Mailbag: Opening Day (Issue #10)
Hey y’all Mark and Tom here. Bet you thought we’d miss this week too. We’ve been a bit busy over here so that would mostly explain it. That and I’m in two fantasy baseball leagues this year. My nerdiness extends into sports as well thank you very much. Tom was doing something nerdy as well…..probably. Anyways keep sending the questions and we’ll keep answering them. Let’s jump in.
Automatically joining a workplace join device
Question
We want to host ADFS servers in Azure. Is there any documentation around this? Can we do this?
Answer
Yes you can do this and here is some links to get you started. https://technet.microsoft.com/library/dn509539.aspx
Question
We want to customize our ADFS login page. How do we do this?
Answer
You’ll be using powershell to do that https://technet.microsoft.com/en-us/library/dn280950.aspx and if that doesn’t meet your requirements you can take a look at https://technet.microsoft.com/en-us/library/dn636121.aspx
Question
I’m starting to use workplace join a lot and we want to take away the steps where the user has to manually join the device. Is there a way to automatically do this on a domain joined device?
Answer
Yes you can do this. For Windows 8.1 you can use Group Policy to set this configuration (https://technet.microsoft.com/en-us/library/dn720812.aspx) For Windows 7 you’ll need to download a package and it runs as a scheduled task (https://technet.microsoft.com/en-us/library/dn609827.aspx)
Question
I noticed a bunch of user accounts in my domain have "password not required" set. What gives? Should I fix it?
Answer
Yes, you should.
Certain provisioning software (including dsadd) will create the accounts with the user account control attribute set to 0x220 hex, or 544 decimal. That indicates PASSWD_NOTREQD and NORMAL_ACCOUNT. The default value for a standard user created via ADUC, with no other options enabled would be 0x200, or 512 decimal.
While having this set isn't the end of the world, as users will still have to enter a password in the UI while changing the password, it IS possible that an administrator could reset the user's password to blank, not requiring a password at all for logon. Obviously we don't want that.
Fixing this is pretty easy with PowerShell. If you want to discover all of the users, you can consult this handy TechNet KB for the list of values: https://support.microsoft.com/en-us/kb/305144/
After, we need to construct the LDAP filter… we can use a bitwise AND to find out of the UAC attribute contains the value we're looking for:
And that should return all of the accounts with password not required set. You'll probably want to scope that down to a specific OU, as the above syntax will get ALL accounts. There might be a valid reason to leave it in place. If we pipe that to Set-ADUser with a few switches, we can remove the value and security will stop complaining.
Stuff from the Interwebs
-True Detective season 2 teaser trailer just appearedand it’s awesome like you’d expect. Watch season 1 if you missed it.
-Hockey playoffs are here for both professional, college and high school. However Minnesota takes their high school hockey extra seriously with the all hockey hair team.
-Also the NHL needs to get rid of the "Loser Point". Tom and I both co-sign on this decision.
-Baseball has just started, the best time of year. Listen to Domingo, a 7-time Infielder of the Year and 6-time Outfielder of the Year award winner (two years overlapping when he played both SS and LF in order to hit twice in the lineup), get your prep'd on Opening Day. Watch his other videos unless you are Semi-Pro or worse….Sunday League.
Mark “that one got too much of my bat” Morowczynski and Tom “cage bombs” Moser