It’s been a while since I’ve updated this popular tool, and the need was brought to my attention by a peer who noticed an attribute being exported to on-premises AD (but failing):
As it turns out, the msDS-KeyCredentialLink attribute is required for Windows Hello for Business Hybrid.
I’ve updated the permissions tool to handle the msDS-KeyCredentialLink attribute (which is used in Windows Hello for Business). I’m sure there are some weird edge cases, so I’ve not only added the user to the Key Admins group, but I have also delegated RP and WP on the objects directly (I’m a belt and suspenders kind of guy).
Go grab the new version at http://aka.ms/aadpermissions.
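To confirm the delegation described above actually landed, the following added example (not part of the permissions tool) reads the ACL on one synced user and reports RP/WP on msDS-KeyCredentialLink plus Key Admins membership. The account name `MSOL_placeholder` and the user DN are placeholders to replace with your own values.

```powershell
# Added example, not part of the permissions tool. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with your connector account and a synced user.
$SyncSam = 'MSOL_placeholder'
$UserDN  = 'CN=Sample User,OU=Staff,DC=contoso,DC=com'

# Resolve the attribute's schemaIDGUID from the schema rather than hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' -Properties schemaIDGUID
if (-not $attr) { throw 'msDS-KeyCredentialLink was not found in the schema.' }
$attrGuid = [guid]$attr.schemaIDGUID

# Allow ACEs on the user object (explicit and inherited) scoped to that attribute.
# ACEs that cover all properties (empty ObjectType) are not listed by this filter.
$aces = (Get-Acl -Path "AD:\$UserDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $attrGuid }

# Every principal holding an attribute-scoped ACE, for review.
$aces | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize | Out-String | Write-Host

# Check the connector account specifically for RP and WP.
$account = "$((Get-ADDomain).NetBIOSName)\$SyncSam"
$mine    = $aces | Where-Object { $_.IdentityReference.Value -eq $account }
$adr     = [System.DirectoryServices.ActiveDirectoryRights]
$hasRP   = [bool]($mine | Where-Object { $_.ActiveDirectoryRights -band $adr::ReadProperty })
$hasWP   = [bool]($mine | Where-Object { $_.ActiveDirectoryRights -band $adr::WriteProperty })

# Check (recursive) membership of the Key Admins group.
$inKeyAdmins = [bool](Get-ADGroupMember -Identity 'Key Admins' -Recursive |
    Where-Object { $_.SamAccountName -eq $SyncSam })

[pscustomobject]@{
    Account       = $account
    ReadProperty  = $hasRP
    WriteProperty = $hasWP
    KeyAdmins     = $inKeyAdmins
}
```

Any principal in the printed table other than the connector account and the expected built-in groups is worth reviewing, since write access to this attribute controls which keys can authenticate as the user.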
Hey, all! One AAD tool update deserves another!
Every so often, I check in to make sure I’m keeping the AAD Connect Network Test Tool as fresh as I can. I’ve made a few changes to the way it works (which hopefully you all think are for the better). One of the changes that I made on another tool recently was manipulating $PSBoundParameters to set some defaults, and I decided to pull that change into here as well:
```powershell
If ($AllTests)
{
    If (!$PSBoundParameters.ContainsKey("AzureCredentialCheck")) { $AzureCredentialCheck = $true }
    If (!$PSBoundParameters.ContainsKey("Dns")) { $Dns = $true }
    If (!$PSBoundParameters.ContainsKey("Network")) { $Network = $true }
    If (!$PSBoundParameters.ContainsKey("OnlineEndPoints")) { $OnlineEndPoints = $true }
    If (!$PSBoundParameters.ContainsKey("ActiveDirectory")) { $ActiveDirectory = $true }
    If (!$PSBoundParameters.ContainsKey("SystemConfiguration")) { $SystemConfiguration = $true }
}
```
So, what I did was add a new switch parameter called AllTests. If the AllTests switch is called, then I’m going to use it to turn on all the individual test parameters. Running -AllTests is functionally equivalent to running -AzureCredentialCheck -Dns -Network -OnlineEndPoints -ActiveDirectory -SystemConfiguration. One of the benefits of doing it this way is that you can combine the AllTests parameter with an individual test parameter to exclude a certain test.
For example, -AllTests -Dns:$false will run all tests except Dns. Pretty nifty.
At any rate, in addition to that change, I’ve updated the endpoints list and put some error handling around the Resolve-DnsName cmdlets that the script uses. I ran into a use case where the network was timing out, and it spit back some unsightly errors to the screen. I don’t like when someone calls my baby ugly, and I also don’t like showing my baby being ugly. Green is good. Red is bad.
The completed result is pretty again:
I fixed a few extra little pieces as well, such as instances when the Azure AD credential check wouldn’t run, and making the -AllTests parameter on by default if no other parameters were specified.
You can get the updated tool at http://aka.ms/aadnetwork. Cheers!