Update to the AAD Connect Advanced Permissions Tool

A few users reported bugs with logging that I have updated. There was also an unreported bug when searching the XML generated by Get-ADSyncServerConfiguration for the connector’s AD user, which I have also resolved. You can get the updated tool at https://gallery.technet.microsoft.com/AD-Advanced-Permissions-49723f74.


Update to the AAD Connect Network and Name Resolution Test Tool

A few months ago, I debuted a new tool for AAD Connect deployment (read about it here: AAD Connect Network and Name Resolution Test or download it here: https://gallery.technet.microsoft.com/Azure-AD-Connect-Network-150c20a3) which allows you to test a number of conditions to make sure your server and environment are suitable for deploying AAD Connect. This week, I needed…


AAD Connect Network and Name Resolution Test

Update: I’ve added several additional parts to this tool since it was originally released, including some debug logging, an Azure credential check to ensure that your identity is part of Global Admins, additional cloud endpoint checks, and a more thorough system inventory. While assisting some of my customers last year on a multi-forest AAD Connect…


Update to the AAD Connect Advanced Permissions tool

Two updates for the tool in a week? Yes! It is so! At the behest of my good friend Darryl and one of his customer’s needs, I have updated the AAD Connect Advanced Permissions tool with the following: Allow the underscore (“_”) character to be used in an OU name path Allow CN= to…


Update to the AAD Connect Advanced Permissions tool

On the recommendation of my good friend Darryl, I’ve added some things to my AAD Connect permissions tool: Better logging of errors. When running the tool for a large organization that had $ characters in its service account names, the tool would report successful but not leave any log files or indicators where things may…


Update to Advanced AAD Connect Permissions tool

Since its initial creation, I’ve made a few updates to the Advanced AAD Connect permissions tool. The most recent updates: 2017-10-11 – delegating write permissions to the CN=adminSDHolder,CN=System container 2017-10-05 – delegating write permissions to the ms-DS-ConsistencyGuid property These two updates should allow for a more complete AAD Connect permissions delegation experience. The script has…


Use AAD Connect to disable accounts with expired on-premises passwords

This week, I received an email from a colleague asking if there was a way to work around the default behavior described in https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization: Password expiration policy If a user is in the scope of password synchronization, the cloud account password is set to Never Expire. You can continue to sign in to your cloud…


Advanced AAD Connect Permissions Configuration

Updated with additional requirements and scenarios, 2017-10-26. I recently worked with a customer that needed assistance in configuring the additional permissions required for AAD Connect delegation. After chasing down an incredible amount of prerequisite information, I decided it would be more helpful to my customer to put together a tool that would help them configure…


AADConnect Undocumented Filters

From time to time, you may find that you need to selectively filter out users going to Office 365. The easiest way to do it is with a scoping filter. We do have some documents on setting the cloudFiltered attribute in the metaverse to True, but that requires creating new rules. And, if you’re in…


AAD Connect Error CD-8235 Exporting to AD Connector

This afternoon, I ran into a customer with a very interesting configuration: a 300-user department with 15 domain controllers spread among 6 sites. Which, given our guidance in the past, didn’t seem that out of line (redundant domain controllers at each site to process logons). What made it really interesting was that each site (including the…