Expired AD accounts remains active in Azure AD

azure

In a hybrid environment where an AAD Connect is configured to sync the onprem/classic Active directory and its users to Azure Active Directory, the expire date property in AD is not synced.
This in itself is not that big of a deal, but the fact that an expired user in AD, that is blocked for use and login onprem, is fine to use in the cloud environment. It can be used in Office 365, in Azure, in other connected Cloud services/SaaS applications out there.

Expired8

This is a fact, and it not good that a user that is considered to be deactivated, is still able to access an organizations services in the cloud. The example is an external consultant that in a project has a limited time on the AD Account, and in a onprem environment, an expired account = a blocked account.
With AAD Connect and a hybrid AD setup, this is untrue…

How to fix this? There are many solutions available if you have a look out there, good and bad, there are ways to configure AAD Connect to sync the expiry date and then build something to handle it in the Azure AD environment.
I will here suggest the simplest solution to a complicated problem…

Solution:
The ‘Enabled’ property of a user account is one of the properties that are always synced to Azure AD. This is on an active account set to TRUE. Setting the enabled property to FALSE disables the account. You can verify this in AD Users & Computers and see that the Account disabled is checked. So, using this disables the account in AD, is synched to Azure AD, and causes the account to be disabled in Azure AD as well, good!

In order to set Enabled to FALSE when the Expire date has passed, we need something to do it for us.
The below PowerShell script does this, it filters all users on only those which are still active AND has a passed expire date. (Add more or other filters as appropriate)
Schedule this script to run once a day and you will solve the problem.
In addition to just solving the problem, the script will do some logging for you, so that you can see which users are actually disabled by this script and which have some other reason.

$LogPath = 'C:\Scripts\DisableExpiredAccounts'
$Now = Get-date

function LogToFile ($LogPath, $LogText){
if(-not (Test-Path $LogPath)){
New-Item -ItemType Directory -Force -Path $LogPath
}
(Get-Date -Format "yyyy-MM-dd HH:mm").ToString() + " | " + $LogText | Out-File $LogPath\ExpiredUserLog.txt -Append -force
}

$AllUsers = Get-ADUser -filter {Enabled -eq $True -and accountExpirationDate -lt $Now} -Properties *

If ($AllUsers.count -gt 0){
LogToFile $LogPath ("Number of expired users found: "+ $AllUsers.Count)
}

foreach($user in $AllUsers){
$UserExpiryDate = (Get-Date ($User.accountExpirationDate) -Format "yyyy-MM-dd HH:mm").ToString()
try{
#Disable the account
Disable-ADAccount $User.SAMAccountName
LogToFile $LogPath ("Expired on: " + $UserExpiryDate + " | Disabled: " + $User.UserPrincipalName + " - " + $User.DisplayName)
}
catch{
# If disable failed, log
$ThisError = $Error[0]
LogToFile $LogPath ("Failed on: " + $UserExpiryDate + " | User: " + $User.UserPrincipalName + " - " + $User.DisplayName + " - - - ERROR!")
LogToFile $LogPath ("Error message:" + $ThisError)

}
}

Done!
Now, as this has to run on a regular basis, and we don’t want to add any additional infrastructure to our onprem environment (Even if its in Azure), I recommend putting it on the actual AAD Connect VM.
Put the script in any folder suitable (ex. c:\scripts\) as DisableExpiredAccounts.ps1
Open Task Scheduler on the server
Add a new task

Expired0

Call it something descriptive (DisableExpiredAccounts)
Add a ‘run as’ service account (with permissions to read AD and change user properties)

Expired1
Add a trigger, scheduled to run once every day at 7:00 AM

Expired2

Expired3
Add an action, run the program PowerShell.exe, add the argument ‘C:\Scripts\DisableExpiredAccounts.ps1’

Expired4

Expired5
Make sure it is enabled, and save the task.
Test run it to make sure it works.

Expired6

The log will show you if there were any changes made.

Expired7

Done!

Follow this up and verify that the user gets disabled in your Azure AD as well, just to make sure.

References:

https://docs.microsoft.com/en-us/powershell/module/activedirectory/disable-adaccount?view=windowsserver2019-ps

https://myserverissick.com/2019/01/how-to-make-azure-ad-connect-disable-expired-accounts/

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/31459621-sync-account-expired-useraccountcontrol-to-azure

___________________________________________________________________________________________________

Enjoy!

Regards

Thomas Odell Balkeståhl on LinkedIn

One Bastion to access them all (All peered vNets)

azure

Until now, Azure Bastion has been restricted to use within the one vNet where it is connected.
It could not work across vNet peerings or vNets connected to Virtual VAN’s.
If you wanted to use Bastion, you needed to create separate Bastions per vNet. Bastion with regular use comes with a cost of approximately $120/Bastion and Month, $1500/Bastion/Year. (10 vNets = $15.000)
This have now changed. Now, $1500/customer/year is enough (Well worth it!). (10 vNets = $1.500)

Bastion can now work across vNet peering!
https://docs.microsoft.com/en-us/azure/bastion/vnet-peering

Note.
If you have a virtual VAN and your vNets are connected this way, you can add peering in a hub & spoke modell to the vNet where your Bastion is located, this will allow you to use Bastion anyway without disturbing the Virtual VAN functionality.

All you have to do, is create a 2 way peering between the vNet with a Bastion, and the second vNet, and Bastion will show up in the portals ‘Connect’ dialogue.

Bastion2

Bastion1

References

https://docs.microsoft.com/en-us/azure/bastion/vnet-peering

___________________________________________________________________________________________________

Enjoy!

Regards

Thomas Odell Balkeståhl on LinkedIn

Use PowerShell to clear out all local admin accounts

azure

In a true scenario, we got from a pentest report, that to many of our servers had local active accounts that were local administrators. To mitigate this, we planned to do the following:

Delete all accounts except the default administrator (Disable default on 2016)
Rename the default to a different name
Set a new ‘impossible’ password that nobody knows (45chrs)
Leave as-is domain users in the local administrators group

Simple enough if done on one server, via the Windows GUI…but given the circumstanses, having about 100 Windows servers, we decided to do it using PowerShell and to run the script from the Azure portals ‘Run command’ feature (Recommended). Both can however also be used locally on the servers.
What differs in the two versions are, if the servers are running 2016 or later, or 2012R2 or earlier. We had both so we needed two scripts.
(Apologies for the bad formatting in this blog-template)

Windows Server 2016 and later:

