Blog

Escaping an AD Replication Island

On a dark and stormy night an Active Directory upgrade was underway: Windows Server 2003 domain controllers were being decommissioned, consolidated and replaced with Windows Server 2008 R2 servers. Suddenly I got a call from those doing the upgrade: “I can’t see some of the new domain controllers on the existing domain controllers, what’s wrong?” A replication island had been created and several domain controllers were trapped on it. Could we rescue them in time?


Follow up #1 on How does Identity Management Impact the Bottom Line? Selling IDM

In my presentation last week at #OCGUS15, The Redmond Summit put on by my friends at OCG, on “How does Identity Management Impact the Bottom Line? Selling IDM”, I illustrated how understanding more about financial statements such as Profit/Loss statements and Balance Sheets can be helpful. Here is a link to learn more: http://www.investopedia.com/articles/basics/06/financialreporting.asp. Among other things, this helps you articulate how your projects and programs can impact the bottom line, for example how user provisioning/deprovisioning impacts the Profit and Loss Statement:


Redmond Summit 2015

I am looking forward to presenting in an hour or so on “How Identity Management Impacts the Bottom Line.” Yesterday I had fun delivering a session on “ADFS vs Password Sync? It depends.” This morning Alex Simons of Microsoft revealed a few new things that change some of my advice: soon Azure AD will be able to do location restriction by application for SSO, which potentially eliminates a deal breaker for some people, and you can now run Password Sync and ADFS at the same time.


'Twas the night before Christmas

‘Twas the night before Christmas, when all through the internet
Not an identity was stirring, not even a Passport .NET
The user account requests were submitted with care
Hoping that their access would soon be there
The users were nestled all snug in their beds
While visions of being able to do their jobs danced in their heads
The servers and computers were in sleep mode
Awaiting someone to move a mouse and send the wake up code


Speaking at 2015 Redmond Summit (Jan 27-29 '15)

I will be speaking at the 2015 Redmond Summit: Where Identity Meets Enterprise Mobility. This summit is put on by my friends at Oxford Computer Group. I will be speaking on Password Sync vs. ADFS. Then the next day I will speak on the Business track about How Identity Management Impacts the Bottom Line. See you there January 27-29, 2015 in Redmond, WA on the Microsoft Campus. Join OCG, Microsoft, and industry experts for two and a half days of networking and talks on the latest thinking on identity and enterprise mobility.


What AD Attributes are indexed? ANR? Tuple? PowerShell

The script below is something I use to quickly look and see what is indexed in an AD environment. Each query walks the schema partition one level down and tests a single bit of the searchFlags attribute with the LDAP_MATCHING_RULE_BIT_AND rule (OID 1.2.840.113556.1.4.803): bit 32 (0x20) is the tuple index, bit 4 (0x4) is ANR, and bit 1 (0x1) is the plain index.

```powershell
Import-Module ActiveDirectory

# The schema partition holds one attributeSchema object per attribute;
# searching OneLevel below it returns them all.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$properties = 'objectClass', 'name', 'whenChanged', 'whenCreated', 'lDAPDisplayName'

Write-Host "Tuple Index Enabled Attributes"          # searchFlags bit 0x20 (fTUPLEINDEX)
Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=32)" -Properties $properties |
    Out-GridView

Write-Host "ANR Enabled Attributes"                  # searchFlags bit 0x4 (fANR)
Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=4)" -Properties $properties |
    Out-GridView

Write-Host "Indexed Enabled Attributes"              # searchFlags bit 0x1 (fATTINDEX)
Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=1)" -Properties $properties |
    Out-GridView
```
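The three queries above test one searchFlags bit each. As an added example (my own code, not from the original post), the function below reads searchFlags once per attribute and decodes every bit, using the bit values defined in MS-ADTS section 2.2.9. That goes a little beyond the post: the same bitmask also carries the Confidential (0x80) and RODC-filtered (0x200) bits, which decide whether an attribute is readable with plain read permission and whether it replicates to read-only DCs, so a review of what is searchable is a good moment to review those too. The function and parameter names are my own; it assumes the ActiveDirectory module and a reachable domain controller.

```powershell
# Added example, not code from the original post.
# Bit values are from MS-ADTS 2.2.9 (searchFlags).
Import-Module ActiveDirectory

$SearchFlagNames = [ordered]@{
    0x0001 = 'Indexed'               # fATTINDEX
    0x0002 = 'ContainerIndexed'      # fPDNTATTINDEX
    0x0004 = 'ANR'                   # fANR (ambiguous name resolution)
    0x0008 = 'PreserveOnDelete'      # fPRESERVEONDELETE (kept on the tombstone)
    0x0010 = 'CopyOnDuplicate'       # fCOPY
    0x0020 = 'TupleIndexed'          # fTUPLEINDEX (medial substring searches)
    0x0040 = 'SubtreeIndexed'        # fSUBTREEATTINDEX
    0x0080 = 'Confidential'          # fCONFIDENTIAL (read needs CONTROL_ACCESS)
    0x0100 = 'NeverValueAudit'       # fNEVERVALUEAUDIT
    0x0200 = 'RODCFiltered'          # fRODCFilteredAttribute (not replicated to RODCs)
    0x0400 = 'ExtendedLinkTracking'  # fEXTENDEDLINKTRACKING
    0x0800 = 'BaseOnly'              # fBASEONLY
    0x1000 = 'PartitionSecret'       # fPARTITIONSECRET
}

function ConvertFrom-SearchFlags {
    # Turn a searchFlags integer into a comma-separated list of flag names.
    param([Parameter(Mandatory)][int]$Value)
    $names = foreach ($bit in $SearchFlagNames.Keys) {
        if ($Value -band $bit) { $SearchFlagNames[$bit] }
    }
    if ($names) { $names -join ',' } else { 'None' }
}

function Get-SchemaAttributeSearchFlags {
    # One row per attributeSchema object matching $Filter, with searchFlags decoded.
    param([string]$Filter = '(objectClass=attributeSchema)')
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel -LDAPFilter $Filter `
        -Properties lDAPDisplayName, searchFlags, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Attribute   = $_.lDAPDisplayName
                SearchFlags = [int]$_.searchFlags     # $null (never set) becomes 0
                Decoded     = ConvertFrom-SearchFlags -Value ([int]$_.searchFlags)
                WhenChanged = $_.whenChanged
            }
        }
}

# Usage: every attribute that is indexed in any way (bits 1, 2, 32, 64) or confidential (128).
$bitAnd = '1.2.840.113556.1.4.803'
$interesting = "(&(objectClass=attributeSchema)(|" +
    "(searchFlags:${bitAnd}:=1)(searchFlags:${bitAnd}:=2)" +
    "(searchFlags:${bitAnd}:=32)(searchFlags:${bitAnd}:=64)" +
    "(searchFlags:${bitAnd}:=128)))"
Get-SchemaAttributeSearchFlags -Filter $interesting |
    Sort-Object Attribute | Format-Table -AutoSize
```

Sorting by WhenChanged instead of Attribute is the quickest way to spot a recently added index or a recently cleared Confidential bit, which is a schema change worth a ticket.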


SQL Maintenance for FIM and any other databases

An easy way to take care of your FIM databases is to “use Ola Hallengren’s script (http://ola.hallengren.com/scripts/MaintenanceSolution.sql). Download the script, adjust the backup paths and run the script on each instance of SQL Server. It will automatically create several jobs, some for maintaining the system databases and some for maintaining the user databases. You will need to create schedules for each of the jobs.” – FIM Best Practices Volume 1


Mistaken Identity

Years ago, I walked into a client site a few months into an Identity Management project, and the PM told me his account had been deactivated by mistake: an employee with the same last name and same first initial was terminated, and they terminated his account instead. Ironic. A few years before that I visited a client whose VP of HR had his account disabled when they let the janitor go.


Phoenix MVP Roadshow Transform the DataCenter Wed Sept 24 4 PM-8PM

Register now to attend the MVP Roadshow, Sept 24th, 4 PM - 8 PM. I will be presenting on why we want to get to Active Directory based on Windows Server 2012 R2 and how to get there. My fellow MVPs will be covering the rest of the agenda. I also created an IT clue game to play in small groups where the objective is to figure out who stole the data and how it could have been prevented.


ADUC Common Queries: Days Since Last Logon

Recently a client asked me how Active Directory Users and Computers (ADUC) performs the Days Since Last Logon query found in the Find dialog box’s Common Queries option. lastLogon is not replicated, so to really get it you have to query every single DC. So I was reasonably certain that the query didn’t use lastLogon but rather used lastLogonTimestamp, which was created “to help identify inactive computer and user accounts.”
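As an added example (my own code, not from the original post), the function below does the work the post describes: it asks every domain controller for its copy of the unreplicated lastLogon, keeps the most recent one, and reports it next to the replicated lastLogonTimestamp that ADUC relies on. The function name is my own; it assumes the ActiveDirectory module, that every DC returned by Get-ADDomainController is reachable over LDAP (an unreachable DC is reported rather than silently skipped), and it states the default lastLogonTimestamp update interval from memory: the value is only rewritten when the stored copy is older than msDS-LogonTimeSyncInterval (14 days by default) minus a random 0 to 5 days, so it can trail the true last logon by up to about two weeks.

```powershell
# Added example, not code from the original post.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    # Returns the replicated lastLogonTimestamp, the highest lastLogon held by
    # any DC, and the per-DC values that produced it, for one account.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $perDc = foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
            [pscustomobject]@{
                DC        = $dc.HostName
                # lastLogon is a FILETIME; 0 / $null means "never logged on here".
                LastLogon = if ($u.lastLogon) { [DateTime]::FromFileTime($u.lastLogon) } else { $null }
                Error     = $null
            }
        } catch {
            # A DC that cannot be queried has no vote, but the gap must be visible,
            # or "true" last logon is just the newest value among the DCs that answered.
            [pscustomobject]@{ DC = $dc.HostName; LastLogon = $null; Error = $_.Exception.Message }
        }
    }

    $replicated = (Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp).lastLogonTimestamp
    $lastLogonTimestamp = if ($replicated) { [DateTime]::FromFileTime($replicated) } else { $null }
    $trueLastLogon = ($perDc | Where-Object LastLogon | Sort-Object LastLogon -Descending |
        Select-Object -First 1).LastLogon
    $now = Get-Date

    [pscustomobject]@{
        SamAccountName              = $SamAccountName
        LastLogonTimestamp          = $lastLogonTimestamp      # what ADUC's query uses
        DaysSinceLastLogonTimestamp = if ($lastLogonTimestamp) { [int]($now - $lastLogonTimestamp).TotalDays } else { $null }
        TrueLastLogon               = $trueLastLogon           # max lastLogon across all DCs
        DaysSinceTrueLastLogon      = if ($trueLastLogon) { [int]($now - $trueLastLogon).TotalDays } else { $null }
        UnreachableDCs              = @($perDc | Where-Object Error | Select-Object -ExpandProperty DC)
        PerDC                       = $perDc
    }
}

# Usage: compare the two views for one account before acting on a "stale" list.
Get-TrueLastLogon -SamAccountName 'jdoe' | Format-List
```

The practical rule that falls out of this: use lastLogonTimestamp (or the ADUC query) to build a candidate list of inactive accounts, but before disabling anything on that list, confirm with the per-DC lastLogon sweep, and treat an account whose DaysSinceLastLogonTimestamp is under the sync interval as current regardless of what any single DC says.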
