Category Archives: active directory

23 May 2018

Display All The Claims For A User Visiting Your .NET Core Azure Web App

Regular visitors of this blog are used to seeing PowerShell and DevOps content, and this is a little bit of a divergence since it’s written in C# and is a .NET Core MVC Azure Web App, but if it found itself on my plate, maybe it will find itself on yours. I was tasked with writing an Azure Web App that users would visit and sign into using their Azure Active Directory (i.e. “Work or School”) account, to test whether their Conditional Access and MFA were configured properly. Once logged in, a little information about the user is displayed.

Here’s how to pop all the claim information for an authenticated user into a Razor Page.


16 May 2018

Script Share: Disable Azure AD MFA Without Wiping User Options

How’s this for a niche topic? If you want to move to Azure AD P2 Conditional Access and have users who are on P1 MFA, then in order to move them over, you have to disable and re-enable MFA on their account – or at least that’s what one PFE told me. The problem is, when you do that, you lose their preferences by default, such as whether they prefer to enter a code from the app or receive a text. Wouldn’t it be nice if you could keep that stuff?

Well, you can!


06 Dec 2017

Beginner PowerShell Tip: The .Count Property Doesn’t Exist If A Command Only Returns One Item

If you’re just getting started in PowerShell, it’s possible that you haven’t bumped into this specific issue yet. Perhaps you’ve got a variable $users and you’re assigning it a value like this.

This will get all the users in your Active Directory whose username ends with “thmsrynr”.

Great! Now how many users got returned? We can check the Count property to find out.


29 Nov 2017

Beginner PowerShell Tip: Using Variable Properties In Strings

If you’re just getting started in PowerShell, it’s possible that you haven’t bumped into this specific issue yet. Say you’ve got a variable named $user and this is how you assigned a value to it.

Using the Active Directory module, you got a specific user. Now, you want to report two properties back to the end user: SamAccountName and Enabled. The desired output looks like this:


25 Oct 2017

Working With The PowerShell ActiveDirectory Module As A Non-Privileged User

As a best practice, as an administrator you should have separate accounts for your normal activities (email, IM, normal stuff) and your administrative activities (resetting passwords, creating new mailboxes, etc.). It’s obviously best not to log into your normal workstation as your administrative user. You’re also absolutely not supposed to remote desktop into a domain controller (or another server) just to launch a PowerShell console, import the ActiveDirectory module, and run your commands. Here’s a better way.


03 Apr 2017

Quick Tip: Using Variables In ActiveDirectory Filters

If you work with the ActiveDirectory PowerShell module, you’ve probably used the -filter parameter to search for accounts or objects in Active Directory. You’ve probably wanted to use variables in those filters, too.

Say you have a command from something like a remote Exchange management shell that returned an object which includes a username (called Alias in this example).

And let’s use that in an ActiveDirectory command. Ignoring the fact that you could find the account that has this username without using a filter, let’s see how you would use it in a filter.

You might try this.

But you’d get errors.

That’s because the filter can’t handle your variable that way. To use a variable in an ActiveDirectory cmdlet filter, you need to wrap the filter in curly braces.

And you get your results!

Pretty easy fix for a pretty silly issue.
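The forms that fail and the forms that work, side by side, as an added example (this is not the post's own code). `$mailbox` is a constructed stand-in for the object a remote Exchange shell would return, so the snippet has a value to work with; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not the post's own code.
# $mailbox is a constructed stand-in for an Exchange mailbox object.
Import-Module ActiveDirectory
$mailbox = [pscustomobject]@{ Alias = 'thmsrynr' }

# Doesn't work: inside a double-quoted string only $mailbox is expanded (to its
# string form) and ".Alias" is left as literal text, so the filter won't parse:
#   Get-ADUser -Filter "SamAccountName -eq $mailbox.Alias"
#
# Doesn't work either: the filter has its own parser, and it cannot
# dereference a property on a variable:
#   Get-ADUser -Filter { SamAccountName -eq $mailbox.Alias }

# Works: put the value in a plain variable, then reference that variable
# inside a curly-brace (script block) filter, as the post describes.
$alias = $mailbox.Alias
Get-ADUser -Filter { SamAccountName -eq $alias }

# Equivalent string form. The expanded value must be wrapped in single quotes
# so the filter sees it as a string literal.
Get-ADUser -Filter "SamAccountName -eq '$alias'"

# The subexpression operator also lets you use the property directly in a
# double-quoted string.
Get-ADUser -Filter "SamAccountName -eq '$($mailbox.Alias)'"
```

One caveat on the string forms: the value is spliced into the filter text, so if it ever comes from user input rather than from another cmdlet, a stray single quote in it changes the meaning of the filter. For values you don't control, validate them first or, as the post notes, look the account up by -Identity instead of building a filter.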

11 May 2016

Easily Restore A Deleted Active Directory User

If you have a modern version of Active Directory, you can enable the Active Directory Recycle Bin. Once it is enabled, you can recover an object after it has been deleted from Active Directory.

Here’s a quick and easy script to recover a user based on their username.

On the first line, we’re getting the DistinguishedName for the deleted user. The DN changes when a user gets deleted because the object now lives in the Recycle Bin. Where’s your deleted objects container? Well, it’s easily found with the (Get-ADDomain).DeletedObjectsContainer part of line 1. All we’re doing is searching for AD objects in the deleted objects container whose username matches the one we’re looking for. We need to make sure the -IncludeDeletedObjects switch is set, or nothing that’s deleted will be returned.

On the second line, we’re just using the Restore-ADObject cmdlet to restore the object at the DN we found above.
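The same two steps as a reusable function, added here as an example rather than the post's own script, with the checks you want before restoring something in production: it refuses to guess when zero or several deleted users share the username, confirms the original parent OU still exists (otherwise Restore-ADObject needs a -TargetPath), and supports -WhatIf so you can preview the restore. It assumes the ActiveDirectory module and an enabled Recycle Bin; the function name is made up for this example.

```powershell
# Added example, not the post's own script. Function name is hypothetical.
function Restore-DeletedADUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Deleted objects live under the domain's Deleted Objects container and are
    # hidden from normal searches unless -IncludeDeletedObjects is set.
    $searchBase = (Get-ADDomain).DeletedObjectsContainer
    $candidates = @(Get-ADObject -SearchBase $searchBase -IncludeDeletedObjects `
        -Filter { SamAccountName -eq $SamAccountName -and ObjectClass -eq 'user' } `
        -Properties SamAccountName, LastKnownParent, whenChanged)

    if ($candidates.Count -eq 0) {
        throw "No deleted user named '$SamAccountName' found under $searchBase."
    }
    if ($candidates.Count -gt 1) {
        # Several tombstones with the same username (the account was created and
        # deleted more than once). Don't pick one silently; show them and stop.
        $candidates | Select-Object DistinguishedName, whenChanged |
            Format-Table -AutoSize | Out-String | Write-Warning
        throw "Multiple deleted users named '$SamAccountName'; restore by DistinguishedName instead."
    }
    $deleted = $candidates[0]

    # Restore-ADObject puts the object back under its last known parent, so that
    # container must still exist. If it was deleted too, restore it first or
    # pass -TargetPath to Restore-ADObject.
    try {
        $null = Get-ADObject -Identity $deleted.LastKnownParent
    } catch {
        throw "Original parent '$($deleted.LastKnownParent)' no longer exists; restore it first or use -TargetPath."
    }

    if ($PSCmdlet.ShouldProcess($deleted.DistinguishedName, "Restore to $($deleted.LastKnownParent)")) {
        # Same call as line 2 of the post's script, keyed on the object's GUID,
        # which does not change when the object is deleted.
        Restore-ADObject -Identity $deleted.ObjectGUID
        # Return the live account so the caller can confirm the result.
        Get-ADUser -Identity $SamAccountName
    }
}

# Preview first, then run for real:
#   Restore-DeletedADUser -SamAccountName 'thmsrynr' -WhatIf
#   Restore-DeletedADUser -SamAccountName 'thmsrynr'
```

Restoring recovers the object with its attributes and group memberships intact, which is also why a restore is worth a ShouldProcess prompt and a look at whenChanged: a user object that was deliberately removed during an offboarding should not come back because someone typed the wrong username.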

15 Apr 2016

Quick Script Share: Adding A Bunch Of Random Test Users To Active Directory

I recently had a need to add a bunch of random users to a specific OU in Active Directory to do some testing. I didn’t care what their names were, but I wanted to be able to find all the users that belonged to each batch. Here’s the script I wrote to do this.