Sunday, April 2, 2017

Local Administrator Password Solution (LAPS)

The solution automatically manages the local administrator password on domain-joined computers so that the password is:
  • Unique on each managed computer
  • Randomly generated
  • Securely stored in AD infrastructure
The solution is built on the existing AD infrastructure alone, so there is no need to install and support other technologies. The solution itself is a Group Policy Client Side Extension that is installed on managed machines and performs all management tasks.
 
The core of the solution is a GPO Client Side Extension (CSE) that performs the following tasks during a GPO update:
  • Checks whether the password of local Administrator account has expired or not
  • Generates the new password when old password expired or is required to be changed prior to expiration
  • Changes the password of Administrator account
  • Reports the password to Active Directory, storing it in a confidential attribute of the computer account in AD
  • Reports the next expiration time to Active Directory, storing it in an attribute of the computer account in AD
  • The password can then be read from AD by users who are allowed to do so
  • Eligible users can force the password to be changed
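Because the CSE reports the next expiration time to the computer object, a defender can audit that attribute to find machines where rotation has stalled (the CSE never ran, or lost write permission) or where the expiration has been pushed unusually far into the future. The following is an added example, not part of the original post or of the LAPS product: it assumes the ActiveDirectory (RSAT) module, read access to the attribute, and a placeholder OU; the attribute name ms-Mcs-AdmPwdExpirationTime is the one LAPS adds to the schema.

```powershell
# Added example: report LAPS password-expiration state for every computer in an OU.
# Assumes the ActiveDirectory module and read access to ms-Mcs-AdmPwdExpirationTime.
Import-Module ActiveDirectory

function Get-LapsExpirationReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # OU distinguished name (placeholder below)
        [int] $MaxAgeDays = 30                         # longest expiration your LAPS policy allows
    )
    $nowUtc = (Get-Date).ToUniversalTime()
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            # LAPS stores the expiration as a Windows FILETIME (100-ns ticks since 1601, UTC).
            $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'
            $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }

            $state = if (-not $raw) {
                'NoLapsData'            # CSE never reported: not managed, or no write permission on the attribute
            } elseif ($expires -lt $nowUtc) {
                'Expired'               # CSE has not rotated on schedule: client not applying the GPO
            } elseif ($expires -gt $nowUtc.AddDays($MaxAgeDays)) {
                'ExpirationTooFar'      # longer than policy allows: misconfiguration or someone suppressing rotation
            } else {
                'OK'
            }

            [pscustomobject]@{ Computer = $_.Name; ExpiresUtc = $expires; State = $state }
        }
}

# Placeholder OU; list only the computers that need attention.
Get-LapsExpirationReport -SearchBase 'OU=Workstations,DC=example,DC=com' |
    Where-Object State -ne 'OK' |
    Format-Table -AutoSize
```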
 

Architecture of the solution

Friday, March 31, 2017

SCCM CB Version History



Windows 10 and Windows Server 2016 fail to manage DirectAccess clients

What is ISATAP?
Intrasite Automatic Tunnel Addressing Protocol (ISATAP) is an IPv6 transition technology that tunnels IPv6 traffic between hosts over an IPv4 network.

Important Note: There has been much confusion regarding the supportability of DirectAccess in Azure. Historically it has not been supported.

When DirectAccess manage-out uses the Intrasite Automatic Tunnel Addressing Protocol (ISATAP), you may find that connecting to remote DirectAccess clients by hostname from Windows 10 or Windows Server 2016 fails. Connections to remote DirectAccess clients from Windows 7, Windows 8.x, Windows Server 2008/2008 R2, and Windows Server 2012/2012 R2 work without issue.
On a Windows 10 or Windows Server 2016 host configured to use ISATAP for DirectAccess manage out, the remote DirectAccess client resolves to an IPv6 address correctly.
In addition, a route to the DirectAccess client’s IPv6 prefix is also present in the routing table.
Nevertheless, attempts to connect to the remote DirectAccess client by name fail.
The DirectAccess client is reachable by its IPv6 address, however.

Fix: run the following PowerShell command from an elevated session (the value lives under HKLM, so administrator rights are required):
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\" -Name AddrConfigControl -PropertyType DWORD -Value 0 -Force
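The one-liner above overwrites the value unconditionally. The following is an added example, not from the original post, that applies the same change idempotently and returns the previous value so the fix can be reverted if it turns out to affect other DNS client behaviour; only the registry path, value name and value 0 come from the post, everything else is illustrative.

```powershell
# Added example: apply the AddrConfigControl fix only when needed and record the prior value.
# Run from an elevated PowerShell session.
function Set-DnsAddrConfigControl {
    param([int] $Value = 0)   # 0 is the value given in the post

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    $name = 'AddrConfigControl'

    # Missing value and existing value are distinguished so the report shows what actually changed.
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

    if ($null -eq $current) {
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
    } elseif ($current -ne $Value) {
        Set-ItemProperty -Path $path -Name $name -Value $Value
    }

    # Returned object doubles as the rollback record: Previous is $null if the value did not exist.
    [pscustomobject]@{
        Path     = $path
        Name     = $name
        Previous = $current
        Current  = (Get-ItemProperty -Path $path -Name $name).$name
        Changed  = ($current -ne $Value)
    }
}

Set-DnsAddrConfigControl
```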

Thursday, March 30, 2017

CB with Intune (Hybrid/Stand-Alone) - Architecture

PowerShell Script to Domain Join



Domain Join - refer to the PowerShell script below:
#************************************************************************************************************************
$ErrorActionPreference = "SilentlyContinue"
Set-ExecutionPolicy RemoteSigned -Force
Clear-Host
Write-Host "*******************************************************************************" -ForegroundColor Green
Write-Host "File Name : Domain_Join.ps1"          -ForegroundColor Green
Write-Host "Purpose   : Domain_Join"              -ForegroundColor Green
Write-Host "Version   : 1.0"                      -ForegroundColor Green
Write-Host "Date      : 30/03/2017"               -ForegroundColor Green
Write-Host "Author    : Ganapathy Natarajan"      -ForegroundColor Green
Write-Host "Requires  : PowerShell V2"            -ForegroundColor Green
Write-Host "*******************************************************************************" -ForegroundColor Green
$DomainName = "LAB"
$JoinDomainUserName = "Administrator"
# A join-account password embedded in the script is readable by anyone who can read the file;
# when run interactively, prefer Get-Credential and a dedicated account with only join rights.
$Password = "Password@123" | ConvertTo-SecureString -AsPlainText -Force
#************************************************************************************************************************
$DomainUserName = "$DomainName\$JoinDomainUserName"
$Credential = New-Object System.Management.Automation.PSCredential($DomainUserName, $Password)
Try
{
    # -ErrorAction Stop turns a failed join into a terminating error; with $ErrorActionPreference
    # set to SilentlyContinue the catch block would otherwise never run and the machine would
    # report success and reboot even though it never joined.
    Add-Computer -DomainName $DomainName -Credential $Credential -ErrorAction Stop
    Write-Host "Successfully joined the machine to the $DomainName domain" -ForegroundColor Green
    Write-Host "System is going to reboot now....."                        -ForegroundColor Green
    Restart-Computer
}
catch
{
    Write-Host "Failed to join the $DomainName domain: $($_.Exception.Message)" -ForegroundColor Red
    Write-Host "Try again later....."                                           -ForegroundColor Red
}
#************************************************************************************************************************

Click-to-Run and Windows Installer on same computer isn't supported

What is Click-to-Run?
Click-to-Run is the technology used to install Office 365 subscription products.

What is Windows Installer?
Windows Installer technology (MSI) is used to install the volume license editions of Office, like Microsoft Office Professional Plus and Microsoft Office Standard.

Note: Unfortunately, you can't have Office products of the same version (like 2013 or 2016) that use two different installation technologies installed on the same computer.

Tuesday, January 3, 2017

VB Scripting - Error Handling

I am aware that VBScript is vanishing as PowerShell takes precedence, but this post is for people who still use VBScript. It covers some of the rules that can be applied to error handling.


Rules:
  • Explicitly set error handling using the “On Error” statement.
  • Explicit declaration makes it clear that error handling has been considered.
  • Use “On Error GoTo 0” to turn off error handling.  With error handling turned off, a VB script will stop immediately upon encountering a run-time error.  This should only be used in circumstances where failure of the script is inconsequential.
  • Use “On Error Resume Next” to turn on error handling.  With error handling turned on, a VB script will not stop execution.  Instead it attempts to run the next line, skipping lines that generate errors and running lines that do not.  With error handling turned on, it is important to check Err.Number to trap fatal error conditions.
  • Process errors appropriately when error handling is turned on.
  • When a VB script is set to handle errors (On Error Resume Next), the script should check Err.Number after every operation that might cause an error.  Whenever Err.Number is not equal to zero, the script should take appropriate action and clear the error using Err.Clear.
  • Include an “On Error” statement at the beginning of every function and subroutine.
  • This will ensure that error handling statements from previous functions do not spill over into the current function.
  • When using the WMI interface, get details about errors from the SWbemLastError object.
  • The WMI interface cannot return detailed error information in the standard Err object.  It is necessary to use SWbemLastError to retrieve details about the last error encountered in the WMI interface.
  • Use the application event log to record success/failure of the script.
  • The message accompanying the event log entry should include the full script name & version, the user name, and the logon server as well as text describing the condition encountered.  The text describing the condition may include values of critical variables, e.g. properties of the Err object (number, description, source) would be helpful for troubleshooting.  The Event Type will indicate success, error, warning, or information.  Use of the event log is required for logon/logoff, startup/shutdown and their subordinate scripts.
    ' WshShell.LogEvent event types: 0 = Success, 1 = Error, 2 = Warning, 4 = Information
    Const EVENT_INFO = 4
    Const SCRIPT_VERSION = "1.0"
    Set wshShell = WScript.CreateObject("WScript.Shell")
    wshShell.LogEvent EVENT_INFO, _
        "User: " & wshShell.ExpandEnvironmentStrings("%USERNAME%") _
        & vbCrLf & "Logon Server: " & wshShell.ExpandEnvironmentStrings("%LOGONSERVER%") _
        & vbCrLf & "Script Name: " & WScript.ScriptFullName _
        & vbTab & "Version: " & SCRIPT_VERSION _
        & vbCrLf & "Description of the condition...."

Sunday, January 1, 2017

ConfigMgr 1610 Appended with a New Boundary Group Feature

Jotted below are the new Boundary Group features added in ConfigMgr 1610.
  • Two new tabs have been added (Relationship & Security)
  • Boundary Group relationships control fallback
  • If the associated distribution point is offline for the amount of time specified in the settings, clients fall back to the other DP.