Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Windows Azure Active Directory’ Category

(2020-05-08) Upgrading Azure AD Connect – Some Tips

Posted by Jorge on 2020-05-08


These are some tips I would like to share with you when upgrading Azure AD Connect

[1] Before the upgrade I always export the global configuration and sync rules of Azure AD Connect through a PowerShell script I wrote to a folder

[2] During the upgrade I ALWAYS uncheck the option on the “Ready to configure” page that starts the synchronization process as soon as the configuration completes (see figure 1). Why? I like to have the opportunity to check things before any sync cycle starts.


Figure 1: “Ready To Configure” In The Azure AD Connect Upgrade Wizard

[3] After the upgrade I always check the global configuration options to see if anything is different compared to before the upgrade. You either need to have a good memory or create screenshots before the upgrade to be able to compare

Azure AD Connect Wizard –> Configure –> View current configuration


Figure 2: Global Configuration Of Azure AD Connect

[4A] After the upgrade I always check the selected forests/domains/OUs to see if anything is different compared to before the upgrade. You either need to have a good memory or create screenshots before the upgrade to be able to compare or have documentation describing what should be configured

Azure AD Connect Wizard –> Configure –> Customize Synchronization Options

In this screen I really want to make sure everything is as it should be! For every connected directory I always expand every AD domain to be sure only the required OUs are selected and nothing else. This only applies if you have selected specific AD domains and OUs that need to be synched. The check is very simple: for every AD domain, expand and then collapse again. Look at the difference between figures 3 and 4.

Figure 3: Domain And OU Filtering – BEFORE Expanding

Figure 4: Domain And OU Filtering – AFTER Expanding And Collapsing

[4B] After the upgrade I always check the Optional Features, Azure AD Apps, Azure AD Attributes and Directory Extensions to see if anything is different compared to before the upgrade. You either need to have a good memory or create screenshots before the upgrade to be able to compare or have documentation describing what should be configured. I always close/cancel the wizard by clicking on the cross in the upper right corner

[5] After the upgrade I always export the global configuration and sync rules of Azure AD Connect through a PowerShell script I wrote to a folder

[6] After the upgrade I always compare the global configuration exported before the upgrade and the global configuration after the upgrade. This is done through a PowerShell script I wrote

[7] After the upgrade I always compare the sync rules exported before the upgrade and the sync rules after the upgrade. This is done through a PowerShell script I wrote

[8] After the upgrade I always check the “Application Event Log” for any “weirdness” whatever that may be

[9] After the upgrade I always check the most recent log files in the folder “C:\ProgramData\AADConnect” to see what happened during the AAD Connect upgrade and to see if there is any weirdness

[10] And when everything is OK, I re-enable the sync schedule and manually start a sync cycle!
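An added example, not the author's own script, of the export-before/compare-after routine in steps [1], [5], [6] and [7]. It uses the ADSync module's Get-ADSyncGlobalSettings, Get-ADSyncScheduler and Get-ADSyncRule cmdlets on the Azure AD Connect server; the export folder C:\AADC-Exports is an assumption.

```powershell
# Added example (not the author's script): export the Azure AD Connect global settings,
# scheduler settings and sync rules to a timestamped folder, then compare two exports.
# Assumes the ADSync module that ships with Azure AD Connect and runs on the AADC server.
Import-Module ADSync

function Export-AadcConfig {
    param([Parameter(Mandatory)][string]$Folder)   # e.g. 'C:\AADC-Exports' (assumed path)
    $out = Join-Path $Folder (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $out -Force | Out-Null

    # Global settings are exposed as a list of name/value parameters
    (Get-ADSyncGlobalSettings).Parameters |
        Select-Object Name, Value | Sort-Object Name |
        Export-Csv -Path (Join-Path $out 'GlobalSettings.csv') -NoTypeInformation

    # Scheduler state (sync cycle enabled, interval, next run) for later reference
    Get-ADSyncScheduler | Export-Clixml -Path (Join-Path $out 'Scheduler.xml')

    # One XML per sync rule (deep enough to keep flows, scope and join filters), plus a summary CSV
    $rules = Get-ADSyncRule
    foreach ($r in $rules) {
        $safe = $r.Name -replace '[^\w\- ]', '_'
        $r | Export-Clixml -Depth 5 -Path (Join-Path $out ('Rule_{0}_{1}.xml' -f $r.Precedence, $safe))
    }
    $rules | Select-Object Identifier, Name, Precedence, Direction, Disabled, Connector |
        Sort-Object Precedence |
        Export-Csv -Path (Join-Path $out 'SyncRules.csv') -NoTypeInformation
    return $out
}

function Compare-AadcConfig {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $diffs = @()

    # Global settings: any parameter whose value differs shows up once per side
    $b = Import-Csv (Join-Path $Before 'GlobalSettings.csv')
    $a = Import-Csv (Join-Path $After  'GlobalSettings.csv')
    $diffs += Compare-Object $b $a -Property Name, Value -PassThru | ForEach-Object {
        [pscustomobject]@{ Area = 'GlobalSetting'; Item = $_.Name; Side = $_.SideIndicator; Value = $_.Value }
    }

    # Sync rules: added/removed rules and changes to precedence, direction or disabled state
    $b = Import-Csv (Join-Path $Before 'SyncRules.csv')
    $a = Import-Csv (Join-Path $After  'SyncRules.csv')
    $diffs += Compare-Object $b $a -Property Identifier, Name, Precedence, Direction, Disabled -PassThru |
        ForEach-Object {
            [pscustomobject]@{ Area = 'SyncRule'; Item = $_.Name; Side = $_.SideIndicator
                               Value = 'Precedence={0} Direction={1} Disabled={2}' -f $_.Precedence, $_.Direction, $_.Disabled }
        }

    # Rule bodies: same file name on both sides but a different hash means flows/scope/join changed
    foreach ($f in Get-ChildItem (Join-Path $Before 'Rule_*.xml')) {
        $twin = Join-Path $After $f.Name
        if ((Test-Path $twin) -and ((Get-FileHash $f.FullName).Hash -ne (Get-FileHash $twin).Hash)) {
            $diffs += [pscustomobject]@{ Area = 'SyncRuleBody'; Item = $f.BaseName; Side = '<>'
                                         Value = 'rule definition changed (flows, scope or join filter)' }
        }
    }
    return $diffs
}

# Usage: run the export before the upgrade, again after it (scheduler still disabled), then compare.
# $before = Export-AadcConfig -Folder 'C:\AADC-Exports'
# $after  = Export-AadcConfig -Folder 'C:\AADC-Exports'
# Compare-AadcConfig -Before $before -After $after | Format-Table -AutoSize
```

In the output, Side "<=" means the value existed only in the pre-upgrade export and "=>" only in the post-upgrade export; an empty result means the upgrade changed nothing in the settings and rules.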

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Azure AD Connect, Windows Azure Active Directory | 2 Comments »

(2020-05-08) Azure AD Connect v1.5.29.0 (And v1.5.22.0) Have Been Released

Posted by Jorge on 2020-05-08


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)


IMPORTANT: In one environment I upgraded from Azure AD Connect 1.5.20.0. I noticed that it triggered a Full Synchronization on the AD MA/Connector(s). Since the full syncs may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

Azure AD Connect: Version Release History

1.5.29.0 / 1.5.22.0

Released: 4/23/2020 / 4/20/2020

Released for download.

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Functional changes ADSyncAutoUpgrade

• N.A.

Fixed issues:

• From v1.5.29.0: This hotfix build fixes an issue introduced in build 1.5.20.0 where a tenant administrator with MFA was not able to enable DSSO.
• From v1.5.22.0: This hotfix build fixes an issue in build 1.5.20.0 if you have cloned the In from AD – Group Join rule and have not cloned the In from AD – Group Common rule.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2020-04-10) Azure AD Connect v1.5.20.0 Has Been Released

Posted by Jorge on 2020-04-10



Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

IMPORTANT: N.A.

Azure AD Connect: Version Release History

1.5.20.0

Released: 4/9/2020

Released for download. Not available for auto-upgrade

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Functional changes ADSyncAutoUpgrade

• N.A.

Fixed issues:

• This hotfix build fixes an issue with build 1.5.18.0 if you have the Group Filtering feature enabled and use mS-DS-ConsistencyGuid as the source anchor.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2020-04-04) Azure AD Connect v1.5.18.0 Has Been Released

Posted by Jorge on 2020-04-04



Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.4.38.0. I noticed that it triggered a Full Import on the AAD MA/Connector, and it also triggered a Full Sync on both the AD and AAD MA/Connector. Since the full imports/syncs may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

Azure AD Connect: Version Release History

1.5.18.0

Released: 4/2/2020

Released for download. Not available for auto-upgrade

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Functional changes ADSyncAutoUpgrade

• Added support for the mS-DS-ConsistencyGuid feature for group objects. This allows you to move groups between forests or reconnect groups in AD to Azure AD where the AD group objectID has changed, e.g. when an AD server is rebuilt after a calamity. For more information see Moving groups between forests.
• The mS-DS-ConsistencyGuid attribute is automatically set on all synced groups and you do not have to do anything to enable this feature.
• Removed the Get-ADSyncRunProfile because it is no longer in use.
• Changed the warning you see when attempting to use an Enterprise Admin or Domain Admin account for the AD DS connector account to provide more context.
• Added a new cmdlet to remove objects from the connector space: the old CSDelete.exe tool is removed and replaced with the new Remove-ADSyncCSObject cmdlet. The Remove-ADSyncCSObject cmdlet takes a CsObject as input. This object can be retrieved by using the Get-ADSyncCSObject cmdlet.

Fixed issues

• Fixed a bug in the group writeback forest/OU selector on rerunning the Azure AD Connect wizard after disabling the feature.
• Introduced a new error page that will be displayed if the required DCOM registry values are missing, with a new help link. Information is also written to log files.
• Fixed an issue with the creation of the Azure Active Directory synchronization account where enabling Directory Extensions or PHS may fail because the account has not propagated across all service replicas before attempted use.
• Fixed a bug in the sync errors compression utility that was not handling surrogate characters correctly.
• Fixed a bug in the auto upgrade which left the server in the scheduler suspended state.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | 1 Comment »

(2020-01-30) Deprecation Of Azure AD Connect Versions

Posted by Jorge on 2020-01-30


Starting on November 1st, 2020, Microsoft will begin implementing a deprecation process whereby versions of Azure AD Connect that were released more than 18 months ago will be deprecated. At that time Microsoft will begin this process by deprecating all releases of Azure AD Connect with version 1.1.751.0 (which was released on 4/12/2018) and older, and Microsoft will proceed to evaluate the deprecation of older versions of Azure AD Connect every time a new version releases.

You need to make sure you are running a recent version of Azure AD Connect to receive an optimal support experience. If you run a deprecated version of Azure AD Connect you may not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools and service enhancements, and if you require support Microsoft may not be able to provide you with the level of service your organization needs.

If you have enabled Azure AD Connect for sync you will soon automatically begin receiving Health notifications that warn you about upcoming deprecations when you are running one of the older versions.

Please refer to this article to learn more about how to upgrade Azure AD Connect to the latest version.

In other words: if you are still running the old stuff, start planning to get rid of it! There is NO excuse!

Azure AD Connect: Version release history


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2019-12-12) Delivered Session About “Moving Towards Passwordless Concept”

Posted by Jorge on 2019-12-12


Delivered a session @DetronICT, invited by @ThierryVos, about "Moving Towards Passwordless Concept" (preso and demos). About 30 tech enthusiasts listened until the bitter end. Thanks for the invitation, and until a next time! Reward afterwards? Enjoying some beers together!

Figure 1: Initial Slide – Title/SubTitle

Figure 2: Introducing Me

Figure 3: The Agenda

Figure 4: The Agenda With Demos

Cheers,

Jorge


Posted in Active Directory Domain Services (ADDS), Active Directory Federation Services (ADFS), Azure AD / Office 365, Azure AD Connect, Azure AD Identity Protection, Azure AD MFA Adapter, Azure AD Password Protection, Conferences, Field Experiences, Group Policy Objects, Last Logon Information, Microsoft Authenticator App, Multi-Factor AuthN, MVP, Password Expiration Notification, Password-Less, Passwords, Self-Service Password Reset, SSO, SYSVOL, Tooling/Scripting, Windows Azure Active Directory | 1 Comment »

(2019-12-10) Azure AD Connect v1.4.38.0 Has Been Released

Posted by Jorge on 2019-12-10



Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

IMPORTANT: N.A.

Azure AD Connect: Version Release History

1.4.38.0

Released: 12/6/2019

Released for download. Not available for auto-upgrade

Prerequisites for Azure AD Connect

More information about Azure AD Connect

New Features And Improvements

• We updated Password Hash Sync for Azure AD Domain Services to properly account for padding in Kerberos hashes. This will provide a performance improvement during password synchronization from AAD to Azure AD Domain Services.
• We added support for reliable sessions between the authentication agent and service bus.
• This release enforces TLS 1.2 for communication between authentication agent and cloud services.
• We added a DNS cache for websocket connections between authentication agent and cloud services.
• We added the ability to target a specific agent from the cloud to test for agent connectivity.

Fixed issues

• Release 1.4.18.0 had a bug where the PowerShell cmdlet for DSSO was using the logged-on Windows credentials instead of the admin credentials provided while running PowerShell. As a result it was not possible to enable DSSO in multiple forests through the AADConnect user interface.
• A fix was made to enable DSSO simultaneously in all forests through the AADConnect user interface.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2019-11-10) Azure AD Connect v1.4.32.0 Has Been Released

Posted by Jorge on 2019-11-10



Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.3.21.0. I noticed that it triggered a Full Import on both the AD and AAD MA/Connector, and it also triggered a Full Sync on both the AD and AAD MA/Connector. Since the full imports/syncs may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.4.18.0. I noticed that it triggered a Delta Import on both the AD and AAD MA/Connector, but it triggered a Full Sync on the AD MA/Connector and a Delta Sync on the AAD MA/Connector. Since the full sync may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

IMPORTANT: Due to an internal schema change in this release of Azure AD Connect, if you manage ADFS trust relationship configuration settings using MSOnline PowerShell then you must update your MSOnline PowerShell module to version 1.1.183.57 or higher.

Azure AD Connect: Version Release History

1.4.32.0

Released: 11/08/2019

Released for download. Not available for auto-upgrade

Prerequisites for Azure AD Connect

More information about Azure AD Connect

New Features And Improvements

• N.A.

Fixed issues

• This version fixes an issue with existing Hybrid Azure AD joined devices. This release contains a new device sync rule that corrects this issue (Updated sync rule: “In from AD – Computer Join”). Note that this rule change may cause deletion of obsolete devices from Azure AD. This is not a cause for concern, as these device objects are not used by Azure AD during Conditional Access authorization. For some customers, the number of devices that will be deleted through this rule change can exceed the deletion threshold. If you see the deletion of device objects in Azure AD exceeding the Export Deletion Threshold, it is advised to allow the deletions to go through. How to allow deletes to flow when they exceed the deletion threshold

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2019-11-03) Azure AD Password Protection (A.k.a. Banned Password List) – Getting Statistics (Part 8)

Posted by Jorge on 2019-11-03


After running for some time in either AUDIT ONLY mode or ENFORCE mode, it is interesting to get some statistics of what your users are doing with regards to the passwords being used. Every RWDC with the Azure AD Password Protection DC Agent installed will evaluate the provided password against the algorithm. Regarding the algorithm see (2019-10-28) Azure AD Password Protection (A.k.a. Banned Password List) – Optimizing The Custom Per Tenant List (Part 6).

On every RWDC with the Azure AD Password Protection DC Agent installed, every password is evaluated, and the outcome is logged as an event in the event log “\Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin”. More detailed info about the events can be found here.

When the PowerShell cmdlet is executed against an RWDC it basically counts the number of events for a specific action and reports that. If you therefore delete events, or that RWDC is decommissioned for some reason, the statistics are lost. Remember, there are two modes, each mode has two possible actions, and multiple outcomes are possible that contribute to the statistics.

Modes:

• AUDIT ONLY Mode
• ENFORCE Mode

Actions:

• Password Change: the actor knows the old password and provides a new password (always the owner of the account, or at least a person that knows the old password)
• Password (Re)Set: the actor does not know or remember the old password and sets a new one. This could be an admin on behalf of the user account, or an intermediate system (e.g. Azure AD SSPR, Dell SSPM or whatever) on behalf of the user and still actioned by the user itself

Statistics

• PasswordChangesValidated: number of password changes that were validated in either mode
• PasswordChangeAuditOnlyFailures: in AUDIT ONLY mode, the number of password changes that were validated and the result was not successful
• PasswordChangeErrors: in ENFORCE mode, the number of password changes that resulted in an error for some reason
• PasswordChangesRejected: in ENFORCE mode, the number of password changes that resulted in the password being rejected
• PasswordSetsValidated: number of password (re)sets that were validated in either mode
• PasswordSetAuditOnlyFailures: in AUDIT ONLY mode, the number of password (re)sets that were validated and the result was not successful
• PasswordSetErrors: in ENFORCE mode, the number of password (re)sets that resulted in an error for some reason
• PasswordSetsRejected: in ENFORCE mode, the number of password (re)sets that resulted in the password being rejected

So how many passwords were correctly validated in either mode:

• Successful “Password Changes” = PasswordChangesValidated – PasswordChangeAuditOnlyFailures – PasswordChangeErrors – PasswordChangesRejected
• Successful “Password (Re)Sets” = PasswordSetsValidated – PasswordSetAuditOnlyFailures – PasswordSetErrors – PasswordSetsRejected

So, to gather the statistics throughout an AD forest I have written a script that gathers the statistics from the RWDCs that are part of the specified scope. The script supports three scopes: forest, domain (specified) and RWDC (specified)! Independent of the scope, it also totals every statistic property and presents that at the end, or in the GridView through a separate entry at the end. You can therefore see the statistics per RWDC and in total. It also produces a CSV file with the info for later use in Excel, GridView or some other way.

# To Target All RWDCs In The AD Forest

.\AAD-Password-Protection-Statistics.ps1 -scope Forest

OR

# To Target All RWDCs In The Specified AD Domain(s)

.\AAD-Password-Protection-Statistics.ps1 -scope Domain -domains <FQDN Domain 1>,<FQDN Domains 2>,<FQDN Domain N>

OR

# For All Specified RWDCs

.\AAD-Password-Protection-Statistics.ps1 -scope RWDC -servers <FQDN RWDC 1>,<FQDN RWDC 2>,<FQDN RWDC N>

Figure 1: Creating A Report Of RWDCs With Numbers Regarding Passwords Processed And Evaluated

Figure 2: GridView Output With The Same Results

You can download the script from here
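An added example, not the script the post links to, of the same gathering routine: it resolves the scope (forest, domain or RWDC) to writable DCs, reads the statistics per RWDC with the Get-AzureADPasswordProtectionSummaryReport cmdlet from the AzureADPasswordProtection module, appends a TOTAL row, applies the two subtraction formulas above and writes a CSV. It assumes the cmdlet's output property names match the statistics listed above, that the ActiveDirectory RSAT module is available, and the domain and server names in the usage lines are placeholders.

```powershell
# Added example (not the author's script): per-RWDC Azure AD Password Protection statistics
# with a TOTAL row and the derived "successful" counts, exported to CSV.
# Assumes the AzureADPasswordProtection module (installed with the DC agent or proxy) and
# the ActiveDirectory module; the statistic property names are assumed to match the post.
Import-Module ActiveDirectory
Import-Module AzureADPasswordProtection

$StatNames = @(
    'PasswordChangesValidated', 'PasswordChangeAuditOnlyFailures',
    'PasswordChangeErrors',     'PasswordChangesRejected',
    'PasswordSetsValidated',    'PasswordSetAuditOnlyFailures',
    'PasswordSetErrors',        'PasswordSetsRejected'
)

function Get-RwdcInScope {
    # Resolve the scope to writable DC FQDNs; RODCs never run the DC agent, so they are skipped
    param(
        [Parameter(Mandatory)][ValidateSet('Forest', 'Domain', 'RWDC')][string]$Scope,
        [string[]]$Domains,
        [string[]]$Servers
    )
    if ($Scope -eq 'RWDC')   { return $Servers }
    if ($Scope -eq 'Forest') { $Domains = (Get-ADForest).Domains }
    foreach ($d in $Domains) {
        (Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $d).HostName
    }
}

function Add-SuccessCounts {
    # Successful = Validated - AuditOnlyFailures - Errors - Rejected, for changes and for (re)sets
    param([Parameter(Mandatory, ValueFromPipeline)]$Row)
    process {
        $chg = $Row.PasswordChangesValidated - $Row.PasswordChangeAuditOnlyFailures
        $chg = $chg - $Row.PasswordChangeErrors - $Row.PasswordChangesRejected
        $set = $Row.PasswordSetsValidated - $Row.PasswordSetAuditOnlyFailures
        $set = $set - $Row.PasswordSetErrors - $Row.PasswordSetsRejected
        $Row | Add-Member -NotePropertyName PasswordChangesSuccessful -NotePropertyValue $chg
        $Row | Add-Member -NotePropertyName PasswordSetsSuccessful    -NotePropertyValue $set -PassThru
    }
}

function Get-PasswordProtectionStatistics {
    param(
        [Parameter(Mandatory)][ValidateSet('Forest', 'Domain', 'RWDC')][string]$Scope,
        [string[]]$Domains,
        [string[]]$Servers,
        [string]$CsvPath = '.\AAD-Password-Protection-Statistics.csv'   # assumed output path
    )
    $rows = @()
    foreach ($dc in (Get-RwdcInScope -Scope $Scope -Domains $Domains -Servers $Servers)) {
        try {
            # The cmdlet counts the DCAgent Admin log events on that RWDC; if that log was
            # cleared or the RWDC is gone, these numbers are gone with it
            $report = Get-AzureADPasswordProtectionSummaryReport -DomainController $dc
            $row = [ordered]@{ RWDC = $dc }
            foreach ($n in $StatNames) { $row[$n] = [int]$report.$n }
            $rows += [pscustomobject]$row
        } catch {
            Write-Warning "Skipping $dc : $($_.Exception.Message)"
        }
    }
    # TOTAL row so the per-RWDC numbers and the scope-wide picture sit in one table
    $total = [ordered]@{ RWDC = 'TOTAL' }
    foreach ($n in $StatNames) { $total[$n] = [int]($rows | Measure-Object -Property $n -Sum).Sum }
    $rows += [pscustomobject]$total
    $result = $rows | Add-SuccessCounts
    $result | Export-Csv -Path $CsvPath -NoTypeInformation
    return $result
}

# Usage, mirroring the three scopes of the post's script (names are placeholders):
# Get-PasswordProtectionStatistics -Scope Forest | Format-Table -AutoSize
# Get-PasswordProtectionStatistics -Scope Domain -Domains 'corp.example.com' | Out-GridView
# Get-PasswordProtectionStatistics -Scope RWDC -Servers 'dc1.corp.example.com','dc2.corp.example.com'
```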

Cheers,

Jorge


Posted in Active Directory Domain Services (ADDS), Azure AD Password Protection, Blog Post Series, Passwords, Replication, Security, SYSVOL, Windows Azure Active Directory | Leave a Comment »
