Wednesday, May 28, 2014

Where Are My AD Computers?

Just a quick PowerShell snippet to show where the computer objects are located in AD.  It uses a little function to calculate the OU from the DistinguishedName, then uses Select-Object to add a property to the AD object.

Next we just need to use Group-Object to show each OU and how many computers the OU contains.

Since I had all those computers in memory, thought it’d be a good time to also see how many were enabled, and how many were actually active (had they set their password in the last 100 days).

Nothing too fancy, just a couple of examples using some of the core PowerShell cmdlets.



### Get all the AD computers


$computers = Get-ADComputer -Filter * -Properties Enabled,OperatingSystem,PasswordLastSet



### quick function to calculate the OU by DN


function Get-OU ($ADOjbect)


    $DNParts = $ADOjbect.DistinguishedName -split ','

    $DNParts[1..($DNParts.count -1)] -join ','




### where are they?


$computers |

Select-Object -Property *,@{Name="OU"; Expression = {Get-OU $_}} |

Group-Object -Property OU -NoElement |

Sort-Object -Property Count -Descending



Count Name         

----- ---- 

 8816 OU=Hoof,DC=Litware,DC=ca

 5485 OU=Hearted,DC=Litware,DC=ca

 3241 OU=Ice,DC=Litware,DC=ca

 2823 OU=Melted,DC=Litware,DC=ca




### Are they enabled?


$computers | Group-Object Enabled -NoElement


Count  Name                    

-----  ----                    

12,507 False                   

53,967 True                    



### Are the active? (password set within the last 100 days)


$computers |

Where-Object {$_.PasswordLastSet -and ([DateTime]::Now - $_.PasswordLastSet).Days -lt 100 } |



Count    : 34,753


Tuesday, May 20, 2014

Counting the Days with PowerShell

Being a PowerShell addict means finding excuses to do something fun when the task at hand is pretty boring.

This little snippet just finds the number of working days in a given month, something handy when estimating time and materials contracts.


### Capture the holidays in a HashTable

### Could have used an array but thought I might need the name of the holiday eventually

$Holidays = @{

"New Year's Day"              = Get-Date 'Jan 1'

"Martin Luther King, Jr. Day" = Get-Date 'Jan 21'

"Presidents' Day"             = Get-Date 'Feb 18'

"Memorial Day"                = Get-Date 'May 27'

"Independence Day"            = Get-Date 'Jul 4'

"Labor Day"                   = Get-Date 'Sep 2'

"Thanksgiving Day"            = Get-Date 'Nov 28'

"Day After Thanksgiving"      = Get-Date 'Nov 29'

"Christmas Day"               = Get-Date 'Dec 25'



### PowerShell Loves Puppies

$VerbosePreference = 'Continue'


### Initialize the number of working days (this turns out to be my ideal)

$workingDays = 0


### Set the Month

$Month = 7


### Get the number of days in the month

$DaysInMonth = [DateTime]::DaysInMonth([DateTime]::Today.Year,$Month)


### Count the days in the month, excluding weekends and holidays

for ($day = 1; $day -le $DaysInMonth; $day++)


    if (([DateTime]"$Month $day").DayOfWeek -in @('Saturday','Sunday'))


        Write-Verbose "Weekend! $Month $day"


    elseif($Holidays.ContainsValue([DateTime]"$Month $day"))


        Write-Verbose "Holiday! $Month $day"








### Spew the output



Monday, May 19, 2014

System Center Advisor

This is a pretty cool solution with a small footprint.  The solution is ideal for FIM deployments because FIM has so many dependencies that are analyzed by System Center Advisor.

Any FIM deployment in an environment that lacks monitoring should consider using System Center Advisor.  The price is right (free), it runs in the cloud, and has a very simple client agent installation.

There’s a good overview video over on Channel9: System Center Advisor.  There’s also pretty good documentation available on TechNet: System Center Advisor on TechNet

Thursday, May 15, 2014

Professional Productivity–Scott Hanselman

Came across this video by Scott Hanselman and find myself telling people about it ALL THE TIME.

