Auto ADConnect password Hash sync fix-Clean


Description

This Task runs on machines where password hash sync hasn't run for 3 hours.

 


Property Details

ID27005
StatusQA - Ready for Production Level Testing
TitleAuto ADConnect password Hash sync fix-Clean
DomainBESC
SourceInternal
Source Release Date6/13/2023 12:00:00 AM
KeywordsAD Connect Password Hash Sync FIx
Is TaskTrue
Added by on 6/19/2023 8:26:03 AM
Last Modified by on 6/19/2023 8:26:03 AM
Counters 920 Views / 0 Downloads

Relevance

Used in 2 fixlets   * Results in a true/false
member of group 1193930 of site "CustomSite__FIX"
Used in 1 fixlet   * Results in a true/false
exists file "C:\Bes\AzureADpasswordSyncStaging.txt"
Used in 1 fixlet   * Results in a true/false
exists (lines whose (it contains "Value" and it contains "False") of file "C:\Bes\AzureADpasswordSyncStaging.txt")
Used in 1 fixlet   * Results in a true/false
exists file "C:\Bes\AzureADpasswordSync.txt"
Used in 1 fixlet   * Results in a true/false
exists lines whose (it contains "Password sync feature enabled in your Azure" and it contains "True") of file "C:\Bes\AzureADpasswordSync.txt"
Used in 1 fixlet   * Results in a true/false
exists (lines whose (it as string as lowercase contains " No ping event found within last 3 hours." as lowercase) of files "C:\Bes\AzureADpasswordSync.txt")

Actions

Action 1 (default)

Script Type BigFix Action Script
// Force a full password hash sync on an Azure AD Connect server, wait five
// minutes, then re-run the status checks whose output files under C:\Bes are
// read by the applicability relevance.
//
// Stage 1: force password hash sync.
// Turn off WOW64 redirection for the commands that follow.
action uses wow64 redirection false
// Stage 1 payload (PowerShell, written out by createfile). A doubled opening
// brace is the action-script escape for a literal opening brace.
// The payload sets Microsoft.Synchronize.ForceFullPasswordSync to 1 on the AD
// connector, saves the connector, then disables and re-enables password sync
// between the AD connector and the Azure AD connector. A transcript is written
// to C:\Bes\AzureADpasswordSyncfix.txt.
// NOTE(review): $adConnectors.Name and $aadConnectors.Name are used as single
// values with no null or count check, unlike the status payload further down.
// Presumably exactly one connector of each type is expected; confirm before
// targeting servers with several AD connectors.
createfile until End_of_File
Start-Transcript -Path C:\Bes\AzureADpasswordSyncfix.txt
Import-Module ADSync
$connectors = Get-ADSyncConnector
$aadConnectors = $connectors | Where-Object {{$_.SubType -eq "Windows Azure Active Directory (Microsoft)"}
$adConnectors = $connectors | Where-Object {{$_.ConnectorTypeName -eq "AD"}
$c = Get-ADSyncConnector -Name $adConnectors.Name
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnectors.Name -TargetConnector $aadConnectors.Name -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnectors.Name -TargetConnector $aadConnectors.Name -Enable $true
Stop-Transcript
End_of_File

// Stage the payload as C:\Bes\AzureADpasswordSyncfix.ps1, run it hidden with
// the PowerShell executable whose path is read from the native registry, then
// delete the staged copy.
// NOTE(review): the payload runs with -ExecutionPolicy Bypass, presumably under
// the BigFix client's service account, and changes sync configuration. If
// C:\Bes is writable by anyone other than administrators, the .ps1 could be
// replaced between the copy and the run. Confirm the folder ACL, or stage the
// file in a folder only the client and administrators can write to.
delete C:\Bes\AzureADpasswordSyncfix.ps1
folder create "C:\Bes\"
copy __createfile C:\Bes\AzureADpasswordSyncfix.ps1
waithidden { pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) } -ExecutionPolicy Bypass -File C:\Bes\AzureADpasswordSyncfix.ps1
delete C:\Bes\AzureADpasswordSyncfix.ps1
// Wait five minutes before re-checking, presumably to give the forced sync
// time to log a heartbeat event. The parameter "adesso" holds the start time;
// C:\bes\pio.txt records the clock before and after the pause.
parameter "adesso"="{now as string}"
dos time /T > C:\bes\pio.txt
pause while {(now - ((parameter "adesso") as time)) < 5 * minute }
dos time /T >> C:\bes\pio.txt

