August 15, 2016


Empowering users is always great: we all want to be able to perform the actions we need when we need them, instead of logging a request and waiting for someone else to carry it out.

Microsoft EMS is a set of cloud services bundled into one license. More info can be found here: https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility. But today we focus not on the Olympic Games in Rio 2016 but on self-service group management and password reset.

First we need to enable the required features in Azure AD.


Now add the test user to the Azure AD groups that the self-service settings allow to create groups, and open https://myapps.microsoft.com.

This user can now create new security groups or Office 365 groups (depending on the group membership above).

What's really great is that we can delegate group membership management (adding and removing users) to the group owners. We could also do this on-premises with AD by handing out an Active Directory Users and Computers MMC, or with FIM, but here it works straight out of the box. Keep in mind that this also means the owner, not IT, decides who gets whatever access the group grants, so groups that gate sensitive resources should stay under IT control rather than be created through self-service.

Let’s see how it looks.


Now we can create a new group (we'll use an Office 365 group).


We have set this group's join policy to require owner approval, so the owner decides who becomes a member.

So if we log on as another user (with an EMS license) and search for the group, we can request access!


Let’s join.


And the owner can approve or deny the request.


And the requesting user can check the status of the request in the same interface, under My requests.


That's it: great functionality for delegating the creation and ownership of security and Office 365 groups. Power to the users!
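Once users can create groups and owners control membership, the thing IT still has to watch is who owns what. The following is an added example, not code from the original post: an audit script built on the AzureAD PowerShell module (an assumption; the post only shows the portal) that lists every group with its owners so that orphaned groups, which nobody can approve requests for or clean up any more, can be handed back to IT. It assumes an existing Connect-AzureAD session; the output file name is hypothetical.

```powershell
# Added example (not from the original post): audit groups created through
# self-service. Assumes the AzureAD PowerShell module and an already
# established Connect-AzureAD session; the CSV path below is hypothetical.
Import-Module AzureAD

function Get-GroupOwnershipReport {
    # Returns one object per group with its owner list, so orphaned groups
    # (no owner left to approve requests or remove members) can be spotted.
    param([switch]$Office365Only)

    $groups = Get-AzureADGroup -All $true
    if ($Office365Only) {
        $groups = $groups | Where-Object { $_.GroupTypes -contains 'Unified' }
    }

    foreach ($g in $groups) {
        $owners = @(Get-AzureADGroupOwner -ObjectId $g.ObjectId -All $true)

        # Office 365 groups carry the 'Unified' group type; plain security
        # groups are SecurityEnabled; anything else is a distribution list.
        if ($g.GroupTypes -contains 'Unified') { $type = 'Office365' }
        elseif ($g.SecurityEnabled)            { $type = 'Security' }
        else                                   { $type = 'Distribution' }

        [pscustomobject]@{
            DisplayName = $g.DisplayName
            ObjectId    = $g.ObjectId
            Type        = $type
            OwnerCount  = $owners.Count
            Owners      = ($owners | ForEach-Object { $_.UserPrincipalName }) -join ';'
            MemberCount = @(Get-AzureADGroupMember -ObjectId $g.ObjectId -All $true).Count
        }
    }
}

$report = Get-GroupOwnershipReport

# Groups nobody owns any more: join requests pile up and membership is never reviewed.
$report | Where-Object { $_.OwnerCount -eq 0 } | Format-Table DisplayName, Type, MemberCount

# Full report for a periodic review of who controls access through which group.
$report | Export-Csv -Path .\group-owners.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run: new groups with a single owner who has since left the company are exactly the ones that turn into unmanaged access paths.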


Gino D.

Quick Tip ! Automate it !

April 28, 2016


I am a big fan of automation: you improve efficiency by generating a consistent result fast.

But it needs to be worth it: you need a certain volume of requests before the investment pays off.

Luckily we have these kind of environments in our partner portfolio.

Here we use the Service Manager portal not for the end users but for the first-line helpdesk, so they don't have to escalate certain tasks to second line. All requests are automated by Orchestrator runbooks.


And we are at 4874 completed requests.


Simple math: at about 10 minutes per action when performed manually, that is 48740 minutes, or 812 hours, or 101 eight-hour working days saved. That time can be spent on tasks that create real added value for the partner.


Gino D

ZTIexecuterunbook MDT 2013 Update 1

November 20, 2015


Strange issue today: a fresh install of Orchestrator and SCCM, both on the latest version, SCCM 2012 R2 SP1 CU1 and Orchestrator 2012 R2 UR7.

Combined with MDT 2013 Update 1 in order to execute runbooks from a task sequence.

So far so good; I've had a similar setup for another customer, so nothing could go wrong…

But when I run the task sequence for executing the runbook, my task sequence fails and ZTIExecuteRunbook under MININT\SMSOSD\OSDLogs shows:

Microsoft Deployment Toolkit version: 6.3.8298.1000 ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

The task sequencer log is located at C:\Windows\CCM\Logs\SMSTSLog\SMSTS.LOG. For task sequence failures, please consult this log. ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Orchestrator server URL = http://SERVERNAME:81/Orchestrator2012/Orchestrator.svc/Jobs ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Runbook name = New Runbook ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Runnbook ID = 444a1fd8-3168-470c-9a8f-805523de27b3 ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Runbook parameter mode = MANUAL ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Added parameter IntExchange (17ebabac-3fa0-4585-b7e4-54fb0156d650) ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Added parameter StrComputername (c684fd8f-e6e0-44b1-b8d0-6e91f879681f) ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Added parameter StrClusterName (5e029040-b071-4499-a04e-ad593fe5f795) ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Property UserDomain is now = *** ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Property UserID is now = *** ZTIExecuteRunbook 11/18/2015 3:58:55 PM 0 (0x0000)

<Message containing password has been suppressed> ZTIExecuteRunbook 11/18/2015 3:58:55 PM 0 (0x0000)

FAILURE ( 10802 ): Unable to find job. ZTIExecuteRunbook 11/18/2015 3:58:55 PM 0 (0x0000)

The runbook does get started on Orchestrator, but the task sequence fails! In other words, the request that creates the job succeeds, and the script then fails when it tries to look up the job it just created.

So we started testing and found that we could reproduce the issue in another environment.

The problem turned out to be an error in the scripts of MDT 2013 Update 1. We created two identical task sequences executing a simple runbook: one with the MDT 2013 toolkit files and one with the MDT 2013 Update 1 toolkit files.


MDT 2013 works fine:


ZTIExecuteRunbook shows the wait-for-completion state.


Now for MDT 2013 Update 1:


And ZTIExecuteRunbook shows:


Apparently something slipped through Quality Control 🙂
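To separate a toolkit bug from a web service or permissions problem, it helps to drive the Orchestrator web service by hand, doing the same two things ZTIExecuteRunbook does: create a job for the runbook and poll that job until it leaves the Pending/Running states. The script below is an added example, not code from the post or from the MDT toolkit. The server URL, runbook GUID and parameter GUIDs are the ones from the log above and must be replaced with your own; the parameter values, the credential prompt and the timeout are hypothetical.

```powershell
# Added example (not from the original post or the MDT toolkit): start an
# Orchestrator runbook through the Orchestrator web service and poll the job
# until it finishes, i.e. the two steps ZTIExecuteRunbook performs.
# Server, credential and parameter values are hypothetical; the runbook and
# parameter GUIDs are copied from the log above and must be replaced.
$BaseUrl    = 'http://SERVERNAME:81/Orchestrator2012/Orchestrator.svc'
$RunbookId  = '444a1fd8-3168-470c-9a8f-805523de27b3'
$Parameters = @{
    'c684fd8f-e6e0-44b1-b8d0-6e91f879681f' = 'SERVER01'   # StrComputername
    '5e029040-b071-4499-a04e-ad593fe5f795' = 'CLUSTER01'  # StrClusterName
    '17ebabac-3fa0-4585-b7e4-54fb0156d650' = '1'          # IntExchange
}
$Credential = Get-Credential   # account that is allowed to start the runbook

function Get-ODataProperty {
    # Reads one <d:Name> property out of the Atom entry the service returns.
    param([xml]$Xml, [string]$Name)
    $ns = New-Object System.Xml.XmlNamespaceManager($Xml.NameTable)
    $ns.AddNamespace('a', 'http://www.w3.org/2005/Atom')
    $ns.AddNamespace('m', 'http://schemas.microsoft.com/ado/2007/08/dataservices/metadata')
    $ns.AddNamespace('d', 'http://schemas.microsoft.com/ado/2007/08/dataservices')
    $node = $Xml.SelectSingleNode("//a:entry/a:content/m:properties/d:$Name", $ns)
    if ($node) { $node.InnerText } else { $null }
}

function Start-OrchestratorJob {
    param([string]$RunbookId, [hashtable]$Parameters)
    # Parameters travel as an XML fragment inside <d:Parameters>, so the
    # fragment is built first and then escaped again as element text.
    $inner = '<Data>' + (($Parameters.GetEnumerator() | ForEach-Object {
        '<Parameter><ID>{' + $_.Key + '}</ID><Value>' +
        [System.Security.SecurityElement]::Escape($_.Value) + '</Value></Parameter>'
    }) -join '') + '</Data>'
    $body = @"
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<entry xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns="http://www.w3.org/2005/Atom">
  <content type="application/xml">
    <m:properties>
      <d:RunbookId m:type="Edm.Guid">$RunbookId</d:RunbookId>
      <d:Parameters>$([System.Security.SecurityElement]::Escape($inner))</d:Parameters>
    </m:properties>
  </content>
</entry>
"@
    $resp = Invoke-WebRequest -Uri "$BaseUrl/Jobs" -Method Post -Body $body `
        -ContentType 'application/atom+xml' -Credential $Credential -UseBasicParsing
    Get-ODataProperty -Xml ([xml]$resp.Content) -Name 'Id'   # the new job's GUID
}

function Wait-OrchestratorJob {
    param([string]$JobId, [int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $resp   = Invoke-WebRequest -Uri "$BaseUrl/Jobs(guid'$JobId')" `
            -Credential $Credential -UseBasicParsing
        $status = Get-ODataProperty -Xml ([xml]$resp.Content) -Name 'Status'
        Write-Verbose "Job $JobId is $status" -Verbose
    } while (@('Pending', 'Running') -contains $status -and (Get-Date) -lt $deadline)
    $status   # Completed, Failed, Canceled, or $null if the job could not be read
}

$jobId = Start-OrchestratorJob -RunbookId $RunbookId -Parameters $Parameters
if (-not $jobId) { throw 'The service accepted the request but returned no job Id' }

$result = Wait-OrchestratorJob -JobId $jobId
if ($result -ne 'Completed') { throw "Runbook job $jobId ended with status '$result'" }
```

If this works from the same machine and account while the task sequence still reports "Unable to find job", the web service and the runbook are fine and the fault is on the client side, which is what the comparison of the two toolkit versions above shows.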


Gino D

Orchestrator Quick Tip ! Junction

August 26, 2015


When you have multiple activities that you want to run in parallel, you can branch them from the same activity and use a Junction to wait for all branches to finish before continuing.

Here's the TechNet explanation: https://technet.microsoft.com/en-us/library/hh206089.aspx

Now consider the following example:

We use the logging ID to grab some information from Service Manager and save it in a custom field. This is accomplished by calling several sub-runbooks.

It looks like this:


If the Junction returns no data, our Get Log Data activity fails because the logging ID is empty: a Junction only republishes the data of the one activity you select in its Return data from setting, nothing from the other branches.


If you run the Runbook Tester you receive no error, but the logging ID is empty.



While the activity clearly references the Logging_id from the start activity.


If we set the Junction to return data from the last activity of our previous branch, we get exactly the same issue.


I had to add a link to our first sub-runbook in order to be able to retrieve the Logging_id from our first start action. Then it works.


And set the Junction to return data from this activity.


At last success.


Gino D

Orchestrator run .NET version

June 22, 2015



We're using a simple script in Orchestrator to enumerate all AD groups that have something in the Notes (info) attribute.

The script is this:

Import-Module ActiveDirectory -Force

$ArrayProcessList = @()
$SearchBase = "OU=Security Groups,OU=Groups,DC=localdomain,DC=com"

# Groups whose Notes (info) attribute is not empty
$results = Get-ADGroup -Filter { info -like "*" } -SearchBase $SearchBase

foreach ($result in $results) {
    $ArrayProcessList += $result.DistinguishedName
}


When running in the Runbook Tester with an admin user all works fine. However, when testing with a calling runbook, so the runbook is executed on the runbook server using the service account, I receive an error:


Hmm strange.

Digging into this issue I noticed that the PowerShell version running under the Run .Net Script activity is a v2.0 x86 PowerShell (thanks for that, Thomas 🙂).

As you can see, in the default v3 version the Import-Module works.


And this doesn't work in the v2 version:


Okay, so we have identified the issue; how do we resolve it?

We like this approach: http://karlprosser.com/coder/2012/04/16/calling-powershell-v3-from-orchestrator-2012/

Modify the script so it starts a new PowerShell session, which gets the installed v3 engine instead of the hosted v2.0 one, and passes the output back.


So assign the result of powershell { command } to a variable, make sure the inner script block outputs the desired result, and then publish that variable as published data.


And check the result!



Yes! Success.
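As an added example (not the post's own script, whose final version is only shown as a screenshot), this is the group enumeration rewritten along the lines described above: the AD query runs in a child powershell.exe, the result comes back through the output stream, and the parent checks that the child actually succeeded before publishing anything. The search base and the published-data variable names are hypothetical.

```powershell
# Added example (not the post's own script): the enumeration above, wrapped
# so the heavy lifting runs in a fresh powershell.exe session instead of the
# v2.0 x86 engine hosted by the Run .Net Script activity. Search base and
# published-data names are hypothetical.
$SearchBase = 'OU=Security Groups,OU=Groups,DC=localdomain,DC=com'

# Everything inside the script block executes in the child process; only what
# it writes to the output stream comes back, and it comes back deserialized,
# so keep the output flat (here: plain distinguished-name strings).
$GroupList = powershell -NoProfile -NonInteractive -Command {
    param($SearchBase)
    Import-Module ActiveDirectory -Force -ErrorAction Stop
    Get-ADGroup -Filter { info -like "*" } -SearchBase $SearchBase |
        Select-Object -ExpandProperty DistinguishedName
} -Args $SearchBase

# The child's exit code is the only signal that Import-Module or the query
# threw; test it before publishing, otherwise the runbook silently continues
# with an empty list, which is exactly the failure mode described above.
if ($LASTEXITCODE -ne 0) {
    throw "Child PowerShell failed with exit code $LASTEXITCODE"
}

# Orchestrator publishes one value per variable, so join the array into a
# single string the next activity can split again on ';'.
$PublishedGroups = (@($GroupList) | Sort-Object) -join ';'
$PublishedCount  = @($GroupList).Count
```

Publish $PublishedGroups and $PublishedCount from the activity. Note that the child process inherits the runbook service account, so the account still needs read rights on the OU; the workaround only changes which engine runs the cmdlets, not the identity.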


Gino D

Azure Active Directory Premium

February 3, 2015



Premium always has a nice ring to it. It sounds like the best thing you can get. Seriously, try adding premium to anything and it sounds good.

Now, you all know Active Directory, and you all know there's a cloud counterpart named Azure Active Directory. Let's have a look at the best version of this: Azure Active Directory Premium.

What's the difference?

See https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx

Today we'll focus on the branding and self-service password reset functionality (both also available in the Basic edition).

We'll cover other features, like delegated group management, later.

Let's start by opening the Azure management portal and activating the Azure AD Premium trial.


Create a new group


Add a user to the group


Now assign the license to the created group.


Also assign the license directly to at least one user (it won't work with only the group assigned, which makes sense).


Now log off and log on again, and the additional Configure tabs should be present.


Now let's enable password reset, activate the security questions method and create a set of security questions. Security questions are the weakest of the available methods (answers are often guessable or public), so outside a test tenant require two methods and prefer phone or e-mail verification over questions.


Let's also do some rebranding on the logon portal.


Now let's test …


Enter the user name and press Tab, et voilà …


Nice. Now let's try the self-service password reset: log on to http://myapps.microsoft.com and register for password reset.


Let's set up the security questions in this case (you can also require this registration at first logon).




Okay, now say we've lost our password; how can we reset it?

Easy: go to https://passwordreset.microsoftonline.com or click the can't access your account link on the portal. Make sure your test user has an Azure AD Premium license assigned, or you will receive a message that the functionality is not activated for this user. In that case the user still gets a link to contact the admin and request a password reset.


Fill in the required information (note that the logo also applies here).


And answer the required questions …


And now you can choose a new password.




With the Premium edition you can also write the new password back to the on-premises AD environment (password writeback).

Great features; the need for an on-premises Active Directory environment just got smaller.
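Because an unlicensed user only sees the "not activated" message, it pays to check the license before sending someone to the reset page. The following is an added example, not from the original post: it uses the MSOnline PowerShell module (an assumption; the post only shows the portal) to test whether a user carries the AAD_PREMIUM service plan and to report the whole tenant. It assumes an existing Connect-MsolService session; the user principal name is hypothetical.

```powershell
# Added example (not from the original post): check which users actually
# carry the Azure AD Premium service plan before letting them test password
# reset. Assumes the MSOnline module and an existing Connect-MsolService
# session; the UPN below is hypothetical.
Import-Module MSOnline

function Test-AadPremiumLicense {
    # Returns $true when any license assigned to the user contains the
    # AAD_PREMIUM service plan in a state other than Disabled.
    param([Parameter(Mandatory = $true)][string]$UserPrincipalName)

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    foreach ($license in $user.Licenses) {
        foreach ($plan in $license.ServiceStatus) {
            if ($plan.ServicePlan.ServiceName -eq 'AAD_PREMIUM' -and
                $plan.ProvisioningStatus -ne 'Disabled') {
                return $true
            }
        }
    }
    return $false
}

function Get-AadPremiumLicenseReport {
    # One line per user, so the helpdesk can see at a glance why password
    # reset did or did not work for someone.
    Get-MsolUser -All | ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            IsLicensed        = $_.IsLicensed
            AadPremium        = Test-AadPremiumLicense -UserPrincipalName $_.UserPrincipalName
        }
    }
}

if (-not (Test-AadPremiumLicense -UserPrincipalName 'testuser@contoso.onmicrosoft.com')) {
    Write-Warning 'Test user has no Azure AD Premium plan; password reset will report "not activated".'
}

# Users who hold some license (e.g. Office 365) but not Premium: the group
# that will call the helpdesk after the reset page turns them away.
Get-AadPremiumLicenseReport |
    Where-Object { $_.IsLicensed -and -not $_.AadPremium } |
    Format-Table UserPrincipalName, IsLicensed, AadPremium
```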

Also remember that Azure AD Premium, Intune and Azure Rights Management are now available in one license package, EMS (Enterprise Mobility Suite): http://www.microsoft.com/en-us/server-cloud/products/enterprise-mobility-suite/


Quick tip ! Azure Automation

November 19, 2014


Want to save some money on your cloud infrastructure? Make sure to switch it off when you're not using it.

And now you can use Azure Automation for this.

Compare it to Orchestrator here: http://msdn.microsoft.com/en-us/library/azure/dn643629.aspx


Log on to the Azure management portal and open Automation.



Create an account.


Fill in the account name and select a region.


OK, now we can create a new runbook. You can create one from scratch or use an existing one.


In this case we want to shut down the environment.


You can review the script presented.


And modify the name, account or subscription.



OK, now go to the runbook and modify the required parameters.

Use the Author tab.



Test the runbook



And verify the result




As you can see, we need to create a connection asset. So back to Assets.

Additional information about the assets can be found here: http://azure.microsoft.com/blog/2014/07/29/getting-started-with-azure-automation-automation-assets-2/

And add a setting. Make sure to copy your subscription ID before starting the wizard!


Select Add connection, choose the Azure connection type and give it a name.


Enter the name of the certificate asset (we'll create and upload the certificate below) and paste your subscription ID.



Now create a self-signed certificate for uploading to Azure.

We use IIS on Server 2012 R2 for this.


Open IIS -> Server certificates



Create a self signed certificate



Modify the name and leave it in the Personal store.




Click View, then Details -> Copy to File.



Export once as .cer without the private key.


And once as .pfx with the private key. That .pfx is effectively a management credential for the whole subscription: protect it with a strong password, upload it only to the Automation account, and don't leave copies lying around on the IIS server.



Now add the .cer file to Azure management certificates.



Now back to Azure Automation and add a certificate asset (listed under Add credential).



Next up browse for your .pfx file and enter your password.




Now go to the runbook and modify the parameters using the author tool.



$MyConnection: the name of the Automation connection created in the Assets section.

$MyCert: the name of the newly imported certificate asset.


Also correct the Azure subscription name hardcoded in the script.
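For reference, this is what the assembled runbook amounts to. It is an added example, not the gallery runbook the post imports: a minimal PowerShell Workflow that reads the connection and certificate assets created above, authenticates with the management certificate, and deallocates every running classic VM. The asset names, the subscription name and the optional list of VMs to keep running are hypothetical.

```powershell
# Added example (not the gallery runbook the post imports): a minimal
# Azure Automation workflow that authenticates with the connection and
# certificate assets created above and deallocates every running classic VM
# in the subscription. Asset names, subscription name and the exclusion
# list are hypothetical.
workflow Stop-AzureEnvironment {
    param(
        [string]$ConnectionName   = 'MyConnection',     # Azure connection asset
        [string]$SubscriptionName = 'My Subscription',  # must match the portal name
        [string[]]$KeepRunning    = @()                 # VM names that must stay up
    )

    # The connection asset carries SubscriptionID and the name of the
    # certificate asset; the certificate asset holds the .pfx private key.
    $conn = Get-AutomationConnection -Name $ConnectionName
    $cert = Get-AutomationCertificate -Name $conn.AutomationCertificateName

    Set-AzureSubscription -SubscriptionName $SubscriptionName `
        -SubscriptionId $conn.SubscriptionID -Certificate $cert
    Select-AzureSubscription -SubscriptionName $SubscriptionName

    $vms = Get-AzureVM

    # Stop-AzureVM without -StayProvisioned deallocates the VM, which is what
    # actually stops compute billing; -Force suppresses the prompt shown when
    # the last VM in a cloud service is deallocated (the service then loses
    # its public IP until a VM is started again).
    foreach -parallel ($vm in $vms) {
        if ($vm.PowerState -eq 'Started' -and $KeepRunning -notcontains $vm.Name) {
            Stop-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name -Force
            Write-Output "Deallocated $($vm.Name) in $($vm.ServiceName)"
        }
    }
}
```

Whoever can edit this runbook, or read the certificate asset, holds the same power over the subscription as the management certificate itself, so treat the Automation account as a privileged system and keep the $KeepRunning list for things like domain controllers that must not be switched off by a schedule.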




Save, test and verify the result.


Hallelujah! Success!

Now all we need to do is add a schedule and that’s it.



Now create a new schedule


Name it.


In this case set to Friday , 19:00 each 7 days.


That's it; imagine the possibilities.



Gino D

Additional info can be found here: http://blogs.technet.com/b/keithmayer/archive/2014/04/04/step-by-step-getting-started-with-windows-azure-automation.aspx