Mailbag: Opening Day (Issue #10)

___________________________________________________________________________________________________________________________

IMPORTANT ANNOUNCEMENT FOR OUR READERS!

AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!

__________________________________________________________________________________________________________________________

 

Hey y’all Mark and Tom here. Bet you thought we’d miss this week too.  We’ve been a bit busy over here so that would mostly explain it. That and I’m in two fantasy baseball leagues this year. My nerdiness extends into sports as well thank you very much. Tom was doing something nerdy as well…..probably. Anyways keep sending the questions and we’ll keep answering them. Let’s jump in.

 

ADFS in Azure

ADFS Login page customization

Automatically joining a workplace join device

Password not required

Stuff from the Interwebs

 

Question

We want to host ADFS servers in Azure. Is there any documentation around this? Can we do this?

Answer

Yes you can do this and here is some links to get you started. https://technet.microsoft.com/library/dn509539.aspx

 

Question

We want to customize our ADFS login page. How do we do this?

Answer

You’ll be using powershell to do that https://technet.microsoft.com/en-us/library/dn280950.aspx and if that doesn’t meet your requirements you can take a look at https://technet.microsoft.com/en-us/library/dn636121.aspx

 

Question

I’m starting to use workplace join a lot and we want to take away the steps where the user has to manually join the device. Is there a way to automatically do this on a domain joined device?

Answer

Yes you can do this. For Windows 8.1 you can use Group Policy to set this configuration (https://technet.microsoft.com/en-us/library/dn720812.aspx) For Windows 7 you’ll need to download a package and it runs as a scheduled task (https://technet.microsoft.com/en-us/library/dn609827.aspx)

 

Question

I noticed a bunch of user accounts in my domain have "password not required" set. What gives? Should I fix it?

Answer

Yes, you should.

Certain provisioning software (including dsadd) will create the accounts with the user account control attribute set to 0x220 hex, or 544 decimal. That indicates PASSWD_NOTREQD and NORMAL_ACCOUNT. The default value for a standard user created via ADUC, with no other options enabled would be 0x200, or 512 decimal.

While having this set isn't the end of the world, as users will still have to enter a password in the UI while changing the password, it IS possible that an administrator could reset the user's password to blank, not requiring a password at all for logon. Obviously we don't want that.

Fixing this is pretty easy with PowerShell. If you want to discover all of the users, you can consult this handy TechNet KB for the list of values: https://support.microsoft.com/en-us/kb/305144/

After, we need to construct the LDAP filter… we can use a bitwise AND to find out of the UAC attribute contains the value we're looking for:

Get-Aduser -Filter {UserAccountControl -band 0x020}

And that should return all of the accounts with password not required set. You'll probably want to scope that down to a specific OU, as the above syntax will get ALL accounts. There might be a valid reason to leave it in place. If we pipe that to Set-ADUser with a few switches, we can remove the value and security will stop complaining.

 Get-Aduser -Filter {UserAccountControl -band 0x020} | Set-Aduser -PasswordNotRequired:$false

Stuff from the Interwebs

-True Detective season 2 teaser trailer just appeared and it’s awesome like you’d expect. Watch season 1 if you missed it.  

-Hockey playoffs are here for both professional, college and high school. However Minnesota takes their high school hockey extra seriously with the all hockey hair team.

-Also the NHL needs to get rid of the "Loser Point". Tom and I both co-sign on this decision.  

-Baseball has just started, the best time of year. Listen to Domingo, a 7-time Infielder of the Year and 6-time Outfielder of the Year award winner (two years overlapping when he played both SS and LF in order to hit twice in the lineup), get you prep'd on Opening Day. Watch his other videos unless you are Semi-Pro or worse….Sunday League.

 

Mark “that one got too much of my bat” Morowczynski and Tom “cage bombs” Moser