# Delete all local admin but default, rename it to Osadmin and reset pwd to 45 chrs random string
$NewAdminName = "OSAdmin" 
$Admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object ObjectClass, Name, PrincipalSource | Where-Object {$_.PrincipalSource -eq "Local"} | Select-Object Name
$DefaultAdmin = (Get-WmiObject Win32_UserAccount -filter "LocalAccount=True" | ? {$_.SID -like "S-1-5-21-*-500"}).Name
foreach($Admin in $Admins) {
  $UserName = ($Admin.Name).ToString().split("\")[1]
  Disable-LocalUser $UserName
  If ($UserName -ne $DefaultAdmin) {
    Remove-LocalUser $UserName
    Write-Host "Removed Admin: $UserName"
  }
  else {
    $Random = ConvertTo-SecureString ((1..45 | ForEach-Object   {('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+')[(Get-Random -Maximum ('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+').length)]}) -join "") -AsPlainText -Force
    Set-LocalUser -Name $DefaultAdmin -Password $Random
    Write-Host "Default Admin password reset to 45 chrs long random string"
    if ($DefaultAdmin -ne $NewAdminName){
      Rename-LocalUser -Name $DefaultAdmin -NewName $NewAdminName
      Write-Host "Renamed default Admin: $UserName to $NewAdminName"
    }
  }
}
Write-host "Done - Server secured :-)"

– – – – – – – – – – – – – – – – – – – –

Pre Windows Server 2016:

# Delete all local admin but default, rename it to Osadmin and reset pwd to 45 chrs random string
$NewAdminName = "OSAdmin" 
$LocalAdmins = (get-wmiobject -ComputerName $Env:Computername win32_group -filter "name='Administrators' AND LocalAccount='True'").GetRelated("win32_useraccount")
foreach ($LocalUser in $LocalAdmins){
  $UserName = $LocalUser.Name
  $UserSID = $LocalUser.SID
  $userDomain = $LocalUser.Domain
  if ($LocalUser.Domain -eq $Env:Computername)
  {
    If ($userSID -like "S-1-5-21-*-500"){
      Write-Host "OK Default: $userName $userDomain" -ForegroundColor Green
      If ($UserName -ne $NewAdminName){
        $LocalUser.Rename($NewAdminName)
      }
      $Random = (1..45 | ForEach-Object {('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+')[(Get-Random -Maximum ('abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!"§$%&/()=?}][{@#*+').length)]}) -join ""
      [adsi]$User = "WinNT://./$NewAdminName,user"
      $User.SetPassword($Random)
      $User.SetInfo()
    }
    else {Write-Host "DELETE: $userName $userDomain" -ForegroundColor Red
    [ADSI]$server = "WinNT://$Env:computername"
    $server.delete("user",$UserName)
  }
}
else {Write-Host "OK Domain: $userName $userDomain" -ForegroundColor Green}
}

Happy PowerShell scripting!

References
Not this one

___________________________________________________________________________________________________

Enjoy!

Regards

Thomas Odell Balkeståhl on LinkedIn

Use PowerShell to Add ACL, permission or Role assignment on all objects in all subscriptions

azure

The following script is made for those of you who has many subscriptions, or many objects, and you want to do something with them…
In my case, I needed to add the DBA’s AAD Group as Reader to all the disks of the SQL Server VM’s. Migrated servers, 6 disks each…you do not want to do that manually in the portal…

Run it a PowerShell tool of choice, prompt from script, ISE, VS Code or in CloudShell.
! However, there is a verified bug in a Az module used by New-AzRoleAssignment, tested and verified to work in CloudShell with Az module az.resources 2.5.1

Get-AzDisk can be replaced with Get-AzXXX to get any type of object you need.
New-AzRoleAssignment can be replaced with just about anything you want to do to the objects.

# Adds a Role assignment(ACL/RBAC) on all disks in all subscriptions based on strings in disks names
# In this example, the AAD Group ‘AAD-Group’ is added as Reader on all disks in all subscriptions, where the disks name contains the keywords: VM1, VM2 or SQL1

$Group = Get-AzADGroup -SearchString “AAD-Group”

$MySubs = Get-AzSubscription

Foreach ($Sub in $MySubs){

Write-host $Sub.name

Select-AzSubscription $sub.Name

$Disks = Get-AzDisk | Where-Object { $_.Name -match ‘VM1’ -or $_.Name -match ‘VM2’ -or $_.Name -match ‘SQL1’}

ForEach ($Disk in $Disks){

Write-Host $Disk.name

# Reader, Contributor, Owner, etc.

New-AzRoleAssignment -ObjectId $Group.Id -RoleDefinitionName ‘Reader’ -ResourceName $Disk.Name -ResourceGroupName $Disk.ResourceGroupName -ResourceType $Disk.Type

}

– – – – – – – – – – – – – – – – – – – –

# Adds a Role assignment(ACL/RBAC) on all recovery vaults in all subscriptions

# In this example, the AAD Group ‘AAD-Group’ is added as Reader on all Recovery vaults in all subscriptions.

$Group = Get-AzADGroup -SearchString “AAD-Group”

$MySUbs = Get-AzSubscription # Get-AzSubscription

#Write-Output $MySubs

Foreach ($Sub in $MySubs){

Write-host $Sub.name

Select-AzSubscription $sub.Name

$Vaults = Get-AzRecoveryServicesVault

ForEach ($Vault in $Vaults){

Write-Host $Vault.name

# Reader, Contributor, Owner, etc.

New-AzRoleAssignment -ObjectId $Group.Id -RoleDefinitionName ‘Reader’ -ResourceName $Vault.Name -ResourceGroupName $Vault.ResourceGroupName -ResourceType $Vault.Type

}

Happy PowerShell scripting!

References
https://docs.microsoft.com/en-us/powershell/azure/install-az-ps

___________________________________________________________________________________________________

Enjoy!

Regards

Thomas Odell Balkeståhl on LinkedIn

Install the PowerShell Az module (even if AzureRM is installed)

azure

If you are having trouble getting from the ‘old’ AzureRM PowerShell commends to the ‘new’ Az…
The following script solves it for you, run it and you will end up having the ‘new’ Az module installed (New-AzVM etc.) and if you had a conflicting AzureRM installed, that is resolved for you, by itself!

Run it a PowerShell tool of choice, prompt from script, ISE or VS Code. But run the tool as Administrator, the operation requires elevated mode.

# This script needs to be run in an elevated PowerShell, prompt, ISE or VSCode
# Written by Thomas Odell Balkeståhl - www.candelit.se

Write-Host "Starting AZ Module installer" -ForegroundColor Green

if ((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
{
Write-host "Running in elevated mode - Ok'" -ForegroundColor Green
if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-InstalledModule -ErrorAction Ignore -WarningAction Ignore -Name 'azureRM'))

{

Write-Warning -Message ('AzureRM module is installed. Having both the AzureRM and ' +

'Az modules installed at the same time is not supported.')

