10 April 2020

Manually force an Azure AD Connect sync

The Azure AD Connect tool has a default sync schedule that runs every 30 minutes. However, sometimes you need the changes you just made to sync NOW! So from time to time it’s necessary to manually force Azure AD Connect to run and sync your on-prem AD up to Azure AD. This can be done with PowerShell as either a full sync or a delta sync.


Open PowerShell.

If you’re running PowerShell on the server where AD Connect Sync resides, you can skip this step. Otherwise, connect to the AAD Connect Sync server by running the following command to create a PSRemoting session, replacing <SERVERNAME> with the name of your AD Connect server.

Enter-PSSession -ComputerName <SERVERNAME>

Import the ADSync module with the following command.

Import-Module ADSync

Run one of the following commands to manually force the sync.

For a Delta Sync (the most common use case)

Start-ADSyncSyncCycle -PolicyType Delta

For a Full Sync (less common)

Start-ADSyncSyncCycle -PolicyType Initial

If you used the “Enter-PSSession” command earlier, then you need to exit that session; otherwise it will stay open even after you terminate the connection. To close the “PSSession”, use the following command:

Exit
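Putting the steps above together, here is an added example (my own script, not from the original post) that starts a sync cycle and waits for it to finish instead of returning immediately. It assumes the ADSync module is available (run it on the AD Connect server or inside the Enter-PSSession from above); $PolicyType and $TimeoutSeconds are parameter names chosen here.

```powershell
# Added example: force an AD Connect sync cycle and wait for it to complete.
# Assumes the ADSync module is present on the machine this runs on.
param(
    [ValidateSet('Delta', 'Initial')]
    [string]$PolicyType = 'Delta',      # Delta = most common; Initial = full sync
    [int]$TimeoutSeconds = 600
)

Import-Module ADSync -ErrorAction Stop

# Start-ADSyncSyncCycle errors out if a cycle is already running, so check
# the scheduler state first instead of blindly starting another one.
$scheduler = Get-ADSyncScheduler
if ($scheduler.SyncCycleInProgress) {
    Write-Warning "A sync cycle is already in progress; not starting another."
    return
}
if (-not $scheduler.SyncCycleEnabled) {
    # A manual cycle can still be started, but scheduled ones will not run
    # until the scheduler is re-enabled with Set-ADSyncScheduler.
    Write-Warning "The scheduler is disabled (SyncCycleEnabled = False)."
}

Write-Host "Starting $PolicyType sync cycle..."
Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null

# Poll the scheduler until the cycle is no longer in progress, or give up
# after the timeout so a stuck run does not hang the script forever.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    Start-Sleep -Seconds 10
    $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
} while ($inProgress -and (Get-Date) -lt $deadline)

if ($inProgress) {
    Write-Warning "Sync still running after $TimeoutSeconds seconds; check Synchronization Service Manager."
} else {
    Write-Host "Sync cycle finished."
}
```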

1 April 2020

Software Restriction by GPO

Using GPOs is a great way to allow or block programs from running on your corporate network. Just be careful and limit yourself to only blocking the applications which you actually have a need to block. Don’t go too crazy locking down programs.

Microsoft first introduced “Software Restriction Policies” in Windows Server 2008 and they’ve continued to evolve. Today I will show you the four ways Microsoft lets us restrict programs from running.

  1. File Path / File Name Rule
  2. Network Zone Rule
  3. Hash Rule
  4. Certificate Rule

To begin, fire up the Group Policy Management Editor. Click on the start menu and type “gpmc.msc”. If you are on a Domain Controller it should work. If you’re on a workstation you’ll likely have to run Server Manager as a Domain Admin (or another user with the correct administrative privileges) and choose “Group Policy Management” from the ‘Tools’ dropdown.

Once it’s open, scroll down to the folder “Group Policy Objects” and right-click on it to create a “New” policy object. Give it an appropriate name, something like “Software Restrictions – Test”. Now find and right-click on your new policy and select “Edit…”.

The software restriction policy exists under both “Computer Configuration” and “User Configuration”. So depending on your needs, you can lock down either the user or the computer.

Drill down into the policy… “Policies” -> “Windows Settings” -> “Security Settings” -> “Software Restriction Policies”.

Right-click on “Software Restriction Policies” and click “New Software Restriction Policies”.

Select and open the “Additional Rules” folder.

Right-click under the two pre-existing default entries, and then from that drop-down menu select the type of rule you want to create. I’ll expand on the four methods below…

There are three security levels used in all of these rules:

  1. DISALLOWED: Software will not run, regardless of the access rights of the user.
  2. BASIC USER: Allows programs to run only as a standard user. Removes the ability to “Run as Administrator”.
  3. UNRESTRICTED: No changes made by this policy – Software access rights are determined by the file access rights of the user.

My examples below all show how to block software with ‘disallowed’ rules. But just remember that you can just as easily allow software by using ‘basic user’ and ‘unrestricted’ rules. Use them wisely!

1. Block by File Path / File Name Rule

In this example I will show you how to lock down the computer from running WordPad.

Select “New Path Rule”.

Type, or use the “Browse…” button, to enter the file path or file name you wish to block. Make sure that the ‘Security level’ is set to “Disallowed”. Then click ‘OK’.

Note: Environment variables such as %windir%, %ProgramFiles(x86)%, %AppData%, %userprofile%, and others all work in path rules.

It is important to note that many applications can be launched in more than one way (for example through a different executable), so you may have to block multiple executables to fully block the application. Keep that in mind if you start banging your head as to why some block rule doesn’t seem to be working.

Also be careful using just the file name itself to try to block a program from running. If you were to block just the file name ‘update.exe’, for example, hundreds of applications ship with an ‘update’ executable and they would all be hindered and unable to run.

My rule of thumb is to always use the full path unless it’s truly a unique file name, and even then I still prefer to use the full path.

2. Block by Network Zone Rule

Select “New Network Rule”.

Select the Network zone you want to block. Make sure that the ‘Security level’ is set to “Disallowed”. Then click ‘OK’.

These rules allow you to block programs if they come from sites you’ve designated into a zone, like your Restricted sites, or, if you were creating an allow rule, your Local Intranet. While this option exists, it seems unlikely to me that most SMBs ever use it.

3. Block by Hash Rule

In this example I will show you how to lock down the computer from running WordPad.

Select “New Hash Rule”.

Use the “Browse…” button to navigate to the file which you want to block. Select the file and click ‘Open’. It will automatically pull the needed file information and the “hash” it needs from the file you selected. Make sure that the ‘Security level’ is set to “Disallowed”. Then click ‘OK’.

The only problem this method has is that file hashes change any time there is ANY change to the file. It doesn’t matter how small the change is, it will always produce a new hash. That means that hash rules are best applied to older software that you are trying to kill, and not to programs that get updated often.

4. Block by Certificate Rule

In this example we will be blocking applications signed by Adobe Inc.

Select “New Certificate Rule”.

Use the “Browse…” button to navigate to the certificate file which you want to use to block signed software. Select the file and click ‘Open’. Make sure that the ‘Security level’ is set to “Disallowed”. Then click ‘OK’.

Certificate rules are by far one of the most secure rules as they rely on certificates from trusted publishers. Because of this, they require more work on the PC’s part, as it goes out and tries to verify the validity of the certificate, so they may significantly affect performance. I can’t tell you how much of an impact they’ll create, but it’s enough that MS warns us. Also, if the certificate ever expires, you’ll need to create a new rule.

Here is how you can pull a certificate from a digitally signed application.
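As an added example (my own script, not part of the original post), the same two pieces of information the hash rule and the certificate rule key on can be pulled from PowerShell: the file hash, which changes with any edit to the file, and the Authenticode signer certificate, exported as a .cer you can pick with the “Browse…” button. It assumes the PKI module (Export-Certificate) is available; $Path and $CertOut are parameter names chosen here, and WordPad is the default only because the post uses it.

```powershell
# Added example: record the hash and signer certificate of an executable
# before building a hash rule or certificate rule against it.
param(
    [string]$Path    = "$env:ProgramFiles\Windows NT\Accessories\wordpad.exe",
    [string]$CertOut = "$env:TEMP\signer.cer"
)

if (-not (Test-Path $Path)) { throw "File not found: $Path" }

# Hash rule: any byte-level change to the file yields a different hash, which
# is why hash rules suit software that no longer receives updates.
$hash = Get-FileHash -Path $Path -Algorithm SHA256
Write-Host "SHA256 of $Path"
Write-Host "  $($hash.Hash)"

# Certificate rule: read the Authenticode signature. Only a valid signature
# is worth building a rule on; anything else is reported and skipped.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'; no certificate exported."
    return
}

$cert = $sig.SignerCertificate
Write-Host "Signer  : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
# The post notes a certificate rule must be recreated once the cert expires,
# so surface the expiry date next to the subject.
Write-Host "Expires : $($cert.NotAfter)"

# Export as DER (.cer) so the 'New Certificate Rule' dialog can load it.
Export-Certificate -Cert $cert -FilePath $CertOut -Type CERT | Out-Null
Write-Host "Certificate written to $CertOut"
```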

13 March 2020

Hiding an email address in O365 with hybrid on-prem AD sync

So another gotcha when using O365 in hybrid mode with on-prem sync is that you can’t hide a user’s email address [from address books and distribution lists] by using the Exchange Admin Portal. This is because the settings are made on-prem, and those defined values are simply pushed to your AAD tenant in Microsoft’s Azure cloud.

We used to be able to, from the Exchange Management Console on the on-prem server, just open the user and check a tick box to hide their address from everything. The workaround isn’t much harder, it’s just buried deeper.

Open the user in your on-prem AD, and navigate to the “Attribute Editor” tab.

Scroll down until you find the following attribute.

  • msExchHideFromAddressLists

Setting it to “TRUE” will make the email address hidden.

Setting it to “FALSE” or “<not set>” will make the email address visible.

After you have made the desired change to the value of the attribute, you just need to wait for [or force] your on-prem AD to re-sync with your AAD.

12 March 2020

Alias emails in O365 with hybrid on-prem AD sync

If you use O365 in hybrid mode, with your tenant synced to your on-prem AD or Exchange server, then you will definitely run into an issue if you try to add an alias email address to a user.

When you attempt to add an alias, or alternate, email in your Exchange Admin Center portal you will see this error message.

To get around this you’ll need to edit the user locally in your on-prem AD. In AD, right-click and open the user’s properties. Select the tab “Attribute Editor”.

You will want to look for and edit the following two attributes.

  • msExchShadowProxyAddresses
  • ProxyAddresses

Add the user’s alias/alternate email address into the above mentioned attributes in the form of: smtp:updatedname@domain.tld

That’s it. Now you just need to let your AD sync back up to the O365 cloud.

WARNING: If you add it in CAPS (SMTP:updatedname@domain.tld) then it will get interpreted as the default address and not as an alias/alternate email. Make sure that “smtp” is lowercase.
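The attribute edits from this post and the previous one (hiding a user from address lists) can be scripted so the lowercase-“smtp:” rule above is enforced before anything is written. This is an added example, my own code rather than the post’s; it assumes the ActiveDirectory RSAT module, and Add-OnPremAlias and Set-OnPremHidden are function names chosen here.

```powershell
# Added example: add an alias to a synced user's on-prem attributes, and hide
# or unhide the user from address lists. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Add-OnPremAlias {
    param([string]$SamAccountName, [string]$Alias)

    # Lowercase 'smtp:' marks a secondary address; 'SMTP:' would be the primary.
    $entry = "smtp:$($Alias.ToLower())"
    $user  = Get-ADUser -Identity $SamAccountName `
                -Properties ProxyAddresses, msExchShadowProxyAddresses

    # Exactly one uppercase 'SMTP:' primary should exist. Refuse to write if
    # it is missing or duplicated, since AD Connect exports whatever is here.
    $primaries = @($user.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primaries.Count -ne 1) {
        throw "$SamAccountName has $($primaries.Count) primary SMTP addresses; expected 1."
    }
    # Case-insensitive duplicate check: 'smtp:x@y' and 'SMTP:x@y' are the same address.
    if (@($user.ProxyAddresses) -icontains $entry) {
        Write-Warning "$Alias is already present on $SamAccountName"
        return
    }

    Set-ADUser -Identity $user -Add @{
        ProxyAddresses             = $entry
        msExchShadowProxyAddresses = $entry   # second attribute named in the post
    }
    Write-Host "Added $entry to $SamAccountName; it reaches O365 on the next sync."
}

function Set-OnPremHidden {
    param([string]$SamAccountName, [bool]$Hidden = $true)
    # $true = hidden from address lists (post: TRUE); $false = visible (FALSE).
    Set-ADUser -Identity $SamAccountName -Replace @{ msExchHideFromAddressLists = $Hidden }
}

# Usage (constructed sample values):
# Add-OnPremAlias -SamAccountName jdoe -Alias 'updatedname@domain.tld'
# Set-OnPremHidden -SamAccountName jdoe -Hidden $true
```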

28 November 2019

O365 MFA – “Office Phone”

Multi-factor authentication is something that you should have enabled in your Azure or Office 365 tenant. It’s going to solve at least 90% of your worries about someone ‘hacking’ into your organization. That said, it can provide a few headaches of its own.

When your user is choosing their methods or means to authenticate, one of the options is to use their “Office Phone”. That’s great… But if you sync your on-prem AD to AzureAD then you’ll quickly realize that that option is grayed out and you can’t set it. You’ll get some message about contacting your administrator.

To set this number, simply edit the properties of your user in your on-prem AD.

  • Open “Active Directory Users and Computers” and navigate to your user.
  • Right-click on the user and choose ‘properties’.
  • Under ‘Telephone’ enter the user’s phone number, country code first, like either of the examples below.
    • +1 8085551234
    • +1 8085551234 x123
  • Click ‘OK’ to save the edits.

After you have finished editing the user, all you have to do is wait for the next sync cycle. From then on, your users will be able to authenticate and log in by using their work desk phone.

15 November 2019

What was that GPO setting?

There is a GPO setting for, literally, almost everything in Windows!

Software companies provide all of these settings to administrators by means of Group Policy Administrative Templates, better known as ADMX templates or ADMX files. The domain admin imports these ADMX files into their Active Directory schema, and can then manage an array of settings for the software related to the imported ADMX template.

You can usually find these files on your software vendor’s website, or try doing a search for your software along with the term “ADMX”. The files or templates consist of two parts: (1) the ADMX file, which defines the settings it allows you to set, and (2) the ADML file, which is the language localization file and has the same name as the ADMX file it is associated with.

While these ADMX templates allow for an amazing level of control and standardization within a domain or corporate environment, it can be pretty intimidating trying to comb through all of the available settings to find the one thing you want to tweak. It’s akin to trying to find a needle in a haystack.

Luckily we live in the age of the Internet. There are a couple of websites that I like to use that have made the task of finding particular GPO settings incredibly simple. I’m starting off with Microsoft: the first one is “powered” by Microsoft themselves, so think of it as “Bing” but just for GPOs & ADMXs. I feel that it does a great job of simplifying the task of searching for the right GPO setting you want.

Group Policy Search – https://gpsearch.azurewebsites.net/

The other site that I like to use is not Microsoft specific, but compiles and lists the configurable settings available from many software vendors (I stopped counting after I got to 50 different vendors).

If the software you use has an available ADMX template, there is a pretty darn good chance that its settings will be listed on the site below.

GetADMX – https://getadmx.com/