Active Directory: Find closest Domain Controller with Powershell

If you want to use the closest Domain Controller (DC) in your PowerShell script, you can simply use this one-liner:

Get-ADDomainController -Discover -NextClosestSite

-Discover uses the DC locator to return a domain controller in the client's own site. The parameter -NextClosestSite extends that: if no domain controller can be found in your site, the cmdlet falls back to the next closest site, chosen by the site link costs, as described in the Microsoft article about the cmdlet:

Source: Get-ADDomainController
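Discovery alone does not protect you from a script hopping to a different DC on every call. The following added example (not from the original post) pins all subsequent AD cmdlets to the discovered DC via -Server; it assumes the RSAT ActiveDirectory module and uses 'jdoe' as a placeholder account:

```powershell
# Added example (not from the original post): discover the closest writable DC
# and pin every following AD query to it. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# -Discover uses the DC locator, -Writable excludes read-only DCs, and
# -NextClosestSite falls back to the cheapest neighbouring site when no DC
# answers in the client's own site.
$dc = Get-ADDomainController -Discover -Writable -NextClosestSite -ErrorAction Stop

# With -Discover, HostName and IPv4Address are collections, not plain strings.
$server = $dc.HostName | Select-Object -First 1
Write-Host ("Using {0} in site {1} ({2})" -f $server, $dc.Site, ($dc.IPv4Address | Select-Object -First 1))

# Reuse the same DC for all queries: results stay consistent (no replication lag
# between reads) and the script does not silently cross a WAN link mid-run.
$user = Get-ADUser -Identity 'jdoe' -Server $server -Properties LastLogonDate   # 'jdoe' is a placeholder
$user | Select-Object SamAccountName, LastLogonDate

# Sanity check: confirm what the chosen DC actually is (site, GC, FSMO roles)
Get-ADDomainController -Identity $server -Server $server |
    Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles
```

If the script needs the PDC emulator (for example for password operations that must not suffer from replication delay), use Get-ADDomainController -Discover -Service PrimaryDC instead of relying on the closest DC.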

Azure AD – Protect your directory better by using Administrative Units (Preview)

Azure AD administrative units have been in preview for a while, but they recently received an update and I decided to check the opportunities the feature offers. Right off the bat, this feature still has a lot of room for improvement; I list the points that would affect me the most at the end of the blog. Besides this, there are some neat use cases where I would configure administrative units.

Protect service accounts
Since the User Administrator role can reset the password of nearly every user within Azure AD (exceptions are Global Admin role members and other role holders, see Azure AD User Administrator; thanks to nicola for the correction), it is very unlikely that you want many administrators holding that role tenant-wide. With Azure AD administrative units, you can add regular users to an administrative unit and then safely assign the User Administrator role to a technician scoped to that unit, without giving them the opportunity to reset the password of an account with higher permissions. The following roles can be assigned within an administrative unit:

You can add a user to multiple administrative units, which allows to create a well designed delegation model for users and groups in Azure Active Directory.
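The delegation described above, as an added example that is not part of the original post. It uses the AzureADPreview module cmdlets for administrative units, assumes the caller is a Privileged Role Administrator, and uses 'Helpdesk Scope', the Sales department filter and the technician UPN as placeholders:

```powershell
# Added example (not from the original post): scope the User Administrator role to
# an administrative unit so a helpdesk technician can only reset passwords of the
# users inside it. Assumes the AzureADPreview module; names are placeholders.
Connect-AzureAD

$au = Get-AzureADMSAdministrativeUnit -Filter "DisplayName eq 'Helpdesk Scope'"
if (-not $au) {
    $au = New-AzureADMSAdministrativeUnit -DisplayName 'Helpdesk Scope' `
            -Description 'Regular users only, no service or admin accounts'
}

# Only regular users belong in the AU. Exclude anyone who holds a directory role,
# otherwise the scoped User Administrator could reset a privileged password.
$privileged = Get-AzureADDirectoryRole |
    ForEach-Object { Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId } |
    Select-Object -ExpandProperty ObjectId -Unique

$members = Get-AzureADUser -Filter "Department eq 'Sales'" |   # placeholder scope
    Where-Object { $_.ObjectId -notin $privileged }
foreach ($u in $members) {
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $u.ObjectId
}

# A directory role must be activated in the tenant before it can be scoped.
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq 'User Administrator'"
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq 'User Administrator'
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

$tech   = Get-AzureADUser -ObjectId 'helpdesk.tech@contoso.example'   # placeholder UPN
$member = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo -Property @{ Id = $tech.ObjectId }
Add-AzureADMSScopedRoleMembership -Id $au.Id -RoleId $role.ObjectId -RoleMemberInfo $member

# Verify: who is scoped to the AU, versus who holds the role tenant-wide.
Get-AzureADMSScopedRoleMembership -Id $au.Id |
    Select-Object RoleId, @{ n = 'Member'; e = { $_.RoleMemberInfo.DisplayName } }
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Select-Object UserPrincipalName
```

The last two lines are the check worth repeating periodically: a scoped assignment only reduces exposure if the same technician is not also a tenant-wide member of the role.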

Continue reading

Windows 10 – Troubleshoot Intune Multi App Kiosk Configuration

This is a short one: while you will find plenty of blogs on how to configure a Windows 10 kiosk device, I was not able to find one very important piece of information:
Where can I find details when starting an app within a multi-app kiosk configuration fails? It is that simple:
Open Event Viewer and go to Applications and Services Logs\Microsoft\Windows\AppLocker; there you will find more information about the process that failed to start:
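The same information can be pulled without clicking through Event Viewer. The following added example (not from the original post) queries the four AppLocker channels for block events from the last hour; it assumes it runs elevated on the kiosk device:

```powershell
# Added example (not from the original post): list recent AppLocker block events,
# which is where a multi-app kiosk records an app it refused to start.
# Run as admin on the kiosk device (or add -ComputerName to query it remotely).
$logs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Deployment',
    'Microsoft-Windows-AppLocker/Packaged app-Execution'
)

# Blocked executions are logged at Level 2 (Error); allowed ones are Information.
$since   = (Get-Date).AddHours(-1)
$blocked = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue
}

$blocked |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, LogName,
        @{ n = 'User';    e = { $_.UserId } },
        @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

The Message column contains the path or package family name AppLocker rejected; compare it with the allowed apps in your assigned access configuration to see which entry is missing or misspelled.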

Hope this helps 🙂

Intune – Deploy required user settings to Windows 10 with powershell

In this blog I would like to describe how I managed to apply required user settings to Windows 10.
Since I still have an on-premises environment, in which file servers reside and a DFS namespace is still up and running, I wanted to make sure to keep the advantages of using the local network.
So here are my two use cases to solve:
1. Add a network location for the DFS path if the user is logged on on-premises
2. Modify the local hosts file to redirect the Work Folders clients to the file server internally
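The second use case, as an added example that is not part of the original post: an idempotent hosts file update that only adds the internal address while the client can reach the corporate network. The Work Folders name, the internal IP and the on-premises probe record are placeholders; Intune runs PowerShell scripts as SYSTEM by default, which is what writing to the hosts file requires:

```powershell
# Added example (not from the original post): pin the Work Folders name to the
# internal file server address while on-premises, and remove the pin otherwise.
# All names and addresses are placeholders.
$Hosts      = "$env:SystemRoot\System32\drivers\etc\hosts"
$Name       = 'workfolders.contoso.example'   # placeholder: public Work Folders name
$InternalIp = '10.10.20.5'                    # placeholder: file server address on the LAN
$Marker     = '# managed-by-intune-workfolders'

# "On-premises" means an internal-only DNS record resolves; a public resolver never returns it.
function Test-OnPremises {
    try   { [void][System.Net.Dns]::GetHostAddresses('dc01.corp.contoso.example'); $true }  # placeholder record
    catch { $false }
}

# Keep every line except our own marked one, then re-add it only when on the LAN.
$lines = @(Get-Content -Path $Hosts -ErrorAction Stop | Where-Object { $_ -notmatch [regex]::Escape($Marker) })
if (Test-OnPremises) {
    $lines += "$InternalIp`t$Name`t$Marker"
}
# Write plain ASCII, as the original file is; WriteAllLines replaces the file atomically enough for this purpose.
[System.IO.File]::WriteAllLines($Hosts, $lines, [System.Text.Encoding]::ASCII)
Clear-DnsClientCache

# Verify with the system resolver (Resolve-DnsName bypasses the hosts file, GetHostAddresses does not)
[System.Net.Dns]::GetHostAddresses($Name) | Select-Object -ExpandProperty IPAddressToString
```

Work Folders talks HTTPS, so the internal file server must present a certificate that is valid for the public name you pin; otherwise the redirect produces certificate errors instead of a faster sync.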
Continue reading

Intune Autopilot – Prepopulate the Startmenu

It might not be that popular with Windows 10, but every company wants a well curated start menu rather than the default delivered by Microsoft:

We have multiple options to configure the start menu, and I am sure I do not know them all. But when it comes to Windows 10 and Intune Autopilot, we do not really have the option I had in mind. This blog tries to capture the options we currently have with Intune and Autopilot.
Continue reading

Intune – Configure “Fast startup” (HiberBoot) for Windows 10

Since I changed my clients from GPO managed to Intune controlled, some of the settings from GPO (not all) need to be set through Intune as well. As outlined in my previous blog, I tried to disable the fast startup option on Windows 10 through a CSP, and I did not find a CSP supporting this setting. Within this blog, I would like to show how you can configure the fast startup setting ("Turn on fast startup (recommended)") in Windows 10 through Microsoft Intune:

You may ask, why I want to disable this? My reason: I don’t want to reuse a desktop session which was hibernated. And only a reboot will force the client to create a new desktop session, if fast startup is enabled.
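Without a CSP, the remaining route is a PowerShell script deployed from Intune that sets the registry value behind the Control Panel checkbox. The following is an added example, not the script from the original post; it assumes Intune runs it as SYSTEM (the default) and reports failure through the exit code:

```powershell
# Added example (not from the original post): turn fast startup off by setting
# HiberbootEnabled, the value the "Turn on fast startup" checkbox toggles.
# Needs SYSTEM or local admin; Intune runs PowerShell scripts as SYSTEM by default.
$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$Name  = 'HiberbootEnabled'
$Value = 0   # 0 = fast startup off (shutdown is a full shutdown), 1 = on (kernel session hibernates)

$current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
if ($current -ne $Value) {
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
    Write-Output "$Name changed from '$current' to $Value"
} else {
    Write-Output "$Name already $Value, nothing to do"
}

# Re-read and fail loudly, so the Intune portal shows the script as failed
# instead of silently reporting success on a device that still fast-starts.
$after = (Get-ItemProperty -Path $Key -Name $Name).$Name
if ($after -ne $Value) { Write-Error "Failed to set $Name"; exit 1 }
exit 0
```

Note the difference from powercfg /h off: that disables hibernation entirely (which also removes fast startup), while HiberbootEnabled = 0 leaves manual hibernation available and only forces a real shutdown.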
Continue reading

Windows 10 settings management with Intune

When a journey ends, a new journey begins. My journey with old school domain-joined, GPO-managed devices within my LAB has ended, and I am finally conquering new areas with Azure AD joined, Intune controlled devices. I waited so long because a lot of settings could not be set through Intune. Some of them are still not that simple to set, but there is a solution for, I would like to say, most of the requirements.

So within this blog post, I would like to document my current knowledge of Windows 10 settings management through Intune. As of today, we have the following options to configure GPO-like settings through Microsoft Intune:

  • Intune Windows Enrollment settings
  • Intune Portal blade settings
  • Intune Portal Custom CSP settings
  • Intune ADMX-backed administrative template settings (Preview)
  • PowerShell Script

Let's have a closer look at the different options.
Continue reading

I have configured "Network Security: Restrict NTLM: NTLM authentication in this domain" months ago, here is why it caught me

Today I would like to share my experience with troubleshooting an overcommitted security admin with less knowledge than would be required (in fact, I'm talking about me here). Some months ago, I read about NTLM (v2 as well), and I decided to restrict NTLM in my LAB, to check what is working afterwards and what stops working. To my surprise, everything went smoothly, and I could not find an issue. So I forgot about this setting; everything seemed to work, and it did.

Recently I decided to cut off DirectAccess, since Microsoft does not invest in its future, and for other reasons: I'm not required to have a permanent connection to the LAB from remote, a VPN would be sufficient. I'm using Work Folders as well, and secured it with Azure MFA; the same should apply to my VPN connection, the authentication should not only be covered by username and password. With this, the goal was set, and I built up the LAB. Everything went nicely, until the first VPN client wanted to connect. The NPS Server gave me the error:
"The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

Continue reading
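Before restricting NTLM in a domain, the usual advice is to run the matching audit policy first and watch what still authenticates with NTLM. The following added example (not from the original post) reads the restriction and audit values as they are stored on a domain controller and lists the recent NTLM operational events; it assumes it runs elevated on a DC:

```powershell
# Added example (not from the original post): show how "Restrict NTLM: NTLM
# authentication in this domain" and its audit counterpart are set on this DC,
# then list recent NTLM audit events. Run as admin on a domain controller.
$Params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Meaning = @{
    0 = 'Disable (no restriction)'
    1 = 'Deny for domain accounts to domain servers'
    3 = 'Deny for domain accounts'
    5 = 'Deny for domain servers'
    7 = 'Deny all'
}

$p        = Get-ItemProperty -Path $Params -ErrorAction SilentlyContinue
$restrict = $p.RestrictNTLMInDomain
$audit    = $p.AuditNTLMInDomain

# A missing value means the policy is "Not configured", which behaves like 0.
function Describe($v) {
    if ($null -eq $v) { 'Not configured' } elseif ($Meaning.ContainsKey([int]$v)) { "$v = $($Meaning[[int]$v])" } else { "$v = unknown value" }
}
Write-Output ("RestrictNTLMInDomain : {0}" -f (Describe $restrict))
Write-Output ("AuditNTLMInDomain    : {0}" -f (Describe $audit))

if ($restrict -gt 0 -and -not $audit) {
    Write-Warning 'NTLM is restricted without auditing; dependencies such as PEAP-MSCHAPv2 on NPS will fail silently from this side.'
}

# The NTLM operational log records what the audit (or block) policy matched in the last 7 days.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize -Wrap
```

Checking this output on the DCs before flipping the restriction would have shown the NPS server's MS-CHAPv2 authentications, which depend on NTLM against the domain, as entries to deal with first.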