Write-host "Would you like to uninstall the AzureRM module now? (Default is Yes)" -ForegroundColor Yellow

$Readhost = Read-Host " ( y / n ) "

Switch ($ReadHost)

{

Y {Write-host "Yes, Uninstalling AzureRM"; $UninstallSetting=$true}

N {Write-Host "No, Skip uninstall..."; $UninstallSetting=$false}

Default {Write-Host "Default, Uninstalling AzureRM"; $UninstallSetting=$true}

}

If ($UninstallSetting){

Uninstall-Module AzureRM -Force

Write-Host "AzureRM module uninstalled"

Write-Host "Next, Installing Az Module"

try {

Install-Module -Name Az -AllowClobber -SkipPublisherCheck

Get-InstalledModule -Name Az -AllVersions

Write-Host "Az Module installed!" -ForegroundColor Green

}

catch {

Write-Host "Something went wrong, try running the command 'Install-Module -Name Az -AllowClobber' manually to see what went wrong" -ForegroundColor Yellow

}

}




}

else {

if (!(Get-InstalledModule -Name Az -AllVersions -ErrorAction Ignore)){

Write-Host "Az Module missing, Installing"

try {

Install-Module -Name Az -AllowClobber -SkipPublisherCheck

Get-InstalledModule -Name Az -AllVersions

Write-Host "Az Module installed!" -ForegroundColor Green

}

catch {

Write-Host "Something went wrong, try running the command 'Install-Module -Name Az -AllowClobber' manually to see what went wrong" -ForegroundColor Yellow

}

}

else {

Get-InstalledModule -Name Az -AllVersions

Write-Host "Az Module is installed" -ForegroundColor Green

}

}
}
else{
Write-host "You have to run the script in elevated mode - 'run as admin'" -ForegroundColor Yellow
}

Happy PowerShell scripting!

References
https://docs.microsoft.com/en-us/powershell/azure/install-az-ps

___________________________________________________________________________________________________

Enjoy!

Regards

Thomas Odell Balkeståhl on LinkedIn

Office 365 guide series – Function to resolve a users OneDrive for Business URL

SP2013logo

Hi SharePoint Online PowerShellers!

This time I will give you a Quick but great function to use if you are working with OneDrive for Business:

Function to resolve a users OneDrive for Business URL

‘

Simple solution, great to have, unbelievably efficient…

Ok, this is perhaps my shortest post ever…I’ll just explain real Quick.
OneDrive for Business gets it URL from the tenantname and the users UserPrincipalName. Creating this every time can be troublesome…
This is what I use, a function I created last summer when I was tired of doing them one at the time…

It works even with users that have a different domain in the UPN than what is the tenant name.
This is it:

Function GetODfBURL($UserPrincipalName, $TenantName)
# Creates a correct ODfB URL from email and TenantName/OrgName, returns URL as a String
{
    # ConStructing OneDrive personal URL from the UPN/Email address
    $StrUser = $UserPrincipalName
    $pos= $StrUser.IndexOf("@")
    $len = $StrUser.Length -1
    $StrUser = $StrUser.SubString(0, $pos)
    $StrUser = $StrUser -replace "\.", "_"
    $Orgpos = $pos + 1
    $Orglen = $len - $pos
    $StrOrg = $UserPrincipalName.SubString($Orgpos, $Orglen)
    $StrOrgNamePos = $StrOrg.IndexOf(".")
    $StrOrgName = $StrOrg.SubString(0, $StrOrgNamePos)
    $StrOrgSuffixPos = $StrOrgNamePos +1
    $StrOrgNameLen = $StrOrg.Length - $StrOrgSuffixPos
    $StrOrgSuffix = $StrOrg.SubString($StrOrgSuffixPos, $StrOrgNameLen)
    $StrOrg = $StrOrg -replace "\.", "_"
    $PersonalOrgURL = "https://" + $TenantName + "-my.sharepoint.com/personal/"
    $SiteUrl= $PersonalOrgURL + $StrUser
    $SiteUrl= $SiteUrl+ "_" + $StrOrg
    return $SiteUrl
}
$ODfBURL = GetODfBURL "thomas.balkestahl@blksthl.se" "blksthl"

This will give the URL: https://blksthl-my.sharepoint.com/personal/thomas_balkestahl_blksthl_se

Thats it. Use it or not 🙂

References and Credits

‘
Nope, not this time…

Credits & many thanks to

To all of you.

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Office 365 guide series – Manage files and folders with PowerShell and CSOM

SP2013logo

How to manage files and folders with PowerShell and CSOM

‘

How can we manage these items…?

‘

This is a pure guide to using PowerShell to manage and manipulate files and folders, libraries and all document management related tasks in a SharePoint Online or OneDrive for Business environment.

The sections in this guide are:

– Prerequisites
– Load assemblies
– Load a CSOM Context
– Web
– List/Library
– GetFileByServerRelativeUrl and GetForlderByServerRelativeUrl
– Create a file from a local copy
– Create a folder from a local copy
– Set properties on a file
– Set properties on a folder
– ResolveUser (Function)
– GetItemProperties (Function)

‘

Prerequisites

Before beeing able to do much in SharePoint Online or OneDrive for Business, you have to start using CSOM, or Client Side Object Model, this allows us to do pretty much everything we could do before using regular PowerShell and the SharePoint CMD’lets from the SharePoint PowerShell add-on.
Install assemblies:
Download and install ther latest version of the SharePoint Server 2013 Client Components SDK, this can be downloaded from here: http://www.microsoft.com/en-us/download/details.aspx?id=35585
After the SDK and the CSOM assembly DLL’s are in place, make sure you load the assemblies before calling them.

Load assemblies

 Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.dll"
 Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

This will open up for usage of CSOM in PowerShell.

Load a context

$SPOUser = "administrator@blksthl.onmicrosoft.com"
# Uses a hardcoded password, use only during test/lab:
$SPOPassword = convertto-securestring "Password01" -asplaintext -force
# Better: $SPOPassword = Read-Host -Prompt "Please enter your password" -AsSecureString
$SPOODfBUrl = "https://blksthl.sharepoint.com/personal/jeffrey_lebowski_blksthl_com"
$Context = New-Object Microsoft.SharePoint.Client.ClientContext($SPOODfBUrl)
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($SPOUser,$SPOPassword)
$Context.RequestTimeout = 16384000
$Context.Credentials = $Credentials
$Context.ExecuteQuery()

Returns: $Context

Web

(Using $Context from the section on Context above)

$Web = $Context.Web
$Context.Load($Web)
$Context.ExecuteQuery()

Returns: $Web

List/Library

$SPODocLibName = "Documents"
$SPOList = $Web.Lists.GetByTitle($SPODocLibName)
$Context.Load($SPOList.RootFolder)
$Context.ExecuteQuery()

Returns: $SPOList

GetFileByServerRelativeUrl and GetForlderByServerRelativeUrl

In order to use the ‘Get…ByServerRelativeUrl’ methods you have to supply a relative path to the file or folder, this means a path starting from the FQDN.

