Connect PowerShell to your Azure Subscription using Azure AD account


Just a cross-post highlighting my blog entry on our team blog, “Ask PFE Platforms”, about using Azure AD to connect PowerShell to an Azure Subscription.

“A while back I had shared with you a way to connect PowerShell to your Azure Subscription via the certificate method using the Get-AzurePublishSettingsFile cmdlet. This method works as long as the subscription and certificates are valid, and it has limitations when more than one person is expected to be able to access the subscription. Also, Azure Resource Manager doesn’t accept certificate based authentication. Today, I would like to give you a quick overview of an alternative way using an Azure AD account. Going forward, this is a preferred way as it enables a mechanism to manage a subscription and is compatible with Azure Resource Manager.”

Check it out…

Building a VM in Windows Azure using PowerShell in a few quick steps


Just a cross-post highlighting my blog entry on our team blog, “Ask PFE Platforms”, about building a VM in Windows Azure using PowerShell.

“… today I would like to walk you through building a VM in Windows Azure using your favorite management tool ‘PowerShell’, and in doing so you will also unlock 133 cmdlets that will help you manage other services you may have running in Windows Azure. If you have not signed up for a 90 day trial yet, I suggest you give it a try. Also, did you know that if you have an existing MSDN subscription, you may be entitled to up to 1500 compute hours, that’s $6500 in annual Windows Azure benefits at no charge.”

Check it out…


PowerShell Web Access in Windows Server 2012



Just a cross-post highlighting my blog entry on our team blog, “Ask PFE Platforms”, about a neat feature in Windows Server 2012 called PowerShell Web Access.

“… can use the new PowerShell Web Access (PSWA) feature in Windows Server 2012 to allow remote administrative access to a set of servers in your IT infrastructure. Furthermore, you can granularly delegate access and only expose specific administrative privileges to different levels of support teams in your IT environment. PowerShell Web Access (PSWA) brings great remote manageability in Windows Server 2012. It acts as a gateway to provide full or limited access into the PowerShell sessions on remote servers.”

Check it out…

Windows Server 2012 RTM today, get started with these great free resources!



1. Visit the launch site and review the technology specific sessions.

2. Download the evaluation copy of Windows Server 2012 from here.

3. Don’t have a lab? You can do a dual-boot install with a pre-built downloadable VHD; follow these instructions.

4. Can’t do dual boot? Build your lab environment in the Windows Azure cloud environment.

5. Grab free eBook on Windows Server 2012 by Mitch Tulloch.

6. Watch these Windows Server 2012 Jump Start Technical Training Videos.



Enjoy!!

New Cmdlets added to Active Directory Module to PowerShell v3 in Windows Server 8 (Dev Preview)



While the total number of cmdlets and functions in PowerShell v3 (all modules) has increased to 2300, the Active Directory Module in particular gained 58 new cmdlets, listed below. Keep in mind that this is a pre-beta release and things are subject to change. A lot of the new cmdlets are focused on the new claims-based ‘Dynamic Access Control’ in Windows Server 8, and among others there are a few for the management of AD’s physical topology.

· Add-ADCentralAccessPolicyMember

· Add-ADResourcePropertyListMember

· Clear-ADClaimTransformLink

· Get-ADCentralAccessPolicy

· Get-ADCentralAccessRule

· Get-ADClaimTransformPolicy

· Get-ADClaimType

· Get-ADDCCloningExcludedApplicationList

· Get-ADReplicationAttributeMetadata

· Get-ADReplicationConnection

· Get-ADReplicationFailure

· Get-ADReplicationPartnerMetadata

· Get-ADReplicationQueueOperation

· Get-ADReplicationSite

· Get-ADReplicationSiteLink

· Get-ADReplicationSiteLinkBridge

· Get-ADReplicationSubnet

· Get-ADReplicationUpToDatenessVectorTable

· Get-ADResourceProperty

· Get-ADResourcePropertyList

· Get-ADResourcePropertyValueType

· Get-ADTrust

· New-ADCentralAccessPolicy

· New-ADCentralAccessRule

· New-ADClaimTransformPolicy

· New-ADClaimType

· New-ADReplicationSite

· New-ADReplicationSiteLink

· New-ADReplicationSiteLinkBridge

· New-ADReplicationSubnet

· New-ADResourceProperty

· New-ADResourcePropertyList

· Remove-ADCentralAccessPolicy

· Remove-ADCentralAccessPolicyMember

· Remove-ADCentralAccessRule

· Remove-ADClaimTransformPolicy

· Remove-ADClaimType

· Remove-ADReplicationSite

· Remove-ADReplicationSiteLink

· Remove-ADReplicationSiteLinkBridge

· Remove-ADReplicationSubnet

· Remove-ADResourceProperty

· Remove-ADResourcePropertyList

· Remove-ADResourcePropertyListMember

· Set-ADCentralAccessPolicy

· Set-ADCentralAccessRule

· Set-ADClaimTransformLink

· Set-ADClaimTransformPolicy

· Set-ADClaimType

· Set-ADReplicationConnection

· Set-ADReplicationSite

· Set-ADReplicationSiteLink

· Set-ADReplicationSiteLinkBridge

· Set-ADReplicationSubnet

· Set-ADResourceProperty

· Set-ADResourcePropertyList

· Sync-ADObject

· Test-ADServiceAccount

My First look at Windows Server 8 Developer Preview version and promoting a DC therein



Yesterday marked the day when an early Windows Server 8 Developer Preview version was released. I spun it up and took it for a test drive: I installed ADDS and promoted a DC, and following are some screenshots I took.


After the setup was complete..



After the ADDS binaries are installed, you then promote the server to DC role.


Above was an error about not being able to set the DFL to native Win8, so I went back and set it to W2K8 R2 along with the same FFL.


As seen in the last screenshot, enabling the AD Recycle Bin is now possible via the GUI, i.e. ADAC.

More Win8 Server stuff to follow.

Directory Service: Event ID 1480 and 1393, replication halted due to low disk space


The information provided in event logs is often not too clear, but it has definitely gotten better starting in W2K8. I recently encountered an issue where replication delays to a certain DC were reported. I immediately looked at the repadmin replication summary and noticed that my deltas, which usually stayed within an hour, had jumped up to ~13 hours.




The ‘destination DSA’ section gives you a clue about the DC that’s having issues pulling replicated changes in. I looked at the event logs on that DC and filtered the Directory Service log to around 13 hours earlier. I noticed event IDs 1393 and 1480, citing the low disk space issue and how it had paused the Netlogon service. Luckily there was no “user authentication traffic” against this DC, as it was a hub-site DC with no user subnet tied to this site; otherwise the impact would have been bigger, with users not being able to log on to their workstations. The replication lag in this instance was reported by an internal application portal that was not reflecting the changes that had been made in AD. Nonetheless, it was an issue that had to be fixed.






A low disk space issue on a DC is a serious issue in any case, but in this instance a FIM job had just run that had imported thousands of new objects, incurring a slight NTDS size change. This is one of the reasons I don’t like to put NTDS and SYSVOL on the system partition. I did perform a clean-up of some unneeded and temp files, but the long-term solution is to relocate the DB to a different drive/volume.


Immediately after, replication was back to normal.
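As an added example (not from the original post), a quick health check to run on a DC that flags the two conditions described above, the NTDS database sitting on the system volume and that volume running low on space, and counts any 1393/1480 events from the last day. It assumes it runs locally on the DC with administrative rights; the 5 GB threshold is an assumption to tune.

```powershell
# Added example, not the post's own code. Reads the NTDS paths from the registry,
# checks free space on the volume holding ntds.dit, and looks for the low-disk events.
function Test-NtdsDiskHealth {
    param([int]$MinFreeGB = 5)   # assumed alert threshold; pick what fits your DIT growth
    $ntds  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dit   = $ntds.'DSA Database file'          # full path to ntds.dit
    $logs  = $ntds.'Database log files path'    # ESE transaction log directory
    $drive = Split-Path -Qualifier $dit         # e.g. C:
    $disk  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)

    # Events 1393 and 1480 from the post: AD DS paused updates/replication for lack of space
    $filter = @{ LogName = 'Directory Service'; Id = 1393, 1480; StartTime = (Get-Date).AddDays(-1) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DatabasePath          = $dit
        LogPath               = $logs
        OnSystemVolume        = ($drive -eq $env:SystemDrive)   # the layout the post argues against
        FreeGB                = $freeGB
        LowSpace              = ($freeGB -lt $MinFreeGB)
        LowSpaceEventsLast24h = @($events).Count
    }
}

# Usage (on the DC): show details when any of the three flags trips
# $r = Test-NtdsDiskHealth -MinFreeGB 5
# if ($r.OnSystemVolume -or $r.LowSpace -or $r.LowSpaceEventsLast24h -gt 0) { $r | Format-List }
```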



PowerShell : Exporting multi-valued attribute via Export-Csv cmdlet


Multi-valued attributes are hard to export to a CSV via the Export-Csv cmdlet, as the exported cell just shows the type name of the collection rather than its values when opened in Excel/Notepad.

For instance, take a look below at what happens when I try to export the proxyAddresses attribute values in the PowerShell console and then to a CSV.



I found out that using the join function, i.e. @{Name='proxyAddresses';Expression={[string]::join(";", ($_.proxyAddresses))}}, exports all of the values from a multi-valued attribute to a CSV properly.

So, this is how it would look for the query I ran above:

Get-QADUser test.user1 -IncludeAllProperties | select name,@{Name='proxyaddresses';Expression={[string]::join(";", ($_.proxyaddresses))}} | Export-Csv .\testUser1.csv

This exports all of the values to the spreadsheet/CSV.


This should also come in handy when you are trying to retrieve the ‘memberOf’ attribute of users and export all the groups a user is a member of to a CSV. Just replace the attribute you are after in the join function above.

Add the -NoTypeInformation parameter (abbreviated -NoType) at the end of the Export-Csv cmdlet to avoid the #TYPE information in the first row of the CSV.
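As an added example (not the post's own command), here is the join trick generalised so that any multi-valued property (proxyAddresses, memberOf, and so on) is flattened before Export-Csv, instead of hand-writing one calculated property per attribute. Constructed sample objects stand in for Get-QADUser / Get-ADUser output so it runs offline; the function name and the sample values are assumptions.

```powershell
# Added example, not from the original post. Joins every enumerable property of an
# object into one delimited string so Export-Csv writes the values, not the type name.
function ConvertTo-FlatRow {
    param(
        [Parameter(ValueFromPipeline)] $InputObject,
        [string] $Separator = ';'    # must be a character that never occurs inside the values
    )
    process {
        $row = [ordered]@{}
        foreach ($prop in $InputObject.PSObject.Properties) {
            $value = $prop.Value
            # Strings are IEnumerable too, so exclude them; anything else that enumerates
            # (string[], ADPropertyValueCollection, ...) gets joined into one cell.
            if ($value -is [System.Collections.IEnumerable] -and $value -isnot [string]) {
                $row[$prop.Name] = [string]::Join($Separator, @($value | ForEach-Object { "$_" }))
            } else {
                $row[$prop.Name] = $value
            }
        }
        [pscustomobject]$row
    }
}

# Constructed sample standing in for a user object with two multi-valued attributes
$sample = [pscustomobject]@{
    name           = 'test.user1'
    proxyAddresses = @('SMTP:test.user1@techevan.lab', 'smtp:tuser1@techevan.lab')
    memberOf       = @('CN=Test Group,OU=Groups,DC=techevan,DC=lab',
                       'CN=Domain Users,CN=Users,DC=techevan,DC=lab')
}
$sample | ConvertTo-FlatRow | Export-Csv .\testUser1.csv -NoTypeInformation

# Against a real directory (assumed cmdlet/parameters of the AD module):
# Get-ADUser test.user1 -Properties proxyAddresses,memberOf | ConvertTo-FlatRow |
#     Export-Csv .\testUser1.csv -NoTypeInformation
```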

Auditing Group Membership changes


I often get asked this question: “how do I audit group membership changes?” While a lot of AD change-monitoring tools (Quest, Netwrix, etc.) have nice reports that can be generated to look up this information, this question comes up when a change auditor product for AD is not in the picture. Let me cover the highlights here.

1. You need to have auditing enabled via Group Policy:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy



2. In order to see on which DC the change was made, you can look up the object’s replication metadata via repadmin.

repadmin /showobjmeta test-dc01 "CN=Test Group,OU=Groups,DC=techevan,DC=lab"

Towards the end of the output you see, in this example, an “ABSENT” entry showing on which DC a particular user was removed from this group.

Type     Attribute  Last Mod Time        Originating DSA     Loc.USN  Org.USN  Ver  Distinguished Name
=======  =========  ===================  ==================  =======  =======  ===  =========================
ABSENT   member     2010-11-05 16:55:28  TestSite\TEST-DC01  749327   749327   2    CN=Rick Sheikh,OU=Users,DC=techevan,DC=lab


3. You can comb the logs on that DC using EventComb or Event Viewer. Event ID 4729 is logged when a member is removed from a global group.


Some other important Event IDs for User and Group Auditing in Windows Server 2008 R2 are these:

4727 – A security-enabled global group was created.

4728 – A member was added to a security-enabled global group.

4730 – A security-enabled global group was deleted.

4731 – A security-enabled local group was created.

4732 – A member was added to a security-enabled local group.

4733 – A member was removed from a security-enabled local group.

4734 – A security-enabled local group was deleted.

4735 – A security-enabled local group was changed.

4737 – A security-enabled global group was changed.

4754 – A security-enabled universal group was created.

4755 – A security-enabled universal group was changed.

4756 – A member was added to a security-enabled universal group.

4757 – A member was removed from a security-enabled universal group.

4758 – A security-enabled universal group was deleted.
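As an added example (not from the original post), this pulls the member add/remove events listed above from one DC’s Security log and flattens them into records that can be filtered or piped to Export-Csv. It assumes auditing is enabled and that you can read the Security log on that DC; 'TEST-DC01' is the hypothetical DC name from the post, and the function name is an assumption.

```powershell
# Added example, not the post's own code. The change is only logged on the DC where it
# originated (the Originating DSA from repadmin /showobjmeta), so query that DC, not any DC.
$GroupEventText = @{
    4728 = 'Member added to global group';    4729 = 'Member removed from global group'
    4732 = 'Member added to local group';     4733 = 'Member removed from local group'
    4756 = 'Member added to universal group'; 4757 = 'Member removed from universal group'
}

function Get-GroupMembershipChange {
    param(
        [string]   $ComputerName = 'TEST-DC01',
        [datetime] $StartTime    = (Get-Date).AddDays(-1),
        [int[]]    $Id           = @($GroupEventText.Keys)
    )
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $StartTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # The useful fields live in EventData as named <Data> elements:
            # MemberName (DN of the member), TargetUserName/TargetDomainName (the group),
            # SubjectUserName/SubjectDomainName (the account that made the change).
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                DC        = $_.MachineName
                EventId   = $_.Id
                Action    = $GroupEventText[[int]$_.Id]
                Group     = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
                Member    = $data.MemberName
                ChangedBy = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            }
        }
}

# Usage: every add/remove on TEST-DC01 in the last day, saved as CSV without the #TYPE line
# Get-GroupMembershipChange -ComputerName 'TEST-DC01' |
#     Export-Csv .\GroupChanges.csv -NoTypeInformation
```

Group “changed” events (4735, 4737, 4755) carry no MemberName field, which is why the default ID list sticks to the add/remove events.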


More reading here:

Running PowerShell under “run-as” or elevated privileges


There are times when I am in a PowerShell session and pass another set of credentials to the Connect-QADService cmdlet via the –Credential parameter to connect to another domain. Often, however, I would launch PowerShell under “run-as” with the elevated credentials and open a native session, and I would have multiple sessions going at the same time. For the latter scenario, I needed a way to identify which is which in order to adhere to safe practice. There are probably other ways to tackle this, but you can create a PowerShell profile in each of your elevated sessions and change the look and feel as below.

Launch PowerShell under run-as and run this:

new-item -path $profile -type file -force

notepad $profile

And add the following line into your profile


You may also want a different window title for your admin session; for that, you can add this:

$a = (Get-Host).UI.RawUI
$a.WindowTitle = "Admin Session"

Save the changes in the notepad and launch your elevated PowerShell session to see the results.
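As an added example (not the post's own profile line), here is a profile snippet that checks the process token instead of relying on which window you launched, so the elevated session marks itself and a non-elevated one only gets a title. The colour choices are assumptions.

```powershell
# Added example, not from the original post. Drop it into $profile; in a non-elevated
# window it only sets the title. Note: Connect-QADService -Credential does not change the
# process token, so a session that merely holds alternate credentials is not flagged here.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$ui = (Get-Host).UI.RawUI
if ($isAdmin) {
    $ui.WindowTitle     = "ADMIN SESSION - $($identity.Name)"   # who the token belongs to
    $ui.BackgroundColor = 'DarkRed'                              # hard to mistake for a normal shell
    $ui.ForegroundColor = 'White'
    Clear-Host                                                   # repaint with the new colours
    function prompt { "[ADMIN] $($executionContext.SessionState.Path.CurrentLocation)> " }
} else {
    $ui.WindowTitle = "Standard session - $($identity.Name)"
}
```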


See this for more changes and tweaks you can do to a PowerShell console.