Working around accounts that expire with AAD Connect: REDUX

When attempting to migrate a Microsoft 365 organization from federated authentication to Password Hash Sync, there are a couple of gotchas that can impact how you manage certain accounts. These changes in authentication behavior determine whether you need to implement new workflows or business processes: changes surrounding expired accounts and accounts flagged to force password change on next logon.…

Working around accounts that expire with AAD Connect

When attempting to migrate a Microsoft 365 organization from federated authentication to Password Hash Sync, there are a couple of gotchas that can impact how you manage certain accounts. These changes in authentication behavior determine whether you need to implement new workflows or business processes: changes surrounding expired accounts and accounts flagged to force password change on next logon.…

Update to AADConnect Network Communications Test

It’s been a few months since I’ve updated this tool, but feedback from two individuals led me to a couple of small updates:

  • Updated the method by which domain controllers are selected for testing. Previously, I just used the $env:LOGONSERVER variable to find the authenticating DC and didn’t actually use any of the other DCs in the site (any of which AAD Connect can bind to).

Update to AADConnect Network Communications Test

Today’s a bugfix day! Woo!

One of my peers, @DerrickBaxter, brought a few issues to my attention that I resolved:

  • Updated password write-back endpoints
  • Updated syntax for checking for RODCs
  • Error resolving Administrator Roles
  • Failing Azure AD Credential check functionality that logged both failure AND success

I’ve also updated a few other things, including updating the checks for DCOM/OLE permissions, trusted sites, and execution policies.…

Update to Find-DuplicateValues script

Hey! As we enter the waning days of summer, I wanted to update a tool that I’ve had sitting around for a while.

Years ago, when I was in Microsoft Consulting Services, I ran into one particular customer that had manually populated the mail property of thousands of service accounts, groups, vendor accounts, and contacts, not with the object or user’s individual email address, but with the email address of the person who managed the AD object.…