Category Archives: Active Directory and Group Policy


Use Azure Storage Explorer to manage Azure storage accounts

You might have used third-party tools to manage Azure storage accounts — including managing storage blobs, queues and table storages — and VM files in the past, but there’s another option. Microsoft developed an Azure storage management tool that can manage multiple Azure storage accounts, which helps increase productivity. Meet certain requirements before installing the tool, and you can realize other benefits of using Azure Storage Explorer, such as performing complete Azure storage operational tasks from your desktop in a few simple steps.

Azure Storage Explorer was released in June 2016. Although Azure Storage Explorer is in preview, many organizations use it to efficiently manage Azure storage accounts. There are several previous versions of Azure Storage Explorer, but the latest version that is reliable and is in production use is 0.8.16.

Benefits of using Azure Storage Explorer

One of the main benefits of using Azure Storage Explorer is that you can perform Azure storage operations-related tasks — copy, delete, download, manage snapshots. You can also perform other storage-related tasks, such as copying blob containers, managing access policies configured for blob containers and setting public access levels, from a single GUI installed on your desktop machine.

Another benefit of using this tool is that if you have Azure storage accounts created in both Azure Classic and Azure Resource Manager modes, the tool allows you to manage Azure storage accounts for both modes.

You can also use Azure Storage Explorer to manage storage accounts from multiple Azure subscriptions. This helps you track storage sizes and accounts from a single UI rather than logging into the Azure portal to check the status of Azure storage for a different Azure subscription.

Azure Storage Emulator, which must be downloaded separately, allows you to test code and storage without an Azure storage account. Apart from managing storage accounts created on Azure, Azure Storage Explorer can connect to other storage accounts hosted on sovereign clouds and Azure Stack.

Requirements and installing Azure Storage Explorer

Azure Storage Explorer requires minimum resources on the desktop and can be installed on Windows Client, Windows Server, Mac and Linux platforms. All you need to do is download the tool and then install it. The installation process is quite simple. Just proceed with the onscreen steps to install the tool. When you launch the tool for the first time, it will ask you to connect to an Azure subscription, but you can cancel and add an Azure subscription at a later stage if you want to explore the options available with the tool. For example, you might want to modify the proxy settings before a connection to Azure subscriptions can be established.

Configuring proxy settings

Azure Storage Explorer requires a working internet connection, and many production environments place a proxy server between the desktop and the internet. In that case you must set the proxy in Azure Storage Explorer: open the Edit menu and click Configure Proxy, as shown in Figure A below:

Azure Storage Explorer proxy server settings
Figure A. Launching the proxy server settings page

When you click on Configure Proxy, the tool will show you the Proxy Settings page as shown in Figure B below. From there, you can enter the proxy settings and then click on OK to save the settings.

Proxy setting configuration
Figure B. Configuring proxy settings in Azure Storage Explorer

When you configure proxy settings in Azure Storage Explorer, the tool doesn’t check whether the settings are correct. It just saves the settings. If you run into any connection issues, please make sure that the proxy settings are correct and that you have a reliable internet connection.

How to use Azure Storage Explorer

If you’ve worked with third-party Azure storage management tools, you’re already familiar with storage operational tasks, such as uploading VHDX files and working with blob containers, tables and queues. Azure Storage Explorer provides the same functionality, but the interface might be different than the third-party storage management tools you’ve worked with thus far. The first step is to connect to an Azure account by clicking on the Manage Accounts icon and then clicking Add an Account. Once it is connected, Azure Storage Explorer will retrieve all the subscriptions associated with the Azure account. If you need to work with storage accounts in an Azure subscription, first select the subscription, and then click Apply. When you click Apply, Azure Storage Explorer will retrieve all of the storage accounts hosted on the Azure subscription. Once storage accounts have been retrieved, you can work with blob containers, file shares, queues and tables from the left navigation pane as shown in Figure C below:

Storage accounts in Azure Storage Explorer
Figure C. Working with storage accounts in Azure Storage Explorer

If you have several Azure storage accounts, you can search for a particular storage account by typing in the search box at the top of the left pane, as shown in Figure C above. Azure Storage Explorer provides easy management of blob containers. You can perform most blob container-related tasks, including creating a blob, setting up public access for a blob and managing access policies for blobs. By default, a blob container has public access disabled. If you want to enable public access for a blob container, right-click the blob container in the left navigation pane and then click Set Public Access Level… to display the Set Container Public Access Level page shown in Figure D below.

Blob container public access level
Figure D. Setting public access level for a blob container
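The setting in Figure D decides whether anonymous clients can read a container's blobs without any credentials, so a defender usually wants to know which containers are public across every account, not only the one open in the GUI. The script below is an added example; it is not part of the original article or of Azure Storage Explorer. It assumes the Az.Accounts and Az.Storage PowerShell modules and an existing Connect-AzAccount session, and the -Remediate switch is a name chosen for this example.

```powershell
# Added example (not from the original article): report every blob container
# whose public access level is not "Off" across all storage accounts visible
# to the signed-in identity, and optionally set them back to private.
# Assumes the Az.Accounts and Az.Storage modules and a Connect-AzAccount session.
param(
    # Example-specific switch: when present, public containers are reset to Off.
    [switch]$Remediate
)

$findings = foreach ($account in Get-AzStorageAccount) {
    # The account object carries a storage context for the data-plane calls.
    $ctx = $account.Context

    # Network rules or disabled key access can make the listing fail; record
    # that instead of silently skipping the account.
    $containers = Get-AzStorageContainer -Context $ctx -ErrorAction SilentlyContinue
    if (-not $?) {
        Write-Warning "Could not list containers in $($account.StorageAccountName)"
        continue
    }

    foreach ($container in $containers) {
        # PublicAccess is Off, Blob (anonymous blob reads) or Container
        # (anonymous blob reads plus container listing).
        if ($container.PublicAccess -ne 'Off') {
            if ($Remediate) {
                Set-AzStorageContainerAcl -Name $container.Name -Permission Off -Context $ctx
            }
            [pscustomobject]@{
                ResourceGroup  = $account.ResourceGroupName
                StorageAccount = $account.StorageAccountName
                Container      = $container.Name
                PublicAccess   = $container.PublicAccess
                Remediated     = [bool]$Remediate
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it without the switch first to see the findings; the Blob and Container levels both allow unauthenticated reads, and the Container level additionally lets an anonymous caller enumerate blob names, which is why the example treats anything other than Off as a finding.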

Next Steps

Learn more about different Azure storage types

Navigate expanded Microsoft Azure features

Enhance cloud security with Azure Security Center

Azure DevTest Labs offers substitute for on-premises testing

Azure DevTest Labs brings a consistent development and test environment to cost-conscious enterprises. The service also gives admins the chance to explore Azure’s capabilities and determine other ways the cloud can assist the business.

A DevTest Lab in Azure puts a virtual machine in the cloud to verify developer code before it moves to the organization’s test environment. This practice unveils initial bugs before operations starts an assessment. DevTest Labs gives organizations a way to investigate the Microsoft cloud platform and its compute services, without incurring a large monthly cost. Look at Azure DevTest Labs as a way to augment internal tests — not replace them.

Part one of this two-part series explains Azure DevTest Labs and how to configure a VM for lab use. In part two, we examine the benefits of a testing cloud-based environment.

DevTest Labs offers a preliminary look at code behavior

After you create a lab with a server VM, connect to it using the same tools you would use in an on-premises environment: Visual Studio or Remote Desktop for Windows VMs and Secure Shell (SSH) for Linux VMs. Development teams can push the code to an internal repository connected to the Azure environment and then deploy it to the DevTest Lab VM.

Use the DevTest Lab VM to check what happens to the code:

  • when no modifications have been made to infrastructure; and
  • if the application runs on different versions of an OS.

Windows Server VMs in Azure provide uniformity

An organization’s test environment often has stipulations, such as a requirement to mirror the production Windows Servers through the last patch cycle, which can hinder the development process. Azure DevTest Labs uncovers how applications behave on the latest Windows Server version. This prepares IT for any issues before the internal testing environment moves to that server OS version. IT also can use DevTest Labs to check new features of an OS before they roll it out to production.

DevTest Labs assists admins who want to study for a certification and need a home lab environment to practice and study. But building a home lab is expensive when you consider costs for storage, server hardware and software. Virtualized labs with VMware Workstation or Client Hyper-V reduce this cost, but it’s still expensive to buy a powerful laptop that can handle all the new technologies in a server OS.

Admins can stand up Windows Server 2016 in DevTest Labs to understand the capabilities of the OS and set up an automatic shutdown time. This gives employees access to capable systems for after-hours studying, and the business only pays for the time the lab runs.

Azure DevTest Labs doesn’t replace on-premises testing

Many organizations have replica environments that mirror production sites, which ensures any fixes and changes will function properly when they go live. Azure DevTest Labs should not replace an on-premises test environment.

Video: Steps to produce an Azure DevTest Lab.

Implement DevTest Labs to prevent testing delays: start work in DevTest Labs, which helps refine the list of items the team needs from operations. And because Azure is built to scale, users can add resources with a few clicks. An on-premises environment does not have the same flexibility to grow on demand, which can slow the code development process.

Production apps don’t have to stay in Azure

You can also use Azure DevTest Labs to validate applications or configurations and then deploy them into the company’s data center. When the test phase of development passes, shut down the DevTest Lab until it is needed again.

In addition, IT teams can turn to DevTest Labs to showcase how the business can use Azure cloud. If the company wants to work with a German organization, for example, it must contend with heavy regulations about how data is handled and who owns it. Rather than build a data center in Germany, which could be cost-prohibitive, move some apps into an Azure region that covers the European Union or Germany. This is much less expensive because the business only pays for what it uses.

Still, regulatory issues override all the good reasons to use Azure. If you’re unsure which regulatory items your organization needs to know about, Microsoft provides a list. You also can examine Microsoft’s audit reports to perform a risk assessment and see if Azure meets your company’s compliance needs.

Microsoft offers a 30-day free trial of DevTest Labs. It’s a great resource for development and testing, and provides an inexpensive learning environment for administrators who want to explore current and upcoming technologies.

Next Steps

Don’t let a test VM affect the production environment

Explore OpenStack’s capabilities with a virtual home lab

Use a Hyper-V lab for certification studies

Expect service providers to ease Azure Stack deployment

Microsoft is about to release Azure Stack, after two years and many bumps in the road. Despite the hoopla, it’s unclear just how many customers will be there to warmly greet the new arrival.

Microsoft has said that Azure Stack offers both infrastructure as a service (IaaS) and platform-as-a-service capabilities. As such, it brings the perks of the cloud service down into the data center. This might tempt businesses long frustrated with tangled, difficult-to-manage multicloud setups, said Mike Dorosh, an analyst at Gartner.

Dorosh said that, given the product’s complex licensing terms, he doubts many IT shops would opt for an Azure Stack deployment directly from a Microsoft hardware partner — at least initially. Dell EMC, Hewlett Packard Enterprise, Lenovo, Avanade and Huawei offer Azure Stack hardware bundles.

Microsoft designed Azure Stack deployment to be a simple process. Jeffrey Snover, a Microsoft technical fellow, said the installation should be quick and its complexity largely obscured by Microsoft and the hardware vendor. But Dorosh also said he predicts it will test businesses as they attempt to migrate and refactor existing apps and develop and deploy new apps onto Azure Stack.

“Then, the challenge becomes: You don’t have the skills and the tools and the knowledge or the staff to work it,” Dorosh said.

Other factors will likely slow initial adoption. Businesses that have recently invested in a private cloud or their infrastructure won’t replace these new investments with Azure Stack, Dorosh said. He also expects to hear concern about licensing and the speed of Microsoft’s updates.

Questions linger on Microsoft licensing

Azure Stack could confuse customers with its different fee models. Microsoft uses a consumption model for five Azure Stack services: Base virtual machine; Windows Server virtual machine; Azure Blob Storage; Azure Table and Queue Storage; and Azure App Service. Businesses can use existing licenses to reduce costs.

A company can subscribe to Azure Stack on a base VM charge of $0.008 per virtual CPU per hour or $6 per vCPU per month. Without a license, a Windows Server VM will cost $0.046 per vCPU per hour or $34 per vCPU per month. There are also options for when there is no public internet connection, called disconnected, and fixed-fee models. An IaaS package costs $144 per core per year, and adding an app service brings it to $400 per core per year.

Dorosh said he expects businesses to get better terms from Microsoft on Azure Stack deployment than with similar offerings, such as Azure Pack, because it will be bundled into the product. However, Microsoft must also streamline its licensing terms to avoid confusion. For example, if a service provider has a SQL database with multiple SQL licenses, it will need to translate those licenses to the Azure Stack model.

“[Microsoft used to say] it depends on where you bought it and which programs you bought it under,” Dorosh said. “But now, [customers] want to know, ‘Can I move my SQL license or not? Yes or no?’”

Customers must also make frequent updates to Azure Stack to continue to receive support. A company must apply a Microsoft update within six months, but service providers want Microsoft to push adopters to stay within two months of the regular patches, Dorosh said. Falling six months behind would leave both service providers and Azure Stack users at a disadvantage.

“The further you fall behind, the less Azure you are,” Dorosh said. “You’re no longer part of the Azure cloud family — you’re Azure-like.”

More Azure Stack coverage

  • One size won’t fit all for Azure Stack debut: Initially, Azure Stack will only be offered as a one-rack deployment. Microsoft said it might extend to multirack deployments by early 2018. For now, the one-rack deployment could dampen interest in Azure Stack at larger businesses that don’t want to extend hosting into the Azure public cloud.
  • Analysts say Azure Stack will outpace VMware on Amazon Web Services: Both Azure Stack and VMware Cloud on AWS are expected to hit the hybrid cloud technology market in September. Even though VMware Cloud on AWS targets the world’s largest cloud service provider, analysts expect Azure Stack to sell better. A leading reason is that many Azure Stack customers will be migrating data with one vendor — from a Microsoft-operated data center to the Azure public cloud — while VMware Cloud on AWS requires you to use technologies from different vendors.
  • Azure Stack architect addresses delay: When Microsoft first announced Azure Stack in May 2015, the plan was to release it by the end of 2016. The company then pushed the release to September 2017. Snover, the Azure Stack architect, told SearchWindowsServer in June that the code was not ready for the original launch date. “As much as possible, we are trying to be Azure-consistent,” he said, and the effort to convert Azure to work on premises required more time.
  • Azure Stack isn’t a steppingstone to public cloud: Microsoft anticipates its Azure Stack customers will be businesses that have a long-term plan for hybrid cloud deployment. Although you could use Azure Stack as a “migration path to the cloud,” as Julia White, Microsoft corporate vice president for Azure, put it, the software provider’s internal research suggests that won’t be the case: Eighty-four percent of customers have a hybrid cloud strategy, and 91% of them look at hybrid cloud computing as a long-term workflow. Microsoft expects companies with data sovereignty issues will look to Azure Stack as a way to get cloud computing while keeping data in-house.

Preserve your AD organizational unit with these commands

access to resources across the network. If a piece of this directory service gets deleted inadvertently during maintenance work, however, it can bring the company to its knees.

AD organizational units (OU) arrange systems, users and other AD OUs into a specific order. But the accidental removal of an AD organizational unit can cause a massive disruption. For example, if a sysadmin deletes the OU that holds certain user accounts, those workers can’t log in to their PCs. Until an administrator recovers the OU, productivity will suffer. Even though Active Directory has a Recycle Bin, a complete recovery can take several hours in a large organization.

A PowerShell script can quickly check that each AD organizational unit is protected.

Determine the protection status for one unit

To check the protection setting of a single AD organizational unit — for example, the ComputersOU unit — use the Identity parameter:

Get-ADOrganizationalUnit -Identity "OU=ComputersOU,DC=TechTarget,DC=Com" -Properties ProtectedFromAccidentalDeletion

The ProtectedFromAccidentalDeletion property will return a FALSE value if the AD organizational unit is not protected.

Are all AD organizational units protected?

To identify the protection status of OUs in all AD domains, use the PowerShell script below. It collects all OUs, checks the protection setting of each and then saves the results to a CSV file.

# Report file for the results; the previous run's file is removed first
$ReportFile = "C:\Temp\OUProtectionStatus.CSV"
Remove-Item $ReportFile -ErrorAction SilentlyContinue

# CSV header row
$ThisStr = "OU Name,OU Path,In AD Domain,Final Status"
Add-Content "$ReportFile" $ThisStr

# Text file listing one AD domain name per line
$DomainList = "C:\Temp\DomainList.TXT"

ForEach ($DomName in Get-Content "$DomainList")
{
    # Collect the OUs in this domain whose protection setting is disabled;
    # only the attribute we test is requested rather than -Properties *
    $AllOUs = Get-ADOrganizationalUnit -Server $DomName -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false}

    # @() keeps .Count correct when zero or one OU is returned
    $TotOUNow = @($AllOUs).Count

    IF ($TotOUNow -ne 0)
    {
        ForEach ($Item in $AllOUs)
        {
            # Quote name and DN because distinguished names contain commas
            $FinalSTR = '"'+$Item.Name+'"'+","+'"'+$Item.DistinguishedName+'"'+","+$DomName+",Not Ok"
            Add-Content "$ReportFile" $FinalSTR
        }
    }
}

The script generates a report file with the OU name, OU distinguished path, OU domain name and the OU protection-setting status.

Protection status results
Figure 1. A PowerShell script can check the protection settings for all AD organizational units and produce a CSV file with the results.

The script’s results indicate that the protection setting for UsersOU, ComputersOU, ServersOU and domain controllers is not enabled. The script collects the OU distinguished name to make it easier to locate the AD organizational unit and then enable the protection setting.

To turn on the protection for one or all AD organizational units in a domain, use the Set-ADOrganizationalUnit cmdlet.
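To close the loop on the report above, here is an added example (not from the original article) that performs the enabling step with Set-ADOrganizationalUnit across every domain in the forest and records what changed. It assumes the ActiveDirectory module is available and the account running it has rights to modify the OUs; the report path and parameter names are choices made for this example. Because the script supports -WhatIf, you can preview which OUs would change before touching anything.

```powershell
# Added example (not from the original article): enable accidental-deletion
# protection on every unprotected OU across the domains in the current forest.
# Requires the ActiveDirectory module (RSAT). Run with -WhatIf first to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Domains to process; defaults to every domain in the current forest.
    [string[]]$Domains = (Get-ADForest).Domains,
    # Example-specific report location; adjust for your environment.
    [string]$ReportFile = "C:\Temp\OUProtectionFix.csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

$results = foreach ($domain in $Domains) {
    # Request only the attribute being tested instead of -Properties *
    $unprotected = Get-ADOrganizationalUnit -Server $domain -Filter * `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }

    foreach ($ou in $unprotected) {
        $status = 'Skipped'
        # ShouldProcess honours -WhatIf and -Confirm, so the change can be previewed
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Enable ProtectedFromAccidentalDeletion')) {
            try {
                Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -Server $domain `
                    -ProtectedFromAccidentalDeletion $true -ErrorAction Stop
                $status = 'Protected'
            }
            catch {
                # Keep going for the remaining OUs but record the failure
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Domain            = $domain
            Name              = $ou.Name
            DistinguishedName = $ou.DistinguishedName
            Status            = $status
        }
    }
}

# Export-Csv quotes each field, so distinguished names with commas stay intact
$results | Export-Csv -Path $ReportFile -NoTypeInformation
$results | Format-Table -AutoSize
```

Save the block as a .ps1 file, run it once with -WhatIf to review the list, then run it again without the switch to apply the setting. The flag only protects the OU object itself (it adds Deny entries for Everyone on Delete and Delete Subtree); objects inside the OU are not covered unless they carry the setting too, so rerunning the reporting script after remediation is a good habit.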

Stand up infrastructure on a budget with Azure DevTest Labs

Many businesses expect IT teams to do more without giving them more money — and, sometimes, cutting an already small budget. But new projects mean test and development — an expensive endeavor in the data center. One way to alleviate this financial strain is to move those test and development workloads into the cloud.

Running a test environment in the data center is expensive, with high costs connected to hardware, software, power and cooling — not to mention all the time and effort IT spends keeping everything running and properly updated. Instead, administrators can turn to the cloud to develop and test applications in Microsoft’s Azure DevTest Labs. This enables companies to trade in hardware expenses and switch to a pay-per-use model. Other features in the service, such as the auto shutdown for VMs, can further control costs.

In this first part of a two-part series, we explain the merits of using a test bed in Azure and configuring a VM for lab use. In part two, we explore ways to manage the VM in DevTest Labs, as well as benefits gained when a workload moves out of the data center.

What is Azure DevTest Labs?

Many businesses maintain an on-premises test environment that emulates the production environment, which lets development teams test code before it is pushed into production. This also enables other teams within the application development group to perform usability and integration testing.

But a test environment can have slight variations from the production side. It might not have key updates or patches, or it could run on different hardware or software. These disparities cause the application to fail when it hits the production environment. Azure DevTest Labs addresses these issues, enabling admins to build an infrastructure that is disposable and adaptable. If the test environment requires drastic changes, the team can remove it and build a new one with minimal effort. In contrast, a typical on-premises production setting generally cannot be offline for very long; the investment in hardware, software and other infrastructure requires lengthy deliberation before IT makes any changes.

The team can turn off DevTest Labs when the test period ends so that resources go away, and there are no costs until the service is needed again.

Creating another lab scenario to test a new feature removes the effort to twist and tweak an existing test environment to bring necessary components online, which can cause problems with other testing scenarios. An on-premises test environment requires sizable expense and effort to maintain and keep in sync with production. In contrast, admins can quickly configure a test setting in Azure DevTest Labs.

What are the benefits of Azure DevTest Labs?

The most noticeable benefits to DevTest Labs include:

  • Pay as you go pricing: The lab only incurs cost when a VM runs. If the VM is deallocated, there are no charges.
  • Specified shutdown: IT staff can configure DevTest Labs to shut down at a certain time and automatically disconnect users. Turning the service off — for example, shutting it down between 5 p.m. and 8 a.m. — saves money.
  • Role-based access: IT assigns certain access rights within the lab to ensure specific users only have access to the items they need.

How do I get started with Azure DevTest Labs?

To set up Azure DevTest Labs, you’ll need an Azure subscription. Sign up for a 30-day trial from the Microsoft Azure site. Go to the Azure Resource Management portal, and add the DevTest Labs configuration from the Azure Marketplace with these steps:

  • Select the New button at the top of the left column in the Azure portal. This will change the navigation pane to list available categories of services and the main blade to a blank screen. As you make selections, this will populate with related information.
  • In the search box, enter DevTest Labs, and press Enter.
  • In the blade that displays the search results, click on DevTest Labs. This will display more information about DevTest Labs and a Create button.

Install Azure DevTest Labs
Figure 1. Find the option to add the Azure DevTest Labs to your subscription from the Azure Marketplace.

Click the Create button. Azure will prompt you to enter configuration settings for the instance, such as:

  • The name of the lab: The text box shows a green checkmark if the value is acceptable.
  • The Azure subscription to use
  • The region where the DevTest Lab will reside: Pick a region closest to user(s) for better performance.
  • If auto shutdown should be enabled: This is enabled by default; all VMs in the lab will shut down at a specified time.

Enter values for these options; items marked with a star are required. Click Create, and Azure will provision the DevTest Labs instance. This typically takes a few minutes to gather the background services and objects needed to build the lab. Click the bell icon in the header area of the Azure portal screen to see the progress for this deployment.

DevTest Labs provisioning
Figure 2. Click the bell-shaped icon in the Azure portal to check the provisioning progress of the DevTest Labs instance.

Once Azure provisions the lab, you can add objects and resources to it. Each lab gets a resource group within Azure to keep all the items packaged. The resource group takes the name of the lab with some random characters at the end. This ensures the resource group name for the lab is unique and ensures the admin manages its resources through DevTest Labs.

To find the lab, select the option for DevTest Labs from the left navigation pane. For new users, it might be listed under More Services at the bottom. When the lab is located, scroll down to the Developer Tools section, and click the star icon next to the service name to pin DevTest Labs to the main navigation list.

Click DevTest Labs in the navigation list to open the DevTest Labs blade and list all the labs. Click on the name of the new lab: techTarget — for the purposes of this article.

Azure DevTest Labs environment
Figure 3. After Azure provisions the lab, the administrator can add compute and other resources.

This opens the blade for that lab. The administrator can populate the lab with compute and other resources. New users should check the Getting Started section to familiarize themselves with the service.

What components can we put in the lab?

DevTest Labs creates sandbox environments to test applications in development or to see how a feature in Windows Server performs before moving it to a production environment.

Administrators can add components to each lab, including:

  • VMs: Azure uses VMs from the Marketplace or uploaded images.
  • Claimable VMs: The IT department provides a pool of VMs for lab users to select.
  • Data disks: You can attach these disks to VMs to store data within a lab.
  • Formulas: Reusable code and automation objects are available to objects within the lab.
  • Secrets: These are values, such as passwords or keys, the lab needs. These reside in a secure key vault within the Azure subscription.

Administrators can modify configuration values and policies related to the lab, change the auto startup and auto shutdown times and specify machine sizes that users can create. To find more information on these items, select My virtual machines under MY LAB in the navigation list. Click Add at the top of the blade to insert a VM.

Add a new VM
Figure 4. Create a new VM with the Add button in the lab.

For the purposes of this article, select Windows Server 2016 Datacenter as the VM base image. The next blade shows the following items that are required to build the VM:

  • VM name: A unique name for the VM.
  • Username: The admin username for this VM — it cannot be administrator.
  • Disk type: Options include solid-state drive or hard disk drive — SSD provides better performance, but will raise the cost of operations slightly.
  • VM size: The number of CPU cores and amount of RAM — after selecting the one you want, click Select.

Configure the lab VM
Figure 5. Make selections to build the VM for the lab. The blades show the options and prices based on the size of the VM.

You can also select artifacts to install when the VM is created, and configure advanced options for the resource. Find more information about artifacts at Microsoft’s Azure documentation site.

For labs with more complex needs, advanced settings let administrators adjust the VM’s networking settings and set the VM as claimable.

When you finish the lab VM configuration, click Create. Azure will do its work, which will take some time to complete.

In the next installment of this article, we will look at VM management in Azure DevTest Labs and different testing scenarios within the service.

Next Steps

A Hyper-V lab can help with certification studies

Explore OpenStack’s capabilities with a virtual home lab

Keep a test VM from affecting the production environment


Automate Active Directory jobs with PowerShell scripts

Most IT professionals have some experience with Active Directory, whether they use it to create new users, reset passwords or generate child domains. Tools like Active Directory Users and Computers and Active Directory Administrative Center get the job done, but they’re based on a GUI and require a lot of manual manipulation.

Active Directory is suitable for automation — it’s an area where admins make constant, and often repetitive modifications, such as creating users, computers and organizational units. With the right tools in place, you can use PowerShell to automate Active Directory tasks and eliminate a lot of these recurring steps.

Install the AD module

There are a few steps to take before you can automate Active Directory. First, install the Remote Server Administration Tools package, which is specific to your OS version.

After the installation, enable the AD module. Go to Programs and Features in the Control Panel and follow this path: Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory Module for Windows PowerShell.

Once the AD module is enabled, open the PowerShell console and use the Get-Command cmdlet to check that every command is available to you.

PS> Get-Command -Module ActiveDirectory

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Add-ADCentralAccessPolicyMember                    1.0.0.0    ActiveDirectory
Cmdlet          Add-ADComputerServiceAccount                       1.0.0.0    ActiveDirectory
Cmdlet          Add-ADDomainControllerPasswordReplicationPolicy    1.0.0.0    ActiveDirectory
Cmdlet          Add-ADFineGrainedPasswordPolicySubject             1.0.0.0    ActiveDirectory
...


Next, run the Update-Help command to download the latest documentation for each PowerShell command. Microsoft regularly updates the comprehensive PowerShell help system. Running the Update-Help command is a worthwhile step for administrators who are new to PowerShell, especially when exploring a new module.

Now that the AD module is ready to go, there are a few common ways to automate Active Directory jobs.

How to find users

To adjust settings for a user, you need to find the user. There are several ways to do this in Active Directory, but the most common is with the Get-AdUser cmdlet. This cmdlet enables you to search based either on the name of the user or via a filter that locates several users at once. The following example uses a filter to find users with the first name Joe:

PS> Get-AdUser -Filter 'givenName -eq "Joe"'

If you know the user’s name, you could use the Identity parameter:

PS> Get-AdUser -Identity 'jjones'

Create new users

The New-AdUser cmdlet creates new users and lets you specify the majority of the attributes. For example, if you want to create a new user called David Jones with a password of p@$$w0rd10, use PowerShell’s splatting feature to package several parameters to pass them to the New-AdUser cmdlet.

$NewUserParameters = @{
    'GivenName' = 'David'
    'Surname' = 'Jones'
    'Name' = 'djones'
    'AccountPassword' = (ConvertTo-SecureString 'p@$$w0rd10' -AsPlainText -Force)
    'ChangePasswordAtLogon' = $true
}

New-AdUser @NewUserParameters

Add users to groups

Another common administrative task is to add new users to groups. This is easily done with the Add-AdGroupMember cmdlet. The example below adds the user David Jones to an Active Directory group called Accounting:

Add-AdGroupMember -Identity 'Accounting' -Members 'djones'

Automate creation of users

We can combine these commands when the human resources department provides a CSV file that lists new users to create in Active Directory. The CSV file might look like this:

"FirstName","LastName","UserName"
"Adam","Bertram","abertram"
"Joe","Jones","jjones"

To create these users, write a script that invokes the New-AdUser command for each user in the CSV file. Use the built-in Import-Csv command and a foreach loop in PowerShell to go through the file and give users the same password.

Import-Csv -Path C:\Employees.csv | foreach {
    $NewUserParameters = @{
        'GivenName' = $_.FirstName
        'Surname' = $_.LastName
        'Name' = $_.UserName
        'AccountPassword' = (ConvertTo-SecureString 'p@$$w0rd10' -AsPlainText -Force)
    }

    New-AdUser @NewUserParameters
}
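The loop above gives every new account the same, hard-coded password. The script below is an added example (not code from the original article) that carries the same CSV-driven procedure through with the checks a production onboarding job needs: it validates and looks up each user name first (the Get-AdUser filter from the "How to find users" section), generates a distinct random one-time password per account with a cryptographic RNG, forces a change at first logon, adds the user to the group, and supports -WhatIf. The OU path, the UPN suffix "corp.example" and the "Accounting" group are assumed values.

```powershell
# Added example (not from the original article): bulk user provisioning from an
# HR CSV with FirstName,LastName,UserName columns. Assumes the ActiveDirectory
# module; OU path, UPN suffix and group name below are hypothetical.
#Requires -Modules ActiveDirectory

function New-InitialPassword {
    # Random 16-character password from a cryptographic RNG. The alphabet has
    # exactly 64 symbols (ambiguous I/O/l/i/o dropped), so byte % 64 is unbiased.
    param([int]$Length = 16)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-?'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function New-EmployeeAccounts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$OUPath,                      # e.g. 'OU=Staff,DC=corp,DC=example' (hypothetical)
        [string]$UpnSuffix = 'corp.example',  # hypothetical UPN suffix
        [string[]]$Groups = @('Accounting')   # group name taken from the article's example
    )
    foreach ($row in Import-Csv -Path $CsvPath) {
        $sam = $row.UserName
        # Reject anything that is not a plausible sAMAccountName before it reaches an AD filter
        if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            Write-Warning "Invalid user name '$sam' in CSV; skipping"
            continue
        }
        # Idempotency: -Filter returns nothing (no error) when there is no match
        if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
            Write-Warning "$sam already exists; skipping"
            continue
        }
        $password = New-InitialPassword
        $params = @{
            GivenName             = $row.FirstName
            Surname               = $row.LastName
            Name                  = "$($row.FirstName) $($row.LastName)"
            SamAccountName        = $sam
            UserPrincipalName     = "$sam@$UpnSuffix"
            AccountPassword       = (ConvertTo-SecureString $password -AsPlainText -Force)
            ChangePasswordAtLogon = $true   # the random value is only a one-time bootstrap
            Enabled               = $true
        }
        if ($OUPath) { $params['Path'] = $OUPath }
        if ($PSCmdlet.ShouldProcess($sam, 'Create AD user')) {
            New-ADUser @params
            foreach ($g in $Groups) { Add-ADGroupMember -Identity $g -Members $sam }
            # Return the one-time password to the caller only; hand it to the
            # onboarding process out of band rather than writing it to a shared log.
            [pscustomobject]@{ UserName = $sam; InitialPassword = $password }
        }
    }
}

# Usage with the constructed CSV from the article:
# New-EmployeeAccounts -CsvPath C:\Employees.csv -WhatIf     # dry run, creates nothing
# New-EmployeeAccounts -CsvPath C:\Employees.csv | Export-Csv .\onboarding.csv -NoTypeInformation
```

Run it with -WhatIf first; ShouldProcess gates both the New-ADUser call and the group membership change, so the dry run reports what would be created without touching the directory.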

These are a few basic examples of how an admin can automate Active Directory tasks with PowerShell. The Active Directory PowerShell module has many commands that enable admins to execute more complex jobs, such as permission delegation for groups. 


Troubleshoot Azure AD synchronization issues with these strategies

be sure to monitor the synchronization to ensure changes are replicated successfully. You can implement monitoring mechanisms to trigger alerts in the event of AD synchronization issues, but in order to actually address any issues, you need to resolve the conflicts with objects.

Resolve InvalidSoftMatch errors

Once a full AD synchronization is complete, the directory synchronization tool performs delta synchronization. During delta synchronization, the tool checks attributes of the objects that have been changed and new objects that need to be replicated to Windows Azure Active Directory (WAAD). For example, if you change a user account in on-premises AD, when DirSync performs the next delta synchronization, it checks what has been changed. DirSync follows two rules before the modified or new objects can be replicated: Hard Match and Soft Match.

When it comes time to update or add an object in WAAD, Azure AD matches the object using the SourceAnchor property of the object to the ImmutableID property of the object in WAAD. This match is generally called a Hard Match in AD synchronization. If the SourceAnchor data doesn’t match the ImmutableID data, Azure AD performs a Soft Match. Soft Match checks the value of the ProxyAddresses and UserPrincipalName attributes before the object can be updated or added.

You might hit Soft Match errors if Hard Match doesn’t find any matching object and Soft Match does find a matching object, but that object contains a different value in the ImmutableID property. This situation usually occurs when the matching object was synchronized with another object in on-premises AD. This type of error is called InvalidSoftMatch.

To resolve InvalidSoftMatch errors, run the Azure AD Connect Health for Sync tool, which can help you identify conflicting objects. Once the conflicting objects have been identified, check to see which object shouldn’t be present in WAAD. Then either remove the duplicate object or change the value, and let the directory synchronization attempt a replication of the objects automatically. You can also force directory synchronization as explained below.

Make sure AD synchronization user account is operational

It’s important to ensure that the account you configure for synchronization is operational. By default, accounts created in Azure cloud are set to expire within 90 days. The password for the synchronization account must be set to never expire. To change the synchronization service account to never expire, you can use the Set-MsolUser PowerShell cmdlet. First, you need to connect to Azure by running the Connect-MsolService cmdlet and then find the synchronization service account by running the Get-MsolUser -UserPrincipalName AccountName@DomainName.com cmdlet. Once the synchronization service account is identified, set the account’s password to never expire by using the Set-MsolUser cmdlet as shown below:

Set-MsolUser -UserPrincipalName AccountName@DomainName.Com -PasswordNeverExpires $True

There’s no need to restart the directory synchronization service for the changes to take effect.

Perform a full or delta synchronization

Note that the directory synchronization tool performs a full AD synchronization when you first install the tool. Once the full synchronization is complete, it continues to perform delta synchronizations. If you need to trigger a full synchronization immediately, use the PowerShell cmdlets that are available with the installation of the directory synchronization tool. The Start-ADSyncSyncCycle PowerShell cmdlet can help you perform either a full or delta synchronization.


Run Import-Module ADSync to import the directory synchronization modules and then execute the PowerShell commands below to initiate a full or delta synchronization.

To force full synchronization, execute the Start-ADSyncSyncCycle -PolicyType Initial PowerShell command, and to force delta synchronization, execute the Start-ADSyncSyncCycle -PolicyType Delta PowerShell command. If you encounter any issues, check the event logs.
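The three checks described in this article (the Hard Match/Soft Match comparison behind InvalidSoftMatch, the expiring synchronization account, and forcing a sync cycle and then reading the event log) fit naturally into a small troubleshooting toolkit. The following is an added example, not code from the article or from Microsoft. It assumes the MSOnline module (Connect-MsolService, Get-MsolUser, Set-MsolUser), the ActiveDirectory module, and the ADSync module installed with Azure AD Connect; it also assumes the default sourceAnchor of objectGUID, so the ImmutableId the sync engine writes is the Base64 encoding of the on-premises objectGUID bytes. The event source name used to filter the Application log is an assumption to adjust for your installation.

```powershell
# Added example, not from the original article. Assumes the MSOnline,
# ActiveDirectory and ADSync modules, and sourceAnchor = objectGUID (default).
function Test-SoftMatchConflict {
    # For each on-prem user, compute the hard-match key the sync engine writes
    # (Base64 of objectGUID) and compare it with the ImmutableId of the cloud
    # object that Soft Match would pick by UserPrincipalName.
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($sam in $SamAccountName) {
        try { $adUser = Get-ADUser -Identity $sam -Properties objectGUID, proxyAddresses }
        catch { Write-Warning "$sam not found in on-premises AD"; continue }
        $expected = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
        $cloud = Get-MsolUser -UserPrincipalName $adUser.UserPrincipalName -ErrorAction SilentlyContinue
        if (-not $cloud)                          { $status = 'NotInCloud' }
        elseif (-not $cloud.ImmutableId)          { $status = 'CloudOnlyObject' }   # next soft match will claim it
        elseif ($cloud.ImmutableId -eq $expected) { $status = 'HardMatchOK' }
        else                                      { $status = 'InvalidSoftMatch' }  # anchored to another on-prem object
        [pscustomobject]@{
            SamAccountName      = $sam
            UserPrincipalName   = $adUser.UserPrincipalName
            ProxyAddresses      = ($adUser.proxyAddresses -join ';')   # second Soft Match attribute
            ExpectedImmutableId = $expected
            CloudImmutableId    = $cloud.ImmutableId
            Status              = $status
        }
    }
}

function Test-SyncAccountPolicy {
    # Read-only audit of the synchronization account by default; the article's
    # fix (PasswordNeverExpires) is applied only when -Fix is given.
    param([Parameter(Mandatory)][string]$UserPrincipalName, [switch]$Fix)
    $acct = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if (-not $acct.PasswordNeverExpires -and $Fix) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -PasswordNeverExpires $true
        $acct = Get-MsolUser -UserPrincipalName $UserPrincipalName
    }
    [pscustomobject]@{
        UserPrincipalName    = $acct.UserPrincipalName
        PasswordNeverExpires = $acct.PasswordNeverExpires
        LastPasswordChange   = $acct.LastPasswordChangeTimestamp
        BlockCredential      = $acct.BlockCredential   # a blocked sync account stops replication too
    }
}

function Invoke-SyncAndCheck {
    # Start a delta (or initial) sync cycle, wait for it to finish, then return
    # warnings and errors the sync service logged since the cycle started.
    param([ValidateSet('Delta', 'Initial')][string]$PolicyType = 'Delta')
    Import-Module ADSync
    $since = Get-Date
    Start-ADSyncSyncCycle -PolicyType $PolicyType
    # Get-ADSyncScheduler exposes SyncCycleInProgress on Azure AD Connect 1.1 and later (assumption)
    do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since; Level = 1, 2, 3 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like 'Directory Synchronization*' } |   # provider name is an assumption
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage:
# Connect-MsolService
# Test-SyncAccountPolicy -UserPrincipalName 'SYNC-ACCOUNT-UPN-PLACEHOLDER'   # replace with your sync account
# Test-SoftMatchConflict -SamAccountName 'jjones', 'djones' | Format-Table -AutoSize
# Invoke-SyncAndCheck -PolicyType Delta
```

A CloudOnlyObject result is the benign case the Soft Match rules exist for; an InvalidSoftMatch result tells you which on-premises object the cloud object is actually anchored to, which is the value to compare before deleting or re-anchoring anything.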

General purpose built-in tools

The directory synchronization installation creates various files under the C:\Program Files\Windows Azure Active Directory Sync folder. The two most important files are ConfigWizard and DirSyncSetup.Log. ConfigWizard allows you to reconfigure the AD synchronization settings. For any synchronization-related errors that might have occurred during the initial or delta synchronization, check the DirSyncSetup.Log file.

Twelve Windows 10 GPOs IT must know about

Microsoft provides an extensive set of Group Policy Objects for managing Windows 10 computers. Only a handful — 12 to be exact — are specific to Windows 10 Enterprise.

Even so, those 12 Windows 10 GPOs can go a long way in IT’s quest to control users’ desktops. The group policies allow IT to enable Windows Spotlight, prevent the lock screen from displaying, manage the Start layout and more.

The administrative template files (ADMX), which are where the group policies live, are made up of structured Extensible Markup Language (XML) that provides a language-neutral reference to each policy. The files work in conjunction with language-specific resource files (ADML) that provide the actual display name and help descriptions for those policies.

A quick introduction to the ADMX file

Each ADMX file includes a set of related policies that corresponds to a policy path within the Group Policy structure. For example, the CloudContent.admx file includes the policy Configure Windows spotlight on lock screen. If IT pros use the Group Policy Editor on a Windows 10 machine to view the local group policies, they would find the policy at the following path:

User Configuration > Administrative Templates > Windows Components > Cloud Content

User Configuration indicates the scope of the policy, which, in this case, is User. If the scope were Machine, the first element would read Computer Configuration. A policy can be available at the User scope, Machine scope or both.


Administrative Templates is common to all policies in the ADMX files. As a result of this structure, the Computer Configuration node and the User Configuration node are both in the Group Policy Editor, with each node containing the Administrative Templates subnode.

The remaining elements in the policy path are specific to the policies within a particular ADMX file. In this case, the elements Windows Components > Cloud Content correspond to the CloudContent.admx file, which includes the Configure Windows spotlight on lock screen policy, along with other policies.

Each policy has a friendly display name and a formal reference name. Configure Windows spotlight on lock screen is the display name in this example. The reference name is ConfigureWindowsSpotlight. The ADMX and ADML files use the reference names to sync with one another. The display name appears only in the applicable ADML file and is the name that shows up within the local Group Policy Editor in Windows.
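The relationship between the two files described above (reference names in the ADMX, display strings in the ADML, policy paths built from the category chain) is easy to see by parsing them. The following is an added example, not part of the article: a small PowerShell parser that takes an ADMX and its ADML, resolves each $(string.id) reference, and prints the display name, reference name, scope and policy path in the form the article uses. The two sample documents are constructed for the example and are not the real CloudContent files; the registry key in the sample is a placeholder.

```powershell
# Added example, not from the original article. Parses an ADMX/ADML pair and
# reports policies the way the Group Policy Editor presents them.
function Get-AdmxPolicySummary {
    param([Parameter(Mandatory)][xml]$Admx, [Parameter(Mandatory)][xml]$Adml)

    # ADML stringTable: id -> display text
    $strings = @{}
    foreach ($s in $Adml.policyDefinitionResources.resources.stringTable.string) {
        $strings[$s.id] = $s.'#text'
    }
    function Resolve-Ref([string]$ref) {
        # "$(string.X)" references resolve through the ADML; anything else is literal
        if ($ref -match '^\$\(string\.(.+)\)$') { $strings[$Matches[1]] } else { $ref }
    }
    # ADMX categories: name -> display name and parent reference
    $cats = @{}
    foreach ($c in $Admx.policyDefinitions.categories.category) {
        $cats[$c.name] = @{ Display = (Resolve-Ref $c.displayName); Parent = $c.parentCategory.ref }
    }
    function Get-CategoryPath([string]$ref) {
        # Walk parentCategory references upward while they are defined in this file;
        # a prefixed ref such as windows:WindowsComponents lives in another ADMX (Windows.admx)
        $parts = @()
        while ($ref) {
            $local = $ref -replace '^.*:', ''
            if ($cats.ContainsKey($local)) {
                $parts = @($cats[$local].Display) + $parts
                $ref = $cats[$local].Parent
            } else {
                $parts = @($ref) + $parts
                $ref = $null
            }
        }
        $parts -join ' > '
    }
    foreach ($p in $Admx.policyDefinitions.policies.policy) {
        $scope = switch ($p.class) {
            'User'    { 'User' }
            'Machine' { 'Machine' }
            default   { 'User and Machine' }   # class="Both"
        }
        $root = switch ($p.class) {
            'User'    { 'User Configuration' }
            'Machine' { 'Computer Configuration' }
            default   { '[scope]' }
        }
        [pscustomobject]@{
            DisplayName   = Resolve-Ref $p.displayName
            ReferenceName = $p.name
            Scope         = $scope
            PolicyPath    = "$root > Administrative Templates > $(Get-CategoryPath $p.parentCategory.ref)"
            RegistryKey   = $p.key
            ValueName     = $p.valueName
        }
    }
}

# Constructed sample ADMX (not the real CloudContent.admx; registry key is a placeholder)
[xml]$sampleAdmx = @'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <categories>
    <category name="CloudContent" displayName="$(string.CloudContent)">
      <parentCategory ref="windows:WindowsComponents" />
    </category>
  </categories>
  <policies>
    <policy name="ConfigureWindowsSpotlight" class="User" displayName="$(string.ConfigureWindowsSpotlight)"
            key="Software\Policies\PLACEHOLDER" valueName="ConfigureWindowsSpotlight">
      <parentCategory ref="CloudContent" />
    </policy>
    <policy name="DisableWindowsConsumerFeatures" class="Machine" displayName="$(string.DisableWindowsConsumerFeatures)"
            key="Software\Policies\PLACEHOLDER" valueName="DisableWindowsConsumerFeatures">
      <parentCategory ref="CloudContent" />
    </policy>
  </policies>
</policyDefinitions>
'@
# Constructed sample ADML with the display names used in the article
[xml]$sampleAdml = @'
<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <resources>
    <stringTable>
      <string id="CloudContent">Cloud Content</string>
      <string id="ConfigureWindowsSpotlight">Configure Windows spotlight on lock screen</string>
      <string id="DisableWindowsConsumerFeatures">Turn off Microsoft consumer experiences</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

Get-AdmxPolicySummary -Admx $sampleAdmx -Adml $sampleAdml | Format-List
# Against the local policy store (default ADMX location on a Windows machine):
# Get-AdmxPolicySummary -Admx (Get-Content "$env:windir\PolicyDefinitions\CloudContent.admx" -Raw) `
#                       -Adml (Get-Content "$env:windir\PolicyDefinitions\en-US\CloudContent.adml" -Raw)
```

Because the sample category's parent is defined in Windows.admx rather than in the file being parsed, the path for the sample comes out as "User Configuration > Administrative Templates > windows:WindowsComponents > Cloud Content"; loading Windows.admx into the same category table would resolve that last reference to the "Windows Components" display name.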

The following sections give an overview of the Group Policy settings specific to Windows 10 Enterprise, organized by the ADMX files they belong to.

CloudContent.admx template file

Policy path: [scope] > Administrative Templates > Windows Components > Cloud Content

The CloudContent.admx file contains several policies related primarily to Windows Spotlight, an option for displaying different background images on the lock screen and for automatically displaying suggestions about Windows 10 features. A few of them are Windows 10 GPOs exclusively.

Configure Windows spotlight on lock screen
Reference name: ConfigureWindowsSpotlight
Scope: User

Implements Windows Spotlight on the lock screen and prevents users from modifying the lock screen. IT can also set up the lock screen to display internal communications.

Turn off all Windows Spotlight features
Reference name: DisableWindowsSpotlightFeatures
Scope: User

Turns off Windows Spotlight on the lock screen. It also turns off Microsoft consumer features, Windows tips and other related features.

Turn off Microsoft consumer experiences
Reference name: DisableWindowsConsumerFeatures
Scope: Machine

Prevents users from receiving notifications about their Microsoft accounts or personalized recommendations from Microsoft.

Do not show Windows Tips
Reference name: DisableSoftLanding
Scope: Machine

Prevents users from receiving Windows tips, which are contextual pop-up messages explaining how to use Windows.

ControlPanelDisplay.admx template file

Policy path: [scope] > Administrative Templates > Control Panel > Personalization

The ControlPanelDisplay.admx file contains a number of policies for managing personalization settings on the desktop.

Do not display the lock screen
Reference name: CPL_Personalization_NoLockScreen
Scope: Machine

Allows users to see their selected tiles after locking their PCs, rather than seeing the lock screen. This policy only applies to users who do not have to press CTRL+ALT+DEL when they log on.

Force a specific default lock screen and logon image
Reference name: CPL_Personalization_ForceDefaultLockScreen
Scope: Machine

IT can specify the default image users see on their lock and logon screens. When configuring this policy, IT must provide the fully qualified path and file name for the image.

Logon.admx template file

Policy path: [scope] > Administrative Templates > System > Logon

The Logon.admx file contains a number of policies specific to users starting up and logging onto their systems. Although none of these are Windows 10 GPOs only, there is an important issue IT should be aware of related to the policy Turn off app notifications on the lock screen.

If IT enables this policy and also enables the local security policy Do not require CTRL+ALT+DEL — in the Windows Settings node — Windows automatically disables lock screen apps. As a result, IT cannot configure assigned access on the device, which limits users to interacting with only one application, something IT might want to do when setting up a device in kiosk mode.

Turn off app notifications on the lock screen
Reference name: DisableLockScreenAppNotifications
Scope: Machine

Prevents applications from appearing on the lock screen. Otherwise, users can choose which notifications appear on the lock screen.

Do not require CTRL+ALT+DEL
Policy path: Computer Configuration > Windows Settings > Local Policies > Security Options
Scope: Machine

The policy is not part of the Logon.admx template file. That said, if IT enables it, the user is not required to press CTRL+ALT+DEL when logging on. This policy is disabled by default on domain-controlled computers.

Search.admx template file

Policy path: [scope] > Administrative Templates > Windows Components > Search

The policies in the Search.admx file let IT control search-related features on users’ desktops.

Don’t search the web or display web results
Reference name: DoNotUseWebResults
Scope: Machine

Prevents Search from querying the web and prevents Search from displaying web results.

StartMenu.admx template file

Policy path: [scope] > Administrative Templates > Start Menu and Taskbar

The StartMenu.admx file includes a wide range of policies related to the Start menu, only one of which applies exclusively to Windows 10 Enterprise.

Start layout
Reference name: LockedStartLayout
Scope: User and Machine

IT can specify the Start layout for managed devices and prevent users from modifying the Start configuration. IT must first generate the XML files necessary to store the Start layout configuration.

WindowsStore.admx template file

Policy path: [scope] > Administrative Templates > Windows Components > Store

The WindowsStore.admx file includes several policies related to the Windows Store application and application updates.

Turn off the Store application
Reference name: RemoveWindowsStore
Scope: User and Machine

Prevents users from accessing the Windows Store application. Access to the Windows Store application is required to install application updates.

Only display the private store within the Windows Store app
Reference name: RequirePrivateStoreOnly
Scope: User and Machine

This policy prevents users from viewing the retail catalog in the Windows Store app. It does not affect users’ ability to view apps in a private store.
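Knowing the display names is most useful when you can find out which GPOs in the domain actually set them. The following is an added example, not part of the article: it uses the GroupPolicy module's Get-GPOReport XML output to list every Administrative Template policy each GPO configures and filters the result to the Windows 10 display names given above. It assumes the RSAT GroupPolicy module and read access to all GPOs. The constructed sample report at the end lets the parsing function run without a domain; the namespace URI in it is made up for the sample, which is why the XPath uses local-name() rather than prefixes.

```powershell
# Added example, not from the original article. Assumes the GroupPolicy module.
$Windows10PolicyNames = @(
    'Configure Windows spotlight on lock screen'
    'Turn off all Windows Spotlight features'
    'Turn off Microsoft consumer experiences'
    'Do not show Windows Tips'
    'Do not display the lock screen'
    'Force a specific default lock screen and logon image'
    'Turn off app notifications on the lock screen'
    "Don't search the web or display web results"
    'Start layout'
    'Turn off the Store application'
    'Only display the private store within the Windows Store app'
)

function Get-AdmPolicySettings {
    # Return every Administrative Template policy configured in one GPO report,
    # with the node (Computer or User) it sits under. local-name() sidesteps the
    # per-extension XML namespaces Get-GPOReport emits.
    param([Parameter(Mandatory)][xml]$Report, [string]$GpoName)
    foreach ($scope in 'Computer', 'User') {
        $node = $Report.SelectSingleNode("/*[local-name()='GPO']/*[local-name()='$scope']")
        if (-not $node) { continue }
        foreach ($p in $node.SelectNodes(".//*[local-name()='Policy']")) {
            [pscustomobject]@{
                GPO   = $GpoName
                Scope = $scope
                Name  = $p.SelectSingleNode("*[local-name()='Name']").InnerText
                State = $p.SelectSingleNode("*[local-name()='State']").InnerText
            }
        }
    }
}

function Find-Windows10GpoSettings {
    # Walk all GPOs in the domain and keep only the Windows 10 policies above.
    [CmdletBinding()]
    param([string[]]$PolicyName = $Windows10PolicyNames)
    Import-Module GroupPolicy
    foreach ($gpo in Get-GPO -All) {
        $xml = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        Get-AdmPolicySettings -Report $xml -GpoName $gpo.DisplayName |
            Where-Object { $PolicyName -contains $_.Name }
    }
}

# Constructed sample report (shape follows Get-GPOReport; namespace URI is made up)
[xml]$sampleReport = @'
<GPO xmlns="http://example.invalid/constructed/gpo-report">
  <Name>Constructed sample GPO</Name>
  <Computer>
    <ExtensionData>
      <Extension xmlns:q1="http://example.invalid/constructed/registry">
        <q1:Policy><q1:Name>Do not show Windows Tips</q1:Name><q1:State>Enabled</q1:State></q1:Policy>
      </Extension>
    </ExtensionData>
  </Computer>
  <User>
    <ExtensionData>
      <Extension xmlns:q1="http://example.invalid/constructed/registry">
        <q1:Policy><q1:Name>Configure Windows spotlight on lock screen</q1:Name><q1:State>Enabled</q1:State></q1:Policy>
      </Extension>
    </ExtensionData>
  </User>
</GPO>
'@

Get-AdmPolicySettings -Report $sampleReport -GpoName 'Constructed sample GPO' |
    Where-Object { $Windows10PolicyNames -contains $_.Name } | Format-Table -AutoSize
# In a domain:
# Find-Windows10GpoSettings | Sort-Object Name, GPO | Format-Table -AutoSize
```

Running the domain-wide version before changing any of these settings shows where a policy is already configured, which avoids creating a second GPO that conflicts with an existing one higher in the link order.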


How to use Azure Active Directory differently than classic AD

it leaves a lot behind, Azure Active Directory gives administrators ways to extend AD into cloud resources and achieve critical connections, such as application federation, once they know how to use it.

Most Windows administrators use classic AD to manage users, profiles, Group Policy Objects and other relationships. Bandwidth and interoperability are rarely an issue on premises. The cloud is a whole different proposition. Servers and services in the cloud have different needs and requirements than in-house deployments. Azure Active Directory extends classic AD into the cloud environment, rather than replacing AD with a cloud version. Active Directory has a treelike structure of organization, but Azure AD is essentially a flat exported version.

Azure Active Directory vs. on-premises AD

The public cloud is as device-agnostic as possible, which means it isn’t designed to look after computers and Group Policy Objects. Azure doesn’t need the heavy feature set of on-premises AD; it requires only that authenticated user accounts, groups and security information carry forward into the cloud. This is where administrators use Azure Active Directory.

Azure Active Directory is a web-based system that manages and authenticates users against web services. It works with web-hosted, custom-built applications, as well as integrated third-party web services and applications. Microsoft’s term for this list is the portfolio. Look for ways to use Azure Active Directory as an easily managed, extensible identity services front end to web services, platform-as-a-service offerings and other products.

Figure 1. The management console for Azure Active Directory shows components for administrators to control.

Azure Active Directory can also manage identity and application provisioning on Windows devices: The enterprise Windows 10 systems have a configuration option for on premises or Azure Active Directory. Don’t expect it to apply Group Policy Objects, however.

Azure Active Directory even has its own PowerShell extensions to manage and configure users.

How to use Azure Active Directory in an enterprise

Azure Active Directory’s setup suits companies with BYOD programs. Azure Active Directory connects Microsoft- and Android-based user devices, as a truly web-first affair. Once authenticated, the user can consume applications from the Azure system portfolio as dictated by the administrator. As the Azure Active Directory framework grows, its portfolio supports more applications. While end users download and consume apps easily, administrators retain a certain amount of control over local system configuration regarding apps.

Administrators can control the application sign-in for a web service from the portfolio. They can let the user specify username and password, choose to store preconfigured values or use federated services, such as Active Directory Federation Services (ADFS). Azure Active Directory passes these settings down upon app install.

Administrators can set up and release an application for users via a wizard interface in Azure Active Directory. They specify groups or individual users and can add users from other Azure Active Directory-enabled companies. In large environments, administrators commonly add these users so that Azure domains can authenticate with each other via ADFS without divulging any secrets. Multifactor authentication is also available on Azure Active Directory.

Administrators should take advantage of the in-app authentication feature. This enables you to validate Office 365 license statuses and management, authenticate users seamlessly to OneDrive and SharePoint and set up other pathways.

Use Azure Active Directory with Azure Active Directory Connect, a Microsoft tool that ties on premises to cloud. It helps prevent pesky authentication prompts or nasty hacks around them. An organization installs Azure AD Connect on the on-premises AD controller to extend authentication across both private and public cloud.

Administrators with a simple Active Directory setup, with a single domain and forest, will find it easy to extend into Azure.
