Wednesday, June 11, 2025

MSGraph - Disable Entra ID (AAD) sync and revert users to cloud-only.

Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope AllUsers -Force

Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "Organization.ReadWrite.All", "Directory.ReadWrite.All"

$orgId = (Get-MgOrganization).Id


Update-MgOrganization -OrganizationId $orgId -OnPremisesSyncEnabled:$false

(Get-MgOrganization).OnPremisesSyncEnabled

# Should return: False
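Added example, not from the post above: after flipping the tenant flag, confirm it stuck and report any accounts that still carry on-premises sync attributes. It assumes Connect-MgGraph already ran with the scopes shown above and that Microsoft.Graph.Users is installed.

```powershell
# Added example (not from the original post). Assumes an existing Graph session
# with Directory.ReadWrite.All and the Microsoft.Graph.Users module installed.
Import-Module Microsoft.Graph.Users

function Test-EntraSyncDisabled {
    $org = Get-MgOrganization

    # Microsoft documents that converting synced users to cloud-only can take
    # up to 72 hours, so a non-empty list right after the change is expected.
    $stillSynced = Get-MgUser -All -Property UserPrincipalName,OnPremisesSyncEnabled,OnPremisesLastSyncDateTime |
        Where-Object { $_.OnPremisesSyncEnabled -eq $true }

    [pscustomobject]@{
        TenantSyncEnabled = $org.OnPremisesSyncEnabled   # expect False
        UsersStillSynced  = $stillSynced.Count
        SampleUsers       = ($stillSynced | Select-Object -First 5 -ExpandProperty UserPrincipalName) -join ", "
    }
}

$result = Test-EntraSyncDisabled
$result | Format-List
if ($result.TenantSyncEnabled) { Write-Warning "Tenant still reports OnPremisesSyncEnabled = True" }
```

Re-run it the next day; UsersStillSynced should drop to 0 once the conversion finishes.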


MSGraph - Force Password Change at Next Login / Revoke Tokens (Log Them Out)

To force a user to change their password at next login and log them out of all sessions:

Install-Module Microsoft.Graph.Users -Scope AllUsers -Force
Install-Module Microsoft.Graph.Users.Actions -Scope AllUsers -Force

Import-Module Microsoft.Graph.Users

Import-Module Microsoft.Graph.Users.Actions

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All"

$email = "user@domain.com"

# Force password change at next login
Update-MgUser -UserId $email -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }

# Confirm it's flagged
Get-MgUser -UserId $email -Property PasswordProfile | Select-Object UserPrincipalName, @{Name="ForceChange";Expression={$_.PasswordProfile.ForceChangePasswordNextSignIn}}

# Revoke sign-in sessions (log them out of everything)
Revoke-MgUserSignInSession -UserId $email
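Added example, not from the post above: the same two steps applied to a list of accounts during an incident, with the flag verified and the outcome written to a CSV for the ticket. It assumes Connect-MgGraph already ran with the scopes shown above; the UPNs are placeholders.

```powershell
# Added example (not from the original post). Assumes an existing Graph session
# with User.ReadWrite.All; the UPNs below are placeholders.
$compromised = @("user1@domain.com", "user2@domain.com")

function Invoke-AccountContainment {
    param([string[]]$UserPrincipalName)

    foreach ($upn in $UserPrincipalName) {
        $status = [ordered]@{ User = $upn; ForceChange = $null; SessionsRevoked = $false; SessionsValidFrom = $null; Error = $null }
        try {
            Update-MgUser -UserId $upn -PasswordProfile @{ ForceChangePasswordNextSignIn = $true } -ErrorAction Stop

            # Revocation invalidates refresh tokens and browser sessions; access
            # tokens already issued stay valid until they expire (roughly an hour).
            Revoke-MgUserSignInSession -UserId $upn -ErrorAction Stop | Out-Null
            $status.SessionsRevoked = $true

            # Read back both the flag and the "sessions valid from" timestamp.
            $u = Get-MgUser -UserId $upn -Property PasswordProfile,SignInSessionsValidFromDateTime -ErrorAction Stop
            $status.ForceChange       = $u.PasswordProfile.ForceChangePasswordNextSignIn
            $status.SessionsValidFrom = $u.SignInSessionsValidFromDateTime
        } catch {
            $status.Error = $_.Exception.Message
        }
        [pscustomobject]$status
    }
}

$report = Invoke-AccountContainment -UserPrincipalName $compromised
$report | Format-Table -AutoSize
$report | Export-Csv -Path ".\containment-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation
```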



Friday, March 21, 2025

Unable to connect to Office 365 / Exchange Online, or Entra ID - Microsoft.Online.Administration.Automation.MicrosoftOnlineException was thrown.

Forget all of the former ways of connecting to 365; Microsoft broke them as of ... 3/2025.

In PowerShell you'll get: 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown.

For Entra ID, you need to upgrade to the latest version. That's it.

For PowerShell, you need to install the latest Exchange Online Management module. List the available versions:

Find-Module ExchangeOnlineManagement -AllVersions

If you already have it installed, remove it so you can install the latest version:

Remove-Module ExchangeOnlineManagement
Uninstall-Module ExchangeOnlineManagement -AllVersions -Force

Install the latest version. When prompted, answer "Y" for Yes, NOT "A" for Yes to All:

Install-Module ExchangeOnlineManagement -RequiredVersion 3.7.2 -Scope AllUsers

Now import the module:

Import-Module ExchangeOnlineManagement -RequiredVersion 3.7.2

Now you can connect to Exchange Online:

Connect-ExchangeOnline

That's it!
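Added example, not from the post above: the same procedure, but it first compares the installed ExchangeOnlineManagement version with the newest gallery release and only does the uninstall/reinstall when it is actually out of date. It assumes an elevated prompt (required for -Scope AllUsers) and takes whatever the gallery currently reports as latest rather than pinning 3.7.2.

```powershell
# Added example (not from the original post). Run as Administrator.
$moduleName = "ExchangeOnlineManagement"

$latest  = [version](Find-Module -Name $moduleName).Version                    # newest gallery release
$current = Get-InstalledModule -Name $moduleName -ErrorAction SilentlyContinue   # highest installed version, if any

if ($current -and ([version]$current.Version -ge $latest)) {
    Write-Host "Up to date: $moduleName $($current.Version)"
} else {
    # Unload any loaded copy first; Uninstall-Module fails on a module in use.
    Remove-Module -Name $moduleName -ErrorAction SilentlyContinue
    if ($current) { Uninstall-Module -Name $moduleName -AllVersions -Force }

    # -Force suppresses the "untrusted repository" prompt the post answers with "Y".
    Install-Module -Name $moduleName -RequiredVersion $latest -Scope AllUsers -Force
    Write-Host "Installed $moduleName $latest"
}

Import-Module -Name $moduleName -RequiredVersion $latest
Connect-ExchangeOnline
```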

Friday, February 21, 2025

How to install Windows 11 on a PC that doesn't support it (No TPM)

  1. When you get to the Windows 11 setup screen, press Shift + F10 to open Command Prompt.
  2. Type regedit and press Enter.
  3. Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\Setup
  4. Right-click Setup, select New > Key, and name it LabConfig.
  5. Inside LabConfig, right-click and create the following DWORDs:
    • BypassTPMCheck → Set value to 1
    • BypassSecureBootCheck → Set value to 1
    • BypassRAMCheck → Set value to 1 (if needed)
  6. Close Registry Editor, then exit Command Prompt and continue installation.
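Added example, not from the post above, written from the defender's side: once a machine has been installed this way, nothing on it advertises the fact, so this check reports whether the requirements the LabConfig values skip (TPM 2.0, Secure Boot, 4 GB RAM) are actually met on a running Windows 11 box. It assumes an elevated PowerShell session on the installed OS (not the setup environment) and that Windows 11 reports build 22000 or later.

```powershell
# Added example (not from the original post). Run elevated on the installed OS.
function Test-Win11HardwareBaseline {
    $os  = Get-CimInstance Win32_OperatingSystem
    $ram = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)

    # Get-Tpm comes from the inbox TrustedPlatformModule module; swallow the error if it is missing.
    try { $tpm = Get-Tpm } catch { $tpm = $null }
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; Windows 11 requires 2.0.
    $tpmSpec = (Get-CimInstance -Namespace root\cimv2\security\microsofttpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    # Confirm-SecureBootUEFI throws on legacy BIOS machines, which also fail the requirement.
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $secureBoot = $false }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OS             = $os.Caption
        Build          = [int]$os.BuildNumber
        IsWindows11    = [int]$os.BuildNumber -ge 22000
        TpmPresent     = [bool]$tpm.TpmPresent
        TpmReady       = [bool]$tpm.TpmReady
        TpmSpecVersion = $tpmSpec
        SecureBootOn   = [bool]$secureBoot
        RamGB          = $ram
        MeetsBaseline  = ([bool]$tpm.TpmPresent -and ($tpmSpec -like "2.0*") -and [bool]$secureBoot -and $ram -ge 4)
    }
}

Test-Win11HardwareBaseline | Format-List
```

A box that reports IsWindows11 = True and MeetsBaseline = False has no TPM-backed protections to rely on (no TPM protector for BitLocker, no measured boot), which is the trade-off the bypass makes.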

Thursday, December 19, 2024

FortiGate / Fortinet FortiClient VPN stuck at "Connecting" with SAML enabled.


Resolving FortiClient Stuck on 'Connecting' with SAML on Windows 11

I encountered an issue where FortiClient would hang on "connecting" when using SAML authentication on new Windows 11 machines. After some troubleshooting, I found the solution: install the latest version of the Microsoft Visual C++ Redistributable.

https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170

Tuesday, December 17, 2024

Windows Domain Controller (Server) boots up in "Private" network zone instead of "Domain"

Troubleshooting Windows Domain Controller Booting in "Private" Network Zone

Occasionally, your Windows Domain Controller (Server) may boot into the "Private" network zone instead of the expected "Domain" network zone. Here are steps to address this issue:


Primary Solution

The issue may stem from incorrect DNS configuration. If the server cannot resolve the domain name before the Network Location Awareness (NLA) service starts, the network zone may default to "Private."

To resolve this:

  1. Set the server's primary DNS to 127.0.0.1 (its loopback address).
  2. Set the secondary DNS to either:
    • Another Domain Controller's IP address, or
    • The server's other IP address (if it is the only Domain Controller).
  3. Set the Network Location Awareness (NLA) service to "Delayed Start" in Services.

Emergency "Break Glass" Solution

If the server continues to boot into the "Private" profile and the primary solution doesn't resolve the issue, you can disable the domain discovery negative cache by adding specific registry keys.

Registry Keys to Disable Domain Discovery Negative Cache

Add the following registry keys:

1. Disable the Domain Discovery Negative Cache
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

  • Name: NegativeCachePeriod
  • Type: REG_DWORD
  • Value Data: 0
    (Default value: 45 seconds. Set to 0 to disable caching.)

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

  • Name: MaxNegativeCacheTtl
  • Type: REG_DWORD
  • Value Data: 0
    (Default value: 5 seconds. Set to 0 to disable caching.)

Note: Disabling the negative cache ensures that failed domain detection results (e.g., ERROR_NO_SUCH_DOMAIN) are not cached. By default, Network Location Awareness (NLA) attempts domain detection multiple times during network setup (triggered by route or IP address changes). However, if the first detection fails and is cached negatively, subsequent attempts may also fail.


2. Alter NLA Domain Detection Behavior
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters

  • Name: AlwaysExpectDomainController
  • Type: REG_DWORD
  • Value Data: 1

Note: This registry key modifies how NLA handles retries for domain detection, ensuring it always expects a Domain Controller.


By following these steps, you can mitigate issues with your Domain Controller booting into the wrong network profile. Always exercise caution when editing the registry and ensure you have backups before making changes.
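Added example, not from the post above: a script that applies the primary fix (DNS order and delayed NLA start), writes the three break-glass registry values only when asked to, and then verifies that the DC locator record resolves and reports each interface's current profile. The interface alias "Ethernet" and the secondary DNS address 10.0.0.2 are placeholders; run it elevated on the Domain Controller.

```powershell
# Added example (not from the original post). Run elevated on the DC.
function Repair-DcNetworkProfile {
    param(
        [string]$InterfaceAlias = "Ethernet",   # placeholder
        [string]$SecondaryDns   = "10.0.0.2",   # placeholder: another DC, or this server's other IP
        [switch]$BreakGlass
    )

    # Steps 1-2: loopback first, another DC (or own second IP) second.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses @("127.0.0.1", $SecondaryDns)

    # Step 3: NLA starts after the DNS server has had time to come up.
    sc.exe config NlaSvc start= delayed-auto | Out-Null

    if ($BreakGlass) {
        $values = @(
            @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"; Name = "NegativeCachePeriod";         Value = 0 },
            @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"; Name = "MaxNegativeCacheTtl";         Value = 0 },
            @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters";   Name = "AlwaysExpectDomainController"; Value = 1 }
        )
        foreach ($v in $values) {
            New-ItemProperty -Path $v.Path -Name $v.Name -PropertyType DWord -Value $v.Value -Force | Out-Null
        }
    }

    # Verify: the DC locator SRV record must resolve through the new DNS order,
    # and every interface should report DomainAuthenticated after a reboot.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" -Type SRV -ErrorAction SilentlyContinue
    $nla = Get-CimInstance Win32_Service -Filter "Name='NlaSvc'"
    [pscustomobject]@{
        DnsServers      = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses -join ", "
        NlaStartMode    = "$($nla.StartMode) (delayed: $($nla.DelayedAutoStart))"
        DcSrvResolves   = [bool]$srv
        NetworkProfiles = (Get-NetConnectionProfile | ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }) -join ", "
    }
}

Repair-DcNetworkProfile | Format-List
# Repair-DcNetworkProfile -BreakGlass   # only if the primary fix did not hold
```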