Wednesday, June 4, 2014

Office 365: fix the UserPrincipalName if you synced AD prior to adding the new UPN suffix

Probably like many people, I started testing Office 365 in phases. One change we had to make was to add a UPN suffix for @domain.org to replace our non-routable @domain.local. I was a little leery of this, so I tested some Office 365 features before adding the suffix, including licensing about 20 of our accounts.

The problem: the accounts I had already synced were stuck with the ugly @domain.onmicrosoft.com UPN instead of our @domain.org suffix. Forcing a resync did not fix it; the UPN has to be changed in the tenant directly.

This Technet article explains very clearly how to fix the problem:

Open the Windows Azure Active Directory Module for Windows PowerShell, connect with Connect-MsolService, and run:
 
Set-MsolUserPrincipalName -UserPrincipalName user1@domain.onmicrosoft.com -NewUserPrincipalName user1@domain.org 

Simple, but I didn't want to run this command by hand for each account. Doing it in bulk is easy enough in PowerShell, but I hit a few gotchas, so here is the command line that finally worked:

Get-MsolUser -domainname "domain.onmicrosoft.com" | where islicensed -eq $true | %{Set-MsolUserPrincipalName -userprincipalname $_.userprincipalname -NewUserPrincipalName($_.userprincipalname.replace("@DOMAIN.onmicrosoft.com","@domain.org"))}

One thing that took me a minute to remember, after several runs in which nothing happened, is that the .NET string Replace() method is case sensitive: the suffix you pass to Replace() must match the capitalization of the existing UPN exactly, which is why the command above matches on @DOMAIN.onmicrosoft.com rather than the lowercase form.
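A more defensive version of the same bulk rename, added here as an example rather than the command the post actually ran: it previews every change before committing, checks that the target suffix is a verified domain in the tenant, and uses PowerShell's case-insensitive -ireplace so the capitalization gotcha described above cannot silently turn the run into a no-op. Both suffixes and the -Commit switch are placeholders chosen for this example.

```powershell
# Added example, not the original post's one-liner: bulk-rename UPNs with a
# preview step and a case-insensitive suffix match.
# Assumes the MSOnline module (Connect-MsolService). domain.onmicrosoft.com and
# domain.org are placeholders for the tenant's default and verified domains.

param(
    [string]$OldSuffix = 'domain.onmicrosoft.com',
    [string]$NewSuffix = 'domain.org',
    [switch]$Commit   # without -Commit the script only reports what it would change
)

Connect-MsolService

# Refuse to proceed unless the target suffix is a verified domain in the tenant;
# Set-MsolUserPrincipalName fails for suffixes that are not verified.
$target = Get-MsolDomain -DomainName $NewSuffix -ErrorAction Stop
if ($target.Status -ne 'Verified') {
    throw "Domain $NewSuffix is not verified in this tenant (status: $($target.Status))."
}

# Same selection as the post: users still on the old suffix that hold a licence.
$users = Get-MsolUser -DomainName $OldSuffix -All | Where-Object { $_.IsLicensed }

# -ireplace is a case-insensitive regex replace, so DOMAIN vs domain no longer
# matters. The dot in the suffix is escaped and the pattern is anchored to the
# end of the string so only the suffix is touched.
$pattern = '@' + [regex]::Escape($OldSuffix) + '$'

foreach ($u in $users) {
    $newUpn = $u.UserPrincipalName -ireplace $pattern, ('@' + $NewSuffix)
    if ($newUpn -eq $u.UserPrincipalName) {
        Write-Warning "No change for $($u.UserPrincipalName) (suffix did not match)"
        continue
    }
    if ($Commit) {
        Set-MsolUserPrincipalName -UserPrincipalName $u.UserPrincipalName -NewUserPrincipalName $newUpn
        Write-Output "Renamed $($u.UserPrincipalName) -> $newUpn"
    } else {
        Write-Output "Would rename $($u.UserPrincipalName) -> $newUpn"
    }
}
```

Run it once without -Commit and read the "Would rename" lines; if you see "No change" warnings instead, the suffix you supplied does not match what the tenant returns, which is exactly the failure mode the case-sensitive Replace() produced.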

Monday, June 2, 2014

Bulk Import photos into Active Directory for SharePoint, Outlook 2010, Outlook 2013 and Lync

A simple PowerShell script to import photos from a directory into the thumbnailPhoto attribute in AD. The photos should be named samAccountName.jpg, be under 10 KB, and ideally be 96x96 pixels.

To get the photos into the right format, I used ImageMagick's mogrify command (without -path, mogrify overwrites the originals in place):

mogrify -path OUTPUT_PATH -format jpg -thumbnail 96x96 *.jpg

The script itself was embedded as a GitHub Gist (not reproduced here).
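Since the Gist is not reproduced on this page, here is an added example (not the author's script) of what such an import looks like with the ActiveDirectory module. It assumes the RSAT ActiveDirectory module, a folder of samAccountName.jpg files already resized with mogrify as above, and the folder path is a placeholder; it skips files over the size limit, rejects anything that is not actually a JPEG, and only updates accounts whose photo changed.

```powershell
# Added example, not the Gist from the original post: import samAccountName.jpg
# files from a folder into each user's thumbnailPhoto attribute.
# Assumes the ActiveDirectory module (RSAT) and write access to the user objects.
# C:\photos\resized is a placeholder path.

param(
    [string]$PhotoDir = 'C:\photos\resized',
    [int]$MaxBytes = 10KB   # keep thumbnailPhoto small; Outlook/Lync ignore oversized photos
)

Import-Module ActiveDirectory

Get-ChildItem -Path $PhotoDir -Filter '*.jpg' | ForEach-Object {
    $sam = $_.BaseName          # file name minus .jpg is the sAMAccountName

    if ($_.Length -gt $MaxBytes) {
        Write-Warning "$($_.Name) is $($_.Length) bytes; skipping (limit $MaxBytes)"
        return   # 'return' inside ForEach-Object behaves like 'continue'
    }

    $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
    # A JPEG starts with the SOI marker FF D8; refuse anything else so a
    # mislabelled file never lands in the directory.
    if ($bytes.Length -lt 3 -or $bytes[0] -ne 0xFF -or $bytes[1] -ne 0xD8) {
        Write-Warning "$($_.Name) is not a JPEG; skipping"
        return
    }

    # Exact sAMAccountName match; the script-block filter lets the AD module
    # build and escape the LDAP query, so odd file names cannot widen it.
    $user = Get-ADUser -Filter { sAMAccountName -eq $sam } -Properties thumbnailPhoto
    if (-not $user) {
        Write-Warning "No AD user named $sam for $($_.Name)"
        return
    }

    # Skip users whose stored photo is already identical (avoids needless
    # writes and replication traffic on a bulk run).
    if ($user.thumbnailPhoto -and
        [Convert]::ToBase64String([byte[]]$user.thumbnailPhoto) -eq [Convert]::ToBase64String($bytes)) {
        return
    }

    Set-ADUser -Identity $user -Replace @{ thumbnailPhoto = $bytes }
    Write-Output "Updated thumbnailPhoto for $sam ($($bytes.Length) bytes)"
}
```

Run it as an account that has write access to the user objects in scope; Outlook and Lync pick the new photo up on their next address-book refresh, which can lag the directory change by a day.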

Thursday, May 29, 2014

Workflow Manager 1.0 problems on Server 2012 R2

Recently I tried setting up Workflow Manager 1.0 on a new Server 2012 R2 server. The problems were inconsistent and the error messages unspecific. I tried several URIs that all matched the server: over http:// I got a 404, and over https:// I got "the root certificate authority is not trusted", even after issuing the certificate from a domain CA, spending a lot of time matching the URIs in the certificate, and manually registering the domain CA in SharePoint's internal list of trusted root authorities.

The trick is to install the updates to Workflow Manager that the Web Platform Installer does not offer, as I learned from Rob Hardy's blog. After installing Cumulative Update 2 for Service Bus and Workflow Manager, I was able to register the SharePoint Workflow Service with no problems over HTTP.

I am not going to try HTTPS again right now, after getting things to finally work.

Tuesday, May 20, 2014

Install Truecrypt Silently via .MSI

I was recently asked to deploy TrueCrypt 7.1a to 250 computers. We use System Center Configuration Manager, so the simplest way to do this was an .msi. Unfortunately, there is no official MSI for TrueCrypt. I found a reference to a 32-bit version, and Richud's instructions for modifying that 32-bit package so it installs on 64-bit Windows 7.

Here is the compiled TrueCrypt 7.1a silent MSI to save others some time. I followed Richud's instructions for modifying the file exactly, using the free MSI editor InstEd. Before pushing any repackaged installer to that many machines, compare the hashes of the TrueCrypt binaries it drops against the official 7.1a release, so you know the repackaging changed only the installer logic and not the program itself.

Tuesday, April 29, 2014

Retrieve an Active Directory Attribute to set the Default Save Location in Microsoft Office 2010

Every year when we image new computers, I try to work a little harder at making the image as automated as possible. We have a lot of short-term volunteers and students who turn over frequently. Training is also spotty, so the easier and more consistent we can make things, the better.

One thing that we try to do is set the default save location in Microsoft Office (Word and Excel) to the user's network location so that they don't accidentally save files to the C: drive. This has always been a manual task and, as such, it has often been missed. This is especially true for student machines, where 2 or 3 different students may use the workstation over the course of a week. There had to be a better way, and it turns out there is: LDAP queries in Group Policy Preferences!

This is one of the hidden features of Group Policy Preferences. I stared at it for a while and couldn't figure it out on my own, because there does not seem to be a way to retrieve information and store it in a variable using GPP. Here is the key: using LDAP queries in item-level targeting, it is possible to retrieve any Active Directory attribute and store it in an environment variable. We were already storing the path to the user's shared folder in the AD attribute userSharedFolder, so all I had to do was retrieve it and set the appropriate registry keys from that value.

What is userSharedFolder?

userSharedFolder is an Active Directory user attribute that nothing in Windows uses by default. In our case, we already store the path to the user's shared network folder in it, to simplify creating and archiving accounts with PowerShell. You can view or edit it manually with the Attribute Editor in Active Directory Users and Computers (ADUC).

Open Active Directory Users and Computers.
Click on View | Advanced Features.

Open any user object, click on Attribute Editor and scroll down. Attributes are all alphabetized.

In many environments you might instead be using the HomeDirectory (Home Folder) attribute that is exposed by default in ADUC and allows Windows to automatically map a drive to that path.

In our environment, homeDirectory is only set on some accounts and is not where we want users to save by default. If you want to use homeDirectory instead, you can skip the LDAP lookup below and use the HOMESHARE and HOMEDRIVE environment variables that Windows sets at logon whenever a home folder is configured.

Create the Environment Variable

First, we will retrieve this AD attribute and set it to an environment variable.

Create a new GPO. I removed "Authenticated Users" from the Read permissions for this GPO and added just a few test accounts. (On current builds, keep Read for Authenticated Users or Domain Computers even while testing: since MS16-072, Group Policy is retrieved in the computer's security context, and a GPO the computer account cannot read is silently skipped. Use the Apply Group Policy permission to narrow the test group instead.)

Expand User Configuration, Preferences, Windows Settings, and create a new Environment preference.

Set the action to "Update", choose "User Variable" and give it the name "USERSHAREDFOLDER". This is the environment variable that we will be able to access later to set the appropriate registry keys.

Below we will set the value to %_USERSHAREDFOLDER%. This is the value that we will retrieve from our LDAP query in just a minute.

Name: USERSHAREDFOLDER, Value: %_USERSHAREDFOLDER%
Now, click on Common.
Set the option "Run in logged-on user's security context" and Item-level targeting. Optionally, you may want to set "Apply once and do not reapply" if you would like the user to be allowed to change this setting on their own. Click Targeting.

Set the Filter to "(&(objectClass=user)(sAMAccountName=%USERNAME%))" and leave the Binding at its default of LDAP: (this binds to the root of your domain). GPP substitutes %USERNAME% with the logged-on user's name before the query runs, so each user only ever retrieves their own object.

For attribute we will be looking at userSharedFolder, and based on this attribute we will set the value of a temporary environment variable, _USERSHAREDFOLDER. This environment variable will not persist, but it will be used to set the value of the persistent environment variable USERSHAREDFOLDER (as specified on the first screen).

Note: if you are testing this, environment variables set by GPP only take effect in a new logon session. gpupdate /force refreshes the policy, but you will not see the variable until you let it log you off and then log back on.

Use the Environment Variable to set Default Save Location for Microsoft Office

Here are the registry keys that need to be set for each Microsoft Office Application:

--------------------------
Excel 2010
--------------------------
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options
Value Name: DefaultPath
Value Type: REG_EXPAND_SZ
Value data: {%USERSHAREDFOLDER%}

For Excel 2013, setting is identical but change 14.0 to 15.0

--------------------------
Word 2010
--------------------------
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options
Value Name: DOC-PATH
Value Type: REG_EXPAND_SZ
Value data: {%USERSHAREDFOLDER%}

For Word 2013, setting is identical but change 14.0 to 15.0

--------------------------
Access 2010
--------------------------
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Settings
Value Name: Default Database Directory
Value Type: REG_SZ
Value data: {%USERSHAREDFOLDER%}

For Access 2013, setting is identical but change 14.0 to 15.0

--------------------------
Powerpoint 2010
--------------------------
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\RecentFolderList
Value Name: Default
Value Type: REG_EXPAND_SZ
Value data: {%USERSHAREDFOLDER%}

For Powerpoint 2013, setting is identical but change 14.0 to 15.0
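For comparison, and as an added example rather than anything from the original post, the same result can be produced from a per-user logon script: it runs the same LDAP filter with DirectorySearcher, stores the attribute in a persistent user environment variable, and writes the registry values listed above. It assumes a domain-joined workstation where userSharedFolder is populated and Office 2010 paths (14.0); because GPP expands %VARIABLE% references before writing a value, the REG_SZ value for Access is written as the resolved path rather than the variable reference.

```powershell
# Added example, not from the original post: logon-script equivalent of the
# GPP Environment item plus the registry items described above.
# Assumes a domain-joined machine ($env:USERDNSDOMAIN is set), that the
# userSharedFolder attribute holds the user's share path, and Office 2010
# (14.0; use 15.0 for Office 2013).

param(
    [string]$OfficeVersion = '14.0',
    [string]$Attribute = 'userSharedFolder'
)

# Escape a value before embedding it in an LDAP filter (RFC 4515: \ * ( ) NUL),
# so a user name cannot alter the structure of the query. Backslash first.
function ConvertTo-LdapLiteral([string]$s) {
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Same filter as the GPP item-level target; %USERNAME% becomes $env:USERNAME.
$filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapLiteral $env:USERNAME)))"

# Bind to the root of the current domain, as GPP's default "LDAP:" binding does.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$env:USERDNSDOMAIN")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter, [string[]]@($Attribute))
$result   = $searcher.FindOne()
$searcher.Dispose()

# Result property names come back lower-cased.
$values = if ($result) { $result.Properties[$Attribute.ToLower()] } else { $null }
if (-not $values -or $values.Count -eq 0) {
    Write-Warning "No $Attribute value for $env:USERNAME; leaving Office defaults alone"
    return
}
$path = [string]$values[0]

# Persistent per-user variable: what the GPP Environment item writes.
[Environment]::SetEnvironmentVariable('USERSHAREDFOLDER', $path, 'User')

# Registry values from the text. REG_EXPAND_SZ values keep the variable
# reference so the path follows the variable later; Access uses REG_SZ and
# gets the resolved path, as GPP's variable expansion would produce.
$office   = "HKCU:\Software\Microsoft\Office\$OfficeVersion"
$settings = @(
    @{ Key = "$office\Excel\Options";               Name = 'DefaultPath';                Type = 'ExpandString'; Value = '%USERSHAREDFOLDER%' },
    @{ Key = "$office\Word\Options";                Name = 'DOC-PATH';                   Type = 'ExpandString'; Value = '%USERSHAREDFOLDER%' },
    @{ Key = "$office\Access\Settings";             Name = 'Default Database Directory'; Type = 'String';       Value = $path },
    @{ Key = "$office\PowerPoint\RecentFolderList"; Name = 'Default';                    Type = 'ExpandString'; Value = '%USERSHAREDFOLDER%' }
)
foreach ($s in $settings) {
    if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
    New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
}
```

The escaping helper is the part worth keeping even if you stay with GPP: anywhere a user-controlled string is spliced into an LDAP filter, the RFC 4515 special characters have to be escaped or the filter can be widened to match other objects.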

Go back to our GPO and expand User Configuration | Preferences | Windows Settings | Registry.
Create a new Registry preference. Leave Action to Update, and copy the appropriate key paths above (repeat for each application that you use in your environment). We use only Word and Excel: