Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2019-10-26) Azure AD Password Protection (A.k.a. Banned Password List) – Checking The DC Agent Status (Part 5)

Posted by Jorge on 2019-10-26


As you deploy RWDCs, you need to make sure all of them have the Azure AD Password Protection DC Agent installed, and preferably the latest version. Although the Azure AD Password Protection Proxy Service component supports auto-upgrade, the Azure AD Password Protection DC Agent DOES NOT: when a newer version is available it only logs an event in the Azure AD Password Protection DC Agent Operational event log, and you have to download the latest version from here and install it yourself (you can check the version history here). To create a report of the RWDCs that have the Azure AD Password Protection DC Agent (with some additional info) and the RWDCs that DO NOT have it installed, including what the OS is and whether the minimum required .NET Framework version is installed, you can use the following PowerShell script. The script supports three modes: forest, domain (specified) and rwdc (specified)! Be aware that this check script only reports the correct information about an RWDC if the RWDC has been rebooted after installing (or upgrading) the Azure AD Password Protection DC Agent, because the installed version is only registered in AD once the RWDC has been rebooted.

# To Target All RWDCs In The AD Forest

.\AAD-Password-Protection-Install-DC-Agent-Check.ps1 -scope Forest

OR

# To Target All RWDCs In The Specified AD Domain(s)

.\AAD-Password-Protection-Install-DC-Agent-Check.ps1 -scope Domain -domains <FQDN Domain 1>,<FQDN Domain 2>,<FQDN Domain N>

OR

# For All Specified RWDCs

.\AAD-Password-Protection-Install-DC-Agent-Check.ps1 -scope RWDC -servers <FQDN RWDC 1>,<FQDN RWDC 2>,<FQDN RWDC N>

Figure 1: Creating A Report Of RWDCs With And Without The Azure AD Password Protection DC Agent Before The Reboot (Scope: Forest)

Figure 2: GridView Output Before The Reboot

Based upon the output displayed above I can say the following:

  • This is a disconnected AD forest with no connection to Azure AD. That's why RWDCs that are otherwise all green still show "Not Registered/Unknown" for the Azure AD Tenant.
  • Where the installed version is shown but the registered version is "Not Registered/Unknown", the RWDC has not been rebooted yet after installing the Azure AD Password Protection DC Agent for the first time!
  • Where the installed version and the registered version are both numeric but do not match, the RWDC has not been rebooted yet after upgrading the Azure AD Password Protection DC Agent.
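The post's own script is a download, so here is an added example (not Jorge's script, and not Microsoft's code) that implements the same forest/domain/RWDC inventory and encodes the three observations above: it collects the installed agent version, OS and .NET Framework release from each RWDC over WinRM, joins that with what the agents registered in AD, and flags the "never registered" and "numeric mismatch" cases as a pending reboot. It assumes the RSAT ActiveDirectory module on the admin host, WinRM access to every RWDC, and optionally the AzureADPasswordProtection module (installed with the Proxy) for the registered columns. The service name, event log and registry paths are Microsoft's; the reboot heuristic, the .NET 4.7.2 release number and the property names returned by Get-AzureADPasswordProtectionDCAgent are assumptions you should verify in your own environment.

```powershell
# Added example, not the post's own script. Assumes: RSAT ActiveDirectory module, WinRM to every RWDC,
# optionally the AzureADPasswordProtection module for the "registered" columns. The reboot heuristic
# and the Get-AzureADPasswordProtectionDCAgent property names are assumptions to verify.
[CmdletBinding()]
param(
    [ValidateSet('Forest', 'Domain', 'RWDC')] [string] $Scope = 'Forest',
    [string[]] $Domains,
    [string[]] $Servers,
    [int] $MinDotNetRelease = 461808   # .NET Framework 4.7.2 release number (assumed minimum for the DC Agent)
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Resolve the targets; the DC Agent only runs on writable DCs, so RODCs are dropped.
$targets = switch ($Scope) {
    'Forest' { (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ } }
    'Domain' { $Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ } }
    'RWDC'   { $Servers | ForEach-Object { Get-ADDomainController -Identity $_ } }
}
$targets = @($targets | Where-Object { -not $_.IsReadOnly })

# 2. What the agents registered in AD. Only available when the Proxy-side module is present;
#    otherwise every RWDC shows "Not Registered/Unknown", exactly like a disconnected forest does.
$registered = @{}
if (Get-Command Get-AzureADPasswordProtectionDCAgent -ErrorAction SilentlyContinue) {
    foreach ($a in Get-AzureADPasswordProtectionDCAgent) { $registered[$a.ServerFQDN.ToLower()] = $a }
}

# 3. Facts collected locally on each RWDC.
$probe = {
    param([int] $MinRelease)
    $os  = Get-CimInstance Win32_OperatingSystem
    $svc = Get-CimInstance Win32_Service -Filter "Name='AzureADPasswordProtectionDCAgent'"
    $rel = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    $ver = $null; $pending = $null
    if ($svc) {
        $exe = $svc.PathName -replace '^"([^"]+)".*$', '$1'          # drop quotes and arguments
        $bin = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
        if ($bin) {
            $ver = $bin.VersionInfo.ProductVersion
            # Heuristic (assumption): an agent binary created after the last boot, or a pending
            # file-rename operation, means the install/upgrade has not been rebooted into yet.
            $pfro = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
            $pending = ($bin.CreationTime -gt $os.LastBootUpTime) -or ($null -ne $pfro)
        }
    }
    [pscustomobject]@{
        OS               = $os.Caption
        LastBoot         = $os.LastBootUpTime
        DotNetRelease    = $rel
        DotNetOK         = ($rel -ge $MinRelease)
        AgentInstalled   = [bool] $svc
        AgentState       = $(if ($svc) { $svc.State } else { 'Not Installed' })
        InstalledVersion = $ver
        RebootPending    = $pending
    }
}

# 4. Merge local facts with the AD registration and flag the two mismatch cases from the post.
$report = foreach ($dc in $targets) {
    $fqdn = $dc.HostName.ToLower()
    try   { $r = Invoke-Command -ComputerName $fqdn -ScriptBlock $probe -ArgumentList $MinDotNetRelease -ErrorAction Stop }
    catch { $r = [pscustomobject]@{ OS = 'UNREACHABLE'; AgentState = $_.Exception.Message } }
    $reg    = $registered[$fqdn]
    $regVer = if ($reg) { $reg.SoftwareVersion } else { 'Not Registered/Unknown' }
    [pscustomobject]@{
        Domain            = $dc.Domain
        RWDC              = $fqdn
        OS                = $r.OS
        DotNetOK          = $r.DotNetOK
        AgentInstalled    = $r.AgentInstalled
        AgentState        = $r.AgentState
        InstalledVersion  = $r.InstalledVersion
        RegisteredVersion = $regVer
        AzureADTenant     = $(if ($reg -and $reg.AzureTenant) { $reg.AzureTenant } else { 'Not Registered/Unknown' })
        RebootPending     = $r.RebootPending
        # installed but never registered => first install not rebooted; numeric mismatch => upgrade not rebooted
        NeedsReboot       = ($r.InstalledVersion -and $regVer -ne $r.InstalledVersion) -or ($r.RebootPending -eq $true)
    }
}
$report | Sort-Object Domain, RWDC | Out-GridView -Title 'Azure AD Password Protection DC Agent Status'
$report
```

Run it as `.\Check-DCAgent.ps1 -Scope Domain -Domains child.contoso.com` (a hypothetical file name and domain) from a host that can reach every RWDC over WinRM. The NeedsReboot column is the actionable one: an RWDC with a version installed but nothing registered, or with two different numeric versions, is the "installed but not rebooted" case described above, and the rest of the row is not trustworthy until that reboot has happened.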

After rebooting all RWDCs, it looks like:

Figure 3: Creating A Report Of RWDCs With And Without The Azure AD Password Protection DC Agent After The Reboot (Scope: Forest)

Figure 4: GridView Output After The Reboot

Figure 5: Creating A Report Of RWDCs With And Without The Azure AD Password Protection DC Agent (Scope: Domain)

Figure 6: Creating A Report Of RWDCs With And Without The Azure AD Password Protection DC Agent (Scope: RWDC)

You can download the script from here.

Have fun!

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge's Quest For Knowledge ##########################
http://JorgeQuestForKnowledge.wordpress.com/
————————————————————————————————————————————————————-
