Preparing for Azure AD Connect – Fix Active Directory objects with idFix

Harmik Batth Tech's Blog

I have been working on various projects lately and learning a great deal along the way. The project I am currently working on is an Azure AD integration. Because of the limits on what can be synced to the cloud directory, only one-way synchronization is allowed.

But before AD objects can be synchronized, they need to be checked and fixed.

Microsoft has a tool called IdFix that helps with this.

IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Azure Active Directory. IdFix is intended for the Active Directory administrators responsible for directory synchronization with Azure Active Directory. (Ref)

Assuming you have downloaded IdFix, run it and queried all the objects, the next question is how you are going to fix all of these in bulk. The answer is PowerShell, but are you going to write your own scripts, test them, and then execute them in production? I had all of these problems when I was looking at fixing over 3000 records.

I was responsible for fixing over 3000 records, where most of the errors were UPN, proxy email address, mail contact and email address problems. So I decided to let PowerShell do the work for me. I wrote some scripts, which I would like to share with everyone, hoping they save somebody else some time.

So you have run IdFix and exported the data out of it. This gives you a lot of data, and we are only interested in DistinguishedName. I assume you know how to filter data in Excel: grab all the "DistinguishedName" values and copy them to a new text file (one DN per line), which will be used later within PowerShell.

I now have four text files, filtered for the UPN, proxy address, mail contact and email address objects to be fixed. Let's call them idFix-UPNUsers.txt, idFix-ProxyAddresses.txt, idFix-MailContacts.txt and idFix-EmailAddresses.txt respectively.

Now that we have the required files, let's run PowerShell scripts that loop through each file and fix the objects.

For UPN, the requirement is to change the UPN from username@domain.local to the email address, in the form First.Name@publicDomain.com.

The idea is also to insert a dummy email address where required. For those objects you may need to run this script twice (the second time after the email address has been populated). Objects that already have an email address specified do not need a second run.

Try
{
    $Users = Get-Content "D:\IdFix\idFix-UPNUsers.txt" | Get-ADUser -Properties EmailAddress, mail | Select-Object Name, EmailAddress, mail, UserPrincipalName, samaccountname
}
Catch
{
    Write-Host "Error while working with user $($_.Exception.Message)"
}

$Users.count #Provides the number of users to be fixed

$RecordsUpdated = 0 #Will be used later to confirm how many records got updated

Foreach ($user in $Users)
{
    #Store AD object data in variables for easy use
    $UserEmailAddress = $user.EmailAddress
    $Usersamaccountname = $user.samaccountname
    $UserUPN = $user.UserPrincipalName

    #Accounts without an email address cannot get a UPN from it; the next script fills those in
    if ([string]::IsNullOrEmpty($UserEmailAddress))
    {
        Write-Host "Skipping $Usersamaccountname (current UPN $UserUPN): no email address set"
        continue
    }

    #Tidy up the email address: strip spaces and double dots, which IdFix also flags
    $UserEmailAddress = $UserEmailAddress.replace(" ", "").replace("..", ".")

    #User account with a valid email address: set the UPN to the email address
    Write-Host "Setting UPN attribute of $Usersamaccountname to $UserEmailAddress"
    Set-ADUser -Identity $Usersamaccountname -EmailAddress $UserEmailAddress -UserPrincipalName $UserEmailAddress
    $RecordsUpdated = $RecordsUpdated + 1
}

Write-Host "Total Records Updated = $RecordsUpdated"
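Before running the bulk change above, it pays to preview what each account would receive and check the candidate against the rules IdFix enforces (allowed characters, length, a routable suffix and forest-wide uniqueness). This is an added example, not code from the original post; it assumes the ActiveDirectory module, the one-DN-per-line idFix-UPNUsers.txt used above, and the Azure AD UPN limits as Microsoft documents them.

```powershell
# Added example (not from the original post): preview and validate the UPN change before writing.
# Assumes the ActiveDirectory module and the one-DN-per-line idFix-UPNUsers.txt used above.
function Test-CloudUpn {
    param([Parameter(Mandatory)][string]$Upn)
    $problems = @()
    if ($Upn -notmatch '^[^@]+@[^@]+$') { return @('must contain exactly one @') }
    $local, $domain = $Upn.Split('@')
    # Azure AD allows letters, digits and ' . - _ ! # ^ ~ in the part before the @
    if ($local -notmatch '^[A-Za-z0-9''._!#^~-]+$') { $problems += 'invalid character before the @' }
    if ($local.EndsWith('.'))    { $problems += 'must not end with a period before the @' }
    if ($local.Length -gt 64)    { $problems += 'more than 64 characters before the @' }
    if ($Upn.Length -gt 113)     { $problems += 'UPN longer than 113 characters' }
    if ($domain -like '*.local') { $problems += 'suffix is not a routable public domain' }
    return $problems
}

function Get-UpnChangePlan {
    param([string]$DnFile = 'D:\IdFix\idFix-UPNUsers.txt')
    Get-Content $DnFile | Get-ADUser -Properties EmailAddress | ForEach-Object {
        $user = $_
        $candidate = $user.EmailAddress
        $problems = @()
        if ([string]::IsNullOrWhiteSpace($candidate)) {
            $problems += 'no email address; run the fill-in script first'
        } else {
            $candidate = $candidate.Replace(' ', '').Replace('..', '.')
            $problems += @(Test-CloudUpn -Upn $candidate)
        }
        if ($problems.Count -eq 0) {
            # UPN must be unique in the forest. The candidate passed the character check, so it
            # contains no LDAP filter metacharacters and can be placed in the filter safely.
            $clash = Get-ADUser -LDAPFilter "(userPrincipalName=$candidate)" |
                     Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
            if ($clash) { $problems += "already used by $($clash.SamAccountName -join ', ')" }
        }
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            CurrentUpn     = $user.UserPrincipalName
            ProposedUpn    = $candidate
            Ok             = ($problems.Count -eq 0)
            Problems       = ($problems -join '; ')
        }
    }
}

# Report first; -WhatIf shows the writes for the clean rows without making them
$plan = Get-UpnChangePlan
$plan | Format-Table -AutoSize
$plan | Where-Object Ok | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -EmailAddress $_.ProposedUpn -UserPrincipalName $_.ProposedUpn -WhatIf
}
```

Drop the -WhatIf once the report shows only rows you expect; the rows with problems stay untouched either way.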

If you have records with no email address, you will need to specify one, or at least put in a dummy email address.

This can be done with the script below.

Try
{
    $Users = Get-Content "D:\IdFix\idFix-UPNUsers.txt" | Get-ADUser -Properties EmailAddress, mail | Select-Object Name, EmailAddress, mail, UserPrincipalName, samaccountname
}
Catch
{
    Write-Host "Error while working with user $($_.Exception.Message)"
}

$Users.count #Provides the number of users to be fixed

$RecordsUpdated = 0 #Will be used later to confirm how many records got updated

Foreach ($user in $Users)
{
    $UserEmailAddress = $user.EmailAddress
    $Usersamaccountname = $user.samaccountname

    #Check if user has no Email attribute, then add the Email Address
    if ([string]::IsNullOrEmpty($UserEmailAddress))
    {
        #Setting up Email attribute: strip the dot from the account name to find the matching normal account
        $NormalUserName = $Usersamaccountname.replace(".", "")
        $ThisUser = $null #Reset so a failed lookup does not reuse the previous user's data
        try
        {
            $ThisUser = Get-ADUser -Identity $NormalUserName -Properties EmailAddress, Givenname, sn -ErrorAction Stop | Select-Object samaccountname, EmailAddress, Givenname, sn
        }
        Catch
        {
            Write-Host "Error while searching for user $NormalUserName"
        }
        If ($ThisUser)
        {
            Write-Host "Found Normal User as $NormalUserName"
            #Build the dot account's email address from the normal account's given name and surname
            $SetEmailAddress = $ThisUser.Givenname + "." + $ThisUser.sn + ".Admin@futurefund.gov.au"
            try
            {
                Set-ADUser -Identity $Usersamaccountname -EmailAddress $SetEmailAddress -ErrorAction Stop
                $RecordsUpdated = $RecordsUpdated + 1
            }
            Catch
            {
                Write-Host "Error while setting AD properties for user $Usersamaccountname"
            }
        }
        Else
        {
            Write-Host "No such user found"
        }
    }
}

Write-Host "Total Records Updated = $RecordsUpdated"

Now for proxy addresses: add the new email address with @publicDomain.com.

Do this only if the object does not already have the public domain email address. This can also be done through Exchange's default settings, which update all records.

Try
{
    $Users = Get-Content "D:\IdFix\idFix-ProxyAddresses.txt" | Get-ADUser -Properties proxyaddresses | Select-Object Name, samaccountname, proxyaddresses
}
Catch
{
    Write-Host "Error while working with user $($_.Exception.Message)"
}

Foreach ($user in $Users)
{
    $Usersamaccountname = $user.samaccountname

    Foreach ($Userproxyaddresses in $user.proxyaddresses)
    {
        #-like does a wildcard match; -match would treat the dot as a regex "any character"
        if ($Userproxyaddresses -like "*@domain.local")
        {
            Write-Host "$Usersamaccountname : removing $Userproxyaddresses"
            Set-ADUser -Identity $Usersamaccountname -Remove @{proxyaddresses = $Userproxyaddresses}

            $UserNewProxy = $Userproxyaddresses.replace("@domain.local", "@publicDomain.com")
            $CurrentProxies = (Get-ADUser -Identity $Usersamaccountname -Properties proxyaddresses).proxyaddresses
            #-contains is an exact element check; -match would use the address as a regex
            if ($CurrentProxies -contains $UserNewProxy)
            {
                Write-Host "$UserNewProxy already present, nothing to add"
            }
            Else
            {
                Write-Host "Adding $UserNewProxy"
                #Set AD object with the new proxy address by adding the new proxy email address
                Set-ADUser -Identity $Usersamaccountname -Add @{proxyaddresses = $UserNewProxy}
            }
        }
    }
    #Get the record again to confirm the result
    Get-ADUser -Identity $Usersamaccountname -Properties proxyaddresses | Select-Object Name, samaccountname, proxyaddresses
}

For mail contacts, you will need to search AD objects with the LDAP filter "(objectClass=contact)". For these you only require the external email address, so the internal domain proxy address is removed.

#Contacts have no samaccountname or UPN; DistinguishedName is what Set-ADObject needs
$Contacts = Get-ADObject -LDAPFilter "(objectClass=contact)" -Properties mail, proxyaddresses | Select-Object Name, DistinguishedName, mail, proxyaddresses

Foreach ($contact in $Contacts)
{
    $DistinguishedName = $contact.DistinguishedName

    Foreach ($Contactproxyaddress in $contact.proxyaddresses)
    {
        if ($Contactproxyaddress -like "*@ffma.local")
        {
            Write-Host "$DistinguishedName : removing $Contactproxyaddress"
            #Remove the internal domain email address from proxy addresses; the external address stays
            Set-ADObject -Identity $DistinguishedName -Remove @{proxyaddresses = $Contactproxyaddress}
        }
    }
}

For distribution groups, you would like to leave the internal domain proxy address in place, but also add the public domain email address and make it the primary.

Try
{
    $Groups = Get-ADGroup -Filter * -Properties mail, proxyaddresses | Select-Object Name, samaccountname, mail, proxyaddresses
}
Catch
{
    Write-Host "Error while working with group $($_.Exception.Message)"
}

Foreach ($group in $Groups)
{
    $GroupName = $group.samaccountname

    Foreach ($Groupproxyaddress in $group.proxyaddresses)
    {
        #Only the primary (upper-case "SMTP:") internal domain address needs changing; -clike is case-sensitive
        if ($Groupproxyaddress -clike "SMTP:*@ffma.local")
        {
            $GroupName
            $Groupproxyaddress

            $NewPublicPrimary  = $Groupproxyaddress.replace("@ffma.local", "@futurefund.gov.au") #SMTP:name@futurefund.gov.au
            $InternalSecondary = $Groupproxyaddress.replace("SMTP:", "smtp:")                   #smtp:name@ffma.local

            $CurrentProxies = (Get-ADGroup -Identity $GroupName -Properties proxyaddresses).proxyaddresses

            #Remove the internal domain "SMTP:" primary record and add it back as a "smtp:" secondary alias
            Set-ADGroup -Identity $GroupName -Remove @{proxyaddresses = $Groupproxyaddress}
            Set-ADGroup -Identity $GroupName -Add @{proxyaddresses = $InternalSecondary}

            #If the public address already exists as a "smtp:" secondary, drop it so it can be re-added as primary
            $ExistingPublic = $CurrentProxies | Where-Object { $_ -eq $NewPublicPrimary -and $_ -cne $NewPublicPrimary }
            if ($ExistingPublic)
            {
                Set-ADGroup -Identity $GroupName -Remove @{proxyaddresses = $ExistingPublic}
            }
            if ($CurrentProxies -cnotcontains $NewPublicPrimary)
            {
                Write-Host "Adding $NewPublicPrimary as primary"
                #Add the public domain address with "SMTP:" as the primary record
                Set-ADGroup -Identity $GroupName -Add @{proxyaddresses = $NewPublicPrimary}
            }
        }
    }

    Get-ADGroup -Identity $GroupName -Properties proxyaddresses | Select-Object Name, samaccountname, proxyaddresses
}
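After the user, contact and group scripts above have run, the quickest way to confirm that nothing will still trip IdFix or Azure AD Connect is to check the proxyAddresses invariants they were meant to establish: exactly one primary "SMTP:" entry, no leftover internal-domain address on users or contacts, the internal domain only as a secondary on groups, and no duplicates. This is an added example, not code from the original post; it assumes the ActiveDirectory module and the internal and public domains used in this post (change them for your environment).

```powershell
# Added example (not from the original post): verify proxyAddresses after the fixes above.
# Assumes the internal/public domains used in this post; change them for your environment.
$InternalDomains = @('domain.local', 'ffma.local')
$PublicDomain    = 'futurefund.gov.au'

function Test-ProxyAddressSet {
    param([string[]]$ProxyAddresses, [string]$ObjectClass)   # ObjectClass: user, contact or group
    $problems = @()
    $smtp    = @($ProxyAddresses | Where-Object { $_ -like 'smtp:*' })
    $primary = @($smtp | Where-Object { $_ -clike 'SMTP:*' })
    # Exactly one primary (upper-case SMTP:) address is required
    if ($primary.Count -ne 1) { $problems += "expected 1 primary SMTP: address, found $($primary.Count)" }
    foreach ($a in $smtp) {
        $domain = ($a -split '@')[-1]
        if ($InternalDomains -contains $domain) {
            # Users and contacts must lose the internal domain entirely; groups keep it as a secondary only
            if ($ObjectClass -ne 'group') { $problems += "internal domain address still present: $a" }
            elseif ($a -clike 'SMTP:*')   { $problems += "internal domain address is still primary: $a" }
        }
        if ($a -match '\s|\.\.') { $problems += "malformed address: $a" }
    }
    # Contacts keep an external primary; users and groups must end up primary on the public domain
    if ($primary.Count -eq 1 -and $ObjectClass -ne 'contact' -and $primary[0] -notlike "*@$PublicDomain") {
        $problems += "primary is not on the public domain: $($primary[0])"
    }
    # Duplicate addresses (compared case-insensitively) also block synchronization
    $dupes = $smtp | Group-Object { $_.ToLower() } | Where-Object Count -gt 1
    foreach ($d in $dupes) { $problems += "duplicate address: $($d.Name)" }
    return $problems
}

# Scan every object that carries proxyAddresses and list only the ones still failing
Get-ADObject -LDAPFilter '(&(proxyAddresses=*)(|(objectClass=user)(objectClass=contact)(objectClass=group)))' -Properties proxyAddresses, objectClass |
  ForEach-Object {
    $p = @(Test-ProxyAddressSet -ProxyAddresses $_.proxyAddresses -ObjectClass $_.objectClass)
    if ($p.Count -gt 0) { [pscustomobject]@{ Name = $_.Name; Class = $_.objectClass; Problems = ($p -join '; ') } }
  } | Format-Table -AutoSize
```

An empty table means the three proxy-address scripts left nothing behind; any row that remains points at the exact address to look at before you start the first synchronization.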
