WRISH

A new corner

Isolate a DC - Part 3: Activate Administrator Account

This is Part 3 of a multi-part blog post automating AD Forest Recovery: take your forest to rehab, sit it down and force it not to have any AD corruption.

Activate Administrator Account

Now I am not one for a false sense of security, but people building environments that I support are. That is why, more often than not, the Administrator account is renamed and the password is divided in 2 and stored at different ends of the earth, one half under the 6 watchful eyes of Cerberus, the other stuffed in a filing cabinet lost to the ages.

import-svclog to import SVCLOG files

The Intune connectors dump all their useful information to .svclog files. You can read these files with svcTraceViewer.exe, which you can get by installing the Windows Communication Foundation SDK.

Don’t want to download the SDK just to get one tool? Do not fear - they are just XML. Here is an imperfect script for reading svclog files.

HTTPS Inspection on Android with Hyper-V and an Emulator

I’ve been doing some work with Microsoft Intune - specifically around Conditional Access, Azure AD and Intune. There are plenty of guides online for getting a Fiddler trace of HTTPS traffic between Android and a back end, but they all require you to have your Windows laptop on the same network as your Android device. In a modern corporate network architecture that isn’t easy. The Microsoft support team, my customer network, and my contracting company network were all locked down, preventing this setup.

Isolate a DC - Part 2: Reset SYSVOL Sync State

This is Part 2 of a multi-part blog post covering the steps to Isolate a Domain Controller - if not emotionally, then logically.

Reset your DFSR SYSVOL State

A DC booting into its own little world won’t become healthy until SYSVOL has completed a sync with a partner in its domain. This step is optional if your domain is temporary, but if you ever want to promote a new DC, or have a beautiful clear DCDIAG, then you’ll need to force SYSVOL into a synced state.

Isolate a DC - Part 1: Configure the Network

Dragging a single Domain Controller by its nostril into an isolated network can be time consuming. For testing or disaster recovery, the steps are the same, and while well documented almost everywhere, there don’t seem to be any quick and dirty tools to do the steps for you. That is why I wrote this series of PowerShell functions that can be applied to a DC you have restored in your virtual environment to get your test Forest up and running quickly.

ADFS Rapid restore tool errors

Troubleshooting the ADFS Rapid Restore Tool

```
import-module ADFSRapidRecreationTool.dll
import-module : The specified module 'ADFSRapidRecreationTool.dll' was not loaded because no valid module file was found in any module directory.
```

Supply the full path to the dll to import it.

```
Backup-ADFS : Failed to connect to the database associated with ADFS
```

You do not have permissions to the ADFS database. If you are using a SQL database, make sure your account has access to the database; if WID, make sure you are running as administrator.

Assign EMS licenses to all licensed users with dynamic groups

Azure conditional access provides flexible control over access to Office 365 resources and services based on location/user group membership/device etc. If you set up conditional access rules, any user who doesn’t have an Azure AD Premium license will not be affected by them - access is permitted by default! How to work around this without manually assigning licenses to every user or using a dodgy script? Azure AD has a capability called Dynamic Groups.

Assign EMS licenses to all licensed users

Azure conditional access provides amazingly flexible control over access to Office 365 resources and services based on location/user group membership/device etc. Leveraging it to block access generally requires EMS (Enterprise Mobility + Security) licenses for all users. This short script will assign EMS licenses to all users in your tenant who are licensed but do not have EMS yet.

User Profile Cleanup

Download Cleanup-UserProfiles.ps1

Big environments get messy: lots of users, lots of admins, lots of logging in here and there. Profiles accumulate, C drive starts to get full, oh the humanity! Fear not, humble Admin, on our adventures today we discover how to remove old user profiles with naught but the flick of a WMI method. The meat and bones of this function is getting user profiles and deleting them: $userprofiles = Get-WmiObject -Class Win32_UserProfile $userprofiles[$whichOne].

Paste an array into a variable

You’ve got a list of values, you want that in an array.

You could copy it to a file and import it. You could dump it as a string and split it into an array... or you could Create-ArrayFromPastedText.