EMS

August 15, 2016

Hello,

Empowering users is always great: we all want to perform the actions we need when we need them, instead of logging requests and waiting for someone else to carry them out.

Microsoft EMS is a combined set of cloud services wrapped up in one license bundle. More info can be found here: https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility. But today, with the Rio 2016 Olympic games on, we focus on self-service group management and password reset.

First we need to enable the required features in Azure AD.

Now add the test user to the required Azure groups and open https://myapps.microsoft.com.

Now this user can create new security or Office 365 groups (depending on the group membership above).

Now what's really great is that we can delegate the group membership (adding or removing users in the group) to the group owners. We could also do this with on-premises AD by handing out the Users and Computers MMC, or by using FIM, but here it works straight out of the box.

Let's see how it looks.

Now we can create a new group (we'll use an O365 group).

Now we have set up this group to require owner approval, so in this case we can decide who can be a member.

So if we log on as another user (with an EMS license) and look for the group, we can request access!

Let's join.

And the owner can approve or deny.

And the requesting user can check the status of the request in the same interface, under My requests.

That's it: great functionality for delegating the creation and ownership of security or Office 365 groups. Power to the users!

Enjoy.

Gino D.


Quick Tip ! Automate it !

April 28, 2016

Hello,

I am a big fan of automation: you improve efficiency by producing a consistent result fast.

But it needs to be worth it: you need a certain volume of requests before the investment pays off.

Luckily we have this kind of environment in our partner portfolio.

Here we use the Service Manager portal not for the end users, but we present it to the first-line helpdesk so they don't have to escalate certain tasks to second line. All requests are automated by Orchestrator runbooks.

And we are at 4874 completed requests.

Simple math: about 10 minutes if the action is performed manually, which makes 48740 minutes -> 812 hours -> 101 working days saved. That time can be spent on tasks that add real value for the partner.

Enjoy.

Gino D


ZTIexecuterunbook MDT 2013 Update 1

November 20, 2015

Hello,

Strange issue today: a fresh install of Orchestrator and SCCM, both at the latest version, SCCM 2012 R2 SP1 CU1 and Orchestrator 2012 R2 UR7.

Combined with the power of MDT 2013 Update 1 in order to execute runbooks from a task sequence.

So far so good; I've had a similar setup for another customer, so nothing could go wrong…

But when I run the task sequence that executes the runbook, the task sequence fails and the ZTIExecuteRunbook log under MININT\SMSOSD\OSDLogs shows:

Microsoft Deployment Toolkit version: 6.3.8298.1000 ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

The task sequencer log is located at C:\Windows\CCM\Logs\SMSTSLog\SMSTS.LOG. For task sequence failures, please consult this log. ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Orchestrator server URL = http://SERVERNAME:81/Orchestrator2012/Orchestrator.svc/Jobs ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Runbook name = New Runbook ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Runnbook ID = 444a1fd8-3168-470c-9a8f-805523de27b3 ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Runbook parameter mode = MANUAL ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Added parameter IntExchange (17ebabac-3fa0-4585-b7e4-54fb0156d650) ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Added parameter StrComputername (c684fd8f-e6e0-44b1-b8d0-6e91f879681f) ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Added parameter StrClusterName (5e029040-b071-4499-a04e-ad593fe5f795) ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Property UserDomain is now = *** ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Property UserID is now = *** ZTIExecuteRunbook 11/18/2015 3:58:55 PM 0 (0x0000)

<Message containing password has been suppressed> ZTIExecuteRunbook 11/18/2015 3:58:55 PM 0 (0x0000)

FAILURE ( 10802 ): Unable to find job. ZTIExecuteRunbook 11/18/2015 3:58:55 PM 0 (0x0000)

The runbook does get started on Orchestrator, but the task sequence fails!

So we started doing some tests and found that we could reproduce the issue in another environment.

The problem turned out to be an error in the scripts of MDT 2013 Update 1. We created two identical task sequences executing a simple runbook: one with the MDT 2013 toolkit files and one with the MDT 2013 Update 1 toolkit files.

MDT 2013 works fine:

ZTIExecuteRunbook shows the "wait for completion" state.

Now for MDT 2013 Update 1:

And ZTIExecuteRunbook shows the error.

Apparently something slipped through quality control 🙂

Enjoy.

Gino D


Orchestrator Quick Tip ! Junction

August 26, 2015

Hello,

When you have multiple actions that you want to run in parallel, you can link them and use the junction to wait for all actions to finish before continuing.

Here's the TechNet explanation: https://technet.microsoft.com/en-us/library/hh206089.aspx

Now consider the following example:

We use the logging ID to grab some information in Service Manager and save it in a custom field. This is accomplished by calling several sub-runbooks.

It looks like this:

Now if we return no data from the junction, our "get log data" activity is not successful because the logging ID is empty.

If you run the tester you receive no error, but the logging ID is empty.

While the action clearly states that it uses the Logging_id from the start activity.

Now if we add the return activity from our previous branch, we get exactly the same issue.

I had to add a link to our first sub-runbook in order to be able to retrieve the Logging_id from our first start action. Then it works.

And set the returned data from the junction to this activity.

At last, success.

Enjoy.

Gino D


Orchestrator run .NET version

June 22, 2015

All,

We're using a simple script in Orchestrator to enumerate all AD groups that have something in their Notes (info) field.

The script is this:

Import-Module ActiveDirectory -Force

# Collect the DN of every group under the search base that has something in its Notes (info) field
$ArrayProcessList = @()

$Searchbase = "OU=Security Groups,OU=Groups,DC=localdomain,DC=com"

$results = Get-ADGroup -Filter { info -like "*" } -SearchBase $Searchbase

foreach ($result in $results)
{
    $ArrayProcessList += $result.DistinguishedName
}

# Write the list to the pipeline so Orchestrator can publish it
$ArrayProcessList

When running in the Runbook Tester with an admin user, all works fine. However, when testing with a calling runbook, so that the runbook is executed on the runbook server using service accounts, I receive an error:

Hmm strange.

Digging into this issue, I noticed that the PowerShell version used by the Run .Net Script activity is the V2.0 x86 PowerShell edition (thanks for that, Thomas 🙂).

As you can see, in the default V3 version the Import-Module works.

And this doesn't work in the V2 version:

Okay, so we have identified the issue; how do we resolve it?

We like this approach: http://karlprosser.com/coder/2012/04/16/calling-powershell-v3-from-orchestrator-2012/

Modify the script so it starts a new PowerShell session and passes the output back.

So start with a variable and assign it the result of powershell { command }. Make sure the script block writes the desired result to its output, and then publish the initial variable as published data.
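The wrapped version of the group query, as an added example that is not the post's own code: the script body runs inside powershell { }, which launches the default powershell.exe (V3, x64) and returns its output to the Run .Net Script activity, where the variable $GroupDNs (an assumed name) is then registered as published data. The search base and module are the ones from the script above.

```powershell
# Added example (not the post's code): run the AD query in a child powershell.exe
# (the default V3 x64 host) instead of the V2 x86 host of the Run .Net Script activity.
# $GroupDNs is an assumed variable name; publish it in the activity's Published Data tab.
$GroupDNs = powershell {
    # Fail with a message that names the host if the module is missing here as well
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        throw "ActiveDirectory module not available in PowerShell $($PSVersionTable.PSVersion)"
    }
    Import-Module ActiveDirectory -Force

    $Searchbase = "OU=Security Groups,OU=Groups,DC=localdomain,DC=com"

    # Only groups that have something in the Notes (info) attribute
    $results = Get-ADGroup -Filter { info -like "*" } -SearchBase $Searchbase

    # Everything written to the pipeline here is serialized back to the caller
    foreach ($result in $results) {
        $result.DistinguishedName
    }
}

# The output arrives deserialized as strings; make the "nothing found" case explicit
if (-not $GroupDNs) { $GroupDNs = @() }
```

Variables from the outer script are not visible inside the script block, so everything the query needs is defined inside it.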


And check the result!

Yes! Success.

Enjoy.

Gino D


Azure Active Directory Premium

February 3, 2015

Hello,

Premium always has a nice ring to it. It sounds like the best thing you can get. Seriously, try adding "premium" to anything and it sounds good.

Now, as you all know Active Directory, you also know there's a cloud counterpart named Azure Active Directory. Let's have a look at the best version of it: Azure Active Directory Premium.

What’s the difference ?

See https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx

Today we'll focus on the branding and self-service password reset functionality (also available in the Basic version).

We’ll cover some other features, like delegated group management later.

Let's start by opening the Azure management portal and activating the Azure AD Premium trial.

Create a new group.

Add a user to the group.

Now assign the license to the created group.

Also add at least one user to the assigned licenses. (It won't work with only the group applied, which makes sense.)

Now log off and log on again; the additional Configure tabs should be present.

Now let's enable password reset, activate the security questions option and create a set of security questions.

Let's also do some rebranding of the logon portal.

Now let's test…

Press Tab et voilà…

Nice… now let's try the self-service password reset: log on to the http://myapps.microsoft.com page and register for password reset.

Let's set up the security questions in this case. (You can also require this registration at first logon.)

Done.

Okay, now say we've lost our password: how can we reset it?

Easy: go to https://passwordreset.microsoftonline.com or click the "can't access" link on the portal. Make sure your test user is one of the Azure AD Premium licensed users, or you will receive a message that the functionality is not activated for this user. In that case the user still has the option to contact the admin through a link to request a password reset.

Fill in the required information (note that the logo also applies here).

And answer the required questions…

And now you can select a new password.

Done.

Now, with the Premium edition you can also sync the new password back to the on-premises AD environment.

Great features; the need for an on-premises Active Directory environment just got smaller.

Also remember that Azure AD Premium, Intune and Azure Rights Management are now available in one license package, EMS (Enterprise Mobility Suite): http://www.microsoft.com/en-us/server-cloud/products/enterprise-mobility-suite/

Enjoy.


Quick tip ! Azure Automation

November 19, 2014

Hello,

Want to save some money on your cloud infrastructure? Make sure to switch it off when you're not using it.

And now you have automation features to do exactly that.

Compare it to Orchestrator here: http://msdn.microsoft.com/en-us/library/azure/dn643629.aspx

Log on to the Azure management portal and open Automation.

Create an account.


Fill in the account name and select a region.


OK, now we can create a new runbook. You can create one from scratch or use an existing runbook from the gallery.


In this case we want to shut down the environment.

You can review the script presented.


And modify the name, account or subscription.

OK, now go to the runbook and modify the required parameters.

Use the Author command.

Test the runbook.

And verify the result.

As you can see, we need to create a connection asset. So back to Runbooks -> Assets.

Additional information about the assets can be found here: http://azure.microsoft.com/blog/2014/07/29/getting-started-with-azure-automation-automation-assets-2/


And add a setting. Make sure to copy your subscription ID before starting the wizard!

Select a connection of type Azure and give it a name.


And create a cert and paste your subscription ID.

Now create a self-signed certificate for uploading to Azure.

We use the Server 2012 R2 web server (IIS) for this.

Open IIS -> Server Certificates.

Create a self-signed certificate.

Modify the name and leave it in the Personal store.

Click View Details and Copy to File.

Export it once as .cer without the private key.


And once as .pfx with the private key.
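The certificate steps above (create a self-signed certificate, export it once as .cer without the private key and once as .pfx with it) done from PowerShell instead of the IIS wizard, as an added example that is not from the post. It assumes Windows Server 2012 R2 or later, an elevated session, and uses a placeholder output folder and subject name.

```powershell
# Added example (not the post's code): replace the IIS "Create Self-Signed Certificate"
# and "Copy to File" wizard steps with PowerShell.
# Assumptions: elevated session on Server 2012 R2+; folder and DNS name are placeholders.
$OutDir  = 'C:\AzureAutomation'
$DnsName = 'azure-automation-mgmt'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Create the certificate in the machine Personal store (where the IIS wizard puts it too)
$cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Export the public part only (.cer, DER encoded) for the Azure management certificates
$cerPath = Join-Path $OutDir "$DnsName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 3. Export with the private key (.pfx) for the Automation credential asset
$pfxPath     = Join-Path $OutDir "$DnsName.pfx"
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 4. Sanity check before uploading: the .cer must not carry a private key, the .pfx must
$x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$cerCheck = New-Object $x509 -ArgumentList $cerPath
$pfxCheck = New-Object $x509 -ArgumentList $pfxPath, $pfxPassword
if ($cerCheck.HasPrivateKey -or -not $pfxCheck.HasPrivateKey) {
    throw 'Export check failed: private key ended up in the wrong file'
}

# The thumbprint is what you compare against the entry in Azure management certificates
"Thumbprint: $($cert.Thumbprint)"
```

Upload the .cer to the subscription's management certificates and the .pfx to the Automation credential asset, as described in the following steps.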


Now add the .cer file to the Azure management certificates.

Now back to Azure Automation and create an additional credential asset.

Next, browse for your .pfx file and enter its password.

Now go to the runbook and modify the parameters using the Author tool.

$MyConnection -> this is your Automation connection created in the Assets section

$MyCert -> this is the name of the newly imported credential (certificate) in the Assets section

Also correct the Azure subscription name hard-coded in the script.

Save, test and verify the result.

Hallelujah! Success!

Now all we need to do is add a schedule, and that's it.

Publish.

Now create a new schedule.


Name it.


In this case, set it to Friday, 19:00, every 7 days.


That's it; imagine the possibilities.

Enjoy.

Gino D

Additional info can be found here: http://blogs.technet.com/b/keithmayer/archive/2014/04/04/step-by-step-getting-started-with-windows-azure-automation.aspx