Update to Advanced AAD Connect Permissions tool

Since its initial creation, I’ve made a few updates to the Advanced AAD Connect permissions tool.  The most recent updates:

2017-10-11 – delegating write permissions to the CN=adminSDHolder,CN=System container
2017-10-05 – delegating write permissions to the ms-DS-ConsistencyGuid property

These two updates should allow for a more complete AAD Connect permissions delegation experience.  The script has…

Use AAD Connect to disable accounts with expired on-premises passwords

This week, I received an email from a colleague asking if there was a way to work around the default behavior described in https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization:

Password expiration policy

If a user is in the scope of password synchronization, the cloud account password is set to Never Expire. You can continue to sign in to your cloud…

Advanced AAD Connect Permissions Configuration

Updated with additional requirements and scenarios, 2017-10-26.

I recently worked with a customer that needed assistance in configuring the additional permissions required for AAD Connect delegation.  After chasing down an incredible amount of prerequisite information, I decided it would be more helpful to my customer to put together a tool that would help them configure…

AADConnect Undocumented Filters

From time to time, you may find that you need to selectively filter out users going to Office 365.  The easiest way to do it is with a scoping filter.  We do have some documents on setting the cloudFiltered attribute in the metaverse to True, but that requires creating new rules.  And, if you’re in…

AAD Connect Error CD-8235 Exporting to AD Connector

This afternoon, I ran into a customer with a very interesting configuration–a 300-user department with 15 domain controllers spread among 6 sites. Which, given our guidance in the past, didn’t seem that out of line (redundant domain controllers at each site to process logons). What made it really interesting was that each site (including the…

PingProvisioningServiceEndPoint error when configuring AAD Connect

This afternoon, while configuring AAD Connect for a customer, I ran into a new error when I clicked Install at the end of the installation wizard: An error occurred executing Configure AAD Sync task: Unexpected exception thrown. Action: PingProvisioningServiceEndPoint, Exception: An error occurred. Error Code: 6. Error Description: Your credentials are not authorized to access…

Finding Duplicate Objects in Active Directory

For those of you that have embarked upon the trek to Office 365, you’ve undoubtedly run (or at least heard of) IDFix.  It detects and fixes a number of conditions that will cause the directory sync to report errors. Today, I want to focus on a tool I wrote for a customer almost 2 years…

Use AADConnect to add a Proxy Address

*UPDATE* After doing this originally, I decided to take a different route and write it back to the on-premises AD, so that way, the objects are synchronous.  This post now reflects the updated content.

A few weeks ago, I had an issue where I needed to remove a proxy address from the proxyAddresses array…

Use AADConnect to Populate Office 365 Usage Location

So, a million years and tens of thousands of lines of code ago, I wrote a script for a customer to populate the Office 365 UsageLocation property (Set-MsolUser -UsageLocation) with the ISO country codes from Active Directory.  In Office 365, UsageLocation is used to determine what features are available to your users. If you have the…

Remove an unwanted ProxyAddress pattern from users via AADConnect

I had an interesting request from a customer the other day where they were synchronizing Active Directory into two disparate environments–Office 365 and another hosted Exchange environment.  In their new Office 365 environment, they didn’t want any address proxies matching a particular pattern to be part of a user’s proxyAddress array–BUT–they also didn’t want to…