Professional Productity – Scott Hanselman

Scott is a software hero of mine.  I am a huge fan of his contributions and demeanor.  Before blowing up in frustration I often wonder, what would Scott do?  After watching the above video I’m pretty the following points would apply:

  • I must dance
  • Don’t be an ask-hole

Microsoft Message Analyzer

Most relationship status changes are announced on FaceBook, but I discovered this one on the PowerScripting Podcast.  Turns out NetMon and SvcTraceViewer got serious and produced offspring, known a Message Analyzer.

Message Analyzer takes a little getting used to (I’m still a noob) but I’ve already used it to help diagnose a couple of problems I’m working on.  One of the cool things about it is the ability to capture both network and system traces (such as ETW).  Pretty cool to see them both in the same chart so you can watch how an application like FIM interacts with the network.  Also cool to use as a discovery tool to learn how a system is behaving, instead of just looking at the code to gauge what it will do.

BTW – the PowerScripting Podcast is one of my favourites.  I listen to it when I’m driving, or when I’m riding my bike.  Even the shows that don’t seem relative to my work always leave me with something useful.  Great job guys, way to support the community!

Wednesday, May 14, 2014

The Future of FIM

For years we have lacked a good roadmap for the FIM product.  The product did not enjoy heavy investment and we did not hear much about where it was going.  One could be forgiven for thinking it was all but dead because the products around it were all being turfed as Microsoft shifted focus.

Today there is no excuse for thinking that FIM is dead.  Microsoft has finally thawed the roadmap, poured money and time into it, and has been public about their plans.  here are some salient blog posts:

· Forefront Identity Manager futures

· Forefront Identity Manager vNext roadmap (now Microsoft Identity Manager)

· Hybrid Identity, Mobile Device Management, and the Enterprise Mobility Suite

Those posts only pertain to FIM.  The reality is that Microsoft is doing a ton of identity work in AD and Azure to drastically lower the integration bar (my job may be at risk) and raise the success rate.

Microsoft’s original investment in identity (the acquisition of Zoomit in 1999) served largely to seed Active Directory deployments.  Today Microsoft’s re-investments in identity seem to serve as seeding Azure services, or what Microsoft is calling Hybrid Identity.  Tying FIM to Azure this way is pretty cool, and I think will create a lot of demand.

I’m very excited about this year and what we’re seeing from Microsoft.  Long live the metadirectory!

Tuesday, May 13, 2014

VM Sizing for FIM in Azure

Been running my FIM lab VMs in Azure lately trying to learn how to best automate them.

My lazy observation is that running the FIM Service and Portal is tolerable in a Medium VM (A2) (2 cores, 3.5 GB memory).  My preference was to run it in an Small (A1) (1 core, 1.75 GB memory) but the memory and processor load was just too high.  I am being lazy here because I could optimize the computer but it is just cheaper for me to go bigger then use the time I saved to go ride my bike.

The difference is pretty small really because I only run these for hours at a time.  If I were to leave them on for the whole month it would be about:

  • Small VM ~$67/month
  • Medium VM ~$134/month

So far I haven’t gone home without forgetting to turn the lights off…

PowerShell Desired State Configuration–Time to Get-OnBoard

My brain is still full from the PowerShell Summit a couple weeks ago.  One of the big takeaways for me was just how serious Microsoft is about Desired State Configuration.  There was a session where Jeffrey Snover invited a bunch of people from the product group to introduce themselves and what they were working on.  The vast majority of them were working on DSC.  That was a big signal for me because it demonstrated that this is not just some neat feature that landed in the Windows Management Framework, but this is a serious part of dev and ops.

Already we are seeing rapid waves of goodies for DSC:

Anyhow, I’m back on the DSC bandwagon working on some custom resources and just figured out how to stop installing them to the Windows folder.  Cool!  Looking forward to sharing the resources once they are worthy.  At the moment the represent my fumbling around learning DSC, and also what that means in terms of improvements we can make to the FIM PowerShell Module to be a better fit for DSC.  This stuff fills my tank!

