Author: Adam Fowler

Websites Timing Out – This Page Can’t Be Displayed

timeout

I came across this issue where a particular user was getting lots of timeouts for websites via Internet Explorer. The problem didn’t follow the user to other PCs, and I couldn’t see any firewall issues. The websites were random, but I did notice they were generally slow to load websites.

Another symptom was getting this same error when signing up for things or processing payments – all processes that can take a while to respond. Even loading pictures on emails sometimes timed out this way!

I did find a 3rd party search engine had been added to IE and removed that, but that made no difference.

After a bunch of testing and research being convinced it was a local profile issue, probably around IE timeout settings, I found this article which gave a registry setting around timeouts. I adjusted the value for KeepAliveTimeout in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings but it made no difference.

What I did notice though, was another registry value in the same spot – ReceiveTimeout. This was set to 5000 which would equate to 5 seconds converted from milliseconds, similar to the KeepAliveTimeout setting.

Comparing it to another computer, that registry setting didn’t even exist. I tried upping the value to 60000 for a minute, and after lots more testing, the problem appeared to be fixed! I then deleted the registry key and the problem didn’t reoccur.

My assumption is that the 3rd party search engine (which seemed a bit dodgy) added certain registry settings under the user’s profile for their own purposes, and removing it didn’t clear it up.

Of course, deleting the profile would have had the same result, but then we wouldn’t understand why it broke!

 

 

Changing Many File Permissions Without Inheritance

I ran into a scenario when moving files from an older Windows Server 2003 box to Windows Server 2012, where I couldn’t access folders even as an administrator.

It turned out that not having Users (ServerName\Users) causes problems beyond Windows Server 2003. When moving a mass of files with many folders lacking inheritance, this can be a problem.

After some research and testing, it’s reasonably easy to modify NTFS security permissions to lots of files, while leaving existing settings in tact and not requiring inheritance to apply changes.

Scripting Guy covered it pretty well here, but here’s the condensed version:

First, install File System Security PowerShell Module because it’s easier to do than using native PowerShell Set-ACL commands. This can be installed on a remote box from where the files are, but remote can be slow based on latency and the amount of files you’re dealing with. Read the installation notes on that page so you’re ready to go with the module.

You can test it’s working by running a command like:

get-ntfsaccess -path c:\PutAFilenameHere.Now

You’ll get the permissions of the file back.

To change your permissions on mass, you need to get a listing of the files and pipe that to your modified settings:

dir \\FileServerName\ShareName -recurse | add-ntfsaccess -account “BUILTIN\users” -accessrights read

Note that the -recurse switch gives you all files and subfolders of the share, and although the permission you’re looking at via Windows Explorer will show Users (ServerName\Users), this is actually the BUILTIN\users permission. If you try to use the servername, you’ll get this error:

Add-NTFSAccess : Cannot bind parameter ‘Account’. Cannot convert value “servername\users” to type
“Security2.IdentityReference2”. Error: “Some or all identity references could not be translated.”

That’s it, you can now add, remove or modify permissions all over the place without affecting other existing permissions or affecting the inheritance.

Edit: The actual issue I describe here can also be fixed by changing a few Group Policies too.

Attempt to reconsent to the application was unsuccessful

azure-active-directory

You may see this error if you’re using Azure AD Applications via the older GUI. Since there are zero Google results on it:

google

…this is just a quick post to say that the cause of the error seems to be due to a browser timeout – restart your browser and you should be fine!

AzureAD – Assign Application to User via PowerShell

Scenario:

You’ve created an application in Azure AD, and want to script allocating access to the app rather than using the web interface. App show up at https://myapps.microsoft.com

Azure AD Premium is required for group access which would be ideal, but if you don’t have that you’ll need to add access on a user by user basis.

Answer:

PowerShell of course. First, you’ll need Azure AD for PowerShell (Preview version 2.0.0.17 at time of writing).

The below script which I modified from Philippe’s comment here should cover both internal, cloud and B2B invited users. The original script was using -objectid rather than -searchstring which works better and is more accurate for the internal and cloud accounts, but doesn’t work at all for B2B accounts.