Example 1
https://company.sharepoint.com/get/fileorfolder/by/relative/url
FQDN: https://company.sharepoint.com
ServerRelativeUrl: /get/fileorfolder/by/relative/url

Example 2
https://company-my.sharepoint.com/personal/firstname_lastname_company_com
FQDN: https://company-my.sharepoint.com
ServerRelativeUrl: /personal/firstname_lastname_company_com

Example file:

"/personal/jeffrey_lebowski_blksthl_com/documents/report1.xlsx"

Example folder:

 "/personal/jeffrey_lebowski_blksthl_com/documents/subfolder"

Create a file from a local copy

This can be accomplished in several ways, this is one:

1.
$LocalFile = Get-ChildItem -path "C:\Homedirs\jeff\report1.xlsx"
$FolderRelativeUrl = $SPOList.RootFolder.ServerRelativeUrl
$FileName = $LocalFile.Name
$FileUrl = $FolderRelativeUrl + "/" + $FileName
[Microsoft.SharePoint.Client.File]::SaveBinaryDirect($Web.Context, $fileUrl, $LocalFile.OpenRead(), $true)

Returns: New file created in SPO/ODfB

Create a folder from a local copy

$SPOFolder = $SPOList.RootFolder
$LocalFolder = Get-ChildItem -path "C:\Homedirs\jeff\" -Recurse -Include "folder1" 
$FolderName = $LocalFolder.Name
$NewFolder = $SPOFolder.Folders.Add($FolderName)
$Web.Context.Load($NewFolder)
$Web.Context.ExecuteQuery()

Returns: New folder created in SPO/ODfB

Set properties on a file

Input: $FileRelativeUrl, $SPOItemModifier, $SPOItemOwner, $ItemCreated, $ItemModified

$CurrentFile = $Context.web.GetFileByServerRelativeUrl($FileRelativeUrl)
$Context.Load($CurrentFile)
$Context.ExecuteQuery()
$ListItem = $CurrentFile.ListItemAllFields;
$ListItem["Editor"] = $SPOItemModifier; # Get object from ResolveUser
$Listitem["Author"] = $SPOItemOwner; # Get object from ResolveUser
$Listitem["Created"] = $ItemCreated;
$Listitem["Modified"] = $ItemModified;
$ListItem.Update()
$Context.Load($CurrentFile)
$Context.ExecuteQuery()

Returns: Folder stamped with new properties in SPO/ODfB

Set properties on a folder

Input: $FolderRelativeUrl, , $SPOItemModifier, $SPOItemOwner, $ItemCreated, $ItemModified

$CurrentFolder = $Context.web.GetFolderByServerRelativeUrl($FolderRelativeURL)
$Context.Load($CurrentFolder)
$Context.ExecuteQuery()
$SPOFolderItem = $CurrentFolder.ListItemAllFields;
$SPOItemOwner = ResolveUser $UserEmail # For ResolveUser see separate function described later in this post
$SPOFolderItem["Editor"] = $SPOItemModifier # Must be a userobject, see 'ResolveUser'
$SPOFolderItem["Author"] = $SPOItemOwner # Must be a userobject, see 'ResolveUser'
$SPOFolderItem["Created"] = $ItemCreated # In the format: "8/10/2013 7:04 PM", see 'GetItemProperties'
$SPOFolderItem["Modified"] = $ItemModified # In the format: "8/10/2013 7:04 PM", see 'GetItemProperties'
$SPOFolderItem.Update()
$Context.Load($CurrentFolder)
$Context.ExecuteQuery()

Returns: Folder stamped with new properties in SPO/ODfB

ResolveUser (Function)

Function ResolveUser ($InputUPN)
# Resolves a user to a userobject
{
    $OutputUserObject = $Web.Context.web.EnsureUser($InputUPN)
    $Web.Context.Load($OutputUserObject)
    $Web.Context.ExecuteQuery()
    Return $OutputUserObject
}

Returns: UserObject for $InputUPN (UserPrincipalName/Email)

GetItemProperties (Function)

Function GetItemProperties ($InFileObject)
# Gets basic properties to set on files and folders
{
    $Global:ItemCreated = $InFile.CreationTime
    $Global:ItemModified = $InFile.LastWriteTime
}

Returns: Global: Variables for ItemCreated and LastWriteTime of $InFileObject (File or Folder)

‘

Thats all for now, I hope that you let me know if there is anything that seems to be wrong or does not work. The problem with describing all this in a complete way, is that it is easy to leave something out and it is also difficult to test every aspect while writing. Time is limited for all of us…
Anyway, my goal was to write a post that covered what I was myself missing…I hope that this is it. And again, please let me know if there are any mistakes in here.

References and Credits

None at this time…

Credits & many thanks to

LabCenter – you guys always publish my articles!

My family, my parents, Ia and the kids!

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Office 365 guide series – Verify Provisioned OneDrives using PowerShell

SP2013logo

Hi SharePoint Online administrators!

This time I will show you how to:

Verify if a provisioned OneDrive for Business site was provisioned.

‘

Is this really right…? What did they…(Åminne bruk, Värnamo, Sweden)

If you followed my previous post, Office 365 guide series – Provision OneDrive for Business using PowerShell then you will mst likely have a bunch of sites that you Think you have provisioned and are not really sure if it worked?
There are obviously ways to verify manuelly but if the list of users was long, then that is not the funniest work out there…

I suggest you use this script instead…:-)

If you have a single emaildomains in your oranization use the first one, if you have multiple emaildomains, use the second.
All you have to do is copy or retype the script to a Prompt/ps1 or ISE session, then run the script. You have the option to save some time by entering your account name in the script(see start)

1. Script 1	Use this script if your organization only uses one domainname as email domain. For example, if you use only ‘contoso.com’ then you should use this script.
2. Script 2	Use this script if your organization only uses multiple domainnames as email domains. For example, if you use ‘contoso.com’, ‘microsoft.com’, northwindtraders.com’ as UPN names within your O365 tenant, then use this script. You will here be asked for the domain used in the O365 tenant address.
3. Example 1	Example of a usecase with multiple emaildomains and script 2.
4. Example 2	Example of a usecase with a single emaildomain and script 1.

Note: If you copy paste the code from here into a PowerShell promt or ISE, please verify that all quotes and doublequotes are copied correctly, character coding may cause problems.

