Mailbag: Opening Day (Issue #10)

 

Hey y’all, Mark and Tom here. Bet you thought we’d miss this week too. We’ve been a bit busy over here, so that would mostly explain it. That, and I’m in two fantasy baseball leagues this year. My nerdiness extends into sports as well, thank you very much. Tom was doing something nerdy as well…probably. Anyway, keep sending the questions and we’ll keep answering them. Let’s jump in.

 

ADFS in Azure

ADFS Login page customization

Automatically joining a workplace join device

Password not required

Stuff from the Interwebs

 

Question

We want to host ADFS servers in Azure. Is there any documentation around this? Can we do this?

Answer

Yes, you can do this, and here are some links to get you started: https://technet.microsoft.com/library/dn509539.aspx

 

Question

We want to customize our ADFS login page. How do we do this?

Answer

You’ll be using PowerShell to do that (https://technet.microsoft.com/en-us/library/dn280950.aspx), and if that doesn’t meet your requirements you can take a look at https://technet.microsoft.com/en-us/library/dn636121.aspx

 

Question

I’m starting to use Workplace Join a lot and we want to take away the steps where the user has to manually join the device. Is there a way to automatically do this on a domain-joined device?

Answer

Yes, you can do this. For Windows 8.1 you can use Group Policy to set this configuration (https://technet.microsoft.com/en-us/library/dn720812.aspx). For Windows 7 you’ll need to download a package that runs as a scheduled task (https://technet.microsoft.com/en-us/library/dn609827.aspx).

 

Question

I noticed a bunch of user accounts in my domain have "password not required" set. What gives? Should I fix it?

Answer

Yes, you should.

Certain provisioning software (including dsadd) will create accounts with the userAccountControl attribute set to 0x220 hex, or 544 decimal. That value is PASSWD_NOTREQD (0x20) combined with NORMAL_ACCOUNT (0x200). The default for a standard user created via ADUC, with no other options enabled, is 0x200, or 512 decimal.

While having this set isn't the end of the world, since users will still have to enter a password in the UI when changing it, it IS possible for an administrator to reset the user's password to blank, so that no password is required at all for logon. Obviously we don't want that.

Fixing this is pretty easy with PowerShell. To discover all of the affected users, consult this handy KB article for the list of userAccountControl values: https://support.microsoft.com/en-us/kb/305144/

Then we need to construct the filter. We can use a bitwise AND to find out if the UAC attribute contains the value we're looking for:

Get-ADUser -Filter 'userAccountControl -band 32'   # 32 decimal = 0x20 (PASSWD_NOTREQD); the AD filter takes decimal values

That should return all of the accounts with password not required set. You'll probably want to scope that down to a specific OU with -SearchBase, as the above syntax will return ALL matching accounts in the domain, and there might be a valid reason to leave the flag in place on some of them. If we pipe the result to Set-ADUser with one more parameter, we can clear the flag and security will stop complaining.

Get-ADUser -Filter 'userAccountControl -band 32' | Set-ADUser -PasswordNotRequired:$false   # clears PASSWD_NOTREQD on every account returned
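As an added example that is not part of the original post, here is an audit-first version of that fix in PowerShell: it decodes each account's userAccountControl bits into the KB 305144 flag names, scopes the search to one OU, and only previews the Set-ADUser change so exempt accounts can be reviewed first. The OU distinguished name and the subset of flags decoded are assumptions.

```powershell
# Added example (not from the original post): audit PASSWD_NOTREQD in one OU,
# then preview the remediation. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Flag values from KB 305144; only the ones this report decodes (an assumed subset).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE     = 0x0002
    PASSWD_NOTREQD     = 0x0020
    NORMAL_ACCOUNT     = 0x0200
    DONT_EXPIRE_PASSWD = 0x10000
}

function ConvertTo-UacFlagNames {
    param([int]$Uac)
    # Bitwise-test each known flag and return the names that are set
    $UacFlags.GetEnumerator() | Where-Object { ($Uac -band $_.Value) -ne 0 } | ForEach-Object Key
}

function Get-PasswordNotRequiredReport {
    param([string]$SearchBase)
    # 32 decimal == 0x20 (PASSWD_NOTREQD); decimal is the form the AD filter parser expects.
    # -SearchBase limits the query to the OU instead of the whole domain.
    Get-ADUser -SearchBase $SearchBase -Filter 'userAccountControl -band 32' `
        -Properties userAccountControl, PasswordLastSet, Description |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                UAC             = ('0x{0:X}' -f $_.userAccountControl)   # e.g. 0x220
                Flags           = (ConvertTo-UacFlagNames $_.userAccountControl) -join ','
                PasswordLastSet = $_.PasswordLastSet
                Description     = $_.Description   # helps spot accounts with a documented exemption
            }
        }
}

$ou = 'OU=Staff,DC=contoso,DC=com'   # hypothetical OU; replace with your own
$report = Get-PasswordNotRequiredReport -SearchBase $ou
$report | Format-Table -AutoSize

# Remediate only after reviewing the report. -WhatIf prints what would change;
# drop it (or replace it with -Confirm) to actually clear the flag.
$report | ForEach-Object { Get-ADUser $_.SamAccountName } |
    Set-ADUser -PasswordNotRequired $false -WhatIf
```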

Stuff from the Interwebs

-True Detective season 2 teaser trailer just appeared and it’s awesome, like you’d expect. Watch season 1 if you missed it.

-Hockey playoffs are here for professional, college and high school. However, Minnesota takes its high school hockey extra seriously with the all-hockey-hair team.

-Also the NHL needs to get rid of the "Loser Point". Tom and I both co-sign on this decision.  

-Baseball has just started, the best time of year. Listen to Domingo, a 7-time Infielder of the Year and 6-time Outfielder of the Year award winner (two years overlapping when he played both SS and LF in order to hit twice in the lineup), get you prepped for Opening Day. Watch his other videos unless you are Semi-Pro or worse…Sunday League.

 

Mark “that one got too much of my bat” Morowczynski and Tom “cage bombs” Moser