powershell Archives - IdAM Thoughts

MIM

Batch Process an Array via Powershell for FIMService write back (Or any PS scenario)

So,

A long time ago I wrote a post showing how you can do Composite write-back to FIMService via Powershell. That used “Search-ResourcePaged” command from the Lithnet Module. But it’s not helpful in the scenario where you already have a list of users (say an exported CSV or a text file) you want to perform some action on. In that scenario, XPath is not needed (and might not help if there is no pattern to search) as you already have your objects to work on.

So say, for example, I have a list of 10000 objectID from FIM and want to delete them.

Simple way will be

$objects = ("objectID1",
"objectID2",
"objectID3"
........)

$i = 0
foreach ($obj in $objects)
  {
  Remove-Resource $obj
  $i++
  write-host "Done $i of" $objects.count
  }

1

2

3

4

5

6

7

8

9

10

11

12

$objects = ("objectID1",

"objectID2",

"objectID3"

........)

$i = 0

foreach ($obj in $objects)

{

Remove-Resource $obj

$i++

write-host "Done $i of" $objects.count

}

Pretty simple but will take about 1/sec and take 10000 seconds to do it.

Yeah I am not going to wait that long…

Did some RnD (and Google) and found some different ways of going about it..

One way was doing ForEach -Parallels flag. I tried it but actually had a reverse affect for me… I did it wrong obviously.. It worked but took long/er for some reason (Even with -throttlelimit set)… Moved on… Went above my head for the limited time I had to do the job.

Then found a pretty simple way to do it online and made some modification to suit my scenario

$objects = ("objectID1",
"objectID2",
"objectID3",
.........)

for($i = 0; $i -lt $objects.Count; $i += 1000) #Change 1000 to the number you want to process in a single batch
   { 

    $num = $i + 999 #Change this number to 1 less that the batch number
    if ($num -ge $objects.Count) 
       {
            $num = $objects.Count 
       }

    $newarray = $objects[$i..$num]

    Remove-Resource $newarray #Delete the Resource from FIMService or you can do any other action like foreach for the $newarray and do a Get-Resource and modify and then save after the loop is over

    Write-Host "No of Objects in the batch:" $newarray.Count
    Write-Host "Done $num of" $objects.Count -ForegroundColor Cyan
   }

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

$objects = ("objectID1",

"objectID2",

"objectID3",

.........)

for($i = 0; $i -lt $objects.Count; $i += 1000) #Change 1000 to the number you want to process in a single batch

{

$num = $i + 999 #Change this number to 1 less that the batch number

if ($num -ge $objects.Count)

{

$num = $objects.Count

}

$newarray = $objects[$i..$num]

Remove-Resource $newarray #Delete the Resource from FIMService or you can do any other action like foreach for the $newarray and do a Get-Resource and modify and then save after the loop is over

Write-Host "No of Objects in the batch:" $newarray.Count

Write-Host "Done $num of" $objects.Count -ForegroundColor Cyan

}

Voila!!! it’s done in seconds. It will send batch of 1000 objects at a time to FIMService as a composite request and do them quickly. I did like 10000 in 10-15 seconds or so. You can also import a csv/txt file and create an array as well.

I am not a powershell expert and it may not be perfect or most elegant way of doing it but gets the job done quickly.

You can use the logic for virtually anything and not just to write back to FIMService. But yeah helped me to do large modifications / deletes pretty quickly.

Till the next time…

By Piyush Khandelwal, 6 years06/15/2018 ago

MIM

Powershell Tip: FIM/MIM Explicit Disconnectors be gone… quickly!!!

Happy New Year!!! Hope everyone had a great 2017 and hopefully an even better 2018

If you know disconnectors then you definitely know how irritating the FIM/MIM GUI can be to convert a disconnector from explicit to normal or vice versa when you have potentially 10’s or 100’s of them… Joiner tab isn’t really friendly to select multiple disconnectors and “batch” convert them.

Thanks to Lithnet MIIS Powershell you can do the conversion of 100’s of them in 1 line and in couple of seconds

If you have a MA with 100’s of explicit disconnectors just run the following command (replacing the <MA NAME> with the ….. MA Name )

Get-Disconnectors -Type Explicit -MA <MA NAME> | % { Set-DisconnectorState $_ -Type Normal }

1	Get-Disconnectors -Type Explicit -MA <MA NAME> \| % { Set-DisconnectorState $_ -Type Normal }

Done… Simples… You can ofcourse do the opposite as well if you wish i.e. Normal disconnectors -> Explicit Disconnectors.

By Piyush Khandelwal, 6 years ago

MIM

MIM AD Sync Error: Unable to update the password – Another POV

So we sync AD users from cross-domain (not a single forest). So say from “DC=contoso,DC=com” to “DC=fabrikam,DC=com”. Not getting too much into it, we do some matching and rules extension to convert a few value to match the destination domain.

Have recently been seeing the following error when sync engine is trying to enable a disabled user in fabrikam domain.

cd-error

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

Although the password policy is the same between the two domains.

After a tip, for some reason after the user was synced but for some reason the password was not set. And when it was trying to enable the users, it didn’t have a password and failing the domain policy.

Fix: I got the list of users failing from MIM and set their password manually in the destination by using the following script

$users = ("LISTUSERSHERE")

foreach ($user in $users)
    {
        get-aduser $user | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "<COMPLEXTEMPPASSWORD>" -Force)
    }

1

2

3

4

5

6

$users = ("LISTUSERSHERE")

foreach ($user in $users)

{

get-aduser $user | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "<COMPLEXTEMPPASSWORD>" -Force)

}

After this, the sync engine fixed the user up automatically.