‘

Single email domain in your oranization:

***** SCRIPT 1 STARTS HERE *****

#
# By Thomas Balkeståhl - http://blog.blksthl.com
#
$o365cred = Get-Credential -Username "thomas.balkestahl@cramo.onmicrosoft.com" -Message "Supply a Office365 Admin"
$Userlist = read-host "submit your list of users that have been provisioned"
$Userlist = $Userlist -replace " ", ""
$Emails = $userlist -split ","
#Splitting list into Array
Foreach($Email in $Emails)
{
    # Constructing URL from the UPN/Email address
    $struser = $Email
    $pos= $strUser.IndexOf("@")
    $len = $struser.Length -1
    $strUser = $strUser.SubString(0, $pos)
    $strUser = $strUser -replace "\.", "_"
    $orgpos = $pos + 1
    $orglen = $len - $pos
    $strOrg = $Email.SubString($orgpos, $orglen)
    $strOrgNamePos = $strOrg.IndexOf(".")
    $strOrgName = $strOrg.SubString(0, $strOrgNamePos)
    $strOrgSuffixPos = $strOrgNamePos +1
    $strOrgNameLen = $strOrg.Length - $strOrgSuffixPos
    $strOrgSuffix = $strOrg.SubString($strOrgSuffixPos, $strOrgNameLen)
    $strOrg = $strOrg -replace "\.", "_"
    $PersonalOrgURL = "https://" + $strOrgName + "-my.sharepoint.com/personal/"
    $SiteUrl= $PersonalOrgURL + $strUser
    $SiteUrl= $SiteUrl+ "_" + $strOrg
    write-host "Verifying user:" $Email
$HTTP_Request = [System.Net.WebRequest]::Create($SiteUrl)
$HTTP_Request.UseDefaultCredentials = $true
$HTTP_Request.Credentials = $o365cred
try {
    $HTTP_Response = $HTTP_Request.GetResponse()
}
catch [System.Net.WebException] {
    $HTTP_Response = $_.Exception.Response
}
$HTTP_Status = $HTTP_Response.StatusCode
If ($HTTP_Status -eq 200 -or $HTTP_Status -eq 403 )   { 
    Write-Host -ForegroundColor Green "Site for user $Email exists!" 
}
Else {
    Write-Host -ForegroundColor Yellow "The OneDrive site for user $Email does not respond, try again later or provision it again"
}
$HTTP_Request = $null
$HTTP_Response = $null
$HTTP_Status = $Null
}

***** SCRIPT 1 ENDS HERE *****

‘

If you have multiple email domain in your oranization, use this second script:
***** SCRIPT 2 STARTS HERE *****

#
# By Thomas Balkeståhl - http://blog.blksthl.com
#
$O365Admin = read-host "Supply your Office 365 Admin username(UPN)"
# Add you admin account below, uncomment and comment out the line above to save time...
# $O365Admin = "admin.user@domain.com"
$o365cred = Get-Credential -Username $O365Admin -Message "Supply a Office365 Admin"
$strO365OrgName = read-host "submit your O365 orgname (Only organization, like 'contoso')"
$Userlist = read-host "submit your list of users that have been provisioned"
$Userlist = $Userlist -replace " ", ""
$Emails = $userlist -split ","
#SPlitting list into Array
Foreach($Email in $Emails)
{
    # Constructing URL from the UPN/Email address
    $struser = $Email
    $pos= $strUser.IndexOf("@")
    $len = $struser.Length -1
    $strUser = $strUser.SubString(0, $pos)
    $strUser = $strUser -replace "\.", "_"
    $orgpos = $pos + 1
    $orglen = $len - $pos
    $strOrg = $Email.SubString($orgpos, $orglen)
    $strOrgNamePos = $strOrg.IndexOf(".")
    $strOrgName = $strOrg.SubString(0, $strOrgNamePos)
    $strOrgSuffixPos = $strOrgNamePos +1
    $strOrgNameLen = $strOrg.Length - $strOrgSuffixPos
    $strOrgSuffix = $strOrg.SubString($strOrgSuffixPos, $strOrgNameLen)
    $strOrg = $strOrg -replace "\.", "_"
    $PersonalOrgURL = "https://" + $strO365OrgName + "-my.sharepoint.com/personal/"
    $SiteUrl= $PersonalOrgURL + $strUser
    $SiteUrl= $SiteUrl+ "_" + $strOrg
    write-host "Verifying user:" $Email
$HTTP_Request = [System.Net.WebRequest]::Create($SiteUrl)
$HTTP_Request.UseDefaultCredentials = $true
$HTTP_Request.Credentials = $o365cred
try {
    $HTTP_Response = $HTTP_Request.GetResponse()
}
catch [System.Net.WebException] {
    $HTTP_Response = $_.Exception.Response
}
$HTTP_Status = $HTTP_Response.StatusCode
If ($HTTP_Status -eq 200 -or $HTTP_Status -eq 403 )   { 
    Write-Host -ForegroundColor Green "Site for user $Email exists!"
}
Else {
    Write-Host -ForegroundColor Yellow "The OneDrive site for user $Email does not respond, try again later or provision it again"
}
$HTTP_Request = $null
$HTTP_Response = $null
$HTTP_Status = $Null
}

***** SCRIPT 2 ENDS HERE *****

‘

Example 1

‘

Multiple emaildomains
O365 Orgname: contoso
Users: test.user1@contoso.com, test.user2@northwind.com, test.user3@contoso.com, test.user4@contoso.com, test.user5@contoso.com

Like you can see, the list contains users with different emaildomains, contoso and northwind. THe submitted O365 orgname is however used to verify the OneDrive site, contoso.
In this example, the user test.user@contoso.com does not seem to have the OneDrive site provisioned.

‘

‘

Example 2

‘

Single emaildomain
Users: test.user1@contoso.com, test.user2@contoso.com, test.user3@contoso.com, test.user4@contoso.com, test.user5@contoso.com

Like you can see, the list contains users with only contoso as emaildomain.
In this example, the user test.user2@contoso.com does not seem to have the OneDrive site provisioned. Try to provision again/verify manuelly.

‘

‘

References and Credits

Office 365 guide series – Provision OneDrive for Business using PowerShell
https://blog.blksthl.com/2014/08/07/office-365-guide-series-provision-onedrive-for-business-using-powershell/

Credits & many thanks to

‘

Jörgen Andersson, Xperta

Always, Mattias Gutke at CAG

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Office 365 guide series – Provision OneDrive for Business using PowerShell

SP2013logo

Hi SharePoint Online administrators!

This time I will show you how to:

Provision OneDrive for Business using only PowerShell.

‘

Get the people up there…into the Clouds…(Liseberg, Gothenburg, Sweden)

Time to roll out OneDrive for Business in the Enterprise? Or maybe you just want to implement OneDrive for Business in a controlled way, and you may not be a hardcore developer either.

If you want to do any kind of preparation before letting the users into their OneDrives, then you will need to have them created/provisioned first, after that you can go ahead and give yourself permission (separate blogpost) and migrate a users files (separate blogpost), preconfigure, brand, and so on.
I have in this guide tried to offer a way to provision the OneDrive for Business to your users in a way that do not require you to know C#, Visual Studio or any development at all, how does that sound? All you need to do is follow this guide to the letter, and you will be sucessfull.

The only way I have found so far to provision a users OneDrive for Business as a administrator is to use code developed by the Office AMS Community Project. This includes among other things, a great Visual Studio sample Project for provisioning users OneDrive for business, and this is really spot on. But…it is not that easy to get going, for a non-developer it may prove to be impossible.

I have used code developed in the samples but I will only use PowerShell to execute it. This is what will make it easy for others (such as you?) to use.
The Office AMS Project also includes the SharePoint client assemblies needed to do anything with SPO using CSOM, Client Side Object Model(Code executed on the client).

In order to get started provisioning your users OneDrive for Business sites(or we can just as well call them MySites, since this is wat they really are…), you just follow these steps:

‘

Quickguide
1. Download	Download and unpack the Office App Model Samples from Codeplex, last tested version is currently 2.0 found here: DOWNLOAD Office AMS.
2. Get assemblies	Locate the Microsoft.sharepoint.client assembles in the unpacked Office App Model Samples folders, located in <unpack location>\Office App Model Samples v2.0\Assemblies\16\ Copy the files Microsoft.SharePoint.Client.dll, Microsoft.SharePoint.Client.UserProfiles.dll and Microsoft.SharePoint.Client.Runtime.dll and put them in a folder of your choice, I used C:\Temp\ in my sample. (You can also leave the files as is, but then you have to alter the PowerShell code to reference the path in the Office AMS folders)
3. Run the script	In a PowerShell prompt/ISE running as admin, run the PowerShell script available below and‘HERE (Download as Word file), this will load the code needed to access SPO and start provisioning. (Verify and update if needed the $MyAssemblies line at the very bottom)
4. Execute	Execute the code in your PowerShell prompt/ISE running as admin (It has to be the same prompt/ISE used to execute the script), use this syntax: Syntax: [OneDriveforBusiness.Provision]::Execute(<SharePointAdminURL>,<GlobalTenantAdminAccount>,<AdminAccountPassword>,<ListofUsersEmailSeparatedbyCommas>)
5. Done – Verify…	Done! Verify that the sites have been provisioned by entering the address in your browser of choice.
References/Credits	Reference links and credits

The detailed Guide:

‘

1. Download

New!
Download the latest version of SharePoint Server 2013 Client Components SDK x86 or x64. This SDK contains the dll’s needed.
During the install, the dll’s will be added to the following path:
C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\

Download the latest version (Office App Model Samples 2.0 – July 2014 – Update 1) of the Office App Model Samples, the Project has been renamed to the more formal Office365 Developer Patterns & Practices but it is still the same.
The last tested version is currently 2.0 found here: DOWNLOAD Office AMS

Back to Menu
‘

2. Get the assemblies

‘

Unpack the files to a location of choice. (The files will ironically enough not synch very well if stored in a OneDrive for Business synchronized folder – long path among other issues).
Locate the ‘assemblies\16’ folder, in this folder you will find the 3 files we need, Microsoft.SharePoint.Client.dll, Microsoft.SharePoint.Client.UserProfiles.dll and Microsoft.SharePoint.Client.Runtime.dll. Either you put these Three files in a better location, or you make a note of the path to the folder.

Back to Menu
‘

3. Run the script

‘

Start a PowerShell prompt/ISE running as administrator. This is where all the magic will happen. Copy the powershell script below, or download the scriptfile HERE (Word file), then add the script to the Prompt/ISE.
Before executing the script, you will need to alter one thing, the path to the assembly files. Update the line where we give a value to the $MyAssemblies to reflect where you have your SharePoint.client dll files. This is crucial since the code needs to be able to access these asseblies during execution.

$MyAssemblies = (‘C:\Temp\Microsoft.SharePoint.Client.dll’,’C:\Temp\Microsoft.SharePoint.Client.Runtime.dll’,’C:\Temp\Microsoft.SharePoint.Client.UserProfiles.dll’,’System’,’System.Security’)

Unless you have stored your SharePoint.client.dll’s in C:\Temp folder, you will have to update the Three paths to reflect where the files are stored. Example:

$MyAssemblies = (‘C:\Users\Thomas\Documents\Office App Model Samples v2.0\Assemblies\16\Microsoft.SharePoint.Client.dll’,’C:\Users\Thomas\Documents\Office App Model Samples v2.0\Assemblies\16\Microsoft.SharePoint.Client.Runtime.dll’,’C:\Users\Thomas\Documents\Office App Model Samples v2.0\Assemblies\16\Microsoft.SharePoint.Client.UserProfiles.dll’,’System’,’System.Security’)

Once this is done, you can go ahead and execute the script.

‘HERE (Download as Word file)

# By Thomas Balkeståhl - blog.blksthl.com August 6 2014
#
# 1. Run script to load the C# code into the Assembly
# 2. Execute using the following syntax:
#
# Syntax:  [OneDriveforBusiness.Provision]::Execute(<SharePointAdminURL>,<GlobalTenantAdminAccount>,<AdminAccountPassword>,<ListofUsersEmailSeparatedbyCommas>)
# Example: PS C:\> [OneDriveforBusiness.Provision]::Execute("https://donkeymind-admin.sharepoint.com","globaladmin@donkeymind.com","MyVerySecretPassWord1!","user1@donkeymind.com,user2@donkeymind.com,user3@donkeymind.com")
# Input:            
# adminurl = The Tenanat Admin URL for your SharePoint Online Subscription, example: "https://donkeymind-admin.sharepoint.com".
# adminuser = The Credentials of the user who has tenant admin permission, example: "admin@donkeymind.com".
# password = The password in cleartext to your tenant admin account(I know, not ideal...but it was a quick and dirty to make it work).
# users = The email IDs for users who's personal site you want to create in the form of a comma-separated string, example: "user1@donkeymind.com,user2@donkeymind.com,user3@donkeymind.com". Do not enter more than 200 users at a time.
$MyCSharpSource = @" 
using Microsoft.SharePoint.Client;
using Microsoft.SharePoint.Client.UserProfiles;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Text;
using System.Threading.Tasks;
namespace OneDriveforBusiness
{
    public class ProvisionOneDrive
    {
        public static void Execute(string adminurl, string adminuser, string password, string users)
        {
        
            string siteUrl = adminurl;
            string userName = adminuser;
        
