Searching Multi-Valued Properties in PowerShell

I’ve been playing with Office 365 commands in PowerShell and had to do a search. Sounds simple, but depending on what you’re searching, some scenarios are less basic than others.

Everything in PowerShell is an object. Usually, a property in PowerShell has a single value, such as:

UserPrincipalName: [email protected]

which is one of the results from Get-MsolUser. However, another property is different:

AlternateEmailAddresses: {[email protected]}

Visually, the difference is just the {} braces that contain the value. These braces mean that the property has been built to contain multiple items, rather than a single item.

If I wanted to see a list of all UserPrincipalNames, I’d use this command:

Get-MsolUser -all | select UserPrincipalName

A nice list of UPNs would display on the screen. However, run that same command against AlternateEmailAddresses, and all that comes up is a bunch of blank lines.

To make this work, we need to select the property through a calculated property whose expression returns its values:

get-msoluser -all | select @{Name="AlternateEmailAddresses";Expression={$_.AlternateEmailAddresses}}

To then search on those values with the ‘where’ command, you’d have to write it like this:

get-msoluser -all | select @{Name="AlternateEmailAddresses";Expression={$_.AlternateEmailAddresses}} | where {$_.AlternateEmailAddresses -like "*contoso*"}

The good news is, for a where search by itself, you can forget all that and go back to basics:

Get-MsolUser -all | Where AlternateEmailAddresses -like "*contoso*"

Because of this requirement on the Select command, it led me down the wrong path for a bit. There’s other reading on how to list all the values of a multi-valued property.

If you’re still lost and want to get started with PowerShell, try checking out this PowerShell Basics video.
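To show what the comparison operator is doing with a multi-valued property, here is an added example (not from the original post) that runs offline against constructed objects standing in for Get-MsolUser output; the users and addresses are made up.

```powershell
# Constructed sample objects standing in for Get-MsolUser output (made-up data).
$users = @(
    [pscustomobject]@{
        UserPrincipalName       = 'alice@contoso.example'
        AlternateEmailAddresses = @('alice@fabrikam.example', 'a.smith@contoso.example')
    }
    [pscustomobject]@{
        UserPrincipalName       = 'bob@contoso.example'
        AlternateEmailAddresses = @('bob@fabrikam.example')
    }
    [pscustomobject]@{
        UserPrincipalName       = 'carol@contoso.example'
        AlternateEmailAddresses = @()   # empty collection: never matches
    }
)

# -like against a collection returns the matching elements, not $true/$false.
# Where-Object treats a non-empty result as true, so a user passes if ANY value matches.
$matched = $users | Where-Object { $_.AlternateEmailAddresses -like '*contoso*' }

# Join the values into one string per user so they display and export cleanly.
$matched |
    Select-Object UserPrincipalName,
        @{ Name = 'AlternateEmailAddresses'; Expression = { $_.AlternateEmailAddresses -join '; ' } } |
    Format-Table -AutoSize

# One row per address, for when the review is per address rather than per user.
$users | ForEach-Object {
    $upn = $_.UserPrincipalName
    foreach ($addr in $_.AlternateEmailAddresses) {
        [pscustomobject]@{ UserPrincipalName = $upn; Address = $addr }
    }
} | Where-Object Address -like '*contoso*' | Format-Table -AutoSize
```

Only alice is returned in both tables: her second address matches, bob's single address does not, and carol's empty collection yields nothing.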

Welcome to 2017

Welcome to 2017! I figured this was a great time to reflect over 2016, as well as looking forward to what 2017 holds.

Last year I wrote New Year 2016 Resolutions which is worth a rehash to see how I went:

1. Be more personal in what I do (selectively).
I did this a little, but can probably do it a little more. My last blog post in 2016 was an opinion piece, but I need to do more personal I believe.

2. Get less caught up in particular individuals or situations.
Mostly achieved :) It still happened a few times but I walked away quicker, continue working on this one too.

3. Be more positive
I think I did fairly well on this – I’ll still call someone out on it when I don’t agree, but overall I feel like I didn’t dwell on many negative things.

4. Get more involved in communities
Tick :) I was handed the Adelaide Windows User Group to run, and merged with Adelaide System Center User Community to become Adelaide Windows and System Center Community. I’ve also presented in the user group a few times, as well as another short presentation at itSMF. More presentations needed.

5. Helping others
I always want to do this more, but I’ve tried to do this where possible. It’s been happening, which is great!

6. Do more writing
I did more but could have done more again. Will see how 2017 goes, I have a few external posts scheduled, and writing this post is a good start.

You can probably see a theme here – I worked towards what I wanted but felt I could have done more. What will 2017 hold for me then?

I’m off to a pretty good start. I was awarded the Microsoft MVP title in the area of Cloud and Datacenter Management! I can proudly display this logo now:

This category covers all these areas:

 

  • Azure Stack
  • Datacenter Management
  • PowerShell
  • Hyper-V
  • Storage
  • Networking
  • High Availability
  • Installation and Servicing
  • Enterprise Security
  • Group Policy
  • Windows Server for Small & Medium Business
  • Linux on Hyper-V
  • Chef/Puppet in Datacenter
  • Container Management
  • Linux in System Center/Operations Management Suite

This doesn’t mean I’m a pro at all of them either… don’t bother asking me about Chef/Puppet right now for example, as I’ve never had to use them in real life! If you want to know what an MVP is, have a look at Microsoft’s overview.

Who knows what this new title will bring, but it’s incredibly rewarding to be recognised at this level. I’m hoping to be able to visit Microsoft HQ as part of the MVP Global Summit later this year too :)

I’ve had a huge response to announcing my MVP title which has been very touching in itself; just people bothering to respond with a ‘congratulations’ is a very nice feeling – thank you all who have!

Beyond that, I’m really going to be continuing on the points I set back at the start of 2016. Nothing’s really changed there, so I’ll continue down that path.

Right now, I aim to make the most of being an MVP and continuing to do what I do; there’s always lots more to learn, and plenty of opportunities to pass on those new skills and tips.

An area of focus for me will be Azure and Office 365 which is ever changing, and it’s where all the exciting new things are these days ;)

Looking forward to 2017 both work wise and family wise (and continuing to keep the balance between both) – bring it on!

 

 

Opinion: Australia’s New Website Blocking

Australians may find that over the Christmas break their favorite torrent site will no longer load. Certain websites are getting blocked in Australia due to a court ruling which is going to accomplish very little in my opinion, and here’s why:

Copyright holders have had a successful ruling that Australian ISPs have to block five torrent websites – The Pirate Bay, Torrentz, TorrentHound, IsoHunt and SolarMovie. Each domain blocked will cost the copyright holders $50.

Looking past any piracy arguments beyond the fact that piracy is copyright infringement (not theft) – there are many glaringly obvious problems with this ruling that will end up achieving very little.

This is a mere selection of the torrent sites that exist, and many people will just move onto another.

If they don’t do that, they might google ‘how to access piratebay’ and click on one of the first hits: https://thepiratebay-proxylist.org/ – which is a list of sites that proxy through the original website’s content via a ‘middle’ domain.

The time the courts have given ISPs to negotiate with the copyright holders, decide on a method of blocking, and implement was 15 days – a ridiculously short time to do something like this well.

Telstra have already implemented DNS blocking which is one of the easiest to implement, and also one of the easiest to work around.

DNS blocking works by redirecting traffic from a client when it requests to go to a certain site – e.g. https://thepiratebay.org/ – which would normally have the site owner’s IP address mapped to it. Instead they’re getting in the middle and presenting their own warning page. You can also just use a different DNS server than what your ISP automatically gives you, such as Google’s own at IP 8.8.8.8 – making this fairly pointless. Anyone that’s worked out how to torrent, can work out one of the several ways to bypass a DNS block.

If ISPs choose to do IP blocking instead, that will lead to other issues as well, and still won’t do anything about the proxy sites. Of course sites can also change IPs regularly.

Edit: While writing this it appears other ISPs such as Optus have implemented the same DNS blocking:

What is all this trying to achieve then?

There is the whole fear factor aspect of big brother watching which may convince people that see these messages to swear off pirating for the rest of their life. The recent letters for Australians caught downloading Dallas Buyers Club scared some people, but everyone I’ve spoken to that was worried either started using a VPN, or went back to the old sneakernet method of getting material from others who hadn’t changed their ways.

If anything, services like Getflix were the only winners, providing both DNS bypassing for overseas content as well as VPN services.

I don’t see any difference in this particular legal case. It gives more attention to the topic, but nothing will really change.

The whole ‘make getting material easy, cheap and worldwide’ argument still applies as demonstrated by services like Netflix, iTunes and the Apple store.

Maybe the best approach would be micro transaction fines for copyright infringement, payable online at the time of downloading a movie or TV show. Wait, that’s pretty much what iTunes is anyway!

It is an unwinnable battle for the copyright holders to go after pirates (rightly or wrongly it’s still how it is) which leaves them the single answer of providing a reasonable, paid service most will use to consume their media.

Azure AD Connect Pass-Through Authentication Tips

A few days ago, an updated version of Azure AD Connect was released – 1.1.371.0 (download). This included the public preview of Passthrough Authentication and Seamless Single Sign-on which lets an internal domain connected computer authenticate against an internal domain controller and sign into Office 365 resources. This gives a great cheap option to do this rather than requiring ADFS on premise to do this or just entering user credentials to authenticate against Azure AD; but there are caveats I’ll cover below.

Install Gotcha

After you’ve updated the client (regardless of the authentication type chosen), there’s a quick ‘gotcha’: The Azure AD Connect application shows a different message when you launch it:

“Synchronization has been disabled to allow changes to your current configuration. Azure Active Directory will not receive further updates until reconfiguration is complete.”

 

This is very different from previous versions:

As I was testing passthrough authentication at the time, I misunderstood this message to mean that something was being configured, and I had to wait. What it actually means is that by launching the application, syncs are now paused until you finish with this program; either by making a configuration change or just exiting.

This also means that if you leave this window open, synchronization will not occur again until it’s closed – even if you have multiple servers set up. If you get an email alert saying synchronisation hasn’t occurred for a while, the first thing to do is to check that someone didn’t leave the application open.

Azure AD Connect Passthru Auth

I’ve been waiting all year for this option, but there is a lot of misinformation around what it actually can do. After having the privilege of speaking to Ross Adams, the Senior Program Manager on SSO and Passthru Auth for Azure AD Connect, for two hours (thanks Ross for your invaluable time!) I found out about these key points:

  • Passthrough Authentication right now does not give you a pure automatic authentication experience. It avoids the requirement of having to retype your password, but you still need to choose your account.
  • Azure AD App Proxy is required for Single Sign-on and Passthrough Authentication, but won’t function for actual application proxying when in this mode. You’ll need a different box running App Proxy if you use it this way.
  • Appending your domain onto supported URLs with WHR (custom login page, e.g. https://login.microsoftonline.com/?whr=contoso.com) will reduce the number of clicks a user needs to get in – generally a single click to pick their account.

This doesn’t quite match the experience compared to having ADFS on premise, as I confirmed with friend Ken Goodwin. This is his explanation of the ADFS experience:

If you just go to office.com to logon, after you type in your email address it’ll redirect you to the adfs server which will automatically log you on (assuming internal). If you pre-specify the domain using https://login.microsoftonline.com/?whr=domin.com, then the logon will be automatic.

This might act differently if you’re able to enable auto-acceleration on your SharePoint sites at least, which drops the WHR requirement – as long as you have Azure Active Directory Premium.

Keep in mind, Passthrough Authentication and Single Sign-On are still in public preview so this may change and improve. I’m still having a mixed experience on a few items, so don’t go too crazy with rolling this out to your live setup yet. I expect we’ll see some updates soon, and finish up with a really solid new feature to improve the experience for all.

Update: Another tip – if you disable and re-enable Pass Through Auth then your old Kerberos tickets will be invalid. Wait 10 hours or run the command “Klist purge” on any affected PCs – otherwise you’ll get weird authentication errors when trying to log into a site.

Websites Timing Out – This Page Can’t Be Displayed

I came across this issue where a particular user was getting lots of timeouts for websites via Internet Explorer. The problem didn’t follow the user to other PCs, and I couldn’t see any firewall issues. The websites were random, but I did notice they were generally slow to load websites.

Another symptom was getting this same error when signing up for things or processing payments – all processes that can take a while to respond. Even loading pictures on emails sometimes timed out this way!

I did find a 3rd party search engine had been added to IE and removed that, but that made no difference.

After a bunch of testing and research, being convinced it was a local profile issue, probably around IE timeout settings, I found this article which gave a registry setting around timeouts. I adjusted the value for KeepAliveTimeout in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings but it made no difference.

What I did notice though, was another registry value in the same spot – ReceiveTimeout. This was set to 5000 which would equate to 5 seconds converted from milliseconds, similar to the KeepAliveTimeout setting.

Comparing it to another computer, that registry setting didn’t even exist. I tried upping the value to 60000 for a minute, and after lots more testing, the problem appeared to be fixed! I then deleted the registry key and the problem didn’t reoccur.

My assumption is that the 3rd party search engine (which seemed a bit dodgy) added certain registry settings under the user’s profile for their own purposes, and removing it didn’t clear it up.

Of course, deleting the profile would have had the same result, but then we wouldn’t understand why it broke!
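A way to check a PC for the same leftover values without digging through regedit, as an added example that is not part of the original post: it reads the two value names mentioned above from every user hive currently loaded under HKEY_USERS. It assumes an elevated prompt so other logged-on users' hives are readable, and treats the values as milliseconds as the post does.

```powershell
# Value names the post examined under each user's Internet Settings key.
$names   = 'ReceiveTimeout', 'KeepAliveTimeout'
$subPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'

# Walk every user hive currently loaded under HKEY_USERS (logged-on users only).
# The pattern keeps real user SIDs and skips the *_Classes hives and system accounts.
$findings = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $key  = "Registry::HKEY_USERS\$sid\$subPath"
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $names) {
            # The post's comparison PC had no ReceiveTimeout value at all,
            # so a missing value is expected and is simply skipped.
            if ($item -and $item.PSObject.Properties.Name -contains $name) {
                [pscustomobject]@{
                    Sid     = $sid
                    Value   = $name
                    Millis  = $item.$name
                    Seconds = [math]::Round($item.$name / 1000, 1)
                }
            }
        }
    }

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No timeout overrides found in loaded user hives.' }
```

Any row that shows up is worth comparing against a known-good machine before changing or deleting the value.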