Confusion over accounts used to access Microsoft’s online services

I recently bought a new computer, for family use (the Lenovo Flex 15 that I was whinging about the other week finally turned up). As it’s a new PC, it runs Windows 8 (since upgraded to 8.1) and I log in with my “Microsoft account”. All good so far.

I set up local accounts for the kids, with parental controls (if you don’t use Windows Family Safety, then I recommend you do! No need for meddling government firewalls at ISP level – all of the major operating systems have parental controls built in – we just need to be taught to use them…), then I decided that my wife also needed a “Microsoft account” so she could be registered as a parent to view the reports and over-ride settings as required.

Because my wife has an Office 365 mailbox, I thought she had a “Microsoft account” and I tried to use her Office 365 credentials. Nope… authentication error. It was only some time later (after quite a bit of frustration) that I realised that the “Organization account” used to access a Microsoft service like Office 365 is not the same as a “Microsoft account”. Mine had only worked because I have two accounts with the same username and password (naughty…) but they are actually two entirely separate identities. As far as I can make out, “organization accounts” use the Windows Azure Active Directory service whilst “Microsoft accounts” have their heritage in Microsoft Passport/Windows Live ID.

Tweeting my frustrations I heard back from a number of online contacts – including journalists and MVPs – and it seems to be widely accepted that Microsoft’s online authentication is a mess.

As Jamie Thomson (@JamieT) commented to Alex Simons (@Alex_A_Simons – the Programme Director for Windows Azure Active Directory), if only every “organization account” could have a corresponding “Microsoft account” auto-provisioned, life would be a lot, lot simpler.

Working with Exchange 2013 dynamic distribution groups based on custom directory attributes

I’m attending a training course this week (getting back up to speed with Exchange using the Core Solutions of Microsoft Exchange Server 2013 course) and I found that one of the labs wasn’t working. I probably missed a step somewhere and I wanted to verify a dynamic distribution group based on a custom attribute.

Back in the days when I was hands-on with Exchange, there was an Exchange-aware version of Active Directory Users and Computers (ADUC) to work with, but that disappeared in 2007. These days, the solution is to open ADUC, enable the Advanced view and then look at the Attribute Editor. It took some searching, but I found that what Exchange refers to as Custom Attribute 1-15 is known in Active Directory by the LDAP names extensionAttribute1 (to extensionAttribute15).

Once I’d edited extensionAttribute1 in the user object(s) to add the value the dynamic distribution group was looking for, they were picked up and mail flowed as expected.

One last point: whilst Exchange 2013 doesn’t allow you to preview the contents of dynamic distribution groups within the Exchange Admin Center, it is possible inside the Exchange Management Shell.

[Update: Custom attributes can also be set in EAC (under more options for mailbox properties) as well as in EMS, where the attribute is known as CustomAttribute1.]
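As an added example (not code from the original post), this is what the two points above look like in the Exchange Management Shell: setting CustomAttribute1 on a mailbox, and previewing which recipients a dynamic distribution group would currently expand to. The group name, mailbox identities and attribute value are assumed placeholders.

```powershell
# Added example, not from the original post. Group and mailbox names are assumed.
$groupName = 'Sales-Dynamic'      # assumed dynamic distribution group
$users     = 'alice', 'bob'       # assumed mailbox identities

# A dynamic distribution group whose filter keys on CustomAttribute1
# (shown in ADUC's Attribute Editor as extensionAttribute1).
New-DynamicDistributionGroup -Name $groupName `
    -RecipientFilter "(RecipientType -eq 'UserMailbox') -and (CustomAttribute1 -eq 'Sales')"

# Set the attribute on the mailboxes that should be picked up.
foreach ($u in $users) {
    Set-Mailbox -Identity $u -CustomAttribute1 'Sales'
}

# Confirm the value landed, as Exchange sees it.
$users | ForEach-Object { Get-Mailbox -Identity $_ } |
    Format-Table Name, CustomAttribute1

# EAC in Exchange 2013 has no membership preview, but EMS does: evaluate the
# group's own recipient filter, scoped to the group's recipient container.
$dg = Get-DynamicDistributionGroup -Identity $groupName
Get-Recipient -RecipientPreviewFilter $dg.RecipientFilter `
              -OrganizationalUnit $dg.RecipientContainer |
    Format-Table Name, RecipientType, CustomAttribute1
```

If a mailbox you expect is missing from the preview, the filter string and the attribute value are the first things to compare, since the match is exact.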

Searching Active Directory with PowerShell and a user’s phone number

I have a guilty secret: I screen my incoming phone calls. I no longer answer blocked numbers on my work phone – it’s always PPI spam – and I recognise the numbers of those I work closely with, so I can prioritise my response (i.e. do I want to be interrupted by that person, or can I respond to voicemail later?). To be honest, it’s just the same with email – some people will get an immediate response, others will need more thought and I’ll respond when I have more time (or not, in some cases). Is it unprofessional? I don’t think so – it’s about time management.

Recently, I had a missed call on my mobile from a number I didn’t recognise. I could see it was internal (all of our mobile phones have the same first few digits) so I thought I’d search the Global Address List in Outlook. Unfortunately though, Outlook doesn’t let me search the GAL on phone numbers…

I could have just called them back (actually, I did!) but the geek in me had the bit between the teeth… could I script up some kind of reverse lookup for phone numbers? And, in true Barack Obama (or Bob the Builder if you’re on this side of the Atlantic) style, the answer turns out to be:

“Yes, we can!”

So, if you use a Windows PC and you like scripting, read on. If you don’t, probably best just call the number back and see who answers!

Getting ready to query Active Directory with PowerShell

The first hurdle was that, in order to query Active Directory from PowerShell, I needed to have the Remote Server Administration Tools (RSAT) component installed on my Windows 7 workstation, and it’s actually a two-step installation process.

  1. Firstly, download and install the RSATs to the workstation.
  2. In Control Panel, Programs, Programs and Features, Turn Windows features on or off, make sure that the Active Directory Module for Windows PowerShell is available under Role Administration Tools, AD DS and AD LDS Tools.

Once the RSATs were installed and the Active Directory Module for Windows PowerShell was enabled, I could fire up Windows PowerShell and issue the command to load the Active Directory management cmdlets:

Import-Module ActiveDirectory

Finding the available attributes to search against

Next up, I needed to know which properties are available for an Active Directory User object. I used my own email address as a filter to Get-User, which retrieved the details for the given AD User object, then selected all properties and piped the resulting output into Get-Member (which gets the properties and methods of objects):

Get-ADUser -Filter {EmailAddress -like ""} -Properties * |
Get-Member -MemberType property

Building up confidence, I started to play around and query individual attributes for the selected object:

$user = Get-ADUser -Filter {EmailAddress -like ""} -Properties *

I found that each of these returned the information I would expect for my own user account in Active Directory.

Constructing the query

The next step was to search the whole directory but this time to filter the properties returned and to pipe through Where-Object to match certain criteria, then pipe the resulting output from that query into a table:

Get-AdUser -Filter * -Properties OfficePhone |
Where-Object {$_.UserPrincipalName -match "Wilson"} |
Format-Table OfficePhone,UserPrincipalName

This returns the office phone number for everyone whose user name contains the string Wilson. That tested the principle but was not the query I was trying to create, so I edited the query to match a search string against several phone number properties (making sure that all the properties that need to be displayed are included in the properties retrieved) and also prompted for the search string, storing it in a variable:

$Search = Read-Host 'What number would you like to search for?'
Get-ADUser -Filter * -Properties OfficePhone,MobilePhone,TelephoneNumber |
Where-Object {$_.OfficePhone -match $Search -or
              $_.MobilePhone -match $Search -or
              $_.TelephoneNumber -match $Search} |
Format-Table GivenName,Surname,OfficePhone,MobilePhone,TelephoneNumber

This time, the resulting output was exactly what I was after – a single entry matching the partial phone number I’d asked it to match (824753 in the example below):

GivenName  Surname  OfficePhone  MobilePhone    TelephoneNumber
---------  -------  -----------  -----------    ---------------
Mark       Wilson   73824753     +447xxx824753  73824753

Finally, I wrapped the whole thing up in a script and, as long as I’ve done the usual Set-ExecutionPolicy remotesigned stuff, I can perform reverse lookups on phone numbers to my heart’s content… now, if only I could have an iPhone app to do this for me when the calls come in…
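An added example, not the script from the post above: the same reverse lookup, but with two changes a practitioner would want. The search string is reduced to digits before it goes anywhere near a filter (so formatting differences such as +44 versus 0 don’t matter, and nothing but digits can reach the LDAP filter), and the substring match is done by the domain controller via -LDAPFilter rather than pulling every user with -Filter * and matching client-side. The LDAP attribute names used are the ones behind OfficePhone (telephoneNumber) and MobilePhone (mobile); the sample number is constructed.

```powershell
# Added example, not the original post's script. Sample number is constructed.
Import-Module ActiveDirectory

function Find-ADUserByPhone {
    param([Parameter(Mandatory)][string]$Number)

    # Normalise the input: keep digits only, so '+44 7xxx 824753',
    # '07xxx824753' and '73824753' all reduce to a comparable tail. Because
    # only digits survive, the value can be placed in an LDAP filter without
    # any risk of filter metacharacters (* ( ) \) altering the query.
    $digits = $Number -replace '[^0-9]', ''
    if ($digits.Length -lt 6) { throw 'Supply at least six digits to search on' }
    $tail = $digits.Substring($digits.Length - 6)

    # Server-side substring match across the common phone attributes
    # (telephoneNumber = OfficePhone, mobile = MobilePhone). Only matching
    # objects cross the wire, unlike -Filter * piped into Where-Object.
    # Caveat: this matches the stored value as-is, so a number stored with
    # spaces inside the last six digits (e.g. '824 753') will not match.
    $ldap = "(|(telephoneNumber=*$tail*)(mobile=*$tail*)(homePhone=*$tail*)(otherTelephone=*$tail*))"

    Get-ADUser -LDAPFilter $ldap -Properties OfficePhone, MobilePhone, HomePhone, OtherTelephone |
        Select-Object GivenName, Surname, UserPrincipalName,
                      OfficePhone, MobilePhone, HomePhone, OtherTelephone
}

# Usage with the partial number from the post's example output.
Find-ADUserByPhone -Number '73824753' | Format-Table -AutoSize
```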

Announcing the Windows Server User Group (WSUG)

Back in 2008, I set up a LinkedIn group after the UK Windows Server User Group’s leader, Scotty McLeod, was involved in a tragic accident and it was originally intended to provide a temporary workaround until we got the Windows Server Team site up and running again.

Towards the end of last year Mark Parris and I had a conversation around combining the UK Active Directory User Group with the UK Windows Server User Group. The reasoning behind this was that Windows Server User Group meetings had become few and far between, whereas the Active Directory User Group is an active community. At the same time, Active Directory touches almost every component of Windows Server (it does, after all, account for five of the Windows Server roles) and the division between Windows Server content and Active Directory content was becoming very blurred.

Consequently, the two user groups will now merge to become collectively known as the Windows Server User Group (WSUG).

Mark has set up a new website and forums and, whilst they still require some work, they share credentials and support both traditional user/password authentication and OpenID.

Meanwhile the LinkedIn group will still exist, but I’m honestly not sure that it provides any value and I would encourage members to sign up at the WSUG website, where we are trying to build an active Windows Server community with discussion forums and in-person meetings (generally held at Microsoft offices in the UK).

Twitter users can also follow @windowsserverug for event announcements, etc.

Please let us know what you would like to see on the forums and, if you would like to get more involved, please get in touch with either Mark Parris or myself. You can find our contact details on the WSUG site.

John Craddock whiteboards DirectAccess and Active Directory Recycle Bin

I spent yesterday evening at an Active Directory User Group (ADUG) meeting where John Craddock presented on IPv6 and DirectAccess (repeating two of John’s TechEd Europe 2009 sessions). I have to admit that, at times, I struggled to keep up as the technology went deep, but it was extremely worthwhile. I hope to find the time to write some blog posts to summarise some of the key points from the evening; however, John also has two 10 minute videos on the Dutch site NGN, in which he “whiteboards” DirectAccess and Active Directory Recycle Bin. These are worth a few minutes of your time to get a quick overview of two new technologies in Windows Server 2008 R2.

Maintaining a common user profile across different Windows versions

I wish I could take the credit for this, but I can’t: last week one of my colleagues (Brad Mallard) showed me a trick he has for creating a single user profile for multiple Microsoft operating systems. Michael Pietroforte wrote about the different user profile formats for Windows XP and Vista back in 2007 but Brad’s tip takes this a step further…

Using Group Policy Preferences, Brad suggests creating a system variable to record the operating system version for a given client computer (e.g. %osversion%) and assign it to the computer account. Then in Active Directory Users and Computers (ADUC/dsa.msc), set the user’s profile path to \\servername\sharename\%username%.%osversion%. ADUC will resolve the %username% portion but not the %osversion% part so what remains will be something like \\bigfileserver\userprofiles\mark.wilson.%osversion%.

Using this method, one user can hotdesk between several locations with different desktop operating systems (e.g. Windows XP and Windows 7). Each time they log on to a machine with a different operating system, a new profile will be created in a subfolder of their user name. Technically, that’s two profiles – but at least they are in one location for management purposes. Combine this with folder redirection for documents, IE favorites, etc. and it should be possible to present a consistent view between two operating system releases.

Learn about managing AD using PowerShell and AGPM with the Active Directory UK user group

Mark Parris is organising another meeting of the Active Directory UK User Group for 16 September 2009 and this time the topics will be:

  • An introduction to PowerShell, demo-heavy and presented by Richard Siddaway. In this session Richard will be looking specifically at the new AD provider and cmdlets in PowerShell v2, which is included in Windows Server 2008 R2.
  • Managing GPOs with Advanced Group Policy Management (AGPM) 3.0, where Jane Lewis will present AGPM (part of MDOP), investigating and discussing some of its key features and looking at how it can help customers manage, control and secure Group Policy.

Registration is required.

Joint user group meeting (Windows Server UK User Group/Active Directory UK User Group)

After lying dormant for some time, the Windows Server UK User Group (and the associated LinkedIn group) and the Active Directory UK User Group are pleased to announce a joint user group meeting on 11 March 2009 at Microsoft’s offices in London (Victoria) (map and directions).

The draft agenda is:

  • 18:00 for 18:25 arrival and registration
  • 18:25-18:30 Welcome and introductions
  • 18:30-19:45 James O’Neill takes a quick tour through the new features in Windows Server 2008 R2 (just to whet your appetite).
  • 19:45-20:00 Refreshments
  • 20:00-21:15 Amish Lukka (from Microsoft PFE) will be presenting an insight into new Active Directory features in Windows Server 2008 R2.
  • 21:15-21:30 Wrap-up.
  • 21:30 Adjourn to a nearby public house where Mark Parris will be happy to share his experiences of the Microsoft Certified Masters: Windows Server 2008: Directory class that he attended last November.

If you are interested in attending the meeting – please send an email to with your name and we’ll see you there. For those who can’t make it in person, we will set up a Live Meeting session (which will be recorded) and details will be made available closer to the event.

More Xtremely Technical seminars scheduled for spring 2009

A couple of weeks back, I was lucky enough to attend one of John Craddock and Sally Storey’s XTSeminars on Windows Server 2008 (those who were at the inaugural Active Directory User Group meeting would have got a taster). I’d blogged about the event beforehand and it really was an excellent use of my time – I can’t overstate how good these seminars are (think 2 whole days of detailed presentations and demonstrations, diving pretty deep in places, with none of the marketing overhead you would have in a Microsoft presentation).

If the credit crunch hasn’t hit your training budget yet, then you might want to consider one of the workshops that are scheduled for the spring and the current dates are:

  • 25-26 February 2009, Microsoft Active Directory Internals.
  • 11-12 March 2009, Active Directory Disaster Prevention and Recovery.
  • 18-19 March 2009, Windows Server 2008.

If you do decide that you’re interested in one of these sessions and you book onto it, please mention my name (or even get in touch with me to let me know). It won’t make any difference to your booking process, but it will help me if they know you heard about the seminars on this blog!

Book review: Active Directory Disaster Recovery, Florian Rommel

A few months ago, I was asked if I would write a review of a new book about Active Directory (AD) disaster recovery (DR) and I was more than happy to do this – especially as I’d just finished writing an AD design for a DR infrastructure at my organisation. The book in question was Florian Rommel’s Active Directory Disaster Recovery book, which claims to offer expert guidance on planning and implementing Active Directory disaster recovery plans.

AD DR is an important topic. Stop to think for a moment about how many services are reliant on this critical piece of many enterprises’ infrastructure and then consider what would happen if the AD was corrupted and no-one could log on…

…and that’s why this book is potentially useful to so many administrators charged with the correct operation of Active Directory (including troubleshooting and recovering from any issues).

The book starts out by explaining why organisations need a DR plan for AD (rather than just relying on the multi-master replication model), before moving on to look at AD design principles. The trouble is that those principles do not fit with Microsoft’s current advice for domain and forest design, and there’s also the question of whether such design concepts even belong in a disaster recovery book (it could be argued that, if you’re reading this book, then you should already know about AD – indeed, the back cover says that the book “expects the reader to be familiar with the basics of Active Directory and Windows servers”).

After two chapters of rather slow introduction the real content starts and subsequent chapters cover: designing and implementing a DR plan; strengthening AD for resilience; acting on the failure of a single DC (and then recovering from that failure); recovery of lost or deleted objects; recovering from a complete AD failure (shouldn’t that come after the single DC failure?); recovering from hardware failure; common recovery tools; and, finally, an example business continuity plan.

Regardless of whether I agree with the advice in this book, the simple fact is that I found it very difficult to read. Not because it’s technical but because English does not appear to be the native tongue of either the author or the editorial and production team. As a result the text doesn’t scan well and is too informal in places – it felt more like the technical documentation I read at work than a professionally published book. That may sound like the pot calling the kettle black but I’m writing this on a blog (where opinion should be expected) and my prose is not subject to the review, proof reading and editing that a book should be (nor do I charge you to read it).

I really want to say good things about this book as Florian Rommel clearly knows a lot about the subject. I have no doubt that he put a lot of work into its production (and I would have done a much better job of the AD design I mentioned at the head of this post had I read this book first) but the author seems to have been let down by the reviewers (James Eaton-Lee and Nathan Yocom) and by his proof reader (Dirk Manuel). I spotted a few errors that should have been picked up before publishing and there is far too much written that appears to be opinion rather than fact backed up with credible examples (in fairness, there is a bibliography but it would be better if there was a clear link between the content and the referenced source). Crucially though, for a book published in June 2008, four months after the release of Windows Server 2008, there’s no mention of any of the Active Directory changes in Microsoft’s latest server operating system.

Sadly, the end result does not justify the cover price of £36.99 or $59.99.

Active Directory Disaster Recovery by Florian Rommel is published by Packt Publishing (ISBN: 978-1-847193-27-8).