Wednesday, December 24, 2014

'Twas the night before Christmas

'Twas the night before Christmas, when all through the internet
Not an identity was stirring, not even a Passport .NET
The user accounts requests were submitted with care
Hoping that their access would soon be there

The users were nestled all snug in their beds
While visions of being able to do their jobs danced in their heads
The servers and computers were in sleep mode
Awaiting someone to move a mouse and send the wake up code

An urgent email pinging my iPhone created a vibration
I sprang to my Surface to see what was the perturbation.
Opening up Windows 8.1, I signed in to the computer
I ran AD Users and Computers and Event Viewer

User accounts had been created and added to groups
All while I had slept after eating my soups
As I looked at my network, what should appear?
But a brand new Identity Management System so nice and clear

On Sync Engine, on Management Agent! Now MPRs and Workflows!
On Metaverse on Sync Rules!  On PowerShell and Data flows!
To the web service! To Self Service Password Resets!
Provision, Deprovision and Synchronize all the sets!

Ok, ok so maybe I am just a bit eager for the release of Microsoft Identity Manager (due out 1st half of 2015).

Friday, December 12, 2014

Speaking at 2015 Redmond Summit (Jan 27-29 '15)

I will be speaking at the 2015 Redmond Summit: Where Identity Meets Enterprise Mobility.
This summit is put on by my friends at Oxford Computer Group.

I will be speaking on Password Sync vs.  ADFS. Then the next day I will speak on the Business track about How Identity Management Impacts the Bottom Line.

See you there
January 27-29, 2015 in Redmond, WA on the Microsoft Campus

Join OCG, Microsoft, and industry experts for two and a half days of networking and talks on the latest thinking on identity and enterprise mobility. If you’re overwhelmed by devices, have a hybrid environment, wish to simplify access, or manage identity in an increasingly complex digital world then you won’t want to miss this event. Sessions will assess and look in detail at the largest release of new identity products in Microsoft’s history, including Enterprise Mobility Suite, Intune, Azure Active Directory, Hybrid Identity, and more! Discover how other organizations have tackled the same problems you face through case studies and get technical insight from Microsoft product managers and engineers. Registration is $800 per delegate. Find our more and register!

Thursday, December 4, 2014

What AD Attributes are indexed? ANR? Tuple? PowerShell

Import-Module ActiveDirectory
Write-Host "Tuple Index Enabled Attributes"
Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext)  -SearchScope OneLevel -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=32)" -Property objectClass, name, whenChanged,  whenCreated, LDAPDisplayNAme  | Out-GridView
Write-Host "ANR Enabled Attributes"
Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext)  -SearchScope OneLevel -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=4)" -Property objectClass, name, whenChanged,  whenCreated, LDAPDisplayNAme | Out-GridView
Write-Host "Indexed Enabled Attributes"
Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext)  -SearchScope OneLevel -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=1)" -Property objectClass, name, whenChanged,  whenCreated, LDAPDisplayNAme  | Out-GridView

The above script is something I use to quickly look and see what is indexed in an AD environment

Friday, October 24, 2014

SQL Maintenance for FIM and anything other databases

An easy way to take care for your FIM databases is to "use Ola Hallengren's script ( Download the script, adjust the backup paths and run the script on each instance of SQL Server. It will automatically create several jobs some for maintaining the system databases and some for maintain the user databases. You will need to create schedules for each of the jobs." -- FIM Best Practices Volume 1
I love using Ola script for index maintenance because it is so much smart than the Database Maintenance wizard which wants to spend lots of time rebuilding indexes that only needed to be reorganized and messing with indexes that were just fine or too small to matter. A table with less than 1000 pages is usually too small to matter. Less than 5% fragmentation and why bother. Less than 20% and a reorg will usually solve it. Over 20% and you should usually rebuild.
A benefit of using a smart index maintenance solution is that your transaction log backups won't be as large as they would if you rebuild all indexes.

Friday, October 3, 2014

Mistaken Identity

Years ago, I walked into the client site a few months into an Identity Management project, and the PM told me his account had been deactivated by mistake as an employee with the same last name and same first initial was terminated, and they termed his account by mistake.


A few years before that I visited a client whose VP of HR had his account disabled when they let the janitor go. Again same last name but this time the same first name.

What went wrong?

In both cases the AD account was linked to the wrong employee record.

How did that happen?

In the first example they had been diligently entering the employeeID into the employeeID field in AD long before Identity Management. The helpdesk had a tool to query the HR database to look up an employee ID. Apparently, the day this PM had been hired HR was a little slow or the helpdesk made a mistake. Either way they plugged in the wrong employeeID into his AD account. So when the other gentleman was termed, the script they ran (this was before we turned on FIM) disabled his account too.

Garbage in, garbage out. While FIM was not the "perpetrator" it would have done the same thing acting on the wrong data.

In the HR of VP example, the initially joining was done using MIIS (a FIM predecessor) based on first name and last name. Somehow in the intervening years no one noticed that the wrong job title had been pushed into AD.

So how can you avoid this? You can't entirely, but you can reduce the # of occurrences. The first step is to understand the data you are given. The second step is to question the validity of the data -- especially if a human was involved. If the whole process has been automated then any errors should be consistent throughout. A firm hiring George Cludgy (instead of Clooney) would have that data flow from HR out to AD and everywhere else with the correct employeeID. The name itself might be wrong but at least it would be consistent. However, if a human gets involved to do data entry, even though the look it up you have a chance for errors. So you can't take the presence of an employeeID in AD for granted. You must question its validity and confirm it.

I prefer to get dumps of HR and AD and use PowerShell to match them up. Just kidding, this is a job for SQL. While PowerShell actually can do some matching this really is a job for SQL.

By then running queries in my database before setting up FIM I can get a good idea of the matches and non-matches. I can then get the client to confirm the matches and fix the non-matches.

1) Look at and understand the data
2) Question its validity
   Did humans input the data?
3) Export from AD using csvde
4) Get an export of the employees
5) Load 3 and 4 into a SQL database
6) write some queries joining based on employeeID (if present)
7) look at the matches and come up with some additional ways to verify such as including First name and last name
8) use a nick name database to handle the David vs Dave issues.
9) Use Fuzzy lookups from SSIS to generate possible matches.
10) Get the client to validate your matches, especially the possible matches
11) Get the client to work on the non-matches (these accounts may end up getting disabled if no match can be found)

Tuesday, September 16, 2014

Phoenix MVP Roadshow Transform the DataCenter Wed Sept 24 4 PM-8PM

Register Now! to attend MVP Roadshow Sept 24th 4 PM - 8PM

I will be presenting on why we want to get to Active Directory based on Windows Server 2012 R2 and how to get there. My fellow MVP's will be covering the rest of the agenda. I also created an IT clue game to play in small groups where the objective is to figure out who stole the data and how it could have been prevented.

Presented by: MVP David Lundell, MVP Jason Helmick, MVP Rory Monaghan, MVP Tom Ziegmann

IT professionals face many challenges in their struggle to deliver the infrastructure, applications, and services that their organizations need.  Common issues include limited budgets, datacenter infrastructure complexity, and technical expertise to support a wide variety of changing goals.  New features in the Windows Server and Microsoft Azure platform can help address these problems by increasing resource utilization and by simplifying administration.
 This "Transform Your Datacenter MVP Roadshow" will focus on specific approaches, methods, and features that attendees can use to ultimately improve the services delivered to their users.  We'll begin by examining the issues that often prevent or delay infrastructure upgrades, and look at ways in which IT professionals can use modern approaches to overcome them.  Methods include leveraging cloud services where they make sense, and migrating from older OS's, such as Windows Server 2003.
 Next, we'll examine specific features in the Windows Server 2012 R2 platform that can help simplify and improve datacenter infrastructure.  Powerful features include updates such as iSCSI, SMB 3.0, Scale-Out File Server, data de-duplication, NIC teaming, and additional methods for improving your datacenter environment.  We'll also focus on virtualization features in the latest version of Hyper-V, including features for achieving low-cost high-availability, improved performance and scalability, and simplified administration. 
 Finally, we'll discuss ways in which you can take advantage of features in Windows Server 2012 R2 and services in Microsoft Azure to simplify and optimize your datacenter.  Topics include identifying the best candidate applications and services for moving to or integrating with the cloud, and methods of making these transformations.
 Overall, the focus will be on technical details and features that are available now to help IT pros optimize and transform their datacenter environments.  We hope you'll be able to join us!

4:00 – 4:30        Registration and Welcome/Dinner
 (Post/share whoppers, challenges, and questions through twitter and paper)
4:30 – 5:00        IT Clue game – in small groups
5:00– 5:35        To Upgrade or not to Upgrade?
 §  Why you really need to upgrade from Windows Server 2003 or
 2008! (Server Platform)   
 §  Demo: Combating Configuration Drift with PowerShell
 §  Desired State Configuration Q&A
 §  Why you really need to upgrade your Active Directory from Windows Server 2003 or 2008 to 2012 R2! 
 §  Q&A
5:50– 6:00        10 minute Break
6:00 – 7:00        Upgrading to Windows Server 2012 R2
 §  How to upgrade from Windows Server 2003
 §  How to upgrade from Windows Server 2008 
 §  Q&A
 §  How to upgrade AD from Windows Server 2003
 §  How to upgrade AD from Windows Server 2008 
 §  Q&A 
 7:00 – 8:00Datacenter - Dealing with Application Compatibility and Delivery
 §  Discussion and Demos for strategizing Application Migration  
 §  Discussion and Demos of App-V for Application Delivery
 IT Clue game -- someone stole the data
 Wrap up

ADUC Common Queries: Days Since Last Logon

Recently a client asked me how Active Directory Users and Computers (ADUC) performs the Days Since Last Logon query found in the Find Dialog box's Common Queries option.

LastLogon is not replicated so to really get it you have to query every single DC. So I was reasonably certain that the query didn't use LastLogon but rather used the LastLogonTimestamp which was created "to help identify inactive computer and user accounts."  Assuming default settings "the lastLogontimeStamp will be 9-14 days behind the current date."

However, I couldn't find any documentation confirming that so I had to test it. For all I knew it could have been querying all the DC's to get an accurate LastLogon.

So when I ran the query yesterday, 15th of Sept, 120 days previous was 5/18 and on the domain controller I was querying the lastlogon of the account in question was 5/20 but the LastLogonTimeStampwas 5/14. So I knew that if the ADUC query showed the account in question that it meant that the ADUC query was using LastLogonTimeStamp because if it was using LastLogon (whether it was querying all of the DC's or just the one) then the account wouldn't show up.

Sure enough the account showed up. Conclusion: ADUC's Days Since Last Logon query is using the LastLogonTimeStamp as I expected.