            SecureString pwd = GetPassword(password);
            string[] emailIds = GetEmailId(users);
            /* End Program if no Credentials */
            if (string.IsNullOrEmpty(userName) || (pwd == null) || emailIds == null || string.IsNullOrEmpty(siteUrl))
                return;
            SharePointOnlineCredentials _creds = new SharePointOnlineCredentials(userName, pwd);
            CreatePersonalSiteUsingCSOM(_creds, siteUrl, emailIds);
            Console.Read();
        }
        public static SecureString StringToSecure(string nonSecureString)
        {
            SecureString _secureString = new SecureString();
            foreach (char _c in nonSecureString)
                _secureString.AppendChar(_c);
            return _secureString;
        }
        // tenantAdminUrl = The Tenanat Admin URL for your SharePoint Online Subscription
        // spoCredentials = The Credentials of the user who has tenant admin permission.
        // emailIDs = The email IDs for users whos personal site you want to create.
        public static void CreatePersonalSiteUsingCSOM(SharePointOnlineCredentials spoCredentials, string tenantAdminUrl, string[] emailIDs)
        {
            using (ClientContext _context = new ClientContext(tenantAdminUrl))
            {
                try
                {       
                    _context.AuthenticationMode = ClientAuthenticationMode.Default;
                    _context.Credentials = spoCredentials;
                    ProfileLoader _profileLoader = ProfileLoader.GetProfileLoader(_context);
                    _profileLoader.CreatePersonalSiteEnqueueBulk(emailIDs);
                    _profileLoader.Context.ExecuteQuery();
                    Console.Write("Provisioning of the users supplied has been initiated, please allow for the provisioning to finish, this can take up to 5 minutes.");
                }
                catch (Exception _ex)
                {
                    Console.WriteLine(string.Format("Provisioning failed, find the problem and try again. The error message is {0}", _ex.Message));
                }
            }
        }
        
        public static SecureString GetPassword(string password)
        {
            SecureString sStrPwd = new SecureString();
            foreach (char ch in password) sStrPwd.AppendChar(ch);
            return sStrPwd;
        }
        public static string[] GetEmailId(string users)
        {
            string[] emailID;
            try
            {
                string Output = "Provisioning the supplied list of users: " + users;
                Console.WriteLine(Output);
                string emailInput = users;
                if (!string.IsNullOrEmpty(emailInput))
                {
                    emailID = emailInput.Split(new char[] { ',' });
                    return emailID;
                }
                else
                {
                    return null;
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }
            return null;
        }
    }
}
"@
$ass1 = [System.Reflection.Assembly]::LoadFile("c:\temp\Microsoft.SharePoint.Client.dll") 
$ass2 = [System.Reflection.Assembly]::LoadFile("c:\temp\Microsoft.SharePoint.Client.Runtime.dll") 
$ass3 = [System.Reflection.Assembly]::LoadFile("C:\temp\Microsoft.SharePoint.Client.UserProfiles.dll")
$MyAssemblies = @( $ass1.FullName, $ass2.FullName,$ass3.Fullname,"System","System.Core","System.Security")
Add-Type -ReferencedAssemblies $MyAssemblies -TypeDefinition $MyCSharpSource -Language CSharp -PassThru

HERE (Download as Word file)

Back to Menu
‘

4 Executing the provisioning code

‘

We have now loaded the code into memory (a .NET Framework class in your Windows PowerShell session), where it will be available just like if we had created a C# DLL and loaded it into the GAC. Remember though, the code is now static and connot be altered. If you need to make any Changes, have a look in the references section where I will show how to be able to alter the code after it has been loaded once.

Now, we have to call on the code laoded into memory, this is done from the same prompt/ISE used to load the code, the code only exists in that prompt session so it will not be available in any other prompt.

Use the following syntax to execute:

Syntax: [OneDriveforBusiness.ProvisionOneDrive]::Execute(<SharePointAdminURL>,<GlobalTenantAdminAccount>,<AdminAccountPassword>,<ListofUsersEmailSeparatedbyCommas>)

Example: PS C:\> [OneDriveforBusiness.ProvisionOneDrive]::Execute(“https://donkeymind-admin.sharepoint.com”,”globaladmin@donkeymind.com”,”MyVerySecretPassWord1!”,”user1@donkeymind.com,user2@donkeymind.com,user3@donkeymind.com”)

What you need to supply when running the code, is your SharePoint online admin address, a tenent admin account and password, plus a list of emailadresses to the users that will be provisioned with a OneDrive for Business.

Start by typing in this:

[OneDriveforBusiness.ProvisionOneDrive]::Execute

What this does is call the code we just loaded from PowerShell, The Namespace is OneDriveforBusiness, the Class is ProvisionOneDrive and finally, the void or function is Execute.

<SharePointAdminURL>: The Admin address is available if you go the the Admin/SharePoint administration web. This will be visible in the address field of your browser:

Note the address: https://donkeymind-admin.sharepoint.com.

<GlobalTenantAdminAccount>: An account that is a global Office 365 Tenant Administrator.
The account must have this setting in Office 365 Admin Center/Users & Groups – User object:

<AdminAccountPassword>: The password of the <GlobalTenantAdminAccount>. This will be entered in cleartext, not the ideal security solution but this is the only way I could solve it.
(Suggestions on how to prompt for the password in a secure way is welcome!)

<ListofUsersEmailSeparatedbyCommas>: This is the users that will have provisioned with OneDrive for Business. A list of UPN’s (User Principal Name) separated by commas. The UPN must be the one registered in Office 365. The UPN is in the form of a emailadress, for example: user@domain.com. Enter the string using double quotes on both sides.

This is what the string should look like: “user1@donkeymind.com, user2@donkeymind.com, user3@donkeymind.com, user4@donkeymind.com, user5@donkeymind.com”

When you have all the values in order, type in the command with your parameters and execute the provisioning:

PS C:\PSScripts> [OneDriveforBusiness.ProvisionOneDrive]::Execute(“https://donkeymind-admin.sharepoint.com”,”thomas@donkeymind.onmicrosoft.com”,”**********”,”testaccount@donkeymind.onmicrosoft.com”)

When executed ok, you will see this:

The limit for submitting users to be provisioned have been set by Microsoft to 200 at the time. This code do allow more but it will cause issues. Better to do them 200 at the time, wait unitl done and then do 200 more, alternatively, alter the code to include a check so that every user have been provisioned ok Before moving onto the next.

