28 April 2017

Create new AD User with Remote Mailbox | Office 365 Hybrid

I recently had a client who had a Hybrid Office 365 who required a set of users to be created, and Office 365 mailboxes created at hte same time.  Whilst I could have had a script to create the users, then go through and add mailboxes to them, I decided that it would be better to smash it all in one hit.

Thanks to my colleague Gareth for writing this script

The following process is comprised of two steps.

  1. Run a script that references a CSV File
  2. A CSV file that has all the relevant information in it
In this case my CSV file had the following:

The BackupEmail was put there at the Client's request.  It was just an area to put the user's personal email address within the AD object.  

The script used is the following, which needs to be saved as CreateUsers.csv.  Note the bold areas which are the variables that have been included.

$Users = Import-Csv -Path "C:\Userlist.csv"
$OU = "OU=Sub-OU,OU=Parent-OU,DC=DOMAIN,DC=com,DC=au"     
foreach ($User in $Users)           
    $Displayname = $User.Firstname + " " + $User.Lastname           
    $UserFirstname = $User.Firstname           
    $UserLastname = $User.Lastname           
    $SAM = $User.Username         
    $UPN = $User.Firstname + "." + $User.Lastname + "@domain"        
    $Password = "<insertpassword>" 
    $Mobile = $User.Mobile
     $remoterouting = "smtp:" + $UPN
     $Notes = $User.BackupEmail
    New-ADUser -Name "$Displayname" -DisplayName "$Displayname" -SamAccountName $SAM -UserPrincipalName $UPN -GivenName "$UserFirstname" -Surname "$UserLastname" -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -Enabled $true -Path "$OU" -ChangePasswordAtLogon $false –PasswordNeverExpires $true -MobilePhone $Mobile -HomePhone $Notes
    Enable-RemoteMailbox $SAM -RemoteRoutingAddress $remoterouting

Save the script as well as the .csv file into the same location, then run the script through Exchange Management Shell.

This will create the user account and will also create the Office 365 Mailbox which can be viewed from either Exchange On Prem, or the O365 Tenant.  Remember that it takes a bit of time for Azure AD Connect to sync all the AD objects as well.  It might help to force an Azure AD Connect sync.

The last step you will need to do is to assign an Office 365 license to that particular user, or users.

03 April 2017

The Group Policy Client service failed the logon - Access is denied

I recently had a client who was receiving this error when he was trying to log into his domain account:

The fix for this is rather simple and straight-forward, however it's rather nasty if you don't know what to do.  The following steps can be followed to resolve this issue:

  • Login with another account, preferably a Domain Admin account
    • This should work as the issue is with the profile, not the computer
  • Create a local account on the machine and ensure it's also a local administrator
  • Remove the machine from the domain
  • Login as the local account you just created
  • Rename the profile name in C:\Users 
    • I would usually create a new folder called "Backup" and then move the profiles into there
  • Open Start Menu and search for Regedit
  • Open the following location
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

  • Click on the different SIDs until you find the one that has Profile Path which is related to the user that's having problems

  • Right-click the SID and export it just to make sure you have a copy

  • Delete the SID

  • Join the computer back to the domain
    • I had deleted the computer object from AD and I even renamed the computer
  • Login as the user who was having problems
  • Should be working perfectly now.