Updated SFB-prem to CU9 but for some reason unable to move test user to Teams or SFBO. anyone facing this issue?
I tried to used PS commands and SFB admin portal but same results
$cred=Get-Credential
$url="https://admxxxx.online.lync.com/HostedMigration/hostedmigrationService.svc"
Move-CsUser -Identity teamstestuser02#xxx.com -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl $url
Move-CsUser : Unable to connect to some of the servers in pool
"XXX.com" due to a Distributed Component Object Model (DCOM) error.
Verify that Front End service is running on servers in this pool. If
the pool is set up for load balancing, verify that load balancer is
configured correctly. At line:2 char:1
+ Move-CsUser -Identity teamstestuser02#XXXX.com -Target "sip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=TeamsTestUse...p,xx.xxcom:OCSADUser) [Move-CsUser],
MoveUserException
+ FullyQualifiedErrorId : MoveError,Microsoft.Rtc.Management.AD.Cmdlets.MoveOcsUserCmdlet
Have you run this on the FrontEnd Server itself?
I have hit and misses with Move-CsUser when it targets SkypeOnline
Potential mitigations I found:
-Run on FE
-Specify undocumented Switch -DomainController to point it at a writable DC
https://learn.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-between-on-premises-and-cloud should have all the juice you need, make sure that the user you are running this command as (i.E. logged into the FE) has CsServerAdministrator and the $Cred has Global Admin or User Admin + Skype For Business Admin
Hope that helps :)
I used -UseOAuth switch on the Frond End server and the issue resolved. Some users return errors for Rollback, and nothing works for these users until I used force switch, which they lost their contacts and meeting info.
Related
I had a script that was working fine. Went away for a few hours and came back and now it errors.
Error
Get-ADUser : The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults
(either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or
turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.
At C:\Users\orion\Desktop\GetUsersProcessFile.ps1:1 char:1
+ Get-ADUser -Filter * -Properties CN,Department,Description,DisplayNam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ADUser], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser
The script is as follows
Get-ADUser -Filter * -Properties CN,Department,Description,DisplayName,Division,EmailAddress,extensionAttribute10,GivenName,mail,mailNickname,Name,Office,SamAccountName,sn,Title,UserPrincipalName | export-csv -path e:\ad\user-export.csv
I am looking to export every user I can with the details I want to a CSV file.
As I said, I got it working and it was working but I now get this error. This is sitting on a Windows 2019 Server.
Any ideas why it would suddenly stop working?
I did some digging and found a couple posts that may provide some insight:
First up: https://social.technet.microsoft.com/Forums/lync/en-US/a7ca2b45-bcf7-474b-a3d4-9ccc7b6f792b/internal-error-for-non-domain-admins?forum=winserverpowershell
In this case, someone removed Domain Users from the builtin Users group. Since ADWS restricts access to the Users group, queries were failing.
Second: https://social.technet.microsoft.com/Forums/en-US/f8eb3d11-6a79-4c0b-a59a-8c90b65557cf/active-directory-powershell-quotinternal-errorquot?forum=winserverpowershell
In this case, the problem was fixed by restarting the ADWS service on the domain controllers.
Note that the cmdlets like Get-ADUser and Set-ADUser depends on ADWS running on the DCs, whereas native ADSI methods do not. However, using native ADSI requires a bit more care, e.g. using paging for querying the memberOf property. There's a lot of good documentation out there on using native ADSI objects from PowerShell.
As part of a clean up task, I'm looking for a way to programmatically purge deleted AAD accounts from the User Profile Manager in Sharepoint Online.
I was using the Sharepoint Powershell module (Microsoft.Online.SharePoint.PowerShell) to manually do it, using the Remove-SPOUserProfile commandlet, which worked perfectly if I was using it in an interactive session. But as soon as I tried implementing my script into Azure Automation I found that particular module falls back to Basic Authentication when using a PSCredential object in the Connect-SPOService statement. And Basic Auth is blocked at my Organisation (I can't see them allowing it just for me!)
I found the PnP Module (PnP.PowerShell), which does allow authentication via stored credentials. But it doesn't have an equivalent User Profile Remove cmdlet.
Finally, I tried resorting to pure REST API, and while I can get an existing user profile, I can't get a profile for an account that has been deleted (marked as 'Profiles Missing from Import' in the SPO ProfMngr.aspx page). This is because the SP.UserProfiles.PeopleManager/GetPropertiesFor(accountName=#v) API needs to have an exact match (eg i:0#.f|membership|vardhaman#siteurl.onmicrosoft.com), and when an AAD account is deleted the profile username gets DELETED-<GUID> appended to it.
So my questions are:
Am I right or wrong about the sharepoint module and stored creds? (IE, so the module can be used from Azure Automation with a service principal or service account)
Am I right or wrong about the PnP module and it is missing the similar Remove-SPOUserProfile?
With the REST API, how do you search for profiles, especially profiles "missing from import"?
Is there some way to predict what the DELETED-<GUID> will be for a given user? Because I was able to get a user profile if I looked up the full deleted name and supply that to my REST call.