Now, you can execute the commend again and again. You can also use the code obviously for other tenants. Simple provide the commend with a different account, a different admin URL and you are good to go. Good luck!

Back to Menu
‘

5. Done! Verify….

‘

For a tool to verify your list of users directly, check out this guide: Office 365 guide series – Verify Provisioned OneDrives using PowerShell

Verify that the sites have been provisioned by browsing to the direct URL using your admin account. The URL will look like this:

User: thomas.balkestahl@donkeymind.onmicrosoft.com
URL: https://donkeymind-my.sharepoint.com/personal/thomas_balkestahl_donkeymind_onmicrosoft_com/

User: han.solo@alliance.org
URL: https://donkeymind-my.sharepoint.com/personal/han_solo_alliance_com/

Since you are using your admin account, you have access to the private part of the OneDrive/MySite.

Note: All the steps in this guide have been verified on a Windows 8.1 Update 1 machine, using PowerShell ISE and the Office AMS July 2014 Update 1. All tests have been done during August of 2014, the functionality of Office 365 may change over time and may thus cause this guide to fail. If this happens I will try to be alert and update the guide accordingly.

‘

Possible errors

‘

1. You need to alter the script, then run the script again?

You have two choices if this happens, you have loaded the code once and you need to edit it and run again. If you do this you may get the error message saying that the ‘Type has already been added’ or similar. If you get this, simply restart your PowerShell prompt/ISE, OR, Change the name of the public class:

Add for example a number after, so that the class is called: ProvisionOneDrive1, then 2 and so on.

2. Nothing happens, no OneDrive shows up?

Verify all your values, then execute the command again. Remember though, that the time it takes for a site to show up may vary and can take up to 5 minuter PER SITE. Wait a moment longer, try it again

If you have the wrong address when verifying, you will see either of these pages depending on the URL used:

A link like:
https://donkeymind-my.sharepoint.com/personal/testuser4_donkeymind_onmicrosoft_com/_layouts/start.aspx#/Documents/Forms/All.aspx?LoadProfile=TRUE

A link like:
https://donkeymind-my.sharepoint.com/personal/testuser4_donkeymind_onmicrosoft_com

404 could also just mean that the site is in queue and has not been provisioned yet.

References and Credits

‘
Stefan Gossners old post: Using CSharp (C#) code in Powershell scripts
http://blogs.technet.com/b/stefan_gossner/archive/2010/05/07/using-csharp-c-code-in-powershell-scripts.aspx

Office365 Developer Patterns & Practices/Office App Model Samples
http://officeams.codeplex.com/

TechNet Add-Type
http://technet.microsoft.com/en-us/library/hh849914.aspx

Credits & many thanks to

‘

Kimmo Forss, Microsoft

Jörgen Andersson, Xperta

All the contributors of Office AMS

Always, Mattias Gutke at CAG

Stefan Gossner, Microsoft (Blog) for that short and concise post written a few years back.

My love for putting up with me while solving this problem and writing this post!

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

The easy guide to creating a scheduled task running as system

G’day Windows lovers.
Again, this is not a SharePoint post per se, but hey, we all need to Schedule a task from time to time, unless we have completely flown into the clouds…
No need for any command prompt, at.exe, schtasks.exe or anything like that. This can all be done from the gui.

Note: Some people may state that it is a bad idea running a scheduled task as system, that this is bad for security reasons. I can agree with both sides but a fact is that Microsoft has a number of their default scheduled tasks running as system, so it can’t all be wrong. Also, running the task as a different administrator account is even worse, so…do as you like here. Secure the location of the script files, at least do that.
Good or bad, it is still a fact that some people in some situations want to do this, run a script as system, perhaps for the simplicity of it, for not having to rely on service accounts beeing created or other reasons good or bad.

Step by step:

Note: These steps have been verified on Windows Server 2012, but will function just as well on Windows Server 2012 R2 or Windows Server 2008R2/Windows Server 2008, Windows 7 nd Windows 8x

–

Note: You have to be logged on as a local administrator in order to follow these steps.

Start the Windows Task Scheduler, from the ‘Start’ menu or search, any way works…
When the Windows Task Scheduler is open, Browse to a task under Microsoft. I’m using a .NET Framework task in my example, that will work…

Have a look at the tasks in the .NET Framework container. Select the task at the top and make sure that it is a task running as System by checking its properties.

The properties at the bottom will show you if the task is configured to run as SYSTEM. If the task selected is not, pick another task in the list until you find one that is.

Right-click on the task and select export.

Save the file to a good location locally on the server and give it a good name.

Replace the default name with something of your own:

Save the file, then back in Task Scheduler, select the top of the tree, Task Scheduler Library.

Right-click on Task Scheduler Library and select Import Task…

Browse to the file you just exported.

Click on Open to start the import of the task. Name the new task with the name you want, you now have an exact copy of the default .NET framework task, now we need to make modifications so that it will suit your needs.
Right-click on the task, select Properties to make all the settings available for change.
In my example, I want the task to start a PowerShell script as system.
In order to do that, go to the Actions tab.

Delete the existing action, in my example ‘Custom handler’ and add your own.

If you like me, want to run a PowerShell script, type powershell in the program field and type the path to your .ps1 file in the Add Arguments field.
Save the new action and verify the values.

Now, change all the parameters to suit your needs. For example, you might want to add a scheduled trigger.
Click on the Triggers tab and add the Schedule you need.

In my example, I added a Schedule that starts the task at 07:00 every day and keeps doing this forever…

Now, as a last step, select the completed task under the Task Scheduler Library and verify all the settings, especially, make sure that it is configured to run as SYSTEM!
I also selected Run with highest privilieges in my example because the script I had writted required Run as Administrator to function properly.

Thats all, you’re done! Good luck!
References:

Thanks to:

Me, Myself and I!

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Function to resolve a users OneDrive for Business URL

References and Credits

Credits & many thanks to

How to manage files and folders with PowerShell and CSOM

Prerequisites

Load assemblies

Load a context

Web

List/Library

GetFileByServerRelativeUrl and GetForlderByServerRelativeUrl

Create a file from a local copy

Create a folder from a local copy

Set properties on a file

Set properties on a folder

ResolveUser (Function)

GetItemProperties (Function)

References and Credits

Credits & many thanks to

Verify if a provisioned OneDrive for Business site was provisioned.

‘

‘

Example 1

Example 2

References and Credits

Credits & many thanks to

Provision OneDrive for Business using only PowerShell.

Quickguide

The detailed Guide:

1. Download

2. Get the assemblies

3. Run the script

4 Executing the provisioning code

5. Done! Verify….

‘

Possible errors

References and Credits

Credits & many thanks to