Leveling an LDAP Query String

The neat freak in me likes to level strings in code to make them easier to read.  This is just a little trick to level a string containing an LDAP filter before sending it to Get-ADUser.

The trick is to just level the string out, but remove the CR and LF using the –replace operator.

The LDAPFilter variable will then contain something usable by Get-ADUser while you still get to look at something easy to read.


$LDAPFilter = "






)" -replace "`r" -replace "`n"


Get-ADUser -LDAPFilter $LDAPFilter


Thursday, May 08, 2014

Comparing FIM Requests

Troubleshooting FIM Service requests can be tricky, sometimes you really want to know why one request failed while another succeeded.

Finding the differences between two requests can be difficult to eyeball in the FIM Portal because the request parameters (the detail in the ‘Detailed Content’ tab of a FIM Request) are difficult to compare side-by-side.  Also, these are difficult to compare when you export the attribute because they are stored as XML strings.

PowerShell to the rescue!

The sample below uses the PowerShell Compare-Object cmdlet to find the differences in two FIM RequestParameter arrays.  The arrays are created using the Get-FimRequestParameter function from the FIM PowerShell Module.



asnp fimautomation

ipmo FimPowerShellModule



Get the Request Parameters for Two Requests.  They basically look like this:


Mode Operation PropertyName Value           

---- --------- ------------ -----

     Create    Description  some funny description 

     Create    DisplayName  _DscTestSet1

     Create    Filter       <Filter xmlns:xsi='

     Create    ObjectType   Set 

     Create    ObjectID     14221f54-3f17-4026-9097-10201993794d 

     Create    Creator      7fb2b853-24f0-4498-9534-4e10589723c4 

     Create    Temporal     false                     


$p1 = Export-FIMConfig -only -custom "/Request[ObjectID='5f770f4e-80ea-4910-a2aa-93d9a6a8abb3']" | Convert-FimExportToPSObject | Get-FimRequestParameter

$p2 = Export-FIMConfig -only -custom "/Request[ObjectID='35be2ef9-3930-48b7-82b9-816c944cfd76']" | Convert-FimExportToPSObject | Get-FimRequestParameter


### Compare the Request Parameters

Compare-Object $p1 $p2 -Property PropertyName,Value



The output shows the differences:


PropertyName Value                                SideIndicator

------------ -----                                -------------

ObjectID     88272395-ccb1-4238-8095-2d4ea89a9adf =>          

ObjectID     14221f54-3f17-4026-9097-10201993794d <=          





Troubleshooting with System.DirectoryServices.DirectorySynchronization

The FIM Synchronization Engine uses the DirSync Control to track changes in Active Directory.  The DirSync Control is a very durable way to track changes in AD since it uses the same underlying mechanism that powers AD replication.  That same control is also very handy for reading data from AD because it bypasses access control lists.

Recently I was troubleshooting an object in FIM Sync so I wanted to look at the actual object in AD.  Using Get-ADUser didn’t work, then LDP also didn’t work, but sure enough there it was in my FIM Connector Space.

I suspected the Active Directory connector in FIM was able to see the object because it was querying with the AD DirSync Control.  The script snippet below proved the theory, and also proved once again that PowerShell is really cool.




Execute these as an AD User with DirSync Privs



### SUCCESS!!! (finds the object in AD)

$directorySearcher = New-Object System.DirectoryServices.DirectorySearcher

$directorySearcher.Filter = "(samAccountName=HoofHearted?)"

$directorySearcher.DirectorySynchronization = New-Object System.DirectoryServices.DirectorySynchronization



### FAILURE!!! (returns nothing)

$directorySearcher = New-Object System.DirectoryServices.DirectorySearcher

$directorySearcher.Filter = "(samAccountName=HoofHearted?)"

#$directorySearcher.DirectorySynchronization = New-Object System.DirectoryServices.DirectorySynchronization