Tim D'Annecy


tdannecy@gmail.com

#Windows #Azure #AzureAD

If you've deployed an Azure VM and did not enable the “Login with AAD credentials” option, you can enable sign-in with Azure Active Directory credentials later by running this Azure CLI command in Cloud Shell:

az vm extension set \
--publisher Microsoft.Azure.ActiveDirectory \
--name AADLoginForWindows \
--resource-group ResourceGroup \
--vm-name VMName

After running that command, you'll need to add the user to the local Remote Desktop Users group to allow interactive sign-in over RDP. The extension doesn't grant this permission, so you will need to do it manually by running this command in a remote PowerShell session on the VM:

net localgroup "remote desktop users" /add "AzureAD\user@domain.com"

You will also need to add two lines to the RDP file downloaded from the “Connect” tab so that you can connect without issues:

enablecredsspsupport:i:0
authentication level:i:2

After connecting to the VM using RDP, you will also need to disable Network Level Authentication (NLA) from Control Panel.

In the background, the extension will change the Join Type of the VM to “Azure AD Joined” and your Devices blade will update with that information after a couple of minutes.

No need to re-create the VM.
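The same post-extension steps done from PowerShell, with a check for each, as an added example that is not part of the original notes. The user UPN, the path to the downloaded .rdp file and the VM name are placeholders; the group-membership step has to run inside the remote session on the VM, the .rdp edit runs on the client.

```powershell
# Added example (not from the original post). Placeholders: $AadUser, $RdpFile.
$AadUser = 'AzureAD\user@domain.com'                # placeholder UPN
$RdpFile = "$env:USERPROFILE\Downloads\VMName.rdp"   # placeholder path to the downloaded file

function Add-AadRdpUser {
    param([string]$User)
    # net.exe resolves AzureAD\ principals on an Azure AD joined VM, which is why the
    # post uses it; this wrapper just confirms the member actually landed in the group.
    net localgroup "Remote Desktop Users" /add $User | Out-Null
    $members = net localgroup "Remote Desktop Users"
    return [bool]($members -match [regex]::Escape($User))
}

function Set-RdpFileSetting {
    param([string]$Path, [hashtable]$Settings)
    # Replace an existing "key:i:value" line or append it, so re-running is safe.
    $lines = @(Get-Content -Path $Path)
    foreach ($key in $Settings.Keys) {
        $pattern = '^' + [regex]::Escape($key) + ':i:\d+$'
        $new = "${key}:i:$($Settings[$key])"
        if ($lines -match $pattern) {
            $lines = $lines -replace $pattern, $new
        } else {
            $lines += $new
        }
    }
    Set-Content -Path $Path -Value $lines
    return $lines
}

function Get-NlaState {
    # UserAuthentication = 1 means the RDP listener still requires NLA, i.e. the
    # Control Panel step described in the post has not taken effect yet.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    return (Get-ItemProperty -Path $key -Name UserAuthentication).UserAuthentication
}

# On the VM (remote session):
#   Add-AadRdpUser -User $AadUser        # returns $true when the member is present
#   Get-NlaState                         # 1 = NLA still required, 0 = disabled
# On the client, the two lines the post adds to the .rdp file:
Set-RdpFileSetting -Path $RdpFile -Settings @{
    'enablecredsspsupport' = 0
    'authentication level' = 2
}
```

With CredSSP support and NLA both turned off, the RDP session is established before the user's credentials are checked, so the usual companion to this setup is keeping TCP 3389 closed to the internet in the VM's network security group (allow only known source addresses, or reach the VM through Azure Bastion) and confirming that with Get-NlaState after the change.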

Just putting this here for my notes.


#Windows #Powershell #Meraki

I wrote up a quick and dirty Powershell script today that adds a split-tunnel VPN connection, asks the user for connection info, dials the connection, then configures static routes.

# Add-MerakiVPN.ps1
# Creates a split-tunnel VPN connection and adds static routes.
# Tim D'Annecy 2021-09-08

function Add-MerakiVPN {

    $ServerAddress = 'blahblahblah.dynamic-m.com' # Change this value to match your Meraki hostname
    $ConnectionName = 'Meraki VPN'
    $PresharedKey = 'blah' # Change this value

    # -AllUserConnection stores the profile in the machine-wide phonebook, so this
    # must run from an elevated PowerShell session.
    Add-VpnConnection `
        -Name $ConnectionName `
        -ServerAddress $ServerAddress `
        -TunnelType L2tp `
        -EncryptionLevel Optional `
        -SplitTunneling `
        -AllUserConnection `
        -L2tpPsk $PresharedKey `
        -AuthenticationMethod Pap, MSChapv2 `
        -Force

    $StaticRoutes = @(
        '10.0.13.0/24', # Change these to match your internal subnets
        '10.0.12.0/24',
        '172.16.0.0/16'
    )

    try {
        # rasphone opens the dialer so the user can enter credentials interactively.
        rasphone.exe -d $ConnectionName

        # Wait for the tunnel to come up instead of sleeping a fixed 30 seconds; give up after 60.
        $deadline = (Get-Date).AddSeconds(60)
        do {
            Start-Sleep -Seconds 2
            $status = (Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction Stop).ConnectionStatus
        } until ($status -eq 'Connected' -or (Get-Date) -gt $deadline)
        if ($status -ne 'Connected') {
            throw "VPN '$ConnectionName' did not connect within 60 seconds"
        }

        # With split tunneling on, only these subnets are sent through the tunnel.
        # The VPN adapter's interface alias is the connection name.
        $StaticRoutes | ForEach-Object {
            New-NetRoute -DestinationPrefix $_ -InterfaceAlias $ConnectionName -ErrorAction Stop
        }
    }
    catch {
        # -ErrorAction Stop above makes the cmdlet errors terminating so they land here.
        Write-Error "There was an error adding the VPN connection: $_"
        return
    }
}

Add-MerakiVPN

#networking

I just upgraded to Google Fiber and received a Google wifi device [A] as a router/wifi radio device.

Once I connected to the fiber jack with an ethernet cable, the wifi device comes online and is manageable on my phone with the Google Home app.

I connected my NAS device to the single ethernet port on the wifi device.

(Image: Google wifi ethernet ports)

After a few seconds, the Google Home app displays the NAS and gives it a DHCP address.

Inside Google Home under the Wifi menu, I tapped on the Settings icon and selected “Advanced networking > Port Management”.

From there, I was able to add a manual forward for TCP traffic on port 32400.

(Image: Google Home wifi port forwarding)

I saved the setting and my Plex server was immediately able to connect with Remote Access.

#Powershell #Windows

This one-liner imports a CSV that has at least a Name header listing user names, looks each one up in Active Directory, and exports the SamAccountName and Enabled properties to a new CSV.

Import-Csv ".\in.csv" | ForEach-Object { Get-ADUser -Identity $_.Name -Properties SamAccountName,Enabled } | Select-Object -Property SamAccountName,Enabled | Export-Csv -Path ".\out.csv" -NoTypeInformation -Append
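A longer form of the same lookup, as an added example that is not part of the original notes: it keeps going when a name in the CSV is not in AD and records that in a Status column, and it overwrites out.csv instead of appending so a re-run does not duplicate rows. It assumes the RSAT ActiveDirectory module is installed and an in.csv with a Name header.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and an in.csv with a "Name" column.
Import-Module ActiveDirectory

function Get-UserEnabledReport {
    param([string]$InputCsv, [string]$OutputCsv)

    $rows = Import-Csv -Path $InputCsv
    $report = foreach ($row in $rows) {
        try {
            # -ErrorAction Stop turns "identity not found" into a catchable error
            $u = Get-ADUser -Identity $row.Name -Properties SamAccountName, Enabled -ErrorAction Stop
            [pscustomobject]@{
                Name           = $row.Name
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                Status         = 'Found'
            }
        }
        catch {
            [pscustomobject]@{
                Name           = $row.Name
                SamAccountName = $null
                Enabled        = $null
                Status         = 'NotFound'
            }
        }
    }

    # No -Append: the output reflects exactly this run's input
    $report | Export-Csv -Path $OutputCsv -NoTypeInformation
    return $report
}

# Write the full report, and show on screen only the accounts that need a look:
# disabled accounts and names that did not resolve.
Get-UserEnabledReport -InputCsv '.\in.csv' -OutputCsv '.\out.csv' |
    Where-Object { $_.Enabled -eq $false -or $_.Status -eq 'NotFound' }
```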


#Windows #Powershell

I found this post on Reddit and wanted to save the command for my notes.

Running this command in Powershell will give you the PC's currently connected SSID. This is handy for troubleshooting network issues when connected remotely through a PSSession.

netsh wlan show interfaces | select-string SSID

#powershell #Exchange

If you're using Microsoft Exchange Online, there's currently no way to see when a Mail Contact was created from the web dashboard.

I wanted to know when an address was added as a Mail Contact in one of our tenants, but I also wasn't able to get an audit trail using the Microsoft Compliance center.

As a workaround, this PowerShell command lists each Mail Contact with its “WhenCreated” value, oldest first:

Get-Recipient -RecipientTypeDetails MailContact -ResultSize Unlimited | sort WhenCreated | select Name,Alias,WhenCreated

#bash #linux

QNAP recently enabled a maintenance prompt that appears when you connect over SSH. In the current version of the QNAP OS, I'm not able to turn off the prompt via GUI and needed to run a bash command to get it to go away.

I found this command somewhere and it's been working for me:

sed -r -i.bak 's/^(.*admin.*qts-console-mgmt.*)$/#\1/' /etc/profile

#Windows

  • Open Local Group Policy Editor (gpedit.msc)

  • Change entry at Computer Configuration > Administrative Templates > System > Specify settings for optional component installation and component repair to “Enabled” and check the box for “Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)”

  • Run gpupdate in Command Prompt.

  • Open Settings > Apps > Apps & features > Optional features and click “Add a feature”. Search for and install “RSAT: Active Directory Domain Services and Lightweight Directory Services Tools”

Alternatively, you can add it through PowerShell:

Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

  • Verify the installation completed by running Import-Module ActiveDirectory in PowerShell.

#Windows #Intune

On Windows, to allow Quick Assist to display UAC prompts to a remote user, you need to make a few quick changes.

Microsoft Endpoint (Intune)

Older instructions are here: https://www.cloud-boy.be/portfolio/run-as-admin-gives-black-screen-in-quick-assist-teamviewer-intune-fix/ [A]

New instructions are:

  1. Open the Endpoint management dashboard

  2. Click on “Devices” and select “Configuration profiles”. Click on “Create profile”. Change Platform to “Windows 10 and later” and the Profile type field to “Settings catalog (preview)”. Click the “Create” button.

  3. Give it a basic name and navigate to the “Configuration settings” page.

  4. Click the “Add settings” button. Double click on the “Local Policies Security Options” entry in the Settings picker pane on the right. Check the box for the option “User Account Control Switch To The Secure Desktop When Prompting For Elevation”. Back on the main settings area to the left, change the dropdown to “Disabled” and click the “Next” button.

(Image: Screenshot of Endpoint management policy configuration page)

  5. Enable the policy to all devices (as needed) and then test.
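A way to check on a device that the profile has actually landed, as an added example that is not part of the original notes. It reads the registry values that back the “User Account Control” policies; the path and value names are the standard ones Windows uses for these settings, and the function's name is my own.

```powershell
# Added example (not from the original post). Reads the effective UAC prompt
# settings on the local device after the Intune profile has applied.
function Get-UacPromptSettings {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC on
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # how admins are prompted
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = prompt on the secure desktop
        # The Intune setting in step 4 sets PromptOnSecureDesktop to 0. Only then is the
        # elevation prompt drawn on the interactive desktop, where Quick Assist can show it.
        QuickAssistCanShowUac      = ($p.PromptOnSecureDesktop -eq 0)
    }
}

Get-UacPromptSettings
```

The secure desktop exists so that nothing else on the machine can draw over or interact with an elevation prompt; the profile trades that away on the devices it targets so a remote helper can see the prompt. That is why step 5 says “as needed”: scope the assignment to the devices that use Quick Assist this way, and use the check above to confirm it did not reach others.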


#Windows

%appdata%\Microsoft\Windows\Themes\CachedFiles

or just...

%appdata%\Microsoft\Windows\Themes\TranscodedWallpaper

I'm just writing this down for my notes.