// Stage 2: check whether password hash sync is working again.
// Remove the previous run's output files and any leftover check script.
delete C:\Bes\AzureADpasswordSyncStaging.txt
delete C:\Bes\AzureADpasswordSync.txt
delete C:\Bes\AzureADpasswordSyncAzuredomain.txt
delete C:\Bes\AzureADpasswordSynclocaldomain.txt
delete C:\Bes\AzureADpasswordSyncStaging.ps1
folder create "C:\Bes\"
// Stage 2 payload (PowerShell): staging-mode status and connector information.
// Files it writes under C:\Bes:
//   AzureADpasswordSyncStaging.txt      transcript showing the
//                                       Microsoft.Synchronize.StagingMode setting
//   AzureADpasswordSyncAzuredomain.txt  the Azure AD connector object
//   AzureADpasswordSynclocaldomain.txt  the AD connector object or objects
//   AzureADpasswordSync.txt             transcript with the PasswordHashSync
//                                       feature flag, the password sync
//                                       configuration per AD connector, and
//                                       whether event 654 from source
//                                       "Directory Synchronization" naming the
//                                       connector identifier was logged in the
//                                       last 3 hours
// The applicability relevance matches on text in these files ("Value" with
// "False", "Password sync feature enabled in your Azure" with "True", and
// "No ping event found within last 3 hours."), so the wording of the
// Write-Host and Write-Warning lines must stay as it is.
// NOTE(review): the events are sorted on $_.Time while the message prints
// TimeWritten; confirm the sort key is the intended property.
// NOTE(review): the output files stay in C:\Bes after the action and describe
// the directory sync configuration; confirm who can read that folder.
createfile until End_of_File
Start-Transcript -Path C:\Bes\AzureADpasswordSyncStaging.txt
Import-Module ADSync
$aadSyncSettings=Get-ADSyncGlobalSettings
($aadSyncSettings.parameters | ?{{$_.name -eq "Microsoft.Synchronize.StagingMode"})
Stop-Transcript
Get-ADSyncConnector | Where-Object {{$_.SubType -eq "Windows Azure Active Directory (Microsoft)"} | Out-File -FilePath C:\Bes\AzureADpasswordSyncAzuredomain.txt
Get-ADSyncConnector | Where-Object {{$_.ConnectorTypeName -eq "AD"} | Out-File -FilePath C:\Bes\AzureADpasswordSynclocaldomain.txt
Start-Transcript -Path C:\BES\AzureADpasswordSync.txt
$connectors = Get-ADSyncConnector
$aadConnectors = $connectors | Where-Object {{$_.SubType -eq "Windows Azure Active Directory (Microsoft)"}
$adConnectors = $connectors | Where-Object {{$_.ConnectorTypeName -eq "AD"}
if ($aadConnectors -ne $null -and $adConnectors -ne $null)
{{
if ($aadConnectors.Count -eq 1)
{{
$features = Get-ADSyncAADCompanyFeature

Write-Host
Write-Host "Password sync feature enabled in your Azure AD directory: " $features.PasswordHashSync
foreach ($adConnector in $adConnectors)
{{
Write-Host
Write-Host "Password sync channel status BEGIN ------------------------------------------------------- "
Write-Host
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name
Write-Host
$pingEvents =
Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654 -After (Get-Date).AddHours(-3) |
Where-Object {{ $_.Message.ToUpperInvariant().Contains($adConnector.Identifier.ToString("D").ToUpperInvariant()) } |
Sort-Object {{ $_.Time } -Descending
if ($pingEvents -ne $null)
{{
Write-Host "Latest heart beat event (within last 3 hours). Time " $pingEvents[0].TimeWritten
}
else
{{
Write-Warning "No ping event found within last 3 hours."
}
Write-Host
Write-Host "Password sync channel status END ------------------------------------------------------- "
Write-Host
}
}

else
{{
Write-Warning "More than one Azure AD Connectors found. Please update the script to use the appropriate Connector."
}
}
Write-Host
if ($aadConnectors -eq $null)
{{
Write-Warning "No Azure AD Connector was found."
}
if ($adConnectors -eq $null)
{{
Write-Warning "No AD DS Connector was found."
}
Write-Host
Stop-Transcript
End_of_File

// Stage the check payload as C:\Bes\AzureADpasswordSyncStaging.ps1, run it
// hidden the same way as the fix payload, then delete the staged copy.
// NOTE(review): the same -ExecutionPolicy Bypass and folder-ACL concern
// applies to this staged script; confirm who can write to C:\Bes.
copy __createfile C:\Bes\AzureADpasswordSyncStaging.ps1
waithidden { pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) } -ExecutionPolicy Bypass -File C:\Bes\AzureADpasswordSyncStaging.ps1
delete C:\Bes\AzureADpasswordSyncStaging.ps1
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

