Auto ADConnect password Hash sync fix-Clean
Description
This Task runs on machines where password hash sync hasn't run for 3 hours.
Property Details
27005 | |
QA - Ready for Production Level Testing | |
Auto ADConnect password Hash sync fix-Clean | |
BESC | |
Internal | |
6/13/2023 12:00:00 AM | |
AD Connect Password Hash Sync Fix | |
True | |
ftoole on 6/19/2023 8:26:03 AM | |
ftoole on 6/19/2023 8:26:03 AM | |
Relevance
Used in 2 fixlets | * Results in a true/false |

member of group 1193930 of site "CustomSite__FIX"
Used in 1 fixlet | * Results in a true/false |

exists file "C:\Bes\AzureADpasswordSyncStaging.txt"
Used in 1 fixlet | * Results in a true/false |

exists (lines whose (it contains "Value" and it contains "False") of file "C:\Bes\AzureADpasswordSyncStaging.txt")
Used in 1 fixlet | * Results in a true/false |

exists file "C:\Bes\AzureADpasswordSync.txt"
Used in 1 fixlet | * Results in a true/false |

exists lines whose (it contains "Password sync feature enabled in your Azure" and it contains "True") of file "C:\Bes\AzureADpasswordSync.txt"
Used in 1 fixlet | * Results in a true/false |