By Piyush Khandelwal, 6 years ago

Powershell

Powershell Tip: Send quick Email when a service goes down [Update: And bring it back up]

Yes we have SCOM monitoring and stuff, but if some testing or debugging is going on and do don’t want to do down the hassle of setting up alerts and just simply want to get notified when a service goes down, here is a simple script

$status = (Get-Service "<ServiceName>").Status

while ($status -eq "Running")
	{
		Start-Sleep -Seconds 10
	}

Send-MailMessage -From "<FromAddress>" -To "<ToAddress>" -Body "<Body>" -Subject "<Subject>" -SmtpServer "<SMTPServer>"

1

2

3

4

5

6

7

8

$status = (Get-Service "<ServiceName>").Status

while ($status -eq "Running")

{

Start-Sleep -Seconds 10

}

Send-MailMessage -From "<FromAddress>" -To "<ToAddress>" -Body "<Body>" -Subject "<Subject>" -SmtpServer "<SMTPServer>"

It’s pretty self explanatory.

You can also send it to multiple recipients

$status = (Get-Service "<ServiceName>").Status

while ($status -eq "Running")
	{
		Start-Sleep -Seconds 10
	}

$recipients = @("<Recipient1>","<Recipient2>")

Send-MailMessage -From "<FromAddress>" -To $recipients -Body "<Body>" -Subject "<Subject>" -SmtpServer "<SMTPServer>"

1

2

3

4

5

6

7

8

9

10

$status = (Get-Service "<ServiceName>").Status

while ($status -eq "Running")

{

Start-Sleep -Seconds 10

}

$recipients = @("<Recipient1>","<Recipient2>")

Send-MailMessage -From "<FromAddress>" -To $recipients -Body "<Body>" -Subject "<Subject>" -SmtpServer "<SMTPServer>"

Voila!! It will check every 10 seconds and if the service is in any other state apart from “Running”, it will send you an email and stop execution.

Update: And easy to bring it back up when it goes down. Run the following in PS as Admin. It will send a mail when service is down and bring it back up.

Function FixService()
    {
        Send-MailMessage -From <FROMADDRESS> -To <TOADDRESS> -Body "<ServiceName> at $($(Get-Date).ToLongTimeString())" -Subject "<SUBJECT>" -SmtpServer <SMTPSERVER>
        Start-Service "<ServiceName>" 

        Write-Host "Service restarted at $($(Get-Date).ToLongTimeString())" -ForegroundColor Cyan

        CheckService

    }

Function CheckService()
    {
        Write-Host "Service is running" -ForegroundColor Green

        while ((Get-Service "<ServiceName>").Status -eq "Running")
            {
                Start-Sleep -Seconds 10
            }

        Write-Host "Service stopped at $($(Get-Date).ToLongTimeString())" -ForegroundColor Red

        FixService
    }

CheckService

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

Function FixService()

{

Send-MailMessage -From <FROMADDRESS> -To <TOADDRESS> -Body "<ServiceName> at $($(Get-Date).ToLongTimeString())" -Subject "<SUBJECT>" -SmtpServer <SMTPSERVER>

Start-Service "<ServiceName>"

Write-Host "Service restarted at $($(Get-Date).ToLongTimeString())" -ForegroundColor Cyan

CheckService

}

Function CheckService()

{

Write-Host "Service is running" -ForegroundColor Green

while ((Get-Service "<ServiceName>").Status -eq "Running")

{

Start-Sleep -Seconds 10

}

Write-Host "Service stopped at $($(Get-Date).ToLongTimeString())" -ForegroundColor Red

FixService

}

CheckService

By Piyush Khandelwal, 6 years10/27/2017 ago

ADConnect

AzureAD: Get List of all users with a particular license

You might have to do reporting and want a list of all users in Azure AD which have a particular license..

Following is an easy way to do so

Connect-MsolService

Get-MsolAccountSku

Get-MSOLUser -All | where {$_.isLicensed -eq "TRUE" -and $_.Licenses.AccountSKUID -eq "TENANTNAME:AAD_PREMIUM"} | select displayname,userprincipalname | export-CSV C:\licensedusers.csv -NoTypeInformation

1

2

3

4

5

Connect-MsolService

Get-MsolAccountSku

Get-MSOLUser -All | where {$_.isLicensed -eq "TRUE" -and $_.Licenses.AccountSKUID -eq "TENANTNAME:AAD_PREMIUM"} | select displayname,userprincipalname | export-CSV C:\licensedusers.csv -NoTypeInformation

Get-MsolAccountSku will give you a table of all the License Types you have and count

AccountSkuId	ActiveUnits	WarningUnits	ConsumedUnits
TENANTNAME:AAD_BASIC	300000	0	1
TENANTNAME:AAD_PREMIUM	300000	0	200000
TENANTNAME:AAD_PREMIUM_P2	300000	0	200000
TENANTNAME:POWER_BI_STANDARD	1000000	0	200000

You can then choose the AccountSkuId you want to report on and pass that in the “TENANTNAME:AAD_PREMIUM” of the Get-MSOLUser command

It took me about 20 min to run this report for about 155000 users

By Piyush Khandelwal, 7 years ago

powershell

MIM

Batch Process an Array via Powershell for FIMService write back (Or any PS scenario)

Like this:

MIM

Powershell Tip: FIM/MIM Explicit Disconnectors be gone… quickly!!!

Like this:

MIM

MIM AD Sync Error: Unable to update the password – Another POV

Like this:

Powershell

Powershell Tip: Send quick Email when a service goes down [Update: And bring it back up]

Like this:

ADConnect

AzureAD: Get List of all users with a particular license

Like this:

powershell

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this: