealers, ASAs and Distributors. Now I'm seeing all these user objects, because they access an externally hosted website that uses AD authentication, and wonder why there are no address lists for these so Customer Service or Sales can contact them a little easier.

So here we go.. Mail-Enabling in bulk.  I've exported all those OU's out to a tab-delimited CSV, re-arranged the columns to include only Name and ExternalAddress.

Get-User -OrganizationalUnit 'domain.com/people/customers' | Export-Csv c:\users\bhart\customers.csv -NoTypeInformation

# Rows with no ExternalAddress are skipped, since Enable-MailUser requires one
Import-Csv "c:\users\bhart\customers.csv" | Where-Object { $_.ExternalAddress } | ForEach-Object { Enable-MailUser -Identity $_.Name -ExternalEmailAddress $_.ExternalAddress }

And BOOM 

The 100+ user objects are now mail enabled.. well, except for the few objects without an ExternalEmailAddress value, but you get the idea.

Now I just need to go through this process on the remaining 4 other OU's.

Friday, June 13, 2014

AD/PowerShell - "Directory Object Not Found"

I ran into this error (and it's not the first time either) when attempting Get-ADUser with a SearchBase containing an LDAP distinguished name.

get-aduser : Directory object not found

The reason is that the default Users and Computers containers are containers, not organizational units, so their distinguished names start with cn= rather than ou=. Use ou= for real OUs and cn= for those built-in containers (the SearchBase also has to be paired with a filter). So it'd be

Get-ADUser -Filter * -SearchBase "cn=users,dc=domain,dc=com"


Thursday, June 12, 2014

AD - Changing CompanyName in bulk with Powershell

While waiting for a new AddressList in Exchange to update I realized that there are at least 3 different variations of our Company Name in user objects that should only be one.  Granted they all mean the same thing however it's not perfect and I demand perfection!

Get-ADUser -SearchBase "ou=employees,ou=people,dc=domain,dc=com" -filter *

Gives me a nice list of every single user object in that OU, but now I need to pipe that output into a Set-ADUser cmdlet.

Get-ADUser -SearchBase "ou=employees,ou=people,dc=domain,dc=com" -filter * | Set-ADUser -company "ABC Widgets, Inc" 

And BOOM.

Thursday, June 5, 2014

Exchange 2010 - System Attendant/AD Topology services will not start.

Ok, so sometimes you might run into an issue where the System Attendant, the AD Topology service, or both will not start. Typically this is caused by one of two things:

A. The server is not allowed to access AD
B. The server cannot reach AD

Here's a list of the most common fixes:

1. Verify your DNS records for Exchange and the DCs
2. Make sure no firewall on your Global Catalog server is blocking the Exchange server (temporarily disabling it is the quickest test)
3. Make sure your Sites in AD are configured correctly and that the sites can talk to each other
4. Check that the security groups Exchange Domain Servers and Exchange Enterprise Servers still exist in ADUC
5. Verify the server hosting your GC is up and accessible
6. Ping your GC from Exchange
7. Make sure AD replication is working correctly
8. Make sure the NTFS perms on the Exchange folder on your Exchange server still allow full access to SYSTEM and Administrators
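Most of that list can be checked in one go from the Exchange server. The script below is an added example, not code from the original post: it discovers a Global Catalog through the DC locator, pings it and tests TCP 389 (LDAP) and 3268 (GC), dumps the local firewall profile state, checks that the two Exchange groups exist, runs repadmin /replsummary, and verifies Full Control for SYSTEM and Administrators on the Exchange folder. It assumes the ActiveDirectory module is installed on the Exchange server and that Exchange lives under the Exchange 2010 default path in $exchangeRoot.

```powershell
# Added example, not part of the original post. Assumptions: AD module present on the Exchange
# server, $exchangeRoot is the Exchange 2010 default install path, group names as given in the post.
Import-Module ActiveDirectory
$exchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V14'   # assumption

function New-Check {
    param($Name, $Ok, $Detail)
    [pscustomobject]@{ Check = $Name; OK = [bool]$Ok; Detail = "$Detail" }
}

function Test-TcpPort {
    param([string]$Computer, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Computer, $Port); return $client.Connected } catch { return $false } finally { $client.Close() }
}

function Test-ExchangeAdPrereqs {
    # DNS / GC reachability: the DC locator has to hand us a GC, and it has to answer on LDAP and GC ports
    $gc = Get-ADDomainController -Discover -Service GlobalCatalog -ErrorAction SilentlyContinue
    New-Check 'Global Catalog found via DNS/DC locator' $gc "$($gc.HostName)"
    if ($gc) {
        $gcHost = "$($gc.HostName)"
        New-Check "ICMP ping to $gcHost" (Test-Connection -ComputerName $gcHost -Count 1 -Quiet) ''
        foreach ($port in 389, 3268) { New-Check "TCP $port to $gcHost" (Test-TcpPort $gcHost $port) '' }
        # Sites: at least confirm this box maps to a site (the GC that answered belongs to it)
        New-Check 'Exchange server maps to an AD site' $gc.Site "$($gc.Site)"
    }

    # Firewall state on this box; the GC's own firewall has to be checked on the GC
    $fw = netsh advfirewall show allprofiles state
    New-Check 'Local Windows Firewall profile state' $true (($fw | Where-Object { $_ -match 'State' }) -join '; ')

    # The Exchange security groups named in the post
    foreach ($g in 'Exchange Domain Servers', 'Exchange Enterprise Servers') {
        $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        New-Check "Group '$g' exists" $grp "$($grp.DistinguishedName)"
    }

    # Replication: repadmin prints 'operational errors' when it could not talk to a DC; read the fails/total column too
    $rep = repadmin /replsummary 2>&1
    New-Check 'repadmin /replsummary shows no operational errors' (($rep -join "`n") -notmatch 'operational errors') (($rep | Select-Object -Last 1) -join '')

    # NTFS: SYSTEM and Administrators still have Full Control on the Exchange folder
    if (Test-Path $exchangeRoot) {
        $acl  = Get-Acl -Path $exchangeRoot
        $full = [System.Security.AccessControl.FileSystemRights]::FullControl
        foreach ($p in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
            $ok = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $p -and $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $full) -eq $full)
            }
            New-Check "FullControl for $p on $exchangeRoot" $ok ''
        }
    } else {
        New-Check "Exchange folder $exchangeRoot exists" $false ''
    }
}

Test-ExchangeAdPrereqs | Format-Table -AutoSize
```

Anything that comes back OK = False points at the corresponding item in the list; the firewall line is informational only, since the GC's firewall is the one that usually matters and it has to be inspected on the GC itself.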


Monday, May 19, 2014

Active Directory - Random Script 3

PowerShell script used to set the security permissions on a set of user folders on a network file share. Each folder is named after the user who owns it.

$domainname = "domain"

Get-ChildItem \\ServerName\Users\ | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dir = $_
    $acl = Get-Acl -Path $dir.FullName

    # Break inheritance from the share root, keeping the inherited entries as explicit ones for now
    if (-not $acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $dir.FullName -AclObject $acl
        $acl = Get-Acl -Path $dir.FullName
    }

    # The only principals that should have access: admins, the backup account, SYSTEM and the folder's owner
    $principals = @(
        "BUILTIN\Administrators",
        "$domainname\Domain Admins",
        "$domainname\Backup Exec",
        "NT AUTHORITY\SYSTEM",
        "$domainname\$($dir.Name)"
    )
    $entry = foreach ($p in $principals) {
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            $p, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
    }

    # Wipe every existing explicit ACE, then add the standard set
    $acl.Access | ForEach-Object { [void]$acl.RemoveAccessRuleSpecific($_) }
    $entry | ForEach-Object { $acl.AddAccessRule($_) }
    Set-Acl -Path $dir.FullName -AclObject $acl
}
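Once the folders are set, permissions drift: someone re-enables inheritance, a user with Full Control shares their folder with a colleague, or an account is deleted and leaves an orphaned SID behind. The script below is an added example (not code from the original post) that audits the same folders and reports exactly those cases. The share path \\ServerName\Users, the domain name 'domain' and the 'Backup Exec' group are the same assumptions the script above makes.

```powershell
# Added example, not part of the original post. Reports user folders whose ACL no longer matches
# the standard set. Assumptions: share path, domain NetBIOS name and group names as in the script above.
$domainname = 'domain'
$share      = '\\ServerName\Users'
$standard   = @('BUILTIN\Administrators', "$domainname\Domain Admins", "$domainname\Backup Exec", 'NT AUTHORITY\SYSTEM')

function Test-UserFolderAcl {
    param([string]$Path, [string]$Owner)
    $acl      = Get-Acl -Path $Path
    $owner    = "$domainname\$Owner"
    $expected = $standard + $owner
    $findings = foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.IsInherited) { "inherited ACE for $id (inheritance should be blocked)"; continue }
        if ($ace.AccessControlType -eq 'Deny') { "explicit Deny for $id"; continue }
        if ($expected -notcontains $id) {
            # A stray Everyone/Authenticated Users, another user's account, or an orphaned S-1-5-... SID lands here
            "unexpected Allow for $id ($($ace.FileSystemRights))"
        }
    }
    [pscustomobject]@{
        Folder      = $Path
        Owner       = $Owner
        Protected   = $acl.AreAccessRulesProtected
        OwnerHasAce = [bool]($acl.Access | Where-Object { $_.IdentityReference.Value -eq $owner })
        Findings    = @($findings)
    }
}

Get-ChildItem -Path $share | Where-Object { $_.PSIsContainer } |
    ForEach-Object { Test-UserFolderAcl -Path $_.FullName -Owner $_.Name } |
    Where-Object { -not $_.Protected -or -not $_.OwnerHasAce -or $_.Findings.Count -gt 0 } |
    Format-List
```

A folder whose owner account no longer exists shows up with OwnerHasAce = False and an "unexpected Allow for S-1-5-..." finding, which is your list of home folders to archive. Also note that Full Control lets the user re-ACL their own folder, which is what makes the "another user's account" finding possible; if you do not want users sharing their folders, Modify is the usual grant instead.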

Active Directory - Random Script 2

PowerShell script using the Quest AD cmdlets to add a user to a specific security or distribution group.

# Script to add a user to an AD security or distribution group using the Quest AD cmdlets.
# Requires the Quest ActiveRoles Management Shell snap-in from
# http://www.quest.com/activeroles-server/arms.aspx
# then register the snap-in (key point):
Add-PSSnapin Quest.ActiveRoles.ADManagement
# bhart

$domainstr = ",dc=domain1,dc=org"
$domainnb  = "domain"                     ## domain NetBIOS name
$domain    = "FQDN"
$ou        = "ou=People,dc=domain,dc=org"
# (the four values above are not used below; kept for reference)

# Connect through the local ActiveRoles proxy as a domain admin; the password is prompted for as a SecureString, never stored in the script
$pw = Read-Host "Please enter domain admin password" -AsSecureString
Connect-QADService -Service 'localhost' -Proxy -ConnectionAccount 'difc\administrator' -ConnectionPassword $pw

$groupname = Read-Host "Please enter group name or partial"
$username  = Read-Host "Please enter username to add"

# Show every group matching the partial name so the right one can be picked
Get-QADGroup -Name "*$groupname*" | Select-Object Name, GroupType, DN

$groupname2 = Read-Host "Please enter the full group name"

Add-QADGroupMember -Identity $groupname2 -Member $username

Active Directory - Random Script 1

PowerShell script to poll and display enabled computer accounts that have not contacted a DC in more than 60 days.

# Calculate the UTC time 60 days ago in FileTime (Int64) format, as the string the LDAP filter needs
$LLTSlimit = (Get-Date).AddDays(-60).ToFileTimeUtc().ToString()
# LDAP filter: enabled computer accounts whose lastLogonTimestamp is older than 60 days.
# The matching rule 1.2.840.113556.1.4.803 is a bitwise AND; bit 2 of userAccountControl is ACCOUNTDISABLE.
# Note: lastLogonTimestamp is only replicated when it is more than about 14 days stale, so it is
# accurate to roughly two weeks, which is fine for a 60-day cut-off.
$LDAPFilter = "(&(objectCategory=computer)(lastLogonTimestamp<=$LLTSlimit)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
# Create an ADSI searcher rooted at the default naming context
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"")
$Searcher.Filter = $LDAPFilter
$Searcher.PageSize = 1000                                   # page the results so more than 1000 matches come back
$Searcher.PropertiesToLoad.AddRange(@('name', 'adspath', 'lastlogontimestamp'))
# Execute the query
$Accounts = $Searcher.FindAll()

# Process the results
$Results = @()
ForEach ($Account in $Accounts) {
    # Create an object to store this account in
    $Result = "" | Select-Object Name, ADSPath, lastLogonTimestamp
    $Result.Name    = [String]$Account.Properties['name'][0]
    $Result.ADSPath = [String]$Account.Properties['adspath'][0]
    # lastLogonTimestamp is stored as a FileTime integer; convert it to a readable local date
    $Result.lastLogonTimestamp = [DateTime]::FromFileTime([Int64]$Account.Properties['lastlogontimestamp'][0])
    $Results += $Result
}

# Output the results
$Results | Format-Table -AutoSize

# Extending this script to disable the discovered accounts is as easy as uncommenting this snippet at the end:
#ForEach ($Result in $Results) {
#    $ADSIAccount = [ADSI]$Result.ADSPath
#    $ADSIAccount.PSBase.InvokeSet("AccountDisabled", $true)
#    $ADSIAccount.SetInfo()
#}