PowerShell: Test Domain User Account Credentials Test-UserCredentials.ps1

This script checks whether the password for a given username is correct.
If authentication with the provided Domain\Username and Password fails, the script runs a few checks and reports clues as to why it failed.
The checks are:

  • Domain is reachable.
  • User Name exists in the domain.
  • The account is Enabled.
  • The account is Unlocked.

You can run the script from PowerShell as .\Test-UserCredentials.ps1, or right-click the script and select "Run with PowerShell".
The script asks for the credentials as Domain\Username and Password in the standard Windows authentication dialog, then reports the status of that combination.
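The logic the post describes, as an added example written for this page rather than the Test-UserCredentials.ps1 script from the TechNet Gallery: one credential validation against the domain and, when it fails, the same four diagnostics (domain reachable, user exists, enabled, unlocked). It uses the .NET System.DirectoryServices.AccountManagement classes; the function name and output shape are this example's own, and the input is assumed to be in DOMAIN\user form as the post describes.

```powershell
# Added example, not the gallery script. Requires a domain-joined machine with
# line of sight to a domain controller of the target domain.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-UserCredentials {
    [CmdletBinding()]
    param(
        # Collected with Get-Credential, which is the "friendly Windows authentication window".
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential
    )

    # GetNetworkCredential() splits "DOMAIN\user"; fall back to the current domain if none was typed.
    $netCred  = $Credential.GetNetworkCredential()
    $domain   = if ($netCred.Domain) { $netCred.Domain } else { $env:USERDOMAIN }
    $userName = $netCred.UserName
    $password = $netCred.Password      # clear text only inside this function; never log it

    $result = [ordered]@{ User = "$domain\$userName"; Authenticated = $false; Reason = $null }

    try {
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)

        # One bind attempt with the supplied password. A wrong password here counts as a
        # bad-password attempt against the account's lockout threshold, so never retry in a loop.
        if ($ctx.ValidateCredentials($userName, $password,
                [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate)) {
            $result.Authenticated = $true
            $result.Reason = 'Valid Domain\Username and password'
            return [pscustomobject]$result
        }

        # Authentication failed: look the account up (as the caller, not as the tested user) to explain why.
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
            $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $userName)

        $result.Reason =
            if (-not $user)                     { "User '$userName' does not exist in domain '$domain'" }
            elseif ($user.Enabled -eq $false)   { 'Account is disabled' }
            elseif ($user.IsAccountLockedOut()) { 'Account is locked out' }
            else { 'Account exists, is enabled and unlocked: most likely a wrong password' }
    }
    catch [System.DirectoryServices.AccountManagement.PrincipalServerDownException] {
        # No domain controller for that name answered: domain not found or unreachable.
        $result.Reason = "Domain '$domain' is not found or not reachable"
    }
    catch {
        $result.Reason = "Check failed: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

# Usage: prompt with the Windows credential dialog and report the outcome.
Test-UserCredentials -Credential (Get-Credential -Message 'Enter Domain\Username and password to test')
```

The order of the checks matters: the account lookup runs only after the bind has already failed, so a "locked out" or "disabled" verdict is never reported for a password that would have worked. Because every failed validation is a real logon failure in the domain controller's eyes, do not use this against an account that is one attempt away from lockout.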
Screenshots (captions only; the images are not reproduced here):

  • Get user input
  • Example for a correct username and password
  • Example for failed authentication due to: domain is not found/unreachable
  • Example for failed authentication due to: user name does not exist
  • Example for failed authentication due to: user account is disabled
  • Example for failed authentication due to: locked-out user account
  • Example for failed authentication most likely due to a wrong password

Download from TechNet Gallery: https://gallery.technet.microsoft.com/PowerShell-Test-Domain-b71cc520

Remove UM DialPlan Associated with UM IP Gateway for Exchange UM and Lync Integration

Removing a DialPlan that is associated with a UM IP Gateway (for example after running the ExchUCUtil.ps1 script for Lync integration) is not a Next, Next, Finish task like deleting a standard DialPlan: the UM mailbox policies, hunt groups and UM server/call router assignments that still reference it have to be removed first.

Andrew Morpeth explained how to do this with details in this very helpful article here: https://ucgeek.co/2014/04/removing-exchange-2013-um-dial-plan/

Below is my attempt at an alternate approach to the PowerShell script in the article above (set the DialPlan name in the first line). Each Get- line lists what the following Remove-/Set- line will change, so run the Get- line first and review its output before running the next one:

$UMDialPlan = "<YourDialPlanName>"

# 1. UM mailbox policies linked to the dial plan: list them, then remove them.
Get-UMMailboxPolicy | where {$_.UMDialPlan -eq $UMDialPlan} | FL Name, UMDialPlan
Get-UMMailboxPolicy | where {$_.UMDialPlan -eq $UMDialPlan} | Remove-UMMailboxPolicy

# 2. UM hunt groups linked to the dial plan (these tie the UM IP gateway to it).
Get-UMHuntGroup | where {$_.UMDialPlan -eq $UMDialPlan}
Get-UMHuntGroup | where {$_.UMDialPlan -eq $UMDialPlan} | Remove-UMHuntGroup

# 3. Mailbox servers (UM service) that still have the dial plan assigned.
Get-UMService | where {$_.DialPlans -contains $UMDialPlan} | FL Name, DialPlans
Get-UMService | where {$_.DialPlans -contains $UMDialPlan} | Set-UMService -DialPlans @{Remove=$UMDialPlan}

# 4. Client Access servers (UM Call Router) that still have the dial plan assigned.
Get-UMService | Get-UMCallRouterSettings | where {$_.DialPlans -contains $UMDialPlan} | FL Identity, DialPlans
Get-UMService | Get-UMCallRouterSettings | where {$_.DialPlans -contains $UMDialPlan} | Set-UMCallRouterSettings -DialPlans @{Remove=$UMDialPlan}

# 5. Nothing references the dial plan any more, so it can be removed.
Remove-UMDialPlan -Identity $UMDialPlan

OAuth certificate missing

“The same OAuthTokenIssuer certificate needs to be used by all of the Lync Server 2013 servers. In order to assure this, when you assign this certificate, it is replicated via the CMS and is assigned to all of the Lync Server 2013 servers that require OAuth. ” dodeitte

Troubleshooting UC

Issue
Whilst deploying Lync Enterprise Edition with 3 Front End Servers I came across an interesting issue. FE 1 was fine, but when I fired up FE 2 and got to the certificate wizard, the OAuth Certificate was missing.

One thing you will notice if there is no OAuth certificate is that the Lync Front End Service won't start. OK, so where is the cert?

Found a good blog explaining the purpose of OAuth here (thanks Doug)
So the first thing was to see if the Front End Servers were replicating, and indeed they were, BUT no OAuth.

Checking the Cert Manager through MMC shows that the cert isn’t in the personal store. Adding it there manually didn’t help me much either…

Seems that it needs to be put there by the replication process.

I decided to move along (against my best judgement and the clock) and add the default cert to FE 2 and…


Test If AD User Name and Password Combination are Correct

—UPDATE#1—
Check my enhanced PowerShell script that do the same task as here, and more…: https://ibrahimsolimanblog.wordpress.com/2015/09/10/powershell-test-domain-user-account-credentials-test-usercredentials-ps1/

—Original Post—
This neat VBS script tests Active Directory authentication for a given user name and password, and tells you whether it succeeded or, if it failed, with which error.

I used to use Run As to test authentication, but sometimes the user does not have permission to access the machine I'm testing on, and I would receive an unclear error.

Now, to the script:

' Bind to the domain as the supplied user. A failed bind means the
' username/password pair was rejected; Err.Number/Err.Description say why.
Set objNetwork = CreateObject("WScript.Network")
strDomain = objNetwork.UserDomain          ' domain of the account running the script
Const ADS_SECURE_AUTHENTICATION = 1        ' secure (Kerberos/NTLM) bind rather than a simple LDAP bind
strUsername = InputBox("Enter Username:")
strPassword = InputBox("Enter Password:")  ' note: InputBox shows the typed password in clear text
Set objDS = GetObject("LDAP:")
On Error Resume Next
Set objDomain = objDS.OpenDSObject("LDAP://" & strDomain, strUsername, strPassword, ADS_SECURE_AUTHENTICATION)
If Err.Number Then
    WScript.Echo _
    "For user:" & vbCrLf & _
    "   " & strDomain & "\" & strUsername & vbCrLf & _
    "Error Number:" & vbCrLf & _
    "   " & Err.Number & vbCrLf & _
    "Error Description:" & vbCrLf & _
    "   " & Err.Description
Else
    WScript.Echo _
    "Valid password entered for user" & vbCrLf & _
    "   " & strDomain & "\" & strUsername
End If
On Error Goto 0

Run it, provide the user name (without the domain name; the script uses the domain of the account running it), then provide the password, and read the result.

Source: http://stackoverflow.com/questions/3856479/testing-username-password-against-active-directory-domain-in-vbscript

[Powershell] Know your Variable Type

You can define variables in your PowerShell script in various ways, so it is a good idea to check that a parameter's type is what the command you pass it to expects.

In one of the scripts I came across, one command was failing with this error:

Cannot process argument transformation on parameter <Variable Name>. Cannot convert value to type System.String.

Displaying the parameter alone, I found it looked like an array; I also queried the variable type, and of course it was not System.String, which the command requires:

 $MyVariable.GetType().FullName

The result can be one of the following; whether it is correct or not depends on how you plan to use the variable in your script:

Alias Type
[int] 32-bit signed integer
[long] 64-bit signed integer
[string] Fixed length string of Unicode characters
[char] A Unicode 16-bit character
[bool] True/False value
[byte] An 8-bit unsigned integer
[double] Double-precision 64-bit floating point number
[decimal] A 128-bit decimal value
[single] Single precision 32-bit floating point number
[array] An array of values
[xml] XML objects
[hashtable] A hashtable object (similar to a dictionary object)

In my case, we redefined the variable so that it holds only the correct single value, after which $MyVariable.GetType().FullName returned: System.String

[Powershell] Remove Spaces from User Input if you will Build an Array

In one of the scripts I came across, users have to input IP addresses in the form IP1,IP2,IP3,... The PowerShell script takes this input and builds an array to be passed to NETSH and other network commands. The problem is that users, for various reasons, enter the IPs as IP1, IP2, IP3, ... with an extra space after the ",", and sometimes there are leading or trailing spaces from copying and pasting from elsewhere. The result: the network commands failed on these extra spaces.

To solve this, and to avoid similar situations, it is good practice to clean up any value you get from users, because you never know what they will enter. One good option is the -replace operator with the \s character class, which removes all whitespace (spaces, tabs, line breaks). So:

$Param = "   10.10.10.1            ,  10.10.10.2           ,  10.10.10.3    "

#You clean it up by:
$Param = $Param -replace '\s',''

#This will make:
$Param

#Returns:
10.10.10.1,10.10.10.2,10.10.10.3

UPDATE#1:
It is also worth mentioning that if you only want to remove the leading and trailing spaces from the user's input (and keep the spaces inside it), use the Trim() method. So:

$Param = "   First Name Last Name    "

#You clean it up by:
$Param = $Param.trim()

#This will make:
$Param

#Returns:
First Name Last Name
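The cleanup described in this post, carried one step further, as an added example that is not from the original post: it normalizes the user's input to a single string first (the type problem from the "Know your Variable Type" post above), strips all whitespace, splits on commas, and then validates every entry as an IPv4 address before anything reaches NETSH. The function name and the sample input are this example's own.

```powershell
# Added example. Turns free-form user input such as "  10.10.10.1 ,10.10.10.2 " into a
# validated [string[]] of IPv4 addresses, or throws before any network command runs.
function ConvertTo-IPv4List {
    param(
        # Accept whatever the caller hands over: a single string, or an array if the
        # input was already split somewhere else.
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        $InputObject
    )

    # 1. Make sure we are working with one System.String, whatever the variable type was.
    if ($InputObject -is [array]) { $text = $InputObject -join ',' }
    else                          { $text = [string]$InputObject }

    # 2. Remove every whitespace character (spaces, tabs, line breaks), not just leading/trailing.
    $text = $text -replace '\s', ''

    # 3. Split on commas and drop empty entries left by doubled or trailing commas.
    $entries = @($text -split ',' | Where-Object { $_ -ne '' })
    if ($entries.Count -eq 0) { throw 'No IP addresses were entered' }

    # 4. Accept only dotted-quad IPv4. The regex rejects shorthand forms that
    #    [IPAddress]::TryParse would otherwise accept (for example "10.1" or "1"),
    #    and TryParse rejects octets above 255.
    $valid   = New-Object System.Collections.Generic.List[string]
    $invalid = New-Object System.Collections.Generic.List[string]
    foreach ($entry in $entries) {
        $ip = $null
        if ($entry -match '^\d{1,3}(\.\d{1,3}){3}$' -and
            [System.Net.IPAddress]::TryParse($entry, [ref]$ip) -and
            $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
            $valid.Add($ip.IPAddressToString)   # canonical form
        } else {
            $invalid.Add($entry)
        }
    }

    # 5. Fail closed: one bad entry rejects the whole list rather than silently skipping it.
    if ($invalid.Count -gt 0) {
        throw "Not valid IPv4 addresses: $($invalid -join ', ')"
    }
    return ,[string[]]$valid.ToArray()
}

# Usage with a constructed sample of typical user input:
$userInput = "   10.10.10.1            ,  10.10.10.2           ,  10.10.10.3    "
$ips = ConvertTo-IPv4List $userInput
$ips.GetType().FullName      # System.String[], so each element is safe to hand to netsh
$ips -join ','               # 10.10.10.1,10.10.10.2,10.10.10.3

# Rejected input, so nothing reaches netsh: "10.10.10.1, 10.10.10.999" throws
# "Not valid IPv4 addresses: 10.10.10.999".
```

Whitespace removal alone fixes the symptom; the validation step is what keeps a stray token such as an extra argument or a host name from being spliced into a NETSH command line unchecked.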

Exchange 2013 Preferred Architecture

Here's a cut-to-the-chase summary of The Preferred Architecture blog post by Ross Smith IV; a link to the original article is at the end of this post.

Here's the summary (with my own touch):

  • Simplicity, simplicity, simplicity.
  • For each Exchange service (OWA, SMTP, ...) use one namespace that balances connections between the two datacenters (assuming the two datacenters have a "fast" network connection).
  • Each datacenter is a separate AD site.
  • All Exchange servers are multi-role servers (each server has the Mailbox and CAS roles).
  • All Exchange servers are physical servers.
  • Two disks in a RAID 1 host the OS, Exchange binaries, protocol/client logs, and the transport database.
  • Large-capacity 7.2K SAS disks in a JBOD configuration hold the database files and logs.
  • AutoReseed is enabled, and at least one disk is reserved for it.
  • The DAG is stretched across the two datacenters, and active copies are distributed equally across all servers in the DAG.
  • Each datacenter has the same number of servers in the DAG.
  • The DAG has an even number of servers, and a witness server is used for quorum arbitration.
  • The DAG's witness server is placed in a third, reliable datacenter.
  • Use a single network card that carries both MAPI and replication traffic (assuming your network infrastructure provides 10 Gb end-to-end).
  • Each database has four copies, with two copies in each datacenter.
  • ReplayLagTime is 7 days for the lagged database copy (Set-MailboxDatabaseCopy -Identity DatabaseName\MailboxServerName -ReplayLagTime 7.0:0:0).
  • Backup, backup, backup.

References:

The Preferred Architecture

Configure AutoReseed for a database availability group