Append Description to a list of users

Today I needed to append, not overwrite, the description variable for a list of users. To do this, I created a simple .txt file containing the usernames I wanted to change.


I then ran this very simple command which takes the existing Description and adds the phrase “User Enabled 07/06/2016” to the end of the Description.

Get-Content "c:\migration\userstest.txt" | get-aduser -Properties Description | ForEach-Object { Set-ADUser $_ -Description "$($_.Description) User Enabled 07/06/2016" }
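A slightly more defensive version of the same one-liner, added here rather than taken from the original post: it skips accounts that already carry the tag (so a re-run cannot append it twice), reports names that do not resolve, and supports -WhatIf for a dry run. The file path and tag text are assumptions.

```powershell
# Added example, not the original post's command. Assumes the ActiveDirectory
# module and a text file with one sAMAccountName per line.
Import-Module ActiveDirectory

function Add-DescriptionTag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ListPath,
        [Parameter(Mandatory)] [string] $Tag
    )

    Get-Content $ListPath | Where-Object { $_.Trim() } | ForEach-Object {
        $name = $_.Trim()
        $user = Get-ADUser -Identity $name -Properties Description -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "User '$name' not found; skipping"
            return
        }
        # Idempotent: running the script twice must not tag the user twice.
        if ($user.Description -and $user.Description.Contains($Tag)) {
            Write-Verbose "User '$name' already tagged; skipping"
            return
        }
        # Keep the existing text; avoid a leading space when Description is empty.
        $newDescription = if ($user.Description) { "$($user.Description) $Tag" } else { $Tag }

        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set Description to '$newDescription'")) {
            Set-ADUser -Identity $user -Description $newDescription
        }
    }
}

# Dry run first (shows each change without writing it), then run for real.
Add-DescriptionTag -ListPath "c:\migration\userstest.txt" -Tag "User Enabled 07/06/2016" -WhatIf
Add-DescriptionTag -ListPath "c:\migration\userstest.txt" -Tag "User Enabled 07/06/2016"
```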

Easy peasy lemon squeezy!

Stale Forest / External Trust

Recently I had to remove an External Trust between two domains and replace it with a Forest Trust. Simple work for an Active Directory consultant, you might think, but as with most consultancy work, it’s the simple stuff that catches you out!

After removing the external trust, I validated that it had indeed been removed by checking in Active Directory Domains & Trusts, and also by running netdom query trust. However, when trying to create the new Forest Trust, an error message was shown stating that an external trust still existed. More specifically, the error stated:

A trust relationship with the domain you specified already exists

It turned out that, although both the GUI and the netdom commands showed that the trust had been deleted, a stale object still existed. To remove this object, ADSIEdit.msc was used, which is always a risky business! The process for this was:

  1. Open ADSIEdit.msc – If you are running Server 2003, you must install the Windows Server 2003 Support Tools
  2. Connect to the Domain partition
  3. Expand the System container
  4. Find the stale object; its name will be that of the domain being trusted, and its class is trustedDomain
  5. Delete this trust object

trustedDomain object

This should allow you to create the new trust object.
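The same lookup and deletion from PowerShell, added here as an alternative to ADSIEdit and not part of the original post: it lists every trustedDomain object under CN=System (steps 3 and 4 above) and removes one by name with a dry run first. The domain name stale.example is a placeholder.

```powershell
# Added example, not the original post's procedure. Assumes the ActiveDirectory
# module and an account allowed to delete objects under CN=System.
Import-Module ActiveDirectory

$systemDN = "CN=System,$((Get-ADDomain).DistinguishedName)"

# Steps 3 and 4 of the post from the shell: every trust object in the domain,
# with enough attributes to spot the stale one.
Get-ADObject -SearchBase $systemDN -SearchScope OneLevel `
    -LDAPFilter "(objectClass=trustedDomain)" `
    -Properties trustPartner, flatName, trustDirection, trustType, whenChanged |
    Select-Object Name, trustPartner, flatName, trustDirection, trustType, whenChanged |
    Format-Table -AutoSize

# Step 5: delete only the object named after the domain that was untrusted.
# 'stale.example' is a placeholder for that domain name.
$stale = Get-ADObject -SearchBase $systemDN -SearchScope OneLevel `
    -LDAPFilter "(&(objectClass=trustedDomain)(name=stale.example))"

if ($null -eq $stale) {
    Write-Warning "No trustedDomain object named 'stale.example' found"
} elseif (@($stale).Count -gt 1) {
    Write-Warning "More than one match; refusing to delete"
} else {
    # -WhatIf prints the DN that would be removed; drop it to commit the deletion.
    Remove-ADObject -Identity $stale.DistinguishedName -Confirm:$true -WhatIf
}
```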

Imminent Exchange 2013 Hybrid Mail Flow Interruption


Do you keep your Exchange 2013 Hybrid server on the latest CU? If you don’t, read this article. If you do, read it anyway because you may still be affected! Microsoft recommend that you keep up to date with Exchange CUs if you are running in a Hybrid Office 365 environment, and this is a classic example of why that is the case.

On April 15th 2016, Microsoft will be replacing the Office 365 TLS certificate, and the new certificate will have a different Issuer and Subject. This means that if the following scenarios are true, you may face partial loss of mail flow on April 15th if you don’t take remedial action:

  • Your on-premises Exchange servers are running Exchange 2013 Cumulative Update 8 (CU8) or lower.
  • You’ve upgraded the Exchange 2013 servers that handle hybrid mailflow to Exchange 2013 CU9 or higher. However, since upgrading to CU9, you HAVE NOT re-run the Hybrid Configuration wizard (either from the Exchange Admin Center or via the direct download link).

The remedial action is as follows:

  1. If the Exchange 2013 servers handling hybrid mailflow are running Exchange 2013 CU8 or lower, follow the instructions in Updates for Exchange 2013 to install the latest cumulative update on at least one server.
  2. After you install the latest cumulative update, download the new HCW application and run the wizard following the instructions here.

There is also a manual update option for those who do not want to run the HCW again (maybe due to extensive customisation).

More details can be found here:

Thank god that the 5 Exchange Hybrid servers I just built are running CU11!


AADSync / AADConnect default Domain Controller

I came across an odd situation recently whereby my AADConnect installation had decided to communicate with a Domain Controller which was in another site, across an Active Directory replication link with a 180 minute replication interval. This was no good for my customer as they made their AD changes on the site local to AADConnect, so I decided to remedy this by forcing AADConnect to communicate with a particular DC. This can be useful for many reasons, and you can actually set a list of ‘preferred Domain Controllers’ to allow for fault tolerance.

To do this, go into the Synchronisation Service, head on over to the Connectors tab and find your Active Directory Domain Services Connector. The below example is synchronising multiple AD Forests. Once you’ve selected your domain, you can see which Domain Controller is currently in use by checking the ‘Connection Status’ area (shown in the central area of the below screenshot).

Synchronisation Service

To change the Domain Controller in use, go to the Properties tab for your domain (on the right hand ‘Actions’ pane). Go into the ‘Configure Directory Partitions’ tab and you will see a handy tick box entitled ‘Only use preferred domain controllers’.

AADConnect - Directory Partitions

Place a checkmark in this box, and a window will appear, allowing you to enter your shortlist of Domain Controllers.

AADConnect - Preferred DCs

Once you’ve entered your preferred DCs, OK your way out of these windows and hey presto, you are done! It’s a nice and easy task to perform, but not one I’ve seen documented online before.

Thanks for reading!

Setting the ImmutableID to $null

Here’s a small Friday afternoon snippet of useful information for all you Office 365/Identity nerds out there.

If you have converted an AAD user from ‘Synced with Active Directory’ to ‘In Cloud’ and you want to sync a new user object with that user, you will need to clear the ImmutableID and then match it up with the new user object. I’m planning on creating a more extensive post on that very subject in the near future, but for now, I’ll give you this titbit of information:

Clearing the ImmutableID is done using the Powershell command:

Set-MSOLUser -UserPrincipalName -ImmutableID "$null"

You might think that those quote marks are a bit pointless, but you would be wrong! If you were to run the command as shown below, without the “” marks, it wouldn’t show you an error, but it also wouldn’t actually clear the ImmutableID.

Set-MSOLUser -UserPrincipalName -ImmutableID $null

As with all things PowerShell, syntax is everything!
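The full clear-and-rematch sequence the post is building towards, added here as an example and not the original post's snippet: it clears the ImmutableID with the quoted "$null", verifies the clear took effect, then hard-matches the cloud user to the new on-premises object. The UPN and sAMAccountName are placeholders, and the block assumes the default objectGUID source anchor, the MSOnline and ActiveDirectory modules, and an existing Connect-MsolService session.

```powershell
# Added example, not the original post's snippet.
Import-Module MSOnline
Import-Module ActiveDirectory

$Upn     = "first.last@example.com"   # placeholder: the cloud user
$SamName = "first.last"               # placeholder: the NEW on-premises user

# Why the quotes matter: "$null" expands to an empty string, which is sent as
# a value; a bare $null makes PowerShell treat the parameter as not supplied,
# so the cmdlet silently changes nothing.
Set-MsolUser -UserPrincipalName $Upn -ImmutableID "$null"

# Check the clear actually happened before trying to re-match.
$cloudUser = Get-MsolUser -UserPrincipalName $Upn
if ($cloudUser.ImmutableId) {
    throw "ImmutableID still set to '$($cloudUser.ImmutableId)' for $Upn"
}

# With the default source anchor, the ImmutableID is the AD objectGUID,
# base64-encoded. Setting it on the cloud user hard-matches the two objects
# on the next sync cycle.
$adUser         = Get-ADUser -Identity $SamName
$newImmutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
Set-MsolUser -UserPrincipalName $Upn -ImmutableID $newImmutableId

"Matched $Upn to objectGUID $($adUser.ObjectGUID) (ImmutableID $newImmutableId)"
```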

ADFS Certificate Renewal

I don’t usually do this, but I love this post so much I needed to tell my readers about it. ADFS has 3 certificates assigned to it, and it’s uncommon for the token-signing and token-decrypting certificates to be trusted, 3rd party certs. They are usually left as self-signed certs. Their use scenario doesn’t demand that 3rd party certs are used, and in all honesty using these would provide no tangible benefit. So whenever I deploy ADFS, only the Service Communications certificate uses a trusted 3rd party cert.

The renewal of these self-signed certificates can be a pain and can easily be forgotten until it’s too late, so whenever I deploy ADFS for a customer, I always set the duration of these certificates to 100 years, using this handy guide!
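What that guide boils down to in cmdlets, added here as an example rather than copied from the post or the linked guide: set the self-signed certificate lifetime to 100 years, roll the token-signing and token-decrypting certificates once so the new lifetime applies, and check the result. It assumes you run it on the primary ADFS server with the ADFS module and AutoCertificateRollover left at its default of enabled.

```powershell
# Added example, not the post's linked guide.
Import-Module ADFS

# CertificateDuration is in days; 36500 days is the post's '100 years'.
# It only affects certificates generated from now on, which is why the
# post sets it at deployment time.
Set-AdfsProperties -CertificateDuration 36500

# Generate new self-signed certificates now rather than waiting for the next
# automatic rollover. Without -Urgent they are added as secondary and only
# promoted after the CertificatePromotionThreshold grace period, which gives
# relying parties and claims providers time to refresh federation metadata.
# Adding -Urgent promotes them immediately and breaks every partner that has
# not yet picked up the new keys.
Update-AdfsCertificate -CertificateType Token-Signing
Update-AdfsCertificate -CertificateType Token-Decrypting

# Verify: the newly generated certificates should expire roughly 100 years out.
Get-AdfsCertificate |
    Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' } |
    Select-Object CertificateType, IsPrimary,
        @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize
```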

Azure App Cloud Discovery & PAC Files

Azure App Cloud Discovery is a seriously cool piece of technology. Being able to scan your entire computer estate for cloud SaaS applications in either a targeted, or catch-all manner can really help discover the ‘Shadow IT’ going on in your environment. Nowadays, users not having local admin rights won’t necessarily stop them from using cloud SaaS apps in any way which is going to increase their productivity. Users don’t generally think about the impact of using such applications, and the potential for data leakage.

But, as with lots of Microsoft’s other cloud technologies which are being launched left, right and centre at the moment, the Enterprise isn’t catered for as it might hope. Most Enterprise IT departments leverage some kind of web filtering, or proxying. This may be using transparent proxying, in which case you can count your blessings as Cloud App Discovery will work just fine. If you are explicitly defining a proxy in your internet settings, then you can get around that by adding particular registry keys. However if you are using a PAC file to control access to the internet, then unfortunately Cloud App Discovery will not work for you. This is a shame as it is, in my opinion, the best way to approach web proxying in an Enterprise, but that’s another story. From what I have heard, a feature is in the works which will allow you to configure Cloud App Discovery agents to log their findings to an internal data collector. This data collector can sit on a local server and then upload data to Azure on your behalf, which is a much more elegant solution to the problem of data collection from multiple machines. However as far as I know, this feature is not available yet. I’ll be keeping my ear to the ground and will let you know if this changes.

In the meantime, if you are desperate to get your data collection up and running, you could change to explicitly defined proxying, and configure registry settings for your clients as per the following MS article:

Cloud App Discovery is a feature of Azure Active Directory Premium, a toolkit designed to take your Azure Active Directory to new, cloudier heights. Azure AD Premium can be bought standalone, or comes bundled with the Enterprise Mobility Suite. I would highly recommend it to Office 365 customers as it can give you and your users some great new features which can help make your Azure AD the best it can be!

Edit: It looks like PAC file support has been added rather surreptitiously. No announcement was made, and the KB articles haven’t been updated. I happened to check the Change Log today and Release includes an option to tweak your PAC file to support Cloud App Discovery.

Alternatively, if you use a PAC file (Proxy Auto Configuration) to manage proxy configuration, please tweak your file to add as an exception URL.

I’m yet to test this myself but it looks promising!

Shameless TechNet self promotion

I’ve just realised that I never shared this link. I wrote this technical piece for the TechNet UK Blog back in July 2015, and just thought I’d give it a bump. The subject matter is regarding the post-hybrid Office 365 landscape, and what you should be doing once you’ve migrated all your mailboxes (apart from get yourself an ‘I am a cloud god’ mug).

Office 365 – The Journey Continues

Happy New Year

Eighteen days into 2016, and after a short flurry of new blog posts, I thought I’d check in and say Happy New Year! I hope all my readers had a great 2015 and also some epic plans for 2016. You will be hearing plenty from me about interesting project related issues and fixes I come across. Hopefully the IT community can continue to help each other keep the lights on in an industry which is becoming increasingly vital to the day to day running of businesses worldwide.

Most people thought that 2015 was the year of the cloud, and indeed a lot of uptake was seen in this area. However I’m convinced that 2016 is the year that the platform really matures and starts to make good on its promises. It’s true to say that lots of people spent a lot of time in 2015 working even harder than usual, trying to balance the day to day running of their existing On Premise infrastructure with various cloud migration projects, and this will surely continue in 2016. As we move through the year though, businesses who have already made this time investment should be able to allow their IT departments to stop worrying about keeping the lights on, and start planning new ways to make IT awesome for their end users.

For me, that’s what cloud is really about. It takes the hypervisor patching, hardware maintenance and repetitive tasks out of our schedules, and allows us to focus on making IT awesome. If enterprise IT is to evolve in the way it needs to in order to keep up with consumer tech and users expectations, we need to invest our time into discovering and deploying new and interesting technologies which will help our businesses succeed. Cloud computing can help give us both the time, and the technology to evolve the services we offer our users and customers. Machine learning and data analytics are making huge advances at the moment, and the Internet of Things is finally taking off and giving us ways to harvest data which can be used for a real purpose.

I’m very excited about what 2016 has to offer, and you should be too. See you on the other side =]



Exchange 2013 Hybrid – Content was blocked because it was not signed by a valid security certificate

Hello again. The last few days have given me lots of new things to do, so apologies if you are being inundated with blog posts!

So today I went to enable a new Exchange 2013 Hybrid configuration. I used the Start Menu launcher for ‘Exchange Administrative Centre’, which to be honest I don’t usually do. This took me to https://localhost/ecp/?ExchClientVer=15. I then went to Hybrid and enabled the Hybrid Configuration. I logged into Office 365 and was greeted by this friendly message of doom:

Content was blocked because it was not signed by a valid security certificate

This error is quite easily solved; do not use localhost as the server name when you access the ECP. Use your client access namespace instead. For example, if my CAS name was, I would browse to

Just be sure to put and your CAS name into your Intranet Zone too or you’ll then get an error about Cookies!

412 - Cookies are disabled

Thanks for reading!