The AppID can be obtained from this command:

Get-AzureADApplication -SearchString “Display Name for App”

Put the corresponding AppID into the below script, and you’re good to go. You’ll get prompted for Azure AD credentials as per usual. You can also get this

This is designed for a single user addition, but you could easily import the email addresses from a CSV file, and do a ‘for each’ on each entry like I did here.

# The UserPrincipalName or ObjectId of the user
  $userId = "[email protected]"

# The AppId (a.k.a. "client ID") of the app to assign the user to
  $appId = "AppIDGoesHere"

# Connect to Azure AD
  Connect-AzureAD -Confirm

# Get the user to be added
  $user = Get-AzureADUser -searchstring $userId

# Get the service principal for the app you would like to assign the user to
  $servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"

# Create the app role assignment
 new-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)

 

Note: If you try this and get the error below, it’s because the app is already assigned.

new-AzureADUserAppRoleAssignment : Error occurred while executing NewUserAppRoleAssignment
StatusCode: BadRequest
ErrorCode: Request_BadRequest
Message: One or more properties are invalid.
At Z:\script.ps1:17 char:1
+ new-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADUserAppRoleAssignment], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewUser
AppRoleAssignment

Softerra Adaxes – Several Months In

logo-1

Softerra Adaxes is an Active Directory management & automation tool which I’ve grown very fond of.

First I reviewed Softerra Adaxes, then I actually bought Softera Adaxes and even did a brief case study for them. I thought it would now be good to share how far we’ve come through using this tool, and what the experience is like for those considering this option of automation. Here’s my thought process and how I personally approached the rollout, along with my experiences along the way:

Initially to me, the idea of having an ‘Outlook rules’ style approach to building a system that automated user management was enough to me. We’d been creating accounts manually for a long time, and the process was documented but took 20 minutes or so to perform. There was also a lot of room for human error, especially when someone was interrupted while creating an account.

There was of course the ‘selfish’ reason of not wanting to do these user management tasks myself, but it’s hard to pass those tasks off with the inherit risks or lack of knowledge of the tools being used to ease the process. This is what had held me off writing my own giant PowerShell script to automate all the steps.

After mucking around with the Adaxes basics, I started to realise that this software solution seemed to actually deliver on what I was personally looking for – something that wasn’t complex, but also let me define whatever criteria, business rules and caveats to the user creation process that I wanted. On top of that, there was inbuilt webpages where I could deliver these options to other staff requiring no software installs, and the ability to show or lock down whatever I chose, to both control and protect the Active Directory environment.

It did take a few weeks to set up properly, but I wouldn’t have really spent more than an actual day’s worth of work in those few weeks doing it. That was just to create a new user in all the various systems I wanted, with our unique user setting requirements. I wouldn’t say the entire system is so simple and easy to navigate that you can get cracking, but it’s also not complex. Once you find the setting or understand how Adaxes achieves a solution, it’s not difficult to set things up.

The inbuilt functionality of website templates – where you can create multiple sites displaying whichever fields you like to whichever users you like – is a good way to deliver the solution to end users. You can have a page for IT and another page for Finance with completely separate functions to best fit each use case.

For me, it was great that I could create websites with zero programming requirements. It’s all driven by a GUI, and somehow it’s still very flexible in what it can do. It might be frustrating to someone who actually writes code, but that’s not who would normally be using this solution. I really feel it’s aimed at someone like me, the IT Pro/Sys Admin who wants to automate and allow others to use the tools, without needing to code or expect others to run PowerShell commands themselves.

adaxes1Basic site with one option – menu and right side options can even be hidden if required.

Once I’d finished the user creation process and published the method of doing so to a website, I had internal staff muck around with it and use it, purely for new user creations. The feedback I received was immediately positive – that 20 minute or so process had been reduced to a few minutes, and even generated out an email saying the account creation was done. This in itself to me was the tick of a successful project, and I knew I could do a lot more around automation and empowering others to do repeatable tasks.

Some of the problems I hit on the user creation automation were:

  • After upgrading from Lync 2010 to Skype for Business 2015, there were intermittent errors popping up for creating a SfB user. This was a known problem to Softerra, and took several months to resolve with a new version of Adaxes. I did have a workaround luckily, so it only took some rule modifying to work around it until a proper solution was found.
  • ‘User unknown’ – I ran into some problems where I’d create the user or enable them for Exchange, but then the next command wouldn’t find the account. Adaxes was faster than what other systems could replicate changes, so some tactful ‘start-sleep’ PowerShell command steps during the workflows to allow replication to occur before the next step triggered. This does mean that the overall process can take a minute or two, and the person who triggered the user creation has to wait for it to finish.
  • Not all functionality was available that I needed in the GUI. For example, creating a Skype for Business user is easy, but you can’t assign a policy. Instead you need to use PowerShell commands to do what you want. That took a bit longer and needed more testing, but wasn’t much of an issue once I found that out.
  • When a new user was created that already existed (e.g. another John Smith – john.smith) I hadn’t considered that scenario. I asked in the Adaxes forums and was told how to run some pre-checks to make sure the username and phone number were unique and bomb out if they weren’t, rather than half creating an account and having to clean it up afterwards.
  • The upgrade process isn’t painful when a new version of Adaxes comes out (which came out while I was doing the user creation and I wanted to try upgrading early on), but there’s a few more steps than next, next finish. An uninstall is required with backing up a few files, then a fresh install and importing what you backed up. I’m hoping that will be streamlined a bit in the future.

After the user creation process was settled, I started to create more automation tasks. Deprovisioning was an obvious one, and was a lot easier than user creation as well as taking a lot less time to set up. This command would clean up all the bits and pieces from an account, including home drives and Exchange settings (along with moving the mailbox to a different database). This was rolled out relatively quickly.

I should also note, the logging is very helpful. If someone triggers a command from the website, they can see if it was successful or not, or where it failed. It made testing easy to do, but I was also able to read through logs via the GUI on the server to find out more about what failed and why.

adaxes2Updating options on one of the web interfaces – no coding required.

I then decided to wait for common scenarios to come up and build them as needed. We often had ‘returning staff’ which if their Active Directory account still existed, I couldn’t use my user creation method when the account already exists. This took a rethink of how I’d designed my rules so far, and decided to re-do a lot of it in a more modular fashion. Because there’s the ability to copy and paste rules, this was a lot easier than I expected. The end result was that I’d have a list of modules to run against a task – e.,g. a new user would call commands such as ‘enable email’ and ‘enable Skype for Business’ which my new ‘returning staff’ would call ‘re-enable email’ but the same ‘enable Skype for Business’ command as a new user. This now meant I could move a mailbox from one database to another and unhide the user from the Global Address Book when they returned, but because all users have their Skype for Business disabled, that step was the same in either scenario.

Another valuable idea I had was to let users control the membership of Active Directory groups that they were the owner of. After some mucking around, I created a website solely for that purpose. The great part about it was that whomever logged onto the site (with passthrough authentication so no extra typing required) could only see groups they were an owner of, based on the Manager field in Active Directory. This gives anyone in the company who is in control of a group, the ability to add or remove members without any IT assistance required. Perfect for application owners who control who can get to their application or not via a security group.

My next task will be the automation of a user name change. With the updated modular design, I can copy out the steps that I need and modify them to my new requirements; of course finding the hour or two to build and test this is the hardest part. (Note: Between the week of writing this and publishing, I’ve now done it.

I’ll give praise to both the Adaxes forums and their helpdesk support via email- almost always, within 24 hours max (and usually 4-5 hours) I’d get a specific and clear answer on how to do something I couldn’t work out personally, and it was from someone who knew the product rather than a basic 1st level helpdesk type response.

I hope this gives a real impression of my experience and opinion of Softera Adaxes at a high level, after using it for an extended time. There’s no real gaps to the product that I’ve found. and you can pick and choose as to how much customisation you want to do through PowerShell scripting. I’m still happy with the product, and it will continue to evolve with us.