The official documentation on this is light - the old traditional sharepoint APIs aren't being developed any more, in favour of MS Graph, but the Graph Documentation doesn't seem to cover my particular use case.
Any pointers appreciated
Update 1
Thanks #Michael Han_MSFT.
I was using a pre-release/nightly build (0.3.32) but looking at Release documentation so didn't realise remove profile was in there.
I'm still getting problems though:
Connect-PnPOnline `
-url "https://<tenantname>.sharepoint.com" `
-ClientId $ClientId `
-ClientSecret $ClientSecret
# $guest1 = Guest account's email address
$azureEmail = ($guest1 -replace "#", "_") + "#ext##<tenantname>.onmicrosoft.com"
Remove-PnPUserProfile `
-LoginName $azureEmail
Remove-PnPUserProfile : The remote server returned an error: (401) Unauthorized.
At line:11 char:1
+ Remove-PnPUserProfile `
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Remove-PnPUserProfile], WebException
+ FullyQualifiedErrorId : System.Net.WebException,PnP.PowerShell.Commands.UserProfiles.RemoveUserProf
ile
So I tweaked the URL:
Connect-PnPOnline `
-url "https://<tenantname>-admin.sharepoint.com" `
-ClientId $ClientId `
-ClientSecret $ClientSecret
$azureEmail = ($guest1 -replace "#", "_") + "#ext##azurediagovt.onmicrosoft.com"
Remove-PnPUserProfile `
-LoginName $azureEmail
Remove-PnPUserProfile :
At line:11 char:1
+ Remove-PnPUserProfile `
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (:) [Remove-PnPUserProfile], HttpRequestException
+ FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.UserProfiles.RemoveUserProfile
So you can see if I go to <tenantname> I get a 401, but if I go to <tenantname>-name the response is simply blank.
I was certain I had given my App the right permissions (Is there some way to review what permissions have been assigned?)
In AppInv.aspx I think had this permissions code (I was following a couple of blogs):
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/Tenant" Right="FullControl"/>
<AppPermissionRequest Scope="http://sharepoint/social/Tenant" Right="FullControl"/>
</AppPermissionRequests>
As a further test, I tried the PnP version of what I was doing in REST (Get-PnpUserProfileProperty) and got
Get-PnPUserProfileProperty : Current user is not a tenant administrator.
At line:1 char:1
+ Get-PnPUserProfileProperty -Connection $pnpctx -Account "scottdu#data ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (:) [Get-PnPUserProfileProperty], ServerException
+ FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.UserProfiles.GetUserProfileProperty
Which is strange, because REST would give me a results.d response.
At this stage, I could look at making the App Id a Sharepoint Service Admin (I already have approval to allow Azure Automation to have whatever rights it needs to solve this).
(Update 1a: Made no difference, unless there is a delay between assigning the role and the permissions taking affect).
AAD registered app can be used to connect PnpOnline and delete user profile. Please see my below steps:
(Main refer article: https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread)
Step1:Registering an Azure AD application in the Azure Active Directory tenant that is linked to your Office 365 tenant and grant permission
Use admin account to access https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps. Click “New registration” and create a name of your app.
Go to “API permissions” and click on the "Add a permission" button and grant SharePoint API permission.
Select needed permissions.
Admin need to consent for those permissions, after that in status column will show green.
Step2: Create a self signed certificate and connect with app
Go to this link(https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread#setting-up-an-azure-ad-app-for-app-only-access), copy the scripts and save as “Create-SelfSignedCertificate.ps1”.
Run below command with PowerShell. You will be asked to give a password to encrypt your private key, and both the .PFX file and .CER file will be exported to the current folder.
.\Create-SelfSignedCertificate.ps1 -CommonName "YourCompanyName"
-StartDate 2020-1-09 -EndDate 2022-10-01
Go to AAD app, click on "Certificates & secrets" in the left menu bar. Click on the "Upload certificate" button, select the .CER file you generated and upload it.
Step3: Connect pnp online and perform delete profile
$ Connect-PnPOnline -ClientId <$application client id as copied over
from the AAD app registration above> -CertificatePath '<$path to the
PFX file generated by the PowerShell script above>'
-CertificatePassword (ConvertTo-SecureString -AsPlainText "<$password assigned to the generated certificate pair above>" -Force) -Url
https://<$yourtenant>.sharepoint.com -Tenant
"<$tenantname>.onmicrosoft.com"
$Remove-PnPUserProfile -LoginName $UPN
For REST api way, I found this article noted REST for delete user profile is not implemented.