exists (lines whose (it as string as lowercase contains " No ping event found within last 3 hours." as lowercase) of files "C:\Bes\AzureADpasswordSync.txt")
Actions
Action 1 (default)
Script Type
BigFix Action Script
// Force Password Hash sync
//
// Remediation for the applicability relevance above (no password-sync ping
// event in the last 3 hours). Three phases:
//   1. Write and run a PowerShell script that forces a full password sync by
//      setting ForceFullPasswordSync on the AD DS connector and toggling the
//      Azure AD password sync channel off and back on.
//   2. Pause for 5 minutes.
//   3. Write and run a second script that regenerates the transcripts the
//      relevance reads (C:\Bes\AzureADpasswordSyncStaging.txt and
//      C:\Bes\AzureADpasswordSync.txt). Per the success criteria the action
//      counts as successful only when that relevance becomes false, i.e. the
//      "No ping event" warning no longer appears.
// Both scripts are executed by the BigFix agent's account with
// -ExecutionPolicy Bypass.
action uses wow64 redirection false
// Phase 1 script. Inside a createfile block a literal opening brace has to be
// written twice, because a single brace starts relevance substitution; that is
// why the PowerShell script blocks below look doubled. Closing braces are not
// doubled.
createfile until End_of_File
# Transcript of the forced sync; the only artefact kept from this phase.
Start-Transcript -Path C:\Bes\AzureADpasswordSyncfix.txt
Import-Module ADSync
$connectors = Get-ADSyncConnector
# Select the Azure AD connector and the on-premises AD DS connector by type.
# NOTE(review): no guard here for more than one connector of either type (the
# phase-3 script does warn on that case); with several AD connectors
# $adConnectors.Name is an array - confirm behaviour on multi-forest hosts.
$aadConnectors = $connectors | Where-Object {{$_.SubType -eq "Windows Azure Active Directory (Microsoft)"}
$adConnectors = $connectors | Where-Object {{$_.ConnectorTypeName -eq "AD"}
$c = Get-ADSyncConnector -Name $adConnectors.Name
# Connector-global parameter ForceFullPasswordSync = 1. Remove before Add so an
# existing value is replaced rather than duplicated; Add-ADSyncConnector then
# presumably persists the modified connector.
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
# Toggle the password sync channel off and back on to trigger the full sync.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnectors.Name -TargetConnector $aadConnectors.Name -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnectors.Name -TargetConnector $aadConnectors.Name -Enable $true
Stop-Transcript
End_of_File
// Stage the script on disk, run it, and remove it again.
// NOTE(review): the script is written to C:\Bes and then executed by the
// agent; this assumes C:\Bes is not writable by unprivileged users - confirm
// the folder ACL on the target machines.
delete C:\Bes\AzureADpasswordSyncfix.ps1
folder create "C:\Bes\"
copy __createfile C:\Bes\AzureADpasswordSyncfix.ps1
// powershell.exe is located via the registry rather than a hard-coded path.
waithidden { pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) } -ExecutionPolicy Bypass -File C:\Bes\AzureADpasswordSyncfix.ps1
delete C:\Bes\AzureADpasswordSyncfix.ps1
//Wait for 5 mins
// "adesso" records the start time; the pause loop polls until 5 minutes have
// elapsed. The two pio.txt writes log the clock before and after the wait;
// nothing on this page reads pio.txt (looks like a debugging leftover).
parameter "adesso"="{now as string}"
dos time /T > C:\bes\pio.txt
pause while {(now - ((parameter "adesso") as time)) < 5 * minute }
dos time /T >> C:\bes\pio.txt
//check if working
// Remove the previous outputs so the relevance is re-evaluated against fresh
// transcripts from the check script below.
delete C:\Bes\AzureADpasswordSyncStaging.txt
delete C:\Bes\AzureADpasswordSync.txt
delete C:\Bes\AzureADpasswordSyncAzuredomain.txt
delete C:\Bes\AzureADpasswordSynclocaldomain.txt
delete C:\Bes\AzureADpasswordSyncStaging.ps1
folder create "C:\Bes\"
//Get Staging Status and domain information
// Phase 3 script. Produces:
//   AzureADpasswordSyncStaging.txt - StagingMode setting (relevance looks for
//     a line containing "Value" and "False")
//   AzureADpasswordSyncAzuredomain.txt / ...localdomain.txt - connector dumps
//   AzureADpasswordSync.txt - feature status and heartbeat check (relevance
//     looks for PasswordHashSync "True" and for the "No ping event" warning)
// NOTE(review): the heartbeat window is 3 hours but the pause above is only
// 5 minutes, so a successful result depends on a new ping event (ID 654)
// being logged within those 5 minutes - confirm the expected ping cadence.
createfile until End_of_File
Start-Transcript -Path C:\Bes\AzureADpasswordSyncStaging.txt
Import-Module ADSync
# Emit the StagingMode global setting; the relevance expects a "Value ... False" line here.
$aadSyncSettings=Get-ADSyncGlobalSettings
($aadSyncSettings.parameters | ?{{$_.name -eq "Microsoft.Synchronize.StagingMode"})
Stop-Transcript
# Connector dumps for troubleshooting; not consulted by the relevance on this page.
Get-ADSyncConnector | Where-Object {{$_.SubType -eq "Windows Azure Active Directory (Microsoft)"} | Out-File -FilePath C:\Bes\AzureADpasswordSyncAzuredomain.txt
Get-ADSyncConnector | Where-Object {{$_.ConnectorTypeName -eq "AD"} | Out-File -FilePath C:\Bes\AzureADpasswordSynclocaldomain.txt
Start-Transcript -Path C:\BES\AzureADpasswordSync.txt
$connectors = Get-ADSyncConnector
$aadConnectors = $connectors | Where-Object {{$_.SubType -eq "Windows Azure Active Directory (Microsoft)"}
$adConnectors = $connectors | Where-Object {{$_.ConnectorTypeName -eq "AD"}
# Both connector types must exist, and exactly one Azure AD connector is expected.
if ($aadConnectors -ne $null -and $adConnectors -ne $null)
{{
if ($aadConnectors.Count -eq 1)
{{
# Azure AD company feature flag; the relevance requires this output line to contain True.
$features = Get-ADSyncAADCompanyFeature
Write-Host
Write-Host "Password sync feature enabled in your Azure AD directory: " $features.PasswordHashSync
foreach ($adConnector in $adConnectors)
{{
Write-Host
Write-Host "Password sync channel status BEGIN ------------------------------------------------------- "
Write-Host
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name
Write-Host
# Heartbeat (ping) events: Application log, source "Directory Synchronization",
# instance ID 654, last 3 hours, filtered to this connector's identifier,
# newest first. Kept as one statement - do not insert lines inside it.
$pingEvents =
Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654 -After (Get-Date).AddHours(-3) |
Where-Object {{ $_.Message.ToUpperInvariant().Contains($adConnector.Identifier.ToString("D").ToUpperInvariant()) } |
Sort-Object {{ $_.Time } -Descending
if ($pingEvents -ne $null)
{{
Write-Host "Latest heart beat event (within last 3 hours). Time " $pingEvents[0].TimeWritten
}
else
{{
# This warning text is exactly what the applicability relevance searches for.
Write-Warning "No ping event found within last 3 hours."
}
Write-Host
Write-Host "Password sync channel status END ------------------------------------------------------- "
Write-Host
}
}
else
{{
Write-Warning "More than one Azure AD Connectors found. Please update the script to use the appropriate Connector."
}
}
Write-Host
if ($aadConnectors -eq $null)
{{
Write-Warning "No Azure AD Connector was found."
}
if ($adConnectors -eq $null)
{{
Write-Warning "No AD DS Connector was found."
}
Write-Host
Stop-Transcript
End_of_File
// Stage, run and remove the check script (same ACL caveat as phase 1).
copy __createfile C:\Bes\AzureADpasswordSyncStaging.ps1
waithidden { pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) } -ExecutionPolicy Bypass -File C:\Bes\AzureADpasswordSyncStaging.ps1
delete C:\Bes\AzureADpasswordSyncStaging.ps1
Success Criteria
This action will be considered successful when the applicability relevance evaluates to false.