(https://learn.microsoft.com/en-us/sharepoint/dev/general-development/work-with-user-profiles-in-sharepoint)
You could try the command : Remove-PnPUserProfile
https://pnp.github.io/powershell/cmdlets/Remove-PnPUserProfile.html
You should install the prerelease version of PnP.PowerShell:
https://www.powershellgallery.com/packages/PnP.PowerShell/0.3.8-nightly
Update:
You could try to use tenant administrator account to connect the sharepoint admin site, then run the command Remove-PnPUserProfile. This works for me:
I'm trying to use the 'Add-AzureRmServiceFabricNodeType' command to add a new nodeType to an existing service fabric cluster. This is my command:
Add-AzureRmServiceFabricNodeType -ResourceGroupName "$ResourceGroupName$" -Name "$ClusterName$" -NodeType "$TypeName$" -VmSku "Standard_H8" -Capacity 3 -VmUserName "$UserName$" -VmPassword $pwd
Having already logged in and set the subscription using 'Login-AzureRmAccount' and 'Set-AzureRmContext'
The call runs for ~1hr and then returns the following error:
WARNING: Rolling back the changes to the cluster
Add-AzureRmServiceFabricNodeType : 'accountName' cannot be null.
At line:1 char:1
+ Add-AzureRmServiceFabricNodeType -ResourceGroupName "%ResourceGroupName% ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Add-AzureRmServiceFabricNodeType], ValidationException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.AddAzureRmServiceFabricNodeType
I have successfully added a nodetype to this cluster in the past, but then i didn't set the -VmSku option. As well as that difference, the subscription has since been upgraded from a pay as you go sub to an Enterprise Agreement. Based on the error received I guess it might have something to do with that, but i can't seem to find what exactly.
Any ideas?
I will assume you used the secure encoding to provide the password
$password = ConvertTo-SecureString -String 'Password$123456' -AsPlainText -Force
I also suggest you add the -Tier as part of your command, because as part of provisioning process it requires the sku, tier and capacity. If you not provide one it will use the default, and the sku might not be compatible with the default tier or your account availability.
You can also check in Azure if the VMSS are created once you run the command.
If you want to investigate further, I would recommend reading the source code for the command operation executed for adding node types.
I would like to set Edge as an Assigned Access to a User.
I'm using the following PowerShell Command:
Set-AssignedAccess -AppUserModelId Microsoft.MicrosoftEdge -UserName xy
But I always get the following error (translated from German):
System error 1376 has occurred.
The specified local group does not exist.
New-CimInstance : A general error has occurred, for which
no specific error code is available.
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psm1:300
Zeichen:13
+ New-CimInstance -ClassName WEDL_AssignedAccess -Property ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (WEDL_AssignedAccess:CimInstance) [New-CimInstance], CimException
+ FullyQualifiedErrorId : MI RESULT 1,Microsoft.Management.Infrastructure.CimCmdlets.NewCimInstanceCommand
The local user exists, and the app exists too. I also logged in with the user I want to set the assignedaccess to make sure the profile is set u0p correctly
This happened on two different Windows 10 (build 14393) machines
I'm on PSVersion:
PS C:\WINDOWS\system32> $psversiontable.psversion.toString()
5.1.14393.1944
Does anybody know how to solve this?
Ran in to this yesterday. From what i could tell the "local group" thats referenced is actually the admin group.
I ran the following commands in an elevated powershell prompt:
Net localgroup administrators /add.
This creates a local Administrators group.
Net localgroup administratörer administrators /add.
This adds the administrators group to the local admin group (Administratörer is the Swedish localization of Administrators, use the local version depending on your country and replace it).
After this is done, run your previous commands.
Give it a try, hope it helps :)
//Chris
Set-AssignedAccess -UserName weakusername -AUMID Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
I'm using a script to create a folder on a remote server which is a filew server and a RODC.
When I run the script from a domain admin user the command complet successfuly. When I run with an account that is on the group that can administer the RODC I got an access denied.
$remotefolder = [scriptblock]::create("New-Item -Path d:\testfolder -type directory -Force ")
Invoke-Command -ComputerName server1 -ScriptBlock $remotefolder
I get this error:
[server1] Connecting to remote server server1 failed with the following error message : Access is denied.
For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (server1:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
As it's an RODC there's no local groups that I can add my users that need to run this script.
Is anybody know how I can stop getting this accessdenied ?
Update 12/12:
I tried the same script block on a domain member server only and I don't get the access denied message, the folder is created as it should. Any toughs on how I can get this script block running on a RODC without using a Domain admin user ?
You should probably read up on PSSessionConfiguration before you do this, so you understand the implications, starting with
help about_Session_Configurations
First, create a domain group called 'RODC PowerShell Users'. Put yourself in it, wait for replication, log off and on again. Check that you're in this group.
Second, from an elevated shell on the RODC, run this:
Set-PSSessionConfiguration microsoft.powershell -ShowSecurityDescriptorUI
(After the first, time you'll probably want to use -Force but it's useful to see what it's doing.) Hit Y when asked to confirm.
After a few seconds it will display the Permissions UI for http://schemas.microsoft.com/powershell/microsoft.powershell
Click Add, enter your group name in the dialog that appears, and click OK.
In the "Permissions for RODC PowerShell Remoting Access" box, start with Read and Execute. (You may need Write or Full Control, depending on what you want to do.)
Click OK.
Then enter Y in the PowerShell window to confirm you want to restart WinRM.
From your remote box, assuming you've already set up remoting on the RODC, you should now be able to run:
Invoke-Command -ComputerName server1 { $env:computername }